Bitcoin Forum
May 25, 2024, 03:43:12 AM *
News: Latest Bitcoin Core release: 27.0 [Torrent]
 
  Home Help Search Login Register More  
  Show Posts
Pages: [1]
1  Alternate cryptocurrencies / Altcoin Discussion / Re: Ripple Giveaway! on: June 03, 2013, 07:00:26 PM
I wonder if this is still limited to people who signed up in February or earlier (even though the amount of the giveaway has gone down considerably).
2  Alternate cryptocurrencies / Altcoin Discussion / Re: Ripple Giveaway! on: June 03, 2013, 06:10:59 PM
rL8ab1FDcnvuzv1JRVFuvercxZDSdAVyx8
3  Other / Beginners & Help / Re: Missed out on Ripple! on: June 03, 2013, 04:36:37 PM
If you are a developer (i.e. you write code), you can sign up for development updates--I did.  I am betting that at some point they will be giving away ripples to developers to encourage them to build client applications for ripple; and they will probably send instructions for the giveaway to those who sign-up for email updates.

https://ripple.com/developers/
4  Other / Beginners & Help / Re: How can I accept Ripples (XRP) ?? on: June 03, 2013, 04:52:55 AM
I love how no-one actually addresses the OP's question...
5  Other / Beginners & Help / Re: "Grabbing" multiple wallets from the ripple "wallet server" for offline cracking on: June 02, 2013, 07:01:20 AM
Awesome.  Thanks scintill!

I also got a response in the ripple forums from the forum moderator, dchapes, which confirms what you and I both just said--that you need to have the wallet name and passphrase first to get a wallet from the blob vault.

Here's the link to that post:

https://ripple.com/forum/viewtopic.php?f=5&t=2967

Since I don't have enough posts to have a signature yet, here's my ripple public address which I just barely got:

rL8ab1FDcnvuzv1JRVFuvercxZDSdAVyx8

I accept donations for interesting and helpful posts Smiley

I feel better about ripple now.
6  Other / Beginners & Help / Re: "Grabbing" multiple wallets from the ripple "wallet server" for offline cracking on: June 02, 2013, 05:53:06 AM
Quote from: mjc on June 02, 2013, 01:17:30 AM
No the once the blob is hel locally they can attempt to crack.  Use complex passwords and make the length > 20 characters.  Mine is > 40 characters and random a-z, A-Z, 0-9 and symbols.

From reading the api, it seems like to be able to get the blob in the first place from the blob vault, you have to have the wallet name and passphrase.  Then you use the same wallet name and passphrase to decrypt it.  So I don't understand this idea of first holding a blob locally and then attempting to crack it, unless you obtained the wallet from somewhere other than the blob vault.
7  Other / Beginners & Help / "Grabbing" multiple wallets from the ripple "wallet server" for offline cracking on: June 01, 2013, 08:34:06 PM
This quote from senior forum member on the bitcoin forum "scintill" has made me think twice about using ripple.

Quote

Re: ripple account hacked
May 06, 2013, 05:47:57 AM
 #12
Quote from: loudpete on May 06, 2013, 05:28:13 AM
So what were you using for passwords?  now that you wont be using them anymore...

Still, seems like they'd have to try 62,000 passwords per user account, wouldn't the ripple servers block more then 5 attemps (for like an hour) making this impossible?

No, the Ripple webclient wallet is decrypted client-side in the user's browser.  So they just grabbed the encrypted wallet and cracked it locally.  Blockchain.info wallets works the same way, so they can also be cracked like this.

It's possible they grabbed a bunch of wallets around the same time that maybe should have tripped an alarm on the Ripple wallet server, but we don't know, and there's nothing Ripple can really do to perfectly prevent this.  The user has to pick a good passphrase and ideally also a non-obvious wallet ID as well.


I think by "wallet server" he means the "blob vault".  If so--looking at the API, it seems you need to send an encrypted wallet name and passphrase to retrieve a wallet.  So why did scintill say that someone could "grab" multiple wallets at once and crack them locally?  Don't you potentially have to make thousands of api calls to be able to guess the password from a list of common passwords?  (This is still easy, but an important distinction to me, because it leaves a record that can be used to incriminate the attacker.)
Pages: [1]
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!