Topic: GLBSE 2.0, Is safer now. - page 6. (Read 8829 times)

hero member
Activity: 602
Merit: 513
GLBSE Support [email protected]
April 02, 2012, 12:58:40 PM
#27
I'm going to add Yubikey support soon, next few hours.

likuidxd makes some very good points, security is everyones responsibility.

I'm making the commitment to secure GLBSE, but it only works if users secure their passwords.

If you want to be able to recover your accounts via email then you need to secure those as well, there is no other way around it.

Actually I changed my mind, turns out you (I) actually need to buy a Yubikey to even get started, I don't want to bother waiting.

I'll find another option.
I'll use Google Authenticator; actually that seems to be the perfect option.
hero member
Activity: 602
Merit: 513
GLBSE Support [email protected]
April 02, 2012, 12:10:09 PM
#26
Hold assets created by me at your own risk. If I am hacked I will take no responsibility. Why? My account is attached to a free e-mail account that I have used for years on public computers all over the world. Would I even dream of putting 1000s of bitcoins on the security of this free junk mail account? No, never and to do so would be negligent! This was forced upon me without warning or consent!

Holy scam warning Batman!

Goat, why didn't you create an alias email account with an outrageously complicated password when you signed up for GLBSE 2.0?  You're honestly saying you use the same email/password for multiple sites and have been doing it for years?  I find it hard to believe that anyone in Bitcoin could be so naive.  You hold thousands maybe tens of thousands of dollars in other people's money and you reuse a commonly used email address?  I apologize, but I don't believe you are that stupid.  You were around for the MtGox email address hack, you know better.  This seems like either A) you setting up to scam everyone and not claim responsibility or B) you trying to create a panic in all your holdings so that you can buy them back for cheap and keep the profits.  For someone with 4 listings on the GLBSE, I find this incredibly irresponsible.

THIS WARNING seems to be a lot more relevant now.

I would hold off on the speculation for a while. We must allow Goat a reasonable amount of time to comply with the requests.

Nefario.
donator
Activity: 4760
Merit: 4323
Leading Crypto Sports Betting & Casino Platform
April 02, 2012, 11:59:45 AM
#25
Hold assets created by me at your own risk. If I am hacked I will take no responsibility. Why? My account is attached to a free e-mail account that I have used for years on public computers all over the world. Would I even dream of putting 1000s of bitcoins on the security of this free junk mail account? No, never and to do so would be negligent! This was forced upon me without warning or consent!

Holy scam warning Batman!

Goat, why didn't you create an alias email account with an outrageously complicated password when you signed up for GLBSE 2.0?  You're honestly saying you use the same email/password for multiple sites and have been doing it for years?  I find it hard to believe that anyone in Bitcoin could be so naive.  You hold thousands maybe tens of thousands of dollars in other people's money and you reuse a commonly used email address?  I apologize, but I don't believe you are that stupid.  You were around for the MtGox email address hack, you know better.  This seems like either A) you setting up to scam everyone and not claim responsibility or B) you trying to create a panic in all your holdings so that you can buy them back for cheap and keep the profits.  For someone with 4 listings on the GLBSE, I find this incredibly irresponsible.

THIS WARNING seems to be a lot more relevant now.
sr. member
Activity: 434
Merit: 251
April 02, 2012, 11:26:33 AM
#24
What I find most alarming in this thread is that Goat doesn't want to authenticate his account...

Apart from that, having a secure email address, and single use password is a basic when money is involved...
Regarding 2-step authentication, how difficult is it to implement Google Authenticator? (like Bitcoinica did)
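Since the question above is how hard it is to implement Google Authenticator, here is an added example of the server side, written for this page and not taken from GLBSE's code base: RFC 6238 TOTP generation and verification in Ruby using only the standard library (GLBSE is a Ruby application, per a later post in this thread). The issuer name, the account label, the drift window and the replay guard are assumptions; the secret used is the RFC 4226/6238 test-vector key, so the codes can be checked against the RFCs.

```ruby
require "openssl"

BASE32_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567".freeze

# RFC 4226/6238 test-vector key ("12345678901234567890" in base32), used here
# only so the expected codes can be checked against the RFCs. A real enrolment
# generates a fresh random secret per account (SecureRandom.random_bytes(20)).
RFC_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ".freeze

# Google Authenticator stores secrets as unpadded base32 (RFC 4648). Ruby's
# stdlib has no base32, so decode by hand and reject anything outside the alphabet.
def base32_decode(str)
  bits = str.upcase.delete("=").each_char.map do |c|
    idx = BASE32_ALPHABET.index(c)
    raise ArgumentError, "invalid base32 character #{c.inspect}" unless idx
    idx.to_s(2).rjust(5, "0")
  end.join
  bits.scan(/.{8}/).map { |byte| byte.to_i(2) }.pack("C*")
end

# HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation.
def hotp(secret_bytes, counter, digits: 6)
  hmac = OpenSSL::HMAC.digest("sha1", secret_bytes, [counter].pack("Q>"))
  offset = hmac.getbyte(19) & 0x0f
  code = ((hmac.getbyte(offset) & 0x7f) << 24) |
         (hmac.getbyte(offset + 1) << 16) |
         (hmac.getbyte(offset + 2) << 8) |
         hmac.getbyte(offset + 3)
  (code % 10**digits).to_s.rjust(digits, "0")
end

# TOTP (RFC 6238): HOTP with counter = floor(unix_time / 30).
def totp(secret_b32, unix_time, step: 30, digits: 6)
  hotp(base32_decode(secret_b32), unix_time / step, digits: digits)
end

# Compare two codes without leaking where they differ (timing side channel).
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Verify a submitted code. Accepts +/- `window` steps of clock drift, and refuses
# any step <= `last_counter` so a code sniffed from one login cannot be replayed
# within its validity window. Returns the matched counter (persist it as the
# account's new last_counter) or nil on failure.
def verify_totp(secret_b32, submitted, now:, last_counter: -1, window: 1, step: 30)
  secret = base32_decode(secret_b32)
  counter = now / step
  (-window..window).each do |delta|
    c = counter + delta
    next if c <= last_counter
    return c if secure_equal?(hotp(secret, c), submitted.to_s)
  end
  nil
end

# otpauth:// URI that Google Authenticator scans at enrolment (shown as a QR code).
# The label format and the "GLBSE" issuer are assumptions for illustration.
def provisioning_uri(account, secret_b32, issuer: "GLBSE")
  "otpauth://totp/#{issuer}:#{account}?secret=#{secret_b32}&issuer=#{issuer}"
end

if $PROGRAM_NAME == __FILE__
  puts provisioning_uri("user@example.invalid", RFC_TEST_SECRET_B32)
  puts totp(RFC_TEST_SECRET_B32, 59) # RFC 6238 vector at T=59: 287082
end
```

The replay guard is the part most implementations forget: without `last_counter`, a 30-second code that a keylogger or shoulder-surfer captures is good for a second login inside the drift window.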

hero member
Activity: 602
Merit: 513
GLBSE Support [email protected]
April 02, 2012, 11:13:13 AM
#23
I'm going to add Yubikey support soon, next few hours.

likuidxd makes some very good points, security is everyones responsibility.

I'm making the commitment to secure GLBSE, but it only works if users secure their passwords.

If you want to be able to recover your accounts via email then you need to secure those as well, there is no other way around it.
sr. member
Activity: 476
Merit: 500
April 02, 2012, 10:59:04 AM
#22
Goat, are you preemptively passing all blame to Nefario if something goes wrong with any of your GLBSE listings here because you don't want to authenticate your account? You can personally take measures to keep your e-mail account safe if you're worried. One, for instance, is as simple as rotating passwords regularly. It is the responsibility of both of you to secure your accounts; taking no responsibility is fairly childish IMO.
My apologies, but this sounds sketchy
hero member
Activity: 602
Merit: 513
GLBSE Support [email protected]
April 02, 2012, 10:04:24 AM
#21
I could also add GPGAuth as an authentication method
http://gpgauth.org

However there is currently only a plugin for Google Chrome and no Ruby server-side implementation (which means I'd have to create it).

So it's an option, and one I'd happily support in the current system, just not an immediate one.
hero member
Activity: 602
Merit: 513
GLBSE Support [email protected]
April 02, 2012, 10:02:00 AM
#20
How difficult is it to support (optional) GPG encrypted e-mails? This is one feature I wish all services adopted.


If I remember correctly, when I was starting with GLBSE 1.0, the initial crypto development was quite a pain and something I had trouble with; it's certainly doable.
hero member
Activity: 938
Merit: 1002
April 02, 2012, 09:25:39 AM
#19
How difficult is it to support (optional) GPG encrypted e-mails? This is one feature I wish all services adopted.
hero member
Activity: 602
Merit: 513
GLBSE Support [email protected]
April 02, 2012, 09:18:05 AM
#18
"Security questions" are often the weak point of many authentication systems. If indeed all it takes (I don't use GLBSE) is to know your birth city, that is clearly insufficient security. Ask about first pet names if you must have security questions at all, but leave biographical data that can be scraped from facebook out of it.

I'm certainly not going to be doing that.
donator
Activity: 266
Merit: 252
I'm actually a pineapple
April 02, 2012, 09:16:32 AM
#17
"Security questions" are often the weak point of many authentication systems. If indeed all it takes (I don't use GLBSE) is to know your birth city, that is clearly insufficient security. Ask about first pet names if you must have security questions at all, but leave biographical data that can be scraped from facebook out of it.
hero member
Activity: 602
Merit: 513
GLBSE Support [email protected]
April 02, 2012, 08:37:56 AM
#16
Regarding lost keys from 1.0

I spent A LOT OF TIME dealing with this issue. A lot of people lost their keys; as a result the security of the system as a whole was reduced, as without the keys people were unable to recover their accounts.

Cryptographically the system was really well secured, sadly people didn't look after their keys so it didn't work.
legendary
Activity: 1652
Merit: 1128
April 02, 2012, 08:35:03 AM
#15
I'm still stuck on the whole email account with the name of x as his password (I'll be nice and not say it ;)), that's just lazy.
hero member
Activity: 602
Merit: 513
GLBSE Support [email protected]
April 02, 2012, 08:34:32 AM
#14
GLBSE2.0 is nothing close to solid. All you need now to get access to someone’s account is their e-mail address and password. That is it!
What is not solid about that? Take care of your passwords and make them secure enough with something like KeePass. Most users on most Bitcoin exchanges have the same kind of protection.

You can take your password and encrypt it exactly like you encrypted your private key if you want.

I agree though that a 2nd auth with your phone would be preferable here, but I don’t think your topic’s title is appropriate, because yes, having a PW is safe if you can take care of it.

Much more concerning is the question whether GLBSE now has any exploitable vulnerabilities etc., I would really like to see Patrick Strateman (from Intersango, where Nefario works too) do some penetration testing like he did with other exchanges if it hasn’t yet happened.

I can keep my password safe but he forced me to use an account that was not safe. To get the password to that account all you need to know is what city I was born in. Had I known that this feature would have been implemented I would have never used that e-mail address. Hell I doubt I would have even signed up.

What do you think the title of this thread should be? I am open to changing it if you have a better idea.

Just PM Nefario and ask him to change your email address? Why this drama?

The drama because I've locked his account and asked for ID verification.

His reply:

Sorry about this but I am not going to take the fall for this if it goes sideways.

https://bitcointalksearch.org/topic/glbse-20-is-safer-now-75047

I had also told him about a policy I'd like to implement, reducing the number of assets a single account/person can create, although I think that can wait until another time, certainly until this gets sorted out.

I'll unlock it as soon as he provides this information.

Quote from: Chaang Noi (Goat)
GLBSE2.0 is nothing close to solid. All you need now to get access to someone’s account is their e-mail address and password. That is it!

This is complete rubbish. Chaang is using Gmail, which itself uses two-factor authentication, and is as secure as any internet-connected system available. Its weaknesses are the users, their choice of password (password strength) and whether they re-use that password.

A strong, single use password is as good as it gets without adding two factor authentication (something I'm researching).

Keeping in mind that all other exchanges and most other websites do the same (username/password, account recovery through email), GLBSE2.0 is not exceptionally more or less secure.

I'm a very reasonable person, and I find it unsettling how quickly this has been splashed across several threads on the forums, about 5 hours after I emailed him asking (asking, not demanding) for proof of identity, in a clear attempt to pressure me to unlock his account.

Nefario
sr. member
Activity: 462
Merit: 250
April 02, 2012, 08:32:07 AM
#13
@Blitzboom I've no idea how many people lost their keys from 1.0, but I'm sure it's harder to brute force a key pair than to pwn an email, when very frequently all it needs is to answer a question like "did you get laid this year? y/n"
hero member
Activity: 532
Merit: 500
April 02, 2012, 08:29:16 AM
#12
2-step auth w/ Google Authenticator would be a good thing. Passwd + key option would be cool too. Being able to turn off email password reset would be very very nice.

Using a secure email account for financial services to email you seems crucial.

I'm not sure what disturbs me the most about this thread. There are several issues to ponder. :-/
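The point made repeatedly below this post (a pwned mailbox is an attack vector that bypasses GLBSE entirely) and the wish above to be able to turn e-mail password reset off are both server-side design choices. As an added example, not GLBSE's own code, here is one way to build that reset flow in Ruby: only a hash of the token is stored, the token expires, it is single-use, and a per-account opt-out flag refuses e-mail recovery for users who do not trust their mailbox. The in-memory account table, the 15-minute TTL and the PBKDF2 parameters are assumptions for illustration.

```ruby
require "securerandom"
require "digest"
require "openssl"

RESET_TOKEN_TTL = 15 * 60 # seconds; an assumption, not a GLBSE setting

# Constructed in-memory account table (example only, not GLBSE's schema).
# An account with email_reset_enabled: false cannot be recovered through its
# mailbox at all and must go through some out-of-band check instead.
def example_accounts
  {
    "trader@example.invalid" => { password_hash: hash_password("old-password"), email_reset_enabled: true },
    "issuer@example.invalid" => { password_hash: hash_password("old-password"), email_reset_enabled: false },
  }
end

# Salted PBKDF2-HMAC-SHA256 stored as "salt$hash" (hex). Example scheme only.
def hash_password(password, salt = SecureRandom.hex(16))
  dk = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, 50_000, 32, OpenSSL::Digest.new("sha256"))
  "#{salt}$#{dk.unpack('H*').first}"
end

def password_matches?(stored, password)
  salt = stored.split("$", 2).first
  secure_equal?(stored, hash_password(password, salt))
end

# Constant-time string comparison so a token or hash cannot be guessed byte by byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Step 1: user asks for a reset. Returns the token to put in the e-mail, or nil.
# Only SHA-256(token) is kept in `tokens`, so a dump of that table (or of a log
# that copies it) yields no usable reset links. The HTTP layer must answer the
# same way for nil and non-nil, or the endpoint reveals which addresses exist
# and which accounts opted out.
def request_reset(accounts, tokens, email, now:)
  acct = accounts[email]
  return nil unless acct && acct[:email_reset_enabled]
  token = SecureRandom.urlsafe_base64(32)
  tokens[Digest::SHA256.hexdigest(token)] = { email: email, expires_at: now + RESET_TOKEN_TTL }
  token
end

# Step 2: user follows the link. The record is deleted before it is checked, so
# the token is single-use whether it succeeds, fails or has expired. Returns
# true only when the password was actually changed.
def redeem_reset(accounts, tokens, token, new_password, now:)
  rec = tokens.delete(Digest::SHA256.hexdigest(token.to_s))
  return false unless rec && rec[:expires_at] > now
  accounts[rec[:email]][:password_hash] = hash_password(new_password)
  true
end

if $PROGRAM_NAME == __FILE__
  accounts = example_accounts
  tokens = {}
  now = Time.now.to_i
  puts "opted-out account gets a token? #{!request_reset(accounts, tokens, 'issuer@example.invalid', now: now).nil?}"
  tok = request_reset(accounts, tokens, "trader@example.invalid", now: now)
  puts "reset ok: #{redeem_reset(accounts, tokens, tok, 'new-password', now: now + 60)}"
  puts "replayed token ok: #{redeem_reset(accounts, tokens, tok, 'again', now: now + 61)}"
end
```

The opt-out does not make the account unrecoverable by design; it moves recovery to whatever out-of-band process the operator runs, which is exactly the trade the thread is arguing about.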
N12
donator
Activity: 1610
Merit: 1010
April 02, 2012, 08:13:56 AM
#11
Much more concerning is the question whether GLBSE now has any exploitable vulnerabilities etc., I would really like to see Patrick Strateman (from Intersango, where Nefario works too) do some penetration testing like he did with other exchanges if it hasn’t yet happened.

Once your email account is pwned you have an attack vector that bypasses GLBSE.
Do you know how many people lost their private key and could not prove that their account was theirs on GLBSE?

I’ve told Nefario from the start that private keys are a bad idea because people cannot and will not secure them, and it actually decreases usability. He himself had a hardcore stance like you did, but he became convinced otherwise and so he built GLBSE 2.0.

Now compare the popularity of nick/pw GLBSE 2.0 with the private key original GLBSE.
sr. member
Activity: 462
Merit: 250
April 02, 2012, 08:10:19 AM
#10
Much more concerning is the question whether GLBSE now has any exploitable vulnerabilities etc., I would really like to see Patrick Strateman (from Intersango, where Nefario works too) do some penetration testing like he did with other exchanges if it hasn’t yet happened.

Once your email account is pwned you have an attack vector that bypasses GLBSE.
rjk
sr. member
Activity: 448
Merit: 250
1ngldh
April 02, 2012, 08:08:05 AM
#9
title proposal:

bring back web keys. say no to user name / password authentication
Crypto keys are only as strong as the user's ability to secure his computer and his passphrase.

2 factor auth is a better idea. Yubikey, matrix card, etc. And no, "security questions" are NOT 2 factor auth.
sr. member
Activity: 462
Merit: 250
April 02, 2012, 08:00:09 AM
#8
title proposal:

bring back web keys. say no to user name / password authentication