[ANN][PASL]-[PASCAL Lite]-[The Future is Almost Here] - page 44.

ulfsaar

full member

Activity: 197

Merit: 100

GUYS,

Some questions: please fill in if you feel like it?

1. How to spot trolls from far apart?
2. Any ideas how to STOP trolls?
3. How to make trolls look onto themselves first before trolling?

We have a bad troll on slack and it seems we have another bad troll in this thread.

ulfsaar

full member

Activity: 197

Merit: 100

Quote from: busara on May 10, 2017, 04:40:36 AM

Quote from: Marvell1 on February 03, 2017, 12:06:01 PM

Quote from: SIRacer09 on February 03, 2017, 08:48:11 AM

I didn't get in until late, so I guess my question is this:

If adaseb isn't going to work on the coin anymore, isn't it not worth mining now? I think he said it did it just for fun.

Maybe scratch this one and start a different one? Just some thoughts...

Isn't the whole point to get the coin on an exchange so others can buy/sell that don't want to mine it? If dev work won't

continue, I guess I don't see the reason for relaunching.

Exactly dev is abandoning the coin why would you keep mining ?

we can not copy others in our effort because we want to go at top level of progress.

Why resurrect an ancient post?

busara

newbie

Activity: 35

Merit: 0

Quote from: Marvell1 on February 03, 2017, 12:06:01 PM

Quote from: SIRacer09 on February 03, 2017, 08:48:11 AM

I didn't get in until late, so I guess my question is this:

If adaseb isn't going to work on the coin anymore, isn't it not worth mining now? I think he said it did it just for fun.

Maybe scratch this one and start a different one? Just some thoughts...

Isn't the whole point to get the coin on an exchange so others can buy/sell that don't want to mine it? If dev work won't

continue, I guess I don't see the reason for relaunching.

Exactly dev is abandoning the coin why would you keep mining ?

we can not copy others in our effort because we want to go at top level of progress.

seenotaajs

newbie

Activity: 14

Merit: 0

hey adaseb,

i tried to mine pascal lite with claymore dual mine, but I am losing half of the ETH hashes. When I mine ETH+Decred it doesn't happen.

I know you are not responsible for claymore's miner, but wanted to get some advice - how you setup your miner or maybe you could paste your .bat file so I can make necessary adjustments to mine.

I am new to mining so kinda noob in all these questions. I am using RX 570 card and getting 23mh/s for ETH, but when mining pascal I get 13.5 and 400 for pascal.

Thanks in advance.

loky4i4

newbie

Activity: 55

Merit: 0

how long pasl will be in maintenance on cryptopia Huh

ulfsaar

full member

Activity: 197

Merit: 100

Quote from: nightraven on May 09, 2017, 12:03:26 PM

Quote from: adaseb on May 09, 2017, 10:16:52 AM

The private key is not exposed over the internet even in encrypted form. Connection to the internet is needed to do SPV which is similar to what Electrum does so you can see your balance, accounts, and be able to send funds without being synced with the blockchain.

It is not true that

Quote

The private key is not exposed over the internet even in encrypted form.

What you see in the browsers URL or address bar at the top is exactly the request you transmit over the net from the local device to the server. And the encrypted private key is as everybody can see at the URL bar used as a link. This request is stored a lot of places where unauthorized people can get hold of it. Firstly in the users own browser cache. Secondly in the servers cache and further more a number of other places.

I don't know about bitcoin but as far as I understand coins based on Pascal Coin I doubt that it is possible to make a "send to" operation without using the account owner's private key, so I guess that is why you need to get the private key included in the URL. It demands a lot of trust to send you the private key every time the mobile wallet is used because it eliminates most of the security that is built into Pascal based coins.

Well, now I have warned you. And I think you should inform all users of this mobile wallet so the know what kind of risk they run.

Do not pay attention to this troll. HE only wants to peak at the code. LOL. You sure are a dev? Try creating one that generates everything on the browser, like a paper wallet and you'll see. Stop this nonsense. IDIOT. You need to upgrade your cryptography knowledge.

nightraven

full member

Activity: 286

Merit: 102

Quote from: adaseb on May 09, 2017, 10:16:52 AM

The private key is not exposed over the internet even in encrypted form. Connection to the internet is needed to do SPV which is similar to what Electrum does so you can see your balance, accounts, and be able to send funds without being synced with the blockchain.

It is not true that

Quote

The private key is not exposed over the internet even in encrypted form.

What you see in the browsers URL or address bar at the top is exactly the request you transmit over the net from the local device to the server. And the encrypted private key is as everybody can see at the URL bar used as a link. This request is stored a lot of places where unauthorized people can get hold of it. Firstly in the users own browser cache. Secondly in the servers cache and further more a number of other places.

I don't know about bitcoin but as far as I understand coins based on Pascal Coin I doubt that it is possible to make a "send to" operation without using the account owner's private key, so I guess that is why you need to get the private key included in the URL. It demands a lot of trust to send you the private key every time the mobile wallet is used because it eliminates most of the security that is built into Pascal based coins.

Well, now I have warned you. And I think you should inform all users of this mobile wallet so the know what kind of risk they run.

dongqiang

full member

Activity: 222

Merit: 100

A clone from PASC but progress better more than PASC ,very good.
even PASC don't have a mobile wallet yet !

adaseb

legendary

Activity: 3808

Merit: 1723

Quote from: nightraven on May 09, 2017, 10:05:19 AM

Quote from: adaseb on May 09, 2017, 08:46:23 AM

nightraven,

Our mobile wallet is no different than

https://blockchain.info/wallet/#/

Millions of people use it. And nobody complains.

You make an account and you need to save your Wallet ID and/or Seed to be able to access your account. If you forgot those or your password your account is lost forever because they don't store anything on their servers.

Just because your private key shows up in the URL doesn't mean it will appear inside a Google search. For example look at http://directory.io , every bitcoin private key in existence is on that website but does that mean everyone's account is in jeopardy? No

Reason why everybody is upset with your comments is because you are saying this all on conjecture. Like xiphon said before, if you can provide EVIDENCE that there is a security issue we will be more than happy to explain it to you or to fix it.

EVIDENCE would be something like you running a packet sniffer and discovering that after you set your password, the private key is sent to the online server.

EDIT: Apparently blockchain.info actually does store your wallet on their servers but its encrypted with your password. So ignore that comment above... Use Bitaddress.org or megadice.com instead as an example

I admit that there is some security because the user's private key is encrypted. But there is a risk when a decrypted private key is exposed. And the risk depends on the strength of the password the user select when he encrypt the key. Take a pile of random passwords and check them with a password generator and you will see a lot of weak passwords. Your web wallet does not force the user to select a strong password. It accept a simple password like "123456".

I'm of course aware that the the URL doesn't appear in a Google search etc. But there is a risk when data are included in the URL. That is why most programmers prefer to use POST method instead of GET method when sensitive data are transmitted over the net.

It is of course open for discussion how big the risk is. But we often see, that when there is a risk sooner or later somebody exploit the weakness. And why do the user have to run a risk and use his encrypted private key as a link? If you need a unique link for each user, then the public key or a hash of it would be equally good and risk free to use.

The private key is not exposed over the internet even in encrypted form. Connection to the internet is needed to do SPV which is similar to what Electrum does so you can see your balance, accounts, and be able to send funds without being synced with the blockchain.

We can do a "Cold Storage" form of the wallet, however most won't use that since its very complex for most individuals. However if there is enough interest then it will be done in the future.

nightraven

full member

Activity: 286

Merit: 102

Quote from: adaseb on May 09, 2017, 08:46:23 AM

nightraven,

Our mobile wallet is no different than

https://blockchain.info/wallet/#/

Millions of people use it. And nobody complains.

You make an account and you need to save your Wallet ID and/or Seed to be able to access your account. If you forgot those or your password your account is lost forever because they don't store anything on their servers.

Just because your private key shows up in the URL doesn't mean it will appear inside a Google search. For example look at http://directory.io , every bitcoin private key in existence is on that website but does that mean everyone's account is in jeopardy? No

Reason why everybody is upset with your comments is because you are saying this all on conjecture. Like xiphon said before, if you can provide EVIDENCE that there is a security issue we will be more than happy to explain it to you or to fix it.

EVIDENCE would be something like you running a packet sniffer and discovering that after you set your password, the private key is sent to the online server.

EDIT: Apparently blockchain.info actually does store your wallet on their servers but its encrypted with your password. So ignore that comment above... Use Bitaddress.org or megadice.com instead as an example

I admit that there is some security because the user's private key is encrypted. But there is a risk when a decrypted private key is exposed. And the risk depends on the strength of the password the user select when he encrypt the key. Take a pile of random keys and check them with a password generator and you will see a lot of weak passwords. Your web wallet does not force the user to select a strong password. It accept a simple password like "123456".

I'm of course aware that the the URL doesn't appear in a Google search etc. But there is a risk when data are included in the URL. That is why most programmers prefer to use POST method instead of GET method when sensitive data are transmitted over the net.

