[ANNOUNCE] Electrum - Lightweight Bitcoin Client - page 64.

Tuxavant

hero member

Activity: 784

Merit: 1010

Bitcoin Mayor of Las Vegas

Quote from: ThomasV on June 01, 2012, 04:43:21 AM

I am saying it is not safe to use a sentence from a book as your seed. Do not do that. Never.

Except in Hollywood movies. This is what future blockbuster Bitcoin movies will be about. I still see it as somewhat useful because there are things you can do to the phrases to break the attack model (nuff said).

Xenland

legendary

Activity: 980

Merit: 1003

I'm not just any shaman, I'm a Sha256man

Quote from: ThomasV on June 01, 2012, 04:43:21 AM

Quote from: Xenland on June 01, 2012, 03:42:22 AM

So you just saying google predicted how many estimated titles their are? I can throw out a big number too (sarcasum)

So then the average user probubly have nothing to worry about as not many people to my knowledge have access to search against the google book database with bitcoin seeds and i doubt those who have the entire google book database will only attack those wallets with high amounts of value in it(which if this is the case i doubt someone/entity would use a sentence from a book and would instead use a randomly generated password that is like a million characters in length)

I am saying it is not safe to use a sentence from a book as your seed. Do not do that. Never.

Anyone can access a digitized library, loop over all sentences, derive Bitcoin addresses from them, and check them against the Bitcoin database. It does not take a vast amount of resources, and time is on the side of the attacker. There is already an instance of Bitcoins that have been stolen because someone created an address derived from a short phrase (it was something like 'fuckyou' iirc). It only a matter of time until someone uses a large book database to feed their search algorithm.

And, no, I was not throwing a big number. 130 million books is ridiculously small in terms of search. If we assume that each book contains on average 10000 sentences (a very generous estimate), we get around 10^15 sentences to test. In contrast, a random seed with 128 bits of entropy yield 3.4x10^38 combinations. Do you understand the difference between those numbers?

Do not trust people who tell you that you can safely derive the seed yourself. Train your memory and learn a purely random seed.

Ah i see high rate of probability of figuring out the seed now with the formula you presented.
I guess it really isn't a good idea, but to be fair 'fuckyou' is more like a dictionary attack or a commonly used password then a complete sentence out of a book.

Regardless of my perspective/opinions,
Thank you again for your insight.

ThomasV

legendary

Activity: 1896

Merit: 1353

Quote from: Xenland on June 01, 2012, 03:42:22 AM

So you just saying google predicted how many estimated titles their are? I can throw out a big number too (sarcasum)

So then the average user probubly have nothing to worry about as not many people to my knowledge have access to search against the google book database with bitcoin seeds and i doubt those who have the entire google book database will only attack those wallets with high amounts of value in it(which if this is the case i doubt someone/entity would use a sentence from a book and would instead use a randomly generated password that is like a million characters in length)

I am saying it is not safe to use a sentence from a book as your seed. Do not do that. Never.

Anyone can access a digitized library, loop over all sentences, derive Bitcoin addresses from them, and check them against the Bitcoin database. It does not take a vast amount of resources, and time is on the side of the attacker. There is already an instance of Bitcoins that have been stolen because someone created an address derived from a short phrase (it was something like 'fuckyou' iirc). It only a matter of time until someone uses a large book database to feed their search algorithm.

And, no, I was not throwing a big number. 130 million books is ridiculously small in terms of search. If we assume that each book contains on average 10000 sentences (a very generous estimate), we get around 10^15 sentences to test. In contrast, a random seed with 128 bits of entropy yield 3.4x10^38 combinations. Do you understand the difference between those numbers?

Do not trust people who tell you that you can safely derive the seed yourself. Train your memory and learn a purely random seed.

Xenland

legendary

Activity: 980

Merit: 1003

I'm not just any shaman, I'm a Sha256man

Quote from: ThomasV on June 01, 2012, 01:45:19 AM

Quote from: Xenland on June 01, 2012, 01:30:39 AM

Quote from: ThomasV on June 01, 2012, 01:27:45 AM

Quote from: interlagos on May 31, 2012, 06:49:44 PM

Not sure if it was discussed here or not,
but I think the easiest way to memorize your seed is to:

1) Pick up your favorite book
2) Remember the page number
3) Remember the number of the sentence from the top of the page
4) Compute md5 of that sentence and you got your seed!!!

So it comes down to remembering just two numbers and your favorite book instead of twelve random words.

this is not safe. An attacker can (and will) try all the sentences of the known litterature.

