
Topic: 2FA desperately needed 2BTC Bounty (Read 5171 times)

hero member
Activity: 1162
Merit: 643
BTC, a coin of today and tomorrow.
June 10, 2024, 09:05:09 AM
#62
(I sent Stunna a PM about this bounty ~11 months ago and never heard anything back. I sent that PM because I thought it very likely that theymos would eventually merge my 2FA patch, and I wanted to give Stunna an opportunity to re-think this thread before that happened. Anyway, I'm not going to be an asshole about it and hound Stunna, but with 2 BTC on the table I'm also not going to play it so cool that I don't even try to claim it.)
Maybe you came too late. When Stunna created this thread, he gave a lot of publicity by continuously bumping the thread. At a time he even doubled the reward. You also would have written on this thread that you wanted to join the bounty before coding the patch. Stunna could argue that you didn't follow the due process to win the bounty Grin

Let's be hopeful OP will return to the forum because he appeared online this year. Also who knows if theymos might want to pay the reward of the bounty since the Op is not available.
legendary
Activity: 2968
Merit: 3061
Join the world-leading crypto sportsbook NOW!
June 10, 2024, 03:26:25 AM
#61
Stunna hasn't been online since Feb this year and hasn't posted since July 15, 2023. I think it would be a bit of a stretch to assume the bounty should be still available. The price of bitcoin on April 12 2014 was seemingly around $420 so at most the original offer of 2btc is less than a grand. Maybe he could send you that amount but I think trying to grab a whopping 2btc is a big ask  Grin.
hero member
Activity: 510
Merit: 4005
June 09, 2024, 11:01:02 PM
#60
I know this is a long shot, but... I did fulfill the requirements to be able to claim this still-open BTC-denominated bounty, so I'll leave an addy:

184Rg7mSkJ8WL1c5VjAMDi3QU7qXGJ29zy

(I sent Stunna a PM about this bounty ~11 months ago and never heard anything back. I sent that PM because I thought it very likely that theymos would eventually merge my 2FA patch, and I wanted to give Stunna an opportunity to re-think this thread before that happened. Anyway, I'm not going to be an asshole about it and hound Stunna, but with 2 BTC on the table I'm also not going to play it so cool that I don't even try to claim it.)

Here's the PM (for all you nosy motherfuckers excessively curious types):

Hey Stunna,

I hope you don't mind me sending you a PM out of nowhere.

I just wanted to check if the bounty you set for adding 2FA to the forum is still active?

No hard feelings if it isn't, I decided to take a shot at getting theymos to accept a 2FA patch before I was aware of your bounty, but I'd (obviously) be very happy to hear that you haven't rescinded your offer.

Kind regards -- PowerGlove
legendary
Activity: 3066
Merit: 1757
January 25, 2018, 02:50:23 PM
#59
Any news on 2FA implementation?
legendary
Activity: 1876
Merit: 1303
DiceSites.com owner
July 08, 2014, 07:04:57 AM
#58
I changed some things in my "2FA modification for SMF 1.1.19" and it would be great if some people could test it here.



Download: https://mega.co.nz/#!io5QxZrK!vhcQ1zdjauEYgeS_xpuOhWtLEmE_t3jcemakz4fKlKk


Install & Test (within 3 minutes)
1. Download SMF 1.1.19 - http://download.simplemachines.org/?archive;version=75
2. Install SMF
3. Download "2FA Modification" - https://mega.co.nz/#!io5QxZrK!vhcQ1zdjauEYgeS_xpuOhWtLEmE_t3jcemakz4fKlKk
4. Go to "Admin" > "Packages" > "Download Packages" > "Upload a Package" and select the .zip file
5. Click "Apply Mod" to install, then "Install now"
6. Change your 2FA settings at "Profile" > "2FA Settings"


Test without installing SMF
You can also just look at the ~5 relevant files to see if there is anything wrong with it.


Some details:
- Supports 2FA using OATH TOTP (Google Auth)
- Requires the 2FA code for enabling 2FA (with the key/QR that is shown)
- After that requires 2FA code for logging in and disabling it
- You cannot use the same 2FA code twice in a row for security reasons
- "Forgot password" still possible without 2FA, but you do still need 2FA to login
- Uses the default SMF method against multiple login tries (I will still look if this is sufficient)
- Uses phpSec for the OATH TOTP class and random string generator (openssl_random_pseudo_bytes, mcrypt_create_iv or mt_rand as fallback if other 2 unavailable.) I use 3 files of phpSec and stripped them down to only use the basic functions. http://phpseclib.com/
- Uses the following JS script to generate the QR code (only uses qrcode.min.js - doesn't need jQuery) https://github.com/davidshimjs/qrcodejs


I hope some people can test it, would be great, thanks Smiley
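
The TOTP behaviour listed in the post above (a shared base32 key, a code confirmed before 2FA is enabled, and no reuse of a code) can be sketched as follows. This is an added example in Python, not code from the SMF modification or phpSec; the function and class names, the ±1 step window and the otpauth label layout are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote

STEP = 30    # seconds per time step (RFC 6238 default)
DIGITS = 6   # code length used by Google Authenticator
SAMPLE_KEY = "SYLC3WL6FV56YB6T"  # the example key quoted in the thread, not a live secret


def new_secret() -> str:
    """80 random bits encoded as 16 base32 characters, the key shape the thread describes."""
    return base64.b32encode(secrets.token_bytes(10)).decode("ascii")


def hotp(key: bytes, counter: int) -> str:
    """RFC 4226: HMAC-SHA1 over the counter, dynamic truncation, decimal code."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def totp(b32_secret: str, now: float) -> str:
    """RFC 6238: HOTP whose counter is the number of 30-second steps since the epoch."""
    return hotp(base64.b32decode(b32_secret.upper()), int(now) // STEP)


def provisioning_uri(b32_secret: str, account: str, issuer: str) -> str:
    """Key URI carried by the QR code: the same key wrapped in an otpauth:// link."""
    label = quote(f"{issuer}:{account}")
    return f"otpauth://totp/{label}?secret={b32_secret}&issuer={quote(issuer)}"


class TotpVerifier:
    """Server-side state for one account: the key plus the last accepted time step."""

    def __init__(self, b32_secret: str, window: int = 1):
        self.key = base64.b32decode(b32_secret.upper())
        self.window = window   # steps of clock drift tolerated on either side (assumed)
        self.last_step = -1    # nothing accepted yet

    def verify(self, code: str, now: float = None) -> bool:
        code = code.strip()
        if not (code.isascii() and code.isdigit() and len(code) == DIGITS):
            return False
        current = int(time.time() if now is None else now) // STEP
        for step in range(current - self.window, current + self.window + 1):
            # Skip any step at or before the last accepted one: this is what
            # stops a captured code from being replayed inside its window.
            if step <= self.last_step:
                continue
            if hmac.compare_digest(hotp(self.key, step), code):
                self.last_step = step  # must be persisted with the account
                return True
        return False


def enable_2fa(b32_secret: str, first_code: str, now: float = None):
    """Enable 2FA only if the user proves the key was imported by entering a valid code."""
    verifier = TotpVerifier(b32_secret)
    return verifier if verifier.verify(first_code, now) else None
```

The `last_step` value has to be stored per account alongside the key, and failed attempts still need rate limiting, which the post leaves to SMF's default login throttling.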
hero member
Activity: 742
Merit: 502
Circa 2010
July 03, 2014, 07:18:01 PM
#57
any way to make a backup of a 2FA key if I close the key window and don't write the  key?

As stated there are really only two options if you want to backup your key but forgot to do it initially when the secret/QR code was offered. The first would be to disable your 2FA and then re-enable it noting down the new key associated with it. If for some reason you don't want to do that and you're using a phone based authenticator you might be able to extract the key from the phone data (easier on Android than on iOS). The first option is probably easier and more secure but if you want to do the second one there should be some guide - just google them out.
hero member
Activity: 616
Merit: 500
July 03, 2014, 10:44:09 AM
#56
any way to make a backup of a 2FA key if I close the key window and don't write the  key?
legendary
Activity: 1267
Merit: 1000
July 03, 2014, 03:36:55 AM
#55
Excellent advice - thanks for explaining this in such a way that is easy to understand.
legendary
Activity: 1876
Merit: 1303
DiceSites.com owner
July 03, 2014, 12:59:30 AM
#54
You should make the backup of the QR/key on a computer or piece of paper, not on your Android phone because if you lose your phone it's still lost :p AFAIK, Titanium Backup makes a backup of your whole phone, that might be good, but not what I meant.

The key is a 16 character code, like "SYLC3WL6FV56YB6T". You could just write this on a piece of paper and make sure any thief (or even "friends") cannot easily get this. If your phone is lost, your 2FA will still work with this 16-character code (just add it on a new phone.)

The QR code is actually also your key with an easy link for your mobile to understand it. You could just right click on the QR code and "print it". Or you could save it on your computer. But obviously you shouldn't leave an image like that on your computer, because if your computer gets hacked, the hacker will probably have both your passwords and your 2FA codes. You would have to encrypt these specific images to make it password-protected (with a unique long password - not used anywhere else.) To be honest I am not an expert in that and I am not sure what program is best for that (especially since TrueCrypt is gone.)

Maybe someone else has a recommendation for the best way to encrypt a file on a computer? Is making a ZIP file with 7z with a long unique password with AES-256 "good enough"? Or better use a "real encryption" program?
legendary
Activity: 1267
Merit: 1000
July 03, 2014, 12:45:24 AM
#53
Thanks for confirming that, NLNico.

But how do you make a protected back up of the new QR code/key?
Is that on Titanium Backup or Huh
Sorry for all the questions...
legendary
Activity: 1876
Merit: 1303
DiceSites.com owner
July 03, 2014, 12:01:03 AM
#52
Yes. You cannot see the key/QR after it's enabled for security reasons.

For example on an exchange or gambling site: if a hacker somehow hijacks your session, they will probably still need 2FA for any withdrawal (aka actually stealing your coins), so it would be a big problem if the key/QR is shown to them.

On most or all sites you should be able to easily disable 2FA with your current code. After you double-check it's really disabled, you can delete the specific account from your 2FA app. Then just enable it again with the new key/QR and make a (protected) backup of it.
legendary
Activity: 1267
Merit: 1000
July 02, 2014, 11:50:29 PM
#51

Anyway, what you should -always- do with 2FA is make a backup of the KEY or the QR code, so:
- print the QR code or key (and secure it properly!)
- write the key down (and secure it properly!)
- save the QR/key on your computer but make sure to encrypt it very well (so.. secure it properly!)

With this QR/key you can just import it in your new phone if your old one gets lost. (obv after that you should disable/enable the 2FA again to generate a new key.)



I need to do this, but how? 

The QR code is not visible once I enable....are  you saying to set up new?

Have numerous accounts using 2FA, and I kid about having this android just for 2FA.
I'll also be screwed if I lost this device.
legendary
Activity: 1876
Merit: 1303
DiceSites.com owner
June 30, 2014, 12:30:27 AM
#50
What if the device where the 2FA is saved gets broken or lost? Happened to me some weeks ago with an exchange, needed to give personal info to them and was a pain to get it back, but this forum requires no personal info and is international, so...
The way 2FA works is that your mobile phone and the forum have the same key. You are scanning the key with the QR code to import it into your mobile application (for example: Google Authenticator)

Some more background info:
For now I only implemented the "Time-based One-time Password Algorithm" (TOTP.) This algorithm uses the key and time to generate the digit code. This is why the device you use must have the correct time synchronized and also why Yubikey doesn't support it by default (Yubikey has no battery so no time.) There seems to be an application for Yubikey though btw: http://www.yubico.com/applications/internet-services/gmail/

Anyway, what you should -always- do with 2FA is make a backup of the KEY or the QR code, so:
- print the QR code or key (and secure it properly!)
- write the key down (and secure it properly!)
- save the QR/key on your computer but make sure to encrypt it very well (so.. secure it properly!)

With this QR/key you can just import it in your new phone if your old one gets lost. (obv after that you should disable/enable the 2FA again to generate a new key.)

At the 2FA setup page there will be a warning that says you can permanently lose access to your account if you don't make a backup. However in theory, like bluefirecorp said, you should be able to prove it by signing a message from a bitcoin address. But that depends on what policy theymos will use for that.



Theymos already gave some feedback on my modification and I will take a day or 2 to make some changes. After this I will publish the code in this thread so hopefully some more people can have a look at it. I made it like a "real SMF package" so it is very easy to install/test. Hopefully after that we can use it soon Smiley
legendary
Activity: 882
Merit: 1000
June 29, 2014, 08:44:51 PM
#49
What if the device where the 2FA is saved gets broken or lost? Happened to me some weeks ago with an exchange, needed to give personal info to them and was a pain to get it back, but this forum requires no personal info and is international, so...

Sign a message from a bitcoin address that was tied to your account in the past stating you own the account?
hero member
Activity: 616
Merit: 500
June 29, 2014, 04:16:03 PM
#48
What if the device where the 2FA is saved gets broken or lost? Happened to me some weeks ago with an exchange, needed to give personal info to them and was a pain to get it back, but this forum requires no personal info and is international, so...
legendary
Activity: 3192
Merit: 1279
Primedice.com, Stake.com
June 29, 2014, 02:52:03 PM
#47
Hey Stunna, just to let you know, I made a modification for 2FA support for this forums' version (SMF 1.1.19.) I just sent a PM to theymos with the details. I hope he can check it to see if it all works properly so it can be implemented soon Smiley

If he accepts/implements it I'll make good on my offer. Thanks for giving this a shot
newbie
Activity: 10
Merit: 0
June 29, 2014, 09:52:36 AM
#46
Wow you have really put up much effort on making this. IMO established forums do offer this sometimes specially when they have money (or electronic items) in there.
legendary
Activity: 1876
Merit: 1303
DiceSites.com owner
June 29, 2014, 09:18:32 AM
#45
Hey Stunna, just to let you know, I made a modification for 2FA support for this forums' version (SMF 1.1.19.) I just sent a PM to theymos with the details. I hope he can check it to see if it all works properly so it can be implemented soon Smiley
legendary
Activity: 3192
Merit: 1279
Primedice.com, Stake.com
April 13, 2014, 10:23:10 PM
#44
Bounty was doubled the other day, if anyone would like to pledge towards the bounty please let me know.
legendary
Activity: 3192
Merit: 1279
Primedice.com, Stake.com
March 29, 2014, 01:15:56 PM
#43
Here's a friendly bump again, as it's really a nice idea.

"Authy" might be useful here. Cryptsy uses it too. By Authy, you get a code on your smartphone which gives you the right to log in. This coin is only valid for 20 seconds.

So, if someone wants to hack your account, they need your password as well as your phone physically.

Theymos wants some sort of custom implementation made exclusively for this forum version. 
legendary
Activity: 1050
Merit: 1007
Live like there is no tomorrow!
March 26, 2014, 07:03:27 PM
#42
Here's a friendly bump again, as it's really a nice idea.

"Authy" might be useful here. Cryptsy uses it too. By Authy, you get a code on your smartphone which gives you the right to log in. This coin is only valid for 20 seconds.

So, if someone wants to hack your account, they need your password as well as your phone physically.
legendary
Activity: 3192
Merit: 1279
Primedice.com, Stake.com
March 21, 2014, 02:04:40 PM
#41
Bumping this again as I think this should be implemented before a year from now.

If someone wants to write a patch for it, I will seriously consider adding it. I believe that safely adding 2FA would be very time-consuming, so I'm not willing to do it myself or direct Slickage to do it.

Not sure how time consuming this would be, I'm willing to put 1BTC towards a bounty for it though. The only condition of the bounty would be that it is of high enough quality to be accepted/implemented by Theymos. If anyone would like to contribute towards this bounty or is interested in writing the patch please let me know.


EDIT: I've doubled the bounty if anyone is interested, it is now 2BTC.
administrator
Activity: 5222
Merit: 13032
March 19, 2014, 10:17:55 PM
#40
Bumping this again as I think this should be implemented before a year from now.

If someone wants to write a patch for it, I will seriously consider adding it. I believe that safely adding 2FA would be very time-consuming, so I'm not willing to do it myself or direct Slickage to do it.
administrator
Activity: 5222
Merit: 13032
March 19, 2014, 10:02:17 PM
#39
Nothing yet. You might want to check the "New software" sub-forum in the meta section and theymos is asking for suggestions so this feature might be added to the new forum.

That's already in the requirements.
full member
Activity: 147
Merit: 100
March 19, 2014, 09:39:22 PM
#38
Nothing yet. You might want to check the "New software" sub-forum in the meta section and theymos is asking for suggestions so this feature might be added to the new forum.
legendary
Activity: 3192
Merit: 1279
Primedice.com, Stake.com
March 19, 2014, 08:17:37 PM
#37
Bumping this back up. Unless new software is coming within a month, I recommend adding in 2fa.

Theymos recently stated it'll be a feature of the new forum, but that's apparently a year away:

https://bitcointalksearch.org/topic/m.5069851

Bumping this again as I think this should be implemented before a year from now.
global moderator
Activity: 4018
Merit: 2728
Join the world-leading crypto sportsbook NOW!
February 12, 2014, 12:33:56 PM
#36
Bumping this back up. Unless new software is coming within a month, I recommend adding in 2fa.

Theymos recently stated it'll be a feature of the new forum, but that's apparently a year away:

https://bitcointalksearch.org/topic/m.5069851
legendary
Activity: 1137
Merit: 1035
Bitcoin accepted here
February 12, 2014, 12:31:07 PM
#35
Bumping this back up. Unless new software is coming within a month, I recommend adding in 2fa.

I really don't think that's the case...
legendary
Activity: 3192
Merit: 1279
Primedice.com, Stake.com
February 12, 2014, 10:53:11 AM
#34
Bumping this back up. Unless new software is coming within a month, I recommend adding in 2fa.
full member
Activity: 362
Merit: 100
January 29, 2014, 01:30:20 PM
#33
If this was offered then finally accounts would be more secure. but as usual we shouldn't expect any big change like this in this year because people programming here like to take their time with the work  Grin .
legendary
Activity: 3192
Merit: 1279
Primedice.com, Stake.com
January 28, 2014, 11:14:01 PM
#32
Maybe the new forum which some speak of is going to have this implemented.

Don't see that getting released anytime in the near future, may as well implement it in the current forum.
hero member
Activity: 602
Merit: 500
January 27, 2014, 06:17:56 PM
#31
Maybe the new forum which some speak of is going to have this implemented.
sr. member
Activity: 288
Merit: 250
January 27, 2014, 06:02:58 PM
#30
I think so too, for our own safety.
legendary
Activity: 3192
Merit: 1279
Primedice.com, Stake.com
January 27, 2014, 03:19:42 PM
#29
Bumping this up from page three, this definitely needs to be done.
legendary
Activity: 3192
Merit: 1279
Primedice.com, Stake.com
January 12, 2014, 04:11:53 AM
#28
Bump, hope everyone is having a splendid weekend!

hero member
Activity: 658
Merit: 502
Doesn't use these forums that often.
January 06, 2014, 03:06:41 AM
#27
Come on theymos!
legendary
Activity: 3192
Merit: 1279
Primedice.com, Stake.com
January 05, 2014, 10:52:06 PM
#26
Staff account hacked, just another reason for 2FA:

https://bitcointalksearch.org/topic/m.4291311
sr. member
Activity: 389
Merit: 250
January 05, 2014, 08:00:59 PM
#25
A little bump because I support this.
legendary
Activity: 3192
Merit: 1279
Primedice.com, Stake.com
January 04, 2014, 03:04:20 PM
#24
Pushing this back up from page 3.
legendary
Activity: 3192
Merit: 1279
Primedice.com, Stake.com
December 25, 2013, 11:31:42 PM
#23
Merry Christmas everyone  Smiley
sr. member
Activity: 459
Merit: 250
December 20, 2013, 02:29:11 PM
#22
YubiCloud Yubikey 2FA gets my vote since I already own one.

Something 2FA is definitely required though.
legendary
Activity: 1204
Merit: 1001
December 18, 2013, 04:05:30 PM
#21
never gonna happen. too much effort. no one cares about you. find another forum.
legendary
Activity: 3192
Merit: 1279
Primedice.com, Stake.com
December 18, 2013, 03:58:24 PM
#20
Bumping this to keep it on first page, I think this is a 100% necessary update and shouldn't be too difficult.
b!z
legendary
Activity: 1582
Merit: 1010
December 14, 2013, 06:27:38 AM
#19
legendary
Activity: 1652
Merit: 1128
December 14, 2013, 02:53:47 AM
#18
For some, "soon" is equivalent to "two more weeks™",
for the forum software, "soon" is more like "two more years" Grin

Ha, figured it may've been something along these lines.  Cheesy

Is there any updates on the avatar situation?

Yes I have an update. The update is that an update will be coming eventually.  Grin

Any updates on the update time for the update?

We apologize for the lack of an update about the update. Those responsible have been sacked.

Watched too much Monty Python this weekend
hero member
Activity: 588
Merit: 500
December 13, 2013, 08:34:18 PM
#17
this would be a nice addon to this forum specially with the two recent attacks and the possibility that some accounts (specially in the last attack) has been compromised. making a fully updated software would be even better but on short-term adding 2FA is a priority.
Quote
Yes I have an update. The update is that an update will be coming eventually.   Grin
update us when that update is updated  Roll Eyes
legendary
Activity: 2912
Merit: 6403
Blackjack.fun
December 13, 2013, 02:10:40 PM
#16
For some, "soon" is equivalent to "two more weeks™",
for the forum software, "soon" is more like "two more years" Grin

Ha, figured it may've been something along these lines.  Cheesy

Is there any updates on the avatar situation?

Yes I have an update. The update is that an update will be coming eventually.  Grin

Any updates on the update time for the update?
legendary
Activity: 1302
Merit: 1007
December 11, 2013, 08:12:11 PM
#15
Yeah, I totally support this. Of course, it shouldn't be required, but it could really help us feel safer when attacks such as the last few happen. Not so much for the password, but for the account.
legendary
Activity: 3192
Merit: 1279
Primedice.com, Stake.com
December 11, 2013, 05:45:22 PM
#14
Yes I have an update. The update is that an update will be coming eventually.  Grin

Hah, may as well toss in an authenticator for now then. Costs nothing and would take almost no time. I believe Theymos is in university though so he's probably busy with finals, but it would be appreciated if he looked into adding this when free.
hero member
Activity: 658
Merit: 502
Doesn't use these forums that often.
December 11, 2013, 12:06:40 PM
#13
For some, "soon" is equivalent to "two more weeks™",
for the forum software, "soon" is more like "two more years" Grin

Ha, figured it may've been something along these lines.  Cheesy

Is there any updates on the avatar situation?

Yes I have an update. The update is that an update will be coming eventually.  Grin

It's been so long, might as well fork NodeBB and create some new forum software xD
legendary
Activity: 1652
Merit: 1128
December 11, 2013, 11:53:15 AM
#12
For some, "soon" is equivalent to "two more weeks™",
for the forum software, "soon" is more like "two more years" Grin

Ha, figured it may've been something along these lines.  Cheesy

Is there any updates on the avatar situation?

Yes I have an update. The update is that an update will be coming eventually.  Grin
global moderator
Activity: 4018
Merit: 2728
Join the world-leading crypto sportsbook NOW!
December 11, 2013, 11:46:09 AM
#11
For some, "soon" is equivalent to "two more weeks™",
for the forum software, "soon" is more like "two more years" Grin

Ha, figured it may've been something along these lines.  Cheesy

Is there any updates on the avatar situation?
qwk
donator
Activity: 3542
Merit: 3413
Shitcoin Minimalist
December 11, 2013, 11:42:43 AM
#10
For some, "soon" is equivalent to "two more weeks™",
for the forum software, "soon" is more like "two more years" Grin
global moderator
Activity: 4018
Merit: 2728
Join the world-leading crypto sportsbook NOW!
December 11, 2013, 06:14:29 AM
#9
Yeah, would be a good idea, but I don't know how easily or how costly it would be to implement. I also heard the forum is getting new software soon, so hopefully maybe that will/or could be a feature.
This is borderline easy to implement.

Even mobile phone verification?
Mobile verification is stupid. Authy/Google Authenticator FTW.

What's stupid about it? And I've only just quickly googled what Authy is, but if it's some kind of mobile app verification, then I suppose that's just as good.

I also heard the forum is getting new software soon
Roll Eyes
I read that line and thought the same Tongue

Care to elaborate?
hero member
Activity: 658
Merit: 502
Doesn't use these forums that often.
December 11, 2013, 01:27:00 AM
#8
Yeah, would be a good idea, but I don't know how easily or how costly it would be to implement. I also heard the forum is getting new software soon, so hopefully maybe that will/or could be a feature.
This is borderline easy to implement.

Even mobile phone verification?
Mobile verification is stupid. Authy/Google Authenticator FTW.
legendary
Activity: 1204
Merit: 1001
December 10, 2013, 08:07:50 PM
#7
I also heard the forum is getting new software soon
Roll Eyes

I read that line and thought the same Tongue
qwk
donator
Activity: 3542
Merit: 3413
Shitcoin Minimalist
December 10, 2013, 03:45:25 PM
#6
I also heard the forum is getting new software soon
Roll Eyes
global moderator
Activity: 4018
Merit: 2728
Join the world-leading crypto sportsbook NOW!
December 10, 2013, 02:06:20 PM
#5
Yeah, would be a good idea, but I don't know how easily or how costly it would be to implement. I also heard the forum is getting new software soon, so hopefully maybe that will/or could be a feature.
This is borderline easy to implement.

Even mobile phone verification?
hero member
Activity: 658
Merit: 502
Doesn't use these forums that often.
December 10, 2013, 01:50:37 PM
#4
Yeah, would be a good idea, but I don't know how easily or how costly it would be to implement. I also heard the forum is getting new software soon, so hopefully maybe that will/or could be a feature.
This is borderline easy to implement.
member
Activity: 98
Merit: 10
December 09, 2013, 09:25:44 AM
#3
Great idea  Smiley ,specially for important commercial and administrative accounts and any account that can be potentially used to scam with. and with the hack there is an increased risk though most already changed passwords (and the possibility of future hacks).
global moderator
Activity: 4018
Merit: 2728
Join the world-leading crypto sportsbook NOW!
December 09, 2013, 08:46:06 AM
#2
Yeah, would be a good idea, but I don't know how easily or how costly it would be to implement. I also heard the forum is getting new software soon, so hopefully maybe that will/or could be a feature.
legendary
Activity: 3192
Merit: 1279
Primedice.com, Stake.com
December 09, 2013, 06:49:20 AM
#1
I know this has been posted before, but I feel this is of the utmost importance especially given the recent man-in-the-middle attack. If Theymos could quickly look into adding this, it would be much appreciated as passwords were potentially compromised recently. I'd feel much safer if given some sort of two step option.

This is especially important for the sake of protecting moderator/escrow accounts, quite a bit of damage could be done if those accounts were compromised.


Thanks


EDIT: A staff account was compromised this could have been easily prevented.


EDIT2: A bounty has been created: https://bitcointalksearch.org/topic/m.5826860


EDIT3: I've upped the bounty to 2BTC.

Edit4: A fix has been proposed, waiting on Theymos to check it out and potentially implement.