Why should one use a USB if the computer is completely air-gapped (all the time) ? There is no reason to use a USB in this case.. simply use the computer (with its hard drive) then.
Not all the time. Air-gapped when there is a need to sign transaction and online when to broadcast it. If it is not air-gapped all the time, you again have the problem with the rootkit scenario. Also.. if it is not completely offline all the time, why did you reply like this: snip They might be more secure than a hardware wallet (but only with a true air-gapped computer, not a stupid bootable USB.. that idea is not even close to being as secure as a hardware wallet), but lacks lots of convenience. snip
My initial post says "Use that USB stick solely offline" which implies that bootable USB with Kali + Electrum is attached to air-gapped machine, sorry, if you didn't get that. If a computer is not air-gapped all the time, you can't call that truly air-gapped. As i said.. truly air-gapped = good; sometimes air-gapped / sometimes online = bad. Besides, read my initial post once more.. it is alternative to ppl with low budget.
The topic is not whether it is for people with a low budget or not. The point is that this is not even close to a hardware wallet, and you made the impression that it is not much less secure than a hardware wallet. A hardware wallet consists of a secure element which handles the signing and where private keys can not be extracted. Anything else is not a hardware wallet. There are ways to securely store coins without a hardware wallet, yes. But you should never compare a USB flash disk to a hardware wallet the way you are doing it.
|
|
|
The top reply in the reddit post you linked is from the CTO of ledger, stating: You can update directly from 1.3.1 to 1.5.5
My assumption is, that if you update your nano s via the ledger manager from 1.3.1, it automatically first updates to the needed version, before finally updating to 1.5.5. Like incremental updates. Ledger live manager should handle the firmware updates automatically, so no user intervention (regarding firmware updates) should be necessary. Just plugging in and updating firmware.
|
|
|
Not even close to a hardware wallet. Neither security- nor usability-wise.
Turned upside down. Open source Electrum against proprietary Ledger and Trezor. Most of Ledger's code is open source. The only thing which isn't are parts of the firmware of the secure element (due to NDAs, they are working on open sourcing everything). Trezor, on the other hand, is completely open source. So that's not an argument. snip Is your computer infected with a root kit -> Doesn't matter what you boot, doesn't matter if you are offline when booting from the USB, your keys can get stolen. snip
Not correct. Root kit is only a great danger to the security of OS on machine, it has no potential to affect CPU microcode, so OS on air-gapped USB stick remains completely unchanged even if the machine is infected. No, that's simply wrong. Malware can infect the MBR / BIOS. Booting from a live USB does not protect against that. snip Air-gapped wallets are one of the least-convenient wallets to use. snip
Arguable issue. Are you really trying to say that it is more convenient to use a wallet on a completely air-gapped computer than plugging in a hardware wallet to your main OS and use this as your wallet ? I hope that was a joke. My initial post says "Use that USB stick solely offline" which implies that bootable USB with Kali + Electrum is attached to air-gapped machine, sorry, if you didn't get that.
I am sorry too, that i didn't get that. I assumed what you say has to make sense (therefore assumed that the computer is only air-gapped when accessing the wallet).. but obviously it doesn't have to fully make sense. Why should one use a USB if the computer is completely air-gapped (all the time) ? There is no reason to use a USB in this case.. simply use the computer (with its hard drive) then. This reduces the possible attack vectors compared to when additionally using a USB flash drive.
|
|
|
To "mimic" hardware wallet create bootable USB drive and install Kali Linux with persistent storage.
Not even close to a hardware wallet. Neither security- nor usability-wise. Offline USB sticks with Kali + Electrum are not vulnerable.
Uff.. that's a very extreme statement to make.. Anything which holds sensitive information is vulnerable. The question is.. vulnerable to what? A system which is completely offline is not vulnerable to threats from the internet.. but that's it. Is your computer infected with a root kit -> Doesn't matter what you boot, doesn't matter if you are offline when booting from the USB, your keys can get stolen. Also, there is no reason to install kali if you just want to have private keys stored + bootable OS. There are better options available in this case. Besides they are far more practical for those who are limited in budgets, not to mention their usability in comparison with both Ledger or Trezor.
Practical ? Usability ? Air-gapped wallets are one of the least-convenient wallets to use. They might be more secure than a hardware wallet (but only with a true air-gapped computer, not a stupid bootable USB.. that idea is not even close to being as secure as a hardware wallet), but lacks lots of convenience.
|
|
|
Was your 'first' electrum wallet a mobile wallet ? Or how did you scan the QR to send the funds ? In case you were sending from desktop wallet to desktop wallet: Can you briefly describe the process ? If you use 20+ addresses in Electrum and restore from seed (as OP did) it will only show the first 20 again until you raise the gap limit.
That's not how the gap limit works. The gap limit describes a look-ahead. It tells electrum how many (empty) addresses it has to check before stopping searching further. For example (with a gap limit of 20):
1) If you have used the first 25 addresses, and restore the wallet, electrum will check the first 45 (25 used + 20 gap limit) addresses.
2) If you have used the 1st, 2nd and 21st address and restore the wallet -> electrum will check the 1st, 2nd -> then up to 22 (finds funds at your 21st) -> then up to your 41st address.
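The look-ahead described in this reply, as an added example that is not part of the original posts or Electrum's code. It is a simplified model of one address chain: addresses are numbered from 1 as in the post, and "used" is a constructed set rather than a server lookup; `scan_addresses` and `min_gap_limit` are hypothetical helper names.

```python
# Simplified model of a gap-limit scan on a single address chain.
# Assumption: a real wallet asks a server for each address's history;
# here the set `used` stands in for "this address has history".

def scan_addresses(used, gap_limit=20):
    """Walk addresses 1, 2, 3, ... and stop after `gap_limit` consecutive
    unused ones. Returns (last index checked, used addresses found)."""
    found = set()
    index = 0
    empty_run = 0
    while empty_run < gap_limit:
        index += 1
        if index in used:
            found.add(index)
            empty_run = 0          # a hit restarts the look-ahead window
        else:
            empty_run += 1
    return index, found


def min_gap_limit(used):
    """Smallest gap limit with which a restore still finds every used address."""
    longest_empty_run = 0
    previous = 0
    for index in sorted(used):
        longest_empty_run = max(longest_empty_run, index - previous - 1)
        previous = index
    return longest_empty_run + 1


if __name__ == "__main__":
    # Constructed usage patterns; the first two are the post's examples.
    cases = {
        "first 25 used": set(range(1, 26)),
        "1st, 2nd, 21st used": {1, 2, 21},
        "1st, 2nd, 30th used": {1, 2, 30},   # 30th lies beyond the window
    }
    for name, used in cases.items():
        last, found = scan_addresses(used)
        missed = sorted(used - found)
        print(f"{name}: checked up to {last}, missed {missed}, "
              f"needs gap limit >= {min_gap_limit(used)}")
```

The third case is the failure mode to watch for after a restore: funds on the 30th address are not shown until the gap limit is raised to at least 28.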
|
|
|
Unfortunately Virustotal can only help you with already known threats and viruses by comparing the code to known threats. If you are unlucky and download a file that contains a fresh code with a virus then Virustotal will not be able to help you since it is the first time they see the code. The results can come back as clean while in fact you get infected and if you do a 2nd scan in a few days you see that some antivirus engines are already registering the file as a threat.
This is why I wrote those recommendations. Notes:
- Please remember that this one is a free online service, it should be used only as substitution of professional antivirus or internet security softwares for someone who doesn't have those softwares on their devices (lack of money, or anything else).
- You all should protect yourself better by spending money to own antivirus or internet security softwares on your devices.
- It is very cost-effective investment for your assets.
Virustotal, and other online virus scanning sites, should only be used for people who don't have money to buy professional softwares. For someone, who already own professional softwares, they obviously can use those sites as supplementary stuffs to make pre-scan before downloading files and scan again by their softwares. Your recommendations do not mention what Pmalek said.. in any word. Virustotal and any other AV software can only recognize malware by 2 approaches:
- Heuristics
- Behavior analysis
Regarding Heuristics: If the malware is either 1) new or 2) modified so that these AV's don't have it in their database yet -> No Heuristic to match the malware with. Regarding Behavior analysis: If the malware does not run malicious code when being analyzed (can be done with multiple techniques, e.g. checking whether being run in a sandbox) -> Not triggering the behavior analysis. Now, if we combine these two statements, it becomes clear that it is quite easy to create malware which is completely undetected from AV's (at least until enough people have been infected with it and AV's have manually reviewed and sigged the malware as such). Using AV's (whether paid ones on your computer, or online services like virustotal) does only protect you against 1) known and very wide-spread malware and 2) malware created by script-kiddies or any other non-commercial cyber criminals.
|
|
|
You sure and confirm that the 24 recovery seed won't be asked for during firmware update?
No. No one can confirm this for you. If the update works as expected, no issues -> You don't have to reenter it. However, if something fails, you will need to reenter your mnemonic code again. You should NOT attempt to do an upgrade without having the 24 words. If you are not sure whether the words you have are the correct one, boot a live Linux system via USB on a disconnected computer (no internet) and check whether the words 1) are valid and 2) generate your addresses.
I'm on firmware 1.3.1 so how will this work?
Simply start ledger live, and do the firmware upgrade. It will handle everything itself.
|
|
|
I think after nearly 7 years using crypto of all sorts I'd be able to tell if its a syncing issue.
I'd also think that after 7 years you'd be able to correctly speak whether you imported a private key or an address.. But unfortunately that's not the case either.. You might start off with telling what you exactly did. 'I tried importing' doesn't tell what and how you tried to accomplish it. You can import private keys in the section: Wallet properties -> Import. Also, as nc50lc already said, you want to import the key, not sweep it. Note, that this private key will NOT be included in the backup you have of your armory wallet. It has to be backed up separately.
|
|
|
For Android (the app isn’t out yet) you will probably be able to see and edit them if your phone is rooted.
Not necessarily. If the application allows to be run in debug mode, there is a better way doing it (instead of rooting):
- Enable developer options on android
- Connect phone to computer
- Access phone via adb shell
- Run the app in debug mode (via adb) -> Voila. You can access all files of this application
I'd also recommend everyone to never root your phone if it is not absolutely necessary. You compromise a lot of security when rooting your mobile. You are basically disabling all security measurements regarding application- / data- encapsulation.
|
|
|
That's simple. Money.
Scammers are everywhere where money can be made.
That's the reason it is important to only use well-known exchanges and not some new ones or ones with extremely low volume. The lower the volume is, the easier it is to manipulate the price.
Depending on your country of residence, you might not have access to all exchanges. But choose the most suitable for you (trading the coins you need, large enough, reputable).
|
|
|
Mine does the same for some reason.
Since when is this the case ? Unfortunately i am not at home currently, so can't test it. Did it happen after an update for something ? Or did it randomly occur ? I will definitely test signing a transaction via nano s + electrum when at home and report the result here.
|
|
|
Well, pooya87 already mentioned your two options.
The question is.. do you want to offer your customer the chance to buy your shirts with BTC while you receive euros ? Or do you want to receive bitcoins and decide for yourself whether / when to sell them ?
It is mandatory to know what kind of currency you want to receive. Any subsequent step depends on this.
|
|
|
Usually this is done pretty fast. How many inputs is your transaction consuming ? A (very) large amount of inputs can delay the process of signing by a lot. Additionally, please answer these questions:
- What OS are you using ?
- What electrum version are you using ?
- What nano s firmware version are you using ?
- Is your BTC app (on the nano s) up-to-date ?
|
|
|
This is quite old already. Exodus is not a wallet which is very security-orientated. And neither is jaxx. [...] only people with very huge funds would want to go for the hardware wallet.
Anyone who can afford it should go for a hardware wallet. They cost around 60$. That's not too much considering the security and convenience it combines. If you have BTC worth 200$+, i would spend 60 of them for a hardware wallet. Better have 120$ worth of BTC protected, than risking losing all 200$ equivalent of BTC.
|
|
|
You do not have to actively do something to receive a transaction. As TryNinja already said, check your transaction on a blockchain explorer. If it shows as confirmed there (note: will show as unspent then -> unspent means you didn't spend them yet), you don't see it because you are not connected (indicated by the orange/red circle). If you aren't using a VPN and are not from a country which heavily restricts the internet, the electrum server you are connected to is under attack or otherwise not accessible. In this case, you might ask mocacinno to whitelist your IP for his private electrum server. Note: As long as you have a backup of your seed (12 word mnemonic code), you will always have access to your BTC, regardless of the wallet used.
|
|
|
Yes but if you manage to reverse the address hashing function, you will be able to get a very large number of public key that match with the address
And how exactly do you think you are going to do that? With quantum computing It is magic machine.
|
|
|
bob123, based on this case where user is lost 5 from 24 words of his seed, HCP is calculated that some 20 years more or less would be necessary to get valid seed + some extra work after that. Since this is only 12 word seed, can we assume that time to recover this seed would be at least a half less than in mentioned case? Whether it is a 12- or 24- word mnemonic code doesn't matter, i think. It matters how many combination you have to try out, and this is dependent on the amount of missing words. Since the base character set is 2048, the difference between guessing 4 compared to 5 words should be 2048 times less time consuming. Which would mean that it should take 240 (months in 20 years) / 2048 = ~ 0.12 months. So about 3,5 days (given that 20 years for 5 words is the correct amount of time). But the 20 years were calculated according to this: Still even at 5 seconds for 1,000,000 mnemonics...
This might not be the actual time it takes. I currently don't know how many mnemonics are possible per second on which machine. So it additionally depends on the machine from OP and the program / algorithm used. My calculation above obviously assumes that all known words are in the correct order and the position of the missing words are known.
|
|
|
Whether it is recoverable with 8 of 12 words depends on two things:
- Are the positions of the missing words known ?
- Is the Order of the 8 words known ?
If you know the position of the missing words AND the position / order of the known 8 words is correct -> It is possible. If you know the position of the missing words, but the order of the 8 known words is unknown -> Not possible. If you do NOT know the position of the missing words, but know the order of the 8 known words -> Should be possible (didn't calculate yet). We can give you a definite answer after you reply to these 2 questions (Order of 8 words known? / Position of missing words known?)
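A search-space calculator for the scenarios in the two posts above (missing-word count, known or unknown positions, known or unknown order), as an added example that is not part of the original posts. The default rate of 200,000 candidates per second is an assumption taken from the quoted "5 seconds for 1,000,000 mnemonics" figure, and `candidate_count`, `checksum_bits` and `estimate_days` are hypothetical helper names.

```python
from math import comb, factorial, perm

WORDLIST_SIZE = 2048        # BIP39 wordlist: 11 bits per word


def candidate_count(total_words, missing, positions_known, order_known):
    """Number of mnemonics to try for a partially known seed phrase."""
    known = total_words - missing
    fillings = WORDLIST_SIZE ** missing      # choices for the missing words
    if positions_known and order_known:
        layouts = 1
    elif order_known:                        # which slots are the empty ones?
        layouts = comb(total_words, missing)
    elif positions_known:                    # known words in any order
        layouts = factorial(known)
    else:                                    # neither slots nor order known
        layouts = perm(total_words, known)
    return layouts * fillings


def checksum_bits(total_words):
    """BIP39 appends 1 checksum bit per 32 bits of entropy (12 -> 4, 24 -> 8)."""
    return total_words * 11 // 33


def estimate_days(candidates, per_second=200_000):
    """Time to enumerate every candidate at an assumed constant rate."""
    return candidates / per_second / 86_400


if __name__ == "__main__":
    scenarios = [
        ("positions known, order known", True, True),
        ("positions unknown, order known", False, True),
        ("positions known, order unknown", True, False),
    ]
    for label, pos, order in scenarios:
        n = candidate_count(12, 4, pos, order)
        survivors = n >> checksum_bits(12)   # expected to pass the checksum
        print(f"12 words, 4 missing, {label}: {n:.3e} candidates, "
              f"~{survivors:.3e} pass the checksum, "
              f"{estimate_days(n):,.0f} days at the assumed rate")
```

The checksum does not shrink the number of candidates to enumerate, only the share that has to go through key derivation and an address check: about 1 in 16 for a 12-word phrase and 1 in 256 for a 24-word phrase.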
|
|
|
Also your argument proves to be wrong, considering how QC technology is under development right now: they scale qbit by qbit slowly but continuously. Once they've proved to be able to break ECDSA in like couple of years bitcoin community would have enough time to enhance their cryptography scheme and users could gradually move their funds to new addresses.
There it is again. The magic everything-solving-machine called quantum computer I like how people - who are extremely far away from that topic - believe that quantum computers are a magic machine which can solve almost any mathematical problem in a short amount of time. So.. quantum computing will break ECDSA in like a couple years ? Wtf dude, what did you smoke ? Quantum computing is BY FAR not developed enough to be used for something useful yet. And it definitely won't be in 'a couple of years'.. Even if quantum computers would be ready to do that by then.. there first has to be an efficient algorithm developed. There aren't much quantum computing algorithms available yet.. It is not like you say 'Hey quantum computer, give me private key of satoshi' and 10 minutes later you get the result.. It is slightly more complicated than that.. even if non-techy people like you can't believe it..
|
|
|
the only complication that i can think of is that unlike private keys (HD wallets) in a password manager you have no way of knowing how many passwords you have used because there is no "public key" and "blockchain" to check which one was used. which can be solved if you keep a backup on the cloud only from the "paths" like this: bitcointalk.org -> path=m/1/3 google.com -> path=m/2/5 ... the first number can be the "account" for different websites and the second number is the number of passwords you have already used like when changing the password every now and then you create the next one. of course there is the additional risk of not being careful and creating the same thing twice.
This would make it necessary to keep the backup up-to-date with the latest 'version' of your HD password manager file. Which.. destroys the purpose one wants to use a HD password manager (not having to update all backups after changing / updating a password). Different password policies for each site
easily solvable by treating the derived bytes as the fixed entropy used to derive a password from. or simply use a certain encoding that only gives you the allowed characters! for example if it doesn't allow symbols then use base-62 (10 num + 2*26 letter (lower+upper)! Password revocation
then you derive the next one. m/1/3+1=m/1/4 Again, both of these approaches need you to update your backup file regularly after changes. If you need to do this, you don't have a reason to use a HD password manager. The whole sense of a HD password manager is to have 1 backup file generated, and not having to update it anymore. Without this advantage, there is no good reason to use a HD manager instead of a standard password manager. You can't store already existing passwords / private keys / etc.
the whole point is not storing them but creating them on the fly. But you still can't add other sensitive information which you want to be stored inside there. If i want to store my private key to a specific address there.. i can't. Obviously i do not want to create a new one in this scenario.. i want to save a specific one saved there. This works in standard password managers, but not in a HD one. In the end, if you need to update the backup file, you only have disadvantages - and no advantages - using a HD password manager compared to a 'normal' one.
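The scheme argued over in this exchange (a password per account/index path, base-62 output for sites without symbols, rotation by deriving the next index), as an added example that is not code from either poster. The derivation is a simplified two-step HMAC chain, not BIP32; the passphrase, salt, site paths and all function names are constructed for illustration.

```python
import hashlib
import hmac
import string

BASE62 = string.digits + string.ascii_uppercase + string.ascii_lowercase


def master_key(passphrase, salt):
    """Stretch a passphrase into the single secret that gets backed up once."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000)


def derive(master, account, index):
    """Two-level derivation mirroring a path m/account/index (not BIP32)."""
    account_key = hmac.new(master, b"account:%d" % account, hashlib.sha512).digest()
    return hmac.new(account_key, b"index:%d" % index, hashlib.sha512).digest()


def password(master, account, index, alphabet=BASE62, length=20):
    """Encode the derived bytes with only the characters a site allows.
    The 512-bit value is far larger than alphabet**length, so modulo bias
    in the extracted digits is negligible."""
    n = int.from_bytes(derive(master, account, index), "big")
    chars = []
    for _ in range(length):
        n, digit = divmod(n, len(alphabet))
        chars.append(alphabet[digit])
    return "".join(chars)


def rotate(paths, site):
    """Revocation as described in the thread: m/1/3 becomes m/1/4."""
    account, index = paths[site]
    paths[site] = (account, index + 1)
    return paths[site]


# Constructed demo secret and path table (the post's two example sites).
MASTER = master_key("constructed demo passphrase", b"constructed-salt")


def stale_backup_demo():
    """Return (password in use after rotation, password a stale backup yields)."""
    paths = {"bitcointalk.org": (1, 3), "google.com": (2, 5)}
    backup = dict(paths)                       # backup taken before rotation
    rotate(paths, "bitcointalk.org")
    current = password(MASTER, *paths["bitcointalk.org"])
    restored = password(MASTER, *backup["bitcointalk.org"])
    return current, restored


if __name__ == "__main__":
    current, restored = stale_backup_demo()
    print("in use:", current)
    print("from stale path backup:", restored)  # revoked password, login fails
    print("digits-only site:", password(MASTER, 2, 5, string.digits, 8))
```

The master secret never changes, but the path table does on every rotation, which is the state the reply says still has to be re-backed-up.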
|
|
|
|