Topic: My noob questions - page 2. (Read 685 times)

Think of bitcoin transactions like physical cash you hold in your hand, rather than like electronic cash you send via a bank transfer. If I have a 20 euro note, and I want to pay you 15 euros, then I have to use the whole 20 and get 5 back as change. If I have two 10 euro notes, and I want to pay you 15, then I have to use both of them, again getting 5 back as change. You can't cut a 10 euro note in half and call it 5 euros.

The same is true for bitcoin. All the coins in your wallet are part of discrete "unspent outputs" or "UTXOs". When you want to spend part of an output, you have to spend the whole output and get some of it back as change. Spending the output like this create two new outputs - one being sent to the person or address you are paying, and another being sent back to you with the change.

Your wallet has combined two outputs, one with 0.00034433 BTC and one with 0.02218800 BTC.

You wouldn't, but all bitcoin transactions are public, and so viewable to anyone. If you want to pick and choose which UTXOs to include in your transaction, then you need to use a wallet such as Electrum which allows you to do that.

Numbers 1 and 2 are two different UTXOs which you used in that transaction. Number 3 is the output you sent, and number 4 is the change being returned to your wallet.

Newbies can't post images. You need to rank up by spending more time on the forum.

---

As an aside, although you have blanked out the transaction ID and the addresses, simply showing the amounts involved is enough for someone to find that transaction on a block explorer in the space of a couple of minutes.

Question 6: can you help me understand how the transactions work?

So for example I sent 73,5 € to myself in May, this is the transaction as displayed by the wallet.
By this image, I can see that I sent 0.00853949 bitcoin, of which 0.00066542 bitcoin have been spent on the fees.





Now when I check the transaction on the blockchain, I would expect to see something like

from X (x= address of the sender) to Y (y = address of the receiver).

And the amount without fees, so 0.00787407 bitcoin.


Instead, if I look at the transaction on the blockchain, this is what I see.




What I don't understand:

1. Why is the "input total" 0.02253233 btc? What I sent was 0.00853949. Is this "input total" the total amount I had in my wallet when I made the transaction? If so, why on Earth would I want to show that to the person receiving the payment?

2. What do the numbers 1, 2, 3 and 4 indicate? I expected to see the amount of money I sent from my address to his address, instead I see 4 addresses and 4 different amounts of bitcoin.


How come the images don't show? I used the tag properly.

The vulnerability allowed the server to show a message to the client.
It wasn't really an update function. It was a warning message saying that the current version is vulnerable and that an update should be performed (with an link to the fake version of electrum).




It would only show that there is an update available. You still would have to visit electrum.org to download and install it.

I think this was also changed, not sure if with version 3.3.8 or an older one. I remember reading that it became possible for Electrum to check if you were using the latest version and if updates are available. I assume if they are, it would let you download and install them. I never used that option or care for it that much as that is not the way I plan to update my Electrum anyways.

I completely agree that a very large number of crypto users have a completely wrong attitude when it comes to crypto, it is a combination of ignorance and misunderstanding of the very idea on which BTC was created. There is no doubt that most are not ready to be their own bank, this is shown by all examples of hacking - but also the fact that millions of BTC are kept on crypto exchanges and online wallets.

There is also no doubt that all Electrum users are responsible for what happened to them, primarily because they were unaware that Electrum does not have an official update option from the program itself, and secondly that there is something that allows them to check the legitimacy of a file before installing.

But it’s also a fact that Electrum existed as much as 3 years before someone took advantage of this vulnerability, and that’s the only reason I say that part of the responsibility is also on those who didn’t discover it in time. Of course, what pooya87 wrote should also be taken into account, and that is that the license was issued by the MIT and that there is no material or criminal liability.

According to research from 2019, the value of BTC stolen in this way is measured at about $ 4 million, but it should be noted that at the end of 2018 the price of BTC was at least three times lower than today, and that all those who still have vulnerable versions remain potential victims. So far, the biggest known loss was $140,000, which is big money anywhere in the world.

---

This is true, and because of that you should never trust anything blindly, but check and verify every thing related to crypto.

Ok but the fake link came from the wallet itself as far as I understood, so that's not exactly like a scammy email.

I do realize that the victims don't really care about how a specific score is rating that vulnerability.
But with BTC and the whole be your own bank around it, people also need to secure their funds themselves.


And we are not talking about being extremely techy.
It is enough to internalize "simple" things like 1) only downloading from the official website and 2) do not click on random links / do not download random stuff.

I believe that you don't have to be techy or be working in the IT field to actually do that.

But a lot of people still fall for simple scam mails (e.g. nigerian prince or whatever the current equivalent of that is).
And those people are not ready yet for keeping their money safe - all on their own.

BTC does not have a system yet which is that fool-proof. And i doubt we will ever get that far.
So people actually have to learn new things. They have to learn basic IT stuff like not clicking on every random link.

We can just hope that the victims learnt it this way. And that their loss wasn't too huge.

I had no doubt you wouldn't comment this way, and I know very well your position when it comes to things like this. But you only look at these things from the position of someone who is some kind of expert in the IT industry. All those poor people who lost their BTC because the official wallet showed them a fake message don't care what the score is, that low score means nothing when they money is gone.

It is complete nonsense to compare an email client with an Electrum, but if it makes sense to you... This is about someone taking advantage of something that allowed him to cheat a lot of people, and part of the responsibility for that lies with the developer.

But that’s just my opinion, there’s no need to further discuss what someone should or shouldn’t have done.

