Pages:
Author

Topic: my wallets were stolen just now, can any one help me? - page 3. (Read 12255 times)

member
Activity: 61
Merit: 10
GOOD NEWS (maybe).  If it can be shown that you lost your BTC due to a bug in the blockchain.info wallet it looks like you may get your BTC back from the owner of blockchain.info (nice guy).  See:  

https://bitcointalksearch.org/topic/blockchaininfo-security-funds-stolen-277595

Specifically this post:

Jesse James has informed me of a problem with the rng used by blockchain.info javascript clients being poorly seeded when initialised in a background webworker task. In some browsers this could lead to duplicate R values being used when signing transactions (Firefox is likely to be particularly vulnerable). This issue effects the transaction signing code only, not the generation of private keys.

Patches have now been deployed, Please ensure you upgrade to the latest version of your Blockchain.info client.

Chrome extension - v2.85
Fixefox extension - v1.97
Mac client - v0.11

Users of the web interface should clear their browsers cache before next login.

Only a handful of addresses are known to be affected thus far. Likely if you have been affected by this problem your coins will have been taken already. All affected users will be refunded in full, please PM me or email [email protected].
Any one can know I lose my BTC due to a bug in the blockchain.info wallet ?
legendary
Activity: 2198
Merit: 1311
My storage solution is an offline Armory installation on a Windows To Go installation on a thumb drive using the Windows 8 Enterprise trial downloaded directly from Microsoft.  This is the easiest and most secure install-and-go method I've found.  What's convenient about this method is that the Windows To Go USB thumb drive is bootable on any system and can be setup with whole drive encryption.  In addition to whole drive encryption Armory wallets should also be encrypted.  From that system I print paper backups of the keys I generate with Armory and print them with an old offline printer.  Also, on first boot of the Windows To Go installation I uninstall all network drivers to ensure that it never connects to a network.

If you have thousands of USD worth of bitcoin, you need to do something like this.  Keys should be generated on freshly installed, and offline OS.  You should make physical backups.  You should encrypt any digital backups.  You should never keep more than an amount your willing to lose in an online wallet or an exchange.

OP, I'm truly sorry for your loss and wish you the best of luck with recovery.

Edit: I know it's popular to bag on bitcoins on Windows, but if you setup the OS correctly, can reasonably trust the source ISO, and keep the installation from ever connecting to a network, theft is very unlikely.  I formerly used an offline live Ubuntu installation for this system, but tried it out with Windows To Go as a proof of concept for my friends who don't want to mess with Linux and dependency issues.  I think offline Windows To Go brings offline, encrypted storage closer to the experience of less tech savvy people, though it still takes some technical know how.
legendary
Activity: 980
Merit: 1004
Firstbits: Compromised. Thanks, Android!
I agree with the notion that using an Android phone is a flawed solution, but then all "solutions" to this are flawed...

How is the Trezor solution flawed?

Storing 50K on your phone is unwise, but frankly I wouldn't trust that much to a Trezor either

What problem do you imagine there?

It's a black-box solution created by someone else and shipped to me, the only inhibitor of it being cracked open and tampered with being a sticker. There's no way I'm just going to order one, open the box, write down the keys, and drop $50K onto it, feeling secure in the safety of the thing. Expecting that of consumers is just asking for trouble on a massive scale.

In addition, from what I understand it also:

Doesn't display your private keys in plaintext, meaning no importing your keys to other wallets without at least running code to convert the passwords (or, ideally I'm sure, just buying another Trezor.)

Requires physical connection to a computer (so at the very least you need Trezor and another device, one you personally control, and that can access the Trezor, to retrieve your bitcoins.)

Is immediately identifiable for anyone in the know as a definite repository of bitcoins.

...So while it's not as if I won't use one, we can't pretend it has no flaws compared to other bitcoin storage methods.


, or even a laptop with Armory;

You buy a cheap dedicated laptop and cleanly install an OS. Go to bitcoin.org and download Bitcoin-Qt. Go to bitcoinarmory.com and download Armory. Disconnect it permanently from the Internet. Proceed to use Armory for paper backups, storing and spending coins.

What problem do you imagine?

It's the current resource requirements of Armory (and the "disconnect it permanently from the Internet" part) that has me skeptical.

Then of course, there's also the fact that a laptop with applications just lacks the simplicity and longevity of paper wallets. If I want my bitcoins to continue having use even in the event of my sudden demise, this just adds another layer of complexity and issues.

Unless you're just talking about using Armory for the paper wallets it creates. But at that point, once you have the paper wallet, also keeping the keys on your laptop is unnecessary, since what we're looking at here is simple storage. Now, if the scenario is a business where they need somewhat-ready access to all those funds, then yes, Armory makes more sense. Otherwise, printing out the paper wallet (using Armory if desired), wiping any trace from local devices, and storing the wallet and the backups in separate secure locations away from home seems far more sensible.


Quote
Blockchain.info should be used as a convenient spending wallet, not storage wallet.

I disagree. While I think it's true no one should use it for savings and storage, I see no reason to use it at all any more, even for spending, if it's at all possible to avoid doing so. If you have a home computer, there are good clients available to use.

What happens if you're away from home? Blockchain.info can give users similar access to spending bitcoins as online email services give users for accessing email, which is access anywhere in the world. Keeping a few hundred dollars worth of spending money in a Blockchain.info wallet seems very convenient and low risk to me.

If the idea is to use one's home and work desktops to access the same wallet, yet you're not a business managing an account of bitcoins, then I have to imagine we have different ideas of what a "spending wallet" would mean. I see a mobile phone as ideal for that; I see no reason to put one's spending wallet online, and limit access to it to browsers only, when it's clear that that method is compromised, unless one must. If one wants to do that for the convenience (rather than necessity,) knowing that at any time the owner of the business or a successful hacker can manipulate your transactions, then all I can say is, we also have very different expectations of people, of ourselves, and of technology in general. I'm rather confused as to how someone can look forward to a dedicated bitcoin hardware device, yet opt to keep their bitcoins in an online wallet rather than on their own open-source smartphone when they don't absolutely have to.
legendary
Activity: 1050
Merit: 1002
There should be a better solution then stop using Windows, how else are non technical people gonna adapt Bitcoin?

I work with non technical people and I convinced them to leave windows for good 4/5 years ago. Most of them went to OSX and bought macbooks, a couple of them chose Linux (specifically Ubuntu and Linux Mint, which I'd say are even easier to use than Windows). All of them say they would NEVER go back to Windoze.

Well good luck convincing the rest of the world, that a couple people started using Linux doesn't change the fact the majority of the world doesn't use it.

We need a save way to use it on Windows, that's a fact. I think the best way is to educate them to use some kind of 2 factor authorization (ie. password + mobile phone), that should keep most wallets save.

Using the Trezor with Windows would be a perfectly secure way to store and spend coins. (But people should really try migrating away from Windows)
hero member
Activity: 910
Merit: 1005
It is correct. Click "Show scripts & coinbase" for these both transactions. You will see that both used the same random number: 04b8c7b27846a1df35a87763f75b421a4f8148d17ca91c2daab6838aa5b04d48e373bba0cc1e081 be696bc626296febcdccab5336a43b8861a91afa57865bbb3f5

That is the public key of the address, not the random number (public keys always being with 04). These addresses are not affected by the random number issue.
legendary
Activity: 1148
Merit: 1014
In Satoshi I Trust
What wallet were you using?  

Do you have an android phone?

Do you have a Bitcoin wallet on your android phone?  If so which one?

The fact that the thief gave you change is interesting.  Why not steal all the BTC?
i don't use android phone. i use  blockchain.info
he stole all btc in these 2 address.

man -.- ! you had all your coins at blockchain? an online wallet? maybe thats your lesson...
legendary
Activity: 1148
Merit: 1018
There should be a better solution then stop using Windows, how else are non technical people gonna adapt Bitcoin?

I work with non technical people and I convinced them to leave windows for good 4/5 years ago. Most of them went to OSX and bought macbooks, a couple of them chose Linux (specifically Ubuntu and Linux Mint, which I'd say are even easier to use than Windows). All of them say they would NEVER go back to Windoze.

Well good luck convincing the rest of the world, that a couple people started using Linux doesn't change the fact the majority of the world doesn't use it.

We need a save way to use it on Windows, that's a fact. I think the best way is to educate them to use some kind of 2 factor authorization (ie. password + mobile phone), that should keep most wallets save.

The majority of users only use a browser and using Chrome or Firefox on a Linux box is no different than on Windows. 260 BTC lost is a good reason to consider making a few changes. Lots of money is lost to thieves  from malware compromised Windows machines, but the banks and CC companies will replace your stolen funds. If someday bitcoins become mainstream and a common medium of exchange, simular protection are surely to be put in place. Until that day arrives it may be prudent to take some precautions.

I'm not so sure that using Chrome or Firefox on a Linux box is no different than on Windows. There are much more vector attacks on Windows, plus there is much more malware/RATs/viruses coded for that SO. Honestly, Linux might scare a lot of people but Ubuntu and its derivatives made wonders in terms of ease of use... Then you have OSX, which is not invulnerable at all as some think, but in any case is order of magnitude more secure than Windows. I use both OSX and Linux, and I never got any type of malware in aprox. 10 years, and I don't follow any type of special "security protocol", I just disable Java, activate the firewall + a reverse firewall (in OSX Little Snitch, for example), and I scan for viruses files downloaded from untrusted sources (but I never have it running in the background). In Windows, if you do not regularly tweak your system to enforce security, run an antivirus on the background, etc. you will end up with some kind of spyware/malware etc. almost for sure.
sr. member
Activity: 279
Merit: 250
There should be a better solution then stop using Windows, how else are non technical people gonna adapt Bitcoin?

I work with non technical people and I convinced them to leave windows for good 4/5 years ago. Most of them went to OSX and bought macbooks, a couple of them chose Linux (specifically Ubuntu and Linux Mint, which I'd say are even easier to use than Windows). All of them say they would NEVER go back to Windoze.

Well good luck convincing the rest of the world, that a couple people started using Linux doesn't change the fact the majority of the world doesn't use it.

We need a save way to use it on Windows, that's a fact. I think the best way is to educate them to use some kind of 2 factor authorization (ie. password + mobile phone), that should keep most wallets save.

The majority of users only use a browser and using Chrome or Firefox on a Linux box is no different than on Windows. 260 BTC lost is a good reason to consider making a few changes. Lots of money is lost to thieves  from malware compromised Windows machines, but the banks and CC companies will replace your stolen funds. If someday bitcoins become mainstream and a common medium of exchange, simular protection are surely to be put in place. Until that day arrives it may be prudent to take some precautions.
full member
Activity: 131
Merit: 100
Still trying to figure out how the thief accessed account if you had google authenticator activated?
m19
full member
Activity: 186
Merit: 100
There should be a better solution then stop using Windows, how else are non technical people gonna adapt Bitcoin?

I work with non technical people and I convinced them to leave windows for good 4/5 years ago. Most of them went to OSX and bought macbooks, a couple of them chose Linux (specifically Ubuntu and Linux Mint, which I'd say are even easier to use than Windows). All of them say they would NEVER go back to Windoze.

Well good luck convincing the rest of the world, that a couple people started using Linux doesn't change the fact the majority of the world doesn't use it.

We need a save way to use it on Windows, that's a fact. I think the best way is to educate them to use some kind of 2 factor authorization (ie. password + mobile phone), that should keep most wallets save.
legendary
Activity: 1148
Merit: 1018
There should be a better solution then stop using Windows, how else are non technical people gonna adapt Bitcoin?

I work with non technical people and I convinced them to leave windows for good 4/5 years ago. Most of them went to OSX and bought macbooks, a couple of them chose Linux (specifically Ubuntu and Linux Mint, which I'd say are even easier to use than Windows). All of them say they would NEVER go back to Windoze.
m19
full member
Activity: 186
Merit: 100
There should be a better solution then stop using Windows, how else are non technical people gonna adapt Bitcoin?
sr. member
Activity: 279
Merit: 250
I am sorry for your loss. Most people here learn how to secure and backup their bitcoins the hard way. I am sorry that your loss is relatively a big one. But from now on it will only get better if you decided to learn.

- Stop using Windows operating system.
- Stop using closed sourced or untrusted sourced software.
- Stop being ignorant to healthy security practices.

What I found really helpful if you still don't want to do all the above in your daily routines, Do them at least in a dedicated device for your bitcoins. I suggest a small netbook. I think I should start a thread for that....

I agree with the advice given here. A cheap desktop or notebook running some flavor of Linux. Use it only for Bitcoin transaction and management. Windows is a malware magnet. A dual boot on a pc would work as well. I use Manjaro with is a arch linux distro, small footprint and very fast and secure. I use it in virtualbox vm and its offline unliess Im doing bitcoin stuff, I dont browse or use if for anything else, just to access my bitfunder acct and to move funds into. However I doint have that much to worry about.
hero member
Activity: 924
Merit: 1001
Unlimited Free Crypto
I am sorry for your loss. Most people here learn how to secure and backup their bitcoins the hard way. I am sorry that your loss is relatively a big one. But from now on it will only get better if you decided to learn.

- Stop using Windows operating system.
- Stop using closed sourced or untrusted sourced software.
- Stop being ignorant to healthy security practices.

What I found really helpful if you still don't want to do all the above in your daily routines, Do them at least in a dedicated device for your bitcoins. I suggest a small netbook. I think I should start a thread for that....
legendary
Activity: 1050
Merit: 1002
Obviously my message has the SARCASM tag missing Wink

Sorry I missed that  Cheesy

I thought it seemed strange.
hero member
Activity: 715
Merit: 500
Bitcoin Venezuela
Don't use Windows...
Which is absurd. What chance does bitcoin have if people can't use it on their home PC for fear of theft?

Online wallets and clients need 2FA and maybe online banking style "enter letters 3, 5 and 7 from your password" to help improve security.

For anyone moving coins around - buying and selling, day trading, etc - paper wallets or offline storage really isn't practical.

Yeah, there are a lot of idiots running the TOR project who recommend to stay away from Windows too http://threatpost.com/tor-urges-users-to-leave-windows

They are not idiots. Staying away from Windows is prudent advice for anyone, especially types interested in Tor. There are several reasons. Even apart from software vulnerability Microsoft has been shown willing to work with the NSA. There were hidden NSA labelled keys found in the operating systems starting from Windows 95, the purpose of which is unknown.

Obviously my message has the SARCASM tag missing Wink
legendary
Activity: 2338
Merit: 2106
watching
legendary
Activity: 1050
Merit: 1002
I agree with the notion that using an Android phone is a flawed solution, but then all "solutions" to this are flawed...
How is the Trezor solution flawed?
Here's a video
[OHM2013] Trezor Bitcoin Hardware Wallet

I've watched the Trezor video at their website and also the talk given at the Bitcoin 2013 Conference. The video you linked is 45 minutes long, but I doubt it will specify the Trezor is a flawed solution. Does it?
hero member
Activity: 743
Merit: 500
I agree with the notion that using an Android phone is a flawed solution, but then all "solutions" to this are flawed...
How is the Trezor solution flawed?
Here's a video
[OHM2013] Trezor Bitcoin Hardware Wallet
hero member
Activity: 815
Merit: 1000
Your post is mostly correct except there is no "trial and error" about it.  If the same random value is used in the creation of two different signatures then the private key can be directly and immediately calculated from the information publicly available in the block chain.

Hmm I suppose you can see if two Rs are the same right away yes.

Quote
To say that r is "not a random number" because it is derived from a random number is silly.  The mod of the x coordinate of k*G of a random number k is a random number.
The private key is also a random number, but the public key derives from it, so is the public key a random number? No it is not.

Saying r is random is confusing people.
Pages:
Jump to: