Showing 20 of 62 results by jrmithdobbs

Re: 5 Junior Members Email is Included (Board: Auctions)
by jrmithdobbs on 03/06/2018, 21:30:57 UTC
Password was guessed on this account; everything after the cosbycoin post was not the original account holder. lolololol bitcoin

They didn’t bother resetting the email and I started getting a bunch of emails of private messages re: selling accounts this morning.

The password on the account has been reset.

Hey @theymos or however you summon admins here. I deleted the posts it would let me.

Senior Member Auction (Board: Auctions)
by jrmithdobbs on 03/06/2018, 18:46:53 UTC
Senior Member Auction
Quality Posts, No Negative Feedback, Not Blacklisted by Smas, No Loans

Starting Bid: $120
Bidding Increments: $10

Buy it now: $150

Escrow if you don't send first.


Re: 5 Junior Members Email is Included (Board: Auctions)
by jrmithdobbs on 01/06/2018, 21:37:22 UTC
Bump for today!

Re: 5 Junior Members Email is Included (Board: Auctions)
by jrmithdobbs on 01/06/2018, 01:36:12 UTC
Bump for today!

Re: 5 Junior Members Email is Included (Board: Auctions)
by jrmithdobbs on 30/05/2018, 18:09:16 UTC
Bump for today!

Re: 5 Junior Members Email is Included (Board: Auctions)
by jrmithdobbs on 29/05/2018, 15:49:59 UTC
bump for today!

Cheap Bitcointalk Accounts (Board: Invites & Accounts)
by jrmithdobbs on 28/05/2018, 02:06:49 UTC
Senior Member = $150
Full Member = $70
Member = $35
Junior Member = $15

Quality Posts, No negative feedback, No loans, No staked address, With Original Email

Big discounts for bulk orders.

Escrow via Bitify.com.

5 Junior Members Email is Included (Board: Auctions)
by jrmithdobbs on 28/05/2018, 02:03:20 UTC
You are bidding for 5 junior members.

5 junior members have quality posts, no negative feedback, not hacked, no loans and original email included.

Starting bid: 0.01 btc
Bidding Increments: 0.001 btc

Buy it now: 0.015 btc

Escrow via bitify.com

Cosbycoin (Board: Bitcoin Discussion, topic OP)
by jrmithdobbs on 11/09/2011, 07:32:26 UTC
Bitcoins are so 2010. Entrust your crypto currency to the only man deserving of your trust: The Cos.

http://cosbycoin.com

On this momentous anniversary cosbycoin is dedicated to displaying a proper tribute to the victims of loss of life, liberty, and the pursuit of happiness. Namely, that the terrorists won.

Re: libbitcoin (Board: Wallet software)
by jrmithdobbs on 21/07/2011, 05:48:13 UTC
I wonder here, what is the advantage to decomposing the scripts into separate database rows, instead of storing it as a binary blob?

I mean, the most common operation is "fetch the entire script and execute the opcodes". By decomposing the data structure this deep this becomes a more expensive query.

For a node, maybe. What about for data processing? Say you just want to quickly find all scripts with the same destination address. The performance difference will be negligible for the amount of flexibility gained. Returning data like this is what RDBMS' are optimized for.

Re: Potential attack vector in generating Bitcoin addresses? (Board: Bitcoin Discussion)
by jrmithdobbs on 05/07/2011, 20:24:21 UTC
The botnet would need many years for reaching a 50% probability of key collision.

Many millions of years.

It's not impossible for a collision to be found, but there's not enough profit in it. Even if someone can find one address every hundred million years, all they get to spend is the balance of that one address. This equates to an averaged cost of fraud of way less than a millionth of a cent per transaction.

It's not worth worrying about, when any simple trojan or social engineering attack is sure to net a few wallets.

Many trillions of years. It is not possible.
Highly improbable. Not impossible.

Let's assume you can gen and encode 2500 pubkeys a second with known privkeys. Right now that's this many days to exhaust the entire key space:

Code:
536074487209797201035050856521703277098472151229817426108599925962560.8 days
or
1468697225232321098726166730196447334516362058163883359201643632774.1 years

Now let's assume you can make that 50 times faster ... then it'd take this many days:
Code:
10721489744195944020701017130434065541969443024596348522171998519251.2 days
or
146869722523232109872616673019644733451636205816388335920164363277.4 years

Re: [Full Disclosure] More likely MtGox Post-Mortem (Board: Bitcoin Discussion)
by jrmithdobbs on 30/06/2011, 18:40:26 UTC
Hello vindication, how are you today sir?:

http://forum.bitcoin.org/index.php?topic=24727.0

Re: [Full Disclosure] Live mtgox.com trade matching bug. (Board: Bitcoin Discussion)
by jrmithdobbs on 28/06/2011, 18:16:13 UTC
I for one hope that when/if someone does discover some potentially damaging exploit that they won't put us all at risk by instantly sharing it with everyone, including those who will jump at an opportunity to take advantage, at least until site admin has had an opportunity to take action.
If you're so worried feel free to stop using the services provided by companies with horrible security records or, as previously stated, petition said service providers to open their code and/or make public the results of 3rd party code/security audits.

To everyone sending me hate-filled PMs:

I don't care. See the above.

Additionally:

It is not my responsibility to enforce responsible journalism. If the blog d'jour is posting ill-informed "articles" about your pet bitcoin project, petition them to hold themselves to a higher standard of journalism.

I thought this forum was full of lolbertarians who believe in "absolutely free market capitalism?" Vote with your feet and your wallet.

Oh wait, I get it, your idealistic "free market" concepts only apply when they work in your favor. Brilliant!

Re: [Full Disclosure] Live mtgox.com trade matching bug. (Board: Bitcoin Discussion)
by jrmithdobbs on 28/06/2011, 16:58:35 UTC
They're calling it a way to get "free bitcoins".  Good job OP.  I don't suppose you'd "fully disclose" that the "exploit" as you call it, is not, in fact, a way to get "free bitcoins".  I don't suppose you'd bother to correct the misinformation you've fostered.

Read the comments on that article. I posted a gpg signed comment (that got mangled by their crappy site) calling the author out for irresponsible journalism. Before you even posted this. He made no attempt to contact me and only a cursory attempt to contact tux so that he could add a derisive comment in his "article."

Crappy journalist is crappy. Surprise, surprise.

Re: [Full Disclosure] Live mtgox.com trade matching bug. (Board: Bitcoin Discussion)
by jrmithdobbs on 28/06/2011, 13:06:04 UTC
He programs large blocks of code and does insufficient testing leaving the community of users to suffer the consequences. MtGox no longer deserves the privilege of keeping bugs and security flaws private.
He also has (by his own admission) written his own in house mysql DAO code instead of using a public, well vetted one. He says it doesn't use bind values. He doesn't understand why this is bad:

(This is edited to leave irrelevant pieces out, please feel free to verify with anyone else logging #mtgox.)
Quote
[17:57:31] dehuman: we had been working on security, I can guarantee there is no SQLi right now
[17:57:45] MagicalTux: how can you say so with confidence?
[17:57:51] are you using parameterized queries?
[17:58:01] everywhere
[17:58:07] go1dfish: because I know each and every line of the code, and we mostly use either DAO
[17:59:21] just make good code and things are fine
[17:59:49]   @MagicalTu : just make good code and things are fine
[17:59:58] thats kinda a slap in the face dont you think?
[18:00:08] dehuman: healthy code is important for a healthy security & business
[18:00:46] we've been busy for 2 months rewriting Mt.Gox
[18:00:49] you exposed 60,000 client's information
[18:01:02] i wouldn't talk about healthy code, healthy security, healthy business
[18:01:06] not yet
[18:01:08] dehuman: new code is healthy
[18:01:10] quite a bit premature for that
[18:01:30] MagicalTux: looks like DAO doesn't protect against SQLi by default
[18:01:36] your using bound parameters everywhere?
[18:02:23] go1dfish: DAO makes SQLi impossible, since queries are not built by the dev
[18:02:36] go1dfish: now it just depends how you do that
[18:03:18] good show, you shouldn't be writing sql by hand for mt gox
[18:03:42] go1dfish: \DB::DAO('Table')->insert(array('Field' => $value));
[18:04:36] MagicalTux: cool, yeah that should be pretty resiliant against injection assuming the underling DAO implementation is sane
[18:05:02] go1dfish: the DAO implementation was written by us, and makes sure everything is escaped correctly, including table & field names
[18:05:15] you wrote your own DAO?
[18:05:20] why the hell would you want to do that?
[18:05:25] so does this mean previously mtgox didn't use any type of DAO pattern?
[18:05:27] I mean, im no EXPERT...
[18:05:34] Ox41: I'm hoping thats a misunderstanding
[18:05:39] 'dont reinvent the wheel'
[18:05:41] go1dfish: I doubt it is
[18:05:47] Ox41: it's part of our framework

Just sayin'.

Did you fail to read the part about responsible disclosure?
http://en.wikipedia.org/wiki/Responsible_disclosure
They are two separate but related concepts. I subscribe to the former and deem the latter unnecessary in cases such as these where the company in question has a track record like mtgox.
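As an added illustration of the point argued over in the log above (whether a DAO layer that "escapes" values protects against SQL injection, and what bound parameters change), here is example code written for this edit; it is not MtGox's code and does not model any real DAO framework. The table, rows, function names and the column whitelist are all constructed assumptions. It contrasts a query built by string concatenation with a bound-parameter query on the same input, and shows why a DAO that accepts table and field names still has to validate those identifiers against a whitelist rather than escape them, since identifiers cannot be bound.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory table standing in for an exchange's account store."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (id INTEGER PRIMARY KEY, username TEXT, balance REAL)"
    )
    # Sample rows are constructed for this example.
    conn.executemany(
        "INSERT INTO accounts (username, balance) VALUES (?, ?)",
        [("alice", 10.0), ("bob", 2.5), ("carol", 0.0)],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Query text assembled by concatenation: the input becomes part of the SQL itself."""
    sql = "SELECT username, balance FROM accounts WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Bound parameter: the value travels separately from the SQL text, so it can
    never change the structure of the statement, whatever characters it contains."""
    return conn.execute(
        "SELECT username, balance FROM accounts WHERE username = ?", (username,)
    ).fetchall()


# Hypothetical schema whitelist a DAO layer would keep. Table and column names are
# identifiers, not values, and no driver lets you bind them as parameters.
ALLOWED_COLUMNS = {"accounts": {"id", "username", "balance"}}


def dao_insert(conn, table, fields):
    """Minimal DAO-style insert: identifiers are validated against the whitelist,
    values are always bound. Returns the number of rows inserted."""
    if table not in ALLOWED_COLUMNS:
        raise ValueError("unknown table: %r" % table)
    if not fields:
        raise ValueError("no fields to insert")
    bad = set(fields) - ALLOWED_COLUMNS[table]
    if bad:
        raise ValueError("unknown columns: %r" % sorted(bad))
    columns = ", ".join('"%s"' % col for col in fields)
    placeholders = ", ".join("?" for _ in fields)
    cur = conn.execute(
        'INSERT INTO "%s" (%s) VALUES (%s)' % (table, columns, placeholders),
        tuple(fields.values()),
    )
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = make_db()
    # Constructed input that turns the concatenated WHERE clause into a tautology.
    probe = "' OR '1'='1"
    print("concatenated query returned", len(lookup_vulnerable(db, probe)), "rows")
    print("parameterized query returned", len(lookup_parameterized(db, probe)), "rows")
    print("dao_insert rows:", dao_insert(db, "accounts", {"username": "dave", "balance": 1.0}))
```

The concatenated lookup returns every account for the probe string, the bound version returns nothing because the literal string matches no username. The whitelist is the part a hand-rolled DAO most often gets wrong: escaping a column name does not help if the framework lets the caller choose which column to write to in the first place.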

Re: [Full Disclosure] Live mtgox.com trade matching bug. (Board: Bitcoin Discussion)
by jrmithdobbs on 28/06/2011, 04:58:49 UTC
The only thing that was AFAIK grossly mis-handled was the password list leak. He should have set the confirmation/claim process into working *before* someone hacked into accounts and distorted the market.

He also ignored attempts to report the nasty CSRF, that came to light right before that all went down, for about a week. But, I digress.

I have no plans to "nail him to the wall" for every mistake. In fact, I will probably not be looking at mtgox at all after the next 72 hours.

And to clear things up, this is a little more than just a display bug. This is also the cause of the weirdness people have been reporting about it dropping from 17->15 etc without executing orders in-between.

Quote
Edit: btw why not change the name of this topic now that it turned out not to be a "trade matching bug" at all?

It is a trade matching bug. Trades are not revalidated on withdrawal/deposit to the account. I never claimed it was an exploit. "Exploiting" in the original text is the normal English use of the word, not the info-sec use. So no, I will not change the title.

Re: [Full Disclosure] Live mtgox.com trade matching bug. (Board: Bitcoin Discussion)
by jrmithdobbs on 28/06/2011, 04:39:54 UTC
What you did is no different than what Lulzsec has been doing this past 50 days - blatantly disregarding the safety of individuals in order to make a point, arrogantly.

You say that like it's a bad thing?

Quote
You NEVER release 0-day exploits into the wild without a LENGTHY process of notification to the original coder

Maybe YOU don't. Plenty of people do.

Quote
There's an email feature in the mtgox interface where you can report bugs without exposing innocent traders (who will be affected by exploits if the price swings or if one of your 0-days can lead to compromising other people's balances or wallets).

Not my problem. If you're so worried about this particular scenario maybe you should be lobbying the bitcoin vendors you use to open their systems or publicly disclose results of code/security audits, etc.

I can agree on full disclosure for big bureaucratic organisations that ignore you when you report a bug.

But honestly, in this case, for a small company like MtGox.

A small company with a proven track record of ignoring such reports is no better than a large company full of Kafka-esque nightmare-level bureaucracies.

Re: [Full Disclosure] Live mtgox.com trade matching bug. (Board: Bitcoin Discussion)
by jrmithdobbs on 28/06/2011, 04:24:28 UTC
I don't hate you (and please don't mischaracterize what I say). Where is this purported acknowledgment that this was a vulnerability? From what I've seen you've completely overstated the case (and I'm not exactly MagicalTux's biggest fan right now). Yes, you just made yourself look like an ass.

I could not confirm or deny that similar trades would execute without possibly committing fraud, so did not try. I explicitly stated this and the possibility that it was just a display bug. I posted (to f-d at least, here soon after) as soon as Tux started responding to me. The text was pre-prepared and not modified. Yes he did tell me that it would be fixed while we were talking.

Re: [Full Disclosure] Live mtgox.com trade matching bug. (Board: Bitcoin Discussion)
by jrmithdobbs on 28/06/2011, 04:09:47 UTC
I believe you're already involved with britcoin.co.uk ?

I don't know why I'm going to take the troll bait. Last thread I was supposedly affiliated with tradehill.

For the record: I am not now, nor have I been in the past, directly affiliated with any bitcoin exchange or service offerings. I speak with devs involved with several such projects on a regular basis, however, yes, including those involved with britcoin amongst others.

I think it's very good that you do bug testing on MtGox and report the bugs.

But why don't you give MT even a day to fix it before you post it to the forums and mailing list?

Because I firmly believe that this principle has shown time and time again to hold true:

http://en.wikipedia.org/wiki/Full_disclosure

Full disclosure is the only real disclosure.

Re: [Full Disclosure] Live mtgox.com trade matching bug. (Board: Bitcoin Discussion)
by jrmithdobbs on 28/06/2011, 03:56:07 UTC
After making yourself look like such an ass, you should really reconsider that.

By having MagicalTux confirm that one of the possibilities I explicitly posted was indeed the case? Not following you.

Just so you know this was disclosed to Tux at the same time it was posted. He considers it a problem and is working to fix it.

Hate me all you want.

I still believe that people not disclosing these issues to the public is what led to the last major compromise. Would you rather not be made aware of the issues and blindly assume that everything in the world of bitcoin is perfect?

Additionally, at jgarzik's request I won't be posting these to the bitcoin-dev list going forward. There is talk of a separate bitcoin-vendor-sec (or similarly named) list being created.

Erm, no it doesn't mean this.  If it's well designed, there is a semaphore or lock to prevent this.  No sense jumping to conclusions based on what is essentially little more than a display bug.
You're right, that should say possibly, not actually.