I just installed mycelium on my android tablet and I have a question about the backup.
The pdf says it contains "keys." Does it contain keys or does it contain one key? Basic users (who don't operate in expert mode) only have one key, from what I understand. A previous post in this thread seems to indicate that the backup does include other imported keys. The pdf wording is pretty skimpy. If it's backing up the entire wallet, it should say so. Could you please explain it better?
The "Keys" tab is really only needed if you want to do complicated things in expert mode, or if you want to restore a backup. If you have a default install you have only one key. Yes, the PDF could be nicer and more precise in its wording. We have good reasons to rewrite the PDF rendering (UTF support) but we are still looking for the right library to do this. most libraries which do it properly use proprietary closed source binaries. the very nice PdfDocument is unfortunately only for Android 4.4: https://developer.android.com/reference/android/graphics/pdf/PdfDocument.htmlAnd to answer your question: YES, it backs up the entire wallet, and if you verified the backup you don't need anything else. unlike bitcoin-core you will not be required to repeat the backup process.
|
|
|
Our systems have been patched to be protected from CVE-2014-0160. Nevertheless, we must assume that - for 8 hours after publication of this bug - it was theoretically possible to extract the ssl private keys. therefore, we will exchange the hard-pinned SSL keys on the clients to continue to protect the privacy of our users. see also: http://filippo.io/Heartbleed/#mws1.mycelium.comhttp://filippo.io/Heartbleed/#mws2.mycelium.comof course, this has nothing to do with the user private keys. even if we kept that bug open, your funds would still be safe.
|
|
|
If someone were to steal my phone, what would be the fastest way to use my backup to recover the coins without another android device?
You have to send the bitcoins to another wallet before the thief does. Note that it may take the thief some time, because he first has to cut through your protection, like a 6-digit PIN. For this you need a computer or smartphone. With a Mycelium backup the easier route is to use another smartphone, install Mycelium on it, restore the backup, and send all bitcoins to other wallets, for example to new wallets you create. You could ask a trustworthy friend with a smartphone to do it for you, if you cannot obtain another new phone quickly enough. There is a way to restore the wallet to a computer from the Mycelium backup, but I believe it is much more work. i did create a backuputil.jar that allows you to restore the encrypted key to a desktop unencrypted. i will post a link to this tomorrow the link will be: https://mycelium.com/wallet/tools.html but i did not upload it yet
|
|
|
Just hitting back and getting to the main wallet screen is enough to wipe the Cold Storage key from memory.
the key is also deleted if you finish the wizard successfully.
|
|
|
Think I disovered a small backup related bug. (Does not affect integrity of backups)
My wallet currently has 1 active address, 8 watch only addresses and an archived address. In the backup, the active one is listed as 1 out of 9, and then the 8 watch only addresses are listed as 1-8 of 9. There is no 9 out of 9.
Any comment? I know we had a bug in the labels of the PDF. i assume just the numbering is wrong and the actual backup is fine. if so, i'll put it in the low-prio bug category. we will eventually fix it someday or sooner if we get a pull request for it. (what is more annoying is the lack on UTF-8 support in the pdf... ) this needs a major rewrite with a different PDF generation engine.
|
|
|
Let me add that you need to install an app that exploits the back door to be vulnerable (or update an existing app which adds an exploit)
This is not true. The exploit gives access to anybody broadcasting a pirate signal from capable equipment also. Correct? As far as i understand, you need to have actual malware installed, which in turn can bypass the process isolation. Of course, this malware can request access rights to Internet, Bluetooth or whatever, which could be used to abuse this remotely. But this is still quite fresh now, maybe i'm wrong.
|
|
|
One more thing: I had the chance to use message signing for the first time the other day, and it got me thinking - it's currently only possible to do this for keys that are stored on the device - would it be possible to integrate this feature with the cold storage spending functionality, so that we can sign messages on an ad-hoc basis, without needing to fully import the private key?
yes. this makes a lot of sense. it is just a question of how to integrate it in the UI.
|
|
|
if there is any remote plan to move to a new format, it is a good idea to include that change early, and already migrate.
so if you some day drop BDB completely from the standard distribution, you can say, wallets v0.XX or later do not need a migration.
|
|
|
but no double-space sentence ending. how do we know the posting from feb.11 was not someone else?
|
|
|
how exactly did you obtain the pin that you had to enter later?
|
|
|
Would it be considered "unsafe" to test a cold wallet address (properly generated, live USB, BIP 38, dumb printer etc.) with the Mycelium cold storage spending function. All this on a dumb smartphone (factory reset, not connected to GSM network, just connected to wpa2 secure wifi to D/L mycelium to make the test spend)
Or should I be more paranoid and this address should be considered not "cold" anymore by having touched breifly the network? And using Armory is the only solution ?
that depends on your paranoia level. i'd say it is cold enough. since i don't know anything about root exploits of that dumb smartphone, be sure to ONLY install mycelium.
|
|
|
Security question here: I store my backup online, but the 15 character password locally. If someone were to get ahold of my encrypted backup, how quickly could they bruteforce it? With 26 characters to choose from, there is 26^15 possibilities, but how long does it take to test each one?
I just measured it using this program: @Test @Ignore public void testSpeed() throws InterruptedException { long start = System.currentTimeMillis(); int tries = 1000; for (int i = 0; i < tries; i++) { KdfParameters params = new KdfParameters("123" + i, TEST_SALT_1, MrdExport.V1.DEFAULT_SCRYPT_N, MrdExport.V1.DEFAULT_SCRYPT_R, MrdExport.V1.DEFAULT_SCRYPT_P); EncryptionParameters.generate(params); }
double duration = (System.currentTimeMillis() - start)/1000.0; System.out.println("duration:" + duration+" s"); double speed = (double) tries / duration; double secondperTry = 1/speed;
System.out.println("secondperTry "+ secondperTry+" / s "); } output: duration:104.771 s secondperTry 0.10477099999999999 / s i ran it with -server VM in sun JDK so it does about 10 tries/second under near-optimal conditions on a fast CPU. (i7 4770K) in single-thread mode, with JIT compiler. this means a single core takes 390 times the age of the universe to crack a single backup. when you speed that up to graphics cards, asics if becomes shorter but still outside human lifespans.
|
|
|
this is an important topic.
without having read the full spec, i have to comment the following:
1) make liabilty proofs decoupled from asset proofs liabilty (user balances) can and should be updated in real-time, while cold storage signatures can be updated manually each time the cold storage is accessed, or even less frequently. this does not protect against "losing the keys" but i cannot see how you can have a millisecond accurate proof when we are talking about cold storage.
2) it would be enough to sign+publish an HD wallet pubkey for the cold storage. a smart application could be checking the proofs by expanding the keys with a known lookahead window.
3) the asset proofs must include unique identification for an exchange, otherwise the exchanges
4) the liability proofs must include user email/id in a meaningful schema (part of the spec?)
5) the spec could also provide a target of cold storage funds (90% 98% etc) - the signed cold storage should typically be slightly lower than the stated liabilities, except if you commingle fees there.
Mycelium would love to see this implemented on exchanges, and we would implement an independent audit client, since our software already provides some of the needed infrastructure to query addresses.
|
|
|
I would like to make a simple feature request, if it's not already available (I was not able to find it): give the possibility to copy to the clipboard a public key in the address book or in the wallet.
Use case is when I'm chatting with someone or browsing a site requesting an address to make a payment I would be able to choose one of my addresses and give it to them.
Keep up the excellent work!
When you press receive you can copy your address to clipboard
|
|
|
v1.1.10 published.
(changes from 1.1.6) *) message signing (go to Keys tab) *) Hebrew, French, Korean, Polish translation *) canonical S-values in signatures. *) improved handing of exchange rates *) remove Mtgox *) added Kraken, Bitpay, Coinbase *) new high-res launcher icons
|
|
|
they did release their source but i think they need to reconsider the licensing the eula states the software is shipped in two blocks, but in fact it is one single source tree apparently they added /* * This is KnC Software * Please see EULA for more information */ to all new classes. the eula contains a few clauses that are incompatible with the GPL, such as If you are under the age of 18 you must get your parent or guardian’s permission to download and use the KnC Software which forms a part of the App.
|
|
|
We know nothing certain about mtgox. for now, the coins are in limbo.There are enough threads to speculate about the situation, lets keep it to the facts here.
|
|
|
A feature that should be implemented if it's not already, every month or other interval, mycelium should remind users to verify their backup again, and if they can't to create a new backup. This will ensure that users always have a working backup and won't forget to keep it up to date, even though mycelium reminds them when they have un-backed-up keys.
EDIT: Also, something after using the wallet for a while that I would find useful, a button to turn on the QR scanner right on the main balance screen instead of having to go into the send menu first. Not sure how others feel about this.
having the qr code scanner more accessible makes sense, has been suggested already. https://github.com/mycelium-com/wallet/issues/20i am not so fond of that other suggestion, for many reasons.
|
|
|
|