
Topic: Building a trading bot for the "trust no-one" guys . - page 2. (Read 3259 times)

legendary
Activity: 965
Merit: 1000
Hi!

My idea: use an opensource trading framework, that allows you to load your strategy. It might limit your orders to user-entered accounts, so your strategy will only move funds from one user-account to another (so your bot cannot run with the money Smiley ).

However, I only release java-sources, so I don't know the javascript frameworks. If you want to look at some part of my sources: https://github.com/ReAzem/cryptocoin-tradelib , but it still lacks the rule-engine stuff. Don't know if or how I should release it.

If you have a good concept, how to make money of it, let me know.... Wink

Ciao,
Andreas


Ciao Andreas, I'm working in java too and I already implemented the Strategy.java and the Rule.java Wink Thanks for sharing your ideas!

I'm adding a very simple demo bot these days, just to show the usage of the bot. However the loadable rule-sets are done with drools here. But I don't have a very simple trading language yet, so the rules still look rather complicated. I looked for a collab to develop a better trading language, but it seems that no one is interested in such stuff... Sad

Ciao,
Andreas
sr. member
Activity: 267
Merit: 250
Woodwallets.io
Of course, not everyone reads the source code of everything they run -- even if it is open source.  But the source code being available allows the community as a whole to examine it (and someone will, most likely), and eventually malicious code will likely be exposed, the author's reputation destroyed, etc.  This is much more difficult when the source code is not available and the author is unknown.


What if I give the source code to {alice,bob,mum,...}, they check it, run it, test it. Then they build it and they compute the md5 checksum and I will distribute their bin, together with the md5 check sum?

Not enough?

In this scenario it is important how we select people, but I hope you got the idea (already drafted in some other posts)
sr. member
Activity: 267
Merit: 250
Woodwallets.io
My idea: use an opensource trading framework, that allows you to load your strategy. It might limit your orders to user-entered accounts, so your strategy will only move funds from one user-account to another (so your bot cannot run with the money Smiley ).

However, I only release java-sources, so I don't know the javascript frameworks. If you want to look at some part of my sources: https://github.com/ReAzem/cryptocoin-tradelib , but it still lacks the rule-engine stuff. Don't know if or how I should release it.

If you have a good concept, how to make money of it, let me know.... Wink

Ciao,
Andreas


Ciao Andreas, I'm working in java too and I already implemented the Strategy.java and the Rule.java Wink Thanks for sharing your ideas!
legendary
Activity: 965
Merit: 1000
My idea: use an opensource trading framework, that allows you to load your strategy. It might limit your orders to user-entered accounts, so your strategy will only move funds from one user-account to another (so your bot cannot run with the money Smiley ).

However, I only release java-sources, so I don't know the javascript frameworks. If you want to look at some part of my sources: https://github.com/ReAzem/cryptocoin-tradelib , but it still lacks the rule-engine stuff. Don't know if or how I should release it.

If you have a good concept, how to make money of it, let me know.... Wink

Ciao,
Andreas
full member
Activity: 210
Merit: 100
Of course, not everyone reads the source code of everything they run -- even if it is open source.  But the source code being available allows the community as a whole to examine it (and someone will, most likely), and eventually malicious code will likely be exposed, the author's reputation destroyed, etc.  This is much more difficult when the source code is not available and the author is unknown.
sr. member
Activity: 267
Merit: 250
Woodwallets.io
The problem is this.  Nobody knows who you are.  

Interesting.

Does it imply that you'd trust using my application if you knew who I am?  
In this case, what do you need to know?
What if I attach to the bin files a folder with my ID, CV, Address, Certificate of residence? Is that enough?
Maybe we should hang out quite a bit before you can use my application. A beer? Wink


I make you an example: I'm on couchsurfing. Couchsurfing is an online board, just like this one. Despite this, more than 2 million people are sleeping in each other's houses for free. I constantly host people, mostly strangers. I trust them after I read their references. This forum kind of misses the feedback system of CS, and I'm searching for an alternative to it. Wink I can't have a beer with every one of you... so, here I am, asking you what it'd take to 'trust' me.


Yeah, the problem with the couchsurfing thing is that even if someone has some good references, I can't know that they're not just looking for the right opportunity to do something they shouldn't.  Same thing with knowing who you are -- it takes more than just reading your CV or something like that -- you have to have enough actual knowledge about someone and trust that they don't have ulterior motives.

The possibility for abuse with something like this is so high that it's unlikely you're going to convince people to trust code they can't see.

I see.

The CS was only an example to say that here we don't have anything like a karma (HN or Reddit style). Whether those approaches work is an open topic. However here the 'number of posts' doesn't tell me anything about trustworthiness. As I said before, the target users I want to reach cannot even understand how to test source code. And the ones who have the time/skills to search deep through my code looking for obfuscated malicious code could write their own bot. Or test mine using wireshark etc. Some people can make a malicious open-source application and it'd take months for a community to spot it i.e. http://www.ioccc.org/2000/anderson.c (unless it is a piece of software with much interest in it).
full member
Activity: 210
Merit: 100
The problem is this.  Nobody knows who you are. 

Interesting.

Does it imply that you'd trust using my application if you knew who I am? 
In this case, what do you need to know?
What if I attach to the bin files a folder with my ID, CV, Address, Certificate of residence? Is that enough?
Maybe we should hang out quite a bit before you can use my application. A beer? Wink


I make you an example: I'm on couchsurfing. Couchsurfing is an online board, just like this one. Despite this, more than 2 million people are sleeping in each other's houses for free. I constantly host people, mostly strangers. I trust them after I read their references. This forum kind of misses the feedback system of CS, and I'm searching for an alternative to it. Wink I can't have a beer with every one of you... so, here I am, asking you what it'd take to 'trust' me.


Yeah, the problem with the couchsurfing thing is that even if someone has some good references, I can't know that they're not just looking for the right opportunity to do something they shouldn't.  Same thing with knowing who you are -- it takes more than just reading your CV or something like that -- you have to have enough actual knowledge about someone and trust that they don't have ulterior motives.

The possibility for abuse with something like this is so high that it's unlikely you're going to convince people to trust code they can't see.
sr. member
Activity: 267
Merit: 250
Woodwallets.io
The problem is this.  Nobody knows who you are.  

Interesting.

Does it imply that you'd trust using my application if you knew who I am?  
In this case, what do you need to know?
What if I attach to the bin files a folder with my ID, CV, Address, Certificate of residence? Is that enough?
Maybe we should hang out quite a bit before you can use my application. A beer? Wink


I make you an example: I'm on couchsurfing. Couchsurfing is an online board, just like this one. Despite this, more than 2 million people are sleeping in each other's houses for free. I constantly host people, mostly strangers. I trust them after I read their references. This forum kind of misses the feedback system of CS, and I'm searching for an alternative to it. Wink I can't have a beer with every one of you...
So, here I am, asking you what it takes to 'trust' me, in a software-developer kind of way.





sr. member
Activity: 267
Merit: 250
Woodwallets.io
OK I am one of the "trust no-one" guys but I am also not a coder but would like a trading bot.  There must be some service that certifies software that can be trusted isn't there?  Like I say I have no idea.  I don't understand why people don't write botnet killing anti-virus viruses for example. So I am pretty clueless.  I guess only bad things can be coded.



Hi Zedster, nice to meet you!

Yes, you can definitely have someone test and certify your application. I used to work in an online gambling company. Back then, we had to comply with several certifications (that can cost up to some hundred-thousands $/€).  I want to see what it is that people actually trust... For instance, I am reading up on truste.com, but I want to hear from the community first. As you can see the paranoia-level is quite high, and with reasons

Would you consider writing a bot for something besides the Magic: The Gathering of Incompetents exchange?  BTC-e for LTC (read cheapo) traders?
I'm on it. Would you be interested in trying it out?
full member
Activity: 210
Merit: 100
If the application is closed source, it will not be trusted.  That's the bottom line.

Hi joshki. I agree with you as long as you define what it means to be 'trusted'. 

There are several (thousands) levels of 'trust' . I already admitted that this is not trivial and the trust in the application is bounded by this closed-source constraint. I want to see how far I can push trust within the boundaries of the problem space.




The problem is this.  Nobody knows who you are.  Nobody knows who the developers of *most* open source software are -- but we can open the source code and review it, and eventually enough people have done that to give that software some level of trust from the community.

With commercial software, if Microsoft does something bad with their software, everybody knows who they are, and they have some level of trust based on who they are, and the consequences if they do something they shouldn't.

You're a guy posting on an internet board.  If you want trust from this kind of community, you have little option other than to open your source.
full member
Activity: 182
Merit: 100
OK I am one of the "trust no-one" guys but I am also not a coder but would like a trading bot.  There must be some service that certifies software that can be trusted isn't there?  Like I say I have no idea.  I don't understand why people don't write botnet killing anti-virus viruses for example. So I am pretty clueless.  I guess only bad things can be coded.

One more question.  Would you consider writing a bot for something besides the Magic: The Gathering of Incompetents exchange?  BTC-e for LTC (read cheapo) traders?
sr. member
Activity: 267
Merit: 250
Woodwallets.io
If the application is closed source, it will not be trusted.  That's the bottom line.

Hi joshki. I agree with you as long as you define what it means to be 'trusted'.  

There are several (thousands) levels of 'trust' . I already admitted that this is not trivial and the trust in the application is bounded by this closed-source constraint. I want to see how far I can push trust within the boundaries of the problem space.

Thank you for the feedback, it made me realize I need to edit the first post.


full member
Activity: 210
Merit: 100
You cannot do what you wish to do.

If the application is closed source, it will not be trusted.  That's the bottom line.

Publish your source or live with it.
sr. member
Activity: 267
Merit: 250
Woodwallets.io
You don't trust firewalls. Ok, it makes sense to a certain degree.
Let's try to add some layers to the security and see if you'd change the attitude:

  • What if 10 independent members of the community get paid to analyse outgoing traffic using tools to sniff the packets going in and out from the network interface? (Wireshark et al.)
  • What if I make an open contest with a 1000 BTC prize for those of you who find something which is not from/to data.mtgox.com?
    Would you trust the bot after some power-nerd spends many hours around it? (Do you think I could get around the network interface? Maybe with some pigeon I could deliver some coins at my door in paperwallet format Wink )
  • What if I distribute the source code to, say, 10 third-party entities (someone really paranoid with their coins) who check it, approve it, compile it on their machines while creating an MD5 signature and then I distribute those binaries?

Can't really think about anything else at the moment, but I hope you got the idea.

Would you 'trust' it then? I mean, I don't care about ALL the community. It's ok to be diffident (I keep my coins offline in the stomach of a giant whale ). I just want to see if there is something I can do to convince some "trust-no-one" dude out there.

C'mon Wink  

nonetheless this is a fun mental experiment, isn't it?
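
An added example, not code from any poster in this thread: the "independent builders publish a checksum" idea from the post above (and the {alice,bob,mum} variant earlier on the page), written as a quorum check a user could run on the binary they downloaded. It substitutes SHA-256 for the MD5 mentioned in the posts, because MD5 collisions are practical, and it assumes the build is reproducible (every honest builder gets a bit-for-bit identical binary); `digest`, `check_release`, `quorum` and the sample bytes are hypothetical names and constructed data.

```python
import hashlib
import hmac

# MD5 and SHA-1 have practical collision attacks, so a matching digest under
# either one does not prove two binaries are the same.
WEAK_ALGOS = {"md5", "sha1"}


def digest(data: bytes, algo: str = "sha256") -> str:
    if algo.lower() in WEAK_ALGOS:
        raise ValueError(f"{algo} is not collision resistant; use sha256")
    return hashlib.new(algo, data).hexdigest()


def check_release(binary: bytes, attestations: dict, quorum: int,
                  algo: str = "sha256") -> dict:
    """Compare the binary you downloaded with digests published by builders.

    attestations maps a builder's name to the hex digest that builder
    published for the binary they compiled from the reviewed source.
    Assumption: each digest was fetched from the builder directly (their
    own signed post or key), not copied from the distributor's page.
    """
    actual = digest(binary, algo)
    agree, disagree = [], []
    for builder, claimed in sorted(attestations.items()):
        same = hmac.compare_digest(claimed.strip().lower(), actual)
        (agree if same else disagree).append(builder)
    return {
        "digest": actual,
        "agree": agree,
        "disagree": disagree,
        # A single mismatch is worth investigating even when quorum is met:
        # either the build is not reproducible or someone built other source.
        "accepted": len(agree) >= quorum,
    }


def demo() -> dict:
    # Constructed sample data: stand-ins for a release and a tampered copy.
    release = b"constructed sample: bot-1.0 release bytes"
    tampered = release + b" + extra code"
    attestations = {
        "alice": digest(release),
        "bob": digest(release),
        "mum": digest(tampered),  # this builder ended up with other bytes
    }
    return check_release(release, attestations, quorum=2)


if __name__ == "__main__":
    result = demo()
    print(result["accepted"], result["agree"], result["disagree"])
```

The check only ties the downloaded binary to what the builders compiled; it says nothing about whether the source they reviewed was benign.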

sr. member
Activity: 267
Merit: 250
Woodwallets.io
Firewalls won't help! You could do some clever thing such as modify the cache of a browser to make it pass your API keys to your site when next opened. Inject into another process. Etc etc. There's tons of possibilities.

Source code or GTFO. Seriously, I'm not trusting anything I don't build from source, especially when it involves thousands of dollars.

Thanks for the feedback TradeFortress, I will consider getting TFO. However I'm not forcing you (nor anybody else) to use it. I totally understand your point of view. If you have something else to add on the topic help me out!

PS: since you care so much about security, why would you be logged in as root on an Ubuntu machine? Wink

Sincerely, Nicolò
sr. member
Activity: 267
Merit: 250
Woodwallets.io
Why not sell a trading strategy for an existing tradebot?

That's a good idea and this is why I'm making the strategy exportable in json/xml files Wink Up!
vip
Activity: 1316
Merit: 1043
👻
Firewalls won't help! You could do some clever thing such as modify the cache of a browser to make it pass your API keys to your site when next opened. Inject into another process. Etc etc. There's tons of possibilities.

Source code or GTFO. Seriously, I'm not trusting anything I don't build from source, especially when it involves thousands of dollars.
legendary
Activity: 965
Merit: 1000
Why not sell a trading strategy for an existing tradebot?
sr. member
Activity: 267
Merit: 250
Woodwallets.io
And this brings me to you Mr Advanced:  Without open source code, there's no way you can be trusted unless I knew you on a personal level somehow.  It would be completely trivial to write a line of code to transmit a user's private API keys (or keyboard capture logs of banking passwords or, or or....) off to a server I owned.  And excluding data collection, it really would be one line of code if I didn't want to add a few lines to help make sure the transmission worked or to have fail-over destinations or encryption and so-forth.  Heck, stolen data is very valuable - might be worth 10 lines to make sure the transmission was reliable.  Firewall?  Please, it won't stop transmissions.  (Though some malware set up firewalls to keep other bad guys out.  lol )

I'm not saying you are a bad guy - contrary!  The odds dictate that you're probably a very nice trustworthy person.  But let's be real.  If I run any code and the source isn't open - then it inherently cannot be fully trusted.  And not just for evil code - how about buggy and crashy and awful code?  And now I'm speaking to you Microsoft and Apple!!!   Grin

Hi Mr. bezzeb, loving hearing from you Wink

Totally agree on every single word. Ideal is open source, but let's try to engineer some smart-ass solution without distributing the code.

I knew mine was a non-trivial question (indeed you are the first answering it after more than 26h of uptime) Wink  I'm looking forward to hearing some smart ideas from some of you.  I want to open my source to some of you to validate it. I will let you compile it, sign it, PGP it, and whatever it takes to make the others feel confident.

People that can write malicious code to go around firewalls can write their own bot. They are not my target-users. Why would they? Wink But I already have 20 BTC owners (techie-people-who-cant-write-code-themselves) pushing me every single day to give them the bot I'm using, and I know personally only half of them.
I want to provide them (and other users) the best possible level of trust without giving away a code they can't even understand.

I would love to hear some smart-ass solution to make it as-safe-as-possible without distributing the code in the wild.  I guess it involves trusted third-parties, but can't figure out how.

Wink

PS: I'm not malicious enough to know how to go around a well-configured system firewall preventing me from transmitting any data outside of localhost. Enlighten me (or not) if you want!

PPS: This will be a lot easier if freaking mtg and others allow third party applications. In that case I'm not storing your keys, I need to be validated by mtg authority, and all the problems would be solved. I asked mtgox about it: the answer? "No ETA". Let's try to figure something out in the meantime.

member
Activity: 103
Merit: 10
It has to be javascript? We are working on a java lib for trading...

Java is inherently unsecure

Hi Malawi, what do you mean by "inherently unsecure"? I think that security is barely a property of a language itself. Some languages are more fault-prone than others, however I think this is not the case for java. Could you provide some reference?

You can write 'secure' code or 'unsecure' code in pretty much whatever comes to mind Wink

So you wouldn't use a bot only because of the language it is written in?

I think Malawi is confusing browser context with local application context.  Common misunderstanding amongst lay-public.

To those who don't know:
1. Java in a browser is hard (as is anything in a browser) because one must keep it contained in the browser to prevent it from gaining local execution rights on your machine.  This is the security headache Oracle (and much of the world) is now fighting to prevent the act of simply visiting a website from installing evil local software on your machine.

2. If you are running a program on your local computer written in Java (*or any language*) - it already can erase your hard drive if it wants to.  So like ANY program:  make sure you trust it before running it.  To do otherwise is unsanitary and you shouldn't be surprised if you catch e-diseases.

And this brings me to you Mr Advanced:  Without open source code, there's no way you can be trusted unless I knew you on a personal level somehow.  It would be completely trivial to write a line of code to transmit a user's private API keys (or keyboard capture logs of banking passwords or, or or....) off to a server I owned.  And excluding data collection, it really would be one line of code if I didn't want to add a few lines to help make sure the transmission worked or to have fail-over destinations or encryption and so-forth.  Heck, stolen data is very valuable - might be worth 10 lines to make sure the transmission was reliable.  Firewall?  Please, it won't stop transmissions.  (Though some malware set up firewalls to keep other bad guys out.  lol )

I'm not saying you are a bad guy - contrary!  The odds dictate that you're probably a very nice trustworthy person.  But let's be real.  If I run any code and the source isn't open - then it inherently cannot be fully trusted.  And not just for evil code - how about buggy and crashy and awful code?  And now I'm speaking to you Microsoft and Apple!!!   Grin