"Such a security flaw" ?

The CVSS score of that vulnerability is somewhere between 2.5 and 3.5 out of 10 and therefore low severity.
It doesn't do anything else than just displaying a message.

If an user visits a fake github page with no source code and installs malware without verifying the signature, they are completely at fault.

It is almost like saying "I received an email in my mail client and clicked the link to install this program. The email client is at fault." That's not exactly the same since, but both is nonsense and comparable.

I agree with the part that such a vulnerability shouldn't have existed, but to be fair, it wasn't a vulnerability until bad actors made it one. The developers probably didn't consider it could become a problem since they don't share the same thought of hackers and various scammer and exploiters. Nobody and nothing is perfect.

We as users should do our part in following suggested standards. The blame is still very much on the individuals, not the software, although I agree that some small part is on the developers as well. Because even if those custom messages were present today, if the users verify the signatures, and pay attention that the software updates for the software stem from the genuine site, they would not be phished.

developers have no responsibility, and it is not just because of the MIT license that eliminates that responsibility entirely but because of the simple fact that any software that has ever been released and will ever be released has flaws. there is no escaping that. it doesn't matter how many developers spend how much time on that software, it will have flaws that will be exploited at some point and fixed afterwards.

the blame is on users exclusively in this particular case because they could have protected themselves with very simple and mandatory steps that includes signature verification and using cold storage.

It's like anything new - it can seem overwhelming at first, but stick with it and you will soon figure out all these quirks and nuances.

With bitcoin, you are "being your own bank". You are taking complete control of your money and not trusting any third party to look after it or manage it for you. Think about your average commercial bank. Think about how complicated their internal database must be, how robust their security systems are, how many employees they have working for them, and so on. With bitcoin, you are emulating all that for yourself. By necessity that comes with a degree of complexity.

It is possible to skip all this and use bitcoin in the most simple way possible - create an account on an exchange, buy bitcoin there, and leave it their storage. You don't have to worry about seed phrases, derivation paths, verifying signatures, or any of the things discussed here. But to do so is to miss out on the very essence of what bitcoin is - peer to peer, trustless, decentralized. If you are going to trust a third party like an exchange to do all the heavy lifting for you, then why use bitcoin at all? Why not just stick to fiat?

To be fair, the question regarding verifying signatures does not just apply to Electrum or bitcoin wallets. I verify everything from Tor to my password manager. When you are downloading or updating any piece of software, it is good practice to verify that it has not been tampered with.

My god why does it have to be so complicated.

Much like the private and public keys we use in bitcoin to sign and verify transactions, we can use private and public keys in general cryptography to sign and verify other data.

When Electrum is released, the main developor Thomas Voegtlin signs the release with one of his private cryptography keys. He also publishes the corresponding public key. Anyone who downloads Electrum can then use that public key to verify that the version of Electrum they downloaded is identical to the version of Electrum which was signed by Voegtlin. If you had accidentally downloaded a malicious version, someone had tampered or edited the code in the version you downloaded, malware had buried itself inside, etc., then the verification process would fail, alerting you that you had downloaded a malicious copy and not to use it. In short, verifying your download ensures that you are using a legitimate copy straight from the developer.

There's an explanation of this on the Electrum download page here:


For a newbie's guide on how to verify your download, have a look at the following links:
https://bitcoinelectrum.com/how-to-verify-your-electrum-download/
https://bitzuma.com/posts/how-to-verify-an-electrum-download-on-windows/
https://bitzuma.com/posts/how-to-verify-an-electrum-download-on-mac/

What does it mean "verify your Electrum signature"?

The reason why many people are hacked via Electrum is not only in the fact that users did not verify the signature (but most had no idea it was possible), but also in the fact that this security flaw existed at all and was not previously detected and fixed. Most (at least on this forum) blame users exclusively for not doing something (verify signatures), but it is also a big responsibility of those who have publicly distributed software with such a security flaw.

I don't see that such things can be avoided in the future unless downloading such sensitive programs would only be possible by forcing users to verify downloaded files before installation.

Don't focus on the looks and the design of the wallet. The security and safety of funds should be your top priority. The correct use of Electrum fulfills those goals.

Electrum was never hacked. Certain users abused a loophole that allowed Electrum servers to send custom messages. These messages informed the users that their Electrum software was out of date and needed to be updated. They posted links to phishing websites. Those who clicked and installed the fake software lost their Bitcoin. This loophole has been patched since the 3.3.4 version of Electrum.

That is why we always say verify your Electrum signatures before you install the software. If those who were phished had done that, they would have noticed that the software they installed was fake and is not the original Electrum.

Well, in short, both are impossible to crack. If you want to know the math behind it, read this: https://bitcointalksearch.org/topic/12-word-vs-24-word-seeds-5078657

It's worth mentioning that some wallets (like Electrum and Trezor) allow their users to extend their seed with custom words which can be very helpful to add an extra layer of security.

Question 5: is a wallet with 24 words safer than one with 12 words? I have one with 12, should I switch to one with 24? I am getting serious with bitcoin now.

Congratulations to everyone on the Bitcoin Forum. Yes you can feel free to ask any question related to Bitcoin here but it is better if you follow the forum rules in a good. The moderators here are all very sincere. You can ask questions here to find out any useful bitcoin related information. Everyone will answer your question with a lot of sincerity. I'm telling you to get rid of the Atomic wallet. Lean towards the Electrum Wallet as soon as possible. It will be good for you.