
Topic: Bitcoin7 a new exchange - page 4. (Read 20871 times)

legendary
Activity: 1372
Merit: 1008
1davout
June 17, 2011, 01:07:22 AM
#70
You should pay DAVOUT for the work he has done
I just posted code to exploit the vulnerability to show how simple it was.
sr. member
Activity: 364
Merit: 250
June 16, 2011, 06:33:57 PM
#69
davout did you see a real result of the "exploit"? Yes or No?

I will say that while this may revolt you.......

You should pay DAVOUT for the work he has done even though you did not contract with him.  You might want to hire him for FURTHER work checking out your site (if he is interested/willing to do so). 

I love the idea of an additional exchange, the more the better.  But we need them to be secure.  It is not just about the fees.

I reported the exploit and posted the POC.

No, I won't work for them. I don't need that on my rep. If they want to give me BTC, that'd be great.
legendary
Activity: 1386
Merit: 1004
June 16, 2011, 06:32:13 PM
#68
davout did you see a real result of the "exploit"? Yes or No?

I will say that while this may revolt you.......

You should pay DAVOUT for the work he has done even though you did not contract with him.  You might want to hire him for FURTHER work checking out your site (if he is interested/willing to do so). 

I love the idea of an additional exchange, the more the better.  But we need them to be secure.  It is not just about the fees.
legendary
Activity: 2618
Merit: 1007
June 16, 2011, 06:25:51 PM
#67
I was just looking for a way to delete my account and couldn't find any obvious way to do so... could you please give me specifics? (I don't care about the 1 US-cent that's left, keep it as a tip)

Also something strange:
Added funds 1xx.xx USD 1.xx USD <-- the second number = commissions.
WTF?! Why did I get charged commissions for sending money on MtGox suddenly?

Commission % is displayed as 0% by the way... and was at 0% (now it's been changed to 1%!) back then.
legendary
Activity: 1372
Merit: 1008
1davout
June 16, 2011, 04:09:05 PM
#66
davout did you see a real result of the "exploit"? Yes or No?
No. I saw code that was trivially exploitable.

This code got fixed because some honest people pointed it out previously in this very thread. (Did you thank them at all? :D)
newbie
Activity: 29
Merit: 0
June 16, 2011, 03:49:02 PM
#65
davout did you see a real result of the "exploit"? Yes or No?
hero member
Activity: 714
Merit: 500
June 16, 2011, 03:40:12 PM
#64
Check his source, oh, wait a minute, only bitcoin-central.net is open source and correctly stores passwords using bcrypt (yes, hashes and salts are good but bcrypt is much better ;))

Hrm. Bcrypt, eh?

Oh, and BitcoinPouch.com is also open-source. I just haven't been plugging it much because I want to make sure it's well-tested and hardened before I expose it to the general public. Open source is good for that very reason. Plus it's nice to be able to fix, with your own hands, any security holes you notice instead of having to wait on someone else to do it.
legendary
Activity: 1372
Merit: 1008
1davout
June 16, 2011, 03:31:04 PM
#63
Just to mention that we are monitoring the topic closely, without taking part in it, as it seems whatever we write there will always be people like davout who will speculate and make the exchange out to be a fraud. Luckily there are more and more successful trades and people with positive reactions.
We had flaws, we still have, we were not ready for the start yesterday, but we are working 24/7 on all requests.

Again thanks for all who are trusting us and also starting to defend us -> it really helps and motivates us people!
I don't speculate, I point at hard facts.
You were vulnerable to one identified CSRF exploit, you fixed it, good.

You still didn't make any statement regarding the amounts storage, the options are :
 - "We use floats because we don't have a clue about handling money in a database"
 - "We now use decimals instead of floats because we understand the exact implications"

"we store amounts very precisely", "we're monitoring the site closely", "trust us!", "we don't want to communicate about it", "davout is mean", "" are not acceptable answers.

I'm not making any assumption regarding your honesty, I'm making statements about technical matters and I have no problem being corrected if I happen to be wrong (see previous posts).

Now I suggest you get your code straight and be open about it.


We had a CSRF which could not be used at all anyway. Of course the spot was fixed in a minute after reporting.
This is an outright lie. It was trivially exploitable.

On both points I can say honestly that neither the found CSRF could have harmed a user, nor the floats (on the datatypes we still use them) could cause crucial loss of data.
more marketing talk...

You're salting and hashing your user's passwords before storing them in your database, right?
Check his source, oh, wait a minute, only bitcoin-central.net is open source and correctly stores passwords using bcrypt (yes, hashes and salts are good but bcrypt is much better ;))
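
The float-versus-decimal point davout keeps pressing is easy to demonstrate. The following is an added example, not code from this thread or from any of the exchanges discussed; it assumes a ledger that must keep BTC amounts exact to eight decimal places (one satoshi). It parses user-supplied amounts into exact decimals, rejects anything the ledger cannot represent, and shows the drift a float-backed balance picks up from a run of ordinary deposits.

```python
from decimal import Decimal, InvalidOperation

# Assumed ledger precision: BTC is defined to eight decimal places.
SATOSHI = Decimal("0.00000001")


def parse_amount(text: str) -> Decimal:
    """Turn a user-supplied amount string into an exact Decimal.

    Rejects non-numbers, NaN/infinity, negatives and anything with more
    than eight decimal places, so nothing enters the ledger that the
    ledger cannot store exactly.
    """
    try:
        amount = Decimal(text)
    except InvalidOperation:
        raise ValueError(f"not a number: {text!r}")
    # is_finite() is checked first: comparing a NaN with 0 would itself raise.
    if not amount.is_finite() or amount < 0:
        raise ValueError(f"amount must be a finite non-negative number: {text!r}")
    if amount.quantize(SATOSHI) != amount:
        raise ValueError(f"more than 8 decimal places: {text!r}")
    return amount


def float_balance(deposits) -> float:
    """Balance as a float-backed column would accumulate it (the wrong way)."""
    total = 0.0
    for d in deposits:
        total += float(d)
    return total


def decimal_balance(deposits) -> Decimal:
    """Balance as an exact Decimal column accumulates it."""
    total = Decimal("0")
    for d in deposits:
        total += parse_amount(d)
    return total


def ledger_is_consistent(credits, debits) -> bool:
    """Check that credits minus debits is exactly zero, the invariant an
    exchange's internal ledger must hold after every completed trade."""
    return decimal_balance(credits) - decimal_balance(debits) == Decimal("0")


if __name__ == "__main__":
    # Constructed sample: a thousand deposits of 0.1 BTC each.
    deposits = ["0.1"] * 1000
    print("float  :", repr(float_balance(deposits)))      # not exactly 100
    print("decimal:", decimal_balance(deposits))           # exactly 100.0
    # The float literal 0.1 is not the number 0.1, which is where the drift comes from.
    print("float 0.1 really is:", Decimal(0.1))
```

The drift from `0.1` added a thousand times is small, but an exchange ledger performs millions of such additions, and a balance that is off by even one satoshi means a withdrawal or a sell order that cannot be reconciled. The decimal path fails loudly on malformed input instead of silently rounding it.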

hero member
Activity: 714
Merit: 500
June 16, 2011, 03:24:23 PM
#62
You're salting and hashing your user's passwords before storing them in your database, right?
sr. member
Activity: 364
Merit: 250
June 16, 2011, 03:20:44 PM
#61
We had a CSRF which could not be used at all anyway. Of course the spot was fixed in a minute after reporting.

Part of the data is still stored in floats, we are upgrading at the moment and we aim to release the new version live this night.

On both points I can say honestly that neither the found CSRF could have harmed a user, nor the floats (on the datatypes we still use them) could cause crucial loss of data.
Soo. if it couldn't be used, what was there to FIX?
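
What "fixing" a CSRF hole on a money-moving form actually means, as an added example that is not code from this thread or from the exchange being discussed: the server binds an unguessable token to the user's session, puts it in every state-changing form, and refuses any POST whose token does not match. The request shape and the handler names below are assumptions for illustration; the secret key is constructed here and would come from server configuration in practice.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret; in a real deployment this is loaded from config.
SECRET_KEY = secrets.token_bytes(32)


def issue_csrf_token(session_id: str, secret: bytes = SECRET_KEY) -> str:
    """Derive a per-session token. Binding it to the session id means a token
    obtained for one session is useless against another."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf_token(session_id: str, submitted, secret: bytes = SECRET_KEY) -> bool:
    """Constant-time comparison of the submitted token against the expected one."""
    if not submitted or not isinstance(submitted, str):
        return False
    expected = issue_csrf_token(session_id, secret)
    return hmac.compare_digest(expected, submitted)


def handle_withdraw(request: dict) -> int:
    """Minimal withdraw endpoint returning an HTTP status code.

    request is a constructed dict: {"method", "cookies", "form"}.
    A cross-site form post carries the victim's session cookie automatically,
    but it cannot carry the session-bound token, so it fails at the 403 check.
    """
    if request.get("method") != "POST":
        return 405  # state changes never ride on GET
    session_id = request.get("cookies", {}).get("session")
    if not session_id:
        return 401
    form = request.get("form", {})
    if not verify_csrf_token(session_id, form.get("csrf_token")):
        return 403
    # Only here would the real handler validate amount/address and move funds.
    return 200


if __name__ == "__main__":
    sid = "session-example-1"  # constructed session id
    good = {"method": "POST", "cookies": {"session": sid},
            "form": {"csrf_token": issue_csrf_token(sid), "amount": "0.5"}}
    print("legitimate form     :", handle_withdraw(good))   # 200
    forged = {"method": "POST", "cookies": {"session": sid},
              "form": {"amount": "0.5"}}
    print("cross-site form post:", handle_withdraw(forged)) # 403
```

The token check is what was missing when the form accepted any POST that arrived with a valid session cookie; the "fix in a minute" was adding exactly this kind of check, which is why the claim that nothing needed fixing does not hold together.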
newbie
Activity: 29
Merit: 0
June 16, 2011, 03:19:53 PM
#60
We had a CSRF which could not be used at all anyway. Of course the spot was fixed in a minute after reporting.

Part of the data is still stored in floats, we are upgrading at the moment and we aim to release the new version live this night.

On both points I can say honestly that neither the found CSRF could have harmed a user, nor the floats (on the datatypes we still use them) could cause crucial loss of data.
full member
Activity: 140
Merit: 101
June 16, 2011, 03:16:19 PM
#59
So for what it's worth.

I have successfully transferred BTC to B7.

I have sold some BTC.

I transferred it to my Dwolla account and it's showing up there....

member
Activity: 69
Merit: 10
firstbits.com/1c3qpa
June 16, 2011, 02:51:31 PM
#58
Just to mention that we are monitoring the topic closely, without taking part in it, as it seems whatever we write there will always be people like davout who will speculate and make the exchange out to be a fraud. Luckily there are more and more successful trades and people with positive reactions.
We had flaws, we still have, we were not ready for the start yesterday, but we are working 24/7 on all requests.

Again thanks for all who are trusting us and also starting to defend us -> it really helps and motivates us people!

Do you still use floats to store values and are you still vulnerable to CSRF exploits?
newbie
Activity: 29
Merit: 0
June 16, 2011, 02:47:56 PM
#57
Just to mention that we are monitoring the topic closely, without taking part in it, as it seems whatever we write there will always be people like davout who will speculate and make the exchange out to be a fraud. Luckily there are more and more successful trades and people with positive reactions.
We had flaws, we still have, we were not ready for the start yesterday, but we are working 24/7 on all requests.

Again thanks for all who are trusting us and also starting to defend us -> it really helps and motivates us people!
sr. member
Activity: 252
Merit: 250
June 16, 2011, 01:05:16 PM
#56
Exchanges are crucial. If this exchange is shit (smells like it), it damages bitcoin.

So yes, it is time to get vicious.
jr. member
Activity: 56
Merit: 1
June 16, 2011, 12:15:31 PM
#55
Wow, you guys are hyper-critical. Why so much hate in your reaction?
I agree the reaction has been harsh, but I think it's a good thing.
The influx of users has been overwhelming. Many people have seen quick dollars and business opportunities. We need to make sure these new businesses are sound and safe for the users.

If that means aggressively auditing every new project for security holes and taking a "scam until proven otherwise" stance, so be it. Better safe than sorry.
Every project handling people's coins needs to have very high security standards. Lotteries need to be provably honest. Exchanges and escrows need to be transparent.
We need to raise the bar.
legendary
Activity: 1372
Merit: 1008
1davout
June 16, 2011, 12:10:13 PM
#54
if there're holes, EXPLOIT THE GODDAMN THING, JUST FOR THE LULZ!
it's yours that i'm going to exploit for the lulz
hero member
Activity: 698
Merit: 500
June 16, 2011, 11:58:49 AM
#53
if there're holes, EXPLOIT THE GODDAMN THING, JUST FOR THE LULZ!
full member
Activity: 210
Merit: 100
firstbits: 121vnq
June 16, 2011, 11:51:58 AM
#52
Wow, you guys are hyper-critical. Why so much hate in your reaction? I mean some posters on this forum outright said that just because they're from Bulgaria it must mean they are scammers.

YOU CAN'T RUN A LIVE MONEY EXCHANGE SITE WITH LARGE SECURITY HOLES.

Seriously, "fixing on the fly" is not an okay way to run a site that is moving money. It doesn't matter whether they are scammers or very well-meaning but incompetent programmers trying to cash in off the lack of exchanges currently out there.

If you are making mistakes at the most basic levels, it is likely that your site is going to be riddled with possible security holes. No one wants to hear "Oh, sorry, we are fixing it now" after their money goes flying out the window. Not to mention any exchange handling any large amounts of money is going to be a target for thieves, hackers, governments, DDOS attacks, etc etc etc. If you are going to paint a target on your back with other people's money, you best be in a position to handle it.

For all I know these folks are the nicest people on earth and I'd be happy to have a beer with them. That doesn't mean they should be programming a currency exchange.
legendary
Activity: 1288
Merit: 1080
June 16, 2011, 10:08:54 AM
#51

Registered today.  Transferred a few euros via SEPA.

I'll let you guys know if everything went smooth.