Pages:
Author

Topic: Transferring BTC from Electrum That Has Not Been Updated? (Read 356 times)

legendary
Activity: 2758
Merit: 6830
Thanks.  So if you click okay, is that the same as clicking the x?  Thus only way to download it is by clicking on that link right?
Yes. You would need to click the link, download the file and run it to risk your coins.

Electrum only sees that as a error message and there is no way the hacker can pass “actions”, like opening a link, downloading a file or running a command in your wallet/PC.
full member
Activity: 1750
Merit: 186
Thanks.  So if you click okay, is that the same as clicking the x?  Thus only way to download it is by clicking on that link right?
copper member
Activity: 2856
Merit: 3071
https://bit.ly/387FXHi lightning theory
First result from Google was this one.


There's an x a help and an OK.
full member
Activity: 1750
Merit: 186
Is there a picture that someone took of how the message looks like?  I saw another thread where someone showed a picture of it but it only shows like an okay to click on and no X on the top corner?


Also because i still have not claimed my btc cash and gold yet... would you say its probably better idea to claim those first... and then send the rest of the btc from my electrum to hardware wallet?  I ask this because if you do download that software, wouldn't that mean any btc cash or gold that you have and didn't claim, a hacker could claim that as well?  Also does anyone know if those ppl who downloaded the fake electrum from that message, did it infect their entire computer such as if they use a password program like lastpass or keepass, it infected that as well so all your password and accounts from a password manager is now infected?  Or its only the electrum? 


legendary
Activity: 2030
Merit: 1569
CLEAN non GPL infringing code made in Rust lang
Hey all.  So just to confirm.  Would it just be fine right now if i open electrum 3.0.5 as is and then try to send the remaining btc i have in my wallet to somewhere else?  But if i get that message, then i close it.  Then i close electrum.  Then go to the official electrum site and download electrum? 

Right now i just want to get any btc i have in electrum out of it and do not want to use it until later on when there is very little concerns on it.

Also the message that does pop up if it gives you that message, is it a link where if you click on it, it automatically downloads it?  So if you click on it by accident, could you still immediately cancel the download or once you click on that link, that is it?  Or do you have to download it fully and also go through the installation process?

You will be fine sending from the old version. If you connect to a fake server, when you try send the funds you get a scary message telling you to upgrade, go to electrumfakeserver yadda. Just ignore it; change the server to a legit one and try again.

In a legit server, you also get another scary message telling you to upgrade because your Electrum is "vulnerable" but the broadcast was successful (sigh). Ignore that too, you are done.
copper member
Activity: 2856
Merit: 3071
https://bit.ly/387FXHi lightning theory
fronti, it is true that we need to trust to companies like Trezor or Ledger, but so far they have proved to have a good product for keeping our private keys safe. Phishing and hardware wallets, hm? Where you get that theory?

Hardware alone isnt great... Unless you pick it up from ledger hq or trezor hq there is always a risk you don't have a genuine device. Multisig with other devices (even another online one is preferable). The chances of a mail carrier hijacking are low in developed countries but high on less developed ones and not all post comes in as good a condition as it was promised. Some parcels that come through customs have suspicious appearances sometimes that makes them look like they've been opened.

A hardware wallet is greatly beneficial in a lot of cases but shouldn't wholly be relied upon.
legendary
Activity: 3234
Merit: 5637
Blackjack.fun-Free Raffle-Join&Win $50🎲
fronti, it is true that we need to trust to companies like Trezor or Ledger, but so far they have proved to have a good product for keeping our private keys safe. Phishing and hardware wallets, hm? Where you get that theory?

Private keys never leave hardware wallet, and you can use Electrum as UI, or Ledger Live for Nano S - phishing is dangerous for online wallet/exchanges. For clipboard malware which can change your address Ledger is implemented checking of sending address/receiving address, so if you enough careful there is no way that malware can trick you.

Nothing is not 100% safe, but I always look for the best possible option.
legendary
Activity: 2912
Merit: 1309
Hardware wallets are a logical choice, for 60-70$ you can get much better security then with most desktop wallets.

but you need to trust the hardware wallet vendors.
Also if you use a hardware wallet there are still phishing possibilities.
For example change a shown btc address on a website

Security is never easy!
legendary
Activity: 3234
Merit: 5637
Blackjack.fun-Free Raffle-Join&Win $50🎲
so to use electrum i have to trust other softwares?

Exactly, only way to be 100% sure that you download correct file is to verify that file, and for that you need some tool/software. But you have possibility to check that software integrity in the way that it is described in post by pooya87.

You do not need to install Electrum first to verify it, it is actually the opposite procedure - you need to verify Electrum files which you download before installation, because otherwise the whole procedure does not make sense.

Electrum is easy to use light desktop wallet, but as you can see it is not 100% safe, especially for inexperienced users. Does this mean that you should stop using Electrum? It all depends on you and how much you really care about your coins, and accordingly to that you can take steps to increase security of coin storage. Hardware wallets are a logical choice, for 60-70$ you can get much better security then with most desktop wallets.
legendary
Activity: 3682
Merit: 1580
so to use electrum i have to trust other softwares?

Yes starting with your BIOS and OS. You also have to trust your hardware manufacturer.
legendary
Activity: 3682
Merit: 1580
Here's a guide to verifying the gpg sig. I suggest you update your electrum from electrum.org. That way the only problem you might face is difficulty spending bitcoins at which point you can simply switch servers and try again.
gpg4win has a signature to verify file? Or how to verify gpg4win?

