Is the coin dead?
Quote from: Riverhead on October 10, 2014, 04:10:08 pm
> Keep in mind a non compromised wallet stores an ENCRYPTED copy of your private keys. That's why you need to unlock your wallet with a good passphrase. It's effectively 2-Factor Authentication. They need both the .dat file AND your pass phrase for it to be useful.

Look, it's not a true 2-factor, unless it uses a separate device to decrypt. If there is a key-logger, it doesn't matter how strong your second password on top of the private key is. This is true for all crypto projects. It's scary full of amateur decisions.

Even the "non-hobby" projects like DNS and BTSX have that flaw. And as I mentioned a billion times, it is extremely easy to fix. Heck even Bytemaster mentioned somewhere he added it to the toolkit as a method somewhere, but nobody is using it.

I don't think FT has stolen keys, if he did, he'd have more than just personal issues.

However in this day and age you can NEVER be sure what's running on your desktop. Given that it's a huge incentive, you know someone, somewhere will exploit the attack vector.

I would not import any keys until this issue is resolved. And I say that even for the existing DACs.

Sorry for the rant, but this is a disaster in the making. I hope I'm wrong, I really do.
Quote from: Riverhead on October 10, 2014, 04:10:08 pm
> Keep in mind a non compromised wallet stores an ENCRYPTED copy of your private keys. That's why you need to unlock your wallet with a good passphrase. It's effectively 2-Factor Authentication. They need both the .dat file AND your pass phrase for it to be useful.
>
> Naturally with a compromised wallet they get the plain text version. However if you imported your keys into a non compromised wallet a developer is no further ahead of anyone else who has just a locked .dat file. They'd still need to get you to install and unlock a compromised wallet to get the keys in plain text. Try dumping your private keys in a QT wallet with it locked. Doesn't work.
>
> As far as needing a mechanism to claim AGS without a plain text key import it seems that's on each DAC developer to implement but from what Toast said the expensive part is getting it audited because otherwise you're still just trusting the developer.

I learned something new here. So using lts as an example

I dumped my unencrypted text based ags key from the wallet I made my donation from into the lts wallet. In order to access the ags donation wallet they would need the password for the ags donation wallet and the private key?
Quote from: Riverhead on October 10, 2014, 05:02:30 am
> Quote from: tonyk on October 10, 2014, 04:56:43 am
> > Quote from: Brekyrself on October 10, 2014, 04:36:20 am
> > > Better to try and fail than to never try in the first place, thanks for the fun.
> > >
> > > Any insight into the next project?
> >
> > That is very counter intuitive statement... read my posts in this sub-forum... how could this project be a success?
> >
> > Now back to the priv keys of mine that I imported... they are forever in jeopardy of someone deciding that stealing/using them is the better way to go...
> >
> > On that note - Is not this easy enough to transfer the AGS donations from the original 'donation from' to a new one?
>
> Your keys aren't "out there" unless this client was compromised and I don't think it was. A malicious dev can't somehow get your private keys unless they release a compromised version and you open your wallet.dat with it and unlock it.

Good to know Riverhead! I imported just a few keys but still prefer not to give my AGS to somebody for no reason at all...
Quote from: Riverhead on October 10, 2014, 05:02:30 am
> Your keys aren't "out there" unless this client was compromised and I don't think it was. A malicious dev can't somehow get your private keys unless they release a compromised version and you open your wallet.dat with it and unlock it.

That makes perfect sense. I forgot the wallet.dat itself is encrypted. The client still could have been compromised when the keys were actually imported though, right?
Quote from: Gentso1 on October 08, 2014, 01:18:26 pm
> I am curious if the dev fund of lts was left alone or liquidated before this announcement, also the time seems odd as it's right before ags/pts shares mature...
>
> Care to comment on how much of the dev fund was cashed out before your announcement freetrade?

Sure. 0. I was interested in building a successful project, not cashing out a few pennies. My view is that dev talent is scarce and best redirected away from failed projects rather than throwing new effort at it.

I tried my best and ultimately failed. I can understand why participants might be disappointed, as am I, but personal attacks are unwarranted where hugely ambitious, hugely risky projects fail. I've risked more and lost more than anyone else with this project.
lottoshares was an amateur/hobby product, but that's ok. Who was expecting massive ROI and widespread adoption?

