Jan (OP)
Legendary
Offline
Activity: 1043
Merit: 1002
|
|
November 15, 2012, 10:08:09 AM |
|
Hi Jan,
Are you planning on open sourcing or at least providing the server to selected individuals so that redundancy can be achieved by community effort?
I am currently in negotiations with a company in the Bitcoin world around this. I am sorry, but I cannot say more right now.
|
Mycelium lets you hold your private keys private.
|
|
|
Richy_T
Legendary
Offline
Activity: 2576
Merit: 2267
1RichyTrEwPYjZSeAYxeiFBNnKC9UjC5k
|
|
November 15, 2012, 02:54:08 PM |
|
Hi Jan,
thank you for your effort.
What will happen if the server is not reachable? Will the BitcoinSpinner app also malfunction? Can I have access to my bitcoin wallet and bitcoins?
What happens in this case?
Regards, pazor
You should make sure to export the private key in any case. Then you can simply use a different wallet should bitcoinspinner fail in any way and for whatever reason.
|
|
|
|
rini17
|
|
November 18, 2012, 07:51:17 PM |
|
Hello,
my phone came from warranty repair with replaced mainboard (= completely wiped), I upgraded it to android 4, reinstalled bitcoinspinner and restored it from backup. Now all looks fine, only the "Send Bitcoins" stays always disabled, no matter what amount I put in.
Version 0.7.3b System version: 4.0.4
And I have a question: Seems like the old mainboard was not dead completely, perhaps only battery management circuits failed. If I connected the phone to a PC, it did detect it. In this situation, would someone examining the board be able to extract the private key? If yes, it would be worthwhile to add passphrase encryption to bitcoinspinner.
|
|
|
|
Jan (OP)
|
|
November 18, 2012, 09:35:34 PM |
|
Hello,
my phone came from warranty repair with replaced mainboard (= completely wiped), I upgraded it to android 4, reinstalled bitcoinspinner and restored it from backup. Now all looks fine, only the "Send Bitcoins" stays always disabled, no matter what amount I put in.
Version 0.7.3b System version: 4.0.4
Good to hear that your bitcoins survived a mainboard replacement. I haven't heard about the Send button being permanently disabled before. Try and restart BitcoinSpinner (it is not enough to exit the application). You can stop apps somewhere in system settings, or alternatively restart the phone. Let me know whether that helps.
And I have a question: Seems like the old mainboard was not dead completely, perhaps only battery management circuits failed. If I connected the phone to a PC, it did detect it. In this situation, would someone examining the board be able to extract the private key? If yes, it would be worthwhile to add passphrase encryption to bitcoinspinner.
If you have access to the mainboard and the right skills/equipment I am pretty sure that you can get to the keys. However, encrypting the keys with the 6 digit PIN doesn't really help, as brute forcing it is trivial. Having the user enter a very long passphrase on a phone is not feasible (you need about 128 bits of entropy), and people are notoriously bad at choosing "safe" passwords. If you use BitcoinSpinner to store more coins than you are comfortable losing from a physical attack I suggest that you have two different backup QR-codes. Switching between them is as easy as scanning a QR-code. Once you scan a different backup the old keys are overwritten. This is what I do myself, and it works really well. Instead I suggest that you To be on the safe side you should move your coins. If you reinstall BitcoinSpinner it will generate a new address
|
|
|
|
molecular
Donator
Legendary
Offline
Activity: 2772
Merit: 1019
|
|
November 19, 2012, 01:47:33 PM |
|
I recently had an idea:
how about having 2 pins which have to be entered alternatingly.
That way, if some dude sees you enter pin and takes your phone it won't help him because next time he'll need the other one and you have enough time to move the coins.
|
PGP key molecular F9B70769 fingerprint 9CDD C0D3 20F8 279F 6BE0 3F39 FC49 2362 F9B7 0769
|
|
|
Jan (OP)
|
|
November 19, 2012, 01:57:17 PM |
|
I recently had an idea:
how about having 2 pins which have to be entered alternatingly.
That way, if some dude sees you enter pin and takes your phone it won't help him because next time he'll need the other one and you have enough time to move the coins.
Hmm.. I am not sure I like it. If some guy can observe you enter one PIN he can also observe you enter two. Also, I'll have to remember two PINs, and get frustrated whenever I enter the wrong one, which will happen 50% of the time as I cannot possibly remember which one I used last time. In the end my head will explode. In the end I think it is much better to have two QR-code backups. The one with the large amount is only loaded briefly to recharge the other.
|
|
|
|
molecular
|
|
November 19, 2012, 02:02:31 PM |
|
I recently had an idea:
how about having 2 pins which have to be entered alternatingly.
That way, if some dude sees you enter pin and takes your phone it won't help him because next time he'll need the other one and you have enough time to move the coins.
Hmm.. I am not sure I like it. If some guy can observe you enter one PIN he can also observe you enter two. Also, I'll have to remember two PINs, and get frustrated whenever I enter the wrong one, which will happen 50% of the time as I cannot possibly remember which one I used last time. In the end my head will explode. In the end I think it is much better to have two QR-code backups. The one with the large amount is only loaded briefly to recharge the other.
The situation in which this occurred to me was when I was selling some bitcoin to a dude at a McDonalds. He could well have had a friend behind me observing me input the pin. He would only get one chance at this. Spinner could display "enter pin #1" or "enter pin #2" to alleviate the second problem. Alternating-PIN should of course be optional.
I don't understand what you mean with 2 qr-code backups?
|
|
|
|
Jan (OP)
|
|
November 19, 2012, 02:19:51 PM |
|
I don't understand what you mean with 2 qr-code backups?
I have two different QR-code backups for BitcoinSpinner, each is for a different wallet (savings/spending wallet).
Whenever I am running low on coins on my spending wallet I do this (at home):
1) restore the backup of my savings wallet by scanning a QR-code
2) send some coins to my spending wallet (I have the address in my address book)
3) restore the backup of my spending wallet
Whenever you restore a wallet the previous wallet is wiped from the device. This way no one can get to my savings wallet unless they do a firehose attack in my home.
The way to create two QR-code backups:
1) Install BitcoinSpinner
2) Make QR-code backup
3) uninstall BitcoinSpinner
4) Install BitcoinSpinner (new random address generated in each install)
5) Make QR-code backup
Now you can switch back and forth by just scanning a QR-code.
|
|
|
|
rini17
|
|
November 19, 2012, 06:53:40 PM |
|
Hello,
my phone came from warranty repair with replaced mainboard (= completely wiped), I upgraded it to android 4, reinstalled bitcoinspinner and restored it from backup. Now all looks fine, only the "Send Bitcoins" stays always disabled, no matter what amount I put in.
Version 0.7.3b System version: 4.0.4
Good to hear that your bitcoins survived a mainboard replacement. I haven't heard about the Send button being permanently disabled before. Try and restart BitcoinSpinner (it is not enough to exit the application). You can stop apps somewhere in system settings, or alternatively restart the phone. Let me know whether that helps.
I have restarted the phone, however problem persists, did a screenshot. After I reinstalled bitcoinspinner and restored the backup, the button worked until the moment I activated hardware keyboard. Since that it doesn't work anymore again. I'm using Sony Xperia mini pro with qwerty hardware keyboard.
And I have a question: Seems like the old mainboard was not dead completely, perhaps only battery management circuits failed. If I connected the phone to a PC, it did detect it. In this situation, would someone examining the board be able to extract the private key? If yes, it would be worthwhile to add passphrase encryption to bitcoinspinner.
If you have access to the mainboard and the right skills/equipment I am pretty sure that you can get to the keys. However, encrypting the keys with the 6 digit PIN doesn't really help, as brute forcing it is trivial. Having the user enter a very long passphrase on a phone is not feasible (you need about 128 bits of entropy), and people are notoriously bad at choosing "safe" passwords. If you use BitcoinSpinner to store more coins than you are comfortable losing from a physical attack I suggest that you have two different backup QR-codes. Switching between them is as easy as scanning a QR-code. Once you scan a different backup the old keys are overwritten. This is what I do myself, and it works really well.
I meant the server can verify pin code and enforce delays if there are too many unsuccessful tries.
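The server-side PIN check with enforced delays suggested in the post above can be sketched as follows. This is an added example, not BitcoinSpinner code and not something posted in the thread; the class `PinThrottle`, its parameters and the sample PIN are hypothetical. It assumes the wallet key cannot be decrypted without the server's approval, because a throttle does nothing once the encrypted key itself can be tested offline.

```python
import hashlib
import hmac
import os


class PinThrottle:
    """Hypothetical server-side PIN check that slows down repeated wrong guesses."""

    def __init__(self, pin, free_tries=3, base_delay=30, max_delay=86_400):
        self._salt = os.urandom(16)
        self._digest = self._hash(pin)   # the server never stores the PIN itself
        self.free_tries = free_tries     # locking starts at this many failures in a row
        self.base_delay = base_delay     # first lock, in seconds
        self.max_delay = max_delay       # cap on a single lock (one day)
        self.failures = 0
        self.locked_until = 0.0

    def _hash(self, pin):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 50_000)

    def delay_after(self, failures):
        """Lock length after `failures` consecutive wrong PINs: doubles up to the cap."""
        if failures < self.free_tries:
            return 0
        doublings = min(failures - self.free_tries, 40)  # keep the exponent small
        return min(self.base_delay * 2 ** doublings, self.max_delay)

    def verify(self, pin, now):
        """Return "ok", "wrong" or "locked"; `now` is a timestamp in seconds."""
        if now < self.locked_until:
            return "locked"              # refused without checking the PIN
        if hmac.compare_digest(self._hash(pin), self._digest):
            self.failures = 0
            return "ok"
        self.failures += 1
        self.locked_until = now + self.delay_after(self.failures)
        return "wrong"


def seconds_to_exhaust(throttle, keyspace=10 ** 6):
    """Total enforced waiting if every PIN but the last in the keyspace is wrong."""
    return sum(throttle.delay_after(n) for n in range(1, keyspace))


if __name__ == "__main__":
    server = PinThrottle("482913")       # constructed sample PIN
    for t, guess in enumerate(["000000", "000001", "000002"]):
        print(t, guess, server.verify(guess, now=t))
    print(10, "482913", server.verify("482913", now=10))   # still locked
    print(32, "482913", server.verify("482913", now=32))   # lock expired
    years = seconds_to_exhaust(server) / (365 * 86_400)
    print(f"all 6-digit PINs: about {years:.0f} years of enforced delay")
```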
|
|
|
|
molecular
|
|
November 19, 2012, 06:55:02 PM |
|
I don't understand what you mean with 2 qr-code backups?
I have two different QR-code backups for BitcoinSpinner, each is for a different wallet (savings/spending wallet).
Whenever I am running low on coins on my spending wallet I do this (at home):
1) restore the backup of my savings wallet by scanning a QR-code
2) send some coins to my spending wallet (I have the address in my address book)
3) restore the backup of my spending wallet
Whenever you restore a wallet the previous wallet is wiped from the device. This way no one can get to my savings wallet unless they do a firehose attack in my home.
The way to create two QR-code backups:
1) Install BitcoinSpinner
2) Make QR-code backup
3) uninstall BitcoinSpinner
4) Install BitcoinSpinner (new random address generated in each install)
5) Make QR-code backup
Now you can switch back and forth by just scanning a QR-code.
uhm ok, jan. I can see why you would use bitcoinspinner as savings wallet. I don't. I have 4 levels of wallets:
- brainwallet for long-term savings
- satoshi client for mid-term stuff and to retain glorious early mining history (I actually mined a block solo)
- electrum for shopping or whatever, everyday use
- bitcoinspinner for on-the-go action
I'll load up bitcoinspinner with what I suspect I could need before getting back home. As you saw personally in London when you looked at my phone this can be quite a lot, though I want to retract my suggestion of "alternating pins", because I have found a nice workaround:
- enter first half of PIN
- turn 180 degrees
- enter second half of PIN
thanks for your consideration, though. keep it simple ;>
|
|
|
|
Jan (OP)
|
|
November 19, 2012, 09:25:36 PM |
|
I have restarted the phone, however problem persists, did a screenshot. After I reinstalled bitcoinspinner and restored the backup, the button worked until the moment I activated hardware keyboard. Since that it doesn't work anymore again. I'm using Sony Xperia mini pro with qwerty hardware keyboard.
Hmm... seems to be related to the hardware keyboard. I have a device with a hardware keyboard that I normally never use. I'll try it out and see if I can reproduce it. Thanks for the report.
|
|
|
|
Jan (OP)
|
|
November 19, 2012, 09:28:48 PM |
|
I don't understand what you mean with 2 qr-code backups?
I have two different QR-code backups for BitcoinSpinner, each is for a different wallet (savings/spending wallet).
Whenever I am running low on coins on my spending wallet I do this (at home):
1) restore the backup of my savings wallet by scanning a QR-code
2) send some coins to my spending wallet (I have the address in my address book)
3) restore the backup of my spending wallet
Whenever you restore a wallet the previous wallet is wiped from the device. This way no one can get to my savings wallet unless they do a firehose attack in my home.
The way to create two QR-code backups:
1) Install BitcoinSpinner
2) Make QR-code backup
3) uninstall BitcoinSpinner
4) Install BitcoinSpinner (new random address generated in each install)
5) Make QR-code backup
Now you can switch back and forth by just scanning a QR-code.
uhm ok, jan. I can see why you would use bitcoinspinner as savings wallet. I don't. I have 4 levels of wallets:
- brainwallet for long-term savings
- satoshi client for mid-term stuff and to retain glorious early mining history (I actually mined a block solo)
- electrum for shopping or whatever, everyday use
- bitcoinspinner for on-the-go action
I'll load up bitcoinspinner with what I suspect I could need before getting back home. As you saw personally in London when you looked at my phone this can be quite a lot, though I want to retract my suggestion of "alternating pins", because I have found a nice workaround:
- enter first half of PIN
- turn 180 degrees
- enter second half of PIN
thanks for your consideration, though. keep it simple ;>
Wow, solomining, I wish I was around back in those days. Nice PIN workaround. Keeping BitcoinSpinner simple and secure is on the top of my list.
|
|
|
|
molecular
|
|
November 19, 2012, 09:33:55 PM Last edit: November 23, 2012, 10:18:20 AM by molecular |
|
keep it simple ;>
Wow, solomining, I wish I was around back in those days. Nice PIN workaround. Keeping BitcoinSpinner simple and secure is on the top of my list.
you're on the right track, don't fuck it up by listening to weird suggestions like mine ;>
|
|
|
|
nibor
|
|
November 23, 2012, 12:42:08 AM |
|
Hi Jan,
Are you planning on open sourcing or at least providing the server to selected individuals so that redundancy can be achieved by community effort?
I am currently in negotiations with a company in the Bitcoin world around this. I am sorry, but I cannot say more right now.
Someone has released an opensource backend: https://bitcointalk.org/index.php?topic=122013.0
|
|
|
|
ScriptGadget
Newbie
Offline
Activity: 49
Merit: 0
|
|
November 24, 2012, 02:21:55 AM |
|
Is there a server outage or problem about now? I made a transaction at 5:11 Pacific time (for 0.40950000) and an hour later it's still unconfirmed. The transaction doesn't show up in block explorer. The app seems to think it's talking to the server just fine and I'm not having any network trouble.
The wallet address is: 152U2YVT27mWTbnDT5XnWxeGSjmr2Dk9e5
|
|
|
|
Jan (OP)
|
|
November 24, 2012, 06:25:07 AM |
|
Is there a server outage or problem about now? I made a transaction at 5:11 Pacific time (for 0.40950000) and an hour later it's still unconfirmed. The transaction doesn't show up in block explorer. The app seems to think it's talking to the server just fine and I'm not having any network trouble.
The wallet address is: 152U2YVT27mWTbnDT5XnWxeGSjmr2Dk9e5
Block tracking stalled for some reason. It is currently catching up, I'll look into the reason why.
|
|
|
|
ScriptGadget
|
|
November 24, 2012, 07:07:42 AM |
|
Thanks for looking into it so fast. Whatever you did to clear the old transaction worked and the second attempt went through.
|
|
|
|
Dabs
Legendary
Offline
Activity: 3416
Merit: 1912
The Concierge of Crypto
|
|
November 26, 2012, 05:41:24 AM |
|
Just guard your phone from eavesdroppers the same way you cover the keypad when at a bank ATM machine withdrawing money. The pin is just to slow down any attack. When you suspect that someone is trying to get your coins (trying to crack your PIN), you simply send all of them to another new wallet.
The only other attack I can think of against BitcoinSpinner is extracting your backup wallet which is the same as getting your private key, which is probably more a problem of your phone or OS more than the software itself, (or if some malware gets root on your android phone, because of some stupid game you installed that wasn't in the google play store, that you picked up from some random web site = this is now user error.)
|
|
|
|
molecular
|
|
November 27, 2012, 09:52:22 AM |
|
The only other attack I can think of against BitcoinSpinner is extracting your backup wallet which is the same as getting your private key, which is probably more a problem of your phone or OS more than the software itself, (or if some malware gets root on your android phone, because of some stupid game you installed that wasn't in the google play store, that you picked up from some random web site = this is now user error.)
Isn't the key encrypted with the pin when stored on non-volatile mem? I know Jan said it's trivial to brute-force that, but still, it'll add some time, right?
|
|
|
|
prezbo
|
|
November 27, 2012, 09:55:33 AM |
|
The only other attack I can think of against BitcoinSpinner is extracting your backup wallet which is the same as getting your private key, which is probably more a problem of your phone or OS more than the software itself, (or if some malware gets root on your android phone, because of some stupid game you installed that wasn't in the google play store, that you picked up from some random web site = this is now user error.)
Isn't the key encrypted with the pin when stored on non-volatile mem? I know Jan said it's trivial to brute-force that, but still, it'll add some time, right?
If someone gets to it, it would take a minute to write a script AND bruteforce the password. No security there. Where it does help is, if someone steals your phone, they actually have to connect it to a computer and copy the necessary data in order to get to the key, possibly giving you enough time to restore from backup and clear the wallet.
|
|
|
|
|