Pages:
Author

Topic: Reused R values again - page 11. (Read 121295 times)

hero member
Activity: 935
Merit: 1002
December 15, 2014, 08:22:52 AM
If someone is interested to host a 50 MB file (100 MB uncompressed), I can publish it. I also have the corresponding private keys / k values, but I want to keep those secret for now.   The R value list may be useful to check if I found all compromised addresses.
50MB and not GB? That is not so much just upload it here https://www.sendspace.com/ The max you can upload there is 300MB so a 50MB file is good.
full member
Activity: 217
Merit: 259
December 15, 2014, 07:42:59 AM
I omitted most of the important details of how to do the attack (e.g. how the RNG works, how you get the private key) and don't publish my scripts, so this step by step instruction won't help much  Grin

I have a list of the first million public keys/R values the random number generator can generate.  I think I have spotted every weak transaction now.  If someone is interested to host a 50 MB file (100 MB uncompressed), I can publish it. I also have the corresponding private keys / k values, but I want to keep those secret for now.   The R value list may be useful to check if I found all compromised addresses.

There are still weak transactions. Please, clear your browser cache.

http://btc.blockr.io/tx/info/afcb94f22ceee047fc2b59a55b452e5f9e2bcd697fa2a4056d5ac176020a960c
http://btc.blockr.io/tx/info/549cf7a5a11e7a50ccc634f2edcbcbcbc244a4a42de9f946d3c6a32ced27e6f2
http://btc.blockr.io/tx/info/3f79c9b06d46fbbc3ba6c3fdd0512beeb2e928818cdb7d83035b2575458f55ae

And there are some recent transactions paying to a weak key.



At last, regarding the pronunciation of my nick (since someone asked):  In IPA it is ['joːhø].  It sounds something like English yo-ho.
member
Activity: 116
Merit: 10
December 15, 2014, 07:30:38 AM
Quote from: johoe
Unfortunately my ssh session timed out and took my script with it  Angry
Have to run it again, it will probably find some more keys.

Try using screen:

screen -dmS sessionname to start a new session (disconnected)
screen -ls to list sessions
screen -r id to reconnect
ctrl+a d to disconnect
exit to ...exit!

If your connection craps out the screen will keep alive. You can even start a session on one PC then disconnect and reconnect to it from another.
legendary
Activity: 1106
Merit: 1026
December 15, 2014, 07:13:23 AM
I have to try if it works if the wallet was not rescanned.  If yes, this may be what  I need.

It should work fine for any unspent output.

The other question is how far should I spend the dust?  If the transaction fee goes to 90 % it does not really matter that we saved the money.  On the other hand, letting them lay around in the block chain for all eternity doesn't help either.

Redeeming dust is always to prefer imho. I guess you were referring to the case where, say for example, there is an output close to the dust threshold, which you could move once, but then there would be not enough coins left to move them again, if it were a single transaction where the fee is subtracted from the dust. In this case I'd try to bundle them. It's usually also possible to get away with somewhat lower-than-usual fees at the cost of a moderate confirmation delay. In fact, last time I checked, about three months ago, the average confirmation delay of a sample of 2170 transactions with a size of about ~600+ byte each, with an attached fee of only 0.00001 BTC, was only 20:15 minutes.

What OS are you using?

Other people are going to start sweeping wallets.

This thread is pretty much a step to step guide on how to do it now.

I was thinking something similar, but on the other hand: once it was "out" that there are some transactions which can be sweeped, it was already too late, so to speak. And not only once it was mentioned people are doing this already. If I had to decide between trying to keep all this secret or a public database of endangered transactions, I'd choose the later - for the sake of awareness. Imho it is a bit similar to the chaos related to transaction malleability, which was "known for ages", but it still required a major incident to raise enough awareness to make users and service providers start to care about on a broader level.
full member
Activity: 168
Merit: 103
December 15, 2014, 06:12:35 AM
Other people are going to start sweeping wallets.

