Bitcoin Forum
December 05, 2016, 08:38:45 AM *
News: To be able to use the next phase of the beta forum software, please ensure that your email address is correct/functional.
 
   Home   Help Search Donate Login Register  
Pages: « 1 ... 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 [182] 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 »
  Print  
Author Topic: Armory - Discussion Thread  (Read 481800 times)
marcus_of_augustus
Legendary
*
Offline Offline

Activity: 2086



View Profile
May 03, 2014, 05:17:28 AM
 #3621

Basically there's an attack they can't talk about yet, just get updated. The attack makes armory generate addresses from the virus.

 Shocked

1480927125
Hero Member
*
Offline Offline

Posts: 1480927125

View Profile Personal Message (Offline)

Ignore
1480927125
Reply with quote  #2

1480927125
Report to moderator
1480927125
Hero Member
*
Offline Offline

Posts: 1480927125

View Profile Personal Message (Offline)

Ignore
1480927125
Reply with quote  #2

1480927125
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1480927125
Hero Member
*
Offline Offline

Posts: 1480927125

View Profile Personal Message (Offline)

Ignore
1480927125
Reply with quote  #2

1480927125
Report to moderator
1480927125
Hero Member
*
Offline Offline

Posts: 1480927125

View Profile Personal Message (Offline)

Ignore
1480927125
Reply with quote  #2

1480927125
Report to moderator
1480927125
Hero Member
*
Offline Offline

Posts: 1480927125

View Profile Personal Message (Offline)

Ignore
1480927125
Reply with quote  #2

1480927125
Report to moderator
superbit
Hero Member
*****
Offline Offline

Activity: 693



View Profile
May 03, 2014, 05:21:00 AM
 #3622

He has 2 of these. One that is "online", used for email signing and encryption, one marked as "offline" used for release signing. Also you could try to verify the bitcoin signature.

How would I get an "offline" key?

https://bitfinex.com/?refcode=UInJLQ5KpA <-- leveraged trading of BTCUSD, LTCUSD and LTCBTC (long and short) - 10% discount on fees for the first 30 days with the refcode
My feedback thread: Forum thread
bitpop
Legendary
*
Offline Offline

Activity: 1918


https://keybase.io/bitpop


View Profile WWW
May 03, 2014, 05:59:50 AM
 #3623

Basically there's an attack they can't talk about yet, just get updated. The attack makes armory generate addresses from the virus.

 Shocked

This also means new best practice is sending to offline wallet using an address created on there. Previously I got an address from the watch only copy.

Reputation  |  PGP  |  DigitalOcean  |  OpenVPN 2GB Free  |  TorGuard  |  Ethereum Classic
Bitcoin: 3DSh6AnmvBpDJFUz2mnLirMLmTMcFs9nDm
Bitmessage: BM-2cXN9j8NFT2n1FxDVQ6HQq4D4MZuuaBFyb
bitpop
Legendary
*
Offline Offline

Activity: 1918


https://keybase.io/bitpop


View Profile WWW
May 03, 2014, 06:00:06 AM
 #3624

He has 2 of these. One that is "online", used for email signing and encryption, one marked as "offline" used for release signing. Also you could try to verify the bitcoin signature.

How would I get an "offline" key?

http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0x4AB16AEA98832223


Reputation  |  PGP  |  DigitalOcean  |  OpenVPN 2GB Free  |  TorGuard  |  Ethereum Classic
Bitcoin: 3DSh6AnmvBpDJFUz2mnLirMLmTMcFs9nDm
Bitmessage: BM-2cXN9j8NFT2n1FxDVQ6HQq4D4MZuuaBFyb
flipperfish
Sr. Member
****
Offline Offline

Activity: 312


Dolphie Selfie


View Profile
May 03, 2014, 11:05:25 AM
 #3625

This also means new best practice is sending to offline wallet using an address created on there. Previously I got an address from the watch only copy.

Can you explain this a little further? AFAIK, the addresses generated on the offline wallet and the watch only copy are the same? Wouldn't be of much use otherwise...
bitpop
Legendary
*
Offline Offline

Activity: 1918


https://keybase.io/bitpop


View Profile WWW
May 03, 2014, 11:12:39 AM
 #3626

This also means new best practice is sending to offline wallet using an address created on there. Previously I got an address from the watch only copy.

Can you explain this a little further? AFAIK, the addresses generated on the offline wallet and the watch only copy are the same? Wouldn't be of much use otherwise...

A virus can compromise your watch only copy to generate addresses that aren't yours. This completely bypasses all security.

You could generate it then glance at the cold storage copy to make sure it's in the list. You may have to generate extra ones to get the number of addresses the same.

Reputation  |  PGP  |  DigitalOcean  |  OpenVPN 2GB Free  |  TorGuard  |  Ethereum Classic
Bitcoin: 3DSh6AnmvBpDJFUz2mnLirMLmTMcFs9nDm
Bitmessage: BM-2cXN9j8NFT2n1FxDVQ6HQq4D4MZuuaBFyb
jl2012
Legendary
*
Offline Offline

Activity: 1484


View Profile
May 03, 2014, 01:38:44 PM
 #3627

This also means new best practice is sending to offline wallet using an address created on there. Previously I got an address from the watch only copy.

Can you explain this a little further? AFAIK, the addresses generated on the offline wallet and the watch only copy are the same? Wouldn't be of much use otherwise...

A virus can compromise your watch only copy to generate addresses that aren't yours. This completely bypasses all security.

You could generate it then glance at the cold storage copy to make sure it's in the list. You may have to generate extra ones to get the number of addresses the same.

Is that a malware, or a bug in Armory?

Donation address: 1CiZPrEJdN4FJcqdLdgVLzT8tgCXxT5ion
PGP: D3CC 1772 8600 5BB8 FF67 3294 C524 2A1A B393 6517
Bitcoin Wizards Wiki: https://8333.info/
bitpop
Legendary
*
Offline Offline

Activity: 1918


https://keybase.io/bitpop


View Profile WWW
May 03, 2014, 01:39:55 PM
 #3628

This also means new best practice is sending to offline wallet using an address created on there. Previously I got an address from the watch only copy.

Can you explain this a little further? AFAIK, the addresses generated on the offline wallet and the watch only copy are the same? Wouldn't be of much use otherwise...

A virus can compromise your watch only copy to generate addresses that aren't yours. This completely bypasses all security.

You could generate it then glance at the cold storage copy to make sure it's in the list. You may have to generate extra ones to get the number of addresses the same.

Is that a malware, or a bug in Armory?

Malware, armory is solid.

Reputation  |  PGP  |  DigitalOcean  |  OpenVPN 2GB Free  |  TorGuard  |  Ethereum Classic
Bitcoin: 3DSh6AnmvBpDJFUz2mnLirMLmTMcFs9nDm
Bitmessage: BM-2cXN9j8NFT2n1FxDVQ6HQq4D4MZuuaBFyb
TierNolan
Legendary
*
Offline Offline

Activity: 1036


View Profile
May 03, 2014, 02:09:54 PM
 #3629

This also means new best practice is sending to offline wallet using an address created on there. Previously I got an address from the watch only copy.

Interesting, to say the least.

Is that being added to the next version or already in the current version?

1LxbG5cKXzTwZg9mjL3gaRE835uNQEteWF
bitpop
Legendary
*
Offline Offline

Activity: 1918


https://keybase.io/bitpop


View Profile WWW
May 03, 2014, 02:11:57 PM
 #3630

This also means new best practice is sending to offline wallet using an address created on there. Previously I got an address from the watch only copy.

Interesting, to say the least.

Is that being added to the next version or already in the current version?

There's no new feature per se

Reputation  |  PGP  |  DigitalOcean  |  OpenVPN 2GB Free  |  TorGuard  |  Ethereum Classic
Bitcoin: 3DSh6AnmvBpDJFUz2mnLirMLmTMcFs9nDm
Bitmessage: BM-2cXN9j8NFT2n1FxDVQ6HQq4D4MZuuaBFyb
jl2012
Legendary
*
Offline Offline

Activity: 1484


View Profile
May 03, 2014, 06:05:22 PM
 #3631

This also means new best practice is sending to offline wallet using an address created on there. Previously I got an address from the watch only copy.

