I decided to use some spare time to get some accounts - which are up to sale - flagged.


I found 2 threads claiming to sell forum accounts:

1) https://bitcointalk.org/index.php?topic=5155184.0 (archived link): User 'SeW900'
2) https://bitcointalk.org/index.php?topic=5139800.0 (archived link): User 'Rueduciel'

Both of them contained their telegram ID, so i just went ahead and contacted both of them.


1)
The accounts provided by 'SeW900'  (or better: @TrustedAccSeller on telegram) were:

• cicizhang  (https://bitcointalk.org/index.php?action=profile;u=935809)
• TanClan98 (https://bitcointalk.org/index.php?action=profile;u=1045919)
• zackie (https://bitcointalk.org/index.php?action=profile;u=99997) [Proven that the account is really up to sale and owned by the seller]
• Zedster (https://bitcointalk.org/index.php?action=profile;u=78317) [Proven that the account is really up to sale and owned by the seller]
• Ntrain2k https://bitcointalk.org/index.php?action=profile;u=167659 [Proven that the account is really up to sale and owned by the seller]
• nonnakip https://bitcointalk.org/index.php?action=profile;u=69046
• narousberg https://bitcointalk.org/index.php?action=profile;u=61971 [Proven that the account is really up to sale and owned by the seller]
• pant-79 https://bitcointalk.org/index.php?action=profile;u=203430

According to him, some of them (the first and/or the second one) are already banned.
However, the remaining ones - which he wanted to sell - are not banned yet.


2)
The accounts provided by Rueduciel were:

• J Gambler (https://bitcointalk.org/index.php?action=profile;u=821674)
• fitty (https://bitcointalk.org/index.php?action=profile;u=25298) [Proven that the account is really up to sale and owned by the seller]

I asked both of them to send me (user: alice321, just created today to receive those messages) a proof that they indeed own that account.


1)
After requesting proof of ownership of cicizhang and TanClan98 from SeW900, he told me that 'the account' already is banned.
Therefore he proposed me 2 other accounts, which i can buy (zackie and Zedster).

He told me to contact @TrustedAccSeller (via telegram), which i did.


After a long conversation with him and multiple excuses i brought up to not buy an account which he had proven the ownership of (because i wanted to tag as much accounts as possible), i finally got the proof of ownership of multiple accounts and names of a few accounts without proof of ownership.

The accounts proven to be for sale and owned by him (zackie, Zedster, Ntrain2k and narousberg) should definitely receive a negative trust rating.
I am not sure about the accounts without proof (cicizhang, TanClan98, nonnakip and pant-79). I'll let some DT member decide how to handle this.




2)
Rueduciel offered me J Gambler.But he did not send me a proof for ownership because he noticed that this account already is reserved for some other buyer.
Therefore he proposed me the account fitty, which he proved that he indeed has control over this account via a PM.

But now i really wanted to also have his first account (J Gambler) to be flagged too. I asked him whether i can have this account if i additionally pay 50$ on top (not like 400$ aren't enough already).
He agreed.

Unfortunately i made a big mistake by leaving him a negative trust rating BEFORE contacting, paired with my sense of humor regarding the chosen username, which interfered my plan. He came to the conclusion that my alt (alice321) is related to me (bob123).


While it is not proven that J Gambler is really under control of him, i still believe that he indeed wants to sell this account.
I am not sure about leaving a negative trust rating on this account, therefore i will let the DT members decide how to handle this.

fitty definitely should receive a negative trust rating.


Screenshots of the chat history:

• 1) with SeW900 ('Walter' on telegram): https://i.imgur.com/7lTjZxs.jpg
  
  • with @TrustedAccSeller (telegram):
  • • part 1
    • part 2
• 2) with Rueduciel ('Mara Mae' on telegram): https://i.imgur.com/dt4l4KX.jpg

Screenshot of my received PMs: here and here.



I have sent a negative trust rating to fitty, zackie, Zedster, Ntrain2k and narousberg.
Now i need a few (at least 1) DT member to also leave a negative trust rating.

Especially for Ntrain2k, since he has 6 positive trust feedbacks.

No one should trust an account which is up to sale. Especially not Hero / Legendary ones and some with a positive trust rating.

You need to download and process the whole blockchain, always.

With pruning you just simply automatically delete the old blocks.

You can set it in the 'Options' menu of core. prune=550 would be standard and means that core should keep 550 MB of blocks.


But using a SPV client is probably the preferred way since you also don't need to keep the blockchain synchronized to send funds.
Make sure to download electrum from the ONLY official source: https://electrum.org/#home and verify the signature of the file. You can find a short tutorial here: https://bitzuma.com/posts/how-to-verify-an-electrum-download-on-windows/.

