Topic: ASICMINER: Entering the Future of ASIC Mining by Inventing It - page 1327. (Read 3917468 times)

hero member
Activity: 900
Merit: 1014
advocate of a cryptographic attack on the globe
Where is the ASICMiner board? Is it a sub-board somewhere? Thanks
donator
Activity: 994
Merit: 1000
Angry neighborhood bastard mod here.

Enough about GLBSE. Go take it up in the GLBSE thread.

FYI - the security issue of GLBSE is now discussed on the ASICminer board. Updates will be posted as soon as a consensus is reached.
donator
Activity: 994
Merit: 1000
And now you come with the idea to make bitcoin a paypal. Thank god that won't happen.
Please don't confuse chargeback with reversal. In a reversal the two parties have to agree. In chargeback, only the issuer of the money - not the service/product - can recall the funds.
nedbert9 was asking for reversal.
legendary
Activity: 1162
Merit: 1000
DiabloMiner author
Angry neighborhood bastard mod here.

Enough about GLBSE. Go take it up in the GLBSE thread.
legendary
Activity: 2053
Merit: 1356
aka tonikt
Seriously, people discussing GLBSE's security: GTFO of this thread. I put it on my watchlist for updates on ASICMINER, not GLBSE.
Don't you think that for some people, the security of this project's assets might be equally important as the security of the actual manufacturing of the chip?
GLBSE's security = ASICMINER security.
Don't you understand it?
sr. member
Activity: 800
Merit: 250
Seriously, people discussing GLBSE's security: GTFO of this thread. I put it on my watchlist for updates on ASICMINER, not GLBSE.
legendary
Activity: 2576
Merit: 1186
sr. member
Activity: 476
Merit: 250
I second that motion.

Surely there is a GLBSE specific thread.

Let's try to get back to, stay on, ASICMINER / Bitfountain specific issues.

--

Chain attacks are also well covered in other threads in general.

Or here which was spun off of this one:
https://bitcointalksearch.org/topic/m.1155021
hero member
Activity: 686
Merit: 564
Mining majority cannot change the algorithm, only an economic majority can. I don't think anyone would be able to get most BFL miners to switch without a good reason, anyway - it's simply too risky since "greed" won't fly with the non-BFL miners.
This isn't entirely true. As I know you're fully aware, if an ASIC manufacturer with much greater than 50% of the network hashpower has implemented some new secret hashing algorithm, they can declare that the Bitcoin network is switching to their new algorithm and that they'll use their 51% to prevent any transactions ever confirming for users that remain on the old one. They can't force everyone to change to their algorithm, but they can render the existing one useless quite easily.
hero member
Activity: 868
Merit: 1000
Guys:

I know I am not always on topic, but please let's keep GLBSE malfunctions/competitors out of this thread !

donator
Activity: 588
Merit: 500
It was said before, it will need (apparently) to be said again: GLBSE is a bad choice for security and other reasons.

You are the worst alternative porno Mircea. You just stole 4500btc from MPOE.
legendary
Activity: 2053
Merit: 1356
aka tonikt
Guys, I tell you: get out of GLBSE, as soon as you can!

It doesn't matter what authentication method and how many of them you will use, because Nefario is a fucking thief and he can steal whatever he wants from you, whenever he wants - as long as you "keep" it on his server.

But don't sell your ASICMINER shares!
Only withdraw them from GLBSE.
Check out my latest project: https://bitcointalksearch.org/topic/assets-otc-contract-management-system-105437
... and ask friedcat to move your assets off GLBSE.
It is possible.

And friedcat (unlike Nefario) is a guy that you can trust - I give you my word on that, fwiw with my 10-14 ignores.
hero member
Activity: 756
Merit: 522
It was said before, it will need (apparently) to be said again: GLBSE is a bad choice for security and other reasons.
legendary
Activity: 1162
Merit: 1000
DiabloMiner author
DiabloD3's comment about enabling 2FA for each and every GLBSE activity is very good advice.  By 2FA design, even if your session is hijacked the attacker will not have the 2FA auth code to take any action within your account.  Here's the scary part.  GLBSE's 2FA measures might be buggy.   Take a look at this quote.

Even if you, after you totally CLOSE Internet Explorer or Firefox (I don't use Chrome, so can't test it), go to GLBSE, your session is still active/logged in.

Actually, after you restart your computer, it is still logged in..

I have 2FA activated, but only have to fill in the auth-key when I use a 'new' computer..

I emphasize *might* be buggy.  It is not for me to say.

Problem is three fold. First, 2FA enabled does not require 2FA for every action; you have to click ALL the boxes to do this. Second, there is no 2FA option for buying/selling, only transferring assets between GLBSE accounts, withdrawing BTC, password changing and logging in, thus flash crashes using your assets are still possible. Third, GLBSE can (but doesn't) set cookies for session only, which means closing the browser clears the session cookies, but you should manually log out anyhow, so this is the least problematic of the three.

I have brought this up with nefario before, he has not fixed it yet.
sr. member
Activity: 252
Merit: 250
Inactive
I'm not sure why I'm wasting my breath.  GLBSE operator and the beneficiaries of the stolen ASICMINER shares, with the exception of Jatarul who sold back to me, could care less about what I have to say.
I've chosen to take a break, probably a permanent distancing, from this forum because of this incident.  I do not believe in the 'finders keepers' mentality and dislike those that support instantaneous transfers over fraud controls and will happily benefit from fraud.  Nefario, who had the opportunity to make this right for 30 BTC, other beneficiaries, including a forum staff member who specifically benefited by ~160 shares and then offered me 0.64 BTC as a consolation (grr) has left me feeling that this is just not the place for me to hang out in.

With that said I wanted to clarify some of my comments, clear up some fallacies and offer a very serious warning.

I specifically told nedbert9  that GLBSE is not vulnerable to session hijacking attacks, so I don't know why he stated that it was. GLBSE resets the session ID after login which prevents session fixation.

We need to be clear on terms to understand my point and Nefario's statement.  Nefario is right that Session Fixation was not the method used - I can't comment on whether Session Fixation is possible with GLBSE.  It was my mistake to describe what happened to my GLBSE account as a result of Session Fixation.
However, I was a victim of a session hijack.  Session Fixation describes a specific attack scenario, while session hijack can be considered a more vague term for any compromise of an authenticated session.
My apologies to Nefario for continuing to use the Session Fixation term.  Still, I stand by my belief that my session was hijacked (and that it was facilitated by freenode's web interface).

I maintain that Nefario's management of the client-side environment for the GLBSE web app is a security risk.  This led to my GLBSE session being hijacked.
Dutchbrat's and Smiguel's experiences point out the same client-side behavior that allowed my session to be hijacked.
GLBSE can claim no responsibility for lax control of sessions on the client side, but any honest assessment of session management for security sensitive sites will point to the same conclusion.

Taken from
http://stackoverflow.com/questions/805895/how-come-closing-a-tab-doesnt-close-a-session-cookie

Point (a convenient excuse if attempting to deny responsibility for security)
"The session cookie is per-process not per window. So even if you selected New Window you'd still get the same session id. This behavior makes sense. You wouldn't want a user to re-sign in each time they opened a new window while browsing your site."

Counter point
"In such circumstances, the tab closing isn't the main issue. It's controlling the expiration of the session more actively. You'll want to implement some sort of activity timeout on the client in JS that automatically logs out after no user activity. You'll find this type of behavior on most banking sites"

Going further than the counter point is my personal feeling that if a site consists of a single browser-tab experience (no popups) and the site dev isn't using JS to invalidate the authenticated session when the DOM (page) object for the site is closed, the site dev is horribly negligent and just doesn't give a shit about what happens on the client side.

