Bitcoin Forum
July 24, 2017, 04:39:27 AM *
News: Due to BIP91, it would starting now be prudent to require 5 times more confirmations than usual before trusting transactions.
 
   Home   Help Search Donate Login Register  
Pages: « 1 ... 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 [209] 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 »
  Print  
Author Topic: Armory - Discussion Thread  (Read 505413 times)
pitiflin
Sr. Member
****
Offline Offline

Activity: 355



View Profile
October 01, 2014, 09:45:02 PM
 #4161

Stupid (maybe not) question.

I want to update Armory, should I update Bitcoin Core as well?

You don't have to but latest core is more critical than latest armory

Thanks Smiley


▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
██████████▀▀▀▄▄▄▄▄▄▄▀▀▀██████████
███████▀▄▄█▀▀▀▄▄▄▄▄▀▀▀█▄▄▀▀██████
████▀▄█████████████████████▄▀████
███ ██████████▀▀▀████████████ ███
██ ███████████   █████████████▄▀█
█ █▌████████▀▀   ▀▀▀▀████████▐█ █
▌▐█ ██████████  ▐████████████▌██▐
▌██▐████████         ████████▌▐█▐
▌▐█ ██████████  ▐████████████▌██▐
█ █▄██████████  ▐████████████▄█ █
██ ███████████▄  ▀▀▀ █████████▀▄█
███ ████████████▄▄▄▄█████████ ███
████▄▀█████████████████████▀▄████
██████▄▄▀▀██▄▄▄▀▀▀▀▄▄▄█▀▀▄▄██████
██████████▄▄▄▄▀▀▀▀▀▀▄▄▄██████████
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
.
Target Coin



.







       ▄▄▄▄▄▄
    ▄████████
    █████▀▀▀▀
   ▐████
   ▐████
████████████
████████████
   ▐████
   ▐████
   ▐████
   ▐████




                 ▄████▄▄    ▄
██             ████████████▀
████▄         █████████████▀
▀████████▄▄   █████████████
▄▄█████████████████████████
██████████████████████████
  ▀██████████████████████
   █████████████████████
    ▀█████████████████▀
      ▄█████████████▀
▄▄███████████████▀
   ▀▀▀▀▀▀▀▀▀▀▀




   ▄▄████████████████▄▄
 ▄██▀                ▀██▄
▐██                ██  ██▌
██▌      ▄▄████▄▄  ▀▀  ▐██
██▌    ▄██▀▀  ▀▀██▄    ▐██
██▌   ▐██        ██▌   ▐██
██▌   ▐██        ██▌   ▐██
██▌    ▀██▄▄  ▄▄██▀    ▐██
██▌      ▀▀████▀▀      ▐██
▐██                    ██▌
 ▀██▄                ▄██▀
   ▀▀████████████████▀▀



.



.
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1500871167
Hero Member
*
Offline Offline

Posts: 1500871167

View Profile Personal Message (Offline)

Ignore
1500871167
Reply with quote  #2

1500871167
Report to moderator
1500871167
Hero Member
*
Offline Offline

Posts: 1500871167

View Profile Personal Message (Offline)

Ignore
1500871167
Reply with quote  #2

1500871167
Report to moderator
segeln
Sr. Member
****
Offline Offline

Activity: 476


View Profile
October 02, 2014, 11:02:55 AM
 #4162

when will 0.92.2 be out of testing?
I ask this question again
Hope I and cypherdoc get an answer
bitpop
Legendary
*
Offline Offline

Activity: 2100


https://keybase.io/bitpop


View Profile WWW
October 02, 2014, 11:06:21 AM
 #4163

when will 0.92.2 be out of testing?
I ask this question again
Hope I and cypherdoc get an answer

I don't think there's bugs so it doesn't really matter. Armory just likes to call everything testing.