This thread is pretty much a step to step guide on how to do it now.

 Roll Eyes

This has been done before, and it is obvious how to do it. It still requires a lot of skill and work to execute and you have to find the weak addresses in the first place.

EDIT: And by the way: Any wallet service which does not implement RFC6979 soon, is doomed anyway. This kind of bugs will always come up, especially if you run the crypto in a web browser.
legendary
Activity: 3556
Merit: 9709
#1 VIP Crypto Casino
December 15, 2014, 05:25:58 AM
Other people are going to start sweeping wallets.

This thread is pretty much a step to step guide on how to do it now.

 Roll Eyes
full member
Activity: 217
Merit: 259
December 15, 2014, 04:55:56 AM

Can you rephrase your questions and tell me what you intend to do and then how you do it right now?

Let's skip the part about how you get the information about endangered coins, but I assume you have a list of endangered outputs and you are looking for a handy way to check, if they are already spent. Is that correct?

I basically have a list of private keys.   I also imported them in bitcoind.  However without rescanning the wallet (this takes several hours now).

I have my own script that scans the block chain and searches for transactions paying to any of these keys (it also detects multisigs and p2sh but not p2sh to multisigs).  If it finds a transaction spending the output it removes it.  In the end I have a list of UTXO for all private keys.  However, this is based on the confirmed transactions only.

What I then do is to get the 10 or 20 most valuable UTXOs and build a transaction for them.  I sign it and send it to the network.  The problem is that sometimes this doesn't work.  Possible causes:
  • one of the inputs is already spent by an unconfirmed transaction
  • one of the inputs is a coinbase output and doesn't have 100 confirmations.

I mark coinbase outputs in my list so I can avoid them.  However the spent transactions are not so easy to avoid.  The effect can be that signing return "incomplete" or sending gives a strange error message.  In either case I don't know which input the culprit is.  Usually I have to check each input manually to see if there is an unconfirmed spent on it.

Quote
You may use:

Code:
$ bitcoin-cli help gettxout
gettxout "txid" n ( includemempool )

Returns details about an unspent transaction output.

I have to try if it works if the wallet was not rescanned.  If yes, this may be what  I need.

Quote
How do you sweep coins? What do you need to be more efficient? Do you have, besides a list of endangered transactions as I assume, also the associated private keys? Would it help to have a script to autosweep coins based on a list of transactions and private keys?
I think what I need is to make this fully automatic.  Take the list of all UTXOs, decide which ones can be spend and then spend them all in one or two larger transactions.  Of course, spent outputs by unconfirmed transactions are not well-defined and may differ from node to node.

The other question is how far should I spend the dust?  If the transaction fee goes to 90 % it does not really matter that we saved the money.  On the other hand, letting them lay around in the block chain for all eternity doesn't help either.  One could also try to suck them in with some high-priority free transactions.
legendary
Activity: 1106
Merit: 1026
December 15, 2014, 03:40:22 AM
I may give more details on the rng later.  At the moment there is still too much money lying around.

Does anyone know how to check if there is an unconfirmed transaction trying to spend an output?
Do I have to use bitcoin-cli listtransactions and then dump each transaction to check which output was spent?

The wallet operations on bitcoind are so slow when you have 1400 private keys imported.

I hate that signtransaction or sendtransaction don't tell me which input it is that I shouldn't spend Roll Eyes.

Can you rephrase your questions and tell me what you intend to do and then how you do it right now?

Let's skip the part about how you get the information about endangered coins, but I assume you have a list of endangered outputs and you are looking for a handy way to check, if they are already spent. Is that correct?

You may use:

Code:
$ bitcoin-cli help gettxout
gettxout "txid" n ( includemempool )

Returns details about an unspent transaction output.

