Why is it insecure to store the session ID in a cookie ...

Reminder to have your DMARC\SPF records in place

Just got emailed this to our domain contact email; although it's low risk for us as we have a strict spam filter, it's a valid problem for people outside our organization.
First time I've ever seen a bug bounty for a DMARC/SPF record; tried to find out online how much these get, seems someone paid $5.
Unrelated, and I'm not associated, but these guys do free DMARC monitoring for 365 clients:
Use this https://go.valimail.com/microsoft.html

I am a security researcher and I provide information and knowledge regarding "Vulnerability" on websites. I have found some vulnerabilities on your website/domain.
I just sent a forged email to [email protected] that appears to originate from [email protected]. I was able to do this because of the following:
DMARC record lookup and validation for: domain.com.
"No DMARC Record found"
1) Publish DMARC Record.
2) Enable DMARC Quarantine/Reject policy
3) Your DMARC record should look like
"v=DMARC1; p=reject; sp=none; pct=100; ri=86400; rua=mailto:[email protected]"
And as I have seen the SPF TXT record for domain.com, which is:
Found v=spf1 record for domain.com:
v=spf1 include:au._netblocks.mimecast.com ~all
As you can see, the symbol at the end, the tilde (~all), is the issue; it should be replaced by the hyphen (-all) symbol.
So the valid record will look like:
Found v=spf1 record for domain.com:
v=spf1 include:au._netblocks.mimecast.com -all
What's the issue:
As you can see in the article on the difference between softfail and fail, you should be using fail, as softfail allows anyone to send spoofed emails from your domains.
In the current SPF record you should replace ~ with - before all; - is strict, which prevents all spoofed emails except those you are sending.
You can validate by testing yourself over here: mxtoolbox.com
This is useful in phishing, and this type of vulnerability is newsworthy (http://bits.blogs.nytimes.com/2015/04/09/sendgrid-email-breach-was-used-to-attack-coinbase-a-bitcoin-exchange/).
This can be done using any PHP mailer tool, like this:
$to = "[email protected]";
$subject = "Password Change";
$txt = "Change your password by visiting here - [VIRUS LINK HERE]";
$headers = "From: [email protected]";
Due to this vulnerability, any hacker can send a forged email to your customers using your domain, thus getting sensitive information of your customers like login details, making them download a virus/malware, etc.
Also, when an attacker sends an email to your customers asking them to change their password, the customer, after seeing the mail, might consider the mail legit and fall for the trap.
In doing this the attacker can take them to his website where certain JavaScript is executed which steals the customer's session ID and password.
The results can be more dangerous and impactful.
A study shows why DMARC and SPF are crucial:
1) $1.6 million on average is what one single spear phishing attack costs for organizations
2) $500 million every year is scammed by phishing attacks
3) Just 3% of all users will report phishing email to their management
4) More than 400 businesses are targeted by BEC scams every day
5) 76% of organizations have reported that they have been victim of a phishing attack.
6) 1 in 3 companies have been victims of CEO fraud emails
7) 70% of all global emails is malicious
8) Fake invoice messages are the #1 type of phishing lure
You can find the SPF fix over here : https://www.digitalocean.com/community/tutorials/how-to-use-an-spf-record-to-prevent-spoofing-improve-e-mail-reliability
For DMARC record : https://easydmarc.com/blog/how-to-fix-no-dmarc-record-found/
and DMARC policy here: https://support.rackspace.com/how-to/create-a-dmarc-policy/
Let me know if you need me to send a forged email.
Note: I am expecting a bounty for this responsible disclosure and I would like to report more in the future.
submitted by excalabyte to sysadmin
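The bounty email above boils down to two DNS checks: is there a DMARC record with an enforcing policy, and does the SPF record end in -all rather than ~all. The following checker is an added example, not code from the post or from any of the linked tools; it takes the TXT record strings as input so it runs offline (in practice you would look them up at <domain> and _dmarc.<domain> with a DNS library) and reports the same findings the report describes, plus the sp=none subdomain gap that the report's own suggested record carries. Severity labels and the finding texts are my own.

```python
"""Check SPF and DMARC TXT records for the weaknesses described in the report:
no DMARC record, a non-enforcing DMARC policy, and an SPF record that ends in
~all / ?all / +all instead of -all. Records are passed in as strings."""
import re


def parse_dmarc(record):
    """Parse 'v=DMARC1; p=reject; ...' into a dict of tag -> value.
    Returns None if the string is not a DMARC record at all."""
    if record is None:
        return None
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def spf_all_qualifier(record):
    """Return the qualifier of the 'all' mechanism ('+', '-', '~' or '?'),
    or None if the record is not SPF or has no 'all' term."""
    if record is None or not record.lower().startswith("v=spf1"):
        return None
    for term in record.split()[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"  # a bare 'all' means '+all'
    return None


def assess(spf_record, dmarc_record):
    """Return a list of (severity, message) findings; an empty list is a pass."""
    findings = []
    qualifier = spf_all_qualifier(spf_record)
    if spf_record is None:
        findings.append(("high", "no SPF record published"))
    elif qualifier is None:
        findings.append(("medium", "SPF has no 'all' mechanism; unlisted senders are neutral"))
    elif qualifier == "+":
        findings.append(("high", "SPF ends in +all: every sender passes"))
    elif qualifier in ("~", "?"):
        findings.append(("medium", f"SPF ends in {qualifier}all: unlisted senders are not rejected"))

    dmarc = parse_dmarc(dmarc_record)
    if dmarc is None:
        findings.append(("high", "no DMARC record found at _dmarc.<domain>"))
    else:
        policy = dmarc.get("p", "").lower()
        if policy not in ("quarantine", "reject"):
            findings.append(("high", f"DMARC policy is p={policy or 'missing'}: spoofed mail is delivered"))
        else:
            if dmarc.get("pct", "100") != "100":
                findings.append(("low", f"DMARC applied to only pct={dmarc['pct']} of mail"))
            if dmarc.get("sp", "").lower() == "none":
                findings.append(("low", "sp=none: subdomains of the domain get no policy"))
        if "rua" not in dmarc:
            findings.append(("low", "no rua= address: no aggregate reports will arrive"))
    return findings


if __name__ == "__main__":
    # Constructed inputs mirroring the report's before/after records.
    for spf, dmarc in [
        ("v=spf1 include:au._netblocks.mimecast.com ~all", None),
        ("v=spf1 include:au._netblocks.mimecast.com -all",
         "v=DMARC1; p=reject; sp=none; pct=100; ri=86400; rua=mailto:dmarc@example.com"),
    ]:
        print(spf, "|", dmarc)
        for sev, msg in assess(spf, dmarc) or [("ok", "no findings")]:
            print("  ", sev, msg)
```

Note that SPF with -all only constrains the envelope sender; the visible From: header is what DMARC alignment protects, which is why the checker treats a missing or p=none DMARC record as the higher-severity finding.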

Log of Mobile Wallet AMA with Lucio - 6th June 2019

Yesterday we completed our first day of ARK Developer AMA's. I'd like to thank everyone who came and participated in each AMA and I believe it to be a big success! Community feedback can help shape how our software acts, looks and functions so if you have any ideas then feel free to join the next AMA!
Our next Developer AMA's will take place on Thursday, June 13th.
The topics of discussion will be; ARK Deployer: Alex (10:00 UTC) & ARK Internet-of-Things (IoT): Simon (20:00 UTC)
Hope to see you all there! - To join Slack, go to the following link http://slack.ark.io
Here's the log of the Mobile Wallet AMA

Hey you all! Almost a year and a half after the first release, we are starting the development of Mobile Wallet 2.0. During this time we have collected your feedback and requests to create a wallet focused on what you need. If you have any idea, question or suggestion feel free to tell us.

spghtz (ark.party / civseed)
Hey Lucio! Thanks for dropping by.
  1. Will the mobile-wallet v2 (Android and Apple development) take place in public? Or only available when it's been released?
  2. Will the Android version be in Java, Kotlin, or a hybrid?

mak (AIP23 - Delegate Markets)
Hey lucio, thanks for the AMA. How do you guys plan on compromising between utility via plugins and different bridgechains etc vs ease of use and simplicity. Seems to me like a hard bargain, especially when you have to throw in the limitations of a touch based UI system.

Munich (ARKLand Delegate)
Hey Lucio :slightly_smiling_face: Extending @spghtz (ark.party / civseed)’s 2nd question, I’d like to ask if you guys have considered using React Native rather than Ionic for the v2 wallet

@spghtz (ark.party / civseed)
  1. Our projects are usually developed internally, and when ready we release the source code.
  2. It will be native, but with the same codebase. I'm analyzing 4 frameworks, React Native, Vue Native, NativeScript and Flutter.

Justin (doubled1c3)
Any plans to implement security measures beyond PIN such as biometric types? I have heard this question from some users

@mak (AIP23 - Delegate Markets)
Mobile v1 was not developed with custom networks in mind, in v2 our goal is to make the task of importing/adding /using a custom network more intuitive
I noticed that we have different types of users, from delegates to beginners, so we need to define the best experience for each one. As commented earlier today some features are not interesting for those who are not advanced.

I think, when it comes to mobile or desktop either one, if a plugin doesn’t make sense for a mobile environment or a touch based interface, then the market would show us that over time. We might take a chance on some innovative ideas and see how they play out, but for the most part I think the mobile wallet will initially feature plugins focused on payments and managing funds, voting etc, and not application specifics or elaborate functions.
Some things will just make more sense in a desktop environment.
No one is asking you guys the tough questions... like what is your favorite movie or sandwich? :joy::joy:

Alex Barnsley [ARK Team]
that’s not mobile wallet related @Matthew_DC :colbert:

alessio // fun
I asked @Alex Barnsley [ARK Team] a tough question earlier and he dodged it :colbert:

Justin (doubled1c3)
I'm curious about implementing OS notifications within the mobile wallet for some events, like "transaction received" "delegate dropped" etc. Plans for OS notifications?

I said in the blog, get to know our developers who don’t often get to be in the spotlight. :colbert:

alessio // fun
I confess I don't use the mobile wallet often, and I only have an iPhone, so I'm a bit out of the loop regarding Android. How are plans progressing regarding Ledger integration there, as I believe it's not feasible on iOS?

Munich (ARKLand Delegate)
It should be possible on iOS with the bluetooth ledger nano X

Alex Barnsley [ARK Team]

mak (AIP23 - Delegate Markets)
not really a question but since we have you here I should probably say it. I would really like it if the mobile wallet workflow was better designed for easy onboarding. right now I can't introduce people to Ark or crypto in general in a public place because writing down a seed phrase and keeping it secure becomes quite an overwhelming scenario for a new user in the middle of a crowd.

alessio // fun
Yes true I'm thinking of Nano S

mak (AIP23 - Delegate Markets)
I'd love to be able to go anywhere ask people to download the wallet and just drop them some ark like ver used to do

mak (AIP23 - Delegate Markets)
it's the best marketing you could get

@Justin (doubled1c3)
Sorry, forgot to reply. About the alternative to the PIN, I had tried to implement the touch ID but I found it very insecure since I would have to save your passphrase basically without encryption.

goldenpepe (biz_network)
```right now I can't introduce people to Ark or crypto in general in a public place because writing down a seed phrase and keeping it secure becomes quite an overwhelming scenario for a new user in the middle of a crowd.```
I had this experience manning the faucet at Consensus 2 years ago
There was a small crowd of people all standing around the faucet on their phones trying to get past all the screens so they can get to their wallet address (edited)

mak (AIP23 - Delegate Markets)
I created a ticket about this a few months ago but it seems like it's not a priority

@alessio // fun
In the Ledger repo there is a package compatible with React Native, but as you said, only for Android: https://github.com/LedgerHQ/ledgerjs/tree/master/packages/react-native-hid

alessio // fun
It probably takes a lot of time and planning to get it right, you can't just snap your fingers and come up with an easy to use onboarding process for everyone

goldenpepe (biz_network)
yea UX is hard

Colby (The Golden Horde)
replied to a thread:
Absolutely agreed there

Munich (ARKLand Delegate)
Maybe an option like on deployer.ark.io, have a “basic” mode and an “advanced” mode for onboarding

mak (AIP23 - Delegate Markets)
I suggested a solution in the github ticket which I think gets around the issue, Bitcoin.com wallet has been using it for years now which is why they can do that

@mak (AIP23 - Delegate Markets)
I agree, backup may be the most important part, in v2 we want to make this more evident and mandatory.

Sam [ARK Team]
Do you have a link to that particular Github ticket @mak (AIP23 - Delegate Markets) by any chance? (edited)

alessio // fun
I'd be interested to see it as well

Munich (ARKLand Delegate)
iirc it’s on the mobile-wallet repo (edited)

mak (AIP23 - Delegate Markets)
https://github.com/ArkEcosystem/mobile-wallet/issues/282 @Sam [ARK Team] (edited)
Improve onboarding process · Issue #282 · ArkEcosystem/mobile-wallet

alessio // fun
@Lucio Does that also apply to Nano X or just Nano S?

Nano S, for X is this one:
Ledger's JavaScript libraries. Contribute to LedgerHQ/ledgerjs development by creating an account on GitHub.

alessio // fun
And that'll work on iOS too? It'd be a big reason for me to switch from S to X if so

Yes, it was built on the top of the package https://github.com/Polidea/react-native-ble-plx, which supports iOS

@Lucio why are you shifting away from Ionic for the ark wallet? They are at v4.0 at the moment, seem to be a good framework.

@Justin (doubled1c3)
About notifications, I've implemented and released notifications for incoming transactions. But it did not work properly on Android, I ended up removing it because it required more network requests and battery consumption. Probably in this new framework we will implement, since it will be native.

Alex Barnsley [ARK Team]
I believe it also caused issues with Android in that the mobile wallet was showing on the lock screen (edited)

We had some performance issues, keyboard crashes and even vulnerabilities with Ionic's webview

Is it possible in the future that ark holds the passphrase and it acts like a bank account. Than people can manage there wallet but also can recover it. Like people can choose amateur and advanced control... just an idea :)

alessio // fun
I sincerely hope not

Sam [ARK Team]
That's incredibly unlikely @Drakeler - One of the positives of decentralized networks is that people no longer need to depend on organisations to secure their funds for them. Users have full control and that's a positive thing :thumbsup::skin-tone-2:

But old people... Alzheimer's...

alessio // fun
Hopefully that'll evolve from "incredibly unlikely" to "absolutely never going to happen"

Sam [ARK Team]
Well yeah, I'd go as far to say it's never going to happen.

Car accident..

When do you expect there to be an update on the QR code support for bridgechains. Currently the QR scanning feature on Android only supports addresses beginning with 'A' or 'D'?

Just thinking that people should be more satisfied if there is a backup

Alex Barnsley [ARK Team]
in those cases @Drakeler , for example, they should put it in a will or give family members they trust access in some way
(not official advice)

@PJ tomorrow or monday we will release the update

But is it possible that ark wallet import it? Something like it

Munich (ARKLand Delegate)
yes you can import wallets to the mobile wallet
Ideally you will have a backup of your passphrase secured somewhere, and have a trusted person have access to it in case anything happens to you

Sam [ARK Team]
Just a few minutes left guys so if you have further questions, get them in quickly :smile: (edited)

I know, but you can give an email. If your wallet isn't used for like a year they send the passphrase to an email you set... like an inheritance
Just a way to give people more security (edited)
Other option you might implement is like a monthly payment setting. Is that going to come?

Munich (ARKLand Delegate)
@Lucio is 2FA something that could be done in the next wallet?
I know the implications of having 2FA app and a wallet on the same device, but I see this q asked often

@Drakeler I think LastPass has something similar to releasing access to another person if you do not use it for a while

Yes but ark can be the first to do it in blockchain!
Just ideas... to help ark move to the public

I think we have already discussed the possibility of implementing 2FA between desktop and mobile, right? @Alex Barnsley [ARK Team] I'm not sure what our conclusion was about this

Alex Barnsley [ARK Team]
:yes: deemed it as not worthy, because having the 2fa locally isn’t secure
since you could have access to both ends of the 2fa process and can manipulate it
“you” being an exploiter

alessio // fun
Thanks for taking the time for this ama @Lucio

Sam [ARK Team]
The hour is now up so that concludes the AMA
Thanks to everyone who came to take part in this week's Developer AMA sessions.
submitted by avfcpieface to ArkEcosystem

Setting up a Webshop that accepts lightning payments via lightning charge. Seeking brave alpha tester

Hey everyone,
After the big news yesterday that lightning charge by the Elements group is out, I am helping my fiancee's sister, who is running a medium sized webshop for a living, to add bitcoin as a form of payment. She is very happy to do so and promised to HODL all revenue made via Bitcoin (sorry, I have to brag that she must have great influence (; ). However her product is rather cheap (only a few bucks) so without lightning it didn't make sense to accept bitcoin because fees would have been higher than the price of the product.
After the great help and suggestions by cdecker on the IRC yesterday and today (kudos and shoutout to him!) I knew the roadmap:
* I set up a virtual machine on Amazon Elastic Cloud (actually a friend did this who is doing this on a regular basis. Thanks Heinrich!)
* We set up my very first bitcoin node (bitcoin core 0.15, which worked pretty easily! Amazingly good processes and workflows)
* We set up my very first lightning node (which also turned out to be pretty straightforward)
* We had everything on testnet and I am currently running on mainnet (however bitcoind is still downloading and verifying the blockchain)
We have several problems though at the last step, in which case the needed technology stack is kind of out of our comfort zone:
1. I can't set up lightning charge following this tutorial: https://github.com/ElementsProject/lightning-charge (I know it's ridiculous but I am not living in the javascript / node.js world, so I am having problems with user rights when running npm. If anyone would be willing to have a look (maybe via a skype screenshare session) it would be great!)
2. I currently don't have any hot wallet coins on the bitcoin node since this is my very first node and I am kind of afraid to transfer my funds. As far as I understand, I do not really need bitcoins myself to fund lightning channels as long as the other lightning nodes open and fund the channels (which is the preferred way anyway, since a webshop is obviously only accepting BTC and has basically only incoming payments over the long run). Anyway, I would need some brave people who are running lightning nodes that would hook me up to the lightning mainnet by funding some channels with me. Obviously there is little risk involved since I can't steal or access the funds as long as nobody is really buying products in the webshop and paying with bitcoin.
3. The blockchain needs really a lot of time to download and verify. That makes sense if all the merkle trees need to be calculated for every block. Is there a better way to skip verification? Or is that such a security risk that I just have to wait?
./lightning-cli getinfo: { "id" : "020bcf913931fe5fb96931c9be470bbdccd1b24eaa5a0758dbf7efc45bedcb1ebe", "port" : 9735, "address" : , "version" : "v0.5.2-2016-11-21-1574-g575b733", "blockheight" : 331274 }
The bitcoin address of that corresponding wallet reads: 36DqbzCRcXeHbUG6C9jjxMghmuCHZg9BRn but as far as I understand that is not needed for channel creation.
Disclaimer: She and I do understand that lightning on mainnet is highly experimental. However her product is basically digital so in case something goes wrong she could still satisfy the consumers but just has to give up the lost revenue. In that sense she and I are willing to take the risk of setting up this prototypical real world application to demonstrate from a real user the usefulness of the lightning network and lightning charge.
Happy to hear from you and receive some PMs or other input!
best Rene
submitted by renepickhardt to Bitcoin
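Once lightning-charge is running, the part of the webshop that matters for security is the order logic: the shop must release a digital product only after its own charge instance reports the invoice as paid, for the right order and the right amount, and never on the strength of anything the customer's browser sends back. The client below is an added example, not code from the post or from the lightning-charge project. It assumes the REST surface as I recall it from the project's README (POST /invoice taking msatoshi, description and metadata; GET /invoice/<id>; HTTP Basic auth with user name api-token and the configured token as password; an invoice status of unpaid, paid or expired); check those against the current docs before relying on them. The FakeCharge class is a constructed in-memory stand-in so the file runs without a node.

```python
"""Webshop-side handling of lightning-charge invoices: create one per order,
then fulfil only after a server-side status check (endpoints assumed, see lead-in)."""
import base64
import json
from urllib import request


class ChargeClient:
    """Minimal client for the lightning-charge REST API."""

    def __init__(self, base_url, api_token, transport=None):
        self.base_url = base_url.rstrip("/")
        cred = base64.b64encode(f"api-token:{api_token}".encode()).decode()
        self.headers = {"Authorization": f"Basic {cred}",
                        "Content-Type": "application/json"}
        # transport(method, url, headers, body_dict_or_None) -> decoded JSON dict.
        # Injectable so the order logic can be exercised without a running charged.
        self.transport = transport or self._urllib_transport

    @staticmethod
    def _urllib_transport(method, url, headers, body):
        data = json.dumps(body).encode() if body is not None else None
        req = request.Request(url, data=data, headers=headers, method=method)
        with request.urlopen(req, timeout=10) as resp:
            return json.loads(resp.read().decode())

    def create_invoice(self, order_id, msatoshi, description):
        body = {"msatoshi": str(msatoshi), "description": description,
                "metadata": {"order_id": order_id}}  # ties the invoice to the order
        return self.transport("POST", f"{self.base_url}/invoice", self.headers, body)

    def get_invoice(self, invoice_id):
        return self.transport("GET", f"{self.base_url}/invoice/{invoice_id}",
                              self.headers, None)


def can_fulfil(client, order_id, invoice_id, expected_msatoshi):
    """Release the goods only if the invoice, as reported by the shop's own charge
    instance, is paid, belongs to this order and is for the expected amount.
    The browser's claim that it paid is never consulted."""
    inv = client.get_invoice(invoice_id)
    if inv.get("status") != "paid":
        return False
    if (inv.get("metadata") or {}).get("order_id") != order_id:
        return False
    return str(inv.get("msatoshi")) == str(expected_msatoshi)


class FakeCharge:
    """Constructed in-memory stand-in for charged, used to run this file offline."""

    def __init__(self):
        self.invoices = {}

    def __call__(self, method, url, headers, body):
        assert headers["Authorization"].startswith("Basic ")
        if method == "POST":
            inv_id = f"inv{len(self.invoices) + 1}"
            self.invoices[inv_id] = {"id": inv_id, "status": "unpaid",
                                     "msatoshi": body["msatoshi"],
                                     "metadata": body["metadata"]}
            return dict(self.invoices[inv_id])
        return dict(self.invoices[url.rsplit("/", 1)[1]])

    def mark_paid(self, inv_id):
        self.invoices[inv_id]["status"] = "paid"


if __name__ == "__main__":
    fake = FakeCharge()
    shop = ChargeClient("http://localhost:9112", "change-me", transport=fake)
    inv = shop.create_invoice("order-42", 10000, "sticker pack")
    print("before payment:", can_fulfil(shop, "order-42", inv["id"], 10000))
    fake.mark_paid(inv["id"])
    print("after payment:", can_fulfil(shop, "order-42", inv["id"], 10000))
```

The API token is the only thing standing between the internet and invoice creation on the charge instance, so keep it out of the webshop's client-side code and bind charged to localhost or a private interface; the shop backend is the only party that should talk to it.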

Computer sending and receiving "STUN Binding Requests/Responses" from same IP

Hi, I'm using a router that has IDS (Intrusion Detection/Prevention) as a feature. I've noticed a continual number of alerts classified as "STUN Binding Requests" from my local computer's IP to I'm also receiving "STUN Binding Responses" from that same IP ( to my computer's local IP.
It is classified as an "Attempted Use Privilege Gain". The signature description for these is, exactly: "ET INFO Session Traversal Utilities for NAT (STUN Binding Request[or Response])" and links to this reference.
This is happening even after I've blocked these kinds of packets with the IDS and done a clean install of my computer.
If, presumably, it requires my computer to somehow send these requests to get a response, I'm wondering if my computer might be compromised in a way that causes it to continue sending them. Could it be a rootkit that persists even with macOS re-install? It doesn't seem likely... Maybe it's an app on my Mac? I don't see any specific outbound connection attempts to that IP on "Little Snitch", which I've installed.
AbuseIPDB.com shows that other people are getting the same issues (STUN Binding Requests|Responses) from the IP in question. It seems to belong to an "ISP" of ThreatMetrix Inc. : https://www.abuseipdb.com/check/
ThreatMetrix Inc. is apparently in the business of creating "anonymous profiles" of consumers to protect against fraudulent activity, and a "digital identity graph" to allow businesses to improve end-user authentication (source)
Does anyone have any insight as to what might be happening, and the level of threat I'm facing (to my network, and with possible compromise of my computer)? Much appreciated.
Edit: I searched for "ThreatMetrix" on Reddit and found this thread here -- could it be that JavaScript from CoinBase (which is a website I access sometimes) is causing these requests and eliciting these responses from the ThreatMetrix IP?
submitted by secsearcher to AskNetsec
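The IDS signature only says "STUN Binding Request/Response"; what tells you whether the traffic was initiated by your own host is the pairing of request and response by transaction ID, which the alert text does not show. The decoder below is an added example, not code from the post, the IDS vendor or ThreatMetrix: it builds two constructed STUN packets (RFC 5389 framing, with the fixed magic cookie 0x2112A442 and an XOR-MAPPED-ADDRESS attribute in the response) and parses them, so captured UDP payloads from the alerts can be classified the same way. A request from your host followed by a response from the same remote IP with the same 96-bit transaction ID is the normal shape of NAT discovery started by something running locally (WebRTC/ICE in a browser, or a fingerprinting script as the edit suggests), not of an inbound connection attempt.

```python
"""Build and parse STUN Binding messages (RFC 5389) and pair requests with
responses by transaction ID. Packet contents here are constructed samples."""
import struct

MAGIC_COOKIE = 0x2112A442
TYPES = {0x0001: "Binding Request",
         0x0101: "Binding Response",
         0x0111: "Binding Error Response"}
XOR_MAPPED_ADDRESS = 0x0020


def build_binding_request(txid):
    """20-byte header with no attributes; txid is the 12-byte transaction ID."""
    return struct.pack("!HHI", 0x0001, 0, MAGIC_COOKIE) + txid


def build_binding_response(txid, ip, port):
    """Binding Response carrying XOR-MAPPED-ADDRESS for an IPv4 address.
    Port and address are XORed with the magic cookie as the RFC requires."""
    xport = port ^ (MAGIC_COOKIE >> 16)
    raw_ip = struct.unpack("!I", bytes(int(o) for o in ip.split(".")))[0]
    value = struct.pack("!BBHI", 0, 0x01, xport, raw_ip ^ MAGIC_COOKIE)
    attr = struct.pack("!HH", XOR_MAPPED_ADDRESS, len(value)) + value
    return struct.pack("!HHI", 0x0101, len(attr), MAGIC_COOKIE) + txid + attr


def parse_stun(data):
    """Return {'type', 'txid', 'mapped'} for a STUN message, or None if the
    bytes are not STUN (wrong cookie, top header bits set, bad length)."""
    if len(data) < 20:
        return None
    mtype, mlen, cookie = struct.unpack("!HHI", data[:8])
    if cookie != MAGIC_COOKIE or mtype & 0xC000 or len(data) != 20 + mlen:
        return None
    result = {"type": TYPES.get(mtype, f"0x{mtype:04x}"),
              "txid": data[8:20].hex(), "mapped": None}
    pos = 20
    while pos + 4 <= len(data):
        atype, alen = struct.unpack("!HH", data[pos:pos + 4])
        value = data[pos + 4:pos + 4 + alen]
        if atype == XOR_MAPPED_ADDRESS and len(value) == 8 and value[1] == 0x01:
            xport, xaddr = struct.unpack("!HI", value[2:8])
            port = xport ^ (MAGIC_COOKIE >> 16)
            addr = ".".join(str(b) for b in struct.pack("!I", xaddr ^ MAGIC_COOKIE))
            result["mapped"] = (addr, port)
        pos += 4 + ((alen + 3) // 4) * 4  # attribute values are padded to 4 bytes
    return result


def pair_exchange(packets):
    """Transaction IDs seen in both a Binding Request and a Binding Response:
    each such pair is an exchange the requesting side initiated."""
    req = {p["txid"] for p in packets if p and p["type"] == "Binding Request"}
    rsp = {p["txid"] for p in packets if p and p["type"] == "Binding Response"}
    return sorted(req & rsp)


if __name__ == "__main__":
    txid = bytes(range(12))  # constructed transaction ID
    pkts = [build_binding_request(txid),
            build_binding_response(txid, "203.0.113.7", 51234)]  # documentation IP
    parsed = [parse_stun(p) for p in pkts]
    for p in parsed:
        print(p)
    print("initiated locally:", pair_exchange(parsed))
```

If you pull the payloads out of the IDS alerts (or a packet capture) and the transaction IDs pair up like this, the next question is which local process owns the UDP socket, which `lsof -i UDP` on macOS will show while the traffic is occurring.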

Of Wolves and Weasels - Day 148 - DOGE4DOGE - Building a Worldwide Brand

Hey all, GoodShibe here!
With our Bootstrap Service Economy starting to take shape, I think now is an excellent time for us to talk about Marketing and Advertising and how we're actually more than just a coin - why we're building a Worldwide Brand.
And why that's a great thing.
You see, I read a post today from slipstream-
Reading comments on hacker news and found this interesting comment related to dogecoin...
Which got me thinking. See, traditionally, I've never been a 'sales' person or an 'Advertising' person. In fact, I have, especially when I was younger, espoused a very... uh... Bill Hicks-ish (warning: NSFW language) approach to the topic.
So what changed?
Mostly, my perspective.
Marketing and Advertising are tools, no more or less bad than hammers or power saws. Heck, I spent all last weekend Advertising for the Lego Movie without even realizing it. (Seriously, I'm not being paid for this, but check it out, it's awesome).
But we do it all the time.
We want people to know about and appreciate the same things that we do. We tell people where to try good food, where the best grocery deals are, where the cheapest gas is, what Radio stations we like, what TV shows and movies we're watching.
If you've ever used a Foursquare-ish app to announce your location, you're Advertising for someone - doing their work for them. If you've ever raved about how awesome Game of Thrones is... you're Advertising.
Most of us don't realize it, but there's actually quite a difference between Marketing and Advertising. Advertising is only about getting the word out there - it is only a small part of the Marketing process.
But Marketing itself covers quite a large number of other factors:
"Market research, media planning, public relations, product pricing, distribution, customer support, sales strategy, and community involvement." (From above, linked article)
And, whether we realize it or not, we're actively taking part in this process, daily.
Here's a brief set of examples, just off the top of my head:
Market Research - What are the other coins doing? What's Bitcoin/Litecoin/etc doing?
Media Planning - Hey, let's help get the Jamaican Bobsled Team to Sochi.
Public Relations - See our What is Dogecoin Video
Product Pricing - How many threads exist about us watching the price and waxing poetic about where it should and shouldn't be?
Distribution - Tipping
Customer Support - /Dogeducation, for one. HowToDoge.com, DogecoinTutorial.com, all sorts of options there.
Sales Strategy - DOGE4DOGE is all about helping our coin gain acceptance locally and worldwide
Community Involvement - I'm pretty sure this one goes without saying
Where Marketing and Advertising go to the Dark Side is when it becomes about Lies. When you can't actually sell the product on its merits.
The International Brand that we're building with Dogecoin is something that WE'VE had a say in every step of the way. Our symbol, our coin, has come to represent our values of Fun and Kindness, Compassion and Camaraderie - worldwide, no matter what language you speak.
We fight for the Underdoge - and we believe that the future of money is in showing appreciation for people, instantly, no matter where they are in the world. Financially empowering the people who are working to make their world a more fun, more interesting, better place to live.
No one person did this. You did, all of us did.
Because we wanted it bad enough.
We took a joke and made the world laugh along with us - and there is more joy and laughter and fun and kindness in the world... thanks to you.
Thanks to Dogecoin.
So while some people might scoff and roll their eyes, I feel that we should continue to pick up and use the tools that we've been given.
Because 'Money' is the least revolutionary thing about us.
We're not 'going' to change the world.
We ARE changing the world.
And we're only just getting started.
It's 9:05AM EST and we're at 81.05% of DOGEs found. Our Global Hashrate is holding strong at ~46 Gigahashes per second and our Difficulty is down from ~866 to ~713.
As always, I appreciate your support!
DOGE4DOGE - Bootstrap Service Economy - Shibes helping Shibes for Dogecoins - Add yourself to this list in the comments!
Huge ups to calyxa for taking the time to put this crazy list in order and add categories. Thank you!!
Engineering and Industry:
Game Tutorial - On-line and Board Games:
Graphics, Video and Art - Tutorial and Service:
Hardware Repair - Tutorial and Service:
Health and Agriculture:
Human Languages:
Programming and Web Development:
School Tutoring
Writing / Editing:
Projects in need of your attention!
submitted by GoodShibe to dogecoin

Blockchain Online Training

Blockchain Online Training Hyderabad | Blockchain Course
What is Blockchain?
The blockchain is like the tracking tool which helps the users to track the records of the transactions on all the digital currency without any kind of central recording. Every lump is connected to the computer thereby a copy is recorded automatically.
You can attend Blockchain online training in India from Hyderabad, Delhi, Bangalore, Pune, Noida, Kolkata and anywhere in the USA, UK or Singapore online. The best online Blockchain training institute in Hyderabad, called Blockchain architecture training.
New Batch Schedules: You can attend blockchain free Demo also
Blockchain Online Training start on jan12, 2019 7:30 AM IST
Blockchain Course Details:
· Course Duration:45 Days
· Mon-Fri 7:30 am (IST)
· Mode of Training Online only
· Real-time Trainer
· After Blockchain classes, we will provide class recording for reference purpose
Note:- Plz Watch below Blockchain Online Training Demo and Class1, Class2, Class3, Class4 recording before attending the session. (total 5 Videos here) VLR TRAINING 9985269518
For course details visit this link: https://www.vlrtraining.in/blockchain-online-training-hyderabad/
Visit follow link for free Demo: https://www.youtube.com/watch?v=ElwREV0gL1E&list=PLXx2-0oYp1LNri7bsDwSOEl56-eDtjwFw
What is Blockchain Telugu | Blockchain Demo 2019| VLR Training

Blockchain Class 1 | What is Blockchain |Concepts in Blockchain

Blockchain Class2 | How Blockchain works| VLR Training Jan2

BlockChain class3 Jan3 |Nodes and Consensus| What is AES RSA Cryptography

Blockchain class4 jan4| Hash Function| What is Blockchain Distributed Ledger |

Why should you take this Blockchain Online training
1. BlockChain developer ranked 2nd among 20 fastest growing skillsets.
2. Salary of "Blockchain Developer" ranges from $85k for Application Developer to $115k for Senior Software Engineer as per indeed.com.
3. Bill & Melinda Gates Foundation goals to use Blockchain technology to help the two billion people worldwide who lack bank accounts.
4. As per the World Economic Forum, in 2025 18% of the world's GDP will be on Blockchain associated technologies.
Financial Institutions, Insurance Sectors as well as Government Sectors are all using Block Chain technology steadily to roll-out multiple services to the customers
Who can Learn blockchain Technology Online?
Anyone can take Blockchain Online Training based on interest, from any platform:
1. System administrators and DBAs
2. Software Programmers/Developers
3. Students/Freshers
4. Software developers
5. Specialists in the banking and financial sector
6. Media and Entertainment Sector
7. Government and Public Sector
8. Healthcare and Life science sector
9. Anyone interested in new technology can take this Blockchain course
Blockchain Pre-Requisites:
· Should have a fundamental knowledge of Linux and Command Line.
· Having a Basic knowledge of NodeJS and JavaScript are useful.
· There are no prerequisites required to learn this course. It's good to have a basic knowledge of programming languages like Python, but not compulsory.
· Trainers of VLR training will start with all the required basics of Online Training
Objectives of the Blockchain Online Training course:
· Work with Ethereum BlockChain.
· Study designing and deployment of private BlockChain and monitoring.
· Work with Multichain and private BlockChain.
· Understanding the application of Market Friction.
· Using the BlockChain transactions and miner validations.
· Installing Hyperledger composers.
Which Industries use the blockchain
As per the reports, the Blockchain Technology market is segmented in various fields such as:
1. Insurance Sector
2. Banking Sector
3. Media and Entertainment Sector
4. Financial Institutes
5. Government and Public Sector
6. Automotive Sector
7. Healthcare and Life science sector
8. Banking Sector
9. Retail and ECommerce Sector
Others as well.
The scope of Blockchain Market:
· By 2030, significant developments in the world’s standard of living will be attributable to the development of blockchain technology.
· Managing World trade with the help of Blockchain Technology
· By the end of 2030, most of the world trade will be conducted taking advantage of blockchain technology.
· Blockchain will remove the requirement of the third party. By the end of 2030, there will be more trillion-dollar tokens than there will be trillion-dollar companies.
· Blockchain in Cyber Security
· By 2030, maximum governments around the world will create or adopt some form of virtual currency.
Benefits of Block Chain Technology?
Transparency: Block Chain technology maintains transparent business transactions. There is nothing like a centralized system of transactions in the block chains.
Accounting: Recording and maintaining the transactions through the blockchain technology is very high.
Faster Transactions: In Block Chain technology the currency is digitized and transacted within seconds.
Reduces the transactional costs: In blockchain, the users can transact the digital currency with each other without any intermediates like banks.
Block Chain Course Content
Decentralized Money

· Exploring Blockchain
· Bitcoin & Blockchain
o Bitcoin and its History
o Why use Bitcoins?
o Where and how to buy bitcoins

· Ethereum
· What is Ethereum?
· Ethereum Private Blockchain and Smart contracts
· Solidity basics
· Advance Solidity
Client-side signing and remotes nodes for Dapps
· Deploying DAPP using Truffle and Web3J
Running the DApp on the Ethereum node using Metamask
For Blockchain online Training contact us VLR Training 998526951
submitted by kannadhanush to u/kannadhanush

xvultx4llltx7w2d.onion is 18 months online today

TL;DR: The site has been running nice and quietly on Tor for 18 months. We thought today is a good day to make the URL public outside of our group of amigos.
PGP: 3DB6 FF02 6EBA 6AFF 63AF 2B6E DCE5 3FA2 EC58 63D8 Bitcoin: 18FNZPvYeWUNLmnS6bQyJSVXYPJ87cssMM TOR: http://xvultx4llltx7w2d.onion

Vultronix encrypted social network.

Abstract: Since time began, social interaction has always been private to those within the same vicinity. Today, however, much data is sent encrypted to a third party, gets decrypted on arrival and then stored among mountains of un-encrypted data, stored for financial gain creating giant honeypots. These giant honeypots of un-encrypted data are just too irresistible to those who have the power to request access.
We propose a solution to these centralized honeypots by enforcing client side encryption in such a way that the server has no access to the encrypted content, we believe this can be achieved via a mix of key hashing, PGP, AES and Onion routing. We acknowledge the current JavaScript anonymity problem and see a future where secure hardware will encrypt/decrypt the data for the user. We propose the below as a simple POC for inspiration of future development, open for all to copy, enhance and most importantly, to scrutinize.
1. What is the example? A truly client side TOR based encrypted centralized social network. Allowing users to interact anonymously online without the ability of the host to spy on the user. Trust with the host is established via signed open source Javascript. Everything is delivered directly from the host via TOR without any use of CDNs.
2. Centralized over decentralized? The greatest problem available to implementing encryption to the masses is user experience. We developed Vultronix to allow the user to interact with others securely via a familiar feeling platform. More experienced users can download the code and setup their own .onion domain, further removing the risk of a centralized authority.
3. Registration The user is required to fill in 3 fields. For familiarity we've named them the following - Email address, Password and Words list. The user is not required to enter their actual email but is encouraged to generate a string with a lot of entropy; it is acknowledged that the less experienced user will probably make up an email address, both the password and words field should be as random as possible. The entropy of these 3 fields is on what the user's encryption depends.
Note: as the system is not decentralized, the logins are only available to brute force attack by the host or if/when the database is compromised and dumped online. To achieve the best security a password tool should be used with 3 very random strings. A more user friendly solution is to make up a very random but easy to remember email address via a random mnemonic seed generator similar to BIP39, a difficult password the user can remember and a short word list.
Given a user selects the following log in details which, let's assume, were created by a BIP39 generator.
+ email: [email protected]
+ password: liquid sketch husband
+ Word list: shove proof dismiss gauge
The above contains 12 completely random words.
The browser will concatenate these to [email protected] sketch husbandshove proof dismiss gauge This value would then be hashed, creating the following hash. 90bc6ba57145e2116ea10d136ec49061e9a15c5694b171ba1e5753ab02e141e4
This hash is hashed forward 5001 times. On the 2000th hash the sha-256 becomes a sha-512 hash in the following fashion: SHA512(2000th hash + 2000th hash), and is stored momentarily as the "loginHash" variable. The loop continues on, with all further loops taking a different path that can't be reached by hashing forward the login hash. The 3000th hash is saved as the "passphrase" variable. The 4000th hash is saved as the "encryptionKey" variable, and the 5001st hash ends up being hashed again for good measure: loginHash = SHA512(loginHash + 5001st hash);
At the same time during registration the user's browser will generate a 4096 PGP key pair. The PGP password is the "passphrase" variable. Both the passphrase and the encryptionKey never reach the server. The PGP pub/priv keys are both AES encrypted with the encryptionKey as the password and sent to the server.
Note: The PGP public key is never sent to the server unencrypted as we don't want someone with access to the Database to be able to analyze who is friends with who.
Also generated at sign up is a UUID, this is AES encrypted as well.
Sent to the server on sign up is the following.
+ encrypted: PGP public key - AES encrypted string.
+ encrypted: PGP private key - AES encrypted string.
+ encrypted: UUID - AES encrypted string
+ loginHash: SHA-512 hash.
Upon signing in, the user fills out his profile. This data (including any images uploaded) is encrypted client side by the user, the user encrypts a copy to himself using his own PGP public key, which is currently decrypted in his browser session, then encrypts this again with his AES encryption key.
4. Login A user will login with the same credentials used at sign up, the loginHash will reach the server and the server will find a match and send back the user's encrypted credentials. The user's client will decrypt these with his "passphrase" and "encryptionKey", neither of which have ever been sent to the server.
Note: If a MITM intercepts a user loginHash over the wire, the MITM will be able to retrieve the encrypted data from the server, but will never be able to decrypt it, and won't have any further access to the user's data.
Once the user decrypts his credentials data, he'll have access to his UUID, the client will then request from the server an encrypted friends list object, the client will decrypt this and populate client side his friends list. This will contain the public PGP key of each of his friends along with a friendship key unique to each friendship as well as a generated shared password unique to each friendship. The client will also send requests to the server to look for feed updates, inbox messages, new friend requests and accepted friend requests etc.
5. Friend requests To keep friendships private, a user must send another user a friend request token. Since everything in the Database is encrypted, it isn't possible for a user to simply look up a friend. Via the friend request page the user will fill out a short message and press a button. The user is presented with a SHA-256 hash that will expire after 2 weeks. The user simply needs to pass this hash onto his friend via other means of contact; the friend then enters the hash into the friend request page. The friend will then see a thumbnail of the user (or whatever logo the user has chosen for his profile picture) followed by the short message the receiving friend should recognise, e.g. "Hey Alice it's Bob, please accept my friend request". Alice accepts the friend request and they're now friends. Alice won't have access to Bob's profile page until Bob next logs in.
Behind the scenes, the following happens: Bob's message is concatenated to a generated UUID. This string is hashed many times like the loginHash. An object is created containing Bob's following encrypted data:
+ PGP Pub Key
+ friendshipUUID unique to this friendship
+ sendersFriendshipUUID
+ acceptersFriendshipUUID
+ Bob's Name
+ Bob's thumbnail (all images are converted to base64 strings in the browser then encrypted/decrypted client side)
+ Request message etc.
This encrypted data is sent to the server, the friendship token is equivalent to the final login hash that a user generates on login. Bob doesn't, however, send Alice this final hashed token, he sends her an earlier version of a hash. Alice will enter this hash, her browser will roll it forward creating the decryption key and eventually the friendship token that resides on the server, her client will send this to the server, the server will respond with the encrypted data. Only she can decrypt the data as only she has the earlier hash of the friend request token.
She decrypts Bob's friendship data, adds it to her FriendsList data, encrypts the latest copy and sends it through to the server for safe keeping. Alice's client will now create an encrypted accepted friend request object, submitting it to the server. Alice will then use Bob's PGP key and their new friendship password they share to double encrypt her profile to Bob.
When Bob logs in next (or if currently online via web sockets) he will receive the accepted friend request token. Bob's client will then do what Alice's did and update his friends list etc. and send a copy of his profile through to Alice. Bob and Alice will now see each other's new status updates, album updates etc.
Note: A new friend can never see old status updates, this should be considered a feature.
6. Chat and instant messages Users can see when other users are online and chat via web sockets, they can also send offline messages via their inbox. These messages are double encrypted. If Bob sends Alice a message, the following happens: Bob's client will encrypt the message using Alice's PGP public key and a copy using his own PGP public key, he'll then encrypt both using their shared friendship password and place 2 entries into the database. If Alice is online the server will push up her messages instantly via web sockets, if not, she'll see the message the next time she logs in, she'll notice this as the inbox icon will be red to signify unread messages.
Note: If a user has Vultronix open in another tab, he'll hear a sound when a new message is received as well as a keyboard sound when his friend is typing.
7. Group invites Groups allow shared users to associate online in private without having any access to who other members of the group are, users can also send private encrypted messages to other users of a group in full privacy. Anyone can create a group. On group creation the group's admin client will generate a random password, the admin can give the group a logo and message etc. The admin can then create a group invite token and the recipient of the token can sign up to the group in the same way that a user would accept/decline a friendship request. Once a user is a member of a group, he too can invite friends. All of these people will share an AES encryption key which they'll get via decryption of the encrypted invite request. Each user will be able to download a shared membership list of the group, which will not be able to identify any users. This list will contain user PGP keys that are used when a member sends another member of the group a private 1 - 1 message.
TLDR; Everyone in the group can start threads, comment in threads, invite new friends etc, no one outside of the group will even know of the group's existence, the group's description, name, members list etc. All of it is encrypted and private. No member will know that other members have privately messaged each other. No member will be able to find another member's profile. However, if they wish to be friends, they can private message a friendship request token. Members can have their own groups and private message friend request tokens through to members to join other private groups.
8. Status updates When a user creates a new status message, the user's friends will see the message appear in their feed either in real time if they're online, or the next time they login. When a user fills in the status box, the user can optionally add a photo or youtube video link (caution: external services could be used to track you) and then press save. After the user saves the status the following happens:
The status is encrypted and saved to the server. To reduce client computation time as well as server storage, only one copy of the status is saved to the server. The client will encrypt and upload a new encrypted message for each of his friends; this message will simply hold an AES decryption key and a status ID. The friend's client will then request this status and decrypt it. All of the user's friends can comment on the status; only the user will be able to click through to their profiles. It's impossible for a user's friends to be able to interact with each other outside of their shared friend's status comment box.
9. Shops Private encrypted shops would be easily implemented via the following: The shop owner would setup shops in a similar way to setting up a group, inviting customers to his private shop with tokens. He could send these tokens to his friends in his friends list or new people he meets in a private members group via private message. This would allow the shop owner to sell to only people he trusts, e.g. his grandmother or aunt etc. The shop owner would have complete privacy. The shop owner would keep control of all his bitcoin private keys. He would enter a list of bitcoin addresses, then add items to his shop. Upon adding an item, the client would submit an encrypted copy of the item to the server for each customer of his store. Customers would browse his store and see an item, the item would have a bitcoin address to pay to. The customer would enter a message, be it his email address for a digital order or a postal address for a physical order. He would then pay to the bitcoin address and hit submit. The shop owner would see a page with orders and see the email address and manually check the bitcoin address has funds.
This would allow sellers and buyers online to have great protection, providing they're buying/selling from people they trust. If the server is hacked and database stolen, no one will have access to any bitcoin as no private keys would ever be on the server and everything is encrypted, so no one would know what shops even exist, unless they have a personal invite to that store.
This kind of private store could be very useful for people living under oppressive regimes. If, for example, someone wants to learn about Capitalism and would like to buy Capitalist literature but they live in a censored Communist state, they could access via TOR and order anonymously without ever having to worry about the site being hacked and their government going through the data and heavily punishing them, possibly with death. They would be at risk though of the literature being confiscated in the mail so they'd be better off to order a digital copy and have it emailed or, perhaps, the seller could simply copy and paste the text into a private message to the seller.
The possibilities would be endless for the above; we have not implemented this though as we're not sure of the legality. If someone decided to sell something illegal and law enforcement wanted information on the buyer/seller, we would never be able to retrieve it from the database. If, however, they managed to become a member of a store, they could perhaps tell us a UUID that might represent the store and we could delete the shop at their request, but not much else. For this reason we're not going down this path; it is however fascinating to think of.
We'd predict that OpenBazaar would one day offer the ability of hidden stores, not just the ability to route via TOR. For any OB users we've added a OpenBazaar field to the member profile info page.
The goal of this project is to show that client side end to end encryption is possible for intermediate users and not that difficult to implement. We hope this inspires people to build something similar and better or, perhaps, fork the code and fix some bugs etc.
We appreciate your time. If you enjoyed this or at least appreciate our effort, our bitcoin address is below. Bitcoin: 18FNZPvYeWUNLmnS6bQyJSVXYPJ87cssMM
PS: The code will be uploaded to a public Github profile this week.
http://xvultx4llltx7w2d.onion
Latest version:
Content hash: 1aa450c4a4bef1ddee92d6572f81aa14baad959402563064f0ff81e6f42b69d9
lib.js hash: 8704461878818f5f00f18c61789e03c1b90bfc07bc21a15301ce876e7f71829c
submitted by Vultronix to onions
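The hash-chain key derivation from the registration and login sections above, as an added Python example (not Vultronix's own JavaScript). It assumes hex digests are concatenated as strings and that the sha-256 chain keeps hashing forward from the 2000th value while loginHash is a side branch, neither of which the post spells out; the credentials are constructed, not the (redacted) ones from the post.

```python
import hashlib

# Round numbers from the post: loginHash branches off at the 2000th hash, the
# 3000th and 4000th chain values become passphrase and encryptionKey, and the
# 5001st is folded into the final loginHash.
LOGIN_BRANCH_AT = 2000
PASSPHRASE_AT = 3000
ENCRYPTION_KEY_AT = 4000
TOTAL_ROUNDS = 5001


def _sha256(text):
    return hashlib.sha256(text.encode()).hexdigest()


def _sha512(text):
    return hashlib.sha512(text.encode()).hexdigest()


def derive_keys(email, password, words):
    """Return (login_hash, passphrase, encryption_key) for one set of credentials.

    Assumption: hex digests are concatenated as strings, and the sha-256 chain
    continues from the 2000th value while loginHash is a side branch, so the
    value sent to the server does not lie on the path to the two secrets.
    """
    h = _sha256(email + password + words)  # hash of the three concatenated fields
    login_hash = passphrase = encryption_key = None
    for round_no in range(1, TOTAL_ROUNDS + 1):
        h = _sha256(h)  # hash forward one step
        if round_no == LOGIN_BRANCH_AT:
            login_hash = _sha512(h + h)  # "SHA512(2000th hash + 2000th hash)"
        elif round_no == PASSPHRASE_AT:
            passphrase = h               # PGP private-key passphrase, never leaves the client
        elif round_no == ENCRYPTION_KEY_AT:
            encryption_key = h           # AES key for the stored key blobs, never leaves the client
    # "loginHash = SHA512(loginHash + 5001st hash)": only this value reaches the server.
    login_hash = _sha512(login_hash + h)
    return login_hash, passphrase, encryption_key


def forward_chain_reaches(start, targets, rounds):
    """Hash `start` forward with both sha-256 and sha-512 for `rounds` steps and
    report whether any intermediate value equals one of `targets`.

    This is the check behind the post's claim that the server-held loginHash
    cannot be hashed forward into passphrase or encryptionKey.
    """
    chains = [start, start]
    for _ in range(rounds):
        chains = [_sha256(chains[0]), _sha512(chains[1])]
        if chains[0] in targets or chains[1] in targets:
            return True
    return False


class Server:
    """In-memory stand-in for the host: it stores loginHash and opaque blobs only."""

    def __init__(self):
        self.records = {}

    def register(self, login_hash, encrypted_blobs):
        self.records[login_hash] = encrypted_blobs

    def login(self, login_hash):
        # Return the stored blobs for a matching loginHash, else None.
        return self.records.get(login_hash)


if __name__ == "__main__":
    # Constructed credentials, not the values from the post.
    creds = ("alice-example@example.invalid", "liquid sketch husband",
             "shove proof dismiss gauge")
    login_hash, passphrase, encryption_key = derive_keys(*creds)
    server = Server()
    server.register(login_hash, {"pgp_keys": "<AES blob under encryption_key>"})
    print("login ok:", server.login(login_hash) is not None)
    print("server can hash forward to the secrets:",
          forward_chain_reaches(login_hash, {passphrase, encryption_key}, 6000))
```

As the post itself notes, the chain carries no salt, so its strength against an offline attempt by the host or anyone holding a database dump rests entirely on the entropy of the three fields.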

[HIRING] Looking for web developer

Looking for an experienced web developer that could build a website (running on node.js) with Bitcoin payment system. The website should be a very simple licenses (used in our standalone desktop app) buying place. Paying with Bitcoin would be the only payment method needed. The user would be able to purchase as many licenses as he wants (each with their refund period). After the first purchase user would get a chance to create his account (no public registration page). When logged in the user would be able to generate his license (and regenerate if he wants or if his license code gets 'into the wrong hands'). Each license should be used only once i.e. only on one computer (each license session could send 'heartbeat' requests to the backend with unique hardware ID - session would last up to 5mins without a heartbeat i.e. after 5mins other computer could use the license). Admins should be able to see all users list with their non-sensitive data (email, account creation date, refund expiration date), filter them and if needed remove their license(s) (e.g. if user asks for refund, since refunds will be handled manually, admin should also be able to remove the license manually). Also, admins should be able to generate discount coupons that would be used on checkouts and filter them.
Technologies to be used:
- node.js (with JavaScript or TypeScript);
- MongoDB;
- angular2+;
- bootstrap;
Bitcoin payments should be directed to our wallet with new addresses generated for each transaction.
The code should be written in a clean, idiomatic way (preferably with comments)!
List of required pages:
Publicly accessible pages:
- Home/landing page with all products (different types of licenses) info (including their prices and 'Add to basket options'), features descriptions, images, etc;
- FAQ page;
- Documentation page, where users would find all the info needed to properly use the product they buy;
- Log in page (no registration page, user would be able to create his account only when his purchase is confirmed);
- Cart page;
Private (authorized/logged in users) pages:
- Standard users account dashboard where user would be able to generate (and regenerate) his license on button press, email and password change options, refund expiration date;
- Admin page where admin would be able to see a list of users with their non-sensitive info (email, account creation date, refund expiration date) and filter them. Admin should also be able to remove user's license (e.g. when user asks for refund);
- Admin page where admin could create discount coupons with additional filterable metadata (e.g. event's name);
User should be able to always see his basket button and when pressed be able to confirm it and check out. On checkout page the user would need to pay with Bitcoin to confirm his purchase. After purchase confirmation he should be able to create an account to generate his licenses.
submitted by needadev1 to Jobs4Bitcoins

AMA Brendan Eich - Creator of JavaScript, Mozilla Firefox & Brave Software in Ark slack

boldninja @brendaneich hi Brendan welcome to Ark slack - Brendan is the creator of JavaScript, co-founder of Mozilla / Firefox & Brave Software and today we'll host AMA with him regarding his upcoming project http://basicattentiontoken.org/ BasicAttentionToken
moobox i think i'm gonna forget about bitbay and keep it
dr10 hi brendan
brendaneich hi
dr10 nice to have you here :smile:
boldninja hi Brendan - thanks for joining us today
brendaneich happy to be here @boldninja
tranzer hi @brendaneich , I have a question regarding BAT. Will you have limited number of tokens or will you have inflation? When do you plan to start ICO? (edited)
michaelthecryptoguy Hello Brendan. Nice to have you in the ark community slack channel
mward Hello
moobox the ironies of old age. you can afford the sports car you dreamed of as a kid, but your back hurts too much to sit in it.
dr10 Will Mozilla- and Chrome-Plugins be usable for Brave browser? Will Brave Browser be able to sync bookmarks?
mike hi brendan
cannabanana is the BAT token just an ETH asset or will it be a new blockchain technology? if the first, why ETH instead of your own block chain? :smile: (edited)
brendaneich @dr10 two questions, first one first
jonathansampson @dr10 Chrome extensions are supported today, I wrote a short walkthrough on how we (I'm an engineer on Brave) test extensions before adopting for official support. https://blog.brave.com/loading-chrome-extensions-in-brave/ Happy to answer any questions you may have. (edited)
brendaneich 1. Brave on laptop/desktop uses chromium and we support chromium extensions, but curate them into our own S3 from the Chrome Web Store ah, there is @jonathansampson on to second q
jakethepanda @brendaneich How will Brave detect bots designed to give fake attention? (edited)
brendaneich 2. Brave's client-encrypted sync is in beta now, if you use iOS i can connect you with the devs to get a beta build. it works between laptop/desktop systems already, and is coming up in Android too @cannabanana BAT is an ERC20 token on Ethereum. we need smart contracts and benefit from multiple token launches proving the tech and approach no desire to do our own blockchain
mward The BAT wallet will be implemented in Brave browser as a plug-in?
brendaneich we are pragmatists, use bitcoin already in Brave for auto-microdonations
cannabanana will you only accept ethereum for the ICO or will you also be accepting bitcoin?
brendaneich @jakethepanda please see https://www.reddit.com/BATProject/comments/61kw7f/question/dfxkuus/ @mward no, deeper integration than an extension (plugin still is overloaded for old-style stuff like Flash) can have
brendaneich @cannabanana ETH only, as BAT is an ERC20 token -- we are not launching a new exchange or anything, so other currencies have to be exchanged to buy BAT
boldninja When do you plan to start your initial token offer, will there be any hard cap?
jakethepanda @brendaneich Is this right? Users opt into the BAT system and get paid for their attention. Advertisers pay for ads with BAT. Through a smart contract, BAT is unlocked as users give the ad attention. The unlocked BAT is split up between users, Brave, and publishers.
brendaneich @mward we have BitGo provided bitcoin wallet integration in Brave already, ofc the wallet is on the blockchain not in Brave but the deeper integration is for the private, "chartbeats in your browser" auto-microdonation analytics, and the anonize.org-based ZKP protocol over VPN to communicate your donations w/o loss of anonymity or fingerprinting via the list of your top sites
@jakethepanda that is the goal but doing it with real-time BAT flow is in the future, the "Apollo" (or Mars mission) space program phase; we're in "Mercury Redstone" rn, monkeys in buckets on parabolic paths
nt91 When is ico
brendaneich @boldninja @nt91 we haven't announced the date but will very (very) soon, just getting logistics and final audits done
@boldninja cap is $15M of ETH so we have to pin the ratio close to launch given recent vol.
dr10 How will you get Brave Browser to the masses? Any marketing campaign you like to sum up? Any bigger announcement or plan?
jakethepanda How is the split determined between users, publishers and Brave?
brendaneich @dr10 we are growing, mostly organically right now, under 1M MAU but we will (in best case of crowdsale) spend more to growth-hack, which is advertising + funnel analytics / retention analysis loop
tranzer @brendaneich don't know if you have been following tokencard ICO, but they had kind of a fuckup with their smart contract, also they didn't give their address of contract literally before it started. How will you go about this? Will smart contract, address be known beforehand?
brendaneich an important point: if we hit cap we will found a trade group for attention apps and get other apps on board to use BAT and help us get to scale faster with buy side of ad-tech system, also with bigger donor cohorts via membership in trade association
nt91 Once launched how quickly is it likely to join the exchange
brendaneich @tranzer we followed that closely, it was Not Good. we are using a super-simple contract based on FirstBlood, Golem, StandardToken
mward How will you make the crowdsale? Like Gnosis? (Dutch auction) The BAT token will have fixed price at the time of ico?
brendaneich @nt91 can't say, not our biz and we are building the "in game" economics first so exchanges can come any time
brendaneich @mward fixed ratio of BAT for ETH
fixcrypt @brendaneich will all the tx recorded on eth blockchain, or will you manage some sort of payment channels?
dr10 Do you plan to integrate decentralized VPN or Tor-Like stuff? Your browser is really fast, will these things slow it down? Or didn't plan any of this?
brendaneich @fixcrypt all on chain, no preselling, no funny stuff -- we believe in simplicity first, given all the experience in this space
mike would you be interested in using a different blockchain to eliminate all the overhead of paying such a huge network of computers on ethereum to each process every single contract on each computer? (edited)
cannabanana I hope you guys will reconsider accepting more than just eth for the ICO. I have not been able to invest in any of the past like 5 good ones. There's a whole segment of people who wont touch ETH.
tranzer @brendaneich ok I know this is not about BAT, but did you know that Ark is built in JavaScript :smile: ?
fixcrypt @brendaneich how many tx are we talking about? 1 each time there is a basic attention detected? (edited)
brendaneich @dr10 we are going to do Tor private tabs, see https://github.com/brave/browser-laptop/wiki/Brave-Tor-Support
we will make it possible to pick a region for exit node from Tor relay network -- so you can unlock region-locked videos, e.g.
yes, Tor slows things down and Tor private tabs turn on fingerprinting protection, turn off most JS, etc. -- that's a good thing
michaelthecryptoguy Very Nice!!
brendaneich @mike i'm a pragmatist and will use whatever blockchain is big enough, robust enough, has functionality we need (smart contracts, ZKP anonymity coming along, etc.). Zcash adding token support this fall, i hear. we don't multiply risk by jumping on bandwagons whose wheels are still off :wink:. we do not try 10 hard things at once -- space program from monkey in can to moon
@cannabanana we are launching an ERC20 token on Ethereum, you buy with ETH, we are not an exchange
the few launches whose contracts hardcoded a bitcoin address were launching exchange-like projects, so could take the risk
we are not doing that
separate concerns
@tranzer i heard :wink:
twitchard What do you think the adoption function for BAT looks like. Do you think there's a critical mass at which adoption will drastically speed up? Or do you think it is more gradual
brendaneich @fixcrypt no, in early phases of BAT program we cannot put each attention event on chain
obv. the chain is too costly, also: not anonymous! big tracking prob
fixcrypt agree
brendaneich we build in hybrid fashion
Brave already has anonize.org v2 ZKP integrated
requires centralized but open source accounting server
fixcrypt ah yes make sense
brendaneich we'd like someone else to run that (escrow, also could add exchange to fiat as publishers like being paid in fiat)
dr10 Can I visit websites, that block Users, that use adblock? Is there a way to work around this? Currently I use brave browser and some pages block me, because of using adblock. What is your solution to this or do you think these website will change their behaviour?
brendaneich if we can do server to client remote attestation (see https://www.npmjs.com/package/secureworker) we will
jonathansampson @dr10 That's a bug; let us know which sites are detecting Brave as an ad-blocker, and we'll file Issues on GitHub. We're constantly making improvements in this space, and recalibrating as necessary :slightly_smiling_face:
brendaneich eventually it should all decentralize but that requires the blockchain (a blockchain; could be red-headed lovechild of Ethereum and Zcash lol) to do anonymity and microtransactions both very well
fixcrypt so payment are done on blockchain, but it basically validates on a daily basis a centralised payment channel between all stakeholders
mike like the chart on ad percentages of sites in the whitepaper. I've noticed for a long time the mainstream news sites are the worst to go to, a literal assault on the browser visiting them - have avoided going to them as a result, think you're on to something to mitigate this.
dr10 I visited a german boulevard magazine www.bild.de
brendaneich bild.de makes my eyes bleed
dr10 so normally this wouldnt be the case?
yeah its just an example lol
because I know they block adblock people
jonathansampson @dr10 I'll file an issue immediately!
brendaneich @dr10 we get around forbes, wired, latimes, many other anti-adblockers
michaelthecryptoguy Will these be done on a multi - channel?
brendaneich publishers who put up such user-hostile dialogs tend to lose alexa/comscore share
gotta catch up on the Qs
@fixcrypt next
tell me if i missed you
fixcrypt no pb
tranzer Haven't used Brave yet, might try after today, but is it same memory hungry as Chrome is?
twitchard :wave:
1nfinite concerning the ICO - will there only be one? meaning all 700m coins will be distributed through this initial $15m ICO (meaning $1 will net you about 46BAT)? sorry if I'm misunderstanding some of the info you've put out in asking this
dr10 What if I want to support Live-Streams (twitch) or youtube videos by watching their ad (which is not part of the brave system) Can I still turn off this mechanism?
brendaneich @fixcrypt yes, we buffer automicrodonations over 30 days of your uptime (varies by user; if you go on vacation those days don't count) and send Anonize ZKP votes (one per voting session, all over VPN) to our accounting server, along with the total bitcoin per 30 days you pledged. this goes into settlement wallet, the votes go into accounting db
we want to decentralize this as noted, just repeating in case anyone missed
fixcrypt decentralize this will be hard, maybe when segwit is enabled on bitcoin, but ETH, i have no idea (edited)
brendaneich @michaelthecryptoguy sorry, what did you mean by multi-channel?
jonathansampson @dr10 You can track the bild.de issue here: https://github.com/brave/browser-laptop/issues/6758 (Thank you again for reporting) (edited)
fixcrypt i think decentralizing everything is not always the best solution
brendaneich @tranzer we use less memory than chrome by virtue of ad and tracker blocking but we have some bugs to fix pre-1.0 (which i think will be in june) -- i use brave on all OSes, also use a bit of other browsers to keep up with joneses but i've cut back and tried to live in brave. on macOS i am still bugged by mem use (i'm a tab hoarder) and some lag bugs but we are on them -- will fix this month!
michaelthecryptoguy one blockchain ledger with multiple transactions, instead of being signed one at a time (edited)
brendaneich @1nfinite yes, selling 700M, floating 300M on side for user growth pool (100M), trade association, team, and future reserve
1nfinite thanks!
tranzer so 70% to ICO and 30% for team / user growth? Sounds reasonable (more than gnosis :joy: )
moobox this is great to talk to brave devs - pls to make websites look like this: http://i.imgur.com/00mQ8mc.png (173kB)
brendaneich @fixcrypt you could be right, centralization or let's say trusted third parties have existed since at least agriculture (10K years?) so we as pragmatists must consider some -- but we don't like "trust me" / "don't be evil", we prefer "trust Math" / "can't be evil"
michaelthecryptoguy then the last transaction is added to the blockchain
dafty what failsafes are planned to stop bots (eg, running selenium) from mocking a real human and gaining bat tokens? how do you know a user is actually a user?
jonathansampson @moobox We will support themes in a future release, as well as extensions to modify page presentation. If you have any favorites, please let us know :slightly_smiling_face:
moobox thank you sir
michaelthecryptoguy to improve the cost of using eth network
dr10 There are a lot of small companies, Twitch/Youtube content creators which live by ads. These ads aren't yet part of the Brave-System. Will there be a smooth transition? Can I still turn off the brave-mechanism and watch these ordinary ads, to support individuals or are they forced to switch over to Brave?
fixcrypt @brendaneich trust the code that can be hacked, or trust the people that can be evil… Make your choice. DAO vs Banks
brendaneich @michaelthecryptoguy yes, we must batch -- at first in-browser. auditable open source required, verified builds if OS/toolchain support them. there is a level of endpoint software trust in any attention ecosystem but part of the trade association idea is to standardize stuff, including ZKP and VPN rules for submitting the private ledger to the blockchain or equivalent, also auditing requirements to use BAT
cannabanana I trust bitcoin but I don't trust bitmain is not evil
brendaneich @moobox are you just asking for a dark theme? on our roadmap
moobox well this is a plugin for firefox that swaps out all website colors - nothing like it for chrome yet except an ugly one
brendaneich @tranzer yeah, GNO didn't sell enough IMHO but i'm not on team so won't throw stones -- just sayin' as observer
mward Why only 15M$ max? Don't you think the ico will end very fast?
moobox i am just hoping maybe some person sees it and says "i want that too"
tranzer @brendaneich are you still active in JavaScript development? Could there be any kind of cooperation with Ark in the future (also asking main dev of Ark @fixcrypt ) ?
brendaneich @dafty did you see the reddit link above? besides real (costs money, boots on ground; we're evaluating Blockscore rn) KYC, we have rate limits in mind based on humans, and flow limits so a compromised real user or convincing fraudster can't get $MMs of BATs from friends and family and then pass KYC to send off to a mixer
cannabanana :trollbounce: not to mention two of us are in the bay area
brendaneich start with in-game economics, no exchanges
1nfinite any chance you'll incorporate certain requirements for investments above xx number of Eth for the crowdsale? to prevent 20 big players from buying up the whole thing?
axente How are you guys legally setup? Swiss foundation?
jonathansampson @moobox We have heard similar requests from other users, and are eagerly working towards a release that supports both theming of the browser, and styling of the content. Let us know if you have any other ideas/requests :slightly_smiling_face:
brendaneich add KYC on publishers getting donations (done in prototype form in Brave using bitcoin rn)
add KYC for users wanting to withdraw -- this also means rate/flow controls
fixcrypt @tranzer well the only point would be to use ark as the payment network, instead of ETH, i don’t see any other interaction. Also maybe make brave agnostic enough so people can choose their network payment
brendaneich but for many users the opt-in zero-knowledge ad revenue is not enough to withdraw and they'll donate it
you can net-zero your monthly spend: make ad rev on non-top-20 sites, donate to top 20
I should add we want to start with user-private ad channels, like WeChat
we won't put ads on publishers' slots without their consent and partnership
some will come fast but bigs will be slow
so we're looking for user private ads: in separate tab, wechat-like bot, fullscreen channel, etc.
these can pay most rev share to user
still rate limited, no couch potato as a service lol
dr10 what about the twitch/youtube question? How could this work out?
brendaneich @dr10 we've always had a design that denotes payee with URL including path to youtube/twitch account, not just domain name
but we start with domain name for beta/MVP
will get team on twitch/youtube in coming months, it's hot topic
everyone wants it, we're just busy (24 people now)
crowdsale will help
can hire more to parallelize a bit
dr10 so you are working on a solution to pay off individuals within the brave-system, right?
@ yt / twitch
brendaneich @mward we debated cap on basicattentiontoken.slack.com and consensus was to keep at $15M -- but a few still suggest raising or no cap, much concern about fast sell-out and whales buying too much
mward yes, that is my concern.
look at gnosis distribution..
brendaneich @tranzer yes, i'm on Ecma TC39 and still active / consulted
mward you need a lot of small investors, not whales
dr10 When you implement Tor-like stuff. Can I also Download stuff via ToVpn? just using the Tor-Tab to download
brendaneich @1nfinite we aren't going to change the contracts, in third audit currently. we can't really limit whales who have tools to buy from lots of addresses
@axente we are not swiss but looking at tax optimization structures pre-launch; brave is delaware (US) c corp; trade group would be 501c6, need to pass IRS muster so that is many months after launch
axente Oke thanks
1nfinite got it, thanks. So will there be a cap for how much can be donated per address?
brendaneich @fixcrypt code is hacked, security never done; no silver bullets. but people are easier to hack and hack themselves lol
dr10 Is the brave browser running in a sandbox like chrome?
dafty how are inappropriate ads handled on the network, is there some form of reputation system for advertisers?
brendaneich @mward GNO sold too little, cetaceans eat too much agreed. GNT sold more and we can't find on-chain huge buys
@dr10 use Tor private tab, yeah
jonathansampson @dr10 That is correct.
brendaneich btw does everyone know Brave supports magnet: and .torrent now via WebTorrent integration?
@dr10 yes, we use chromium with the same sandbox -- had to fork electron hard (twice) to do this, btw. Slack uses unsandboxed chromium renderer processes :disappointed:
tranzer I think I'm sold on brave today will definitely try it out
jonathansampson @tranzer Awesome. Let us know if you have any feedback!
brendaneich @dafty we haven't taken any ads at all yet so start from clean slate. no exchanges, ads bearing malware get thru, also https://whiteops.com/methbot fraud on sell side steals revenue by putting real ads into fake slots clicked by fake users
our plan is to go direct to agencies who get ads from brands
our ads are opt in
no surprises for our users who want and expect baseline Brave to block
djselery @brendaneich what are your feelings about IPFS?
dr10 Will the Paying/receiving of tokens in the brave system be easy to understand for non-tech people? Is there some kind of tutorial or easy buttons or something like that? This is a total new environment for people. You have any plans for "educating" people or making it easy to use. Like a browser-integrated Balance? Easy overviews?
brendaneich if you opt in, you can start with light touch but to get BAT out you must KYC
@dr10 have you used Brave Payments (beta) yet? the support is built in
usable UX
tranzer will you need to do KYC also if you transfer to Brave and after that decide to put it out on exchange?
brendaneich we are moving (with new name, not "Payments") to second beta with Stripe as partner for users to fund automicrodonation wallet without seeing bitcoin
dr10 I have it installed and browse with it, but it is not taking me by the hand. I wouldn't know what's going on. I will look deeper into it.
brendaneich @djselery juan DMed me and we chatted about their JS implementation following WebTorrent into Brave -- it could happen. couldn't take the Go impl :wink:
@tranzer if you buy BATs as investor, no KYC -- just send ETH to token contract once launched, get BAT back
dr10 Maybe implementing something like a tutorial when starting brave browser would be nice. I am thinking of people who don't know any of this stuff and are not interested in researching it a whole lot
alexius89 @brendaneich are there partnerships with any exchanges (Bittrex, Bitshares etc.) planned or already confirmed after the crowdfund has ended?
geezee @brendaneich you should accept ARK :smile: :smile:
brendaneich @tranzer if you are a user of Brave after we launch BAT and have it integrated, and want to opt into ads, no KYC at first but the funds (to which you will have multisig custody, similar to bitcoin setup with BitGo wallet today in Brave for donations) flow in API-keyed and browser-automated fashion toward the accounting server that settles donations behind the anonize barrier
@tranzer if you want to send BATs from your wallet to other destinations then KYC needed
@dr10 go to Preferences / Payments; the Coinbase buy widget integration is US-only and a bit much for average users, wherefore our Stripe partnership
if you have BTC already, you can just fund your wallet and start
we have pinning (Patreon in the browser) in 0.15.2 now
so you can support sites with x% of your monthly budget whether you browse there or not
dr10 Will I earn more than I pay, when I chose to accept to watch these ads?
brendaneich @dr10 you don't have to pay at all, you can just earn
both donations (currently and in future) and ads (still to come, after BAT launch) are opt-in and separate
dr10 so basically what you say... the average dude can earn money just by browsing? It will be of course small amounts, but better than nothing
fixcrypt @brendaneich on a business model side, is Brave team earning directly from this (ie part of the revenue redirected to the team for further development)?
tranzer Will bat have finite coins and nothing added after a few years or is there some subsection where you can increase token numbers via smart contract in the future?
brendaneich @fixcrypt we are selling 70% and 30% floats on side. 10% is user growth pool. remaining 20% is reserves for team, bat.org (shorthand for basicattentiontoken.org; also have attentiontoken.org, attentioneconomics.org) and poss. user growth reserve
dr10 what if nobody chooses to donate to pay money to the ad-publishers/BAT. doesn't the concept break down? I mean many people just want to earn. They watch these ads and get money.
brendaneich @fixcrypt biz model for Brave is not fundraising, though -- that's mostly burned down as non-recurring engineering, marketing (ads and growth hacking), etc.
biz model is small percentage (currently 5%) of automicrodonation gross, and larger (maybe 15%) off gross ad spend
these will be public numbers, we want transparency
if we do user-private ads, 85% of rev could go to user
part of Brave's brand is a set of promises: your data only on your devices in clear; we don't track, or store cleartext; rev share to you for opt-in ads at least as our share.
fixcrypt @brendaneich i see some maintenance with regular upgrades from chrome and advertisers relationship, so it needs a regular funding from transactions i agree.
brendaneich @dr10 if everyone free-rides then system collapses; note this is risk today on Web, without Brave (which is small-share browser)
on Web today you can use a strong ad blocker like Brave, or Chrome+uBO+Disconnect.me
fixcrypt also will the revenue from donations will be contractual on the blockchain?
cannabanana do you have a contingency plan in case of critical ETH failure in the future?
brendaneich @tranzer contract is super-simple, we are making 1e9 BATs, no plans for more. can subdivide, expect appreciation but then use mostly as medium of exchange and unit of account, not store of value. don't want everyone hoarding. as with real world economies if everyone saved the system would collapse
michaelthecryptoguy for example the double spend issue like bitcoin had
dr10 What are your arguments for people donating for ads/keeping the money circulated. Why shouldn't they just cash-out their money?
Can you tell me an example of how much I would earn by browsing an hour? What is it depending on? Is there a good example to tell to people?
tranzer How are you going to counter exchange BAT price fluctuations? We all know tokens are highly volatile can go up 200% in a day or fall 50% in a day. How will you determine how much is someone paid ? Will you use USD value at time of contract with publisher / advertiser?
cannabanana @brendaneich wouldn't it be better to have a better distribution of BAT tokens during the ICO? currently in our environment with ICOs which have been selling out instantly is that there are like 10 whale ETH investors who get all the coins and hoard leaving out like 99.5% of the people who would have invested.
dr10 Don't know if I missed it. How much BAT will I get for 1 ETH?
fixcrypt @tranzer agree volatility is something advertisers don’t like
brendaneich @fixcrypt good q about transactional on blockchain, we do it all on bitcoin blockchain currently. we want transparency
have i mentioned ad tech is full of non-transparency, price gouging, etc.?
see http://digiday.com/marketing/proverbial-black-box-open-exchange-auctions-transparency-problem/
@dr10 we haven't pinned the ratio and won't till close to launch date in view of ETH volatility
we are raising $15M equiv
dr10 tranzers question is good
like to know that too
brendaneich @cannabanana global war, giant meteor impact, etc. -- "exiguous circumstances" -- leave us with no good alternative, i mean this in deep civilizational sense. BAT launch will be least of our concerns. Short of these, the risk to Ethereum is low. could have primal flaw in design exposed. would have to rebase on another blockchain -- would be hard, tons of risk
catching up...
cannabanana do you guys even believe in blockchain?
tranzer Rebase to Ark :trollbounce:
cannabanana ok, nm.
brendaneich @tranzer can't volatility hedge yet (gamma hedge) as far as i know -- anyone know diff?
@cannabanana i believe in blockchain -- as with standards, the great thing about blockchains is there are so many :stuck_out_tongue:
@cannabanana we see no whalesign in GNT; if you mean GNO, see above. they sold too little
cannabanana well I also believe but not in ETH so you are basically only allowing ETH believers to partake in your project
michaelthecryptoguy Wow!! You are doing great @ brendaneich :goodjob: In the dedication and effort department! :ghostfaceuk_node:
mward @cannabanana you can simply exchange btc to eth for ico. After ico ends and you have tokens, sell them for profit :trollbounce:
cannabanana and many projects recently "sold out" within minutes by 2m equivalent single transactions
@mward I won't ever buy any eth ever
brendaneich @cannabanana we are not religious about it, as noted above: tokens on Ethereum are proven tech (still young, mistakes and latent bugs, risk for sure but less than alternative token/smart-contract platforms). we are using Ethereum for smart contract based tokens and that's it
cannabanana that's not the point
you still must believe in it if you are only accepting eth
brendaneich @cannabanana did you actually check "many projects" to prove whalesign? we looked at some and aside from GNO couldn't find it
cannabanana :slightly_smiling_face: g/l
brendaneich @cannabanana we believe stuff, yes; have to believe to get up in morning, do anything
cannabanana i've been following altcoins since 2013
yes, i've seen them sell out in minutes
brendaneich but we are not Ethereum true believers in some zealot sense
cannabanana then why not accept bitcoin for the ICO
because of the risk you said.
brendaneich i will say ETH price rise is scary; but EEA (JP Morgan -- federal reserve founder!) backing Ethereum is huge
mike i had a very bad experience with HEAT using Ethereum, still have to pursue it to track it down - time consuming so have put it off. Used an online wallet, jaxx, i think, since installing and waiting days for blockchain was a lot more than i wanted to deal with. Maybe there are better alternatives now.
cannabanana sorry man, didnt mean to hijack your ama
brendaneich @cannabanana accept bitcoin how?
hardcode a bitcoin address in the token contract?
Zooko's XCAT scheme?
it's cool but no thanks
K.I.S.S. rules
we will not multiply risk (odds ratios) of independent events
that's a good way to die
cannabanana wow you are a jerkoff man
I just wanted to invest in your project
but won't touch eth
brendaneich i was at a startup before Netscape (MicroUnity), talked to Jim Clark when I got to Netscape. said "we were doing ten hard things at once that all had to work for success" and Clark said "odds were 1e-10!"
cannabanana good god, good for you man
1nfinite way to be respectful @cannabanana - just because of some feud you have with ETH, too
brendaneich @cannabanana i'm not the one calling names here
techbytes let's not digress... stay on topic please
brendaneich i do like XCAT, check it out. cross chain atomic transactions
1nfinite thanks for the transparency here and taking the time to answer our questions @brendaneich
brendaneich np
i think i'm over time
did i miss anyone's q?
dr10 What are your arguments for people donating for ads/keeping the money circulated. Why shouldn't they just cash-out their money?
Can you tell me an example of how much I would earn by browsing an hour? What is it depending on? Is there a good example to tell to people?
brendaneich @dr10 thanks
dr10 np :smile:
tranzer Thanks brendan for answering all of my questions - good luck with the project I'll be sure to participate
brendaneich if people see ads and cash out, the ad business is working and perhaps it dominates
moobox thank you for answering my questions also
brendaneich today's web relies mostly on ads, few paywalls and they convert poorly
i have a feeling with automatic, anonymous microdonations and payments we will see more of that and less reliance on ads
but cannot count ads out, for sure
mike any chance of eliminating the KYC so people can just withdraw their BAT and trade it?
brendaneich @dr10 comScore had a figure of 100 page views per user per day
devin Bitcoin is to slow
mike i don't see where kyc adds any value for the users.
tranzer @mike you won't need KYC if you are just going to trade as far as I got this
brendaneich assume we partner on one ad per page (just for easy math; i don't like this model and think user-private ad channel with one ad per day might be much better)
100 ad impressions per day, 3000/month, if $3CPM that is $9/month
twitchard Is there some way/what do you think would be the best way for developers interested in advancing your mission to contribute?
brendaneich if we put the ads in user private channel and share 85% to user, that is $7.65/month to user
$3CPM is low figure
dr10 CPM means?
mike like the idea very much over all.
noslawxtrafries cost per impression I believe
brendaneich it's an ad cost model: Cost Per Mille (Mille from Latin for 1000 impressions)
video ads pay more; not just CPM but CPX for X = watch a video by quartiles; watch to end; click on download promotion after end (usually game ad)
mike so KYC is just to withdraw to fiat, but to withdraw to an exchange or another wallet is unrestricted?
brendaneich @devin yes, bitcoin too slow; no privacy either
devin Screw bitcoin
I want a project that accepts both
brendaneich @mike KYC is required or fraud kills the system faster than regulators (who will kill it too)
@devin there are projects doing this but they are "upstream" of ours
dr10 What are your 3 major arguments for mass adoption of Brave Browser. - Some Slogan you would give to magazines, etc.
brendaneich Fast (3-7x, see next link), Private, and you get paid for your attention
but remember we want the 501c6 trade association if we sell out. BAT is for multiple apps
mike have you looked at Blockstack for ID as an alternative to KYC?
brendaneich more than Brave
@mike yes (I know founders and saw them recently); that doesn't help
dr10 yeah but Brave will be the flagship of BAT token, right? Or any other big vision planned?
brendaneich @dr10 Brave will be first, yes
eventually everything here should be a standard
nothing's proprietary
twitchard Could BAT be implemented as a plugin/extension to other browsers? (Would it be more practical to fork?)
dr10 good question
mike or is KYC just needed for a threshold to withdraw above. it does seem there would be a practical limit of how much organic ad traffic a user would be exposed to.
brendaneich blockchain, ZKP, even functional specs for KYC, definitely payments -- all should be standards used by lots of apps and services and people
@mike please find "rate" and "flow" above
ryano Dpos is probably the best consensus approach for things like this
devin @brendaneich thanks
brendaneich @twitchard BAT in extension is unclear as extensions have limited APIs, and often must be loaded from a store that has rules
kik got thrown out of iOS app store for doing its own payments some years back
CWS kicked out Ad Nauseum
mike i can see where something is needed to mitigate clickfarms in low wage regions.
brendaneich i'm half hour overtime so have to go soon
@mike yes, and sybil attacks to route funds to a mule
stuff like that
ryano Thanks for your time Brendan
twitchard Thank you
brendaneich np, it was fun (except for the jerkoff thing :-/)
tranzer Thanks good luck
dr10 thank you very much
ryano Let me guess canna ?
cannabanana lol
man I asked a legit question and got shit on
so fuck it
jakethepanda Hi everyone. As Brendan mentioned, he will be wrapping up the AMA. @brendaneich Thank you for your time.
1nfinite thanks @brendaneich , learned a lot just from the terminology you've been using. Will spend time looking into all this, but your project sounds great
ryano Still dude, it's not good if you are predictably the one causing trouble
brendaneich @dr10 here's the "Fast" money shot
cannabanana well some people can't all be agreeable
brendaneich uploaded this image: Pasted image at 2017-05-09, 10:33 AM
ryano You are the only one where this is an ongoing issue
It's bad for our community
cannabanana no, it's not. it's good because I give a different perspective on things. I'm not like you and I don't agree.
you think the success of ark has been on the backs of all the "good" ones?
brendaneich @cannabanana us taking ETH and me giving the reasons why we won't multiply risk is not me shitting on you -- we will have to just miss out on you this time. i wish we could take multiple currencies but it's an exchange problem at this point. maybe XCATs help in future
cannabanana I asked a legit question about what if it fails. what about the investors?
is that not a legit question?
cannabanana if you want me to put money in, I want to put in something I believe in
not something I don't
mike yes, if they want to stick with ETH, it's their call. Obviously plenty of ICOs have been successful with it, so it will continue in the future.
cannabanana consumers too, it's the same thing if it fails then the system is gone then the people who bought the bat to use are all out too.
brendaneich @cannabanana that's (https://arkecosystem.slack.com/archives/C41QFMCKH/p1494351381880292) fair and it means in a market, sometimes you don't make a deal -- you hold out for better product later
calling names and getting mad because someone won't do what you demand -- not fair. my 2 cents anyway
ryano You can't be calling guests jerk offs and trolls every time they don't tell you what you want. This is an ongoing issue with you. Nobody else here is lashing out at people except you and there are nearly 2000 people here.
jamiec79 oh lordy...
jamie exits the room quietly
cannabanana you know what nm
techbytes @brendaneich appreciate you stopping by today. Will put AMA on Reddit for others to find out more about your project.
brendaneich @techbytes thanks for having me
ryano Thanks Brendan
nt91 Brendan thank you for coming
ominous.shark Yeah, thanks for the AMA! @brendaneich ARK community appreciates it!
mike thanks for taking the time to talk with us about BAT, good luck with it.
michaelthecryptoguy :goodjob: Brendan and :goodluck: with the BAT ICO
boldninja Thanks @brendaneich - good luck with BAT
brendaneich thanks again
submitted by Jarunik to ArkEcosystem

[Table] IAmA: I am CloudFlare CEO and co-founder Matthew Prince, AMA

Date: 2014-05-02
How is it possible to charge one flat rate to all customers despite the fact that some of them use a couple of TB's a month and other PB's? At a high level: People hate their cell phone providers because their bills are unpredictable. We don't want to be thought of like a cell phone provider.
The scale economics in our business are significant. Our primary variable cost is bandwidth. However, the rate at which bandwidth prices drop is very fast as you start to get to scale. We're now at the scale where we can peer off a significant portion of our traffic, making it effectively free to us. If we can continue to push bandwidth toward zero then it makes sense for us to not charge customers more based on that.
The other thing is that we get smarter about stopping threats with every request that routes through our network. If we charged for bandwidth then it would cause customers to potentially avoid routing traffic through us. That goes against the core value that we provide: effectively a neighborhood watch for the Internet.
Hi Matthew, what are your thoughts about the recent news surrounding the FCC's new net neutrality proposal? How do you think it will affect services like CloudFlare? We're watching the FCC's moves on Network Neutrality very closely. My cofounder Michelle (@zatlyn) sits on the Open Internet Advisory Committee for the FCC. CloudFlare is the only startup represented on the committee. We recently retained a DC lobbying firm in part to advocate for network neutrality and we hired our first in-house counsel out of Google and the FCC. This is an important issue for us.
It's hard to overstate the benefits an uncensored, open Internet has created for the world. We're strong proponents of preserving the principles of Network Neutrality that have allowed open innovation. If governments around the world start to chip away at those principles, I'm hopeful that CloudFlare can use our scale and size in the market in order to ensure our customers will still be as fast as possible around the world.
Would CloudFlare ever get involved in a peering dispute if it would mean a better internet in the long term, even though it might result in temporary performance problems? We negotiate peering agreements daily. There are occasionally disputes. But, generally, most of the world's ISPs are still open to reasonable peering with us.
Notice anything different about SSL on Link to blog.cloudflare.com ? (Hint: you shouldn't.) We just enabled something very, very cool. :-)
One of the things that is critical to get mass adoption of CloudFlare in highly secure environments like financial institutions is a way to handle SSL without us ever having to be trusted with our customers' SSL keys. We've built something that does that and it's now running on a handful of customers' sites as well as on portions of cloudflare.com (the blog included). That's all I can say for now, but it's pretty cool and we'll be talking about it a lot more in the next few months.
Don't tell me it's a solution to P=NP. Please. No, it's not.
Hey Matt! What qualities do you look for when you're hiring, and how does one maximise their chances to land an internship? :-) Link to www.cloudflare.com
What does a community evangelist do? Sets up AMAs. :-)
Do you think the danger from Heartbleed was overexaggerated? Why? Do you code at all any more, or do you have lackeys do such menial work for you now? Generally, I think that a lot of these Internet vulnerabilities are overhyped. Heartbleed was an exception. It was literally like the plot of that bad Sandra Bullock movie "The Net." There was, effectively, a button that you could push on any server in the world to have it dump the contents of its memory. While everyone focused on it being a crypto vulnerability, the bigger risk continues to be stealing things like login session IDs. That wasn't hypothetical. People were doing it with major services like Yahoo Mail for days after the vulnerability was disclosed. My hunch is we'll still be finding problems created by Heartbleed 2 years from now.
When you started up CloudFlare, how far did you see it going? I don't code much anymore. Every once in a while I'll bang out a little Javascript or something in order to prototype something, but there's no way my coding skill is anywhere close to where it would need to be in order to program for CloudFlare.
Hmm. Don't know what my favorite startup is other than CloudFlare. One thing that has been fun is having young startups by the office to brainstorm. Michelle (@zatlyn) and I try and make time to help them out as there were a lot of people who did the same for us when we were getting started.
2) Railguns association. This is a must, we currently track associations in an Excel spreadsheet. That's pretty bad. Any idea when you might associate that in the partner portal? We want to allow root domains behind CloudFlare via partners. We've got a few different ways of doing that we're playing with. The challenge is we want to maintain flexibility to move customers between IPs in order to isolate them when there's an attack. Since the DNS RFC doesn't allow CNAMEs at the root, it makes it tricky. But we're working on it. I'm told the Railgun associations should be in the partner account portal relatively soon.
Hey Matthew - Are there any plans to provide security against state-sponsored APT attacks? With a massive network like CloudFlare, there may be an opportunity to track signatures and develop an enterprise product - any thoughts? We see what appear to be state-sponsored attacks quite often, although we spend more time on defense than we do on attribution so it's tough to really know the source of the attacks. Right now, for instance, there are news organizations on both side of the conflict in Ukraine using CloudFlare in order to stay online in the face of very large DDoS attacks. I agree with you that, over time, there's a lot we can do with our scale and data to better protect customers from more sophisticated attacks.
Did you write much of the original cloudflare code base?...if so, what was the most difficult thing about transitioning into your current non-coding role? What do the 3 remaining lines you wrote in CloudFlare do? Lee Holloway, one of my co-founders, was the technical genius behind CloudFlare and wrote the vast majority of the code. I built the first version of our front end and some other random bits of code along the way. The last bit of my code that is left is around our Always Online feature. If you look at how it handles background AJAX requests to see if the site has come back online and think, "That's janky," now you know why.
Hey Matt, What exactly is happening in your system to trigger a domain to bypass CloudFlare (in case of an attack)? Is there a pps limit? Is there a gbps limit? Also, if you enable the DDoS protection page in a reasonable amount of time (e.g. by checking cpu load and calling the api if it's high with a script ran by cron every minute) would you ever risk to get disabled? For free/pro accounts, the criteria is when the attack starts to negatively affect other customers. That threshold really depends on the circumstances of the attack. If, for instance, an attack is very regionalized and only hitting one data center then it actually is more likely to cause issues than if it is distributed. That makes it difficult to give hard and fast thresholds. For business/enterprise accounts, we have a policy of keeping them on the system no matter what. We have gone to pretty extraordinary lengths to keep biz/ent customers online under large attacks.
How do you manage to keep so active on social media while keeping up with all of your other management duties? Does your team sometimes post as you? Ha. No, no one else posts as me (@eastdakota). I don't post as @CloudFlare -- that's Damon on our team who was our 8th employee and literally invented the position of social media manager once upon a time when he was an early employee at PayPal. For my personal account, I think I tend to post mostly when I'm traveling (usually to complain about United Airlines). If it seems like I'm posting a lot it probably means I'm traveling a lot. Incidentally, still weirds me out a little when people come up to me and say: "I follow you on Twitter."
How did you get some of your first customers? Any strategies you can share? CloudFlare was born, in part, out of Project Honey Pot (www.projecthoneypot.org), an open source project that Lee (@icqheretic) and I started 10+ years ago. CloudFlare's first users were Project Honey Pot members. Our first email to them asked for a helluva leap of faith. Originally, the way you signed up for CloudFlare was by giving us your registrar's username/password. We wrote a little crawler that would log in to your registrar, scrape all the DNS info, and then update your name servers. When we first emailed people we didn't have a UI beyond a little box that said something like: "Give us your GoDaddy username/password." It was pretty crazy that people did it, but we'd built a ton of trust with them over the years running PHPot without ever asking for anything in return.
The other fun PHPot story was that when we were first starting we didn't have any money for equipment. Michelle (@zatlyn) suggested that we email all the PHPot users who lived around the Bay Area to see if they had any extra servers. So we did. Emailed about 100 people. Got a ton of replies. Michelle drove around in her little Jetta picking up all the servers. None of them worked, but we were able to take parts from them to cobble together 2 that kind of ran. It was on those two servers we built the first prototype of CloudFlare.
When are we getting a CloudFlare datacenter in India? I know bandwidth is super expensive here but I am guessing you have a lot of users here! India makes Brazil look like a cakewalk. The problem in India is the government and their propensity to pass retroactive taxes on data service providers. There are horror stories of network providers that get hit with tax bills based on "the value of the data" flowing through their networks. That uncertainty makes it very hard. We've actually explored putting a facility in Nepal. It made a lot of sense on paper since the country is within ~5ms of Delhi and has a lot of in-bound traffic, but not a lot of out-bound traffic. Unfortunately, we did the math and our volume of traffic, even just from India, would significantly burden Nepal's infrastructure. We haven't given up on India, but it's a great example of how very physical, old world things impact doing business even as a software/services company.
I hear good things, mostly, all over about CloudFlare. Can you give your top 3 reasons a smaller WordPress blogger should use your services? 1) It's free 2) Faster is always better 3) We work closely with the WordPress team and usually get early word of new vulnerabilities and are able to virtually patch them before they're announced.
Any chance that sub-accounts will ever become a feature? If by sub-accounts you mean the ability for multiple users to manage an account with different permissions then yes. It's coming with the rollout of the new customer site before the end of Q2.
What about transferring a domain to a different CF account? That'll be possible once multi-user is enabled.
What do you think are the biggest threats to the Internet these days? Is it governments, hackers, ourselves, etc.?
- Government action to "regionalize" the Internet. Brazil's proposal to require local data residency would have made building a modern web company very difficult.
- The UN's attempt to take control away from ICANN concerns me. The Internet has always been self-governed by its stakeholders. I'm concerned with the ITU or other governmental organizations stepping in and messing that up.
- Concentration of services behind a few giants worries me. The challenges of hackers and ISP fast lanes put pressure to huddle behind the Googles, Amazons and Facebooks of the world. I think that risks something very special about the Internet. That's part of the motivation of CloudFlare: to give you the resources of a giant without forcing you to live in their walled garden.
This is a more specific question about net neutrality: What do you think about ISPs charging Netflix for bandwidth? There's an expression in the law that hard cases make bad law. Netflix is a hard case, so it's hard to generalize from them. At their peak they are responsible for 30% of Internet bandwidth in the United States. That's enough that it imposes real costs on ISPs who have to install new routers, upgrade their backbones, etc. Those costs are real and so the dispute is really over who should have to pay for them. If the cost is imposed on the ISP then they'll, in turn, pass them on to customers. That doesn't seem fair to someone like me who isn't a Netflix subscriber. On the other hand, the ISP's customers are paying the ISP to access any service online, Netflix included. It's a tricky problem.
A lot of the problem comes from the fact that the market developed with all-you-can-eat/flat-fee pricing. That means low bandwidth users end up subsidizing high bandwidth users. You'd probably have a lot fewer market distortions like Netflix if end users paid on a usage basis. Of course, that's an unpopular option, and it's hard to imagine how you transition from one model to the other, but it would be easier for ISPs to get behind network neutrality if they knew they could bake costs of services like Netflix into their pricing. And, incidentally, it's not clear that, over time, customers would be worse off.
(I recognize there's a significant amount of irony in my suggesting that after, earlier in this conversation, saying that CloudFlare has fixed-rate pricing because people hate the surprises inherent with variable-rate pricing.)
The other thing that's gotten a bit lost in the conversation is that I'd guess Netflix is paying less for bandwidth through Comcast directly than they were via Cogent. People don't object to Netflix paying Cogent, but they do to people paying Comcast. The reason, of course, is that Comcast is a terminating access monopoly. Comcast has a monopoly over the access to all their subscribers (i.e., if Netflix wants to reach a Comcast subscriber, one way or another, they need to pay Comcast). That suggests that even if you have competition among end-user ISPs, the ISPs will still have a lot of market power over content providers.
These are hard problems.
What do you think of the progress of HTTP 2? Will Cloudflare be an earlier supporter of it once it gets released like you have done with SPDY? Yes.
When will Cloudflare have stickers again? I'm dying to get one ;_; We just got a new order of stickers in. I think Damon is planning on doing a give-away next week. Stay tuned!
Big fan. When are you opening an office in Portland? :) There are a lot of good people here. No plans for a Portland office. We run a data center nearby to handle data processing so we may open something at some point, but we believe it's pretty important to have as much of our team in the same office as possible. San Francisco is pretty nice too if anyone wants to move down.
What were your initial reactions to the Spamhaus incident that happened a long time ago? I was Spamhaus's attorney very briefly once upon a time, so I've known that team for a while. When their website got knocked down we were happy to help. At first the attacks were big but nothing out of the ordinary. I was out to dinner (on a date) when the big volume hit. My reaction was: "300Gbps?! Shit. How's the network holding up?" Good news was we'd designed the network to handle quite a bit more traffic. That said, based on how the attack was launched, it was easy to see how the attacker could have scaled it another 10x+. That would have been very bad, and not just for us. Thankfully, while the size of attacks has continued to grow, we're still within an order of magnitude of what Spamhaus saw.
Do you have statistics on the amount of requests that are served over IPv6? How is IPv6 usage growing over time for you? Also, thanks for your work to encourage the usage of IPv6, including the free gateway. We do, but I don't have them at hand. Martin Levy (@mahtin) on our team is working on a blog post where we'll be sharing them. There's been a marked uptick in IPv6 over the last 6 months, which is great news.
Hey Matthew, First off, I love your service and I am enjoying it every day. But how did you manage to go from a small startup to where you are today? Secondly, my cat says meow. Or something like that. One step at a time. I still think of us as a small startup. I walk into the office regularly and still think: where'd all these people come from. I think there's a fiction that startups often have a silver bullet that explains their success. Think about Facebook. There's nothing on its own that is so amazing about Facebook. For them to have built what they did was a million good, small decisions. Then, one day, they woke up and they were huge. There's nothing I can point to as a silver bullet in our story either. We've tried to make a million good, small decisions and tackle problems as they come up. One thing I've learned is that it takes as much effort to solve a big, daunting problem (like CloudFlare) as it does to solve something that seems more manageable. In some ways, big, gnarly problems are actually easier because they attract really smart people to help work on them. And, I don't have a cat, but if I did it would say meow right back.
What do you use to monitor your servers all around the world? We use a combination of open source tools like Nagios as well as a number of things we've developed internally -- although those too are usually built on open source tools like OpenTSDB and SystemTap. Our SRE team is amazing at keeping everything running while we are growing as quickly as we are.
Also, must say I love the blog, it's a great insight. The blog has been a real surprise. If you go back and read the early posts it started out much more like a traditional marketing blog. At some point we started writing more technical posts and they really resonated. Some of the posts that get the most readers are those that are the most technical. We encourage our engineering team to talk about what they're working on.
What were some of the challenges you faced when starting up CloudFlare in the beginning? If you could sum up the first few years of CloudFlare in one word, what would it be? Everyone thought we were crazy. "You're going to get people to switch their DNS to you, route their traffic through you, and you're going to do it by shipping equipment to locations around the world?! You're nuts." I saw someone Tweet the other day that every entrepreneur's superpower is naivety. I think that's right. Had we known all of what was really involved in building CloudFlare I don't think we'd have ever gotten started. But I'm glad we did and enjoy coming to work every day to build something that is literally helping build a better Internet.
How do you explain the recent hoarding of your latest IP range assigned, when static IPs aren't required for websites at this point, making the SSL point moot? We have millions of customers, so it's not a surprise we've got a lot of IPs. We're going to make SSL available to all our customers, even free ones. That will end up chewing up a bunch of IP addresses. Getting a large allocation of IPs was one of the last stumbling blocks we needed to overcome before we could do that. We just received a /12 from ARIN, so that plan is moving forward. I can't think of any other company that uses IPs as efficiently as we do. We've also been a big proponent of IPv6, so we're doing what we can to help with the transition to the future.
You've really taken a lot of the last /8... Wonder how you justified that as '3 months' usage with the current state of IP affairs. And, PS, Akamai just got a /10.
Hey Matthew! First of all, thank you for the good tools you're providing. I would like to know how you came up with this idea? Can you tell us more about your two previous start-ups? Were they totally different from CF? The first startup I worked for wasn't my idea. I was the first non-founder employee. It was completely different: an online health benefits brokerage based in Chicago. It was actually a lot like Zenefits, which is a new hot startup doing the same thing 15 years later. I learned a ton in the process.
My second startup is Unspam Technologies. It was in the anti-spam space and is still around (and profitable!) today. I still serve on the Board and Lee (@icqheretic), one of my co-founders at CloudFlare, was our first non-founder employee at Unspam.
Any server in Portugal soon? We've talked with some Portuguese ISPs about putting in what we call mini-PoPs directly into their data centers. That'll likely happen before the end of 2014. Madrid is coming even sooner: likely by the end of Q2 or early Q3.
Matthew, congratulations on the success of Cloudflare -- it's been fun to watch it grow. Here's my question: Cloudflare took the lead on Heartbleed and worked in a very open way with other companies and individuals to determine the risks of the defect and how to validate if your site was affected. Cloudflare also helped the NYT deal with a denial of service attack from the SEA about a year ago. That's part of what seems to be an ethos of "it's all of us against the bad guys" ethos in the security community. Do you see that cooperation continuing even though in some circumstances it may not be to the short-term benefit of some companies to "help" their competitors solve problems? I hope so. I really dislike the FUD marketing that many old-school security companies engage in. What I'm proud of is that the adjectives that our customers most often describe us with are "smart" and "helpful." We try and keep an ethos across the whole company of never saying: "That's not our problem." It means our support team spends a bunch of time helping people write their Apache configs and other things that don't directly have to do with us. The upshot, however, is that when the NYT comes under attack, we're someone the CTO trusts to call and help out.
What's your favorite color? Hmm. Not sure. I just painted my apartment and everything ended up being some shade of gray. That's such a boring answer. Probably something in the cool tones: blue or green more than red, orange or pink. Although... I do like CloudFlare Orange. (But CloudFlare's logo was almost blue: blog.cloudflare.com)
Cloudflare Brazil data center, when? Brazil doesn't make doing business there easy. We've had equipment sitting in customs for 3+ months. What my team didn't tell me when we started the Brazil project is that if Brazil customs denies your equipment entry then they burn it. Glad I didn't know when I approved the PO. The other thing that is a pain about Brazil is there's a 100% import duty on all equipment sent there. That means it's 2x the cost to turn up servers in Brazil as it is almost anywhere else in the world. Good news: equipment cleared customs and, last I heard, it was in the process of being racked. Barring something unexpected, Sao Paulo will be online before the end of the month.
Hey there! What's the biggest attack you have ever mitigated? The biggest one we've talked about publicly was just shy of 400Gbps. We've seen a few others that have been bigger than that, but nothing yet that's crossed 500Gbps. I think it's inevitable we will sometime in the next 12 months.
What's one business offshoot you wanted to pursue with cloudflare but couldn't because of whatever reason? I wanted to create a Gmail alternative to compete with Google. Start with a solid mobile app. Build crypto and security in from the beginning. Notify when your messages were passing over a non-secure SMTP session. Monetize on a simple per-seat basis rather than through ads. I think there are a lot of big companies adopting Google Apps but not excited about it. That feels like a market opportunity.
I wanted to create a stock exchange that leveled the playing field and limited access to high frequency traders. Potentially even go back to fractional share pricing to give margin back to stock brokers and encourage market research. Was interesting to read Michael Lewis's new book ("Flash Boys") and see that someone is actually trying it.
About a year ago, you told me Kanye West's Stronger was a good song to describe the success of Cloudflare. Considering the last year's experience, would you say that is still an accurate sentiment or would another song better describe it? Well, Kanye threatened to sue us because Coinye (the parody crypto coin) was a customer. Can't decide if that makes me more or less likely to do a CloudFlare remix of Stronger.
You guys dropped some hints on your blog about a new website with new analytics etc., any ETA on that? We've been testing a whole new customer website for the last 6 months. Our plan is to begin rolling out the beta over the next few weeks and have it out broadly by the end of the quarter (June). The first version won't have a completely new Analytics frontend, but we're working on the design for that and should roll it out in Q3.
Is your system going to get less annoying? Got nothing but errors from CloudFlare Stockholm over the past couple of days. Submit a ticket with the Ray ID and we can figure out what's going on. No known problems in Stockholm recently.
CloudFlare recently took away the ability for people to run CF on top of Incapsula's service, in essence proxying over a proxy and utilizing two CDNs at once. Now this situation, which previously worked fine for a long time, results in an error, "DNS points to prohibited IP". What gives? If it doesn't cause a problem why block it? (blog.cloudflare.com)
Submit a ticket and we'll figure it out. That said, proxying through multiple proxies is probably not a good idea.
What's brown and sticky? Rice from Koh Sumoi and the Monkey, the Thai place near our office in San Francisco. ;-)
When will you accept PayPal payments? You've said for so long you will accept this but still nothing. Thanks. I promise it's still something we're working on. A complete rework of billing is scheduled for Q3. That will include PayPal (and Bitcoin).
And, ps, don't think you're alone in being frustrated in how long it's taken. Kills me.
Cloudflare blog mentioned SSL will be available for free customers, any schedule or eta at the moment? We're shooting for end of Q2/beginning of Q3.
Is CloudFlare committed to keep the free plan for ever and never charge? Yes.
Do you have any plans for mainland China in the future? We use one of the big Chinese CDNs and the service is terrible. I think there is a big market for a global CDN that could offer ICP-approved services like ChinaCache. Stay tuned.
Last updated: 2014-05-06 16:35 UTC
This post was generated by a robot! Send all complaints to epsy.
submitted by tabledresser to tabled


We suggest that Bitcoin developers focus on providing various security levels in Bitcoin clients; for example, transfers between the user's own Bitcoin wallets should not be treated the same as transfers to a trader. Security alerts and notifications should be more clear and concise, and users should be notified when confidential settings are accessed or when there is any change. Important ...

Most websites store their user's login state in the session, and if an attacker has the session ID, he has the privileges of the logged-in user as well. In other words, the two concerns of maintaining the session and authentication are often coupled. One problem is that it is easy to make session fixation attacks. In this case an ...

In modern web applications, JWTs are widely used as they scale better than a session-cookie based approach: tokens are stored on the client side, while a session uses server memory to store user data, which might be an issue when a large number of users are accessing the application at once. Since the JWT is sent along with every request and contains all the user information, even ...

So basically, while storing a random session ID in a cookie directly isn't necessarily insecure (as long as the ID is unpredictable and sufficiently long), encrypting and signing the session information offers a number of additional capabilities (like the ability to store expiration information in the cookie itself, and the ability to identify attempts to forge a session ID) which can be used ...

I think you misunderstood the concept of a session: a session is a server-side per-user data store which allows you to save user data on the server side. Thus, you have 2 options: resort to using cookies, which will give the illusion of a session (but not quite the same); you can access cookies very simply by document.cookie.


