Restrictions on input characters are often a strong indication that a cryptographic key derivation function (or even just a salted cryptographic hash function) isn't being used to store the passwords.
It had simply been some time since I had worked with MySQL.
I didn't fully understand prepared statements when I began creating the site (as I had never worked with them before), so I put in a check to make sure that nobody was trying to inject anything via SQL when registering, but I realize that is all for nothing now when using prepared statements.
Needless to say, I have removed the password restrictions... now the only restriction is that it must be at least 6 characters in length, and must be no more than 5,000 characters in length. You should be able to use any kind of crazy UTF8 combination of characters you can muster.
Not only that, but attackers are limited to 3 attempts per IP per hour when trying to log in via brute force.
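The three points raised in the two comments above (a KDF rather than character restrictions, parameterised queries instead of a hand-rolled injection check, and a per-IP attempt limit) fit together in one small registration and login flow. The block below is an added example in Python with sqlite3, not code from the original thread or from Cryptanalys.is (which is written in PHP); the 6/5,000-character limits and the 3-attempts-per-IP-per-hour rule are taken from the comment, while the scrypt parameters, the table layout and the in-memory limiter are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import sqlite3
import time

# Policy values quoted from the comment above: password length 6..5000
# characters (any UTF-8), 3 login attempts per IP per hour.
MIN_PASSWORD_CHARS = 6
MAX_PASSWORD_CHARS = 5000
MAX_ATTEMPTS = 3
WINDOW_SECONDS = 3600

# scrypt cost parameters are an assumption for this example (16 MiB, ~tens of ms);
# tune n/r/p to the hardware actually serving logins.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16


def _hash_password(password: str, salt: bytes) -> bytes:
    """Memory-hard KDF over the raw UTF-8 bytes: no character restrictions needed."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def open_db() -> sqlite3.Connection:
    """Constructed in-memory user table; stores a per-user random salt plus the KDF output."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, "
               "salt BLOB NOT NULL, hash BLOB NOT NULL)")
    return db


def register(db: sqlite3.Connection, username: str, password: str) -> bool:
    """Length check only; the '?' placeholders make the username data, never SQL."""
    if not (MIN_PASSWORD_CHARS <= len(password) <= MAX_PASSWORD_CHARS):
        return False
    salt = os.urandom(SALT_BYTES)
    try:
        db.execute("INSERT INTO users (username, salt, hash) VALUES (?, ?, ?)",
                   (username, salt, _hash_password(password, salt)))
    except sqlite3.IntegrityError:   # duplicate username
        return False
    return True


class LoginLimiter:
    """Counts *failed* attempts per IP inside a sliding window.

    In-memory only (assumption for the example); a real deployment would keep
    this in a shared store so that every web worker sees the same counts.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._failures = {}  # ip -> list of failure timestamps

    def _recent(self, ip: str) -> list:
        now = self._clock()
        recent = [t for t in self._failures.get(ip, []) if now - t < WINDOW_SECONDS]
        self._failures[ip] = recent
        return recent

    def allow(self, ip: str) -> bool:
        return len(self._recent(ip)) < MAX_ATTEMPTS

    def record_failure(self, ip: str) -> None:
        self._recent(ip).append(self._clock())


def login(db: sqlite3.Connection, limiter: LoginLimiter,
          ip: str, username: str, password: str) -> str:
    """Returns 'ok', 'bad_credentials' or 'rate_limited'."""
    if not limiter.allow(ip):
        return "rate_limited"
    row = db.execute("SELECT salt, hash FROM users WHERE username = ?",
                     (username,)).fetchone()
    if row is None:
        # Spend the same KDF cost as a real check so that the response time does
        # not reveal whether the username exists.
        _hash_password(password, b"\x00" * SALT_BYTES)
        limiter.record_failure(ip)
        return "bad_credentials"
    salt, stored = row
    if hmac.compare_digest(_hash_password(password, salt), stored):
        return "ok"
    limiter.record_failure(ip)
    return "bad_credentials"


if __name__ == "__main__":
    db, lim = open_db(), LoginLimiter()
    register(db, "' OR 1=1 --", "pässwörd🔐" * 500)   # injection text is stored literally
    print(login(db, lim, "10.0.0.1", "' OR 1=1 --", "pässwörd🔐" * 500))   # ok
```

Two practical notes. The length cap is checked before the KDF runs, so a 5,000-character password costs the same as a short one and a multi-megabyte one is rejected without touching the hash. scrypt (like Argon2 and PBKDF2) hashes the whole input, so the 5,000-character limit is real; if bcrypt were the KDF instead, only the first 72 bytes of the password would be significant, which is documented bcrypt behaviour and worth knowing before advertising a large upper limit.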
Seeing the link title I thought "nice, an HN like with focus on my domain and less bitcoins related crap". Wow, I couldn't be more wrong. "crypto, security and privacy" should not mean "bitcoin, bitcoin, and vaguely web security stuffs, and bitcoins". That plus the obviously fake upvotes… I won't even try to register, too bad.
At the risk of engaging in self-promotion, I've been toying with a blog for discussing crypto/privacy topics [1], because I do think there's an unfilled need for such. Bitcoin and other cryptocurrencies are within the scope as cryptographic technologies, but my idea is to keep it focused on the technical issues. There's not much content now, just news links to articles I've found interesting.
Creator, here! I agree, it's a little Bitcoin heavy at the moment... but you have to admit the cryptography sphere has been dominated by the recent Satoshi Nakamoto debacle, and it was only launched a few days ago.
My apologies for pre-populating the site with some articles and upvotes. I read that's how reddit got started so I figured I would give it a try.
I first submitted Cryptanalys.is to HN a few days ago with just 8 posts from myself and no extra upvotes, and it didn't get a single pageview: https://news.ycombinator.com/item?id=7339368
So yes, most of the stories and karma values on there are not submitted by real people... yet. Here's to hoping.
If you have any ideas on sources for better/more-interesting information I would love to hear them.
One thing is true: the site only begins and users can make it whatever they want. However, since you start by giving more karma to people in the Bitcoin community, you already drive the website to focus heavily on Bitcoin (also, look at the "library" page https://cryptanalys.is/library.php it is only Bitcoin related). Which is entirely okay! There are many people interested in that (and if it could relieve HN from the constant Bitcoin noise that would be awesome). You even say so in your FAQ: "Fellow Redditors and HNers may think of us as the cryptocurrency subreddit of Hacker News". That is a valid choice, and I think you should present your site like this rather than "Hacker News for crypto, security, and privacy".
> you have to admit the cryptography sphere has been dominated by the recent Satoshi Nakamoto debacle
No, I don't agree. I'm doing a PhD in the field of crypto, follow multiple mailing lists related to my field, watch for the new papers arriving on the IACR ePrint [1], follow many blogs and subreddits… and I can assure you the real crypto sphere doesn't give a damn about "the recent Satoshi Nakamoto debacle". Bitcoin enthusiasts do, however.
[1] http://eprint.iacr.org/ (btw, this is a very good source of security related original content).
PS: in your "what is this" at the top of the page you are not consistent with "r/subreddit" and "/r/subreddit" (leading '/'), you should fix that.
Cheers p4bl0, I appreciate your comments very much.
You're right, the site is heavily targeted towards cryptocurrencies, but my goal is to keep it filled with more of the high level talk surrounding cryptocurrencies. The articles about the search for Satoshi were a poor choice to list on the frontpage, I agree, considering there was next to no evidence in any of them.
I have just made a note to look for more information on http://eprint.iacr.org/ daily, and the /r/funny inconsistency has been changed to r/funny.
I must admit (if it wasn't obvious from my username) that I am primarily a Bitcoin fan. I posted the resources I know best about to the library.php page because I want it to be accurate.
You can now find eprint.iacr.org and iacr.org in the library under the Cryptography heading ;) (And I must say, I found it humorous that iacr.org does not employ TLS)
Again, I really appreciate your comments. Thank you for taking the time to look through the site. I wish you the best of luck in completing your PhD.
Articles like "Bitcoin's Satoshi Nakamoto Is Reportedly Worth Over $400 Million" or "Insuring the Bitcoin loss with another digital currency" have no relation to crypto (especially, cryptanalysis), security or privacy.
There is a downvote button, so presumably once more people start using the site those posts won't make it to the top so easily.
Right now it's just me, myself and I researching the most popular stuff being talked about that's somewhat related to "cryptocurrencies, cryptography, and privacy", which those two titles fall under.
It doesn't interest me. For various reasons, which mainly include political ones.
> maybe you just have to accept that a lot of the HN and crypto audience is interested in bitcoin.
I entirely accept that (however I'd remove "and crypto" from your sentence to make it closer to the truth). I'm not complaining that people on HN post a lot of Bitcoin related content. It's a community website, not my own. If Bitcoin interests people in the community then it should be there. There is too much Bitcoin for my taste, but I just don't click on it and look for the other stuff that actually is of interest to me. And there are still a lot of interesting discussions on HN that are not about Bitcoin.
Bitcoin isn't really the point. If they put up a site claiming to be about "crypto, security and privacy", but 80% of the posts they attract (or post themselves because they don't have critical mass) are on a single topic, then either it's really not about "crypto, security and privacy", or they're doing a really bad job building out the site. It's not like there isn't a whirlwind of activity in cryptography outside of hashes, nor a lack of security incidents to discuss.
The site launched just a few days ago. I've been splitting my time the last few days between buying up marketing spaces and quickly skimming the crypto/security world, so the quality and depth of the articles certainly need some work, I agree.
The site was originally conceived as a HN version of /r/Bitcoin so that's the reason for the bitcointalk.org karma collection.
If I get more complaints about it I will surely remove it. The site just went live a few days ago and I thought it was a good idea when creating it. So that's why it's there.
My expectations were set by the HN headline: "Hacker News for crypto, security, and privacy." But I see now you didn't submit the item. You might want to consider putting a banner on the site: "Hacker News for Bitcoin". That would make transferring accounts from bitcointalk seem more reasonable.
>You might want to consider putting a banner on the site: "Hacker News for Bitcoin".
That is a great idea.
I had been toying with the idea of some kind of banner for the last few days, either relating to a crypto-contest or karma-contest, but was worried it might detract from the "HN Look" which I had worked so hard to achieve.
Thinking it over now it looks like more of a necessity than a distraction.
They don't even seem to have been seeded with faked values, but rather pinned to fake values. I upvoted one article and downvoted another, and several minutes later the scores remain unchanged.
I can see the upside to manually tweaking the votes until you get critical mass, but pinning the votes to faked values makes the transition more difficult than just seeding with fake values and letting the community adjust from there.
My thoughts. lobste.rs is the only really remotely viable alternative to HN and it doesn't have nearly that many upvotes for items on the front page, but it has some discussion.
I just lowered the random karma value for new auto-submitted stories.
The majority of the website is currently populated by me, the site's creator, but that will stop once it gains a large enough userbase to sustain a regular submission rate.
Thank you for taking a look! (I created cryptanalys.is)
Well! So the second I go to sleep the other night, markmassie re-posts my baby to HN and it actually gets some traction. Just my luck :P
I have worked on Cryptanalys.is for about 2 months part time. It's a complete re-write of the HN platform in PHP and Javascript. I posted this the other day and was all ready for HN stardom only to receive exactly 0 votes and ~45 visitors: https://news.ycombinator.com/item?id=7339368
Needless to say, after seeing the "popsicle stick bomb" upvoted to the top of HN literally the next day I was quite disappointed. So, thanks for finally checking it out everyone!
The site just went live a few days ago so yes there will be some problems. But if you'll post your qualms below I am all ears to try and fix them!
I don't see the point of forcing js on a site like this, though, and it's bound to turn a lot of crypto people away.
Also, where is the source code? I looked for a link to it but couldn't find it. You can't expect to run a site for security/crypto people without code they can at least pretend to audit.
I am the creator here. Thank you for taking a look!
You raise a good point, as others in this thread have. Forced JavaScript + security just don't jibe. I should have known that. But one aspect of the site's small server footprint makes the JavaScript somewhat necessary. For commenting and voting at least...
I plan on making a text only version of the homepage, and linking to that at the bottom footer as I do the rss feed: https://cryptanalys.is/rss.php (which is currently not visible due to an encoding error apparently!)
The source code is not public, yet. I don't see what good it would do to publish the source of a website from a security perspective, though. It's not like you can take the digest of a webpage and prove that it's coming from the source code on github.
I understand using js to push some of the rendering time off on the user but surely you could mitigate some of the overhead with caching headers. I mean, the pages themselves are not that big...
As far as the source code goes, true enough (that seems to be a fundamental problem with applying open source ethics to the web) but as long as you're trying to attract security-minded individuals, maybe let them make pull requests and improve the security of the site?
Still though, it looks nice and I do like the collapsing threads.
I appreciate your comments. I'm surprised you noticed the collapsing threads due to the lack of comments on Cryptanalys.is thus far, but there have been some.
I'm working on a read-only version of the homepage that users without JS will be redirected to (And more politely informed that they must enable JS in order to participate) but nobody should be stopped from reading the website simply for not being able to run JS. You are right.