Author

Topic: How to find real Electrum? (Read 18065 times)

brand new
Activity: 0
Merit: 0
February 12, 2019, 01:02:31 AM
#39
Even if you verify integrity of Electrum application by compare it's hashes from developer, you still need to trust the software to compute hash of Electrum application to implement hash function correctly and don't include malicious code (steal user data, send all hash activity, etc.)

So you're forced to trust some of the application you use

simple i just upload to virustotal.com. I dont use other softwares
brand new
Activity: 0
Merit: 0
February 12, 2019, 12:34:33 AM
#37
i dont know how to build so i give up. I must use prebuild binary file. So to use electrum i have to trust other softwares?
Yes.

Just like the OS that you're running... unless you're compiling your own OS from source code and have personally verified and checked all the code Tongue

This is a very "chicken and egg" problem... the (less than ideal) "solution" is that unless you have a LOT of technical ability and knowledge... then, at some point, you have to trust something/someone.

uh instead just trust electrum with its hashes, i have to trust other softwares too. Why i have to trust other softwares if i just trust electrum?
brand new
Activity: 0
Merit: 0
February 11, 2019, 12:00:22 PM
#35
Wtf dude? I literally just linked you to a page where there are plenty of ways of verifying your gpg4win file. At this point I’m starting to wonder if you’re just troling me.

Again: https://www.gpg4win.org/package-integrity.html
yes i see your link but i just know verify by hashes. Should i verify by hashes?


i dont know how to build so i give up. I must use prebuild binary file. So to use electrum i have to trust other softwares?
brand new
Activity: 0
Merit: 0
February 11, 2019, 11:49:12 AM
#33
< insert same link here >

how to verify gpg4win?

Yes. You can find its source in their download page.

how to build gpg4win from source code?
brand new
Activity: 0
Merit: 0
February 11, 2019, 11:32:28 AM
#31
gpg4win has a signature to verify or how to verify gpg4win?
https://www.gpg4win.org/package-integrity.html

how to verify gpg4win? gpg4win is opensource?
legendary
Activity: 2870
Merit: 7490
Crypto Swap Exchange
February 12, 2019, 01:46:03 AM
#28
Even if you verify integrity of Electrum application by compare it's hashes from developer, you still need to trust the software to compute hash of Electrum application to implement hash function correctly and don't include malicious code (steal user data, send all hash activity, etc.)

So you're forced to trust some of the application you use

simple i just upload to virustotal.com. I dont use other softwares


So you trust virustotal and all anti-virus used by virustotal which are closed-source, but you hesitate to trust open-source software? This is contradictive.
legendary
Activity: 2758
Merit: 6830
February 12, 2019, 04:05:20 AM
#27
So you trust virustotal and all anti-virus used by virustotal which are closed-source, but you hesitate to trust open-source software? This is contradictive.

stupid Legendary. I just trust their SHA256

First of all, no one here is obligated to answer or help you, so stop with this “stupid Legendary” thing. Do you not know the word respect?

Second, do whatever you want. ThomasV isn’t publishing hashes of the files any time soon and there is nothing you can do about it. Either stop with this bullshit and verify the signatures yourself, or use any other wallet that publishes hashes. Easy.

Now goodbye. This stupid legendary here already gave you way too much attention; and my patient is over.
HCP
legendary
Activity: 2086
Merit: 4363
February 12, 2019, 12:06:38 AM
#26
i dont know how to build so i give up. I must use prebuild binary file. So to use electrum i have to trust other softwares?
Yes.

Just like the OS that you're running... unless you're compiling your own OS from source code and have personally verified and checked all the code Tongue

This is a very "chicken and egg" problem... the (less than ideal) "solution" is that unless you have a LOT of technical ability and knowledge... then, at some point, you have to trust something/someone.
legendary
Activity: 2758
Merit: 6830
February 11, 2019, 11:52:33 AM
#25
how to verify gpg4win?
Wtf dude? I literally just linked you to a page where there are plenty of ways of verifying your gpg4win file. At this point I’m starting to wonder if you’re just troling me.

