giszmo
Legendary
Offline
Activity: 1862
Merit: 1105
WalletScrutiny.com
July 04, 2013, 06:58:53 PM
Nooo!!! Please don't! The privacy implications of having control not to mix keys when sending is quite valuable. Sure, getting the change back to the same key is a privacy drawback but please think up something that solves both issues.
please bring forth your suggestions on how to solve this.
I would if it was easy. Just wanted to raise voice to what we lose by changing the behavior. On bitcoinqt I generate a new address for each incoming transaction and label them accordingly, so I have "[from eric for his $x pizza] received yɃ from [eric]". This way I kind of label the transaction. Handling with only few addresses, I would want to label the transactions, too, so the current design is far from perfect for me. Maybe some "Insufficient funds in the currently selected address. [add random addresses [check to make default]] [add specific addresses [check to make default]]". "Problem" is the sender would think to be sending from his Giszmo address but as Giszmo is at 0Ƀ, Giszmo would not show up at all in the resulting transaction. It's really tricky. You don't have "Balance 2Ƀ (total: 5Ƀ)" but "Balance 2Ƀ (total: 5Ƀ, spendable: 1Ƀ)" with "Balance [current address]Ƀ (total: [all addresses]Ƀ, spendable: [addresses with private key ready]Ƀ)". Oh, and this will be funny, if users keep their private keys off the device all of the time and for some transactions have to show to the device 5 addresses for the signing process. Also I want a swipe all functionality to consolidate all keys into one, leaving exactly zero in all the addresses paying minimum fees.
regarding the new apk attack: obviously it is necessary to patch it. BUT the way i see it currently the following can happen:
user downloads an apk. any MITM could now alter the apk. with "regular" apps this is also not a problem, except if they use other exploits.
it is a problem if the user downloads a "system" apk and installs it. for example an update to HTC sense. if an attacker now manages to modify the apk before it is installed - for example via malware on the server, a router or an intermediary PC - he can execute whatever code he likes with the access privileges of the original app.
i still don't know why play store is unaffected - it is kind of hard to MITM play store downloads and additionally the play store installer might do some more checksum checking.
An admin in the play store is the worst case I could think of, and on the long run I guess it's very likely to have all such wallets get wiped out in some incident. The reward is just too huge to not do it. (Ok, so far all huge hacks went without spending their coins but with ZeroCoin they become spendable again and I'm sure some day we will have that.)
WalletScrutiny.com | Is your wallet secure? (Methodology) WalletScrutiny checks if wallet builds are reproducible, a precondition for code audits to be of value.
apetersson
July 05, 2013, 08:01:23 AM
An admin in the play store is the worst case I could think of, and on the long run I guess it's very likely to have all such wallets get wiped out in some incident. The reward is just too huge to not do it.
For now, the best you can do is have your keys on a paper wallet. We will further improve usability when spending from paper wallets. I think you will see more product offerings from Mycelium in the future that eliminate even these threats.
giszmo
Legendary
Offline
Activity: 1862
Merit: 1105
WalletScrutiny.com
July 05, 2013, 03:15:43 PM
An admin in the play store is the worst case I could think of, and on the long run I guess it's very likely to have all such wallets get wiped out in some incident. The reward is just too huge to not do it.
For now, the best you can do is have your keys on a paper wallet. We will further improve usability when spending from paper wallets.
Well, the second best is to compile mycelium on my own box, so it doesn't get updated itself. An admin taking a different app to attack would need to infect many more phones.
I think you will see more product offerings from Mycelium in the future that eliminate even these threats.
I'm eagerly waiting for the bitcoincard to come real and count me in to buy one if the conditions are ok (security without third party risk but with backup?, price below $40, usability, etc). To my big surprise a friend told me it already is!?!? He told me he saw a map of many of these cards being active in some area!?!? I couldn't find such a map.
hgmichna
July 05, 2013, 03:29:35 PM
I'm eagerly waiting for the bitcoincard to come real and count me in to buy one if the conditions are ok (security without third party risk but with backup?, price below $40, usability, etc). To big surprise a friend told me it already is!?!? …
Be very careful. Fraudsters could offer such a card on a shiny web page, knowing full well how much many people are longing for one.
Jan (OP)
Legendary
Offline
Activity: 1043
Merit: 1002
July 05, 2013, 03:51:08 PM
I'm eagerly waiting for the bitcoincard to come real and count me in to buy one if the conditions are ok (security without third party risk but with backup?, price below $40, usability, etc). To big surprise a friend told me it already is!?!? …
Be very careful. Fraudsters could offer such a card on a shiny web page, knowing full well how much many people are longing for one.
Andreas and I are part of the team developing bitcoincard. Prototype hw was shown at the San Jose conference, but there are no devices in circulation. Here is the official page: http://bitcoincard.org/ Content is partially outdated, but will be updated once we are ready.
Mycelium lets you hold your private keys private.
hgmichna
July 05, 2013, 09:16:40 PM
Be very careful. Fraudsters could offer such a card on a shiny web page, knowing full well how much many people are longing for one.
Andreas and I are part of the team developing bitcoincard. Prototype hw was shown at the San Jose conference, but there are no devices in circulation. Here is the official page: http://bitcoincard.org/ Content is partially outdated, but will be updated once we are ready.
Ah, I thought you were talking about a bitcoin-based credit or debit card. Now I know what you mean. Yes, a hardware wallet is a very interesting development. I hope that would finally be a safer way to handle bitcoins, not to mention possible additional functions.
phelix
Legendary
Offline
Activity: 1708
Merit: 1020
July 06, 2013, 09:22:22 AM
I guess mycelium wallet is a commercial project?
molecular
Donator
Legendary
Offline
Activity: 2772
Merit: 1019
July 07, 2013, 09:48:33 AM
Jan, for a vacation week, you're posting quite a lot
Woops... Guilty. I am not coding, posting is different
yes, it's easier and less rewarding.
PGP key molecular F9B70769 fingerprint 9CDD C0D3 20F8 279F 6BE0 3F39 FC49 2362 F9B7 0769
giszmo
Legendary
Offline
Activity: 1862
Merit: 1105
WalletScrutiny.com
July 07, 2013, 02:00:23 PM
I guess mycelium wallet is a commercial project?
I guess so, too but the client is open source with an easy-ish API, so you could make some server fit to it. The client does not connect to standard nodes yet and the mycelium people don't intend to implement such a part.
Jan (OP)
Legendary
Offline
Activity: 1043
Merit: 1002
July 07, 2013, 03:21:39 PM
I guess mycelium wallet is a commercial project?
Yes. However, the wallet is free and the sources available. We are also working on the Mycelium Payment System, which allows physical shops to:
- Sell products/services for BTC
- Sell BTC back to customers
- Buy BTC from customers
All in all things that let your local Bitcoin economy flourish. The Mycelium Payment System was demoed at the San Jose conference but is not fully developed yet. We develop the wallet because we believe that better mobile wallets are needed, and we are going to integrate the wallet with our payment system (locate shops, view invoices in transaction history, etc), while letting it be the greatest mobile Bitcoin wallet on the planet. The Mycelium Bitcoin Wallet and Mycelium Payment System are not ready for primetime yet, but we are constantly getting closer. If you are looking for candidates for Commercial Product of the Month I think it would be better if we get nominated in one or two months.
giszmo
Legendary
Offline
Activity: 1862
Merit: 1105
WalletScrutiny.com
July 07, 2013, 04:12:48 PM
How do you want to approach shops? Would you need a representative in Chile?
phelix
Legendary
Offline
Activity: 1708
Merit: 1020
July 07, 2013, 09:09:22 PM
I guess mycelium wallet is a commercial project?
Yes. However, the wallet is free and the sources available. We are also working on the Mycelium Payment System, which allows physical shops to:
- Sell products/services for BTC
- Sell BTC back to customers
- Buy BTC from customers
All in all things that let your local Bitcoin economy flourish. The Mycelium Payment System was demoed at the San Jose conference but is not fully developed yet. We develop the wallet because we believe that better mobile wallets are needed, and we are going to integrate the wallet with our payment system (locate shops, view invoices in transaction history, etc), while letting it be the greatest mobile Bitcoin wallet on the planet. The Mycelium Bitcoin Wallet and Mycelium Payment System are not ready for primetime yet, but we are constantly getting closer. If you are looking for candidates for Commercial Product of the Month I think it would be better if we get nominated in one or two months.
Thanks for the info. Good idea to make every shop an exchange.
giszmo
Legendary
Offline
Activity: 1862
Merit: 1105
WalletScrutiny.com
July 08, 2013, 12:46:31 AM
I guess mycelium wallet is a commercial project?
Yes. However, the wallet is free and the sources available. We are also working on the Mycelium Payment System, which allows physical shops to:
- Sell products/services for BTC
- Sell BTC back to customers
- Buy BTC from customers
All in all things that let your local Bitcoin economy flourish. The Mycelium Payment System was demoed at the San Jose conference but is not fully developed yet. We develop the wallet because we believe that better mobile wallets are needed, and we are going to integrate the wallet with our payment system (locate shops, view invoices in transaction history, etc), while letting it be the greatest mobile Bitcoin wallet on the planet. The Mycelium Bitcoin Wallet and Mycelium Payment System are not ready for primetime yet, but we are constantly getting closer. If you are looking for candidates for Commercial Product of the Month I think it would be better if we get nominated in one or two months.
Thanks for the info. Good idea to make every shop an exchange.
Isn't it funny to see every day how a security company comes to the supermarkets to pick up the collected cash from the supermarket, guarded with guns and armored vehicles that don't stop the engine outside, while an hour later another security company comes by doing the same security circus to fill the ATMs? Replace fiat with bitcoin and they all lose their jobs.
hgmichna
July 11, 2013, 08:30:08 AM
Isn't it funny to see every day how a security company comes to the supermarkets to pick up the collected cash from the supermarket, guarded with guns and armored vehicles that don't stop the engine outside, while an hour later another security company comes by doing the same security circus to fill the ATMs? Replace fiat with bitcoin and they all lose their jobs.
Very true, but I would formulate it more positively, like: Replace fiat with bitcoin, and they can all do something more useful, like creating value, rather than merely protecting it.
apetersson
July 12, 2013, 10:34:39 AM
we released a new version with some improvements: apart from bugfixes i changed the build system to gradle. this should make it trivial to build it from source if you have java + android SDKs installed. (i think you need android v17 and v8 support installed)
see github project https://github.com/mycelium-com/wallet
git clone git@github.com:mycelium-com/wallet.git
./gradlew build
gradle then downloads the whole internet - if everything is configured correctly you should have your build from source and the (unsigned, non-proguard) apk
please note you cannot keep both the play store + your own version installed on the same device because of the signing keys.
if you are simply interested in the latest versions you can become a beta tester to receive updates earlier: to be eligible for testing you need to join the g+ group at https://plus.google.com/communities/102264813364583686576
you can then activate beta builds at https://play.google.com/apps/testing/com.mycelium.wallet
v0.5.6
Fixed bug that occurs when trying to create an Address from a null string
Adding scrollbar to Enter PIN Dialog
Now correctly updating Clear PIN setting menu item when PIN has just been set or cleared
Address book now has a '+' button that allows you to add an address from clipboard or by scanning an address.
Allowing to import BitcoinSpinner backup from clipboard
Added Keys & Addresses + Transaction History more consistent font styles
v0.5.5
App name is now Mycelium Wallet instead of Barcode Scanner
removed png and kept only jpg export ability since most printers do not support it
v0.5.4
Fixed an issue that made the app appear sluggish in most views (you will notice that one)
Added add-to-address-book button on send summary
Displaying name of receiver in send summary if the receiving address is in the address book
Made back-button in Keys & Addresses take you to balance view instead of quitting
Properly centering of "Show to Sender" text when receiving coins
Displaying a warning if you request to receive coins to an address which is not associated with a private key
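The build-from-source instructions in the post above produce an unsigned apk, while the Play Store build is signed, so the two files can never be byte-identical and a plain checksum comparison tells you nothing. The following is an added example (not code from the Mycelium project or from WalletScrutiny) of the comparison that is actually useful for checking that a store build matches your own: hash every entry of both archives and ignore only the signing files under META-INF/. The two sample archives are constructed in memory and are not real APKs.

```python
"""Compare two APKs entry by entry, ignoring the signing metadata in META-INF/.

Added example, not Mycelium project code. A local build from source is unsigned,
the store build is signed, so comparing whole files always fails. Comparing the
SHA-256 of every entry except META-INF/* shows whether code and resources match.
"""
import hashlib
import io
import zipfile


def entry_digests(apk_bytes: bytes) -> dict:
    """Map each entry name to the SHA-256 hex digest of its contents, skipping META-INF/."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            # Signature block, certificate and manifest live under META-INF/; they
            # differ between a signed and an unsigned build by design.
            if info.filename.startswith("META-INF/") or info.is_dir():
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_apks(a: bytes, b: bytes) -> dict:
    """Return which entries exist only on one side and which differ; all empty means a match."""
    da, db = entry_digests(a), entry_digests(b)
    return {
        "only_in_a": sorted(set(da) - set(db)),
        "only_in_b": sorted(set(db) - set(da)),
        "differing": sorted(n for n in set(da) & set(db) if da[n] != db[n]),
    }


def builds_match(a: bytes, b: bytes) -> bool:
    """True when the two archives agree on every non-signature entry."""
    return not any(compare_apks(a, b).values())


def make_apk(entries: dict) -> bytes:
    """Build a minimal zip in memory (constructed sample data, not a real APK)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: the "store" build carries signature files, the local build does not,
# and a third archive has a modified classes.dex.
COMMON = {
    "classes.dex": b"dex\n035\x00 constructed dex bytes",
    "AndroidManifest.xml": b"<manifest package='com.mycelium.wallet'/>",
    "res/layout/main.xml": b"<LinearLayout/>",
}
STORE_APK = make_apk({**COMMON, "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0",
                      "META-INF/CERT.RSA": b"\x30\x82constructed"})
LOCAL_APK = make_apk(COMMON)
TAMPERED_APK = make_apk({**COMMON, "classes.dex": b"something else entirely"})

if __name__ == "__main__":
    print("store vs local:   ", compare_apks(STORE_APK, LOCAL_APK))
    print("store vs tampered:", compare_apks(STORE_APK, TAMPERED_APK))
```

On real builds the result is rarely all-empty on the first try: different JDK or SDK versions, proguard settings, or timestamps baked into resources show up as differing entries. The value of the per-entry diff is that it names exactly which files to inspect instead of reporting a single mismatch.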
molecular
Donator
Legendary
Offline
Activity: 2772
Merit: 1019
July 12, 2013, 01:15:11 PM
Displaying a warning if you request to receive coins to an address which is not associated with a private key
thank you!!!
vitalemontea
July 13, 2013, 05:56:08 PM
Any way I can recover my Spinner wallet if I deleted app data earlier?
apetersson
July 13, 2013, 08:42:20 PM
i think it would make sense to not allow deletion of private keys when it is sure that it has never been exported (freshly generated, never exported in any way)
vitalemontea
July 13, 2013, 08:57:46 PM
i think it would make sense to not allow deletion of private keys when it is sure that it has never been exported (freshly generated, never exported in any way)
So is there such thing in Bitcoin Spinner?
giszmo
Legendary
Offline
Activity: 1862
Merit: 1105
WalletScrutiny.com
July 14, 2013, 02:46:40 AM
i think it would make sense to not allow deletion of private keys when it is sure that it has never been exported (freshly generated, never exported in any way)
If the key has coins in it, I guess the corner cases of people having access to the key without the app knowing about it, are rare enough to insist on exporting the key. On the other hand I would make a screen with red font letting the user confirm twice that he has a backup, even if the app thinks he can't.
Are you sure you want to delete key 1xcvz... with 1034.2234Ƀ?
[Export key first] [Cancel] [Delete! I want to lose these 1034.2234Ƀ] -> [Really really delete it now!]
(I hate installing Linux to hard drives I just bought. In the one screen they ask you, which disk to install to: Samsung 250GB, Hitachi 80GB. You know you just bought this neat little SSD of 250GB and click A. 3 Screens later it asks you "Are you sure you want to completely erase hd0,0. This can not be undone." Every single time in this screen I want to click "back" to check if I picked the right disc cause there is no "Samsung" and no "250GB" which was what I based my choice on before. Many products have these silly security screens where a modal window that covers your selection asks you, if you want to delete the selected item. Please be explicit when you have security questions. Thanx. )
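The last two posts describe a policy for a destructive action: a key that was never exported and still holds coins should not be deletable with a reflexive click, and the confirmation should name the exact key and amount rather than a generic "selected item". The following is an added example (not Mycelium code) that encodes that policy as a small guard function. The rule that the second confirmation must echo the key prefix and balance shown in the prompt is an added assumption about how to make the confirmation explicit; the exported flag, the two-step confirmation and the prompt wording come from the discussion above.

```python
"""Guard for deleting a private key: added example, not Mycelium code.

Policy from the thread: a freshly generated key that was never exported and
still holds coins must not be silently deleted; the dialog names the key and
its balance and the user confirms twice. Requiring the second confirmation to
echo those values back is an added assumption about making it explicit.
"""
from dataclasses import dataclass


@dataclass
class KeyRecord:
    address: str        # bitcoin address belonging to the key
    balance_btc: float  # balance the key currently controls, in BTC
    exported: bool      # True once the key was backed up in any form


def deletion_prompt(key: KeyRecord) -> str:
    """The text the user must see: it names the exact object being destroyed."""
    return (f"Are you sure you want to delete key {key.address[:6]}... "
            f"with {key.balance_btc:.8f} BTC?")


def expected_echo(key: KeyRecord) -> str:
    """What the user has to type for the second confirmation: key prefix and balance."""
    return f"{key.address[:6]} {key.balance_btc:.8f}"


def may_delete(key: KeyRecord, confirmations: list) -> tuple:
    """Decide whether deletion proceeds.

    confirmations: the answers the user gave, in order (a button press is any
    non-empty string). Returns (allowed, reason).
    """
    if key.exported or key.balance_btc == 0:
        # Nothing irrecoverable is at stake: a single confirmation is enough.
        return (len(confirmations) >= 1, "backed up or empty; single confirmation")
    if len(confirmations) < 2:
        return (False, "unexported key with funds needs two confirmations")
    # The second step must restate what is being lost, so a modal covering the
    # selection cannot be clicked through without reading it.
    if confirmations[1].strip() != expected_echo(key):
        return (False, "second confirmation did not name the key and amount")
    return (True, "user explicitly accepted losing the funds")


if __name__ == "__main__":
    # Constructed sample key mirroring the figures in the post above.
    k = KeyRecord("1xcvzabcdef", 1034.2234, exported=False)
    print(deletion_prompt(k))
    print(may_delete(k, ["delete"]))
    print(may_delete(k, ["delete", "yes"]))
    print(may_delete(k, ["delete", expected_echo(k)]))
```

The guard deliberately treats "exported" as the only reason to relax the check; the app cannot know about copies made outside of it, which is exactly the corner case the post accepts as rare enough to ignore.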