
Topic: [BOUNTY 22 btc] lulzSec secure, private exchange (Read 10270 times)

sr. member
Activity: 350
Merit: 251
LulzSec is nothing more than a bunch of dumb teenagers using entry-level penetration testing tools.
That's simply not true. From what I understand it's basically a free-for-all, so there's bound to be a lot of dumb teenagers, but also smarter (and sometimes older) hacktivists. They all use the name "anonymous" (or lulzsec) so you'd never know. It's a pretty interesting strategy as it allows them to hide in the crowd.

Then again, a lot of "professional" penetration testers also simply fire up their exploit scanner and then charge you big $$$ per hour. So I don't see the problem in letting a hacker group do it for free :)


Lulz Security® is not part of anonymous, just like wikileaks is not part of anonymous. They are all separate entities, although they may have similar goals and ways of working. And anyone who thinks they are simply just some script kiddies, you would have to be wrong in a lot of cases; sure, a lot of script kiddy anons exist, but a lot of them are also very good, like the sony hack(s).
legendary
Activity: 2408
Merit: 1121

Exactly. The edges are where it falls apart. Not sure how to address this.

The issue is addressed via centralization, or simply trading in person in your area, or via mail.

I just don't see your idea working.

Yeah, I know. The whole trading transaction thing is all well and good - but I don't know how to handle the edges where a level of trust is required.

Just threw it out there in case someone has a 'satoshi' and figures it out.
hero member
Activity: 812
Merit: 1022
No Maps for These Territories
LulzSec is nothing more than a bunch of dumb teenagers using entry-level penetration testing tools.
That's simply not true. From what I understand it's basically a free-for-all, so there's bound to be a lot of dumb teenagers, but also smarter (and sometimes older) hacktivists. They all use the name "anonymous" (or lulzsec) so you'd never know. It's a pretty interesting strategy as it allows them to hide in the crowd.

Then again, a lot of "professional" penetration testers also simply fire up their exploit scanner and then charge you big $$$ per hour. So I don't see the problem in letting a hacker group do it for free :)
legendary
Activity: 1022
Merit: 1001
wow what a fucked up thread
full member
Activity: 196
Merit: 101

How do you make sure that the people actually have the USD they are trading for BC?

Exactly. The edges are where it falls apart. Not sure how to address this.

You could have a decentralized 'reputation' for each address that's used for trading, maybe.
sr. member
Activity: 350
Merit: 251

Exactly. The edges are where it falls apart. Not sure how to address this.

The issue is addressed via centralization, or simply trading in person in your area, or via mail.

I just don't see your idea working.
legendary
Activity: 2408
Merit: 1121

How do you make sure that the people actually have the USD they are trading for BC?

Exactly. The edges are where it falls apart. Not sure how to address this.
sr. member
Activity: 350
Merit: 251
@bitcoin_bug

I've thought about how to implement this, but it all comes down to how you redeem bitcoins to < insert currency of choice > on the edges. Here's a sample idea that I was trying to work with:

http://farm6.static.flickr.com/5061/5898790520_fda447e331_b.jpg

However, as it says - there are plenty of things to be worked out. Storing trades via blockchain is all well and good, but it wouldn't be particularly fast. Not sure what the best implementation would be at this point.

How do you make sure that the people actually have the USD they are trading for BC?
legendary
Activity: 2408
Merit: 1121
@bitcoin_bug

I've thought about how to implement this, but it all comes down to how you redeem bitcoins to < insert currency of choice > on the edges. Here's a sample idea that I was trying to work with:



However, as it says - there are plenty of things to be worked out. Storing trades via blockchain is all well and good, but it wouldn't be particularly fast. Not sure what the best implementation would be at this point.
sr. member
Activity: 350
Merit: 251
Lulz Security® is not an entity you request, hackers are not people you want to associate yourself with.
sr. member
Activity: 463
Merit: 252
What you're asking for is basically impossible to do while simultaneously following anti money laundering and anti terrorism laws and eliminating counter party risk.
hero member
Activity: 607
Merit: 500
Does BitMarket.eu (because it doesn't have money deposits) count? :)

Not sure ... are you suggesting we request lulzSec to run a 'test' on Bitmarket.eu?

What is BitMarket.eu's privacy and security policies on storing customer records, transaction records, etc?

If an attacker was to infiltrate and publish records, would it lead to a compromised security situation or embarrassment of clients using it?

Compromising security always leads to embarrassment of the site that gets compromised.
We don't store any details on our members besides their logins, emails and hashed passwords. The database is only readable by one user, which has a very long and secure password. Database admin interface is not viewable from outside. We use a non-default SSH port. We make offsite backups of both our wallets and the db. I'm not sure what else you expect? We'll happily adapt to more security measures that we could not think of.
hero member
Activity: 616
Merit: 500
Sending btc/money to LuLz is LuLz.

That's like paying off the mafia not to attack your business.
legendary
Activity: 3066
Merit: 1147
The revolution will be monetized!
And when L/S says it's been tested and all threats have been addressed... You're going to put your money in? After they have had a chance to check it all out? No thanks.
sr. member
Activity: 440
Merit: 251
I'm interested in developing a secure exchange platform. Not so sure what you mean by private---is it just that there's no public record of deposits/withdrawals/trades?

I think the stored-password-hash system is ultimately not secure enough for something like this. What I'd like to build is a stored-public-key system something like that for the #bitcoin-otc web of trust. A client sending a command to the exchange server would timestamp it and sign it with his public key, and the server would verify the signature before carrying out the command. I see no theoretical barrier to implementing this in Javascript so that, to the user, it looks just like entering a password at any other site---but it sounds hard, and you'd have to figure out where to store the private key on the client's end. Building a standalone client application that calls GPG for the signing would be easier but probably less used.

I recommend you start with my API:

https://github.com/FellowTraveler/Open-Transactions/wiki

newbie
Activity: 28
Merit: 1
Didn't Lulzsex just admit to being behind the attack at MTGox? I think they just admitted it on their twitter; Hacktivism for Silk Road no doubt, but they probably won't admit that.

I wonder if they really are messing with the FBI like they say they are? Or is that just social engineering?
legendary
Activity: 3920
Merit: 2349
Eadem mutata resurgo
Does BitMarket.eu (because it doesn't have money deposits) count? :)

Not sure ... are you suggesting we request lulzSec to run a 'test' on Bitmarket.eu?

What is BitMarket.eu's privacy and security policies on storing customer records, transaction records, etc?

If an attacker was to infiltrate and publish records, would it lead to a compromised security situation or embarrassment of clients using it?
full member
Activity: 140
Merit: 101
I'm interested in developing a secure exchange platform. Not so sure what you mean by private---is it just that there's no public record of deposits/withdrawals/trades?

I think the stored-password-hash system is ultimately not secure enough for something like this. What I'd like to build is a stored-public-key system something like that for the #bitcoin-otc web of trust. A client sending a command to the exchange server would timestamp it and sign it with his public key, and the server would verify the signature before carrying out the command. I see no theoretical barrier to implementing this in Javascript so that, to the user, it looks just like entering a password at any other site---but it sounds hard, and you'd have to figure out where to store the private key on the client's end. Building a standalone client application that calls GPG for the signing would be easier but probably less used.
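
The signed-command scheme proposed in the post above, as an added example that is not part of the thread or any poster's code: the client signs a timestamped command with its private key, and the server, which stores only the public key, checks the signature, the timestamp window and a nonce before acting. It assumes Node.js with Ed25519 from the built-in `crypto` module in place of GPG; `signCommand`, `makeServer`, `MAX_SKEW_MS`, the 30-second window and the nonce field are hypothetical choices.

```javascript
const crypto = require('crypto');
const MAX_SKEW_MS = 30000; // assumed freshness window, not taken from the thread

// Client: wrap the command with a timestamp and nonce, sign the exact bytes sent.
function signCommand(privateKey, userId, command, now = Date.now()) {
  const nonce = crypto.randomBytes(16).toString('hex');
  const payload = JSON.stringify({ userId, command, ts: now, nonce });
  const sig = crypto.sign(null, Buffer.from(payload), privateKey).toString('base64');
  return { payload, sig };
}

// Server: stores public keys only, plus the nonces seen inside the window.
function makeServer(publicKeys) {
  const seen = new Map(); // nonce -> time after which the timestamp check rejects it
  return function verifyCommand(msg, now = Date.now()) {
    let body = null, valid = false;
    try {
      body = JSON.parse(msg.payload);
      const key = publicKeys.get(body.userId);
      if (!key) return { ok: false, reason: 'unknown user' };
      // Verify the received bytes, never a re-serialized copy of the JSON.
      valid = crypto.verify(null, Buffer.from(msg.payload), key,
        Buffer.from(String(msg.sig), 'base64'));
    } catch (e) { return { ok: false, reason: 'malformed' }; }
    if (!valid) return { ok: false, reason: 'bad signature' };
    const fresh = typeof body.ts === 'number' && Math.abs(now - body.ts) <= MAX_SKEW_MS;
    if (!fresh) return { ok: false, reason: 'stale timestamp' };
    for (const [n, exp] of seen) if (exp < now) seen.delete(n); // drop expired nonces
    if (typeof body.nonce !== 'string' || seen.has(body.nonce)) return { ok: false, reason: 'replay' };
    seen.set(body.nonce, body.ts + MAX_SKEW_MS);
    return { ok: true, command: body.command };
  };
}

// Constructed demo: one key pair, a fixed clock value, four verification attempts.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const verify = makeServer(new Map([['alice', publicKey]]));
  const t0 = 1700000000000;
  const msg = signCommand(privateKey, 'alice', { op: 'withdraw', btc: '1.5' }, t0);
  const forged = { payload: msg.payload.replace('1.5', '9.5'), sig: msg.sig };
  return {
    first: verify(msg, t0 + 1000),
    replay: verify(msg, t0 + 2000),
    tampered: verify(forged, t0 + 1000),
    stale: verify(signCommand(privateKey, 'alice', { op: 'balance' }, t0), t0 + 60000),
  };
}
```

A database leak from such a server exposes only public keys, which cannot be used to sign commands; the remaining problem is the one the post names, where the private key lives on the client.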
hero member
Activity: 607
Merit: 500
Does BitMarket.eu (because it doesn't have money deposits) count? :)
newbie
Activity: 56
Merit: 0
LulzSec is nothing more than a bunch of dumb teenagers using entry-level penetration testing tools.

And the lulz grows.

lulz