There is no intention for me to plagiarize. At that time, I was one of the IDEX campaign participants. So, I inevitably have to promote IDEX.
But unfortunately you did. Simple copy/pasting from the internet without linking to a source is plagiarism. You could have easily quoted it, attached the source in a footnote, or simply promoted it using your own words. That is not an excuse to copy/paste from websites.
|
|
|
Well, the problem with PBKDF2 is that it can be implemented with a small circuit. This means it can be bruteforced at a fast rate using an ASIC (or even a GPU). However, given that the keysize is way too big to even bruteforce a small portion of available keys, there are no practical security implications whatsoever. If the number used to create the mnemonic is random (and not generated by a shitty/faulty PRNG) there is no negative effect from the key derivation function.
Greg Maxwell comment: "Effectively BIP39 is a thinly veiled brainwallet scheme with a woefully weak KDF. It's prone to misuse, and when misused it picks up all the bad properties you might expect it to pick up."
This is completely quoted out of context. BIP39 has nothing to do with a brain wallet. Maxwell was referring to the use of a password to additionally protect the seed. If the original mnemonic code is known, it basically just is 'guessing' the correct password (which basically means that this layer of security is similar to a brain wallet). If an attacker has the mnemonic code, he can simply bruteforce the passwords very efficiently (because of PBKDF2). He was explicitly talking about the deniability in this context. Practically, BIP39 is secure. It all depends on the RNG used. If your seed is generated randomly (which then is being encoded into the mnemonic), you are fine. Further, the 'plausible deniability' is not as strong as people think it is. You can safely use BIP39 for cold storage, or you simply create a wallet using core (completely air-gapped of course), generate a few 100s or 1000s of addresses and use them to receive funds. There are multiple approaches for cold storage.
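The BIP39 seed derivation discussed in this post, as an added example that is not part of the original post or of any wallet's code. It shows why the PBKDF2 weakness only matters for the optional passphrase layer: the mnemonic carries the full random entropy, while the passphrase carries only what the user chose. The 8-character passphrase in `demo()` is a constructed value.

```python
import hashlib
import math
import unicodedata

PBKDF2_ROUNDS = 2048  # fixed by BIP39, not tunable by the wallet

# Public BIP39 test mnemonic (all-zero entropy); never use it for real funds.
TEST_MNEMONIC = "abandon " * 11 + "about"


def _nfkd(text: str) -> bytes:
    return unicodedata.normalize("NFKD", text).encode("utf-8")


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """64-byte seed: PBKDF2-HMAC-SHA512 with salt "mnemonic" + passphrase."""
    salt = b"mnemonic" + _nfkd(passphrase)
    return hashlib.pbkdf2_hmac("sha512", _nfkd(mnemonic), salt, PBKDF2_ROUNDS, 64)


def mnemonic_entropy_bits(word_count: int) -> int:
    """Each word encodes 11 bits; 1 of every 33 bits is checksum."""
    return word_count * 11 * 32 // 33


def passphrase_entropy_bits(length: int, alphabet_size: int) -> float:
    """Upper bound for a passphrase of uniformly random characters."""
    return length * math.log2(alphabet_size)


def demo() -> dict:
    plain = bip39_seed(TEST_MNEMONIC)
    hidden = bip39_seed(TEST_MNEMONIC, "TREZOR")
    return {
        # Same mnemonic, different passphrase: an unrelated wallet.
        "wallets_differ": plain != hidden,
        # What protects the seed when the RNG is sound.
        "mnemonic_bits_12_words": mnemonic_entropy_bits(12),
        # What protects the passphrase layer once the mnemonic has leaked
        # (constructed case: 8 random lowercase letters).
        "passphrase_bits_8_lowercase": round(passphrase_entropy_bits(8, 26), 1),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

With a leaked mnemonic, the only remaining secret is the passphrase, and each guess costs just 2048 HMAC-SHA512 rounds, so the passphrase needs to be long and random to add real protection.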
|
|
|
1. Open Source. At the current moment we don't want to make the source code free. (and one of the reasons - so many scam projects who fork open source solutions)
That's nonsense. Unless your wallet is open-source, it can't be verified and not many people would trust your wallet.
Yes, it's a problem. But our team is ready to contact experts who want to see and audit the code. Just text me)
This won't fix the issue and does not justify any trust in your wallet. You could simply remove the backdoor before giving out the source code. And who knows whether the app on the Play Store really is this exact version you are providing for 'auditing'. You either have to open source the wallet or expect that no one will use it. People are not dumb. There are a lot of good (open-source) wallets available. There is literally not a single reason to trust a new closed-source wallet announced by a new account.
|
|
|
So.. you got banned, register a new account and the first thing you do is to offer a service on this forum. That's crystal clear ban evading. I am inattentive. I don't know what i'd be doing without LoyceV. Probably walking around and talking garbage
|
|
|
If these are created by Electrum clearly something IS wrong, look at the transactions... and come back again to agree with me
Both of them look perfectly fine. Which 'issue' do you see in those transactions?
1st transaction: 1 P2PKH input -> 1 P2SH / P2WSH output
2nd transaction: 1 P2PKH input -> 1 P2SH output (can't be said whether nested segwit or multisig yet)
|
|
|
Did you disable change addresses? The transactions show change addresses are not used....
This is not related to the issue of the OP. Besides that, you can't 'disable' change addresses. That's how bitcoin works. You use one (or multiple) UTXO(s) and create one (or multiple) UTXO(s). OP has sent the whole UTXO 'to someone else', therefore it is a 1 input 1 output transaction. OP, both of the transactions were received successfully. Which tumbler did you use? And where did your second transaction go to? A private person or some business / website?
|
|
|
Update
2019-06-25 18:52:29 | 2019-06-25 19:53:15 | xx.xxx.xxx.xx | XXXXXXXx, Germany
2019-06-24 22:00:53 | 2019-06-24 22:01:56 | xxxx:xx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx | XXXXXXXX, Germany
2019-06-24 20:03:48 | 2019-06-24 20:52:38 | xxx.xxx.xxx.xxx | XXXXXXX, Germany
2019-06-19 09:38:21 | 2019-06-20 14:02:48 | 42.201.183.65 | Karachi, Pakistan
Indeed, somebody from Pakistan used my account! But hey, you know.... I could have used a VPN....
I can confirm this matches https://bitcointalk.org/myips.php on zackie's account. There is no older entry than 2019-06-19 (and this log shows 30 days). You (zackie) should change your password again. You can also Reset your captcha code. I have removed my negative rating and left a neutral one instead.
@zackie Did you use the same password for multiple sites? If so, the chances are high that other accounts of yours are compromised as well. If i were you, i'd check them and maybe change all passwords.
|
|
|
It'll be one session ID? I think it just pulls your id from the server and if you don't have one it assigns one. Then deletes it on logout for security (could be completely wrong though, haven't done much fiddling recently).
No, it creates a new session id for each browser/device. Simply pulling the session id from the DB would be a small security flaw. Invalidating all session IDs when logging out has its advantages. Imagine you logged into your account in a public place, left the place but forgot to log out. Instead of waiting for the session to invalidate (i.e. keep me logged in for X minutes), you can simply login from another device (e.g. your mobile) and logout.
@pugman, so brave is like chromium? Also I couldn't install it, it had a fatal error...
Brave is based on chromium, yes. Almost all browsers are based on chromium now. Basically it is firefox vs chrome/chromium now.
|
|
|
Created FAKE ANNS from already existing Original ANNs where the download link for the Wallets is from github and has no detection, and when you look at the Fake ANNs download link for the Wallets that's different from the Original ANN and there you find a Malware detection, isn't that proof? All was tested with VirusTotal and the Originals links never had a detection but the links to bitbucket or others from the Fake ANNs had one, and it was always the same Malware, and all download links from the Fake ANNS that were created for different coins were every time the same link !!!!!!!
Search for the files and you will find them !
Most probably this is malware, yes. It is already a scam and deserves a flag. But i'd still like to check the files myself to investigate HTTP requests etc.. We might find the website / C&C server of him too. The bitbucket link seems to be down. That is the reason i asked whether someone still has access to the file.
|
|
|
A group of frauds and trust system abusers getting together doesn't change the facts no matter how much you think people are buying your horse shit.
So why are you still trying to abuse the system together with quickscammer if you admit that it doesn't change the facts?
My reputation is not under debate here, mindrusts is.
I wouldn't call that - what you have - 'reputation'.
You keep pointing fingers and I will keep breaking them until you put them away.
Woa.. is this a threat ? Since i have to live in fear now, you did clear damage to my mental health.. You broke an implied agreement to not damage each other.. Can i start a flag against you now?
|
|
|
My guess would be 13135. That's what my magic cat told me when i asked her.
|
|
|
But my company provides us with several sites that uses shared login details between several partners and some of the sites are unfortunately not encrypted.
Are those internal sites only? Or accessed via the internet? I could not understand such a situation. Is there no IT administration or similar ? I can't imagine they approve that. TLS certificates are for free. There is not a single reason to not use them, especially when handling sensitive information.
|
|
|
Apparently Mindrust has not learned anything from this encounter, and is now excluding me from his trust list. While he has every right to do so, this is clearly retaliatory for me exposing his politically based abuses of the trust system.
Well.. maybe he excluded you from his trust list because you are not trustworthy at all? Supporting falsely created flags, opposing valid and necessary flags (e.g. against quickscammer), trolling, illogical statements to protect scammers and fraudsters, etc.. IMO there are tons of reasons to distrust you. In fact, you are trying to abuse the trust system to your favor. You received the most fitting neutral trust rating i have ever seen:
wikipedia - "the Dunning–Kruger effect is a cognitive bias in which people mistakenly assess their cognitive ability as greater than it is. It is related to the cognitive bias of illusory superiority and comes from the inability of people to recognize their lack of ability. Without the self-awareness of metacognition, people cannot objectively evaluate their competence or incompetence." but hey the guy's competent when it comes to sending packages
|
|
|
How do you get into the forum if the password is not known and not saved either?
Probably with a session (cookie) that is valid indefinitely. OP, if you have access to your mail account, then this is not a problem. Just click "forgot password" and wait for the mail. Logging in from another IP is not a problem either.. You are not forced to always log in from only one place. Besides, most people get assigned a dynamic IP anyway, which is only valid for a few days. After that there is a new IP again. In addition, many sit behind a NAT, since the IPv4 addresses are running short. That means that sometimes thousands of accounts are logged in under the same IP address (from the forum's point of view).
|
|
|
What I noticed was my account got logged out on all devices after logging out on Microsoft edge, could anyone confirm as well if that's really how it is?
Yes. When pressing the logout button, the server invalidates all active sessions for this user. Invalidating sessions basically means all session IDs are removed from the database. Therefore upon visiting (or reloading) the site, no active session is found and you have to login again. Doesn't matter from which browser you are trying / from which browser you have logged out.
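The session behaviour described in this post and in the earlier one about per-device session ids, as an added example that is not the forum's code. The `SessionStore` class and its in-memory dictionaries are hypothetical stand-ins for the server's session table; storing only a hash of each id is an extra hardening choice that the posts do not mention.

```python
import hashlib
import secrets


class SessionStore:
    """Hypothetical server-side session table (in memory for the example)."""

    def __init__(self):
        self._user_by_hash = {}    # sha256(session id) -> user
        self._hashes_by_user = {}  # user -> set of sha256(session id)

    @staticmethod
    def _digest(session_id: str) -> str:
        # Added hardening: only the hash is stored, so a leaked table
        # does not contain usable session ids.
        return hashlib.sha256(session_id.encode()).hexdigest()

    def login(self, user: str) -> str:
        """Each browser/device gets a fresh random id, never a reused one."""
        session_id = secrets.token_urlsafe(32)
        digest = self._digest(session_id)
        self._user_by_hash[digest] = user
        self._hashes_by_user.setdefault(user, set()).add(digest)
        return session_id

    def lookup(self, session_id: str):
        """Return the user for a valid session id, or None."""
        return self._user_by_hash.get(self._digest(session_id))

    def logout(self, session_id: str) -> int:
        """Invalidate every session of the user owning session_id.

        Returns the number of sessions removed (0 if the id is unknown).
        """
        user = self.lookup(session_id)
        if user is None:
            return 0
        digests = self._hashes_by_user.pop(user, set())
        for digest in digests:
            self._user_by_hash.pop(digest, None)
        return len(digests)


if __name__ == "__main__":
    store = SessionStore()
    public_pc = store.login("alice")  # forgotten session on a public machine
    phone = store.login("alice")      # second device, different id
    print("removed", store.logout(phone), "sessions")
    print("public machine still logged in:", store.lookup(public_pc) is not None)
```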
|
|
|
Does anyone have the original (apparently malicious) file ?
AV engines often create wrong positives.
I'd like to check the files myself if there is no proof yet, that they are indeed malicious.
|
|
|
If you mean, "if the device itself was stolen", then assuming you have setup a good PIN (and possibly a passphrase), then the chances of them being able to steal the funds from the Nano S without prior knowledge of those two pieces of information is pretty much zero. (Outside of very well equipped forensics labs with very expensive equipment etc, the sort of stuff you can't just go and buy at your local electronics store)
Is this an assumption or is there any source on this ? The reason i am asking is because this would imply that a vulnerability would exist which allows to gain knowledge regarding the pin / seed. I doubt that this is possible even with professional equipment (at least it shouldn't, otherwise the nano s is vulnerable and shouldn't be used IMO). I can't really imagine which equipment could be used for that. Simply unsoldering it and trying to access the data can be done by anyone and shouldn't allow to access sensitive data.
|
|
|
But overall I agree that a non encrypted connection between you and the server should be avoided unless you absolutely trust the other party.
If you transmit sensitive information via the internet, you already have to trust the other party. Encryption does not protect you from the other party, you are basically encrypting for them to decrypt since you share the same key. Encryption is necessary because everyone in between (every router, server, basically anyone who wants to listen to that) can read and modify the information. You are protecting your data from a 3rd party, not from the server you are communicating with.
|
|
|
Yes, I could do that. But I'm not very active and therefore I don't know which users are trustworthy. You have to name somebody and let me check.
I would suggest LoyceV, if he is up for that. He also logged into my throwaway account and confirmed the PMs. If you don't trust him or he doesn't want to do that, anyone from DT1 should be fine. Just make sure to change your password before handing it out, and afterwards again.
|
|
|
|