Electrum replacement needed. | Bitcointalksearch.org

pooya87

legendary

Activity: 3472

Merit: 10611

Quote from: HCP on February 11, 2019, 11:51:23 PM

Quote from: pooya87 on February 11, 2019, 10:38:37 PM

but for some reason this user you are arguing with here, doesn't want to accept any reply and keeps pushing for hashes to replace the secure PGP signatures! which will never happen by the way.

One begins to wonder "why" someone would campaign so hard for Electrum to reduce security by switching to using simple hashes for binary file verification? Huh

Perhaps a "long con" to try and get the Electrum devs to help condition less knowledgeable users to implicitly trust file hashes to prove authenticity... so that they can then setup a fake site, with fake .exe and fake hashes to fool users who now believe that file hash = secure. Lips sealed

Although, I think I'm probably giving some people too much credit. Tongue

i think you are giving him too much credit, haha
and as i said above, this will never happen no matter how much he pushes for it. it is too obvious that it is not safe to do that and it has been discussed a very long time ago and Thomas. V. commented on it by the time.

besides if a user is too lazy to check the signature, they are also too lazy to check the hashes so it wouldn't even make any differences! they still have to open their terminal (in Linux) or install an application (in windows) to do the hashes and their verification so the steps are nearly similar!

HCP

legendary

Activity: 2086

Merit: 4361

Quote from: pooya87 on February 11, 2019, 10:38:37 PM

but for some reason this user you are arguing with here, doesn't want to accept any reply and keeps pushing for hashes to replace the secure PGP signatures! which will never happen by the way.

One begins to wonder "why" someone would campaign so hard for Electrum to reduce security by switching to using simple hashes for binary file verification? Huh

Perhaps a "long con" to try and get the Electrum devs to help condition less knowledgeable users to implicitly trust file hashes to prove authenticity... so that they can then setup a fake site, with fake .exe and fake hashes to fool users who now believe that file hash = secure. Lips sealed

Although, I think I'm probably giving some people too much credit. Tongue

pooya87

legendary

Activity: 3472

Merit: 10611

Quote from: bob123 on February 11, 2019, 08:11:41 AM

1. Because it is way easier (especially for non-techy people like you who don't understand anything at all)
2. Because Microsoft has a very very bad security policy

actually Microsoft already has a similar mechanism at work with digital signatures using asymmetric cryptography using RSA keys, where you have to pay and buy a "certificate" if you want to have your applications have that.

but for some reason this user you are arguing with here, doesn't want to accept any reply and keeps pushing for hashes to replace the secure PGP signatures! which will never happen by the way.

AltcoinBuilder

copper member

Activity: 85

Merit: 5

Quote from: rokkyroad on February 07, 2019, 07:00:06 PM

Can anyone recommend a light wallet for btc? Must have a linux version. Multibit was fine but its been abandoned. I have 0 trust in Electrum.

I do have Jaxx and Exodus for scraps but I don't trust these do it all wallets with btc.

most of hardware wallets use electrum for SPV, it is one of the best SPV wallets. just ensure that you download and use original version.

bob123

legendary

Activity: 1624

Merit: 2481

Quote from: ?? on ??

Quote from: bob123 on February 10, 2019, 09:21:20 AM

You can always trust the source code.

DONT

A computer does EXACTLY what is written in the code.

If YOU can't read or understand it, it is your fault.

Quote from: ?? on ??

Quote from: bob123 on February 10, 2019, 09:21:20 AM

There is a good reason to "not show security alerts". This offers way too much room for exploitation and would create new potential attack vectors.

lol so microsoft and security companies are stupid because they show users security alerts

Quote from: bob123 on February 10, 2019, 09:21:20 AM

There is nothing which needs to be fixed currently.

yes because microsoft and security companies are stupid

Actually, the brains behind microsoft are very clever.
They are gathering more information from you than allowed by law and make money out of it.

To be precise, YOU are stupid for using microsoft without turning off all spying settings.

Quote from: ?? on ??

Quote from: bob123 on February 10, 2019, 09:21:20 AM

I don't understand the big crying about this "vulnerability". All it allowed was to show a message from the electrum server.
That's nothing security-related at all.

