molecular
Donator
Legendary
Offline
Activity: 2772
Merit: 1019
|
|
July 23, 2012, 07:05:01 PM |
|
maybe a dumb quesiton:
with very expensive bcrypt hashing with added salts, could a 6 digit pin maybe provide reasonable protection against bruteforcing? so it would maybe take 5 seconds on a phone to calculate the correct decryption key, which is thrown away as soon as the app is closed.
I don't think so, by being 6-digit numeric password there are few combinations to try. I guess it could be bruteforced in two months max. one could bruteforce that with 1.000.000 phones in 5 seconds
|
PGP key molecular F9B70769 fingerprint 9CDD C0D3 20F8 279F 6BE0 3F39 FC49 2362 F9B7 0769
|
|
|
MoonShadow
Legendary
Offline
Activity: 1708
Merit: 1010
|
|
July 23, 2012, 08:23:08 PM |
|
maybe a dumb quesiton:
with very expensive bcrypt hashing with added salts, could a 6 digit pin maybe provide reasonable protection against bruteforcing? so it would maybe take 5 seconds on a phone to calculate the correct decryption key, which is thrown away as soon as the app is closed.
Define reasonable. What is reasonable security for one person with enough bitcoin on his phone to pay for a night on the town is going to be different than reasonable security for a cash mule trying to stay alive and deliver goods to the Zeta's.
|
"The powers of financial capitalism had another far-reaching aim, nothing less than to create a world system of financial control in private hands able to dominate the political system of each country and the economy of the world as a whole. This system was to be controlled in a feudalist fashion by the central banks of the world acting in concert, by secret agreements arrived at in frequent meetings and conferences. The apex of the systems was to be the Bank for International Settlements in Basel, Switzerland, a private bank owned and controlled by the world's central banks which were themselves private corporations. Each central bank...sought to dominate its government by its ability to control Treasury loans, to manipulate foreign exchanges, to influence the level of economic activity in the country, and to influence cooperative politicians by subsequent economic rewards in the business world."
- Carroll Quigley, CFR member, mentor to Bill Clinton, from 'Tragedy And Hope'
|
|
|
apetersson
|
|
July 24, 2012, 02:02:02 PM |
|
Define reasonable. What is reasonable security for one person with enough bitcoin on his phone to pay for a night on the town is going to be different than reasonable security for a cash mule trying to stay alive and deliver goods to the Zeta's.
I think we need to talk about our target audience.
|
|
|
|
MoonShadow
Legendary
Offline
Activity: 1708
Merit: 1010
|
|
July 24, 2012, 10:58:36 PM |
|
Define reasonable. What is reasonable security for one person with enough bitcoin on his phone to pay for a night on the town is going to be different than reasonable security for a cash mule trying to stay alive and deliver goods to the Zeta's.
I think we need to talk about our target audience. Which is what?
|
"The powers of financial capitalism had another far-reaching aim, nothing less than to create a world system of financial control in private hands able to dominate the political system of each country and the economy of the world as a whole. This system was to be controlled in a feudalist fashion by the central banks of the world acting in concert, by secret agreements arrived at in frequent meetings and conferences. The apex of the systems was to be the Bank for International Settlements in Basel, Switzerland, a private bank owned and controlled by the world's central banks which were themselves private corporations. Each central bank...sought to dominate its government by its ability to control Treasury loans, to manipulate foreign exchanges, to influence the level of economic activity in the country, and to influence cooperative politicians by subsequent economic rewards in the business world."
- Carroll Quigley, CFR member, mentor to Bill Clinton, from 'Tragedy And Hope'
|
|
|
fabrizziop
|
|
July 24, 2012, 11:23:22 PM |
|
Define reasonable. What is reasonable security for one person with enough bitcoin on his phone to pay for a night on the town is going to be different than reasonable security for a cash mule trying to stay alive and deliver goods to the Zeta's.
I think we need to talk about our target audience. Which is what? Crypto-nerds?. Personally I think that the program should be left this way, or just with encryption that protects you for like 3 days bruteforcing with several GPUs. (I think) You shouldn't break the balance between practicality and security, specially if it's a mobile system that nobody should use with 10k USD. Weak encryption is practical(using thousands of PBKDF2 rounds), specially if someone steals your device, you can get to your home and sweep your addresses easily.
|
|
|
|
Jan (OP)
Legendary
Offline
Activity: 1043
Merit: 1002
|
|
July 25, 2012, 04:49:21 PM |
|
maybe a dumb quesiton:
with very expensive bcrypt hashing with added salts, could a 6 digit pin maybe provide reasonable protection against bruteforcing? so it would maybe take 5 seconds on a phone to calculate the correct decryption key, which is thrown away as soon as the app is closed.
When it comes to crypto stuff there are no dumb questions. The technique you refer to is often called key stretching, and I would not use it in this scenario. 1. Android processor speed is varying a lot from device to device. What takes 5 seconds on one device takes 30 seconds on another and 1 second on a third. Personally I would be annoyed if I had to wait 30 seconds to send a small transaction. 2. What takes 5 seconds on some Android my desktop computer could do in a fraction of a second. Making brute force attacks very plausible. In the end doing this would give an annoying user experience and a false sense of security (some would call it kindergarten cryptography).
|
Mycelium let's you hold your private keys private.
|
|
|
Jan (OP)
Legendary
Offline
Activity: 1043
Merit: 1002
|
|
July 25, 2012, 04:53:39 PM |
|
I had the same question.. But everyone seemed to misunderstand what I was asking.. I would like to use my own wallet and private keys in B spinner.. Or be able to use the backup spinner provides anywhere else.. And how.. The key format used by BitcoinSpinner when you go to Settings -> Advanced -> Export private key is the Sipa format. As far as I remember Blockchain.info used to support this format, but it seems not to support it anymore. I have PM'ed Puik on this, and asked whether he will support it.
|
Mycelium let's you hold your private keys private.
|
|
|
Herodes
|
|
August 04, 2012, 07:35:34 AM |
|
Just installed bitcoin spinner after doing some research as to which android wallet to chose. So far I'm rather impressed.
I got some 'illegal operation' message, and I didn't understand why. So I tried to quit the app, but didn't see an exit option ? Not even when clicking menu, so I rebooted the phone, and when I started bitcoin spinner again, the same error was present.
Then I checked the bitcoin address, and it seems I had pasted an extra space at the end. Perhaps it would be a good idea to trim spaces automatically ? I copied mine from an sms message, and the extra space seemed to be added automatically.
Also, perhaps there would be some very easy method of adding addresses ? As it is noe, I first typed in an a entire bitcoin address for hans, which is fine because I'm a computer geek, but would still like to have it easier, so what about some feature where you can insert an address to the bitcoin spinner website, get a short code (4 alphanumeric) in return, and you could then import this on the phone by entering that code (app would connect to server and get the address). Or there could be a registration system that could sync bitcoin addresses betwen an online wallet and the bitcoin spinner.
I like the transaction history, and overall I think the app is well made. Great that you keep the infrastructure ready for this. Perhaps it would be possible to offer premium editions with some of the features I listed above ? Will throw some coin your way if this works as good over some time as it is working currently. Impressed. I also saw the ratings on Google Play (what an odd name!), and almost all were very positive, so this was absolutely some great work!
|
|
|
|
Jan (OP)
Legendary
Offline
Activity: 1043
Merit: 1002
|
|
August 04, 2012, 10:58:30 PM |
|
I had the same question.. But everyone seemed to misunderstand what I was asking.. I would like to use my own wallet and private keys in B spinner.. Or be able to use the backup spinner provides anywhere else.. And how.. The key format used by BitcoinSpinner when you go to Settings -> Advanced -> Export private key is the Sipa format. As far as I remember Blockchain.info used to support this format, but it seems not to support it anymore. I have PM'ed Puik on this, and asked whether he will support it. Version 0.7.1b is out. Find it on Google Play or on the BitcoinSpinner project page for Kindle and other devices that do not use Google Play. The only change from 0.7.0b to 0.7.1b is a private key export bug fix: It turns out that BitcoinSpinner had a bug where the exported private key some times (more often that not) is formatted for testnet instead of prodnet. More details here: https://bitcointalk.org/index.php?topic=53353.msg1078070#msg1078070
|
Mycelium let's you hold your private keys private.
|
|
|
Jan (OP)
Legendary
Offline
Activity: 1043
Merit: 1002
|
|
August 04, 2012, 11:31:29 PM |
|
Just installed bitcoin spinner after doing some research as to which android wallet to chose. So far I'm rather impressed.
Thanks! I got some 'illegal operation' message, and I didn't understand why. So I tried to quit the app, but didn't see an exit option ? Not even when clicking menu, so I rebooted the phone, and when I started bitcoin spinner again, the same error was present.
What did you do to get the 'illegal operation'? Many android devices allow you to send an error report if this happens. If you do I get a stack-dump that tells me exactly where it happened, which is very useful for debugging. Then I checked the bitcoin address, and it seems I had pasted an extra space at the end. Perhaps it would be a good idea to trim spaces automatically ? I copied mine from an sms message, and the extra space seemed to be added automatically.
This must be when sending coins? I have added some trimming to avoid this. This will be included in the next release. Also, perhaps there would be some very easy method of adding addresses ? As it is noe, I first typed in an a entire bitcoin address for hans, which is fine because I'm a computer geek, but would still like to have it easier, so what about some feature where you can insert an address to the bitcoin spinner website, get a short code (4 alphanumeric) in return, and you could then import this on the phone by entering that code (app would connect to server and get the address). Or there could be a registration system that could sync bitcoin addresses betwen an online wallet and the bitcoin spinner.
Bitcoin addresses are not very handy, and easy to get wrong. I think that this is why more and more Bitcoin sites allow you to just scan a QR code, which is by far the easiest way to get the address into your device. There are two very easy ways of adding addresses to your address book with BitcoinSpinner: 1. Scan a QR code containing a Bitcoin address - More and more web-sites display QR codes, and if you have an address as a string you can for instance paste it in the Search field on Blockchain.info and it will display the QR code for you. 2. Add an address from 'recent receivers' - If you have sent some coins to an address this feature allows you to select the transaction and add the receivers address to your address book. Other wallets ask you whether you would like to add the receiver to your address book whenever you do a transaction. This really annoys me as most of the time I don't want to do this as I send to one-time addresses, like when doing a purchase. This is why I made option 2 above instead. I like the transaction history, and overall I think the app is well made. Great that you keep the infrastructure ready for this. Perhaps it would be possible to offer premium editions with some of the features I listed above ? Will throw some coin your way if this works as good over some time as it is working currently. Impressed. I also saw the ratings on Google Play (what an odd name!), and almost all were very positive, so this was absolutely some great work!
Great, and thanks. BTW, there is a 'Donate' option you can access if you click the option button on your phone on the main screen of BitcoinSpinner. It hasn't been tested much
|
Mycelium let's you hold your private keys private.
|
|
|
Herodes
|
|
August 05, 2012, 03:58:41 AM |
|
BTW, there is a 'Donate' option you can access if you click the option button on your phone on the main screen of BitcoinSpinner. It hasn't been tested much Thanks for the reply. What about increasing the fee a tad and make some of it go towards your reward ? There could still be the option for the cheapskates to compile it themselves and remove that extra fee. Not sure how the user base would respond to that. Your time and resources ain't free, so..
|
|
|
|
westkybitcoins
Legendary
Offline
Activity: 980
Merit: 1004
Firstbits: Compromised. Thanks, Android!
|
|
August 05, 2012, 04:47:11 AM |
|
BTW, there is a 'Donate' option you can access if you click the option button on your phone on the main screen of BitcoinSpinner. It hasn't been tested much Thanks for the reply. What about increasing the fee a tad and make some of it go towards your reward ? There could still be the option for the cheapskates to compile it themselves and remove that extra fee. Not sure how the user base would respond to that. Your time and resources ain't free, so.. Depends on the amount. If the mandatory 0.0005 BTC fee was increased to 0.001 BTC, with half going to donations and half as a transaction fee, I doubt anyone would even notice. For that matter, I'd recommend at least a 0.0015 BTC fee, with 0.001 BTC being for donations. With current BTC prices of ~$10, that's less than 2 cents total per transaction. Extremely reasonable. But anything more than 0.005 BTC total, it might limit my use. Anything more than 0.01 BTC would have me reconsider using BitcoinSpinner.
|
Bitcoin is the ultimate freedom test. It tells you who is giving lip service and who genuinely believes in it.
... ... In the future, books that summarize the history of money will have a line that says, “and then came bitcoin.” It is the economic singularity. And we are living in it now. - Ryan Dickherber... ... ATTENTION BFL MINING NEWBS: Just got your Jalapenos in? Wondering how to get the most value for the least hassle? Give BitMinter a try! It's a smaller pool with a fair & low-fee payment method, lots of statistical feedback, and it's easier than EasyMiner! (Yes, we want your hashing power, but seriously, it IS the easiest pool to use! Sign up in seconds to try it!)... ... The idea that deflation causes hoarding (to any problematic degree) is a lie used to justify theft of value from your savings.
|
|
|
giszmo
Legendary
Offline
Activity: 1862
Merit: 1114
WalletScrutiny.com
|
|
August 05, 2012, 04:52:19 AM |
|
BTW, there is a 'Donate' option you can access if you click the option button on your phone on the main screen of BitcoinSpinner. It hasn't been tested much Thanks for the reply. What about increasing the fee a tad and make some of it go towards your reward ? There could still be the option for the cheapskates to compile it themselves and remove that extra fee. Not sure how the user base would respond to that. Your time and resources ain't free, so.. As much as I believe he deserves some acknowledgement for this cool app I'm pretty sure all that did great stuff like this will get their fair share when the big players search for people to get them started in bitcoin. Rolling my own spinner is high on my todo list and probably I would put it to the market under my account for my friends that might trust me more than some guy they don't know/takes money with every transaction. I have a cool non-bitcoin app, too and really would love to make it open source but to be honest I don't see how to make money with it. One approach I was thinking about was to make the core app open source and the shiny frontend only wraps this. I would have to provide a non-shiny front-end to provide a full app others would consider worth working with, so my base framework would be there to establish a standard within this area and my nice front-end would stand out and be worth paying for. Similarly would I not be mad if further development on the spinner-UI would be non-open-source and only available for a fee but I would find it sad if bug-fixes to the core functionality would not find its way into a lib-spinner.
|
ɃɃWalletScrutiny.com | Is your wallet secure?(Methodology) WalletScrutiny checks if wallet builds are reproducible, a precondition for code audits to be of value. | ɃɃ |
|
|
|
Stephen Gornick
Legendary
Offline
Activity: 2506
Merit: 1010
|
|
August 08, 2012, 04:31:47 PM |
|
BitcoinSpinner is minimalistic, to the point, and is intended for broad adoption.
Will there ever be a way to redeem a private key (e.g., scan a QR and redeem?) Because Bitcoin Spinner uses deterministic keys, it couldn't store the private keys that are scanned. But what it could do is create the transaction that spends the private key scanned to a new bitcoin address in the Bitcoin Spinner wallet. This will allow Bitcoin Spinner to remain the only Bitcoin app I need on my mobile.
|
|
|
|
Jan (OP)
Legendary
Offline
Activity: 1043
Merit: 1002
|
|
August 08, 2012, 08:57:06 PM |
|
BitcoinSpinner is minimalistic, to the point, and is intended for broad adoption.
Will there ever be a way to redeem a private key (e.g., scan a QR and redeem?) Because Bitcoin Spinner uses deterministic keys, it couldn't store the private keys that are scanned. But what it could do is create the transaction that spends the private key scanned to a new bitcoin address in the Bitcoin Spinner wallet. This will allow Bitcoin Spinner to remain the only Bitcoin app I need on my mobile. To do this the BitcoinSpinner server back-end has to be able to determine the unspent outputs of the private key in real-time. Today it can't. This would be an awesome feature, and my plans are actually to do something that is even more interesting. However I am sorry that I cannot reveal more details on this for the next month or two.
|
Mycelium let's you hold your private keys private.
|
|
|
teflone
|
|
August 08, 2012, 11:01:28 PM |
|
Fyi...
I took a peak at a back up qr..
I formatted my own personal key into the QR code..
restored the wallet..
It made a wallet, but does not have the money I had sent into it.. therefore it must be a new/diff wallet..
I grabbed a key from Vanitygen.. of course.. this is a vanity address and priv key I want to import..
I have no idea what "type" of priv key vanity spits out..
Im actually suprised it did anything let alone make a wallet that is not the intended one I want to use, mind you I never tested its functionality, I would just assume it works.. but.. not how I wanted it to...
Any tips ?
|
|
|
|
niko
|
|
August 09, 2012, 04:47:28 AM |
|
I've been using spinner happily for a month. One detail bugs me: descriptions on Google Play and the wiki repeatedly refer to "private keys" in plural. And yet, from what I see there is only one private key involved, and its corresponding address. The only way to obtain a new key is to erase app data folder, so the new key pair is generated on the next start.
Am I missing something here?
|
They're there, in their room. Your mining rig is on fire, yet you're very calm.
|
|
|
MoonShadow
Legendary
Offline
Activity: 1708
Merit: 1010
|
|
August 09, 2012, 06:20:27 AM |
|
I've been using spinner happily for a month. One detail bugs me: descriptions on Google Play and the wiki repeatedly refer to "private keys" in plural. And yet, from what I see there is only one private key involved, and its corresponding address. The only way to obtain a new key is to erase app data folder, so the new key pair is generated on the next start.
Am I missing something here?
Not really, the client only uses one key at the moment but is more than capable of handling more. The one key rule has more to do with conserving bitcoin spinner's server resources.
|
"The powers of financial capitalism had another far-reaching aim, nothing less than to create a world system of financial control in private hands able to dominate the political system of each country and the economy of the world as a whole. This system was to be controlled in a feudalist fashion by the central banks of the world acting in concert, by secret agreements arrived at in frequent meetings and conferences. The apex of the systems was to be the Bank for International Settlements in Basel, Switzerland, a private bank owned and controlled by the world's central banks which were themselves private corporations. Each central bank...sought to dominate its government by its ability to control Treasury loans, to manipulate foreign exchanges, to influence the level of economic activity in the country, and to influence cooperative politicians by subsequent economic rewards in the business world."
- Carroll Quigley, CFR member, mentor to Bill Clinton, from 'Tragedy And Hope'
|
|
|
Jan (OP)
Legendary
Offline
Activity: 1043
Merit: 1002
|
|
August 09, 2012, 06:43:12 AM |
|
Fyi...
I took a peak at a back up qr..
I formatted my own personal key into the QR code..
restored the wallet..
It made a wallet, but does not have the money I had sent into it.. therefore it must be a new/diff wallet..
I grabbed a key from Vanitygen.. of course.. this is a vanity address and priv key I want to import..
I have no idea what "type" of priv key vanity spits out..
Im actually suprised it did anything let alone make a wallet that is not the intended one I want to use, mind you I never tested its functionality, I would just assume it works.. but.. not how I wanted it to...
Any tips ?
The backup QR code contains a random 256-bit seed, not a private key. From that random seed the bitcoin 2 private keys are deterministically generated. The first key is your login key, the second one is your bitcoin private key. Gory details here: http://code.google.com/p/bccapi/source/browse/trunk/src/com/bccapi/api/BitcoinClientAPI.javaIf you use a bitcoin private key as the seed it will just be treated as a 256-bit random seed from which there will be generated keys which ties up to the next question: I've been using spinner happily for a month. One detail bugs me: descriptions on Google Play and the wiki repeatedly refer to "private keys" in plural. And yet, from what I see there is only one private key involved, and its corresponding address. The only way to obtain a new key is to erase app data folder, so the new key pair is generated on the next start.
Am I missing something here?
The BCCAPI, which BitcoinSpinner is built on top of, allows you to manage a number of Bitcoin addresses. However, the main drivers for BitcoinSpinner are security and simplicity. And managing just one Bitcoin address/private key does make the UI much simpler to use. Now, as noted above there are two private keys in play, but the other one is used for login purposes. This being said, there is a trick you can do to manage more than one address. 1. Install BS, which automatically generates a new random account and bitcoin private key 2. Make a backup, and print it on paper 3. Uninstall BS 4. Install BS, which automatically generates a new random account and bitcoin private key 5. Make a second backup, and print it on paper. Now you have two different wallets, and you can switch between them by restoring from your two paper backups. Whenever you do a restore the previous keys are wiped from your device, making this a very useful feature for cold storage. I do this myself for the bulk of my coins. Yes, this could (should) be built more seamlessly into the app.
|
Mycelium let's you hold your private keys private.
|
|
|
Jan (OP)
Legendary
Offline
Activity: 1043
Merit: 1002
|
|
August 09, 2012, 06:44:06 AM |
|
I've been using spinner happily for a month. One detail bugs me: descriptions on Google Play and the wiki repeatedly refer to "private keys" in plural. And yet, from what I see there is only one private key involved, and its corresponding address. The only way to obtain a new key is to erase app data folder, so the new key pair is generated on the next start.
Am I missing something here?
Not really, the client only uses one key at the moment but is more than capable of handling more. The one key rule has more to do with conserving bitcoin spinner's server resources. Yes, also that.
|
Mycelium let's you hold your private keys private.
|
|
|
|