|
ErebusBat
|
 |
August 06, 2012, 01:51:00 PM |
|
Does anyone know if this is the same format as Electrum? I am away from my laptop or I would check.
I don't think so, Electrum has a more sophisticated deterministic algorithm. Do you have any plans to implement this? If not what would you consider a decent bounty? I see two very useful use cases for this: 1. Import the master public key for watch only balance/notifications. I *love* the MyWallet service and the iPhone app. Being able to see my balance or if a payment has been confirmed / received is awesome. However this breaks when using Electrum because of the way it handles payments and change addresses. See http://acceptbit.com/ 2. Actually importing the wallet seed (hex or mnemonic) and using MyWallet as a backup/clone/whatever. If you go this route please make sure that you don't limit yourself to the seed size that Electrum gives you, it actually supports much bigger seeds (I have successfully feed it a 512 bit seed and it worked). |
|
|
|
|
|
|
|
|
|
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction.
|
|
|
|
|
|
RandomQ
|
|
August 06, 2012, 10:47:48 PM |
|
Got this interesting error.
Error pushing transaction Error Pushing. Previous Tx is Double Spend 13e4e79afb4eb0f32896c6b611c88b2799f4bf0fa027d6d2e255c39e45f297a0
That transaction was newly generated coins from p2pool.
Any insight whats going on here?
First time i've seen this error message
|
|
|
|
|
|
|
Kupsi
Legendary
 Offline
Activity: 1193
Merit: 1003
9.9.2012: I predict that single digits... <- FAIL
|
|
August 07, 2012, 10:02:24 PM |
|
After reading the 2 million unspent bitcoin thread I started thinking of two charts that could be interesting... 1. Daily bitcoin days destroyd in percent of daily new bitcoin days. Yesterday it was 3497490 bitcoin days destroid and 9631650 (roughly estimate) new bitcoin days. That's 3497490 / 9631650 = 36,31%. 2. Total bitcoin days destroyd to date in percent of total bitcoin days to date. Thoughts? |
|
|
|
|
|
IveBeenBit
|
|
August 08, 2012, 04:19:58 PM |
|
Once I click "Login now" in the wallet section, the page formatting in Opera 12.01 on Windows 7 is all screwed up and it doesn't display correctly once logged in. It looks like all the text is crammed into a table on the left side of the screen, if that makes sense. Let me know if you'd like to see a screen shot.
|
|
|
|
|
|
ErebusBat
|
|
August 08, 2012, 04:38:17 PM |
|
Once I click "Login now" in the wallet section, the page formatting in Opera 12.01 on Windows 7 is all screwed up and it doesn't display correctly once logged in. It looks like all the text is crammed into a table on the left side of the screen, if that makes sense. Let me know if you'd like to see a screen shot.
Why on earth are you using Opera? |
|
|
|
ripper234
Legendary
Offline
Activity: 1358
Merit: 1003
Ron Gross
|
|
August 09, 2012, 04:01:27 AM |
|
I just realized something - 2-factor auth in Blockchain.info doesn't really protect you from trojans!
At least, if you're using a Dropbox backup...
I mean, the wallet is synched to your Dropbox, where it is stored only encrypted with your main password. If a keylogger sniffs it, it can then find and decrypt your wallet.
I don't think there is a solution until proper m-of-n transactions are implemented.
Either the server has to know the full private key, or the client does:
If the server does, then it can run away with your money - this is not aligned with Blockchain.info's security model.
If the client does, trojans can sniff your key.
Bitcoin 0.7 ... we badly need you.
|
|
|
|
|
ErebusBat
|
|
August 09, 2012, 04:40:59 AM |
|
I just realized something - 2-factor auth in Blockchain.info doesn't really protect you from trojans!
At least, if you're using a Dropbox backup...
I mean, the wallet is synched to your Dropbox, where it is stored only encrypted with your main password. If a keylogger sniffs it, it can then find and decrypt your wallet.
I don't think there is a solution until proper m-of-n transactions are implemented.
Either the server has to know the full private key, or the client does:
If the server does, then it can run away with your money - this is not aligned with Blockchain.info's security model.
If the client does, trojans can sniff your key.
Bitcoin 0.7 ... we badly need you.
Use email backup that also has two factor auth. |
|
|
|
ripper234
Legendary
Offline
Activity: 1358
Merit: 1003
Ron Gross
|
|
August 09, 2012, 04:59:26 AM |
|
I just realized something - 2-factor auth in Blockchain.info doesn't really protect you from trojans!
At least, if you're using a Dropbox backup...
I mean, the wallet is synched to your Dropbox, where it is stored only encrypted with your main password. If a keylogger sniffs it, it can then find and decrypt your wallet.
I don't think there is a solution until proper m-of-n transactions are implemented.
Either the server has to know the full private key, or the client does:
If the server does, then it can run away with your money - this is not aligned with Blockchain.info's security model.
If the client does, trojans can sniff your key.
Bitcoin 0.7 ... we badly need you.
Use email backup that also has two factor auth. Yeah, but: 1. For some reason I feel better with Dropbox backup ... I like seeing the files there. Not a good reason, I admit. I'm currently using both. 2. Email backup is still vulnerable, it just takes a bit more effort. It's not that hard to write a trojan that opens up your browser when you're away and downloads your email messages. |
|
|
|
|
P4man
|
|
August 09, 2012, 09:53:36 AM |
|
I have to say, I absolutely love the blockchain.info wallet service. It allows me to monitor paper wallets, draws pretty charts, it works like a dream on my android, the features are fan-tas-tic.
I do have one obvious concern Id like some feedback on: security.
How hard would it be to write some malware or a browser expoit that would target blockchain.info wallets, duping the user in to entering his password and then stealing the coins?
Also, I understand blockchain itself doesnt have the private keys, but if someone manages to hack the server, it would still allow him to obtain the key from the user when he enters it, or not?
|
|
|
|
|
BkkCoins
|
|
August 09, 2012, 11:11:53 AM |
|
I have to say, I absolutely love the blockchain.info wallet service. It allows me to monitor paper wallets, draws pretty charts, it works like a dream on my android, the features are fan-tas-tic.
I do have one obvious concern Id like some feedback on: security.
How hard would it be to write some malware or a browser expoit that would target blockchain.info wallets, duping the user in to entering his password and then stealing the coins?
Also, I understand blockchain itself doesnt have the private keys, but if someone manages to hack the server, it would still allow him to obtain the key from the user when he enters it, or not?
You might want to install the browser plugin that checks the site javascript code against the github source. It gives you another layer of protection that makes it difficult to just hack the server or intercept and change code. I've noticed that despite piuk going to the effort of making that very few users have actually downloaded it (according to the count on the Firefox add-on page anyway). https://www.blockchain.info/wallet/verifier |
|
|
|
hazek
Legendary
Offline
Activity: 1078
Merit: 1002
|
|
August 09, 2012, 11:53:17 AM |
|
The problem is it's not being advertised anywhere.. For instance if you go to blockchain.info and click the wallet link, you can't find the link you posted and I've said this to piuk before but it seems he hasn't had the time or perhaps forgot to address it. |
My personality type: INTJ - please forgive my weaknesses (Not naturally in tune with others feelings; may be insensitive at times, tend to respond to conflict with logic and reason, tend to believe I'm always right)
If however you enjoyed my post: 15j781DjuJeVsZgYbDVt2NZsGrWKRWFHpp
|
|
|
rjk
Sr. Member
Offline
Activity: 448
Merit: 250
1ngldh
|
|
August 09, 2012, 01:06:37 PM |
|
I just realized something - 2-factor auth in Blockchain.info doesn't really protect you from trojans!
At least, if you're using a Dropbox backup...
I mean, the wallet is synched to your Dropbox, where it is stored only encrypted with your main password. If a keylogger sniffs it, it can then find and decrypt your wallet.
I don't think there is a solution until proper m-of-n transactions are implemented.
Either the server has to know the full private key, or the client does:
If the server does, then it can run away with your money - this is not aligned with Blockchain.info's security model.
If the client does, trojans can sniff your key.
Bitcoin 0.7 ... we badly need you.