This wouldn't even get a CVSS score of 3 of 10 (i calculated it myself). That's definitely just low severity.

it is 10/10 high risk security. Terrible mistake of a developer

I don't think you know how CVSS works.

Actually.. it doesn't effect:
- Confidentiality
- Integrity
- Availability

The vulnerability doesn't allow the attacker to do anything except just SHOWING A MESSAGE.

That's like sending you an email with the title of "electrum is vulnerable, plz udpate from this very very offcial siite: electrummalware.org/iamstupid/forclickingthis" (mistakes intended)

People like you actually would click on it and install malware Roll Eyes

Quote from: ?? on ??

stupid Legendary
FIRST OF ALL, Legendary, answer these questions:
1. Why Microsoft just let users verify files by hashes?
2. Why Microsoft doesnt recommend users verify files by signature?
3. Microsoft is encouraging poor security behaviour?
4. Microsoft just let users verify files by hashes is "false security"?
5. You and your ThomasV are smarter than Microsoft and Bill Gates?

1. Because it is way easier (especially for non-techy people like you who don't understand anything at all)

2. Because Microsoft has a very very bad security policy

3. Yes

4. Depending on the source of the hashes to verify with, yes

5. I am actually 99.9 % sure that TomasV is smarter than billy gates.

TryNinja

legendary

Activity: 2758

Merit: 6830

Quote from: ?? on ??

Quote from: TryNinja on February 10, 2019, 11:18:32 AM

Quote from: ?? on ??

Quote from: TryNinja on February 10, 2019, 10:50:34 AM

Quote from: ?? on ??

-snip-

Who cares about what Microsoft does? Their whole main product is a spyware (Windows). Stop using the “Microsft does” card all the time. We are presenting you FACTS. No expert is going to deny that PGP signatures are WAY safer than hash files verifications. Period.

uh Legendary you are smarter than Microsoft and Bill Gates

Look at what I found. Where is your god (Bill Gates) now? Roll Eyes

Quote

The Microsoft Security Response Center uses this PGP key to sign all security notifications and encourages others to use this key when sending sensitive information to us. You should send all security vulnerability reports to [email protected].

https://www.microsoft.com/en-us/msrc/pgp-key-msrc

stupid Legendary. Not just microsoft, most softwares companies signed their softwares. But why they just let users verify their files by hashes?

As soon as you download a malicious software from a fake page, the hashes on the *fake* page will also be fake. How the heck do you use an information from the fake page to verify itself as legit? It’s like asking a scammer if he is a scammer. If he says “no”, you instantly trust him.

By verificating the file signature, which was previously set up from a trusted source, you don’t depend the confirmation bis from a single untrusted source, which is a fake website.

If you still didn’t understand that (somehow), then you are a moron and I will not discuss with you anymore. I’m not that patient with ignorent prople like you. Goodbye.

TryNinja

legendary

Activity: 2758

Merit: 6830

Quote from: ?? on ??

Quote from: TryNinja on February 10, 2019, 10:50:34 AM

Quote from: ?? on ??

-snip-

Who cares about what Microsoft does? Their whole main product is a spyware (Windows). Stop using the “Microsft does” card all the time. We are presenting you FACTS. No expert is going to deny that PGP signatures are WAY safer than hash files verifications. Period.

uh Legendary you are smarter than Microsoft and Bill Gates

Look at what I found. Where is your god (Bill Gates) now? Roll Eyes

Quote

The Microsoft Security Response Center uses this PGP key to sign all security notifications and encourages others to use this key when sending sensitive information to us. You should send all security vulnerability reports to [email protected].

https://www.microsoft.com/en-us/msrc/pgp-key-msrc

TryNinja

legendary

Activity: 2758

Merit: 6830

Quote from: ?? on ??

-snip-

Who cares about what Microsoft does? Their whole main product is a spyware (Windows). Stop using the “Microsft does” card all the time. We are presenting you FACTS. No expert is going to deny that PGP signatures are WAY safer than hash files verifications. Period.

bob123

legendary

Activity: 1624

Merit: 2481

Quote from: ?? on ??

he doesnt trust developer.

Yes, thats why i have suggested to check the source code.

You can always trust the source code.

Quote from: ?? on ??

Prebuilt binary and source code do the same things (show everything from servers to users, not show security alerts).

Of course they do the same thing. But you are SURE that the program is doing what it is supposed to do.
You are eliminating the risk of the source code and the binary being actually 2 different programs (e.g. prebuilt binary including backdoor).

There is a good reason to "not show security alerts". This offers way too much room for exploitation and would create new potential attack vectors.

Each user IS and SHOULD responsible for his/her own security.
If you are depending on others to tell you when it is safe or not safe to use a software, you are doing something wrong.

Quote from: ?? on ??

So if he wants to build from source code he has to fix source code first but he is not a developer. Solution? "Electrum replacement needed"

There is nothing which needs to be fixed currently.

Also he didn't mention anywhere that he is not a developer, even tho its pretty probable, it's just what you are assuming.

I don't understand the big crying about this "vulnerability". All it allowed was to show a message from the electrum server.
That's nothing security-related at all.

This wouldn't even get a CVSS score of 3 of 10 (i calculated it myself). That's definitely just low severity.

bob123

legendary

Activity: 1624

Merit: 2481

Quote from: ?? on ??

Quote from: HCP on February 08, 2019, 11:02:20 PM

Quote from: rokkyroad on February 08, 2019, 07:03:56 PM

Its all about trust. No one wants to entrust their bitcoins to dodgy software.

Don't trust, verify!

Which is why, regardless of the fact that I always download Electrum from electrum.org... I will always verify the digital signature before installing and using it. I also always check the Electrum website on a semi-regular basis to look for updates.

In my opinion, Electrum isn't "dodgy"... and at the end of the day... the real blame lies at the feet of the scumbags executing these attacks. Angry

verify what if he doesnt trust the developer?

Simple.. The source code.

Electrum is completely open source.

And if you don't trust the developer, simply check the whole code at github.
You only need to verify the source code once, then after each update you will simply be looking at the commits only to make sure no backdoor whatsoever has been built in.

You can even build it yourself from source if you don't want to download a prebuilt binary.

Wind_FURY

legendary

Activity: 2898

Merit: 1823

For the newbies reading.

Use the Green Address wallet. It uses Segwit addresses that start with a "3" by default. You will not have any problems with compatibility when you're sending coins to a legacy address, unlike Electrum which uses the incompatible Bech32 address format as a default.

https://greenaddress.it/en/

With Green Address, there's no need to generate a BIP39 seed to use in Electrum, in generators like Ian Coleman's, https://iancoleman.io/bip39/

pooya87

legendary

Activity: 3472

Merit: 10611

Quote from: Mister1k on February 08, 2019, 06:56:04 AM

Quote from: pooya87 on February 08, 2019, 12:18:11 AM

using a different wallet is never going to solve your security concerns.
you and everyone else have to start following certain security concepts in order to remain safe. two of the most important ones are usage of cold storage and learning how to verify PGP signatures 1 and 2.
for example if you download wasabi wallet and still don't verify its signature with the valid PGP public key you are still not increasing your security!

Last hack issue on electrum caused this kind of thinking on having electrum wallet. I see there is no issue on last updated one on electrum. That will be perfect to have since the issue has been solved already.

wasabi is recommended by our admin hence op take it serious and then still there is not security complaints on wasabi so it does not cause the harm to users so security is there.

that is a dangerous way of thinking.
there are no 100% secure applications. there is always going to be some exploits in every code without an exception. it has been like this for as long as computer programming existed. thinking there is no more issues with Electrum or thinking there is no issues with other wallets is going to result in carelessness and losses.

HCP

legendary

Activity: 2086

Merit: 4361

Quote from: rokkyroad on February 08, 2019, 07:03:56 PM

Its all about trust. No one wants to entrust their bitcoins to dodgy software.

Don't trust, verify!

Which is why, regardless of the fact that I always download Electrum from electrum.org... I will always verify the digital signature before installing and using it. I also always check the Electrum website on a semi-regular basis to look for updates.

In my opinion, Electrum isn't "dodgy"... and at the end of the day... the real blame lies at the feet of the scumbags executing these attacks. Angry

rokkyroad

legendary

Activity: 1090

Merit: 1000

I'm pretty sure the majority of users do not check bitcointalk for wallet warnings. They tend to show up after they're hacked.

Assume the hacked ones downloaded electrum from the proper place and verified the download. I'm sure they never expected a message from the wallet to update, to be anything but above board.

Yes, I agree people should have disregarded the message and went to electrum.org to get and verify the new version. You can't fairly make this a comparison to Nigerian and Microsoft scams. It was unexpected and pretty damned slick.

Its all about trust. No one wants to entrust their bitcoins to dodgy software.

HCP

legendary

Activity: 2086

Merit: 4361

There are still people falling for the "Dear sir, you have won $60million USD in Nigerian State Lottery" emails... there are still people falling for the "Hello, I am calling from Microsoft Security about virus on your computer" phone calls...

Try as hard as you can, you simply cannot protect people from themselves... Unfortunately, some are going to learn "the hard way"™ about security and personal responsibility when dealing with cryptocurrency Undecided

Was the recent exploit serious... yes... was it downplayed... No. There was even a "News" link at the top of all Bitcointalk pages by Theymos warning about it when it first happened. The exploit is now weeks old and it has been patched. If users are not updating and not staying up to date when dealing with their personal finances, you cannot blame the software developers for this.

I've said it multiple times... "Be your own bank" also implies "Be your own Bank's security department".

rokkyroad

legendary

Activity: 1090

Merit: 1000

Yes, I have a few "scraps" in Jaxx and Exodus. Losing those scraps would not be a hardship. For the record, I did not lose funds from the recent electrum exploit but I am pissed off it happened. It would have been a huge loss for me. So, ya, I dodged a bullet.

Blaming unsuspecting users is not fair. Not everyone is as savvy as you. It's ok to be smug when you're not the ones that got hit.

Why do I keep seeing fresh reports of lost coins if people are being warned via electrums wallet?

There seems to be a concerted effort to downplay the exploit when in fact it was serious shit.

bob123

legendary

Activity: 1624

Merit: 2481

Quote from: TryNinja on February 07, 2019, 07:19:14 PM

[...]
AGAIN, I’m not saying it’s the users’ fault.
[...]

Let's be honest.. it was the fault of every single user who fell for this phishing scam.

Nothing is wrong with electrum security-wise. Some malicious electrum server exploited a low-severity-vulnerability in electrum to show a (very unprofessional) message (that's all they could do).

Electrum has never notified user about an update this way.
Each user who fell for this and downloaded the faked wallet without verifying the signature is fully responsible for their own loss.

@OP:
You have 0 trust in electrum, but use jaxx and exodus?
Both of them have already been proven to be exploitable (multiple times) which can easily result in a loss of funds / private keys.

Yet, there only was one severe vulnerability in electrum (the RPC vuln) which also required to have no password set in order to be really exploitable regarding stealing funds / private keys.

Mister1k

hero member

Activity: 896

Merit: 520

Quote from: pooya87 on February 08, 2019, 12:18:11 AM

using a different wallet is never going to solve your security concerns.
you and everyone else have to start following certain security concepts in order to remain safe. two of the most important ones are usage of cold storage and learning how to verify PGP signatures 1 and 2.
for example if you download wasabi wallet and still don't verify its signature with the valid PGP public key you are still not increasing your security!

Last hack issue on electrum caused this kind of thinking on having electrum wallet. I see there is no issue on last updated one on electrum. That will be perfect to have since the issue has been solved already.

wasabi is recommended by our admin hence op take it serious and then still there is not security complaints on wasabi so it does not cause the harm to users so security is there.

pooya87

legendary

Activity: 3472

Merit: 10611

using a different wallet is never going to solve your security concerns.
you and everyone else have to start following certain security concepts in order to remain safe. two of the most important ones are usage of cold storage and learning how to verify PGP signatures 1 and 2.
for example if you download wasabi wallet and still don't verify its signature with the valid PGP public key you are still not increasing your security!

rokkyroad

legendary

Activity: 1090

Merit: 1000

Thanks for the suggestions. I'll check out wasabi and greenaddress.

Topic: Electrum replacement needed. (Read 528 times)