Reputation  |  PGP  |  DigitalOcean  |  TorGuard  |  Ethereum Classic
Bitcoin: 3DSh6AnmvBpDJFUz2mnLirMLmTMcFs9nDm
Bitmessage: BM-2cXN9j8NFT2n1FxDVQ6HQq4D4MZuuaBFyb
justusranvier
Legendary
*
Offline Offline

Activity: 1400



View Profile WWW
October 02, 2014, 12:14:45 PM
 #4164

http://www.wired.com/2014/10/code-published-for-unfixable-usb-attack/

https://github.com/adamcaudill/Psychson
segeln
Sr. Member
****
Offline Offline

Activity: 476


View Profile
October 02, 2014, 12:17:00 PM
 #4165

when will 0.92.2 be out of testing?
I ask this question again
Hope I and cypherdoc get an answer

I don't think there's bugs so it doesn't really matter. Armory just likes to call everything testing.
Thanks,hope you are right
segeln
Sr. Member
****
Offline Offline

Activity: 476


View Profile
October 02, 2014, 12:24:26 PM
 #4166

are only USB sticks right from the factory affected or old used ones as well?
As I understand it,USB Sitcks in use cannot get compromised
chrisrico
Hero Member
*****
Offline Offline

Activity: 496


View Profile
October 02, 2014, 01:29:04 PM
 #4167

are only USB sticks right from the factory affected or old used ones as well?
As I understand it,USB Sitcks in use cannot get compromised

Nope, the whole reason why this is such a bad exploit is that most USB devices (not just flash drives) can have their firmware reprogrammed via software.
Perlover
Full Member
***
Offline Offline

Activity: 155


View Profile
October 02, 2014, 02:17:50 PM
 #4168

I don't know somebody wrote to here or not.
But i think the Armory and other programs could have a potential vulnerability.

For example what if your computer with installed Armory (watch-only wallet mode) is infected and trojan/virus which modifies a receiving address in Armory's interface? How can i trust to my online watch-only computer that all generated addresses are my addresses? What if trojan/virus modifies installed DLLs/Shared libraries of Armory and substitute watch-only generated addresses or seed to hacker things? If i will send to money to generated address how can i sure that this address is my address for private key at offline computer? :-/

What do developers think about this?
segeln
Sr. Member
****
Offline Offline

Activity: 476


View Profile
October 02, 2014, 02:58:29 PM
 #4169

are only USB sticks right from the factory affected or old used ones as well?
As I understand it,USB Sitcks in use cannot get compromised

Nope, the whole reason why this is such a bad exploit is that most USB devices (not just flash drives) can have their firmware reprogrammed via software.
that is indeed a bad exploit.
What about antimalware/antiviruses programs like Norton,kaspersky,avira.Mc affee?
Could they detect those malicious software,when they are widespread and known ?
justusranvier
Legendary
*
Offline Offline

Activity: 1400



View Profile WWW
October 02, 2014, 03:11:35 PM
 #4170

What about antimalware/antiviruses programs like Norton,kaspersky,avira.Mc affee?
Could they detect those malicious software,when they are widespread and known ?
No.

USB firmware exploits happen outside the control of the CPU and any software that may be running on it.

For now, you should probably use CD-Rs to move unsigned transactions across the air gap discard them after each use.

There might not be any exploitable CD drive firmware vulnerabilities that can be triggered by malicious data on a disc. Maybe.
SimonBelmond
Full Member
***
Offline Offline

Activity: 210



View Profile
October 02, 2014, 03:13:49 PM
 #4171

I don't know somebody wrote to here or not.
But i think the Armory and other programs could have a potential vulnerability.

For example what if your computer with installed Armory (watch-only wallet mode) is infected and trojan/virus which modifies a receiving address in Armory's interface? How can i trust to my online watch-only computer that all generated addresses are my addresses? What if trojan/virus modifies installed DLLs/Shared libraries of Armory and substitute watch-only generated addresses or seed to hacker things? If i will send to money to generated address how can i sure that this address is my address for private key at offline computer? :-/

What do developers think about this?

I jsut double check the address before broadcasting. That's more or less all I can do. Of course you could take appart the unsigned and signed transaction before broadcasting. However, as long as I don't hear anything else I consider it safe enough...
segeln
Sr. Member
****
Offline Offline

Activity: 476


View Profile
October 02, 2014, 03:43:04 PM
 #4172

What about antimalware/antiviruses programs like Norton,kaspersky,avira.Mc affee?
Could they detect those malicious software,when they are widespread and known ?
No.

USB firmware exploits happen outside the control of the CPU and any software that may be running on it.

For now, you should probably use CD-Rs to move unsigned transactions across the air gap discard them after each use.

There might not be any exploitable CD drive firmware vulnerabilities that can be triggered by malicious data on a disc. Maybe.
thanks,justusranvier
Newar
Legendary
*
Offline Offline

Activity: 1218


https://gliph.me/hUF


View Profile
October 02, 2014, 03:59:37 PM
 #4173

What about antimalware/antiviruses programs like Norton,kaspersky,avira.Mc affee?
Could they detect those malicious software,when they are widespread and known ?
No.

USB firmware exploits happen outside the control of the CPU and any software that may be running on it.

For now, you should probably use CD-Rs to move unsigned transactions across the air gap discard them after each use.

There might not be any exploitable CD drive firmware vulnerabilities that can be triggered by malicious data on a disc. Maybe.

There's audio too, easier on the planet: https://bitcointalk.org/index.php?topic=735111.0

OTC rating | GPG keyid 1DC91318EE785FDE | Gliph: lightning bicycle tree music | Mycelium, a swift & secure Bitcoin client for Android | LocalBitcoins
cypherdoc
Legendary
*
Offline Offline

Activity: 1764



View Profile
October 02, 2014, 04:01:24 PM
 #4174

Stupid (maybe not) question.

I want to update Armory, should I update Bitcoin Core as well?

You don't have to but latest core is more critical than latest armory

so latest Bitcoin Core is compatible with ARmory 0.92.1?
bitpop
Legendary
*
Offline Offline

Activity: 2100


https://keybase.io/bitpop


View Profile WWW
October 02, 2014, 04:39:19 PM
 #4175

Stupid (maybe not) question.

I want to update Armory, should I update Bitcoin Core as well?

You don't have to but latest core is more critical than latest armory

so latest Bitcoin Core is compatible with ARmory 0.92.1?

Yeah the bitcoin rpc i dont think ever had deprecation

Reputation  |  PGP  |  DigitalOcean  |  TorGuard  |  Ethereum Classic
Bitcoin: 3DSh6AnmvBpDJFUz2mnLirMLmTMcFs9nDm
Bitmessage: BM-2cXN9j8NFT2n1FxDVQ6HQq4D4MZuuaBFyb
Perlover
Full Member
***
Offline Offline

Activity: 155


View Profile
October 03, 2014, 04:10:20 PM
 #4176

I jsut double check the address before broadcasting. That's more or less all I can do. Of course you could take appart the unsigned and signed transaction before broadcasting. However, as long as I don't hear anything else I consider it safe enough...
I am about getting from Armory the address for receiving bitcoins. It's not neeeded for broadcasting...
As i think you about a sending of bitcoins...
Ente
Legendary
*
Offline Offline

Activity: 2016



View Profile
October 03, 2014, 08:42:43 PM
 #4177

I don't know somebody wrote to here or not.
But i think the Armory and other programs could have a potential vulnerability.

For example what if your computer with installed Armory (watch-only wallet mode) is infected and trojan/virus which modifies a receiving address in Armory's interface? How can i trust to my online watch-only computer that all generated addresses are my addresses? What if trojan/virus modifies installed DLLs/Shared libraries of Armory and substitute watch-only generated addresses or seed to hacker things? If i will send to money to generated address how can i sure that this address is my address for private key at offline computer? :-/

What do developers think about this?

I totally agree on that.
So, I try to pay a bitcoin to my landlord.
How do I get his adress? Via his website, or mail, or I noted it down in my Armory adressbook.
All of these can be easily replaced, without noticing, by malware.
Malware might also change stuff so the change adress isn't mine, but his. Not sure about that though.

That is no Armory-specific or even Bitcoin-specific problem. Same problem arises with regular bank account transfer, if I don't know the account details by heart.

The only thing Armory can secure, and does so well, is that you only lose that one transaction. As soon as your landlord kicks your butt, you know something is wrong with your computer. All other coins should still be safe on the offline computer.

Please, someone tell me what I overlooked here?

Ente
cypherdoc
Legendary
*
Offline Offline

Activity: 1764



View Profile
October 03, 2014, 09:27:35 PM
 #4178

can someone remind me how to check the signature of the offline *.deb installer?

i'm able to check the sha256sum of the initial downloaded *.tar.gz file but can't remember how to check the sig. is it done on the online or offline computer?  

Edit: running the dpkg-sig against the armory*.deb extracted from the *.tar.gz for 0.92.1 is unsuccessful.
etotheipi
Legendary
*
Offline Offline

Activity: 1428


Core Armory Developer


View Profile WWW
October 04, 2014, 03:37:08 AM
 #4179

can someone remind me how to check the signature of the offline *.deb installer?

i'm able to check the sha256sum of the initial downloaded *.tar.gz file but can't remember how to check the sig. is it done on the online or offline computer?  

Edit: running the dpkg-sig against the armory*.deb extracted from the *.tar.gz for 0.92.1 is unsuccessful.

I'll have to double-check the release scripts.  It's possible that it's bundling the .deb before it signs it.  If that's the case, then just grab the correct .deb not from the offline bundle.  It's the same thing, but should be signed.   

On the other hand, if you check the hashes file, that will be accurate.  That lists the hash of the tar.gz with whatever .debs are in there, signed or not.  Even though the .deb itself was not signed, the bundle was created on the same secure machine, hashed, and put in the sha256 file which is signed.

Founder and CEO of Armory Technologies, Inc.
Armory Bitcoin Wallet: Bringing cold storage to the average user!
Only use Armory software signed by the Armory Offline Signing Key (0x98832223)

Please donate to the Armory project by clicking here!    (or donate directly via 1QBDLYTDFHHZAABYSKGKPWKLSXZWCCJQBX -- yes, it's a real address!)
etotheipi
Legendary
*
Offline Offline

Activity: 1428


Core Armory Developer


View Profile WWW
October 04, 2014, 04:39:10 AM
 #4180

Armory Version 0.92.3 Released

We have officially released 0.92.3.  It's not on the website yet (that's not automated in our release process yet), but it will be shortly.

This release not only officially brings the Tor/Privacy fix out of testing, it also fixes a rather scary-but-actually-benign bug that we found in the Armory code related to random number generation when signing Bitcoin messages (not transactions, just message signing).  For more details about this, read the full report here:

https://s3.amazonaws.com/bitcoinarmory-media/CVEs/ArmoryCVE-2014-002.pdf

Armory Tech has pretty thoroughly investigated the incident and believes that no action is needed by anyone, even if you have signed thousands of messages.  Armory Technologies itself would be the most vulnerable since we use that feature to sign all of our releases.  We have determined that no exposure has occurred and still consider our offline signing key 100% safe.  Nonetheless, we have fixed the issue in this release.

Before asking lots of questions please read the above PDF which I spent an exceptional amount of time writing.  It is extremely thorough, both in terms of our own analysis and concerns raised by Sergio Del Lerner, whom we contacted to provide an independent third-party opinion.  We also posted this to the our recently-formed Security Working Group and received positive feedback from two members, and no one raised any concerns about the analysis.

On that note, here's the download links for the new version, but as always, we encourage you to use the secure downloader to get the new version if possible  (at this point most people should have 0.91+ and can use the secure downloader).



  Armory 0.92.3 for Windows XP, Vista, 7, 8+ (32- and 64-bit)
  Armory 0.92.3 for MacOSX 10.7+ (64bit)
  Armory 0.92.3 for Ubuntu 12.04+ (32bit)
  Armory 0.92.3 for Ubuntu 12.04+ (64bit)
  Armory 0.92.3 for RaspberryPi  (armhf)


  Armory 0.92.3 Offline Bundle for Ubuntu 12.04 exact (32bit)
  Armory 0.92.3 Offline Bundle for Ubuntu 12.04 exact (64bit)
  Armory 0.92.3 Offline Bundle for RaspberryPi  (armhf)

  Armory 0.92.3: Signed hashes of all installers




GOOD NEWS:  The latest Bitcoin Core release relaxed the isStandard() logic, so you should be able to up to 7-of-7 Armory Lockboxes on mainnet.  I haven't actually tested this, but I expect by now that a critical mass of miners have upgraded to Core 0.9.3, so spending 7-of-7 (or smaller) coins should work. 

The only requirement is that you upgrade your own version of Core to 0.9.3 -- which has been updated in the secure downloader as well!



Other fixes: 
  • URI handling bug fix (Coinbase-generated links were not working with Armory)
  • Raspberry Pi install script and offline bundle was hosed.  Some empty debs have been replaced, and the double-click script should work properly now.  Please test it out for me!
  • The Ubuntu offline bundles have been upgraded to support 12.04.5 now (since 12.04.3 was difficult to find).

Founder and CEO of Armory Technologies, Inc.
Armory Bitcoin Wallet: Bringing cold storage to the average user!
Only use Armory software signed by the Armory Offline Signing Key (0x98832223)

Please donate to the Armory project by clicking here!    (or donate directly via 1QBDLYTDFHHZAABYSKGKPWKLSXZWCCJQBX -- yes, it's a real address!)
Pages: « 1 ... 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 [209] 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 »
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!