amaclin
Legendary
Offline
Activity: 1260
Merit: 1019
|
|
March 08, 2015, 08:35:57 AM |
|
I used an Android wallet, which I do not want to name just yet, pending the developer's response to the situation. With the wallet, I generated the new address 1Bn9ReEocMG1WEW1qYjuDrdFzEFFDCq43F
1) when? 2) is this your site? http://kidcratedigger.weebly.com/contact--donations.html
|
|
|
|
amspir (OP)
Member
Offline
Activity: 112
Merit: 10
|
|
March 08, 2015, 11:03:19 AM |
|
The key was "generated" on Mar 7th. Not my site. None of the transactions are mine, except for the input transaction on that date for 2.57~ btc which was initiated by myself by sending coin from localbitcoins. I have verified that I do have the private key by signing then verifying a message with that address.
|
|
|
|
amaclin
Legendary
Offline
Activity: 1260
Merit: 1019
|
|
March 08, 2015, 11:13:01 AM |
|
The key was "generated" on Mar 7th.
Can you sign a message with a private key of 1Bn9ReEocMG1WEW1qYjuDrdFzEFFDCq43F to be sure that you own this private key? Seems to me that your application has bad random number generator.
|
|
|
|
amspir (OP)
Member
Offline
Activity: 112
Merit: 10
|
|
March 08, 2015, 11:33:32 AM |
|
The key was "generated" on Mar 7th.
Can you sign a message with a private key of 1Bn9ReEocMG1WEW1qYjuDrdFzEFFDCq43F to be sure that you own this private key? Seems to me that your application has bad random number generator. IFLrTIFGi3t8H1zVuKhr4FScU0RUgUWU26U8dpIyCT7XMXB0HmEFJt6ouyBTwpyhOz+3WcydRU7FQauHuyBxZGg= I think it is probable that it is a weak PRNG, but it may be that the device was compromised and altered the PRNG seed in some way. Mostly, I am wondering if the output transactions appear "suspicious", such as going to a mixer, which would imply that the other key owner targeted this address on purpose. The address does have a public label, not set by me, on blockchain.info of "000000"
|
|
|
|
amaclin
Legendary
Offline
Activity: 1260
Merit: 1019
|
|
March 08, 2015, 11:58:00 AM |
|
I think it is probable that it is a weak PRNG, but it may be that the device was compromised and altered the PRNG seed in some way.
tertium non datur
|
|
|
|
Newar
Legendary
Offline
Activity: 1358
Merit: 1001
https://gliph.me/hUF
|
|
March 08, 2015, 01:17:40 PM |
|
Have you tried to contact kidcratedigger? Might be he thought that was a donation...
|
|
|
|
amspir (OP)
Member
Offline
Activity: 112
Merit: 10
|
|
March 08, 2015, 02:55:22 PM |
|
Have you tried to contact kidcratedigger? Might be he thought that was a donation...
I just realized because I didn't read carefully before. Just sent off the email. It is now looking a lot more like a PRNG bug than a malicious hack.
|
|
|
|
Reynaldo
Legendary
Offline
Activity: 1143
Merit: 1000
|
|
March 08, 2015, 06:49:57 PM |
|
PRNG bug for sure or a hack. Its not possible to generate the same priv key for a random address that was used, this might be a PRNG bug that actually made that event possible or someone has hacked the way onto your cellphone.
Not revealing the wallet is a really big mistake and unethical thing to do.
|
|
|
|
Cryptowatch.com
|
|
March 20, 2015, 04:55:32 PM |
|
PRNG bug for sure or a hack. Its not possible to generate the same priv key for a random address that was used, this might be a PRNG bug that actually made that event possible or someone has hacked the way onto your cellphone.
Not revealing the wallet is a really big mistake and unethical thing to do.
An unethical dev could also insert code in the wallet that would occasionally "generate" an address that he already has the privkey for. These might be pre-made and hardcoded into the walletsoftware, so there wouldn't even be signs of nefarious network traffic, or previous usage of said keys. The only way to be reasonably sure the wallet software is legit is to review it's source, then compile it yourself. In general with mobile wallets, don't store more BTC than you can afford to lose. On the other hand, it's also important to present proper evidence, as anyone could really make an accusation against any wallet-developer. But if the wallet developer chose to, he could make available the source code for review, which would prove without doubt that the source code does not contain anything nefarious. Of course there could be malicious code inserted in the distribution process by a party with the necessary resources to do so. I am not very familiar with deterministic builds myself, but here's an article about it: http://www.conifersystems.com/2008/10/17/build-determinism/Basically, the same input, should give the same output, so interested parties can run sha256sum on the binaries, to check they're legit, also checksums can be signed by the developer. If you download an app from any appstore, and there's no such security mechanisms in play, how can you be sure the software is legit? Also, it's worth noting that for a very popular mobile wallet, if only a very low percentage of users are hit with theft, the overall negative impact will probably not be very big, so for the unethical dev, this brings a small but steady income stream. Personally I think all possible details should be disclosed to the community as early as possible
|
|
|
|
|
|
notlist3d
Legendary
Offline
Activity: 1456
Merit: 1000
|
|
May 21, 2015, 02:44:44 PM |
|
PRNG bug for sure or a hack. Its not possible to generate the same priv key for a random address that was used, this might be a PRNG bug that actually made that event possible or someone has hacked the way onto your cellphone.
Not revealing the wallet is a really big mistake and unethical thing to do.
Also it helps track if other users get this error with wallet. I see no reason it is a secret on wallet. Since you already had a problem, releasing the wallet is not going to hurt you more. I would switch wallets from whatever it is. Do you install any games/apps from "untrusted sources"? For the fun of it have you tried to use one of the phone anti virus's to see if it finds anything? *After reading and typing all this just saw date.... I hate when old threads are bumped up.
|
|
|
|
sl@ppy
Member
Offline
Activity: 65
Merit: 10
|
|
May 25, 2015, 05:15:56 PM |
|
amazon apk
|
|
|
|
Andre#
|
|
May 27, 2015, 06:56:02 AM |
|
|
|
|
|
|
tspacepilot
Legendary
Offline
Activity: 1456
Merit: 1081
I may write code in exchange for bitcoins.
|
|
May 29, 2015, 06:33:42 PM |
|
If I'm following this thread correctly, we still don't know which wallet software was used? Is that correct?
@amaclin above who mentioned law of excluded middle. While it's true that any proposition is true or it's contradictory is true, it's completely possible that dude has a bad PRNG & was hacked. There's no logical reason why both can't be true---they're not contradictories.
|
|
|
|
TheButterZone
Legendary
Offline
Activity: 3038
Merit: 1032
RIP Mommy
|
|
May 29, 2015, 07:07:37 PM |
|
If I'm following this thread correctly, we still don't know which wallet software was used? Is that correct?
Incorrect. We know which wallet it was, it's the same one that has had the same crap PRNG code gmaxwell has been complaining about for years: Blockchain.info Wallet. See post #35 directly above yours.
|
Saying that you don't trust someone because of their behavior is completely valid.
|
|
|
findftp
Legendary
Offline
Activity: 1022
Merit: 1008
Delusional crypto obsessionist
|
|
May 29, 2015, 07:42:31 PM |
|
If I'm following this thread correctly, we still don't know which wallet software was used? Is that correct?
Incorrect. We know which wallet it was, it's the same one that has had the same crap PRNG code gmaxwell has been complaining about for years: Blockchain.info Wallet. See post #35 directly above yours. You're sure? I did not see OP say it was blockchain.info wallet. Only someone else who had similar problems which could also be accidentally another wallet.
|
|
|
|
tspacepilot
Legendary
Offline
Activity: 1456
Merit: 1081
I may write code in exchange for bitcoins.
|
|
May 29, 2015, 07:55:35 PM |
|
If I'm following this thread correctly, we still don't know which wallet software was used? Is that correct?
Incorrect. We know which wallet it was, it's the same one that has had the same crap PRNG code gmaxwell has been complaining about for years: Blockchain.info Wallet. See post #35 directly above yours. Got it now (although post #35 contains some links to reddit, which I didn't click, I suppose that's where I woulda found the info). Anyway, I guess the best that can be done is to downvote the app on google play store? The only android wallet I've used is Andreas' and it's been great.
|
|
|
|
TheButterZone
Legendary
Offline
Activity: 3038
Merit: 1032
RIP Mommy
|
|
May 29, 2015, 07:57:00 PM |
|
If I'm following this thread correctly, we still don't know which wallet software was used? Is that correct?
Incorrect. We know which wallet it was, it's the same one that has had the same crap PRNG code gmaxwell has been complaining about for years: Blockchain.info Wallet. See post #35 directly above yours. You're sure? I did not see OP say it was blockchain.info wallet. Only someone else who had similar problems which could also be accidentally another wallet. You think any other wallets are coded to use exactly the same crap entropy source as Blockchain.info Wallet and generate the same exact private key for 1Bn9ReEocMG1WEW1qYjuDrdFzEFFDCq43F from exactly the same crap entropy source as Blockchain.info Wallet? Anyway, I guess the best that can be done is to downvote the app on google play store?
I would if Google+ wasn't required to leave reviews. Even if it wasn't, we'd need a significant amount of the 58,208 out of 70,278 total reviewers to downgrade their 3-5 stars to 2s and 1s to lower the average enough for anyone to pay attention.
|
Saying that you don't trust someone because of their behavior is completely valid.
|
|
|
|