Arguments:
1. "txid"          (string, required) The transaction id
2. n               (numeric, required) vout value
3. includemempool  (boolean, optional) Whether to included the mem pool

It returns something, if an output is unspent and nothing or empty otherwise. It can only be used to test, if an output is unspent, but not, if an output is spent. Out of range values, invalid transaction hashes, ... are accepted input and result in "nothing" as well. As per default unconfirmed transactions are checked.

Checking an unspent output on mainnet:

Code:
$ bitcoin-cli gettxout ee0e927dc8a0523ca7892e36fb0dbc0dac3b75bdc17903150676fdc604da6628 2
{
  "bestblock": "00000000000000001060e25a1d458ab361863d9f3d5c95481c6caadd40190abc",
  "confirmations": 42629,
  ...
}
$

Checking a spent output on mainnet:

Code:
$ bitcoin-cli gettxout ee0e927dc8a0523ca7892e36fb0dbc0dac3b75bdc17903150676fdc604da6628 3
$

This transaction is few thousand blocks deep, but it should also work for in-mempool transactions.

How do you sweep coins? What do you need to be more efficient? Do you have, besides a list of endangered transactions as I assume, also the associated private keys? Would it help to have a script to autosweep coins based on a list of transactions and private keys?
legendary
Activity: 1974
Merit: 1029
December 15, 2014, 03:28:39 AM
Unfortunately my ssh session timed out and took my script with it  Angry

try 'screen' command (gnu screen)

keeps your shit running even if you connection goes down.

Then try mosh. Your connection won't go down. Even if your IP changes.
full member
Activity: 130
Merit: 100
December 15, 2014, 02:07:02 AM
Johoe, you just swept my keys!!!

Thank god your doing the right thing, you are my f*cking hero.

(will PM my address for further verification)

Yes he swept mine too and just emailed blockchain about it.  But yes Johoe is a great guy...tough to find those in this world most of the time.
donator
Activity: 2772
Merit: 1019
December 15, 2014, 01:53:13 AM
Another 500 keys cracked  Grin

I have computed more random values, but still have not captured all.
Unfortunately my ssh session timed out and took my script with it  Angry
Have to run it again, it will probably find some more keys.

try 'screen' command (gnu screen)

keeps your shit running even if you connection goes down. You can connect again with 'screen -x'
full member
Activity: 147
Merit: 100
December 14, 2014, 11:35:48 PM
Johoe, you just swept my keys!!!

Thank god your doing the right thing, you are my f*cking hero.

(will PM my address for further verification)
legendary
Activity: 2492
Merit: 1473
LEALANA Bitcoin Grim Reaper
December 14, 2014, 11:13:02 PM
I think it'd be a good idea not to explain in any detail no matter how minor the process that allows you to get these private keys etc.

People with different intentions are going to learn how to do it.

True. A fix needs to be implemented soon so that other malicious bystanders do not gain access to his method(s) and wreak havoc.
legendary
Activity: 2492
Merit: 1473
LEALANA Bitcoin Grim Reaper
December 14, 2014, 11:10:33 PM
@johoe,

I'll send you one of my brass coins (unloaded) to you for free.

PM me or email me your shipping information and I'll send it your way.

[email protected]

thanks for being honest! It is refreshing to have that around here.  Smiley
member
Activity: 68
Merit: 10
December 14, 2014, 10:55:12 PM
As always I plan to return it to bc.i and you can contact their support to get your refund.

I've had 1+btc "sweeped" into your account, and have requested to get it returned from Blockchain.info - this is their response:
    
Quote
Mandrik (Blockchain)
Dec 14 20:11

Thank you for this information. We require further investigation into this matter, which means we need to verify that this address was generated in your wallet. Unfortunately we can only do this with the wallet identifier + password. Please provide this information along with the total amount removed from the other address.

Be sure to *NEVER* use the compromised bitcoin address again. You should also generate a new wallet at https://www.blockchain.info/wallet/new, and never use the other wallet again, since you'll be sharing the password information with us.

This looks like the stupidest idea ever to me - to send them my identifier and password over email (I have other bitcoin in other wallets inside that account... not for long..)

