Topic: Multisig Address UTXO spent (hacked) (Read 2382 times)

legendary
Activity: 1260
Merit: 1019
August 26, 2014, 06:35:22 AM
#19
Quote
using a more complex password, for example: enfjakn/(&/gfjhbafnmjknHGV7&456DED$··"·%!!!/())/OJNDJKNJDKǨ+`P
Quote
How would a computer guess the above password?

How would a human remember the password above?
It will be easier to remember the private key in hex/WIF format itself.
full member
Activity: 157
Merit: 100
August 26, 2014, 05:54:48 AM
#18
Quote
Brainwallets are dangerous if using simple passwords, but using a more complex password, for example: enfjakn/(&/gfjhbafnmjknHGV7&456DED$··"·%!!!/())/OJNDJKNJDKǨ+`P should be secure enough.
Not likely. Humans are a terrible source of entropy.
Anything you come up with that you think seems random, a computer can guess easier than actually trying to find it randomly.


How would a computer guess the above password?
member
Activity: 73
Merit: 10
August 26, 2014, 03:00:58 AM
#17
Quote
Did you select my Multisig address manually or do you have a script that tries combinations of public keys?

There are 60k+ used p2sh addresses right now according to http://webbtc.com/scripts/script_hash
Do you think it is possible to check them manually?

Not manually one by one, but if you knew mine and tried to get the public key values from the redeem script.
legendary
Activity: 1260
Merit: 1019
August 26, 2014, 02:47:24 AM
#16
Quote
Did you select my Multisig address manually or do you have a script that tries combinations of public keys?

There are 60k+ used p2sh addresses right now according to http://webbtc.com/scripts/script_hash
Do you think it is possible to check them manually?
member
Activity: 73
Merit: 10
August 26, 2014, 02:42:18 AM
#15
Please do share your knowledge, the Bitcoin community will thank you for doing so.
legendary
Activity: 1260
Merit: 1019
August 26, 2014, 02:36:51 AM
#14
Quote
Soon before you tried to steal my funds

I do not like the words "my" & "steal". Bitcoins belong to the person who knows the private keys. I know.
Let us say that you have bought some knowledge for small price. And I can sell you more.
Just ask me. I will be happy to share my knowledge with everyone else.

Quote
I made a TX with no fee and now these funds seem to be blocked or lost.

Bitcoins cannot be lost in such a way. The game is not over.
member
Activity: 73
Merit: 10
August 26, 2014, 02:15:29 AM
#13
Quote
I did use extremely simple passwords. I guess he just brute forced the private keys, generated the Multisig address and if it contained UTXO sent them to his account.

Multisig redeem script contains public keys.

this was your transaction:

https://blockchain.info/tx/18eae575e18c47d5b8c14fddbe7e31299359cc5d3ce23f9c64a2af0fc0817806
public keys are:

Code:
"043394c36007889341b06434535adbb6d9ff8d54f0a075f660f9a15c5c160bd24eb8f9bd98d32e3b6624d1fefa360496d8a98f8ee2e558e6d0e385ff1afc2b70b7"
"049b0ee70d754c419be928df649029004bbffbe1f0a3a5b60f2c5141eb4e109438b8bfb6f68776d4632bbfa9ce2646388d4f436a350fa0fa3d9fd0ecd83a63da25"
"0491e379d32b48a0fde8e7923a41d6b2004636aabb9b47efc564770d582e59714c8594e592fc6f17b25afbd912f0750e66a2744c73776b88f42c63fdc338d29bbf"

it was not too difficult to check associated private keys for these public keys

two of three to redeem:
Code:
  { "5JAimMxne7A62i25P7MjjX37d5WCK3dUzgzmUSzqPdKstqjY2nx", "141995JqUd7VkHfggTKqPSPvK3deuinbit", "billgates" },
  { "5KS5cGrx2uvFjMgnvQSeyajtS7CAhhCfLxQrx7xFrJ5VETLRVGT", "126zmC4XSu5nFU7bYZVwEn9iVc82MXk15B", "aznar" },

Quote
Any bitcoins sent to such an address or public key are very likely to be quickly stolen.
Unfortunately, my script had a bug. No luck yet.





Did you select my Multisig address manually or do you have a script that tries combinations of public keys?
Soon before you tried to steal my funds, I made a TX with no fee and now these funds seem to be blocked or lost.
hero member
Activity: 1073
Merit: 666
August 26, 2014, 01:17:48 AM
#12
Quote
I did use extremely simple passwords. I guess he just brute forced the private keys, generated the Multisig address and if it contained UTXO sent them to his account.

Multisig redeem script contains public keys.

this was your transaction:

https://blockchain.info/tx/18eae575e18c47d5b8c14fddbe7e31299359cc5d3ce23f9c64a2af0fc0817806
public keys are:

Code:
"043394c36007889341b06434535adbb6d9ff8d54f0a075f660f9a15c5c160bd24eb8f9bd98d32e3b6624d1fefa360496d8a98f8ee2e558e6d0e385ff1afc2b70b7"
"049b0ee70d754c419be928df649029004bbffbe1f0a3a5b60f2c5141eb4e109438b8bfb6f68776d4632bbfa9ce2646388d4f436a350fa0fa3d9fd0ecd83a63da25"
"0491e379d32b48a0fde8e7923a41d6b2004636aabb9b47efc564770d582e59714c8594e592fc6f17b25afbd912f0750e66a2744c73776b88f42c63fdc338d29bbf"

it was not too difficult to check associated private keys for these public keys

two of three to redeem:
Code:
 { "5JAimMxne7A62i25P7MjjX37d5WCK3dUzgzmUSzqPdKstqjY2nx", "141995JqUd7VkHfggTKqPSPvK3deuinbit", "billgates" },
  { "5KS5cGrx2uvFjMgnvQSeyajtS7CAhhCfLxQrx7xFrJ5VETLRVGT", "126zmC4XSu5nFU7bYZVwEn9iVc82MXk15B", "aznar" },

Quote
Any bitcoins sent to such an address or public key are very likely to be quickly stolen.
Unfortunately, my script had a bug. No luck yet.

how? by brute force?
legendary
Activity: 1260
Merit: 1019
August 26, 2014, 12:17:28 AM
#11
Quote
I did use extremely simple passwords. I guess he just brute forced the private keys, generated the Multisig address and if it contained UTXO sent them to his account.

Multisig redeem script contains public keys.

this was your transaction:

https://blockchain.info/tx/18eae575e18c47d5b8c14fddbe7e31299359cc5d3ce23f9c64a2af0fc0817806
public keys are:

Code:
"043394c36007889341b06434535adbb6d9ff8d54f0a075f660f9a15c5c160bd24eb8f9bd98d32e3b6624d1fefa360496d8a98f8ee2e558e6d0e385ff1afc2b70b7"
"049b0ee70d754c419be928df649029004bbffbe1f0a3a5b60f2c5141eb4e109438b8bfb6f68776d4632bbfa9ce2646388d4f436a350fa0fa3d9fd0ecd83a63da25"
"0491e379d32b48a0fde8e7923a41d6b2004636aabb9b47efc564770d582e59714c8594e592fc6f17b25afbd912f0750e66a2744c73776b88f42c63fdc338d29bbf"

it was not too difficult to check associated private keys for these public keys

two of three to redeem:
Code:
  { "5JAimMxne7A62i25P7MjjX37d5WCK3dUzgzmUSzqPdKstqjY2nx", "141995JqUd7VkHfggTKqPSPvK3deuinbit", "billgates" },
  { "5KS5cGrx2uvFjMgnvQSeyajtS7CAhhCfLxQrx7xFrJ5VETLRVGT", "126zmC4XSu5nFU7bYZVwEn9iVc82MXk15B", "aznar" },

Quote
Any bitcoins sent to such an address or public key are very likely to be quickly stolen.
Unfortunately, my script had a bug. No luck yet.
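
What "Multisig redeem script contains public keys" means in practice, as an added example that is not code from any poster in this thread: spending from a P2SH multisig address publishes the redeem script, and a standard m-of-n script splits back into its public keys, so the funds are only as safe as the way the private keys were generated. `SAMPLE_KEYS` are constructed placeholders and the function names are hypothetical.

```python
OP_1, OP_16, OP_CHECKMULTISIG = 0x51, 0x60, 0xAE

# Constructed placeholder keys (not real curve points): 0x04 prefix + 64 filler
# bytes, the same 65-byte uncompressed layout as the keys quoted in the thread.
SAMPLE_KEYS = [b"\x04" + bytes([i]) * 64 for i in (0x11, 0x22, 0x33)]

def build_redeem_script(m, pubkeys):
    """Assemble OP_m <pk1>..<pkn> OP_n OP_CHECKMULTISIG."""
    script = bytearray([OP_1 + m - 1])
    for pk in pubkeys:
        script.append(len(pk))  # opcodes 0x01..0x4b push that many bytes
        script += pk
    script += bytes([OP_1 + len(pubkeys) - 1, OP_CHECKMULTISIG])
    return bytes(script)

def parse_redeem_script(script):
    """Return (m, [pubkeys]) for a standard multisig script, else raise ValueError."""
    if len(script) < 3 or script[-1] != OP_CHECKMULTISIG:
        raise ValueError("not a CHECKMULTISIG script")
    if not (OP_1 <= script[0] <= OP_16 and OP_1 <= script[-2] <= OP_16):
        raise ValueError("m or n is not a small-integer opcode")
    m, n = script[0] - OP_1 + 1, script[-2] - OP_1 + 1
    pos, end, keys = 1, len(script) - 2, []
    while pos < end:
        size = script[pos]
        key = script[pos + 1 : pos + 1 + size]
        # 65-byte keys start with 0x04 (uncompressed), 33-byte keys with 0x02/0x03
        prefixes = {65: (0x04,), 33: (0x02, 0x03)}.get(size)
        if prefixes is None or pos + 1 + size > end or key[0] not in prefixes:
            raise ValueError("bad public key push at offset %d" % pos)
        keys.append(key)
        pos += 1 + size
    if len(keys) != n or not 1 <= m <= n:
        raise ValueError("m/n inconsistent with key count")
    return m, keys

if __name__ == "__main__":
    m, keys = parse_redeem_script(build_redeem_script(2, SAMPLE_KEYS))
    print("%d-of-%d multisig, keys visible to any observer:" % (m, len(keys)))
    for k in keys:
        print(" ", k.hex())
```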



member
Activity: 73
Merit: 10
August 25, 2014, 03:58:28 PM
#10
Well I think you're right, I might need to generate new addresses for my bitcoins...
legendary
Activity: 3472
Merit: 4794
August 25, 2014, 03:28:55 PM
#9
Quote
Wouldn't it take a huge amount of time & resources to brute force the private key of a public key generated with such a long password?

Brute force?  Yes.

But, because humans are VERY bad at doing things in a completely random way, a program can be written to take advantage of biases in human thought and human behavior.  Such a program could significantly reduce the search space necessary to find the password used.

At the moment, an arbitrarily long password might be sufficient for short term storage, but since private keys can be randomly generated, why bother with such long and indecipherable passwords (which may fall to weaknesses in the future)?  Wouldn't it be simpler to just randomly generate a private key?
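
An added example (not part of any post in this thread) of the alternative suggested above: draw the private key from the operating system's CSPRNG and encode it as WIF, with a passphrase-derived key shown for contrast. The single SHA-256 derivation in `passphrase_key` is an assumption about the brainwallet scheme, which the thread does not specify, and all function names are hypothetical.

```python
import hashlib
import secrets

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Order of the secp256k1 group; valid private keys are integers in [1, N - 1].
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

def _checksum(payload):
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def to_wif(key32):
    """Base58Check-encode a 32-byte key as an uncompressed mainnet WIF (prefix 0x80)."""
    data = b"\x80" + key32 + _checksum(b"\x80" + key32)
    num, out = int.from_bytes(data, "big"), ""
    while num:
        num, rem = divmod(num, 58)
        out = B58[rem] + out
    return out  # no leading-zero padding needed: the first byte is always 0x80

def from_wif(wif):
    """Decode a WIF string, verifying length, version byte and checksum."""
    num = 0
    for ch in wif:
        num = num * 58 + B58.index(ch)  # ValueError on a non-Base58 character
    if num >> (37 * 8):
        raise ValueError("too long for an uncompressed WIF")
    data = num.to_bytes(37, "big")
    if data[0] != 0x80 or _checksum(data[:33]) != data[33:]:
        raise ValueError("bad version byte or checksum")
    return data[1:33]

def passphrase_key(passphrase):
    """Assumed brainwallet scheme: key = SHA-256(passphrase). Same input, same key,
    so the key has only as much entropy as the passphrase."""
    return hashlib.sha256(passphrase.encode("utf-8")).digest()

def random_key():
    """Draw 32 bytes from the OS CSPRNG, rejecting the rare out-of-range value."""
    while True:
        key = secrets.token_bytes(32)
        if 1 <= int.from_bytes(key, "big") < N:
            return key
```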
member
Activity: 73
Merit: 10
August 25, 2014, 03:24:04 PM
#8
Wouldn't it take a huge amount of time & resources to brute force the private key of a public key generated with such a long password?
member
Activity: 114
Merit: 12
August 25, 2014, 03:23:25 PM
#7
Much better off just making a wallet with mnemonics, and memorizing the word list. 

legendary
Activity: 2576
Merit: 1186
August 25, 2014, 03:06:38 PM
#6
Quote
Brainwallets are dangerous if using simple passwords, but using a more complex password, for example: enfjakn/(&/gfjhbafnmjknHGV7&456DED$··"·%!!!/())/OJNDJKNJDKǨ+`P should be secure enough.

Not likely. Humans are a terrible source of entropy.
Anything you come up with that you think seems random, a computer can guess easier than actually trying to find it randomly.
member
Activity: 73
Merit: 10
August 25, 2014, 03:04:14 PM
#5
Brainwallets are dangerous if using simple passwords, but using a more complex password, for example: enfjakn/(&/gfjhbafnmjknHGV7&456DED$··"·%!!!/())/OJNDJKNJDKǨ+`P should be secure enough.
legendary
Activity: 2576
Merit: 1186
August 25, 2014, 02:56:56 PM
#4
Quote
I did use extremely simple passwords. I guess he just brute forced the private keys, generated the Multisig address and if it contained UTXO sent them to his account.

It's pretty easy, and he can attack all multisigs at once.
This is why brainwallets are the dumbest idea ever...
member
Activity: 73
Merit: 10
August 25, 2014, 02:55:49 PM
#3
I did use extremely simple passwords. I guess he just brute forced the private keys, generated the Multisig address and if it contained UTXO sent them to his account.
legendary
Activity: 3472
Merit: 4794
August 25, 2014, 02:50:12 PM
#2
Quote
Hello,

My Multisig address I'm using for testing purposes has been used to send the funds to an address by a TX I did not generate (1ENnzep2ivWYqXjAodTueiZscT6kunAyYs).
https://insight.bitpay.com/address/3KZriXF1KJB5edEXwM5TdByaFEtgRd5VyE
Can Multisig addresses be hacked in any other way than knowing the private keys of at least two public keys?

Either you accidentally leaked the private keys, or you didn't use randomly generated private keys.

Quote
I used very simple passwords to generate the public keys.

Rainbow tables have been created for all private/public key pairs generated from simple passwords.  Any transaction that uses a public key or bitcoin address that was generated from a password instead of being generated randomly should be considered insecure.  Any bitcoins sent to such an address or public key are very likely to be quickly stolen.

Quote
Could this person have used an application that uses multiple private keys to test and build a valid TX?

yes.

This was all explained to you already in the past:

I used very simple passwords to generate the bitcoin addresses
yeah, that's probably it.
many easy keys have some bots, that capture money from them as it comes.
as well as many stolen keys - such are definitely being monitored for a potential theft and robbed immediately as they receive any coins.
member
Activity: 73
Merit: 10
August 25, 2014, 02:45:11 PM
#1
Hello,

My Multisig address I'm using for testing purposes has been used to send the funds to an address by a TX I did not generate (1ENnzep2ivWYqXjAodTueiZscT6kunAyYs).
https://insight.bitpay.com/address/3KZriXF1KJB5edEXwM5TdByaFEtgRd5VyE
Can Multisig addresses be hacked in any other way than knowing the private keys of at least two public keys? I used very simple passwords to generate the public keys. Could this person have used an application that uses multiple private keys to test and build a valid TX?

Thanks