Topic: Building a trading bot for the "trust no-one" guys . - page 2. (Read 3222 times)

Hi!


I'm adding a very simple demo bot these days, just to show the usage of the bot. However the loadable rule-set are done with drools here. But I don't have a very simple trading language yet, so the rules still look rather complicated. I looked for a collab to develop a better trading language, but it seems, that noone is interested in such stuff...

Ciao,
Andreas

What if I give the source code to {alice,bob,mum,...}, they check it, run it, test it. Then they build it and they compute the md5 checksum and I will distribute their bin, together with the md5 check sum?

Not enough?

In this scenario is important how we select people, but I hope you got the idea ( already drafted in some other posts ago)

Ciao Andreas, I'm working in java too and I already implemented the Strategy.java and the Rule.java Thanks for sharing your ideas!

My idea: use an opensource trading framework, that allows you to load your strategy. It might limit your orders to user-entered accounts, so your strategy will only move funds from one user-account to another (so your bot cannot run with the money ).

However, I only release java-sources, so I don't know the javascript frameworks. If you want to look at some part of my sources: https://github.com/ReAzem/cryptocoin-tradelib
, but it still lacks the rule-engine stuff. Don't know if or how I should release it.

If you have a good concept, how to make money of it, let me know....

Ciao,
Andreas

Of course, not everyone reads the source code of everything they run -- even if it is open source.  But the source code being available allows the community as a whole to examine it (and someone will, most likely), and eventually malicious code will likely be exposed, the author's reputation destroyed, etc.  This is much more difficult when the source code is not available and the author is unknown.

I see.

The CS was only an example to say that here we don't have anything like a karma (HN or Reddit style). Whether those approach works, is an open topic. However here the 'number of post' doesn't tell me anything about trustworthiness. As I said before the target user of people I want to reach, cannot even understand how to test a source-code. And the one who have time/skills to search deep through my code looking for obfuscated malicious code could write their own bot. Or test mine using wireshark etc. Some people can make a malicious open-source application and it'd take months for a community to spot it i.e. http://www.ioccc.org/2000/anderson.c (unless it is a piece of software with much interests on it).

Yeah, the problem with the couchsurfing thing is that even if someone has some good references, I can't know that they're not just looking for the right opportunity to do something they shouldn't.  Same thing with knowing who you are -- it takes more than just reading your CV or something like that -- you have to have enough actual knowledge about someone and trust that they don't have ulterior motives.

The possibility for abuse with something like this is so high that it's unlikely you're going to convince people to trust code they can't see.

Interesting.

Does it imply that you'd trust using my application if you knew who I am?  
In this case, what do you need to know?
What if I attach to the bin files a folder with my ID, CV, Address, Certificate of residence? Is that enough?
Maybe we should hang out quite a bit before you can use my application. A beer?


I make you an example : I'm on couchsurfing. Couchsurfing is an online board, just like this one. Despite this, more than 2 million people are sleeping in eachother's houses for free. I constantly host people, mostly strangers. I trust them after I read their references. This forum kind of misses the feedback system of CS, and I'm searching for an alternative to it. I can't have a beer with everyone of you...
So, here I am, asking you what it takes to 'trust' me, in a software-developer kind of way.

Hi Zedster, nice to meet you!

Yes you can definetly have someone to test and certificate your application. I used to work in a online gambling company. Back then, we had to comply with several certifications (than can cost up to some hundred-thousands $/€).  I want to see what is that people actually trust... For instance, I am reading up on truste.com, but I want to hear from the community first. As you can see the paranoia-level is quite high, and with reasons

I'm on it. Would you be interested in trying it out?

The problem is this.  Nobody knows who you are.  Nobody knows who the developers of *most* open source software are -- but we can open the source code and review it, and eventually enough people have done that to give that software some level of trust from the community.

With commercial software, if Microsoft does something bad with their software, everybody knows who they are, and they have some level of trust based on who they are, and the consequences if they do something they shouldn't.

You're a guy posting on an internet board.  If you want trust from this kind of community, you have little option other than to open your source.

OK I am one of the "trust no-one" guys but I am also not a coder but would like a trading bot.  There must be some service that certifies software that can be trusted isn't there?  Like I say I have no idea.  I don't understand why people don't write botnet killing anti-virus viruses for example. So I am pretty clueless.  I guess only bad things can be coded.

One more question.  Would you consider writing a bot for something besides the Magic: The Gathering of Incompetents exchange?  BTC-e for LTC (read cheapo) traders?

Hi joshki. I agree with you as long as you define what it means to be 'trusted'.  

There are several (thousands) levels of 'trust' . I already admitted that this is not trivial and the trust in the application is bounded by this closed-source constraint. I want to see how far I can push trust within the boundaries of the problem space.

Thank you for the feedback, it made me realize I need to edit the first post.

You cannot do what you wish to do.

If the application is closed source, it will not be trusted.  That's the bottom line.

Publish your source or live with it.

You don't trust firewalls. Ok, it makes sense to a certain degree.
Lets try to add some layers to the security and see if you'd change the attitude:

• What if 10 indipendent members of the community gets paid to analise outgoing traffic using tools to sniff the packets going in and out from the network interface ?  (Wireshark et.al.)
• What if I make an open contest with 1000 BTC price for whose of you who find something which is not from/to data.mtgox.com?
  Would you trust the bot after some power-nerd spend many hours around it? (Do you think I could get around the network interface? Maybe with some pigeon I could deliver some coins at my door in paperwallet format )
• What if I distribute the source code to ,say, 10 third-party entities (someone really paranoid with their coins) who checks it,approve it, compile it on their machines while creating a MD5 signature and then I distribute those binaries?

Can't really think about anything else at the moment, but I hope you got the idea.

Would you 'trust' it then? I mean, I don't care about ALL the community. Its ok to be diffident (I keep my coins offline in the stomach of a giant whale ). I just want to see if there is something I can do to convince some "trust-no-one" dude out there.

C'mon  

nonetheless this is a fun mental experiment, isn't it?

Thanks for the feedback TradeFortress, I will consider getting TFO. However I'm not forcing you (nor anybody else) to use it. I totally understand your point of view. If you have something else to add on the topic help me out!

PS: since you care so much about security, why would you be logged in as root on a ubuntu machine?

Sincerely, Nicolò

that's a good idea and this is why I'm making the strategy exportable in json/xml files Up!

Firewalls won't help! You could do some clever thing such as modify the cache of a browser to make it pass your API keys to your site when next opened. Inject into another process. Etc etc. There's tons of possibilities.

Source code or GTFO. Seriously, I'm not trusting anything I don't build from source, especially when it involves thousands of dollars.

Why not selling a trading strategy for an existing tradebot?

Hi Mr. bezzeb, loving hearing from you

Totally agree on every single word. Ideal is open source, but let's try to engineer some smart-ass solution without distributing the code.

I knew mine was a non-trivial question (indeed you are the first answering it after more than 26h of uptime)  I'm looking forward to hear some smart ideas from some of you.  I want to open my source to some of you to validate it. I will let you compile it, sign it, PGP it, and whatever it takes to makes the other feel confident.

People that can write malicious code to go around firewalls can write their own bot. They are not my target-users. Why would they? But I have already 20 BTC owner (techie-people-who-cant-write-code-themselves) pushing me every single day to give them the bot I'm using, and I know personally only half of them.
I want to provide them (and other users) the best possible level of trust without giving away a code they can't even understand.

I would love to hear some smart-ass solution to make it as-safe-as-possible without distributing the code in the wild.  I guess it involves trusted third-parties, but can't figure out how.



PS: I'm not malicious enough to know how to go around a well-configured system firewall preventing me from transmitting any data outsite of localhost. Enlighten me (or not) if you want !

PPS: This will be a lot easier if freaking mtg and other allows third party applications. In that case I'm not storing your keys, I need to be validated by mtg authority, and all the problems would be solved. I asked mtgox about it: the answer? "No ETA". Lets try to figure something out in the meantime.

I think Malawi is confusing browser context with local application context.  Common misunderstanding amongst lay-public.

To those who don't know:
1. Java in a browser is hard (as is anything in a browser) because one must keep it contained in the browser to prevent it from gaining local execution rights on your machine.  This is the security headache Oracle (and much of the world) is now fighting to prevent the act of simply visiting a website from installing evil local software on your machine.

2. If you are running a program on your local computer written in Java (*or any language*) - it already can erase your hard drive if it wants to.  So like ANY program:  make sure you trust it before running it.  To do otherwise is unsanitary and you shouldn't be surprised if you catch e-diseases.

And this brings me to you Mr Advanced:  Without open source code, there's no way you can be trusted unless I knew you on a personal level somehow.  It would be completely trivial to write a line of code to transmit a users private API keys (or keyboard capture logs of banking passwords or, or or....) off to a server I owned.  And excluding data collection, it really would be one line of code if I didn't want to add a few lines to help make sure the the transmission worked or to have fail-over destinations or encryption and so-forth.  Heck, stolen data is very valuable - might be worth 10 lines to make sure the transmission was reliable.  Firewall?  Please, it won't stop transmissions.  (Though some malware set up firewalls to keep other bad guys out.  lol )

I'm not saying you are a bad guy - contrary!  The odds dictate that you're probably a very nice trustworthy person.  But lets be real.  If I run any code and the source isn't open - then it inherently cannot be fully trusted.  And not just for evil code - how about buggy and crashy and awful code?  And now I'm speaking to you Microsoft and Apple!!!