If it is permanently offline, then an old OS is far less of a risk.
If we assume that it is completely air-gapped and never goes online at all, how does it make any difference at all whether he is using windows 2000 or windows 10 ? Correct me if i am missing something.. but if it truly is air-gapped without any interface to communicate, i don't see any difference regarding the security. Whether it is MS-Dos or windows 10 or even linux. What am i missing ? |
|
|
|
Nope, users won't be able to encrypt it themselves.
So users supposed only know what file they receive after they decrypt it? I think he meant that user won't have access to the file (to encrypt it themselves). Whether they know what they receive or not should(!) be handled by the smart contract. But since it seems like the files are hosted on some centralized storage.. that whole idea sounds strange to me. I don't know.. maybe it is because i don't have enough information about it yet to understand the concept. |
|
|
|
|
Der private key wird benötigt um BTC welche dem zugehörigen public key "zugewiesen sind" zu versenden.
Jeder, der den private key besitzt, kann alle coins von diesem public key versenden.
Jede Adresse in deinem Wallet hat einen public key von dem diese "abgeleitet" wurde. Und jeder public key hat einen dazugehörigen private key. Und dieser ist der Schlüssel für alle BTC auf dieser Adresse.
Der Seed (welcher so gut wie immer in einen mnemonic code encodiert wird, also 12 oder 24 Wörter) wird genutzt um private keys deterministisch herzuleiten. Alle private keys in deinem Wallet werden von diesem Seed hergeleitet.
Um deine Coins zu versenden, braucht jemand:
1) Entweder deinen Seed (um alle coins von deinem Wallet versenden zu können) oder
2) einen private key (um die coins von dieser einen dazugehörigen Adresse versenden zu können) oder
3) dein Wallet-file und das dazugehörige Passwort (um ebenfalls alle coins versenden zu können)
|
|
|
|
I don't have access to the private key of users.
Users should be able to decrypt files using their private keys
Ah, this makes sense. But you still have access if the files are on your machine ? And if you let the people encrypt it themselves, they can simply use another algorithm (e.g. a symmetric one). I still don't get the reason to use ETH for that. However, you most probably want to look at ECIES (Elliptic Curve Integrated Encryption Scheme). For example, you can implement that in nodejs using bitcore-lib and bitcore-ecies. |
|
|
|
Ledger hat nicht direkt gesagt es gibt kein Risiko. Die haben damals gesagt der einzige Weg gescammt zu werden wenn du alles prüfst ist wenn du ein gebrauchtes ledger kaufst, und die Mnemonic Phrase benutzt die "mitgeschickt" wird.
Das bedeutet genau das selbe wie "Genuine + neu initialisieren = safe". Sonst hätten die garantier von gebrauchten Ledger abgeraten, was sie aber nie getan haben.
Ja.. ledger hat das behauptet. Und was anderes wurde bewiesen: But Saleem Rashid showed that a third party vendor can set it up so that even if you configure the device yourself and generate the seed from it, a malicious vendor can predetermine what the seed will be that is displayed by the Ledger. And you wouldn't know that you've got a compromised device. Auch wenn dieser Exploit gefixt wurde, heißt es nicht, dass es nicht immernoch (auf eine andere Art) möglich ist. Außerdem gibt es immernoch die Möglichkeit der manipulierten Hardware. Ledger's statement schließt diese Möglichkeit nicht ein. Klar, wenn man die Firmware checkt (durch verbinden mit Ledger Live) und einen neuen Seed generiert, ist man so gut wie sicher. Aber vor manipulierter Hardware ist man immer noch nicht geschützt. |
|
|
|
I have one solution but would love to know if it's viable or if other solutions would be more suitable.
The files will be zipped with random passwords containing special characters and letters (ah321D*£$...)
The password will be encrypted with the ethereum address of each user and will be decrypted with their private key.
Don't use a zip password. That's just insecure. There was a vulnerability for like 10 years where zip files could be decrypted without the password because the initialization vector was extremely weak. I think you are over complicating things too much. You want to decrypt files using your ETH private key. I don't really understand the reasoning for that approach, but ok. Just use symmetric encryption with the private key as encryption key. That's the easiest and most straight-forward approach. You don't really need to use an asymmetric encryption algorithm. Or why do you want to use asymmetric encryption ? Do you have any reason for that ? |
|
|
|
It is time to upgrade your windows system, as both manufacturer are recommending (windows and ledger)
This. You are basically using an outdated operating system with a lot of security measurements missing, which are present in windows 10. Any data stored on your computer is at high-risk getting compromised. Please update your OS as soon as possible. If i am not mistaken, the free upgrade is still available (the official updater can still be downloaded). There is literally not a single reason to keep using windows 7. Even the extended lifetime support is coming to an end soon. Afterwards there will be not a single update anymore. |
|
|
|
it print correct result but in outputfile.txt file always containing the last line in file1  Then you are most probably calling it in the wrong place. You need to write it to the file when you are checking (and printing) the line which is present in both files. If we take the code from above: // open file writable, in this example as: "file"
firstfile= [line.rstrip('\n') for line in open("textfile_containing_first_list.txt")]
secondfile= [line.rstrip('\n') for line in open("textfile_containing_second_list.txt")]
for firstline in firstfile:
if firstline in secondfile:
print(firstline)
file.write(firstline+"\n")
file.close()
|
|
|
|
Did you check the address on a block explorer ? Head over to https://live.blockcypher.com/btc/ and enter the address into the field and check it for transactions. Do you see the 'missing' transaction ? If yes, your desktop client has a network/connection issue. The transaction went through in this case. If you don't see the transaction, it wasn't sent at all. Please tell us which version of electrum you are using. Where did you download it from ? |
|
|
|
|
Since your hard drive doesn't seem to be damaged, simply connect it to your new computer.
Do you intend to install a new system ? If so, you at least need to boot once from this hard drive to recover anything you need.
If you want to keep your current system, you don't need to do anything. Just connect it to your new hardware and boot from it.
You will be back at your 'old' system without any differences. All your data will be kept. This includes all software installed and of course also the private keys stored.
|
|
|
|
OP lost money, he is angry, frustrated, maybe sad. All of that is understandable. When he reads the above post of yours and the rest he will realize that he made a series of mistakes that led to the loss of funds.
I wish this would be the case. A lot of people lose funds through multiple mistakes in a row, but quite a high percentage of them never sees themselves at fault. They will keep blaming electrum (or any other wallet/service/whatever). The majority of user here just want to get rich. They don't understand BTC and neither how to securely store their coins. Instead of learning the basics on how to secure digital information, they just do whatever they are told on their colorful screen. That's also one reason why it still is a long way until we reach mass adoption. We need idiot-proof hardware wallets built into smartphones with double- or triple checking of each transactions. If then someone is going to lose funds by sending them to a wrong address.. well.. then they can't be helped anymore. |
|
|
|
Ich hoffe du bist dir aller Risiken bewusst bei Hardware Wallets welche nicht direkt vom Hersteller oder offiziellen Resellern kommen.
Hör doch bitte auf mit diesen Unsinn. Ledger selbst sagt das es so gut wie risikofrei ist. Und wenn du schon von Ledger direkt kaufst, die bauen die Teile auch nichts selbst. Die Gefahr die dir so viel Angst macht gibt es sowiese in der ganzen Supply Chain. Ob jetzt Ledger direkt oder nicht macht da gar keinen Unterschied solange du Physisch und Softwaremässig prüfen kannst ob das Produkt genuine ist. Und das kann man. "So gut wie risikofrei" wenn man bei irgendjemandem auf ebay einen nano s kauft ? Wo bitte finde ich dieses Statement von ledger ? Man sollte sich allen Risiken bewusst sein. Viel mehr als 30-40€ und ein bisschen Know-How ist nicht notwendig um einen Nano S zu manipulieren. Das man überprüfen kann ob alles original ist, stimmt. Desswegen habe ich ja auch vorgeschlagen dies zu tun. Die Firmware wird ja automatisch von Ledger Live überprüft. Die Hardware muss man sich selber anschauen. Und das muss man eben auch tun wenn man sicher sein will. Es reicht nicht, dass man es kann. Man kann auch die Signatur bei electrum executables überprüfen.. trozdem machen das viele nicht und laden sich Malware runter. Die, welche die Signatur überprüfen werden niemals so eine Malware auf ihrem Rechner installieren. Er wird sicher nicht zu ebay gegriffen haben, weil er sich dort 5€ spart.. Dann frage ich mich wie ein "neuer und original verpackter" Nano S dort so viel günstiger sein kann.. Ich persönlich würde das Risiko auf keinen Fall eingehen.. wofür auch.. um sich ein paar € zu sparen ? Kenne inzwischen mehrere Leute, die mit nagelneuen Originalledger und einer notierten Passphrase der Stick nicht aktivieren konnten und dadurch keinen Zugang zu Ihren Coins haben.
Empfehle nun nur noch Trezor.
Inwiefern bitte ? Meinst du mit Passphrase wirklich das Passwort oder den Mnemonic Code ? Wenn es nicht an einem fehlerhaften Firmware update liegt, dann ist es in 99%+ der Fälle menschliches Versagen. |
|
|
|
You do know how AV engines check a file, do you ? Mostly 2 steps: 1) Check whether this file is known already 2) Runtime analysis. AV's are weak. They never find malware if it is coded properly. Just because 2/70 AV's regard that as malware, that's neither an argument that it is malware, nor that it isn't malware. This just means it is not known yet and that it doesn't raise too many red flags (e.g. like encrypting system folder). The results i posted are from a proper analysis with detailed reports, not from simple AV scans. I honestly don't understand how they can't check the IP the software is connecting to. This IP is related to several other illegal (hacking-) activities. Just one additional argument that AV's are extremely weak and only useful for very well-known malware. Isn't this a ban-able offense?
Yes. |
|
|
|
Original topic: https://bitcointalk.org/index.php?topic=5182888.0Archived: https://archive.fo/8xKAHReasons to believe this user is spreading malware: I run an analysis on the software he declares as "NEW PORTABLE ELECTRUM ENCRYPTED BITCOIN WALLET RELEASED!!!"Results: 1. It contacts server 84.33.95.3 on an IRC port (6667) and transmits data which is a technique commonly used for C&C server. 2. Malicious artifacts related to 84.33.95.3 found: URL: http://84.33.95.3/powershell_attack.txt (AV positives: 6/71 scanned on 09/08/2019 18:21:14)
URL: http://84.33.95.3/crypto-arbitrage_9-8-2.exe (AV positives: 7/71 scanned on 09/08/2019 16:40:08)
URL: http://84.33.95.3/auto-btc.exe (AV positives: 5/71 scanned on 09/08/2019 13:39:30)
URL: http://84.33.95.3/bit-trader_bot_3_7_8.exe (AV positives: 9/71 scanned on 09/08/2019 13:33:39)
URL: http://84.33.95.3/bitcoin_auto_trader-6-8-1.exe (AV positives: 5/71 scanned on 09/08/2019 13:14:10)
File SHA256: 788c42f7acee185be4743fea3a1762d78cfeb16d76ecf20975b7944802d4012e (AV positives: 51/71 scanned on 09/07/2019 15:14:14)
File SHA256: a5865823989aff1e26767625f98ea59e028a10d521ad7a09b980b30bb6bf2c37 (AV positives: 24/72 scanned on 09/07/2019 14:09:06)
File SHA256: bfabf136cc96db595ce8dd3a3bbbf4f52c979bbc740403d791713be92935f630 (AV positives: 13/66 scanned on 09/07/2019 12:29:42)
File SHA256: bdb3f9c296b79aaa2b919b5b29ae3a07a9936fd626ae47ff6290117591e9b331 (AV positives: 53/72 scanned on 09/06/2019 16:40:49)
File SHA256: 5273aa63893f04cb54478a790878dea326908e8235741dbfb80273fb148cde5e (AV positives: 37/70 scanned on 09/01/2019 07:08:21) 3. Touches files in the windows directory: "electrum-3.5.8-portable.exe" touched file "%WINDIR%\Globalization\Sorting\SortDefault.nls"
"electrum-3.5.8-portable.exe" touched file "%WINDIR%\System32\rsaenh.dll"
"electrum-3.5.8-portable.exe" touched file "%WINDIR%\System32\en-US\KernelBase.dll.mui"
4. It cointains techniques to detect sandboxing and to counter debugging (not good enough  ) Created a Type1-flag: FLAG |
|
|
|
Oh.. how could i forget our Data-scraping-AI-machine Thanks  Based on last week: TECSHARE is included by 9 DT1's: OgNasty
CanaryInTheMine
qwk
Ticked
Rmcdermott927
teeGUMES
WhiteManWhite
bobita
Matthias9515
TECSHARE is excluded by 10 DT1's Vod
Foxpup
Flying Hellfish
TMAN
TheNewAnon135246
mindrust
suchmoon
owlcatz
nutildah
The Pharmacist
Seems like Kalemder included him. |
|
|
|
Oh nice, TECSHARE made it back into DT1, what a time to be alive According to the latest trust data dump: TECSHARE is included by 10 DT1's: OgNasty
CanaryInTheMine
qwk
Ticked
Rmcdermott927
teeGUMES
WhiteManWhite
Kalemder
bobita
Matthias9515
TECSHARE is excluded by 10 DT1's Vod
Foxpup
Flying Hellfish
TMAN
TheNewAnon135246
mindrust
suchmoon
owlcatz
nutildah
The Pharmacist
Unfortunately i am not keeping the history of data dumps. I only always work with the latest data, so i can't say what exactly changed here. |
|
|
|
Another Info: TheBitcoinExplorer is his alt. I will also state here the accounts connected to him, as far as I remembered he told me about that. Connected to User: Ararbermas
intoy_victor
Koro-SenseiEvidence: User Daboy_Lyle just named those account as his relatives (maybe an alt) Source:Messenger (Convo) Is there any proof for the connection between those accounts ? |
|
|
|
And if I import my wallet into Mycelium through a trezor, will the wallet developers not get my private keys, can I somehow get them from the trezor using third-party software like this wallet?
No. Your private keys never leave the device. You can not access them in any way (except for vulnerability which might exist, but are not known yet). A hardware wallet keeps your private keys secured and only uses them to sign transactions/messages. The signing process is completely done within the device. It just has one interface which accepts unsigned (or partially signed) transactions and gives back a signed one. |
|
|
|
The real problem is the person who has this user included. He just entered DT1 again. His name starts with T and ends with ECSHARE  |
|
|
|
|
Show Posts
