2014-05-23 00:36:46 <maaku> I rebased the CMoney type pull request (#4067) against master. This pull request is a bitch to rebase (that's why it is suggested for bitcoin core), so any reviews would be most welcome
2014-05-23 00:37:00 <maaku> I'll swap reviews if someone has a PR they need some eyes on
2014-05-23 03:35:41 <shibeKBVE> Hey guys
2014-05-23 03:40:08 <shibeKBVE> Have you guys checked out, https://apicoin.io/?
2014-05-23 03:47:22 <poutine> shibeKBVE, Looks like a site devoid of any meaningful information on what exactly it is that they do...
2014-05-23 03:49:57 <shibeKBVE> I just found this documentation, https://apicoin.io/api/v1/doc/
2014-05-23 05:04:18 <michagogo> davout: pretty sure redeemscript is the sPK
2014-05-23 05:05:12 <michagogo> Oh, no, nvm
2014-05-23 05:05:33 <michagogo> you can get it from getrawtransaction or decoderawtransaction
2014-05-23 06:16:17 <gigamike> hello, anyone around :)
2014-05-23 06:17:29 <michagogo> gigamike: nah, the 506 users in this channel are fakes
2014-05-23 06:17:33 <michagogo> :P
2014-05-23 06:17:41 <gigamike> lol
2014-05-23 06:18:07 <justanotheruser> michagogo: 506? Wow, it's shrunk!
2014-05-23 06:18:38 <michagogo> justanotheruser: don't you have the number in your client?
2014-05-23 06:19:06 <justanotheruser> michagogo: If I scroll up enough or google the command in IRSSI to find that out :P
2014-05-23 06:19:55 <michagogo> Ah, I just have it displayed on the userlist
2014-05-23 06:21:33 <gigamike> guys, maybe you can give me a suggestion. I have a site which i send payouts through BTC. I pull a computation on my DB and pay...question, what if my db was hacked, what's the best solution that im making sure im sending a correct computed payouts...sorry for looooong text lol :)
2014-05-23 06:23:12 <justanotheruser> gigamike: very frequent backups? I may not understand the question
2014-05-23 06:24:09 <gigamike> i see
2014-05-23 06:24:28 <Arnavion> What do you mean by "correct" computed payouts?
2014-05-23 06:25:09 <gigamike> some hackers are real good that they manipulate data that you as admin dont notice that they edit data and hence computation is altered, you know what i mean
2014-05-23 06:25:19 <Arnavion> I know what hacking means
2014-05-23 06:25:24 <Arnavion> I'm asking what you define as "correct"
2014-05-23 06:25:40 <Arnavion> Does that mean the value / recipient of the payout is what you expected it to be?
2014-05-23 06:25:43 <Arnavion> or something else
2014-05-23 06:25:52 <gigamike> ok, let say my computation is based on percentage for sales on payouts
2014-05-23 06:26:11 <gigamike> then hacker manipulate data
2014-05-23 06:26:35 <Dizzle> gigamike: in an enterprise environment, you might have every transaction going to some kind of pubsub. One of the subscribers to this pubsub might put all the transactions and small numbers in an append-only log. Another subscriber might do the calculation for a derived number that is later written to the DB (and potentially an append-only log). These logs could then be played back to see if derived numbers match what's in the db. The hacker in this scenario has a much bigger task ahead of him or her.
2014-05-23 06:26:37 <gigamike> they manipulate via altering db
2014-05-23 06:28:11 <Dizzle> Though, in the pubsub scenario, if the hacker suddenly gains publish-access, they could cause some real damage, but the numbers would probably add up at least :)
2014-05-23 06:28:28 <gigamike> oks oks
2014-05-23 06:28:33 <Arnavion> So you're asking how to detect someone ran ```UPDATE payouts SET payout = 100 * payout``` on your DB?
2014-05-23 06:28:40 <Arnavion> The answer is to not let them do that
2014-05-23 06:28:51 <Arnavion> and as Dizzle said, maintain a separate ledger of updates to said DB
2014-05-23 06:29:09 <wumpus> <gigamike> they manipulate via altering db <- if 'they' own your DB, you're screwed in any way
2014-05-23 06:29:11 <gigamike> @arnavion, you are right, im trying to explain it to my client, that's the best solution not to be hacked
2014-05-23 06:29:55 <Arnavion> And as justanotheruser said, always have a backup to restore to
2014-05-23 06:30:06 <gigamike> even i do some manual check if i depend on db then its useless to manually check
2014-05-23 06:30:19 <Dizzle> gigamike: if your application is on AWS, SNS and SQS make a pretty easy pubsub model to work with. It's a *little* expensive to keep polling the queues if you aren't getting many transactions at first, mind you.
2014-05-23 06:31:13 <wumpus> isolate the critical parts of the database apart from the less important ones on a secure server, tightly control access to that and which operations can be done by who, keep frequent reliable backups, and still write auditing tools that check everything periodically
2014-05-23 06:32:05 <gigamike> @wumpus...auditing tools...nice :)
2014-05-23 06:32:38 <gigamike> guys many thanks for the help :)
2014-05-23 06:33:27 <Dizzle> Thanks for trying not to be the next MagicalTux.
2014-05-23 06:33:33 <wumpus> yes :)
2014-05-23 06:33:41 <Arnavion> Is that the mongodb guy?
2014-05-23 06:33:47 <Arnavion> Was*
2014-05-23 06:33:54 <michagogo> That's the MtGox guy
2014-05-23 06:33:58 <Arnavion> Oh right
2014-05-23 06:34:27 <Arnavion> So many fails in the bitcoin world. Hard to keep them all apart in my head
2014-05-23 06:36:23 <wumpus> frequent and early failing is good, it kept people on edge instead of putting too much trust in a single actor
2014-05-23 06:40:52 <Dizzle> gigamike: not to keep us on the off-topic from bitcoin core discussion, but here's another thing to consider when trying to not to get your DB hacked: https://s3.amazonaws.com/dizzle/dont-use-php-2014-05-23.png
2014-05-23 06:41:39 <Dizzle> That's what it looks like when I turn on security exception emails for an app on just about any public IP out there.
2014-05-23 07:33:35 <dizko> ^^^ yea controlling very carefully how you deal with user input is probably the #1 thing after proper network isolation /control, etc
2014-05-23 07:34:20 <mus1cb0x> validate that data
2014-05-23 08:58:33 <jaromil_> lulz http://www.globalnerdy.com/wordpress/wp-content/uploads/2010/03/licenceplatecamerasqlinjection.jpg
2014-05-23 09:15:28 <deeprock2> is anyone here familiar with how stealth addresses work, that I can message in private? want to understand more about them
2014-05-23 09:18:29 <wumpus> I think it's more effective to just ask your question here, then someone who knows can answer
2014-05-23 09:19:37 <Luke-Jr> sigh, always fun when your memcpy function is broken
2014-05-23 09:20:13 <wumpus> memcpy broken? how can that happen? some funky new architecture?
2014-05-23 09:20:55 <deeprock2> ah ok, i didn't want to spam the chat, the main problem i'm finding hard to understand is in the proposal by pete, is when you do the BIP 32 key derivation part which is written as (Q+c)G... (c is the diffie-hellman shared secret that Alice and Bob have created). From my understanding Q and G are two points on a curve so you can't multiply them... i think it might be a typo, but then i'm not sure what happens at this point.