BRB, reverse-engineering Bitcoinica | Bitcointalksearch.org

ashleyconnor

newbie

Activity: 38

Merit: 0

Quote from: davout on July 13, 2012, 04:14:25 PM

Quote from: hazek on July 13, 2012, 04:10:53 PM

Could you in layman's terms explain what the app actually does in terms of positions and matching and liquidating, ect...

I haven't gotten there yet.
Took a bit of time to get every moving part in place to have it actually running.

I installed redis but I was getting nilClass errors.

I'll give it more time later.

davout

legendary

Activity: 1372

Merit: 1007

1davout

Quote from: paulie_w on July 13, 2012, 04:43:59 PM

i assume there's no easy install of all dependencies listed neatly in a Gemfile?

Your assumption is incorrect

Quote from: paulie_w on July 13, 2012, 04:43:59 PM

i would like to know how the app interfaces with the local bitcoin client or client(s).

It uses the bitcoiner gem which is my code (extracted from bitcoin-central) packaged by someone I don't know as a ruby gem

paulie_w

sr. member

Activity: 420

Merit: 250

Quote from: davout on July 13, 2012, 04:14:25 PM

Quote from: hazek on July 13, 2012, 04:10:53 PM

Could you in layman's terms explain what the app actually does in terms of positions and matching and liquidating, ect...

I haven't gotten there yet.
Took a bit of time to get every moving part in place to have it actually running.

can you talk a bit about that?

i assume there's no easy install of all dependencies listed neatly in a Gemfile?

i would like to know how the app interfaces with the local bitcoin client or client(s).

hazek

legendary

Activity: 1078

Merit: 1002

Cool, I can't wait to hear how it really worked.

davout

legendary

Activity: 1372

Merit: 1007

1davout

Quote from: hazek on July 13, 2012, 04:10:53 PM

Could you in layman's terms explain what the app actually does in terms of positions and matching and liquidating, ect...

I haven't gotten there yet.
Took a bit of time to get every moving part in place to have it actually running.

hazek

legendary

Activity: 1078

Merit: 1002

Could you in layman's terms explain what the app actually does in terms of positions and matching and liquidating, ect...

davout

legendary

Activity: 1372

Merit: 1007

1davout

Additionally the app itself has never been hacked (which is a little surprising Cheesy

)

davout

legendary

Activity: 1372

Merit: 1007

1davout

Quote from: paulie_w on July 13, 2012, 03:17:32 PM

so, this is good material for the wiki that should be written. even if it is "fucking trivial to get right" (ie, fucking obvious).

It would be pointless to write this in the wiki, all the Rails security basics are widely available online.
If you want your app to be secure it's not the lack of information that's in the way.

paulie_w

sr. member

Activity: 420

Merit: 250

Quote

Rails gives you the infrastructure to easily write them since day one. But they don't just write themselves

The real facepalm flaw is the fact that production passwords are stored in the code itself. This is plain wrong.
You're effectively giving the github (or whatever source control system you use) access to all funds at all times.
And it's fucking trivial to get right, just make a deploy hook to copy the production configuration files from the production server, to the production server.

so, this is good material for the wiki that should be written. even if it is "fucking trivial to get right" (ie, fucking obvious).

davout

legendary

Activity: 1372

Merit: 1007

1davout

Quote from: ashleyconnor on July 13, 2012, 12:38:19 PM

Just had a quick look.
Not one test in the whole codebase.

You can't judge an app on that, tests mean you're protecting yourself against regressions.
The app was written in 4 days, I think it is an impressive piece of work despite a couple major security flaws I identified by simply having a quick look.

Quote from: paulie_w on July 13, 2012, 02:49:43 PM

aren't unit tests a default part of rails these days?
or is that some other kind of test?

Rails gives you the infrastructure to easily write them since day one. But they don't just write themselves

The real facepalm flaw is the fact that production passwords are stored in the code itself. This is plain wrong.
You're effectively giving the github (or whatever source control system you use) access to all funds at all times.
And it's fucking trivial to get right, just make a deploy hook to copy the production configuration files from the production server, to the production server.

paulie_w

sr. member

Activity: 420

Merit: 250

Quote from: ashleyconnor on July 13, 2012, 12:38:19 PM

Just had a quick look.

Not one test in the whole codebase.

aren't unit tests a default part of rails these days?

or is that some other kind of test?

rjk

sr. member

Activity: 448

Merit: 250

1ngldh

Quote from: ashleyconnor on July 13, 2012, 12:38:19 PM

Just had a quick look.

Not one test in the whole codebase.

"I am a god-level programmer and every line that I write turns to gold and bows down at my feet. Unit tests? What an insult!" Undecided

ashleyconnor

newbie

Activity: 38

Merit: 0

Just had a quick look.

Not one test in the whole codebase.

hazek

legendary

Activity: 1078

Merit: 1002

Quote from: davout on July 13, 2012, 11:49:50 AM

Quote from: hazek on July 13, 2012, 11:02:01 AM

Can you copy their ToS and post it here?

Here you go : http://pastebin.com/AMrABK66

The good thing is that what genjix posted contains a full git repository, meaning we see can all the different ToS versions.

Awesome thanks!

I wonder what insights we will gain from seeing under the hood just how exactly did Bitcoinca operate, it might turn out that the attack was actually a good thing and it stopped a bucket shop scam where people were unfairly losing loads of money vs the house. Of course there's no question the loss for everyone who had their funds there is very unfortunate and regrettable and wrong.

davout

legendary

Activity: 1372

Merit: 1007

1davout

Quote from: hazek on July 13, 2012, 11:02:01 AM

Can you copy their ToS and post it here?

Here you go : http://pastebin.com/AMrABK66

The good thing is that what genjix posted contains a full git repository, meaning we see can all the different ToS versions.

hazek

legendary

Activity: 1078

Merit: 1002

Quote from: proudhon on July 13, 2012, 11:03:27 AM

Quote from: hazek on July 13, 2012, 11:02:01 AM

Can you copy their ToS and post it here?

Will you post a link to the source code?

Did you miss the link here? It's in the first post.

proudhon

legendary

Activity: 2198

Merit: 1311

Quote from: hazek on July 13, 2012, 11:02:01 AM

Can you copy their ToS and post it here?

Will you post a link to the source code?

hazek

legendary

Activity: 1078

Merit: 1002

Can you copy their ToS and post it here?

davout

legendary

Activity: 1372

Merit: 1007

1davout

Topic: BRB, reverse-engineering Bitcoinica (Read 1988 times)