Topic: [Discussion] Forum tipping service (Read 514 times)

I think this is an excellent idea and I can definitely get behind it! I have been thinking for a while that this forum needs something of this sort. I would also love to see a Btalk Lotto fund that could be awarded to any active user on this website that contributes. Wow I hope this happens. Keep up the great work here Black Hat!

I do feel like the need to provide service to this community after all that I have earned and learned. However, I doubt if this particular will succeed. Besides the cost of operating this service, there are the legal costs which I've accounted for. And, due to the minimum overall recognition, it discourages me further to continue building it.

But, I'm patient. I want to give it a couple of months, and see if it's seemed as interesting.

That can theoretically work, but you need to submit your node's public key, and I'll send with keysend every x days. But, I don't like it, because it is less flexible.

1. Registration page generates you a random, unique passcode.
2. You are told to post this passcode on a topic which is for server registrations only.
3. Once you do, you submit the post link.
4. My server scrapes the page and verifies you are indeed the owner.
5. Then, a private code is generated, displayed on the front end, and you're added in the database.

Can you implement some sort of sort and settle once a day/week instead of a manual invoice?

And what's the plan for account authentication?

I'd also like to state I like seeing the BCT plugins idea finally being utilized here on bct.(about time)

Let's just say his precious m!xer income ($1200/month, while the minimum wage in Greece is €660/month) was lost permanently, so he has to find another source of income.

I'm curious to find out what Greek lawyers have to say about a centralized money transmitting service with no licence and no regulation...

Don't worry, he's very young and he'll learn many lessons the hard way.

To me it seems highly ironic that he has criticized heavily CEX in the past (Angelo loves flip-flopping), even though they're regulated services (at least Binance is, that's why they got a hefty 4 billion $ fine) and now he's back to promote a centralized service with zero regulation and most people here don't even know his real name, his address, his occupation etc. CZ is not anonymous, everyone knows who he is.

Oh well, maybe the Greek authorities will have to interrogate Mr. Angelo after all...

I spent over 1 hour going through the entire post and reply including the one from the first one you made. And I must say the forum tipping is quite a nice idea however it seems forum members are not in much support of it (for now).
I noticed from all your replies that you really wanted to make it possible and you still do . So my best suggestion is;

Take your time to create all the necessary programs and setups including the extension like you mentioned and store it somewhere safe . The forum may want it sometime in the future. Besides if you observe, theymos didn't accept the 2FA until some years later and power glove already had it ready and sitting somewhere so implementing it was quick and easy.
Just create , store and relax.

This solves the problem of an attacker stealing everyone's funds by compromising a machine I have no physical control over, but it does not mean the funds cannot move without the user's digital signature which is what I believe was your argument.

There is indeed risk with trusting a remote computer for not getting compromised. Nonetheless, the purpose of a VPS is to provide isolation and consistent uptime. Allocating a local computer for this process doesn't seem like a responsible course of action. Lots of lightning nodes operating on AWS and Google cloud servers, and with a lot more liquidity than this one, gives me the impression that I can trust it.

It's exciting to think that an individual might gain some tips for writing a nice post. It is the same way the merit system works, with the difference that tipping is not necessary to upgrade membership. I fear that an issue will develop and the tipping system become an evaluation tool for publications and members, especially since anyone can manipulate the system by depositing a large amount and sending tips to accounts that he wants to appear better than others. By studying the suspicions that some people have regarding the merit system, you will be able to identify many details that you may have missed during the design.

@BHC
In fact, I find it a brilliant idea and I am sure it will receive great support from the community here.
Certainly, there are many who do not prefer custodial services of all kinds in order to preserve their privacy, but your reputation on the forum is what lends legitimacy to the concept. I advise you not to be upset or pay too much attention to some destructive criticism.

