
Cryptanalys.is – Hacker News for crypto, security, and privacy - markmassie
https://cryptanalys.is
======
throwwit
"Warning! Cryptanalys.is will not work with javascript disabled!" A crypto
site with mandatory javascript... seems legit

~~~
GigabyteCoin
The site relies quite heavily on javascript. Sorry about that.

All of the voting and commenting is handled with Ajax, and all of the comment
sorting is done by javascript to lessen the load on my tiny servers.

------
shomyo
> _Passwords can only consist of the following characters: a-z, A-Z, 0-9, and
> !@#$%^ &_()-_. Please choose another.

Sure.

Epic: [http://i.imgur.com/zT30wY1.png](http://i.imgur.com/zT30wY1.png)

No thank you.

~~~
GigabyteCoin
There really isn't a reason for the limit on the password characters. I
suppose I can lift that restriction now.

I don't get what you mean by "Epic:" and the link to the karma-collection
script.

If you care to explain what you don't like about the website I will try my
best to improve the experience.

The site just launched a few days ago and I need feedback from early-eyes like
yours to help shape the user experience.

I appreciate your taking a look at the website.

~~~
KMag
Restrictions on input characters are often a strong indication that a
cryptographic key derivation function (or even just a salted cryptographic
hash function) isn't being used to store the passwords.

See [http://plaintextoffenders.com](http://plaintextoffenders.com)

~~~
GigabyteCoin
It had simply been some time since I had worked with MySQL.

I didn't fully understand prepared statements when I began creating the site
(as I had never worked with them before), so I put in a check to make sure
that nobody was trying to inject anything via SQL when registering, but I
realize that is all for nothing now when using prepared statements.

Every user's password is hashed using the default PHP 'PASSWORD_DEFAULT',
which according to this page uses BCRYPT:
[http://www.php.net/manual/en/password.constants.php](http://www.php.net/manual/en/password.constants.php)

Needless to say, I have removed the password restrictions... now the only
restriction is that it must be at least 6 characters in length, and must be no
more than 5,000 characters in length. You should be able to use any kind of
crazy UTF8 combination of characters you can muster.

Not only that, but attackers are limited to 3 attempts per IP per hour when
trying to log in via brute force.
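
As an added example (not the site's own code), here is the pattern KMag and GigabyteCoin are describing: a PHP registration/login handler that binds parameters in prepared statements so the password text never reaches the SQL grammar, and hashes with `password_hash()` / `PASSWORD_DEFAULT` (bcrypt) so any UTF-8 input can be accepted. It assumes the PDO SQLite and mbstring extensions as a stand-in for MySQL; the 6/5,000-character bounds are the ones stated above, and the comments note bcrypt's 72-byte input limit.

```php
<?php
// Added example, not Cryptanalys.is code. SQLite in memory stands in for MySQL.
declare(strict_types=1);

const MIN_LEN = 6;     // bounds taken from the thread above
const MAX_LEN = 5000;

function openDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)');
    return $db;
}

function register(PDO $db, string $name, string $password): bool {
    // Length is the only policy; mb_strlen counts UTF-8 code points, not bytes.
    $len = mb_strlen($password, 'UTF-8');
    if ($len < MIN_LEN || $len > MAX_LEN) {
        return false;
    }
    // Caveat: PASSWORD_DEFAULT is bcrypt, which only uses the first 72 bytes.
    // Longer passphrases are accepted, but bytes past 72 add no strength.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    // Bound parameters: quotes, semicolons and comment markers in the
    // password are data, not SQL, so no character filtering is needed.
    $stmt = $db->prepare('INSERT INTO users (name, pw_hash) VALUES (:name, :hash)');
    return $stmt->execute([':name' => $name, ':hash' => $hash]);
}

function login(PDO $db, string $name, string $password): bool {
    $stmt = $db->prepare('SELECT pw_hash FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false; // unknown user; same result as a wrong password
    }
    return password_verify($password, $row['pw_hash']);
}

$db = openDb();
// Constructed test passwords: SQL metacharacters, and non-ASCII UTF-8.
$tricky = "it's'; DROP TABLE users; --";
$utf8   = "pässwörd✓漢字";
assert(register($db, 'alice', $tricky));
assert(register($db, 'bob', $utf8));
assert(login($db, 'alice', $tricky));
assert(login($db, 'bob', $utf8));
assert(!login($db, 'bob', 'wrong-password'));
assert(!register($db, 'carol', 'short')); // below MIN_LEN
echo "all checks passed\n";
```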

------
p4bl0
Seeing the link title I thought "nice, an HN like with focus on my domain and
less bitcoins related crap". Wow, I couldn't be more wrong. "crypto, security
and privacy" should not mean "bitcoin, bitcoin, and vaguely web security
stuffs, and bitcoins". That plus the obviously fake upvotes… I won't even try
to register, too bad.

~~~
nomailing
what's your problem with bitcoin? maybe you just have to accept that a lot of
the HN and crypto audience is interested in bitcoin.

~~~
drdaeman
Articles like "Bitcoin's Satoshi Nakamoto Is Reportedly Worth Over $400
Million" or "Insuring the Bitcoin loss with another digital currency" have no
relation to crypto (especially, cryptanalysis), security or privacy.

~~~
GigabyteCoin
Hello! Creator of Cryptanalys.is here.

There is a downvote button, so presumably once more people start using the
site those posts won't make it to the top so easily.

Right now it's just me myself and I researching the most popular stuff being
talked about that's somewhat related to "cryptocurrencies, cryptography, and
privacy" which those two titles fall under.

------
lisper
> Wow, lisper, is that really you?

Yeah, it was really me. But I don't have a bitcointalk.org account. There is
more to crypto, security and privacy than bitcoin.

~~~
GigabyteCoin
The site was originally conceived as an HN version of /r/Bitcoin so that's the
reason for the bitcointalk.org karma collection.

If I get more complaints about it I will surely remove it. The site just went
live a few days ago and I thought it was a good idea when creating it. So
that's why it's there.

~~~
lisper
My expectations were set by the HN headline: "Hacker News for crypto,
security, and privacy." But I see now you didn't submit the item. You might
want to consider putting a banner on the site: "Hacker News for Bitcoin". That
would make transferring accounts from bitcointalk seem more reasonable.

~~~
GigabyteCoin
> You might want to consider putting a banner on the site: "Hacker News for
> Bitcoin".

That is a great idea.

I had been toying with the idea of some kind of banner for the last few days,
either relating to a crypto-contest or karma-contest, but was worried it might
detract from the "HN Look" which I had worked so hard to achieve.

Thinking it over now it looks like more of a necessity than a distraction.

------
brandonhsiao
I have to ask: is it just me, or are those upvotes on the frontpage faked?

~~~
KMag
They don't even seem to have been seeded with faked values, but rather pinned
to fake values. I upvoted one article and downvoted another, and several
minutes later the scores remain unchanged.

I can see the upside to manually tweaking the votes until you get critical
mass, but pinning the votes to faked values makes the transition more
difficult than just seeding with fake values and letting the community adjust
from there.

~~~
GigabyteCoin
The reason your upvote remained unchanged is that anybody with 10 karma points
or less bears no weight on the voting algorithms.

I'm experimenting with having higher karma-valued posters have more weight
when it comes to voting.

Was that you who registered as KMag? You now have 100 karma and your votes
will be counted from now on.

------
GigabyteCoin
Well! So the second I go to sleep the other night, markmassie re-posts my baby
to HN and it actually gets some traction. Just my luck :P

I have worked on Cryptanalys.is for about 2 months part time. It's a complete
re-write of the HN platform in PHP and Javascript. I posted this the other day
and was all ready for HN stardom only to receive exactly 0 votes and ~45
visitors:
[https://news.ycombinator.com/item?id=7339368](https://news.ycombinator.com/item?id=7339368)

Needless to say, after seeing the "popsicle stick bomb" upvoted to the top of
HN literally the next day I was quite disappointed. So, thanks for finally
checking it out everyone!

The site just went live a few days ago so yes there will be some problems. But
if you'll post your qualms below I am all ears to try and fix them!

------
krapp
It's ok.

I don't see the point of forcing js on a site like this, though, and it's
bound to turn a lot of crypto people away.

Also, where is the source code? I looked for a link to it but couldn't find
it. You can't expect to run a site for security/crypto people without code
they can at least pretend to audit.

~~~
GigabyteCoin
I am the creator here. Thank you for taking a look!

You raise a good point, as others in this thread have. Forced-javascript +
security just don't jive. I should have known that. But one aspect of the
site's small server-footprint makes the javascript somewhat necessary. For
commenting and voting at least...

I plan on making a text only version of the homepage, and linking to that at
the bottom footer as I do the rss feed:
[https://cryptanalys.is/rss.php](https://cryptanalys.is/rss.php) (which is
currently not visible due to an encoding error apparently!)

Maybe a "retro" version of the homepage would be to your liking? Like this:
[http://retro.hackaday.com/](http://retro.hackaday.com/)

The source code is not public, yet. I don't see what good it would do to
publish the source of a website from a security perspective, though. It's not
like you can take the digest of a webpage and prove that it's coming from the
source code on github.

~~~
krapp
I understand using js to push some of the rendering time off on the user but
surely you could mitigate some of the overhead with caching headers. I mean,
the pages themselves are not that big...

As far as the source code goes, true enough (that seems to be a fundamental
problem with applying open source ethics to the web) but as long as you're
trying to attract security-minded individuals, maybe let them make pull
requests and improve the security of the site?

Still though, it looks nice and I do like the collapsing threads.

~~~
GigabyteCoin
I appreciate your comments. I'm surprised you noticed the collapsing threads
due to the lack of comments on Cryptanalys.is thus far, but there have been
some.

I'm working on a read-only version of the homepage that users without JS will
be redirected to (and more politely informed that they must enable JS in order
to participate), but nobody should be stopped from reading the website simply
for not being able to run JS. You are right.

