
Topic: -account compromised- (Read 3375 times)

copper member
Activity: 2310
Merit: 1032
March 18, 2013, 07:44:48 AM
#43
Message:
Code:
I'm psy. Squall1066 has been scammed by MAC in 24 BTC. This is just a test message intended for Bitcointalk and not to be taken seriously by anyone. Mon, March 18 2013 10:40 AM

Signature:
Code:
G+tumBo0kYxAttLfFXfbiCTYICQjHd0zy98d7K79UTA9nXxN280XB8sKLYcR//Jr1MoUDLnyXRG0XPGoa+6qprQ=

Now anyone can check my OTC page (linked in my signature), get my public Bitcoin address from there and verify I was the one who signed a message.

To verify, open Bitcoin-qt, File > Verify Message, enter my bitcoin address in the 1st field, the message in the 2nd field and the signature in the 3rd field and press the Verify Message button.

FFS, this is in Bitcoin-qt, with a graphical interface. Any donkey can do it.

EEeehh AAAAuuuuhhhhh, I can't do it lol, where is the address for the first field?

OK, I got it.



Check the part on the quote that wasn't bolded by you...
legendary
Activity: 1358
Merit: 1002
March 18, 2013, 07:39:06 AM
#42
Message:
Code:
I'm psy. Squall1066 has been scammed by MAC in 24 BTC. This is just a test message intended for Bitcointalk and not to be taken seriously by anyone. Mon, March 18 2013 10:40 AM

Signature:
Code:
G+tumBo0kYxAttLfFXfbiCTYICQjHd0zy98d7K79UTA9nXxN280XB8sKLYcR//Jr1MoUDLnyXRG0XPGoa+6qprQ=

Now anyone can check my OTC page (linked in my signature), get my public Bitcoin address from there and verify I was the one who signed a message.

To verify, open Bitcoin-qt, File > Verify Message, enter my bitcoin address in the 1st field, the message in the 2nd field and the signature in the 3rd field and press the Verify Message button.

FFS, this is in Bitcoin-qt, with a graphical interface. Any donkey can do it.

EEeehh AAAAuuuuhhhhh, I can't do it lol, where is the address for the first field?

Check the part on the quote that wasn't bolded by you...
copper member
Activity: 2310
Merit: 1032
March 18, 2013, 07:35:19 AM
#41
Message:
Code:
I'm psy. Squall1066 has been scammed by MAC in 24 BTC. This is just a test message intended for Bitcointalk and not to be taken seriously by anyone. Mon, March 18 2013 10:40 AM

Signature:
Code:
G+tumBo0kYxAttLfFXfbiCTYICQjHd0zy98d7K79UTA9nXxN280XB8sKLYcR//Jr1MoUDLnyXRG0XPGoa+6qprQ=

Now anyone can check my OTC page (linked in my signature), get my public Bitcoin address from there and verify I was the one who signed a message.

To verify, open Bitcoin-qt, File > Verify Message, enter my bitcoin address in the 1st field, the message in the 2nd field and the signature in the 3rd field and press the Verify Message button.

FFS, this is in Bitcoin-qt, with a graphical interface. Any donkey can do it.

EEeehh AAAAuuuuhhhhh, I can't do it lol, where is the address for the first field?
hero member
Activity: 952
Merit: 1009
March 18, 2013, 07:11:04 AM
#40
Even better. So that system is already in place.
legendary
Activity: 1358
Merit: 1002
March 18, 2013, 06:42:45 AM
#39
Message:
Code:
I'm psy. Squall1066 has been scammed by MAC in 24 BTC. This is just a test message intended for Bitcointalk and not to be taken seriously by anyone. Mon, March 18 2013 10:40 AM

Signature:
Code:
G+tumBo0kYxAttLfFXfbiCTYICQjHd0zy98d7K79UTA9nXxN280XB8sKLYcR//Jr1MoUDLnyXRG0XPGoa+6qprQ=

Now anyone can check my OTC page (linked in my signature), get my public Bitcoin address from there and verify I was the one who signed a message.

To verify, open Bitcoin-qt, File > Verify Message, enter my bitcoin address in the 1st field, the message in the 2nd field and the signature in the 3rd field and press the Verify Message button.