Part of the value of AGS is that it filters out winners and value producers. Don't feel "ripped off", feel vindicated.
Don't panic. There is only the possibility of keys being compromised. Did you use the Windows binary or build from source? Anyway, FT had good intentions to do this project but has abandoned it for whatever reason. That doesn't mean a trojan key stealer was in the code.

If this was a DAC from someone completely unknown it might be worrisome. I say if you still have your AGS DNS and after a time Notes you're in the clear because I doubt someone with all the AGS keys would wait around.
I would hardly view asking a question as a personal attack but if you took it that way I am sorry.
Quote from: Gentso1 on October 09, 2014, 12:28:22 am
> Quote from: Riverhead on October 08, 2014, 09:28:57 pm
> > It would be tough because a likely code hack like that would be in the binaries and not checked into GitHub (reason md5 is so important).
> >
> > Also I can't comment on how ags is stored but since claiming requires a private key I3 doesn't have I doubt anything can be done. Only future snapshots would benefit and since ags snapshot is long in the books....
>
> Maybe I am misunderstanding you. I am worried about anyone who trusted this software or dev with their ags private key.
>
> If FT has the private keys of many users who had to use them to claim LTS, it would be a race to claim future DACs. I don't really care about lts, I didn't have any stake in it other than my ags donation. I am concerned about FT having access to private keys via LTS claiming and his work on future projects.

I hear ya. What I'm saying is the ags private keys are set. Since pts is liquid they can be moved to new keys for future snapshots (like music on the 10th) but any previous snapshots (DNS, BTSX) are cast in stone now so best to claim and move to new keys their respective blockchains so if private keys are compromised the addresses are empty.

I don't think there is anything that can be done for ags holders. However I really doubt the keys are compromised. FT has his issues but I don't believe he'd pull off a massive heist.
Quote from: toast on October 08, 2014, 07:47:25 pm
> None of the devs have built such a tool yet because we trust ourselves. It is simple to implement in the toolkit right now but then you either have to strip it down until it's small enough to audit (the hard part) or you'd just be trusting us anyway.

No one is questioning you. However I prefer to sign on a machine that is offline. Produce the signature there. Then transfer via USB and then import it. This is the safest. Even if your software is trusted most people's machines aren't!

With AGS not being liquid this is a big deal.

And I beg you to add this to the code it is relatively easy to do. And should have been the default way to import keys in the toolkit.

Going forward this is a must for BTS DACs
Quote from: bitmeat on October 08, 2014, 07:05:15 pm
> Guys, "tool" just means whenever someone releases a DAC to check for signed message instead of asking for private key when importing. That's it! Possibly even a one line change in the code. I am really shocked DNS didn't implement that. Should be extremely easy to do.

Interesting. Wonder if cob will do this. If not we can ask for it in the wallet [ANN] thread. In the meantime may be best for pts holders to transfer holdings to a new address before Oct 10th. That will prevent any past leaks from claiming your Notes.
It is simple to implement in the toolkit right now but then you either have to strip it down until it's small enough to audit (the hard part) or you'd just be trusting us anyway.
Update:

I've been trying to resolve two problems with LottoShares but have not managed to do so.

The first is a forking problem when the checkpointing server is running. The checkpointing server allows draws to take place but causes forks to take place when checkpoints aren't accepted by some clients.

The second is decentralizing the draw/random number generation. Using the block hash and a private key to generate unpredictable randomness is centralized and ultimately unsatisfactory. I think the second problem may only be resolvable in the context of a (bitshares style) delegate model.

Unfortunately I've been unable to resolve these problems in LTS despite a huge amount of effort. I have now decided to redirect my efforts to other projects.

Thanks to everybody who took part and I'm sorry it didn't turn out as well as we had all hoped.
I have read that too. I hope until then nothing really bad happens and everything crashes because then I will have spent 1 year of my life for nothing and be left keeping the bag as usual...
When freetrade signed on to do this project many on bitcointalk brought up his history with memory coin I believe it was. I went through the thread some time ago and I remember thinking to myself it seemed a little shady but not nearly enough evidence to stand on its own. However when you put that and now this into play we have a dev who just at best case circumstances was "at the wrong place at the wrong time" so to speak. My biggest concern now is:

1. "30% will be targeted at the public addresses of individuals who can be helpful to LottoShares DAC (devs, exchanges, service providers, marketeers etc - email memorycoincc@gmail.com to make a pitch, full list to be provided at launch)" https://bitsharestalk.org/index.php?topic=4691.0 "10% will be proportionally distributed to MemoryCoin (MMC) holders (Block #39,983)" a project he worked as a dev before, please read the thread and notice their mature date is the first on the list and much before ags/pts would have had access to their funds.

2. Private keys were used to claim lts holdings and it is not far fetched to think that freetrade may now have anyone's private keys who claimed ags/pts. pts not being much of a problem because funds can be moved but ags.......

3. Future projects he is working on.

While the above is circumstantial when you put it all together it looks, not favorable.

I for one do not want to see the above dev working on any I3 projects until the nature of this flaw is explored by someone who understands code and a little explaining is done on the dev's part as to how much lts he claimed and sold before "announcing" a fatal blow to lts.

*Please note I have not used the words fraud or scammer I am merely saying hey let's take a closer look at this because it's odd and if indeed he is up to something we should obviously not have him working on future projects. This also highlights the immediate need to have a system other than submitting of private keys.
Quote from: Riverhead on October 08, 2014, 04:41:54 pm
> or it'll get snapshotted into Just Dice Style DAC.

I'd really recommend not snapshotting LTS for anything. Care to guess who's the biggest holder of LTS? Do you want to reward him for this?
First MMC now LTS... I doubt anyone will learn to trust this dev again.
Given this news why is LTS up 20%? Granted, it's 20% of a very small number but someone is buying up LTS.
Quote from: liondani on October 08, 2014, 02:52:23 pm
> Quote from: CossCrypto on October 08, 2014, 02:44:12 pm
> > Quote from: liondani on October 08, 2014, 02:35:20 pm
> > > It seems like it is the first official DAC scam... (Sorry to say that but it really smells like that! Hope I am totally wrong, but the first signs were already there before launch... )
> > >
> > > Hope nobody made the mistake to share his AGS/PTS keys !!!
> > >
> > > That's why we are screaming we need a tool for that exact reason !!! We don't want to expose our AGS/PTS keys to untrusted individuals in future.
> > >
> > > PS so for everybody who has used his key for this project it's better to claim his AGS/PTS on new DACs immediately after launch and of course NOT for third party DACs before a tool is out there securing us !!!
> >
> > Are you saying that he could have recorded all private key inputs of LTS users with the wallet??
>
> Is it not possible? Can a trusted programmer/developer that has reviewed the code ensure us that this is not the case?
>
> I just want to make you all think about the possibilities that this can/could happen at some time especially from third party DACs and push our DEVs NOW to give us a tool that eliminates our concerns !

Logically speaking I think it could be possible for sure to use a wallet as a kind of "keylogger"... that sucks. Now I'll have to be worried of somebody else holding my private keys only because I liked his DAC...
Quote from: FreeTrade on October 07, 2014, 11:20:42 am
> Update:
>
> I've been trying to resolve two problems with LottoShares but have not managed to do so.
>
> The first is a forking problem when the checkpointing server is running. The checkpointing server allows draws to take place but causes forks to take place when checkpoints aren't accepted by some clients.
>
> The second is decentralizing the draw/random number generation. Using the block hash and a private key to generate unpredictable randomness is centralized and ultimately unsatisfactory. I think the second problem may only be resolvable in the context of a (bitshares style) delegate model.
>
> Unfortunately I've been unable to resolve these problems in LTS despite a huge amount of effort. I have now decided to redirect my efforts to other projects.
>
> Thanks to everybody who took part and I'm sorry it didn't turn out as well as we had all hoped.

Any more insight into this? Is there another dev working on LTS? Will you be porting LTS over to a BTSX model? This just seems very blunt.
bitcointalk user emrebey said the following on 20/09/2014; regarding the dev inactivity, just have a little patience. freeTrade dealing with some real life stuff, he will come back soon.