Topic: ASICMINER: Entering the Future of ASIC Mining by Inventing It - page 1328. (Read 3917029 times)

hero member
Activity: 868
Merit: 1000
Guys:

I know I am not always on topic, but please let's keep GLBSE malfunctions/competitors out of this thread !

donator
Activity: 588
Merit: 500
It was said before, it will need (apparently) to be said again: GLBSE is a bad choice for security and other reasons.

You are the worst alternative porno Mircea. You just stole 4500btc from MPOE.
legendary
Activity: 2053
Merit: 1356
aka tonikt
Guys, I tell you: get out of GLBSE, as soon as you can!

It doesn't matter what authentication method, or how many of them, you use, because Nefario is a fucking thief and he can steal whatever he wants from you, whenever he wants - as long as you "keep" it on his server.

But don't sell your ASICMINER shares!
Only withdraw them from GLBSE.
Check out my latest project: https://bitcointalksearch.org/topic/assets-otc-contract-management-system-105437
... and ask friedcat to move your assets off GLBSE.
It is possible.

And friedcat (unlike Nefario) is a guy that you can trust - I give you my word on that, fwiw with my 10-14 ignores.
hero member
Activity: 756
Merit: 522
It was said before, it will need (apparently) to be said again: GLBSE is a bad choice for security and other reasons.
legendary
Activity: 1162
Merit: 1000
DiabloMiner author
DiabloD3's comment about enabling 2FA for each and every GLBSE activity is very good advice.  By 2FA design, even if your session is hijacked the attacker will not have the 2FA auth code to take any action within your account.  Here's the scary part.  GLBSE's 2FA measures might be buggy.   Take a look at this quote.

Even if you, after you totally CLOSE Internet Explorer or Firefox (I don't use Chrome, so can't test it), go to GLBSE your session is still active/logged in.

Actually, after you restart your computer, it is still logged in..

I have 2FA activated, but only have to fill in the auth-key when I use a 'new' computer..

I emphasize *might* be buggy.  It is not for me to say.

Problem is threefold. First, 2FA enabled does not require 2FA for every action; you have to click ALL the boxes to do this. Second, there is no 2FA option for buying/selling, only for transferring assets between GLBSE accounts, withdrawing BTC, changing the password and logging in, thus flash crashes using your assets are still possible. Third, GLBSE can (but doesn't) set cookies for session only, which means closing the browser clears the session cookies, but you should manually log out anyhow, so this is the least problematic of the three.

I have brought this up with nefario before, he has not fixed it yet.
sr. member
Activity: 252
Merit: 250
Inactive
I'm not sure why I'm wasting my breath.  GLBSE operator and the beneficiaries of the stolen ASICMINER shares, with the exception of Jatarul who sold back to me, could care less about what I have to say.
I've chosen to take a break, probably a permanent distancing, from this forum because of this incident.  I do not believe in the 'finders keepers' mentality and dislike those that support instantaneous transfers over fraud controls and will happily benefit from fraud.  Nefario, who had the opportunity to make this right for 30 BTC, and other beneficiaries, including a forum staff member who specifically benefited by ~160 shares and then offered me 0.64 BTC as a consolation (grr), have left me feeling that this is just not the place for me to hang out in.

With that said I wanted to clarify some of my comments, clear up some fallacies and offer a very serious warning.

I specifically told nedbert9 that GLBSE is not vulnerable to session hijacking attacks, so I don't know why he stated that it was. GLBSE resets the session ID after login, which prevents session fixation.

We need to be clear on terms to understand my point and Nefario's statement.  Nefario is right that Session Fixation was not the method used - I can't comment on whether Session Fixation is possible with GLBSE.  It was my mistake to describe what happened to my GLBSE account as a result of Session Fixation.
However, I was a victim of a session hijack.  Session Fixation describes a specific attack scenario, while session hijack can be considered a more vague term for any compromise of an authenticated session.
My apologies to Nefario for continuing to use the Session Fixation term.  Still, I stand by my belief that my session was hijacked (and that it was facilitated by freenode's web interface).

I maintain that Nefario's management of the client-side environment for the GLBSE web app is a security risk.  This led to my GLBSE session being hijacked.
Dutchbrat and Smiguel's experience points out the same client side behavior that allowed for my session to be hijacked.
GLBSE can claim no responsibility for lax control of sessions on the client side, but any honest assessment of session management for security sensitive sites will point to the same conclusion.