Again: https://www.gpg4win.org/package-integrity.html

Quote
how to build gpg4win from source code?
https://github.com/gpg/gpg4win/blob/master/README
legendary
Activity: 2758
Merit: 6830
February 11, 2019, 11:43:10 AM
#24
gpg4win has a signature to verify or how to verify gpg4win?
https://www.gpg4win.org/package-integrity.html
how to verify gpg4win?
< insert same link here >

Quote
gpg4win is opensource?
Yes. You can find its source in their download page.
legendary
Activity: 2758
Merit: 6830
February 11, 2019, 11:27:31 AM
#23
gpg4win has a signature to verify or how to verify gpg4win?
https://www.gpg4win.org/package-integrity.html
legendary
Activity: 2758
Merit: 6830
February 11, 2019, 11:18:27 AM
#22
Look, I’m trying to remain patient and explain everything to you. But for this, you will HAVE to read and understand what I’m trying to say to you.

AGAIN: You download ThomasV’s key ONCE from a well known source, like ELECTRUM.ORG, which is real and not a fake website. Then, everytime you need to download a new update from any website, you use that trusted key to verify the unknown file (you know the PGP key is trusted because you know for a fact that you downloaded it from the real website).

YOU DONT DOWNLOAD A NEW KEY EVERYTIME ALONG WITH THE FAKE SOFTWARE.

Yes I’m trying to remain patient and ask everything to you too
But in case i dont have that key and i go to a fake website?
Then you get scammed. Wink

That’s exactly my point. You SHOULD have ThomasV real PGP key before trying to download anything. Then, you verify the file and if the signature is valid, you are safe to use it.

Take some time to get his real PGP key once and everytime you download a new update, you can verify it.
legendary
Activity: 2758
Merit: 6830
February 11, 2019, 11:05:42 AM
#21
If you knew the answer, then why are you askig for my source for ThomasV key? If you go to Electrum.org and go to the Download page, there is a link to the same URL I posted above. Both electrum.org and the Electrum github I posted above are legit; both of them lead their users to the same PGP key, which is real.

Yes, bad servers give fake github repos with fake wallets, but I linked you THE REAL GitHub repo, which again, you can confirm either by checking it in the electrum.org website or in any other trusted source.

Why can’t you just do your own goddam research to confirm that what I’m saying is true?

how to know that PGP key is real?
The fake sites have signatures for the fake versions so there is no point in verifying signatures

Look, I’m trying to remain patient and explain everything to you. But for this, you will HAVE to read and understand what I’m trying to say to you.

AGAIN: You download ThomasV’s key ONCE from a well known source, like ELECTRUM.ORG, which is real and not a fake website. Then, everytime you need to download a new update from any website, you use that trusted key to verify the unknown file (you know the PGP key is trusted because you know for a fact that you downloaded it from the real website).

YOU DONT DOWNLOAD A NEW KEY EVERYTIME ALONG WITH THE FAKE SOFTWARE FROM THE FAKE WEBSITE.
legendary
Activity: 2758
Merit: 6830
February 11, 2019, 10:54:02 AM
#20
Which is exactly why you use a well known PGP key[1] (pre-setted up) with a trusted fingerprint. You don’t donwload a raneom PGP key from the website you are downloading the unknown software and use it to verify a signature.

Are you even reading what you are saying?

where is well known PGP key?


what is this? Where did you have this link?
Go to Electrum’s real GitHub repo.

Look for it: https://github.com/spesmilo/electrum/blob/master/pubkeys/ThomasV.asc

It’s the same as the link above.

why not from electrum.org? You said just download electrum from electrum.org but why i have to download a file from github.com? Bad servers ask users download fake electrum update from github.com too

If you knew the answer, then why are you askig for my source for ThomasV key? If you go to Electrum.org and go to the Download page, there is a link to the same URL I posted above. Both electrum.org and the Electrum github I posted above are legit; both of them lead their users to the same PGP key, which is real.

Yes, bad servers give fake github repos with fake wallets, but I linked you THE REAL GitHub repo, which again, you can confirm either by checking it in the electrum.org website or in any other trusted source.