That could be why is mentioned picking up your favorite book making the literature unknown(unless the attacker was there when you picked up the book to type in your sentence)

http://www.geek.com/articles/news/google-books-calculates-the-total-number-of-books-ever-written-at-almost-130-million-2010086/

So you just saying google predicted how many estimated titles their are? I can throw out a big number too (sarcasum)

So then the average user probubly have nothing to worry about as not many people to my knowledge have access to search against the google book database with bitcoin seeds and i doubt those who have the entire google book database will only attack those wallets with high amounts of value in it(which if this is the case i doubt someone/entity would use a sentence from a book and would instead use a randomly generated password that is like a million characters in length)

ThomasV

legendary

Activity: 1896

Merit: 1353

Quote from: Xenland on June 01, 2012, 01:30:39 AM

Quote from: ThomasV on June 01, 2012, 01:27:45 AM

Quote from: interlagos on May 31, 2012, 06:49:44 PM

Not sure if it was discussed here or not,
but I think the easiest way to memorize your seed is to:

1) Pick up your favorite book
2) Remember the page number
3) Remember the number of the sentence from the top of the page
4) Compute md5 of that sentence and you got your seed!!!

So it comes down to remembering just two numbers and your favorite book instead of twelve random words.

this is not safe. An attacker can (and will) try all the sentences of the known litterature.

That could be why is mentioned picking up your favorite book making the literature unknown(unless the attacker was there when you picked up the book to type in your sentence)

http://www.geek.com/articles/news/google-books-calculates-the-total-number-of-books-ever-written-at-almost-130-million-2010086/

Xenland

legendary

Activity: 980

Merit: 1003

I'm not just any shaman, I'm a Sha256man

Quote from: ThomasV on June 01, 2012, 01:27:45 AM

Quote from: interlagos on May 31, 2012, 06:49:44 PM

Not sure if it was discussed here or not,
but I think the easiest way to memorize your seed is to:

1) Pick up your favorite book
2) Remember the page number
3) Remember the number of the sentence from the top of the page
4) Compute md5 of that sentence and you got your seed!!!

So it comes down to remembering just two numbers and your favorite book instead of twelve random words.

this is not safe. An attacker can (and will) try all the sentences of the known litterature.

That could be why is mentioned picking up your favorite book making the literature unknown(unless the attacker was there when you picked up the book to type in your sentence)

ThomasV

legendary

Activity: 1896

Merit: 1353

Quote from: interlagos on May 31, 2012, 06:49:44 PM

Not sure if it was discussed here or not,
but I think the easiest way to memorize your seed is to:

1) Pick up your favorite book
2) Remember the page number
3) Remember the number of the sentence from the top of the page
4) Compute md5 of that sentence and you got your seed!!!

So it comes down to remembering just two numbers and your favorite book instead of twelve random words.

this is not safe. An attacker can (and will) try all the sentences of the known litterature.

molecular

donator

Activity: 2772

Merit: 1019

Quote from: bitcats on May 21, 2012, 06:59:30 AM

For "balance", in this context you can say "Umsätze", thats the common term.
For "freeze" you could say "lock" = "sperren".
"Unlock" = "freischalten" (1) or "entsperren" (2).

"Quellschlüssel" (source key) could be used for "seed".

"balance" is more like "Saldo" than Umsätze, right?

"Quellenschlüssel"... hmm, hmmm. "seed" ist auf jeden fall ne harte Nuss. Könnte man wohl auch unübersetzt lassen. Wie wärs mit "Grundschlüssel" oder "Basisschlüssel", vielleicht auch ganz salopp: "Basiszahl"?

Tuxavant

hero member

Activity: 784

Merit: 1010

Bitcoin Mayor of Las Vegas

Quote from: interlagos on May 31, 2012, 06:49:44 PM

1) Pick up your favorite book
2) Remember the page number
3) Remember the number of the sentence from the top of the page
4) Compute md5 of that sentence and you got your seed!!!

So it comes down to remembering just two numbers and your favorite book instead of twelve random words.

seems to suggest that "restore" command requires network connection while "create" doesn't.

Say WAAAAAAAAT? That is some hotness right there... Will play with this tonight!

Also, use the -o option if you are offline with pretty much any command option or you'll get a (process) hang of death. In my experience anyway.

interlagos

hero member

Activity: 496

Merit: 500

Not sure if it was discussed here or not,
but I think the easiest way to memorize your seed is to:

1) Pick up your favorite book
2) Remember the page number
3) Remember the number of the sentence from the top of the page
4) Compute md5 of that sentence and you got your seed!!!

So it comes down to remembering just two numbers and your favorite book instead of twelve random words.

I've just discovered Electrum for myself and I think it's awesome!!!
I'm gonna test offline transactions tomorrow.

Also this wiki page: https://en.bitcoin.it/wiki/Electrum
seems to suggest that "restore" command requires network connection while "create" doesn't.
They both seem identical to me with respect to network connection as one command generates random seed and another one takes it from the user. Both commands shouldn't require network connection IMHO.

ThomasV

legendary

Activity: 1896

Merit: 1353

I just released version 0.53

Changes:

- internationalisation.
Messages have been translated in 4 languages:
si :46/70
de :37/70
fr :45/70
vn :62/70
note: if you use the version from the git repo, run mki18n.py to generate the .mo files.

- The import of modules has changed a bit. It is now possible to run 'electrum' without having run the install script; this should make it easier for users trying to use Electrum on other platforms than Linux

- improved error messages

ThomasV

legendary

Activity: 1896

Merit: 1353

Quote from: Tuxavant on May 30, 2012, 08:04:13 AM

Trying to import some keys from an old wallet and all I get is "error". It is very likely it's just a duplicate key, but is there anyway to increase the debugging information?

yes, I just changed that

Tuxavant

hero member

Activity: 784

Merit: 1010

Bitcoin Mayor of Las Vegas

Trying to import some keys from an old wallet and all I get is "error". It is very likely it's just a duplicate key, but is there anyway to increase the debugging information?

ThomasV

legendary

Activity: 1896

Merit: 1353

Quote from: flatfly on May 30, 2012, 02:54:35 AM

Quote from: duncant on May 30, 2012, 01:18:17 AM

Quote from: Tuxavant on May 28, 2012, 10:40:28 AM

Just curious, what's keeping this from working on a Mac?

I think you just need to have the right libraries installed. I run a Mac and after I installed the requisite libraries with macports, everything runs just fine. (I just installed the libraries listed as required for linux)

Nice, perhaps the homepage could mention Mac support then?

not as long as there is no easy to install solution for mac users

flatfly

legendary

Activity: 1092

Merit: 1016

760930

Quote from: duncant on May 30, 2012, 01:18:17 AM

Quote from: Tuxavant on May 28, 2012, 10:40:28 AM

Just curious, what's keeping this from working on a Mac?

I think you just need to have the right libraries installed. I run a Mac and after I installed the requisite libraries with macports, everything runs just fine. (I just installed the libraries listed as required for linux)

Nice, perhaps the homepage could mention Mac support then?

duncant

jr. member

Activity: 53

Merit: 2

Quote from: Tuxavant on May 28, 2012, 10:40:28 AM

Just curious, what's keeping this from working on a Mac?

I think you just need to have the right libraries installed. I run a Mac and after I installed the requisite libraries with macports, everything runs just fine. (I just installed the libraries listed as required for linux)

flatfly

legendary

Activity: 1092

Merit: 1016

760930

Indeed better forget about setup.py on windows, at least for now. What happens when you run electrum manually, by typing "Python electrum" at the cmd prompt?

ThomasV

legendary

Activity: 1896

Merit: 1353

Quote from: Lumpy on May 28, 2012, 11:17:34 PM

I'm having trouble running Electrum on Windows -- anyone care to give some tips?

What I did:

-Installed Python 2.7
-Installed PyQt-Py2.7-x64-gpl-4.9.1-1
-Ran setup.py build. Seemed successful.
-Ran setup.py install. Got:

oh, the setup.py script has been designed for Linux;
there is probably a way to adapt it for Windows, but I do not know how to do that

Lumpy

full member

Activity: 237

Merit: 100

I'm having trouble running Electrum on Windows -- anyone care to give some tips?

What I did:

-Installed Python 2.7
-Installed PyQt-Py2.7-x64-gpl-4.9.1-1
-Ran setup.py build. Seemed successful.
-Ran setup.py install. Got:

Code:

C:\Python27\lib\distutils\dist.py:267: UserWarning: Unknown distribution option:
'install_requires'
  warnings.warn(msg)
running install
running build
running build_py
running build_scripts
running install_lib
running install_scripts
running install_data
Traceback (most recent call last):
  File "C:\Users\Lumpy\Desktop\Electrum-0.52\Electrum-0.52\setup.py", line 42,
in
   long_description = """Lightweight Bitcoin Wallet"""
  File "C:\Python27\lib\distutils\core.py", line 152, in setup
   dist.run_commands()
  File "C:\Python27\lib\distutils\dist.py", line 953, in run_commands
   self.run_command(cmd)
  File "C:\Python27\lib\distutils\dist.py", line 972, in run_command
   cmd_obj.run()
  File "C:\Python27\lib\distutils\command\install.py", line 575, in run
   self.run_command(cmd_name)
  File "C:\Python27\lib\distutils\cmd.py", line 326, in run_command
   self.distribution.run_command(command)
  File "C:\Python27\lib\distutils\dist.py", line 972, in run_command
   cmd_obj.run()
  File "C:\Python27\lib\distutils\command\install_data.py", line 58, in run
   dir = convert_path(f[0])
  File "C:\Python27\lib\distutils\util.py", line 204, in convert_path
   raise ValueError, "path '%s' cannot be absolute" % pathname
ValueError: path '/usr/share/applications/' cannot be absolute

~~I've tried the flatfly executables but they don't seem to work with command line options...~~
Figured out the SHIFT trick with the flatfly executables but I would still love to know what I'm doing wrong.

ThomasV

legendary

Activity: 1896

Merit: 1353

Quote from: Tuxavant on May 28, 2012, 03:02:13 PM

Saw this featured hinted at in another thread...

How, exactly, does electrum monitor off-line address balances?

use 'deseed' if you want to watch an offline wallet
if you want to monitor a random address, there's a script named watch_address

Topic: [ANNOUNCE] Electrum - Lightweight Bitcoin Client - page 64. (Read 274537 times)