Warning about portable versions

[DuddlyDoRight]

calculate the checksum of the electrum file, and put it in a text file next to it, and rename that file to something like blablabla.txt

that way every time you run it, you can check if it has been replaced with a malicious one or not. It works for me, so it should work for you.

And if you rename the file to a random stuff, then the virus wont know whats in the txt file.


Also rename the electrum executable too to something random.

Just put a MD5 or SHA3 hash in any file anywhere(neither have practical collisions).

Disc image patching isn't where I the attacker am going to attack. I'm going to inline patch UI callbacks post-execution by using debug APIs on Windows, Linux, and OSX. You can't do this on Android or IOS without paring internal "services" to allow trans-sandbox communication and even then you have to give the attacker memory through mailbox buffers..

Jails and memory corruption protection on Linux and OSX and a special user and owning folder and EFS and DEP for Windows 7/8/10. Along with that hash. It'd take a specialized rootkit to get past this which rootkit authors probably won't do unless it become a big trend.

Things will get better when AMD gets something like SkyLake's SGX. This is basically like Truszone in IOS and Anroid by ARM. You'll be able to isolate processes with hardware protection and not even rootkits can interact..

[1714009591]

1714009591

[1714009591]

1714009591

[RealBitcoin]

Just put a MD5 or SHA3 hash in any file anywhere(neither have practical collisions).

Disc image patching isn't where I the attacker am going to attack. I'm going to inline patch UI callbacks post-execution by using debug APIs on Windows, Linux, and OSX. You can't do this on Android or IOS without paring internal "services" to allow trans-sandbox communication and even then you have to give the attacker memory through mailbox buffers..

Jails and memory corruption protection on Linux and OSX and a special user and owning folder and EFS and DEP for Windows 7/8/10. Along with that hash. It'd take a specialized rootkit to get past this which rootkit authors probably won't do unless it become a big trend.

Things will get better when AMD gets something like SkyLake's SGX. This is basically like Truszone in IOS and Anroid by ARM. You'll be able to isolate processes with hardware protection and not even rootkits can interact..

Ok that sounds complicated and i dont really understand, but what i get is that you will attack post execution by corrupting my memory.

Ok but for that you still need some pre-installed malware on the PC, a trojan , that will allow you to do this and remote control my pc like this.

As with any virus, first you need to get your virus on the PC, and then attack like this.


Any electrum user with a quarter brain knows not to download shit or open random links if they have money on their PC.

So how would you get the virus on the PC?

[DuddlyDoRight]

Just put a MD5 or SHA3 hash in any file anywhere(neither have practical collisions).

Disc image patching isn't where I the attacker am going to attack. I'm going to inline patch UI callbacks post-execution by using debug APIs on Windows, Linux, and OSX. You can't do this on Android or IOS without paring internal "services" to allow trans-sandbox communication and even then you have to give the attacker memory through mailbox buffers..

Jails and memory corruption protection on Linux and OSX and a special user and owning folder and EFS and DEP for Windows 7/8/10. Along with that hash. It'd take a specialized rootkit to get past this which rootkit authors probably won't do unless it become a big trend.

Things will get better when AMD gets something like SkyLake's SGX. This is basically like Truszone in IOS and Anroid by ARM. You'll be able to isolate processes with hardware protection and not even rootkits can interact..

Ok that sounds complicated and i dont really understand, but what i get is that you will attack post execution by corrupting my memory.

Ok but for that you still need some pre-installed malware on the PC, a trojan , that will allow you to do this and remote control my pc like this.

As with any virus, first you need to get your virus on the PC, and then attack like this.


Any electrum user with a quarter brain knows not to download shit or open random links if they have money on their PC.

So how would you get the virus on the PC?

"pre-installed" what? My process just has to run and intercept any time you put in the encryption data to unlock the wallet..

How do I get it on your box with the wallet software?

• Ads and zero-day
• zero-day or MITM via DNS hijack
• zero-day or MITM via TOR entry or exit nodes
• Header parsing zero-day in your POP3 or IMAP client
• "spear-phishing"
• infect something on a USB drive and wait for you to use it if you use an air-gap(works with crypto drives too)
• MITM non-TLS non-signed executable over subnet box via AP or infected box
• Brute-force RPC or try SMB zero-day on subnet or AP

A FUD packer or uncommon compiler or compiler-switches so your AV doesn't detect it before I detect and kill your AV or quit before HIPS detects it.

There are others too like Manufacturing backdoors and codec vulnerabilities.

[RealBitcoin]

"pre-installed" what? My process just has to run and intercept any time you put in the encryption data to unlock the wallet..

How do I get it on your box with the wallet software?

• Ads and zero-day
• zero-day or MITM via DNS hijack
• zero-day or MITM via TOR entry or exit nodes
• Header parsing zero-day in your POP3 or IMAP client
• "spear-phishing"
• infect something on a USB drive and wait for you to use it if you use an air-gap(works with crypto drives too)
• MITM non-TLS non-signed executable over subnet box via AP or infected box
• Brute-force RPC or try SMB zero-day on subnet or AP

A FUD packer or uncommon compiler or compiler-switches so your AV doesn't detect it before I detect and kill your AV or quit before HIPS detects it.

There are others too like Manufacturing backdoors and codec vulnerabilities.

Pretty large threats exist there. Do you know any ways to defend against these attacks?

What if electrum needs some king of memory obfuscation system, to hide it's computations in the memory so that viruses can't detect it. And rename the process name of it to a random name as well.

[DuddlyDoRight]

Pretty large threats exist there. Do you know any ways to defend against these attacks?

What if electrum needs some king of memory obfuscation system, to hide it's computations in the memory so that viruses can't detect it. And rename the process name of it to a random name as well.

Stop believing in "secure coding practices" and "secure design" and start believing in OSS hardware isolation with low-complexity.

TREZOR without the dishonest price-tag.. It's open source and the only way you can attack it is through memory corruption and a ARM payload that sends keys back over USB.

I don't have the funding else I could emulate their hardware with any cheap hardware. I've looked at the GIT changes for Electrum it's not hard to do. No way I'm paying $100 for a $10 piece of hardware though..

[RealBitcoin]

Pretty large threats exist there. Do you know any ways to defend against these attacks?

What if electrum needs some king of memory obfuscation system, to hide it's computations in the memory so that viruses can't detect it. And rename the process name of it to a random name as well.

Stop believing in "secure coding practices" and "secure design" and start believing in OSS hardware isolation with low-complexity.

TREZOR without the dishonest price-tag.. It's open source and the only way you can attack it is through memory corruption and a ARM payload that sends keys back over USB.

I don't have the funding else I could emulate their hardware with any cheap hardware. I've looked at the GIT changes for Electrum it's not hard to do. No way I'm paying $100 for a $10 piece of hardware though..

To my understanding Trezor is not that secure because it updates it's firmware from the internet, thats a major attack vector.

Social engineering or the company goes rogue and the signign keys can be compromized, so the entire hardware is worth trash afterthat. That is a major design flaw if you let your "secure" hardware keep contact with the internet.

Best method to store btc is to put it in a cold storage and use QR code to sign the transactions in the offline space. Buy a 2$ cheap webcam, that should do the trick.


Ok but I`m still concerned about online vulnerabilities, if what you say is true, then every online account can be theoretically hacked.

[DuddlyDoRight]

Pretty large threats exist there. Do you know any ways to defend against these attacks?

What if electrum needs some king of memory obfuscation system, to hide it's computations in the memory so that viruses can't detect it. And rename the process name of it to a random name as well.

Stop believing in "secure coding practices" and "secure design" and start believing in OSS hardware isolation with low-complexity.

TREZOR without the dishonest price-tag.. It's open source and the only way you can attack it is through memory corruption and a ARM payload that sends keys back over USB.

I don't have the funding else I could emulate their hardware with any cheap hardware. I've looked at the GIT changes for Electrum it's not hard to do. No way I'm paying $100 for a $10 piece of hardware though..

To my understanding Trezor is not that secure because it updates it's firmware from the internet, thats a major attack vector.

Social engineering or the company goes rogue and the signign keys can be compromized, so the entire hardware is worth trash afterthat. That is a major design flaw if you let your "secure" hardware keep contact with the internet.

Best method to store btc is to put it in a cold storage and use QR code to sign the transactions in the offline space. Buy a 2$ cheap webcam, that should do the trick.


Ok but I`m still concerned about online vulnerabilities, if what you say is true, then every online account can be theoretically hacked.

That's only insecure if they don't internally do a signature check on the image. You have to update firmware from a network.

The only way it can still be vulnerable with an internal signature check is if the transfer or signature code has memory corruption. This code can be done very primitive though where you can give strong attention to crypto implementation and memory handling.

Hardware isolation remedies everything if properly implemented. It's such a small set of function it's not that hard to secure. Even targeted attacks become impossible at some point, because there is only this little query interface to give input to.

[DuddlyDoRight]

That's only insecure if they don't internally do a signature check on the image. You have to update firmware from a network.

The only way it can still be vulnerable with an internal signature check is if the transfer or signature code has memory corruption. This code can be done very primitive though where you can give strong attention to crypto implementation and memory handling.

Hardware isolation remedies everything if properly implemented. It's such a small set of function it's not that hard to secure. Even targeted attacks become impossible at some point, because there is only this little query interface to give input to.

Thats the soft problem. It has a small risk of the signature getting corrupted itself.

What is more likely that the company goes rogue, or gets coerced by the government to hand over the keys and update the device with backdoored updates.

My demands are: complete isolation or junk , there is no other option if you hold millions of $ of bitcoin.

That's a problem with the CPU you're using too. They can get microcode updates with backdoors, and no security product will be able to detect it. Security products also don't check BIOS ROMs. A small isolated device in that environment with crypto is secure though. The NSA would have to find a vulnerability in that small exchange interface or modify the image between repo and signing with a stable backdoor.

[Darra]

Hello.
No matter which version of the portable electrum for Windows I run, I keep on getting:

Microsoft Visual C++ Runtime Library

Runtime Error!
Program A:\electrum-2.7.11-portable.exe

R6034
An application has made an attempt to load the C runtime library incorrectly.
Please contact the application's support team for more information.



but after clicking ok, the application seems to run normally..
I am using Windows 10 64-bit..
The installation setup runs fine, but due to privacy (and SAFETY!) reasons, I prefer to use the portable one on a crypted drive..
Any idea why do I keep on getting that runtime error message? (i even tried it on a normal,non-crypted drive.. the same happens..)
Do I need to install something on my win 10,or copy some more files to the portable electrum directory?
Thanks for help, in advance.

edit:
I found the answer myself..
The portable version is built without a manifest...
You need to have "electrum.exe.manifest" from the installer version to be included in the same directory with the portable
version, renamed the same as the portable version.. (eg. electrum-2.6.4-portable.exe.manifest )

(see: https://msdn.microsoft.com/en-us/library/ms235560(v=vs.90).aspx     )

[bitcoin-shark]

just download stand alone version and it s fine for me...

[Thirdspace]

I downloaded electrum portable version 2.9.2
when I tried to run it, I'm getting "Error loading Pyton DLL: C:\DOCUME...  \python27.dll (error code 14001)"
what does it mean? how to solve this problem
If I download the Windows Installer version will I be getting the same problem?
also there's a signature file... how do I use this to verify

[Jiddu]

I downloaded electrum portable version 2.9.2
when I tried to run it, I'm getting "Error loading Pyton DLL: C:\DOCUME...  \python27.dll (error code 14001)"
what does it mean? how to solve this problem
If I download the Windows Installer version will I be getting the same problem?
also there's a signature file... how do I use this to verify

This should help: https://www.reddit.com/r/Bitcoin/comments/1t70ud/electrum_fatal_error_fix_re_python27dll/
(run as admin)

To verify the file, you need GPG. Using a search engine, you should find many tutorials about that.

[kelstasy]

Thanks for the heads up! Don't mind using the portable version because I'll use it on my personal desktop.

[Silviulung]

could we use electrum and electron cash on the same laptop?
cause before 1 august, alot of rumor about don't use both at the same laptop for claiming BCC...
thanks

[zurylostboys]

so far with me nothing happend .. maybe i use diffrent location not the same data cash and btc ...

[Sauaba]

Using both. Standalone and Portable. But I have a question. Is there a way to visualize not just the coins I have but also their value in $?

[HCP]

"Tools -> Preferences -> Fiat"

Set the value and server as you wish. Note that this will only give you a fiat value for your total balance (it doesn't show fiat values in the transaction history or transaction details)... and when you try to create a send it will show a "fiat value" text entry box next to the "btc value" text entry box.

[Sauaba]

Thanks HCP,

Worked fine here.

[bakgwei]

For me, the portable version is the only option I have to use Electrum on my work laptop, where I dont have any admin right (so theisntall-version wot work). Thanks for making this possible - and yes, I do understand the devs concern about being tempted to use it on unsafe PCs.

[jackjjohnson]

Assuming that it is Windows, your work may have keylogging and screencap software. My workplace does, because they deal with customers' money.

Recent versions of Tails https://tails.boum.org/ include a version of Electrum, that works over TOR, for better privacy and safety on your work laptop. You have an option to spoof the MAC address, but on a work network, that could raise red flags as well. Network access could also be tied to an Active Directory user(employee). It has numerous security features: encrypted home directories, disabling scripts, and so forth.

In that case (with Tails), just bring the work laptop home, or use it somewhere other than work. If you are serious about privacy, while using Tails/Tor don't check your real-world email, or Facebook, or Ebay, or anything that ties it to your real existence.

Tails is Linux, so you should be or become somewhat familiar with it before you commit much BTC to Electrum on it. I keep it on a USB key, so I can (mostly) boot up any laptop or PC to it, and have "my stuff". Because it's a USB key, it's easy to clone several/many of them, and keep them in multiple locations. I also scan the contents of my wallet, have copies of important docs, all in the encrypted Tails persistent home directory.