Electrum receives messages from the server and shows them to users in its own way. Why can servers show messages?
Because that was the design decision they made originally... it could have been simple convenience, it could have been because they wanted the server to have the flexibility to be able to send different "error" messages without needing to update the client (so as to provide backwards compatibility) should the need arise in the future.

Was it a poor design? In hindsight, yes... absolutely it was.
Is there anything they can do about the past? No.
Is there anything they can do about the future? Yes, they already have... the client has been patched to prevent arbitrary messages from bad servers... and server code has been modded so "good" servers can warn older clients to update (as per the example in the OP).
|
|
|
Why would the forged TX be unsafe in the case of a "PC&Electrum"? Once a transaction has been constructed and signed, you cannot modify it in any meaningful way... or are you implying that there is a possibility for the transaction to be constructed improperly? (ie. wrong address/amount due to malware interference etc?)
|
|
|
It is all rather moot anyway... it looks like you got your wish... they've added (opt-in) update notifications to Electrum, and apparently have started using "good" servers (via an ElectrumX update) to broadcast update notifications to older versions of Electrum that are vulnerable to the exploit.
|
|
|
Electrum should protect its users. If OP runs Electrum and it says "No. You are using old version and it has been hacked. It has been fixed in the latest version. Download the latest version from electrum.org" then we don't have topics like this.
What kind of software doesn’t tell you when important updates are required?
And what happens when the centralised update server gets hacked... broadcasts a spam to all users that they need to update to new version and all the users blindly trust that because "it is the Electrum update server" and download a malware wallet and lose all their funds? You'd all be asking "why Electrum have forced update notification?"

"Be your own bank" implies "Be your own Bank's security department as well". Everyone is all about the "freedom" of Cryptocurrency... no-one seems to want the added responsibility that comes with that freedom.

There are ways and means to protect yourself... and the easiest is to ALWAYS verify the digital signature of the Electrum installer (or portable .exe). Even when I have downloaded it from Electrum.org, I will ALWAYS verify the digital signature of the downloaded file to confirm it is legit. So, even if I had received the spam message, ignored the fact it redirected to github instead of the official website and downloaded the malware installer, I never would have installed it... because the malware installer would have FAILED the digital signature verification.
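An added example, not part of the original post or of Electrum's code: a signature check of the kind described above is only meaningful if it is tied to a known signer, because a file signed with any other key still yields a "good signature". The sketch reads GnuPG's machine-readable `--status-fd` output and accepts only a pinned fingerprint; the fingerprints and status lines are constructed placeholders, and `check_status` and `verify_file` are hypothetical names.

```python
import subprocess

# Constructed placeholder, NOT a real key. Replace with the release signer's
# fingerprint, obtained from a source independent of the download itself.
PINNED = {"AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555"}

# Status keywords that mean a signature was checked and must not be trusted.
# ERRSIG (e.g. a co-signer whose key is not imported) proves nothing either
# way, so it is simply not counted towards acceptance.
FAILURES = {"BADSIG", "EXPKEYSIG", "REVKEYSIG", "EXPSIG"}

def check_status(status_text, pinned=PINNED):
    """Return (ok, reason) for the output of `gpg --status-fd 1 --verify`."""
    valid_pinned = False
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()[1:]
        if not fields:
            continue
        keyword, args = fields[0], fields[1:]
        if keyword in FAILURES:
            return False, "gpg reported " + keyword
        if keyword == "VALIDSIG" and args:
            # args[0] is the signing key fingerprint, args[-1] the primary key's.
            if {args[0].upper(), args[-1].upper()} & pinned:
                valid_pinned = True
    if valid_pinned:
        return True, "valid signature from pinned key"
    return False, "no valid signature from a pinned key"

def verify_file(sig_path, file_path):
    """Run gpg on a detached signature and apply the pinned-key policy."""
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", sig_path, file_path],
        capture_output=True, text=True)
    return check_status(proc.stdout)

# Constructed status output for three cases.
_FPR = "AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555"
_OTHER = "0123456789ABCDEF0123456789ABCDEF01234567"
_TAIL = " 2019-01-01 1546300800 0 4 0 1 8 00 "
GENUINE = ("[GNUPG:] GOODSIG DDDD4444EEEE5555 Release Signer\n"
           "[GNUPG:] VALIDSIG " + _FPR + _TAIL + _FPR + "\n")
OTHER_KEY = ("[GNUPG:] GOODSIG 89ABCDEF01234567 Someone Else\n"
             "[GNUPG:] VALIDSIG " + _OTHER + _TAIL + _OTHER + "\n")
TAMPERED = "[GNUPG:] BADSIG DDDD4444EEEE5555 Release Signer\n"
```

`OTHER_KEY` is the case that matters most: gpg itself reports a good signature, and only the fingerprint comparison rejects it.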
|
|
|
why servers can show message? Electrum developers should disable that from the first version
Why can Windows run virus? Microsoft should disable that from the first version

What you're asking for just isn't possible. It is well known within the software development industry that there will always be bugs and exploits, regardless of how hard you try to make something 100% bug and/or exploit free. Seemingly innocent design choices can and do come back to haunt developers when some hacker figures out a new exploit of a flaw in the original design.

It is very easy, with hindsight, to say the developers should have foreseen the dangers of allowing rich text error messages to be displayed... but they can't be expected to think of ALL scenarios and possibilities. Also, if you think about it... it took 6 1/2 years from when Electrum was released for this flaw to be exploited... that is how "non-obvious" this exploit was.
|
|
|
Well, technically that could also be used as "a single command to type while [your] script was going"... If you were to type: on the console when the script is running... then on the next win, the script will stop. In fact, that is how I generally use it. You don't even need the "if (profit)" check or any other condition to set stoponwin for that matter... just the:

    if (win) then
      if (stoponwin) then
        stop()
      end
    end
|
|
|
Were you actually trying to send the 0.0215437 BTC to a different address when this transaction happened? It is also possible that you have fallen victim to clipboard malware that changes the BTC address when you use copy/paste.
|
|
|
Today I had 0.0215437 BTC stolen before I could send it to the address I wanted to.
I have had no messages saying "install a new version before sending out money" or anything like that and I have definitely downloaded the electrum from electrum.org, the newest version.
Did you verify the digital signature of the downloaded Electrum installer? If you did not receive any strange error messages from Electrum and are 100% sure that the version of Electrum you are running is legit, then chances are that your wallet was compromised in some other way... did you store your 12 word electrum seed mnemonic in a digital format? (ie. backed up in a text file or screenshot on your hard drive or email or a cloud file storage service etc?) Have you attempted to claim any fork coins by putting your electrum wallet seed mnemonic into other wallets?

Is there a way to recover the funds?
Unfortunately, No. As with all Bitcoin transactions, once the coins have been sent and confirmed, there is no way to cancel or reverse a transaction.
|
|
|
As far as I know, there is no stoponwin() function or anything like that... You have to code that into your script yourself.

    if <insert some condition> then
      stop()
    end

I've used a boolean flag before, to "stop on next win" etc...

    ...
    stoponwin = false
    ...
    function dobet()
      ...
      if (win) then
        if (stoponwin) then
          stop()
        end
        ...
      end
      ...
      if (profit > 0.001) then
        stoponwin = true
      end
      ...
    end
|
|
|
Ok, well personal insults aside... In my opinion, you don't seem to be able to back up your claims. I can see now, that after several attempts, this is going around in circles and there is no point asking you for any further evidence to substantiate the claims you are making... as you'll just call me ignorant, accuse me of not reading and then make the same claims again and still not provide any evidence to support them.
To anyone else following this thread, this is my summary of findings:
- Rambotnic claims he had a more detailed plan involving tricking scammers into revealing detail and/or using escrow
- Rambotnic claims "Gino" had "lack of interest" in paying him 0.1 btc for his services
- Rambotnic has provided no demonstrable proof of any "lack of interest" on behalf of "Gino".
- Chatlogs actually show "Gino" stated that he was willing to pay Rambotnic for help on three separate occasions (and up to as much as 3 BTC for said services).
- Rambotnic told "Gino" he should talk to the "scammers" and offer to pay BTC to unlock account (but less than 5 BTC wanted)
- Gino said he wouldn't pay the "scammers" any more money
- Rambotnic never told "Gino" of his detailed plan of tricking scammers into revealing details or using Escrow.

NOTE: I make no judgement on the intentions of either Rambotnic or "Gino". I'm just stating facts based on the evidence provided.
|
|
|
His ignorance and less interest of getting my services to pay me after success is enough proof.
All you keep stating is in direct opposition to what the chat logs show. You assert that "you didn't tell him the full plan because he wouldn't pay for your services". The chatlogs indicate that this assertion is false. Do you have any evidence that suggests he did not want to pay you?
|
|
|
I've read this entire thread. I even double checked to make sure I hadn't missed anything. You're avoiding answering my question, which makes me think you don't have an answer to it. You make multiple claims that he didn't want to pay... when the chatlogs clearly show he said he would... do you deny this? If so, do you have any further chatlogs that show he changed his mind and would not pay?
|
|
|
I'm only getting "Extend Seed" option in it, nothing else. Does it have anything to do with the version I'm currently using?
Are you using the Android version? If so, this doesn't support importing BIP39 seeds... only the desktop version of Electrum (Windows, MacOSX and/or Linux) supports importing BIP39 seeds.
|
|
|
New wallets, tons of 2fa.
Just before you go down the "2fa" road... you realise that 2fa wallets on Electrum incur extra fees charged by the TrustedCoin service (2fa provider), right? Make sure you have read and fully understood the implications of using 2fa on Electrum: https://api.trustedcoin.com/#/electrum-help
|
|
|
Yet another guy who don't even care to read but repeat old stuff...
I am reading. The idea of the "victim" was to confirm he would pay, not to do it. He were so "interested" to take his 38btc back just for 0.1btc help, he didn't even wanted to continue the conversation and understand the strategy.
You keep claiming that he didn't want to pay, but as I showed in your other thread... looking at the chatlogs he said THREE times that he would pay (and pay as much as 3 BTC!)... but as soon as he said he wouldn't pay any more coins to the scammers, all you did was say "I don't know what to say". This is the part that I do not understand -> He said he would pay you... So why did you not tell him the full plan (ie. pretend that he would pay scammers, use escrow etc)?

You understand nothing, why you trying to with closed eyes and ignorance?

My eyes are very much open... That is why I do not accuse, but I ask questions. So, can you please answer my question above?
|
|
|
You mean after you get your private key from ChipMixer? If so, of course... it is a private key, you can do with it what you like... Import or sweep... or they'll even send the funds to an address for you if you really want.

Do you know withdrawn private key?
Sadly, yes, we have created them and as long as two people know private key, either of them can move funds. When you withdraw a chip, you receive a copy of private key encrypted on the mixer's server. You are free to sweep it yourself, ask us to send it to your address or keep it on chip for a while. Only the last option keeps your funds vulnerable to our dishonesty, but it also extends your privacy. If you sweep funds from chip in first 12h after your input, you receive same privacy as you would get from standard mixer. If you trust us (as you already did when you sent coins into mixer) and spend chip when you need it, then you achieve maximum privacy you can get.
|
|
|
a couple of thoughts: - is "forge" the correct word? to forge something has the meaning of "faking it" and you are not "faking" anything here. you are creating a real transaction here and don't broadcast it, that's all.
That is one meaning... forge can also mean "to create". But yeah, it probably isn't the best word to use, especially when talking about things that require signatures etc.

forge /fɔːdʒ/ (verb)
verb: forge; 3rd person present: forges; past tense: forged; past participle: forged; gerund or present participle: forging
1. make or shape (a metal object) by heating it in a fire or furnace and hammering it. "he forged a great suit of black armour"
   synonyms: hammer out, beat into shape, found, cast, mould, model
2. create (something) strong, enduring, or successful. "the two women forged a close bond"
   synonyms: build, build up, construct, form, create, establish, set up, put together. "they forged a partnership with city government"
3. produce a fraudulent copy or imitation of (a document, signature, banknote, or work of art). "the signature on the cheque was forged"
   synonyms: fake, falsify, counterfeit, copy fraudulently, copy, imitate, reproduce, replicate, simulate
   antonyms: genuine
- there is a big problem with this specially when you talk about wanting to spend it. because price is volatile if you create a transaction with X amount at home and then go out, by the time you reach your destination your X may be worth higher or lower than the initial amount you create it at.
This is a very valid point tho...
|
|
|
One of the things I wanted to attempt on doing this was to do it all OFFLINE!
Has anyone had any first hand experience of this? If so kindly share it here or in my other thread as stated above.
I can't say that I've done it offline as such, but I have certainly used python-trezor to interact with a Trezor device. So, I tried disconnecting my WiFi, and unfortunately, the example of signing a transaction shown at: https://github.com/trezor/python-trezor/blob/master/docs/EXAMPLES.rst does not work offline. As, if you're offline, there is no way for it to find the transaction info necessary to complete the creation of the transaction.

Given that it is an open-source library, it should theoretically be possible to modify the python-trezor code so that you could pass in the appropriate transaction information (ie. raw hex) so that it could piece together all the information without needing to connect to the Trezor API...

However, as has already been mentioned a few times, attempting to use a Trezor (or most of the common hardware wallets for that matter) offline is problematic as they all seem to rely on online APIs to retrieve information. Mainly because the design philosophy of the hardware wallet is that it doesn't need to be used offline to be secure.
|
|
|
Why you keep repeating thing that i already answer ?
I didn't see you answer this at all... You claimed you didn't tell him your full plan because he wasn't interested in paying you 0.1 BTC for your assistance...

Also why would person who is losing 38BTC would refuse help with payment AFTER?
The interesting part was person losing 38btc was not really interested paying 0.1 btc which will cost him less than lawyer to try find solution.
I never mention my plan because he were not interested paying 0.1 after job to turn back his 38btc which is obviously a red flag.
4- I did say it multiply time and i would explain the strategy to him, if he were interested to pay 0.1 btc for chance to get 38btc. Paying after successful job. Everyone here is so blind how he was not even interested paying 0.1 for 38btc which makes me think his scam report is fake ... 7- My hopes were to help the guy turn back his 38btc and earn 0.1 If he wanted to give me 1btc i would never say no.
When it is quite obvious from the chatlogs that he said three times that he would be happy to pay you (and pay as much as 3 BTC)... once he had his 38 BTC back. So, given that we have now asserted that he was in fact willing to pay for your assistance, could you please explain why you didn't tell him the "secret plan" (ie. that he should try and use this opportunity to extract information from the scammer to expose him) and instead you just recommended that he pay the bribe to unlock his account? And then, after he just flat out refused to send more money to the scammers... you said "I don't know what to say". Why, at this point, did you not tell him your cunning plan that he should pretend to go along with paying the money and/or use escrow and try to extract info about the scammers?
|
|
|
|