Bitcoin Forum
Author Topic: BitcoinSpinner  (Read 51201 times)
Jan
November 15, 2012, 10:08:09 AM
 #301

Hi Jan,

Are you planning on open sourcing or at least providing the server to selected individuals so that redundancy can be achieved by community effort?
I am currently in negotiations with a company in the Bitcoin world around this. I am sorry, but I cannot say more right now.

Mycelium lets you hold your private keys private.
Richy_T
November 15, 2012, 02:54:08 PM
 #302

hi jan,

thank you for your effort.

what will happen if the server is not reachable?
will the bitcoin spinner app also have a malfunction?
can i have access to my bitcoin wallet and bitcoins?

what happens in this case?

regards
pazor



You should make sure to export the private key in any case. Then you can simply use a different wallet should bitcoinspinner fail in any way and for whatever reason.

1RichyTrEwPYjZSeAYxeiFBNnKC9UjC5k
rini17
November 18, 2012, 07:51:17 PM
 #303

Hello,

my phone came from warranty repair with replaced mainboard (= completely wiped), I upgraded it to android 4, reinstalled bitcoinspinner and restored it from backup. Now all looks fine, only the "Send Bitcoins" stays always disabled, no matter what amount I put in.

Version 0.7.3b
System version: 4.0.4

And I have a question: Seems like the old mainboard was not dead completely, perhaps only battery management circuits failed. If I connected the phone to a PC, it did detect it. In this situation, would someone examining the board be able to extract the private key? If yes, it would be worthwhile to add passphrase encryption to bitcoinspinner.

CoinBr.com: First online MPEx brokerage launched beta! Easy to use interface and reasonable fees. Charts for MPEx stocks: live.coinbr.com * My Blog *
Jan
November 18, 2012, 09:35:34 PM
 #304

Hello,

my phone came from warranty repair with replaced mainboard (= completely wiped), I upgraded it to android 4, reinstalled bitcoinspinner and restored it from backup. Now all looks fine, only the "Send Bitcoins" stays always disabled, no matter what amount I put in.

Version 0.7.3b
System version: 4.0.4
Good to hear that your bitcoins survived a mainboard replacement. I haven't heard about the Send button being permanently disabled before. Try and restart BitcoinSpinner (it is not enough to exit the application). You can stop apps somewhere in system settings, or alternatively restart the phone. Let me know whether that helps.

And I have a question: Seems like the old mainboard was not dead completely, perhaps only battery management circuits failed. If I connected the phone to a PC, it did detect it. In this situation, would someone examining the board be able to extract the private key? If yes, it would be worthwhile to add passphrase encryption to bitcoinspinner.
If you have access to the mainboard and the right skills/equipment I am pretty sure that you can get to the keys. However, encrypting the keys with the 6 digit PIN doesn't really help, as brute forcing it is trivial. Having the user enter a very long passphrase on a phone is not feasible (you need about 128 bits of entropy), and people are notoriously bad at choosing "safe" passwords.
If you use BitcoinSpinner to store more coins than you are comfortable losing from a physical attack I suggest that you have two different backup QR-codes. Switching between them is as easy as scanning a QR-code. Once you scan a different backup the old keys are overwritten.
This is what I do myself, and it works really well.



Instead I suggest that you

To be on the safe side you should move your coins. If you reinstall BitcoinSpinner it will generate a new address

Mycelium lets you hold your private keys private.
molecular
November 19, 2012, 01:47:33 PM
 #305

I recently had an idea:

how about having 2 pins which have to be entered alternatingly.

That way, if some dude sees you enter pin and takes your phone it won't help him because next time he'll need the other one and you have enough time to move the coins.

PGP key molecular F9B70769 fingerprint 9CDD C0D3 20F8 279F 6BE0  3F39 FC49 2362 F9B7 0769
Jan
November 19, 2012, 01:57:17 PM
 #306

I recently had an idea:

how about having 2 pins which have to be entered alternatingly.

That way, if some dude sees you enter pin and takes your phone it won't help him because next time he'll need the other one and you have enough time to move the coins.

Hmm.. I am not sure I like it. If some guy can observe you enter one PIN he can also observe you enter two. Also, I'll have to remember two PINs, and get frustrated whenever I enter the wrong one, which will happen 50% of the time as I cannot possibly remember which one I used last time. In the end my head will explode.
In the end I think it is much better to have two QR-code backups. The one with the large amount is only loaded briefly to recharge the other.

Mycelium lets you hold your private keys private.
molecular
November 19, 2012, 02:02:31 PM
 #307

I recently had an idea:

how about having 2 pins which have to be entered alternatingly.

That way, if some dude sees you enter pin and takes your phone it won't help him because next time he'll need the other one and you have enough time to move the coins.

Hmm.. I am not sure I like it. If some guy can observe you enter one PIN he can also observe you enter two. Also, I'll have to remember two PINs, and get frustrated whenever I enter the wrong one, which will happen 50% of the time as I cannot possibly remember which one I used last time. In the end my head will explode.
In the end I think it is much better to have two QR-code backups. The one with the large amount is only loaded briefly to recharge the other.


The situation in which this occurred to me was when I was selling some bitcoin to a dude at a McDonalds. He could well have had a friend behind me observing me input the pin. He would only get one chance at this.

Spinner could display "enter pin #1" or "enter pin #2" to alleviate the second problem.

Alternating-PIN should of course be optional.

I don't understand what you mean with 2 qr-code backups?

PGP key molecular F9B70769 fingerprint 9CDD C0D3 20F8 279F 6BE0  3F39 FC49 2362 F9B7 0769
Jan
November 19, 2012, 02:19:51 PM
 #308

I don't understand what you mean with 2 qr-code backups?

I have two different QR-code backups for BitcoinSpinner, each is for a different wallet (savings/spending wallet)
Whenever I am running low on coins on my spending wallet I do this (at home):
1) restore the backup of my savings wallet by scanning a QR-code
2) send some coins to my spending wallet (I have the address in my address book)
3) restore the backup of my spending wallet

Whenever you restore a wallet the previous wallet is wiped from the device. This way no one can get to my savings wallet unless they do a firehose attack in my home.

The way to create two QR-code backups:
1) Install BitcoinSpinner
2) Make QR-code backup
3) uninstall BitcoinSpinner
4) Install BitcoinSpinner (new random address generated in each install)
5) Make QR-code backup

Now you can switch back and forth by just scanning a QR-code.  Grin

Mycelium lets you hold your private keys private.
rini17
November 19, 2012, 06:53:40 PM
 #309

Hello,

my phone came from warranty repair with replaced mainboard (= completely wiped), I upgraded it to android 4, reinstalled bitcoinspinner and restored it from backup. Now all looks fine, only the "Send Bitcoins" stays always disabled, no matter what amount I put in.

Version 0.7.3b
System version: 4.0.4
Good to hear that your bitcoins survived a mainboard replacement. I haven't heard about the Send button being permanently disabled before. Try and restart BitcoinSpinner (it is not enough to exit the application). You can stop apps somewhere in system settings, or alternatively restart the phone. Let me know whether that helps.
I have restarted the phone, however the problem persists, did a screenshot. After I reinstalled bitcoinspinner and restored the backup, the button worked until the moment I activated hardware keyboard. Since that it doesn't work anymore again. I'm using Sony Xperia mini pro with qwerty hardware keyboard.



And I have a question: Seems like the old mainboard was not dead completely, perhaps only battery management circuits failed. If I connected the phone to a PC, it did detect it. In this situation, would someone examining the board be able to extract the private key? If yes, it would be worthwhile to add passphrase encryption to bitcoinspinner.
If you have access to the mainboard and the right skills/equipment I am pretty sure that you can get to the keys. However, encrypting the keys with the 6 digit PIN doesn't really help, as brute forcing it is trivial. Having the user enter a very long passphrase on a phone is not feasible (you need about 128 bits of entropy), and people are notoriously bad at choosing "safe" passwords.
If you use BitcoinSpinner to store more coins than you are comfortable losing from a physical attack I suggest that you have two different backup QR-codes. Switching between them is as easy as scanning a QR-code. Once you scan a different backup the old keys are overwritten.
This is what I do myself, and it works really well.
I meant the server can verify pin code and enforce delays if there are too many unsuccessful tries.

CoinBr.com: First online MPEx brokerage launched beta! Easy to use interface and reasonable fees. Charts for MPEx stocks: live.coinbr.com * My Blog *
molecular
November 19, 2012, 06:55:02 PM
 #310

I don't understand what you mean with 2 qr-code backups?

I have two different QR-code backups for BitcoinSpinner, each is for a different wallet (savings/spending wallet)
Whenever I am running low on coins on my spending wallet I do this (at home):
1) restore the backup of my savings wallet by scanning a QR-code
2) send some coins to my spending wallet (I have the address in my address book)
3) restore the backup of my spending wallet

Whenever you restore a wallet the previous wallet is wiped from the device. This way no one can get to my savings wallet unless they do a firehose attack in my home.

The way to create two QR-code backups:
1) Install BitcoinSpinner
2) Make QR-code backup
3) uninstall BitcoinSpinner
4) Install BitcoinSpinner (new random address generated in each install)
5) Make QR-code backup

Now you can switch back and forth by just scanning a QR-code.  Grin

uhm ok, jan. I can see why you would use bitcoinspinner as savings wallet. I don't. I have 4 levels of wallets:

  • brainwallet for long-term savings
  • satoshi client for mid-term stuff and to retain glorious early mining history (I actually mined a block solo)
  • electrum for shopping or whatever, everyday use
  • bitcoinspinner for on-the-go action

I'll load up bitcoinspinner with what I suspect I could need before getting back home. As you saw personally in London when you looked at my phone this can be quite a lot, though Wink

I want to retract my suggestion of "alternating pins", because I have found a nice workaround:

  • enter first half of PIN
  • turn 180 degrees
  • enter second half of PIN

thanks for your consideration, though.

keep it simple ;>

PGP key molecular F9B70769 fingerprint 9CDD C0D3 20F8 279F 6BE0  3F39 FC49 2362 F9B7 0769
Jan
November 19, 2012, 09:25:36 PM
 #311

I have restarted the phone, however the problem persists, did a screenshot. After I reinstalled bitcoinspinner and restored the backup, the button worked until the moment I activated hardware keyboard. Since that it doesn't work anymore again. I'm using Sony Xperia mini pro with qwerty hardware keyboard.
Hmm... seems to be related to the hardware keyboard. I have a device with a hardware keyboard that I normally never use. I'll try it out and see if I can reproduce it. Thanks for the report.

Mycelium lets you hold your private keys private.
Jan
November 19, 2012, 09:28:48 PM
 #312

I don't understand what you mean with 2 qr-code backups?

I have two different QR-code backups for BitcoinSpinner, each is for a different wallet (savings/spending wallet)
Whenever I am running low on coins on my spending wallet I do this (at home):
1) restore the backup of my savings wallet by scanning a QR-code
2) send some coins to my spending wallet (I have the address in my address book)
3) restore the backup of my spending wallet

Whenever you restore a wallet the previous wallet is wiped from the device. This way no one can get to my savings wallet unless they do a firehose attack in my home.

The way to create two QR-code backups:
1) Install BitcoinSpinner
2) Make QR-code backup
3) uninstall BitcoinSpinner
4) Install BitcoinSpinner (new random address generated in each install)
5) Make QR-code backup

Now you can switch back and forth by just scanning a QR-code.  Grin

uhm ok, jan. I can see why you would use bitcoinspinner as savings wallet. I don't. I have 4 levels of wallets:

  • brainwallet for long-term savings
  • satoshi client for mid-term stuff and to retain glorious early mining history (I actually mined a block solo)
  • electrum for shopping or whatever, everyday use
  • bitcoinspinner for on-the-go action

I'll load up bitcoinspinner with what I suspect I could need before getting back home. As you saw personally in London when you looked at my phone this can be quite a lot, though Wink

I want to retract my suggestion of "alternating pins", because I have found a nice workaround:

  • enter first half of PIN
  • turn 180 degrees
  • enter second half of PIN

thanks for your consideration, though.

keep it simple ;>
Wow, solomining, I wish I was around back in those days.
Nice PIN workaround  Wink
Keeping BitcoinSpinner simple and secure is on the top of my list.

Mycelium lets you hold your private keys private.
molecular
November 19, 2012, 09:33:55 PM
 #313

keep it simple ;>
Quote
Wow, solomining, I wish I was around back in those days.
Nice PIN workaround  Wink
Keeping BitcoinSpinner simple and secure is on the top of my list.

you're on the right track, don't fuck it up by listening to weird suggestions like mine ;>


PGP key molecular F9B70769 fingerprint 9CDD C0D3 20F8 279F 6BE0  3F39 FC49 2362 F9B7 0769
nibor
November 23, 2012, 12:42:08 AM
 #314

Hi Jan,

Are you planning on open sourcing or at least providing the server to selected individuals so that redundancy can be achieved by community effort?
I am currently in negotiations with a company in the Bitcoin world around this. I am sorry, but I cannot say more right now.

Someone has released an opensource backend..

https://bitcointalk.org/index.php?topic=122013.0
ScriptGadget
November 24, 2012, 02:21:55 AM
 #315

Is there a server outage or problem about now?
I made a transaction at 5:11 Pacific time (for 0.40950000) and an hour later it's still unconfirmed.
The transaction doesn't show up in block explorer.
The app seems to think it's talking to the server just fine and I'm not having any network trouble.

The wallet address is: 152U2YVT27mWTbnDT5XnWxeGSjmr2Dk9e5

My Canary: I will never ask for a loan or offer escrow services. If someone does with this account, consider it compromised.
Jan
November 24, 2012, 06:25:07 AM
 #316

Is there a server outage or problem about now?
I made a transaction at 5:11 Pacific time (for 0.40950000) and an hour later it's still unconfirmed.
The transaction doesn't show up in block explorer.
The app seems to think it's talking to the server just fine and I'm not having any network trouble.

The wallet address is: 152U2YVT27mWTbnDT5XnWxeGSjmr2Dk9e5
Block tracking stalled for some reason. It is currently catching up, I'll look into the reason why.

Mycelium lets you hold your private keys private.
ScriptGadget
November 24, 2012, 07:07:42 AM
 #317

Thanks for looking into it so fast. Whatever you did to clear the old transaction worked and the second attempt went through.

My Canary: I will never ask for a loan or offer escrow services. If someone does with this account, consider it compromised.
Dabs
November 26, 2012, 05:41:24 AM
 #318

Just guard your phone from eavesdroppers the same way you cover the keypad when at a bank ATM machine withdrawing money. The pin is just to slow down any attack. When you suspect that someone is trying to get your coins (trying to crack your PIN), you simply send all of them to another new wallet.

The only other attack I can think of against BitcoinSpinner is extracting your backup wallet which is the same as getting your private key, which is probably more a problem of your phone or OS more than the software itself, (or if some malware gets root on your android phone, because of some stupid game you installed that wasn't in the google play store, that you picked up from some random web site = this is now user error.)

64blocks.com Social Multiplayer Dice (Gambling) - Escrow Service (Services) - GPG ID: 32AD7565, OTC ID: Dabs
All messages concerning escrow or with bitcoin addresses are GPG signed. Please verify.
CompTIA A+, Microsoft Certified Professional, MCSA: Windows 10; Windows Server 2012, MCSE: Cloud Platform and Infrastructure; Productivity; Messaging
molecular
November 27, 2012, 09:52:22 AM
 #319

The only other attack I can think of against BitcoinSpinner is extracting your backup wallet which is the same as getting your private key, which is probably more a problem of your phone or OS more than the software itself, (or if some malware gets root on your android phone, because of some stupid game you installed that wasn't in the google play store, that you picked up from some random web site = this is now user error.)

Isn't the key encrypted with the pin when stored on non-volatile mem?

I know Jan said it's trivial to brute-force that, but still, it'll add some time, right?

PGP key molecular F9B70769 fingerprint 9CDD C0D3 20F8 279F 6BE0  3F39 FC49 2362 F9B7 0769
prezbo
November 27, 2012, 09:55:33 AM
 #320

The only other attack I can think of against BitcoinSpinner is extracting your backup wallet which is the same as getting your private key, which is probably more a problem of your phone or OS more than the software itself, (or if some malware gets root on your android phone, because of some stupid game you installed that wasn't in the google play store, that you picked up from some random web site = this is now user error.)

Isn't the key encrypted with the pin when stored on non-volatile mem?

I know Jan said it's trivial to brute-force that, but still, it'll add some time, right?
If someone gets to it, it would take a minute to write a script AND bruteforce the password. No security there. Where it does help is, if someone steals your phone, they actually have to connect it to a computer and copy the necessary data in order to get to the key, possibly giving you enough time to restore from backup and clear the wallet.
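
Added example, not written by any poster in this thread and not BitcoinSpinner code: a work-factor estimate for the three options discussed above (a 6-digit PIN protecting the stored key, a passphrase with about 128 bits of entropy, and a server that verifies the PIN and enforces delays). PBKDF2-HMAC-SHA256 as the key-stretching function, the iteration count, the worker counts and the lockout schedule are all assumptions; the thread does not say how BitcoinSpinner encrypts the key.

```python
import hashlib
import math
import os
import time

PIN_KEYSPACE = 10 ** 6  # 6 decimal digits, as discussed in the thread


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random secret of `length` symbols."""
    return length * math.log2(alphabet_size)


def length_for_bits(alphabet_size: int, bits: int = 128) -> int:
    """Symbols a uniformly random secret needs to reach `bits` of entropy."""
    return math.ceil(bits / math.log2(alphabet_size))


def measure_kdf_seconds(iterations: int, samples: int = 3) -> float:
    """Best-of-N wall time of one PBKDF2-HMAC-SHA256 derivation on this machine."""
    salt = os.urandom(16)  # constructed input, not real wallet data
    best = float("inf")
    for _ in range(samples):
        start = time.perf_counter()
        hashlib.pbkdf2_hmac("sha256", b"000000", salt, iterations)
        best = min(best, time.perf_counter() - start)
    return best


def offline_exhaust_seconds(keyspace: int, seconds_per_guess: float, workers: int = 1) -> float:
    """Worst-case time to cover the keyspace once the encrypted key has been copied."""
    return keyspace * seconds_per_guess / workers


def unlock_delay_needed(keyspace: int, target_seconds: float, workers: int = 1) -> float:
    """KDF cost per unlock the owner must accept for the keyspace to last target_seconds."""
    return target_seconds * workers / keyspace


def throttled_exhaust_seconds(keyspace, free_attempts=3, base_delay=1.0, max_delay=3600.0):
    """Worst case when a server checks the PIN and doubles the wait after each failure."""
    total, delay = 0.0, base_delay
    for attempt in range(free_attempts, keyspace):
        if delay >= max_delay:  # cap reached: every remaining guess waits max_delay
            total += (keyspace - attempt) * max_delay
            break
        total += delay
        delay *= 2
    return total


if __name__ == "__main__":
    year = 365 * 24 * 3600
    cost = measure_kdf_seconds(100_000)  # assumed iteration count
    print(f"6-digit PIN entropy: {entropy_bits(10, 6):.1f} bits")
    print(f"digits needed for 128 bits: {length_for_bits(10)}")
    print(f"alphanumeric characters needed for 128 bits: {length_for_bits(62)}")
    print(f"KDF cost here: {cost * 1000:.1f} ms per derivation")
    print(f"offline, 1 worker: {offline_exhaust_seconds(PIN_KEYSPACE, cost) / 3600:.1f} h")
    print(f"offline, 1000 workers: {offline_exhaust_seconds(PIN_KEYSPACE, cost, 1000) / 60:.1f} min")
    print(f"unlock delay for PIN to last 1 year vs 1 worker: {unlock_delay_needed(PIN_KEYSPACE, year):.1f} s")
    print(f"server-throttled worst case: {throttled_exhaust_seconds(PIN_KEYSPACE) / year:.0f} years")
```

The numbers show why key stretching alone cannot rescue a 20-bit secret once the encrypted key leaves the device, while attempt limits only help if the party enforcing them is one the attacker cannot bypass.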