Taken from
http://stackoverflow.com/questions/805895/how-come-closing-a-tab-doesnt-close-a-session-cookie

Point (a convenient excuse if attempting to deny responsibility for security)
"The session cookie is per-process not per window. So even if you selected New Window you'd still get the same session id. This behavior makes sense. You wouldn't want a user to re-sign in each time they opened a new window while browsing your site."

Counter point
"In such circumstances, the tab closing isn't the main issue. It's controlling the expiration of the session more actively. You'll want to implement some sort of activity timeout on the client in JS that automatically logs out after no user activity. You'll find this type of behavior on most banking sites"

Going further than the counter point is my personal feeling that if a site that consists of a single browser tab experience (no popups) and that site dev isn't using JS to invalidate the authenticated session when the DOM (page) object for the site is closed the site dev is horribly negligent and just doesn't give a shit about what happens on the client side.

I've asked Nefario to answer the counter point in the GLBSE 2.0 testing thread.  Why doesn't Nefario take client session management more seriously?

DiabloD3's comment about enabling 2FA for each and every GLBSE activity is very good advice.  By 2FA design, even if your session is hijacked the attacker will not have the 2FA auth code to take any action within your account.  Here's the scary part.  GLBSE's 2FA measures might be buggy.   Take a look at this quote.

Even if you, after you totally CLOSE Internet Explorer or Firefox (I don't use Chrome, so can't test it), go to GLBSE your session is still active/logged in.

Actually, after you restart your computer, it is still logged in..

I have 2FA activated, but only have to fill in the auth-key when I use a 'new' computer..

I emphasize *might* be buggy.  It is not for me to say.

Finally.
Ok. This then qualifies as a major security hazard. We need to advise any shareholder to only run GLBSE as a dedicated user then. Otherwise cross-application hacking is possible. Especially since 2FA doesn't protect you from your shares being dumped to the market!


Yes, don't trust GLBSE or any other site that takes a "use at your own risk" attitude.  This is especially pertinent for the anonymity-loving Bitcoin related sites.  Isolate your web session with GLBSE as much as possible.  Use a unique email address, a unique and strong password, enable 2FA for every action and open GLBSE in its own full browser process - not a tab - and terminate that process when done.
hero member
Activity: 868
Merit: 1000
But developers are normal people too, so it might be possible that they are replaced with corrupt people. Does the community then still have a chance? I mean most of the people would download the new hashing type automatically and wouldn't care about it. I guess that would be more than 51%. So it could be possible to take over bitcoin when the devs are corrupted? Or wouldn't that work?

If the Devs, the big mining companies and the miners are all corrupt, then there will probably be mass-adoption of BitCoin

Because then it will be just like any other fiat currency.
legendary
Activity: 2674
Merit: 1083
Legendary Escrow Service - Tip Jar in Profile
But developers are normal people too, so it might be possible that they are replaced with corrupt people. Does the community then still have a chance? I mean most of the people would download the new hashing type automatically and wouldn't care about it. I guess that would be more than 51%. So it could be possible to take over bitcoin when the devs are corrupted? Or wouldn't that work?
legendary
Activity: 4592
Merit: 1851
Linux since 1997 RedHat 4
I am not sure, but wouldn't the p2p characteristic of the bitcoin network be a protection in itself? I mean even if the developers were replaced with some greedy persons that want to earn money, maybe by killing ASIC companies and explaining it to the community as a threat to the network... wouldn't this only work when the majority of the network agrees? I mean they could simply disable automatic update for the wallet and still work on the old fork. So nothing would happen. Am I right?

Yep - as I said above:
...
The only algorithms that will ever go into the BTC Block-Chain will be those that are agreed by the developers and the community - not some random company who wants to rule BTC

Remember the very first line ... the heading ... in Satoshi's paper:

Bitcoin: A Peer-to-Peer Electronic Cash System

The point of "Peer-to-Peer" is that there is NO central control - but you suggesting that your choice of ASIC developers should have central control is simply ludicrous.
...
I highlighted in orange the specific words.
Both of course, the developers and the community.

So the community can also tell the devs to piss off by voting by not upgrading.
legendary
Activity: 2674
Merit: 1083
Legendary Escrow Service - Tip Jar in Profile
I am not sure, but wouldn't the p2p characteristic of the bitcoin network be a protection in itself? I mean even if the developers were replaced with some greedy persons that want to earn money, maybe by killing ASIC companies and explaining it to the community as a threat to the network... wouldn't this only work when the majority of the network agrees? I mean they could simply disable automatic update for the wallet and still work on the old fork. So nothing would happen. Am I right?
legendary
Activity: 1372
Merit: 1003
I also don't like the idea of the company solo mining before selling the chips, though I don't mind them doing both at the same time.
legendary
Activity: 2576
Merit: 1186
I'd appreciate if people would stop trolling and putting words in my mouth. midnightmagic raised some important points, and as an investor I think they should be fully taken into consideration. It's really that simple.
His post was properly replied to in the subsequent post by DutchBrat:
https://bitcointalksearch.org/topic/m.1153777
No, that reply didn't really address the concerns he brought up.

You stirred up the hornet's nest with this unsupported assertion:
ASIC vendors are advised to implement an alternative algorithm ...
There's no reason this statement of fact should be controversial at all.
sr. member
Activity: 476
Merit: 250
I'd appreciate if people would stop trolling and putting words in my mouth.
midnightmagic raised some important points, and as an investor I think they should be fully taken into consideration. It's really that simple.
His post was properly replied to in the subsequent post by DutchBrat:
https://bitcointalksearch.org/topic/m.1153777

I.e., read the IPO-OP!

If midnightmagic doesn't want to invest under those terms, that's his decision.

--

You stirred up the hornet's nest with this unsupported assertion:

ASIC vendors are advised to implement an alternative algorithm ...

You have ignored my multiple requests to show where such an advisory is given.

The fallout of your unfounded statement has now moved to:
https://bitcointalksearch.org/topic/m.1155021
legendary
Activity: 2576
Merit: 1186
I'd appreciate if people would stop trolling and putting words in my mouth.
midnightmagic raised some important points, and as an investor I think they should be fully taken into consideration. It's really that simple.
sr. member
Activity: 476
Merit: 250
I am also invested in ASICMINER
Why? Seeing how you disapprove of the approach so much.

The plan has been stated since the first page of this thread. Well before you had any chance to invest.
hero member
Activity: 752
Merit: 500
bitcoin hodler
Can we please keep this thread focused on what's in the OP?  It's getting cluttered. I posted a question related to backup algorithms in https://bitcointalksearch.org/topic/m.1155928 - hopefully we can continue the discussion there, and hopefully that can be moved to the mining board or one of its children.

Yes please. And Luke Jr., please stop spamming with your baseless stupidity about the algorithm change. It makes no sense to change the algorithm and it would only serve one thing - the destruction of bitcoin.
donator
Activity: 994
Merit: 1000
Can we please keep this thread focused on what's in the OP?  It's getting cluttered. I posted a question related to backup algorithms in https://bitcointalksearch.org/topic/m.1155928 - hopefully we can continue the discussion there, and hopefully that can be moved to the mining board or one of its children.
+1
hero member
Activity: 756
Merit: 501
There is more to Bitcoin than bitcoins.
Can we please keep this thread focused on what's in the OP?  It's getting cluttered. I posted a question related to backup algorithms in https://bitcointalksearch.org/topic/m.1155928 - hopefully we can continue the discussion there, and hopefully that can be moved to the mining board or one of its children.

legendary
Activity: 4592
Merit: 1851
Linux since 1997 RedHat 4
...
P.S. Ignoring kano's nonsense troll attempt
You're welcome.

Your history of ignoring me in the software development arena has shown that: in every case you have ignored my code change arguments and requests, you have taken my advice at a later date and done it.

Except one case - which means your clone miner produces fewer shares for most people on BFL.
legendary
Activity: 2576
Merit: 1186
(3) Luke-Jr, are you threatening us here? If so, I will post a personal (but not official) analysis:
Slow down. That's what he wants: an emotional reaction. It's part of some of his FUD.
Um, no. I want ASICMINER to be as profitable as it can be. I think reconsidering the hoarding plan can help that significantly.

Point is nobody is to be trusted - and nobody has to be. Bitcoin is based on competition and that includes evil competitors. So better be prepared. ASICminer has good intentions on their agenda, let's see how things play out.
But ASICMINER having a (near?) majority forces the entire Bitcoin currency to depend on trusting us. I'm okay with that - it's only 1-2 months until consumers have ASICs themselves. But I don't think all of Bitcoin is as trusting, and that could have a negative impact on price as well as future profitability, even assuming the mining is never abused.