MrFreeDragon
|
|
December 13, 2019, 10:57:17 AM |
|
I still beleive that the most brain wallets are not serious wallets, and used for test/education/fun transactions. For these transactions (as well as for some quick transit transactions) no need to create the crypto secured wallet, and the brain wallet is used. Of course there are some real wallets generated in "brain wallet way", but such wallets can be counted on one hand. By the way, what do you think about time locked wallets based on easy brain wallets? Let's say we take the easy passphrase " bitcoin", hence the corresponding brain compressed address to it is 18VkRiDhFu2Z17AvtpU3vL2LbTXDzCvDVo (this address has already been used of course). However, we take the public key of this address ( 02218ad6cdc632e7ae7d04472374311cebbbbf0ab540d2d08c3400bb844c654231) and create the time locked wallet (for example with the help of this tool: https://coinb.in/#newTimeLocked), let's say with time lock 31 December 2019: https://coinb.in/?verify=0450650a5eb1752102218ad6cdc632e7ae7d04472374311cebbbbf0ab540d2d08c3400bb844c654231ac#verifyWe receive the P2SH address 3NTavRnFZHkMmSFYVMz5PPb48WsNyVszDW, which could be accessed only by both redeem script and private key/signature from that easy address ( 18VkRiDhFu2Z17AvtpU3vL2LbTXDzCvDVo). The redeem script will not by available in blockchain till the funds are released from the address.
|
|
|
|
daboehla
|
|
December 20, 2019, 02:55:10 PM |
|
WOW big transaction to a brainwallet: 0,50000000 16qVRutZ7rZuPx7NMtapvZorWYjyaME2Ue -> 400453AC5E19A058EC45A33550FDC496E0B26AD0 / 5E884898DA28047151D0E56F8DC6292773603D0D6AABBDD62A11EF721D1542D8 / Brainwallets
|
|
|
|
stalker00075
Newbie
Offline
Activity: 54
Merit: 0
|
|
December 20, 2019, 05:44:13 PM |
|
WOW big transaction to a brainwallet: 0,50000000 16qVRutZ7rZuPx7NMtapvZorWYjyaME2Ue -> 400453AC5E19A058EC45A33550FDC496E0B26AD0 / 5E884898DA28047151D0E56F8DC6292773603D0D6AABBDD62A11EF721D1542D8 / Brainwallets brainwallet "password"
|
|
|
|
daboehla
|
|
December 20, 2019, 06:28:46 PM |
|
WOW big transaction to a brainwallet: 0,50000000 16qVRutZ7rZuPx7NMtapvZorWYjyaME2Ue -> 400453AC5E19A058EC45A33550FDC496E0B26AD0 / 5E884898DA28047151D0E56F8DC6292773603D0D6AABBDD62A11EF721D1542D8 / Brainwallets brainwallet "password" shit, true stroy! I don't save this in my database... why should somebody do this :O
|
|
|
|
MrFreeDragon
|
|
December 21, 2019, 10:12:43 AM |
|
WOW big transaction to a brainwallet: 0,50000000 16qVRutZ7rZuPx7NMtapvZorWYjyaME2Ue -> 400453AC5E19A058EC45A33550FDC496E0B26AD0 / 5E884898DA28047151D0E56F8DC6292773603D0D6AABBDD62A11EF721D1542D8 / Brainwallets brainwallet "password" It seems that sombody "was listening" to this brainwallet address because the outgoing 0.5BTC transaction was included in the same block as incoming transaction (block 608894)
|
|
|
|
almightyruler
Legendary
Offline
Activity: 2268
Merit: 1092
|
|
December 22, 2019, 06:20:54 AM |
|
WOW big transaction to a brainwallet: 0,50000000 16qVRutZ7rZuPx7NMtapvZorWYjyaME2Ue -> 400453AC5E19A058EC45A33550FDC496E0B26AD0 / 5E884898DA28047151D0E56F8DC6292773603D0D6AABBDD62A11EF721D1542D8 / Brainwallets brainwallet "password" It seems that sombody "was listening" to this brainwallet address because the outgoing 0.5BTC transaction was included in the same block as incoming transaction (block 608894) Very likely. Some block explorers show double spend attempts. Some of the earlier messages in this thread include links to show that double spends happened multiple times shortly after a known brainwallet was funded. Presumably the double spend attempts are by several different "brainwallet stealer" bots. I've even seen funds sent to dictionary word brainwallets on testnet vanish instantly. Wonder if the person who lost 0.5 BTC used a brainwallet generator that helpfully prefilled the password field with the word "password", intending the user to replace it with their own text?
|
|
|
|
|
almightyruler
Legendary
Offline
Activity: 2268
Merit: 1092
|
|
January 20, 2020, 04:19:34 AM |
|
A couple of months ago someone sent 3.4 BTC to a brainwallet Funds were appropriated immediately; sweep transaction was included in the same block as the funding transaction. https://www.blockchain.com/btc/address/13QZd78daoq3HaMKN9KAdFsVY9iYLKLfbmSince it's so recent I won't post the passphrase, but it seems to be just a simple saying, perhaps also referring to a book title. 3.4 BTC!!!
|
|
|
|
BTCW
Copper Member
Full Member
Offline
Activity: 193
Merit: 235
Click "+Merit" top-right corner
|
I have discovered what I called "perturbed SHA256 hashes". Like this: SHA256("398") leads to 188c1fdca79d927f6e812133173fc41d3a4e57074de521020274caa9bb29af7d (found in "all" hash databases) 5J16cPLSHRR7CLQuKRWzCWDeXfrzDWYRUksjaTSH86x349BxuUk 17XNdhPkz8eSWibrMRjYY292Y9B6uRFvir which is probably in every bot's database. However, check this out 188c1fdca79d927f6e812133173fc41d3a4e57074de521020274caa9bb29ae57 (found in "no" hash databases) 5J16cPLSHRR7CLQuKRWzCWDeXfrzDWYRUksjaTSH86x2Uzb2iY9 19rDLwxcP9Y3hEjXAkpkuMamKjLs1dgtiA Both are found on the blockchain. Notice the pattern? The two differ only by a few bytes at the end of the hexadecimal string. The latter one is with an extraordinarily high certainty not the SHA256 hash of a known input. Looks like someone took a known hash and changed it just a little. Clever! My recommendation is perturbing well-known hashes.
|
|
|
|
|
ashraful1980
Newbie
Offline
Activity: 24
Merit: 0
|
|
July 11, 2020, 07:53:16 AM |
|
Dear Sir, You are really great. But i have a question that the value of '\xF0\x9F\x92\xA9' how to find and where from found......
|
|
|
|
vapourminer
Legendary
Offline
Activity: 4382
Merit: 3703
what is this "brake pedal" you speak of?
|
|
July 11, 2020, 12:32:16 PM Last edit: July 11, 2020, 12:59:12 PM by vapourminer |
|
I think it would be a good idea if wallet software included a blacklist of such addresses, as well as known weak brainwallets, showing an additional dialog with a strong warning that funds may be permanently lost (or stolen) if the transaction proceeds. Checking any generated (inbound) addresses against the list would also help catch any glaring address generation bugs. (An assert that the result must not equal <hash of empty string> after each call to sha256 or ripemd160 would have caught this error.)
centralized database of bad addys? may sound good on 1st glance but nope for me. maybe check against some private, local blacklist maintained by the user but thats up the user. EDIT: saw that post was 7 months old oops
|
|
|
|
BASE16
Member
Offline
Activity: 180
Merit: 38
|
|
July 11, 2020, 05:09:06 PM |
|
Dear Sir, You are really great. But i have a question that the value of '\xF0\x9F\x92\xA9' how to find and where from found...... Hi please see emoji bytecode here https://apps.timwhitlock.info/emoji/tables/unicode
|
|
|
|
almightyruler
Legendary
Offline
Activity: 2268
Merit: 1092
|
|
July 20, 2020, 04:18:36 AM |
|
I think it would be a good idea if wallet software included a blacklist of such addresses, as well as known weak brainwallets, showing an additional dialog with a strong warning that funds may be permanently lost (or stolen) if the transaction proceeds. Checking any generated (inbound) addresses against the list would also help catch any glaring address generation bugs. (An assert that the result must not equal <hash of empty string> after each call to sha256 or ripemd160 would have caught this error.)
centralized database of bad addys? may sound good on 1st glance but nope for me. maybe check against some private, local blacklist maintained by the user but thats up the user. EDIT: saw that post was 7 months old oops The blacklist check doesn't need to block the transaction, just strongly advise that it's a known compromised/problem address and to double check that everything is correct before clicking on OK. It's not a general blacklist, just specifically for addresses where the keys are widely known (SHA256 dictionary words, low range private keys) or they are 99.99999999% likely to be unspendable (address of 0, RIPEMD160 hash of dictionary words, RIPEMD160 hash of empty string). Perhaps you think I was suggesting that there should be some global "this person ripped me off so I want to add their address" kind of thing... no. BTW, wallet software is pretty centralized anyway, right? I would actually appreciate if a wallet popped up a warning that my funds were likely to be lost.
|
|
|
|
LoyceV
Legendary
Offline
Activity: 3360
Merit: 16969
Thick-Skinned Gang Leader and Golden Feather 2021
|
|
July 20, 2020, 06:01:25 AM |
|
BTW, wallet software is pretty centralized anyway, right? I would actually appreciate if a wallet popped up a warning that my funds were likely to be lost. I see no point in this. If I'm paying someone who sent me a compromized address, he could just as well scam me by using a brand new address so this doesn't help. If my own wallet generates a new address, proper random generation should ensure it's not part of such a list. You could easily create and publish billions of private keys, I don't want such a database bloating my wallet. If you're manually creating such an address using dumb methods, you're on your own
|
|
|
|
almightyruler
Legendary
Offline
Activity: 2268
Merit: 1092
|
|
July 20, 2020, 08:03:10 AM |
|
BTW, wallet software is pretty centralized anyway, right? I would actually appreciate if a wallet popped up a warning that my funds were likely to be lost. I see no point in this. If I'm paying someone who sent me a compromized address, he could just as well scam me by using a brand new address so this doesn't help. I don't understand your point. Why would a scammer invite you to send money to an address where the private key is known by multiple people? This is nothing to do with scamming - it's about preventing mistakes. Like people sending to the brainwallet "password", or software having a brain fart and sending to the hash of a blank string. Original post for more context: https://bitcointalk.org/index.php?topic=4768828.msg52494961#msg52494961
|
|
|
|
LoyceV
Legendary
Offline
Activity: 3360
Merit: 16969
Thick-Skinned Gang Leader and Golden Feather 2021
|
|
July 20, 2020, 08:51:23 AM |
|
Why would a scammer invite you to send money to an address where the private key is known by multiple people? I had a different interpretation of what you meant. This is nothing to do with scamming - it's about preventing mistakes. Like people sending to the brainwallet "password", or software having a brain fart and sending to the hash of a blank string. Still, that's going to be a very long list. Brainwallets must be brute-forced by many different attackers who check billions of addresses.
|
|
|
|
almightyruler
Legendary
Offline
Activity: 2268
Merit: 1092
|
|
July 21, 2020, 12:45:35 AM |
|
This is nothing to do with scamming - it's about preventing mistakes. Like people sending to the brainwallet "password", or software having a brain fart and sending to the hash of a blank string. Still, that's going to be a very long list. Brainwallets must be brute-forced by many different attackers who check billions of addresses. Yeah, there's no way it could be a comprehensive list (and with user passphrases, no list could be near 100% complete anyway), so I could imagine it getting out of hand, however even a list with say 50k entries could still prevent some silly mistakes. (I wonder if anyone has ever trolled a victim by convincing them to send funds to a provably unspendable address? The troll gains no financial benefit, but the victim still suffers a loss.)
|
|
|
|
naufragus
Newbie
Offline
Activity: 29
Merit: 50
|
|
July 21, 2020, 12:59:48 AM |
|
that is almost silly we need to be sure the parametre space is large enough
|
|
|
|
DaCryptoRaccoon
|
|
July 21, 2020, 09:05:45 PM |
|
This is nothing to do with scamming - it's about preventing mistakes. Like people sending to the brainwallet "password", or software having a brain fart and sending to the hash of a blank string. Still, that's going to be a very long list. Brainwallets must be brute-forced by many different attackers who check billions of addresses. Yeah, there's no way it could be a comprehensive list (and with user passphrases, no list could be near 100% complete anyway), so I could imagine it getting out of hand, however even a list with say 50k entries could still prevent some silly mistakes. (I wonder if anyone has ever trolled a victim by convincing them to send funds to a provably unspendable address? The troll gains no financial benefit, but the victim still suffers a loss.) This sounds horrible I sometimes wonder about funds that end up sent to these known addresses it would be nice if there was somewhere you could check this like you do with haveibeenpwnd password checker it would be nice to be able to throw a public key into something similar to see if it's known already on the network I know a simple check on explorer would do but if there were a way to collect all the known brainwallets or "weak" addressing i'm sure people would use it. Anyone found anymore interesting ones recent?
|
┏━━━━━━━━━━━━━━━━━┓ ┃ 💎 Mine Solo with CKPool 💎 ┃ ┃ ➤ Hit Blocks on Your Own! ┃ ┃ ███▓▓ ███▓▓ ███▓▓ ███▓▓┃
|
|
|
|