Author

Topic: Building a trading bot for the "trust no-one" guys. (Read 3273 times)

sr. member
Activity: 267
Merit: 250
Woodwallets.io
Sorry to be obtuse... but with Buy/Sell orders on Gox, what value does a trading bot do for you???

How can you tell Gox to sell/buy 20 coins at market price, only if the price drops/rises under/above a threshold?
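The question above is what a minimal rule engine answers: watch the price feed and fire a one-shot market order when the price crosses a level. The following is an added example written for this page, not code from the thread or from the bot under discussion. The exchange adapter, the rule names and the price series are constructed; MtGox's real API is not modelled. The strategy is handed only a trade-only interface, so even a misbehaving rule set has no path to withdrawals or API keys, which is the kind of capability restriction a "trust no-one" user would want from the bot's design.

```go
package main

import "fmt"

// Side of a market order.
type Side string

const (
	Buy  Side = "BUY"
	Sell Side = "SELL"
)

// Order is what the strategy asks the exchange adapter to place.
type Order struct {
	Side  Side
	Qty   float64
	Price float64 // last price seen when the rule fired (informational: it is a market order)
}

// TradeOnly is the only capability a strategy receives: it can place orders but
// has no method to withdraw funds or read credentials. Hypothetical interface
// for this example; the real exchange API is not modelled.
type TradeOnly interface {
	MarketOrder(side Side, qty float64, lastPrice float64)
}

// Rule fires once when the price crosses Level in the given direction.
type Rule struct {
	Name  string
	Side  Side
	Qty   float64
	Level float64
	Above bool // true: fire when price >= Level; false: fire when price <= Level
	fired bool
}

func (r *Rule) triggered(price float64) bool {
	if r.Above {
		return price >= r.Level
	}
	return price <= r.Level
}

// Engine evaluates every rule on each price tick and sends orders through TradeOnly.
type Engine struct {
	rules []*Rule
	ex    TradeOnly
}

func NewEngine(ex TradeOnly, rules ...*Rule) *Engine { return &Engine{rules: rules, ex: ex} }

// Tick feeds one price to every rule and returns the names of the rules that fired.
// One-shot semantics stop a rule from re-firing on every tick after the crossing.
func (e *Engine) Tick(price float64) []string {
	var fired []string
	for _, r := range e.rules {
		if r.fired || !r.triggered(price) {
			continue
		}
		r.fired = true
		e.ex.MarketOrder(r.Side, r.Qty, price)
		fired = append(fired, r.Name)
	}
	return fired
}

// RecordingExchange stands in for the real adapter and only records orders.
type RecordingExchange struct{ Orders []Order }

func (x *RecordingExchange) MarketOrder(side Side, qty, last float64) {
	x.Orders = append(x.Orders, Order{Side: side, Qty: qty, Price: last})
}

// RunDemo replays a constructed price series (not market data) through two rules:
// sell 20 at market if the price falls to 100, buy 20 at market if it rises to 120.
func RunDemo() []Order {
	ex := &RecordingExchange{}
	eng := NewEngine(ex,
		&Rule{Name: "stop-loss", Side: Sell, Qty: 20, Level: 100, Above: false},
		&Rule{Name: "breakout-buy", Side: Buy, Qty: 20, Level: 120, Above: true},
	)
	for _, p := range []float64{110, 105, 101, 99.5, 98, 115, 121, 125} {
		eng.Tick(p)
	}
	return ex.Orders
}

func main() {
	for _, o := range RunDemo() {
		fmt.Printf("%s %.0f @ %.2f\n", o.Side, o.Qty, o.Price)
	}
}
```

With that series the stop-loss fires once at 99.5 and the breakout rule once at 121; the tick at 98 places no second sell because the rule is already spent.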
hero member
Activity: 826
Merit: 500
Firewalls won't help! You could do some clever thing such as modify the cache of a browser to make it pass your API keys to your site when next opened. Inject into another process. Etc etc. There's tons of possibilities.

Source code or GTFO. Seriously, I'm not trusting anything I don't build from source, especially when it involves thousands of dollars.
yeah
full member
Activity: 210
Merit: 100
Sorry to be obtuse... but with Buy/Sell orders on Gox, what value does a trading bot do for you???

The question isn't really about a trading bot. The author is trying to figure out how to get closed source software trusted enough to be used. 

A bot that does nothing but trade on mtgox could be trivially reverse engineered to find out whatever super secret algorithm is used.
gbx
full member
Activity: 226
Merit: 100
Sorry to be obtuse... but with Buy/Sell orders on Gox, what value does a trading bot do for you???
sr. member
Activity: 267
Merit: 250
Woodwallets.io
Is it important that your bot remain closed source? I don't have anything against closed source, but if you're willing to give access to your source code to those on the beta list, who could potentially release it themselves, why not just release the code to the public?
Hi nitrous Wink
Yes, it is necessary that the bot remain closed source. The business model will be embedded in the source code and I can't allow people to just comment out those lines.
People on the beta list will have to sign an NDA and will face consequences if distributing the source without authorisation.

Thank you again for your suggestions!

That's extraordinarily poor design

Hi joshki, I'd love to hear better designed solutions from you.

Why?  I have no desire to enable you, or teach you basic software design.
The constraint here is that the bot only communicates with mtgox. Please, enlighten us.
b!z
legendary
Activity: 1582
Merit: 1010
Firewalls won't help! You could do some clever thing such as modify the cache of a browser to make it pass your API keys to your site when next opened. Inject into another process. Etc etc. There's tons of possibilities.

Source code or GTFO. Seriously, I'm not trusting anything I don't build from source, especially when it involves thousands of dollars.

Thanks for the feedback TradeFortress, I will consider getting TFO. However I'm not forcing you (nor anybody else) to use it. I totally understand your point of view. If you have something else to add on the topic help me out!

PS: since you care so much about security, why would you be logged in as root on an Ubuntu machine? Wink

Sincerely, Nicolò

Because it makes him seem like some sort of l33tanonhax0r.

To OP, I do suggest you release the software as open source. Bitcoin is pretty new and any open source things you release are helpful.
full member
Activity: 210
Merit: 100
Is it important that your bot remain closed source? I don't have anything against closed source, but if you're willing to give access to your source code to those on the beta list, who could potentially release it themselves, why not just release the code to the public?
Hi nitrous Wink
Yes, it is necessary that the bot remain closed source. The business model will be embedded in the source code and I can't allow people to just comment out those lines.
People on the beta list will have to sign an NDA and will face consequences if distributing the source without authorisation.

Thank you again for your suggestions!

That's extraordinarily poor design

Hi joshki, I'd love to hear better designed solutions from you.

Why?  I have no desire to enable you, or teach you basic software design.
sr. member
Activity: 267
Merit: 250
Woodwallets.io
Is it important that your bot remain closed source? I don't have anything against closed source, but if you're willing to give access to your source code to those on the beta list, who could potentially release it themselves, why not just release the code to the public?
Hi nitrous Wink
Yes, it is necessary that the bot remain closed source. The business model will be embedded in the source code and I can't allow people to just comment out those lines.
People on the beta list will have to sign an NDA and will face consequences if distributing the source without authorisation.

Thank you again for your suggestions!

That's extraordinarily poor design

Hi joshki, I'd love to hear better designed solutions from you.
full member
Activity: 210
Merit: 100
Is it important that your bot remain closed source? I don't have anything against closed source, but if you're willing to give access to your source code to those on the beta list, who could potentially release it themselves, why not just release the code to the public?
Hi nitrous Wink
Yes, it is necessary that the bot remain closed source. The business model will be embedded in the source code and I can't allow people to just comment out those lines.
People on the beta list will have to sign an NDA and will face consequences if distributing the source without authorisation.

Thank you again for your suggestions!

That's extraordinarily poor design
sr. member
Activity: 267
Merit: 250
Woodwallets.io
Is it important that your bot remain closed source? I don't have anything against closed source, but if you're willing to give access to your source code to those on the beta list, who could potentially release it themselves, why not just release the code to the public?
Hi nitrous Wink
Yes, it is necessary that the bot remain closed source. The business model will be embedded in the source code and I can't allow people to just comment out those lines.
People on the beta list will have to sign an NDA and will face consequences if distributing the source without authorisation.

Thank you again for your suggestions!

The part in bold sounds very bad...

Why is that?
legendary
Activity: 1148
Merit: 1018
Is it important that your bot remain closed source? I don't have anything against closed source, but if you're willing to give access to your source code to those on the beta list, who could potentially release it themselves, why not just release the code to the public?
Hi nitrous Wink
Yes, it is necessary that the bot remain closed source. The business model will be embedded in the source code and I can't allow people to just comment out those lines.
People on the beta list will have to sign an NDA and will face consequences if distributing the source without authorisation.

Thank you again for your suggestions!

The part in bold sounds very bad...
sr. member
Activity: 267
Merit: 250
Woodwallets.io
Is it important that your bot remain closed source? I don't have anything against closed source, but if you're willing to give access to your source code to those on the beta list, who could potentially release it themselves, why not just release the code to the public?
Hi nitrous Wink
Yes, it is necessary that the bot remain closed source. The business model will be embedded in the source code and I can't allow people to just comment out those lines.
People on the beta list will have to sign an NDA and will face consequences if distributing the source without authorisation.

Thank you again for your suggestions!


sr. member
Activity: 246
Merit: 250
Hi Advanced,

Is it important that your bot remain closed source? I don't have anything against closed source, but if you're willing to give access to your source code to those on the beta list, who could potentially release it themselves, why not just release the code to the public? You can still distribute precompiled binaries for those who don't know enough to compile it themselves, and other people can verify the authenticity of the binary for you. Many open source projects do this, and unless you intend to keep the source closed, this could help you with the trust issue. Of course, there would still be some who might question whether the binary is compiled from different code, but they would be able to check and compile it themselves.
sr. member
Activity: 267
Merit: 250
Woodwallets.io
Quote
Sorry Advanced, but you aren't clear on what a firewall does, so I fear you have some things to learn before your project can take off.  And I don't know why you are against open source for software you don't seem to be planning to sell.  All the big boys in this movement invite others to read their code because they know the value is not in having the code, it's in being able to write good code to start with.  All of your stuff with 3rd parties cross signing is a waste of time.  Nobody will believe any of the "people" who cross sign your closed code - give it up.

Another way to put it:  If an idiot copies code he can eat a fish for a day.  The guy who writes good code will catch as many fish as he wants and will eat for a lifetime.  

Hello Professor,
I'm here to say that I don't take lessons on open source software. A simple bot with no algorithms whatsoever represents no contribution to the OSS community (it ain't no astrophysics http://arxiv.org/abs/1304.6780v1). I have been contributing to OSS projects for the last 12 years and still am; this is a different topic.

If you want to add something to this thread, try to help the others find workarounds to it. Otherwise,

so long and thanks for all the fish.
member
Activity: 103
Merit: 10
You cannot do what you wish to do.

If the application is closed source, it will not be trusted.  That's the bottom line.

Publish your source or live with it.

THIS

Thank you Rampion.

I agree with his statement  ^---- THAT ----^

Sorry Advanced, but you aren't clear on what a firewall does, so I fear you have some things to learn before your project can take off.  And I don't know why you are against open source for software you don't seem to be planning to sell.  All the big boys in this movement invite others to read their code because they know the value is not in having the code, it's in being able to write good code to start with.  All of your stuff with 3rd parties cross signing is a waste of time.  Nobody will believe any of the "people" who cross sign your closed code - give it up.

Another way to put it:  If an idiot copies code he can eat a fish for a day.  The guy who writes good code will catch as many fish as he wants and will eat for a lifetime. 
legendary
Activity: 1148
Merit: 1018
You cannot do what you wish to do.

If the application is closed source, it will not be trusted.  That's the bottom line.

Publish your source or live with it.

THIS
sr. member
Activity: 267
Merit: 250
Woodwallets.io

Would you consider writing a bot for something besides the Magic: The Gathering of Incompetents exchange?  BTC-e for LTC (read cheapo) traders?
I'm on it. Would you be interested in trying it out?


I probably would as I don't have any real wealth on BTC-e so if it was stolen the crying would be short lived.  Shoot me PM when you have something ready and are ready to hack my computer.  I am rather naive and dumb anyway.

OK, you are on the beta list! Just be patient ;) Thanks
sr. member
Activity: 267
Merit: 250
Woodwallets.io
Hi!

My idea: use an opensource trading framework, that allows you to load your strategy. It might limit your orders to user-entered accounts, so your strategy will only move funds from one user-account to another (so your bot cannot run with the money Smiley ).

However, I only release Java sources, so I don't know the JavaScript frameworks. If you want to look at some part of my sources: https://github.com/ReAzem/cryptocoin-tradelib
, but it still lacks the rule-engine stuff. Don't know if or how I should release it.

If you have a good concept, how to make money of it, let me know.... Wink

Ciao,
Andreas


Ciao Andreas, I'm working in Java too and I already implemented the Strategy.java and the Rule.java Wink Thanks for sharing your ideas!

I'm adding a very simple demo bot these days, just to show the usage of the bot. However the loadable rule-sets are done with Drools here. But I don't have a very simple trading language yet, so the rules still look rather complicated. I looked for a collab to develop a better trading language, but it seems that no one is interested in such stuff... Sad

Ciao,
Andreas


Hi Andreas!
I'm interested Wink That seems fun!  How can we proceed? Let's talk about it out of this thread so we don't go OT
full member
Activity: 182
Merit: 100

Would you consider writing a bot for something besides the Magic: The Gathering of Incompetents exchange?  BTC-e for LTC (read cheapo) traders?
I'm on it. Would you be interested in trying it out?


I probably would as I don't have any real wealth on BTC-e so if it was stolen the crying would be short lived.  Shoot me PM when you have something ready and are ready to hack my computer.  I am rather naive and dumb anyway.
full member
Activity: 224
Merit: 100
One bitcoin to rule them all!
It has to be JavaScript? We are working on a Java lib for trading...

Java is inherently insecure

Hi Malawi, what do you mean by "inherently insecure"? I think that security is barely a property of a language itself. Some languages are more fault-prone than others, however I think this is not the case for Java. Could you provide some reference?

You can write 'secure' code or 'insecure' code in pretty much whatever comes to mind Wink

So you wouldn't use a bot only because of the language it is written in?

Weaknesses/exploits are found all the time, that's why you get that "Justask" popup more or less every week.
IMHO - Java is fine for many tasks, but not for tasks that demand high security.

Here in Norway, the banks have publicly announced that you should avoid running java while doing your online banking.
Even found an english link about it - http://theforeigner.no/pages/news/java-issues-prompt-more-norway-warnings/
legendary
Activity: 965
Merit: 1000
Hi!

My idea: use an opensource trading framework, that allows you to load your strategy. It might limit your orders to user-entered accounts, so your strategy will only move funds from one user-account to another (so your bot cannot run with the money Smiley ).

However, I only release Java sources, so I don't know the JavaScript frameworks. If you want to look at some part of my sources: https://github.com/ReAzem/cryptocoin-tradelib
, but it still lacks the rule-engine stuff. Don't know if or how I should release it.

If you have a good concept, how to make money of it, let me know.... Wink

Ciao,
Andreas


Ciao Andreas, I'm working in Java too and I already implemented the Strategy.java and the Rule.java Wink Thanks for sharing your ideas!

I'm adding a very simple demo bot these days, just to show the usage of the bot. However the loadable rule-sets are done with Drools here. But I don't have a very simple trading language yet, so the rules still look rather complicated. I looked for a collab to develop a better trading language, but it seems that no one is interested in such stuff... Sad

Ciao,
Andreas
sr. member
Activity: 267
Merit: 250
Woodwallets.io
Of course, not everyone reads the source code of everything they run -- even if it is open source.  But the source code being available allows the community as a whole to examine it (and someone will, most likely), and eventually malicious code will likely be exposed, the author's reputation destroyed, etc.  This is much more difficult when the source code is not available and the author is unknown.


What if I give the source code to {alice,bob,mum,...}, they check it, run it, test it. Then they build it and compute the MD5 checksum, and I distribute their bin together with the MD5 checksum?

Not enough?

In this scenario it is important how we select people, but I hope you got the idea (already drafted in some other posts ago).
sr. member
Activity: 267
Merit: 250
Woodwallets.io
My idea: use an opensource trading framework, that allows you to load your strategy. It might limit your orders to user-entered accounts, so your strategy will only move funds from one user-account to another (so your bot cannot run with the money Smiley ).

However, I only release Java sources, so I don't know the JavaScript frameworks. If you want to look at some part of my sources: https://github.com/ReAzem/cryptocoin-tradelib
, but it still lacks the rule-engine stuff. Don't know if or how I should release it.

If you have a good concept, how to make money of it, let me know.... Wink

Ciao,
Andreas


Ciao Andreas, I'm working in Java too and I already implemented the Strategy.java and the Rule.java Wink Thanks for sharing your ideas!
legendary
Activity: 965
Merit: 1000
My idea: use an opensource trading framework, that allows you to load your strategy. It might limit your orders to user-entered accounts, so your strategy will only move funds from one user-account to another (so your bot cannot run with the money Smiley ).

However, I only release Java sources, so I don't know the JavaScript frameworks. If you want to look at some part of my sources: https://github.com/ReAzem/cryptocoin-tradelib
, but it still lacks the rule-engine stuff. Don't know if or how I should release it.

If you have a good concept, how to make money of it, let me know.... Wink

Ciao,
Andreas
full member
Activity: 210
Merit: 100
Of course, not everyone reads the source code of everything they run -- even if it is open source.  But the source code being available allows the community as a whole to examine it (and someone will, most likely), and eventually malicious code will likely be exposed, the author's reputation destroyed, etc.  This is much more difficult when the source code is not available and the author is unknown.
sr. member
Activity: 267
Merit: 250
Woodwallets.io
The problem is this.  Nobody knows who you are.  

Interesting.

Does it imply that you'd trust using my application if you knew who I am?  
In this case, what do you need to know?
What if I attach to the bin files a folder with my ID, CV, Address, Certificate of residence? Is that enough?
Maybe we should hang out quite a bit before you can use my application. A beer? Wink


Let me give you an example: I'm on Couchsurfing. Couchsurfing is an online board, just like this one. Despite this, more than 2 million people are sleeping in each other's houses for free. I constantly host people, mostly strangers. I trust them after I read their references. This forum kind of misses the feedback system of CS, and I'm searching for an alternative to it. Wink I can't have a beer with everyone of you... so, here I am, asking you what it'd take to 'trust' me.


Yeah, the problem with the couchsurfing thing is that even if someone has some good references, I can't know that they're not just looking for the right opportunity to do something they shouldn't.  Same thing with knowing who you are -- it takes more than just reading your CV or something like that -- you have to have enough actual knowledge about someone and trust that they don't have ulterior motives.

The possibility for abuse with something like this is so high that it's unlikely you're going to convince people to trust code they can't see.

I see.

The CS was only an example to say that here we don't have anything like a karma (HN or Reddit style). Whether those approaches work is an open topic. However, here the 'number of posts' doesn't tell me anything about trustworthiness. As I said before, the target users I want to reach cannot even understand how to test source code. And the ones who have the time/skills to search deep through my code looking for obfuscated malicious code could write their own bot. Or test mine using Wireshark etc. Some people can make a malicious open-source application and it'd take months for a community to spot it, i.e. http://www.ioccc.org/2000/anderson.c (unless it is a piece of software with much interest in it).
full member
Activity: 210
Merit: 100
The problem is this.  Nobody knows who you are. 

Interesting.

Does it imply that you'd trust using my application if you knew who I am? 
In this case, what do you need to know?
What if I attach to the bin files a folder with my ID, CV, Address, Certificate of residence? Is that enough?
Maybe we should hang out quite a bit before you can use my application. A beer? Wink


Let me give you an example: I'm on Couchsurfing. Couchsurfing is an online board, just like this one. Despite this, more than 2 million people are sleeping in each other's houses for free. I constantly host people, mostly strangers. I trust them after I read their references. This forum kind of misses the feedback system of CS, and I'm searching for an alternative to it. Wink I can't have a beer with everyone of you... so, here I am, asking you what it'd take to 'trust' me.


Yeah, the problem with the couchsurfing thing is that even if someone has some good references, I can't know that they're not just looking for the right opportunity to do something they shouldn't.  Same thing with knowing who you are -- it takes more than just reading your CV or something like that -- you have to have enough actual knowledge about someone and trust that they don't have ulterior motives.

The possibility for abuse with something like this is so high that it's unlikely you're going to convince people to trust code they can't see.
sr. member
Activity: 267
Merit: 250
Woodwallets.io
The problem is this.  Nobody knows who you are.  

Interesting.

Does it imply that you'd trust using my application if you knew who I am?  
In this case, what do you need to know?
What if I attach to the bin files a folder with my ID, CV, Address, Certificate of residence? Is that enough?
Maybe we should hang out quite a bit before you can use my application. A beer? Wink


Let me give you an example: I'm on Couchsurfing. Couchsurfing is an online board, just like this one. Despite this, more than 2 million people are sleeping in each other's houses for free. I constantly host people, mostly strangers. I trust them after I read their references. This forum kind of misses the feedback system of CS, and I'm searching for an alternative to it. Wink I can't have a beer with everyone of you...
So, here I am, asking you what it takes to 'trust' me, in a software-developer kind of way.





sr. member
Activity: 267
Merit: 250
Woodwallets.io
OK I am one of the "trust no-one" guys but I am also not a coder but would like a trading bot.  There must be some service that certifies software that can be trusted isn't there?  Like I say I have no idea.  I don't understand why people don't write botnet killing anti-virus viruses for example. So I am pretty clueless.  I guess only bad things can be coded.



Hi Zedster, nice to meet you!

Yes, you can definitely have someone test and certify your application. I used to work in an online gambling company. Back then, we had to comply with several certifications (that can cost up to some hundreds of thousands of $/€).  I want to see what it is that people actually trust... For instance, I am reading up on truste.com, but I want to hear from the community first. As you can see the paranoia level is quite high, and with reason

Would you consider writing a bot for something besides the Magic: The Gathering of Incompetents exchange?  BTC-e for LTC (read cheapo) traders?
I'm on it. Would you be interested in trying it out?
full member
Activity: 210
Merit: 100
If the application is closed source, it will not be trusted.  That's the bottom line.

Hi joshki. I agree with you as long as you define what it means to be 'trusted'. 

There are several (thousands of) levels of 'trust'. I already admitted that this is not trivial and the trust in the application is bounded by this closed-source constraint. I want to see how far I can push trust within the boundaries of the problem space.




The problem is this.  Nobody knows who you are.  Nobody knows who the developers of *most* open source software are -- but we can open the source code and review it, and eventually enough people have done that to give that software some level of trust from the community.

With commercial software, if Microsoft does something bad with their software, everybody knows who they are, and they have some level of trust based on who they are, and the consequences if they do something they shouldn't.

You're a guy posting on an internet board.  If you want trust from this kind of community, you have little option other than to open your source.
full member
Activity: 182
Merit: 100
OK I am one of the "trust no-one" guys but I am also not a coder but would like a trading bot.  There must be some service that certifies software that can be trusted isn't there?  Like I say I have no idea.  I don't understand why people don't write botnet killing anti-virus viruses for example. So I am pretty clueless.  I guess only bad things can be coded.

One more question.  Would you consider writing a bot for something besides the Magic: The Gathering of Incompetents exchange?  BTC-e for LTC (read cheapo) traders?
sr. member
Activity: 267
Merit: 250
Woodwallets.io
If the application is closed source, it will not be trusted.  That's the bottom line.

Hi joshki. I agree with you as long as you define what it means to be 'trusted'.  

There are several (thousands of) levels of 'trust'. I already admitted that this is not trivial and the trust in the application is bounded by this closed-source constraint. I want to see how far I can push trust within the boundaries of the problem space.

Thank you for the feedback, it made me realize I need to edit the first post.


full member
Activity: 210
Merit: 100
You cannot do what you wish to do.

If the application is closed source, it will not be trusted.  That's the bottom line.

Publish your source or live with it.
sr. member
Activity: 267
Merit: 250
Woodwallets.io
You don't trust firewalls. Ok, it makes sense to a certain degree.
Let's try to add some layers to the security and see if you'd change the attitude:

  • What if 10 independent members of the community get paid to analyse outgoing traffic using tools to sniff the packets going in and out of the network interface? (Wireshark et al.)
  • What if I make an open contest with a 1000 BTC prize for those of you who find something which is not from/to data.mtgox.com?
    Would you trust the bot after some power-nerd spends many hours around it? (Do you think I could get around the network interface? Maybe with some pigeon I could deliver some coins to my door in paper-wallet format Wink )
  • What if I distribute the source code to, say, 10 third-party entities (someone really paranoid with their coins) who check it, approve it, compile it on their machines while creating an MD5 signature, and then I distribute those binaries?

Can't really think about anything else at the moment, but I hope you got the idea.

Would you 'trust' it then? I mean, I don't care about ALL the community. It's OK to be diffident (I keep my coins offline in the stomach of a giant whale). I just want to see if there is something I can do to convince some "trust-no-one" dude out there.

C'mon Wink  

nonetheless this is a fun mental experiment, isn't it?

sr. member
Activity: 267
Merit: 250
Woodwallets.io
Firewalls won't help! You could do some clever thing such as modify the cache of a browser to make it pass your API keys to your site when next opened. Inject into another process. Etc etc. There's tons of possibilities.

Source code or GTFO. Seriously, I'm not trusting anything I don't build from source, especially when it involves thousands of dollars.

Thanks for the feedback TradeFortress, I will consider getting TFO. However I'm not forcing you (nor anybody else) to use it. I totally understand your point of view. If you have something else to add on the topic help me out!

PS: since you care so much about security, why would you be logged in as root on an Ubuntu machine? Wink

Sincerely, Nicolò
sr. member
Activity: 267
Merit: 250
Woodwallets.io
Why not sell a trading strategy for an existing tradebot?

That's a good idea and this is why I'm making the strategy exportable in JSON/XML files Wink Up!
vip
Activity: 1316
Merit: 1043
👻
Firewalls won't help! You could do some clever thing such as modify the cache of a browser to make it pass your API keys to your site when next opened. Inject into another process. Etc etc. There's tons of possibilities.

Source code or GTFO. Seriously, I'm not trusting anything I don't build from source, especially when it involves thousands of dollars.
legendary
Activity: 965
Merit: 1000
Why not sell a trading strategy for an existing tradebot?
sr. member
Activity: 267
Merit: 250
Woodwallets.io
And this brings me to you Mr Advanced:  Without open source code, there's no way you can be trusted unless I knew you on a personal level somehow.  It would be completely trivial to write a line of code to transmit a users private API keys (or keyboard capture logs of banking passwords or, or or....) off to a server I owned.  And excluding data collection, it really would be one line of code if I didn't want to add a few lines to help make sure the the transmission worked or to have fail-over destinations or encryption and so-forth.  Heck, stolen data is very valuable - might be worth 10 lines to make sure the transmission was reliable.  Firewall?  Please, it won't stop transmissions.  (Though some malware set up firewalls to keep other bad guys out.  lol )

I'm not saying you are a bad guy - contrary!  The odds dictate that you're probably a very nice trustworthy person.  But let's be real.  If I run any code and the source isn't open - then it inherently cannot be fully trusted.  And not just for evil code - how about buggy and crashy and awful code?  And now I'm speaking to you Microsoft and Apple!!!   Grin

Hi Mr. bezzeb, I love hearing from you Wink

Totally agree on every single word. Ideal is open source, but let's try to engineer some smart-ass solution without distributing the code.

I knew mine was a non-trivial question (indeed you are the first answering it after more than 26h of uptime) Wink  I'm looking forward to hearing some smart ideas from some of you.  I want to open my source to some of you to validate it. I will let you compile it, sign it, PGP it, and whatever it takes to make the others feel confident.

People that can write malicious code to go around firewalls can write their own bot. They are not my target users. Why would they? Wink But I already have 20 BTC owners (techie people who can't write code themselves) pushing me every single day to give them the bot I'm using, and I know personally only half of them.
I want to provide them (and other users) the best possible level of trust without giving away code they can't even understand.

I would love to hear some smart-ass solution to make it as safe as possible without distributing the code in the wild.  I guess it involves trusted third parties, but can't figure out how.

Wink

PS: I'm not malicious enough to know how to go around a well-configured system firewall preventing me from transmitting any data outside of localhost. Enlighten me (or not) if you want!

PPS: This will be a lot easier if freaking mtgox and others allow third-party applications. In that case I'm not storing your keys, I need to be validated by the mtgox authority, and all the problems would be solved. I asked mtgox about it: the answer? "No ETA". Let's try to figure something out in the meantime.
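The scheme proposed in the thread (reviewers build the source on their own machines and publish a checksum, and here "compile it, sign it, PGP it") can be made mechanically checkable. What follows is an added example for this page, not the bot's code and not anything posted in the thread. It swaps in SHA-256 and Ed25519 signatures from the Go standard library in place of MD5 and bare checksums, because a checksum shipped next to the binary by the same distributor proves nothing, and MD5 collisions have been practical for years. The builder names, release tag, quorum size and the stand-in "binary" are constructed for the example; the builders' public keys are assumed to have been obtained out of band, not from the download page.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Attestation is what each independent builder publishes after compiling the
// reviewed source themselves: the SHA-256 of the binary they obtained, signed
// with their own key. Builder names and the release tag are example assumptions.
type Attestation struct {
	Builder string
	Digest  [32]byte
	Sig     []byte
}

// attestationMessage binds the digest to a release tag, so an attestation for
// one release cannot be replayed for a later one.
func attestationMessage(release string, digest [32]byte) []byte {
	return append([]byte("bot-release:"+release+":"), digest[:]...)
}

// Sign runs on a builder's machine after a reproducible build.
func Sign(priv ed25519.PrivateKey, builder, release string, binary []byte) Attestation {
	d := sha256.Sum256(binary)
	return Attestation{Builder: builder, Digest: d, Sig: ed25519.Sign(priv, attestationMessage(release, d))}
}

// Verify runs on the user's machine. trusted maps a builder name to the public
// key the user obtained out of band. The binary is accepted only if at least
// quorum distinct trusted builders signed the digest of the bytes actually downloaded.
func Verify(trusted map[string]ed25519.PublicKey, release string, binary []byte, atts []Attestation, quorum int) error {
	want := sha256.Sum256(binary)
	seen := map[string]bool{}
	for _, a := range atts {
		pub, ok := trusted[a.Builder]
		if !ok || seen[a.Builder] {
			continue // unknown builder, or the same builder twice: no quorum credit
		}
		if !ed25519.Verify(pub, attestationMessage(release, a.Digest), a.Sig) {
			return fmt.Errorf("invalid signature from %s", a.Builder)
		}
		if a.Digest != want {
			// A trusted builder got different bytes: the build is not reproducible
			// or the distributed binary was swapped. Either way, refuse to run it.
			return fmt.Errorf("%s attests %s but the downloaded binary is %s",
				a.Builder, hex.EncodeToString(a.Digest[:]), hex.EncodeToString(want[:]))
		}
		seen[a.Builder] = true
	}
	if len(seen) < quorum {
		return fmt.Errorf("only %d of the %d required trusted builders attest this binary", len(seen), quorum)
	}
	return nil
}

// Demo runs the whole flow with freshly generated keys and a constructed
// stand-in for the binary; no real bot is built or downloaded here.
func Demo() (good, tampered, noQuorum error) {
	binary := []byte("constructed stand-in for the compiled bot")
	trusted := map[string]ed25519.PublicKey{}
	var atts []Attestation
	for _, name := range []string{"alice", "bob", "mum"} {
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			panic(err)
		}
		trusted[name] = pub
		atts = append(atts, Sign(priv, name, "v0.1", binary))
	}
	good = Verify(trusted, "v0.1", binary, atts, 2)

	// The distributor swaps the binary but ships the builders' original attestations.
	swapped := append(append([]byte{}, binary...), '!')
	tampered = Verify(trusted, "v0.1", swapped, atts, 2)

	// The distributor re-signs the swapped binary with a key nobody trusts.
	_, mallory, _ := ed25519.GenerateKey(rand.Reader)
	noQuorum = Verify(trusted, "v0.1", swapped, []Attestation{Sign(mallory, "mallory", "v0.1", swapped)}, 2)
	return good, tampered, noQuorum
}

func main() {
	good, tampered, noQuorum := Demo()
	fmt.Println("honest release:", good)
	fmt.Println("swapped binary:", tampered)
	fmt.Println("self-signed only:", noQuorum)
}
```

Two design choices matter here. With a 2-of-3 quorum a single compromised or coerced builder cannot forge a release on their own, and a trusted builder whose digest differs from the downloaded bytes is a hard failure rather than a vote that is simply ignored, because it means the build is not reproducible and every other attestation is worth less. None of this helps if the users fetch the builders' keys from the same place they fetch the binary; the keys have to be checked in person or through channels the distributor does not control.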

member
Activity: 103
Merit: 10
It has to be javascript? We are working on a java lib for trading...

Java is inherently unsecure

Hi Malawi, what do you mean by "inherently unsecure" ? I think that security is barely a property of a language itself. Some languages are more fault-prone than others, however I think this is not the case for java. Could you provide some reference ?

You can write 'secure' code or 'unsecure' code in pretty much whatever comes to mind Wink

So you wouldn't use a bot only because of the language it is written in?

I think Malawi is confusing browser context with local application context.  Common misunderstanding amongst the lay public.

To those who don't know:
1. Java in a browser is hard (as is anything in a browser) because one must keep it contained in the browser to prevent it from gaining local execution rights on your machine.  This is the security headache Oracle (and much of the world) is now fighting: preventing the act of simply visiting a website from installing evil local software on your machine.

2. If you are running a program on your local computer written in Java (*or any language*) - it already can erase your hard drive if it wants to.  So like ANY program:  make sure you trust it before running it.  To do otherwise is unsanitary and you shouldn't be surprised if you catch e-diseases.

And this brings me to you Mr Advanced:  Without open source code, there's no way you can be trusted unless I knew you on a personal level somehow.  It would be completely trivial to write a line of code to transmit a user's private API keys (or keyboard capture logs of banking passwords or, or or....) off to a server I owned.  And excluding data collection, it really would be one line of code if I didn't want to add a few lines to help make sure the transmission worked or to have fail-over destinations or encryption and so forth.  Heck, stolen data is very valuable - might be worth 10 lines to make sure the transmission was reliable.  Firewall?  Please, it won't stop transmissions.  (Though some malware set up firewalls to keep other bad guys out.  lol )

I'm not saying you are a bad guy - on the contrary!  The odds dictate that you're probably a very nice trustworthy person.  But let's be real.  If I run any code and the source isn't open - then it inherently cannot be fully trusted.  And not just for evil code - how about buggy and crashy and awful code?  And now I'm speaking to you Microsoft and Apple!!!   Grin
sr. member
Activity: 267
Merit: 250
Woodwallets.io
It has to be javascript? We are working on a java lib for trading...

Java is inherently unsecure

Hi Malawi, what do you mean by "inherently unsecure"? I think that security is barely a property of a language itself. Some languages are more fault-prone than others, however I think this is not the case for java. Could you provide some reference?

You can write 'secure' code or 'unsecure' code in pretty much whatever comes to mind Wink

So you wouldn't use a bot only because of the language it is written in?
sr. member
Activity: 267
Merit: 250
Woodwallets.io
It has to be javascript? We are working on a java lib for trading...

nope, indeed it is Java(FX)
full member
Activity: 224
Merit: 100
One bitcoin to rule them all!
It has to be javascript? We are working on a java lib for trading...

Java is inherently unsecure
legendary
Activity: 965
Merit: 1000
It has to be javascript? We are working on a java lib for trading...
sr. member
Activity: 267
Merit: 250
Woodwallets.io
Hi everybody,
Some time ago I released a node.js online bot for buying/selling BTC when price changes.

As I received good (and bad) feedback, I'm currently working to build a better bot for the "trust no-one" kind of traders.
I'm one of those guys Wink  I'd never give my api keys away to someone else.

This time I can't distribute the source code (this is not negotiable Sad).
Therefore the topic becomes non-trivial. I know it's not feasible to get full trust without seeing the code, but optimising the trust level within these boundaries is a mind-challenging problem.
I don't want you to trust me, I just want you to feel safe enough to use the application. Here is what I have now:

  • Anonymous: no registration needed whatsoever.
  • Offline: you need to download an application that runs locally. You will never give me your API keys, they will be stored locally on your machine.
  • It comes with a firewall: for the paranoid guys, I'm distributing the application with a third-party firewall (ipchains script, Little Snitch, etc.), pre-configured to block all outgoing connections of my application towards websites different from mtgox, btc-e, and others. Wink
  • Community tested: I'm currently recruiting beta-testers from the community. I give access to the source code. (Get in touch if you want to be one of them - PM me). I will let them perform network traffic tests to see that the traffic is only directed to mtgox.
  • Gox API v2: uses the new and better-designed version of the mtgox APIs to minimize risks related to resource saturation.
  • I'm considering getting some other sort of certification. http://www.truste.com/?

EDIT : Ideas from this discussion

  • Proof of my real identity: The application will come with a proof of my real identity.
  • Outgoing traffic tested by the community at network layer: When released the application will have to go through an open contest. I'll offer 1000 BTC to people able to spot any connection going somewhere other than data.mtgox.com. Use sniffers, or whatever you want.
  • Binaries distributed by someone else: I will recruit 10 members of the community from this thread to independently review the source code, compile it on their own machine, compute the md5 checksum and send the application to me. I will then distribute those binaries together with the md5 checksum.
  • You name it: < there is still space>

Since you will be among the early adopters (and many of you have already written your own trading bot), I'm here to ask you to help me make you feel safe.

What else would you like to have to feel safer?

Nicolò.
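One way to make the "binaries distributed by someone else" idea above checkable by a user, as an added example that is neither the thread's nor the bot's code: each independent builder compiles the source and publishes a checksum, and the download is accepted only when a quorum of builders agree and the file matches them. SHA-256 stands in for the thread's md5 because md5 collisions are practical; the builder names and the one-line-per-builder attestation format are assumptions.

```python
# Added example (not from the thread): accept a binary only when independent
# builders' checksums agree on it. Assumes builders publish "<name> <sha256>".
import hashlib
from collections import Counter


def sha256_of(data: bytes) -> str:
    """Hex SHA-256 of a binary's bytes (md5, as proposed in the thread, is collision-prone)."""
    return hashlib.sha256(data).hexdigest()


def parse_attestations(text: str) -> dict:
    """Parse '<builder> <hexdigest>' lines into {builder: digest}; '#' lines are comments."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        builder, digest = line.split()
        out[builder] = digest.lower()
    return out


def consensus(attestations: dict, quorum: int):
    """Return (digest agreed on by >= quorum builders, or None; sorted dissenting builders)."""
    digest, votes = Counter(attestations.values()).most_common(1)[0]
    if votes < quorum:
        return None, sorted(attestations)
    return digest, sorted(b for b, d in attestations.items() if d != digest)


def verify_binary(binary: bytes, attestations: dict, quorum: int) -> bool:
    """True only if a quorum agrees AND the downloaded bytes hash to that digest."""
    digest, _ = consensus(attestations, quorum)
    return digest is not None and sha256_of(binary) == digest


# Constructed sample data: a stand-in for the bot binary and ten builder reports,
# nine matching it and one ("builder07") reporting a different build.
SAMPLE_BINARY = b"constructed stand-in for the trading bot binary"
_good = sha256_of(SAMPLE_BINARY)
_bad = sha256_of(b"constructed stand-in for a tampered build")
_lines = ["# builder  sha256"]
for _i in range(1, 11):
    _lines.append(f"builder{_i:02d} {_bad if _i == 7 else _good}")
ATTESTATIONS = parse_attestations("\n".join(_lines))

if __name__ == "__main__":
    agreed, dissent = consensus(ATTESTATIONS, quorum=8)
    print("agreed digest:", agreed, "dissenters:", dissent)
    print("download verified:", verify_binary(SAMPLE_BINARY, ATTESTATIONS, 8))
```

The attestation lines have to reach the user from the builders' own channels, not bundled with the binary by the distributor, otherwise the check only confirms that the distributor agrees with himself.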