FFS, this is in Bitcoin-qt, with a graphical interface. Any donkey can do it.
legendary
Activity: 906
Merit: 1002
March 18, 2013, 06:06:04 AM
#38
Hm... maybe it would be a good feature if there is a fixed bitcoin address bound to every user account (set during registration) and only admins/mods can change those. Maybe that's too much trouble for mods, so a second possibility: there is a bitcoin address bound to every user account with the timestamp when it has been set and a public log of the old bitcoin addresses with the old timestamps.

When you use those addresses for transactions (at least for the bigger ones) the right owner would get the funds and could send them back later in case he didn't request that transaction.
If an address had changed in the last couple of days you can still decide if you trust that new address and/or ask the "owner" if it's not possible to use an "older" address from the logs.
vip
Activity: 1316
Merit: 1043
👻
March 18, 2013, 05:41:47 AM
#37
Not much point in IPs; most scammers use Tor anyway. We need something else.

If we're dealing with identity theft do we not already have a solution for that with the signature function in the client?

I thought that just ties up the client with an address. If an account is hacked, could it not come from any client?

Now I don't claim to understand the signature thingy completely, but the way I understand it, it is possible to sign a message with the client. This signature depends on the context of the message and the wallet keys and can be checked for authenticity in another client. The following should then be possible:
- Build a central repository of signatures for users (yeah, yeah, I know, centralization bad, but bear with me)
- When a user requests a loan, have him sign that message with the client.
- Now you should be able to check that signature against the signature in the repository via your own client and determine if the person is indeed who they claim to be.

Someone correct me if I'm wrong here. I'm not good with the signature stuff, it breaks my brain, but this is how I would assume it works.

Well, I know less than you on this (and it shows how well used a feature it must be), but if I understand correctly, there is no way to verify a new user, as there is no "history" of the signature? So at some point someone has to take a first gamble? Which instantly makes me think of shill accounts and fake build-up. We have to keep using coins to keep the system alive, but the way things are going, everyone will be too scared to spend them for fear of it not arriving to the person they wanted it to.
It's based on address - you know I have the address firstbits 1GLados (because I've traded substantially with it, eg buying asicminer shares, bitfunder public asset listings), and then you know whoever can sign a message from 1GLados has access to my private keys. There's still the risk of compromise, but less than just someone logging into a forum account without 2fa.
hero member
Activity: 952
Merit: 1009
March 18, 2013, 05:41:27 AM
#36

Well, I know less than you on this (and it shows how well used a feature it must be), but if I understand correctly, there is no way to verify a new user, as there is no "history" of the signature? So at some point someone has to take a first gamble? Which instantly makes me think of shill accounts and fake build-up. We have to keep using coins to keep the system alive, but the way things are going, everyone will be too scared to spend them for fear of it not arriving to the person they wanted it to.

Yes, the repository would only work reliably for established users. The idea is specifically preventing things like your situation where an established user's forum account is taken over. I think you are very right in assuming that these things will be happening more often now.
copper member
Activity: 2310
Merit: 1032
March 18, 2013, 05:37:54 AM
#35
Not much point in IPs; most scammers use Tor anyway. We need something else.

If we're dealing with identity theft do we not already have a solution for that with the signature function in the client?

I thought that just ties up the client with an address. If an account is hacked, could it not come from any client?

Now I don't claim to understand the signature thingy completely, but the way I understand it, it is possible to sign a message with the client. This signature depends on the context of the message and the wallet keys and can be checked for authenticity in another client. The following should then be possible:
- Build a central repository of signatures for users (yeah, yeah, I know, centralization bad, but bear with me)
- When a user requests a loan, have him sign that message with the client.
- Now you should be able to check that signature against the signature in the repository via your own client and determine if the person is indeed who they claim to be.

Someone correct me if I'm wrong here. I'm not good with the signature stuff, it breaks my brain, but this is how I would assume it works.