I wish you good luck and success.
Cheers,

first of all..
CEX at the most basic level do a thing called hot/cold wallet. where they dont keep full stash on the public access server that do order/payment/withdrawal requests.
second of all they FAIL when they get hacked and lose their hotwallet stash because they should keep even the hot wallet stash separate from the public access server

again if you have 2 servers.. one is the public access that takes the user requests and a second one that remotely sniffs the public server to read such requests and perform them separate. you add an extra layer of security.

like i said, the cheap affordable low maintenance approach would be to use the forums PM inbox to take requests and then your home PC does the payments. where you keep your funds separate. and keep your home pc unidentifiable from the forum/extension, thus avoid hacker finding your home pc

if you however want to hotwallet any/all funds on the same server that takes the user requests(public access) then you are not even doing basic security of a CEX..  it shows you are not ready to manage funds
because you prefer not to care about security and are expecting to one day shout "i been hacked"

..
so like i said if users sigup to you a with public address (much like sigcampaign applicants use bitcoin addresses to sign up)
YOU no longer need to create, manage, store, give out private keys/codes.... because doing so is a security risk

and instead you can verify a user is making a genuine request by them sending you a signed message that proves the request is unique, independent and genuine. which stops hackers from just spamming everyones "code" to raid you dry.. and stops hackers getting everyones codes because there is no central store to get codes

much like you proved you didnt sell your account by signing your 'black' vanity address..
without anyone needing to manage your private key centrally

It is definitely not ideal, but in my experience, it is the only solution that survives. For example, look on stacker.news. It started as an alternative to Hacker News with tips, but it has transformed into a small forum overtime. The concept of tips, as it turns out, proved to be a successful idea.

I would prefer to implement this in the most transparent manner feasible, but achieving self-custody seems too unrealistic.

I've had troubles in real life. I took care of them. I warned about my departure, because I didn't want to be the guy that suddenly disappeared without informing anyone.

Sorry to intervene but does this mean that BHC should tell us why he decided to leave and then came back? I mean aren't we all allowed to take a break? Perhaps you don't like the fact that he made a "goodbye" post instead of simply disappearing for a while. I mean what is your concern? That he left for a reason we should know? Or that he is not the same person?

I did poorly at relaying this but these where my sentiments exactly.

@BlackHatCoiner I'm personally going to give you benefit of the doubt and tell myself , That's the original BHC based on the fact your putting time into LN in an altruistic manner. Custodial or not the risk I feel are low with you at the wheel.

With that being said I'm going to level with you.

 You introduced doubt before a product launch.

I know your a private individual but it would be a little naive of us to proceed without some explanation wouldn't it?
(In regards to your departure and return)

Edit -1337 that's neat.

@BlackHatCoiner, I support the idea, it would definitely be an improvement of the forum, but...
The technical part that you present is too centralized and therefore is not the best solution. Here's an example from a couple of months ago when you wanted to take a break from the forum, that shouldn't happen if you started this thing. And honestly, there are many reasons why any of us won't, can't or don't want to come to this forum at some point.

This is not any doubt in you or criticism against you, I'm just expressing the first thing I thought when I read your proposal.

If a hacker hacks the server, they can take the money. Whether we use digital signatures or private codes in plain text, the money are sitting on the server and can be claimed if the machine is compromised.

A hacker isn't supposed to steal everyone's codes. They are supposed to compromise the server, and if the server (or the home computer in your analogy) is compromised, digital signatures provide no extra security. The private code is only used to authenticate your account; it is the same as choosing a strong password. If you're concerned about impersonation (e.g., hacker steals your private code and pretends to be you), I can promise to only keep the hash of the codes (which can be verified on the front-end).

This is the same as telling me that a centralized exchange which asks for a public key is more secure than one that asks for a password. Both are central point of failures which can be compromised regardless.

https://bitcointalksearch.org/topic/m.63358011.

