Jutarul
Donator
Legendary
Offline
Activity: 994
Merit: 1000
August 29, 2012, 11:14:30 PM
SmiGueL
August 30, 2012, 05:18:18 PM Last edit: August 30, 2012, 05:36:15 PM by SmiGueL
GLBSE resets the session ID after login, which prevents session fixation. We only whitelist certain HTML elements for PMs and contracts, so no XSS, and we use SSL, so no man-in-the-middle session sniffing attacks. Session IDs are not predictable or unencrypted.
I don't know exactly what you mean by this, but I have Google 2FA installed. When I log in on GLBSE and close the tab without logging out, I can re-open GLBSE after a few hours and it will come back up with me logged in, so I don't have to re-login. I do leave other tabs in my Google Chrome open, so I never close Chrome completely, FYI.
Even if you, after you totally CLOSE Internet Explorer or Firefox (I don't use Chrome, so can't test it), go to GLBSE, your session is still active/logged in. Actually, after you restart your computer, it is still logged in. I have 2FA activated, but only have to fill in the auth-key when I use a 'new' computer. As long as a 'hacker' can't use my session ID on his own computer, I see no problem, but according to the above this ID won't change since I'm always logged in.
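The session-handling points in the post above (an ID that is regenerated at login, versus a login that survives closing the browser and even rebooting) are shown below as an added Python example. It is not GLBSE's code and was not posted in this thread; the in-memory store, the function names, the cookie flags and the 30-minute idle / 12-hour absolute timeouts are assumptions for illustration. It shows why rotating the ID at login defeats a planted (fixated) ID, and why a session that is bounded in time stops being valid even when the cookie itself persists across restarts.

```python
"""Session handling as discussed above: rotate the ID at login (anti-fixation),
bound the lifetime (idle timeout + absolute maximum) and set cookie flags.
Added illustration, not GLBSE's code. Store, names and timeouts are assumed."""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

IDLE_TIMEOUT = 30 * 60          # assumed policy: 30 min without a request ends the session
ABSOLUTE_LIFETIME = 12 * 3600   # assumed policy: re-authenticate after 12 h regardless of activity


@dataclass
class Session:
    user: Optional[str]   # None until login succeeds
    created: float
    last_seen: float


class SessionStore:
    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock                 # injectable so the demo can fast-forward time
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def _new_id() -> str:
        # 256 bits from the OS CSPRNG: unguessable, unlike a counter or a hash of the username
        return secrets.token_urlsafe(32)

    def start(self) -> str:
        """Anonymous pre-login session, e.g. the one that carries the login form."""
        now = self._clock()
        sid = self._new_id()
        self._sessions[sid] = Session(None, now, now)
        return sid

    def login(self, sid: str, user: str) -> str:
        """Authenticate and rotate the ID. The pre-login ID is dropped, so an attacker
        who planted it in the victim's browser never holds a logged-in session."""
        self._sessions.pop(sid, None)
        now = self._clock()
        new_sid = self._new_id()
        self._sessions[new_sid] = Session(user, now, now)
        return new_sid

    def resolve(self, sid: str) -> Optional[str]:
        """Return the user for a valid logged-in session, else None. Expired sessions are
        deleted, so a cookie that survives a browser restart stops working on its own."""
        s = self._sessions.get(sid)
        if s is None or s.user is None:
            return None
        now = self._clock()
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created > ABSOLUTE_LIFETIME:
            del self._sessions[sid]
            return None
        s.last_seen = now
        return s.user


def set_cookie_header(sid: str) -> str:
    """Secure: only sent over TLS (the 'we use SSL' point). HttpOnly: not readable by page
    script, so an HTML-whitelist slip in PMs or contracts cannot read the ID. No Expires or
    Max-Age (assumed policy): the browser discards the cookie on exit instead of keeping
    the user logged in across reboots."""
    return f"Set-Cookie: session={sid}; Path=/; Secure; HttpOnly"


def fixation_demo() -> dict:
    """Attacker plants a known ID in the victim's browser, then the victim logs in."""
    store = SessionStore()
    planted = store.start()                      # attacker obtained this ID from the site
    victim_sid = store.login(planted, "victim")  # victim authenticates with the planted ID
    return {
        "attacker_sees_user": store.resolve(planted),   # None: planted ID was invalidated
        "victim_logged_in": store.resolve(victim_sid),  # "victim": the rotated ID works
        "ids_differ": planted != victim_sid,
    }


def lifetime_demo() -> dict:
    """Simulated clock: an idle session and an always-active session both expire."""
    now = [1_000_000.0]
    store = SessionStore(clock=lambda: now[0])

    idle = store.login(store.start(), "shareholder")
    now[0] += IDLE_TIMEOUT + 1                   # no requests for just over 30 min
    after_idle = store.resolve(idle)             # None: idle timeout

    active = store.login(store.start(), "shareholder")
    created = now[0]
    last = store.resolve(active)
    while now[0] - created <= ABSOLUTE_LIFETIME: # a request every 10 min, so idle never fires
        now[0] += 10 * 60
        last = store.resolve(active)             # ends as None once 12 h have passed
    return {"after_idle_timeout": after_idle, "after_absolute_lifetime": last}


if __name__ == "__main__":
    print(fixation_demo(), lifetime_demo(), set_cookie_header(SessionStore().start()))
```

The clock is injected so the expiry logic can be exercised without waiting; in a real deployment the store would be backed by something shared between web workers, and the same rotation should also happen on privilege changes such as enabling 2FA or changing a password.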
Jutarul
Donator
Legendary
Offline
Activity: 994
Merit: 1000
August 30, 2012, 07:30:11 PM
GLBSE resets the session ID after login, which prevents session fixation. We only whitelist certain HTML elements for PMs and contracts, so no XSS, and we use SSL, so no man-in-the-middle session sniffing attacks. Session IDs are not predictable or unencrypted.
I don't know exactly what you mean by this, but I have Google 2FA installed. When I log in on GLBSE and close the tab without logging out, I can re-open GLBSE after a few hours and it will come back up with me logged in, so I don't have to re-login. I do leave other tabs in my Google Chrome open, so I never close Chrome completely, FYI.
Even if you, after you totally CLOSE Internet Explorer or Firefox (I don't use Chrome, so can't test it), go to GLBSE, your session is still active/logged in. Actually, after you restart your computer, it is still logged in. I have 2FA activated, but only have to fill in the auth-key when I use a 'new' computer. As long as a 'hacker' can't use my session ID on his own computer, I see no problem, but according to the above this ID won't change since I'm always logged in.
OK, this then qualifies as a major security hazard. We need to advise any shareholder to only run GLBSE as a dedicated user then. Otherwise cross-application hacking is possible, especially since 2FA doesn't protect you from your shares being dumped to the market!
memvola
August 30, 2012, 07:43:19 PM
OK, this then qualifies as a major security hazard. We need to advise any shareholder to only run GLBSE as a dedicated user then. Otherwise cross-application hacking is possible.
How does cross-application scripting (?) apply to this case? I think the current scheme is pretty OK actually. Do you have a scenario for how a session can be remotely hijacked?
Jutarul
Donator
Legendary
Offline
Activity: 994
Merit: 1000
August 30, 2012, 10:17:30 PM
OK, this then qualifies as a major security hazard. We need to advise any shareholder to only run GLBSE as a dedicated user then. Otherwise cross-application hacking is possible.
How does cross-application scripting (?) apply to this case? I think the current scheme is pretty OK actually. Do you have a scenario for how a session can be remotely hijacked?
If you can't rely on the security settings of your browser (which is the case here), you have to go to the next level and put your applications into a sandbox. The easiest way to achieve that is to set up a different user account for trusted services, e.g. for logging into email, exchanges and GLBSE. Another, more fancy solution is to run the insecure stuff in a virtual machine. I know it's a hassle, but if you can't rely on the security model of GLBSE you have to make your own. I can't list attack scenarios for you because it's been a while since I've been reading up on the different possible attack vectors. But sandboxing/different user accounts is an old technique which hardly ever breaks (unless you run the insecure stuff as root).
Tachikoma
August 30, 2012, 10:29:11 PM
This discussion about GLBSE is a useful one but I feel this topic is not the place for it. When I see updates on this topic I hope to read about developments surrounding ASICMINER. I think these GLBSE discussions would be better off in their own topic.
memvola
August 30, 2012, 11:06:16 PM
I know it's a hassle, but if you can't rely on the security model of GLBSE you have to make your own.
Yes, I do run as different users when it's necessary for security. Yet I didn't really get why I shouldn't rely on GLBSE's model. I'll read about what you said about browser settings. I won't reply again, since it's apparently off-topic.
This discussion about GLBSE is a useful one but I feel this topic is not the place for it. When I see updates on this topic I hope to read about developments surrounding ASICMINER. I think these GLBSE discussions would be better off in their own topic.
I agree. Though it became relevant because of the possibility of me paying the price as a shareholder. I guess this is best moved to PMs.
VeeMiner
August 31, 2012, 04:00:36 PM Last edit: August 31, 2012, 08:29:31 PM by VeeMiner
So I decided to put some of my very limited budget in ASICMINER. It seems like a trustworthy company that can deliver and make good money in the long run. My question is whether we will receive any more information about the current development of this company, as there hasn't been much discussion about what's going on right now in the thread. I wonder if some of the bigger shareholders have some more information that they would be willing to share with the small investors.
imsaguy
General failure and former
VIP
Hero Member
Offline
Activity: 574
Merit: 500
Don't send me a pm unless you gpg encrypt it.
August 31, 2012, 04:18:32 PM
So I decided to put some of my very limited budget in ASICMINER. It seems like a trustworthy company that can deliver and make good money in the long run. My question is whether we will receive any more information about the current development of this company, as there hasn't been much on-subject discussion about what's going on right now in the thread. I wonder if some of the bigger shareholders have some more information that they would be willing to share with the small investors.
The board members receive emails with updates. I don't know how much they are allowed to disclose.
punin
August 31, 2012, 05:48:55 PM
GLBSE uses SSL from the browser to Cloudflare and from Cloudflare to the GLBSE server. Cloudflare can minify JavaScript (hence the "we may change site content" in their TOS). I have a paid service with them.
OMG, you're using Cloudflare? So you're trusting all our wealth in the hands of an SSL proxy?! I'm out!
VeeMiner
August 31, 2012, 08:30:20 PM
The board members receive emails with updates. I don't know how much they are allowed to disclose.
Yeah, that's what I meant. I would be interested if the board members could give us some information about the recent developments.
DeaDTerra
Donator
Legendary
Offline
Activity: 1064
Merit: 1000
August 31, 2012, 10:44:22 PM
The board members receive emails with updates. I don't know how much they are allowed to disclose.
Yeah, that's what I meant. I would be interested if the board members could give us some information about the recent developments.
I can provide this info if I get a good to go from friedcat. //DeaDTerra
zefir
Donator
Hero Member
Offline
Activity: 919
Merit: 1000
August 31, 2012, 10:46:27 PM
The board members receive emails with updates. I don't know how much they are allowed to disclose.
Yeah, that's what I meant. I would be interested if the board members could give us some information about the recent developments.
Hi VeeMiner, the additional information board members received so far does not exceed what is available here in the forums - at least nothing that would give you an informational advantage over non-board members. To give you a better idea, here is what has been provided so far:
1) a detailed explanation of the relation between ASICMINER and Bitfountain shares and how dividends will be distributed. This is basically a confirmation of what was already written in the IPO posts.
2) an introduction of the people behind Bitfountain, including full names, contact information, and a short CV. This is basically to confirm that those people a) are real, b) are capable of delivering what is planned, and c) can be contacted for further questions.
All in all it does not provide valuable information other than a strong indication that those folks are serious and the plan sounds reasonable. I'm pretty sure friedcat will make most of those documents available to the general public at a later date (but for obvious reasons he won't post contact information for the individual developers on a searchable forum). HTH
LazyOtto
August 31, 2012, 10:55:57 PM
Actually, zefir, merely what you have said is comforting. ty
And fits what I was expecting. The board members acting as a 'half-way house' where credibility/sincerity can be established without doing a full-monty to the entire public.
And, I hope, helping to smooth out or suggest clarification of statements before they are released to the unwashed mob who might misinterpret text presented in good faith.
imsaguy
General failure and former
VIP
Hero Member
Offline
Activity: 574
Merit: 500
Don't send me a pm unless you gpg encrypt it.
August 31, 2012, 11:12:30 PM
Actually, zefir, merely what you have said is comforting. ty
And fits what I was expecting. The board members acting as a 'half-way house' where credibility/sincerity can be established without doing a full-monty to the entire public.
And, I hope, helping to smooth out or suggest clarification of statements before they are released to the unwashed mob who might misinterpret text presented in good faith.
+1
friedcat (OP)
Donator
Legendary
Offline
Activity: 848
Merit: 1005
September 01, 2012, 07:04:15 AM
This week I have much more limited time for replying to mails and PMs. Please expect a delay of as long as 1-2 days. Though much information will be released to the board members only, direct questions from the community are still welcome.
In addition, timely replies will be back to normal from next Saturday. Before that, please understand that there may be some delays. Sorry for the inconvenience.
Board members could also ask my partners for answers if I couldn't reply very soon.
niko
September 01, 2012, 10:29:24 PM
There is obviously a race to ASICs with potentially valuable bounty at the end of the rainbow. Could you comment on what steps have been taken by Bitfountain to ensure security and integrity of their designs?
They're there, in their room. Your mining rig is on fire, yet you're very calm.
DiabloD3
Legendary
Offline
Activity: 1162
Merit: 1000
DiabloMiner author
September 01, 2012, 10:36:48 PM
There is obviously a race to ASICs with potentially valuable bounty at the end of the rainbow. Could you comment on what steps have been taken by Bitfountain to ensure security and integrity of their designs?
I am not going to publicly state the information I know, but I can tell you this: that isn't an issue.
DutchBrat
September 01, 2012, 11:40:57 PM
There is obviously a race to ASICs with potentially valuable bounty at the end of the rainbow. Could you comment on what steps have been taken by Bitfountain to ensure security and integrity of their designs?
I am not going to publicly state the information I know, but I can tell you this: that isn't an issue.
Maybe it is in the best interest of everyone to not be updated publicly, or at all, until the ASICs are happily hashing away. BFL isn't saying anything until they have a product, and we wouldn't want them rushing out their products (even far below spec) because they read in some thread on some forum that ASICMINER was 3 weeks from mining and producing....
Then again: I would like to know there's actually some progress being made... maybe that could be the role of the board members.
It is one thing to trust the people behind ASICMINER whom I have never met/seen (I'm not saying I don't trust you!!!), but it would instil more trust if a couple of the more noticeable board members told us everything is going as hoped, without giving away any timelines... I gotta think about this further....
imsaguy
General failure and former
VIP
Hero Member
Offline
Activity: 574
Merit: 500
Don't send me a pm unless you gpg encrypt it.
September 02, 2012, 12:32:13 AM
Then again: I would like to know there's actually some progress being made... maybe that could be the role of the board-members
It is one thing to trust the people behind ASICMINER whom I have never met/seen (I'm not saying I don't trust you!!!), but it would instil more trust if a couple of the more noticeable board members told us everything is going as hoped, without giving away any timelines...
There have been ongoing discussions between board members on the email list and I've not seen anything to indicate things aren't proceeding according to plan.