Bitcoin Forum
Pages: « 1 [2] 3 4 »  All
Author Topic: Why is Armory sending our *USERNAMES* to bitcoinarmory.com ‼️  (Read 9270 times)
1a5f9842524 (OP)
Newbie
Activity: 8
Merit: 0
August 09, 2014, 09:01:23 PM
Last edit: August 09, 2014, 09:54:51 PM by 1a5f9842524
 #21

> > It's not hard to imagine how this would be connected with the transactions a person makes just due to the timings of the requests.
>
> Running armory doesn't necessarily mean that you are performing transactions, so I don't think any connections can be made by that.

Sure they can.

You know that the user won't be making transactions when the application is closed, so you can start to eliminate transactions on the chain which couldn't possibly have been theirs. Armory doesn't use compressed point pubkeys, and does not reuse addresses, which you can use to further filter the transactions you see. With the last two features alone you can eliminate a large portion of all transactions in each block as not possibly having been made by Armory.

Having 32 bits of the home folder hash is actually pretty devastating to your privacy as well. Within that space you could search bitcointalk user names for example with only a 1 in 4 billion chance of a false positive per attempt. I'd bet on a lot of people having user names that very much match with their bitcointalk ones.
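The dictionary search described in the post above, as an added example that is not part of the original thread and not Armory's code. It assumes the reported identifier is the first 4 bytes of SHA-256 over the home directory path (the thread says "32 bits of the home folder hash" but does not name the hash, so that is an assumption), and that the attacker holds a list of candidate usernames (a constructed list here) plus a few common home-path layouts.

```python
import hashlib

# Hypothetical: the thread says the identifier is 32 bits of a hash of the home
# folder path but does not name the hash, so SHA-256 truncated to 4 bytes stands in.
def home_path_id(path: str) -> int:
    digest = hashlib.sha256(path.encode("utf-8")).digest()
    return int.from_bytes(digest[:4], "big")

# Common home-directory layouts to try for each candidate username (constructed list).
PATH_TEMPLATES = (
    "/home/{u}",                        # typical Linux
    "/Users/{u}",                       # macOS
    "C:\\Users\\{u}",                   # Windows Vista and later
    "C:\\Documents and Settings\\{u}",  # Windows XP
)

def recover_username(observed_id: int, usernames):
    """Offline dictionary search: hash every (username, layout) pair and return
    the ones whose 32-bit id equals the observed one."""
    hits = []
    for u in usernames:
        for tmpl in PATH_TEMPLATES:
            path = tmpl.format(u=u)
            if home_path_id(path) == observed_id:
                hits.append((u, path))
    return hits

def expected_false_positives(n_candidates: int) -> float:
    """With a 32-bit id each wrong candidate matches with probability 2**-32, so
    the expected number of spurious hits when testing n candidates is n / 2**32."""
    return n_candidates / 2 ** 32

# Constructed sample: a small "forum username" list and the id that a victim whose
# Linux account is named after their forum handle would report.
SAMPLE_USERNAMES = ["alice", "bob", "satoshi", "justusranvier", "etotheipi"]
VICTIM_ID = home_path_id("/home/satoshi")

if __name__ == "__main__":
    print(recover_username(VICTIM_ID, SAMPLE_USERNAMES))
    # Even a million-name list yields well under one expected false match.
    print(expected_false_positives(1_000_000))
```

The "1 in 4 billion chance of a false positive per attempt" quoted above is `expected_false_positives(1)`; scaling the candidate list to every registered forum handle still leaves the expected number of spurious matches far below one, which is what makes a 32-bit identifier derived from a guessable string equivalent to sending the string itself.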
Gummo
Newbie
Activity: 15
Merit: 0
August 09, 2014, 10:21:02 PM
 #22


> You know that the user won't be making transactions when the application is closed, so you can start to eliminate transactions on the chain which couldn't possibly have been theirs.

Not really. One can broadcast the raw tx, let's say on blockchain.info, when the client is closed. I did it a few times myself.
1a5f9842524 (OP)
Newbie
Activity: 8
Merit: 0
August 09, 2014, 10:32:48 PM
 #23

> Not really. One can broadcast the raw tx, let's say on blockchain.info, when the client is closed. I did it a few times myself.

You're of a very small majority.
justusranvier
Legendary
Activity: 1400
Merit: 1013
August 09, 2014, 11:07:33 PM
 #24

> As a company, we have to have some way to measure our userbase, and we felt this was the least intrusive way possible.  And you can opt-out.

A more responsible way to do this would be to generate a random unique identifier, instead of one that could be guessed ahead of time, and make phoning home an opt-in feature.

Your claim that user can opt out is disingenuous - most users aren't going to know how to change a .desktop file to alter command line options.

For practical purposes options that can't be configured through the GUI don't exist.
Dabs
Legendary
Activity: 3416
Merit: 1912
The Concierge of Crypto
August 10, 2014, 12:16:23 AM
 #25

Measure userbase by number of downloads. Truecrypt did that for 10 years.

bassclef
Hero Member
Activity: 924
Merit: 1000
August 10, 2014, 12:21:44 AM
 #26

> > As a company, we have to have some way to measure our userbase, and we felt this was the least intrusive way possible.  And you can opt-out.
>
> A more responsible way to do this would be to generate a random unique identifier, instead of one that could be guessed ahead of time, and make phoning home an opt-in feature.
>
> Your claim that user can opt out is disingenuous - most users aren't going to know how to change a .desktop file to alter command line options.
>
> For practical purposes options that can't be configured through the GUI don't exist.

I'm not a programmer and certainly wouldn't assume manually modifying a file to be "opting-out."

This is pretty alarming behavior. Guess I won't be using Armory anytime soon.
etotheipi
Legendary
Activity: 1428
Merit: 1093
Core Armory Developer
August 10, 2014, 12:22:24 AM
 #27

Sorry guys, I've been out all day, but I've been thinking about this.  You all are absolutely right.  We made two mistakes:

(1) We assumed that because we choose not to store/process the IP data, that users would believe us that we don't
(2) We incorrectly assumed that the space of user home paths on your desktop was big enough that the 4 byte identifier would not have adverse privacy implications. I did not consider that people's home usernames might be, say, their username on bitcointalk.org

It's quite clear that those two pieces of data do have pretty serious privacy implications.  I want to fix this ASAP.  

To be clear, the reason we made the unique identifiers is because we don't want to store any IP data for the reasons described: if there was a subpoena of some sort, we'd prefer to not have anything to reveal.  And we don't store it.  But, we incorrectly assumed that the unique identifiers would be sufficiently non-privacy-leaking while still allowing us to remove duplicates (in response to justus: we want an identifier that will be persistent between loads so that users that start the program over and over are not counted for each start--as we all know, a lot of users have difficulty with Armory and will start it 300 times to try to get it to work).  It is clear these were bad assumptions since we technically could be storing both which would be quite bad.  

I hope we've generated enough good faith with the community that we get a little slack that this was not our intention.  I take the blame for not realizing that, and I want to make sure that it is fixed.  ASAP.  I will happily take feedback on how this should be adjusted so that we can meet our goals without compromising the privacy of the users.  

I agree we should decouple the option from the announcement fetching.  We consider announcements to be extremely important, and that is why we made that difficult to disable:  if there's a critical security (or privacy!) vulnerability in Armory, there is a very short window where someone might try to exploit it to steal peoples' coins, and there's no better way to help users than to make sure a big scary warning pops up the next time they start Armory.  The fact that we coupled the OS/version reporting with it meant that it was as hard to disable that as it is the announcement fetching.  We can easily separate them and will happily make it easy to disable the OS/version reporting.


Re privacy policy:  On the advice of our lawyer, we included the "may collect IP addresses" because we have no way to prove that we don't.  And since our website uses google-analytics, we don't have control over what google does with the access patterns of users to our website.  It was a bit of CYA that companies have to abide by, especially in the US.  Note that at the bottom of that page we describe how to disable it, with a link to our troubleshooting page.

On the upside: another positive example of the power of open-source software.  We have casually encouraged users to go through the code base, and we even contacted the Open Crypto Audit Project to try to get a code review (and never heard back from them).  We are obviously believers in open-source, and here's the first solid example of Armory getting better because of it.  We will get this fixed.

Founder and CEO of Armory Technologies, Inc.
Armory Bitcoin Wallet: Bringing cold storage to the average user!
Only use Armory software signed by the Armory Offline Signing Key (0x98832223)

Please donate to the Armory project by clicking here!    (or donate directly via 1QBDLYTDFHHZAABYSKGKPWKLSXZWCCJQBX -- yes, it's a real address!)
sesam
Newbie
Activity: 9
Merit: 0
August 10, 2014, 12:23:02 AM
 #28

Thank you for "'fessing up" and good choice to separate announce and statistics.

But most problematic though is (as was reported above) that these requests are not going through the configured Proxy. If that is really so, then Armory users are quickly and easily identified by their ISP, which can be very problematic in some countries.
1a5f9842524 (OP)
Newbie
Activity: 8
Merit: 0
August 10, 2014, 12:41:40 AM
 #29


> It's quite clear that those two pieces of data do have pretty serious privacy implications.  I want to fix this ASAP.


Thank you.
ForgottenPassword
Full Member
Activity: 154
Merit: 100
August 10, 2014, 01:49:39 AM
Last edit: August 10, 2014, 03:48:21 PM by ForgottenPassword
 #30

> But most problematic though is (as was reported above) that these requests are not going through the configured Proxy. If that is really so, then Armory users are quickly and easily identified by their ISP, which can be very problematic in some countries.

It isn't that Armory doesn't use the configured proxy; rather, Armory doesn't have the ability to configure one, as the only connection it makes to the internet is these pings (as far as I know).

Armory uses bitcoind as a backend. Bitcoind connects to the bitcoin network via the proxy it is configured to connect to. This is how people use Tor with Armory: you configure bitcoind (not Armory) to use Tor. Most of the people who do this likely have no idea that Armory is connecting to the internet at all, never mind outside of Tor. I assumed that I had to press "Check for updates" for it to dial home. This is obviously bad for many reasons. A lot of people use bitcoind over Tor to hide the fact they are a bitcoin user from their ISP. The ISP can see these regular pings to bitcoinarmory.com every 30 minutes and figure out they are likely a bitcoin user.

It should be possible to disable the announcement pings in the GUI, maybe have a big scary popup appear when the user tries to disable them that lets the user know that they should manually press "check for updates" and periodically check the website for updates.

I have private messages disabled. Send me an email instead. My contact details can be found here.

Tip Address: 13Lwo1hK5smoBpFWxmqeKSL52EvN8U7asX
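The beacon described in the post above (a request to bitcoinarmory.com every 30 minutes that bypasses the Tor configuration of bitcoind) is exactly the kind of periodic traffic an ISP, or a defender looking for the same leak on their own network, can pick out of resolver logs. The following is an added example, not from the thread and not Armory's code: it runs a simple periodicity check over a constructed sample of DNS query lines. The one-line-per-query log format, the client address, the thresholds and the sample data are all assumptions made for the example.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample of resolver log lines (not real traffic). The Armory host is
# queried every 30 minutes with a second or two of jitter; the other host is
# queried at irregular intervals by the same client.
SAMPLE_LOG = """\
2014-08-10T00:00:05Z client=10.0.0.7 qname=bitcoinarmory.com
2014-08-10T00:03:41Z client=10.0.0.7 qname=bitcointalk.org
2014-08-10T00:30:06Z client=10.0.0.7 qname=bitcoinarmory.com
2014-08-10T00:47:12Z client=10.0.0.7 qname=bitcointalk.org
2014-08-10T01:00:05Z client=10.0.0.7 qname=bitcoinarmory.com
2014-08-10T01:30:07Z client=10.0.0.7 qname=bitcoinarmory.com
2014-08-10T01:58:33Z client=10.0.0.7 qname=bitcointalk.org
2014-08-10T02:00:05Z client=10.0.0.7 qname=bitcoinarmory.com
2014-08-10T02:05:10Z client=10.0.0.7 qname=bitcointalk.org
2014-08-10T02:30:06Z client=10.0.0.7 qname=bitcoinarmory.com
"""

# Assumed log format: "<ISO-8601 UTC timestamp> client=<ip> qname=<domain>".
LINE_RE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) qname=(?P<qname>\S+)$")

def parse_log(text):
    """Return {(client, qname): [epoch seconds, ...]} for every well-formed line."""
    seen = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole scan
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        seen[(m["client"], m["qname"])].append(ts.timestamp())
    return seen

def find_beacons(text, min_hits=4, max_jitter=0.05, min_period=60, max_period=86400):
    """Flag (client, qname) pairs whose query intervals are nearly constant.

    jitter is the coefficient of variation (stddev / mean) of the gaps between
    consecutive queries; a scheduled timer gives a value close to zero, while
    human browsing gives a value near or above one."""
    flagged = {}
    for key, times in parse_log(text).items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if not (min_period <= mean <= max_period):
            continue
        jitter = statistics.pstdev(gaps) / mean
        if jitter <= max_jitter:
            flagged[key] = round(mean)  # period in seconds
    return flagged

if __name__ == "__main__":
    for (client, qname), period in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {qname} every {period}s")
```

Nothing in this check depends on the content of the request: the 30-minute cadence alone separates the Armory client from ordinary browsing, and the queried hostname then identifies the software. That is why routing bitcoind through Tor does not help while the wallet itself opens a direct connection, and why the fix the post asks for (a GUI switch that stops the pings, not merely a proxy setting) is the right one.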
ForgottenPassword
Full Member
Activity: 154
Merit: 100
August 10, 2014, 01:56:40 AM
 #31

I'm really glad this was found and the response from the Armory dev was very reassuring after my initial panic. Thank you for all your hard work etotheipi!

r04r
Newbie
Activity: 2
Merit: 0
August 10, 2014, 03:55:37 AM
 #32

> I hope we've generated enough good faith with the community that we get a little slack that this was not our intention.  I take the blame for not realizing that, and I want to make sure that it is fixed.  ASAP.  I will happily take feedback on how this should be adjusted so that we can meet our goals without compromising the privacy of the users.

Suggestion: Generate a completely random token upon first run. Store this token in the armory data directory, and optionally remove it upon uninstall.
Bonus points: Make it opt-out during install.
Additionally: Destroy all previously collected hashes. To retain usage data just replace them with unique random values, or an incrementing counter.
bitpop
Legendary
Activity: 2912
Merit: 1060
August 10, 2014, 07:03:05 AM
 #33

Armory will always be the best.

tss
Hero Member
Activity: 742
Merit: 500
August 10, 2014, 07:12:13 AM
 #34

i smell poo.. OH SHIT.. its on my shoe.  just stepped in some armory poo and its too late
bananaControl
Sr. Member
Activity: 322
Merit: 250
Decentralize All The Things!
August 10, 2014, 08:50:15 AM
 #35

Once again we have just witnessed the true beauty and power of open source. Thank you 1a5f9842524 for ringing the alarm, and thank you etotheipi for fixing it.
QuantumQrack
Sr. Member
Activity: 337
Merit: 250
August 10, 2014, 10:46:02 AM
 #36

> Once again we have just witnessed the true beauty and power of open source. Thank you 1a5f9842524 for ringing the alarm, and thank you etotheipi for fixing it.

Ditto
ForgottenPassword
Full Member
Activity: 154
Merit: 100
August 10, 2014, 11:02:48 AM
Last edit: August 10, 2014, 03:47:55 PM by ForgottenPassword
 #37

> Why exactly would you need to bypass proxies to "measure our userbase"?

You're misunderstanding that. Try to configure Armory to use a proxy: you can't.

> It isn't that Armory doesn't use the configured proxy; rather, Armory doesn't have the ability to configure one, as the only connection it makes to the internet is these pings (as far as I know).
>
> Armory uses bitcoind as a backend. Bitcoind connects to the bitcoin network via the proxy it is configured to connect to. This is how people use Tor with Armory: you configure bitcoind (not Armory) to use Tor. Most of the people who do this likely have no idea that Armory is connecting to the internet at all, never mind outside of Tor. I assumed that I had to press "Check for updates" for it to dial home. This is obviously bad for many reasons. A lot of people use bitcoind over Tor to hide the fact they are a bitcoin user from their ISP. The ISP can see these regular pings to bitcoinarmory.com every 30 minutes and figure out they are likely a bitcoin user.
>
> It should be possible to disable the announcement pings in the GUI, maybe have a big scary popup appear when the user tries to disable them that lets the user know that they should manually press "check for updates" and periodically check the website for updates.

TimS
Sr. Member
Activity: 250
Merit: 253
August 10, 2014, 12:30:48 PM
 #38

> I will happily take feedback on how this should be adjusted so that we can meet our goals without compromising the privacy of the users.
Here's a suggestion: randomly generate a 32-bit unique identifier, store it in the Armory config files, and report that. It's not perfect, since someone with multiple folders will be counted multiple times, but it's pretty good.
ForgottenPassword
Full Member
Activity: 154
Merit: 100
August 10, 2014, 12:34:20 PM
 #39

> > I will happily take feedback on how this should be adjusted so that we can meet our goals without compromising the privacy of the users.
>
> Here's a suggestion: randomly generate a 32-bit unique identifier, store it in the Armory config files, and report that. It's not perfect, since someone with multiple folders will be counted multiple times, but it's pretty good.

Or just don't use an identifier at all and only send the stats once and keep track of whether they have been sent or not somewhere in the data directory. In the case of an update include the last version that it was updated from so that you guys can adjust your stats.

There is very little reason to need to have a unique identifier for each install. No other wallet does this that I know of.

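The three proposals in this thread (r04r in #32 and TimS in #38: a random token generated on first run and stored in the data directory, gated by an opt-in; ForgottenPassword in #39: no identifier at all, send the stats once per installed version and include the version upgraded from) side by side with the scheme the thread complains about. This is an added example written for this page, not Armory's code and not a description of what Armory shipped. The 4-byte-of-SHA-256 stand-in for the original home-path identifier, the state file name and the report fields are assumptions.

```python
import hashlib
import json
import secrets
import tempfile
from pathlib import Path

# Hypothetical stand-in for the scheme in the thread: 4 bytes derived from the home
# path. The exact hash is not stated, so SHA-256 truncated to 4 bytes is assumed.
def weak_id(home_path: str) -> str:
    return hashlib.sha256(home_path.encode("utf-8")).hexdigest()[:8]

STATE_FILE = "stats_state.json"  # assumed file name inside the wallet data directory

def _load_state(data_dir: Path) -> dict:
    p = data_dir / STATE_FILE
    return json.loads(p.read_text()) if p.exists() else {}

def _save_state(data_dir: Path, state: dict) -> None:
    (data_dir / STATE_FILE).write_text(json.dumps(state))

def persistent_token(data_dir: Path) -> str:
    """32 random bits generated once and reused: stable across restarts, so a user
    who launches the program 300 times is counted once, but derived from nothing
    an attacker could enumerate (no username, path, hostname or MAC)."""
    state = _load_state(data_dir)
    if "id" not in state:
        state["id"] = secrets.token_hex(4)  # os.urandom under the hood
        _save_state(data_dir, state)
    return state["id"]

def build_report(data_dir: Path, opt_in: bool, os_name: str, version: str,
                 once_per_version: bool = False):
    """Return the stats payload to send, or None when nothing should be sent.

    Default: random persistent token (r04r / TimS). With once_per_version=True
    no identifier is sent at all (ForgottenPassword): one report per installed
    version, carrying the version it replaced so upgrades can be subtracted."""
    if not opt_in:
        return None  # opt-in, decided in the GUI, not by editing a .desktop file
    state = _load_state(data_dir)
    if once_per_version:
        if state.get("last_reported") == version:
            return None
        report = {"os": os_name, "version": version,
                  "upgraded_from": state.get("last_reported")}
        state["last_reported"] = version
        _save_state(data_dir, state)
        return report
    return {"id": persistent_token(data_dir), "os": os_name, "version": version}

def run_demo() -> dict:
    """Exercise both schemes in fresh temporary data directories; every value
    in the returned dict is expected to be True."""
    d1, d2 = Path(tempfile.mkdtemp()), Path(tempfile.mkdtemp())
    guesses = {weak_id(f"/home/{u}") for u in ("bob", "alice", "carol")}
    return {
        "weak_id_guessable_from_username": weak_id("/home/alice") in guesses,
        "token_stable_across_restarts": persistent_token(d1) == persistent_token(d1),
        "token_differs_per_install": persistent_token(d1) != persistent_token(d2),
        "opt_out_sends_nothing": build_report(d1, False, "Linux", "0.92") is None,
        "token_report_has_no_path": set(build_report(d1, True, "Linux", "0.92"))
                                    == {"id", "os", "version"},
        "first_report_sent": build_report(d2, True, "Linux", "0.92", True) is not None,
        "repeat_report_suppressed": build_report(d2, True, "Linux", "0.92", True) is None,
        "upgrade_reports_previous": build_report(d2, True, "Linux", "0.93", True)
                                    ["upgraded_from"] == "0.92",
    }

if __name__ == "__main__":
    for check, ok in run_demo().items():
        print(f"{'ok ' if ok else 'FAIL'} {check}")
```

The random token keeps the de-duplication etotheipi asked for in #27 while removing the dictionary attack, because the identifier is no longer a function of anything an outsider can guess; the once-per-version variant gives up per-install counting entirely, which is the strongest option if all the company needs is a count of installs and upgrades. Either way the announcement fetch should carry no identifier at all, so that disabling statistics and disabling security announcements stay separate switches.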
bitpop
Legendary
Activity: 2912
Merit: 1060
August 10, 2014, 12:39:57 PM
 #40

Blockchain constantly tracks you
