
Topic: Warning about portable versions - page 3. (Read 126560 times)

newbie
Activity: 23
Merit: 3
October 10, 2017, 07:50:33 AM
#56
Using both. Standalone and Portable. But I have a question. Is there a way to visualize not just the coins I have but also their value in $?
member
Activity: 88
Merit: 10
Earn Need Patient's
September 01, 2017, 12:45:12 AM
#55
So far with me nothing happened .. maybe I use different location not the same data cash and btc ...
newbie
Activity: 11
Merit: 0
September 01, 2017, 12:06:22 AM
#54
Could we use Electrum and Electron Cash on the same laptop?
Because before 1 August, there were a lot of rumors about not using both on the same laptop for claiming BCC...
thanks
full member
Activity: 130
Merit: 100
Blocklancer - Freelance on the Blockchain Close
August 24, 2017, 05:57:04 AM
#53
Thanks for the heads up! Don't mind using the portable version because I'll use it on my personal desktop.
sr. member
Activity: 390
Merit: 250
into the clusterfuck
August 23, 2017, 08:59:45 AM
#52
I downloaded electrum portable version 2.9.2
when I tried to run it, I'm getting "Error loading Pyton DLL: C:\DOCUME...  \python27.dll (error code 14001)"
what does it mean? how to solve this problem
If I download the Windows Installer version will I be getting the same problem?
also there's a signature file... how do I use this to verify

This should help: https://www.reddit.com/r/Bitcoin/comments/1t70ud/electrum_fatal_error_fix_re_python27dll/
(run as admin)

To verify the file, you need GPG. Using a search engine, you should find many tutorials about that.
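The GPG check mentioned in the reply above, as an added example that is not part of the original thread or of Electrum's own code: it runs `gpg --verify` with machine-readable status output and accepts the download only if a good signature comes from a pinned key. The file paths and `PINNED_FPR` are placeholders; take the real fingerprint from a source you trust independently of the download site.

```python
import subprocess
import sys

# Placeholder, not a real key: the signer's full 40-hex-digit fingerprint.
PINNED_FPR = "0" * 40

# Status keywords that mean the signature or its key must not be trusted.
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

def parse_status(status_text):
    """Split `gpg --status-fd` output into (keywords seen, signer fingerprints)."""
    keywords, fprs = set(), set()
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        keywords.add(parts[1])
        if parts[1] == "VALIDSIG" and len(parts) >= 3:
            # Field 3 is the signing (sub)key; the last of the ten VALIDSIG
            # arguments, when present, is the primary key's fingerprint.
            fprs.add(parts[2].upper())
            if len(parts) >= 12:
                fprs.add(parts[11].upper())
    return keywords, fprs

def signature_trusted(status_text, pinned_fpr):
    """True only for a good signature made by the pinned key."""
    keywords, fprs = parse_status(status_text)
    if "GOODSIG" not in keywords or keywords & REJECT:
        return False
    return pinned_fpr.upper() in fprs

def verify_download(file_path, sig_path, pinned_fpr=PINNED_FPR):
    """Run gpg on a detached signature; needs gpg and the signer's public key."""
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", sig_path, file_path],
        capture_output=True, text=True)
    return proc.returncode == 0 and signature_trusted(proc.stdout, pinned_fpr)

# Constructed status output for illustration (not captured from a real run).
SAMPLE_FPR = "AB12" * 10
SAMPLE_GOOD = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG AB12AB12AB12AB12 Example Signer\n"
    f"[GNUPG:] VALIDSIG {SAMPLE_FPR} 2017-08-01 1501545600 0 4 0 1 8 00 {SAMPLE_FPR}\n")
SAMPLE_REVOKED = SAMPLE_GOOD.replace("GOODSIG", "REVKEYSIG")

if __name__ == "__main__":
    ok = verify_download(sys.argv[1], sys.argv[2])
    print("signature OK" if ok else "DO NOT RUN: signature not verified")
    sys.exit(0 if ok else 1)
```

GnuPG can emit `VALIDSIG` even when the signing key is expired or revoked, which is why the check also requires `GOODSIG` and rejects the other status keywords.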
hero member
Activity: 1232
Merit: 738
Mixing reinvented for your privacy | chipmixer.com
August 05, 2017, 07:22:09 AM
#51
I downloaded electrum portable version 2.9.2
when I tried to run it, I'm getting "Error loading Pyton DLL: C:\DOCUME...  \python27.dll (error code 14001)"
what does it mean? how to solve this problem
If I download the Windows Installer version will I be getting the same problem?
also there's a signature file... how do I use this to verify
hero member
Activity: 2968
Merit: 605
July 28, 2017, 02:52:02 AM
#50
Just download the standalone version and it's fine for me...
newbie
Activity: 2
Merit: 0
November 06, 2016, 04:43:41 PM
#49
Hello.
No matter which version of the portable electrum for Windows I run, I keep on getting:

Microsoft Visual C++ Runtime Library

Runtime Error!
Program A:\electrum-2.7.11-portable.exe

R6034
An application has made an attempt to load the C runtime library incorrectly.
Please contact the application's support team for more information.



but after clicking ok, the application seems to run normally..
I am using Windows 10 64-bit..
The installation setup runs fine, but due to privacy (and SAFETY!) reasons, I prefer to use the portable one on an encrypted drive..
Any idea why I keep on getting that runtime error message? (I even tried it on a normal, non-encrypted drive.. the same happens..)
Do I need to install something on my Win 10, or copy some more files to the portable Electrum directory?
Thanks for help, in advance.

edit:
I found the answer myself..
The portable version is built without a manifest...
You need to have "electrum.exe.manifest" from the installer version to be included in the same directory with the portable
version, renamed the same as the portable version.. (eg. electrum-2.6.4-portable.exe.manifest )

(see: https://msdn.microsoft.com/en-us/library/ms235560(v=vs.90).aspx)

sr. member
Activity: 318
Merit: 260
February 23, 2016, 03:44:56 PM
#48

That's only insecure if they don't internally do a signature check on the image. You have to update firmware from a network.

The only way it can still be vulnerable with an internal signature check is if the transfer or signature code has memory corruption. This code can be done very primitive though where you can give strong attention to crypto implementation and memory handling.

Hardware isolation remedies everything if properly implemented. It's such a small set of function it's not that hard to secure. Even targeted attacks become impossible at some point, because there is only this little query interface to give input to.

That's the soft problem. It has a small risk of the signature getting corrupted itself.

What is more likely is that the company goes rogue, or gets coerced by the government to hand over the keys and update the device with backdoored updates.

My demands are: complete isolation or junk, there is no other option if you hold millions of $ of bitcoin.

That's a problem with the CPU you're using too. They can get microcode updates with backdoors, and no security product will be able to detect it. Security products also don't check BIOS ROMs. A small isolated device in that environment with crypto is secure though. The NSA would have to find a vulnerability in that small exchange interface or modify the image between repo and signing with a stable backdoor.
sr. member
Activity: 318
Merit: 260
February 22, 2016, 09:18:52 PM
#47

Pretty large threats exist there. Do you know any ways to defend against these attacks?

What if electrum needs some kind of memory obfuscation system, to hide its computations in the memory so that viruses can't detect it. And rename the process name of it to a random name as well.



Stop believing in "secure coding practices" and "secure design" and start believing in OSS hardware isolation with low-complexity.

TREZOR without the dishonest price-tag.. It's open source and the only way you can attack it is through memory corruption and an ARM payload that sends keys back over USB.

I don't have the funding else I could emulate their hardware with any cheap hardware. I've looked at the GIT changes for Electrum it's not hard to do. No way I'm paying $100 for a $10 piece of hardware though..

To my understanding Trezor is not that secure because it updates its firmware from the internet, that's a major attack vector.

Social engineering or the company goes rogue and the signing keys can be compromised, so the entire hardware is worth trash after that. That is a major design flaw if you let your "secure" hardware keep contact with the internet.

Best method to store btc is to put it in a cold storage and use QR code to sign the transactions in the offline space. Buy a 2$ cheap webcam, that should do the trick.


Ok but I'm still concerned about online vulnerabilities, if what you say is true, then every online account can be theoretically hacked.

That's only insecure if they don't internally do a signature check on the image. You have to update firmware from a network.

The only way it can still be vulnerable with an internal signature check is if the transfer or signature code has memory corruption. This code can be done very primitive though where you can give strong attention to crypto implementation and memory handling.

Hardware isolation remedies everything if properly implemented. It's such a small set of function it's not that hard to secure. Even targeted attacks become impossible at some point, because there is only this little query interface to give input to.
hero member
Activity: 854
Merit: 1009
JAYCE DESIGNS - http://bit.ly/1tmgIwK
February 22, 2016, 05:12:31 PM
#46

Pretty large threats exist there. Do you know any ways to defend against these attacks?

What if electrum needs some kind of memory obfuscation system, to hide its computations in the memory so that viruses can't detect it. And rename the process name of it to a random name as well.



Stop believing in "secure coding practices" and "secure design" and start believing in OSS hardware isolation with low-complexity.

TREZOR without the dishonest price-tag.. It's open source and the only way you can attack it is through memory corruption and an ARM payload that sends keys back over USB.

I don't have the funding else I could emulate their hardware with any cheap hardware. I've looked at the GIT changes for Electrum it's not hard to do. No way I'm paying $100 for a $10 piece of hardware though..

To my understanding Trezor is not that secure because it updates its firmware from the internet, that's a major attack vector.

Social engineering or the company goes rogue and the signing keys can be compromised, so the entire hardware is worth trash after that. That is a major design flaw if you let your "secure" hardware keep contact with the internet.

Best method to store btc is to put it in a cold storage and use QR code to sign the transactions in the offline space. Buy a 2$ cheap webcam, that should do the trick.


Ok but I'm still concerned about online vulnerabilities, if what you say is true, then every online account can be theoretically hacked.
sr. member
Activity: 318
Merit: 260
February 22, 2016, 03:54:16 PM
#45

Pretty large threats exist there. Do you know any ways to defend against these attacks?

What if electrum needs some kind of memory obfuscation system, to hide its computations in the memory so that viruses can't detect it. And rename the process name of it to a random name as well.



Stop believing in "secure coding practices" and "secure design" and start believing in OSS hardware isolation with low-complexity.

TREZOR without the dishonest price-tag.. It's open source and the only way you can attack it is through memory corruption and an ARM payload that sends keys back over USB.

I don't have the funding else I could emulate their hardware with any cheap hardware. I've looked at the GIT changes for Electrum it's not hard to do. No way I'm paying $100 for a $10 piece of hardware though..
hero member
Activity: 854
Merit: 1009
JAYCE DESIGNS - http://bit.ly/1tmgIwK
February 22, 2016, 03:50:04 AM
#44

"pre-installed" what? My process just has to run and intercept any time you put in the encryption data to unlock the wallet..

How do I get it on your box with the wallet software?
  • Ads and zero-day
  • zero-day or MITM via DNS hijack
  • zero-day or MITM via TOR entry or exit nodes
  • Header parsing zero-day in your POP3 or IMAP client
  • "spear-phishing"
  • infect something on a USB drive and wait for you to use it if you use an air-gap(works with crypto drives too)
  • MITM non-TLS non-signed executable over subnet box via AP or infected box
  • Brute-force RPC or try SMB zero-day on subnet or AP
A FUD packer or uncommon compiler or compiler-switches so your AV doesn't detect it before I detect and kill your AV or quit before HIPS detects it.

There are others too like Manufacturing backdoors and codec vulnerabilities.

Pretty large threats exist there. Do you know any ways to defend against these attacks?

What if electrum needs some kind of memory obfuscation system, to hide its computations in the memory so that viruses can't detect it. And rename the process name of it to a random name as well.

sr. member
Activity: 318
Merit: 260
February 21, 2016, 03:08:23 PM
#43


Just put a MD5 or SHA3 hash in any file anywhere(neither have practical collisions).

Disc image patching isn't where I the attacker am going to attack. I'm going to inline patch UI callbacks post-execution by using debug APIs on Windows, Linux, and OSX. You can't do this on Android or IOS without paring internal "services" to allow trans-sandbox communication and even then you have to give the attacker memory through mailbox buffers..

Jails and memory corruption protection on Linux and OSX and a special user and owning folder and EFS and DEP for Windows 7/8/10. Along with that hash. It'd take a specialized rootkit to get past this which rootkit authors probably won't do unless it becomes a big trend.

Things will get better when AMD gets something like SkyLake's SGX. This is basically like TrustZone in iOS and Android by ARM. You'll be able to isolate processes with hardware protection and not even rootkits can interact..

Ok that sounds complicated and I don't really understand, but what I get is that you will attack post execution by corrupting my memory.

Ok but for that you still need some pre-installed malware on the PC, a trojan, that will allow you to do this and remote control my PC like this.

As with any virus, first you need to get your virus on the PC, and then attack like this.


Any electrum user with a quarter brain knows not to download shit or open random links if they have money on their PC.

So how would you get the virus on the PC?

"pre-installed" what? My process just has to run and intercept any time you put in the encryption data to unlock the wallet..

How do I get it on your box with the wallet software?
  • Ads and zero-day
  • zero-day or MITM via DNS hijack
  • zero-day or MITM via TOR entry or exit nodes
  • Header parsing zero-day in your POP3 or IMAP client
  • "spear-phishing"
  • infect something on a USB drive and wait for you to use it if you use an air-gap(works with crypto drives too)
  • MITM non-TLS non-signed executable over subnet box via AP or infected box
  • Brute-force RPC or try SMB zero-day on subnet or AP
A FUD packer or uncommon compiler or compiler-switches so your AV doesn't detect it before I detect and kill your AV or quit before HIPS detects it.

There are others too like Manufacturing backdoors and codec vulnerabilities.
hero member
Activity: 854
Merit: 1009
JAYCE DESIGNS - http://bit.ly/1tmgIwK
February 21, 2016, 03:14:46 AM
#42


Just put a MD5 or SHA3 hash in any file anywhere(neither have practical collisions).

Disc image patching isn't where I the attacker am going to attack. I'm going to inline patch UI callbacks post-execution by using debug APIs on Windows, Linux, and OSX. You can't do this on Android or IOS without paring internal "services" to allow trans-sandbox communication and even then you have to give the attacker memory through mailbox buffers..

Jails and memory corruption protection on Linux and OSX and a special user and owning folder and EFS and DEP for Windows 7/8/10. Along with that hash. It'd take a specialized rootkit to get past this which rootkit authors probably won't do unless it becomes a big trend.

Things will get better when AMD gets something like SkyLake's SGX. This is basically like TrustZone in iOS and Android by ARM. You'll be able to isolate processes with hardware protection and not even rootkits can interact..

Ok that sounds complicated and I don't really understand, but what I get is that you will attack post execution by corrupting my memory.

Ok but for that you still need some pre-installed malware on the PC, a trojan, that will allow you to do this and remote control my PC like this.

As with any virus, first you need to get your virus on the PC, and then attack like this.


Any electrum user with a quarter brain knows not to download shit or open random links if they have money on their PC.

So how would you get the virus on the PC?
sr. member
Activity: 318
Merit: 260
February 20, 2016, 05:05:40 PM
#41
Calculate the checksum of the electrum file, and put it in a text file next to it, and rename that file to something like blablabla.txt

That way every time you run it, you can check if it has been replaced with a malicious one or not. It works for me, so it should work for you.

And if you rename the file to some random stuff, then the virus won't know what's in the txt file.


Also rename the electrum executable too to something random.

Just put a MD5 or SHA3 hash in any file anywhere(neither have practical collisions).

Disc image patching isn't where I the attacker am going to attack. I'm going to inline patch UI callbacks post-execution by using debug APIs on Windows, Linux, and OSX. You can't do this on Android or IOS without paring internal "services" to allow trans-sandbox communication and even then you have to give the attacker memory through mailbox buffers..

Jails and memory corruption protection on Linux and OSX and a special user and owning folder and EFS and DEP for Windows 7/8/10. Along with that hash. It'd take a specialized rootkit to get past this which rootkit authors probably won't do unless it becomes a big trend.

Things will get better when AMD gets something like SkyLake's SGX. This is basically like TrustZone in iOS and Android by ARM. You'll be able to isolate processes with hardware protection and not even rootkits can interact..
hero member
Activity: 854
Merit: 1009
JAYCE DESIGNS - http://bit.ly/1tmgIwK
February 20, 2016, 02:35:09 AM
#40
Calculate the checksum of the electrum file, and put it in a text file next to it, and rename that file to something like blablabla.txt

That way every time you run it, you can check if it has been replaced with a malicious one or not. It works for me, so it should work for you.

And if you rename the file to some random stuff, then the virus won't know what's in the txt file.


Also rename the electrum executable too to something random.
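The routine described in this post, as an added example that is not code from the thread or from Electrum: record the executable's SHA-256 and size once, then compare before each launch. The file names and contents are constructed stand-ins; the pin is only as trustworthy as the place it is stored, and the check covers the file on disk, not the running process that reply #41 is concerned with.

```python
import hashlib
import hmac
import json
import os
import tempfile

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large executables are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def write_pin(exe_path, pin_path):
    """Record size and SHA-256 once, right after the download was verified."""
    pin = {"size": os.path.getsize(exe_path), "sha256": sha256_file(exe_path)}
    with open(pin_path, "w") as f:
        json.dump(pin, f)
    return pin

def check_pin(exe_path, pin_path):
    """Return 'ok', 'size changed' or 'hash mismatch' for the file on disk."""
    with open(pin_path) as f:
        pin = json.load(f)
    if os.path.getsize(exe_path) != pin["size"]:
        return "size changed"
    if not hmac.compare_digest(sha256_file(exe_path), pin["sha256"]):
        return "hash mismatch"
    return "ok"

def demo():
    """Pin a constructed stand-in file, then modify it twice and re-check."""
    with tempfile.TemporaryDirectory() as d:
        exe = os.path.join(d, "wallet-portable.exe")  # constructed stand-in
        # In real use, keep the pin where the launching account cannot write.
        pin = os.path.join(d, "pin.json")
        with open(exe, "wb") as f:
            f.write(b"MZ" + b"\x00" * 62 + b"original build")
        write_pin(exe, pin)
        results = [check_pin(exe, pin)]
        with open(exe, "r+b") as f:  # same-size change to one byte
            f.seek(70)
            f.write(b"X")
        results.append(check_pin(exe, pin))
        with open(exe, "ab") as f:  # change that alters the length
            f.write(b"appended")
        results.append(check_pin(exe, pin))
        return results

if __name__ == "__main__":
    print(demo())
```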
sr. member
Activity: 318
Merit: 260
February 09, 2016, 10:56:31 PM
#39
Portable version user here. Cold wallet that uses Electrum live and a FIPS USB drive with isolated crypto for wallet storage. Electrum is signed and jailed.. No NIC on when booting for signing.

Have fun showing me how vulnerable I am..
legendary
Activity: 2674
Merit: 1083
Legendary Escrow Service - Tip Jar in Profile
November 05, 2015, 11:39:50 AM
#38
I found some small bugs in the portable version.

I can not change the language. Regardless what I try.

I can not import private keys. There are only sweep and export options. And sweep sounds like a highly dangerous option.

I'm not sure but I believe the satoshi per kb option was set back by upgrading. I first thought it is an automatic calculation depending on net load that raised the fee but it is only satoshi per kb? Not sure yet.
legendary
Activity: 2674
Merit: 1083
Legendary Escrow Service - Tip Jar in Profile
October 28, 2015, 01:47:08 PM
#37
Latest Electrum 2.5.1 Portable with Trezor and Ledger support is available for download thanks ThomasV!

Sounds great. Thanks ThomasV. Guess the next big building lot is the server software which had big problems with the spam attacks.