[ANN] Free Bitcoin Vanity Address Generation Website.

[Taiko3615]

Sad news  indeed....

Please refund my two addresses :
1HugoGCZnGgLhRKHHDrWiDPHACjdbFXY3N
1FiveD3UqxjK3ryNpBHAFRiodj9LdrNJon

Send the funds to 1HYkxU8gioGWJRbMyoMcEKgqJdkWpZcnS9

Thanks...

[1714065914]

1714065914

[1714065914]

1714065914

[TheRealSteve]

and now Never use vanity addresses not generated by yourself

Just to note (you did allude to this, so I'm sure you know - just clarifying for others), you can use vanity addresses not generated by yourself - but you cannot trust it if it was generated solely by the third party's keys.  You must use your own public key in a Split Key generation setup.  If the service you use only uses its own generated keys or doesn't use Split Key at all, you should avoid them.  In this case, the site generated its own keys but you could paste in your public key.  It would probably have been wise not to include the key generation at all (leaving it to other parties to deal with) but I can see why it was added as a service.
The tl;dr of Split Key is that you generate a challenge key pair and give the service the public challenge key, they use that public challenge key to generate a vanity address that matches your request, and give you a private solution key.  That private solution key cannot be used to spend from the generated address.  Then you combine that private solution key with your private challenge key to generate a new private spending key that can be used to spend from the generated address.  You destroy all keys except for that last private key.

[MICRO]

Really guys? You trust a stranger with your private keys.. All you would have to do is search the forums to see you could easily do it yourself. This is worse then trusting a stranger with your wallet and bank account. This had red flag written all over it. No sympathy here.

For me the biggest mistake I made was probably laziness. I took the fast and easy way of using their calckey instead of taking the extra effort to generate my own keys. Those who generated their own keys weren't affected. Yes I know all about never ever, ever using addresses not generated by your ownself, but I thought it wouldn't hit me. Guess I learned my lesson. So far the lessons I've learned:

Never put btc into exchanges (mt.gox incident)
Never put btc into an online wallet or so called bank (flexcoin incident)
Never mine on a pool (btcguild incident)
Never keep btc in your harddrive (guy who threw out his 7500btc containing harddrive incident)
and now Never use vanity addresses not generated by yourself

So I guess to ONLY way to keep your btc is in a paper wallet kept inside a maximum security vault under constant surveillance. Or am I still missing something?

U are right, but.... U should not generate vanity even by ur self, how do u know that vanity generator software don't have back door ? Its all fucked up in this world , there is no safety , and that is one of big problems of bitcoin, but well we get more aware as we go, we learn expensive lessons, but we LEARN them . Mine cost me all 90% of my bitcoins, so...

[TheRealSteve]

U are right, but.... U should not generate vanity even by ur self, how do u know that vanity generator software don't have back door?

Because even if it did - how would anybody access it if the computer it's on is offline?  That's the same reason e.g. bitaddress.org suggests that you save the page and use it offline to remove all doubt.
( Plus, vanitygen's source code is available so you can conceivably compile it yourself.  I know the javascript of this service was also plainly available if anybody bothered to check - just that nobody did. (I did check vanitygen's code - was safe last I saw.. but don't trust me, check it yourself. ) )

[bredy]

U are right, but.... U should not generate vanity even by ur self, how do u know that vanity generator software don't have back door?

Because even if it did - how would anybody access it if the computer it's on is offline?  That's the same reason e.g. bitaddress.org suggests that you save the page and use it offline to remove all doubt.

This doesn't help. The attack was made through GET request to an picture outside of the site (big security issue of web browsers) . The attack will work even if you open that page from disk. Only protection is pull out the ethernet cable.

[MICRO]

U are right, but.... U should not generate vanity even by ur self, how do u know that vanity generator software don't have back door?

Because even if it did - how would anybody access it if the computer it's on is offline?  That's the same reason e.g. bitaddress.org suggests that you save the page and use it offline to remove all doubt.
( Plus, vanitygen's source code is available so you can conceivably compile it yourself.  I know the javascript of this service was also plainly available if anybody bothered to check - just that nobody did. (I did check vanitygen's code - was safe last I saw.. but don't trust me, check it yourself. ) )

That's the thing. We did not know , many people don't have idea about scripts , or anything. This site said they doing it in java, and that they are NOT storing ours keys. Its "safe" , fast .... bla bla bla.... There shoulda been warnings all over the site. But well they will send me back 0.003 i paid for addy will help alot ! Just so i lost all my bitcoins , 0.4 coz i stored it all on that stupid addy , and saved that private key very safe offline ! I guess they stored it good to . I wanted to have all my btc in one place so i can access it all when i need, coz i don't have much to split. But well... Now its to late.

[MICRO]

U are right, but.... U should not generate vanity even by ur self, how do u know that vanity generator software don't have back door?

Because even if it did - how would anybody access it if the computer it's on is offline?  That's the same reason e.g. bitaddress.org suggests that you save the page and use it offline to remove all doubt.

This doesn't help. The attack was made through GET request to an picture outside of the site (big security issue of web browsers) . The attack will work even if you open that page from disk. Only protection is pull out the ethernet cable.

I guess that will not help to, it will be still stored . Only way is to do it on pc that never connects to internet , but well who knows all that , he would never bother making "cool" vanity addy in a first place. We just did not know, never even crossed my mind  that they will store our private keys.

[TheRealSteve]

Only protection is pull out the ethernet cable.

... isn't that what 'offline' means?  Or are you familiar with some manner of HTTP GET request that bypasses the browser's offline setting / disabling the network interface on the OS, etc?

[bredy]

Only protection is pull out the ethernet cable.

... isn't that what 'offline' means?  Or are you familiar with some manner of HTTP GET request that bypasses the browser's offline setting / disabling the network interface on the OS, etc?

Application is still able to wait until you mistakenly switch to online. It can store all values in local storage and send them later.

[TheRealSteve]

Application is still able to wait until you mistakenly switch to online. It can store all values in local storage and send them later.

At which point you're using the application online again.  If you're trying to say "well we don't know if the application is secretly still running in the background", welllllll.. sure.  But then there's a whole world of increasingly unlikely but certainly possible scenarios to explore   In each of them, you're using it online, knowingly or otherwise

[bredy]

Application is still able to wait until you mistakenly switch to online. It can store all values in local storage and send them later.

At which point you're using the application online again.  If you're trying to say "well we don't know if the application is secretly still running in the background", welllllll.. sure.  But then there's a whole world of increasingly unlikely but certainly possible scenarios to explore  In each of them, you're using it online, knowingly or otherwise

When you paying?

Bitcoin has one big issue, which may make it unusable in the future. You cannot have easy-to-use true offline wallet. Because if you want to pay - spend funds - you need to go online, download all unspend outputs, then create transaction and sign it at offline, and then switch back to online and broadcast it. Every time you are going to online, there is a chance, that unwanted piece of software running in your offline wallet will get chance to leak your private key.

Alternatively you can use online computer and offline wallet and carry the request through no-internet medium, such a QR code, but it still need device with camera and display and it is not easy-to-use.

Bitcoin protocol need an improvement, which should allow to create partial transaction signed by the private key that allows to 3rd party spend your coins up to specified amount. 3rd party can be merchant. 3rd party can take any of your unspend outputs and create transaction to any address that he chooses, but only up to specified (and signed) amount  (transaction should send rest of coins back to source address). Result transaction is finally signed by another private key... so you will need two private keys to create such a transaction, but second private key is used only to protect transaction against unwanted change. Second private key can be supplied by the 3rd party.

This can help to not only create true offline wallet, but to simplify money transfer between customer and merchant, Customer only needs HW wallet with display able to show QR code and keyboard to type amount and pin. Merchant will need online application to sign transaction and broadcast it.

[nuff]

Really guys? You trust a stranger with your private keys.. All you would have to do is search the forums to see you could easily do it yourself. This is worse then trusting a stranger with your wallet and bank account. This had red flag written all over it. No sympathy here.

For me the biggest mistake I made was probably laziness. I took the fast and easy way of using their calckey instead of taking the extra effort to generate my own keys. Those who generated their own keys weren't affected. Yes I know all about never ever, ever using addresses not generated by your ownself, but I thought it wouldn't hit me. Guess I learned my lesson. So far the lessons I've learned:

Never put btc into exchanges (mt.gox incident)
Never put btc into an online wallet or so called bank (flexcoin incident)
Never mine on a pool (btcguild incident)
Never keep btc in your harddrive (guy who threw out his 7500btc containing harddrive incident)
and now Never use vanity addresses not generated by yourself

So I guess to ONLY way to keep your btc is in a paper wallet kept inside a maximum security vault under constant surveillance. Or am I still missing something?

U are right, but.... U should not generate vanity even by ur self, how do u know that vanity generator software don't have back door ? Its all fucked up in this world , there is no safety , and that is one of big problems of bitcoin, but well we get more aware as we go, we learn expensive lessons, but we LEARN them . Mine cost me all 90% of my bitcoins, so...

The outcome of this is I will be much more careful with my bitcoins from now on. Well if it's any solace, think of those who fell victim to mt.gox (no offence to those who actually got gox'ed). Well, live and learn bro. So much for vanity eh? there I said it.

[jgbreezer]

Really guys? You trust a stranger with your private keys.. All you would have to do is search the forums to see you could easily do it yourself. This is worse then trusting a stranger with your wallet and bank account. This had red flag written all over it. No sympathy here.

For me the biggest mistake I made was probably laziness. I took the fast and easy way of using their calckey instead of taking the extra effort to generate my own keys. Those who generated their own keys weren't affected. Yes I know all about never ever, ever using addresses not generated by your ownself, but I thought it wouldn't hit me. Guess I learned my lesson. So far the lessons I've learned:

Never put btc into exchanges (mt.gox incident)
Never put btc into an online wallet or so called bank (flexcoin incident)
Never mine on a pool (btcguild incident)
Never keep btc in your harddrive (guy who threw out his 7500btc containing harddrive incident)
and now Never use vanity addresses not generated by yourself

So I guess to ONLY way to keep your btc is in a paper wallet kept inside a maximum security vault under constant surveillance. Or am I still missing something?

U are right, but.... U should not generate vanity even by ur self, how do u know that vanity generator software don't have back door ? Its all fucked up in this world , there is no safety , and that is one of big problems of bitcoin, but well we get more aware as we go, we learn expensive lessons, but we LEARN them . Mine cost me all 90% of my bitcoins, so...

The outcome of this is I will be much more careful with my bitcoins from now on. Well if it's any solace, think of those who fell victim to mt.gox (no offence to those who actually got gox'ed). Well, live and learn bro. So much for vanity eh? there I said it.

From following the style of rules here, I've also learnt never to walk next to a road; never to drive a vehicle or fly (how many thousand car fatalities and injuries per year, and flights although much safer are still risks); even never to live in a house (so many fatal accidents happen at home) or go to work (because some people die in work related injuries). I'm currently looking at moving to a secure safe 500m underground where I aim to grow my own food from resources gained from my very rare trips to ground level and filter the water out of the rock. I shall forsake all technology I haven't built/invented myself from scratch and avoid personal contact (people have colds and other diseases and antibiotic-resistant strains are getting stronger).

I think the more practical lessons are to be more cautious in these early days (I still think it is early days, even if its years) of bitcoin and not invest money that you can't afford to lose if you plan to store it anywhere other than secure cold storage (and if you're really paranoid, even cold storage paper in a top-secret government-standard safe is a bit risky). If you want to invest and support and use and share a currency that is, in currency terms, very very new still, expect risk (and the potential gains/usage are higher because of that).

Mt.Gox seemed safe while it was working, but people following it closely already saw warning signs - and moved out in time to avoid too big a loss. Professional investors who deal with risk like this often are practiced at spotting warnings like that and are very methodical about weighing the risk/benefit, so if you're not one of them you're at a slight disadvantage and should be ready to be on the losing side occasionally.

[Beans]

Really guys? You trust a stranger with your private keys.. All you would have to do is search the forums to see you could easily do it yourself. This is worse then trusting a stranger with your wallet and bank account. This had red flag written all over it. No sympathy here.

And what about your wallet software. Are you sure, that there is no back-door, which logs your private key to an hidden server every time your wallet software generates one? To have source code of that software is no win. Hack has been written in javascript, everybody was able to see that hack directly on the web page. And nobody did during three long months.

Unless you need a app on your phone for doing small transactions I would stick to the normal client. I would definitely not trust the website of some random nobody. If I had a really large amount I would generate keys offline. Vanitygen only takes a second to download and can be used safely, which makes this guys site nothing but a security risk. Most likely built for the sole purpose of stealing coins. Even if you could verify the source code it could be changed anytime by him or a 3rd party.

[Light]

And what about your wallet software. Are you sure, that there is no back-door, which logs your private key to an hidden server every time your wallet software generates one? To have source code of that software is no win. Hack has been written in javascript, everybody was able to see that hack directly on the web page. And nobody did during three long months.

Just out of reference if you were really truly in want of making sure you were secure, you could run armory offline, use vanitygen to generate addresses and import those addresses into your cold storage/air gapped device. From there you could create transactions on your internet connected device, then move that transaction to the offline device and have it signed then move that back to the online device to be broadcast. It's a lot of work, but it pretty much guarantees that it's impossible for your keys to be stolen. It's simply a matter of how lazy you are.

[MICRO]

And what about your wallet software. Are you sure, that there is no back-door, which logs your private key to an hidden server every time your wallet software generates one? To have source code of that software is no win. Hack has been written in javascript, everybody was able to see that hack directly on the web page. And nobody did during three long months.

Just out of reference if you were really truly in want of making sure you were secure, you could run armory offline, use vanitygen to generate addresses and import those addresses into your cold storage/air gapped device. From there you could create transactions on your internet connected device, then move that transaction to the offline device and have it signed then move that back to the online device to be broadcast. It's a lot of work, but it pretty much guarantees that it's impossible for your keys to be stolen. It's simply a matter of how lazy you are.

Whats the point of bitcoin and crypto currency if u need to go throu all that just to pay something. U should be able to pay from ur phone , from pc at any time fast and easy. That is huge problem of bitcoin.

But well i guess there are many risks with fiat also.

1 more thing is vanitygen that u run on pc , secure for making vanitiy addy ? I made new 1MicroXV8cAyggKeXRJWhRsv1yZaqtiWTE addy if i known that is that easy i woulda never made it on that stupid scam site and lost 0.4 btc. But well now its to late.

[Cryptoweez]

Well i'm also one of those who was not careful, and didn't had the proper knowledge, to make a vanity address on the site.
Yes of course i could've look the code, source, but i don't know any of this. 
I didn't lose much, thankfully i was a little suspicious( Bitcoin is the most paranoid community i know, they helped me in that sence) and didn't put all the BTC i own.

I don't have a lot of faith of having some fund back but i'll still give a try:

Vanity address gotten by the site-that-shouldn't-be-name: https://blockchain.info/fr/address/1weezoVx2zDnogLRabRcDawTVQ33VrbmB
the amount spent to get the vanity address: https://blockchain.info/fr/tx/1656b29b85d7e8f693ccb3273d63a1e2e00c0e978601a8767dcd205a4532ae34

And finally the address for refund(if that ever happen): 1LJ1GPj5Fkkh2Xgee9bWkwhF1K4yRZmZYY

P.S. I know the amout i've lost is small compare to some others that have been stolen from, but for me it is.
May this lesson help some other newly, or veteran, users of bitcoins.

[tronic1704]

Hello,

Prefix         : 1Tommy
Your Public Key: 
04A56918BB58EED3129EEE7B08535EC99B941D16226F798692BC3B2F7D90B165299103335C3929F 5B24BBB99DAC5FA4388A330E5E6267982764E9472D19D80A5A2
Time Found     : 2014-01-10 06:57:47.293860

Please send refund to 173cGs9J6CzPj4U8jwpFhzjrNogzYT5edP

[Kyraishi]

" we are hacked"

this excuse reminds me a lot of scams.

[perogi]

Hello nibor,m

I paid 0.1 btc for 1perogijwqgDFN2HAhQZQfehiCyAadc3L

Please send refund to: 1D8ADgs37jobPjeNFKRc3sge2nLismc1zk

Thank you very much and have a great day!
perogi.

btw: I never received my payment.