Bitcoin Forum
December 05, 2016, 08:39:12 AM *
News: Latest stable version of Bitcoin Core: 0.13.1  [Torrent].
 
   Home   Help Search Donate Login Register  
Pages: « 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 [24] 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 ... 232 »
  Print  
Author Topic: Armory - Discussion Thread  (Read 481811 times)
fornit
Hero Member
*****
Offline Offline

Activity: 989


View Profile
March 27, 2012, 12:45:56 PM
 #461

Could something like this remove the risc of transfer between two computers.

LOK-IT Secure Flash Drive

what exactly does that device do that enhances security in this case?

1480927152
Hero Member
*
Offline Offline

Posts: 1480927152

View Profile Personal Message (Offline)

Ignore
1480927152
Reply with quote  #2

1480927152
Report to moderator
1480927152
Hero Member
*
Offline Offline

Posts: 1480927152

View Profile Personal Message (Offline)

Ignore
1480927152
Reply with quote  #2

1480927152
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1480927152
Hero Member
*
Offline Offline

Posts: 1480927152

View Profile Personal Message (Offline)

Ignore
1480927152
Reply with quote  #2

1480927152
Report to moderator
1480927152
Hero Member
*
Offline Offline

Posts: 1480927152

View Profile Personal Message (Offline)

Ignore
1480927152
Reply with quote  #2

1480927152
Report to moderator
cypherdoc
Legendary
*
Offline Offline

Activity: 1764



View Profile
March 27, 2012, 01:50:49 PM
 #462

Could something like this remove the risc of transfer between two computers.

LOK-IT Secure Flash Drive
http://www.pcmag.com/article2/0,2817,2381269,00.asp

Or perhaps this company should make a safe bitcoin storage?



the problem is that once you plug it in to your online pc and unlock it, the contents are exposed to a USB specific exploit that could load malware onto it.  unlikely, but still possible.
take5
Jr. Member
*
Offline Offline

Activity: 41



View Profile
March 27, 2012, 01:55:16 PM
 #463

But if the only thing loaded on there is armory transactions and whatnot, is there really any place for that malware to hide?
etotheipi
Legendary
*
Offline Offline

Activity: 1428


Core Armory Developer


View Profile WWW
March 27, 2012, 02:21:18 PM
 #464

Offline wallets are not threatened by the physical security of the data moving back and forth.  I don't care if an attacker has access to the data I'm moving back and forth between the computers because it's only raw transaction data, which is all going to end up in the public blockchain anyway.  What I'm concerned about is what nasty things an attacker can do to a USB key to "autorun" and compromise the offline system when it is plugged in.  While autorun.inf is the most vulnerable way to induce arbitrary code execution, there's other creative ways attackers have been able to compromise system.

In Windows, there was a vulnerability in the ...png?...library that is used to render the icons embedded in files to be displayed in the file explorer next to the file name (for instance, you always see .exe files that have custom icons when displayed in file browser or on the desktop).  An attacker only needed to modify the icon header of the file to exploit that vulnerability which gives it root access to your system.  And simply the act of viewing the file in a file browser--you don't even click on it--will cause the malicious icon code to be executed and compromise your system.  This is not USB-specific, as it could be easily executed via email if you can get the person to simply download the file... compromised as soon as the download directory is viewed in a file explorer)

And to do this, the attacker wouldn't even be adding any files to the key: it would simply be bloating one of the existing files with a new icon header.  In the same way, he could pull a private key off the system by embedding it in slack space in one of the existing files, or injecting it into the icon header, or using steganography to hide it in an existing image file (if there were any on the USB key).  Unfortunately, private keys are small enough that they could be embedded just about anywhere.

EDIT: How could I forget NTFS alternate data streams!.  Windows was trying to improve compatibility using them, but opened up a massive security hole in their filesystem:  the ability to embed data and even executables in files in such a way that it doesn't even show up in file explorer!


I'm not suggesting any of this is likely -- it requires very resourceful attacker.  But these things are possible.  I'd rather come up with a 100% solution now and never think about it again.  That's why I started this thread.  It seems that USB-serial port cables are good way to move raw ASCII back and forth without any risk of the online computer inducing remote code execution on the offline system.  i.e. the offline system doesn't even receive a file via serial, it listens on the serial port for an ASCII-only stream of bytes that can be parsed successfully as a BIP 0010 packet.  The only potential vulnerability there would be if the "unserializeAscii" method in Armory had an exploitable vulnerability in it -- but that is ludicrously far-fetched for an text-parsing-only method that fails to do anything else unless the received data passes a sha256 checksum and matches the BIP 0010 format.

EDIT: On that last note, anything that will be processing the BIP 10 "packet" would be vulnerable, not just the BIP validation method.  If for instance, I had an "eval(packet[i:i+j])" as part of the BIP 10 parser, an attacker might be able to construct a valid BIP 0010 packet that has malicious executable [python] code between byte i and byte i+j.  This is one reason I avoid "eval()" function at all costs in all python programs.  But as you can see, the available attack vectors are cut down to virtually nothing with a few precautions.

Founder and CEO of Armory Technologies, Inc.
Armory Bitcoin Wallet: Bringing cold storage to the average user!
Only use Armory software signed by the Armory Offline Signing Key (0x98832223)

Please donate to the Armory project by clicking here!    (or donate directly via 1QBDLYTDFHHZAABYSKGKPWKLSXZWCCJQBX -- yes, it's a real address!)
runeks
Legendary
*
Offline Offline

Activity: 924



View Profile WWW
March 27, 2012, 07:23:03 PM
 #465

^ Very interesting, etotheipi. Also, for those of us running Linux thinking we're safer, that's not necessarily true. Here's a guy writing a USB exploit for Linux that circumvents the lock screen of a running computer. I'm sure he could have managed to copy some data over to the USB stick if that was his objective: http://www.youtube.com/watch?feature=player_detailpage&v=cNK2PDZI8fs#t=2913s
Red Emerald
Hero Member
*****
Offline Offline

Activity: 742



View Profile WWW
March 28, 2012, 06:40:09 AM
 #466

I've got a (hopefully) small feature request.  Armory doesn't seem to show generated transactions until they are confirmed.  It would be nice if generated funds that were younger than 120 blocks counted into the "unconfirmed" total.

torusJKL
Hero Member
*****
Offline Offline

Activity: 594


View Profile
March 28, 2012, 10:41:33 AM
 #467

I've got a (hopefully) small feature request.  Armory doesn't seem to show generated transactions until they are confirmed.  It would be nice if generated funds that were younger than 120 blocks counted into the "unconfirmed" total.
+1

If you find my post useful send some BTC: 167XM1Za8aG9CdbYuHFMpL2kvPsw6uC8da
Bitrated || bitcoin-otc || Moon Bitcoin Faucet
bitpop
Legendary
*
Offline Offline

Activity: 1918


https://keybase.io/bitpop


View Profile WWW
March 28, 2012, 11:27:15 AM
 #468

How can I use a satoshi client on a different PC? I have a good node running elsewhere in my network. Can I pass the RPC info?

Reputation  |  PGP  |  DigitalOcean  |  OpenVPN 2GB Free  |  TorGuard  |  Ethereum Classic
Bitcoin: 3DSh6AnmvBpDJFUz2mnLirMLmTMcFs9nDm
Bitmessage: BM-2cXN9j8NFT2n1FxDVQ6HQq4D4MZuuaBFyb
etotheipi
Legendary
*
Offline Offline

Activity: 1428


Core Armory Developer


View Profile WWW
March 28, 2012, 12:02:52 PM
 #469

How can I use a satoshi client on a different PC? I have a good node running elsewhere in my network. Can I pass the RPC info?

You know,  I never put this in but I don't know why not.   I can add that as a CLI option.   I'll do that tonight if I think of it.

Founder and CEO of Armory Technologies, Inc.
Armory Bitcoin Wallet: Bringing cold storage to the average user!
Only use Armory software signed by the Armory Offline Signing Key (0x98832223)

Please donate to the Armory project by clicking here!    (or donate directly via 1QBDLYTDFHHZAABYSKGKPWKLSXZWCCJQBX -- yes, it's a real address!)
bitpop
Legendary
*
Offline Offline

Activity: 1918


https://keybase.io/bitpop


View Profile WWW
March 28, 2012, 12:31:32 PM
 #470

perfect, i can add the -flag to a shortcut
or do you need actual access to the block file?
also, the satoshi and armory wallets NEVER mingle?

