Your centralized services on vericoin.info are woefully insecure.
The Debian 6 server running the site has not been hardened; you can log in as root over SSH. There are many, many more problems, but I don't want to divulge too much as it could hurt a lot of people. The developer can send me a message if they want to talk about this in private.
Yea... ok. VeriBit/VeriSend are hosted on a Windows server.
They are not hosted on a Windows server; that is not what I said. They are clearly hosted on Debian running a legacy version of Apache. I would be even more worried if they were actually on a Windows server.
Edit: I'm not trying to spread FUD here, this is a very serious concern with how much money is being pumped into this economy. I'm worried about the alt-currency community more than the price of any individual coin. You can see that from my post history.
This is part of the reason I don't quite understand the hype around VeriBit. People are saying it makes things so much easier, but does it really? And at what cost? The cost of security? As far as I understand, all VeriBit does is exchange VRC for BTC, like any other altcoin can already do on any exchange. Except, with VeriBit, we are trusting VRC's dev team to handle security on their centralized servers. I am not saying VRC devs are untrustworthy at all, but I do question whether they are qualified to keep these services secure. As for me, I would far more trust services like Mintpal to securely hold and exchange my altcoins for BTC to then use and make purchases.
The VeriBit servers don't "hold" your coins for more than 5 minutes. After they receive them and get 4 confirms, they send you your BTC. So the user will never lose. If we have a security flaw (which we are getting audited right now), our pot of BTC could be lost. But I don't think that's a concern since the developer running the server works for the cloud computing division of one of the top software companies in the world... and knows his security.
Saying he works somewhere and saying he knows his security when this is obviously untrue makes me even more skeptical.
There is no reason root login should be enabled on the server, there is no reason password authentication should even be enabled. You should be logging in through keys. I shouldn't have to say this to someone who "knows their security".
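An added example, not part of the thread: a small audit of `sshd_config` text for the two settings the post above names. The defaults are an assumption modelling an old OpenSSH release (both keywords "yes" when unset), and the sample config is constructed.

```python
# Added example (not from the thread): audit sshd_config text for root login
# and password authentication. Assumption: defaults model an old OpenSSH
# release, where both keywords are "yes" when unset. Include files are not read.
ASSUMED_DEFAULTS = {"permitrootlogin": "yes", "passwordauthentication": "yes"}

def audit_sshd_config(text, defaults=ASSUMED_DEFAULTS):
    """Return a sorted list of findings for root and password logins."""
    effective = {}    # global section: sshd uses the first value it reads
    findings = []
    in_match = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and argument are separated by whitespace or a single "=".
        parts = line.replace("=", " ", 1).split()
        key = parts[0].lower()
        value = parts[1].strip('"').lower() if len(parts) > 1 else ""
        if key == "match":
            in_match = True    # everything below is conditional
            continue
        if key not in defaults:
            continue
        if in_match:
            # A Match block can re-enable a setting for some users or hosts.
            if value != "no":
                findings.append(f"line {lineno}: {key}={value} inside Match block")
        elif key not in effective:
            effective[key] = (value, lineno)
    for key, default in defaults.items():
        value, lineno = effective.get(key, (default, None))
        if value != "no":
            where = f"line {lineno}" if lineno else "unset, assumed default"
            findings.append(f"{where}: {key}={value} in global section")
    return sorted(findings)

# Constructed sample: the later "PermitRootLogin no" is ignored (first wins).
SAMPLE = """\
# constructed example config
Port 22
PermitRootLogin yes
PasswordAuthentication=no
PermitRootLogin no
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    print("\n".join(audit_sshd_config(SAMPLE)))
```

On the constructed sample it reports the root login on line 3 and the password login re-enabled for one user on line 7, even though a later global line says `PermitRootLogin no`.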
Look, I don't know what to tell you. If you're actually concerned you would have PMed me. I don't have shell access to the Dreamhost server that the website is on. What I can tell you, is that the server that hosts all of the apps isn't a *nix server with root access, it's a Windows server hosted by Azure. I would be very skeptical if DreamHost left root access open on their server.
Why is it running on Windows? Windows is known to have a lot of security risks, is not open source and not usually a go-to choice for someone who "knows their security".
OMG, do you not know where DEV3 works or have you been under a rock since this coin has come out? It's obviously running on Windows since he works at the biggest software company in the world where it's actually made and developed. I would think he knows more about the inner workings than anyone else here. Why would someone familiar with Windows and the security work with something else he is unfamiliar with?
Back to my previous point, 95% of people who use Linux servers don't want to drop $699 on a Windows server OS. Love it when people tout that Linux is so superior. No, it's not, get over it.
Windows servers are exceptionally secure. Linux has its perks but your average Joe will only run a Linux server for the 1 key point of free. I manage enterprise Windows servers for a living. You set proper measures and you're just as secure if not more secure than any Linux box. The ONLY thing a Linux server has over Windows is stability over longevity of uptime.
I would like to personally thank anyone who may be selling VRC for the past hour.
Me too. It's a bad idea to dump when the new wallet is being released in two days with VeriBit and VeriSend integrated and another professionally designed one on July 19th.
Fully transparent development team who revealed their full names and educational backgrounds and training and current employers/institutions. Not like the other crapcoins who have anonymous creators who have something to hide.
Probably one of the few coins that institutional investors would be happy investing in.
I'm fully out of the coins that don't release their team member names.
That era is over. If you can't tell me who you are, I'm going to assume you're hiding something from me.