Topic: Bitcoinica - Security? (Read 1984 times)

legendary
Activity: 2576
Merit: 1087
January 13, 2012, 05:25:07 AM
#20
You know what, if there was ever any doubt about zhoutong's age, it has to be a fact!

I remember when I was 17, and someone was like "oh you need your thing to do X" and you could just sit down and bang out code and have it done in hours. It's like your brain just ebbed code and your fingers just did the best they could to keep up!

Unfortunately I never had the fortune that my hero coding actually turned into much cold hard cash (still, what's a coder gonna do otherwise.. not code!? you just keep doing it cos you love coding!)

Oh yeah, course I am jealous, but I don't begrudge you anything Mr Z. I love the work you guys are doing.

I'm sure in 20 years time, as you pump out the code in a much more sedentary manner (or more likely stroll along a sunny beach) you'll look back on these good times and think, how the hell did I pull that off.

Those all-nighters just get harder and harder!



vip
Activity: 490
Merit: 502
January 13, 2012, 02:59:57 AM
#19
As for two-factor auth, I'd recommend Google's two-factor auth mechanism. It's great, because it utilizes an app on your phone as the auth mechanism, which works offline, and it also provides a fallback in case you lose your phone.

Link: http://code.google.com/p/google-authenticator/

LOL. It's such a coincidence! I have started working on Google Authenticator two hours ago (1 hour earlier than your post).

It's going to be up in 10 minutes! Stay tuned!

It's LIVE! Two-factor authentication!

Announcement: https://bitcointalksearch.org/topic/bitcoinica-two-factor-authentication-58522
vip
Activity: 490
Merit: 502
January 13, 2012, 02:45:26 AM
#18
As for two-factor auth, I'd recommend Google's two-factor auth mechanism. It's great, because it utilizes an app on your phone as the auth mechanism, which works offline, and it also provides a fallback in case you lose your phone.

Link: http://code.google.com/p/google-authenticator/

LOL. It's such a coincidence! I have started working on Google Authenticator two hours ago (1 hour earlier than your post).

It's going to be up in 10 minutes! Stay tuned!
hero member
Activity: 607
Merit: 500
January 13, 2012, 01:52:55 AM
#17
As for two-factor auth, I'd recommend Google's two-factor auth mechanism. It's great, because it utilizes an app on your phone as the auth mechanism, which works offline, and it also provides a fallback in case you lose your phone.

Link: http://code.google.com/p/google-authenticator/
sr. member
Activity: 406
Merit: 250
January 13, 2012, 12:16:07 AM
#16
let's just hope he's actually getting laid

Not sure how that's relevant in helping with Bitcoinica security flaws? Anyways...

Firefox 3.6.25 and IE 8 on 3 different computers.

Type www.bitcoinica.com and press enter -> http://www.bitcoinica.com -> click Login -> http://www.bitcoinica.com/login -> enter email/pass and login -> https://www.bitcoinica.com/trading

From Wireshark:
21   1.613423      50.56.4.62   HTTP   956   POST /sessions HTTP/1.1  (application/x-www-form-urlencoded)

Line-based text data: application/x-www-form-urlencoded
    utf8=%E2%9C%93&authenticity_token=&login=email%40host.com&password=mycleartextpassword&commit=Log+in

Highly unlikely I'm the only one... anyone else care to try?

Without the www it redirects to https. With it, it's http.

With or without the www, still http

Sounds like it's time to bookmark the HTTPS login page lulz.
hero member
Activity: 487
Merit: 500
Are You Shpongled?
January 12, 2012, 11:57:28 PM
#15
Firefox 3.6.25 and IE 8 on 3 different computers.

Type www.bitcoinica.com and press enter -> http://www.bitcoinica.com -> click Login -> http://www.bitcoinica.com/login -> enter email/pass and login -> https://www.bitcoinica.com/trading

From Wireshark:
21   1.613423      50.56.4.62   HTTP   956   POST /sessions HTTP/1.1  (application/x-www-form-urlencoded)

Line-based text data: application/x-www-form-urlencoded
    utf8=%E2%9C%93&authenticity_token=&login=email%40host.com&password=mycleartextpassword&commit=Log+in

Highly unlikely I'm the only one... anyone else care to try?

Without the www it redirects to https. With it, it's http.
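The capture above can be turned into a repeatable check. The Python below is an added example, not code from the thread: it parses a reconstruction of the posted form body (placeholder credential values, and the http://www.bitcoinica.com/sessions URL as described by the poster, both constructed here) and reports credential fields that left the browser without TLS, plus an anti-CSRF field that is present but empty, for review.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed from the Wireshark capture quoted in the thread: same field names,
# placeholder values. Scheme/host/path are assumptions based on the poster's description.
CAPTURED_URL = "http://www.bitcoinica.com/sessions"
CAPTURED_BODY = ("utf8=%E2%9C%93&authenticity_token=&login=email%40host.com"
                 "&password=mycleartextpassword&commit=Log+in")

# Form fields that must never leave the browser over plain http.
CREDENTIAL_FIELDS = {"login", "email", "username", "password", "passwd", "pass"}
# Rails' anti-CSRF field plus common equivalents; an empty value is worth flagging.
CSRF_FIELDS = {"authenticity_token", "csrf_token", "_csrf"}


def audit_login_post(url: str, body: str) -> list:
    """Return human-readable findings for one captured form-urlencoded login POST."""
    findings = []
    scheme = urlsplit(url).scheme.lower()
    # keep_blank_values so that an empty token still shows up as a field.
    fields = parse_qs(body, keep_blank_values=True)

    exposed = sorted(k for k in fields if k.lower() in CREDENTIAL_FIELDS)
    if scheme != "https" and exposed:
        findings.append(
            f"credentials sent in cleartext over {scheme}: {', '.join(exposed)}")

    for name in sorted(fields):
        if name.lower() in CSRF_FIELDS and all(v == "" for v in fields[name]):
            findings.append(f"anti-CSRF token '{name}' is present but empty")

    return findings


if __name__ == "__main__":
    for line in audit_login_post(CAPTURED_URL, CAPTURED_BODY):
        print("-", line)
```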
sr. member
Activity: 406
Merit: 250
January 12, 2012, 10:09:19 PM
#14
What about forcing http -> https? Just a suggestion.
It already is. Dual authentication like SMS is a much needed security feature in case of keyloggers, etc. that https isn't going to protect against.

Looks like you can browse on http all the way up to the login page, which is also http.  Once logged in, you're redirected to an https site.  This would mean that username/password is sent unencrypted.

I tried in both Firefox and Chrome typing "bitcoinica.com" and both redirect to https. Not sure why it is different for you.

What about forcing http -> https? Just a suggestion.
It already is. Dual authentication like SMS is a much needed security feature in case of keyloggers, etc. that https isn't going to protect against.

Looks like you can browse on http all the way up to the login page, which is also http.  Once logged in, you're redirected to an https site.  This would mean that username/password is sent unencrypted.



Firefox 3.6.25 and IE 8 on 3 different computers.

Type www.bitcoinica.com and press enter -> http://www.bitcoinica.com -> click Login -> http://www.bitcoinica.com/login -> enter email/pass and login -> https://www.bitcoinica.com/trading

From Wireshark:
21   1.613423      50.56.4.62   HTTP   956   POST /sessions HTTP/1.1  (application/x-www-form-urlencoded)

Line-based text data: application/x-www-form-urlencoded
    utf8=%E2%9C%93&authenticity_token=&login=email%40host.com&password=mycleartextpassword&commit=Log+in

Highly unlikely I'm the only one... anyone else care to try?
legendary
Activity: 1834
Merit: 1020
January 12, 2012, 09:42:36 PM
#13
Use the same two-factor authentication that TradeHill uses (Duo-Security).  I love it.  It's so 21st century.
legendary
Activity: 2576
Merit: 1087
January 12, 2012, 09:38:31 PM
#12
What about forcing http -> https? Just a suggestion.
It already is. Dual authentication like SMS is a much needed security feature in case of keyloggers, etc. that https isn't going to protect against.

Looks like you can browse on http all the way up to the login page, which is also http.  Once logged in, you're redirected to an https site.  This would mean that username/password is sent unencrypted.

hero member
Activity: 487
Merit: 500
Are You Shpongled?
January 12, 2012, 08:26:30 PM
#11
What about forcing http -> https? Just a suggestion.
It already is. Dual authentication like SMS is a much needed security feature in case of keyloggers, etc. that https isn't going to protect against.

Looks like you can browse on http all the way up to the login page, which is also http.  Once logged in, you're redirected to an https site.  This would mean that username/password is sent unencrypted.

I tried in both Firefox and Chrome typing "bitcoinica.com" and both redirect to https. Not sure why it is different for you.
sr. member
Activity: 406
Merit: 250
January 12, 2012, 08:20:45 PM
#10
What about forcing http -> https? Just a suggestion.
It already is. Dual authentication like SMS is a much needed security feature in case of keyloggers, etc. that https isn't going to protect against.

Looks like you can browse on http all the way up to the login page, which is also http.  Once logged in, you're redirected to an https site.  This would mean that username/password is sent unencrypted.
hero member
Activity: 487
Merit: 500
Are You Shpongled?
January 12, 2012, 08:07:00 PM
#9
What about forcing http -> https? Just a suggestion.
It already is. Dual authentication like SMS is a much needed security feature in case of keyloggers, etc. that https isn't going to protect against.
sr. member
Activity: 406
Merit: 250
January 12, 2012, 07:48:10 PM
#8
What about forcing http -> https? Just a suggestion.
sr. member
Activity: 448
Merit: 250
this statement is false
January 12, 2012, 07:46:01 PM
#7
The only securities you need are chastity belt for your daughters. Because zhoutong is young and horny and he is going to be filthy rich in a couple years.

lawl
hero member
Activity: 770
Merit: 500
You're fat, because you dont have any pics on FB
January 12, 2012, 07:45:15 PM
#6
The only securities you need are chastity belt for your daughters. Because zhoutong is young and horny and he is going to be filthy rich in a couple years.

lmao..
member
Activity: 87
Merit: 10
January 12, 2012, 07:42:42 PM
#5
The only securities you need are chastity belt for your daughters. Because zhoutong is young and horny and he is going to be filthy rich in a couple years.
sr. member
Activity: 321
Merit: 250
Bitbuy.nl!
January 12, 2012, 02:29:48 PM
#4
I totally agree with the OP. I would really like some extra security.
donator
Activity: 3136
Merit: 1167
January 12, 2012, 02:16:18 PM
#3
yes agreed, as I'd already posted on his thread about this just a couple of hours ago

https://bitcointalksearch.org/topic/m.687845

even a 3 random chars drop down input for secondary verification from a long memorable phrase or paper hard copy of random chars would be good & easy enough to implement I'd imagine

because in order to get maximum protection from a zhoutonging it's tempting to park a large portion of one's BTC holdings there atm rather than say at Goxed or in one's own secure storage wallet/coded key in the cloud

...

PS I thought it was Australian girls atm btw
member
Activity: 87
Merit: 10
January 12, 2012, 02:07:42 PM
#2
He's too busy traveling and banging American girls to build security for his site.
hero member
Activity: 686
Merit: 500
Bitbuy
January 12, 2012, 02:03:45 PM
#1
Zhoutong, I was wondering if there are any plans in the making involving added security for your site? Looking at the average daily volume that Bitcoinica produces, there must be quite a lot of funds in that place. The thing is, if someone manages to access your account, he can easily run off with BTC, because it's not reversible. I think a lot of people would appreciate a bit of added security for their accounts. I know I would. Could you please implement one of these two solutions?

1) SMS-authentication
2) Yubikey authentication


Thank you very much!