Actually, if you are using a MtGox yubikey as 2FA, you are similarly not protected by keyloggers - they don't validate the whole token, they just use the first so many digits (the serial number of the key) as the second factor.  Unfortunately, LastPass does the same damn thing for offline access. |
|
|
|
|
piuk (OP)
|
|
August 09, 2012, 02:10:06 PM |
|
Does anyone know if this is the same format as Electrum? I am away from my laptop or I would check.
I don't think so, Electrum has a more sophisticated deterministic algorithm. Do you have any plans to implement this? If not what would you consider a decent bounty? I see two very useful use cases for this: 1. Import the master public key for watch only balance/notifications. I *love* the MyWallet service and the iPhone app. Being able to see my balance or if a payment has been confirmed / received is awesome. However this breaks when using Electrum because of the way it handles payments and change addresses. See http://acceptbit.com/ 2. Actually importing the wallet seed (hex or mnemonic) and using MyWallet as a backup/clone/whatever. If you go this route please make sure that you don't limit yourself to the seed size that Electrum gives you, it actually supports much bigger seeds (I have successfully feed it a 512 bit seed and it worked). I'll see what I can do. Got this interesting error.
Error pushing transaction Error Pushing. Previous Tx is Double Spend 13e4e79afb4eb0f32896c6b611c88b2799f4bf0fa027d6d2e255c39e45f297a0
That transaction was newly generated coins from p2pool.
Any insight whats going on here?
First time i've seen this error message
This is a new error, blockchain will now refuse to relay transactions it deems as double spends. However in your case I think it was erroneously flagging the coinbase transaction as a double spend, it should be fixed now. I mean, the wallet is synched to your Dropbox, where it is stored only encrypted with your main password. If a keylogger sniffs it, it can then find and decrypt your wallet.
You could setup a dedicated dropbox account. Blockchain should remember your dropbox login details for up to a month so you only need to login once to the dedicated account, mixing the window of opportunity for a keylogger to intercept your password. But yes the only full-proof way is to keep a backup on an eternal USB drive or a paper wallet. How hard would it be to write some malware or a browser expoit that would target blockchain.info wallets, duping the user in to entering his password and then stealing the coins?
The malware wouldn't be difficult to write, however getting it on your computer is more difficult. All bitcoin users need to be careful about what programs they install on their PC's. If any malware is installed that is able to modify the html of a page you are viewing virtually nothing is safe (including MT.Gox or other online wallets). The only practical solution to this is Multisig (paper wallets are good as well but not convient for everyday use). Also, I understand blockchain itself doesn't have the private keys, but if someone manages to hack the server, it would still allow him to obtain the key from the user when he enters it, or not?
This is possible but would be very difficult in practice. There are lots of server side checks to ensure the the correct js is being served, if there are any unexpected file changes I get notified immediately. As hazek mentioned there is also https://www.blockchain.info/wallet/verifier which is a simple browser extensions that checks that the js being served is identical to the js at https://github.com/blockchain/My-Wallet. The problem is it's not being advertised anywhere.. For instance if you go to blockchain.info and click the wallet link, you can't find the link you posted and I've said this to piuk before but it seems he hasn't had the time or perhaps forgot to address it.
I've added a link to it on the [Account Details] security page. ----------------------------- Changes- SMS Notifications Now available. Currently limited to 5 free SMS's per day, you'll be able to purchase more shortly.  - Lots of bug fixes (Websocket permissions error, Problem with orphaned coinbase transactions, Fix js error in old versions of FF, Fixed blockchain.co.uk redirect (affects facebook), Fixed error on claiming SMS). - Offering 0.25 BTC bounty for all bug reports. Must be repeatable by me and an expected error. |
|
|
|
hazek
Legendary
Offline
Activity: 1078
Merit: 1002
|
|
August 09, 2012, 02:17:39 PM |
|
The problem is it's not being advertised anywhere.. For instance if you go to blockchain.info and click the wallet link, you can't find the link you posted and I've said this to piuk before but it seems he hasn't had the time or perhaps forgot to address it.
I've added a link to it on the [Account Details] security page. Awesome, thanks! Keep up the great work. |
My personality type: INTJ - please forgive my weaknesses (Not naturally in tune with others feelings; may be insensitive at times, tend to respond to conflict with logic and reason, tend to believe I'm always right)
If however you enjoyed my post: 15j781DjuJeVsZgYbDVt2NZsGrWKRWFHpp
|
|
|
Khanduras
Full Member
Offline
Activity: 168
Merit: 100
Movin' on up.
|
|
August 10, 2012, 03:00:08 AM |
|
So I just started working on a website which makes use of the My Wallet service from Blockchain.info for not only handling Bitcoin payments from the members of my site, but also for monitoring transactions sent to their deposit addresses. In doing so, I seem to have run into a few issues with the service that I'm HOPING are just oversights on my part.
First thing's first - I'm using automatic payment notifications in order to know when a payment arrives to any of the addresses in my wallet. Seems simple enough, I figured, but apparently it's a lot more complicated than I had originally thought. I'm trying to return results of deposits into the wallet, but on parsing the JSON payload, it ends up never having that information in the same place. Is there some more detailed documentation somewhere about parsing the data more accurately?
The second concern, also with the automatic HTTP payment notifications, is that I'm wanting to only receive notifications about confirmed payments. I see an option to change this, but no matter what I set it to, it always falls back to "Instantly" instead of the 2 confirmations I would like to use. I've tried everything from changing the order in which I fill out the form to switching browsers and even praying to every God known to mankind, and it still isn't changing. If anyone can help me with this, it'd be greatly appreciated.
|
Bitcoin Address: 1N1sex4rktWdxBJcFTczYZF5Xa75C47j4c |
Mining Income Address: 15wgpV7fDN8fVYn1q9QaPb9XSLjGRhry5L |
|
|
|
|
P4man
|
|
August 10, 2012, 09:27:01 AM |
|
This is possible but would be very difficult in practice. There are lots of server side checks to ensure the the correct js is being served, if there are any unexpected file changes I get notified immediately. As hazek mentioned there is also https://www.blockchain.info/wallet/verifier which is a simple browser extensions that checks that the js being served is identical to the js at https://github.com/blockchain/My-Wallet. I installed it; is there any way to know its actually working? Does it check before or after entering my password? |
|
|
|
|
BkkCoins
|
|
August 10, 2012, 10:39:37 AM |
|
This is possible but would be very difficult in practice. There are lots of server side checks to ensure the the correct js is being served, if there are any unexpected file changes I get notified immediately. As hazek mentioned there is also https://www.blockchain.info/wallet/verifier which is a simple browser extensions that checks that the js being served is identical to the js at https://github.com/blockchain/My-Wallet. I installed it; is there any way to know its actually working? Does it check before or after entering my password? You can open the Error Console in your browser and you'll see when it emits some messages about verifying. It happens when you load any wallet page including login. (It throws heaps of css warnings too so you have to set the console for "info messages only") On FF the Error console is Ctrl-Shift-J (Tools, Web Developer, Error Console). |
|
|
|
nedbert9
Sr. Member
Offline
Activity: 252
Merit: 250
Inactive
|
|
August 10, 2012, 07:09:42 PM |
|
Anyone have issue importing a private key and getting 'Error backing up wallet?"
|
|
|
|
|
|
piuk (OP)
|
|
August 13, 2012, 02:43:40 AM
Last edit: August 13, 2012, 02:56:45 AM by piuk |
|
Anyone have issue importing a private key and getting 'Error backing up wallet?"
Are there any errors in the javascript console ( http://webmasters.stackexchange.com/questions/8525/how-to-open-the-javascript-console-in-different-browsers)? What format is the private key you are trying to import? If you run the "Integrity Check" found in Account Details are any errors displayed? Apologies for the slow response. Updates- Faster Ledger Generation (e.g. http://blockchain.info/address/1VayNert3x1KzbpzMGt2qdqrAThiRovi8 used to take up to 20 seconds to display) - Google Authenticator should now be working properly for both Android and iPhone (There was a bit of a bug causing it to generate an invalid secret causing mismatched codes) - SatoshiDICE players can now see their profit / loss under the transaction form.  I'm not a big player but am up slightly. - Added the ability to lock a wallet down to a specific ip or set of ips. Highly recommended for users of the API. The mobile apps are able to bypass this restriction once paired. e.g. https://blockchain.info/wallet/piuk is lock to my home ip.  - Added the ability to set password hints and have them emailed to you upon request.   |
|
|
|
|