Why can’t you just do your own goddam research to confirm that what I’m saying is true?
legendary
Activity: 2758
Merit: 6830
February 11, 2019, 10:42:39 AM
#19
Which is exactly why you use a well known PGP key[1] (pre-setted up) with a trusted fingerprint. You don’t donwload a raneom PGP key from the website you are downloading the unknown software and use it to verify a signature.

Are you even reading what you are saying?

where is well known PGP key?


what is this? Where did you have this link?
Go to Electrum’s real GitHub repo.

Look for it: https://github.com/spesmilo/electrum/blob/master/pubkeys/ThomasV.asc

It’s the same as the link above.
legendary
Activity: 2758
Merit: 6830
February 11, 2019, 10:08:28 AM
#18
The fake sites have hashes for the fake versions so there is no point in verifying hashes

The fake sites have signatures for the fake versions so there is no point in verifying signatures
Which is exactly why you use a well known PGP key[1] (pre-setted up) with a trusted fingerprint. You don’t donwload a raneom PGP key from the website you are downloading the unknown software and use it to verify a signature.

Are you even reading what you are saying?

[1] https://pgp.mit.edu/pks/lookup?op=vindex&search=0x2BD5824B7F9470E6
legendary
Activity: 1624
Merit: 2481
February 11, 2019, 08:17:41 AM
#17
But developers can post hashes of files here on bitcointalk. Or in twitter. In second source. It's 99.9% secure!
Why not to do this?
This section consist of million threads, where people complain about electrum wallet phishing

There is no need for this bullshit.

Just VERIFY THE SIGNATURE.

There is absolutely NO reason for checking the hashes. All files are signed by TomasV's PGP key.
Signatures should always be MORE TRUSTED than hashes compared with hashes posted on a website / forum.

There are quite a few tutorials available on how to get the PGP key and how to verify the signature.
If you want to be sure that you got the original electrum (and not a fake / malicious version), verify the signature or build it yourself from source.
legendary
Activity: 3710
Merit: 1586
February 11, 2019, 04:02:21 AM
#16
But developers can post hashes of files here on bitcointalk. Or in twitter. In second source. It's 99.9% secure!
Why not to do this?
This section consist of million threads, where people complain about electrum wallet phishing

This would be a pointless exercise. Do you even know how people end up installing fake electrum versions? Most of them google electrum and follow a link in an ad to the fake electrum site. Others are falling prey to the phishing messages in old electrum versions. Non of these people frequent this or any other community forum. If they did they would know better and would only download from electrum.org.

Now consider what happens when people who have fallen prey to fake versions come here and complain. They never visited this forum before but when they need help they seek it out. What are we to tell them? Would it serve any purpose to ask them whether they verified the hashes? The fake sites have hashes for the fake versions so there is no point in verifying hashes. As HCP pointed out hashes alone do not let you authenticate the source of the software. A digital signature of the maintainer is required for that.

Why are you and other users so resistant to learning how to verify digital signatures? It only takes a few minutes to learn how to do this. Here's a guide if you're interested.
newbie
Activity: 11
Merit: 0
February 10, 2019, 12:33:16 PM
#15
yes, I know about sig https://bitcointalksearch.org/topic/how-to-verify-your-electrum-windows-linux-mac-5105901
But I want to check file (hash of exe).

ThomasV, today I have found 3 more threads about "hacked" electrum and phshing. Could you, please, post everywhere (here in pinned thread, in twitter) MD5 / SHA-1 / signature of real Electrum 3.3.3 ? not only sig, but also MD5 / SHA-1 of files.
In will be secure, to check this info in 2 sources (download on official website and check hashes of .exe's here and in twitter. Really more secure.
Because I don't know till now, where is real electrum.

Electrum doesn't publish hashes because even fake websites can publish hashes. Digital signatures OTOH cannot be faked. So take the time to learn to verify the digital signature. It'll serve you well in the future.

electrum.org is the correct site btw.
But developers can post hashes of files here on bitcointalk. Or in twitter. In second source. It's 99.9% secure!
Why not to do this?
This section consist of million threads, where people complain about electrum wallet phishing
legendary
Activity: 3710
Merit: 1586
February 07, 2019, 09:51:02 PM
#14
yes, I know about sig https://bitcointalksearch.org/topic/how-to-verify-your-electrum-windows-linux-mac-5105901
But I want to check file (hash of exe).

ThomasV, today I have found 3 more threads about "hacked" electrum and phshing. Could you, please, post everywhere (here in pinned thread, in twitter) MD5 / SHA-1 / signature of real Electrum 3.3.3 ? not only sig, but also MD5 / SHA-1 of files.
In will be secure, to check this info in 2 sources (download on official website and check hashes of .exe's here and in twitter. Really more secure.
Because I don't know till now, where is real electrum.

Electrum doesn't publish hashes because even fake websites can publish hashes. Digital signatures OTOH cannot be faked. So take the time to learn to verify the digital signature. It'll serve you well in the future.

electrum.org is the correct site btw.
legendary
Activity: 2758
Merit: 6830
February 07, 2019, 06:49:21 PM
#13
This is serious shit!

Is there no way to warn users before they install the hacked wallet? If the hacker can still infect older wallet versions then devs should have no trouble sending out a general warning via all servers.
People are still losing money and its total bullshit.
There is nothing infected. It’s an vulnerability that lets the servers send customized messages to Electrum wallets connected to it.

The devs are already using the same vulnerability to warn the users on the affected versions.
legendary
Activity: 1090
Merit: 1000
February 07, 2019, 06:43:40 PM
#12
This is serious shit!

Is there no way to warn users before they install the hacked wallet? If the hacker can still infect older wallet versions then devs should have no trouble sending out a general warning via all servers.
People are still losing money and its total bullshit.

HCP
legendary
Activity: 2086
Merit: 4363
February 07, 2019, 05:27:52 PM
#11
electrum.org file is not safe! it contains a trojan!

I received the same error on my electrum wallet 3.3.2, but instead of downloading from the link, I went to download the new .exe installer for windows on electrum.org website.

As soon as I downloaded it, windows defender showed me an error of a trojan on the file.

Not sure what to do, if I leave the previous version Im exposed to phishing, but if I download the new version from the electrum.org website I get a trojan warning message from windows defender.

Any updates on this?


It is a false positive... For some reason (shitty heuristics), a number of antivirus applications detect programs that use PyInstaller as having trojans... I think it is because a number of viruses/malware apps use PyInstaller... so the antivirus incorrectly marks ALL apps that use it as being trojans Roll Eyes Roll Eyes

If you downloaded from https://electrum.org/#download and follow the instructions here: https://bitzuma.com/posts/how-to-verify-an-electrum-download-on-windows/

And the digital signature checks out OK, you can be confident that you have a legitimate copy of Electrum and that it is safe. Ignore Windows Defender, it is a shit antivirus.
legendary
Activity: 3276
Merit: 2442
February 07, 2019, 03:13:10 PM
#10
Пoмoгитe ПOЖAЛУЙCTA,тoлькo чтo cдeлaл oтпpaвкy биткoйнoв чepeз микcep,нaжaл oтпpaвить выcвeтилocь oкнo гдe былo нaпиcaнo oбнoвитe вepcию и пoдoбнoe,ccылoк нa cкaчивaния вepcий нe былo,я нaжaл oк .Я нaжимaл oтпpaвить биткoйн нa aдpec,пocлe чeгo oкнo нaжaл oк,нaчaл oбнoвлять вepcию,cмoтpю a пepeвoд yжe пoшёл,пocлe чeгo нaчaл cмoтpeть тpaнзaкцию пepeвoдa,oтпpaвкa yжe пpoизoшлa a вoт нa aдpec yкaзaнный мнoю дo cиx пop нe пpишли биткoйны пpoшлo yжe 3 чaca и нe oднoй пoдтвepждeннoй тpaнзaкции пoмoгитe пoжaлyйcтa мyжики,я нe пoймy мeня oбoкpaли или кaк?Я пo ccылкaм нe кaким нe пepexoдил,пpocтo вcплылo oкнo мaлeнькoe и я нaжaл oк и вcё!



