Pages:
Author

Topic: BitcoinSpinner - page 4. (Read 55555 times)

hero member
Activity: 695
Merit: 500
August 22, 2013, 01:04:18 AM
Cold storage is fine …

Cold storage does not create security. It only makes it a little bit more difficult for a Trojan to grab the private key. It does not deter malware programmers—it merely challenges them. Perhaps it attracts them. Smiley

It is probably better to prevent malware in the first place, but that is also difficult. Essentially you should not keep large amounts on a phone, and if you do, keep all other software and updates to the absolute minimum.

I am hoping for a separate piece of dedicated hardware to keep the private key in and to do any signing, with an observable, minimal data channel to the phone or computer that does the external communications. We don't have that yet, it is a hope for the future.
Jan
legendary
Activity: 1043
Merit: 1002
August 22, 2013, 12:58:55 AM
Sorry if I missed it, but how does Mycelium calculate Bitcoin price, and is there some standard that everyone uses now that Gox got Goxed?
If you have chosen USD as your local currency the market price is determined by the latest trade on Bitstamp and MtGox and calculating the weighted average according to trade volume. For the other currencies we currently only use MtGox (Bitstamp only trades in USD). This is obviously not optimal, especially given the current circumstances. We actually happened to discuss this yesterday, and I am delighted to tell that Peter Šurda (Bitcoin blogger and economist) has joined our team in Vienna Wink

Here is our current thinking:
1. Let the user choose which exchange to base the price on. Initially available choices would be Bitstamp and MtGox. We can expand the list as we go (the default will probably be Bitstamp)
2. Take the USD price of the selected exchange. (It occurs to me that USD is the only currency with any significant volume on MtGox, and the only currency traded on Bitstamp.)
3. Convert the USD price to the selected local currency using official public foreign exchange rates.
4. Display that price on the main view including the chosen exchange "1 BTC~103 USD (Bitstamp)"

Displaying the name of the exchange is important in situations where two users are doing an in-person trade, as this helps them understand why they see different prices.

We are going to discuss this further internally today, and if you have any suggestions we'd love to hear them. It will take a week or two before we have an update ready.
legendary
Activity: 1680
Merit: 1035
August 21, 2013, 07:25:03 PM
Sorry if I missed it, but how does Mycelium calculate Bitcoin price, and is there some standard that everyone uses now that Gox got Goxed?
hero member
Activity: 900
Merit: 1000
Crypto Geek
August 21, 2013, 06:47:26 PM
In mycelium,
 how do you backup your encrypted wallet.dat?

I just backed up the private key to the SD card

Every app on your phone has access to that, it's unencrypted and if it goes missing you're probably going to find it impossible to trace. Trust me... from someone who's lost >600BTC in various ways.
hero member
Activity: 900
Merit: 1000
Crypto Geek
August 21, 2013, 06:45:43 PM
Not sure if this got clear here:
Of course other apps can access the clipboard and if they request it in the manifest (the user gets warned about that) also to the sdcard.
Users should be aware that it is as easy as 3 lines of code to get any app to wake up whenever anybody puts anything into the clipboard.
Such an app can then parse and granted it has internet access, send the private key home.

I guess watching a folder on the sdcard is about as trivial.

Conclusion: This will happen. Some greedy guy at rovio or whatever app that has millions of users will put these 3 lines there and enjoy some extra money. Take this serious and follow Jan's advice to not trust hundreds of apps with your money. It's bad enough that any core dev at google could essentially do the same but I guess the Q&A is quite tight there. Expect it to happen there, too and don't put all into one basket (note to myself).

Agreed. I hope it can be improved. It is extremely easy to write an closed source app to grab the file off the sdcard. I would prefer a normal encrypted wallet.dat backup.
Of course it could be argued that it's futile to have decent security without a permissions monitoring system running or using a separate system like an old phone.
I for one don't run many different apps. I used to use permissions controlling apps but it was a lot of work to keep on top of so when the built in permissions in the new Android came out I've been using that... but it only has some protections and it doesn't help against this problem.

I might instead try to take a photo with something but it seems a bit of an odd thing to do.

Coinsidently, I wonder how many linux Bitcoin users have their browser as the same user as their electrum binary... and what Chrome extensions they are running.

Security is still a big stumbling block for Bitcoin. All it takes is for someone to lose $10 and they might say "I'm never using that again!"

Cold storage is fine but I'm really hoping apps like BitcoinSpinner and Electrum and make it easier for people.
legendary
Activity: 1862
Merit: 1114
WalletScrutiny.com
August 21, 2013, 04:20:33 PM
Not sure if this got clear here:
Of course other apps can access the clipboard and if they request it in the manifest (the user gets warned about that) also to the sdcard.
Users should be aware that it is as easy as 3 lines of code to get any app to wake up whenever anybody puts anything into the clipboard.
Such an app can then parse and granted it has internet access, send the private key home.

