
Topic: my wallets were stolen just now, can any one help me? - page 4. (Read 12204 times)

legendary
Activity: 1050
Merit: 1002
I agree with the notion that using an Android phone is a flawed solution, but then all "solutions" to this are flawed...

How is the Trezor solution flawed?

Storing 50K on your phone is unwise, but frankly I wouldn't trust that much to a Trezor either

What problem do you imagine there?

, or even a laptop with Armory;

You buy a cheap dedicated laptop and cleanly install an OS. Go to bitcoin.org and download Bitcoin-Qt. Go to bitcoinarmory.com and download Armory. Disconnect it permanently from the Internet. Proceed to use Armory for paper backups, storing and spending coins.

What problem do you imagine?

Quote
Blockchain.info should be used as a convenient spending wallet, not storage wallet.

I disagree. While I think it's true no one should use it for savings and storage, I see no reason to use it at all any more, even for spending, if it's at all possible to avoid doing so. If you have a home computer, there are good clients available to use.

What happens if you're away from home? Blockchain.info can give users similar access to spending bitcoins as online email services give users for accessing email, which is access anywhere in the world. Keeping a few hundred dollars worth of spending money in a Blockchain.info wallet seems very convenient and low risk to me.
legendary
Activity: 980
Merit: 1004
Firstbits: Compromised. Thanks, Android!
For the cost of a (plastic) Trezor, one can purchase a cheap Android smartphone, install cyanogenmod if desired, then install Mycelium. While this arrangement has flaws compared to a Trezor, it also has advantages, and it's certainly good enough to produce paper wallets, or to keep turned off as a cold storage medium for modest funds. Anyone who has a lot of bitcoins should currently be using a paper or other cold-storage wallet, but if that's too cumbersome, at least they can go the dedicated-smartphone route rather than keep their bitcoins on a web wallet while waiting for Trezor.

No, I don't like that idea. The problem is Android is still an operating system and therefore vulnerable to malware. It also wasn't built with Bitcoin in mind. You tell people it's safe for them to use as cold storage for 50K then the recent Android bug with random number generation can wipe them out. The Trezor is designed for security and Bitcoin specifically so it's far more unlikely to have such a glaring software flaw.

If people are storing substantial coins then they shouldn't mind spending either the time or money necessary to ensure their coins are safe. For about the same cost they can buy a simple dedicated laptop to use with Armory and be assured their coins are safe, including easy paper wallet backups.

I agree with the notion that using an Android phone is a flawed solution, but then all "solutions" to this are flawed, and the least-flawed solution remains paper wallets. Storing 50K on your phone is unwise, but frankly I wouldn't trust that much to a Trezor either, or even a laptop with Armory; physical and inert media seems to be the only method with a low enough risk.

Android/Mycelium has its own advantages the other solutions do not. So does laptop/Armory. And so does Trezor. Unfortunately, Trezor isn't out yet, and as far as Mycelium vs. Armory, I'm not convinced bitcoins sitting on a dedicated smartphone are significantly less safe than bitcoins sitting on a laptop with Armory, especially after the difficulty of setup and use is factored in. Still, I completely understand those taking a different stance. (And hey, one could always hedge their bets and do both.)

I think we at least agree that paper wallets remain the most secure storage method for now.


Quote
Blockchain.info should be used as a convenient spending wallet, not storage wallet.

I disagree. While I think it's true no one should use it for savings and storage, I see no reason to use it at all any more, even for spending, if it's at all possible to avoid doing so. If you have a home computer, there are good clients available to use. If you have an Android smartphone, the same is true (I just think one happens to be better.) If someone cannot learn to use one of those clients to spend bitcoins, or cannot afford to do so, or just finds them too inconvenient, then I would question whether they should be using bitcoins in the first place. Maybe next year, or a couple of years from now, but not at this point, sadly.
legendary
Activity: 1050
Merit: 1002
The problem is Android is still an operating system and therefore vulnerable to malware. It also wasn't built with Bitcoin in mind. You tell people it's safe for them to use as cold storage for 50K then the recent Android bug with random number generation can wipe them out. The Trezor is designed for security and Bitcoin specifically so it's far more unlikely to have such a glaring software flaw.

AFAIK the Trezor has got no RNG at all. It is seeded with randomness by the host that it is connected to.

Well, it uses a mnemonic code of 12 words for the seed:

http://www.bitcointrezor.com/faq/#software-design-security

It generates this when the device is first initialized after plugging it into a computer, so yes I think it would grab some randomness from there. At least I hope so. It would then probably use that to randomly choose from an internal dictionary of words.

Don't use Windows...
Which is absurd. What chance does bitcoin have if people can't use it on their home PC for fear of theft?

Online wallets and clients need 2FA and maybe online banking style "enter letters 3, 5 and 7 from your password" to help improve security.

For anyone moving coins around - buying and selling, day trading, etc - paper wallets or offline storage really isn't practical.

Yeah, there are a lot of idiots running the TOR project who recommend to stay away from Windows too http://threatpost.com/tor-urges-users-to-leave-windows

They are not idiots. Staying away from Windows is prudent advice for anyone, especially types interested in Tor. There are several reasons. Even apart from software vulnerability Microsoft has been shown willing to work with the NSA. There were hidden NSA labelled keys found in the operating systems starting from Windows 95, the purpose of which is unknown.
legendary
Activity: 2646
Merit: 1137
All paid signature campaigns should be banned.
I sure hope we can get to the bottom of this
I think they did.  See the link in post #57 above.
hero member
Activity: 715
Merit: 500
Bitcoin Venezuela
Don't use Windows...
Which is absurd. What chance does bitcoin have if people can't use it on their home PC for fear of theft?

Online wallets and clients need 2FA and maybe online banking style "enter letters 3, 5 and 7 from your password" to help improve security.

For anyone moving coins around - buying and selling, day trading, etc - paper wallets or offline storage really isn't practical.

Yeah, there are a lot of idiots running the TOR project who recommend to stay away from Windows too http://threatpost.com/tor-urges-users-to-leave-windows
sr. member
Activity: 420
Merit: 250
★☆★777Coin★☆★
 I sure hope we can get to the bottom of this
full member
Activity: 177
Merit: 101
It feels like android phones have the most secure random number generator even with the crippled 64 bits of entropy, compared to this case.
legendary
Activity: 2646
Merit: 1137
All paid signature campaigns should be banned.
GOOD NEWS (maybe).  If it can be shown that you lost your BTC due to a bug in the blockchain.info wallet it looks like you may get your BTC back from the owner of blockchain.info (nice guy).  See:  

https://bitcointalksearch.org/topic/blockchaininfo-security-funds-stolen-277595

Specifically this post:

Jesse James has informed me of a problem with the rng used by blockchain.info javascript clients being poorly seeded when initialised in a background webworker task. In some browsers this could lead to duplicate R values being used when signing transactions (Firefox is likely to be particularly vulnerable). This issue affects the transaction signing code only, not the generation of private keys.

Patches have now been deployed. Please ensure you upgrade to the latest version of your Blockchain.info client.

Chrome extension - v2.85
Firefox extension - v1.97
Mac client - v0.11

Users of the web interface should clear their browsers cache before next login.

Only a handful of addresses are known to be affected thus far. Likely if you have been affected by this problem your coins will have been taken already. All affected users will be refunded in full, please PM me or email [email protected].
legendary
Activity: 2646
Merit: 1137
All paid signature campaigns should be banned.
I believe you are also incorrect here, DeathAndTaxes. The signature part actually consists out of two numbers: r which is a random number, and s, which is actual signature. Normally, if you have two transactions, you have:

Your post is mostly correct in that by trial and error you can find the private key if transactions exist having used the same random number "k".

However it is incorrect to say "... the signature consists of the random number r ...", the number "r" is not random but a result of k*G. This k IS random and may not be revealed.
Your post is mostly correct except there is no "trial and error" about it.  If the same random value is used in the creation of two different signatures then the private key can be directly and immediately calculated from the information publicly available in the block chain.

See my post here for the technical details:  

https://bitcointalksearch.org/topic/m.2910339

To say that r is "not a random number" because it is derived from a random number is silly.  The mod of the x coordinate of k*G of a random number k is a random number.

BTW if anyone wants to calculate the private key the formula is:  private key = (z1*s2 - z2*s1)/(r*(s1-s2))

where r is the repeated random number.  Well, technically, the identical mod of the x coordinate of k*G of the repeated random number k.
legendary
Activity: 1148
Merit: 1018
Funny vanity address to which the funds were sent, quite a lot of stolen money in very few days: 1HackerRpwYH7F6uGu8422dScNxaHAtWYz (https://blockchain.info/address/1HackerRpwYH7F6uGu8422dScNxaHAtWYz)
legendary
Activity: 980
Merit: 1004
Firstbits: Compromised. Thanks, Android!
It seems that the web-based blockchain.info wallet was also affected by yet another problem with random number generation. This is likely to be what's happened to the OP. User piuk, who runs the site, has said in the technical thread that the problem has been fixed and that affected people will be refunded in full. See: https://bitcointalksearch.org/topic/m.2970668

Good catch.

Still... in the particular case of what happened to the OP, it wouldn't explain why the thief would leave change (with both addresses.)

I'm betting that something similar to the StrongCoin shuffle occurred: the thief didn't actually have access to the keys, but rather had the ability to manipulate the transaction before signing.
sr. member
Activity: 310
Merit: 253
It seems that the web-based blockchain.info wallet was also affected by yet another problem with random number generation. This is likely to be what's happened to the OP. User piuk, who runs the site, has said in the technical thread that the problem has been fixed and that affected people will be refunded in full. See: https://bitcointalksearch.org/topic/m.2970668
hero member
Activity: 483
Merit: 551
The problem is Android is still an operating system and therefore vulnerable to malware. It also wasn't built with Bitcoin in mind. You tell people it's safe for them to use as cold storage for 50K then the recent Android bug with random number generation can wipe them out. The Trezor is designed for security and Bitcoin specifically so it's far more unlikely to have such a glaring software flaw.

AFAIK the Trezor has got no RNG at all. It is seeded with randomness by the host that it is connected to.
sr. member
Activity: 275
Merit: 250
the only web wallet I would consider using as of today is inputs.io

legendary
Activity: 1092
Merit: 1001
Touchdown
Don't use Windows...
Which is absurd. What chance does bitcoin have if people can't use it on their home PC for fear of theft?

Online wallets and clients need 2FA and maybe online banking style "enter letters 3, 5 and 7 from your password" to help improve security.

For anyone moving coins around - buying and selling, day trading, etc - paper wallets or offline storage really isn't practical.
hero member
Activity: 715
Merit: 500
Bitcoin Venezuela
Don't use Windows...
hero member
Activity: 815
Merit: 1000
I believe you are also incorrect here, DeathAndTaxes. The signature part actually consists out of two numbers: r which is a random number, and s, which is actual signature. Normally, if you have two transactions, you have:

Your post is mostly correct in that by trial and error you can find the private key if transactions exist having used the same random number "k".

However it is incorrect to say "... the signature consists of the random number r ...", the number "r" is not random but a result of k*G. This k IS random and may not be revealed.


Also on topic:
BitAddress.org can be downloaded to an offline USB key with Ubuntu AND you can change the private key MANUALLY under the wallet details tab.

This means: No RNG attack whether accidental or malicious, no password cracking, no trojans, no corrupted .DAT files and so on.

(Seriously though this is messed up, my grandmother can't take care of this level of security...)
legendary
Activity: 1050
Merit: 1002
For the cost of a (plastic) Trezor, one can purchase a cheap Android smartphone, install cyanogenmod if desired, then install Mycelium. While this arrangement has flaws compared to a Trezor, it also has advantages, and it's certainly good enough to produce paper wallets, or to keep turned off as a cold storage medium for modest funds. Anyone who has a lot of bitcoins should currently be using a paper or other cold-storage wallet, but if that's too cumbersome, at least they can go the dedicated-smartphone route rather than keep their bitcoins on a web wallet while waiting for Trezor.

No, I don't like that idea. The problem is Android is still an operating system and therefore vulnerable to malware. It also wasn't built with Bitcoin in mind. You tell people it's safe for them to use as cold storage for 50K then the recent Android bug with random number generation can wipe them out. The Trezor is designed for security and Bitcoin specifically so it's far more unlikely to have such a glaring software flaw.

If people are storing substantial coins then they shouldn't mind spending either the time or money necessary to ensure their coins are safe. For about the same cost they can buy a simple dedicated laptop to use with Armory and be assured their coins are safe, including easy paper wallet backups.

Blockchain.info should be used as a convenient spending wallet, not storage wallet.
newbie
Activity: 40
Merit: 0
It would also be very helpful of the dice folks to provide some info in your assistance, given that it seems just about everywhere Bitcoin is valued as currency and a theft has occurred.

Not sure what the odds are tho.

Hi all - heartbroken to see this thread, and I do also see the offending address has played a lot on SD today.  Forwarding this on to our team to see what some logical steps might be; really appreciate you tipping me off in the thread that SD is involved.  By the way, I also run the Support email ([email protected]) - so anytime you know of any suspicious activity, alert me, I'm more than happy to help.  Want to keep the community safe and supported; that's first and foremost.

Thanks to all of you helping the victim track this down.

Kat at SatoshiDICE
sr. member
Activity: 322
Merit: 250
It would also be very helpful of the dice folks to provide some info in your assistance, given that it seems just about everywhere Bitcoin is valued as currency and a theft has occurred.

Not sure what the odds are tho.