Help PLEASE, just made sending bitcoins through a mixer, clicked send a window appeared where update was written and so on, there were no versions download links, I clicked ok. I clicked send bitcoin to the address, after which the window clicked ok, I started updating version , I look and the translation has already gone, after which I started watching the transfer transaction, sending has already taken place, but bitcoins have not yet arrived at the address I have already received 3 hours and not one confirmed transaction please help the guys, I don’t understand me or what? I didn’t follow the links by any means, a small window popped up and I clicked ok and that's it!

If you send it as a RBF enabled transaction, you can try to send it again by paying a higher fee with different outputs but if you haven't done it before you'll probably fail to do it before your first transaction gets a confirmation. (I did it before long time ago but if I had to do it again, I wouldn't make it in time probably) You are racing with seconds right now.

You better google "child pays for the parent" and "replace by fee" right away.

This post here explains it quite well:
https://bitcoin.stackexchange.com/questions/49723/replace-by-fee-vs-child-pays-for-parent

electrum.org file is not safe! it contains a trojan!


I received the same error on my electrum wallet 3.3.2, but instead of downloading from the link, I went to download the new .exe installer for windows on electrum.org website.

As soon as I downloaded it, windows defender showed me an error of a trojan on the file.

Not sure what to do, if I leave the previous version Im exposed to phishing, but if I download the new version from the electrum.org website I get a trojan warning message from windows defender.

Any updates on this?




Do not click anything. Delete that shit and never download it again. (don't delete your wallet files) Use only the core wallet.

Also fuck electrum. Just stop using that malware.

I am (was) also an electrum user but seeing these people getting scammed like this finished it for me.
CJR
newbie
Activity: 2
Merit: 0
February 07, 2019, 02:14:15 PM
#9
electrum.org file is not safe! it contains a trojan!


I received the same error on my electrum wallet 3.3.2, but instead of downloading from the link, I went to download the new .exe installer for windows on electrum.org website.

As soon as I downloaded it, windows defender showed me an error of a trojan on the file.

Not sure what to do, if I leave the previous version Im exposed to phishing, but if I download the new version from the electrum.org website I get a trojan warning message from windows defender.

Any updates on this?

https://imgbbb.com/image/tyI0r
newbie
Activity: 3
Merit: 0
February 07, 2019, 11:04:58 AM
#8
Пoмoгитe ПOЖAЛУЙCTA,тoлькo чтo cдeлaл oтпpaвкy биткoйнoв чepeз микcep,нaжaл oтпpaвить выcвeтилocь oкнo гдe былo нaпиcaнo oбнoвитe вepcию и пoдoбнoe,ccылoк нa cкaчивaния вepcий нe былo,я нaжaл oк .Я нaжимaл oтпpaвить биткoйн нa aдpec,пocлe чeгo oкнo нaжaл oк,нaчaл oбнoвлять вepcию,cмoтpю a пepeвoд yжe пoшёл,пocлe чeгo нaчaл cмoтpeть тpaнзaкцию пepeвoдa,oтпpaвкa yжe пpoизoшлa a вoт нa aдpec yкaзaнный мнoю дo cиx пop нe пpишли биткoйны пpoшлo yжe 3 чaca и нe oднoй пoдтвepждeннoй тpaнзaкции пoмoгитe пoжaлyйcтa мyжики,я нe пoймy мeня oбoкpaли или кaк?Я пo ccылкaм нe кaким нe пepexoдил,пpocтo вcплылo oкнo мaлeнькoe и я нaжaл oк и вcё!



Help PLEASE, just made sending bitcoins through a mixer, clicked send a window appeared where update was written and so on, there were no versions download links, I clicked ok. I clicked send bitcoin to the address, after which the window clicked ok, I started updating version , I look and the translation has already gone, after which I started watching the transfer transaction, sending has already taken place, but bitcoins have not yet arrived at the address I have already received 3 hours and not one confirmed transaction please help the guys, I don’t understand me or what? I didn’t follow the links by any means, a small window popped up and I clicked ok and that's it!
newbie
Activity: 11
Merit: 0
February 07, 2019, 10:24:51 AM
#7
yes, I know about sig https://bitcointalksearch.org/topic/how-to-verify-your-electrum-windows-linux-mac-5105901
But I want to check file (hash of exe).

ThomasV, today I have found 3 more threads about "hacked" electrum and phshing. Could you, please, post everywhere (here in pinned thread, in twitter) MD5 / SHA-1 / signature of real Electrum 3.3.3 ? not only sig, but also MD5 / SHA-1 of files.
In will be secure, to check this info in 2 sources (download on official website and check hashes of .exe's here and in twitter. Really more secure.
Because I don't know till now, where is real electrum.
sr. member
Activity: 910
Merit: 351
February 07, 2019, 01:43:05 AM
#6
ThomasV, could you, please, write here in sticky thread MD5 / SHA-1 / signature of real Electrum 3.3.3 ?

You can already verify the sig. If you still don't trust it, you can build it from scratch as explained on the GitHub page. I'm not sure if Thomas would reply because he already gave his GPG fingerprint.
legendary
Activity: 2758
Merit: 6830
February 06, 2019, 01:52:28 PM
#5
Lucius, yeah, just seen that thread.

ThomasV, could you, please, write here in sticky thread MD5 / SHA-1 / signature of real Electrum 3.3.3 ?
Just verify the signatures.

Electrum is commonly acussed as a trojan by a few random AV’s. But that’s just a false-positive. It happens all the time.

Here is Electrum’s “official” explanation:
Quote
"Anti-virus" software uses shitty heuristics to detect malware. PyInstaller is a convenient tool to package python apps. We use PyInstaller. Malware authors use PyInstaller. Everything that uses PyInstaller is detected as malware.
Quote
Anti-virus software have (and always had) false positives, and some of them tag Electrum as malware. This is out of our control. This does not mean that Electrum is or contains malware.

The Windows binaries are signed using the native Windows signing scheme by an entity named Electrum Technologies GmbH. They are also signed using GPG by @ecdsa (ThomasV). The GPG key fingerprint is 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6.

If you trust the developers of the project, you can verify the GPG signature, and ignore any anti-virus warnings.

If you don't trust the developers with not backdooring the binaries, you can (1) build binaries yourself; or (2) you can run from source. Some of the binaries are built reproducibly, so you can also check that those match.
More: https://github.com/spesmilo/electrum/issues/3198#issuecomment-458949319
newbie
Activity: 11
Merit: 0
February 06, 2019, 12:54:05 PM
#4
Lucius, yeah, just seen that thread.

ThomasV, could you, please, write here in sticky thread MD5 / SHA-1 / signature of real Electrum 3.3.3 ?
legendary
Activity: 3276
Merit: 2442
February 06, 2019, 12:53:10 PM
#3
Can't you just use a pruned bitcoin core wallet instead? It is not a download and go solution like electrum but once you set it up you can use it like the way you use electrum.

Whatever you do, don't click those pop-ups.
legendary
Activity: 3234
Merit: 5637
Blackjack.fun-Free Raffle-Join&Win $50🎲
February 06, 2019, 12:50:42 PM
#2
If you are on Windows check this thread with tutorial to verify signature : https://bitcointalksearch.org/topic/how-to-verify-your-electrum-windows-linux-mac-5105901

In general you should be safe if you download from official site, and if you verify signature. Nothing more then this can not be done, and if you follow all steps you should be good.

Regarding virustotal detection, it is in most cases false detection by some minor av engines, and I think this is also such case. There is few threads where this issue is explain in more details.

You should update to latest version, because developers fix problem with bad servers displaying links to fake wallets, but take your time and triple check every step to be sure that you have legit version.
newbie
Activity: 11
Merit: 0
February 06, 2019, 12:39:23 PM
#1
Hi, guys!
I have a question, first of all to developer @ThomasV

I'm using now Electrum 3.0, software asked me to update.
Because of huge amount of fakes, I'm afraid to do this.

How can I verify, that https://electrum.org/#download is good and real electrum, not fake?
Developers, could you in second source, post MD5 / SHA-1 of real Electrum? Here on BTtalk or in oficial twitter?

Is this real Electrum https://www.virustotal.com/#/file/09e877b25a518eba9c4b2b874f4af980f577764065e841e9066c15d7e802610a/detection
Why it's detected by AVs as trojan?
Jump to: