Each release version is tagged, so for example: git clone https://github.com/bitcoin/bitcoin.git cd bitcoin git checkout tags/v0.9.2.1
|
|
|
Just a heads up -- There are some people that find signature campaigns really annoying, either because "who wants to see more ads?" or simply because some people who use them write tons of short useless posts just for the extra cash... try not to be one of them
|
|
|
As others have said, screen is your friend.
Ubuntu Server 13 also has byobu (installed by default I believe), just run byobu-enable, and then choose your activation key (press Ctrl-a, and choose an option, I prefer the first). Then instead of logging out, use Ctrl-a d (on either an SSH session or the console).
I'll bet that the underlying cause is that you enabled home directory encryption -- your home directory will only remain decrypted while you are logged in. You can relocate the datadir and start bitcoind with -datadir=/new/dir as another way to get around this.
|
|
|
[...] If the wallet files are encrypted, the attacker must [...] simply wait for you to type it in. At that point, they can gain access to all of your private keys.
That's the point of OTP in addition to typing in a static password. The attacker is not able to push the button of Your Yubikey from inside the computer or even plug it to the USB slot at first The password safe "KeePass" has a YubiKey plugin, to exactly preventing such keylogger attacks. So it seems, that it is possible to protect a local software with OTP. What would be the difference between a online service (which is basically an application running on a webserver) and a local application anyway? It gets pretty complicated from here... (and there are real experts who know far more than me that would make both our heads spin! ) The wallet that's on your hard drive (or the KeePass file) is encrypted with a something called a "symmetric" key. That just means the the encryption key is the same as the decryption key, and it's always the same until it's changed, typically manually by you. With KeyPass, you can use your YubiKey in one of two different modes. In "static password" mode, the YubiKey simply remembers one portion of your password. The encryption/decryption key is created by adding the password you remember to the one the YubiKey remembers, and it's always the same (unless you manually change it). If there's malware on your computer, it can wait for both you and the YubiKey to input your passwords, and then the malware has all it needs to decrypt your KeyPass passwords (or your wallet file). The second mode is called One-Time-Password mode (which sounds good, but keep reading...). This mode is similar to "static password" mode, but it automatically changes the symmetric encryption key each time you log in. This means that if a piece of malware captures the full password (both the one you type in and the one from the YubiKey which is different each time you log in), and if the malware then tries to use this password, it's probably too late because the symmetric key has already been changed and is no longer valid. The problem is that there's a simple attack the malware can use to get around this. The malware takes a copy of the encrypted data before you or the YubiKey enter your passwords, and stores it temporarily. The next time you and the YubiKey enter your passwords, the malware records the password. As I said above, at this point the symmetric key for the encrypted data is now automatically changed... but it's only changed for the "legitimate" file. The temporary file which the malware took a copy of doesn't have its key changed -- its password is still the same, it's the one that was captured by the malware. Now the malware has both the decryption key and the older encrypted file that the decryption key will work on. With a good* online service, the malware never has access to the encrypted data because it's only stored on the server, and so it can't take a temporary copy of it for later decryption. The bottom line is that while a YubiKey makes things a little more difficult for malware, it's doesn't really help that much for local wallets. Local wallets are only safe if there's no malware present on the system. Good* online wallets on the other hand can have their security improved with a YubiKey (or similar). * A good/strong online service has Bitcoin keys stored in (at least) two places: partially on your computer and partially on the server. At no time are the keys both stored in the same place. Blockchain.info doesn't fit this description, because there is only one key -- if you're malware infested, this one key can be stolen by malware on your computer. Of course, all online services require a certain trust level on your behalf...
|
|
|
Did you have any luck retreiving your password highereducation with this script? I have an idea of what my password is, and want to give this software a go. Would rather donate to the open source software, but I am willing to try the wallet receovery guy too.
Although Higheducation92 did get the script working, I don't know if he ended up finding his password. I don't think he ended up installing PyCrypto. The PyCrypto install is optional (it speeds up Electrum and MultiBit searches), and on OS X it might be tricky. I did update the Tutorial with instructions on how to install PyCrypto on OS X, but I don't know if the instructions actually work.... (On Linux and Windows, installing PyCrypto is a bit easier.) At any rate, if you have any specific questions, I'll try my best to answer them. -Chris
|
|
|
(original quote is below before it was edited...) Or maybe im just fixing up the code that was distributed yesterday? There are so many copies of this about, who do we know who the actual author is?
I don't begrudge you the fixing up of code, after all that's part of what open source software is all about. But a single Google search will clearly show who the original author is, and will leave no doubt that the original author is not choosing to distribute the code as open source. There's no excuse for intentionally burying your head in the sand (as it seems you're doing, but maybe you're simply unaware that this is not open source software?) You are distributing the code, the fact that others have done so does not make your actions any more ethical.
I'm all for open-source software, but it's the original author's right to decide how they want to distribute their software. What you're doing is either woefully misguided, or intentionally malicious. Which is it?
Okay, Fair enough, Ive removed it from github for the sake of you guys whining. If anyone needs help fixing up https://github.com/felinegambler/BitcoinDice please let me know and I will help youmy email is vexica1987@gmail.comIt's not a matter of whining, it's a matter of supporting individuals who try to write code for a living. I may not want anything to do with gambling sites, but I certainly support the right of developers to write and sell software. If you choose to undermine that... well that's your choice, I doubt the copyright police will come knocking down your door anytime soon. But if you're doing it willingly and with full knowledge of what you're doing, then you're little better than scammers such as Theospaul. Edited to add: sorry if this came off as a personal attack... Theospaul is certainly scum, and it's unfair to group you in with that character. Hopefully your original posting of this code up on GitHub was just an honest mistake.
|
|
|
Do not call anyone a scammer until it's proven. Thank you for contributing.
Will check the script for flaws.
No need to "check the script for flaws"... It is illegally distributed code. Maybe read a little more before jumping to the defense of something. LOL, Illegally, I wouldn't go that far. Once I have been prosecuted I will take the code offline happy? it looks like this code is distributed a few places around github ( https://github.com/colinkelly/coinDice), I'm only fixing the code that was distributed freely, I did not distribute the code, go to the other thread and complain to theospaul. In most countries, copyright infringement is illegal. There are plenty of people who do it anyways... as you are doing, and you're even going a step further. Your asking for donations sent to you for somebody else's code! I did not distribute the code
You are distributing the code, the fact that others have done so does not make your actions any more ethical. I'm all for open-source software, but it's the original author's right to decide how they want to distribute their software. What you're doing is either woefully misguided, or intentionally malicious. Which is it?
|
|
|
Did he really have this? <h1>Wallet</h1> <div class="zprava"> <b>Receiving address:</b><br> <big> <?php echo "1B91svQchkzkykRmYcJJQorGZqN2A813tS"; ?> </big>
Not sure if this guy is serious or just a huge scammer. I recommend to not use the script. Here is the fix anyways. Change this : echo "1B91svQchkzkykRmYcJJQorGZqN2A813tS"; Change to this : echo $wallet->getnewaddress(); That would fix this one issue, but it's pretty clear that this is not a bug but an intentional scam. And where there's one scam, there could be others... I'd recommend everyone stay as far away from this software as possible.
|
|
|
YubiKey does offer additional security for web-based wallets, especially those with per-transaction two-factor checks such as greenaddress.it and bitgo.com. In these cases, two-factor auth offers very effective (but not perfect) protection against malware.
Two-factor tokens typically work by storing a shared key. The website also stores that same shared key. This allows both the token and the website to generate the same authorization codes, which are then simply compared during login (or during each new transaction). As long as nobody else has access to the shared key, it can provide additional security. Two-factor authentication is only to verify the user has the same share key -- two-factor tokens are not used to do any wallet encryption.
With desktop wallets, there is no login process, only an encryption process. Desktop wallets store their private keys inside of files which are encrypted by the user's password. Encryption is not something that two-factor tokens can do. An attacker (or piece of malware) who has access to your PC has direct access to your wallet files. If the wallet files are encrypted, the attacker must either try to brute-force the password, or simply wait for you to type it in. At that point, they can gain access to all of your private keys.
In short, two-factor authentication doesn't add any security to desktop wallets.
(Hardware wallets are much different -- they can do encryption.)
|
|
|
I see a problem in admin/pages/wallet.php on line 52 to 54 <?php echo "1NPTYuzo2imRi7oiow6gszX3QQccnPWAGJ"; ?>
it just echos a hardcoded wallet addy. instead of it being dynamic. Sorry about that guys it was an honest mistake, Very glad you spotted it before anything came of it .
I have also added a donation address to the original post
Thanks to all
Or... maybe it wasn't an honest mistake and you are still a scammer? Just to be clear, this is (as has already been said) a straight ripoff of CoinDice with the deposit address replaced by Theospaul's address. This is a scam, it was intentional.Shortly after being discovered, Theospaul "fixed" this "bug" in this commit, and then an hour later Theospaul had the nerve to switch it right back. There's no way it was an honest mistake. Although we shouldn't be surprised since this isn't the first time Theospaul has run a scam.
|
|
|
I recommend you to to write a dedicated post for your tool, I think it deserves it!
I agree it is a fantastic piece of work! Thanks a lot!!! (or thank the alot if you prefer) It doesn't get a lot of attention (which is just fine), so I'm not sure about it's own thread... but if I do, do you think I should start it in the Tech Support forum? That seems like the right place to me.
|
|
|
Btcrecover seems the very best password recovery tool, the tool set is impressive. Did anyone go through the code to check that it doesn't do anything malicious?
I'll take that as a compliment But as far as I know, nobody has done so. The Python code is long (approaching 4k lines mostly in a single file) and complicated, and "evolved" into its current somewhat messy state (as opposed to being well planned out, sorry...). However I did write some "extract" scripts that are short and fairly easy to understand documented here: https://github.com/gurnec/btcrecover/blob/master/extract-scripts/README.md. The idea was that you could run one of the extract scripts directly on your wallet file, copy/paste the base64-encoded results into a VM w/o network access, and then not worry about what btcrecover might do with it (assuming you read and understood the short extract script). At worst, it could waste a bunch of CPU/GPU time, but at least it couldn't steal you wallet. Of course, all that only really helps if you're already somewhat of a "techie" who knows how to set up a VM. I suspect that many people who choose to run btcrecover are not techies, and are putting themselves at risk (speaking as objectively as I can, of course as the code monkey who wrote it, I claim it's perfectly safe ).
|
|
|
Thank you very much Chris for Btcrecover! It is an amazing program, with lot of possibilities, which will suite every weird password around I have forgotten a complex password, which is constructed from: 1. <keyboard pattern> 2. word1, word2, Word1 or Word2 3. word3, word4, Word3 or Word4 4. in between of every word or/and at the end of the whole phrase I use one or two special characters. I am having trouble defining the pattern in a single tokens.txt file. Could I possibly PM you with detailed info on the pattern, so you would probably help me? Thanks in advance! Have to say, your software is a peace of art! You're welcome to PM me if you'd like. Please be as detailed as you can (without the actual words in your password though). If you include a couple of examples of complete passwords that btcrecover would guess, and a couple that it wouldn't guess, that would help. In particular, are 1, 2 and 3 from above always in the same order, or can they be in any order? The one or two special characters you mentioned, do they only appear once, or can they appear more than once between different words? Or do they always appear between words?
|
|
|
It's a trivial change, but one that requires some testing and no one has had any chance to test it. It has previously been ~zero priority. (the second pull request isn't a separate one, it's just a rebase). It's somewhat annoying to test because you really want to test it from an IP which hasn't previously run a node so you can verify that it successfully gets connections. If it's interesting you please test it and provide feedback.
I am interested, but only if you think such feedback would be helpful (not necessarily sufficient, but at least helpful). I was thinking of a simple test scenario such as this: Linux-VM-w/Bitcoin ----- VM-NAT-router-w/Public-IP ----- mainnet Two tests with different Public IPs (likely never running Bitcoin before*), one where VM-NAT-router is running UPnP, one without. I could do a testnet-in-a-box, but it doesn't seem any easier to me... If I have extra time, I might do an additional tests with both 32 and 64-bit versions (so a total of 4 tests on 4 different IPs). I might be able to run a single Win64 or Win32 test as well, behind a residential cable modem NAT box, again likely never running Bitcoin before. I don't have the resources to run any OS X tests. Before each test, I should verify that UPnP is working (or is not working) as expected. I'd need to verify the existence of inbound connections, preferably on the VM-NAT-router. In the non-UPnP case, I'd need to manually forward a port first. I'll save the log files for future reference. I should probably save a packet capture as well. Anything else? Do I have to wait for a full blockchain download (I wasn't planning to)? For building, I'll probably rebase your branch from a month ago to master. * All of these IPs are dynamic, so although none have intentionally been running a Bitcoin node, I can't be sure. For the VM tests, I can leave the VM-NAT router running for an hour or so before beginning each test and check that no inbound connections are occurring before the test starts.
|
|
|
It's because he has a Primedice ad in his sig. He's just trying to increase his post count, he doesn't really care whether the things he says are accurate or not. I've found that bitcointalk.org makes a lot more sense and is a lot easier to use if you just click "ignore" on any user that has a Primedice ad in their sig.
That's some pretty good advice, thanks! PRIMEDICE PRIMEDICE 666 HAS LAUNCHED! Guaranteed returns! You can't lose! Click Here!
|
|
|
Do you guys think there is other way to fix the wallet if bitcoind autofix fails?
pywallet can scan a file (or a hard drive) for mkeys and ckeys (everything required to recover encrypted private keys/addresses), try decrypting them in various combinations, and then reconstruct a wallet.dat file. It almost works, except that the reconstructed wallet.dat doesn't work right unless you choose for it to be unencrypted (which is an undocumented feature). I've submitted a patch which will hopefully be included one day, because aside from that last step it works quite well.
|
|
|
I'm all for removing the check to dyndns.org, but it seems like the two pull requests which attempted this were trickier to get exactly "right" then was first imagined... it's too bad, but sometimes there are bigger fish to fry. Thanks to gmaxwell and laanwj for giving it a try, though.
|
|
|
@Chris This file is getting complicated, they ask me if i repair/remove/change...I do not I klick somewhere--But i think i did not right cuz,warning: can't find pycrypto..maybe give me a more detail Hoe to put pycrypto in btc-recover
Please give this a try. 1. Go to Start -> Control Panel. 2. Click on Uninstall a Program. 3. Find everything that has "Python" in the program name, you should find at least two, maybe more. 4. Double-click each one to remove it. 5. Install Python 2.7.8 Windows X86-64 Installer from here. 6. Install PyCrypto 2.6 for Python 2.7 64bit from here. Let me know if you still get the "warning: can't find pycrypto" message...
|
|
|
Does anyone have a comparison of how long this would take with a script/interpreter language like Ruby or Python, vs. a compiled and highly parallized computation on a GPU? I guess we're talking 4-5 orders of magnitude here?
Much much faster. Try 20x. Still it will take many years to bruteforce. Dictionary attack will be faster if they have a weak password. Maybe you could program rainbow tables if you have many wallet.dat files to crack The wallet.dat password is seeded, rainbow tables wouldn't help. While there is a speed difference between Python and native code, for this particular application it's much closer than 20x. Most of the time is spent inside cryptographic code, and most scripting languages implement cryptographic primitives in native code. Here's a comparison between btcrecover and John the Ripper, including columns which show what language each cryptographic primitive is actually written in. The interesting comparisons are the Bitcoin Core lines, which show a speedup of 2.75x from 44 P/s to 128 when going from btcrecover to JtR, and the speedups that you get with GPU acceleration (pretty good speedups with Bitcoin, but a measly 4 - 6x speedup for Armory which uses a memory-hard KDF). All of these tests were run on my aging i5-2500k and 2x 560 Ti's. Wallets were created on the same system using default KDF parameters, except for the Blockchain.info wallet with 10,000 iterations (10 is the default). BBcode tables are pretty ugly, the original spreadsheet if you want to see it is here. Wallet | Software | Language | KDF | | Hash | | AES-256 | ECDSA? | Iterations | Memory | GPUs | P/s | Armory | BTCR | Python 2.7 | ROMix | C++ | SHA-512 | C++ | C++ | Yes | 4 | 2 MiB | | 20 | Armory | BTCR | Python 2.7 | ROMix | OpenCL (GPU) | SHA-512 | OpenCL (GPU) | C++ | Yes | 4 | 2 MiB | 1 | 79 | Armory | BTCR | Python 2.7 | ROMix | OpenCL (GPU) | SHA-512 | OpenCL (GPU) | C++ | Yes | 4 | 2 MiB | 2 | 128 | Bitcoin Core | BTCR | Python 2.7 | PBKDF1 | Python | SHA-512 | C | C | No | 67,908 | | | 44 | Bitcoin Core | JtR | C w/OpenMP | PBKDF1 | C | SHA-512 | asm | asm w/AES-NI | No | 67,908 | | | 121 | Bitcoin Core | BTCR | Python 2.7 | PBKDF1 | OpenCL (GPU) | SHA-512 | OpenCL (GPU) | C | No | 67,908 | | 1 | 1,070 | Bitcoin Core | BTCR | Python 2.7 | PBKDF1 | OpenCL (GPU) | SHA-512 | OpenCL (GPU) | C | No | 67,908 | | 2 | 2,110 | Blockchain.info | BTCR | Python 2.7 | PBKDF2 | Python | SHA-1 | C | C | No | 10 | | | 27,000 | Blockchain.info | BTCR | Python 2.7 | PBKDF2 | C | SHA-1 | C | C | No | 10 | | | 82,000 | Blockchain.info | JtR | C w/OpenMP | PBKDF2 | C | SHA-1 | C w/SSE4.1 | asm w/AES-NI | No | 10 | | | 533,000 | Blockchain.info | JtR | C w/OpenMP | PBKDF2 | OpenCL (GPU) | SHA-1 | OpenCL (GPU) | asm w/AES-NI | No | 10 | | 1 | 3,996,000 | Blockchain.info | BTCR | Python 2.7 | PBKDF2 | Python | SHA-1 | C | C | No | 10,000 | | | 41 | Blockchain.info | BTCR | Python 2.7 | PBKDF2 | C | SHA-1 | C | C | No | 10,000 | | | 262 | Electrum | BTCR | Python 2.7 | PBKDF1 | Python | SHA-256 | C | Python | No | 2 | | | 25,000 | Electrum | BTCR | Python 2.7 | PBKDF1 | Python | SHA-256 | C | C | No | 2 | | | 396,000 | MultiBit | BTCR | Python 2.7 | custom | Python | MD5 | C | Python | No | 3 | | | 26,000 | MultiBit | BTCR | Python 2.7 | custom | Python | MD5 | C | C | No | 3 | | | 415,000 |
|
|
|
What i can do now? Just restart but it would provide the same results. Or i was wrong about password, but it is unusual that is a long pw, i am too lazy, It is 100% a word not combination of letters and numbers. But maybe something like Number1, but is ridicolous such a word i would not write.
So what should i do write notepad to enlarge the bruteforce?
First, just a reminder, if there was an umlaut over any of the vowels, btcrecover will never find it. It can't handle non-ASCII. The only option would be to try more passwords. I guess I'd try this: #--pause --no-dupchecks --wallet multibit.key --autosave progress.sav %ia%0,5a%d %ia%6a
This tries passwords that have a single number at the end, and also passwords that are 7 letters long. It will take 36 times longer to run, so it's pretty important that you install PyCrypto 2.6 for Python 2.7 64bit from here first. It will autosave to a file in the same directory, so you can close it and restart it without losing any progress (but only after the initial counting phase). I just added a small improvement related to autosave, so you should probably download a new copy of btcrecover first.
|
|
|
|