I'm pretty shocked that this is their approach to helping me to SECURE my bitcoin? Is this even allowed / legit?



I guess you'd move your funds away from all other addresses generated in this wallet first. You will have to abandon this account anyway.

If you're still afraid of signing transactions with blockchain.info, you may sign these transactions offline with other clients like Electrum.
legendary
Activity: 1288
Merit: 1227
Away on an extended break
December 14, 2014, 10:23:20 PM
As always I plan to return it to bc.i and you can contact their support to get your refund.

I've had 1+btc "sweeped" into your account, and have requested to get it returned from Blockchain.info - this is their response:
    
Quote
Mandrik (Blockchain)
Dec 14 20:11

Thank you for this information. We require further investigation into this matter, which means we need to verify that this address was generated in your wallet. Unfortunately we can only do this with the wallet identifier + password. Please provide this information along with the total amount removed from the other address.

Be sure to *NEVER* use the compromised bitcoin address again. You should also generate a new wallet at https://www.blockchain.info/wallet/new, and never use the other wallet again, since you'll be sharing the password information with us.

This looks like the stupidest idea ever to me - to send them my identifier and password over email (I have other bitcoin in other wallets inside that account... not for long..)

I'm pretty shocked that this is their approach to helping me to SECURE my bitcoin? Is this even allowed / legit?

Are you sure this was sent by blockchain.info not some other scammer?
sr. member
Activity: 337
Merit: 250
December 14, 2014, 08:18:24 PM
As always I plan to return it to bc.i and you can contact their support to get your refund.

I've had 1+btc "sweeped" into your account, and have requested to get it returned from Blockchain.info - this is their response:
    
Quote
Mandrik (Blockchain)
Dec 14 20:11

Thank you for this information. We require further investigation into this matter, which means we need to verify that this address was generated in your wallet. Unfortunately we can only do this with the wallet identifier + password. Please provide this information along with the total amount removed from the other address.

Be sure to *NEVER* use the compromised bitcoin address again. You should also generate a new wallet at https://www.blockchain.info/wallet/new, and never use the other wallet again, since you'll be sharing the password information with us.

This looks like the stupidest idea ever to me - to send them my identifier and password over email (I have other bitcoin in other wallets inside that account... not for long..)

I'm pretty shocked that this is their approach to helping me to SECURE my bitcoin? Is this even allowed / legit?
legendary
Activity: 1246
Merit: 1002
December 14, 2014, 07:23:01 PM
Do I have to use bitcoin-cli listtransactions and then dump each transaction to check which output was spent?

The wallet operations on bitcoind are so slow when you have 1400 private keys imported.

As I understand there's a new feature which will be introduced into bitcoind 0.10.0 to work with addresses without importing private keys (watch-only):
https://github.com/bitcoin/bitcoin/pull/4045
It should give you what you want with 'listtransactions', and should be working already in 0.10 branch in github, if you feel like working with it.


I'm confused here.

I have been using the reference (Satoshi) client, both the graphic version and the daemon version.  I did not check before posting, but I am pretty sure that I have used watch only addresses for a year or two.

hero member
Activity: 910
Merit: 1003
December 14, 2014, 06:49:11 PM
I feel like Sisyphos.  You think you swiped everything but in the mean time someone else sends you new money...
You need Bitcoin forwarder service, upload private keys and it forwards funds the moment it sees them on the blockchain. Since it doesn't exist, you'll have to write your own Wink

If there was a forwarding option in the protocol, the first thing a black hat hacker would do is to sweep the coins, the second thing would be to set up forwarding to his address (and set it again every time the original owner tries to reset it).
legendary
Activity: 3556
Merit: 9709
#1 VIP Crypto Casino
December 14, 2014, 06:43:16 PM
I think it'd be a good idea not to explain in any detail no matter how minor the process that allows you to get these private keys etc.

People with different intentions are going to learn how to do it.
Pages:
Jump to: