Naphex: which you would need to generate a valid otp
Naphex: asciilifeform: are you suggesting DPA could be used in retrieving yubikey secret?
Naphex: don't place maxtrust(TM) on anything though :)
Naphex: but it's a level above
Naphex: i don't place maxtrust on it
Naphex: i use a yubikey neo, and i'm pretty happy with it
Naphex: but the software is, and there are some yubi software generators around
Naphex: doubt they're open
Naphex: of the hardware?
Naphex: and you don't have to keep the secret keys for it
Naphex: i'd recommend the system over gauth
Naphex: so there
Naphex: i will soon be implementing GPG OTP
Naphex: asciilifeform: i trust them mostly, but the security level is chosen by the client. so if client trusts yubi, then it trusts yubi validation servers
Naphex: just to make sure they are clean, and no 0 day can travel till the end
Naphex: and they check and validate the protocol and messages before
Naphex: i have stateful firewalls that know the protocol before
Naphex: then server checks signature, then checks otp
Naphex: so lets say, max length 120, valid checksum, valid message
Naphex: messages will only be forwarded by firewalls/load balancers/proxy whatever. only if valid clean message
Naphex: OTP - is otp released to the client, by levels email yubikey/gpg/ - whatever
Naphex: signature is hmac-sha256 with secret, from field 1 to uuid
Naphex: forgot that :P
Naphex: TIMESTAMP/MICRO:MESSAGE-DATA:UUID:SIGNATURE:OTP
Naphex: for example
Naphex: MESSAGE-DATA:UUID:SIGNATURE:OTP
Naphex: everything else gets dunked a long way from there
Naphex: server can only get clean, hard messages
Naphex: they can't
Naphex: or break HMAC-SHA256
Naphex: the most sophisticated attacker, will need user secrets to get whatever they have
Naphex: well put it like this
Naphex: i haven't lost 1 satoshi yet
Naphex: and you can get it out of your pocket
Naphex: it was probably worth it
Naphex: thestringpuller: honestly if you have a well designed system, that gets breached and you get ninja'd out of the 10 hotwallet BTC
Naphex: maybe buy some Google Play Giftcards
Naphex: so he can do whatever with it
Naphex: meanwhile, Joe Giner wants his 0.2 btc that he just bought out now
Naphex: thestringpuller: well that's their privilege
Naphex: after a phone call
Naphex: but wait 5mins on a withdrawal, and you're gonna get an email
Naphex: and run everything else cold, you can even run deposits cold
Naphex: but you can always keep i.e 10 BTC out of 1000 HOT
Naphex: look, you can secure servers and keep stuff secure. now i'm not saying run everything hot
Naphex: :))
Naphex: they want it too
Naphex: so clients can withdraw in an instant
Naphex: why would i when i want a hot instant wallet?
Naphex: so you want to sign transactions offline?
Naphex: for incoming or outgoing?
Naphex: which are hot by design
Naphex: only the hot wallets
Naphex: its a dead end
Naphex: even if an attacker gets through mostly everything undetected
Naphex: now the users have that secret, so an intruder couldn't do much without user secrets
Naphex: now OTP can be, Email / YubiKey -> GPG, Bitcoin signature
Naphex: if the user's OTP is not valid
Naphex: won't accept any messages, whatever the source or trust
Naphex: thestringpuller: for example, current hot wallet software
Naphex: you trust the sig
Naphex: if your hot wallet serves based on verified, signed messages, whether HMAC or whatever, i'd say its pretty fine.
Naphex: thestringpuller: there are hot wallets and cold ones
Naphex: for notifications?
Naphex: uh, what's that related to?
Naphex: but what i'm thinking is just a notification system for BitcoinD clusters, track txid's, addresses and confirmations
Naphex: even if its not final version
Naphex: i will when there is something working
Naphex: its private atm, not on any service. just dirty git clone
Naphex: yes i forked current master, and 0.9.1
Naphex: either that or in reverse, where it connects to a aggregate server, and that just runs pubsub
Naphex: connect to it, and broadcast notifications through it
Naphex: danielpbarron: dexX7 i'm thinking like listen to a port/unix socket
Naphex: dexX7: yes but i want something more clear cut, that can scale
Naphex: and make sure you only accept validated messages, before hitting your software
Naphex: firewall with blacklist everything, only whitelist what you know
Naphex: but keep it clean, and only run what you need - bare
Naphex: you can use whatever you want, except windows
Naphex: to ward off any physical attacks like physical hdd theft
Naphex: make sure you use filesystem encryption as well
Naphex: whatever you can install the cleanest
Naphex: i'd go with gentoo, but whatever is fine
Naphex: and keep it clean and bare
Naphex: danielpbarron: linux would be fine, but make sure you don't run other stuff
Naphex: what's the luck for?:P
Naphex: i wouldn't do websockets in it, too much overhead for bitcoin
Naphex: this is not related, just offtime stuff
Naphex: for the exchange i use something else entirely
Naphex: artifexd: thanks, but implementing this in bitcoin core.
Naphex: whats that? - first look is just watch only
Naphex: B. JSON-NP Callbacks - For easier integration with current systems
Naphex: A. UNIX Socket / Local Socket - Connect to it, start broadcasting notifications
Naphex: for a first implementation do notification with:
Naphex: and i was getting into posting the messages and thinking
Naphex: so in my offtime i'm implementing a decent notification system in bitcoin core
Naphex: is that an eggbot? or some standalone?
Naphex: :P
Naphex: probably should reply that with privmsg/notice
Naphex: ;]
Naphex: kakobrekla: is there a list / help of assbot commands?
Naphex: ;;rate HoreaV 10 Horea Vuscan of BTCXchange.ro
Naphex: :))
Naphex: so... :D
Naphex: “So, he prayed to Saint Ephraim the New and made the Sign of the Holy Cross three times over the computer. To his great surprise, not only did he manage to open the file, but he was able to completely delete the corrupted section”
Naphex: if you haven't seen it
Naphex: :)
Naphex: mircea_popescu: http://www.doxologia.ro/viata-bisericii/marturii/sfantul-efrem-cel-nou-deblocat-programe-informatice-reparat-fisiere-corupte and soon with bitcoin recovery :))
Naphex: good day today
Naphex: :D
Naphex: http://www.ziardecluj.ro/sfantul-efrem-ocrotitorul-clujului-repara-calculatoare-si-tamaduieste-constipatia
Naphex: morning
Naphex: ohlc even;]
Naphex: OHCL-V Ticker Plant and Payments API+Widgets coming soon
Naphex: withdrawals are blocked from the API atm, so withdrawals only from frontend
Naphex: you set up an API key and you can just use that
Naphex: https://api.btcxchange.ro/ - api
Naphex: and some presentation
Naphex: but the website is meant to ease up stuff for regular folks
Naphex: you can do it yourself if you set up an api key
Naphex: but its baked in into frontend so .. :p
Naphex: backend is just uuid / secret + otp choice (default email otp without yubi and soon gpg)
Naphex: not really, just in the frontend
Naphex: gpg otp will be set up after in security
Naphex: registration is just username /password /email
Naphex: as well as gpg otp for withdrawals
Naphex: with gpg auth the flow is going to be username/pass -> gpg otp -> logged in
Naphex: yeah - email is bound in. but at least with gpg auth you get rid of verification emails
Naphex: probably in a few weeks, is going to be up
Naphex: already started work on implementing gpg otp in the validation server
Naphex: yep
Naphex: ah
Naphex: benkay: it's https://www.btcxchange.ro / why - sup?
Naphex: back
Naphex: ;o
Naphex: "You try and do your best for women, but they all just run us down. Bitches" ;]
Naphex: :))
Naphex: http://nymag.com/daily/intelligencer/2014/04/kkk-leader-caught-with-a-black-male-prostitute.html
Naphex: morning
Naphex: morning
Naphex: garage sales!
Naphex: gn fluff` :D
Naphex: gn
Naphex: http://fc03.deviantart.net/fs71/f/2013/292/4/5/tucker_s_law_tea_towel_by_masterplanner-d6r36bp.png
Naphex: mircea_popescu, ever seen the thick of it / in the loop? https://www.youtube.com/watch?v=0MSScBIopM8 Alastair Campbell loved it ;]
Naphex: i got like ~100GB/s DDoS protection from the datacenter, after they cut upstream
Naphex: cloudflare just setup varnish
Naphex: or just set up your own proxy/load balancer/cleaner
Naphex: mircea_popescu: :D
Naphex: there's a lesson there
Naphex: ASR only operates in conjunction with the Electronic Accelerator (E gas) and uses components of the Anti-lock Brake System (ABS). If one wheel suddenly begins to rotate faster than the others (slip), ASR intervenes in the engine management system and reduces power until the wheel stops spinning.
Naphex: probably the diff or systems like ASR/ESP, not really sure.
Naphex: if wheel doesn't do contact it doesn't spin
Naphex: nah it's the same on my audi/quattro
Naphex: differential probably
Naphex: https://www.youtube.com/watch?v=MQm5BnhTBEQ now guys in the desert, they get bored hardcore ;o
Naphex: i'm pretty bored
Naphex: dunno about that
Naphex: ah
Naphex: hey mike_c can we add BTCXChange on btcalpha?:p
Naphex: why are people still using it
Naphex: cloudflare sucks
Naphex: https://www.youtube.com/watch?v=0USm3AilHiU - good tune to start your fridays ;]
Naphex: bbl
Naphex: you can JNI plug and do some C to make it faster
Naphex: speeds up development, keeps it tidy
Naphex: but java gets you lots of bonuses early, when working on anything mid-size
Naphex: fluffypony: ofc same with everything :]
Naphex: a good tool :]
Naphex: java is good
Naphex: !up mrwdunne
Naphex: !up mircea_popescu
Naphex: jurov, asked that too.. even hacked bank accounts
Naphex: as in hacked bank accounts, or clients wanting reversals because they inputted by mistake too many 0's
Naphex: mrwdunne: before i got splitted, i asked what is your defense against bank fraud considering 'instant' bank transfers?
Naphex: mrwdunne: will you have liquidity at launch?
Naphex: thq fluffypony
Naphex: :]
Naphex: MichalisBTC: go core!:D
Naphex: artifexd: VPN
Naphex: ;;later tell Naphex fork BitcoinD, and implement clearing notifications via JSON-RPC
Naphex: why hasn't anyone implemented clearing notifications in BitcoinD Core ;o
Naphex: yeah but when ddos hits, and their customers can't deposit / withdraw, support phones and emails start burning
Naphex: getting ddos'ed and cloudflare shutting down the API's
Naphex: as we see every day with blockchain
Naphex: completely shutting down your clearing node
Naphex: the weak point being any DDoS
Naphex: !up MichalisBTC
Naphex: 'here is your money, its good'
Naphex: punkman: ok payment, at 3 confirmations. send clearence
Naphex: MichalisBTC: what is the hard work in clearing bitcoin?
Naphex: MichalisBTC: did the API's require signing? like HMAC?
Naphex: not a full verifying node yes?
Naphex: MichalisBTC: bitcoin network, as in SPV BitcoinJ
Naphex: where are the encryption keys kept?
Naphex: All the private keys and wallet files are immediately backed up to multiple physical locations via encrypted tunnels. The keys and files are stored in an encrypted format on database which reside on encrypted partition file systems. Thus eliminating the possibility of stealing keys, even if hard drives from backup locations are stolen.
Naphex: can i clean you out if i get access to the gre?
Naphex: and locked down internet
Naphex: MichalisBTC: what does the secure architecture entail? what other security systems are in place, besides the GRE tunnel
Naphex: "
Naphex: E. Process large amount requests.
Naphex: D. Create hot wallets.
Naphex: C. Create new customer wallet.
Naphex: The built in API allows to perform the following functions:
Naphex: B. Get balance updates for any existing wallet under the control of the system.
Naphex: A. Send bitcoins from master, customer, hot wallets.
Naphex: "
Naphex: ThickAsThieves: run a full-node cluster, and get whatever data you need from there. use full nodes for payments, and multi-sig cold wallets for storage
Naphex: MichalisBTC: so the clearing engine keeps the wallets, provides restful apis to the other products right?
Naphex: to me it just looks like products spun off bitcoinj
Naphex: any MITM will own the SPV's
Naphex: simple payment verification
Naphex: ThickAsThieves: as in thin client, in bitcoinj
Naphex: high scale services on spv?:(
Naphex: fluffypony: prolly more interesting, RON vs BTCHotWallet https://i.imgur.com/ZvdQiSl.png
Naphex: and its raining :|
Naphex: brb, heading home. done with the office
Naphex: and we'll replace it with proper OHLC-V data & candlesticks
Naphex: will switch it with a good graph pretty soon, the data plant should be ready by monday
Naphex: fluffypony: there is a slider down, you squeeze it
Naphex: so.. hooray!
Naphex: well, i missed the whole news
Naphex: they banned btc again?:)
Naphex: lol
Naphex: and removing some bugdowns
Naphex: mostly caching tuning
Naphex: nah
Naphex: https://i.imgur.com/CDR0owC.png load times post frontend optimizations :D
Naphex: or just let gox diee
Naphex: http://www.fentonreport.com/bitcoin/why-the-savegox-plan-is-very-important-to-the-bitcoin-ecosystem
Naphex: MrWDunne: better have that professional hired and with an office near ;]
Naphex: which for a bitcoin exchange, i doubt its going to be enough
Naphex: you're relying on a lot of outsourcing
Naphex: who will manage them full time?
Naphex: the servers, the colocation, the hosting
Naphex: MrWDunne: what about hardware?
Naphex: MrWDunne: are you going to do the technical monitoring as well?
Naphex: especially early
Naphex: and you'd want someone doing lots of monitoring
Naphex: i'd care for backdoors, known 'issues', and insider leaks
Naphex: for something so sensitive, i wouldn't do much trusting. or use developers that are not in-house
Naphex: outsourced tech is the most problematic imho
Naphex: MrWDunne: who wrote the specs, for the third party to develop?
Naphex: but you'll need tons of tools attached especially when you go live
Naphex: so it depends a lot on what the tradeengine is going to do
Naphex: you're gonna need to attach lots of other components, for reporting, monitoring, and keeping track of
Naphex: tbh, i'd be scared of doing that in C++ enterprise wise
Naphex: do you have a contract with the development team? to keep extending/bugfixing after release?