[BTC-TC] Virtual Community Exchange [CLOSED] - page 82.

btharper

sr. member

Activity: 389

Merit: 250

Quote from: burnside on July 08, 2013, 03:52:17 AM

Quote from: Rannasha on July 07, 2013, 02:00:57 PM

Quote from: btharper on July 07, 2013, 01:31:46 PM

Quote from: Lohoris on July 07, 2013, 12:55:39 PM

Quote from: EskimoBob on July 07, 2013, 12:33:35 PM

... and this is exactly why I do not like this at all. I still need to have 2 or more computers.

That's, like, the whole point of 2FA.

I'd say using a separate program on the same machine offers some additional security over not using it at all. A simple keylogger won't compromise your account anymore, though anything that can just read the 2FA files can, but I'd hope those are less common so far.

Yeah, you do gain additional security, since many keyloggers just grab as many passwords on autopilot and that's it. However, if someone is specifically targeting you or uses a more advanced keylogger, they can access the 2FA program just as easily as your password.

Running a 2FA program on your main machine is a bit like using a Mac for security: It's not inherently more secure, but since it's less targeted by attackers, your chance of getting hit is reduced.

Yubikeys and old phones are cheap and readily available. An old phone doesn't even need cellular service. Just wifi to get the app installed and once it's installed, it doesn't even need that except to occasionally sync the time. I think we're in a good place security-wise. Where we could improve:

- One-time use form tokens. These also prevent double button press form submission issues. (90% done, it's in testing now.)
- 2FA input in a few places that don't already have it. (most places that don't are not particularly sensitive.)
- Require 2FA to use the site. Essentially no trading would be allowed until 2FA was turned on. (still thinking this one over.)

Cheers.

Short of sending out free yubikeys for qualifying members a la MtGox I think it would be difficult to force existing 2FA, especially for new users. Incentives like existing lower trade fees should be effective and might be easy enough to tweak as required to push more adoption.

davos

member

Activity: 106

Merit: 10

Quote from: burnside on July 08, 2013, 03:52:17 AM

- Require 2FA to use the site. Essentially no trading would be allowed until 2FA was turned on. (still thinking this one over.)

If you're going to do mandatory 2FA (which I agree with), you might consider offering an SMS token as google does with gmail logins. It's probably not as secure as some other options, but any additional security that requires more than just a concurrent session is probably beneficial.

It's not entirely reasonable (just yet) to assume that everyone who may be using BTCT or LTCGlobal has a smartphone - but a mobile phone and/or yubikey requirement makes sense.

burnside

legendary

Activity: 1106

Merit: 1006

Lead Blockchain Developer

Quote from: Rannasha on July 07, 2013, 02:00:57 PM

Quote from: btharper on July 07, 2013, 01:31:46 PM

Quote from: Lohoris on July 07, 2013, 12:55:39 PM

Quote from: EskimoBob on July 07, 2013, 12:33:35 PM

... and this is exactly why I do not like this at all. I still need to have 2 or more computers.

That's, like, the whole point of 2FA.

I'd say using a separate program on the same machine offers some additional security over not using it at all. A simple keylogger won't compromise your account anymore, though anything that can just read the 2FA files can, but I'd hope those are less common so far.

Yeah, you do gain additional security, since many keyloggers just grab as many passwords on autopilot and that's it. However, if someone is specifically targeting you or uses a more advanced keylogger, they can access the 2FA program just as easily as your password.

Running a 2FA program on your main machine is a bit like using a Mac for security: It's not inherently more secure, but since it's less targeted by attackers, your chance of getting hit is reduced.

Yubikeys and old phones are cheap and readily available. An old phone doesn't even need cellular service. Just wifi to get the app installed and once it's installed, it doesn't even need that except to occasionally sync the time. I think we're in a good place security-wise. Where we could improve:

- One-time use form tokens. These also prevent double button press form submission issues. (90% done, it's in testing now.)
- 2FA input in a few places that don't already have it. (most places that don't are not particularly sensitive.)
- Require 2FA to use the site. Essentially no trading would be allowed until 2FA was turned on. (still thinking this one over.)

Cheers.

Rannasha

hero member

Activity: 728

Merit: 500

Quote from: btharper on July 07, 2013, 01:31:46 PM

Quote from: Lohoris on July 07, 2013, 12:55:39 PM

Quote from: EskimoBob on July 07, 2013, 12:33:35 PM

... and this is exactly why I do not like this at all. I still need to have 2 or more computers.

That's, like, the whole point of 2FA.

I'd say using a separate program on the same machine offers some additional security over not using it at all. A simple keylogger won't compromise your account anymore, though anything that can just read the 2FA files can, but I'd hope those are less common so far.

Yeah, you do gain additional security, since many keyloggers just grab as many passwords on autopilot and that's it. However, if someone is specifically targeting you or uses a more advanced keylogger, they can access the 2FA program just as easily as your password.

Running a 2FA program on your main machine is a bit like using a Mac for security: It's not inherently more secure, but since it's less targeted by attackers, your chance of getting hit is reduced.

btharper

sr. member

Activity: 389

Merit: 250

Quote from: Lohoris on July 07, 2013, 12:55:39 PM

Quote from: EskimoBob on July 07, 2013, 12:33:35 PM

... and this is exactly why I do not like this at all. I still need to have 2 or more computers.

That's, like, the whole point of 2FA.

I'd say using a separate program on the same machine offers some additional security over not using it at all. A simple keylogger won't compromise your account anymore, though anything that can just read the 2FA files can, but I'd hope those are less common so far.

Lohoris

hero member

Activity: 630

Merit: 500

Bitgoblin

Quote from: EskimoBob on July 07, 2013, 12:33:35 PM

... and this is exactly why I do not like this at all. I still need to have 2 or more computers.

That's, like, the whole point of 2FA.

EskimoBob

legendary

Activity: 910

Merit: 1000

Quality Printing Services by Federal Reserve Bank

Quote from: Rannasha on July 07, 2013, 11:04:32 AM

If you use a script like that for GAuth, make sure to use it on a separate machine from the one you use to log in, otherwise you may still lose your account if your machine is compromised.

... and this is exactly why I do not like this at all. I still need to have 2 or more computers.

Rannasha

hero member

Activity: 728

Merit: 500

If you use a script like that for GAuth, make sure to use it on a separate machine from the one you use to log in, otherwise you may still lose your account if your machine is compromised.

EskimoBob

legendary

Activity: 910

Merit: 1000

Quality Printing Services by Federal Reserve Bank

Quote from: 🏰 TradeFortress 🏰 on July 07, 2013, 07:04:52 AM

Quote from: EskimoBob on July 07, 2013, 07:03:55 AM

Not sure why anyone has to remember those PIN's... but never mind that.
Yes, I understand, that this is what your Yubikey is doing... if you have one. Google 2fa is basically the same but you need one of those shiny slab-phones to use it.
What I proposed is a low cost, OS and phone independent solution.

No, you don't need a smartphone to use google 2fa.

Thank you for not posting any useful links Wink

Looks like here is one: https://bitcointalksearch.org/topic/m.2216245

Ira H. Fuchs

newbie

Activity: 14

Merit: 0

Quote from: Rannasha on July 06, 2013, 11:50:45 AM

Quote from: Ira H. Fuchs on July 06, 2013, 10:47:05 AM

Quote from: dexX7 on July 06, 2013, 10:33:55 AM

Quote from: Ira H. Fuchs on July 06, 2013, 10:09:10 AM

good morning, What is a virtual stock this is a news to me. What brokers deal in these types of instruments thanks..Ira

Here we go:

Quote

Why would I want to invest in a virtual currency company?
To expand your BTC virtual currency fortune of course! Or something more noble, like funding a project for a greater good.

Is it legal for this exchange to operate?
Most countries require real securities exchanges to register and abide by a very strict set of rules. Obviously we do not have the funding to afford such registration or the overhead of administering such rules. In addition, no single country would allow such an exchange to operate globally. As such we have taken the following approach to the operation of the site:

No assets on the site are to be considered real.
The use of this site is for educational and entertainment purposes only.
If an asset issuer on this site defaults, you have ZERO RECOURSE. (not like you have any recourse in most international BTC situations anyway.)

Is it legal for me to use the site?
Most countries will have no problem with you using a securities simulation site, even one that uses digital virtual currencies. There are multiple examples of virtual goods exchanges in operation around the globe, most of which are better funded in the legal department than this one. It is largely on the backs of these giants that we believe we are in the clear. We also believe that everything digital has some value to someone, and trying to artifically limit what "virtual" or "digital" belongings people are allowed to trade or play games with is simply not going to be possible. Of course, please let us know if you believe your country may have an issue with it and we will post prominent warnings. We do ask that you keep the following in mind at all times:

No assets on the site are to be considered real.
The use of this site is for educational and entertainment purposes only.
If an asset issuer on this site defaults, you have ZERO RECOURSE. (not like you have any recourse in most international BTC situations anyway.)

Why should we trust this site after so many others have failed?

We are different in several key ways:

We do not pretend that we are a real registered exchange.
We do not pretend the assets on the site are real.
We are a real company, registered in Belize.
We are transparent. We do not lock you into using our site. Every asset issuer receives a daily email showing who is holding their assets. This allows them to move their virtual operation off the site to anywhere
else they might choose.

https://btct.co/faq

good morning, Who runs this exchange, and where is the registering agent contact information as required by law thanks..Ira

Burnside runs the exchange. And since it is advertised a virtual exchange, not a real one, it doesn't fall under those parts of the law. The company that operates the exchange is registered in Belize. I'm sure you can find contact info on the site somewhere ^^

good morning, There is no contact information on your website. I'm surprised no one has brought this up already...Ira

🏰 TradeFortress 🏰

vip

Activity: 1316

Merit: 1043

👻

Quote from: EskimoBob on July 07, 2013, 07:03:55 AM

Not sure why anyone has to remember those PIN's... but never mind that.
Yes, I understand, that this is what your Yubikey is doing... if you have one. Google 2fa is basically the same but you need one of those shiny slab-phones to use it.
What I proposed is a low cost, OS and phone independent solution.

No, you don't need a smartphone to use google 2fa.

EskimoBob

legendary

Activity: 910

Merit: 1000

Quality Printing Services by Federal Reserve Bank

Quote from: Deprived on July 07, 2013, 06:43:38 AM

Quote from: EskimoBob on July 07, 2013, 06:34:30 AM

Because of all the security drama, I proposed a bit more secure PIN system for bitfunder
Here is the copy from https://bitcointalksearch.org/topic/m.2673044

Can you generate PIN's that can be used only once? Question is, how to deliver the list of keys to your client so "they" (bad guys) do not have them

Code:

1) 11975
2) 14975
3) 07277
4) 06680
5) 14321
6) 28753
7) 90415
8) 91468
9) 99442
10) 95016
...

None of the numbers can be reused. When I log in and start a transfer or any other operation, where coin/shares move, system ask for a PIN #?. Lets sat I have used 1-3 so it asks for PIN 4 and then for #5 etc.
If I screw up and enter PIN #4 incorrectly, PIN #5 will be asked and so on.
If you add a delay, that starts to grow after every wrong entry, brute force becomes pointless. Even better, lock the account down after 5 wrong PIN entries and send out an e-mail.

Google Authenticator or Yubikey both do what you propose already - without you having to generate and remember a long list of PINs. Every time I do a trade or transfer on BTC-TC I have to touch my Yubikey to get it to generate a new 'PIN' which is longer than your 5-digit ones and can't be calculated or generated by anyone without the actual Yubikey.

There's no need to invent a square wheel when round ones already exist.

Not sure why anyone has to remember those PIN's... but never mind that.
Yes, I understand, that this is what your Yubikey is doing... if you have one. Google 2fa is basically the same but you need one of those shiny slab-phones to use it.
What I proposed is a low cost, OS and phone independent solution.

elefter

member

Activity: 67

Merit: 10

is it my idea or the number of shares in the ask and bid is displayed wrong?

Deprived

hero member

Activity: 532

Merit: 500

Quote from: EskimoBob on July 07, 2013, 06:34:30 AM

Because of all the security drama, I proposed a bit more secure PIN system for bitfunder
Here is the copy from https://bitcointalksearch.org/topic/m.2673044

Can you generate PIN's that can be used only once? Question is, how to deliver the list of keys to your client so "they" (bad guys) do not have them

Code:

1) 11975
2) 14975
3) 07277
4) 06680
5) 14321
6) 28753
7) 90415
8) 91468
9) 99442
10) 95016
...

None of the numbers can be reused. When I log in and start a transfer or any other operation, where coin/shares move, system ask for a PIN #?. Lets sat I have used 1-3 so it asks for PIN 4 and then for #5 etc.
If I screw up and enter PIN #4 incorrectly, PIN #5 will be asked and so on.
If you add a delay, that starts to grow after every wrong entry, brute force becomes pointless. Even better, lock the account down after 5 wrong PIN entries and send out an e-mail.

Google Authenticator or Yubikey both do what you propose already - without you having to generate and remember a long list of PINs. Every time I do a trade or transfer on BTC-TC I have to touch my Yubikey to get it to generate a new 'PIN' which is longer than your 5-digit ones and can't be calculated or generated by anyone without the actual Yubikey.

There's no need to invent a square wheel when round ones already exist.

EskimoBob

legendary

Activity: 910

Merit: 1000

Quality Printing Services by Federal Reserve Bank

Because of all the security drama, I proposed a bit more secure PIN system for bitfunder
Here is the copy from https://bitcointalksearch.org/topic/m.2673044

Can you generate PIN's that can be used only once? Question is, how to deliver the list of keys to your client so "they" (bad guys) do not have them

Code:

1) 11975
2) 14975
3) 07277
4) 06680
5) 14321
6) 28753
7) 90415
8) 91468
9) 99442
10) 95016
...

None of the numbers can be reused. When I log in and start a transfer or any other operation, where coin/shares move, system ask for a PIN #?. Lets sat I have used 1-3 so it asks for PIN 4 and then for #5 etc.
If I screw up and enter PIN #4 incorrectly, PIN #5 will be asked and so on.
If you add a delay, that starts to grow after every wrong entry, brute force becomes pointless. Even better, lock the account down after 5 wrong PIN entries and send out an e-mail.

burnside

legendary

Activity: 1106

Merit: 1006

Lead Blockchain Developer

Quote from: Exocyst on July 06, 2013, 09:50:43 AM

Hi Burnside,

How is the options trading API coming along? Can you give a rough estimate of delivery schedule for this important (to me) feature? Love the realtime tab! Keep up the good work.

Soon I hope. I wrapped up a huge piece of my backend work this week. Hopefully we'll be seeing a lot less of the "asset lock timeouts" going forward.

Rannasha

hero member

Activity: 728

Merit: 500

Quote from: Ira H. Fuchs on July 06, 2013, 10:47:05 AM

Quote from: dexX7 on July 06, 2013, 10:33:55 AM

Quote from: Ira H. Fuchs on July 06, 2013, 10:09:10 AM

good morning, What is a virtual stock this is a news to me. What brokers deal in these types of instruments thanks..Ira

Here we go:

Quote

Why would I want to invest in a virtual currency company?
To expand your BTC virtual currency fortune of course! Or something more noble, like funding a project for a greater good.

Is it legal for this exchange to operate?
Most countries require real securities exchanges to register and abide by a very strict set of rules. Obviously we do not have the funding to afford such registration or the overhead of administering such rules. In addition, no single country would allow such an exchange to operate globally. As such we have taken the following approach to the operation of the site:

No assets on the site are to be considered real.
The use of this site is for educational and entertainment purposes only.
If an asset issuer on this site defaults, you have ZERO RECOURSE. (not like you have any recourse in most international BTC situations anyway.)

Is it legal for me to use the site?
Most countries will have no problem with you using a securities simulation site, even one that uses digital virtual currencies. There are multiple examples of virtual goods exchanges in operation around the globe, most of which are better funded in the legal department than this one. It is largely on the backs of these giants that we believe we are in the clear. We also believe that everything digital has some value to someone, and trying to artifically limit what "virtual" or "digital" belongings people are allowed to trade or play games with is simply not going to be possible. Of course, please let us know if you believe your country may have an issue with it and we will post prominent warnings. We do ask that you keep the following in mind at all times:

No assets on the site are to be considered real.
The use of this site is for educational and entertainment purposes only.
If an asset issuer on this site defaults, you have ZERO RECOURSE. (not like you have any recourse in most international BTC situations anyway.)

Why should we trust this site after so many others have failed?

We are different in several key ways:

We do not pretend that we are a real registered exchange.
We do not pretend the assets on the site are real.
We are a real company, registered in Belize.
We are transparent. We do not lock you into using our site. Every asset issuer receives a daily email showing who is holding their assets. This allows them to move their virtual operation off the site to anywhere
else they might choose.

https://btct.co/faq

good morning, Who runs this exchange, and where is the registering agent contact information as required by law thanks..Ira

Burnside runs the exchange. And since it is advertised a virtual exchange, not a real one, it doesn't fall under those parts of the law. The company that operates the exchange is registered in Belize. I'm sure you can find contact info on the site somewhere ^^

dexX7

legendary

Activity: 1106

Merit: 1026

Quote from: Ira H. Fuchs on July 06, 2013, 10:47:05 AM

good morning, Who runs this exchange, and where is the registering agent contact information as required by law thanks..Ira

Good morning, too. First of all: thanks for keeping the blockchain alive! I'm a bit stunned though. For someone who owns more than 1000 Bitcoin and who is capable of running the university computer to mine Bitcoin, which is many times more powerful than anything available to the public, you should be able to research those information quite easily. By the way, did you find out where BTC is traded yet? Wink

Ira H. Fuchs

newbie

Activity: 14

Merit: 0

Quote from: dexX7 on July 06, 2013, 10:33:55 AM

Quote from: Ira H. Fuchs on July 06, 2013, 10:09:10 AM

good morning, What is a virtual stock this is a news to me. What brokers deal in these types of instruments thanks..Ira

Here we go:

Quote

Why would I want to invest in a virtual currency company?
To expand your BTC virtual currency fortune of course! Or something more noble, like funding a project for a greater good.

Is it legal for this exchange to operate?
Most countries require real securities exchanges to register and abide by a very strict set of rules. Obviously we do not have the funding to afford such registration or the overhead of administering such rules. In addition, no single country would allow such an exchange to operate globally. As such we have taken the following approach to the operation of the site:

No assets on the site are to be considered real.
The use of this site is for educational and entertainment purposes only.
If an asset issuer on this site defaults, you have ZERO RECOURSE. (not like you have any recourse in most international BTC situations anyway.)

Is it legal for me to use the site?
Most countries will have no problem with you using a securities simulation site, even one that uses digital virtual currencies. There are multiple examples of virtual goods exchanges in operation around the globe, most of which are better funded in the legal department than this one. It is largely on the backs of these giants that we believe we are in the clear. We also believe that everything digital has some value to someone, and trying to artifically limit what "virtual" or "digital" belongings people are allowed to trade or play games with is simply not going to be possible. Of course, please let us know if you believe your country may have an issue with it and we will post prominent warnings. We do ask that you keep the following in mind at all times:

No assets on the site are to be considered real.
The use of this site is for educational and entertainment purposes only.
If an asset issuer on this site defaults, you have ZERO RECOURSE. (not like you have any recourse in most international BTC situations anyway.)

Why should we trust this site after so many others have failed?

We are different in several key ways:

We do not pretend that we are a real registered exchange.
We do not pretend the assets on the site are real.
We are a real company, registered in Belize.
We are transparent. We do not lock you into using our site. Every asset issuer receives a daily email showing who is holding their assets. This allows them to move their virtual operation off the site to anywhere
else they might choose.

https://btct.co/faq

good morning, Who runs this exchange, and where is the registering agent contact information as required by law thanks..Ira

dexX7

legendary

Activity: 1106

Merit: 1026

Quote from: Ira H. Fuchs on July 06, 2013, 10:09:10 AM

good morning, What is a virtual stock this is a news to me. What brokers deal in these types of instruments thanks..Ira

Here we go:

Quote

Why would I want to invest in a virtual currency company?
To expand your BTC virtual currency fortune of course! Or something more noble, like funding a project for a greater good.

Is it legal for this exchange to operate?
Most countries require real securities exchanges to register and abide by a very strict set of rules. Obviously we do not have the funding to afford such registration or the overhead of administering such rules. In addition, no single country would allow such an exchange to operate globally. As such we have taken the following approach to the operation of the site:

No assets on the site are to be considered real.
The use of this site is for educational and entertainment purposes only.
If an asset issuer on this site defaults, you have ZERO RECOURSE. (not like you have any recourse in most international BTC situations anyway.)

Is it legal for me to use the site?
Most countries will have no problem with you using a securities simulation site, even one that uses digital virtual currencies. There are multiple examples of virtual goods exchanges in operation around the globe, most of which are better funded in the legal department than this one. It is largely on the backs of these giants that we believe we are in the clear. We also believe that everything digital has some value to someone, and trying to artifically limit what "virtual" or "digital" belongings people are allowed to trade or play games with is simply not going to be possible. Of course, please let us know if you believe your country may have an issue with it and we will post prominent warnings. We do ask that you keep the following in mind at all times:

No assets on the site are to be considered real.
The use of this site is for educational and entertainment purposes only.
If an asset issuer on this site defaults, you have ZERO RECOURSE. (not like you have any recourse in most international BTC situations anyway.)

Why should we trust this site after so many others have failed?

We are different in several key ways:

We do not pretend that we are a real registered exchange.
We do not pretend the assets on the site are real.
We are a real company, registered in Belize.
We are transparent. We do not lock you into using our site. Every asset issuer receives a daily email showing who is holding their assets. This allows them to move their virtual operation off the site to anywhere
else they might choose.

https://btct.co/faq

Topic: [BTC-TC] Virtual Community Exchange [CLOSED] - page 82. (Read 316534 times)