Reputation  |  PGP  |  DigitalOcean  |  OpenVPN 2GB Free  |  TorGuard  |  Ethereum Classic
Bitcoin: 3DSh6AnmvBpDJFUz2mnLirMLmTMcFs9nDm
Bitmessage: BM-2cXN9j8NFT2n1FxDVQ6HQq4D4MZuuaBFyb
etotheipi
Legendary
*
Offline Offline

Activity: 1428


Core Armory Developer


View Profile WWW
March 28, 2012, 12:40:39 PM
 #471

perfect, i can add the -flag to a shortcut
or do you need actual access to the block file?
also, the satoshi and armory wallets NEVER mingle?

Ack... that's why I didn't do it yet...

Because Armory currently relies on the blk0001.dat produced by the Satoshi client (Satoshi client maintains it, Armory only reads it).  That means that what I just said I would do... won't work.  I can't wait until Armory doesn't rely on the Satoshi client anymore, but it's going to be a lot of work to cut that umbilical cord. 

One day...

Founder and CEO of Armory Technologies, Inc.
Armory Bitcoin Wallet: Bringing cold storage to the average user!
Only use Armory software signed by the Armory Offline Signing Key (0x98832223)

Please donate to the Armory project by clicking here!    (or donate directly via 1QBDLYTDFHHZAABYSKGKPWKLSXZWCCJQBX -- yes, it's a real address!)
bitpop
Legendary
*
Offline Offline

Activity: 1918


https://keybase.io/bitpop


View Profile WWW
March 28, 2012, 12:47:50 PM
 #472

ooh noes

Reputation  |  PGP  |  DigitalOcean  |  OpenVPN 2GB Free  |  TorGuard  |  Ethereum Classic
Bitcoin: 3DSh6AnmvBpDJFUz2mnLirMLmTMcFs9nDm
Bitmessage: BM-2cXN9j8NFT2n1FxDVQ6HQq4D4MZuuaBFyb
etotheipi
Legendary
*
Offline Offline

Activity: 1428


Core Armory Developer


View Profile WWW
March 28, 2012, 08:05:33 PM
 #473

I've got a (hopefully) small feature request.  Armory doesn't seem to show generated transactions until they are confirmed.  It would be nice if generated funds that were younger than 120 blocks counted into the "unconfirmed" total.

Interesting.  That was not intentional:  I intended for them to be shown and marked as unconfirmed for 120 blocks.  But it seems I botched something in the unconfirmed count, anyway -- I put in logic for change-to-self and sent-to-self as automatically confirmed, but it didn't seem to work.  Therefore, if you have only one unspent output and you send 1/10th of it, your entire balance will look unconfirmed because you sent 9/10 back to yourself.  Perhaps the two problems are related. (I even have a unit test for this, I'll have to dig it up)

I'm adding that to my list of stuff to do after RAM reduction:  p2pool/mining outputs, and unconfirmed balances.


Founder and CEO of Armory Technologies, Inc.
Armory Bitcoin Wallet: Bringing cold storage to the average user!
Only use Armory software signed by the Armory Offline Signing Key (0x98832223)

Please donate to the Armory project by clicking here!    (or donate directly via 1QBDLYTDFHHZAABYSKGKPWKLSXZWCCJQBX -- yes, it's a real address!)
etotheipi
Legendary
*
Offline Offline

Activity: 1428


Core Armory Developer


View Profile WWW
March 28, 2012, 08:21:00 PM
 #474

I've got a (hopefully) small feature request.  Armory doesn't seem to show generated transactions until they are confirmed.  It would be nice if generated funds that were younger than 120 blocks counted into the "unconfirmed" total.

Interesting.  That was not intentional:  I intended for them to be shown and marked as unconfirmed for 120 blocks.  But it seems I botched something in the unconfirmed count, anyway -- I put in logic for change-to-self and sent-to-self as automatically confirmed, but it didn't seem to work.  Therefore, if you have only one unspent output and you send 1/10th of it, your entire balance will look unconfirmed because you sent 9/10 back to yourself.  Perhaps the two problems are related. (I even have a unit test for this, I'll have to dig it up)

I'm adding that to my list of stuff to do after RAM reduction:  p2pool/mining outputs, and unconfirmed balances.



Coincidentally, just now I was working on merging my RAM-reduction branch into the master, which I forked a month or two ago.   Apparently, I made the the exact changes I just said I thought I had made, but I guess I made them in the RAM-reduction branch by accident instead of master.  So, that might actually be fixed in the RAM-reduction release...

Hopefully Friday, I will have version (0.70-alpha)-alpha -- the alpha version of version 0.70-alpha Smiley  (for Linux/OSX only)

Founder and CEO of Armory Technologies, Inc.
Armory Bitcoin Wallet: Bringing cold storage to the average user!
Only use Armory software signed by the Armory Offline Signing Key (0x98832223)

Please donate to the Armory project by clicking here!    (or donate directly via 1QBDLYTDFHHZAABYSKGKPWKLSXZWCCJQBX -- yes, it's a real address!)
cbeast
Donator
Legendary
*
Offline Offline

Activity: 1722

Let's talk governance, lipstick, and pigs.


View Profile
March 29, 2012, 02:29:53 AM
 #475

Feature request:
Well not really a feature. I would like to see a client that works without a stored wallet. If a simple (ha!) client could be created that only works with paper Bitcoin bills that can print and scan, but never shows any keys on the computer screen itself. It could show an amount being scanned or transferred, and can also verify the bitbill in the blockchain, but unless there is a physical Bitcoin present, no transaction can be made. I think this would go a long way toward taking the geek factor out of the equation. I also think that people could then print their own bitbill "checks" that can be very secure with multisig protection. If someone wants to spend them online, there can be sweeping software that sends the hash string and automatically alerts the user when the transaction has acquired the required confirmations.

Any significantly advanced cryptocurrency is indistinguishable from Ponzi Tulips.
beckspace
Sr. Member
****
Offline Offline

Activity: 385


Aimed at Jupiter


View Profile
March 29, 2012, 03:26:54 AM
 #476

I would like to see a client that works without a stored wallet. If a simple (ha!) client could be created that only works with paper Bitcoin bills that can print and scan, but never shows any keys on the computer screen itself.

Nice idea.

I think this would go a long way toward taking the geek factor out of the equation.


You guys have really come up with somethin'
cbeast
Donator
Legendary
*
Offline Offline

Activity: 1722

Let's talk governance, lipstick, and pigs.


View Profile
March 29, 2012, 01:21:45 PM
 #477

I would like to see a client that works without a stored wallet. If a simple (ha!) client could be created that only works with paper Bitcoin bills that can print and scan, but never shows any keys on the computer screen itself.

Nice idea.

I think this would go a long way toward taking the geek factor out of the equation.
Thanks. I posted here instead of starting a new thread because etotheipi probably already has everything it needs in Armory.

Any significantly advanced cryptocurrency is indistinguishable from Ponzi Tulips.
Matoking
Sr. Member
****
Offline Offline

Activity: 352

Firstbits: 1m8xa


View Profile WWW
March 30, 2012, 02:02:31 PM
 #478

The program automatically gives me one Satoshi for each generated wallet. How generous. Smiley
I'm running it without a blockchain.

EDIT :
Oh wait, it means I get one negative Satoshi for every created wallet.

BTC : 1CcpmVDLvR7DgA5deFGScoNhiEtiJnh6H4 - LTC : LYTnoXAHNsemMB2jhCSi1znQqnfupdRkSy
Bitcoin-otc
BitBin - earn bitcoins with your pastes!
torusJKL
Hero Member
*****
Offline Offline

Activity: 594


View Profile
March 30, 2012, 04:06:30 PM
 #479

The program automatically gives me one Satoshi for each generated wallet. How generous. Smiley
I'm running it without a blockchain.

EDIT :
Oh wait, it means I get one negative Satoshi for every created wallet.

That must be the auto-donation feature.  Wink

If you find my post useful send some BTC: 167XM1Za8aG9CdbYuHFMpL2kvPsw6uC8da
Bitrated || bitcoin-otc || Moon Bitcoin Faucet
etotheipi
Legendary
*
Offline Offline

Activity: 1428


Core Armory Developer


View Profile WWW
March 30, 2012, 04:22:47 PM
 #480

The program automatically gives me one Satoshi for each generated wallet. How generous. Smiley
I'm running it without a blockchain.

EDIT :
Oh wait, it means I get one negative Satoshi for every created wallet.

Oh yeah.   I should clean up that part of the display for offline mode...

Founder and CEO of Armory Technologies, Inc.
Armory Bitcoin Wallet: Bringing cold storage to the average user!
Only use Armory software signed by the Armory Offline Signing Key (0x98832223)

Please donate to the Armory project by clicking here!    (or donate directly via 1QBDLYTDFHHZAABYSKGKPWKLSXZWCCJQBX -- yes, it's a real address!)
Pages: « 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 [24] 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 ... 232 »
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!