So sad... I signed up, but didn't win!  So, I signed up again (mailinator email addresses FTW!)... and now apparently I need to deposit 0.02 to claim my "free" 0.0045... ROFL   Obvious scam is obvious... but sadly, there are a LOT of desperate people on these forums (and the internet in general) for whom 0.0045 BTC is a LOT of money and very tempting  Great work on keeping tabs on these scams team! |
|
|
|
To be honest... the "fake update message" exploit isn't really that much different to blind spamming people an email that says "There is a problem with your bank account, please log in <HERE> to check your security details"-type phishing scams... or cold calling from "Microsoft Support" offering me a refund. The only real difference is that it was a lot better targeted as it was aimed directly at Electrum users... as opposed to me getting an email that says "There is a problem with your Bank of America account"... when I don't live in America or bank there The exploit itself did not actually affect the security of the wallet... the attackers could spam you with fake popup messages all day, every day... and your coins would be safe. You could deliberately connect to a "bad server" and your coins would still be safe. They could not hack your wallet directly using this exploit. Users only lost coins when they downloaded, installed and ran a fake version of the wallet. Was the exploit clever? Ya damn skippy it was! It had been in the codebase for years and no-one noticed it... or figured out a way to exploit it... but that is generally how these things work. As for being "diligent", even the Heartbleed OpenSSL bug was around for a couple of years before being "discovered". The devs patched the issue pretty quickly after it was identified... unfortunately, that doesn't stop bad actors from spooling up bad servers and trying to catch out unfortunate users who haven't seen the news. Just like there are still folks who fall for the Microsoft Support and Nigerian Prince scams. Sadly, some humans are just scum... and use their powers for evil |
|
|
|
Alternatively, simply click the "Show Audit Log" link shown in your screenshot... it'll show the commandline output... you should see: gpg: Signature made 02/14/19 11:08:30 New Zealand Daylight Time gpg: using RSA key 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6 gpg: Good signature from "Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>" [unknown]gpg: aka "ThomasV <thomasv1@gmx.de>" [unknown] gpg: aka "Thomas Voegtlin <thomasv1@gmx.de>" [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 6694 D8DE 7BE8 EE56 31BE D950 2BD5 824B 7F94 70E6 You can safely ignore the "warning: this key is not certified with a trusted signature", as TryNinja explained, it just means that you haven't personally trusted ThomasV's signature  Again, as long as you see the bold line that says: "gpg: Good signature", then everything is OK.
For the record, if the signature was "invalid", Kleopatra would warn you with a big red highlight like this:  "Invalid Signature"... and "Bad Signature"... and in the "show audit log" (or on the commandline), you'd see: gpg: Signature made 02/14/19 11:08:30 New Zealand Daylight Time gpg: using RSA key 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6 gpg: BAD signature from "Thomas Voegtlin ( https://electrum.org) <thomasv@electrum.org>" [unknown] |
|
|
|
What version of Armory do you have? Where did you download it from? What version of Bitcoin Core do you have installed? Is it fully synced? Does Armory say "Connected" in green text in the bottom right corner of the main Armory window, and is the number of blocks shown greater than or equal to: 571130?  If you don't see this text in green... your Armory is NOT online. |
|
|
|
|
Before anyone else jumps in... I have been in communication with the OP via PM as well and this issue has now been resolved.
OP used the "I lost my password" link in Ledger Live login screen... then used the "Use an initialised device" option... connected the device when prompted... created a new password and then re-added their crypto asset accounts to their portfolio in Ledger Live.
|
|
|
|
Hmmmm that fake "multibit" app is indeed a bit concerning... It certainly has no relationship to the "real" multibit, aside from the stolen name and icon If the OP did indeed use that fake app, then that is going to make recovery very difficult... as looking at "multibit.bitcoinwallet.com" would indicate that this is a custodial wallet (ie. users simply have an "account" and no access to the private keys... Q. What is the storage strategy?
A. Initially customer funds are pooled. We are working on optional individual storage with user accessible private keys, multi-sig withdrawals and insured storage. Our cold storage wallets are distributed in physical vaults throughout the country and require multiple people to access. Our cold storage wallets are not accessible via any system. There is no automatic replenish of the hot wallet from cold storage.
Further more, it would seem that "multibit.bitcoinwallet.com" is actually a user account named "multibit" operating from the bitcoinwallet.com domain... Q. Where can I find my bitcoin address? A. Your bitcoin address is available in three places. Anyone can see your official bitcoin address on your public profile page. Your profile page address is your user name.bitcoinwallet.com (example https://price.bitcoinwallet.com). Your bitcoin address (and any external addresses you added to your account) is also available via API at user name.bitcoinwallet.com/api (example https://price.bitcoinwallet.com/api). Your bitcoin address is also shown on your dashboard when you log in, under the text "Deposit bitcoin". Which would indicate that the "multibit.bitcoinwallet.com" app... is simply encouraging users to deposit coins into someone elses wallet on bitcoinwallet.com! Hopefully the OP was just mistaken... and had been using another Android wallet... or the backup files they have come from the "real" multibit desktop app. |
|
|
|
Im only confused with this. Say they got the 24 word seed and need the 25th passphrase. They are going to have to manually enter that on the nano ledger s right? No. It's a standard BIP39/44 setup... this can definitely be scripted. The "btcrecover" scripts can be modified (relatively trivially) to do exactly this. Okay so let say the nano ledger s got stolen. This person wants to get his bitcoin now. With no ledger nano s, he would have to download electrum and enter the 24 word seed and the 25th phrase and then the btc shows in electrum wallet? Not necessarily Electrum... They could use ANY wallet capable of accepting BIP39 compatible seed mnemonics and supports BIP39 passphrases. But to answer your question... Yes, if you put your Ledger 24 word seed mnemonic into a BIP39 compatible wallet... and then type in the BIP39 passphrase, you will see EXACTLY the same wallet/addresses/transactions as you would using the Ledger device and Ledger Live. Now let say this person buys a new ledger nano s to replace the old one that got stolen. He can enter the 24 word phrase on the nano legder s and then the 25th phrase and now the btc will be restored in ledger live?
Yes, the same wallet/addresses/transactions will then show up in Ledger Live (assuming the user installs the Bitcoin app on the device, and adds the Bitcoin account into Ledger Live) |
|
|
|
hi thanks for the response. So do most ppl do this with the nano ledger s? Would you recommend it? Here are my thoughts on it.
You keep asking "do most ppl do X?"... there is logically no way that anyone can definitively answer these questions... Also, you shouldn't necessarily do something, just because "most people do it"... ask the lemmings! You write down the 24 word seed on paper and most likely write it in 1 or 2 or maybe 3 pieces right?
But do you write down the passphrase on it?
Definitely NOT! That defeats the entire purpose of having the passphrase! Because if you do, well anyone that gets physical access to it can get your wallet.
But if you don't, anyone with physical access cannot get your wallet.
Exactly! The other issue is you have to remember it. But the other issue is if someone thing happens to you, well you need the other person or persons who has access to your 24 word seed, the passphrase. Thus them having the 24 word seed is useless without the passphrase. So what is the best way to handle this situation?
That all depends on your situation and how you want to plan for the future... you can put passphrases in secure locations like safety deposit boxes or stored with trusted lawyers etc that are only able to be opened if you are dead/incapacitated etc. This obviously requires trusting other individuals/institutions... The other thing is this. If that is the case, then could a hacker/thief try to bruteforce the passphrase? Or thats impossible? Because you are manually entering it on it as oppose to like a computer doing the work like trying to bruteforce an email address password? Because they have no idea how many words or letters is used right?
Correct... not only is the length and makeup of the passphrase unknown... but ANY passphrase used, will generate a "valid" wallet, that will generate "valid" addresses... so you don't get the instant "invalid password" error like you do when normally testing passwords. An attacker would therefore have to manually check every single wallet they generated (and then generate a set number of addresses for that wallet), and then scan the blockchain looking for these generated addresses to see if they had hit the right passphrase. The time necessary to do this greatly adds to the time required to successfully bruteforce a BIP39 passphrase. Say they got the 24 word seed and need the 25th passphrase. They are going to have to manually enter that on the nano ledger s right?
No. It's a standard BIP39/44 setup... this can definitely be scripted. The "btcrecover" scripts can be modified (relatively trivially) to do exactly this. So imagine it was a long sentence or a long word. I mean it could be something like zootopia100 or babylikestoeat. I mean isn't that going to be already so tough as long as its not a really foolish word?
"Standard" rules to generating a "strong" password apply... absolute minimum of 8 chars, although I'd probably recommend 10+... and a "random" mix of upper/lowercase, numbers and special characters. Use of "actual" words is discouraged. |
|
|
|
To be fair... WarpWallet (which put up a 2x 20 BTC(!) bounties for a "simple" 8 char alphanumeric password) suggests using your email address as a "salt"... and as far as I'm aware, neither of those bounties was ever claimed before the expiry date. #devilsAdvocate WarpWallet adds two improvements: (1) WarpWallet uses scrypt to make address generation both memory and time-intensive. And (2) you can "salt" your passphrase with your email address. Though salting is optional, we recommend it. Any attacker of WarpWallet addresses would have to target you individually, rather than netting you in a wider, generic sweep. And your email is trivial to remember, so why not?
But at least WarpWallet admit they're really just a "brainwallet" with extra security! WarpWallet is a deterministic bitcoin address generator. You never have to save or store your private key anywhere. Just pick a really good password - many random words, for example - and never use it for anything else.
This is not an original idea. bitaddress.org's brainwallet is our inspiration.
To me, Bitfi simply looks like an implementation of the WarpWallet/Brainwallet methodology on a modified mobile device... this doesn't bother me nearly as much as the attitude displayed to the crypto-analysis community. From a relatively neutral position (insofar that I don't have any direct affiliation with any hardware wallet manufacturers other than I happen to use them)... it seems to me that rather than just accepting that their device got "pwned", thanking the community for their assistance in highlighting the flaws and then fixing the issues, they appeared to "double-down" on their "unhackable" claims and started trying to use semantics to argue that their device wasn't "hacked". To try holding onto that claim... and then say: The vulnerabilities discovered now almost year ago were on the first version of device and we are now shipping DMA-2 which had all potential vulnerabilities fixed. is just disingenuous Additionally, some of the responses on this thread would appear to show some gaps in their knowledge of how competitor's devices actually work... Just my 0.00000002 BTC |
|
|
|
How would you guys recommend a paranoid way to sweep a paper wallet into a Trezor?
Sadly, Trezor don't support sweeping within their wallet software So, I would recommend using Electrum in conjunction with your Trezor. You would need to do the following: 1. Download Electrum from official website: https://electrum.org/#download2. Verify digital signature of Electrum3. "Standard Wallet -> Use a hardware device -> [select your trezor] -> then select "legacy" (1-type addresses) or "p2sh-segwit" (3-type addresses) depending on how you have configured the Trezor" 4. Once the wallet is "created", confirm that it is indeed generating the addresses you think it should (compare with the Trezor wallet) 5. Once you are satisfied you have it setup properly in Electrum, simply use the following menu option: "Wallet -> Private Keys -> Sweep" This will allow you to enter multiple private keys... and will automatically select the first unused address from your Trezor to send the coins to. You can change that address if you wish. Note that Electrum supports sweeping from multiple different address types, so when you enter the private keys in the "sweep" dialog, they need to be entered in the following format(s), based on the the script type of the address you are trying to sweep FROM: "legacy" private key (1-type address) => p2pkh:KxZcY47uGp9a... "p2sh-segwit" private key (3-type address) => p2wpkh-p2sh:KxZcY47uGp9a... "native segwit" private key (bc1 address) => p2wpkh:KxZcY47uGp9a... Given you did this a long time ago, I'd guess that your paper wallet is a "legacy" address starting with a "1"... so use the p2pkh:YourPaperWalletPrivateKeyGoesHere format |
|
|
|
Is there are universal way to decrypt BIP38 if you do KNow your pass?
Further to this, the methods for encrypting and decrypting are publicly and well defined in the published "BIP38" standard here: https://github.com/bitcoin/bips/blob/master/bip-0038.mediawikiBasic method for decryption is: Decryption steps:- Collect encrypted private key and passphrase from user.
- Derive derivedhalf1 and derivedhalf2 by passing the passphrase and addresshash into scrypt function.
- Decrypt encryptedhalf1 and encryptedhalf2 using AES256Decrypt, merge them to form the encrypted private key.
- Convert that private key into a Bitcoin address, honoring the compression preference specified in flagbyte of the encrypted key record.
- Hash the Bitcoin address, and verify that addresshash from the encrypted private key record matches the hash. If not, report that the passphrase entry was incorrect.
There are also some test vectors at the bottom of the page that would allow you to "practice" decryption if you felt the need. |
|
|
|
OK, I had installed the portable version, I now have my coins back and a working Electrum wallet after installing the windows version.
Glad to hear that you managed to get it working... but the issue most likely isn't related to any difference between portable or "installed" version... the simple answer is that the network of Electrum Servers is under attack at the moment and being DoS'd heavily. Server connections are timing out, servers are "lagging", synchronising can take a while etc. Users will just need to exercise patience, and manually try different servers if they get the "red dot"... Click the "red dot", Right-Click a server in the list and then select "Use as server"... then wait at least 2-3 minutes before trying another. (You can also try the servers on the "server" tab if you deselect the "select server automatically") |
|
|
|
When setting up my standard wallet with Electrum, I am given a seed, which I record, then I am asked for a password to encrypt it. When I go back into the new wallet after logging out, I am asked for my password and can then view my seed. Yet we are advised not to store the seed on computer.Is that safe?
If you have set a password, then either the seed mnemonic (and other private key data) is stored "encrypted" within your wallet (password, no file encryption) and/or the entire wallet file itself is encrypted (default option)... using your password. You can tell which option you are using depending on whether or not you're prompted for a password when you start Electrum (or open your wallet)... If you're prompted for a password, you are using full file encryption. If it opens up and you can view transactions and only prompts for a password when you are attempting to view the seed/private keys, then you do not have full file encryption. As long as you have chosen a relatively "strong" password ( minimum of 8 chars, and have included upper/lowercase, numbers and special chars), that should be fine... providing you don't have any other malware on the PC (keyloggers, fake wallet etc). The wallet's security is entirely dependent on the password and encryption. If I then store that wallet offline, would it still be vulnerable when connecting to transact? Is there any good way around this? Please spell it out, I'm a noob.
Actually, the wallet's security is also dependent on your general usage and security habits... if you're constantly downloading things from "questionable" sites... eventually you are likely to get hit with a virus/malware. If you practise "safe interneting"™, you will have less to worry about. Other solutions are to go with the online/offline "airgapped" setup as explained by bob123... or consider using Electrum in conjunction with a hardware wallet (seed is then generated/stored within the hardware wallet and never on the PC) |
|
|
|
I've personally used that "electrs" server... It seemed to run OK, even tho I was possibly "abusing" it a bit by running it in the Ubuntu "app" on Windows 10!!?! (the one that uses the "Windows subsystem for Linux"). Obviously, it requires a Bitcoin Core Full Node, but otherwise the requirements are relatively low. After the initial indexing time (took a few hours from memory)... it actually ran pretty well. |
|
|
|
Now I have not bought my paypal account, why does he mark me?
Like I said... regardless of whether or not you actually did manage to purchase a PayPal account, you attempted to do so... It would appear that Vod does not trust people who use or want to use "bought" Paypal accounts. You'll need to contact Vod directly to see if there is any chance he'll remove the negative feedback, although, with your previous comments about his mother, I doubt he is going to be very receptive to anything you have to say now... I'd suggest maybe deleting all those messages. |
|
|
|
I purchased some bitcoin a few years ago using Multibit on a Android Tab. I no longer have access to that tablet. This is what I have.
Are you certain it was MultiBit? As far as I am aware... MultiBit was never available on mobile devices... it was Windows, Linux and MacOSX only. A Bitcoin address verifiable on Blockchain Explorer.
A backup file that looks like this: bitcoin-wallet-keys-date-bytes but seems to have a null ext.
Also have a file called: date6othernumbers.key.
Not sure what the "bitcoin-wallet-keys-date-bytes" is... but MultiBit generally created "backup" files like: multibit-20190410143351.key multibit-20190410143351.wallet multibit-20190410143351.wallet.cipher MultiBit HD created files like: mbhd.wallet.aes My question is, since Multibit is no longer supported, what wallet would give me the best chance of recovery.
Your best bet might be to actually just install an old version of MultiBit (available here: https://multibit.org/release-info/classic/v0.5.19.html) and try to at least open the .key file that you have using that wallet... it may not be able to sync and/or send transactions, but if you could at least open the file, you might be able to then export the keys and then import them into the wallet of your choice. In MultiBit classic, you use the "tools -> import private keys" menu option, and then the "import from ..." button:  That will allow you to open the .key file... enter the password and click the unlock button... if the password is correct, it should populate the "Number of Keys" an "Replay Date" fields:  Once you have the keys imported... you can use the "tools -> export private keys" option to create a plaintext export file (don't set an export file password, otherwise you won't actually be able to read the generated .export file as it will be encrypted and you'll be back at square one! )  NOTE: I've been trying to simply decrypt the .key file on the commandline using OpenSSL following the information posted by the MultiBit devs... but that doesn't appear to be working However, when I try to load the .key file into multiBit and use exactly the same password as with OpenSSL, it works perfectly and will import the .key file??!?  That's why I recommend to try reading it directly into MultiBit |
|
|
|
I contacted him on March 21, 2019 to buy a paypal account.
Not an idiot? I said not to trade with paul9000, he is a liar
Roll your mother, I'm the victim.
While this "Paul" guy may indeed have scammed you, it would appear that you were attempting to purchase a "fake" Paypal account, ie. one that does not belong to you... and was most likely setup using stolen or fake credentials. Apparently, Vod deems this to be untrustworthy behaviour and has tagged you accordingly. |
|
|
|
Github repo and entire account look like they have been removed as well... nice work |
|
|
|
|
Show Posts
