
Topic: BrainWallet Defcon Attack Discussion, Advice, Q&A, Brainflayer Info, etc. - page 2. (Read 12417 times)

member
Activity: 105
Merit: 59
I plan to release an update adding support for this "passphrase plus xor" brainwallet variant, so don't go using it.
member
Activity: 178
Merit: 10
I have several times changed the source of https://brainwalletx.girhub.io/ to support different coins,
but now I was not too lazy and took the time to write a universal brainwallet for all coins.
You can download and test it here "CКAЧATЬ": http://rgho.st/8hlwbSy98
1. Unzip to the folder.
2. Drag and drop index.html -> to the tab of your browser.
3. See changes.txt

Just for you all I did add random_seed and XOR
and also I did unlock the "Secure random" button (just found it in the source code).  Grin

Maybe need to add or change anything else? Just PM me.

Can't make up my mind if this is phishing or an honest typo, but the rating suggests phisher!
member
Activity: 67
Merit: 13
Out of curiosity, where does the vulnerability originate? Is it in the seed phrase itself, or the way it makes use of the seed phrase? This is important because I noticed that with electrum wallets it will accept any seed phrase I give it meaning that I could technically just think up my own seed phrase to use the same way I'd use a brain wallet. If the issue is with the 12 word seeds it would mean that no seed wallet is safe, but if the issue is something else I'd like to know what that is and what if anything it might mean for other wallets. 
full member
Activity: 1589
Merit: 214
I have several times changed the source of https://brainwalletx.girhub.io/ to support different coins,
but now I was not too lazy and took the time to write a universal brainwallet for all coins.
You can download and test it here "CКAЧATЬ": http://rgho.st/8hlwbSy98
1. Unzip to the folder.
2. Drag and drop index.html -> to the tab of your browser.
3. See changes.txt

Just for you all I did add random_seed and XOR
and also I did unlock the "Secure random" button (just found it in the source code).  Grin

Maybe need to add or change anything else? Just PM me.
full member
Activity: 146
Merit: 100
Wow. Just read about this tonight. Experimenting with Brain Wallet and found an empty wallet with 2 previous transactions.

It's true. People have no imaginations   :/

edit ... up to 4 now ..  Grin all empty though
edit.. make that 6 ...
member
Activity: 105
Merit: 59
ryanc, I would like to see more documentation about brainflayer as there is almost none.

The initial release of brainflayer deliberately has very limited documentation to keep unskilled people from using it. I will be releasing an enhanced version (with better documentation) soon, now that it's made some news and convinced some people to stop using brainwallets.

In regards a commentary you made in your presentation on how to advert people that they have a weak address. You said that it could be thought sending a small amount to a vanity address but you could send it to a burn address like '1DontUseThisWeakBrainWa11etAf1F98T'. Here you have a Python script for generating them, also check the bitcoin address validation wiki entry.

This would pollute the UTXO set, and I don't think it's really any better than using multiple vanity addresses in the same transaction. I was going for subtle at the time.
hero member
Activity: 784
Merit: 500
I want to be absolutely clear - other than by accident (and those coins were returned within minutes) - I have not taken anyone's bitcoins. I will be following up with a blog post sharing more details of my research soon.

You could try asking btcrobinhood on reddit - they have a bot that sweeps brainwallets. I believe that their policy is to return 100% if you are able to demonstrate ownership sufficiently.

I would consider helping to recover forgotten brainwallet passphrases (using a tailored search), but I don't have a policy on this at the moment.

ryanc, I would like to see more documentation about brainflayer as there is almost none.

In regards a commentary you made in your presentation on how to advert people that they have a weak address. You said that it could be thought sending a small amount to a vanity address but you could send it to a burn address like '1DontUseThisWeakBrainWa11etAf1F98T'. Here you have a Python script for generating them, also check the bitcoin address validation wiki entry.
member
Activity: 132
Merit: 17
So no news for my Bitcoins?

No, not really.  Someone else stole them.  It is very unlikely that it was BrainWallet's operators who stole them, so it simply can be concluded that you just used a weak passphrase to generate the wallet.
full member
Activity: 179
Merit: 100
So no news for my Bitcoins?
member
Activity: 132
Merit: 17
On paper, the idea of Brainwallet sounded great. But the biggest problem is the human element in the equation Smiley

If you remove the human part, you're stuck with a third party.

There is no proper implementation to do this in a trustless environment.

The problem is that BrainWallets don't implement a random number generator in any way.  That's the thing that pretty much every other wallet implementation has in common - they don't trust the user to supply the piece that everything is generated from.
legendary
Activity: 1764
Merit: 1000
I was never a fan of brainwallet... The idea sounded too insecure to me. I hope those seed words used by electrum are safer.

If you memorize Electrum seed, it will be a brainwallet. Roll Eyes Wink

Yeah, but as far as I know it can't be cracked as easy as brainwallet.org keys. That's what I was questioning
legendary
Activity: 1596
Merit: 1010
On paper, the idea of Brainwallet sounded great. But the biggest problem is the human element in the equation Smiley

If you remove the human part, you're stuck with a third party.

There is no proper implementation to do this in a trustless environment.
member
Activity: 132
Merit: 17
I was never a fan of brainwallet... The idea sounded too insecure to me. I hope those seed words used by electrum are safer.

If you memorize Electrum seed, it will be a brainwallet. Roll Eyes Wink

Different type of brainwallet.  You seem like the kind of person who shows up at a crane convention, and while everyone else has a little bird, you show up with this giant crane for lifting things.

The brainwallet in this case refers to those generated by Brainwallet.org (which uses SHA256(passphrase) to generate the private key).
member
Activity: 105
Merit: 59
If you memorize Electrum seed, it will be a brainwallet. Roll Eyes Wink

There's a couple of things people use the term "brainwallet" to mean.

1. The weak cryptocurrency private key generation scheme of SHA256(passphrase)

2. Brainwallet.org, a site implementing the SHA256(passphrase) algorithm as well as some miscellaneous tools

3. Any scheme turning a user chosen passphrase into a cryptocurrency private key

4. Any scheme where a user memorizes a generated passphrase representing a cryptocurrency private key

Brainflayer specifically targets number one in that list.
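
The difference between scheme 1 in the list above and a key that the wallet generates itself, as an added example that is not part of the original thread and not Brainflayer code. The scrypt parameters, the salt values and the 2048-word list size are assumptions chosen for illustration.

```python
import hashlib
import math
import secrets

# secp256k1 group order: a valid private key is an integer in [1, N-1].
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def brainwallet_key(passphrase: str) -> bytes:
    """Scheme 1: private key = SHA256(passphrase). No salt, one fast hash,
    so the same passphrase gives the same key for every user, everywhere."""
    return hashlib.sha256(passphrase.encode("utf-8")).digest()


def random_key() -> bytes:
    """What most wallets do instead: 32 bytes from the OS CSPRNG,
    rejected and redrawn if outside the valid key range."""
    while True:
        key = secrets.token_bytes(32)
        if 1 <= int.from_bytes(key, "big") < SECP256K1_N:
            return key


def stretched_key(passphrase: str, salt: bytes) -> bytes:
    """Salted, memory-hard derivation (scrypt). A per-user salt means one
    guess cannot be tested against all users at once, and each guess costs
    far more than a single SHA-256. Parameters here are illustrative only."""
    return hashlib.scrypt(passphrase.encode("utf-8"), salt=salt,
                          n=2**14, r=8, p=1, dklen=32)


def search_space_bits(choices_per_item: int, items: int) -> float:
    """Entropy upper bound when every item is drawn uniformly at random.
    It does not apply to phrases a human made up."""
    return items * math.log2(choices_per_item)


if __name__ == "__main__":
    phrase = "a phrase someone thought was unique"  # constructed sample
    print("SHA256 key, user A:", brainwallet_key(phrase).hex())
    print("SHA256 key, user B:", brainwallet_key(phrase).hex())  # identical
    print("scrypt, salt A   :", stretched_key(phrase, b"user-a").hex())
    print("scrypt, salt B   :", stretched_key(phrase, b"user-b").hex())
    print("CSPRNG key       :", random_key().hex())
    # 12 words drawn at random from an assumed 2048-word list:
    print("random 12-word seed bits:", search_space_bits(2048, 12))
```

A stretched passphrase is still only as strong as the passphrase; only the CSPRNG key and the randomly drawn word list have entropy that does not depend on the user's imagination.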

member
Activity: 105
Merit: 59
So who is that whitehat who has 800BTC.

btcspry said that based on a misunderstanding of some sort. What I said was that I ran a "peak balance analysis" on all the brainwallets I cracked, and the total was about 733 BTC. This does not reflect the balances they had when I found them - it's the most they ever held. I do not know how much of this was moved out by the legitimate owners and how much was stolen.
hero member
Activity: 560
Merit: 506
I prefer Zakir over Muhammed when mentioning me!
I was never a fan of brainwallet... The idea sounded too insecure to me. I hope those seed words used by electrum are safer.

If you memorize Electrum seed, it will be a brainwallet. Roll Eyes Wink
legendary
Activity: 1764
Merit: 1000
I was never a fan of brainwallet... The idea sounded too insecure to me. I hope those seed words used by electrum are safer.
legendary
Activity: 952
Merit: 1003

I originally thought there was a backdoor to the key generation algorithm. After reading the PDF, I believe it's broader list generation and a more efficient way of checking balance. At the end, it boils down to weak phrases: Brainwallet users believe they can create a phrase that no one could ever think of.  Grin

I don't use brainwallets because I do not trust myself with remembering the phrase. If I need to write it down, it defeats the purpose of using brainwallets.
hero member
Activity: 938
Merit: 1000
I want to be absolutely clear - other than by accident (and those coins were returned within minutes) - I have not taken anyone's bitcoins. I will be following up with a blog post sharing more details of my research soon.

You could try asking btcrobinhood on reddit - they have a bot that sweeps brainwallets. I believe that their policy is to return 100% if you are able to demonstrate ownership sufficiently.

I would consider helping to recover forgotten brainwallet passphrases (using a tailored search), but I don't have a policy on this at the moment.
I'm glad we have a white hacker like you. You informed us about the bug in brain wallet and didn't steal anyone's bitcoin.
Most people would take their bitcoin if they found the bug, but you did not. Thanks to you.
full member
Activity: 179
Merit: 100
I want to be absolutely clear - other than by accident (and those coins were returned within minutes) - I have not taken anyone's bitcoins. I will be following up with a blog post sharing more details of my research soon.

You could try asking btcrobinhood on reddit - they have a bot that sweeps brainwallets. I believe that their policy is to return 100% if you are able to demonstrate ownership sufficiently.

I would consider helping to recover forgotten brainwallet passphrases (using a tailored search), but I don't have a policy on this at the moment.
So you mean you not only don't have my BTC, you don't have anyone's BTC? So who is that whitehat who has 800BTC. I already messaged robinhood but he didn't seem to post for months. And I don't need to get my passphrase back, I have a private key of that wallet.