The necessary secrets are split between the user’s device and ZenGo’s servers.
How can you claim that the user does not have to store/protect a 'private key' (which basically just is sensitive information) if in your concept the user has to store and protect a 'mathematical secret' (which serves as sensitive information). That's basically the same. Each wallet has to store sensitive information. Your concept just creates more security flaws than it solves. It’s not correct that both are stored on the server.
Well.. your website says the following: An encrypted copy of your device share is stored on the ZenGo server, and the decryption code is stored separately in your personal iCloud account.
So.. one of you is lying. If either the server or the device is hacked or lost, the funds remain secure.
No. That's not true. If the device is hacked or lost, the attacker can simply start a transaction. All he needs to do that is 1) the shared secret and 2) biometric data. Both can be found on the mobile. The data of the fingerprint is stored on the mobile. The same applies to the shared secret. I'll say this again, even if someone hacked ZenGo’s server, the user would stay protected.
Which makes it as secure as a web wallet (in this specific case only). Your concept only creates downsides. A standard mobile wallet is - by far - more secure. By design. |
|
|
|
What are you trying to accomplish? Example: UTXO-1 UTXO-2 UTXO-3
------------------------------------------------------------------------
2 BTC -> 1 BTC + 1 BTC
UTXO-2 UTXO-99 UTXO-4 UTXO-5 UTXO-6
-----------------------------------------------------------------------
1 BTC + 1 BTC -> 0.5 BTC + 0.5 BTC + 1 BTC
What do you define as 'all addresses that contain UTXO' ? Please explain it with UTXO-2 as an example. I am not sure whether you have understood how it works.. because your question doesn't really make sense. |
|
|
|
An option you could consider is ZenGoZengo is the first wallet based on threshold cryptography. ZenGo eliminated the need for a private key while still remaining non-custodial. What the hell is this approach... That's even worse than a web wallet. With no single point of failure
So many points of failure..  Backing up your wallet is just as simple. An encrypted copy of your device share is stored on the ZenGo server, and the decryption code is stored separately in your personal iCloud account. Only with your 3D biometric face map can you access the encrypted share.
I really can't believe what i am reading here.. So.. both of the 2 necessary secrets are on your server. The decryption key is also stored online. And oh.. i forgot.. the bio-metric features of a mobile phone are sooo secure. You guys realize that most of them can be circumvented by holding a printed image in front of the camera ? I would NOT recommend to use that wallet. The whole concept is flawed. |
|
|
|
Wie mixaxel bereits gesagt hat, ist es vollkommen normal, dass sich die Adresse jedes mal ändert. Das dient der Privatsphäre. Ein Wallet ist eine Software (oder in einem Fall: Eine Software die mit einer sicheren Hardwarekomponente kommuniziert), welche deine private keys managed. Die BTC an sich sind an die public keys (abgeleitet von den private keys) gebunden. Solange du die private keys hast (dein nano s behält immer alle private keys; sie können auch vom Backup wieder hergeleitet werden), kannst du immer Coins die an deine Adressen geschickt worden sind ausgeben. Dein nano s erstellt nach jeder Transaktion eine neue zusätzliche Adresse. Die alten bleiben dennoch gültig. Dass sie nicht angekommen sind, ist natürlich komisch. Gut möglich ist, dass es sich einfach um ein Netzwerkproblem handeln (quasi ledger server down etc.). Teil uns deine Adresse doch mal mit, oder wenn du die nicht teilen möchtest, gib sie doch mal in einen Blockexplorer ein (z.B. https://live.blockcypher.com/) und schau wieviele Transaktionen dort 'angekommen sind'. Wenn die zweite Transaktion dort nicht auftaucht, dann überprüfe doch bitte ob du sie an die richtige Adresse geschickt hast oder ob du eventuell eine falsche eingegeben hast. |
|
|
|
Correct me if I'm wrong, but I believe there was never hacks or something else at blockchain.com's wallet.
Blockchain.com is a web wallet. This makes it way less secure compared to other wallets - by definition. You hear a lot of people here shouting to never upload your private keys. Not even encrypted. Well.. that's exactly what you are doing with a web wallet. There are countless attack vectors against a web wallet, which do ONLY work against a web wallet. For example.. if i gain access to the database of blockchain.com (either by hacking into it or by paying some employee a big amount of money), i could try something like DNS poisining to get people to visit my site (which they will think is blockchain.com). I wouldn't need to crack any passwords in this case. I would have the encrypted private keys AND the passwords from the user once they try to access the web wallet. This simply is not possible with desktop wallets. @OP: With 1000$+ it is worth buying a hardware wallet (IMO). But else, i'd go for electrum on your desktop and a mobile wallet on your phone (e.g. mycelium). |
|
|
|
Isn't hacking illegal?  Not necessarily. 'Hacking' without permission is illegal. But Cyber security researcher, penetration tester, bug bounty hunter, ... all are white hats. They do 'hacking' for a living - in a completely legal way. Who do you think is auditing companies and banks ? You need 1) 'real' auditors (who audit the processes inside of the company) and 2) penetration tester to successfully find security flaws which can be exploited. P.s. I do not know what kind of website this is, neither did i ever visit it. |
|
|
|
[...] You could create what is known as a brain wallet using words from a poem, but this is an extremely bad idea and your coins would likely be stolen by a simple brute force attack within a matter of hours. No one would need access to your Ledger, seed, wallet, or anything else to be able to brute force a brain wallet. Don't do this.
I can't emphasize this enough. Even if you think you are safe when choosing a poem.. There are people out there bruteforcing brainwallets by using most common passwords (e.g. the rockyou.txt wordlist) or any kind of poems / stories / quotes / etc.. The chances are high that you will lose your coins. There is nothing better than a truly randomly generated seed. Human brains are not (and can never be) random enough. Trust math, not your brain. |
|
|
|
[...] (the leather case can block RFID/radio waves and microwaves afaik).
Leather does not stop RFID cards etc. being read. Leather does not block radio frequency. You'd need some aluminum for that. You know.. the material which also protects us all from the governmental mind control. can magnetic fields destroy them!?
Short answer: Yes. But this doesn't mean that you lose access to your coins. As long as you have your mnemonic code (the 24 words), you will be able to recover your coins. You should ALWAYS have the 24 words.. the device could always break or fail. Having a backup of these words is the only way to guarantee access. |
|
|
|
Apologies for bumping this again
No need to apologize for it. If your issue hasn't been solved yet or you still have other questions, feel free to post as much as you want. After doing a lot of reading. I think buying a new machine that's clean is my best option and then installing a new version of bitcoin core. I then just need to copy across the wallet.dat and let then run bitcoin core and let it sync. Can anyone confirm if anything else is required?
Did i miss something ? Why do you need to buy a new machine (hardware) which is 'clean' ? What exactly do you want to achieve ? Do you just want to access your BTC asap ? Or do you want to have core running ? You can access them the fastest way by using electrum (see posts above). If you want core running, simply reinstall it (make multiple backups of your wallet.dat!). Or do you have some kind of hardware problem ? |
|
|
|
As PhoenixFire said.. PureOS is based on debian, hence my commands will work. And he is also right with saying that permissions don't matter. You just need the files. Just copy it to your USB. For example, if you have mounted your USB in /mnt/usb, the command would be: sudo cp /var/cache/apt/archives/python-qt4.deb /mnt/usb/.
sudo cp /var/cache/apt/archives/python-psutil.deb /mnt/usb/.
Given that the files are named python-qt-4.deb and python-psutil.dev. But most probably they have a version number behind them. For example something like python-qt4_4.12.1+dfsg-2+b1_amd64.deb. Just look for them on your online machine and copy these files over. The insert the USB into your offline machine, copy it over and install the .deb files. |
|
|
|
Came to ask for advice about why my Electrum Wallet will not let the provided Bitcoin receiving address is not working it just says invalid and from what I read on Google I am not the only one.
 The provided 'receiving address' is valid. You might have a bech32 format address (starting with bc1..) which is not yet accepted by older (not updated) online services. Therefore, to get nested segwit (addresses starting with 3..) or legacy (starting with 1..) which are both accepted everywhere, recover your wallet with your seed. If I can't get Electrum Wallet working which I read you want to reinstall or use the Seed Keys to get it to set up so it has "Legacy" option or whatever they call the new "Standard" that's just the few limited pages I had time to read on google.
Yes, simply recreate your wallet and choose nested segwit (P2WSH / P2SH). But no need for anyone to being calling Me stupid for not knowing the recent Price of a hardware wallet lol it was an estimate and one I remembered from literally years ago and was in no way intended as a statement of fact. Yet here I am relentlessly getting my head ripped off after I made it very clear I am NEW to Bitcoin 100% Completely.
I don't think Lucius meant to insult you. Accentuation can change a lot when talking, which unfortunately can not be transmitted via text on the internet. I think he thought that you could simply google it (which literally takes less than 10 seconds) instead of calling numbers which are extremely high compared to the actual price. No one wants to 'rip your head off'. |
|
|
|
Yeah, I'm really surprised. I have no explanation for that but my account is NOT for sale! And I changed the password a few minutes ago.
How can I find out wheter I got hacked? I don't have these messages in the outbox, I haven't even used this account for weeks...
What a coincidence I hope you understand that this is hard to believe.. especially since you didn't post in the last ~8 months and coincidentally came online yesterday I don't see a way you can proof this certainly wasn't you or someone you tasked with selling your account. A signed message only shows that this is really you at the moment. And IP logs only show whether you used the same IP to log in. This doesn't say anything about someone you tasked with selling your account or a VPN / proxy you might have used. I don’t think he needs to prove his innocence. The OP needs to prove guilt. He can report the PMs to a moderator who can authenticate the PMs.
It is trivial to fake a screenshot....they have been faked in the past few months.
I think i have shown enough proof. It is quite amusing how you (as an account farmer) are trying to protect account seller with every possible way. Maybe @TrustedAccSeller is your seller / buyer ? Or is it simply you ? If bob123 gives me access to his throw away account alice321, I'll confirm the PM (if it's there  ). Done. I have send LoyceV a message containing the login credentials. He can verify the messages. |
|
|
|
i used malware bytes and removed all the (only 1) thing it found
Removing the file might be not enough. The first step after infecting a system (from the attackers point of view) is to gain persistent access. There are several methods of doing this. The most common is to simply migrate into another process (automatically on start up). If the malware has been created by some 13 year old script kiddie, your computer is clean. If that is not the first malware from the author and he knows what he is doing, it is still compromised. The only way to be sure is to reinstall your OS. It is completely up to you if you do this or not. But if you want to be somewhat sure, you need to do this. |
|
|
|
NICE! does that mean i dont have to format my pc and can get rid of it another way?
No, this means i can't say what the malware is exactly doing, since there is no source code. The source code you are looking at is the code from the legit project gekko. But the author of this malicious version changed 1 file (executable file). And THIS file contains the malware. |
|
|
|
You fell to a malicious fork of gekko (which itself is a legit trading bot). The original trading bot can be found here: https://github.com/askmike/gekkoThe malicious one, forked it from github and literally only made 1 commit: https://github.com/nodeoperate/gekko/commit/7474952aa05f80a3de0f244764702e8a3805e824. The author of it replaced a binary file ( EMA Cross ByBit v1.exe ). This most probably is the malware. What it exactly does, can not be told without runtime analysis (can be circumvented by malware through multiple checks whether run in a sandbox etc.) or reverse engineering (very time consuming). Honestly, i highly doubt the author put a lot of effort into the malware, therefore runtime analysis might be an option to see what it does. If you are interested in checking what files it changes, what network connections it opens etc.. you might want to upload that file to https://any.run/. This site requires an account (free), but i personally didn't use that site yet, but based on other opinions it should be pretty neat. |
|
|
|
I scanned my pc and deleted the files, the av didn't find anything so I'm assuming it's clean now
Simply deleting files usually doesn't clean your computer. Also AV's only find very well known threats (heuristics) or blatantly obvious malware (runtime analysis). Properly coded malware is not being detected by any AV software. Do not assume it is clean just because one or multiple AV's didn't report anything. I'd recommend to backup important files and reinstall your OS to be on the safe side. also the address didn't have any funds so maybe its hoping new funds come in and then transfer them out?
Very well imaginable. |
|
|
|
[...] found out about the trojan and removed it successfully.
Removing malware completely can be quite hard. What did you exactly do? Just deleted the file ? Using some AV ? What were the steps you took ? But now im wondering if the hacker got access to my bitcoin wallet private key (no funds but i used it to stake my account on bitcointalk) and any other things, any tips from the good folks here?
This fully depends on what kind of malware this was. Maybe it just was some clipping malware, maybe your whole system if compromised and maybe it even was a root kit where formatting the drive doesn't help you clean your PC. To be honestly, since it changed your clipping board, i doubt that it is a root kit. I also doubt (if your wallet is not empty yet) that it got access to your private keys (but still possible!). Just.. if i would create such a malware i would either: 1) Change clipping board and instantly steal all funds or 2) Slowly gather as many private keys as possible and later steal everything (hoping that you will own more cryptos in the future) Changing the clipping board instantly and still having your system compromised to wait for more funds doesn't make sense in my eyes. Either your malware is hidden until it steals everything, or it reveals itself and instantly steals everything it has access to. However, formatting the drive is still the preferred way. If you don't want to risk losing more, reinstall your OS (please NOT a cracked windows version; EVERY cracked software is infected with malware, that's their business model). Also should i do something about the staked address i have on bitcointalk now?
Preferably quote the post where you staked your address and sign 2 messages: Sign one message with a new address and sign another message where you state that you change it due to the fact that it might be compromised (using your old address). |
|
|
|
Definitiv ChipMixer. Ist aktuell wohl der most trusted (und nein.. das behaupte ich nicht nur weil ich an deren Signaturen Kampagne teilnehme). Im Gegensatz zu anderen Mixern ist ChipMixer schon lange dabei und hatte die ganze Zeit über keine 'Zwischenfälle'. Zudem erhältst du die Coins nicht direkt über eine Transaktion, sondern private keys um die Transaktion dann selber (zu einem beliebigen Zeitpunkt) broadcasten zu können. Das verhindert jegliche Blockchainanalysen und es kann keine Verbindung zwischen pre- und postmixing Coins hergestellt werden. |
|
|
|
|
Du solltest eventuell mehr Informationen dazu bereitstellen, gerne auch hier öffentlich im Thread.
Nutzer, welche einen higher ranked account suchen um etwas für sie vorzustellen, machen sich generell schon mal verdächtig.
Wenn es sich um keinen Scam handelt, finden sich sicherlich einige die dir helfen werden. Dazu werden aber mehr Informationen benötigt.
Da du ja eh ein Announcement planst, sollte es ja auch kein Problem sein das hier öffentlich zu posten.
|
|
|
|
|
Show Posts
