Pages:
Author

Topic: BitcoinSpinner - page 19. (Read 55544 times)

Jan
legendary
Activity: 1043
Merit: 1002
December 12, 2012, 09:57:04 AM
From the BitcoinSpinner announcement thread:
BitcoinSpinner v0.8.0b is out. You can download/upgrade it from the Google Android market (god know why, but they call it Google Play these days), or fetch it directly from the project site. The differences may seem subtle, but it is backed by 1 1/2 months of hard full time work where most of the time has been spent on the backend system.
User visible changes:
 - Even faster: The next generation BCCAPI is simpler, has fewer lines og code, requires fewer server roundtrips during startup, while being as secure as before.
 - In addition to displaying "coins on the way to you" on the main screen it also displays how many coins you are currently sending.
 - Transaction history color coded to make it easier to distinguish receives and sends
 - Transaction history now displays the address you received coins from instead of displaying which address you received the coins with.
 - Better error messages when trying to spend your last coins while you cannot afford the miner fee.

BitcoinSpinner is now backed by another version of the BCCAPI, which makes it much easier to manage multiple redundant servers as they no longer need to share anything but the block chain.  I will maintain backwards compatibility with version 0.7.3b for about a month, leaving people time to upgrade, whereafter I'll scrap the old server. This allows me to manage multiple redundant copies of the new backend, which has been requested by several.
 
Enjoy
For those of you who are using the raw BCCAPI there will be a little integration work to get to the next generation. The good news is that:
1. The new API is simpler and more powerful, as it allows you query on any Bitcoin address
2. The old API will continue to work for a month or so.

Look for bitlib and bccapi here: http://code.google.com/p/bitcoinspinner/source/browse/#svn%2Ftrunk
bitlib is a self-contained Java library for dealing with transactions (creating, parsing wire-format, signing, ...)
bccapi builds on top of that and connects to a server etc, so if you don't like that you can still use bitlib

There is a brand new version of the ASCII based SimpleClient showing how to use it here: http://code.google.com/p/bitcoinspinner/source/browse/trunk/bccapi/src/com/bccapi/ng/example/SimpleClient.java

I haven't updated the official BCCAPI page yet, but I am working on it.
sr. member
Activity: 430
Merit: 250
November 27, 2012, 04:55:33 AM
The only other attack I can think of against BitcoinSpinner is extracting your backup wallet which is the same as getting your private key, which is probably more a problem of your phone or OS more than the software itself, (or if some malware gets root on your android phone, because of some stupid game you installed that wasn't in the google play store, that you picked up from some random web site = this is now user error.)

Isn't the key encrypted with the pin when stored on non-volatile mem?

I know Jan said it's trivial to brute-force that, but still, it'll add some time, right?
If someone gets to it, it would take a minute to write a script AND bruteforce the password. No security there. Where it does help is, if someone steals your phone, they actually have to connect it to a computer and copy the necessary data in order to get to the key, possibly giving you enough time to restore from backup and clear the wallet.
donator
Activity: 2772
Merit: 1019
November 27, 2012, 04:52:22 AM
The only other attack I can think of against BitcoinSpinner is extracting your backup wallet which is the same as getting your private key, which is probably more a problem of your phone or OS more than the software itself, (or if some malware gets root on your android phone, because of some stupid game you installed that wasn't in the google play store, that you picked up from some random web site = this is now user error.)

Isn't the key encrypted with the pin when stored on non-volatile mem?

I know Jan said it's trivial to brute-force that, but still, it'll add some time, right?
legendary
Activity: 3416
Merit: 1912
The Concierge of Crypto
November 26, 2012, 12:41:24 AM
Just guard your phone from eavesdroppers the same way you cover the keypad when at a bank ATM machine withdrawing money. The pin is just to slow down any attack. When you suspect that someone is trying to get your coins (trying to crack your PIN), you simply send all of them to another new wallet.

The only other attack I can think of against BitcoinSpinner is extracting your backup wallet which is the same as getting your private key, which is probably more a problem of your phone or OS more than the software itself, (or if some malware gets root on your android phone, because of some stupid game you installed that wasn't in the google play store, that you picked up from some random web site = this is now user error.)
newbie
Activity: 49
Merit: 0
November 24, 2012, 02:07:42 AM
Thanks for looking into it so fast. Whatever you did to clear the old transaction worked and the second attempt went through.
Jan
legendary
Activity: 1043
Merit: 1002
November 24, 2012, 01:25:07 AM
Is there a server outage or problem about now?
I made a transaction at 5:11 Pacific time (for 0.40950000) and an hour later it's still unconfirmed.
The transaction doesn't show up in block explorer.
The app seems to think it's talking to the server just fine and I'm not having any network trouble.

The wallet address is: 152U2YVT27mWTbnDT5XnWxeGSjmr2Dk9e5
Block tracking stalled for some reason. It is currently catching up, I'll look into the reason why.
newbie
Activity: 49
Merit: 0
November 23, 2012, 09:21:55 PM
Is there a server outage or problem about now?
I made a transaction at 5:11 Pacific time (for 0.40950000) and an hour later it's still unconfirmed.
The transaction doesn't show up in block explorer.
The app seems to think it's talking to the server just fine and I'm not having any network trouble.

The wallet address is: 152U2YVT27mWTbnDT5XnWxeGSjmr2Dk9e5
sr. member
Activity: 438
Merit: 291
November 22, 2012, 07:42:08 PM
Hi Jan,

Are you planning on open sourcing or at least providing the server to selected individuals so that redundancy can be achieved by community effort?
I am currently in negotiations with a company in the Bitcoin world around this. I am sorry, but I cannot say more right now.

Someone has released an opensource backend..

https://bitcointalksearch.org/topic/ann-announcing-code-availability-of-the-bitsofproof-supernode-122013
donator
Activity: 2772
Merit: 1019
November 19, 2012, 04:33:55 PM
keep it simple ;>
Quote
Wow, solomining, I wish I was around back in those days.
Nice PIN workaround  Wink
Keeping BitcoinSpinner simple and secure is on the top of my list.

you're on the right track, don't fuck it up by listening to weird suggestions like mine ;>

Jan
legendary
Activity: 1043
Merit: 1002
November 19, 2012, 04:28:48 PM
I don't understand what you mean with 2 qr-code backups?

I have two different QR-code backups for BitcoinSpinner, each is for a different wallet (savings/spending wallet)
Whenever I am running low on coins on my spending wallet I do this (at home):
1) restore the backup of my savings wallet by scanning a QR-code
2) send some coins to my spending wallet (I have the address in my address book)
3) restore the backup of my spending wallet

Whenever you restore a wallet the previous wallet is wiped from the device. This way no one can get to my savings wallet unless they do a firehose attack in my home.

The way to create two QR-code backups:
1) Install BitcoinSpinner
2) Make QR-code backup
3) uninstall BitcoinSpinner
4) Install BitcoinSpinner (new random address generated in each install)
5) Make QR-code backup

Now you can switch back and forth by just scanning a QR-code.  Grin

uhm ok, jan. I can see why you would use bitcoinspinner as savings wallet. I don't. I have 4 levels of wallets:

  • brainwallet for long-term savings
  • satoshi client for mid-term stuff and to retain glorious early mining history (I actually mined a block solo)
  • electrum for shopping or whatever, everyday use
  • bitcoinspinner for on-the-go action

I'll load up bitcoinspinner with what I suspect I could need before getting back home. As you saw personally in London when you looked at my phone this can be quite a lot, though Wink

I want to retract my suggestion of "alternating pins", because I have found a nice workaround:

  • enter first half of PIN
  • turn 180 degrees
  • enter second half of PIN

thanks for your consideration, though.

keep it simple ;>
Wow, solomining, I wish I was around back in those days.
Nice PIN workaround  Wink
Keeping BitcoinSpinner simple and secure is on the top of my list.
Jan
legendary
Activity: 1043
Merit: 1002
November 19, 2012, 04:25:36 PM
I have restarted the phone, however problem persists, did a screenshot. After I reinstalled bitcoinspinner and restored the backup, the button worked until the moment i activated hardware keyboard. Since that it doesn't work anymore again. I'm using sony xperia mini pro with qwerty hardware keyboard.
Hmm... seems to be related to the hardware keyboard. I have a device with a hardware keyboard that I normally never use. I'll try it out and see if I can reproduce it. Thanks for the report.
donator
Activity: 2772
Merit: 1019
November 19, 2012, 01:55:02 PM
I don't understand what you mean with 2 qr-code backups?

I have two different QR-code backups for BitcoinSpinner, each is for a different wallet (savings/spending wallet)
Whenever I am running low on coins on my spending wallet I do this (at home):
1) restore the backup of my savings wallet by scanning a QR-code
2) send some coins to my spending wallet (I have the address in my address book)
3) restore the backup of my spending wallet

Whenever you restore a wallet the previous wallet is wiped from the device. This way no one can get to my savings wallet unless they do a firehose attack in my home.

The way to create two QR-code backups:
1) Install BitcoinSpinner
2) Make QR-code backup
3) uninstall BitcoinSpinner
4) Install BitcoinSpinner (new random address generated in each install)
5) Make QR-code backup

Now you can switch back and forth by just scanning a QR-code.  Grin

uhm ok, jan. I can see why you would use bitcoinspinner as savings wallet. I don't. I have 4 levels of wallets:

  • brainwallet for long-term savings
  • satoshi client for mid-term stuff and to retain glorious early mining history (I actually mined a block solo)
  • electrum for shopping or whatever, everyday use
  • bitcoinspinner for on-the-go action

I'll load up bitcoinspinner with what I suspect I could need before getting back home. As you saw personally in London when you looked at my phone this can be quite a lot, though Wink

I want to retract my suggestion of "alternating pins", because I have found a nice workaround:

  • enter first half of PIN
  • turn 180 degrees
  • enter second half of PIN

thanks for your consideration, though.

keep it simple ;>
sr. member
Activity: 340
Merit: 250
GO http://bitcointa.lk !!! My new nick: jurov
November 19, 2012, 01:53:40 PM
Hello,

my phone came from warranty repair with replaced mainboard (= completely wiped), I upgraded it to android 4, reinstalled bitcoinspinner and restored it from backup. Now all looks fine, only the "Send Bitcoins" stays always disabled, no matter what amount I put in.

Version 0.7.3b
System version: 4.0.4
Good to hear that your bitcoins survived a mainboard replacement. I haven't heard about the Send button being permanently disabled before. Try and restart BitcoinSpinner (it is not enough to exit the application). You can stop apps somewhere in system settings, or alternatively restart the phone. Let me know whether that helps.
I have restarted the phone, however problem persists, did a screenshot. After I reinstalled bitcoinspinner and restored the backup, the button worked until the moment i activated hardware keyboard. Since that it doesn't work anymore again. I'm using sony xperia mini pro with qwerty hardware keyboard.



And I have a question: Seems like the old mainboard was not dead completely, perhaps only battery management circuits failed. If I connected the phone to a PC, it did detect it. In this situation, would someone examining the board be able to extract the private key? If yes, it would be worthwhile to add passphrase encryption to bitcoinspinner.
If you have access to the mainboard and the right skills/equipment I am pretty sure that you can get to the keys. However, encrypting the keys with the 6 digit PIN doesn't really help, as brute forcing it is trivial. Having the user enter a very long passphrase on a phone is not feasible (you need about 128 bits of entropy), and people are notoriously bad at choosing "safe" passwords.
If you use BitcoinSpinner to store more coins than you are comfortable loosing from a physical attack I suggest that you have two different backup QR-codes. Switching between them is as easy as scanning a QR-code. Once you scan a different backup the old keys are overwritten.
This is what I do myself, and it works really well.
I meant the server can verify pin code and enforce delays if there are too many unsuccessful tries.
Jan
legendary
Activity: 1043
Merit: 1002
November 19, 2012, 09:19:51 AM
I don't understand what you mean with 2 qr-code backups?

I have two different QR-code backups for BitcoinSpinner, each is for a different wallet (savings/spending wallet)
Whenever I am running low on coins on my spending wallet I do this (at home):
1) restore the backup of my savings wallet by scanning a QR-code
2) send some coins to my spending wallet (I have the address in my address book)
3) restore the backup of my spending wallet

Whenever you restore a wallet the previous wallet is wiped from the device. This way no one can get to my savings wallet unless they do a firehose attack in my home.

The way to create two QR-code backups:
1) Install BitcoinSpinner
2) Make QR-code backup
3) uninstall BitcoinSpinner
4) Install BitcoinSpinner (new random address generated in each install)
5) Make QR-code backup

Now you can switch back and forth by just scanning a QR-code.  Grin
donator
Activity: 2772
Merit: 1019
November 19, 2012, 09:02:31 AM
I recently had an idea:

how about having 2 pins which have to be entered alternatingly.

That way, if some dude sees you enter pin and takes your phone it wont help him because next time he'll need the other one and you have enough time to move the coins.

