Topic: New to Bitcoin got a few questions. (Read 393 times)

Okay that makes sense thank you.

Pretty much this, and not just in relation to hardware wallets. With a powerful enough electron microscope and enough time and knowledge, you can at present extract pretty much anything from any electronic device.

This particular attack vector was discussed at length a few months ago following this press release by Ledger, detailing vulnerabilities in Trezor devices (vulnerability 3 & 4): https://www.ledger.com/our-shared-security-responsibly-disclosing-competitor-vulnerabilities/

Trezor responded with this (issues 5 & 6): https://blog.trezor.io/our-response-to-ledgers-mitbitcoinexpo-findings-194f1b0a97d4

There's also a good reddit thread about it here with some input from Ledger's CTO: https://www.reddit.com/r/Bitcoin/comments/b00s6e/ledgers_team_has_found_multiple_vulnerabilities/eica5xu/

The TL;DR is this: With access to a powerful enough lab with sufficiently knowledgable lab technicians (or enough money to rent such a lab), any hardware wallet is potentially crackable, and your seed could be extracted from the device. This is not a simple or a quick process, so you should have time to move your funds if you notice your hardware wallet is missing. More importantly, this vector of attack is completely mitigated by using a strong passphrase. An attacker could still extract your seed, but without your passphrase they would not be able to access your coins. If you are worried about the physical security of your hardware wallet (of any brand), you should absolutely be using a passphrase.

I vaguely recall reading somewhere (possibly in the old Ledger Nano S FAQ) that secure elements are classified as "tamper resistant" and designed to make attacking them costly in terms of time/effort/$$$ etc.

Indeed... From the old Ledger FAQ (via the wayback machine):

And a more recent article by Ledger...

And also published reports like this one talking about (semi) invasive attacks against secure chips: https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-630.html

Given physical access to a device and enough time and money and resources, I'd expect almost anything is "vulnerable".

Is this an assumption or is there any source on this ?

The reason i am asking is because this would imply that a vulnerability would exist which allows to gain knowledge regarding the pin / seed.

I doubt that this is possible even with professional equipment (at least it shouldn't, otherwise the nano s is vulnerable and shouldn't be used IMO).
I can't really imagine which equipment could be used for that. Simply unsoldering it and trying to access the data can be done by anyone and shouldn't allow to access sensitive data.

If you mean, "if the device itself was stolen", then assuming you have setup a good PIN (and possibly a passphrase), then the chances of them being able to steal the funds from the Nano S without prior knowledge of those two pieces of information is pretty much zero. (Outside of very well equipped forensics labs with very expensive equipment etc, the sort of stuff you can't just go and buy at your local electronics store)

If you enter an incorrect PIN 3 times in a row, the device will wipe itself, so you can't just attempt to bruteforce... the addition of a passphrase makes it even more unlikely they'll be able to access your wallet... as it could literally be anything.

In any case, as long as the theft was discovered in a relatively timely manner, you should be able to recover from your 24 word seed mnemonic into another wallet/device and move the funds before the thief would be able to access them anyway.

  So to be clear... if it were to ever get stolen by someone they can't access my Wallet through my Ledger Nano S? Plus my Computer etc.

What is a hot wallet, your Leger wallet?
Don't let the terms confuse you. Your ledger device will be connected to the internet but security wise you have nothing to worry about. Your private keys never leave the 'safe spot' on your hardware wallet. Even when you send and sign transactions.

All you have to do is keep your 24 words seed phrase secure and make sure that it isn't saved on your computers or used online in any way.
Even when you use your Ledger together with Electrum you will not be asked to enter your seed.

Well.. security hole is a bit exaggerated.
The interface itself is not a vulnerability. But it poses as an additional attack surface.

I mean.. if there would be a vulnerability in the firmware which allows me to trigger a transaction without confirming the button, one might be able to abuse it by standing near the device, while a direct USB connection would be required without bluetooth available.

In both cases the vulnerability would be extremely dangerous. But bluetooth would make it even more serious because it could be exploited without even touching the device / a computer.


This is just a theoretical case on why bluetooth might be more dangerous in some circumstances given that a vulnerability exists. This doesn't mean that bluetooth itself is bad / vulnerable / etc.


However, i personally prefer a hardware wallet without an interface besides USB. More security doesn't hurt IMO.

Not only does it have more storage capacity but also allows user to connect with another device using Bluetooth. For some people, it is a clear security hole. If you don't intent to move your hardware wallet around and don't mind uninstalling apps (it's not a real issue if you are not interested in altcoins) then go for the older model.

Your explanation is a bit unclear, but assuming the seller only uses each address once, nobody else should use that address. That means any payment received on that address comes from you, so it's very easy to know who made the payment.

Be careful here: you should only buy hardware wallets through the official channels.

In blockchain.com wallet, when you click on the transaction and it shows all the details... you can click the "Transaction Confirmed ->" link on the right hand side (note, the link is the box with arrow):


Clicking that little blue square with the arrow will take to you something like this page: https://www.blockchain.com/btc/tx/1a700c1d3cd6a12d145513d1c2e6f2214a6631c22859de50256a2b21858d20f3


The long string of numbers/characters at the top is your TransactionID (it should also be shown in the Browsers URL address bar)

I think I explained this wrong a little here... I did not mean to ask about the I.D. Login Address meant for Me only but the Sending Address to the Person which I wrote an example of what I think I need to do just using a receiving Address Information from Coinmama.com


"How will you know that it was Me who sent the Bitcoin. What details should I provide besides the product I ordered and the amount of money and Bitcoin I sent and what time I sent it? Is there anything else I can do to make sure you can confirm my purchase which I plan to make either today or tomorrow." the Email Reply was "You can Send us your Bitcoin Transaction I.D."


  This is the question I asked the person who said I can just Send Him the "Bitcoin Transaction I.D." right now I am simply using www.blockchain.com "Online Web Wallet" or whatever the exact Name I repeatedly get quoted on Calling it "This or that" you all have your personal definition of a "Hot Wallet" but from what I understand unless it is a "Cold Wallet" like a Computer Offline before someones explains the obvious of what a "Cold Wallet" is which I read and tried creating an Electrum Account and now I got Money I can't get out of that damn Account because it has a new BC1 Receive Address and I assume Sending Address.


  Point is I am planning to Buy a Ledger Nano S instead of the X as what someone Posted in a thread somewhere it's just "storage capacity is bigger for the Ledger Nano X". Hence it is more expensive and it's made partially of Glass or something and prone to breaking if it falls". Point I am trying to make is if it Connects to the Internet it is a "HOT Wallet" whether it is a "Online Desktop/Web Account Wallet" unless it is a "Cold Wallet" on a Computer with an Electrum Wallet Installed on a Computer not ever used Online etc. etc. so I figured instead of going through all that hassle it would probably be easier and less of a problem to


  That all being said I went onto my Blockchain.com Online Web Wallet Account and all it says is after I clicked on the Received address it gave Me the details which is from Coinmama.com do I just Copy and Paste this Information but for the Sent Address when I go Send the Bitcoin Payment to my Receiving Bitcoin User for my purchase I am planning to make?



Received
June 2 2019 @ 3:12 AM
To: My Bitcoin Wallet
From: 38f8RHFQ8v6avZqCmaYTga5bTYiuhoM6fh
$97.11
0.00880567 BTC
Description
Add a description
Value When Received
$75.65
Sent From
38f8RHFQ8v6avZqCmaYTga5bTYiuhoM6fh
3F5wzneCAdeES1duGGoNtEC7S5vK69HBDS
38f8RHFQ8v6avZqCmaYTga5bTYiuhoM6fh
38f8RHFQ8v6avZqCmaYTga5bTYiuhoM6fh
38f8RHFQ8v6avZqCmaYTga5bTYiuhoM6fh
38f8RHFQ8v6avZqCmaYTga5bTYiuhoM6fh
38f8RHFQ8v6avZqCmaYTga5bTYiuhoM6fh
3C6E4UPwUX26DtcELV4LgENtd9FN6RfQoH
Received By
32DJCZt7CnXWV19ijWNdwMjETrmuPXzqzZ
1NY39q2yX9gZH5dfN42MGVx6Nkn2vQPYHR
3BwTJcBWqZb16JAASDTBDEkUrm8UzH25ZL
38Rz2F8YPB55To33j3ff976KfpdLTaJsKK
15MWGUcxn5DtB5f2RBUbKhbFgwu6oWsxeX
1J6drWL1mgdziJFJczoNjdgEXMTC7deTGN
1EocQExyvF61xLmzTsDJKmEAcy1Wgje5Wf
3JXW2jmPBJqyeeJgwXJayzCNmRe51k9Vov
1164qogHGjsq8PDaR6AQ3oJcXxo4R65JpD
34LcEKqbhdfBSHWt6S1MmpcbVDESaAZogc
114VjK4qMRiovrinhx8zUZFmnzMeKzooC8
3LwxHgJRuG2Cw8FSD16ZDvr3KHoob7dVqa
1PYmSzRP29dUiauNJZ3Ck28qFhxf52j9zq
1Jrd1cXPGDvhfMgf5kJ2vFGW2wrMXUQaPJ
1KjvVMEhAzf5WAVNqfrffZQHhhWU8zupCZ
1K7Ek7d2AXMP6uczhXKnyHcdk1qqFNFVUc
Status
Transaction Confirmed



  If anyone can help Me figure this out and once I figure out how the "Merit Points System" works I will be sure to Send you a Merit Point not sure how much that means to anyone that offers Me help incentive to do so but I am stuck in a between a rock and a hard place right now. I was very tired when I typed the OP... I am currently working the "Night Shifts" and sleeping very few Hours in the Day so I am barely home and when I am I can barely think.

And don't worry about giving someone the transaction ID if he asks. The transaction ID does not contain any information that could lead to you losing your bitcoins. It contains information about transactions and addresses and it's all publicly available on blockchain explorers.   

Which wallet are you using? If you're using a desktop wallet such as Bitcoin core or Electrum, a right or double click on the transaction should open you a window, giving you the TXID and other info.

You can also search for your sending in a blockexplorer like Blockchain.com/explorer, and then see your previous transaction, the text in yellow here represent the TXID.

No. The transaction ID is a alphanumberical string which is 64 characters long. The transaction ID is unique to every transaction and it should appear in with the details of your transaction in your wallet.

You can also use your address to get your transaction ID by going to a block explorer and searching for your address. You should be able to see the transaction that you've sent, along with the transaction ID.

I got a person asking Me for my "You can give us the Bitcoin transaction ID" and I am New to Bitcoin Transactions so does this mean the Sending Wallet Address I used to Send the Bitcoin.