Topic: [Discussion] Forum tipping service (Read 587 times)

hero member
Activity: 1386
Merit: 599
January 07, 2024, 06:48:49 PM
#36
I think this is an excellent idea and I can definitely get behind it! I have been thinking for a while that this forum needs something of this sort. I would also love to see a Btalk Lotto fund that could be awarded to any active user on this website that contributes. Wow I hope this happens. Keep up the great work here Black Hat!
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
January 05, 2024, 06:08:48 AM
#35
I noticed from all your replies that you really wanted to make it possible and you still do
I do feel the need to provide service to this community after all that I have earned and learned. However, I doubt if this particular will succeed. Besides the cost of operating this service, there are the legal costs which I've accounted for. And, due to the minimum overall recognition, it discourages me further to continue building it.

But, I'm patient. I want to give it a couple of months, and see if it's seen as interesting.

Can you implement some sort of sort and settle once a day/week instead of a manual invoice?
That can theoretically work, but you need to submit your node's public key, and I'll send with keysend every x days. But, I don't like it, because it is less flexible.

And what's the plan for account authentication?
1. Registration page generates you a random, unique passcode.
2. You are told to post this passcode on a topic which is for server registrations only.
3. Once you do, you submit the post link.
4. My server scrapes the page and verifies you are indeed the owner.
5. Then, a private code is generated, displayed on the front end, and you're added in the database.
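
The five registration steps listed in the post above, sketched as an added example; it is not part of the original post and not the service's code. The post markup, the `Registry` class and every name in it are assumptions. It requires the passcode to appear in a post authored by the claimed account, and stores only a hash of the issued private code, as offered elsewhere in the thread.

```python
import hashlib
import hmac
import secrets
from html.parser import HTMLParser


class PostParser(HTMLParser):
    """Collect {post_id: (author, text)}; the div.post markup is an assumption."""

    def __init__(self):
        super().__init__()
        self.posts = {}
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "div" and a.get("class") == "post":
            self._current = a.get("data-post-id")
            self.posts[self._current] = (a.get("data-author"), "")

    def handle_endtag(self, tag):
        if tag == "div":
            self._current = None

    def handle_data(self, data):
        if self._current is not None:
            author, text = self.posts[self._current]
            self.posts[self._current] = (author, text + data)


def _digest(code):
    # The private code is a 256-bit random token, so a plain SHA-256 is enough;
    # a user-chosen password would need a slow KDF instead.
    return hashlib.sha256(code.encode()).hexdigest()


class Registry:
    def __init__(self):
        self.pending = {}   # username -> public, single-use passcode (step 1)
        self.accounts = {}  # username -> hash of private code (step 5)

    def start_registration(self, username):
        self.pending[username] = "reg-" + secrets.token_hex(16)
        return self.pending[username]

    def complete_registration(self, username, post_id, page_html):
        """Steps 3-5: returns the private code once, or None if the check fails."""
        passcode = self.pending.get(username)
        if passcode is None:
            return None
        parser = PostParser()
        parser.feed(page_html)  # step 4: page_html is the scraped topic
        author, text = parser.posts.get(post_id, (None, ""))
        # The passcode must sit in a post written BY the claimed account;
        # its mere presence on the page (e.g. repeated by someone else) fails.
        if author != username or passcode not in text.split():
            return None
        del self.pending[username]  # passcode cannot be replayed
        private_code = secrets.token_urlsafe(32)
        self.accounts[username] = _digest(private_code)
        return private_code

    def authenticate(self, username, private_code):
        stored = self.accounts.get(username, "")
        return bool(stored) and hmac.compare_digest(stored, _digest(private_code))


def sample_page(passcode):
    # Constructed page: post 101 is alice's own, post 102 is another user repeating it.
    return (f'<div class="post" data-post-id="101" data-author="alice">{passcode}</div>'
            f'<div class="post" data-post-id="102" data-author="mallory">re: {passcode}</div>')


if __name__ == "__main__":
    reg = Registry()
    page = sample_page(reg.start_registration("alice"))
    print(reg.complete_registration("alice", "102", page) is None)
    code = reg.complete_registration("alice", "101", page)
    print(reg.authenticate("alice", code), reg.authenticate("alice", "guess"))
```

Because only the digest is kept, a read of the accounts table does not yield usable codes, but it does nothing for funds held on the same machine, which is the point the thread argues over.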
hero member
Activity: 1439
Merit: 513
January 04, 2024, 08:30:54 PM
#34
Can you implement some sort of sort and settle once a day/week instead of a manual invoice?

And what's the plan for account authentication?

I'd also like to state I like seeing the BCT plugins idea finally being utilized here on bct. (about time)
sr. member
Activity: 1666
Merit: 310
January 04, 2024, 06:33:16 PM
#33
I'm a little confused, didn't you say like 2 weeks ago you're done here?
Now you're back with a custodial service?
You're a member I rub shoulders with a lot and your recent activity is very out of character.
Let's just say his precious m!xer income ($1200/month, while the minimum wage in Greece is €660/month) was lost permanently, so he has to find another source of income. Wink

I'm curious to find out what Greek lawyers have to say about a centralized money transmitting service with no licence and no regulation... Roll Eyes

Don't worry, he's very young and he'll learn many lessons the hard way. Cool

but if you are hacked the hacker can pretend to be everyone and raid your custody by spamming you with everyones code they accessed, if you have it all mingled together on your server
If a hacker hacks the server, they can take the money. Whether we use digital signatures or private codes in plain text, the money is sitting on the server and can be claimed if the machine is compromised.

then a hacker cant just spam your mailbox with everyones code, nor get everyones private key from your side
A hacker isn't supposed to steal everyone's codes. They are supposed to compromise the server, and if the server (or the home computer in your analogy) is compromised, digital signatures provide no extra security. The private code is only used to authenticate your account; it is the same as choosing a strong password. If you're concerned about impersonation (e.g., hacker steals your private code and pretends to be you), I can promise to only keep the hash of the codes (which can be verified on the front-end).

This is the same as telling me that a centralized exchange which asks for a public key is more secure than one that asks for a password. Both are central points of failure which can be compromised regardless.

first of all..
CEX at the most basic level do a thing called hot/cold wallet. where they dont keep full stash on the public access server that do order/payment/withdrawal requests.
second of all they FAIL when they get hacked and lose their hotwallet stash because they should keep even the hot wallet stash separate from the public access server

again if you have 2 servers.. one is the public access that takes the user requests and a second one that remotely sniffs the public server to read such requests and perform them separate. you add an extra layer of security.

like i said, the cheap affordable low maintenance approach would be to use the forums PM inbox to take requests and then your home PC does the payments. where you keep your funds separate. and keep your home pc unidentifiable from the forum/extension, thus avoid hacker finding your home pc

if you however want to hotwallet any/all funds on the same server that takes the user requests(public access) then you are not even doing basic security of a CEX..  it shows you are not ready to manage funds
because you prefer not to care about security and are expecting to one day shout "i been hacked"

..
so like i said if users sign up to you with a public address (much like sigcampaign applicants use bitcoin addresses to sign up)
YOU no longer need to create, manage, store, give out private keys/codes.... because doing so is a security risk

and instead you can verify a user is making a genuine request by them sending you a signed message that proves the request is unique, independent and genuine. which stops hackers from just spamming everyones "code" to raid you dry.. and stops hackers getting everyones codes because there is no central store to get codes

much like you proved you didnt sell your account by signing your 'black' vanity address..
without anyone needing to manage your private key centrally
To me it seems highly ironic that he has criticized heavily CEX in the past (Angelo loves flip-flopping), even though they're regulated services (at least Binance is, that's why they got a hefty 4 billion $ fine) and now he's back to promote a centralized service with zero regulation and most people here don't even know his real name, his address, his occupation etc. CZ is not anonymous, everyone knows who he is.

Oh well, maybe the Greek authorities will have to interrogate Mr. Angelo after all... Cool
sr. member
Activity: 448
Merit: 560
Crypto Casino and Sportsbook
January 04, 2024, 02:52:02 PM
#32
It is definitely not ideal, but in my experience, it is the only solution that survives. For example, look at stacker.news. It started as an alternative to Hacker News with tips, but it has transformed into a small forum over time. The concept of tips, as it turns out, proved to be a successful idea.

I would prefer to implement this in the most transparent manner feasible, but achieving self-custody seems too unrealistic.
I spent over 1 hour going through the entire post and reply including the one from the first one you made. And I must say the forum tipping is quite a nice idea however it seems forum members are not in much support of it (for now).
I noticed from all your replies that you really wanted to make it possible and you still do. So my best suggestion is:

Take your time to create all the necessary programs and setups including the extension like you mentioned and store it somewhere safe. The forum may want it sometime in the future. Besides if you observe, theymos didn't accept the 2FA until some years later and power glove already had it ready and sitting somewhere so implementing it was quick and easy.
Just create, store and relax.
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
January 04, 2024, 02:01:30 PM
#31
[...]
This solves the problem of an attacker stealing everyone's funds by compromising a machine I have no physical control over, but it does not mean the funds cannot move without the user's digital signature which is what I believe was your argument.

There is indeed risk with trusting a remote computer for not getting compromised. Nonetheless, the purpose of a VPS is to provide isolation and consistent uptime. Allocating a local computer for this process doesn't seem like a responsible course of action. Lots of lightning nodes operating on AWS and Google cloud servers, and with a lot more liquidity than this one, give me the impression that I can trust it.
legendary
Activity: 1778
Merit: 1474
🔃EN>>AR Translator🔃
January 04, 2024, 01:54:46 PM
#30
It's exciting to think that an individual might gain some tips for writing a nice post. It is the same way the merit system works, with the difference that tipping is not necessary to upgrade membership. I fear that an issue will develop and the tipping system become an evaluation tool for publications and members, especially since anyone can manipulate the system by depositing a large amount and sending tips to accounts that he wants to appear better than others. By studying the suspicions that some people have regarding the merit system, you will be able to identify many details that you may have missed during the design.

@BHC
In fact, I find it a brilliant idea and I am sure it will receive great support from the community here.
Certainly, there are many who do not prefer custodial services of all kinds in order to preserve their privacy, but your reputation on the forum is what lends legitimacy to the concept. I advise you not to be upset or pay too much attention to some destructive criticism.

I wish you good luck and success.
Cheers,
legendary
Activity: 4424
Merit: 4794
January 04, 2024, 11:55:24 AM
#29
but if you are hacked the hacker can pretend to be everyone and raid your custody by spamming you with everyones code they accessed, if you have it all mingled together on your server
If a hacker hacks the server, they can take the money. Whether we use digital signatures or private codes in plain text, the money is sitting on the server and can be claimed if the machine is compromised.

then a hacker cant just spam your mailbox with everyones code, nor get everyones private key from your side
A hacker isn't supposed to steal everyone's codes. They are supposed to compromise the server, and if the server (or the home computer in your analogy) is compromised, digital signatures provide no extra security. The private code is only used to authenticate your account; it is the same as choosing a strong password. If you're concerned about impersonation (e.g., hacker steals your private code and pretends to be you), I can promise to only keep the hash of the codes (which can be verified on the front-end).

This is the same as telling me that a centralized exchange which asks for a public key is more secure than one that asks for a password. Both are central points of failure which can be compromised regardless.

first of all..
CEX at the most basic level do a thing called hot/cold wallet. where they dont keep full stash on the public access server that do order/payment/withdrawal requests.
second of all they FAIL when they get hacked and lose their hotwallet stash because they should keep even the hot wallet stash separate from the public access server

again if you have 2 servers.. one is the public access that takes the user requests and a second one that remotely sniffs the public server to read such requests and perform them separate. you add an extra layer of security.

like i said, the cheap affordable low maintenance approach would be to use the forums PM inbox to take requests and then your home PC does the payments. where you keep your funds separate. and keep your home pc unidentifiable from the forum/extension, thus avoid hacker finding your home pc

if you however want to hotwallet any/all funds on the same server that takes the user requests(public access) then you are not even doing basic security of a CEX..  it shows you are not ready to manage funds
because you prefer not to care about security and are expecting to one day shout "i been hacked"

..
so like i said if users sign up to you with a public address (much like sigcampaign applicants use bitcoin addresses to sign up)
YOU no longer need to create, manage, store, give out private keys/codes.... because doing so is a security risk

and instead you can verify a user is making a genuine request by them sending you a signed message that proves the request is unique, independent and genuine. which stops hackers from just spamming everyones "code" to raid you dry.. and stops hackers getting everyones codes because there is no central store to get codes

much like you proved you didnt sell your account by signing your 'black' vanity address..
without anyone needing to manage your private key centrally
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
January 04, 2024, 10:38:08 AM
#28
The technical part that you present is too centralized and therefore is not the best solution.
It is definitely not ideal, but in my experience, it is the only solution that survives. For example, look at stacker.news. It started as an alternative to Hacker News with tips, but it has transformed into a small forum over time. The concept of tips, as it turns out, proved to be a successful idea.

I would prefer to implement this in the most transparent manner feasible, but achieving self-custody seems too unrealistic.

I know you're a private individual but it would be a little naive of us to proceed without some explanation wouldn't it?
I've had troubles in real life. I took care of them. I warned about my departure, because I didn't want to be the guy that suddenly disappeared without informing anyone.
hero member
Activity: 560
Merit: 1060
January 04, 2024, 10:19:15 AM
#27
I know you're a private individual but it would be a little naive of us to proceed without some explanation wouldn't it?
(In regards to your departure and return)

Sorry to intervene but does this mean that BHC should tell us why he decided to leave and then came back? I mean aren't we all allowed to take a break? Perhaps you don't like the fact that he made a "goodbye" post instead of simply disappearing for a while. I mean what is your concern? That he left for a reason we should know? Or that he is not the same person?
hero member
Activity: 1439
Merit: 513
January 04, 2024, 09:21:27 AM
#26
@BlackHatCoiner, I support the idea, it would definitely be an improvement of the forum, but...
The technical part that you present is too centralized and therefore is not the best solution. Here's an example from a couple of months ago when you wanted to take a break from the forum, that shouldn't happen if you started this thing. And honestly, there are many reasons why any of us won't, can't or don't want to come to this forum at some point.

This is not any doubt in you or criticism against you, I'm just expressing the first thing I thought when I read your proposal.
I did poorly at relaying this but these were my sentiments exactly.

@BlackHatCoiner I'm personally going to give you benefit of the doubt and tell myself, that's the original BHC based on the fact you're putting time into LN in an altruistic manner. Custodial or not the risks I feel are low with you at the wheel.

With that being said I'm going to level with you.

You introduced doubt before a product launch.

I know you're a private individual but it would be a little naive of us to proceed without some explanation wouldn't it?
(In regards to your departure and return)

Edit -1337 that's neat.
legendary
Activity: 3472
Merit: 3507
Crypto Swap Exchange
January 04, 2024, 08:44:44 AM
#25
@BlackHatCoiner, I support the idea, it would definitely be an improvement of the forum, but...
The technical part that you present is too centralized and therefore is not the best solution. Here's an example from a couple of months ago when you wanted to take a break from the forum, that shouldn't happen if you started this thing. And honestly, there are many reasons why any of us won't, can't or don't want to come to this forum at some point.

This is not any doubt in you or criticism against you, I'm just expressing the first thing I thought when I read your proposal.
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
January 04, 2024, 07:20:20 AM
#24
but if you are hacked the hacker can pretend to be everyone and raid your custody by spamming you with everyones code they accessed, if you have it all mingled together on your server
If a hacker hacks the server, they can take the money. Whether we use digital signatures or private codes in plain text, the money is sitting on the server and can be claimed if the machine is compromised.

then a hacker cant just spam your mailbox with everyones code, nor get everyones private key from your side
A hacker isn't supposed to steal everyone's codes. They are supposed to compromise the server, and if the server (or the home computer in your analogy) is compromised, digital signatures provide no extra security. The private code is only used to authenticate your account; it is the same as choosing a strong password. If you're concerned about impersonation (e.g., hacker steals your private code and pretends to be you), I can promise to only keep the hash of the codes (which can be verified on the front-end).

This is the same as telling me that a centralized exchange which asks for a public key is more secure than one that asks for a password. Both are central points of failure which can be compromised regardless.

I'm a little confused, didn't you say like 2 weeks ago you're done here?
https://bitcointalksearch.org/topic/m.63358011.

chances are 50:50 the user writing posts in 2024 is not the same greek echo chamber of previous years.
This is getting off-topic. If you believe I'm not the person who owned the account before 2024, you can ask me to sign a message (as I have already done in the linked post above).
legendary
Activity: 4424
Merit: 4794
January 04, 2024, 05:04:58 AM
#23
I'm a little confused, didn't you say like 2 weeks ago you're done here?
Now you're back with a custodial service?
You're a member I rub shoulders with a lot and your recent activity is very out of character.

he has always been promoting middlemen services that take in coins and manage them and release them on a different date. (mixers, subnetworks)
he has always idolised centralised development(core)
but before was just the promotion guy taking affiliate/advertising revenue.
but yea seems strange to see him now want to be a business owner going legit, having to be transparent about all money flows he touches(which is different to his supposed 'privacy' advertising)

chances are 50:50 the user writing posts in 2024 is not the same greek echo chamber of previous years. although other topics since return did smell of the same scripted rhetoric.. but that could have been just a planned act to make a few posts in the tone of the previous guy, just to hide the hand over of account
hero member
Activity: 1439
Merit: 513
January 03, 2024, 07:28:13 PM
#22
I'm a little confused, didn't you say like 2 weeks ago you're done here?
Now you're back with a custodial service?
You're a member I rub shoulders with a lot and your recent activity is very out of character.

legendary
Activity: 4424
Merit: 4794
January 03, 2024, 10:09:53 AM
#21
much easier that users use their own keys and just send blackhat PM of a signatured message
It's less attractive. To make an account you need to provide a public key, which you must have generated beforehand. Besides, since I will have custody of your funds, why does it matter? Whether it is a private code, or a signed message, it happens for me to authenticate your account.

if you are the creator, storer and provider of peoples identity(secret code). that becomes not only a minus of privacy, but if you are hacked the hacker can pretend to be everyone and raid your custody by spamming you with everyones code they accessed, if you have it all mingled together on your server
(bad security on so many levels)

however if your system operates remotely where a public access server just receives payment requests. (where payments are done separately to requests) EG lets say using this forums inbox of Private messages to receive payment requests. and your home PC separately performs the payments

and just from remote pc sniff your forum inbox for pm's you are one step further back from being hacked
if users provide you a public key to register them as their iD(you dont need access to their private key). and when making payments they request to you (via PM message or browser extension) a signed message by signing it with THEIR private key. then a hacker cant just spam your mailbox with everyones code, nor get everyones private key from your side

thus your subnetwork node is not on a public access server to be hacked. and the payment messages cant be hacked as a whole because they are separate and peoples secret is not available from any part you have access to

..
come on its 2024.. you must know bitcoin well enough by now that having users provide their own public keys for ID is far far far better than you as a custodian creating silly private pin numbers to users where you store the pin numbers incase they forget..(where you can be hacked to drain everyone)

wake up

you do not need to know people private keys/codes/pins to provide a secure system.. bitcoin pub/priv keypairs is the most basic thing of bitcoin you should utilise, where by they provide you the public. and signed messages so that you dont need to worry about the private
sr. member
Activity: 1666
Merit: 310
January 03, 2024, 06:48:25 AM
#20
What do you mean it's open-source?
I mean this, open source MIT license:
https://github.com/getAlby/lightning-browser-extension

I don't think it's hard to explain (to most people) what that means  Roll Eyes
Go ahead and make your own non-custodial alternative, can't wait to see it.
You don't have to be passive aggressive.

Would you trust Binance more if they made their platform open-source on Github? Roll Eyes

Most likely not, because it's a custodial service. That's what I meant for Alby. If you trust them for your funds, use them.
hero member
Activity: 560
Merit: 1060
January 03, 2024, 06:26:45 AM
#19
The idea is brilliant.

It is widely used with Nostr UIs. For example this is Jack Mallers' profile. You can head over to the lightning icon and it will load a screen like this:



If you click on the "Zap X sats" icon it will guide you to a QR code and a lightning invoice.

Then, clicking on the "pay now" it will require you to open the wallet of your choice in order to pay. For example we could use something like alby, which requires a plugin to be installed on the browser.

So, to break it down for you, in order for this to function, we need:

1. A way to post invoices as a payee. This one is tricky if you don't run your own node, but theoretically you could create an invoice and post it somewhere. Once the invoice is paid, it gets cancelled and then they need to enter a new one. This should take place automatically. I suggest reading how nostr implements it, as defined in NIP-57.

2. A way to pay someone as a payer. This one is very easy in my opinion, because you can use whatever wallet you want.
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
January 03, 2024, 05:53:19 AM
#18
much easier that users use their own keys and just send blackhat PM of a signatured message
It's less attractive. To make an account you need to provide a public key, which you must have generated beforehand. Besides, since I will have custody of your funds, why does it matter? Whether it is a private code, or a signed message, it happens for me to authenticate your account.

However, aren't you afraid that this will lead to a form of abuse on the forum (spam, the race to be on the first page of a new topic etc.)? This already exists, but wouldn't such a feature make things worse?
I'm not afraid it will lead to a "tip race" of the first page, as it already exists with merits. I'm afraid it will be abused in the following manner: alt accounts will tip each other and make it look as if they're millionaires. It doesn't harm anyone though, does it? Pretty much the opposite. It reveals who owns alt accounts.

We all already have the option of putting a BTC address on our profile, wouldn't it be easier to add a LN profile-box for potential tips (if fees remain high on-chain)? That would solve the custody problem.
No, because very few people run lightning nodes, and if you don't run a lightning node, you don't have custody in lightning.

Yeah but that is going to be a whole new extension starting from scratch, that usually means lots of bugs and not many people willing to test it.
I'll contact them when needed. Thanks.



If someone has thought of a way to send tips without forfeiting custody of their sat and without running a node, inform me. I will completely reconstruct the project from zero. Currently, the only viable solution appears to be one without custody. While I strongly advocate for self-custody, I don't perceive it as a significant concern, given that tips are intended to be of modest amounts.
legendary
Activity: 2212
Merit: 7064
January 03, 2024, 04:52:19 AM
#17
Cool, but as per my understanding, getAlby's browser extension is sort of like a lightweight lightning wallet. My browsing extension will simply send API requests and play a little bit with the forum's page structure.
Yeah but that is going to be a whole new extension starting from scratch, that usually means lots of bugs and not many people willing to test it.

What do you mean it's open-source?
I mean this, open source MIT license:
https://github.com/getAlby/lightning-browser-extension

I don't think it's hard to explain (to most people) what that means  Roll Eyes
Go ahead and make your own non-custodial alternative, can't wait to see it.

