Topic: [ANN][KARM] Karma / ₭ / X11 - page 407. (Read 583278 times)

sr. member
Activity: 532
Merit: 250
April 27, 2014, 05:28:36 AM
It is not as vulnerable as people have been making out and by the time the first payments are due to be sent out there will no doubt be a very secure method of ensuring everything is above board. Stop whipping up panic and let Kosmost and the team handle things in due course. A more appropriate means of relaying concerns like this would be over PM to ensure others do not get misled and panic. The only people who would either not care or not be averse to creating panic are those who are not currently invested at all and wish to buy cheap coins. Remember that when you read what members have to say folks.

I'm sure that once its time to pay the dividends a very secure method for ensuring the payment is done to the legit shareholders is properly available.

But why is that true?
Because the community actively worked in identifying and giving solutions to the problems found!

Also, the sooner a proper method is used for validating the exchange of the BTC address (like the one I gave), the fewer address verifications will have to be redone in future.
Yes... Because once a proper method starts to be used, all share confirmations will have to be redone.

Believe me, I do not wish anyone to panic.
I'm just offering my skills (in this case security flaws identification) to the community.

At some level I agree with you that some matters should be addressed in private, but this one I'm not sure, because as you probably know "multiple heads think better than one".
hero member
Activity: 798
Merit: 1000
April 27, 2014, 05:15:04 AM
it all sounds a bit over complicated and convoluted to me.

I don't know why they didn't just set up a Karma-shares address, ask people to send Karma to that address if they want karmashares.. and when they send the money include a valid Bitcoin address in the message that is embedded into the transaction and any transaction that doesn't follow the rules just gets refunded.

that way you have the Sending Karma Address tied to the Receiving Bitcoin address for payouts and everything being stored in the block chain so it can't be hacked easily.

by collecting email addresses which are tied to both  a Bitcoin address and a Karma address you are effectively holding them in a centralized location where the data could be hacked or stolen. If the data gets lost or stolen then hackers could potentially know how many bitcoins and karma each person has and their login ID (email address is used as login ID for most exchanges). from there all the hacker needs to do is break into the email accounts and then they can steal coins from anyone who has an exchange account (which is almost everyone). This is what happened to FR33Aid (their online wallet was hacked via an unsecured improperly secured email address)

not to mention this could turn out to be an administrative nightmare for anyone who regularly has to deal with payouts and refunds etc for karmashares.

I know it's too late to change things now.. but I'm just saying it for the record.
centralizing information is never a good idea.  just look at all the credit card hack scandals we have had over the past few months..

I understand that for legal reasons it may have been necessary to collect email addresses but I do own shares in companies like ASICMiner (based in china) where no personal information is kept about me at all... just my bitcoin address.. if I ever need to prove I own the shares then all I need to do is send a signed message.

full member
Activity: 154
Merit: 100
April 27, 2014, 04:50:49 AM
I don't understand how signing an empty message with a random Karmacoin receiving address would prove anything? Which Karmacoin address should I sign with and how do you verify that signature? I mean that I have lots of receiving addresses in my wallet

Could someone else send a signed message about my transaction before me signed with his Karmacoin receiving address?

Obviously you sign with the Karmacoin address that the coins have been sent from. No, because HIS Karmacoin address isn't YOUR Karmacoin address - the address from which the coins have been sent. The bitcoin address you specify is the address that the dividends will be sent to.

It would be very simple to ask for a confirmation of address ownership before sending any dividends - sending an amount of X.xxxxx from the address to a Karmashares LLC address for example precisely demonstrates control. All of this could also be bypassed by giving the option of registration with 2FA on Karmashares LLC - verified and secured.

It is not as vulnerable as people have been making out and by the time the first payments are due to be sent out there will no doubt be a very secure method of ensuring everything is above board. Stop whipping up panic and let Kosmost and the team handle things in due course. A more appropriate means of relaying concerns like this would be over PM to ensure others do not get misled and panic. The only people who would either not care or not be averse to creating panic are those who are not currently invested at all and wish to buy cheap coins. Remember that when you read what members have to say folks.
newbie
Activity: 3
Merit: 0
April 27, 2014, 04:31:15 AM
I don't understand how signing an empty message with a random Karmacoin receiving address would prove anything? Which Karmacoin address should I sign with and how do you verify that signature? I mean that I have lots of receiving addresses in my wallet

Could someone else send a signed message about my transaction before me signed with his Karmacoin receiving address?
sr. member
Activity: 532
Merit: 250
April 27, 2014, 03:54:23 AM
You totally cock blocked the PTMan tip I was about to send!  So un-Karma like ;) j/k

Sorry 'ShawnLeary', but my solution is still the only one that offers protection in the exchange of the BTC address, so I'm still the one deserving the tips ;-)

Thanks for the thought. I'm glad you're thinking about this. Any changes will need to be signed again. No records are deleted (and backups are made). So if you update something (or sign something) we will compare it against what was previously submitted.

Comparing the current signature (generated by signing an empty message) with a previous one (also generated by an empty message), as suggested by 'spitfire1337', and only accepting the new signature if different from the previous one (after checking that the new signature also belongs to the same address of course) is not enough.

Of course it is better than nothing but it still leaves too much possibility of cheating the system.

Please read my suggestion again, which to my knowledge is the only solution exchanged in this forum that offers total security in the transaction of the BTC address for dividends, regarding proving that the BTC address is given by the REAL owner of the Karmashares LLC.



3. No one can steal your wallet signature in this method. It is TIED to your karmawallet. For example if you use MY WALLET SIGNATURE and send some coin it does not affect anything. Because the WALLET and the SIGNATURE should prove one and the other.

Of course it is tied to the Karma wallet... But it is not tied in any way to the Bitcoin address!

Let's say that an attacker got access to the signature tied to a given Karma address of someone that sent coins to Karmashares LLC.
As you probably know emails are not that hard to snoop... And the form sends an email to someone from Karmashares LLC, right?

An attacker could copy a signature he got from snooping the emails sent to Karmashares LLC, put it in the form (http://karmacoin.me/contact? ) with the corresponding Karma address of the shareholder (not the attacker's Karmacoin address!) and request a change of the bitcoin address associated with the shares (that are not his) to one of his own bitcoin addresses.
This way the attacker/hacker would be paid the dividends of Karmashares LLC instead of the legit owner of the shares.

The signature of a blank message is in itself proof that it was signed by the owner of the wallet.
But if the message it was generated with does not contain the BTC address of the owner then I see a big security flaw.

MY SOLUTION:
So I suggest that you ask the shareholders to sign the message, character by character (just do copy-paste), that they put on the form (http://karmacoin.me/contact?).
With the signature pasted in a different text box; because it is obviously not possible to sign a message containing the signature itself.


I'm just trying to help.
A security flaw like the one I pointed out could discredit Karmashares LLC if taken advantage of... And be sure it will if it is not solved.

Here's the thing though, anytime you sign an empty message the signature is always different. All kosmost has to do is see if the newly submitted signature is the same as the original email and then not accept the change unless they send him a new signature. Since someone who is snooping can only get the signature that you sent to begin with this would solve that problem easily and keep things simple and not so confusing.


Your solution solves part of the possible attacks but not all.
What if the attacker intercepts an email, steals the new signature while making the original email never reach Karmashares LLC, so that he can be the first to use that signature (and therefore give his own BTC address, stealing the dividends of a Karmashares shareholder)?
I can think of some ways this can be done.

The solution is, as I suggested before, signing the complete message with the BTC and KARMA address (the signature would be written in a separate text box of the online form).

This way, and only this way, Karmashares LLC can be sure that the BTC address (to where the dividends will be sent) is provided by someone who has access to the Karma wallet that has the address that generated the transaction to Karmashares LLC.


Please do not allow it to be possible to mess with Karmashares LLC dividend payment system with just a little of hacking and/or social engineering.
hero member
Activity: 658
Merit: 500
April 27, 2014, 02:25:13 AM
[snip]

Please do not allow it to be possible to mess with Karmashares LLC dividend payment system with just a little of hacking and/or social engineering.

Thanks for the thought. I'm glad you're thinking about this. Any changes will need to be signed again. No records are deleted (and backups are made). So if you update something (or sign something) we will compare it against what was previously submitted.

One possible safety measure regarding COMMUNICATION SECURITY is to require a registration to Karmashares.com with an email that asks for 2FA verification like google mail. Making any further requests and communication pass through that system. (WALLET SIGNATURE, PROFIT SHARE etc) but I am sure Karmateam is preparing something in this line.
hero member
Activity: 1022
Merit: 501
Creator of the ICO
April 26, 2014, 11:39:47 PM
[snip]

Please do not allow it to be possible to mess with Karmashares LLC dividend payment system with just a little of hacking and/or social engineering.

Thanks for the thought. I'm glad you're thinking about this. Any changes will need to be signed again. No records are deleted (and backups are made). So if you update something (or sign something) we will compare it against what was previously submitted.
sr. member
Activity: 429
Merit: 250
April 26, 2014, 08:57:27 PM
Thank you for this great thought
hero member
Activity: 518
Merit: 504
April 26, 2014, 08:35:19 PM
3. No one can steal your wallet signature in this method. It is TIED to your karmawallet. For example if you use MY WALLET SIGNATURE and send some coin it does not affect anything. Because the WALLET and the SIGNATURE should prove one and the other.

Of course it is tied to the Karma wallet... But it is not tied in any way to the Bitcoin address!

Let's say that an attacker got access to the signature tied to a given Karma address of someone that sent coins to Karmashares LLC.
As you probably know emails are not that hard to snoop... And the form sends an email to someone from Karmashares LLC, right?

An attacker could copy a signature he got from snooping the emails sent to Karmashares LLC, put it in the form (http://karmacoin.me/contact? ) with the corresponding Karma address of the shareholder (not the attacker's Karmacoin address!) and request a change of the bitcoin address associated with the shares (that are not his) to one of his own bitcoin addresses.
This way the attacker/hacker would be paid the dividends of Karmashares LLC instead of the legit owner of the shares.

The signature of a blank message is in itself proof that it was signed by the owner of the wallet.
But if the message it was generated with does not contain the BTC address of the owner then I see a big security flaw.

MY SOLUTION:
So I suggest that you ask the shareholders to sign the message, character by character (just do copy-paste), that they put on the form (http://karmacoin.me/contact?).
With the signature pasted in a different text box; because it is obviously not possible to sign a message containing the signature itself.


I'm just trying to help.
A security flaw like the one I pointed out could discredit Karmashares LLC if taken advantage of... And be sure it will if it is not solved.

Here's the thing though, anytime you sign an empty message the signature is always different. All kosmost has to do is see if the newly submitted signature is the same as the original email and then not accept the change unless they send him a new signature. Since someone who is snooping can only get the signature that you sent to begin with this would solve that problem easily and keep things simple and not so confusing.


You totally cock blocked the PTMan tip I was about to send!  So un-Karma like ;) j/k
sr. member
Activity: 532
Merit: 250
April 26, 2014, 07:30:02 PM
3. No one can steal your wallet signature in this method. It is TIED to your karmawallet. For example if you use MY WALLET SIGNATURE and send some coin it does not affect anything. Because the WALLET and the SIGNATURE should prove one and the other.

Of course it is tied to the Karma wallet... But it is not tied in any way to the Bitcoin address!

Let's say that an attacker got access to the signature tied to a given Karma address of someone that sent coins to Karmashares LLC.
As you probably know emails are not that hard to snoop... And the form sends an email to someone from Karmashares LLC, right?

An attacker could copy a signature he got from snooping the emails sent to Karmashares LLC, put it in the form (http://karmacoin.me/contact? ) with the corresponding Karma address of the shareholder (not the attacker's Karmacoin address!) and request a change of the bitcoin address associated with the shares (that are not his) to one of his own bitcoin addresses.
This way the attacker/hacker would be paid the dividends of Karmashares LLC instead of the legit owner of the shares.

The signature of a blank message is in itself proof that it was signed by the owner of the wallet.
But if the message it was generated with does not contain the BTC address of the owner then I see a big security flaw.

MY SOLUTION:
So I suggest that you ask the shareholders to sign the message, character by character (just do copy-paste), that they put on the form (http://karmacoin.me/contact?).
With the signature pasted in a different text box; because it is obviously not possible to sign a message containing the signature itself.


I'm just trying to help.
A security flaw like the one I pointed out could discredit Karmashares LLC if taken advantage of... And be sure it will if it is not solved.

Here's the thing though, anytime you sign an empty message the signature is always different. All kosmost has to do is see if the newly submitted signature is the same as the original email and then not accept the change unless they send him a new signature. Since someone who is snooping can only get the signature that you sent to begin with this would solve that problem easily and keep things simple and not so confusing.


Your solution solves part of the possible attacks but not all.
What if the attacker intercepts an email, steals the new signature while making the original email never reach Karmashares LLC, so that he can be the first to use that signature (and therefore give his own BTC address, stealing the dividends of a Karmashares shareholder)?
I can think of some ways this can be done.

The solution is, as I suggested before, signing the complete message with the BTC and KARMA address (the signature would be written in a separate text box of the online form).

This way, and only this way, Karmashares LLC can be sure that the BTC address (to where the dividends will be sent) is provided by someone who has access to the Karma wallet that has the address that generated the transaction to Karmashares LLC.


Please do not allow it to be possible to mess with Karmashares LLC dividend payment system with just a little of hacking and/or social engineering.
bcd
sr. member
Activity: 252
Merit: 250
April 26, 2014, 06:18:31 PM
full member
Activity: 182
Merit: 100
Ask me about Karmacoin
April 26, 2014, 05:32:42 PM
Here is some other food for thought

Remember how Google's website was at the beginning? Facebook? The first internet websites?

In time, everything will be smoothed out.


Now, how about improving our Part D?

sr. member
Activity: 532
Merit: 250
April 26, 2014, 04:48:14 PM
3. No one can steal your wallet signature in this method. It is TIED to your karmawallet. For example if you use MY WALLET SIGNATURE and send some coin it does not affect anything. Because the WALLET and the SIGNATURE should prove one and the other.

Of course it is tied to the Karma wallet... But it is not tied in any way to the Bitcoin address!

Let's say that an attacker got access to the signature tied to a given Karma address of someone that sent coins to Karmashares LLC.
As you probably know emails are not that hard to snoop... And the form sends an email to someone from Karmashares LLC, right?

An attacker could copy a signature he got from snooping the emails sent to Karmashares LLC, put it in the form (http://karmacoin.me/contact? ) with the corresponding Karma address of the shareholder (not the attacker's Karmacoin address!) and request a change of the bitcoin address associated with the shares (that are not his) to one of his own bitcoin addresses.
This way the attacker/hacker would be paid the dividends of Karmashares LLC instead of the legit owner of the shares.

The signature of a blank message is in itself proof that it was signed by the owner of the wallet.
But if the message it was generated with does not contain the BTC address of the owner then I see a big security flaw.

MY SOLUTION:
So I suggest that you ask the shareholders to sign the message, character by character (just do copy-paste), that they put on the form (http://karmacoin.me/contact?).
With the signature pasted in a different text box; because it is obviously not possible to sign a message containing the signature itself.


I'm just trying to help.
A security flaw like the one I pointed out could discredit Karmashares LLC if taken advantage of... And be sure it will if it is not solved.

Well done sir!  I'm gonna tip you for this!

Thanks!

I welcome all tips.
Especially if they are in Karma!
member
Activity: 168
Merit: 10
April 26, 2014, 04:17:43 PM
3. No one can steal your wallet signature in this method. It is TIED to your karmawallet. For example if you use MY WALLET SIGNATURE and send some coin it does not affect anything. Because the WALLET and the SIGNATURE should prove one and the other.

Of course it is tied to the Karma wallet... But it is not tied in any way to the Bitcoin address!

Let's say that an attacker got access to the signature tied to a given Karma address of someone that sent coins to Karmashares LLC.
As you probably know emails are not that hard to snoop... And the form sends an email to someone from Karmashares LLC, right?

An attacker could copy a signature he got from snooping the emails sent to Karmashares LLC, put it in the form (http://karmacoin.me/contact? ) with the corresponding Karma address of the shareholder (not the attacker's Karmacoin address!) and request a change of the bitcoin address associated with the shares (that are not his) to one of his own bitcoin addresses.
This way the attacker/hacker would be paid the dividends of Karmashares LLC instead of the legit owner of the shares.

The signature of a blank message is in itself proof that it was signed by the owner of the wallet.
But if the message it was generated with does not contain the BTC address of the owner then I see a big security flaw.

MY SOLUTION:
So I suggest that you ask the shareholders to sign the message, character by character (just do copy-paste), that they put on the form (http://karmacoin.me/contact?).
With the signature pasted in a different text box; because it is obviously not possible to sign a message containing the signature itself.


I'm just trying to help.
A security flaw like the one I pointed out could discredit Karmashares LLC if taken advantage of... And be sure it will if it is not solved.

Here's the thing though, anytime you sign an empty message the signature is always different. All kosmost has to do is see if the newly submitted signature is the same as the original email and then not accept the change unless they send him a new signature. Since someone who is snooping can only get the signature that you sent to begin with this would solve that problem easily and keep things simple and not so confusing.
legendary
Activity: 1554
Merit: 1044
April 26, 2014, 03:44:49 PM
another gif file: signature

full member
Activity: 238
Merit: 100
April 26, 2014, 03:35:17 PM
Am I missing something about signing my message to prove I own the shares? I can't see that info anywhere.

Any help or links to the information? Thanks.



Thank you so much.
hero member
Activity: 518
Merit: 504
April 26, 2014, 03:07:17 PM
3. No one can steal your wallet signature in this method. It is TIED to your karmawallet. For example if you use MY WALLET SIGNATURE and send some coin it does not affect anything. Because the WALLET and the SIGNATURE should prove one and the other.

Of course it is tied to the Karma wallet... But it is not tied in any way to the Bitcoin address!

Let's say that an attacker got access to the signature tied to a given Karma address of someone that sent coins to Karmashares LLC.
As you probably know emails are not that hard to snoop... And the form sends an email to someone from Karmashares LLC, right?

An attacker could copy a signature he got from snooping the emails sent to Karmashares LLC, put it in the form (http://karmacoin.me/contact? ) with the corresponding Karma address of the shareholder (not the attacker's Karmacoin address!) and request a change of the bitcoin address associated with the shares (that are not his) to one of his own bitcoin addresses.
This way the attacker/hacker would be paid the dividends of Karmashares LLC instead of the legit owner of the shares.

The signature of a blank message is in itself proof that it was signed by the owner of the wallet.
But if the message it was generated with does not contain the BTC address of the owner then I see a big security flaw.

MY SOLUTION:
So I suggest that you ask the shareholders to sign the message, character by character (just do copy-paste), that they put on the form (http://karmacoin.me/contact?).
With the signature pasted in a different text box; because it is obviously not possible to sign a message containing the signature itself.


I'm just trying to help.
A security flaw like the one I pointed out could discredit Karmashares LLC if taken advantage of... And be sure it will if it is not solved.

Well done sir!  I'm gonna tip you for this!
hero member
Activity: 518
Merit: 504
April 26, 2014, 03:05:31 PM
Well I went out on a little gamble and bought 5 million shares today as it is the last day of the x10 bonus. Not willing to risk a huge amount of money, but interesting concept nonetheless. I suppose I won't be too downhearted if it turns out to be a scam but I would feel sorry at that point for the people who have risked a lot of money.

Never put in what you can't afford to lose.

Just did 105M, wanted to do more but had already donated 100M before :D
sr. member
Activity: 532
Merit: 250
April 26, 2014, 12:57:15 PM
3. No one can steal your wallet signature in this method. It is TIED to your karmawallet. For example if you use MY WALLET SIGNATURE and send some coin it does not affect anything. Because the WALLET and the SIGNATURE should prove one and the other.

Of course it is tied to the Karma wallet... But it is not tied in any way to the Bitcoin address!

Let's say that an attacker got access to the signature tied to a given Karma address of someone that sent coins to Karmashares LLC.
As you probably know emails are not that hard to snoop... And the form sends an email to someone from Karmashares LLC, right?

An attacker could copy a signature he got from snooping the emails sent to Karmashares LLC, put it in the form (http://karmacoin.me/contact? ) with the corresponding Karma address of the shareholder (not the attacker's Karmacoin address!) and request a change of the bitcoin address associated with the shares (that are not his) to one of his own bitcoin addresses.
This way the attacker/hacker would be paid the dividends of Karmashares LLC instead of the legit owner of the shares.

The signature of a blank message is in itself proof that it was signed by the owner of the wallet.
But if the message it was generated with does not contain the BTC address of the owner then I see a big security flaw.

MY SOLUTION:
So I suggest that you ask the shareholders to sign the message, character by character (just do copy-paste), that they put on the form (http://karmacoin.me/contact?).
With the signature pasted in a different text box; because it is obviously not possible to sign a message containing the signature itself.


I'm just trying to help.
A security flaw like the one I pointed out could discredit Karmashares LLC if taken advantage of... And be sure it will if it is not solved.
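The binding asked for in the post above (and restated in the later reply about signing the complete message with both addresses), as an added example that is not from the thread, from Karmashares LLC or from the Karmacoin project: a verifier that registers a payout address only when the shareholder's signature covers both the Karma address and the BTC address, next to the empty-message check it replaces, run against a replayed signature. It assumes ed25519 keys and a hex digest of the public key as a stand-in for the coin's own signature scheme and address format, and the BTC addresses are constructed samples.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Wallet stands in for a Karma wallet. ed25519 is used only because it is in
// Go's standard library (assumption); the address is a hex digest of the key.
type Wallet struct {
	Address string
	pub     ed25519.PublicKey
	priv    ed25519.PrivateKey
}

func NewWallet() Wallet {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Wallet{Address: hex.EncodeToString(pub[:8]), pub: pub, priv: priv}
}

// PayoutMessage is the exact text a shareholder signs: the Karma address the
// shares were paid from plus the Bitcoin address that should receive dividends.
func PayoutMessage(karmaAddr, btcAddr string) string {
	return "karma:" + karmaAddr + "\nbtc:" + btcAddr
}

// Registry: public key seen in each sending transaction, plus registered payout.
type Registry struct {
	keys   map[string]ed25519.PublicKey
	payout map[string]string
}

// AcceptBound registers btcAddr only if sig covers BOTH addresses, so a
// signature copied from a snooped e-mail cannot be reused with another address.
func (r *Registry) AcceptBound(karmaAddr, btcAddr string, sig []byte) bool {
	pub, ok := r.keys[karmaAddr]
	if !ok || !ed25519.Verify(pub, []byte(PayoutMessage(karmaAddr, btcAddr)), sig) {
		return false
	}
	r.payout[karmaAddr] = btcAddr
	return true
}

// AcceptEmpty is the weak scheme discussed in the thread: sig is over an empty
// message, which proves key ownership but binds no payout address at all.
func (r *Registry) AcceptEmpty(karmaAddr, btcAddr string, sig []byte) bool {
	pub, ok := r.keys[karmaAddr]
	if !ok || !ed25519.Verify(pub, []byte{}, sig) {
		return false
	}
	r.payout[karmaAddr] = btcAddr
	return true
}

// Demo replays a snooped signature against both schemes (sample addresses).
func Demo() (legitOK, boundReplayOK, emptyReplayOK bool) {
	holder := NewWallet()
	holderBTC, attackerBTC := "1HolderSampleBTCAddress", "1AttackerSampleBTCAddress"
	reg := &Registry{keys: map[string]ed25519.PublicKey{holder.Address: holder.pub},
		payout: map[string]string{}}
	// Shareholder signs the full message; the real payout address is registered.
	sig := ed25519.Sign(holder.priv, []byte(PayoutMessage(holder.Address, holderBTC)))
	legitOK = reg.AcceptBound(holder.Address, holderBTC, sig)
	// The captured signature replayed with the attacker's address is rejected.
	boundReplayOK = reg.AcceptBound(holder.Address, attackerBTC, sig)
	// Under the empty-message scheme the same replay redirects the dividends.
	emptySig := ed25519.Sign(holder.priv, []byte{})
	emptyReplayOK = reg.AcceptEmpty(holder.Address, attackerBTC, emptySig)
	return legitOK, boundReplayOK, emptyReplayOK
}

func main() {
	fmt.Println(Demo())
}
```

Running it prints `true false true`: the bound scheme accepts the owner and rejects the replay, while the empty-message scheme accepts the replay.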
hero member
Activity: 518
Merit: 504
April 26, 2014, 12:54:58 PM
Am I missing something about signing my message to prove I own the shares? I can't see that info anywhere.

Any help or links to the information? Thanks.
