Bitcoin Forum
Author Topic: Blockchain.info - Bitcoin Block explorer & Currency Statistics  (Read 482660 times)
zebedee
April 27, 2013, 09:10:44 AM
 #2341


In the light of recent mysterious stealing of coins despite having 2FA and double password, will it be possible to offer any more protection against withdrawal? Few suggestions in addition to the existing ones (of course the user will have to enable these, and not default):

1. An email reconfirmation (with hotlink to be clicked) before withdrawal. No reconfirmation, no withdrawal processed.
2. Option to completely disable withdrawal with a radio button / option, for which enabling withdrawal is email hot link confirmation dependent (like #1)
3. A picture + phrase verification while logging in with (alike Bank of America etc.)

Any other suggestions welcome.
I doubt these help, as the attacker doesn't seem to be using blockchain.info software to attack.  They seem to get the private keys somehow.
shibaji
April 27, 2013, 09:14:24 AM
 #2342

I doubt these help, as the attacker doesn't seem to be using blockchain.info software to attack.  They seem to get the private keys somehow.

That's scary!  Shocked

Maybe piuk can say something - if this has any truth - any withdraw must get suspended until things are resolved. At least piuk should advise people to pull out coins till things get resolved  Sad
2_Thumbs_Up
April 27, 2013, 12:13:25 PM
 #2343

I tried to add a tag for donations to http://www.gimp.org/

However, blockchain said that it can't find the address in question at the website. You are not looking hard enough. It's in the bitcoin: URI format. Blockchain.info should preferably notice this.
Newar
April 27, 2013, 02:01:29 PM
 #2344

I doubt these help, as the attacker doesn't seem to be using blockchain.info software to attack.  They seem to get the private keys somehow.

That's scary!  Shocked

Maybe piuk can say something - if this has any truth - any withdraw must get suspended until things are resolved. At least piuk should advise people to pull out coins till things get resolved  Sad
From what I understand the problem is with rooted phones. For me, I have uninstalled the app completely and set up another watch-only wallet on BCI. Installed the app again and will handle transactions from bitcoin-qt. I never had a lot in the BCI wallet to begin with, but a theft would be painful anyway, more so, if the reason is known.

OTC rating | GPG keyid 1DC91318EE785FDE | Gliph: lightning bicycle tree music | Mycelium, a swift & secure Bitcoin client for Android | LocalBitcoins
BurtW
April 27, 2013, 02:09:08 PM
 #2345

From what I understand the problem is with rooted phones.
His most recent post on the subject says otherwise:

https://bitcointalk.org/index.php?topic=187822.msg1954147#msg1954147

Our family was terrorized by Homeland Security.  Read all about it here:  http://www.jmwagner.com/ and http://www.burtw.com/  Any donations to help us recover from the $300,000 in legal fees and forced donations to the Federal Asset Forfeiture slush fund are greatly appreciated!
jubalix
April 27, 2013, 05:59:42 PM
 #2346

Changes to Alias Resolving

When a wallet is accessed using an alias, if the browser does not already have the wallet identifier saved or have an authorised login session, email authorisation will now be required.

If the browser is previously recognised by blockchain no authorisation is required. Wallets can still be accessed directly by identifier, which provides 128 bits of entropy and should always be kept secret.

For example if you visit my personal wallet: https://blockchain.info/wallet/piuk it will appear as if no wallet exists however I will receive an authorisation email.

A number of users have reported their wallet being compromised to me, the exact cause is unknown (I suspect malware) however in pretty much all cases the user has set a wallet alias which is the same as their bitcointalk username (and used on other sites). This is common practice, however it is much more secure if the wallet identifier and alias are kept secret. The above changes are meant to address this problem.

I will respond to the above posts shortly, apologies for the delay.


so the question is why did this change all of a sudden...why are browsers that were recognised, now not, and identifiers not put in?? as they were before....this is how they are attacking you something here...

Admitted Practicing Lawyer::BTC/Crypto Specialist. B.Engineering/B.Laws

https://www.binance.com/?ref=10062065
jubalix
April 27, 2013, 06:08:25 PM
 #2347


In the light of recent mysterious stealing of coins despite having 2FA and double password, will it be possible to offer any more protection against withdrawal? Few suggestions in addition to the existing ones (of course the user will have to enable these, and not default):

1. An email reconfirmation (with hotlink to be clicked) before withdrawal. No reconfirmation, no withdrawal processed.
2. Option to completely disable withdrawal with a radio button / option, for which enabling withdrawal is email hot link confirmation dependent (like #1)
3. A picture + phrase verification while logging in with (alike Bank of America etc.)

Any other suggestions welcome.
I doubt these help, as the attacker doesn't seem to be using blockchain.info software to attack.  They seem to get the private keys somehow.

must be cracking hashes, or injecting .js

Admitted Practicing Lawyer::BTC/Crypto Specialist. B.Engineering/B.Laws

https://www.binance.com/?ref=10062065
JonSnow
April 27, 2013, 07:54:44 PM
 #2348

HELP!!!

Every time I go to my wallet page I get notified that an illegal embedded object has been found and the popup states that I should not continue!!

WTF is going on with blockchain.info?

Apologies this was a problem caused by me. The error should be fixed now if you reload the page a few times.

Also please remove the verifier and use one of the packaged browser extensions http://blockchain.info/wallet/chrome-extension

I had to reinstall my OS and everything from scratch, and when I set up my wallet as before using the firefox extension, it asks for my identifier, but when given then results in the page reloading, the identifier being blank, and an email sent to me.  I click the link in the email, as instructed, but for whatever reason the firefox extension never seems to work or remember the identifier even after I've "allowed" the login attempt.
TheButterZone
April 27, 2013, 11:20:12 PM
Last edit: April 28, 2013, 08:31:21 AM by TheButterZone
 #2349

Is anybody else not getting SMS notifications on their watched addresses?

ETA: Just got one at 0820 UTC 4-28-13, yay.

Saying that you don't trust someone because of their behavior is completely valid.
Newar
April 28, 2013, 03:48:36 AM
 #2350

From what I understand the problem is with rooted phones.
His most recent post on the subject says otherwise:

https://bitcointalk.org/index.php?topic=187822.msg1954147#msg1954147
Thanks for that link.

Could it be two different attacks? The OP on reddit mentioned he had 2FA enabled and the app installed, whereas I don't see any mention of 2FA in the thread you linked to.

OTC rating | GPG keyid 1DC91318EE785FDE | Gliph: lightning bicycle tree music | Mycelium, a swift & secure Bitcoin client for Android | LocalBitcoins
John (John K.)
April 28, 2013, 04:32:46 AM
 #2351

Is anybody else not getting SMS notifications on their watched addresses?

I'm not getting email notifications on my watched addresses - strange.
piuk (OP)
April 28, 2013, 01:25:15 PM
Last edit: April 28, 2013, 05:50:09 PM by piuk
 #2352

New Version of Android App

https://play.google.com/store/apps/details?id=piuk.blockchain.android&feature=nav_result#?t=W251bGwsMSwyLDNd

  • PIN Protection
  • Improved Fee Handling - The Fee policy set in the web interface will now be honoured in the android app
  • Second Password will be cleared after a transaction is sent
  • Fix Pairing Issues



How PIN protection works

1) When the PIN is created a unique secret is generated and stored on the server.
2) The user's password is then encrypted with the new secret and saved on the device.
3) When restoring the wallet if the correct PIN is provided the server responds with the secret allowing the device to decrypt the password.
4) If the PIN is entered incorrectly 4 times the key is removed from the server and the main password will need to be re-entered.

Prevents malicious apps on rooted devices from reading the password directly from app data; however, more sophisticated malware that reads the app memory, or keyloggers, will still be possible.
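
The four PIN steps in the post above, modelled as an added example; this is not piuk's code or the app's implementation. The names `PinServer`, `seal` and `unseal`, the salted PBKDF2 PIN hash, and the SHAKE-256 keystream with an HMAC tag (a standard-library stand-in for whatever cipher the app really uses) are all assumptions.

```python
import hashlib, hmac, secrets

MAX_FAILURES = 4  # from the post: 4 wrong PINs remove the key from the server

class PinServer:
    """Server side: holds the per-device secret, releases it only for the right PIN."""
    def __init__(self):
        self._records = {}  # device_id -> [salt, pin_hash, secret, failures]

    @staticmethod
    def _pin_hash(salt, pin):
        # Assumption: the server keeps a salted, stretched hash, not the PIN itself.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def create_pin(self, device_id, pin):
        salt, secret = secrets.token_bytes(16), secrets.token_bytes(32)
        self._records[device_id] = [salt, self._pin_hash(salt, pin), secret, 0]
        return secret  # step 1: unique secret generated and stored on the server

    def get_secret(self, device_id, pin):
        rec = self._records.get(device_id)
        if rec is None:
            return None  # key already wiped: main password must be re-entered
        if hmac.compare_digest(rec[1], self._pin_hash(rec[0], pin)):
            rec[3] = 0
            return rec[2]  # step 3: correct PIN, server responds with the secret
        rec[3] += 1
        if rec[3] >= MAX_FAILURES:
            del self._records[device_id]  # step 4: key removed from the server
        return None

def _keystream(secret, nonce, n):
    return hashlib.shake_256(secret + nonce).digest(n)

def seal(secret, password):
    """Step 2: what the device writes to app data (nonce | ciphertext | tag)."""
    nonce, pt = secrets.token_bytes(16), password.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(secret, nonce, len(pt))))
    return nonce + ct + hmac.new(secret, nonce + ct, "sha256").digest()

def unseal(secret, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(secret, nonce + ct, "sha256").digest()):
        raise ValueError("blob does not match this secret")
    return bytes(a ^ b for a, b in zip(ct, _keystream(secret, nonce, len(ct)))).decode()

def demo():
    server = PinServer()  # device id, PIN and password below are constructed samples
    blob = seal(server.create_pin("phone-1", "4821"), "constructed main password")
    ok = unseal(server.get_secret("phone-1", "4821"), blob)
    wrong = [server.get_secret("phone-1", "0000") for _ in range(MAX_FAILURES)]
    return ok, wrong, server.get_secret("phone-1", "4821")  # right PIN after wipe
```

The blob from `seal` is all that sits in app data, so a file-level read on a rooted device yields nothing usable without the server-held secret; once the secret has been returned and the password decrypted in memory, the model offers no further protection, which matches the caveat in the post.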

hazek
April 28, 2013, 01:39:54 PM
 #2353

Great job piuk.

My personality type: INTJ - please forgive my weaknesses (Not naturally in tune with others feelings; may be insensitive at times, tend to respond to conflict with logic and reason, tend to believe I'm always right)

If however you enjoyed my post: 15j781DjuJeVsZgYbDVt2NZsGrWKRWFHpp
willphase
April 28, 2013, 01:49:10 PM
Last edit: April 28, 2013, 03:41:53 PM by willphase
 #2354

Hey Piuk - good job on the new version.  I looked briefly through the changes, but couldn't determine why the new version requires the new

 <uses-permission  android:name="android.permission.GET_TASKS"/>

can you explain this new permission?

EDIT 15:41Z: I see this has now been removed.  Cheers!

Will

ingrownpocket
April 29, 2013, 07:31:55 AM
 #2355

Down? Cannot access my wallet.
ErebusBat
April 29, 2013, 03:32:24 PM
 #2356

New Version of Android App

  • PIN Protection
  • Improved Fee Handling - The Fee policy set in the web interface will now be honoured in the android app
  • Second Password will be cleared after a transaction is sent
  • Fix Pairing Issues
Any plans to port this to the iOS version?

░▒▓█ Coinroll.it - 1% House Edge Dice Game █▓▒░ • Coinroll Thread • *FREE* 100 BTC Raffle

Signup for CEX.io BitFury exchange and get GHS Instantly!  Don't wait for shipping, mine NOW!
picobit
April 29, 2013, 06:19:11 PM
 #2357

Any plans to port this to the iOS version?

+1

I would really like to see the PIN and the fee policy being honored. 
piuk (OP)
May 02, 2013, 04:02:46 PM
Last edit: May 02, 2013, 04:16:47 PM by piuk
 #2358

New Android Version

- New Send types (Quick, Custom & Shared)
- Better transaction summary dialog
- Transaction notes
- Currency set in the web interface will now change the android app and vice versa
- Ability to scan a private key and view the balance + optionally sweep.
- Fix support for scanning watch only private keys
- Compressed private key support
- Better exchange rates view
- Toggle between local currency and BTC by tapping account balance
- Ability to generate a shared address in the request coins view
- Ability to backup the wallet to external storage.
- Ability to pair manually if the QR code is not working.

https://blockchain.info/wallet/android-app

Great job piuk.

Thanks hazek.

can you explain this new permission?

Was suggested here http://stackoverflow.com/questions/4414171/how-to-detect-when-an-android-app-goes-to-the-background-and-come-back-to-the-fo as a method to detect if the app is running in the background on older devices. Was not needed in the end though.

Any plans to port this to the iOS version?

+1

I would really like to see the PIN and the fee policy being honored.  


Yep, the iphone app will be getting an update very soon.

hazek
May 02, 2013, 04:23:45 PM
 #2359

New Android Version

- New Send types (Quick, Custom & Shared)
- Better transaction summary dialog
- Transaction notes
- Currency set in the web interface will now change the android app and vice versa
- Ability to scan a private key and view the balance + optionally sweep.
- Fix support for scanning watch only private keys
- Compressed private key support
- Better exchange rates view
- Toggle between local currency and BTC by tapping account balance
- Ability to generate a shared address in the request coins view
- Ability to backup the wallet to external storage.
- Ability to pair manually if the QR code is not working.

https://blockchain.info/wallet/android-app

Great job piuk.

Thanks hazek.

Man oh man, you are one hell of a dev, awesome job yet again!

My personality type: INTJ - please forgive my weaknesses (Not naturally in tune with others feelings; may be insensitive at times, tend to respond to conflict with logic and reason, tend to believe I'm always right)

If however you enjoyed my post: 15j781DjuJeVsZgYbDVt2NZsGrWKRWFHpp
molecular
May 06, 2013, 05:54:14 AM
 #2360

hello,

I'm investigating building an escrow service using multisig.

Building the multisig address requires users of the escrow to supply the pubkey of their addresses.

I can't seem to find this feature in blockchain.info wallet.

piuk, are there plans to enable users to retrieve the pubkeys of addresses in their wallets?

PGP key molecular F9B70769 fingerprint 9CDD C0D3 20F8 279F 6BE0  3F39 FC49 2362 F9B7 0769