Hmm.. I am not sure I like it. If some guy can observe you enter one PIN he can also observe you enter two. Also, I'll have to remember two PINs, and get frustrated whenever I enter the wrong one, which will happen 50% of the time as I cannot possibly remember which one I use last time. In the end my head will explode.
In the end I think it is much better to have two QR-code backups. The one with the large amount is only loaded briefly to recharge the other.


The situation in which this occurred to me was when I was selling some bitcoin to a dude at a McDonalds. He could well have had a friend behind me observing me input the pin. He would only get one chance at this.

Spinner could display "enter pin #1" or "enter pin #2" to alleviate the second problem.

Alternating-PIN should of course be optional.

I don't understand what you mean with 2 qr-code backups?
Jan
legendary
Activity: 1043
Merit: 1002
November 19, 2012, 08:57:17 AM
I recently had an idea:

how about having 2 pins which have to be entered alternatingly.

That way, if some dude sees you enter pin and takes your phone it wont help him because next time he'll need the other one and you have enough time to move the coins.

Hmm.. I am not sure I like it. If some guy can observe you enter one PIN he can also observe you enter two. Also, I'll have to remember two PINs, and get frustrated whenever I enter the wrong one, which will happen 50% of the time as I cannot possibly remember which one I use last time. In the end my head will explode.
In the end I think it is much better to have two QR-code backups. The one with the large amount is only loaded briefly to recharge the other.
donator
Activity: 2772
Merit: 1019
November 19, 2012, 08:47:33 AM
I recently had an idea:

how about having 2 pins which have to be entered alternatingly.

That way, if some dude sees you enter pin and takes your phone it wont help him because next time he'll need the other one and you have enough time to move the coins.
Jan
legendary
Activity: 1043
Merit: 1002
November 18, 2012, 04:35:34 PM
Hello,

my phone came from warranty repair with replaced mainboard (= completely wiped), I upgraded it to android 4, reinstalled bitcoinspinner and restored it from backup. Now all looks fine, only the "Send Bitcoins" stays always disabled, no matter what amount I put in.

Version 0.7.3b
System version: 4.0.4
Good to hear that your bitcoins survived a mainboard replacement. I haven't heard about the Send button being permanently disabled before. Try and restart BitcoinSpinner (it is not enough to exit the application). You can stop apps somewhere in system settings, or alternatively restart the phone. Let me know whether that helps.

And I have a question: Seems like the old mainboard was not dead completely, perhaps only battery management circuits failed. If I connected the phone to a PC, it did detect it. In this situation, would someone examining the board be able to extract the private key? If yes, it would be worthwhile to add passphrase encryption to bitcoinspinner.
If you have access to the mainboard and the right skills/equipment I am pretty sure that you can get to the keys. However, encrypting the keys with the 6 digit PIN doesn't really help, as brute forcing it is trivial. Having the user enter a very long passphrase on a phone is not feasible (you need about 128 bits of entropy), and people are notoriously bad at choosing "safe" passwords.
If you use BitcoinSpinner to store more coins than you are comfortable loosing from a physical attack I suggest that you have two different backup QR-codes. Switching between them is as easy as scanning a QR-code. Once you scan a different backup the old keys are overwritten.
This is what I do myself, and it works really well.



Instead I suggest that you

To be on the safe side you should move your coins. If you reinstall BitcoinSpinner it will generate a new address
sr. member
Activity: 340
Merit: 250
GO http://bitcointa.lk !!! My new nick: jurov
November 18, 2012, 02:51:17 PM
Hello,

my phone came from warranty repair with replaced mainboard (= completely wiped), I upgraded it to android 4, reinstalled bitcoinspinner and restored it from backup. Now all looks fine, only the "Send Bitcoins" stays always disabled, no matter what amount I put in.

Version 0.7.3b
System version: 4.0.4

And I have a question: Seems like the old mainboard was not dead completely, perhaps only battery management circuits failed. If I connected the phone to a PC, it did detect it. In this situation, would someone examining the board be able to extract the private key? If yes, it would be worthwhile to add passphrase encryption to bitcoinspinner.
legendary
Activity: 2576
Merit: 2267
1RichyTrEwPYjZSeAYxeiFBNnKC9UjC5k
November 15, 2012, 09:54:08 AM
h jan,

thank you for your effort.

what will happend if the server is not reachable ?
will the bitcoin spinner app has also a malfunction ?
can i have access to my bitcoin wallet and bitcoins ?

what is happend in this case ?

regards
pazor



You should make sure to export the private key in any case. Then you can simply use a different wallet should bitcoinspinner fail in any way and for whatever reason.
Pages:
Jump to: