Bitcoin Forum
Author Topic: Blockchain.info - Bitcoin Block explorer & Currency Statistics  (Read 482658 times)
Red Emerald
March 02, 2012, 11:57:57 PM
 #481

Quote
In light of the recent hackings (I'm sure I've said this before :-/ ) I just want to add some clarity on security.

1) My Wallet is not vulnerable to hackings in the same way that happened to bitcoinica and slush. If the server root was compromised the attackers would not be able to empty any wallets as they are only stored encrypted.

2) What the attacker may be able to do is change the javascript files to intercept passwords over time and then decrypt the wallets. This would only affect people who logged in during this time, but is a weak point nonetheless.

I have made a small Java app to help counter this:

https://github.com/zootreeves/My-Wallet-Integrity-Checker

Compiling from source is recommended but you can download here:

https://github.com/downloads/zootreeves/My-Wallet-Integrity-Checker/applet.jar

When you enter your wallet identifier it will download your My Wallet page and check:

a) The DOM for any inline javascript.
b) For any unrecognised external javascript file
c) Prompt for the user to review any inline javascript
d) Verify all local javascript files match those at https://github.com/zootreeves/blockchain.info

I have a cron job on my local machine to run this script regularly and alert me of any anomalies.

Also note:

- It is recommended you enable double encryption which would keep your wallet safe if you only logged in to check your balance.
- Enabling two factor authentication protects from keyloggers on your own PC (and/or use the onscreen virtual keyboard to type in your second password).
- I receive SMS alerts on SSH login or when the tomcat context reloads (which is needed to alter any js).


How did you set up your server to send a text when there is an SSH login? I'd like that for a couple of my servers.
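
The checks (a) to (d) listed in the quoted post above, sketched for Node.js as an added example; this is not code from the thread or from My-Wallet-Integrity-Checker. The origin, file paths, reference sources and sample pages are constructed placeholders, and the served script bodies are passed in rather than downloaded so the block runs offline.

```javascript
const { createHash } = require('crypto');

const sha256 = (text) => createHash('sha256').update(text, 'utf8').digest('hex');

// Constructed stand-ins: ORIGIN and the file paths are placeholders, and
// REFERENCE plays the role of a local checkout of the published source.
const ORIGIN = 'https://wallet.example';
const REFERENCE = {
  '/js/wallet.js': 'function openWallet() { return "reference build"; }',
  '/js/aes.js': 'function aes() { return "reference build"; }',
};
const ALLOWLIST = Object.fromEntries(
  Object.entries(REFERENCE).map(([path, src]) => [path, sha256(src)]));

// Regex tag scanning keeps the example short; a real checker should walk a parsed DOM.
const SCRIPT_TAG = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
const SRC_ATTR = /(?:^|\s)src\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;
const HANDLER_ATTR = /<[a-z][^>]*\s(on[a-z]+)\s*=/gi;

// `served` maps path -> script body as delivered by the server being checked.
function verifyPage(html, served, allowlist = ALLOWLIST, origin = ORIGIN) {
  const findings = [];
  for (const [, attrs, body] of html.matchAll(SCRIPT_TAG)) {
    const m = attrs.match(SRC_ATTR);
    if (!m) {
      // Checks (a) and (c): inline code cannot be hash-pinned, so surface it for review.
      if (body.trim()) findings.push({ kind: 'inline-script', detail: body.trim() });
      continue;
    }
    const url = new URL(m[1] ?? m[2] ?? m[3], origin);
    const expected = url.origin === origin ? allowlist[url.pathname] : undefined;
    if (expected === undefined) {
      findings.push({ kind: 'unrecognised-script', detail: url.href }); // check (b)
    } else if (sha256(served[url.pathname] ?? '') !== expected) {
      findings.push({ kind: 'hash-mismatch', detail: url.pathname }); // check (d)
    }
  }
  // Event-handler attributes are inline JavaScript too (reported once per tag).
  for (const [, name] of html.matchAll(HANDLER_ATTR)) {
    findings.push({ kind: 'inline-handler', detail: name });
  }
  return findings;
}

// Constructed sample pages: one matching the reference copy, one that differs.
const CLEAN_PAGE = '<html><head><script src="/js/wallet.js"></script>' +
  '<script src="/js/aes.js"></script></head><body><form id="login"></form></body></html>';
const CHANGED_PAGE = '<html><head><script src="/js/wallet.js"></script>' +
  '<script src="https://cdn.example/extra.js"></script>' +
  '<script>console.log("not in the reference copy")</script></head>' +
  '<body><form id="login" onsubmit="return true"></form></body></html>';
const CHANGED_SERVED = { ...REFERENCE, '/js/wallet.js': REFERENCE['/js/wallet.js'] + '// edited' };

console.log(verifyPage(CLEAN_PAGE, REFERENCE));
console.log(verifyPage(CHANGED_PAGE, CHANGED_SERVED).map((f) => `${f.kind}: ${f.detail}`));
```

An empty findings list is the only passing result; a script body that is missing from `served` is hashed as an empty string and therefore reported as a mismatch.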

BkkCoins
March 03, 2012, 01:59:20 AM
 #482

Excellent to see that there is now a way to check the javascript.

Quote
How did you set up your server to send a text when there is an SSH login? I'd like that for a couple of my servers.

The simplest way would be to add a command to your .bashrc on that account. It could also likely be done with a PAM module but I haven't researched if there is a specific one available. There is one to send OTP via SMS using PAM. Google "SMS PAM".


piuk (OP)
March 03, 2012, 10:56:13 PM
 #483

Quote
How did you set up your server to send a text when there is an SSH login? I'd like that for a couple of my servers.

Followed this:

http://askubuntu.com/questions/10294/run-system-script-on-ssh-login-and-or-logout

modified to call an AppleScript which tells Skype to IM me the IP and time.

-----

I made a quick port of the Java applet to a Firefox add-on which serves the same purpose (to verify the javascript). It runs every time you visit a My Wallet login page and will only alert when there is an error found, but you can check it is working by viewing the javascript console.

https://addons.mozilla.org/en-US/firefox/addon/mywalletverifier/

https://github.com/zootreeves/My-Wallet-Integrity-Checker/blob/master/My_Wallet_Verifier.user.js

With two methods of verifying the javascript it's highly likely any unauthorised modification would be found quickly.


BkkCoins
March 04, 2012, 01:34:17 AM
 #484

Quote
How did you set up your server to send a text when there is an SSH login? I'd like that for a couple of my servers.

Followed this:

http://askubuntu.com/questions/10294/run-system-script-on-ssh-login-and-or-logout

modified to call an AppleScript which tells Skype to IM me the IP and time.

-----

I made a quick port of the Java applet to a Firefox add-on which serves the same purpose (to verify the javascript). It runs every time you visit a My Wallet login page and will only alert when there is an error found, but you can check it is working by viewing the javascript console.

https://addons.mozilla.org/en-US/firefox/addon/mywalletverifier/

https://github.com/zootreeves/My-Wallet-Integrity-Checker/blob/master/My_Wallet_Verifier.user.js

With two methods of verifying the javascript it's highly likely any unauthorised modification would be found quickly.


Wow. That's even better! I was going to suggest a Firefox add-on but I thought it was a bit too overbearing. After all you have so much fantastic work already. I'll give this a try out now.

BkkCoins
March 04, 2012, 02:01:23 AM
 #485

I've tried this out. Installed fine. I did a brief source code review to make sure nothing looked malicious (and I didn't notice anything suspect). But when I go to the login page I get a lot of warnings in the error console. I was expecting a "Verified" message in the console (since I saw it in the code) but didn't get that. Maybe that happens only for some cases.

Below are a few of the many, many warnings in the error console. It would be nice if it didn't spit out quite so many, but as long as errors aren't showing can we assume it was successfully verified?

Seem to be all related to bootstrap.min.css file
Code:
Warning: Error in parsing value for 'background-image'.  Declaration dropped.
Source File: https://blockchain.info/Resources/bootstrap.min.css
Line: 283
...
Warning: Error in parsing value for 'filter'.  Declaration dropped.
Source File: https://blockchain.info/Resources/bootstrap.min.css
Line: 296
...
Warning: Unknown property 'transition'.  Declaration dropped.
Source File: https://blockchain.info/Resources/bootstrap.min.css
Line: 322

piuk (OP)
March 04, 2012, 04:55:09 PM
Last edit: March 04, 2012, 05:08:55 PM by piuk
 #486

Quote
I've tried this out. Installed fine. I did a brief source code review to make sure nothing looked malicious (and I didn't notice anything suspect). But when I go to the login page I get a lot of warnings in the error console. I was expecting a "Verified" message in the console (since I saw it in the code) but didn't get that. Maybe that happens only for some cases.

Thanks for testing it out. I think maybe when I packaged it up something may have messed up. I have uploaded a new version if you could try that:

Firefox: https://addons.mozilla.org/en-US/firefox/addon/mywalletverifier/ (Pending review)

Chrome: https://chrome.google.com/webstore/detail/kcapglakfcodkajgllmkiddclghogkic

Safari: https://raw.github.com/zootreeves/My-Wallet-Integrity-Checker/master/mywallet.safariextz (Pending acceptance into Safari web gallery)

I've put up some info explaining what you should see in the console here:

https://blockchain.info/wallet/verifier

Quote
Below are a few of the many, many warnings in the error console. It would be nice if it didn't spit out quite so many, but as long as errors aren't showing can we assume it was successfully verified?

The verifier does not check the CSS (perhaps it should, I'm not sure). These are "standard" Firefox CSS warnings, there is not much I can do about them.

beckspace
March 04, 2012, 05:06:48 PM
 #487


Quote
I've put up some info explaining what you should see in the console here:

https://blockchain.info/wallet/verifier


Brilliant! Installing now.

You can't get this level of security without being open-source.
BkkCoins
March 05, 2012, 12:42:56 AM
 #488

Tested again and it appears to be working fine. It shows the expected console messages this time.
Super excellent. It closes a potential attack vector and makes the wallet that much better.
It also appears the source code was really cleaned up and that makes it easier to audit.
I didn't see anything suspicious.

---

Something else I was thinking about is whether MyWallet could have a maximum spend limit where an attempt to spend more could trigger a side channel verification, like maybe send an email that needs a confirmation (or other method). Of course, it would need the same confirmation to be able to change the limit.

Anyway, just thinking out loud how MyWallet could be more secure in an environment like Bitcoinica where even if your password was exposed there would be a limit to damage.

HostFat
March 05, 2012, 12:59:11 AM
 #489

You are really improving it :D
I think that you should advertise it on Facebook / Twitter / Google plus now :)

I DO NOT PROVIDE PRIVATE SUPPORT - https://t.me/hostfatmind/
bitprotection
March 05, 2012, 01:03:27 AM
 #490

Great website btw :) Been using the wallet service, pretty slick!

Working on protecting the community!
Stephen Gornick
March 05, 2012, 04:28:28 AM
 #491

A bug report here. 

When I attempt to spend the full amount in my wallet without considering the 0.0005 fee, I am presented with the dialog "Miners Fee Recommended". If I click the Add Fee button, nothing happens. This is presumably because I don't have enough in my wallet to cover the payment + fee. If I instead spend only enough so that I have 0.0005 (or more) available for the fee, the Add Fee then is accepted and I am able to proceed.

A second problem.  If I have an empty wallet but attempt a new transaction using Send Money, after clicking Review Transaction I am presented with the error message: "Error getting unspent outputs. Please check your internet connection.".     Is there no way to discern that the problem is not connectivity but that there are no funds?


dooglus
March 05, 2012, 10:16:54 AM
 #492

Chris Moore kindly made a Python script to decrypt My Wallet backups offline. I'm posting it here to archive:

I updated it so it now shows the private keys in 'sipa format', ready for importing into the official 0.6.x client, once it's released:

http://bitcoin.stackexchange.com/a/3037/659

Check that it was last edited Feb 29th 2012.

dvide
March 05, 2012, 08:25:46 PM
Last edit: March 05, 2012, 08:52:17 PM by dvide
 #493

Am I the only person having trouble decrypting their wallet all of a sudden? I use google authenticator, which might be related. I didn't access it for a few days and now there's an 'Error Decrypting Wallet'. The password is the same, I'm sure of that.

Nobody else?

EDIT: Just tried it on Firefox and it works fine. Must be some problem with Chrome 18, on the beta channel.

EDIT: Or not. Now it works on Chrome too. Did you just this moment change something to fix it, piuk?
piuk (OP)
March 06, 2012, 11:14:48 AM
 #494

Please submit and vote for favourite suggestions at:

http://blockchain.uservoice.com/forums/152743-general-ideas

Thank you for the bug reports and feedback.

piuk (OP)
March 07, 2012, 01:53:10 PM
Last edit: March 07, 2012, 02:16:11 PM by piuk
 #495

You can now choose the number of confirmations for alerts



If I were to do SMS Notifications and Call for balance / spoken list of recent transactions using Twilio (suggested by Stephen Gornick)

0.01 BTC per SMS
0.01 BTC per minute for balance enquiries

Minimum purchase 1 BTC (100 SMS's)

How many people would be interested in this?

D.H.
March 07, 2012, 02:42:34 PM
 #496

Small bug report. Total bitcoins in circulation in the realtime API is not correct (or I don't know how to interpret the number). I don't think that this is a new problem, it might always have been like this.

www.bitcoin.se - Forum, nyheter och information på svenska! (Forum, news and information in Swedish)
BkkCoins
March 08, 2012, 01:36:30 AM
 #497

Quote
If I were to do SMS Notifications and Call for balance / spoken list of recent transactions using Twilio (suggested by Stephen Gornick)

0.01 BTC per SMS
0.01 BTC per minute for balance enquiries

Minimum purchase 1 BTC (100 SMS's)

How many people would be interested in this?
This seems reasonable. I wouldn't be able to use it since I'm in Thailand and Twilio currently only supports SMS within US, Canada and UK (as far as I can make out). They do have an International SMS Beta though and if you sign up then they allow sending to 600 carriers worldwide for the same cost (for now, I'm sure costs will change after the testing). Their site says "currently Intl SMS is cost prohibitive" but that's clearly untrue as I've used Clickatell several times for SMS to Thailand.

All that said, I would do so little volume that even if you had Intl support the actual SMS income would be tiny. I think 1 BTC minimum is a bit high for this reason. I could see it being years to use that much credit and so wouldn't want to just throw that BTC away unless it was something I'd actually need vs. just a neat thing to play with.

Stephen Gornick
March 08, 2012, 02:17:35 AM
 #498

Quote
0.01 BTC per SMS

Is this being offered primarily to serve those who cannot just receive an e-mail at their mobile phone's e-mail address (which gets delivered as a text message)?   e.g., 3456789012@tmomail.net for T-Mobile?  Or is this a different alert?


gnar1ta$
March 08, 2012, 04:19:41 AM
 #499

I would be happy to pay the fee, and receive a simple SMS and an ad supported email.

Losing hundreds of Bitcoins with the best scammers in the business - BFL, Avalon, KNC, HashFast.
piuk (OP)
March 08, 2012, 12:51:15 PM
Last edit: March 08, 2012, 02:19:12 PM by piuk
 #500

Quote
Small bug report. Total bitcoins in circulation in the realtime API is not correct (or I don't know how to interpret the number). I don't think that this is a new problem, it might always have been like this.

Thanks, I'll take a look.

Quote
Is this being offered primarily to serve those who cannot just receive an e-mail at their mobile phone's e-mail address (which gets delivered as a text message)? e.g., 3456789012@tmomail.net for T-Mobile?

Yes for those providers who don't offer this service and for those who want immediate notifications, without the email to sms delay.

Quote
If I were to do SMS Notifications and Call for balance / spoken list of recent transactions using Twilio (suggested by Stephen Gornick)

0.01 BTC per SMS
0.01 BTC per minute for balance enquiries

Minimum purchase 1 BTC (100 SMS's)

How many people would be interested in this?
This seems reasonable. I wouldn't be able to use it since I'm in Thailand and Twilio currently only supports SMS within US, Canada and UK (as far as I can make out). They do have an International SMS Beta though and if you sign up then they allow sending to 600 carriers worldwide for the same cost (for now, I'm sure costs will change after the testing). Their site says "currently Intl SMS is cost prohibitive" but that's clearly untrue as I've used Clickatell several times for SMS to Thailand.

I'll apply for the international beta and see what they say. Clickatell seems quite expensive and the API isn't quite as good.

Quote
I would be happy to pay the fee, and receive a simple SMS and an ad supported email.

At least that would be one customer :)

----------------

The site reached 5k wallets yesterday, that means...

New disclaimer: https://blockchain.info/disclaimer and privacy policy https://blockchain.info/privacy

Disclaimer may seem a little harsh, but I want to make it clear that the Site is not a bank. It is an Interface Only - I don't care what wallets are stored or transactions made through the site but equally will not be held liable for them. This is part of the reason I removed the transaction fees.

Uptime has been much better recently.


