Author

Topic: [DEAD] DeepBit.net PPS+Prop,instant payouts, we pay for INVALID BLOCKS too - page 294. (Read 1601419 times)

full member
Activity: 126
Merit: 100
member
Activity: 82
Merit: 10
full member
Activity: 126
Merit: 100
Hey, [Tycho], recently slush made this post in his thread:

In connection to recent security issues of other bitcoin site I want to clarify, that pool application does not store account passwords in paintext, but as hashes with random salt to avoid possible dictionary attacks. Also pool sources are built on technologies which does not allow SQL injection in any form. Finally, the profile page is using techniques against Cross site request forqery attack. It makes impossible to modify (for example) wallet address from malicious javascript. I care about overall pool security a lot.


Could you confirm you have something of the sort? It would put my mind and several other's people's mine at ease
newbie
Activity: 42
Merit: 0
Tycho:
Can I get help with reseting, or recovering a lost account password?
newbie
Activity: 5
Merit: 0
thanks  for having long polling support
full member
Activity: 126
Merit: 100
I've already said it and I'll say it again, feature-wise and in general, this is by far the best pool. Sure the fees are the highest on the market, but they are offset by LP and failed block payouts, which IMO, as long as slush doesn't implement LP, deepbit is actually cheaper than slush. Having such a large hashrate, this is, for most, the most attractive pool to join.
member
Activity: 79
Merit: 10
Thank you for all the new features; making this pool better very fast. Keep it up Smiley.
hero member
Activity: 742
Merit: 500
Difficulty period of ~68978.89245792 just ended this night and new difficulty is ~82347.22294654 (~19% increase) Smiley

During this period we have found 263 blocks with average 68128.4106 shares per block, which is ~1.23% better than expected.
Our hashrate is about 90 GH/s and peak value yesterday was over 100 GH/s.

UPDATE:
  • You can try to enable history column in you advanced settings
    If history column is enabled, you can see your shares/total shares, average speed and balance change for each block
legendary
Activity: 1596
Merit: 1100
It's very simple:  using Digest auth by default will reduce potential for problems, over existing practice of using Basic auth.  Is SSL better?  Yes.  Do potential problems exist even with Digest?  Yes.  But neither of those factors implies that Digest is useless, given current client implementations and practices.

Remember:  don't let perfect be the enemy of good.
full member
Activity: 182
Merit: 107
Worker processing and JSON API doesn't allow attacker to steal user's money or account. There is no function to change user's bitcoin address with worker password or api token. Someone may even use random password for main account and never use it again to prevent it's interception Smiley)
Right, that's pretty much what I'm saying -- implementing digest auth for mining doesn't seem worthwhile, given that damage can only result if the user is dumb enough to use a shared password for a worker.  Attacks under the user's identity can be easily detected.

If it wasn't clear, I was only bringing up a possible attack against a normal bitcoind in response to this:

This standard was started by bitcoind, and is used outside of pools.
I was trying to illustrate that digest auth is pointless for mining accounts, and offers only the illusion of protection for a normal bitcoind.
hero member
Activity: 742
Merit: 500
User who cares about securuty would use separate password for workers.
Worker processing and JSON API doesn't allow attacker to steal user's money or account. There is no function to change user's bitcoin address with worker password or api token. Someone may even use random password for main account and never use it again to prevent it's interception :))
legendary
Activity: 1596
Merit: 1100
Using encryption is better than not using encryption.  Thanks for that news flash.
full member
Activity: 182
Merit: 107
...because not all users will or can use HTTPS, rendering most of those points moot.
Nobody could use TLS before TLS was invented, either.  It's a good thing people didn't give up on creating it.
full member
Activity: 182
Merit: 107
If we are talking about Bitcoin's own RPC mechanism, this should really use TLS anyway, rendering the HTTP auth mechanism irrelevant.  If you're sending requests over the Internet to other bitcoind instances to do things like transfer money, all of the data should be secured.
To elaborate on this a bit: suppose that Mallory does have the ability to intercept Alice's traffic.  Using basic auth, Mallory can extract Alice's username and password, then send his own requests to her bitcoind and do stuff.  He may also be able to authenticate using Alice's credentials to other services (email, etc.).

Using digest auth, Mallory cannot easily extract Alice's username and password, but if Mallory has the ability to intercept traffic he probably has the ability to alter it as well.  He can then execute a MITM attack, change Alice's request payload, and transfer money to himself, possibly even return a response back to Alice that looks like a reasonable response to her original request so that she is not immediately aware of the attack.  Mallory can't try to authenticate using Alice's unknown-to-him credentials elsewhere, but he now has a fair amount of control over her bitcoind.  This is a slightly better scenario, but only marginally.

Using TLS, Mallory would have to compromise Alice's bitcoind private key (or trick Alice into using a forged certificate) in order for any such attacks to be possible.
legendary
Activity: 1596
Merit: 1100
...because not all users will or can use HTTPS, rendering most of those points moot.
full member
Activity: 182
Merit: 107
This standard was started by bitcoind, and is used outside of pools.
If we are talking about Bitcoin's own RPC mechanism, this should really use TLS anyway, rendering the HTTP auth mechanism irrelevant.  If you're sending requests over the Internet to other bitcoind instances to do things like transfer money, all of the data should be secured.

Furthermore, if I intercept a worker password, I can make an attack look like it's coming from another user, possibly getting them kicked off the pool server.
Please read my original post again.  It's clear that you skipped some parts.

That does not excuse sending cleartext passwords with every request.  Users have been known to do strange things, like re-use passwords.

Decades of security practice has demonstrated that cleartext passwords should never ever be used.
I'm not disputing that, only indicating that there are perfectly reasonable workarounds that exist already, and that any security-conscious user would already be using them.  Besides, digest-mode authentication is really like using a band-aid on a severed limb.  If we're going to spend energy securing the protocol, how about we do it right?
hero member
Activity: 742
Merit: 500
Hi Tycho! I've been using rpcminer-cuda without problems, but now I've noticed this in my profile:
05.04.2011 18:08:56   0h 25m   31955    None
How can it be posible? I've been watching the window and it was working, and I've also been checking my gpu temps and my card was at >60º so it was working... what happened here? :o
Everything is fine on my side. PM me your login name so i can check your account stats.

What was shown on your account page and in workers table ?

If you are using PPS mode, then there is no "your reward per block", your account balance just increases every hour.
hero member
Activity: 499
Merit: 500
Hi Tycho! I've been using rpcminer-cuda without problems, but now I've noticed this in my profile:

05.04.2011 18:08:56   0h 25m   31955    None
05.04.2011 17:43:09   0h 49m   61789    None
05.04.2011 16:54:08   0h 59m   74549    None
05.04.2011 15:54:58   0h 19m   25210    None
05.04.2011 15:35:16   0h 42m   55033    None
05.04.2011 14:52:19   0h 23m   30346    None
05.04.2011 14:28:50   0h 02m   3113    None
05.04.2011 14:26:23   0h 30m   38431    None
05.04.2011 13:56:16   0h 07m   9308    None
05.04.2011 13:48:45   0h 34m   42825    None
05.04.2011 13:14:34   0h 42m   53102    None
05.04.2011 12:32:13   0h 30m   40124    None
05.04.2011 12:01:24   0h 26m   33833    None
05.04.2011 11:34:37   2h 18m   181196    None
05.04.2011 09:15:50   2h 35m   203520    None
05.04.2011 06:40:35   1h 36m   123378    None
05.04.2011 05:04:08   0h 00m   871    None
05.04.2011 05:03:23   0h 25m   31564    None
05.04.2011 04:37:58   0h 40m   50619    None
05.04.2011 03:57:42   1h 31m   114299    None
05.04.2011 02:26:00   0h 18m   22245    None
05.04.2011 02:07:55   2h 49m   209771    None
04.04.2011 23:18:31   0h 19m   24617    None
04.04.2011 22:58:37   0h 05m   6482    None
04.04.2011 22:53:05   0h 13m   15859    None
04.04.2011 22:39:33   0h 27m   33861    None
04.04.2011 22:11:54   4h 02m   238749    None
04.04.2011 19:14:14   1h 05m   64308    None
04.04.2011 18:09:00   0h 27m   35344    None
04.04.2011 17:41:39   2h 30m   194227    None

How can it be posible? I've been watching the window and it was working, and I've also been checking my gpu temps and my card was at >60º so it was working... what happened here? Shocked

Are you set for Pay-Per-Share?   PPS does not show you payout by block, only Proportional.

   
newbie
Activity: 20
Merit: 0
Hi Tycho! I've been using rpcminer-cuda without problems, but now I've noticed this in my profile:

05.04.2011 18:08:56   0h 25m   31955    None
05.04.2011 17:43:09   0h 49m   61789    None
05.04.2011 16:54:08   0h 59m   74549    None
05.04.2011 15:54:58   0h 19m   25210    None
05.04.2011 15:35:16   0h 42m   55033    None
05.04.2011 14:52:19   0h 23m   30346    None
05.04.2011 14:28:50   0h 02m   3113    None
05.04.2011 14:26:23   0h 30m   38431    None
05.04.2011 13:56:16   0h 07m   9308    None
05.04.2011 13:48:45   0h 34m   42825    None
05.04.2011 13:14:34   0h 42m   53102    None
05.04.2011 12:32:13   0h 30m   40124    None
05.04.2011 12:01:24   0h 26m   33833    None
05.04.2011 11:34:37   2h 18m   181196    None
05.04.2011 09:15:50   2h 35m   203520    None
05.04.2011 06:40:35   1h 36m   123378    None
05.04.2011 05:04:08   0h 00m   871    None
05.04.2011 05:03:23   0h 25m   31564    None
05.04.2011 04:37:58   0h 40m   50619    None
05.04.2011 03:57:42   1h 31m   114299    None
05.04.2011 02:26:00   0h 18m   22245    None
05.04.2011 02:07:55   2h 49m   209771    None
04.04.2011 23:18:31   0h 19m   24617    None
04.04.2011 22:58:37   0h 05m   6482    None
04.04.2011 22:53:05   0h 13m   15859    None
04.04.2011 22:39:33   0h 27m   33861    None
04.04.2011 22:11:54   4h 02m   238749    None
04.04.2011 19:14:14   1h 05m   64308    None
04.04.2011 18:09:00   0h 27m   35344    None
04.04.2011 17:41:39   2h 30m   194227    None

How can it be posible? I've been watching the window and it was working, and I've also been checking my gpu temps and my card was at >60º so it was working... what happened here? Shocked
legendary
Activity: 1596
Merit: 1100
Note that any risk of discovered passwords is mitigated by pools that have worker accounts (like slush's) and where users use random passwords, different from the main account password, for the worker accounts.

This standard was started by bitcoind, and is used outside of pools.  Furthermore, if I intercept a worker password, I can make an attack look like it's coming from another user, possibly getting them kicked off the pool server.

Such attack easily discovered by IP or if user usually use another miner.

That does not excuse sending cleartext passwords with every request.  Users have been known to do strange things, like re-use passwords.

Decades of security practice has demonstrated that cleartext passwords should never ever be used.

Jump to: