mechs (OP)
|
|
July 11, 2013, 04:22:51 AM |
|
Wow Jesse, that is very kind of you to return the funds! It is amazing you even by chance happen to read this threat. I am definitely not running a competing bot, as you can tell by the weak brainwallet I created. I was not even that upset about losing the change, it could have been much more than that. Thank you again! mechs I decided to mess around and make a brain wallet. I used the website www.brainwallet.org. Supposively, this javascript is client side only. Anyway, I made a brain wallet and decided to test it. I moved my spare change (I keep most of my BTC in cold storage) about 0.178 BTC to the new brain wallet I made "15WjmFwpZ1mp3fG55JGoGv3p5y9jtehEB2". Literally within seconds, it was moved to a new bitcoin address not owned by me "1Lp3S4PajwhuFCyrAXSFdVGxLuqTsXtVQC" https://blockchain.info/address/15WjmFwpZ1mp3fG55JGoGv3p5y9jtehEB2Mechs, the coins in question have been returned directly to the address in your sig: https://blockchain.info/tx/8a91cca81bcb8ce4b9483e7d933b84b9363cd1dc0c40d37521f796403047e606The brainwallet.org author is not the culprit, my bot is. Since you don't come off as one of the people running a competing bot (and trust me there are lots), I'm fairly confident these coins are indeed yours and am happy to return them. PSA: Picking a bad brainwallet password is like throwing your money on the sidewalk ... except instead of just the people around you scrambling to pick it up, the entire internet can and most of the internet has no interest in giving your money back. Worse yet, it's actually impossible for someone wanting to give them back to do so with 100% confidence they are giving them to their rightful owner. I agree with the sentiment expressed in the thread that if it's memorable, it's eventually gonna find its way into someone's rainbow table and I leave all you brain wallet users with this to ponder: https://www.youtube.com/watch?v=a6iW-8xPw3k
|
|
|
|
favdesu
Legendary
Offline
Activity: 1764
Merit: 1000
|
|
July 11, 2013, 08:00:07 AM |
|
I decided to mess around and make a brain wallet. I used the website www.brainwallet.org. Supposively, this javascript is client side only. Anyway, I made a brain wallet and decided to test it. I moved my spare change (I keep most of my BTC in cold storage) about 0.178 BTC to the new brain wallet I made "15WjmFwpZ1mp3fG55JGoGv3p5y9jtehEB2". Literally within seconds, it was moved to a new bitcoin address not owned by me "1Lp3S4PajwhuFCyrAXSFdVGxLuqTsXtVQC" https://blockchain.info/address/15WjmFwpZ1mp3fG55JGoGv3p5y9jtehEB2Mechs, the coins in question have been returned directly to the address in your sig: https://blockchain.info/tx/8a91cca81bcb8ce4b9483e7d933b84b9363cd1dc0c40d37521f796403047e606The brainwallet.org author is not the culprit, my bot is. Since you don't come off as one of the people running a competing bot (and trust me there are lots), I'm fairly confident these coins are indeed yours and am happy to return them. PSA: Picking a bad brainwallet password is like throwing your money on the sidewalk ... except instead of just the people around you scrambling to pick it up, the entire internet can and most of the internet has no interest in giving your money back. Worse yet, it's actually impossible for someone wanting to give them back to do so with 100% confidence they are giving them to their rightful owner. I agree with the sentiment expressed in the thread that if it's memorable, it's eventually gonna find its way into someone's rainbow table and I leave all you brain wallet users with this to ponder: https://www.youtube.com/watch?v=a6iW-8xPw3kwow, that turn of events! +1
|
|
|
|
CIYAM
Legendary
Offline
Activity: 1890
Merit: 1086
Ian Knowles - CIYAM Lead Developer
|
|
July 11, 2013, 09:23:09 AM |
|
OP - I think the "security breach" part of your topic title should be changed (a poor password that was cracked is hardly a security breach IMO) although it has been a good reminder for people that brainwallets are a dangerous thing (and should not be recommended to people without some specific education about how to go about creating a secure enough password).
|
|
|
|
Lohoris
|
|
July 11, 2013, 09:35:30 AM |
|
Oh, I'm impressed by this turn of events So you defend the stupid so they can continue using weak passwords on brainwallets? Why not take a 50% recovery fee? The money moved again? Is the account in his sig the the brainwallet(WTF!) ? I'm puzzled as well. dafuq happened?
|
|
|
|
phillipsjk
Legendary
Offline
Activity: 1008
Merit: 1001
Let the chips fall where they may.
|
|
July 11, 2013, 10:10:05 AM |
|
Perhaps Brainwallet.org should use their own rainbow table. You can still keep everything client-side for generating the address. However once the address is generated, it can be submitted to the site for checking. Users may be surprised to learn the the chorus from their favorite song (with common mishearings and spellings) is actually in the dictionary. As has been mentioned earlier in this thread, if you can easily memorize it, it is probably not a secure passphrase. The rule of thumb I use is that If it has ever been published anywhere, it is probably not a secure password. Do you really think the sum total of human knowledge has over 64 bits of entropy? (that data-set is only about 46 bits of entropy).
|
James' OpenPGP public key fingerprint: EB14 9E5B F80C 1F2D 3EBE 0A2F B3DE 81FF 7B9D 5160
|
|
|
|
Mike Hearn
Legendary
Offline
Activity: 1526
Merit: 1134
|
|
July 30, 2013, 09:00:39 AM |
|
Does anyone know who runs that site or how to contact them? The site itself has no contact info on it, the source code is owned by a user just called "brainwallet", the only thing resembling a contact address is a twitter account also called "brainwallet", etc.
Whoever runs this site needs to shut it down now. It's negligent to do anything less.
|
|
|
|
CIYAM
Legendary
Offline
Activity: 1890
Merit: 1086
Ian Knowles - CIYAM Lead Developer
|
|
July 30, 2013, 09:06:55 AM |
|
Personally I think that if people are silly enough to "secure" their bitcoins with nothing more than a poorly chosen password or pass phrase then they probably are best to be relieved of them.
The brainwallet itself is actually a useful "offline" tool (and anyone silly enough to use it "online" well...).
|
|
|
|
TheButterZone
Legendary
Offline
Activity: 3038
Merit: 1032
RIP Mommy
|
|
July 30, 2013, 09:33:39 AM Last edit: July 30, 2013, 09:46:45 AM by TheButterZone |
|
^ Does anyone know who runs that site or how to contact them? The site itself has no contact info on it, the source code is owned by a user just called "brainwallet", the only thing resembling a contact address is a twitter account also called "brainwallet", etc.
Whoever runs this site needs to shut it down now. It's negligent to do anything less.
Joric, I found him in #bitcoin-dev once, and IIRC he ragequit because of the core team bitching about bw.org https://www.bitaddress.org has a brainwallet tab Not to mention the "SHA256 hash calculators/generators" all over the net - hello, Private Key Hexadecimal Format. Can't get security through obscurity...
|
Saying that you don't trust someone because of their behavior is completely valid.
|
|
|
prof7bit
|
|
July 30, 2013, 04:40:45 PM |
|
The brainwallet itself is actually a useful "offline" tool (and anyone silly enough to use it "online" well...).
The problem of this thread has nothing to do with online or offline. Its a useful tool because it creates key/address from a passphrase. This is useful.
|
|
|
|
ErebusBat
|
|
July 30, 2013, 04:49:58 PM |
|
The problem of this thread has nothing to do with online or offline.
Its a useful tool because it creates key/address from a passphrase. This is useful.
Not to mention all the other tools it has in it. The problem is people *think* they know what they are doing, or think things like S00p3r53kri7 are secure.
|
|
|
|
Financisto
|
|
August 11, 2013, 03:48:01 AM |
|
Talking about that topic,
I got a doubt and maybe someone else have already done it, though I've never tried this out before:
At the "Transaction" function of brainwallet.org, is it possible to send BTC to same address: "Source Address" = "Destination Address"?
e.g: I was wondering if I could send from a total of 10BTC at address "x", 9BTC to address "y" and 1BTC remaining change back to same address "x".
Does that work through brainwallet.org?
P.s: fees disconsidered in order to simplify the example.
|
|
|
|
CIYAM
Legendary
Offline
Activity: 1890
Merit: 1086
Ian Knowles - CIYAM Lead Developer
|
|
August 11, 2013, 03:52:42 AM |
|
e.g: I was wondering if I could send from a total of 10BTC at address "x", 9BTC to address "y" and 1BTC remaining change back to same address "x".
Does that work through brainwallet.org?
P.s: fees disconsidered in order to simplify the example.
Yes - that's how it creates the tx by default (if you want change to go to another address you'd have to edit it). BTW - I would not use the tx tab of brainwallet as it only works *online* and it requires you to provide your private key (so a malicious version could simply broadcast your private key).
|
|
|
|
Financisto
|
|
August 11, 2013, 04:07:01 AM |
|
BTW - I would not use the tx tab of brainwallet as it only works *online* and it requires you to provide your private key (so a malicious version could simply broadcast your private key).
I'd never suggest that too. For everyone new to that script, I only suggest that you test it offline, then copy and paste the tx to blockchain. Thanks for the help. Cheers!
|
|
|
|
Carlton Banks
Legendary
Offline
Activity: 3430
Merit: 3080
|
|
August 11, 2013, 12:13:51 PM |
|
Does anyone know who runs that site or how to contact them? The site itself has no contact info on it, the source code is owned by a user just called "brainwallet", the only thing resembling a contact address is a twitter account also called "brainwallet", etc.
Whoever runs this site needs to shut it down now. It's negligent to do anything less.
For someone who lives in a direct democracy that has a lot of personal freedom, and hence, a lot of required personal responsibility, you sure as hell like to impose your moral standards on other people. Bitcoin source code was authored by some unknowable pseudonym, SHUT IT DOWN, PADRE-MIKEHEARN SAYS NO ANONYMYMOUS CODINGZ!!!
|
Vires in numeris
|
|
|
Financisto
|
|
November 09, 2013, 01:57:12 AM |
|
I don't think you understand what a rainbow table is.
Somebody generated the exact same brainwallet you did, long before you ever thought of using that passphrase.
They've actually generated millions of brainwallets, and they're just waiting for someone naive enough to use the same weak passprases and deposit money into one of their addresses.
[..]
Is it manageable watching the balances of thousands/millions of generated wallets like that everyday (with today's tech resources)? Another thing you can do is repeat hash hundreds and hundred of times. And use a salt - with the original phrase and added to each hash. You can even have a simple formula that changes the salt each hash.
57899@##$% as me salt. "I like big butts" as my passphrase.
Each hash I change the salt according to the number performed and add it to the previous hash, changing the salt so it grows each time, resulting in a huge salt by last hash.
Reapeat, say, 722 times.
All I have to remember is the salt (write it down), the pass phrase, and the algorythm I used to alter the salt each iteration. [...]
Is that simple to do by command line (Linux Terminal)?
|
|
|
|
BurtW
Legendary
Offline
Activity: 2646
Merit: 1137
All paid signature campaigns should be banned.
|
|
November 09, 2013, 02:01:15 AM |
|
Is it manageable watching the balances of thousands/millions of generated wallets like that everyday (with today's tech resources)?
Very easy.
|
Our family was terrorized by Homeland Security. Read all about it here: http://www.jmwagner.com/ and http://www.burtw.com/ Any donations to help us recover from the $300,000 in legal fees and forced donations to the Federal Asset Forfeiture slush fund are greatly appreciated!
|
|
|
gmaxwell
Staff
Legendary
Offline
Activity: 4270
Merit: 8766
|
|
November 09, 2013, 02:13:43 AM |
|
It's run by "Joric". As was the similar wallettools.appspot stuff which predated it in the role of helping fools and their Bitcoin split ways.
I have some pretty fun IRC logs surrounding the creation of Brainwallet.org... e.g. Joric searching for guessable sha256 keys and redeeming them.
He was really resistant to using a strong KDF. Not because he's malicious, as far as I can tell, but simply because anything worthwhile is going to be slow in javascript.
|
|
|
|
VTC
Member
Offline
Activity: 84
Merit: 14
|
|
November 09, 2013, 02:37:07 AM |
|
Why write custom scripts and remember various variables when you can just make your brainwallet a bit longer. Add your name and ID/passport number before your complex passphrase, easier to remember, increase entropy by a lot.
|
|
|
|
mises
|
|
November 09, 2013, 02:47:01 AM |
|
I decided to mess around and make a brain wallet. I used the website www.brainwallet.org. Supposively, this javascript is client side only. Anyway, I made a brain wallet and decided to test it. I moved my spare change (I keep most of my BTC in cold storage) about 0.178 BTC to the new brain wallet I made "15WjmFwpZ1mp3fG55JGoGv3p5y9jtehEB2". Literally within seconds, it was moved to a new bitcoin address not owned by me "1Lp3S4PajwhuFCyrAXSFdVGxLuqTsXtVQC" https://blockchain.info/address/15WjmFwpZ1mp3fG55JGoGv3p5y9jtehEB2I am very security conscience and am certain my wallet file was not compromised. My only thought is the brainwallet website has been compromised instead and some bot is stealing the private keys generated there and then instantly transfering any funds deposited to these compromised wallets to their own bitcoin addresses. DO NOT USE www.brainwallet.org and if you have used it, then immediately move your funds to a new location ASAP. I am not complaining though, I only lost 0.178BTC - it could have been much worse. That's unfortunate! Thanks for letting us know OP.
|
|
|
|
|