|
Yesterday's story too involved a blockchain.info wallet and funds sent to the wrong address. (the bitcoinstore and Roger Ver drama)
Could these two problems have a common cause? I mean, a software problem at blockchain.info.
|
|
|
|
|
"WARNING - a webwallet is AS SAFE AS ITS ADMINS"
|
|
|
|
It should also be noted that ThomasV runs a competitor to Blockchain.info
That is correct, but Electrum is not a commercial operation. It is a free software project, that involves multiple developers, not just me. |
|
|
|
I just wanted to mention that a skilled blockchain.info admin can perfectly steal your funds. He just needs to change the javascript sent to your browser in order to get your password.
This is not true. See here: https://blockchain.info/wallet/verifierwhat is the percentage of your users that install it? |
|
|
|
|
reserved too!
I just wanted to mention that a skilled blockchain.info admin can perfectly steal your funds. He just needs to change the javascript sent to your browser in order to get your password.
|
|
|
|
|
Roger, can you please cool down, blank your first post, and seek a better outcome than a flamewar?
I don't want the next news article about Bitcoin to be entitled "In the lawless Bitcoin world, business owners seek revenge by publishing customer information"
|
|
|
|
I would also like to see the whole thread removed No way. Everyone should see how Roger is destroying his business for few bucks. it's not just going to hurt his business, it will also hurt blockchain.info, and Bitcoin. please remove the thread ASAP |
|
|
|
I would also like to make it clear that I didn't make any of his Blockchain account info public.
I emailed him his own information.
He then posted it on this forum himself. (Not me)
You posted his name and address. if I was you I would remove that information asap. You are destroying the reputation of your business for 4.5 BTC. do not let anger guide your reactions, try to be rational. |
|
|
|
I hope that action above was covered in your terms of use and privacy policy.
There was a discussion between some of my friends recently about releasing personal information by e-shop owner and most of them disagree with this kind of "revenge".
It may bring negative attention.
I agree. Posting the private information of one of your customers will bring negative attention to your business, and it will not get your money back. Not very professional, IMO. If want to do something about a scammer, report him to the police. Do not try to be your own police, or your business will be affected. |
|
|
|
It worked now with -w -param when especially naming the dat-file.
yes, that's how the -w parameter is supposed to work. please read the manual next time. Only dates of transactions seems corrupted.
This is not corruption. This is because you upgraded to a version with SPV. With SPV, the dates of transactions will be displayed only once transactions are verified. this might take a few minutes (time to download the blockchain headers). So how portable is this now? Are there data stored in registry or some other files out of my own directory?
there is a new file called blockchain_headers. this file does not store any information that is specific to your wallet. I added a -P option in the 1.5.7 version, that makes it portable. with this option, the client will always write that file in the same directory as the wallet. What i dont understand is why you say a portable version has a higher risk. I would say a nonportable version is the higher risk. A hacker only has to go into the directory he knows all the walletfiles are lying and bang... there is the money. If its encrypted its another thing. But a portable wallet can be encrypted too. So i dont see how it could be safe to store your wallet at a place windows wants it at. Its like putting your money under the mattress because all people are doing it so and its the safest place. Its the safest for thieves, because they dont need to search long time.
Because portable wallets can (and will, it is only a matter of time) be used by some people on third party computers. The administrator of the computer where you use your "portable wallet" might install a keylogger, get your password and decrypt your wallet. And please don't tell me that you are not stupid enough to do that. Some people will. I don't care if it's you or someone else. |
|
|
|
|
Also, please understand that "portable wallets" were never officially supported in Electrum.
Flatfly's version is not the official version, so it is not as if I was removing support that existed in the past.
Please note that "portable wallets" expose users to a big risk of theft. This is why I never really wanted to support this function.
However, there seems to be a strong demand for it, and we cannot prevent users from doing what they want, so I guess it is better to include proper support for it.
I have been talking with slush about it, and we plan to support it soon.
|
|
|
|
The -w param doesnt work. Electrum starts for a second then it dies. And $400 for a portable version or judging from the number of posts in that thread my wallet looks dead. Looks like i have to find a replacement. Too bad that i have to spend time now to find out how to save my previous addresses and replace them at services so that they arent used anymore at some point.
Losing wallet by update... i dont like that.
your wallet is not lost, even if your client cannot connect. there are at least 3 ways you can recover your bitcoins: 1. use the -w parameter: if that does not work with flatfly's version, it will work with slush's build. 2. recover your wallet from seed: start your old client, go to the seed dialog, and write down your seed. then, start the new version of Electrum, and instead of creating a new wallet, select 'restore from seed'. 3. if you don't want to use Electrum at all, you can export your keys to another client: you can do it offline, with the command: |
|
|
|
Thread title should read: "electrum - wallet for people with strong nerves"
can you please count how many users reportedly lost money because of Electrum? sorry, but this too had to be said. |
|
|
|
not meaning to hate, but swapping an easy-to-read jscript page for a piece of software is safer exactly... how?
You are completely missing the point. The security model of open source software does not mean that each end user has to inspect the code they use. Most users do not have the skills to do that. Electrum is an open source project with an active community of developers. This means that there is an open community of people who read the code, and inspect changes made to it. If one of the developers decided to introduce malicious code, others would detect it. This is how open source projects work. In contrast, Javascript code dynamically attached to a webpage does not give you that security. A malicious server operator can modify javascript code instantly, before it goes through a reviewing process. It can even send different code to different clients, in order to remain undetected. you can view and d/l the bitaddress code via github and run the local copy in the private mode of your browser. clearing cookies etc etc should suffice. if you're goint all-out, boot to a linux live-distro and run the code from there (now writing on the disc possible). Yes, you can download javascript from github, and execute it locally. But how many people actually do that? unskilled users won't, because it is too complicated for them. My point was that users should stay away from websites that dynamically send you javascript. This is a very different (and much more dangerous) situation than downloading code from github. Unfortunately, people who do not understand this distinction might interpret your answer as a refutation of what I said. Please clarify. |
|
|
|
1. stay away from brainwallet.org, bitaddress.org, or from any website that asks you to enter private keys, or that creates your private keys using javascript. It is very easy for the operator of such a website (or for a hacker getting access to the site) to covertly change the javascript sent with the page, and "disconnecting the internet" will not protect you from everything (malicious code can also save your private key in a cookie, or elsewhere, and send it later). 2. There are two types of "brain wallets": a single Bitcoin address, or a deterministic wallet, that creates as many addresses as you need, and better protects your anonymity. If you use a deterministic wallet, you must know this: never ever use "redeem private key" services offered by websites (such as mtgox); it might expose all the other keys of your deterministic wallet, not just the key you redeem. 3. Try Electrum : http://electrum.ecdsa.org . It is one of the easiest to use Bitcoin wallets, and it will protect you against your own mistakes. Of course it is a bit more difficult to download and install software than to use a website that runs with javascript. However, when you use a website, you are putting your funds at risk. 4. Do not donate to me. This advice is free. The Bitcoin world has had enough large scale scams. I decided to write Electrum after the mybitcoin.com fiasco, because I realized that a large and economically relevant fraction of Bitcoin users will always be attracted by wallet services where they do not need to download the entire blockchain. While I reckon that the security of Electrum is not as high as the official client (because it does not download the blockchain), it is much safer than any javascript wallet you'll find on the web, for the same level of convenience. |
|
|
|
Even if a BTC private key is not a random number, it is unique and is longer (thus more secure). If it can't be guessed, why would it be bad to use as a seed?
I did not say it would be bad. I use 128 bits because 128 bits is secure enough. Now, if you want to have more entropy, the correct way to do it would be to first pick a random number of n bits, then derive the key from it. A private key is not completely random, therefore its entropy is less than its length. Note that even though Bitcoin private keys are 256 bits long, their hash used to create Bitcoin addresses is only 160 bits. So the actual level of security offered by Bitcoin addresses is 160 bits. |
|
|
|
Quick question:
How does electrum ensure that each seed is unique and cannot be Brute-forced?
The seed is a 128 bits random number, generated by os.urandom() The seed is represented as a sequence of words in order to facilitate memorization and storage, but it can as well be represented as a hexadecimal string, or as a number. For some reason, people tend to perceive words as "less random" than numbers. That's an illusion. The only thing that actually matters is the number of bits of entropy in your seed (128 bits is considered as very safe, and will probably remain safe until real quantum computers are invented), and the quality of your source of randomness (electrum does not use python's random module) Wouldn't it make more sense to generate a Master BTC Private key and determine the random words from that key?
No, that does not make sense. A private key is not a random number. |
|
|
|
Also, is it possible to change the location of my electrum.dat file?
You can place it where ever you would like but you will have to supply the command line with the -w flag and the path to the wallet. you can also specify the default wallet path in /etc/electrum.conf |
|
|
|
Has anyone had any luck installing this on Arch Linux?
Any help would be appreciated, I had this client running on Ubuntu and it worked fine and I really liked it.
Which version of Python are you running? it looks like he is using python3 |
|
|
|
|
Show Posts