It is of course open for discussion how big the risk is. But we often see, that when there is a risk sooner or later somebody exploit the weakness. And why do the user have to run a risk and use his encrypted private key as a link? If you need a unique link for each user, then the public key or a hash of it would be equally good and risk free to use.

adaseb

legendary

Activity: 3808

Merit: 1723

nightraven,

Our mobile wallet is no different than

https://blockchain.info/wallet/#/

Millions of people use it. And nobody complains.

You make an account and you need to save your Wallet ID and/or Seed to be able to access your account. If you forgot those or your password your account is lost forever because they don't store anything on their servers.

Just because your private key shows up in the URL doesn't mean it will appear inside a Google search. For example look at http://directory.io , every bitcoin private key in existence is on that website but does that mean everyone's account is in jeopardy? No

Reason why everybody is upset with your comments is because you are saying this all on conjecture. Like xiphon said before, if you can provide EVIDENCE that there is a security issue we will be more than happy to explain it to you or to fix it.

EVIDENCE would be something like you running a packet sniffer and discovering that after you set your password, the private key is sent to the online server.

EDIT: Apparently blockchain.info actually does store your wallet on their servers but its encrypted with your password. So ignore that comment above... Use Bitaddress.org or megadice.com instead as an example

nightraven

full member

Activity: 286

Merit: 102

Quote from: ulfsaar on May 09, 2017, 06:49:26 AM

Quote from: nightraven on May 09, 2017, 05:39:47 AM

Quote from: xiphon on May 08, 2017, 07:58:17 PM

Quote from: nightraven on May 08, 2017, 07:07:14 PM

Well, the private key is send as part of the URL whenever the wallet is used.
Is it decrypted and used server side?

No, no and ... again .. NO.
That is not how the Web Wallet works.

We do not store any secure information, private keys.
We do not transmit any sensitive data over the network.

All of the encryption stuff is done right in a browser tab. User's private key (encrypted, decrypted, whatever you can imagine) is never transmitted over the network.

Sorry, i do not want to teach you cryptography basics here.

If you want to act as a researcher, you are welcome. Inspect the product, find the weakness, share you paper/report with the community. That would be a great deal.

But for now, please, understand that we can't argue with zero-proofs posts like the one you wrote above.
Of course, you can do what you want, but it is not widely accepted in the crypto community.

I would never ever write as I did without a proofs or with zero-proof as you write:

If you look at this screenshot you will see, that the encrypted public key is part of the URL:

Everybody can check and see this in their own web wallet. just click on Keys in the footer and see for yourself.

And just one more proof from the java script itself. A search in the decompressed code gives the following snippet:

Code:

}, "Bookmark or write down the current page URL. It will be used to access your wallet the next time.
The link is your private key. ", g.default.createElement("br", null), g.default.createElement("br", null),
g.default.createElement("small", null,
"We do not store any secure information, private keys. ", g.default.createElement("br", null),
"We do not transmit any sensitive data over the network."))))),

I repeat: "The link is your private key." I hope this is enough proofs.

So the private key is send to the server whenever someone use the web wallet. And then it is important to know why it should be send and what it is used for at the server?

Dont pay attention to this troll. Troll will be troll. But this one is a poor troll.

I think we should have a serious and fair debate about this security problem without accusations or name calling.

I'm not a troll. I don't write anything inflammatory, off-topic or untrue. I report with proofs something that seems to be insecure and unusual, because private keys normally should be kept private. That is why it is called private. I don't blame anybody. I don't shout scam or fraud. I don't know what it is. I hope it is a simple mistake.

I just tell the plain facts as I see them. And it is a fact that the users public key is exposed because it is used as a link to the server. Nobody can deny that..

Q_R_V

sr. member

Activity: 428

Merit: 250

Inactivity: 8963

Nah, he just want to buy cheap coins, so he is spreading fud. Remember, every business tactic is valid Wink

ulfsaar

full member

Activity: 197

Merit: 100

Quote from: nightraven on May 09, 2017, 05:39:47 AM

Quote from: xiphon on May 08, 2017, 07:58:17 PM

Quote from: nightraven on May 08, 2017, 07:07:14 PM

Well, the private key is send as part of the URL whenever the wallet is used.
Is it decrypted and used server side?

No, no and ... again .. NO.
That is not how the Web Wallet works.

We do not store any secure information, private keys.
We do not transmit any sensitive data over the network.

All of the encryption stuff is done right in a browser tab. User's private key (encrypted, decrypted, whatever you can imagine) is never transmitted over the network.

Sorry, i do not want to teach you cryptography basics here.

If you want to act as a researcher, you are welcome. Inspect the product, find the weakness, share you paper/report with the community. That would be a great deal.

But for now, please, understand that we can't argue with zero-proofs posts like the one you wrote above.
Of course, you can do what you want, but it is not widely accepted in the crypto community.

