Ninjastic
PostEdited versionsQuotes to this post
Post
Topic
Board Announcements (Altcoins)
Re: [ANN][VRC] | VeriCoin | PoS - Dynamic Interest | SMS | ANON
by
yourstruly
on 30/06/2014, 13:26:07 UTC
Quote from: pnosker on June 30, 2014, 01:23:33 PM
Quote from: yourstruly on June 30, 2014, 01:20:44 PM
Quote from: pnosker on June 30, 2014, 01:15:35 PM
Quote from: battbot on June 30, 2014, 01:11:51 PM
Quote from: yourstruly on June 30, 2014, 01:02:26 PM
Quote from: pnosker on June 30, 2014, 12:58:49 PM
Quote from: yourstruly on June 30, 2014, 12:52:47 PM
Your centralized services on vericoin.info are woefully insecure.

The debian 6 server running the site has not been hardened, you can login as root over ssh. There are many many more problems but I don't want to divulge too much as it could hurt a lot of people. The developer can send me a message if they want to talk about this in private.

Yea... ok. VeriBit/VeriSend are hosted on a Windows server.

They are not hosted on a windows server, that is not what I said. They are clearly hosted on debian running a legacy version of apache. I would be even more worried if they were actually on a windows server.

Edit: I'm not trying to spread FUD here, this is a very serious concern with how much money is being pumped into this economy. I'm worried about the alt-currency community more than the price of any individual coin. You can see that from my post history.

This is part of the reason I don't understand quite understand the hype around veribit.  People are saying it makes things so much easier, but does it really?  And at what cost?  The cost of security?  As far as I understand, all veribit does is exchange VRC for BTC, like any other altcoin can already do on any exchange.  Except, with veribit, we are trusting VRC's dev team to handle security on their centralized servers.  I am not saying VRC dev's are untrustworthy at all, but I do question whether they are qualified to keep these services secure.  As for me, I would far more trust services like Mintpal to securely hold and exchange my altcoins for BTC to then use and make purchases.

The VeriBit servers don't "hold" your coins for more than 5 minutes. After they receive them and get 4 confirms, they send you your BTC. So the user will never lose. If we have a security flaw (which we are getting audited right now), our pot of BTC could be lost. But I don't think that's a concern since the developer running the server works for the cloud computing division of one of the top software companies in the world... and knows his security.

Saying he works somewhere and saying he knows his security when this is obviously untrue makes me even more skeptical.

There is no reason root login should be enabled on the server, there is no reason password authentication should even be enabled. You should be logging in through keys. I shouldn't have to say this to someone who "knows their security".

Look, I don't know what to tell you. If you're actually concerned you would have PMed me. I don't have shell access to the Dreamhost server that the website is on. What I can tell you, is that the server that hosts all of the apps isn't a *nix server with root access, it's a Windows server hosted by Azure. I would be very skeptical if DreamHost left root access open on their server.

Why is it running on windows? Windows is known to have a lot of security risks, is not open source and not usually a go to choice for someone who "knows their security".