|
Title: Multisig Addrss UTXO spent (hacked) Post by: antonimasso on August 25, 2014, 06:45:11 PM Hello,
My Multisig address I'm using for testing purposes has been used to send the funds to an address by a TX I did not generate (1ENnzep2ivWYqXjAodTueiZscT6kunAyYs). https://insight.bitpay.com/address/3KZriXF1KJB5edEXwM5TdByaFEtgRd5VyE Can Multisig addresses be hacked in any other way than knowing the private keys of at least two public keys? I used very simple passwords to generate the public keys. Could this person have used an application that uses multiple private keys to test and build a valid TX? Thanks Title: Re: Multisig Addrss UTXO spent (hacked) Post by: DannyHamilton on August 25, 2014, 06:50:12 PM Hello, My Multisig address I'm using for testing purposes has been used to send the funds to an address by a TX I did not generate (1ENnzep2ivWYqXjAodTueiZscT6kunAyYs). https://insight.bitpay.com/address/3KZriXF1KJB5edEXwM5TdByaFEtgRd5VyE Can Multisig addresses be hacked in any other way than knowing the private keys of at least two public keys? Either you accidentally leaked the private keys, or you didn't use randomly generated private keys. I used very simple passwords to generate the public keys. Rainbow tables have been created for all private/public key pairs generated from simple passwords. Any transaction that uses a public key or bitcoin address that was generated from a password instead of being generated randomly should be considered insecure. Any bitcoins sent to such an address or public key are very likely to be quickly stolen. Could this person have used an application that uses multiple private keys to test and build a valid TX? yes. This was all explained to you already in the past: I used very simple passwords to generate the bitcoin addresses yeah, that's probably it.many easy keys have some bots, that capture money from them as it comes. as well as many stolen keys - such are definitely being monitored for a potential theft and robbed immediately as they receive any coins. Title: Re: Multisig Addrss UTXO spent (hacked) Post by: antonimasso on August 25, 2014, 06:55:49 PM I did use extremely simple passwords. I guess he just brute forced the private keys, generated the Multisig address and if it contained UTXO sent them to his account.
Title: Re: Multisig Addrss UTXO spent (hacked) Post by: Luke-Jr on August 25, 2014, 06:56:56 PM I did use extremely simple passwords. I guess he just brute forced the private keys, generated the Multisig address and if it contained UTXO sent them to his account. It's pretty easy, and he can attack all multisigs at once.This is why brainwallets are the dumbest idea ever... Title: Re: Multisig Addrss UTXO spent (hacked) Post by: antonimasso on August 25, 2014, 07:04:14 PM Brainwallets are dangerous if using simple passwords, but using a more complex password, for example: enfjakn/(&/gfjhbafnmjknHGV7&456DED$··"·%!!!/())/OJNDJKNJDKǨ+`P should be secure enough.
Title: Re: Multisig Addrss UTXO spent (hacked) Post by: Luke-Jr on August 25, 2014, 07:06:38 PM Brainwallets are dangerous if using simple passwords, but using a more complex password, for example: enfjakn/(&/gfjhbafnmjknHGV7&456DED$··"·%!!!/())/OJNDJKNJDKǨ+`P should be secure enough. Not likely. Humans are a terrible source of entropy.Anything you come up with that you think seems random, a computer can guess easier than actually trying to find it randomly. Title: Re: Multisig Addrss UTXO spent (hacked) Post by: instagibbs on August 25, 2014, 07:23:25 PM Much better off just making a wallet with mnemonics, and memorizing the word list.
Title: Re: Multisig Addrss UTXO spent (hacked) Post by: antonimasso on August 25, 2014, 07:24:04 PM Wouldn't it take a huge amount of time & resources to brute force the private key of a public key generated with such a long password?
Title: Re: Multisig Addrss UTXO spent (hacked) Post by: DannyHamilton on August 25, 2014, 07:28:55 PM Wouldn't it take a huge amount of time & resources to brute force the private key of a public key generated with such a long password? Brute force? Yes. But, because humans are VERY bad at doing things in a completely random way, a program can be written to take advantage of biases in human thought and human behavior. Such a program could significantly reduce the search space necessary to find the password used. At the moment, an arbitrarily long password might be sufficient for short term storage, but since private keys can be randomly generated, why bother with such long and indecipherable passwords (which may fall to weaknesses in the future)? Wouldn't it be simpler to just randomly generate a private key? Title: Re: Multisig Addrss UTXO spent (hacked) Post by: antonimasso on August 25, 2014, 07:58:28 PM Well I think you're right, I might need to generate new addresses for my bitcoins...
Title: Re: Multisig Addrss UTXO spent (hacked) Post by: amaclin on August 26, 2014, 04:17:28 AM I did use extremely simple passwords. I guess he just brute forced the private keys, generated the Multisig address and if it contained UTXO sent them to his account. Multisig redeem script contains public keys. this was your transaction: https://blockchain.info/tx/18eae575e18c47d5b8c14fddbe7e31299359cc5d3ce23f9c64a2af0fc0817806 public keys are: Code: "043394c36007889341b06434535adbb6d9ff8d54f0a075f660f9a15c5c160bd24eb8f9bd98d32e3b6624d1fefa360496d8a98f8ee2e558e6d0e385ff1afc2b70b7" it was not too difficult to check associated private keys for these public keys ;D two of three to redeem: Code: { "5JAimMxne7A62i25P7MjjX37d5WCK3dUzgzmUSzqPdKstqjY2nx", "141995JqUd7VkHfggTKqPSPvK3deuinbit", "billgates" },Quote Any bitcoins sent to such an address or public key are very likely to be quickly stolen. Unfortunately, my script had a bug ::) No luck yetTitle: Re: Multisig Addrss UTXO spent (hacked) Post by: dreamhouse on August 26, 2014, 05:17:48 AM I did use extremely simple passwords. I guess he just brute forced the private keys, generated the Multisig address and if it contained UTXO sent them to his account. Multisig redeem script contains public keys. this was your transaction: https://blockchain.info/tx/18eae575e18c47d5b8c14fddbe7e31299359cc5d3ce23f9c64a2af0fc0817806 public keys are: Code: "043394c36007889341b06434535adbb6d9ff8d54f0a075f660f9a15c5c160bd24eb8f9bd98d32e3b6624d1fefa360496d8a98f8ee2e558e6d0e385ff1afc2b70b7" it was not too difficult to check associated private keys for these public keys ;D two of three to redeem: Code: { "5JAimMxne7A62i25P7MjjX37d5WCK3dUzgzmUSzqPdKstqjY2nx", "141995JqUd7VkHfggTKqPSPvK3deuinbit", "billgates" },Quote Any bitcoins sent to such an address or public key are very likely to be quickly stolen. Unfortunately, my script had a bug ::) No luck yetTitle: Re: Multisig Addrss UTXO spent (hacked) Post by: antonimasso on August 26, 2014, 06:15:29 AM I did use extremely simple passwords. I guess he just brute forced the private keys, generated the Multisig address and if it contained UTXO sent them to his account. Multisig redeem script contains public keys. this was your transaction: https://blockchain.info/tx/18eae575e18c47d5b8c14fddbe7e31299359cc5d3ce23f9c64a2af0fc0817806 public keys are: Code: "043394c36007889341b06434535adbb6d9ff8d54f0a075f660f9a15c5c160bd24eb8f9bd98d32e3b6624d1fefa360496d8a98f8ee2e558e6d0e385ff1afc2b70b7" it was not too difficult to check associated private keys for these public keys ;D two of three to redeem: Code: { "5JAimMxne7A62i25P7MjjX37d5WCK3dUzgzmUSzqPdKstqjY2nx", "141995JqUd7VkHfggTKqPSPvK3deuinbit", "billgates" },Quote Any bitcoins sent to such an address or public key are very likely to be quickly stolen. Unfortunately, my script had a bug ::) No luck yetDid you select my Multisig address manually or do you have a script that tries combinations of public keys? Soon before you tried to steal my funds :P I made a TX with no fee and now these funds seem to be blocked or lost. Title: Re: Multisig Addrss UTXO spent (hacked) Post by: amaclin on August 26, 2014, 06:36:51 AM Quote Soon before you tried to steal my funds :P I do not like the words "my" & "steal". Bitcoins belong the person who knows private keys. I know. Let us say that you have bought some knowledge for small price. And I can sell you more. Just ask me. I will be happy to share my knowledge with everyone else. Quote I made a TX with no fee and now these funds seem to be blocked or lost. Bitcoins can not be lost such way. The game is not over. Title: Re: Multisig Addrss UTXO spent (hacked) Post by: antonimasso on August 26, 2014, 06:42:18 AM Please do share your knowledge, the Bitcoin community will thank you for doing so.
Title: Re: Multisig Addrss UTXO spent (hacked) Post by: amaclin on August 26, 2014, 06:47:24 AM Quote Did you select my Multisig address manually or do you have a script that tries combinations of public keys? There are 60k+ used p2sh addresses right now according to http://webbtc.com/scripts/script_hash Do you think it is possible to check them manually? ;D Title: Re: Multisig Addrss UTXO spent (hacked) Post by: antonimasso on August 26, 2014, 07:00:58 AM Quote Did you select my Multisig address manually or do you have a script that tries combinations of public keys? There are 60k+ used p2sh addresses right now according to http://webbtc.com/scripts/script_hash Do you think it is possible to check them manually? ;D Not manually one by one, but if you knew mine and tried to get the public keys values from the redeem script. Title: Re: Multisig Addrss UTXO spent (hacked) Post by: rapport on August 26, 2014, 09:54:48 AM Brainwallets are dangerous if using simple passwords, but using a more complex password, for example: enfjakn/(&/gfjhbafnmjknHGV7&456DED$··"·%!!!/())/OJNDJKNJDKǨ+`P should be secure enough. Not likely. Humans are a terrible source of entropy.Anything you come up with that you think seems random, a computer can guess easier than actually trying to find it randomly. How would a computer guess the above password? Title: Re: Multisig Addrss UTXO spent (hacked) Post by: amaclin on August 26, 2014, 10:35:22 AM Quote using a more complex password, for example: enfjakn/(&/gfjhbafnmjknHGV7&456DED$··"·%!!!/())/OJNDJKNJDKǨ+`P Quote How would a computer guess the above password? How would human remember the password above? ::) It will be more easy to remember the private key in hex/wif format itself |