Topic: [4+ EH] Slush Pool (slushpool.com); Overt AsicBoost; World First Mining Pool - page 1131. (Read 4382642 times)

legendary
Activity: 1386
Merit: 1097
Quote
I tried changing the password for one of my workers.  The new password is displayed on the website, but the original password is still required when running the miner.

Oh, I'm surprised that nobody asked for this before. Unfortunately, this is 'by design'. I mean, once a worker asks for his first getwork, the application loads his settings into memory and keeps them until the application restarts; it is a performance optimization, because it's not possible to ask the database 100x per second to check a worker's login/password. So I plan to add a periodic reload of those credentials, but even then it will take some time until the credentials loaded in memory expire...

Quote
Also, is it possible to change my account password, as opposed to the worker passwords?

Now it is possible, you can reset the password from the login page. Still not comfortable, because you have to confirm your email even if you know the old password, but it works.
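The credential caching described in the post above leaves a window in which a changed worker password is not yet enforced. The sketch below is an added example, not part of the thread and not the pool's code; `CredentialCache`, the worker name, the timings and the `invalidate` hook are all assumptions made for illustration.

```python
import hmac


class CredentialCache:
    """Toy in-memory worker credential cache (constructed for illustration)."""

    def __init__(self, database, ttl):
        self.db = database   # dict: worker login -> current password (toy store)
        self.ttl = ttl       # seconds; None models "keep until application restart"
        self._cache = {}     # worker login -> (password, time it was loaded)

    def check(self, worker, password, now):
        """Validate a login at time `now`, re-reading the database only on expiry."""
        entry = self._cache.get(worker)
        if entry is None or (self.ttl is not None and now - entry[1] >= self.ttl):
            entry = self._cache[worker] = (self.db.get(worker), now)
        stored = entry[0]
        return stored is not None and hmac.compare_digest(stored, password)

    def invalidate(self, worker):
        """Drop the cached entry; meant to be called by the password-change handler."""
        self._cache.pop(worker, None)


def old_password_accept_times(ttl, invalidate_on_change=False):
    """Times (s) at which the OLD password still works after a change at t=10."""
    db = {"user.worker1": "old-pw"}
    cache = CredentialCache(db, ttl)
    cache.check("user.worker1", "old-pw", now=0)  # first getwork loads the entry
    db["user.worker1"] = "new-pw"                 # changed on the website at t=10
    if invalidate_on_change:
        cache.invalidate("user.worker1")
    return [t for t in range(10, 200, 30)
            if cache.check("user.worker1", "old-pw", now=t)]


if __name__ == "__main__":
    print("until restart:", old_password_accept_times(None))
    print("60 s reload:  ", old_password_accept_times(60))
    print("invalidate:   ", old_password_accept_times(60, invalidate_on_change=True))
```

A periodic reload shortens the window to at most one reload interval; invalidating the entry when the password changes closes it without extra database reads on the getwork path.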
legendary
Activity: 1386
Merit: 1097
Quote
Hey slush, weird question, but does the server give a response to the client when they find a valid block?

No, when the miner reports 'found block', it is only a found pool share (block with difficulty 1). You have to check the website to see if your workers have some number in the 'blocks' column.
legendary
Activity: 1386
Merit: 1097
Quote
1) Am I correct that the username/password of my workers don't actually have to be "secure", as the most that one could do with them is submit shares for me, right? And they're passed unencrypted by the miner, right?

Yes, with a worker login/password, nobody can do anything wrong (change wallet, log in to profile or so). But you should still keep it secret (I mean don't post it to the forum or so), because somebody can sabotage your miner's work in this way.

The pool has memory for the last 12 getwork requests per worker, to validate a submitted share later. So when somebody requests getworks using your worker credentials while your miner is working and your miner submits a valid share, it can be rejected because the attacker has already pushed this job out of the pool queue. So, nothing strange, but simply don't spread your credentials to other people.

Quote
2) Are there any plans for SSL for the web management interface? If not, it seems that an attacker could learn my account password (as opposed to a worker's password) or impersonate my session (as it seems to remember me via a cookie),

There is SSL enabled, but only with a self-signed certificate. Currently I don't plan to change it, because startssl.com offers only weak, 128bit certificates and classic certificates are quite expensive. But if you care, you can write down the certificate fingerprint...

Quote
and then change the bitcoin address that rewards get sent to. If I'm vigilant I might notice, but an attacker may steal quite a few bitcoins from me before I notice. I do understand that I'm getting exactly what I'm paying for here, but as the pool becomes a bigger and bigger part of the bitcoin mining system, it may be a good plan to look at as it may start to become a target.

I agree that security IS the concern here. At first I was oriented mainly to the security of the pool algorithm, but it looks pretty good, so I can work on frontend improvements. Today I implemented CSRF protection, which improves security against javascript attacks.
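The per-worker memory of the last 12 getwork requests mentioned in the post above can be modelled in a few lines, which shows why a share is rejected once its job has been pushed out. This is an added example, not part of the thread and not the pool's code; the class, the worker and client names, and the `sources` check (a way an operator could notice two clients sharing one login) are assumptions.

```python
from collections import deque
from itertools import count

WINDOW = 12  # the post says the pool remembers the last 12 getwork requests per worker


class Pool:
    """Toy model of the per-worker job memory (constructed for illustration)."""

    def __init__(self):
        self._ids = count(1)
        self._jobs = {}  # worker login -> deque of (job_id, source) pairs

    def getwork(self, worker, source):
        """Hand out a job and remember it; the oldest job falls out after WINDOW."""
        job_id = next(self._ids)
        self._jobs.setdefault(worker, deque(maxlen=WINDOW)).append((job_id, source))
        return job_id

    def submit(self, worker, job_id):
        """Accept a share only if its job is still in the worker's window."""
        known = {jid for jid, _ in self._jobs.get(worker, ())}
        return "accepted" if job_id in known else "rejected: unknown job"

    def sources(self, worker):
        """Hypothetical operator check: distinct clients seen in the window."""
        return {src for _, src in self._jobs.get(worker, ())}


def simulate(extra_requests):
    """One miner takes a job; a second client with the same login asks for more."""
    pool = Pool()
    job = pool.getwork("user.worker1", "miner-A")
    for _ in range(extra_requests):
        pool.getwork("user.worker1", "other-client")
    return pool.submit("user.worker1", job), pool.sources("user.worker1")


if __name__ == "__main__":
    for n in (0, 11, 12):
        result, seen = simulate(n)
        print(f"{n:2d} extra getworks -> {result}; sources in window: {sorted(seen)}")
```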
legendary
Activity: 1386
Merit: 1097
Today's pool update:
  • Added protection against CSRF to account page.
  • Password reset feature (follow link on login page)
lfm
full member
Activity: 196
Merit: 104
Quote
dooglus,

The current round lasts until the pool finds a new block. Everyone who contributed to finding that block gets paid based on the shares, and a new round starts.

At least that's my understanding.

Ya, just if your account is sub-penny the fractions get carried over to the next round
sr. member
Activity: 294
Merit: 252
dooglus,

The current round lasts until the pool finds a new block. Everyone who contributed to finding that block gets paid based on the shares, and a new round starts.

At least that's my understanding.
legendary
Activity: 2940
Merit: 1333
On http://mining.bitcoin.cz/home/ it says:
Quote
"Shares do not carry over from one block to the next. When the pool mints a block, only users who worked on that block are rewarded, and only for work they did on that block."
but that doesn't seem to be the case.

I am getting rewarded for all blocks I contribute shares to, not only the ones the pool mints.  It seems that the server counts up all the shares in the current round, not just the current block.  The distinction being that a round lasts until we mint a block.  Sometimes over 20 blocks are minted by others before we get to mint one, but all the shares I contribute in the mean time also get rewarded.
newbie
Activity: 37
Merit: 0
is it possible for you to display the amount of btc each worker made? that would help me a lot. thanks.
legendary
Activity: 2940
Merit: 1333
I tried changing the password for one of my workers.  The new password is displayed on the website, but the original password is still required when running the miner.  I even tried deleting the worker and recreating it with the new password, but the original password is still required.  Eventually I had to make a worker with a different name to get the password changed.

Also, is it possible to change my account password, as opposed to the worker passwords?

Thanks.

Chris.
sr. member
Activity: 294
Merit: 252
Hey slush, weird question, but does the server give a response to the client when they find a valid block?
hero member
Activity: 630
Merit: 500
Quote
I made pool to help standalone miners smooth their income, not to help people with stealing CPU power from university computer lab.

no, I am using google app engine (https://appengine.google.com/) free quota.
It has 6.5 free "cpu hour" (which is, only 3 real hours) per application.
10 applications for each user (verified by SMS).  That is .... around 50G hashes per day per mobile phone number.

It is written in java, and I will release the source code in a few days.

Slush, I'm shamelessly using this technique as well. If this causes issues for your servers I would be happy to lower the getwork request rate (and slow down generation/stop using so many resources) or if it really bothers you you can remove these clients from your end of the site (I won't re-add them). I just can't say no to free bitcoins (without free room noise and heat)
pc
sr. member
Activity: 253
Merit: 250
I've been using the pool happily for a few days now, and I have a couple questions relating to its security:

1) Am I correct that the username/password of my workers don't actually have to be "secure", as the most that one could do with them is submit shares for me, right? And they're passed unencrypted by the miner, right?

2) Are there any plans for SSL for the web management interface? If not, it seems that an attacker could learn my account password (as opposed to a worker's password) or impersonate my session (as it seems to remember me via a cookie), and then change the bitcoin address that rewards get sent to. If I'm vigilant I might notice, but an attacker may steal quite a few bitcoins from me before I notice. I do understand that I'm getting exactly what I'm paying for here, but as the pool becomes a bigger and bigger part of the bitcoin mining system, it may be a good plan to look at as it may start to become a target.

Thanks!
newbie
Activity: 37
Merit: 0
Quote
That's only ~578 khashes/second. Doesn't seem that great.

Well. You pay nothing for that 578khashes.
If you want more, it costs $0.1 per "cpu hour" (that's around 500k hashes).

Quote
Where does the hashing happen, on the mobile phones or on Google's servers? Doesn't seem like something they'd give away for free...

It is on Google's servers. The mobile phone number is for SMS verification.
Why free? It's something like Flickr or Picasa -- they want you to depend on their service and pay them someday.
legendary
Activity: 1386
Merit: 1097
Quote
Block of 50 coins that I generate for the pooled miner was signed with the key of the pooled miner.

Yes, something like this. The job received by the miner contains a transaction for 50BTC to the pool wallet.
full member
Activity: 143
Merit: 100
Quote
If you mean 'steal it for myself and make own 50 BTC' - it is technically not possible.

If you mean 'steal it for myself and sabotage cluster' - it is possible, but you cut yourself for reward, so it is economically unsuitable for you. It was also heavily discussed on the forum before, please read it before new posts on this topic.

I did see it before and will read it again so maybe I can clarify the question I have been trying to ask for five posts now.  I *thought* your answer was going to be that somehow the block of 50 coins that I generate for the pooled miner was signed with the key of the pooled miner and thus, to steal the block would do me no good, as it was already allocated to you before it left my computer.  Had you answered in this way, my next question was going to be how that is achieved.  I'll go back and re-read the posts and maybe after five or so more attempts I'll be able to structure my question properly.
legendary
Activity: 1386
Merit: 1097
Quote
Okay, I'll try to keep it simple.  When I generate a valid block worth 50 bitcoins as part of the pool, how do you prevent me from keeping the block for myself when I find it?

If you mean 'steal it for myself and make own 50 BTC' - it is technically not possible.

If you mean 'steal it for myself and sabotage cluster' - it is possible, but you cut yourself for reward, so it is economically unsuitable for you. It was also heavily discussed on the forum before, please read it before new posts on this topic.
sr. member
Activity: 294
Merit: 252
Quote
I made pool to help standalone miners smooth their income, not to help people with stealing CPU power from university computer lab.

no, I am using google app engine (https://appengine.google.com/) free quota.
It has 6.5 free "cpu hour" (which is, only 3 real hours) per application.
10 applications for each user (verified by SMS).  That is .... around 50G hashes per day per mobile phone number.

It is written in java, and I will release the source code in a few days.

That's only ~578 khashes/second. Doesn't seem that great. Where does the hashing happen, on the mobile phones or on Google's servers? Doesn't seem like something they'd give away for free...
legendary
Activity: 1386
Merit: 1097
Quote
no, I am using google app engine (https://appengine.google.com/) free quota.

Well, nothing is for 'free'. But I won't judge this.

Quote
around 50G hashes per day per mobile phone number.

Which is 11 pool shares per day from whole GAE cluster, so average 0.033 bitcoins (or 0.01 USD) daily. Wow!

(GAE is a great tool and I also use it. But its purpose is different than crunching hashes.)
full member
Activity: 143
Merit: 100

Hey, sorry, but I completely don't understand what your question is...? When you want to solve blocks standalone, simply connect your miner to your local bitcoind.

Quote

Okay, I'll try to keep it simple.  When I generate a valid block worth 50 bitcoins as part of the pool, how do you prevent me from keeping the block for myself when I find it?

newbie
Activity: 37
Merit: 0
Quote
I made pool to help standalone miners smooth their income, not to help people with stealing CPU power from university computer lab.

no, I am using google app engine (https://appengine.google.com/) free quota.
It has 6.5 free "cpu hour" (which is, only 3 real hours) per application.
10 applications for each user (verified by SMS).  That is .... around 50G hashes per day per mobile phone number.

It is written in java, and I will release the source code in a few days.