They use code signing. More details here: https://www.gpg4win.org/package-integrity.html
legendary
Activity: 3472
Merit: 10611
For verifying the download I use Gpg4win.

gpg4win has a signature to verify file? Or how to verify gpg4win?

Lol, you need to install it before you can validate it.  Undecided

The nice thing about gpg4win is it's trusted by windows defender and almost all anti-virus programs.  If you get something that isn't trusted by your AV stop.

i believe he is talking about checking the signature of GPG4Win itself as like any other application this .exe file is also being released with a signature. like this is for the last version: https://files.gpg4win.org/gpg4win-3.1.5.tar.bz2.sig
so verifying its signature looks a bit odd since the application you use for signature verification is the same thing you want to verify! here is the documentation for how to do it though: https://www.gpg4win.org/package-integrity.html

you can also check it using Linux since most of them already come with GPG installed.
legendary
Activity: 2758
Merit: 6830
Lol, you need to install it before you can validate it.  Undecided

The nice thing about gpg4win is it's trusted by windows defender and almost all anti-virus programs.  If you get something that isn't trusted by your AV stop.
Please don’t... all that the AVs do is check for malware signatures. This means that if a piece of software doesn’t have a signature that matches with one in their database, it won’t flag as a virus. This doesn’t say sh*t about the legitimacy of a software.

You could use a fake version of gpg4win that shows a specifc software signature as legit even if its not and it wouldn’t be flagged by your AV.

Btw, Electrum is commonly flagged as a trojan by many AVs. Does that mean I should “stop”? Wink
copper member
Activity: 2338
Merit: 4543
Join the world-leading crypto sportsbook NOW!
For verifying the download I use Gpg4win.

gpg4win has a signature to verify file? Or how to verify gpg4win?

Lol, you need to install it before you can validate it.  Undecided

The nice thing about gpg4win is it's trusted by windows defender and almost all anti-virus programs.  If you get something that isn't trusted by your AV stop.
legendary
Activity: 3234
Merit: 5637
Blackjack.fun-Free Raffle-Join&Win $50🎲
Hey all.  So just to confirm...

There is no danger for your coins even if you use Electrum 3.0.5, that message may appear, but it certainly does not affect security of the wallet. Only danger is if you click on link posted in that message and manually download fake wallet, nothing happens automatically.

If that message appear just close it with x, and then change server by click on Tools -> Network -> Select any other server -> Untick option "Select server automatically". Check post from Abdussamad if you need more detailed explanation (with pictures).
legendary
Activity: 2758
Merit: 6830
Hey all.  So just to confirm.  Would it just be fine right now if i open electrum 3.0.5 as is and then try to send the remaining btc i have in my wallet to somewhere else?  But if i get that message, then i close it.  Then i close electrum.  Then go to the official electrum site and download electrum?  
You should just download the latest version right now. If for some reason you want to keep using 3.0.5, ignore the message and restart Electrum to get a new server or change it manually.

Quote
Right now i just want to get any btc i have in electrum out of it and do not want to use it until later on when there is very little concerns on it.
Nothing bad will happen unless you download the fake Electrum.

Quote
Also the message that does pop up if it gives you that message, is it a link where if you click on it, it automatically downloads it?  So if you click on it by accident, could you still immediately cancel the download or once you click on that link, that is it?  Or do you have to download it fully and also go through the installation process?  
Just download the latest version. Why try to send anything with the vulnerable version?

And no, it’s not a “click and you’re doomed” thing. You would have to download and run it.
full member
Activity: 1750
Merit: 186
Hey all.  So just to confirm.  Would it just be fine right now if i open electrum 3.0.5 as is and then try to send the remaining btc i have in my wallet to somewhere else?  But if i get that message, then i close it.  Then i close electrum.  Then go to the official electrum site and download electrum? 



Right now i just want to get any btc i have in electrum out of it and do not want to use it until later on when there is very little concerns on it.



Also the message that does pop up if it gives you that message, is it a link where if you click on it, it automatically downloads it?  So if you click on it by accident, could you still immediately cancel the download or once you click on that link, that is it?  Or do you have to download it fully and also go through the installation process? 
legendary
Activity: 3234
Merit: 5637
Blackjack.fun-Free Raffle-Join&Win $50🎲
You say if i try to send the btc and the server im using is compromised, then yes i would get that message to update electrum.  But i also have the option to x the message right and cancel the transaction?  But most likely the outcome is when i try to send btc now, i won't get the message?

Since you are still using 3.0.5 version there is a possibility that such message can pop up if you are connected to bad server. But there is no danger to your transaction, only danger is if you follow link posted in message and download fake Electrum. Problem is solved in latest version 3.3.3, instead of   
receiving such messages, user can only get error message if it is connected to a bad server.

it is funny those servers are still there to have questions like this (where are you electrum developers why bad servers are still in the servers list for users to connect to?).

I think developers can not remove bad servers from server list, everyone can set up server and there is no way to determine which one is bad or good. Even if they remove them, hackers can add more new severs much faster than they can be removed. In short, Electrum is not perfect wallet.

legendary
Activity: 3682
Merit: 1580
Here's a guide to verifying the gpg sig. I suggest you update your electrum from electrum.org. That way the only problem you might face is difficulty spending bitcoins at which point you can simply switch servers and try again.
full member
Activity: 1750
Merit: 186
You say if i try to send the btc and the server im using is compromised, then yes i would get that message to update electrum.  But i also have the option to x the message right and cancel the transaction?  But most likely the outcome is when i try to send btc now, i won't get the message?


Pages:
Jump to: