Topic: Save your PK, or any message into an image file.
1000guess (OP)
January 10, 2020, 06:25:37 PM
 #1

Do you write your Private Key to paper or any media?

What if an image file that looks like nothing special might contain a Private Key inside it?
Even more, if the Private Key or any message inside it is encrypted?

If you secure both the paper notes and an image file saved in external media in the same Safe,
which do you think is safer?

You can do it with your phone.

[Android]
https://play.google.com/store/apps/details?id=com.ethereummiddleman.secretimage

[iPhone]
https://apps.apple.com/app/id1489854686

[Web Service]
http://www.ethereummiddleman.com/secretimage.html
(In the WebService case, all your data is encrypted first on your machine and transferred to the WebService, so fear not.)

Hope this helps.
noorman0
January 11, 2020, 01:02:21 PM
 #2

Quote
_snip_
(in WebService case, all your data is encrypted first on your machine and transferred to the WebService, so fear not)

Are you sure? Roll Eyes
In the case of importing a PK, we are strongly recommended not to be connected to the internet at all. And here you recommend handing over people's PK to a new platform owned by random people, and through the internet as well.
If you mean to insert any message code into an image, you can do it yourself offline using a hex editor. That has less risk than your tips.

I don't recommend your way.

This space for rent.
Available in mid January 2024 - PM me
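
The do-it-yourself offline embedding mentioned in post #2, as an added example that is not part of the original thread: instead of editing bytes by hand in a hex editor, it writes an already-encrypted blob into a PNG as an extra chunk and reads it back, using only the Python standard library. The chunk type `prVt`, the function names and the sample bytes are assumptions made for illustration.

```python
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
CHUNK = b"prVt"  # hypothetical private, ancillary, safe-to-copy chunk type
# Constructed stand-in for ciphertext from an offline encryption tool you trust.
SAMPLE_CIPHERTEXT = bytes(range(48))

def make_chunk(ctype, data):
    """Serialize one PNG chunk: length, type, data, CRC-32 over type+data."""
    crc = zlib.crc32(ctype + data)
    return len(data).to_bytes(4, "big") + ctype + data + crc.to_bytes(4, "big")

def iter_chunks(png):
    """Yield (type, data) up to IEND; reject truncated or corrupt chunks."""
    if png[:8] != PNG_SIG:
        raise ValueError("not a PNG file")
    pos = 8
    while pos < len(png):
        length = int.from_bytes(png[pos:pos + 4], "big")
        end = pos + 12 + length
        if end > len(png):
            raise ValueError("truncated chunk")
        ctype, data = png[pos + 4:pos + 8], png[pos + 8:end - 4]
        if int.from_bytes(png[end - 4:end], "big") != zlib.crc32(ctype + data):
            raise ValueError("CRC mismatch, image or payload was altered")
        yield ctype, data
        if ctype == b"IEND":
            return
        pos = end

def embed(png, blob):
    """Return a copy of png with blob in one CHUNK placed just before IEND."""
    out = [PNG_SIG]
    for ctype, data in iter_chunks(png):
        if ctype == b"IEND":
            out.append(make_chunk(CHUNK, blob))
        if ctype != CHUNK:  # drop any earlier payload so only one remains
            out.append(make_chunk(ctype, data))
    return b"".join(out)

def extract(png):
    """Return the embedded blob, or None if the image carries none."""
    return next((d for t, d in iter_chunks(png) if t == CHUNK), None)

def tiny_png():
    """Constructed 1x1 grayscale PNG so the example runs without any files."""
    ihdr = (1).to_bytes(4, "big") * 2 + bytes([8, 0, 0, 0, 0])
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    return PNG_SIG + make_chunk(b"IHDR", ihdr) + make_chunk(b"IDAT", idat) + make_chunk(b"IEND", b"")
```

Anyone who lists the chunks will see the extra one, so confidentiality rests entirely on the encryption done beforehand. Re-check `extract()` after copying the file, since image editors and upload services may drop unknown chunks.
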
1000guess (OP)
January 12, 2020, 08:49:38 PM
 #3

Thanks @noorman0

Regarding the Web Service, even though it's encrypted, it's delivered.
So I understand your concern.

But regarding the mobile App, is there any reason you think it will be delivered to somebody else?

By the way, even with the Web Service, it's encrypted with 256-bit AES and deleted after a while.

It seems you are accusing somebody or some product even without checking the fact,
resulting in a false impression over the whole service.

What do you think?

Thanks Smiley
qwk
January 12, 2020, 09:45:29 PM
 #4

Quote
regarding the mobile App, is there any reason you think it will be delivered to somebody else?

There's malware out there that will screen capture android phones.
https://www.forbes.com/sites/zakdoffman/2019/07/08/warning-for-users-of-android-banking-apps-new-malware-is-recording-password-screens/

So, when you're thinking about creating private keys on a phone: don't.

Yeah, well, I'm gonna go build my own blockchain. With blackjack and hookers! In fact forget the blockchain.
LoyceMobile
January 12, 2020, 09:51:44 PM
 #5

Quote
By the way, even with the Web Service, it's encrypted with 256bit AES and deleted after a while.
It seems you are accusing somebody or some product even without checking the fact

Fact is: you are asking people for their private keys, while claiming it's encrypted. Let me guess: you can and will decrypt the private keys.

Reminder: member never trust anyone with your private keys!

Artemis3
January 12, 2020, 10:07:00 PM
 #6

Private keys should never be casually handed, period. The current best practice is to use the seed words, and copy that with your hands avoiding electronic devices.

Once copied, you could in a secure disconnected PC do things like typing them in a text file, and encrypt that, or steno-graph it yourself in one of millions ways, then encrypt that, etc, etc. No apps, no sending things to others.

There are various free open source tools that can help you do this, if you are inclined to do so electronically, but you could just do it physically as well. Pick a book, mark some words, done.

Ideally you should never watch the actual pk ever yourself, only once when you create the wallet and type the seed words but never make the pk display anywhere. The practice of the old paper wallets has been discontinued for its dangers.

Naida_BR
January 13, 2020, 02:16:33 PM
 #7

I don't find it safe.
What is the guarantee that this file is not being compromised?
Still, saving your PK on paper and keeping it in a safe place is the best choice for me.
1000guess (OP)
January 13, 2020, 07:15:48 PM
 #8

Quote
regarding the mobile App, is there any reason you think it will be delivered to somebody else?
There's malware out there that will screen capture android phones.
https://www.forbes.com/sites/zakdoffman/2019/07/08/warning-for-users-of-android-banking-apps-new-malware-is-recording-password-screens/
So, when you're thinking about creating private keys on a phone: don't.

So why do you think this APP is related to creating keys or involves that specific moment?
1000guess (OP)
January 13, 2020, 07:25:29 PM
 #9

Quote
By the way, even with the Web Service, it's encrypted with 256bit AES and deleted after a while.
It seems you are accusing somebody or some product even without checking the fact
Fact is: you are asking people for their private keys, while claiming it's encrypted. Let me guess: you can and will decrypt the private keys.
Reminder: member never trust anyone with your private keys!

Ok, so you are worried about the situation that
"I can somehow bruteforce to find the key for the encryption and decrypt yours?"

Got your point.
Technically possible, even though I am not that kind of guy and have no time & resources for that.
That latter word means nothing to the users so I will revise the WebSite with warnings.
Not to test serious data on the WebSite.

But my point was rather about the mobile Apps, where it seems you guys are just worrying that I leak your data somehow.
You can simply spoof the network packet if it ever sends any data while it's doing it.
Basically, this is not just an assumption but seems a false accusation to me. Smiley




1000guess (OP)
January 13, 2020, 07:33:58 PM
 #10

Quote
Private keys should never be casually handed, period. The current best practice is to use the seed words, and copy that with your hands avoiding electronic devices.
Once copied, you could in a secure disconnected PC do things like typing them in a text file, and encrypt that, or steno-graph it yourself in one of millions ways, then encrypt that, etc, etc. No apps, no sending things to others.
There are various free open source tools that can help you do this, if you are inclined to do so electronically, but you could just do it physically as well. Pick a book, mark some words, done.
Ideally you should never watch the actual pk ever yourself, only once when you create the wallet and type the seed words but never make the pk display anywhere. The practice of the old paper wallets has been discontinued for its dangers.

I agree with that proposition.

Though you do use Metamask or other tools, right?
The role of the App is to save any data to an image.
Once it's saved once your phone encrypted, I believe users can save it somewhere.

Are you suggesting to revise the function to cover that 'afterward' scenario,
or suggesting that this kind of encryption and steganography is meaningless anyway?
Ucy
January 14, 2020, 07:34:36 AM
 #11

I wouldn't save too much with this method. It's quite risky. By the way, is this open source project... been tested by others?
Quote
If you secure both the paper notes and an image file saved in external media in the same Safe,
which do you think is safer?

None, I guess, as long as you copy from the internet.

Negotiation
January 14, 2020, 09:14:58 AM
 #12

I don't think we should have personal keys with phones because it's too risky for us. Never call personal information at work. Save your PK or any message to an image file and then encrypt it at a lower risk. Keep it safe and do not charge any product without verification. And it's better not to use PK.

1000guess (OP)
January 14, 2020, 01:47:59 PM
 #13

Thank you @Ucy, @Negotiation

I think there are 2 points here.

1. Level of security.

If you guys think 'even just copying the PK string from the Internet' is not safe, all the PC/Mobile S/Ws are not safe.
Though you guys use PC wallets, Metamask, other S/Ws.
And this App doesn't create PKs, it just works based on the value given by the user or a QR code scan.
Even if saving in a Safe is not enough, I doubt how you guys think cold-wallet (storage) is better.

2. Verified?
Even though it's simple code, why would you reveal all your code if you want to make profits even just from an Ad?
B.t.w., from the WebService site you can get all the encryption/decryption source code from the JS script there. Anyone can see that from a web browser.
So, let alone GooglePlay and AppStore, what will be the organization that you think will do some verification for this kind of S/Ws?

I'm just asking your opinion.

thanks
boyptc
January 14, 2020, 09:10:07 PM
 #14

With those apps?

No.

Writing on a paper is the most secured way of keeping our PK if not for the others.


1000guess (OP)
January 15, 2020, 02:17:01 PM
 #15

Quote
With those apps?
No.
Writing on a paper is the most secured way of keeping our PK if not for the others.

Thanks,
Just curious. Don't you trust Crypto Exchanges and their Cold Storages also?
noorman0
January 15, 2020, 04:15:22 PM
 #16

Quote
If you guys think 'even just copying the PK string from the Internet' is not safe, all the PC/Mobile S/Ws are not safe.

Yes, it's not safe at all; copying any sensitive data including PK is not recommended when the internet is active.

Quote
And this App doesn't create PKs, just work based on the value given from the user or QRcode scan.

There you have it, pasting PK to other sites (including the web you mentioned) is also not recommended except for wallet service sites where PK is generated. Maybe you already understand what the "Clipboard Hijacking" is.

Quote
Even though it's simple codes, why would you reveal all your codes if you want to make profits even just from an Ad?

A valid ad won't ask customers for any sensitive data.

Quote
B.t.w, From WebService site you can get all encryption/decryption source code from JS script there. Anyone can see that from web browser.

Not sure, can you name one of the sites? Can I also see it? If there are, then they don't last long because it destroys the "privacy" of customers.

Quote
So, Let alone GooglePlay and AppStore, what will be the organization that you think will do some verification for this kind of S/Ws?

I don't know, but I'm not sure if big companies like Google and Apple would do something so insignificant. Not that I trust 100% in them.

Quote
Don't you trust Crypto Exchanges and their Cold Storages also?

The Exchange doesn't provide PK to customers, so I think this is a bit off topic.

This space for rent.
Available in mid January 2024 - PM me
1000guess (OP)
January 15, 2020, 08:54:39 PM
 #17

Thanks, @noorman0 for very constructive comments.

Regarding the code, here on my web site, you can see the code from any web browser in developer mode.
http://www.ethereummiddleman.com/secretimage.html

And regarding this comment as far as Mobile App concerned,
I think it's a bit unlikely because you will usually type in, or scan the QRcode from the App.

Quote
There you have it, pasting PK to other sites (including the web you mentioned) is also not recommended except for wallet service sites where PK is generated. Maybe you already understand what the "Clipboard Hijacking" is.

Well, I meant whether you trust what they manage PK there.

Quote
The Exchange doesn't provide PK to customers, so I think this is a bit off-topic.
