Don't use WarpWallet, the manual key management is a nightmare, and it uses uncompressed addresses. Just memorize a random 12 word seed phrase.
|
|
|
I am the author of Brainflayer. Please be aware that this poster is violating my copyright, and any software they offer (if it exists at all) may include malware.
Brainflayer is not free (as in speech) software. Distributing modified versions of it (with the sole exception of forked repositories on github) is illegal. Distributing precompiled binaries is illegal without exception.
As gmaxwell pointed out, a lot of what was posted by btc-room101 is "technobable nonsense".
|
|
|
Does anyone know how the private key is generated?
I'm really hoping (but really not, for the sake of their customers) that it's something stupid and obvious, like a single SHA256 of the passphrase.
I wrote up the algorithm here last month: https://rya.nc/bitfi-wallet.html
|
|
|
McAfee and Bitfi are very confident about their crypto-wallet's security.
Highly overconfident, as the wallet is utter garbage security wise. It's like they *tried* to make it insecure.
|
|
|
Well, the opinion of every single person in crypto worth listening to on this corroborates your conclusions. They can screech all they want. That's not going to convince anyone.
I think "screech" is a good description of their social media "strategy".
|
|
|
Bitfi's hardware wallet was confirmed to be a brain wallet variant. I reversed it and published the algorithm. These addresses can be cracked without any access to the device. https://rya.nc/bitfi-wallet.html
|
|
|
They're currently trying to throw shade on me, claiming I'm out to get them due to some perceived personal slight.
This is false - I engaged on a very similar crusade when the now defunct ether.camp site was offering brain wallets without explaining what they were.
The siren call of brain wallets is strong, but we must fight back.
|
|
|
I'm the author of Brainflayer. This dude is full of shit. It's true that GPU-based software would be faster, however not 100x faster. Also, cracking elliptic curve keys has nothing to do with prime factoring.
The baby-step giant-step attack described can only be used on specific public keys - it does not work on addresses and it does not work on multiple simultaneous keys.
At best this person is selling snake oil. At worst, it's malware that will drain your wallet.
|
|
|
I am also interested in using the sequential hash function of brainflayer to sequence ALL inputs; not just sequencing from left to right.
For example: ./brainflayer -v -I 0A00E00F00000F000008000000000E0000000000F000000E000080000C000001
I would like the A, E, F, F, 8, E, F, E, 8, ... to sequence simultaneously, or is there a command to break down sequencing into 8 digit partitions, using all fields or characters other than zero to queue into the sequence command? Is this even possible?
0A00E00F 00000F00 00080000 00000E00 00000000 F000000E 00008000 0C000001
I'm not entirely sure what you're asking here. If you'd like to do a masked search iterating through only specified bits, I would consider adding that feature if you are willing to pay for it. However, my consulting fees are substantial.
|
|
|
I am from 3rd world, so it's not expensive once the box is built, it's just cheap electricity that matters and it gives me hope. Edit: the main struggle is keeping electricity on 24x7 and keeping internet on, as the power outages are common.
Whatever money you're spending on electricity would be better spent on gambling.
|
|
|
I plan to release an update adding support for this "passphrase plus xor" brainwallet variant, so don't go using it.
|
|
|
I'm also getting a bunch of spam with "?bounty=timr" - they've all been to the email address I'm registered to btc-e with, which got leaked a while back.
|
|
|
I've been trying to experiment with P2SH addresses and non-standard scripts. I've sent some coins on testnet to 2NGDaDjuNuXz1wzHkusqUKCEtvwGr1q3JUc, but I'm having a hard time spending the output. The redeemScript is

    $ bitcoin-cli -testnet decodescript 210251ec22f0bd150d3ffd84f627b1e65b9b17921dd1676c5e90627ab21d18158df7043133333775ac
    {
      "asm": "0251ec22f0bd150d3ffd84f627b1e65b9b17921dd1676c5e90627ab21d18158df7 926102321 OP_DROP OP_CHECKSIG",
      "type": "nonstandard",
      "p2sh": "2NGDaDjuNuXz1wzHkusqUKCEtvwGr1q3JUc"
    }

I was able to add it to my wallet using importmulti, but when I do listunspent it is not shown as spendable, and I haven't been able to spend via signrawtransaction. Can anyone point me to a tool that I can use to build the spending transaction? I tried following along with this example: https://github.com/petertodd/python-bitcoinlib/blob/master/examples/spend-p2sh-txout.py but when I call

    VerifyScript(txin.scriptSig, txin_scriptPubKey, tx, 0, (SCRIPT_VERIFY_P2SH,))

I get "P2SH inner scriptPubKey returned false"

Edit: Got it working, needed to use python3
|
|
|
I don't know about arch and suse, but Debian signs their packages with gpg, and a number of the mirrors are https (e.g. mirrors.kernel.org).
|
|
|
Yea you posted a 2 instead of a 1. I can confirm that signature is legit! I still can't see where it was screwed up, lol.
|
|
|
I am not sure what the difficulty is for the addresses with numbers mixed in, but it generally takes me under a minute to create those.
How long did it take for you to generate the address with only lowercase letters and no numbers, and what kind of specs did the AWS instance have?
You're referring to 1woukheyeacxfpxtpkxjqxureevdkbywj? I spent about a day and a half on that address with several dozen instances of various sizes.
|
|
|
There are bad ways to create bitcoin private keys besides brainwallets. Broken PRNGs being one of them, and keys people have deliberately made weak being another.
|
|
|
On that qx again: Is it really a security issue if I do: qx{./hook-start} if (-x './hook-start');
And similar with the other hooks? I mean that are shell scripts the user writes himself as these should be executed on certain events. How is this supposed to create a shell injection? That would be the case if the argument to qx would be (there are other places) in a variable - yes? But not in these cases. Just asking...
Rico
If there's no arguments, or the command is hard coded, there's no security issue with backticks/qx to the best of my knowledge.
|
|
|
Since I'm looking at the code anyway, I notice that there's a bunch of command execution using qx{} which IIRC is equivalent to backticks, and potentially vulnerable to shell injection. This should probably be replaced with `open` or `system` with arguments passed as an array.
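The difference between a hard-coded qx{}, an interpolated qx{}, and the list-form calls mentioned in the two posts above, as an added Perl example that is not part of the original posts or of the project under review. The variable `$label`, the helper `capture` and the marker string are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed input: a value that reaches a command line from outside the
# script (config file, network, filename). The text after ';' is a harmless
# marker that shows whether a shell parsed the string.
my $label = 'block-1234; echo SHELL_PARSED_THIS';

# Hard-coded command, no interpolation: nothing externally influenced
# reaches the command line, which is the hook-script case discussed above.
my $fixed = qx{echo hook-start};

# Interpolated qx{}: the string now contains a shell metacharacter, so Perl
# runs it through /bin/sh -c. The ';' ends the first command and the rest
# runs as a second command.
my $unsafe = qx{echo $label};

# List-form pipe open: the program and each argument go to exec directly,
# no shell is involved, and $label stays one literal argument.
sub capture {
    my @cmd = @_;
    open(my $fh, '-|', @cmd) or die "cannot run $cmd[0]: $!";
    local $/;                        # slurp all output at once
    my $out = <$fh>;
    close($fh) or warn "$cmd[0] exited with status $?";
    return $out;
}
my $safe = capture('echo', $label);

# system() with a list avoids the shell the same way when the output is
# not needed by the caller.
system('echo', $label) == 0 or die "echo failed: $?";

print "fixed:  $fixed";
print "unsafe: $unsafe";   # two lines: the marker ran as its own command
print "safe:   $safe";     # one line: the ';' was printed, not interpreted
```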