Can you explain this a little further? AFAIK, the addresses generated on the offline wallet and the watch only copy are the same? Wouldn't be of much use otherwise...

A virus can compromise your watch only copy to generate addresses that aren't yours. This completely bypasses all security.

You could generate it then glance at the cold storage copy to make sure it's in the list. You may have to generate extra ones to get the number of addresses the same.

Is that a malware, or a bug in Armory?

Malware, armory is solid.

So there is not much the Armory team could do. Actually this doesn't only affect Armory. For example, a malware could replace Bitpay's address on the invoice. Even payment protocol won't help as the malware could bypass the signature check.

The lesson is no bitcoin address shown on an online computer is reliable. We need some simple solutions to verify bitcoin addresses and payment requests. Dedicated hardware wallet is the way to go.

Donation address: 1CiZPrEJdN4FJcqdLdgVLzT8tgCXxT5ion
PGP: D3CC 1772 8600 5BB8 FF67 3294 C524 2A1A B393 6517
Bitcoin Wizards Wiki: https://8333.info/
kentt
Member
**
Offline Offline

Activity: 103


View Profile
May 03, 2014, 09:39:20 PM
 #3632

Regarding the virus, how would one double check that I was not victim to this attack.  **nervous**
bitpop
Legendary
*
Offline Offline

Activity: 1918


https://keybase.io/bitpop


View Profile WWW
May 03, 2014, 10:25:15 PM
 #3633

Regarding the virus, how would one double check that I was not victim to this attack.  **nervous**

I don't think anyone was. I think a white hat tipped them off about it.

Reputation  |  PGP  |  DigitalOcean  |  OpenVPN 2GB Free  |  TorGuard  |  Ethereum Classic
Bitcoin: 3DSh6AnmvBpDJFUz2mnLirMLmTMcFs9nDm
Bitmessage: BM-2cXN9j8NFT2n1FxDVQ6HQq4D4MZuuaBFyb
bitpop
Legendary
*
Offline Offline

Activity: 1918


https://keybase.io/bitpop


View Profile WWW
May 03, 2014, 10:29:01 PM
 #3634

Regarding the virus, how would one double check that I was not victim to this attack.  **nervous**

Generate the new addresses on your cold system first, and then verify that the addresses you generate on the hot watch-only system match the addresses in the cold system.

Do not get scared if they don't match at first! Look at the whole list and address number! They won't be synced.

Reputation  |  PGP  |  DigitalOcean  |  OpenVPN 2GB Free  |  TorGuard  |  Ethereum Classic
Bitcoin: 3DSh6AnmvBpDJFUz2mnLirMLmTMcFs9nDm
Bitmessage: BM-2cXN9j8NFT2n1FxDVQ6HQq4D4MZuuaBFyb
kentt
Member
**
Offline Offline

Activity: 103


View Profile
May 03, 2014, 10:52:19 PM
 #3635

Regarding the virus, how would one double check that I was not victim to this attack.  **nervous**

Generate the new addresses on your cold system first, and then verify that the addresses you generate on the hot watch-only system match the addresses in the cold system.

Do not get scared if they don't match at first! Look at the whole list and address number! They won't be synced.
Generating addresses on the cold rig matched all the generated addresses on the broadcast wallet so I guess I'm good.  Thanks for the heads up.

By "Do not get scared if they don't match at first!" do you just mean don't that I shouldn't be worried if I haven't generated the same addresses on the cold system as on the broadcast system?  Eg I've generated a few on the cold rig, but 50 on broadcast rig.  That is they should still be in generated in same order once generated.
bitpop
Legendary
*
Offline Offline

Activity: 1918


https://keybase.io/bitpop


View Profile WWW
May 03, 2014, 11:04:59 PM
 #3636

Regarding the virus, how would one double check that I was not victim to this attack.  **nervous**

Generate the new addresses on your cold system first, and then verify that the addresses you generate on the hot watch-only system match the addresses in the cold system.

Do not get scared if they don't match at first! Look at the whole list and address number! They won't be synced.
Generating addresses on the cold rig matched all the generated addresses on the broadcast wallet so I guess I'm good.  Thanks for the heads up.

By "Do not get scared if they don't match at first!" do you just mean don't that I shouldn't be worried if I haven't generated the same addresses on the cold system as on the broadcast system?  Eg I've generated a few on the cold rig, but 50 on broadcast rig.  That is they should still be in generated in same order once generated.

Exactly

Reputation  |  PGP  |  DigitalOcean  |  OpenVPN 2GB Free  |  TorGuard  |  Ethereum Classic
Bitcoin: 3DSh6AnmvBpDJFUz2mnLirMLmTMcFs9nDm
Bitmessage: BM-2cXN9j8NFT2n1FxDVQ6HQq4D4MZuuaBFyb
jl2012
Legendary
*
Offline Offline

Activity: 1484


View Profile
May 04, 2014, 03:39:53 AM
 #3637

Regarding the virus, how would one double check that I was not victim to this attack.  **nervous**

Generate the new addresses on your cold system first, and then verify that the addresses you generate on the hot watch-only system match the addresses in the cold system.

If a computer is infected, it is completely hopeless

Let say you generated an address with the cold system, which is "1User". You send a withdrawal request to the exchange, asking them to send bitcoin to 1User. A sophisticated malware could secretly replace the address with "1Hacker" before sending the request the exchange.

Donation address: 1CiZPrEJdN4FJcqdLdgVLzT8tgCXxT5ion
PGP: D3CC 1772 8600 5BB8 FF67 3294 C524 2A1A B393 6517
Bitcoin Wizards Wiki: https://8333.info/
bitpop
Legendary
*
Offline Offline

Activity: 1918


https://keybase.io/bitpop


View Profile WWW
May 04, 2014, 11:38:21 AM
 #3638

One day we will be able to lock an exchange to a public key and they can make addresses guaranteed for us

Reputation  |  PGP  |  DigitalOcean  |  OpenVPN 2GB Free  |  TorGuard  |  Ethereum Classic
Bitcoin: 3DSh6AnmvBpDJFUz2mnLirMLmTMcFs9nDm
Bitmessage: BM-2cXN9j8NFT2n1FxDVQ6HQq4D4MZuuaBFyb
bitpop
Legendary
*
Offline Offline

Activity: 1918


https://keybase.io/bitpop


View Profile WWW
May 04, 2014, 12:25:33 PM
 #3639

One day we will be able to lock an exchange to a public key and they can make addresses guaranteed for us

I like that idea very much.

Could that be done without forcing the masses to learn PGP?

EDIT: or at least exchanges could make it an option for those who do wish to use PGP.

Actually no pgp, just a public seed

Reputation  |  PGP  |  DigitalOcean  |  OpenVPN 2GB Free  |  TorGuard  |  Ethereum Classic
Bitcoin: 3DSh6AnmvBpDJFUz2mnLirMLmTMcFs9nDm
Bitmessage: BM-2cXN9j8NFT2n1FxDVQ6HQq4D4MZuuaBFyb
kentt
Member
**
Offline Offline

Activity: 103


View Profile
May 05, 2014, 06:06:54 AM
 #3640

Regarding the virus, how would one double check that I was not victim to this attack.  **nervous**

Generate the new addresses on your cold system first, and then verify that the addresses you generate on the hot watch-only system match the addresses in the cold system.

If a computer is infected, it is completely hopeless

Let say you generated an address with the cold system, which is "1User". You send a withdrawal request to the exchange, asking them to send bitcoin to 1User. A sophisticated malware could secretly replace the address with "1Hacker" before sending the request the exchange.

Extremely valid point.

Some users on Reddit have actually been having this problem caused by extensions on google chrome. Though it could be any sort of malware, google chrome extensions just seem to be the thing lately.

Always a good idea to send a small test transaction out of an exchange before sending the whole amount.
I should be able to avoid that by noticing that I'm signing the txn to 1User on the offline rig.
Pages: « 1 ... 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 [182] 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 »
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!