I guess watching a folder on the sdcard is about as trivial.

Conclusion: This will happen. Some greedy guy at rovio or whatever app that has millions of users will put these 3 lines there and enjoy some extra money. Take this serious and follow Jan's advice to not trust hundreds of apps with your money. It's bad enough that any core dev at google could essentially do the same but I guess the Q&A is quite tight there. Expect it to happen there, too and don't put all into one basket (note to myself).
Jan
legendary
Activity: 1043
Merit: 1002
August 21, 2013, 11:43:45 AM
In mycelium,
 how do you backup your encrypted wallet.dat?
Mycelium works differently then Bitcoin-QT in many ways. One of which is that it has no wallet.dat file.

For backup there are 3 basic approaches, all of which is done in the Keys & Addresses view. Long clicking on a key lets you choose Export, which allows you to:

  • 1. Click "Show QR-code", which displays a QR-code that contains you private key in SIPA format. You can scan that with another Mycelium wallet instance to import it, or take a picture with a camera, and later print it out, or keep it on the SD card in a safe place.
  • 2. Same as above, but additionally click "Copy Private Key to Clipboard". The SIPA formatted private key will go to the clipboard as text, and from there you can use it with other apps. Please note that other apps on your device have access to it, so be careful.
  • 3. Click "External Storage". If your device has an SD-card which contains a folder called "mycelium-export" this will export a JPG file to it, which contains the bitcoin address and private key as strings and QR-codes. From there you can print it out directly on a printer that accepts SD cards. Here is a demo that shows how it is done. This is what I always do.

If you use Mycelium for large amounts I suggest that you use a dedicated device for optimal security. Personally I use an old second hand Android 2.2, which I got for free, and which I nuked to factory defaults, installed cyanogenmod, no SIM, and only installed mycelium. I keep the device in my safe along with paper backups. Whenever I want to "load up" my spending wallet on my daily phone I use the Cold Storage feature. There is a nice demo of it here.
I presume the above warning about the clipboard access also applies to a jpg exported to the SD card...?
Yes.
hero member
Activity: 756
Merit: 501
There is more to Bitcoin than bitcoins.
August 21, 2013, 11:09:34 AM
In mycelium,
 how do you backup your encrypted wallet.dat?
Mycelium works differently then Bitcoin-QT in many ways. One of which is that it has no wallet.dat file.

For backup there are 3 basic approaches, all of which is done in the Keys & Addresses view. Long clicking on a key lets you choose Export, which allows you to:

  • 1. Click "Show QR-code", which displays a QR-code that contains you private key in SIPA format. You can scan that with another Mycelium wallet instance to import it, or take a picture with a camera, and later print it out, or keep it on the SD card in a safe place.
  • 2. Same as above, but additionally click "Copy Private Key to Clipboard". The SIPA formatted private key will go to the clipboard as text, and from there you can use it with other apps. Please note that other apps on your device have access to it, so be careful.
  • 3. Click "External Storage". If your device has an SD-card which contains a folder called "mycelium-export" this will export a JPG file to it, which contains the bitcoin address and private key as strings and QR-codes. From there you can print it out directly on a printer that accepts SD cards. Here is a demo that shows how it is done. This is what I always do.

If you use Mycelium for large amounts I suggest that you use a dedicated device for optimal security. Personally I use an old second hand Android 2.2, which I got for free, and which I nuked to factory defaults, installed cyanogenmod, no SIM, and only installed mycelium. I keep the device in my safe along with paper backups. Whenever I want to "load up" my spending wallet on my daily phone I use the Cold Storage feature. There is a nice demo of it here.
I presume the above warning about the clipboard access also applies to a jpg exported to the SD card...?
hero member
Activity: 756
Merit: 501
There is more to Bitcoin than bitcoins.
August 21, 2013, 11:04:00 AM
In mycelium,
 how do you backup your encrypted wallet.dat?
On water skis, how do you pump tires?
Aww...   Be nice
I was nice... it was a zen koan!
Jan
legendary
Activity: 1043
Merit: 1002
August 21, 2013, 10:46:32 AM
Ooooooh, Android Bitcoin Wallet just announced they're working on offline transaction sending via bluetooth (create transaction, sign, and transmit over bluetooth to the other phone, which can then broadcast to the web). You guys better step it up!  Grin

(granted their wallet doesn't even do private/public key management yet, and they keep insisting it's a bad idea, despite using just one key for all transactions, anyway)
Hey Rassah.. always pushing the envelope  Grin
That is an interesting feature. Andreas and I discussed today, and we like it. We do however have some other awesome features in the pipe-line.
We will revisit "bluetooth bridging" going forward.
Jan
legendary
Activity: 1043
Merit: 1002
August 21, 2013, 10:43:11 AM
In mycelium,
 how do you backup your encrypted wallet.dat?
Mycelium works differently then Bitcoin-QT in many ways. One of which is that it has no wallet.dat file.

For backup there are 3 basic approaches, all of which is done in the Keys & Addresses view. Long clicking on a key lets you choose Export, which allows you to:

  • 1. Click "Show QR-code", which displays a QR-code that contains you private key in SIPA format. You can scan that with another Mycelium wallet instance to import it, or take a picture with a camera, and later print it out, or keep it on the SD card in a safe place.
  • 2. Same as above, but additionally click "Copy Private Key to Clipboard". The SIPA formatted private key will go to the clipboard as text, and from there you can use it with other apps. Please note that other apps on your device have access to it, so be careful.
  • 3. Click "External Storage". If your device has an SD-card which contains a folder called "mycelium-export" this will export a JPG file to it, which contains the bitcoin address and private key as strings and QR-codes. From there you can print it out directly on a printer that accepts SD cards. Here is a demo that shows how it is done. This is what I always do.

If you use Mycelium for large amounts I suggest that you use a dedicated device for optimal security. Personally I use an old second hand Android 2.2, which I got for free, and which I nuked to factory defaults, installed cyanogenmod, no SIM, and only installed mycelium. I keep the device in my safe along with paper backups. Whenever I want to "load up" my spending wallet on my daily phone I use the Cold Storage feature. There is a nice demo of it here.
ffe
sr. member
Activity: 308
Merit: 250
August 21, 2013, 10:08:05 AM
In mycelium,
 how do you backup your encrypted wallet.dat?
On water skis, how do you pump tires?
Aww...   Be nice
hero member
Activity: 756
Merit: 501
There is more to Bitcoin than bitcoins.
August 21, 2013, 09:56:03 AM
In mycelium,
 how do you backup your encrypted wallet.dat?
On water skis, how do you pump tires?
hero member
Activity: 752
Merit: 500
bitcoin hodler
August 21, 2013, 06:29:36 AM
In mycelium,
 how do you backup your encrypted wallet.dat?

I just backed up the private key to the SD card
hero member
Activity: 900
Merit: 1000
Crypto Geek
August 21, 2013, 06:17:29 AM
In mycelium,
 how do you backup your encrypted wallet.dat?
legendary
Activity: 1680
Merit: 1035
August 20, 2013, 04:21:18 PM
Ooooooh, Android Bitcoin Wallet just announced they're working on offline transaction sending via bluetooth (create transaction, sign, and transmit over bluetooth to the other phone, which can then broadcast to the web). You guys better step it up!  Grin

(granted their wallet doesn't even do private/public key management yet, and they keep insisting it's a bad idea, despite using just one key for all transactions, anyway)
hero member
Activity: 668
Merit: 501
August 20, 2013, 04:02:50 PM
some cameras apparently have troubles switching between macro mode and normal mode. for qr code scanning you normally need normal mode. especially the Nexus 4. turning off this feature disables macro mode.
on the N4 we already detect this and set autofocus to false. if you provide us with the exact Build.MODEL and other constants we could put this on the "blacklist" too.
hero member
Activity: 756
Merit: 501
There is more to Bitcoin than bitcoins.
August 20, 2013, 10:48:13 AM
Back to the autofocusing (non)issue. The last few updates presumably include the autofocus fixes, however - my Note was still not able to focus. Then I went to the settings and turned the continuous autofocusing off - and voilà! - the continous autofocus works, and my Note can scan small, close-up QR codes!

I just love the European absurdist sense of humor. Now I can laugh on my way to the coffee shop, and finally start using Mycelium to pay there.
sr. member
Activity: 448
Merit: 250
Changing avatars is currently not possible.
August 20, 2013, 03:26:03 AM
I have Mycelium, but don't really use it much.  Some of the other ones for android I found lacking.
donator
Activity: 2772
Merit: 1019
August 15, 2013, 06:18:51 AM
Wallet PIN is entered a lot less frequently. My one is longer, too and I take good care that noone watches (the whole sequence) when I enter it.

Please note that the pin protects you from a kid grabbing your smartphone while on the toilet. it can not protect against a dedicated attacked with physical access to the phone, or root-level malware, any 6-digit pin would be cracked in minutes anyways. what could work is server side pin support with 2-of-3 multisig. that could in fact help against root level malware (but we are not there yet)

therefore, the pin does NOT encrypt your private keys it is just a UI measure.

I'm aware of that. The kid some dude in a bar grabbing my phone is a real possibility and I want to protect against that. Don't want to have to be paranoid about my phone all the time.
Pages:
Jump to: