Bitcoin Forum
441  Economy / Service Discussion / Re: How can My Wallet be made more auditable? on: December 19, 2012, 11:53:32 PM
I believe this thread indicates that Roger Ver was able to trace the ownership of one of your anonymous addresses via administrative access on your systems.  At least based on a quick review this would appear to be conclusive proof that your claims about logging were inaccurate.  Or to be more specific, you in fact had a web query page available to staff/support/investors which allowed querying by data that you above claimed not to log. Not only was the data being logged, but it was intentionally being logged and there was an easy to use lookup tool. Can you correct my understanding?

Your understanding is incorrect. The address was not a mixer address, it was a regular wallet address which was in a wallet with notifications enabled. It has always been stated that the public keys are extracted from a wallet when notifications are enabled (https://blockchain.info/wallet/anonymity). This has been altered now to store hashed addresses only.
442  Economy / Service Discussion / Re: WARNING - Blockchain.info is NOT SAFE on: December 19, 2012, 06:59:22 PM
It is unclear if "access to this information" means specifically "access to the admin panel" or "access to all personal information".  It could still be possible for Roger to access personal information without access to the admin panel depending on blockchain.info's network and database security.

Roger has never had access to the database, backups or any server access. He now has no elevated privileges over normal users.
443  Economy / Service Discussion / Re: WARNING - Blockchain.info is NOT SAFE on: December 19, 2012, 05:11:27 PM
Also - why did he need this kind of access in the first place ? Were blockchain.info customers alerted about his access to this system ?

He was given access to this information because I was getting bogged down in support tickets and Roger kindly offered to help with some of them. Requests to recover lost identifiers are one of the most common queries. At the time it had not occurred to me that there could be a conflict of interest. In the blockchain.info thread I posted that a minority stake in the site had been sold, but did not specifically mention the admin panel.

I'm sure this is just a lack of comprehension on my part, but what would prevent someone from calculating the SHA256 of a bitcoin address on their own, and using that to look up the wallet? Does the SHA256 include a secret key as well as the address, to prevent others from calculating the hash?

Addresses are hashed with a secret. With access to the secret it would be possible to hash every bitcoin address with a non-zero balance and use that to compare against subscribed hashes to determine addresses in a wallet. The sacrifice of some anonymity when notifications are enabled has always been stated https://blockchain.info/wallet/anonymity. However it is no longer possible for admins to look up an arbitrary wallet by address.
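
The question and answer above, as an added example that is not part of the original posts and is not blockchain.info's code: it compares a notification table indexed by plain SHA256(address) with one indexed by a keyed hash. HMAC-SHA256 is an assumed construction (the post only says addresses are "hashed with a secret"), and all wallet identifiers, addresses and the secret are constructed.

```python
import hashlib
import hmac

# Constructed sample data: wallet identifiers and addresses are made up.
SUBSCRIPTIONS = {
    "guid-alice": ["1AliceExampleAddr111", "1AliceExampleAddr222"],
    "guid-bob": ["1BobExampleAddr333"],
}
# Addresses visible to anyone on the public block chain (constructed).
PUBLIC_ADDRESSES = ["1AliceExampleAddr111", "1AliceExampleAddr222",
                    "1BobExampleAddr333", "1UnrelatedAddr444"]
SERVER_SECRET = b"constructed-server-side-secret"


def sha256_digest(address):
    """Unkeyed hash: anyone can recompute it from a known address."""
    return hashlib.sha256(address.encode()).hexdigest()


def keyed_digest(secret):
    """Return a digest function bound to a secret (HMAC-SHA256, an assumption)."""
    def digest(address):
        return hmac.new(secret, address.encode(), hashlib.sha256).hexdigest()
    return digest


def build_index(subscriptions, digest):
    """Notification table as stored server-side: digest -> wallet identifier."""
    return {digest(a): guid for guid, addrs in subscriptions.items() for a in addrs}


def lookup(index, address, digest):
    """Find the wallet subscribed to one address, given a digest function."""
    return index.get(digest(address))


def enumerate_wallets(index, candidates, digest):
    """Hash every candidate address and group the matches by wallet."""
    found = {}
    for address in candidates:
        guid = index.get(digest(address))
        if guid is not None:
            found.setdefault(guid, []).append(address)
    return found


def demo():
    unkeyed = build_index(SUBSCRIPTIONS, sha256_digest)
    keyed = build_index(SUBSCRIPTIONS, keyed_digest(SERVER_SECRET))
    return {
        # Plain SHA256: table access alone is enough to look up by address.
        "unkeyed_lookup": lookup(unkeyed, "1BobExampleAddr333", sha256_digest),
        # Keyed: the same table is useless without the secret...
        "keyed_no_secret": lookup(keyed, "1BobExampleAddr333", keyed_digest(b"guess")),
        # ...but whoever holds the secret can rebuild the full mapping.
        "keyed_with_secret": enumerate_wallets(
            keyed, PUBLIC_ADDRESSES, keyed_digest(SERVER_SECRET)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

The privacy of the keyed table therefore rests entirely on who can read the secret, so it belongs outside any admin or support tooling.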
444  Economy / Service Announcements / Re: [ANN] BitcoinStore.com (Beta) - Electronics super store with over 500K items! on: December 19, 2012, 04:37:28 PM
I cannot in good faith (and will not) recommend blockchain.info to anybody ever again unless they do one of the following:

I posted my response here https://bitcointalk.org/index.php?topic=131608.msg1409489#msg1409489
445  Economy / Service Discussion / Re: WARNING - Blockchain.info is NOT SAFE on: December 19, 2012, 04:34:06 PM
What happened
I do not know the specifics but there was some disagreement between Roger and a customer of bitcoinstore.com. The customer claimed not to own a particular bitcoin address that an incorrect amount had been refunded to. Roger used his access to the blockchain.info admin panel to look up the information on a wallet which held that bitcoin address. The email address associated with the wallet and the email address of the customer matched.

Why is this even possible?
Wallets are stored fully encrypted, so they appear as random text to us. However when notifications are enabled the client extracts the public keys from a wallet and asks blockchain.info to subscribe to those addresses. The ability to look up a wallet using this information was added so that when newbies come to us and say "I just created a bitcoin wallet, but forgot to record the wallet identifier how can I get my money back?" we can ask for their bitcoin address or ip and are normally able to recover the identifier.

Screenshot of Admin Panel:



Why does Roger have access to the blockchain admin panel
He owns a minority stake in the company and helps with support. His funding has been tremendously helpful in allowing me to work on the Site full time, buy new servers, security hardware and fund free features.

Who else has access to this information?
Me, Roger and a customer support agent.

What has been changed
  • Roger and the support agent's access to this information has been revoked.
  • Bitcoin addresses stored for notification purposes have been deleted. Addresses are now stored as a SHA 256 hash of the address, which removes the ability to look up a wallet by bitcoin address.
  • The secret phrase is now no longer shown to any admins

What other information could be used to identify a wallet
We store the ip address a wallet was created with and the ip address a wallet was last updated with.

A wallet can be looked up by SMS number or email if that information has been added in [Account Settings].

Can blockchain.info access the funds in my blockchain wallet?
No, the information available gives only enough information to prove the user may own a wallet with that address. He could not have accessed the wallet, even if he had wanted to. No other individuals have access to the blockchain.info servers or code apart from me.
446  Other / Archival / Re: Bitcoinstore.com has encountered our first scammer. on: December 19, 2012, 02:41:02 PM
Roger has pointed me to this thread.

Roger owns part of blockchain, so has access to the admin panel along with me. The admin panel is very basic but there is the ability to query wallets based on certain information. Recently the ability to query a wallet by bitcoin address was added, when notifications are enabled.

These queries are designed to help users recover a forgotten wallet identifier and are not supposed to be used for any other purpose.



If a wallet is found the results are shown as follows:

[Wallet {email='zootreeves@gmail.com'
, guid='abf66471-fe0a-6820-8977-55d7e8c1f6b2'
, shared_key='XXX-XXX-XXX-XXX'
, secret_phrase='My Secret'
, alias='piuk'
, created=Tue Jan 03 12:52:07 GMT 2012
, updated=Tue Dec 18 19:47:40 GMT 2012
, created_ip='81.187.238.52'
, updated_ip='127.0.0.1'
, sms_number='+44 7525431876'
, country='GBP'}
]

So you have the date the wallet was created, when it was last updated, the ip that created it and the ip that updated it. The secret phrase is the phrase required in order to reset two-factor authentication, not the password. The password, wallet balance, other addresses cannot be viewed.

I am going to change notifications to store SHA256(bitcoin_address) rather than the plain bitcoin address which will remove the ability to look up a wallet by address entirely.


447  Bitcoin / Technical Support / Re: Satoshi Dice double spend. Transactions won't confirm! Balance wrong. No idea!! on: December 18, 2012, 10:17:11 AM
SatoshiDICE has occasionally been sending out some double spends recently. This does cause confusing behaviour in the blockchain.info interface as only one of the transactions will be shown and the amount available to spend may be different than the displayed balance. The problem should resolve itself in about 1-2 hours once one of the transactions confirms the double spend is removed.
448  Bitcoin / Development & Technical Discussion / Re: [SUCCESS] Double Spend against a satoshidice loss on: December 15, 2012, 05:48:20 PM
This should be a pretty reliable method.

1) Create a long chain of unconfirmed transactions (lots of free low priority transactions which depend on each other).
2) Send the final transaction in the chain to SatoshiDICE, including one input which isn't part of the unconfirmed chain. If the bet wins, great, keep rebroadcasting all the transactions in the chain and eventually they will confirm.
3) If the bet loses, double spend the input from the betting transaction which is not part of the unconfirmed chain.

Because the chain will take a long time to confirm it gives a much larger window of opportunity for miners to pick up the double spending transaction. As miners join and leave the network they are much more likely to pick up the single double spend transaction, rather than the full chain of unconfirmed transactions (which you are no longer broadcasting). This technique was used to successfully double spend the blockchain.info mixer.

449  Economy / Scam Accusations / Re: Blockchain.info wallet SCAM - Stole $6 [PROOF] on: December 12, 2012, 04:46:38 PM
blockchain.info provides no customer support from what I've seen. If I create a wallet account, with my iphone the password doesn't work the next time I log in. I tested it 5 times. Lost a lot of coins because of it. They just refer people to bitcointalk..

What would be the email of your zendesk ticket?
450  Economy / Trading Discussion / Re: So how on earth am I supposed to get bitcoins in the UK? on: December 10, 2012, 08:40:29 PM
Bumping with new deposit method:

https://blockchain.info/wallet/deposit-bank-transfer
451  Economy / Service Discussion / Re: Sofort Blockchain.info deposit processing UK & elsewhere on: December 04, 2012, 11:19:05 PM
Sofort logs into online banking on your behalf and makes the transaction. The payment is made using BACS faster payments and is usually instant.

Normally banks recommend that you never give your login details to a third party however it is a pretty well renowned payment gateway. Skype accepts it for example http://www.skype.com/intl/en/prices/ways-to-pay/sofortbanking/?country=GB. https://bitcoin-24.com also uses sofort for euros.
452  Bitcoin / Bitcoin Discussion / Re: My first experience with bitcoin was NOT positive :( on: December 04, 2012, 06:07:39 PM
  • The site knows all your transactions, your balances and your IP addresses. So it's not very private.

Not really, once logged out wallets are just random bytes. Queries made using the API and by the wallet interface are not differentiated and there is no differentiation made between watch only addresses and addresses with a private key which would make it difficult to record the balance if we wanted to.
453  Economy / Service Discussion / Re: How can My Wallet be made more auditable? on: December 03, 2012, 03:02:53 PM
(0) The software can silently be replaced with malicious copies that redirect funds or steal keys.  There exists JS pinning plugins for browsers but they aren't practically usable (the software changes all the time), and even if they were the systematic exposure I'm concerned about here isn't answered by it being possible for a savvy to make secure, to prevent disaster it must be secure by default.

This concern is valid. I'm not sure what you mean by the software changes all the time but the browser extension to mitigate this risk (https://blockchain.info/wallet/verifier) has not been updated in several months. The iPhone/android apps are not vulnerable to this. This will be solved in time by using keys split between the native apps and the web app.

(1) A significant fraction of users use insecure passwords which a hacker could attack. While it's possible for users to secure themselves, experience shows that even savvy people are remarkably bad at choosing passwords.

Yes the responsibility is with the user to choose a secure password which is no different than any client offering wallet encryption. We do enforce a minimum password length of 10 characters and try and detect weak passwords on sign up.

(2) Even without any modification to the client software a server compromise could result in users seeing confirmed payments which were never made (and never even possible— e.g. the attacker paid you 30 million bitcoin), this is doubly bad because there is effectively no second source for clientless user to check even if they were very paranoid.  

Fairly easy to verify using 3rd party sources. Difficult for the server operator or hacker to profit from deceiving users in this manner.

(2a) Nowhere on the site are these security complications explained.

https://blockchain.info/wallet/technical-faq
https://blockchain.info/wallet/security
https://blockchain.info/wallet/anonymity
http://bitcoin.stackexchange.com/questions/5249/how-secure-is-blockchain-info/5255#5255

(3) If the site is shutdown without notice or has its data and backups (if they exist at all) destroyed a large fraction— I'd guess a super-majority— of their users would lose all of their funds.

Email backups are enabled by default. Wallets are backed up server side in multiple locations including Amazon S3. The average user probably cannot be trusted to make their own backups regardless of what client they are using. On every login the options to backup are clearly presented, Bitcoin-Qt does not provide any backup instructions or recommendations.

(4) Use of the site degrades user's privacy relative to normal SPV and Full clients.  The site may currently be doing detailed logging of all operations and queries. A major privacy loss event would be harmful to the ecosystem. They may even be selling this information to the highest bidder.  

No requests are logged apart from unexpected error responses. The same logging is possible with electrum servers but in that case it might not be known who is running the servers or their privacy policies. As for running a full node, multiple entities are probably monitoring the bitcoin network itself using the "first relayed" method and IP loggers. Besides the biggest weakness to the anonymity of bitcoin is at the time of exchange not whether your ip address leaks.
454  Economy / Service Discussion / Re: Blockchain.info not sending confirmation emails on: December 03, 2012, 12:04:38 PM
Notifications will no longer be sent for SatoshiDICE transactions or any transactions involving addresses on this page http://blockchain.info/popular-addresses. This is to help reduce increasing costs of SMS messages.

If the transactions do not involve popular addresses then I am not sure what the problem is. Perhaps you have reached the daily notifications limit?

455  Bitcoin / Bitcoin Discussion / Re: Happy halving day on: November 28, 2012, 03:18:16 PM
At least 700 people watching on blockchain right now. There should be a little something extra on the #210000 page.
456  Other / Beginners & Help / Re: Satoshidice Double spend coins - I lost my coins???? on: November 27, 2012, 01:38:06 PM
Please could you post your bitcoin address. It is possible some SatoshiDICE payouts may still be pending (https://bitcointalk.org/index.php?topic=77870.msg1358596#msg1358596 - https://bitcointalk.org/index.php?topic=127961.0)
457  Economy / Service Announcements / Re: Blockchain.info - Bitcoin Block explorer & Currency Statistics on: November 26, 2012, 07:41:46 PM
No, this is not what I suggested. I suggested a Directory Listing with map, of places that accept Bitcoin. Maybe you understood wrongly because my bad English.

Ah ok, sorry I misunderstood. Similar to http://www.bitcoinmap.com?
458  Economy / Service Announcements / Re: Blockchain.info - Bitcoin Block explorer & Currency Statistics on: November 26, 2012, 07:18:09 PM
You should have your spider also go to bitcoin-otc user pages and get the addresses from there Grin

http://blockchain.info/tags?filter=4

The left-axis should be labeled in USD, not in BTC. This leads to confusion.

Fixed, thanks.

Piuk, I'll suggest another feature. Hope you are adding to TODO list.

I would like to see a page with map, listing the places that accept Bitcoin. See my suggestions:

1- I think you should request and add information to www.openstreetmap.org
2- Openstreetmap already have tags for bitcoin payment, see: http://wiki.openstreetmap.org/wiki/Key:currency and here: http://wiki.openstreetmap.org/wiki/Key:payment
3- Look this great example that it's opensource, from bewelcome: http://alpha.bewelcome.org/searchmembers
3.1- See on map the amazing option to (search using map boundaries).
3.2- The javascript library of the map is: http://leafletjs.com/
3.3- bewelcome information about switch from Google to Osm, http://www.bewelcome.org/wiki/Switch_to_OSM

What do you think?

So you would like to be able to tag transactions with a location? I could see how this would work, perhaps a live map of markers "X sent 1 BTC to X".

However there is a danger of people revealing too much about themselves without being aware of what they are doing (even with it being optional). Not only might somebody be able to predict your wallet balance and potentially what you have purchased but also your location. Thank you for the suggestion, I will add it to the list but I think perhaps this data is best suited for social networks.

Because blockchain.info/wallet allows people to make wagers using funds from transactions that have not confirmed first, what happens is that you get cascading double spends, and players thinking they won big when in fact their wager was invalid if the funds for making the wager never confirm.

The user is warned when they spend a double spend. However with the recent SD double spends the user probably wasn't warned as the inputs were respent by SD several minutes after the original transaction. Therefore at the time blockchain.info received the original transaction it seemed ok but even so eventually some of them lost against later transactions.

I could disable spending double spends completely but it might be advantageous in some situations e.g. if miners consider the fees from an entire chain of unconfirmed transactions when deciding which transaction to eventually include in a block. SatoshiDICE seems to have fixed the double spend problem for now though.

I am trying to connect to the Blockchain.info wallet API, but I keep getting disconnected. I've tried the recommended wrapper for ruby https://github.com/jjeffus/rpcjson, and I've tried simply with net/http. I just keep getting this error

bc = RPC::JSON::Client.new 'https://e6152eDbf-85f7-527e-9adf-8b1dt7fa4312a:password@blockchain.info:443', 1.1
=> #, @version=1.1>
1.9.3-p194 :018 > bc.getinfo
Errno::ECONNRESET: Connection reset by peer

I have tried connecting through bitcoind and that works fine. Forgive me if I'm missing something obvious.

There have been reports of problems with that ruby library previously. Honestly I'm not sure what is causing it. Will it connect to the Bitcoind RPC server?

-----

Please upvote http://news.ycombinator.com/item?id=4833338
459  Bitcoin / Mining / Re: Is 1PEDJAibfNetJzM289oXsW1qLAgjYDjLgN trolling the bitcoin ecosystem? on: November 26, 2012, 04:09:12 PM
On a related note: https://blockchain.info/address/1SEXYws5t1C8E4ziQTQbR9fMRAZbFxVkk

Seems like an attempt to spam the network as well, without paying any fees.
460  Economy / Service Announcements / Re: Blockchain.info - Bitcoin Block explorer & Currency Statistics on: November 24, 2012, 01:24:45 PM
What happened to this? I'd love to use that new method, but can't find the deposit button anymore.

For the UK this will be available again Monday or Tuesday. I don't have an ETA for europe at the moment.

Feature request

On transaction summary window, show the fee paid on transaction.

Can Do.

so sounds like you just need to add VIBRATE to the manifest...

Good catch, thanks.


piuk I really appreciate your service but what I just saw really isn't cool. I realize anyone who knows how to use google can find the same info, but I still don't see a reason why you need to display it automatically:

https://blockchain.info/address/1H4sGgNSRvRuiUsbucsQBNFWhZcLnL2KW1

At least give us an option to disable this in account settings or something.

It's not in any way tied to a My Wallet account. All I did was write a quick spider to check the signatures on bitcointalk and create a tag for each one found. I can remove your signature if you like, however remember if blockchain can index them then any entity (with possibly more nefarious intentions) can also. I guess just be careful posting your bitcoin address publicly. Also be aware not only about information you may have revealed yourself but also of information that people you have sent and received transactions from have also made public.

Tagging does not follow coins. However this is probably possible by determining the change output and attaching a confidence rating.

Is it possible to create a new address and then delete the private key without internet access?

Sorry the documentation needs updating. Instead just login as normal and then disconnect your internet. However you MUST clear your browser's cache after deleting the private keys and before reconnecting to internet or the point of going offline is voided.