I've asked Nefario to answer the counter point in the GLBSE 2.0 testing thread.  Why doesn't Nefario take client session management more seriously?

DiabloD3's comment about enabling 2FA for each and every GLBSE activity is very good advice.  By 2FA design, even if your session is hijacked the attacker will not have the 2FA auth code to take any action within your account.  Here's the scary part.  GLBSE's 2FA measures might be buggy.   Take a look at this quote.

Even if you, after you totally CLOSE Internet Explorer or Firefox (I don't use Chrome, so can't test it), go to GLBSE, your session is still active/logged in.

Actually, after you restart your computer, it is still logged in..

I have 2FA activated, but only have to fill in the auth-key when I use a 'new' computer..

I emphasize *might* be buggy.  It is not for me to say.

Finally.
Ok, this then qualifies as a major security hazard. We need to advise any shareholder to only run GLBSE as a dedicated user then. Otherwise cross-application hacking is possible. Especially since 2FA doesn't protect you from your shares being dumped to the market!


Yes, don't trust GLBSE or any other site that takes a "use at your own risk" attitude.  This is especially pertinent for the anonymity-loving Bitcoin related sites.  Isolate your web session with GLBSE as much as possible.  Use a unique email address, a unique and strong password, enable 2FA for every action and open GLBSE in its own full browser process - not a tab - and terminate that process when done.
hero member
Activity: 868
Merit: 1000
But developers are normal people too, so it might be possible that they are replaced with corrupt people. Does the community then still have a chance? I mean most of the people would download the new hashing type automatically and wouldn't care about it. I guess that would be more than 51%. So it could be possible to overtake bitcoin when the devs are corrupted? Or wouldn't that work?

If the Devs, the big mining companies and the miners are all corrupt, then there will probably be mass-adoption of Bitcoin

Because then it will be just like any other fiat currency.
legendary
Activity: 2674
Merit: 1083
Legendary Escrow Service - Tip Jar in Profile
But developers are normal people too, so it might be possible that they are replaced with corrupt people. Does the community then still have a chance? I mean most of the people would download the new hashing type automatically and wouldn't care about it. I guess that would be more than 51%. So it could be possible to overtake bitcoin when the devs are corrupted? Or wouldn't that work?
legendary
Activity: 4634
Merit: 1851
Linux since 1997 RedHat 4
I'm not sure, but wouldn't the p2p characteristic of the bitcoin network be a protection in itself? I mean even when the developers would be replaced with some greedy persons that want to earn money, maybe by killing asic-companies and explaining it to the community as a threat to the network... wouldn't this only work when the majority of the network would agree? I mean they could simply disable automatic update for the wallet and still work on the old fork. So nothing would happen. Am I right?

Yep - as I said above:
...
The only algorithms that will ever go into the BTC Block-Chain will be those that are agreed by the developers and the community - not some random company who wants to rule BTC

Remember the very first line ... the heading ... in Satoshi's paper:

Bitcoin: A Peer-to-Peer Electronic Cash System

The point of "Peer-to-Peer" is that there is NO central control - but you suggesting that your choice of ASIC developers should have central control is simply ludicrous.
...
I highlighted in orange the specific words.
Both of course, the developers and the community.

So the community can also tell the devs to piss off by voting by not upgrading.
legendary
Activity: 2674
Merit: 1083
Legendary Escrow Service - Tip Jar in Profile
I'm not sure, but wouldn't the p2p characteristic of the bitcoin network be a protection in itself? I mean even when the developers would be replaced with some greedy persons that want to earn money, maybe by killing asic-companies and explaining it to the community as a threat to the network... wouldn't this only work when the majority of the network would agree? I mean they could simply disable automatic update for the wallet and still work on the old fork. So nothing would happen. Am I right?
legendary
Activity: 1372
Merit: 1003
I also don't like the idea of the company solo mining before selling the chips, though I don't mind them doing both at the same time.