Is your question how the transactions are being sent via internet without risks? Or is your question how the nano s (the hardware wallet you have) creates the transactions without leaking your private keys?
Regarding the first:
If you have received 1 BTC to an address from the nano s, this 1 BTC is 'assigned' to a public key (here called public key A). In order to spend this BTC, you need to create a transaction which says 'send 1 BTC from public key A to public key B'.
Since anyone can create such a transaction (saying 'send 1 BTC from public key A ... '), you need to sign the transaction. Signing is done with the private key which corresponds to the public key. So in this case you would need to sign the transaction with private key A.
Signing is a cryptographic process, which ensures that no one can change information inside of the transaction without the signature being invalid (signatures depend on the content they sign). Since transactions are only valid if the signature is valid, you can now send the signed transaction via the internet without any risks of tampering etc.
The only sensitive information here is the private key. Anything else can be seen / accessed by everyone without any risks.
Regarding the second: The nano s has a secure element. This is not simply a memory chip, but a microchip which can sign transactions with the private keys it has stored. If you want to send BTC, your computer creates a transaction (non-sensitive information) and sends it to the nano s.
Then the nano s reads the transaction and displays the information for you to approve. Once you click the 'accept' button, the secure element signs the transaction and sends it back to the computer (no sensitive information).
The sensitive information (private keys only) is stored inside of the secure element. It never touches your computer or anything outside of the secure element.
If this still didn't answer your question, feel free to describe your concerns more precisely.
|
|
|
Wait which seed? Also if I made payments and received payments through Ledger Live doesn't that mean it's 100% authentic, (I did buy it off a friend).
What do you mean with 'authentic'? You did generate the seed yourself, right? If not, regard the seed as compromised and move your funds to a new one (generated by you) as soon as possible.
When I made a new wallet and tested the seed with an online desktop it worked, so I have no idea what went wrong.
And you are 100% sure that you used that exact mnemonic code? You might try entering it into a desktop wallet again. But regard that seed as compromised afterwards. If you will be able to access your coins, move them to a new seed. But I doubt it will be accepted as a valid seed in a different wallet, if the nano s doesn't accept it.
|
|
|
Is there any decentralized mixer? It is not always easy to hide identity when doing btc transactions and direct p2p mixers would facilitate that.
Not directly a p2p mixer, but coinjoin probably is what you are looking for. This is a method to combine multiple transactions (from multiple senders) into one large transaction to obfuscate the recipient. Wasabi (https://github.com/zkSNACKs/WalletWasabi), a desktop wallet for windows, linux and mac, has this feature included. Currently the minimum amount to queue for coinjoin is 0.1 BTC. In this process, there is no centralized entity which is required to be trusted.
|
|
|
- Full nodes client isn't required to use Lightning Network wallet
If you want to participate in the lightning network without any trust, you need to run a full node. You don't need it on your mobile. A simple connection to your full node is enough. But a full node is mandatory if you don't want to rely on 3rd parties. However, I don't see any reason to have a full node running on your mobile. Rather set up a small raspberry pi at home and connect to it with your mobile. Saves CPU power and therefore battery.
|
|
|
There doesn't even need to be a real backdoor.
Just a purposely included vulnerability would be enough to completely compromise your server which you are running the exchange software on.
This would be hard to detect. Especially in a non-running environment. Also, no one guarantees you that the developer knows how to create such a software properly. Even if no vulnerability has been placed in there on purpose.
If you really want to use that template, you should set up a test environment and purchase a full security audit / penetration test for webapp. And don't choose a test which only lasts 5 days. You'd need 10 - 15 at least. With an average price of 1k - 2k$ per day, that would be between 10k$ and 30k$.
If you don't have enough money to perform such an audit, don't start an exchange.
The chances that a fully working and secure template for an exchange is available for free.. are almost zero. Why would someone give it away for free if they can earn money by selling it? What is their business model? How do they make money from that template ? Selling it is lucrative.. what would be more lucrative?.. Just think about it.
|
|
|
I decided that it would be a very good idea to create a brain wallet and use it with Electrum. In the course of my research I found out how to achieve that using Electrum.
You made 2 mistakes.
1) Brain wallets are always bad. The entropy is way too low to not be guessable by a computer.
2) You probably have chosen the most error-prone way of generating a brain wallet in electrum. What you should have done is to create a 'big random number' with your brain. For example with taking a sentence, words, whatever and hashing it to get a 128 bit number. Then you'd encode this 128 bit number as a mnemonic code which is accepted by electrum. This way you would have to memorize / backup your 12 word mnemonic code, which you can always use to derive your xpriv. But using a random phrase, converting it to hex, deleting the new-lines and pasting that into electrum can easily go wrong (and it unfortunately did).
Since you already tried 'millions' of variations of your seed, I can't come up with an idea to recover your funds. Checking the address type, as mentioned by HCP, is probably one of the last things you can try.
|
|
|
[...] in order to prevent from a birthday paradox attack on the signature.
A birthday attack is applicable to hash functions, not encryption or signatures. Further, with the birthday paradox you would calculate the probability of creating 2 messages which result in the same hash (any random hash!). Not a second message with the same (given) hash which the signed one has. This is not applicable in this case. Neither theoretical nor practical.
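The distinction drawn in this reply, as an added example that is not part of the original post: a birthday search finds any two messages with equal hashes, while forging against an already signed message means matching one given hash. It goes beyond the post by measuring both on SHA-256 truncated to 18 bits; the toy hash, the message names and `SIGNED` are constructed assumptions chosen so the searches finish quickly.

```python
import hashlib
from itertools import count

BITS = 18  # truncated digest size: small enough to brute-force in a demo

def h(msg: bytes) -> int:
    """SHA-256 truncated to BITS bits (a deliberately weak toy hash)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") >> (256 - BITS)

def find_collision():
    """Birthday search: ANY two distinct messages that share a hash."""
    seen = {}
    for i in count():
        m = b"msg-%d" % i
        d = h(m)
        if d in seen:
            return seen[d], m, i + 1  # both messages and the number of tries
        seen[d] = m

def find_second_preimage(target: bytes):
    """Search for a different message that matches the hash of ONE given message."""
    want = h(target)
    for i in count():
        m = b"forged-%d" % i
        if m != target and h(m) == want:
            return m, i + 1  # the forged message and the number of tries

SIGNED = b"pay 1 BTC to B"  # constructed stand-in for the message that was signed
```

The collision search is expected to need on the order of 2^(BITS/2) tries and the second-preimage search on the order of 2^BITS; at a full 256 bits that is roughly 2^128 versus 2^256.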
|
|
|
Mate here you are exposing your node details, IP, Port are clearly visible and shows its open for 0.0.0.0.
I suggest you remove the last link.
So what? An IP address is public information. If anyone wants to communicate with you, he needs your IP address. This includes all other nodes you are connected to, all websites you visit, your email provider/server and all other online services you are using. Giving out an IP is not a problem at all.. at least not if you aren't doing shady business. And the port is the standard port for the bitcoin protocol. It is set in the specification. Every BTC node listens on port 8333. That's part of the protocol specification.
|
|
|
You might have a corrupted HDD/SSD; there is an old thread here that solved this issue by reinstalling the bitcoin core.
To quickly check that, download a tool which reads out the S.M.A.R.T. values of your hard drive. For windows, you can use HDD Health or CrystalDiskInfo. Both are able to exactly show you what the problem with your HD is (if any at all). Might be faster than reinstalling core, and you will know whether you have to backup your whole drive / buy a new one.
|
|
|
I can't believe everyone got this wrong:
There is only one certain way to prove ownership, and that is by giving your PRIVATE KEY to that someone.
~snip~
If you want to prove ownership of an address that has funds, you move the funds out first, and give out the private key [...]
Then a malicious actor just needs to gain access to your master public key (xpub) to derive all of your private keys belonging to this HD wallet (non-hardened only). Signing messages is fine to prove ownership.
1) Having a signed message that belongs to that public hash does NOT prove you have ownership, it merely proves to someone that you possess that signed message, but you might or might not be the original actual signer or owner. [...] A good real life example of the misconceptions of 1 or 2 is all the OTC scams that take place, where the scammer is a man in the middle but appears to be an owner.
Of course you wouldn't sign a message like "i own this address". You would include your name, the current date and the reason for signing this message. And eventually even a random token from the person who wants you to prove the ownership. A MitM wouldn't be useful in any way here.
|
|
|
1. If your ledger would be hacked, all funds would be gone already.
2. If the total amount of your coins inside of your wallet still is correct, it indeed is a change address of yours.
Bitcoin transactions work with inputs and outputs. For example: You (A) have 1 input (i.e. received 1 transaction) with 1 BTC. You want to send 0.1 BTC to B. The transaction looks like this (ignoring fees here):
Input:
Outputs:
- 0.1 BTC (to B)
- 0.9 BTC (to yourself)
Your wallet will show 0.1 BTC being transferred. On a block explorer however, you will see that your whole BTC has moved (which is true, but 0.9 of them moved to a different address of yours).
|
|
|
[...]Other users have also reported this problem using MCX and other wallets [...]
I'm using the plugin with 3 wallets: Coinbase (coinbase.com), Bitgo (bitgo.co) and Market Coin Exchange (mcxchange.co) and only one is compromised. So it must be coinbase's security. Blockonomics also strikes me as a scam.
Why is your conclusion that something is wrong with coinbase? Coinbase can't protect you if a 3rd party gains access to your credentials (did you use 2FA?). The preferred way to accept BTC on a website is always to do it yourself. And if this is not an option because the effort wouldn't be worth the amount you expect to get, use a payment processor. But if possible do it without WP plugins. Only very few of them have a security audit being done. Vulnerabilities in WP plugins wouldn't be something new.
|
|
|
Are you somehow worried that you might have to enter your mnemonic code? You have asked that quite a lot whether you will have to enter them. You should always(!) have a backup of your mnemonic code. Are you missing those words??
I could do it on linux virtualbox machine but each time nano s disconnects from computer I have to manually enable usb device again in the virtualbox machine so the virtual machine can recognise it. Is there a way in virtualbox that keeps the usb device constantly on and recognised when the software update disconnect the usb devices to avoid prompts on screen and avoid manual enabling?
Yes, you need the guest additions installed. Then navigate into the setting folder -> USB -> add a filter "empty". Then all USB devices which will be plugged in while the VM has the focus will be auto mounted in the VM.
|
|
|
Private keys don't contain the address type. This is just a feature in electrum to let it know what addresses you want to derive. The private key is for each address type the same.
You can simply import your private key into electrum and then change the script type by clicking on the QR (should show: Tap for Bech32 / Tap for P2PKH / Tap for P2SH below the QR). Just tap it (minimum 1, maximum 2 times) until you get your bech32 address.
|
|
|
Yes reload is there too. The icon you posted is for refresh (check for new). Reload, starts from the beginning and reloads / re-imports everything. -Dave
There is just one button (call it refresh or reload). But there is no button which re-imports everything (why should it, this doesn't make sense). You just need one button, to 'refresh' (i.e. check for new transactions related to the addresses inside of the wallet).
@OP This seems to be a connection issue. Do you connect via TOR or VPN? If so, try without. Sometimes (but rarely) mycelium servers are kind of busy, delaying the appearance of new transactions for a few days.
|
|
|
Yeah i did try that on what HCP mentioned and I get ledger live app manager saying the following message oops, your device should not be in Bootloader mode Please restart your device or contact us.
But, in windows or the linux VM? HCP mentioned you might try to connect it via your windows host, which you replied with the mentioned message being shown. If this message comes when you access it with your VM, that's weird. Can you try the following (if you haven't already in this particular order) on your VM:
- Start ledger live
- Connect the nano s with the button pressed
- Activate the USB connection to your VM
- Try to start the firmware upgrade
What happens then? Do you get the message which says ".. device should not be in bootloader mode.."? Note that it might take a few minutes to update the firmware. Especially if their servers are busy currently.
How do I restart the device?
Usually just unplugging and re-plugging it.
|
|
|
Loved the app
Roughly 15 minutes after registering, the one and only post is this here. Seems legit.
Just a general warning for everyone: Never trust closed-source applications from a newbie. You can't know whether there is some backdoor / malware or whether he actually knows how to securely write an application which handles sensitive information.
|
|
|
It would not really be possible to make using a mixer illegal.
Delivering android updates can be made illegal (at least in the US)... I don't think there is anything (in the US) which can't be made illegal.
Never heard of the guy who tried to kill himself, survived and afterwards was sentenced to death for his attempted suicide?
|
|
|
Props. That's probably the first (real) merit-worthy thread from a newbie account. I really like your idea. It counters quite some attack vectors in comparison to simply a bootable linux live distro etc. (keyword: trusted hardware / bootloader). Even though hardware wallets already are very user friendly and can be accessed without much hassle, if you are storing a very high amount of BTC on your hardware wallet you might want to use this as a 2nd wallet (to circumvent some 0day HW exploits). I just have 1 thing to add:
[...] these SBCs are small enough that you can keep them at your main desk and simply plugin your main monitor/keyboard/mouse as needed[...]
One could simply set up an ssh agent to be started upon booting, then connect to it via live usb boot for example. IMO it is more convenient to power up the PI, boot your PC from a live linux and connect via SSH to it, instead of re-plugging monitor/keyboard (but maybe that's just me because of my setup at home). If you make sure to not permit root-login, set a strong-enough password and shutdown the ssh agent after ~3 failed login attempts (or simply use fail2ban, etc.), this also results in a pretty secure setup (not as secure as without any connection between your PC and the PI, but very close to that). This idea of a 2nd wallet / banking station (regardless of whether with or without SSH connection) is already way more secure than the 'main' wallet of the majority of BTC users.
|
|
|
|