This is getting off-topic. If you believe I'm not the person who owned the account before 2024, you can ask me to sign a message (as I have already done in the linked post above).

he has always been promoting middlemen services that take in coins and manage them and release them on a different date. (mixers, subnetworks)
he has always idolised centralised development(core)
but before was just the promotion guy taking affiliate/advertising revenue.
but yea seems strange to see him now want to be a business owner going legit, having to be transparent about all money flows he touches(which is different to his supposed 'privacy' advertising)

chances are 50:50 the user writing posts in 2024 is not the same greek echo chamber of previous years. although other topics since return did smell of the same scripted rhetoric.. but that could have been just a planned act to make a few posts in the tone of the previous guy, just to hide the hand over of account

I'm a little confused, didn't you say like 2 weeks ago your done here?
Now your back with a custodial service?
Your a member I rub shoulders with a lot and your recent activity is very out of character.

if you are the creator, storer and provider of peoples identity(secret code). that becomes not only a minus of privacy, but if you are hacked the hacker can pretend to be everyone and raid your custody by spamming you with everyones code they accessed, if you have it all mingled together on your server
(bad security on so many levels)

however if your system operates remotely where a public access server just receives payment requests. (where payments are done separately to requests) EG lets say using this forums inbox of Private messages to receive payment requests. and your home PC separately performs the payments

and just from remote pc sniff your forum inbox for pm's you are one step further back from being hacked
if users provide you a public key to register them as their iD(you dont need access to their private key). and when making payments they request to you (via PM message or browser extension) a signed message by signing it with THEIR private key. then a hacker cant just spam your mailbox with everyones code, nor get everyones private key from your side

thus your subnetwork node is not on a public access server to be hacked. and the payment messages cant be hacked as a whole because they are separate and peoples secret is not available from any part you have access to

..
come on its 2024.. you must know bitcoin well enough by now that having users provide their own public keys for ID is far far far better then you as a custodian creating silly private pin numbers to users where you store the pin numbers incase they forget..(where you can be hacked to drain everyone)

wake up

you do not need to know people private keys/codes/pins to provide a secure system.. bitcoin pub/priv keypairs is the most basic thing of bitcoin you should utilise, where by they provide you the public. and signed massages so that you dont need to worry about the private

You don't have to be passive aggressive.

Would you trust Binance more if they made their platform open-source on Github?

Most likely not, because it's a custodial service. That's what I meant for Alby. If you trust them for your funds, use them.

The idea is brilliant.

It is widely used with Nostr UIs. For example this is Jack Mallers' profile. You can head over to the lightning icon and it will load a screen like this:



If you click on the "Zap X sats" icon it will guide you to a QR code and a lightning invoice.

Then, clicking on the "pay now" it will require you to open the wallet of your choice in order to pay. For example we could use something like alby, which requires a plugin to be installed on the browser.

So, to break it down for you, in order for this to function, we need:

1. A way to post invoices as a payee. This one is tricky if you don't run your own node, but theoretically you could create an invoice and post it somewhere. Once the invoice is paid, it gets cancelled and then they need to enter a new one. This should take place automatically. I suggest reading how nostr implements it, as defined in NIP-57.

2. A way to pay someone as a payer. This one is very easy in my opinion, because you can use whatever wallet you want.

It's less attractive. To make an account you need to provide a public key, which you must have generated beforehand. Besides, since I will have custody of your funds, why does it matter? Whether it is a private code, or a signed message, it happens for me to authenticate your account.

I'm not afraid it will lead to a "tip race" of the first page, as it already exists with merits. I'm afraid it will be abused in the following manner: alt accounts will tip each other and make it look as if they're millionaires. It doesn't harm anyone though, does it? Pretty much the opposite. It reveals who owns alt accounts.

No, because very few people run lightning nodes, and if you don't run a lightning node, you don't have custody in lightning.

I'll contact them when needed. Thanks.

---

If someone has thought of a way to send tips without forfeiting custody of their sat and without running a node, inform me. I will completely reconstruct the project from zero. Currently, the only viable solution appears to be one without custody. While I strongly advocate for self-custody, I don't perceive it as a significant concern, given that tips are intended to be of modest amounts.

Yeah but that is going to be a whole new extensions starting from scratch, that usually means lot of bugs and not many people willing to test it.

I mean this, open source MIT license:
https://github.com/getAlby/lightning-browser-extension

I don't think it's hard to explain (to most people) what that means 
Go ahead and make your own non-custodial alternative, can't wait to see it.