Board: Announcements (Altcoins)
Topic: Re: [ANN][VRC] | VeriCoin | PoS - Dynamic Interest | SMS | ANON
Post by yourstruly on 30/06/2014, 13:36:41 UTC
Your centralized services on vericoin.info are woefully insecure.

The Debian 6 server running the site has not been hardened; you can log in as root over SSH. There are many, many more problems, but I don't want to divulge too much as it could hurt a lot of people. The developer can send me a message if they want to talk about this in private.

Yea... ok. VeriBit/VeriSend are hosted on a Windows server.

They are not hosted on a Windows server; that is not what I said. They are clearly hosted on Debian running a legacy version of Apache. I would be even more worried if they were actually on a Windows server.

Edit: I'm not trying to spread FUD here, this is a very serious concern with how much money is being pumped into this economy. I'm worried about the alt-currency community more than the price of any individual coin. You can see that from my post history.

This is part of the reason I don't quite understand the hype around VeriBit. People are saying it makes things so much easier, but does it really? And at what cost? The cost of security? As far as I understand, all VeriBit does is exchange VRC for BTC, like any other altcoin can already do on any exchange. Except, with VeriBit, we are trusting VRC's dev team to handle security on their centralized servers. I am not saying VRC devs are untrustworthy at all, but I do question whether they are qualified to keep these services secure. As for me, I would far more trust services like Mintpal to securely hold and exchange my altcoins for BTC to then use and make purchases.

The VeriBit servers don't "hold" your coins for more than 5 minutes. After they receive them and get 4 confirms, they send you your BTC. So the user will never lose. If we have a security flaw (which we are getting audited right now), our pot of BTC could be lost. But I don't think that's a concern since the developer running the server works for the cloud computing division of one of the top software companies in the world... and knows his security.

Saying he works somewhere and saying he knows his security when this is obviously untrue makes me even more skeptical.

There is no reason root login should be enabled on the server, there is no reason password authentication should even be enabled. You should be logging in through keys. I shouldn't have to say this to someone who "knows their security".

Dude, you are embarrassing yourself. It's obvious that you have a little bit of knowledge, but not much.

You're saying the website is hosted on a *nix box that isn't secure. He is saying the apps aren't hosted on that box; even if the Linux box isn't secure, the services aren't even hosted on that machine.

You are right, the site hosting the wallets is run on an insecure Unix box. The centralized anonymity services and exchange are run on an insecure Windows machine. I don't think I'm the one embarrassing myself. Anyone involved with this project should be embarrassed for running anonymity services on Windows.
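The two settings the thread argues about (direct root login and password authentication over SSH) can be checked mechanically. The script below is an added example and is not code from the thread, from VeriCoin, or from any of the posters; it audits an sshd_config file and reports the weak settings. It assumes only the global section matters (parsing stops at the first Match block), the "Keyword value" syntax (not "Keyword=value"), and the pre-OpenSSH-7.0 default of PermitRootLogin yes when the directive is absent, which fits a Debian 6 era server.

```sh
#!/bin/sh
# Added example: audit an sshd_config for direct root login, password
# authentication and key-based login. Assumptions: global section only
# (stops at the first "Match"), "Keyword value" syntax, and the old
# default PermitRootLogin=yes when the directive is missing.

sshd_setting() {
  # $1 = config file, $2 = keyword, $3 = default when the keyword is absent.
  # sshd honours the first uncommented occurrence of a keyword.
  val=$(awk -v k="$2" '
    tolower($1) == "match"    { exit }
    tolower($1) == tolower(k) { print tolower($2); exit }' "$1")
  printf '%s\n' "${val:-$3}"
}

# Prints one FAIL line per weak setting; exit status is the number of findings.
audit_sshd_config() {
  cfg="$1"; issues=0
  if [ "$(sshd_setting "$cfg" PermitRootLogin yes)" = "yes" ]; then
    echo "FAIL: PermitRootLogin yes (root can log in directly over SSH)"
    issues=$((issues + 1))
  fi
  if [ "$(sshd_setting "$cfg" PasswordAuthentication yes)" = "yes" ]; then
    echo "FAIL: PasswordAuthentication yes (password guessing remains possible)"
    issues=$((issues + 1))
  fi
  if [ "$(sshd_setting "$cfg" PubkeyAuthentication yes)" != "yes" ]; then
    echo "FAIL: PubkeyAuthentication disabled (key-based login not possible)"
    issues=$((issues + 1))
  fi
  [ "$issues" -eq 0 ] && echo "OK: root login and password auth are disabled"
  return "$issues"
}

# Constructed sample configs (not real files from any server).
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
printf '#PermitRootLogin no\nPasswordAuthentication yes\n' > "$WEAK_CFG"
printf 'PermitRootLogin no\nPasswordAuthentication no\nPubkeyAuthentication yes\nMatch User deploy\n  PasswordAuthentication yes\n' > "$HARD_CFG"

audit_sshd_config "$WEAK_CFG" || echo "$? issue(s) in weak config"
audit_sshd_config "$HARD_CFG" || echo "$? issue(s) in hardened config"
rm -f "$WEAK_CFG" "$HARD_CFG"
```

Note that a commented-out `#PermitRootLogin no` counts as absent, so the weak sample above is flagged on root login even though the word "no" appears in the file.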