Communication, Transparency and the tools that help.

Shannon here wearing my communications hat today. One of the big goals recently has been the streamlining of communication both within the foundation and with the community. Since that time I have been working to pull many of our channels of communication into one location and working with David and Adam to make the channels we do have easier to search and consume. I’m releasing some of those tools now and want to take a few minutes to explain what we are currently doing and my goals moving forward.

In a post by David he mentioned a program developed I think for GitHub called HUBOT which was an automated interactive agent that a team can communicate with to do various tasks, like answering queries or relaying messages. The project is widely used and respected. I back-burnered the addition of this software into our internal stack early on. About a month and a half ago I was reading an article about the executive who created Flickr as an internal project for a video game project that eventually went belly up (Read more here). The article went on to talk about a new piece of software, “Slack”, that his current team developed to handle internal communication, and I was intrigued. I promptly installed it and started trying to understand the pull power of what it could do.

Slack on the surface looks much like a web-based IRC implementation, complete with rooms prefixed with a # (#general, #random) that are easily created by any user of the system. But looking a little deeper at the concept of integration, the true power of Slack slowly starts to creep in. At its heart the Slack environment encourages adding integrations to your system. An integration is essentially an API connected to the Slack infrastructure.

They offer roughly 60 connections to various APIs, some of which open up other API lists. They also offer simple web hooks and event-based scripting. This opens the door for a nearly unlimited combination of actions that can be scripted. You can have external forces or events trigger things to happen in one or all of your Slack “rooms”, and you can have events that happen in a Slack room trigger something to happen externally. The options are really quite amazing. But as with most things that have such a powerful capability, it’s up to the user to decide how best to harness this.

A quick example of a task that I was able to automate in a matter of minutes without writing any code: publicly reminding team members about their blog posting schedule.

First I created a calendar specifically to keep events that correlate with each member’s blog posting day.
I created an event that fires a few minutes before each event.
When this event fires, it triggers an HTTP POST call that takes the details of the calendar event and passes the values into the “slackbot” API.
The Slackbot API takes the values and sends a message to the #general channel.

This automation will run until I turn it off and took literally minutes to create. This was sort of a whimsical automation because I could and I needed a way to gently remind people of what’s being published today and by whom.

Part of our goal of transparency was making our Skype group chats more easily accessible. Stage 1 of this is complete: we now have 4 Skype channels that are logged, and the messages are pumped into a Slack channel representation of each Skype group. Stage 2 will be to relay these same messages to http://mastercointalk.org to allow people without Skype to see what’s happening. I’ll issue another update when the Skype => forum integration is complete. Here is the GitHub repository that contains the application I wrote to help log the Skype group chats. It requires only your Slack API endpoint and API key, along with the groups you are interested in logging and the matching Slack channel.


Another feature we are working on is a singular publishing point from within Slack. We created plugins for both Facebook and Twitter that interface with Slack through a project very similar to HUBOT called MMBOT, a C# port of HUBOT. I’m at heart a .Net and Java developer, so I jumped at a C# bot that I can use to tie together the missing pieces.

Here are the plugins I wrote to facilitate the publishing of tweets and Facebook posts. This particular integration uses the Zapier API, which brings with it over 80 additional API connections that can be consumed using Slack, HUBOT, MMBOT, etc.

 

 


Integration with Mastercore Volume 2

Shannon Code here: During my AmA I was asked about monitoring an address so they could log incoming deposits into a database. I researched a bit, asked the core developers here on the development team and came up with a pretty elegant solution.

Continuing with the integration demonstration here: http://mastercoin.io/mastercore-integration-nodejs/ I’ll demonstrate how this can be done.

This example is of course a simplistic version: there is very little error handling and only the simplest “MVP” (Minimum Viable Product) has been demonstrated. I handled it this way to make things easier to follow along with.

Let’s get started:

First off, let’s clone the example files so you can follow along:

> git clone https://github.com/genecyber/Mastercore-Node-App.git

This should get you a copy of the files needed. I (being a .Net developer) am writing this app in Node, but I’m using the Visual Studio Node tools for VS2013. I have included the project files in the event that you would like to also use Visual Studio.

You will need to install the dependencies. npm is used to install the dependencies.

If using Visual Studio

If using bash

Modify your copy of config.js to reflect the information needed to connect to your Mastercore instance.

Start the application

> node server.js

or if in Visual Studio click the play button

You should now be able to access the application via your web-browser.

You can also check out my live version here: http://162.242.208.46:3000/

 

Diving In

First things first: bitcoind has the walletnotify flag built right in, and I’m illustrating how to harness this capability. I found a great resource via this post.

Wallet notify works by telling bitcoind you want to execute some command locally whenever a wallet event happens. Incoming tx, confirmations, outgoing tx, etc.

~/.bitcoin/bitcoin.conf

walletnotify=~/.bitcoin/notify.sh %s

This excerpt is from my bitcoin conf file and simply says run notify.sh and append any parameters. In this case it will be a transaction id.

My notify.sh simply runs curl on my notify endpoint to persist the transaction.

So looking back at the node app we can visit the /notify url to monitor transactions: http://162.242.208.46:3000/notify/ You will notice an address we want to monitor. Sending any transactions to this address should now create records in our database.

Testing it out

Nothing in the database:

Make a deposit

Now we have a transaction id stored in our database!

How’d That happen?

I’ll dive into the node just a bit now to show how that works behind the scenes.

Here we now include the sqlite3 library

Here are our routes for handling the /notify view and the /notify/:txid/ endpoint
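As an added example (not the app's own code), this is one way the logic behind a /notify/:txid/ route can check the value that notify.sh forwards before anything is persisted, and cope with walletnotify firing more than once for the same transaction. The Map stands in for the sqlite3 table, and every function and variable name is hypothetical.

```javascript
// Added example, not the app's own code; every name here is hypothetical.

// A Bitcoin transaction id is a 32-byte hash written as 64 hex characters.
const TXID_RE = /^[0-9a-f]{64}$/i;

// Pull the txid out of "/notify/<txid>/"; return null for anything else.
function extractTxid(requestUrl) {
  let pathname;
  try {
    pathname = new URL(requestUrl, 'http://localhost').pathname;
  } catch (err) {
    return null;
  }
  const m = /^\/notify\/([^\/]+)\/?$/.exec(pathname);
  if (!m || !TXID_RE.test(m[1])) return null;
  return m[1].toLowerCase(); // one canonical form per transaction
}

// Stand-in for the sqlite3 table: txid -> number of notifications received.
// bitcoind calls walletnotify again when the transaction confirms, so the
// same id arriving more than once is normal and must not create a new row.
function recordTx(store, txid) {
  const seen = store.get(txid) || 0;
  store.set(txid, seen + 1);
  return seen === 0;
}

// HTTP status the route would answer with for a given request URL.
function handleNotify(store, requestUrl) {
  const txid = extractTxid(requestUrl);
  if (txid === null) return 400; // rejected before it reaches storage
  return recordTx(store, txid) ? 201 : 200;
}

// Constructed sample requests (the txid is made up).
const demoStore = new Map();
const demoTxid = 'ab'.repeat(32);
const demoResults = [
  '/notify/' + demoTxid + '/',
  '/notify/' + demoTxid.toUpperCase() + '/',
  "/notify/1'; DROP TABLE tx; --/",
  '/notify/deadbeef/',
].map((u) => handleNotify(demoStore, u));
console.log(demoResults);
```

When the validated id is written to a real database, pass it as a bound parameter of a prepared statement rather than concatenating it into the SQL text.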

I hope this helps answer how to monitor an address using Mastercore.

Shannon Code
Mastercoin Developer Evangelist & Head of Security


Security in the Blockchain: Past, Present and Future

This weekend I went to my first Bitcoin Expo here in Raleigh, NC. It was pretty exciting. I got to meet a bunch of local enthusiasts and discovered I had a few friends from other circles that overlapped into Bitcoin. I also got to meet face to face with some of the Mastercoin team and network: Sam Yilmaz, Brian Deery from the NotaryChains.com team & the entire Merchantcoin team.

One of the reasons I was attending the Cryptolina Bitcoin expo was to present a talk about security. Security is important to me and the entire Mastercoin group. Many of our decisions come from thinking about security early in the requirements and design phase of development. I followed CrowdCurity CEO Jacob Hansen who spoke also on security. I would like to point out that here at Mastercoin we utilize the services of CrowdCurity to offer ongoing crowd based security audits on Mastercoin products.

I’d like to offer a condensed version of my security talk for you today:

Security in the Blockchain: Past, Present and Future

One early mistake discovered was the use of an un-random source of entropy to generate key pairs for wallets or sign transactions. Attackers were able to scan the blockchain looking for collisions of public keys. Details of this heist can be seen here.

Another exploit, as seen on Blockchain.info, was when an XSS was placed into a transaction by running hex on the outputs of the transaction, potentially resulting in code execution in users’ browsers. Details can be read about here.

This next story is a warning to anyone who is thinking about using a brain wallet: Don’t
When I decided to get back into bitcoin ~8 months ago I decided I’d buy some bitcoin and transfer it to a wallet. I had read about brain wallets and liked the idea. I used the following string because for some strange reason I still remember it from high school: “IWentToTheWoodsBecauseIWishedToLiveDeliberately”. Within seconds of my transfer into the generated wallet my coin was transferred out. I was hooked. After researching and testing with a few other transfers I discovered a huge network of brain generated addresses that were being monitored. It’s fair to assume that if it’s been written down in any language, ever, it’s not safe to derive a wallet address from.

The most common vulnerability seen in Bitcoin heists these days is the old-fashioned SQL injection attack: unsanitized inputs give bad guys the ability to modify the SQL statements used to display custom information on a page. This type of attack is easily mitigated through testing and crowdsourced security testing.

The ideas of meta layers on top of the Blockchain, self generated assets & decentralized applications, while not new are only now becoming technologically possible, experimented with and deeply thought through. Because of the fast movement of the technology and the rate at which new features are developed, often security is forgotten. An issue I have seen is bestowing some incorrect level of trust to things within the Blockchain. We have to remember things are in the blockchain because someone asked and ultimately paid a miner to persist it there. That being said, with meta coins they will most often include things like a description, name, more information url. This information is delivered to users in their wallets, exchanges, explorers, often as sanitized strings.

A coin titled “ExploitCoin'<scrip t>Alert(‘doing bad things now’)</scrip t>” might allow the execution of JavaScript on users’ devices. As developers, remember to sanitize both inputs and outputs.
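The output side of that advice, as an added example that is not Mastercoin or Omniwallet code: a wallet or explorer rendering asset metadata read from the chain, first by plain concatenation and then with each field encoded for the HTML context it lands in. The asset object shape and all function names are assumptions made for illustration.

```javascript
// Added example, not Mastercoin or Omniwallet code; names are hypothetical.

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Escape the five characters that can change HTML structure.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Accept only http(s) for the "more information" link; javascript:, data:
// and unparsable values are dropped instead of being repaired.
function safeUrl(value) {
  try {
    const u = new URL(String(value));
    return u.protocol === 'http:' || u.protocol === 'https:' ? u.href : null;
  } catch (err) {
    return null;
  }
}

// Unsafe: chain-supplied strings are concatenated straight into markup.
function renderAssetUnsafe(asset) {
  return '<li><a href="' + asset.url + '">' + asset.name + '</a></li>';
}

// Safer: every chain-supplied field is encoded at the point of output.
function renderAsset(asset) {
  const name = escapeHtml(asset.name);
  const url = safeUrl(asset.url);
  if (url === null) return '<li>' + name + '</li>';
  return '<li><a href="' + escapeHtml(url) +
    '" rel="noopener noreferrer">' + name + '</a></li>';
}

// Constructed sample modelled on the coin title quoted above.
const sampleAsset = {
  name: "ExploitCoin'<script>alert('doing bad things now')</script>",
  url: 'javascript:alert(1)',
};
console.log(renderAssetUnsafe(sampleAsset));
console.log(renderAsset(sampleAsset));
```

Encoding at output time protects every consumer of the data, including records that were stored before any input validation existed.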

A potential attack that I made known to the Bitmain representative at Cryptolina describes how, using a search engine that indexes hardware or “The internet of things” one can find over 550 AntMiner Bitcoin miners publicly available on the internet. It’s probably the case that some of these devices did not change their default username and password.

Bitcoind instances should always be upgraded. I showed another query that identified over 2000 Bitcoind instances vulnerable to the Heartbleed vulnerability.

My Slide deck can be seen here:  and anyone can ask me anything Mondays on Reddit (Here’s Today’s AMA)


Shannon Developer Evangelist – Ask Me Anything

Hello Masterminds,

I’d like to introduce myself. I’m Shannon Code. My position here at Mastercoin is an exciting one. I have been named the Developer Evangelist. In an attempt to pool resources and tighten integration within the team I am also going to be taking on many of the responsibilities we were looking for a communications director to fill. I started off my adventure here at Mastercoin as head of Security and will continue to triage security issues as they arise.

I’d like to welcome everyone to join me on Reddit today for an Ask Me Anything Session

What is a “Developer Evangelist”?
Wikipedia defines a technology evangelist (which I’m going to use for the purpose of discussion) as a person who builds a critical mass of support for a given technology, promoting the use of the technology through talks, blogging, user demonstrations, or the creation of small projects. I like this definition because it embodies much of what I’ll be doing with Mastercoin and the Crypto Currency community.

Who is Shannon Code?
I’m Shannon Null Code, I’ve been a software developer since I can remember. (apparently before that too but I don’t remember) No kidding I would bang away at my IBM PC that would boot into Basic. I knew from an early age that this is exactly what I wanted to do with my life. I have worked with a number of startups over the years and excelled at the task of “Someone said this is impossible, can you take a crack at it” type tasks. At one place of employment I co-developed software that would play the game of World of Warcraft Autonomously. (Gold Farming, Power Leveling)

These positions allowed me to build up a large catalog of knowledge that many people in traditional jobs do not have the opportunity of obtaining. I also developed a love for APIs and Mashups. I really enjoyed taking a few APIs and inventing something new. As the years progressed I was introduced to the concept of Agile & Extreme programming, testing and automation. Circle all the way around back to today. I find myself telling people all the time that the secret to success is to do what you love. No seriously, it’s cliche for a reason. If you really do what you love for a living, you will love what you do.

So how about that name?
My wife and I, both lovers of technology, both in the software community agreed on the name change of code when we got married. (Later we issued this Announcement that we were pregnant in code) This was after a bunch of involvement from twitter, voting by all the members of the family (My kids came up with some cool names, notably “Maya Hacker Johnson” ) The tester / hacker in me wanted to have more fun and decided we should change our middle names also. So I became Shannon Null Code and my wife, Dawn Test Code. (Yes drop tables was a strong contender)

Moving forward
I plan on working closely with Craig Sellars, David Johnston, Judith Jakubovics, Adam Chamely & Faiz Khan to reach out and communicate with the community, to represent the users to our team and to represent the team to the community. Together we will work to hear your needs. I will listen and ask questions. I will help with integrations, I will participate in group brainstorm sessions. I will be available to talk over the communication network of your choice. My plan largely involves helping inspire the developers who are not working with the Mastercoin Protocol, and offering them the support that they need, even if it’s not directly related to Mastercoin. I plan on releasing tutorials and blog posts regularly about my adventures experimenting with the technologies that Mastercoin releases along with crypto currency technology in general here: http://mastercoin.io

Follow us on Twitter, Youtube, Google+, Facebook, Reddit, IRC and any others I might not be thinking about right now. Please don’t hesitate to ask for help, ask for guidance, ask me anything.

Starting today on Reddit and continuing through the other networks as well.

(Name Change) http://www.agileconnection.com/interview/one-expert-another-dawn-and-shannon-code
(IBM Basic) http://en.wikipedia.org/wiki/IBM_BASIC#mediaviewer/File:IBM_BASICA.png
(Wow Bot) https://github.com/genecyber/Cerebrum

 


All your attack surface are not belong to Omni.

Omniwallet is not built like most other web applications. We built Omni from the ground up with security in mind. First of all, as a rule Omni never sends your password to the server. Your password is only used locally to unlock your private key(s). Speaking of keys, they are also not stored unencrypted on the server. https://github.com/mastercoin-MSC/omniwallet/blob/master/design/login.md

Continue reading here as we go through our login and send transaction workflows with a technical eye.

-Shannon

Mastercoin Security.