Well, I know less than you on this (and it shows how well used a feature it must be), but if I understand correctly, there is no way to verify a new user, as there is no "history" of the signature? So at some point someone has to take a first gamble? Which instantly makes me think of shill accounts and fake build-up. We have to keep using coins to keep the system alive, but the way things are going, everyone will be too scared to spend them for fear of it not arriving to the person they wanted it to.
hero member
Activity: 952
Merit: 1009
March 18, 2013, 05:24:11 AM
#34
Not much point in IPs; most scammers use Tor anyway. We need something else.

If we're dealing with identity theft do we not already have a solution for that with the signature function in the client?

I thought that just ties up the client with an address. If an account is hacked, could it not come from any client?

Now I don't claim to understand the signature thingy completely, but the way I understand it, it is possible to sign a message with the client. This signature depends on the context of the message and the wallet keys and can be checked for authenticity in another client. The following should then be possible:
- Build a central repository of signatures for users (yeah, yeah, I know, centralization bad, but bear with me)
- When a user requests a loan, have him sign that message with the client.
- Now you should be able to check that signature against the signature in the repository via your own client and determine if the person is indeed who they claim to be.

Someone correct me if I'm wrong here. I'm not good with the signature stuff, it breaks my brain, but this is how I would assume it works.
copper member
Activity: 2310
Merit: 1032
March 18, 2013, 05:17:40 AM
#33
Not much point in IPs; most scammers use Tor anyway. We need something else.

If we're dealing with identity theft do we not already have a solution for that with the signature function in the client?

I thought that just ties up the client with an address. If an account is hacked, could it not come from any client?
hero member
Activity: 952
Merit: 1009
March 18, 2013, 05:14:32 AM
#32
Not much point in IPs; most scammers use Tor anyway. We need something else.

If we're dealing with identity theft do we not already have a solution for that with the signature function in the client?
copper member
Activity: 2310
Merit: 1032
March 18, 2013, 05:05:47 AM
#31
Not much point in IPs; most scammers use Tor anyway. We need something else.
sr. member
Activity: 280
Merit: 250
March 17, 2013, 08:46:03 PM
#30
lol if you can think of it, it's already been done.
newbie
Activity: 50
Merit: 0
March 17, 2013, 02:03:13 PM
#29
So any random can come in here with multiple accounts pretending to loan to himself to build rep? Doesn't seem very safe for lenders.

You aren't here for long, right? Otherwise you would know that they try that every week and no lender considers loans from one "no reputation account" to another "no reputation account" as reputation.

Have only been here a couple of weeks, have only known about btc for a month or so. Just learning the ropes in a sense.
legendary
Activity: 906
Merit: 1002
March 17, 2013, 01:32:12 PM
#28
So any random can come in here with multiple accounts pretending to loan to himself to build rep? Doesn't seem very safe for lenders.

You aren't here for long, right? Otherwise you would know that they try that every week and no lender considers loans from one "no reputation account" to another "no reputation account" as reputation.
newbie
Activity: 50
Merit: 0
March 17, 2013, 01:17:49 PM
#27
Wow. I can't believe that a forum dealing with lending wouldn't check IPs. So any random can come in here with multiple accounts pretending to loan to himself to build rep? Doesn't seem very safe for lenders.
legendary
Activity: 1288
Merit: 1227
Away on an extended break
March 17, 2013, 01:13:35 PM
#26
Does this site not check IPs? Hence a mod can't check the IP of the poster and compare it to the previous IPs?


I can't see IPs; only theymos can. It would be good to have that feature though for quick deductions in cases like this.
sr. member
Activity: 364
Merit: 250
firstbits 1LoCBS
March 17, 2013, 01:11:43 PM
#25
In my conversations with them, I referred to you as an example of a stand-up guy who's benefiting long-term from stepping up and taking responsibility for a circumstance that was beyond your control (the stolen money in the UK post incident).

In the long-run, we'll know and evaluate our peers by the manner in which they handle unfortunate occurrences such as this.

I've been on a conference call with MAC (Mike) and Ascension (Jerrod)

They will be covering the 24 BTC lost in this incident - Squall1066 will be made whole.


I am glad to hear that, Squall doesn't deserve this.

newbie
Activity: 50
Merit: 0
March 17, 2013, 12:46:41 PM
#24
Does this site not check IPs? Hence a mod can't check the IP of the poster and compare it to the previous IPs?