@Luke-Jr
Hi! I just wanted to extend a note of gratitude for the efforts of yourself and your collaborators on the Eligius pool. You've done well bootstrapping this thing and it appears to be polishing up and gaining support nicely.
I'm still relatively new to the pooled mining scene, having just a few weeks ago stopped generating on my own.
I scoured this forum and other resources learning about the pooled mining scene and evaluating the pools to decide which I should join. Bitcoinpool had really looked the most interesting to me, and I was just about to set up there when they experienced their April security breach, leading to a number of accounts being compromised and having their payment streams redirected.
I think they are doing their best at bitcoinpool, but after watching them for a few weeks now, I still have reservations that they may have architected the accounts system in a way that leaves it fatally vulnerable.
My guess here: some posts to their forum suggest they were (and, if true, maybe still are) storing actual account passwords in their database, rather than salted hashes. One post suggested the attacker got hold of the accounts database and was using the raw passwords stored therein to begin redirecting the payment streams; something that the best practice of using salted hashes would have prevented, if that was in fact what transpired. The website itself, where accounts are created and managed, has no security, and they appear to me (disturbingly) to eschew the basic value of securing account/registration sessions with SSL. Little niggles of this sort suggest they may have an incomplete understanding of robust security practices.
So then I see this very forum topic!
What a concept! Forget the account. Just point your miner at our server, mine away, and just tell us the bitcoin address where you want the credit sent. This is so brilliant it seems like one of those obvious things where you wonder how no one thought of it sooner.
In the aftermath of their breach, I mentioned the Eligius approach on the bitcoinpool forum as an idea for shortcutting the inherent need to start carefully considering security once accounts come into play. The responses were skeptical, along the lines that this would make it hard to trust the pool operator, because it would be difficult to verify that your work was being properly credited.
I admit to being ignorant about the mechanics of the various pooled mining credit systems, but at least I have been able to observe the diligent efforts you've put forth making Eligius completely up-front and transparent. You've proven that even without accounts, self-auditing and tracking is possible.
With the polish starting to shine on this pool, it's feeling less experimental now. But the novel feature of an accountless architecture has made ME feel safer testing and now fully adopting it for my use, than the other more well established pools available. So, thanks! I'm sure I cannot be the only one who feels like this.
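The post above argues that storing raw passwords let a stolen database be replayed directly against the login to redirect payouts, and that salted hashes would have blocked that. The following is an added illustration of that exact point, written for this page; it is not code from bitcoinpool, Eligius, or the poster. The account store, the user names, passwords and payout addresses are all constructed for the demo, and the "attacker" simply replays whatever credential field the dump contains against the login routine. Salted hashing here uses PBKDF2-HMAC-SHA256 from the Python standard library (any modern password KDF such as bcrypt, scrypt or Argon2 would serve the same role).

```python
"""Plaintext password storage versus salted hashing, as seen by an attacker
who has stolen a copy of the accounts database.  Added example only."""
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor; raise it as hardware gets faster


def hash_password(password: str, salt: bytes = None) -> dict:
    """Return a record holding a random per-user salt and the PBKDF2 digest.
    The password itself is never stored, only what is derived from it."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify_password(record: dict, password: str) -> bool:
    """Re-derive the digest with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


# Two toy account stores.  The payout address is what an account takeover
# is after: whoever can log in can point the payment stream elsewhere.
def register_plaintext(db: dict, user: str, password: str, payout: str) -> None:
    db[user] = {"password": password, "payout": payout}  # the weak design


def login_plaintext(db: dict, user: str, password: str) -> bool:
    rec = db.get(user)
    return rec is not None and hmac.compare_digest(
        rec["password"].encode(), password.encode()
    )


def register_hashed(db: dict, user: str, password: str, payout: str) -> None:
    db[user] = {"cred": hash_password(password), "payout": payout}  # the fix


def login_hashed(db: dict, user: str, password: str) -> bool:
    rec = db.get(user)
    return rec is not None and verify_password(rec["cred"], password)


def breach_and_redirect(db: dict, login, attacker_addr: str) -> list:
    """Simulate the breach described in the post: the attacker holds a full
    copy of the table and replays the credential material it contains
    against the login, repointing the payout of every account that lets
    them in.  Returns the list of hijacked users."""
    dump = {u: dict(r) for u, r in db.items()}  # the stolen copy
    hijacked = []
    for user, rec in dump.items():
        # Plaintext store: the dump *is* the password.  Hashed store: the best
        # the attacker can do from the dump alone is submit the stored digest.
        stolen = rec["password"] if "password" in rec else rec["cred"]["hash"]
        if login(db, user, stolen):
            db[user]["payout"] = attacker_addr
            hijacked.append(user)
    return hijacked


def demo() -> dict:
    # Constructed sample accounts; two users deliberately share a password.
    users = [
        ("alice", "correct horse", "1AliceExampleAddr"),
        ("bob", "hunter2", "1BobExampleAddr"),
        ("carol", "hunter2", "1CarolExampleAddr"),
    ]
    plain, hashed = {}, {}
    for u, p, a in users:
        register_plaintext(plain, u, p, a)
        register_hashed(hashed, u, p, a)

    return {
        "plaintext_hijacked": breach_and_redirect(plain, login_plaintext, "1AttackerAddr"),
        "hashed_hijacked": breach_and_redirect(hashed, login_hashed, "1AttackerAddr"),
        # the real user is unaffected by hashing
        "legit_login_still_works": login_hashed(hashed, "alice", "correct horse"),
        # per-user salt: identical passwords do not yield identical digests,
        # so one cracked hash does not reveal every account sharing that password
        "same_password_same_hash": hashed["bob"]["cred"]["hash"]
        == hashed["carol"]["cred"]["hash"],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

With the plaintext store every account is hijacked from the dump alone; with the salted-hash store none are, and the attacker is reduced to offline guessing at the KDF's cost per try. This does not address the other point in the post (an unencrypted registration page leaks the password in transit before it is ever hashed), which hashing at rest cannot fix.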