Author

Topic: BTCapsule is now FREE and logs year from Bitcoin Core’s mediantime (Read 284 times)

legendary
Activity: 2870
Merit: 7490
Crypto Swap Exchange
And talking about pruned node, do not forget that pruned node still download whole blockchain (with current size 432.91GB[3]). If they have slow hardware or internet, it could take weeks.
I don't know how BTCapsule works with this, but last time I checked pruned node for Bitcoin was around 5.1 Gb in size, that is significantly less than full blockchain that is around 86 times bigger.
https://prunednode.today/

It's true storage requirement for pruned node isn't that big. But i was talking about downloading whole blockchain which, unless you're suggesting OP to use Bitcoin Core pruned data from https://prunednode.today/.

I’m working on a macOS version. It hopefully won’t take too long. I’m building all these ports in virtual machines, so it probably won’t work for Apple’s M chips until I can afford a new MacBook.

FYI, Apple use Rosetta 2 which let user run x86/x86_64 Mac application on Mac device which use ARM device.
hero member
Activity: 924
Merit: 5943
not your keys, not your coins!
I don't know much about python, but saw this:
Code:
bitcoin = AuthServiceProxy("http://%s:%[email protected]:8332"%("user","pass"))

info = bitcoin.getblockchaininfo()
date = info['mediantime']
If this does what I think it does, it's just as easy to fake as a time server: the user can simply fake a date on local port 8332.

[...]

In order to hack the time, you would have to do what NotATether mentioned, as well as fake some blocks to get the mediantime. I would assume you need a lot more than 11 fake blocks for RPC to check, but this is well outside of my hacking knowledge.
I don't think that's accurate. LoyceV is right.
Checking whether all RPC methods exist is a pretty weak method to detect a modified bitcoind; besides the fact that it's not too hard to do what I did here or actually, ETFBitcoin's RPC-capable implementation here for all RPC calls, you may not even need that. You could whip up a script that tunnels all RPC calls to the real bitcoind running locally, without modifications, except for the blockchaininfo call. That command's result will be altered before being forwarded to your software, to display a different timestamp.
No need to mess with any blockchain files; just intercept the result and alter it as needed.

Structure:
Code:
┌────────────────────┐
│Bitcoin Core on 8338│
│ (modified port)    │
└────────────────────┘
   ▲
   │
   ▼
┌─────────────────────┐
│Custom script on 8332│
└─────────────────────┘
   ▲
   │
   ▼
┌─────────┐
│BTCapsule│
└─────────┘

Is there anything stopping me from modifying Bitcoin Core's RPC port and writing the small script in the middle?
member
Activity: 74
Merit: 83
Is there any difference in security of BTCapsule runing on Linux and wInD0ws operating system?
There are significant number of people who are using MacOS (maybe higher than Linux), so it would be good if you could add BTCCapsule software for MacOS.

I updated the OP to explain the difference in security. There’s not really a security difference, but since Linux is free, it’s much easier to dual-boot and destroy the OS. Sorry, I’m trying not to repeat myself because I keep getting messages from the mods and they have to edit my posts.

I’m working on a macOS version. It hopefully won’t take too long. I’m building all these ports in virtual machines, so it probably won’t work for Apple’s M chips until I can afford a new MacBook.


legendary
Activity: 2212
Merit: 7064
And talking about pruned node, do not forget that pruned node still download whole blockchain (with current size 432.91GB[3]). If they have slow hardware or internet, it could take weeks.
I don't know how BTCapsule works with this, but last time I checked pruned node for Bitcoin was around 5.1 Gb in size, that is significantly less than full blockchain that is around 86 times bigger.
https://prunednode.today/

I will look into this some more. Anything to make BTCapsule easier to use is great. I think the program works just fine though, and I feel like it’s extra secure with the new Linux version. I realize it will be annoying to wait for Bitcoin Core to download, but if you get a whole Bitcoin out of it, then it’s got to be worth the wait.
Is there any difference in security of BTCapsule runing on Linux and wInD0ws operating system?
There are significant number of people who are using MacOS (maybe higher than Linux), so it would be good if you could add BTCCapsule software for MacOS.
member
Activity: 74
Merit: 83
Based on discussion on other thread[1], IMO you take wrong approach. When your target isn't technical or power user, you shouldn't ask them to install and configure Bitcoin Core manually. If you want to utilize median time on Bitcoin network, there are another approach such as connecting to several Bitcoin node, ask for recent block header and verify received block headers.

[1] https://bitcointalksearch.org/topic/m.61133095

I’m not really sure how to connect to other nodes and receive information without Bitcoin Core.

