Topic: rated (Read 4653 times)

hero member
Activity: 826
Merit: 500
September 05, 2012, 01:37:03 AM
#30

 Even if you use lastpass with a yubikey, hackers can get in with a keylogger or Lastpass can get hacked. Hotwallet can use your yubikey to log you in directly AND encrypt your password with a secure cipher like MARS or RC6. Hackers can't touch that!
*note: hot wallet is currently in alpha. max of 100 users. please do not deposit large amounts of coins until we're out of beta.
I'm a little confused by your logic. You're saying that if you use LastPass with a YubiKey, hackers can get your passwords, but on the next line you're saying Hotwallet can use your YubiKey to secure your account.

Last time I checked, a YubiKey creates one-time-use passwords when the button on it is pressed. So the same password from the YubiKey shouldn't work if it's been keylogged, because it's already been used.

LastPass stores your passwords with PBKDF2 using SHA-256 on the server, with a 256-bit salt and 100,000 rounds. Sure, LastPass can get hacked, but if you use a SECURE password that has never been cracked on any published password list, then your passwords are safe. Password lists are multi-million entries long now, so if you think Year1992 is a secure password you're in for a big surprise, because in the last list I saw I think 5k people used it lol.
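The one-time-password claim above is easy to check in code. What follows is an added example, not code from this thread or from Hotwallet or Yubico: a minimal model of the YubiKey OTP scheme (ModHex encoding, the 16-byte token with private ID, session and use counters and CRC, AES-128 encryption of that single block) and the validation-server side that decrypts it and rejects any OTP whose counters are not strictly newer than the last one accepted. The AES key, public ID and private ID are constructed test values; a real validation server keeps one such record per enrolled key, looked up by the public ID that prefixes every OTP.

```go
package main

import (
	"crypto/cipher"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"strings"
)

// ModHex: nibble value = index; these 16 letters sit on the same physical keys
// in most keyboard layouts, so an OTP types correctly anywhere.
const modhexAlphabet = "cbdefghijklnrtuv"

func modhexEncode(b []byte) string {
	out := make([]byte, 0, 2*len(b))
	for _, x := range b {
		out = append(out, modhexAlphabet[x>>4], modhexAlphabet[x&0x0f])
	}
	return string(out)
}

func modhexDecode(s string) ([]byte, error) {
	out := make([]byte, len(s)/2)
	for i := 0; i+1 < len(s); i += 2 {
		hi, lo := strings.IndexByte(modhexAlphabet, s[i]), strings.IndexByte(modhexAlphabet, s[i+1])
		if hi < 0 || lo < 0 {
			return nil, errors.New("modhex: invalid character")
		}
		out[i/2] = byte(hi<<4 | lo)
	}
	return out, nil
}

// crc16 is the YubiKey's CRC (poly 0x8408, init 0xffff, the PPP FCS algorithm);
// over a valid 16-byte token, stored CRC included, it yields 0xf0b8.
func crc16(b []byte) uint16 {
	crc := uint16(0xffff)
	for _, x := range b {
		crc ^= uint16(x)
		for i := 0; i < 8; i++ {
			crc = crc>>1 ^ 0x8408&-(crc&1) // xor the polynomial in only when the low bit was set
		}
	}
	return crc
}

// Token is the 16-byte plaintext the key encrypts under its AES-128 secret.
type Token struct {
	PrivateID  [6]byte // known only to the key and the validation server
	UseCtr     uint16  // session counter: ++ at power-up, kept in flash
	Timestamp  uint32  // 24-bit 8 Hz timestamp since power-up
	SessionCtr uint8   // ++ per OTP within a session, reset at power-up
	Random     uint16
}

// GenerateOTP models one button press: public ID in ModHex, then the encrypted
// token in ModHex (44 characters for a 6-byte public ID).
func GenerateOTP(publicID []byte, secret cipher.Block, t Token) string {
	var pt, ct [16]byte
	copy(pt[0:6], t.PrivateID[:])
	binary.LittleEndian.PutUint16(pt[6:8], t.UseCtr)
	pt[8], pt[9], pt[10] = byte(t.Timestamp), byte(t.Timestamp>>8), byte(t.Timestamp>>16)
	pt[11] = t.SessionCtr
	binary.LittleEndian.PutUint16(pt[12:14], t.Random)
	binary.LittleEndian.PutUint16(pt[14:16], ^crc16(pt[:14]))
	secret.Encrypt(ct[:], pt[:]) // exactly one block, so no chaining mode is involved
	return modhexEncode(publicID) + modhexEncode(ct[:])
}

// Validator holds one enrolled key's state (constructed example; a real server
// keeps one record per key, looked up by the public ID prefix of the OTP).
type Validator struct {
	publicID  string // ModHex form
	secret    cipher.Block
	privateID [6]byte
	last      int32 // highest counter accepted so far; -1 before first use
}

func NewValidator(publicID []byte, secret cipher.Block, privateID [6]byte) *Validator {
	return &Validator{publicID: modhexEncode(publicID), secret: secret, privateID: privateID, last: -1}
}

// Validate accepts an OTP at most once: decrypt, check CRC and private ID, then
// require the counters to be strictly newer than the last accepted ones. That
// last check is what makes a keylogged OTP useless when it is replayed.
func (v *Validator) Validate(otp string) error {
	if len(otp) != 44 || otp[:12] != v.publicID {
		return errors.New("malformed otp or unknown public id")
	}
	ct, err := modhexDecode(otp[12:])
	if err != nil {
		return err
	}
	var pt [16]byte
	v.secret.Decrypt(pt[:], ct)
	if crc16(pt[:]) != 0xf0b8 || subtle.ConstantTimeCompare(pt[:6], v.privateID[:]) != 1 {
		return errors.New("otp does not decrypt to a valid token for this key")
	}
	// 15-bit session counter (top bit is a flag) and 8-bit use counter together
	// form one monotonic 23-bit counter; anything not strictly newer is a replay.
	ctr := int32(binary.LittleEndian.Uint16(pt[6:8])&0x7fff)<<8 | int32(pt[11])
	if ctr <= v.last {
		return errors.New("replay: otp not newer than the last one accepted")
	}
	v.last = ctr
	return nil
}
```

The caller supplies the AES-128 block via `aes.NewCipher(key)` with a 16-byte key. Note what this does and does not buy: a replayed OTP and an OTP minted under the wrong key are both rejected, but an attacker who relays a fresh OTP to the real server in real time (a phishing proxy) is still within the threat model, which is why the validator should also be the only party that ever sees the OTP.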
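The PBKDF2 parameters quoted above (HMAC-SHA-256, 256-bit salt, 100,000 rounds) are what a web wallet should be using server-side too. The following is an added example, not LastPass's or Hotwallet's code: PBKDF2 written out so the per-guess cost is visible, a self-describing storage record, constant-time verification, and a registration-time check against a breached-password list. The record format, the `leakedPasswords` set and the 12-character minimum are this example's own assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Parameters matching the figures quoted for LastPass's server-side hashing.
const (
	Iterations = 100000 // each password guess costs an attacker this many HMACs
	SaltBytes  = 32     // 256-bit random salt, unique per user
	KeyBytes   = 32     // SHA-256 output size
)

// pbkdf2SHA256 is PBKDF2 (RFC 8018) with HMAC-SHA-256, written out so the cost
// structure is visible: T_i = U_1 xor ... xor U_c, U_1 = PRF(P, S || i),
// U_j = PRF(P, U_{j-1}).
func pbkdf2SHA256(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], block)
		prf.Reset()
		prf.Write(salt)
		prf.Write(idx[:])
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// HashPassword returns a self-describing record: algorithm, rounds, salt, key
// (format chosen for this example).
func HashPassword(password string) (string, error) {
	salt := make([]byte, SaltBytes)
	if _, err := rand.Read(salt); err != nil {
		return "", err
	}
	return encodeRecord(password, salt, Iterations), nil
}

func encodeRecord(password string, salt []byte, iter int) string {
	dk := pbkdf2SHA256([]byte(password), salt, iter, KeyBytes)
	return fmt.Sprintf("pbkdf2-sha256$%d$%s$%s", iter, hex.EncodeToString(salt), hex.EncodeToString(dk))
}

// VerifyPassword re-derives the key with the stored salt and round count and
// compares in constant time, so the comparison itself leaks nothing.
func VerifyPassword(record, password string) (bool, error) {
	parts := strings.Split(record, "$")
	if len(parts) != 4 || parts[0] != "pbkdf2-sha256" {
		return false, errors.New("unrecognised password record")
	}
	iter, err := strconv.Atoi(parts[1])
	if err != nil || iter < 1 {
		return false, errors.New("bad iteration count")
	}
	salt, err := hex.DecodeString(parts[2])
	if err != nil {
		return false, err
	}
	want, err := hex.DecodeString(parts[3])
	if err != nil {
		return false, err
	}
	got := pbkdf2SHA256([]byte(password), salt, iter, len(want))
	return subtle.ConstantTimeCompare(got, want) == 1, nil
}

// leakedPasswords is a constructed stand-in for a published password list; a
// real deployment loads millions of entries from a file or a k-anonymity API.
var leakedPasswords = map[string]struct{}{"Year1992": {}, "password": {}, "123456": {}}

// AcceptablePassword is the registration-time check: no amount of hashing
// saves a password that is already on every cracking wordlist. The length
// floor is this example's assumption, not a LastPass rule.
func AcceptablePassword(password string) bool {
	_, leaked := leakedPasswords[password]
	return !leaked && len(password) >= 12
}

func main() {
	rec, err := HashPassword("correct horse battery staple")
	if err != nil {
		panic(err)
	}
	ok, _ := VerifyPassword(rec, "correct horse battery staple")
	fmt.Println(rec, ok)
}
```

The iteration count is stored in the record so it can be raised later per user, re-hashing on next successful login; the salt stops a single precomputed table from covering every user at once, which is exactly why a unique password still matters even with these parameters.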
legendary
Activity: 2271
Merit: 1363
August 30, 2012, 07:23:29 AM
#29
Finally a Domain !

May I now suggest that I get to see a new default page after I took the tremendous effort of logging into the doghouse.
One of my Wallets would suffice if you need something to begin with.
sr. member
Activity: 252
Merit: 250
August 29, 2012, 04:33:41 PM
#28
ssl is pretty much useless, funny you are getting slammed for that opinion. Says more about the people shitting on you than yourself, though, no worries. This coming from the guy that tries to shit on you at any opportunity I get


http://convergence.io/ for real security
vip
Activity: 1386
Merit: 1140
The Casascius 1oz 10BTC Silver Round (w/ Gold B)
August 29, 2012, 04:32:10 PM
#27
update on the ssl issue;

I've decided not to buy one unless I can get it for $5/yr or cheaper.

http://www.techrepublic.com/blog/security/are-self-signed-certificates-safer/3388?tag=btxcsim

SSL CA's are a scam, and using them actually makes me vulnerable to MITM attacks. Fuck that.

I knew I was right. My experience comes from using the stuff, not from reading biased articles on CNN like Nimda.

If $5 is the make-or-break point, one really ought to question whether your solution is viable.  If you are looking to start a real business venture, then getting EV SSL should be a no-brainer and should solve a good chunk of the problem you call a scam.

Nevertheless, you can get one for well under $5/yr at http://cert.startcom.org/
hero member
Activity: 784
Merit: 1000
0xFB0D8D1534241423
August 29, 2012, 04:17:04 PM
#26
Lol, at least they're better than Fox
legendary
Activity: 2271
Merit: 1363
August 24, 2012, 08:26:26 AM
#25
a free yubikey?
hero member
Activity: 518
Merit: 500
August 24, 2012, 07:55:39 AM
#24
Hello! I'd like to make a quick announcement.

We're reaching 100 users!

So to keep the system open, accounts with zero balance which have not logged in for 3 days will be deleted. Please log in to your account or make a new one if you wish to keep using the hotwallet beta!

Right now Devil Coins are up and running and there are many exciting things in store. So check it out!

https://199.48.69.241/hotwallet/devicoin.php

Chat soon~

Serena

I think deleting any accounts at this point is a bad idea, you have not yet even included all the most essential functionality. Does it even require any extra resources to have a couple unused (yet) accounts open?

What if an account has a zero balance, but an address from it has already been sent out, then when that person gets paid the money is gone?
hero member
Activity: 616
Merit: 500
Portland Bitcoin Group Organizer
August 23, 2012, 09:28:38 PM
#23
what's your business model?
hero member
Activity: 784
Merit: 1000
0xFB0D8D1534241423
August 23, 2012, 12:58:47 PM
#22
Who was it who cried wolf about Bitcoinica? Would you call them "rita repulsa?"

There comes a point when you are obviously wrong and you just like to keep on going with it. For fuck's sake nimda, what is your point, exactly?
My point is that you should get your cert signed.

Hmm... I notice that unlike me, you are only taking select pieces of my post out of context to reply to them. I'd prefer if you did what I do and reply to the whole message. Wasn't it you who accused me of "ignoring what people say?"
Quote
Quote
That's right, you have a rep for ignoring what people say and justifying your own behavior and ideas.
If you say so. I hope you'll notice, however, that instead of ignoring what you're saying, I am splitting up the quote and responding to every last bit of it.

Quote
HTTPS does not even prevent man in the middle attacks; this was shown years ago and you still drone on about it.
HTTPS is certainly useful, however. It makes attacks more difficult and mitigates many threats.
Quote
Get a yubikey and go away.
Honestly, this is a little off-topic, but a yubikey is not much more secure than 2-factor auth with a cellphone, and I already own a cellphone. Coinbase does this correctly.


Quote
If hotwallet becomes popular I'll spend the bitcoin it takes to buy a certificate.
I hope that end-users are smart enough to not make hotwallet popular without a cert.
Quote
But for now, please just stop being annoying.
I'll try.
Quote
A public sign means jack shit.
Yeah, that's why Google, MtGox, Microsoft, Bitcointalk.org don't have public signs either, because they're useless. Oh, wait...
Quote
I might as well post the public key right here. If you trust that I am usagi then you would have to trust the public key I post. I could sign it with my GPG. Then what would you say?
It's better than nothing, but it probably won't help traffic to your site very much. A big, red warning is a turnoff for the non-technical.
Quote
As for not signing Theymos's public key, who cares? When you said that you sounded like a nitpicking idiot.
It was an example. I'm not signing theymos' public key, and I'm certainly not signing Hotwallet's. Especially given that I consider theymos more trustworthy than Hotwallet.

Quote
Quote
You wanna talk security? There are dozens of people trying to crack hotwallet right now, not flapping their lips queefing on a forum just talking about it. I've had over 50 SSL injection attacks in the last 3 days on the login page alone. What's the point of getting an independently certified SSL certificate if you can be hacked in some other way or if there's some other gaping security flaw? I loved it when you said that you were wondering what other security holes there were. Yeah I can imagine. All you do is wonder. Like the guy that said he doesn't see any evidence that it's secure. Well frankly I'm not surprised.
I'll come back to this last bit; I g2g.

If you can't point out an actual security flaw, please just stop posting on this thread. In fact please delete your posts so far. You've pretty much ruined it already.
Dozens? That's impressive. How many dozen?
No, I will not delete my posts. Especially given the fact that you've only quoted parts of them.
hero member
Activity: 588
Merit: 500
August 23, 2012, 10:33:54 AM
#21
I've found plenty of bugs, but my guess is you'll introduce the security flaws later.
hero member
Activity: 784
Merit: 1000
0xFB0D8D1534241423
August 23, 2012, 08:26:15 AM
#20
I find it humorous that usagi attacked others for their lack of HTTPS knowledge without implementing it correctly. And yes, the warning still appears:
https://i.imgur.com/tcB37.png

Stop being a dink.
"No, u"
Insults like that carry no useful information and add nothing to this thread.

You're wrong. They communicate that you're pissing me off and likely many others.
Well, I guess it does communicate that much.
Quote
That warning is for sites you've been to before.
The warning contains information pertinent to all websites, and I've never been to Hotwallet before.

No, it does not. If you've never been to a website before it does not make sense to assume someone is doing a man in the middle attack. For what purpose? To gather data that.... doesn't exist?   To learn what login you..... don't have?
How about "sniff your login credentials on account creation?" That would work...

Quote
Accept the certificate, leave, and come back the next day.

Quote
No new message? That means....

it's okay.
No, it means you're the same person who said he was hotwallet the day before. In a nutshell, it's basically me "signing" your cert.

B I N G O

What can I say? GOOD JOB, MARCO! Keep fishin'!
Thanks. I'm not going to sign your cert, however. In fact, I haven't even signed theymos' public key.

Don't take spectators exposing security flaws as personal insults. Take them as suggestions, and use them to improve your service. It's called feedback, and feedback is the main reason that developers even have this pre-release stage that Hotwallet is currently in.
Quote
It's not a FUCKING security flaw nimda. Here's a hint. Even if I have SSL and use LUKS and encrypt everything on the server people can STILL hack the system with a motherfucking AM/FM RADIO from outside the fucking BUILDING if I don't use a god damn FARADAY CAGE! But that's paranoid shit -- you know, like pretending there's hackers out to get you and do a man in the middle attack on you to a website you've never even been to before!
Lol
If hotwallet becomes popular, "do[ing] a man in the middle attack on you to a website you've never even been to before" can become a viable way to make money. Especially if its owner says "oh just ignore that warning."
Quote
Seriously, try out the system. Don't deposit any bitcoins in your account? I don't fucking CARE! But please don't come on here and whine about SSL. It's stupid and pointless. Go, find a REAL security flaw -- because you know real security is all about compartmentalization -- and get back to me. This SSL bullshit is noob wannabe shit nimda. Get with the program. You obviously aren't even familiar with SSL spoofing (or you're an unethical asshole). So don't bother. Please, you're just going to make yourself look stupid again.

You wanna talk security? There are dozens of people trying to crack hotwallet right now, not flapping their lips queefing on a forum just talking about it. I've had over 50 SSL injection attacks in the last 3 days on the login page alone. What's the point of getting an independently certified SSL certificate if you can be hacked in some other way or if there's some other gaping security flaw? I loved it when you said that you were wondering what other security holes there were. Yeah I can imagine. All you do is wonder. Like the guy that said he doesn't see any evidence that it's secure. Well frankly I'm not surprised.
I'll come back to this last bit; I g2g.
hero member
Activity: 588
Merit: 500
August 23, 2012, 01:27:13 AM
#19
Actually I was thinking about spending the day at Starbucks tomorrow firesheeping.
hero member
Activity: 784
Merit: 1000
0xFB0D8D1534241423
August 22, 2012, 05:57:49 PM
#18
He donated 50 BTC to the forums and made a couple hundred posts. I think that's irrelevant to the subject at hand, though.
hero member
Activity: 482
Merit: 502
August 22, 2012, 05:50:10 PM
#17
VIP, Sr. Member? How did this happen?
hero member
Activity: 784
Merit: 1000
0xFB0D8D1534241423
August 22, 2012, 05:35:08 PM
#16
I find it humorous that usagi attacked others for their lack of HTTPS knowledge without implementing it correctly. And yes, the warning still appears:
https://i.imgur.com/tcB37.png

Stop being a dink.
"No, u"
Insults like that carry no useful information and add nothing to this thread.
Quote
That warning is for sites you've been to before.
The warning contains information pertinent to all websites, and I've never been to Hotwallet before.
Quote
If you know it's a new site, an alpha site, which hasn't registered a certificate...

it's okay.
You're handling other people's money. Real money.
Quote
Just accept the certificate.
Hell no. That's saying "just trust me." I will never "just trust" anyone, especially not in Bitcoin land.
Quote
Seriously nimda you're getting a bad rep for being a know it all tattletale.
Cool. I couldn't care less about my "tattletale" reputation. I "tattle" on potential scammers in the Lending forums too. Look how many people have MNW on ignore, yet they trust his word in a 5000+ BTC bet. The important part is...
I don't scam people, nor am I careless with their money.
That's the only part of my rep I care about.
Quote
Accept the certificate, leave, and come back the next day.
Bad idea
Quote
No new message? That means....

it's okay.
No, it means you're the same person who said he was hotwallet the day before. In a nutshell, it's basically me "signing" your cert.
You're handling other people's money. Real money. And security should come first. Even before domain names.

Quote
Try to understand -- it's a new site. I'm still working on it. I don't even have a hostname yet.
I understand that perfectly. However, security should come first, because you're handling other people's money.
Quote
If you feel the government (or worse, hackerz) are waiting around for you to access a startup web wallet for the first time and the lack of me paying $20 or whatever to get a signed certificate raises all sorts of red flags in your mind causing you not to use said web service, you SERIOUSLY need to re-evaluate your security priorities. It's just not that important. I mean fuck, you could encrypt your hard drive with truecrypt and use a 128 character password if you wanted to. It's not going to make you any safer.
Those red flags are popping up all over the place. They're not just "face-value" warnings though. It's not just "oh, this could be a man-in-the-middle attack." Rather, it's "oh, this service is using SSL improperly. I wonder if other aspects of its security are done correctly? Passwords? Storage of BTC?"

Look at all the holes in BitDayTrade. Did you see the Reddit post exposing its flaws? It claimed to use bcrypt, but that was a lie. A lie which was only brought to light when other security flaws were discovered. This is why I have no money on either platform.

Don't take spectators exposing security flaws as personal insults. Take them as suggestions, and use them to improve your service. It's called feedback, and feedback is the main reason that developers even have this pre-release stage that Hotwallet is currently in.
hero member
Activity: 784
Merit: 1000
0xFB0D8D1534241423
August 22, 2012, 01:23:24 PM
#15
Quote
Anyone can create a certificate claiming to be whatever website they choose, which is why it must be verified by a trusted third party. Without that verification, the identity information in the certificate is meaningless. It is therefore not possible to verify that you are communicating with 199.48.69.241 instead of an attacker who generated his own certificate claiming to be 199.48.69.241.
Lolok, have all my BTC plox. YOUR BITCOINS ARE NOW DIAMONDS. SELF-CERT DIAMONDS.

This post makes no sense. Who are you quoting?

And why?
I am quoting Google Chrome's warning. It should be self-explanatory for a web-dev such as yourself.
Getting back on topic, HTTPS. Do you even know why HTTPS is important? HTTPS uses an SSL certificate as proof that the information which you supply cannot be intercepted by a third party. That's it. What nimda said was wrong, as you should know. But if you know this, why are you complaining? Again, this is just an alpha release. There is simply no way someone has set up a sniffer or has cut cables and is listening to hotwallet right now. We don't even have a hundred users and there just aren't that many bitcoins in the system. (Yes, there are bitcoins in the system. How many? Not tellin'.)

But sure, I see the value in HTTPS for a production site. It only takes 10 or 20 minutes to set up SSL. Not a priority for an alpha release, but I did it over my coffee break yesterday. Had to be done at some point. Anyways, I guess I should thank you for the tip but please, if you "see no evidence" that just means you don't know what to look for... if you have something real to say though, I'm right here and will fix it ASAP. That's why I am doing this, and coming to the community for advice. To make a better system.
usagi seems to love referring to me by name, rather than the substance of my posts. I do find humor, however, in the fact that I was quoting Google Chrome, a fairly reputable (Roll Eyes) web-browser.
The fact of the matter is that the blue part up there is misleading. Have you ever used GPG? It's the same concept. The problem is thus:
1. I create a keypair and a malicious version of hotwallet
2. I sign my malicious end and claim that the signature is from hotwallet.
3. I, the third party, intercept the information you supply.
4. Well, who are you to know any better?

SSL only works when a trusted third party signs your keypair. Then this happens:
1. I create the malicious stuff
2. I sign my malicious end
3. You check with the trusted third party (e.g. Verisign). They say "oh no, that's not really Hotwallet's keypair!"
4. You don't lose any personal info or bitcoins.

I find it humorous that usagi attacked others for their lack of HTTPS knowledge without implementing it correctly. And yes, the warning still appears:
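The two numbered lists in the post above can be run rather than argued about. What follows is an added example, not code from this thread, from Hotwallet or from any browser: it mints a CA root, a certificate for the wallet's address signed by that CA, and an attacker's self-signed certificate making the identical claim, then performs the check a browser does (chain the presented certificate to a trusted root, for the address that was dialed) against two trust stores. The CA name is invented; the address 199.48.69.241 is the one the wallet is reached at in this thread and is used here only as the IP SAN of both certificates.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// The address the wallet was reachable at in this thread; it becomes the IP
// SAN of both the genuine and the impostor certificate.
const walletHost = "199.48.69.241"

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func caTemplate(name string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
}

// serverTemplate is identical for the real site and the impostor: anyone can
// put any name in a certificate. Only who signed it tells them apart.
func serverTemplate(serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: walletHost},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{net.ParseIP(walletHost)},
	}
}

// issue signs tmpl for pub with signerKey; parent == tmpl yields a self-signed cert.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signerKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// browserCheck is what a client does before sending a byte of login data:
// chain the presented certificate to a root in its trust store, for the host
// it dialed.
func browserCheck(presented *x509.Certificate, trusted *x509.CertPool) error {
	_, err := presented.Verify(x509.VerifyOptions{Roots: trusted, DNSName: walletHost})
	return err
}

// Scenario returns whether each connection would verify:
//   realOK:        the site's CA-signed cert, against a store that trusts the CA
//   impostorOK:    an attacker's self-signed cert for the same address, same store
//   afterAcceptOK: the site's real cert, as seen by a user who "just accepted" the
//                  impostor's cert on a first visit (so that cert is the only root)
func Scenario() (realOK, impostorOK, afterAcceptOK bool) {
	caKey := newKey()
	ca := caTemplate("Example Trusted CA")
	caCert := issue(ca, ca, &caKey.PublicKey, caKey)

	siteKey := newKey()
	siteCert := issue(serverTemplate(2), caCert, &siteKey.PublicKey, caKey)

	attackerKey := newKey()
	impostor := serverTemplate(3)
	impostorCert := issue(impostor, impostor, &attackerKey.PublicKey, attackerKey)

	trustsCA := x509.NewCertPool()
	trustsCA.AddCert(caCert)
	acceptedImpostor := x509.NewCertPool()
	acceptedImpostor.AddCert(impostorCert)

	return browserCheck(siteCert, trustsCA) == nil,
		browserCheck(impostorCert, trustsCA) == nil,
		browserCheck(siteCert, acceptedImpostor) == nil
}

func main() {
	realOK, impostorOK, afterAcceptOK := Scenario()
	fmt.Println("CA-signed site cert verifies:", realOK)
	fmt.Println("self-signed impostor verifies:", impostorOK)
	fmt.Println("real site verifies after accepting the impostor:", afterAcceptOK)
}
```

The third result is the point about "accept it, come back tomorrow, no new warning": clicking through pins whichever key answered first. If that was an interceptor, the genuine site is the one that fails to verify afterwards, and the user has no way to tell which of the two they trusted. Self-signed plus out-of-band verification of the fingerprint (the GPG-signed key the author offers to post) is the one way to make this work without a CA, and it has to be done before the first login, not after.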
sr. member
Activity: 419
Merit: 250
August 22, 2012, 11:23:23 AM
#14
usagi has been a customer of mine for a while and we've had some trading related transactions.

If I had any use for this service, I would definitely use it and not have any trust reservations (about usagi anyway).
sr. member
Activity: 419
Merit: 250
August 22, 2012, 11:22:34 AM
#13
No Https you have to be out of your mind. BOOM.

Lol.. someone's not too quick.
legendary
Activity: 1414
Merit: 1000
HODL OR DIE
August 22, 2012, 10:55:19 AM
#12
No Https you have to be out of your mind. BOOM.
hero member
Activity: 518
Merit: 500
August 22, 2012, 09:52:58 AM
#11
Is there any protection for the users from you just taking all the bitcoins and disappearing, like mybitcoin did? I seem to remember a place called something like strongcoin which encrypted the keys so only the user could access the bitcoins; the site manager never had any access to the coins.

Another question: I don't see it now, but in the future will you add functionality to import/export keys or access things like Casascius coins?