Bitcoin Forum>Economy>Marketplace>Lending
Pages:
Author

Topic: [CLOSED] CoinLenders - page 16. (Read 226433 times)

🏰 TradeFortress 🏰
vip
Activity: 1316
Merit: 1043
👻
Re: [CLOSED] CoinLenders
July 12, 2013, 05:18:39 AM
#679
Quote from: matt4054 on July 12, 2013, 05:03:27 AM
OK, so CoinChat doesn't salt passwords. It means that if an attacker gets access to the CoinChat user database, he will be able to lookup hashes in rainbow tables and find cleartext of obvious, dictionary and otherwise weak passwords. That certainly isn't "best practice compliant", but since CoinLenders is not affected, isn't it a bit off topic here?

I think we have all taken good note that TF and gweedo aren't best friends, but this is getting ridiculous IMHO
Especially with him wanting the database for CoinLenders. Like lol.

CoinLenders now hashes passwords with a user unique salt. The entropy for the randomly generated salt is from /dev/urandom, which is good for most cryptographic purposes but still not as good as /dev/random. CL didn't use /dev/random at the start because it is blocking and that's not practical for a site with thousands of users.

Soon, when you sign into CoinLenders your password will be resalted with random bits from /dev/random.
gweedo
legendary
Activity: 1498
Merit: 1000
Re: [CLOSED] CoinLenders
July 12, 2013, 03:34:56 AM
#678
Quote from: 🏰 TradeFortress 🏰 on July 12, 2013, 03:33:24 AM
You're the one who spread FUD about me, I'm just doing the same except I'm not making things up unlike you Smiley

ok I am waiting...
matt4054
legendary
Activity: 1946
Merit: 1035
Re: [CLOSED] CoinLenders
July 12, 2013, 05:03:27 AM
#678
OK, so CoinChat doesn't salt passwords. It means that if an attacker gets access to the CoinChat user database, he will be able to lookup hashes in rainbow tables and find cleartext of obvious, dictionary and otherwise weak passwords. That certainly isn't "best practice compliant", but since CoinLenders is not affected, isn't it a bit off topic here?

I think we have all taken good note that TF and gweedo aren't best friends, but this is getting ridiculous IMHO
🏰 TradeFortress 🏰
vip
Activity: 1316
Merit: 1043
👻
Re: [CLOSED] CoinLenders
July 12, 2013, 04:26:27 AM
#677
More lies from you. I do hash and salt my passwords (sha256 + salt, or bcrypt + user unique salt).

CoinLenders and CoinChat hashes passwords.

CoinLenders also salt passwords.

CoinLenders also hashes your password in your browser with Javascript.

I cannot access your password (unlike what gweedo is claiming) on CoinLenders. I can only access the hash which is useless if it has been salted with a strong hash.

Gweedo is spreading FUD that I don't do this. He is posting a misleading screenshot out of context. I DO hash passwords. I don't salt them for CoinChat, but they are hashed.

As I am tired of saying the same thing again and again, this is now my stock response.
gweedo
legendary
Activity: 1498
Merit: 1000
Re: [CLOSED] CoinLenders
July 12, 2013, 03:30:54 AM
#676
Quote from: 🏰 TradeFortress 🏰 on July 12, 2013, 03:28:09 AM
Quote
It was just odd to see that as I haven't (though I am limited on my PHP knowledge) ever seen it like that before, lol.

So is gweedo Tongue

@gweedo, do you want me to bring up the critique of your coding skills someone did in the newbie section and pointed out like 8 flaws?

Also, I found a vulnerability on your website in about 2 minutes. Just saying.

Wait how did this turn from you to me? This is your thread and your off topic but post whatever you want, this should be fun Smiley
🏰 TradeFortress 🏰
vip
Activity: 1316
Merit: 1043
👻
Re: [CLOSED] CoinLenders
July 12, 2013, 04:24:01 AM
#676
You're the one who has been attacking me and who started all this Smiley
🏰 TradeFortress 🏰
vip
Activity: 1316
Merit: 1043
👻
Re: [CLOSED] CoinLenders
July 12, 2013, 04:20:48 AM
#675
It's out of context because I do hash passwords. I said that in that thread. However, you don't include that portion, which makes people think I don't hash passwords (when I do).
🏰 TradeFortress 🏰
vip
Activity: 1316
Merit: 1043
👻
Re: [CLOSED] CoinLenders
July 12, 2013, 04:17:29 AM
#674
CoinLenders and CoinChat hashes passwords.

CoinLenders also salt passwords.

CoinLenders also hashes your password in your browser with Javascript.

I cannot access your password (unlike what gweedo is claiming) on CoinLenders. I can only access the hash which is useless if it has been salted with a strong hash.

Gweedo is spreading FUD that I don't do this. He is posting a misleading screenshot out of context. I DO hash passwords. I don't salt them for CoinChat, but they are hashed.

As I am tired of saying the same thing again and again, this is now my stock response.
gweedo
legendary
Activity: 1498
Merit: 1000
Re: [CLOSED] CoinLenders
July 12, 2013, 03:24:50 AM
#673
Quote from: 🏰 TradeFortress 🏰 on July 12, 2013, 03:20:21 AM
Quote from: gweedo on July 12, 2013, 03:15:54 AM

Well this starting to look like pirateat40. If your doing nothing wrong then you should certainly be able to keep your cool and prove me wrong, one function doesn't do that sorry.

What do you think a function showing I am hashing passwords prove with salting?

Anyway, he's just here because he wants to spread FUD about me - but there's tools to defend about that, because spreading FUD is untrustworthy. Smiley

Anyone can download a function change a few variables and say this it, I think we need more proof.

Just for your information, I meet with actual people in real life, and do bitcoin deals, and guess what, this site and the trust ratings have nothing to do with that. Investors don't care LMAO I am an accredited investor look it up. That is what matters to them not some stupid forum with people like you who think this is their life LMAO.
🏰 TradeFortress 🏰
vip
Activity: 1316
Merit: 1043
👻
Re: [CLOSED] CoinLenders
July 12, 2013, 04:14:22 AM
#673
That's for coinchat, not CoinLenders. I posted proof that CoinLenders does hash and salt.

In fact check the client JS, it's hashed right in your browser.

Just more FUD from gweedo as usual.
🏰 TradeFortress 🏰
vip
Activity: 1316
Merit: 1043
👻
Re: [CLOSED] CoinLenders
July 12, 2013, 04:10:33 AM
#672
That's for coinchat, not CoinLenders. I posted proof that CoinLenders does hash and salt.

In fact check the client JS, it's hashed right in your browser.

Just more FUD from gweedo as usual.
🏰 TradeFortress 🏰
vip
Activity: 1316
Merit: 1043
👻
Re: [CLOSED] CoinLenders
July 12, 2013, 04:02:22 AM
#671
VIP can't make red icons. Only moderators and admins are supposed to. Move to a new topic if you want to talk about that.

Just so people know, I've already shown I hash and salt your passwords for CoinLenders (it's actually hashed twice, once at your client and once on the server). gweedo is just spreading FUD.

Also, keep in mind that CoinLenders and Inputs.io are one of the very few Bitcoin sites that handles more than 10k BTC and hasn't been hacked. A lot others have been - some of them I found vulnerabilities in them myself (and reported of course).
🏰 TradeFortress 🏰
vip
Activity: 1316
Merit: 1043
👻
Re: [CLOSED] CoinLenders
July 12, 2013, 03:52:39 AM
#670
Yeah, I can see why you want to protect your reputation even through you code vulnerable sites. Tongue

While wanting the full source code and database of coinlenders as proof. Also, my challenge for you to do the red icon still stands (create a new thread, this is about coinlenders).
🏰 TradeFortress 🏰
vip
Activity: 1316
Merit: 1043
👻
Re: [CLOSED] CoinLenders
July 12, 2013, 03:37:34 AM
#669
Please provide me with a written & signed contract to pentest your site and I will post the vulnerabilities.

I don't think anyone will hire you as a programmer anymore after that through.

The icon for this message, which is reserved for moderators and administrators, is just a testament to my web dev & security skills (try doing the same and failing Smiley)
gweedo
legendary
Activity: 1498
Merit: 1000
Re: [CLOSED] CoinLenders
July 12, 2013, 03:15:54 AM
#668
Quote from: 🏰 TradeFortress 🏰 on July 12, 2013, 03:12:35 AM
Quote
LMAO one function is all you post, no no, you have to post the entire source, plus if you really want to prove it, post the entire database as well.

Yeah I ran out of more polite things I can say, you can fuck off.

Well this starting to look like pirateat40. If your doing nothing wrong then you should certainly be able to keep your cool and prove me wrong, one function doesn't do that sorry.
🏰 TradeFortress 🏰
vip
Activity: 1316
Merit: 1043
👻
Re: [CLOSED] CoinLenders
July 12, 2013, 03:33:24 AM
#668
You're the one who spread FUD about me, I'm just doing the same except I'm not making things up unlike you Smiley
🏰 TradeFortress 🏰
vip
Activity: 1316
Merit: 1043
👻
Re: [CLOSED] CoinLenders
July 12, 2013, 03:28:09 AM
#667
Quote
It was just odd to see that as I haven't (though I am limited on my PHP knowledge) ever seen it like that before, lol.

So is gweedo Tongue

@gweedo, do you want me to bring up the critique of your coding skills someone did in the newbie section and pointed out like 8 flaws?

Also, I found a vulnerability on your website in about 2 minutes. Just saying.
ranlo
legendary
Activity: 1974
Merit: 1007
Re: [CLOSED] CoinLenders
July 12, 2013, 03:25:19 AM
#666
Quote from: 🏰 TradeFortress 🏰 on July 12, 2013, 03:23:12 AM
== and != means they are equal
=== and !== means they are identical

For ==, if something isn't identical, PHP will try and make them equal by converting in types. For example, by converting the string '00000' into the number zero, and '000000000' into the number zero, which matches.

For your specific example (5+9 != 6+3), PHP will first work out the values of the left hand and right hand side (9) and then compare if 9 is equal in value to 9.

Ahh, thanks a lot! I'll quit filling up your thread now, :p. It was just odd to see that as I haven't (though I am limited on my PHP knowledge) ever seen it like that before, lol.
gweedo
legendary
Activity: 1498
Merit: 1000
Re: [CLOSED] CoinLenders
July 12, 2013, 03:11:58 AM
#665
Quote from: 🏰 TradeFortress 🏰 on July 12, 2013, 03:07:22 AM
You can't say you didn't do this to yourself. Enjoy your red text!


Snippet from CoinLenders source:
Code:
function userRegister($username, $email, $legalname, $password1, $password2){
global $mysqli;
global $passwordSalt;

$username = $mysqli->real_escape_string($username);
$email = $mysqli->real_escape_string($email);
$legalname = $mysqli->real_escape_string($legalname);

if($password1 !== $password2){
return "passmismatch";
}
if(strlen($password1) < 8){
return "passshort";
}
$password = hash("SHA256", $passwordSalt . $password);

[..]

As you can clearly see, passwords are hashed and salted.


LMAO one function is all you post, no no, you have to post the entire source, plus if you really want to prove it, post the entire database as well. And again you threaten me with trust system just shows your abusing it.
🏰 TradeFortress 🏰
vip
Activity: 1316
Merit: 1043
👻
Re: [CLOSED] CoinLenders
July 12, 2013, 03:23:12 AM
#665
== and != means they are equal
=== and !== means they are identical

For ==, if something isn't identical, PHP will try and make them equal by converting in types. For example, by converting the string '00000' into the number zero, and '000000000' into the number zero, which matches.

For your specific example (5+9 != 6+3), PHP will first work out the values of the left hand and right hand side (9) and then compare if 9 is equal in value to 9.

Also, @gweedo if you still think I suck at web development theymos can attain to the fact that I reported a vulnerability that gives me powers reserved by moderators earlier today Smiley
Pages:
Bitcoin Forum>Economy>Marketplace>Lending
Jump to: