casascius (OP)
Mike Caldwell
August 04, 2011, 05:59:16 AM
> whoa, downloaded your binary. very cool. you're right; now i'm worried it's gonna run some kinda wallet stealer what do i do at this point? just send some coin to one of my generated pub keys and save the private key?

Try it with a trivial amount to see if you can get the coins back into your wallet using the patched bitcoind. Lobby MtGox, TradeHill, etc. and the developers to allow redemptions of private keys right in their websites/program, so it doesn't have to be so difficult for the average user.
Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable. I never believe them. If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins. I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion. Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice. Don't keep coins online. Use paper or hardware wallets instead.

casascius (OP)
Mike Caldwell
August 04, 2011, 06:10:48 AM
> what exactly do the arrows do

The arrows convert one thing to the next. For example, you can freely convert between hex private keys and WIF private keys. But you can only go from private key to public key (not vice versa) which is why there is only one arrow.

> i type some stuff into the 1st field and push an arrow and it gives a .net error i guess you call it.

I fixed that and updated github. (my binary will still crash if you enter an invalid WIF, I will update it when there are more significant changes to make)
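
The conversions described in the post above, as an added example (not part of the original post and not the code of the poster's tool): hex and WIF private keys convert in both directions with the Base58Check checksum verified, a malformed WIF is rejected with a ValueError instead of an unhandled exception, and the public key is derived one-way by secp256k1 scalar multiplication. It assumes uncompressed mainnet WIF keys (prefix 0x80); all function names are chosen here.

```python
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# secp256k1 field prime, group order and generator (public curve constants)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def _checksum(data):
    # Base58Check checksum: first 4 bytes of SHA-256(SHA-256(data))
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()[:4]

def _scalar(hex_key):
    # Parse a hex private key and reject anything outside [1, n-1]
    key = bytes.fromhex(hex_key)
    if len(key) != 32 or not 0 < int.from_bytes(key, "big") < N:
        raise ValueError("private key must be 32 bytes in [1, n-1]")
    return key

def hex_to_wif(hex_key):
    """Hex private key -> WIF (uncompressed form, mainnet prefix 0x80)."""
    data = b"\x80" + _scalar(hex_key)
    num, out = int.from_bytes(data + _checksum(data), "big"), ""
    while num:  # first byte is 0x80, so no leading-zero padding is needed
        num, rem = divmod(num, 58)
        out = B58[rem] + out
    return out

def wif_to_hex(wif):
    """WIF -> hex private key; every malformed input raises ValueError."""
    num = 0
    for ch in wif:
        if ch not in B58:
            raise ValueError("invalid Base58 character %r" % ch)
        num = num * 58 + B58.index(ch)
    if num.bit_length() > 37 * 8:
        raise ValueError("decoded WIF is longer than 37 bytes")
    raw = num.to_bytes(37, "big")  # prefix + 32-byte key + 4-byte checksum
    if raw[0] != 0x80:
        raise ValueError("wrong length or version byte for a mainnet WIF key")
    if _checksum(raw[:33]) != raw[33:]:
        raise ValueError("WIF checksum mismatch (mistyped or truncated key)")
    return _scalar(raw[1:33].hex()).hex()

def _add(a, b):
    # Affine point addition on y^2 = x^3 + 7; None is the point at infinity
    if a is None or b is None:
        return a or b
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def private_to_public(hex_key):
    """The one-way arrow: public key = k*G (double-and-add, not constant time)."""
    k, point, acc = int.from_bytes(_scalar(hex_key), "big"), G, None
    while k:
        if k & 1:
            acc = _add(acc, point)
        point, k = _add(point, point), k >> 1
    return "04%064x%064x" % acc
```

A caller catches ValueError around wif_to_hex and reports the bad key to the user; there is no function for the reverse of private_to_public because recovering k from k*G is the discrete logarithm problem.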
jackjack
August 04, 2011, 12:52:53 PM
> > whoa, downloaded your binary. very cool. you're right; now i'm worried it's gonna run some kinda wallet stealer what do i do at this point? just send some coin to one of my generated pub keys and save the private key?
>
> Try it with a trivial amount to see if you can get the coins back into your wallet using the patched bitcoind. Lobby MtGox, TradeHill, etc. and the developers to allow redemptions of private keys right in their websites/program, so it doesn't have to be so difficult for the average user.

Sending private keys via browsers? They are the most critical part of bitcoin it's just crazy MITM attack, browser history, sniffers if not https, etc........
Just use pywallet, it's infinitely safer and its web interface makes it really simple to import a key
Own address: 19QkqAza7BHFTuoz9N8UQkryP4E9jHo4N3 - Pywallet support: 1AQDfx22pKGgXnUZFL1e4UKos3QqvRzNh5 - Bitcointalk++ script support: 1Pxeccscj1ygseTdSV1qUqQCanp2B2NMM2 Pywallet: instructions. Encrypted wallet support, export/import keys/addresses, backup wallets, export/import CSV data from/into wallet, merge wallets, delete/import addresses and transactions, recover altcoins sent to bitcoin addresses, sign/verify messages and files with Bitcoin addresses, recover deleted wallets, etc.

casascius (OP)
Mike Caldwell
August 04, 2011, 06:45:41 PM
> Sending private keys via browsers? They are the most critical part of bitcoin it's just crazy MITM attack, browser history, sniffers if not https, etc........
> Just use pywallet, it's infinitely safer and its web interface makes it really simple to import a key

Pywallet is not simple for the average joe, as you know. Arguably, the entire Bitcoin client is hardly simple for the average joe. Paper wallets and the ability to redeem them on websites - AT THE TIME OF SPENDING - puts secure Bitcoins in the hands of average Joes and eliminates virtually all of the risk associated with hacking and online wallets.

A private key is not much different from a Mt.Gox Redeemable Code, it's just that it holds real bitcoins that no one can steal. The holder of the private key is the holder of the coins, not Mt.Gox or anybody else.

When a private key is entered via browser into a website, it becomes instantly used and invalidated. The correct action for a website that accepts a private key as a deposit method would be to simply send the entire balance to a different address under its control (possibly using a completely separate instance of bitcoind just for this purpose), and wait for confirmations just like any other external inbound transaction. So even if a private key could be found in "browser history", it wouldn't matter much. It would have no money on it.

MITM attack, browser history, sniffers are all moot for websites that properly implement https. I am unaware of anybody with plans (or the lack of common sense) to implement a web-based private key redemption utility without offering https.

cypherdoc
August 05, 2011, 06:55:22 PM
Cass: for max security i assume you'd want to only generate keys on a virgin computer that's never been connected to the internet? how can i be assured that when i want to spend the coins from a certain key pair that the client will accept the private key? also the pub key i assume has virtually no chance of colliding with another pub key? how does the blockchain know of the pub key? by sending coins to it?

bitplane
August 05, 2011, 07:06:25 PM
I haven't read the source yet, but can we get some form of license for this, in case people want to fork and/or transcribe it into other languages?
It would be cool if it were a license that is compatible with the official client so it can be added as a patch, or added to SafeBit or bitcoin-alt and so on.

ctoon6
August 05, 2011, 10:10:49 PM
> Cass: for max security i assume you'd want to only generate keys on a virgin computer that's never been connected to the internet? how can i be assured that when i want to spend the coins from a certain key pair that the client will accept the private key? also the pub key i assume has virtually no chance of colliding with another pub key? how does the blockchain know of the pub key? by sending coins to it?

i think the public key is a hash of the private key or something, so you can not realistically make a public key you want. the block chain does not need to know the public/private key. the key gets into the chain when coins get sent to it.

cypherdoc
August 05, 2011, 10:14:49 PM
> > Cass: for max security i assume you'd want to only generate keys on a virgin computer that's never been connected to the internet? how can i be assured that when i want to spend the coins from a certain key pair that the client will accept the private key? also the pub key i assume has virtually no chance of colliding with another pub key? how does the blockchain know of the pub key? by sending coins to it?
>
> i think the public key is a hash of the private key or something, so you can not realistically make a public key you want. the block chain does not need to know the public/private key. the key gets into the chain when coins get sent to it.

so the blockchain accepts any pub key presented to it that has the correctly signed bitcoin format?

ctoon6
August 05, 2011, 10:18:42 PM
> > > Cass: for max security i assume you'd want to only generate keys on a virgin computer that's never been connected to the internet? how can i be assured that when i want to spend the coins from a certain key pair that the client will accept the private key? also the pub key i assume has virtually no chance of colliding with another pub key? how does the blockchain know of the pub key? by sending coins to it?
> >
> > i think the public key is a hash of the private key or something, so you can not realistically make a public key you want. the block chain does not need to know the public/private key. the key gets into the chain when coins get sent to it.
>
> so the blockchain accepts any pub key presented to it that has the correctly signed bitcoin format?

you can send coins to a non existent public key if you want. but then nobody will be able to redeem them. collisions can happen, but it is extremely unlikely. and since it's a hash, you can not go in reverse.

jackjack
August 05, 2011, 10:46:05 PM
> > Sending private keys via browsers? They are the most critical part of bitcoin it's just crazy MITM attack, browser history, sniffers if not https, etc........
> > Just use pywallet, it's infinitely safer and its web interface makes it really simple to import a key
>
> Pywallet is not simple for the average joe, as you know. Arguably, the entire Bitcoin client is hardly simple for the average joe. Paper wallets and the ability to redeem them on websites - AT THE TIME OF SPENDING - puts secure Bitcoins in the hands of average Joes and eliminates virtually all of the risk associated with hacking and online wallets.

What can be simpler? My guide clearly states what to do: "run './pywallet.py --web' then open 'http://localhost:8989' in your browser"
Then, wallet directory, wallet filename, version and format are autofilled, average joe just has to fill the key and clicks the button

> A private key is not much different from a Mt.Gox Redeemable Code, it's just that it holds real bitcoins that no one can steal. The holder of the private key is the holder of the coins, not Mt.Gox or anybody else.
>
> When a private key is entered via browser into a website, it becomes instantly used and invalidated. The correct action for a website that accepts a private key as a deposit method would be to simply send the entire balance to a different address under its control (possibly using a completely separate instance of bitcoind just for this purpose), and wait for confirmations just like any other external inbound transaction. So even if a private key could be found in "browser history", it wouldn't matter much. It would have no money on it.

Absolutely, but in that case the key must be deleted from the wallet to avoid sending funds to it again

> MITM attack, browser history, sniffers are all moot for websites that properly implement https. I am unaware of anybody with plans (or the lack of common sense) to implement a web-based private key redemption utility without offering https.

Even with https, the browser history still contains the key. Maybe I wasn't clear though, I don't talk about navigation history, but form history
Moreover, average joe doesn't know and doesn't care what is https

ctoon6
August 05, 2011, 11:22:17 PM
> > > Sending private keys via browsers? They are the most critical part of bitcoin it's just crazy MITM attack, browser history, sniffers if not https, etc........
> > > Just use pywallet, it's infinitely safer and its web interface makes it really simple to import a key
> >
> > Pywallet is not simple for the average joe, as you know. Arguably, the entire Bitcoin client is hardly simple for the average joe. Paper wallets and the ability to redeem them on websites - AT THE TIME OF SPENDING - puts secure Bitcoins in the hands of average Joes and eliminates virtually all of the risk associated with hacking and online wallets.
>
> What can be simpler? My guide clearly states what to do: "run './pywallet.py --web' then open 'http://localhost:8989' in your browser"
> Then, wallet directory, wallet filename, version and format are autofilled, average joe just has to fill the key and clicks the button
>
> > A private key is not much different from a Mt.Gox Redeemable Code, it's just that it holds real bitcoins that no one can steal. The holder of the private key is the holder of the coins, not Mt.Gox or anybody else.
> >
> > When a private key is entered via browser into a website, it becomes instantly used and invalidated. The correct action for a website that accepts a private key as a deposit method would be to simply send the entire balance to a different address under its control (possibly using a completely separate instance of bitcoind just for this purpose), and wait for confirmations just like any other external inbound transaction. So even if a private key could be found in "browser history", it wouldn't matter much. It would have no money on it.
>
> Absolutely, but in that case the key must be deleted from the wallet to avoid sending funds to it again
>
> > MITM attack, browser history, sniffers are all moot for websites that properly implement https. I am unaware of anybody with plans (or the lack of common sense) to implement a web-based private key redemption utility without offering https.
>
> Even with https, the browser history still contains the key. Maybe I wasn't clear though, I don't talk about navigation history, but form history
> Moreover, average joe doesn't know and doesn't care what is https

How mature is pywallet? how likely is it that it just loses coins. or should you only import the keys for immediate spending.

jackjack
August 05, 2011, 11:39:24 PM
> How mature is pywallet? how likely is it that it just loses coins. or should you only import the keys for immediate spending.

It was created about one month ago
It never broke any wallet afaik, but backups are of course recommended

ctoon6
August 05, 2011, 11:57:58 PM
i can't get the pywallet to run

    @echo off
    pywallet.py --datadir="C:\Users\****\Desktop\pywallet\wallet" --web
    pause

    Traceback (most recent call last):
      File "C:\Users\****\Desktop\pywallet\pywallet.py", line 22, in <module>
        from twisted.internet import reactor
    ImportError: No module named twisted.internet
    Press any key to continue . . .

also i am using 2.7.2 i think

jackjack
August 06, 2011, 12:48:03 AM
> i can't get the pywallet to run
>
>     @echo off
>     pywallet.py --datadir="C:\Users\****\Desktop\pywallet\wallet" --web
>     pause
>
>     Traceback (most recent call last):
>       File "C:\Users\****\Desktop\pywallet\pywallet.py", line 22, in <module>
>         from twisted.internet import reactor
>     ImportError: No module named twisted.internet
>     Press any key to continue . . .
>
> also i am using 2.7.2 i think

Pywallet needs the twisted python package to work: http://twistedmatrix.com/trac/
Also you don't need to use the datadir flag, everything will be asked in the web interface

ctoon6
August 06, 2011, 01:06:57 AM
> > i can't get the pywallet to run
> >
> >     @echo off
> >     pywallet.py --datadir="C:\Users\****\Desktop\pywallet\wallet" --web
> >     pause
> >
> >     Traceback (most recent call last):
> >       File "C:\Users\****\Desktop\pywallet\pywallet.py", line 22, in <module>
> >         from twisted.internet import reactor
> >     ImportError: No module named twisted.internet
> >     Press any key to continue . . .
> >
> > also i am using 2.7.2 i think
>
> Pywallet needs the twisted python package to work: http://twistedmatrix.com/trac/
> Also you don't need to use the datadir flag, everything will be asked in the web interface

should probably slap that in the wiki or readme or something.

jackjack
August 06, 2011, 01:12:42 AM
> should probably slap that in the wiki or readme or something.

I wrote it in the pywallet thread but you're right
I'm adding that right now

ctoon6
August 06, 2011, 01:20:17 AM (Last edit: August 06, 2011, 01:34:17 AM by ctoon6)
some more issues, i'm running windows 7 x64 if that matters

    @echo off
    pywallet.py --web
    pause

    Traceback (most recent call last):
      File "C:\Users\****\Desktop\pywallet\pywallet.py", line 22, in <module>
        from twisted.internet import reactor
      File "C:\Python27\lib\site-packages\twisted\internet\reactor.py", line 37, in <module>
        from twisted.internet import selectreactor
      File "C:\Python27\lib\site-packages\twisted\internet\selectreactor.py", line 17, in <module>
        from zope.interface import implements
    ImportError: No module named zope.interface
    Press any key to continue . . .

i had a derp, on the page it says required, how do i put it in.

jackjack
August 06, 2011, 01:39:44 AM
> some more issues, i'm running windows 7 x64 if that matters
>
>     @echo off
>     pywallet.py --web
>     pause
>
>     Traceback (most recent call last):
>       File "C:\Users\****\Desktop\pywallet\pywallet.py", line 22, in <module>
>         from twisted.internet import reactor
>       File "C:\Python27\lib\site-packages\twisted\internet\reactor.py", line 37, in <module>
>         from twisted.internet import selectreactor
>       File "C:\Python27\lib\site-packages\twisted\internet\selectreactor.py", line 17, in <module>
>         from zope.interface import implements
>     ImportError: No module named zope.interface
>     Press any key to continue . . .
>
> i had a derp, on the page it says required, how do i put it in.

Well I don't know actually...
The download page shows "Zope.Interface (required)" just under the Twisted package itself, did you install it?
If that works it's unbelievable it isn't automatically included in the Twisted package...

ctoon6
August 06, 2011, 01:52:03 AM
i got it working, since i was running 64 bit i had to go through like 2 work arounds.
if you run x64 use the 2.7 msi package here http://twistedmatrix.com/trac/wiki/Downloads
then go here and grab ez_setup.py
run that shit and go to C:\Python27\Scripts, if you have easy_install.exe you're good to go for the next step
download zope.interface here http://twistedmatrix.com/trac/wiki/Downloads#Windows
now run easy_install.exe zope.interface-3.6.4-py2.7-win-amd64.egg
you need proper paths too of course
if your pywallet.py don't work then, idk what to say

jackjack
August 06, 2011, 02:12:07 AM
What a pain... I'm glad it finally works
I'll add these instructions for other Win7 users, thanks!