Verifying the signature is the only way to be absolutely sure that the software you are running is indeed from the developer of electrum (ThomasV).

Almost all cracked versions of valuable Software (windows, photoshop, etc..) are infected with malware.
If you are using cracked software, you should definitely regard your computer as compromised.

Just because noone stole cryptos from you yet, it doesn't mean that they can't. Chances are high that they have access to your computer and/or it is used for spam mails / any other kind of botnet.


Cracking a software so it is able to run without activation keys etc. is not an easy task. It takes quite some time and they want to be paid for that work.

If you REALLY insist on using cracked software, use linux as main OS and run all of this cracked stuff in a virtual machine if you really can't just use the open source alternatives.

No, as long as you have your private key of the address which received the funds (e.g. backup of armory / wallet file) you did NOT lose your coins.

You have multiple options now:
1) Enable pruning in core. You can set a maximum amount of storage core should be allowed to use (550 MB default value).
Blocks are going to be downloaded, processed and deleted afterwards. Only the last X blocks (prune size) will be stored.

2) You can decide to use a lightweight client which does not need the whole blockchain to be downloaded / processed (e.g. electrum).
The preferred way to move funds to such a wallet would be to first create a new wallet, then create a 'second (temporary) wallet' by importing the private key which received the funds and then create a transaction sending your funds to an address from your new wallet.

You are not fully synced yet.

Currently there are 581885 blocks.

Block 427031 was mined 2016-08-27. So you don't see any transactions which happened past this date.
You need core to finish syncing (at least past the block where your transaction was included) for it to be reflected in your wallet.

The attack itself? No.
The vulnerability itself? No.
The consequences? Yes.

The attack itself with the firefox exploit was that you have to visit a prepared page. That's all you need to do to trigger the exploit.
With the VLC player, you need to download and start a specifically crafted file.

Firefox hat a type conversion vulnerability. This means when handling different types of data (when converting them) one could get firefox to crash.
In VLC you can trigger a heap overflow (writing beyond the space you are allowed to write data to) and/or a double-free (which means you can free up the same space of memory twice, allowing to insert your own data (e.g. code to execute)).


Note, that whenever you can get a program to crash because of an overflow (stack- or heap-) or a double-free, the chances are high that you can also insert own code to be executed.
Which also is the case for firefox and VLC.

That's usually not a problem.
Updates can always be installed incremental.

If you can't update from 1.0 to 2.0 directly, update 1.0 -> 1.2 -> 1.4 -> whatever -> 2.0.
This can either be done by the user manually (if all updates are available) or be handled by the updating software (like it is the case with ledger live).



This user didn't update the firmware for roughly 2.5 years.
Also, the reason for incremental updates not to work is that they released ledger live and changed quite some things regarding the upgrade process.

And since the old update-applications (chrome apps) don't work anymore, an update isn't possible anymore if you have a version which is too old.

If you could still use the chrome apps to update the firmware, this wouldn't be a problem.

Security-wise both are identical.

They both require your computer to be clean.
If your computer is compromised (e.g. via download malware / open malicious email attachment), both (armory and electrum) are equally prone to your coins getting stolen.

Most dekstop wallets have the same level of security (except for some shit wallets like jaxx or other closed source wallets).
They all extremely depend on the security of your PC.


If you keep your PC clean (which is not as easy as it sounds) and you use your common sense, a desktop wallet is perfectly fine as long as you don't store amounts inside of it which you definitely can not allow to lose.

Repsos ? Who does count to 'repsos people' ?

Also.. electrum is one of the best SPV wallets out there.




Each wallet has and had vulnerabilities in the past.
Electrum did not have more or less.

But the time it takes the devs to fix it, is very low actually.

A 'shitton' of time is simply wrong.




Yes.. the message allowed HTML to be displayed, which some malicious server made use of.
So.. what ?

This vulnerability wasn't even of medium severity. In fact, it was 'low' based on CVSS.

No malicious actor could abuse it to do ANY harm without a lot of mistakes by the end user.


The user had to be plain stupid to download electrum from a non-official website AND to not check the PGP signature.

Each user who lost coins this way is 100% responsible for this. Common sense is mandatory when dealing with crypto currencies.

No reason to blame electrum / devs here.




I guess you were one of these absolutely non-techy people who click on every link and are still running windows XP or 7 ?

Accept, that it was completely your fault and learn from your mistakes.

Electrum is perfectly fine.

You can receive coins without being synced.

You need it to be fully synced to send your coins, but not to receive them.

To check whether you received them, you can head over to a block explorer (e.g. https://live.blockcypher.com/), enter the address, and check whether you received a transaction and check the amount of confirmations.

However, you will only be able to see it in your wallet if the syncing process has already processed the block where your TX got included into.

Both are correct.

As LoyceV has mentioned, the whole input has to be 'consumed'.

You can compare it to a dollar bill.
You can't just give someone 1/10 of bill. You give the whole bill (bitcoin's UTXO) and get new bills / change back (new UTXO's being created).

Your wallet should show that you still own these 4 BTC, is this the case ?
If so, everything went as expected.

Bitcoin core does not encode the seed into a mnemonic code.
OP probably only has a wallet.dat, if he is able to find that file.


OP, did you accidentally create a new wallet.dat ? Can you check the creation date of that file ?
If your (old) wallet.dat accidentally got deleted, you should stop using that hard drive and make an image of it to try some data recovery on the image.

If it has been deleted recently, your chances are high that you can recover it.

Nur der Vollständigkeit halber:

Das RBF-flag muss nicht gesetzt sein um einen Double spend durchzuführen.

Es gibt mehrere Ansätze eine noch nicht bestätigte Transaktion zu 'double-spenden'. Diese sind definitiv nicht trivial und haben keine Garantie zu funktionieren.
Dennoch besteht die Möglichkeit - unter gegebenen Vorraussetzungen - einen Double spend durchzuführen. Zumindest für technisch affine Personen. Selbst ohne RBF-flag.


Ein Beispiel wäre der 'Race attack':
Ein Angreifer bereitet beide Transaktionen vor (die double-spending und die, die das Opfer sehen soll).
Dann sorgt der Angreifer dafür, dass er direkt mit dem Opfer connected ist und zugleich mehrere 'Helfer-nodes' hat, die die double-spend Transaktion broadcasten.

Dann wird die 'originale' (zu ersetzende) Transaktion mit dem Node, welcher mit dem Opfer connected ist, gebroadcastet und gleichzeitig broadcasten die Helfer-nodes die Double-spend Transaktion.

Wenn dies richtig gemacht wird, sieht die Mehrheit des Netzwerkes die Double-Spend Transaktion als die 'erste' an und speichert diese im Mempool ab während das Opfer die zu ersetztende TX sieht und die zweite abweist (mempool conflict).

In diesem Fall stehen die Chancen gut, dass die Double-spend Transaktion bestätigt wird.


Es gibt mehrere solcher Angriffe. Und aus diesem Grund ist es auch nicht empfehlenswert 0-conf Transaktionen für 'höhere' Beträge zu akzeptieren.

The seed generated by the nano s shouldn't be entered anywhere else than the nano s itself.
That's the only way to be sure that the seed won't get compromised.

Why risk compromising the seed if you can check it using electrum where the private keys won't leave the nano s at all..



If the nano s contains the private key to this address, they are not lost or 'unreachable'.
And to check that (given that OP didn't verify the receiving address on the nano s), connecting the HW with electrum is definitely a better way than risking to compromise the seed.

What?
Do you even know what this topic is all about ?

OP has a hardware wallet. The last thing he should do is to enter the seed somewhere else than into his nano s...

---

OP, can you verify that the address is indeed part of your wallet ? Did you verify it on your nano s screen when asked to do so ?
If not, you might want to connect your nano s with electrum, open the console and enter:

If it returns true, it is just a connection / display issue.

On a technical level, there are no 'addresses'.

Bitcoin is based on a UTXO (Unspent Transaction Outputs) model.

You 'destroy' UTXO and create new ones. If you use UTXOs as input which do not exist, each node will ignore it when validating it using their 'list' of all UTXOs.
Validating a transaction happens upon receiving it.


Does this answer your question ?

Well, first.. If ViaBTC's mining pool went down, BTC.com still wouldn't have more hashrate than the remaining (honest) network.

Second, those are mining pools. Not single companies with all their mining equipment being in one place.
The majority of hashrate comes from individuals (private and business) which mine together in a pool.
So there is no power outage which could hit all miners inside of a pool.

Nope. No downsides.

But, if you already use ledger live to get an receiving address, you might as well just consolidate using ledger live (given that you simply want to consolidate all UTXO's).
Saves you one step.

But doesn't really matter tho. If you'd rather use electrum, use electrum  

Actually, i am not sure what OP exactly means either.

I also had in mind that you can only protect your wallet file once.
Unfortunately i currently don't have access to electrum and therefore couldn't search through the settings.

Might definitely be possible that he protected the file with a 3rd party program (which would automatically mean encryption tho).


However, as long as it is somehow protected from access without a password everything is fine privacy-wise. Regardless of how he accomplishes that  

OP has his wallet protected with a password.

Therefore without knowing the password, other people can't simply open the wallet and spy on his transactions.