I would never ever write as I did without a proofs or with zero-proof as you write:

If you look at this screenshot you will see, that the encrypted public key is part of the URL:

Everybody can check and see this in their own web wallet. just click on Keys in the footer and see for yourself.

And just one more proof from the java script itself. A search in the decompressed code gives the following snippet:

Code:

}, "Bookmark or write down the current page URL. It will be used to access your wallet the next time.
The link is your private key. ", g.default.createElement("br", null), g.default.createElement("br", null),
g.default.createElement("small", null,
"We do not store any secure information, private keys. ", g.default.createElement("br", null),
"We do not transmit any sensitive data over the network."))))),

I repeat: "The link is your private key." I hope this is enough proofs.

So the private key is send to the server whenever someone use the web wallet. And then it is important to know why it should be send and what it is used for at the server?

Dont pay attention to this troll. Troll will be troll. But this one is a poor troll.

nightraven

full member

Activity: 286

Merit: 102

Quote from: xiphon on May 08, 2017, 07:58:17 PM

Quote from: nightraven on May 08, 2017, 07:07:14 PM

Well, the private key is send as part of the URL whenever the wallet is used.
Is it decrypted and used server side?

No, no and ... again .. NO.
That is not how the Web Wallet works.

We do not store any secure information, private keys.
We do not transmit any sensitive data over the network.

All of the encryption stuff is done right in a browser tab. User's private key (encrypted, decrypted, whatever you can imagine) is never transmitted over the network.

Sorry, i do not want to teach you cryptography basics here.

If you want to act as a researcher, you are welcome. Inspect the product, find the weakness, share you paper/report with the community. That would be a great deal.

But for now, please, understand that we can't argue with zero-proofs posts like the one you wrote above.
Of course, you can do what you want, but it is not widely accepted in the crypto community.

I would never ever write as I did without a proofs or with zero-proof as you write:

If you look at this screenshot you will see, that the encrypted public key is part of the URL:

Everybody can check and see this in their own web wallet. just click on Keys in the footer and see for yourself.

And just one more proof from the java script itself. A search in the decompressed code gives the following snippet:

Code:

}, "Bookmark or write down the current page URL. It will be used to access your wallet the next time.
The link is your private key. ", g.default.createElement("br", null), g.default.createElement("br", null),
g.default.createElement("small", null,
"We do not store any secure information, private keys. ", g.default.createElement("br", null),
"We do not transmit any sensitive data over the network."))))),

I repeat: "The link is your private key." I hope this is enough proofs.

So the private key is send to the server whenever someone use the web wallet. And then it is important to know why it should be send and what it is used for at the server?

ulfsaar

full member

Activity: 197

Merit: 100

Quote from: ?? on ??

Quote from: nightraven on May 08, 2017, 05:59:05 AM

Very nice

But I think that all kind of wallets should be open source. Just to make sure that nothing is going on behind the scene.

... agreed.

Grin

It will be open source eventually. Its up to the dev to decide. I trust the dev that there's nothing behind the scene so we have nothing to worry about. You have to remember forging is done on your browser.

People are lingering to take a peek at the code itself. LOLOL Grin

adaseb

legendary

Activity: 3808

Merit: 1723

Quote from: theone211984 on May 09, 2017, 01:01:50 AM

how send my acc to wallet mobile ?

i have acc in wallet windows

You can just insert your private key into

https://wallet.pascallite.com/#

insert after the #

OR

Just send 1 account to your mobile wallet, and then send coins to that account.

theone211984

newbie

Activity: 1

Merit: 0

how send my acc to wallet mobile ?

i have acc in wallet windows

Dermelon

sr. member

Activity: 435

Merit: 400

Web wallet is cool. I tried to transfer account and send Pasl, its success.
Good job dev.

xiphon

full member

Activity: 254

Merit: 121

Quote from: nightraven on May 08, 2017, 07:07:14 PM

Well, the private key is send as part of the URL whenever the wallet is used.
Is it decrypted and used server side?

No, no and ... again .. NO.
That is not how the Web Wallet works.

We do not store any secure information, private keys.
We do not transmit any sensitive data over the network.

All of the encryption stuff is done right in a browser tab. User's private key (encrypted, decrypted, whatever you can imagine) is never transmitted over the network.

Sorry, i do not want to teach you cryptography basics here.

If you want to act as a researcher, you are welcome. Inspect the product, find the weakness, share you paper/report with the community. That would be a great deal.

But for now, please, understand that we can't argue with zero-proofs posts like the one you wrote above.
Of course, you can do what you want, but it is not widely accepted in the crypto community.

Topic: [ANN][PASL]-[PASCAL Lite]-[The Future is Almost Here] - page 44. (Read 164899 times)