In short, you utilize P2P communication protocol[1] and implement SPV/basic verification functionally[2]. But honestly it's more complex compared by connecting to Bitcoin Core through JSON-RPC.

I think the steps to use BTCapsule are simple enough. They might have to wait a few days for Bitcoin Core to download to see the private keys, but it would be worth it.

The directions are:

1. Install Bitcoin Core
2. Choose Settings>Options>Open Configuration File
3. Add rpcuser=user rpcpassword=pass to configuration file and save
4. Wait for blockchain to download and view the keys

With the option to prune the blockchain, this shouldn’t be an inconvenience at all.

As i said, it depends on your customer target. People with bare minimum technology literacy will experience some difficutly. And talking about pruned node, do not forget that pruned node still download whole blockchain (with current size 432.91GB[3]). If they have slow hardware or internet, it could take weeks.



[1] https://developer.bitcoin.org/devguide/p2p_network.html
[2] https://en.bitcoin.it/wiki/Thin_Client_Security
[3] https://blockchair.com/bitcoin

I will look into this some more. Anything to make BTCapsule easier to use is great. I think the program works just fine though, and I feel like it’s extra secure with the new Linux version. I realize it will be annoying to wait for Bitcoin Core to download, but if you get a whole Bitcoin out of it, then it’s got to be worth the wait.
member
Activity: 74
Merit: 83
I don't know much about python, but saw this:
Code:
bitcoin = AuthServiceProxy("http://%s:%[email protected]:8332"%("user","pass"))

info = bitcoin.getblockchaininfo()
date = info['mediantime']
If this does what I think it does, it's just as easy to fake as a time server: the user can simply fake a date on local port 8332.

I previously setup a fake local time server, and was able to hack the program when requesting the time from Google’s time servers. I can confirm that this hack no longer works.

BTCapsule is pulling the mediantime from Bitcoin Core. I’m sure you know this already, but this is the accepted timestamp compared to the previous 11 blocks. It’s written in Unix time and BTCapsule converts it to ISO format.

https://en.bitcoin.it/wiki/Block_timestamp

In order to hack the time, you would have to do what NotATether mentioned, as well as fake some blocks to get the mediantime. I would assume you need a lot more than 11 fake blocks for RPC to check, but this is well outside of my hacking knowledge.



Based on discussion on other thread[1], IMO you take wrong approach. When your target isn't technical or power user, you shouldn't ask them to install and configure Bitcoin Core manually. If you want to utilize median time on Bitcoin network, there are another approach such as connecting to several Bitcoin node, ask for recent block header and verify received block headers.

[1] https://bitcointalksearch.org/topic/m.61133095

I’m not really sure how to connect to other nodes and receive information without Bitcoin Core. I think the steps to use BTCapsule are simple enough. They might have to wait a few days for Bitcoin Core to download to see the private keys, but it would be worth it.

The directions are:

1. Install Bitcoin Core
2. Choose Settings>Options>Open Configuration File
3. Add rpcuser=user rpcpassword=pass to configuration file and save
4. Wait for blockchain to download and view the keys

With the option to prune the blockchain, this shouldn’t be an inconvenience at all.



OP, I think you're overlooking some important facts about basic network security. Simple TCP/IP wasn't designed with security in mind, and will always be susceptible to man-in-the-middle attacks unless the data being transmitted is properly encrypted.

As DaveF said in your other thread: "Anything that at any time needs an outside service that is an open standard is never going to be secure." For example, you can use packet-sniffing programs like Wireshark to capture, modify and re-send every packet that comes in and out of your application.


By the way, I think it would be better if you keep the discussion in one thread so that we can keep track of each other's comments.


Can Wireshark be used to capture information that is being sent within localhost without the internet enabled? The only thing being sent is the mediantime of the blocks from Bitcoin Core, and these are installed locally.

Also, this will be my last thread about BTCapsule. I will post all updates here. Changing the method of receiving the year was huge, and it’s my final attempt. Anything else will just be small upgrades.



It's going in a good direction and it's a work in progress so he can keep updating it as we give more suggestions.
EVERYTHING is going to have some sort of vulnerabilities so long as they are being addressed as they are discussed.

The point of doing it this way seems to be the fact that you can download core, disconnect from the net and have a bit more security.
Not 100% perfect, but getting better. It boils down to what I said and you commented on about TCP/IP and services.

But, it also gets back to having a hardware wallet and PIN is vulnerable to the $5 wrench. ($6 wrench with inflation)

-Dave

Thanks for the encouragement.

I’m working on porting BTCapsule to Linux so that the private keys can be entered and decrypted with a temporary Linux OS that can be deleted afterwards.

I looked into the $5 wrench, and it seems the only known protection is multi-sig. BTCapsule is not a wallet, and anything can be typed into the private keys sections.

If someone has three children, they could copy BTCapsule to three separate flash drives, type a different private key into each, and then require all the children to decrypt the keys.
legendary
Activity: 2212
Merit: 7064
I’m sorry to create another post, but this is a significant upgrade.
This is your third topic about exact same thing and it was not needed at all.
I appreciate you are working on this project, going open source and giving it for free, but there is still a problem I initially wrote..
someone can fake the data and abuse your program, and he doesn't even have to be super-duper hacker at all to do this.
I am not saying your idea is bad, but you need to rewrite everything from scratch and use some different method of calculating time, maybe by using multiple sources of information.
This is not easy problem to solve, but I think you are going in right direction, so maybe try asking suggestion and opinion from known bitcoin security experts.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
OP, I think you're overlooking some important facts about basic network security. Simple TCP/IP wasn't designed with security in mind, and will always be susceptible to man-in-the-middle attacks unless the data being transmitted is properly encrypted.

Speaking of encryption, this app should make a self-signed certificate to connect to a backend service of its own. Of course, this will require a domain name, but you could try setting an entry in the hosts file of the computer hosting the service, and then listen on 0.0.0.0.
legendary
Activity: 3500
Merit: 6320
Crypto Swap Exchange
It's going in a good direction and it's a work in progress so he can keep updating it as we give more suggestions.
EVERYTHING is going to have some sort of vulnerabilities so long as they are being addressed as they are discussed.

The point of doing it this way seems to be the fact that you can download core, disconnect from the net and have a bit more security.
Not 100% perfect, but getting better. It boils down to what I said and you commented on about TCP/IP and services.

But, it also gets back to having a hardware wallet and PIN is vulnerable to the $5 wrench. ($6 wrench with inflation)

-Dave
legendary
Activity: 1820
Merit: 2700
Crypto Swap Exchange
OP, I think you're overlooking some important facts about basic network security. Simple TCP/IP wasn't designed with security in mind, and will always be susceptible to man-in-the-middle attacks unless the data being transmitted is properly encrypted.

As DaveF said in your other thread: "Anything that at any time needs an outside service that is an open standard is never going to be secure." For example, you can use packet-sniffing programs like Wireshark to capture, modify and re-send every packet that comes in and out of your application.


By the way, I think it would be better if you keep the discussion in one thread so that we can keep track of each other's comments.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
I don't know much about python, but saw this:
Code:
bitcoin = AuthServiceProxy("http://%s:%[email protected]:8332"%("user","pass"))

info = bitcoin.getblockchaininfo()
date = info['mediantime']
If this does what I think it does, it just as easy to fake as a time server: the user can simply fake a date on local port 8332.

They'd have to emulate a full JSON-RPC service on port 8332 with all Bitcoin Core methods - the JSON-RPC implementation used in Core allows someone to HTTP GET the root "/" and it returns a list of implemented methods. If none of these work of if any of them are missing, then it can be concluded that the service is a fake.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
I don't know much about python, but saw this:
Code:
bitcoin = AuthServiceProxy("http://%s:%[email protected]:8332"%("user","pass"))

info = bitcoin.getblockchaininfo()
date = info['mediantime']
If this does what I think it does, it's just as easy to fake as a time server: the user can simply fake a date on local port 8332.
member
Activity: 74
Merit: 83
I’m sorry to create another post, but this is a significant upgrade.

BTCapsule is an open source Bitcoin time capsule for your private keys. I have been listening to the community, and I really think I have addressed all issues with the previous version.

BTCapsule now uses Bitcoin Core’s 'mediantime' to log the year from Bitcoin’s timestamp and decrypt your private keys. This actually solved two problems. Not only does BTCapsule use the only fully decentralized clock straight from the Bitcoin blockchain, but it also means BTCapsule never has to use the internet. This is not an API call to a centralized block explorer website. You can install Bitcoin Core, download the blockchain, and check the date offline.

I have also made BTCapsule free to download. If you find value in BTCapsule, please consider donating some sats on my website. I still have a lot to do; like port BTCapsule to Linux, work on the UI, and clean up the code. I also want to throw it out there that I would love to work in the Bitcoin industry if anyone is hiring. My style is dirtier than fiat money, but I will hack away at a problem until it’s solved.

You can view the source code here:

https://github.com/BTCapsule/BTCapsule

And to download BTCapsule that’s been converted to C and compiled to an .exe, please visit my website:

https://btcapsule.com

Update 10/19/22

Linux version has been temporarily removed

Jump to: