Topic: Warning about portable versions - page 4. (Read 126560 times)

legendary
Activity: 1806
Merit: 1164
October 27, 2015, 08:28:04 PM
#36
Latest Electrum 2.5.1 Portable with Trezor and Ledger support is available for download thanks to ThomasV!
newbie
Activity: 20
Merit: 0
September 16, 2015, 09:29:07 AM
#35
Electrum_LTC portable on the other hand works as it should. Even the latest version, 2.4.3.1, works just fine, whether portable and/or install versions. The portable version creates and/or uses the folders, files and wallets within the same directory.

Hm, I did not know there is an LTC version and that there already exists a portable version for 2.4.3.1. I'm puzzled why that is so. Is the team coding on both versions different?

I sometimes have the impression that old errors, that already had been fixed once, were reimplemented. For example the missing socks setting looks like such. I think I already have seen that error fixed some months ago.

Below are the links to the LTC version website and their downloads.

The current BTC version is on 2.4.4 and the latest LTC is on 2.4.3.1. The BTC version, for Windows, has no support for hardware wallets and the account labels (used with multiple accounts, like when you have a Trezor) still do not work. The LTC version (which is actually behind) has full hardware wallet support and the account labels work perfectly.

So I'm currently running 2.3.2 for the BTC version as I have a Trezor and 2.3.2 is the last standalone that works properly and which has hardware wallet support. On LTC I run the latest version (2.4.3.1) without any problems with the standalone version.

I posted earlier that the current BTC version is now essentially cripple ware in so far as a Windows/Trezor user is concerned.

https://electrum-ltc.org/

https://electrum-ltc.org/download/
legendary
Activity: 2674
Merit: 1083
Legendary Escrow Service - Tip Jar in Profile
September 16, 2015, 08:52:11 AM
#34
Electrum_LTC portable on the other hand works as it should. Even the latest version, 2.4.3.1, works just fine, whether portable and/or install versions. The portable version creates and/or uses the folders, files and wallets within the same directory.

Hm, I did not know there is an LTC version and that there already exists a portable version for 2.4.3.1. I'm puzzled why that is so. Is the team coding on both versions different?

I sometimes have the impression that old errors, that already had been fixed once, were reimplemented. For example the missing socks setting looks like such. I think I already have seen that error fixed some months ago.
newbie
Activity: 20
Merit: 0
September 16, 2015, 08:19:58 AM
#33
I won't be arguing about security. But I have a remark about the behavior of the portable version. When this version by default creates the wallet somewhere deep in the guts of the OS, where is the portability here? I believe that a really portable version should handle the data file in the same folder where the executable is.

I know there is a way to assign a wallet file from a defined folder. But not create one. Also there are plenty of people who are able to back up a folder with their data, but not that many of them are able to write a shell file to assign a wallet file for this binary. Ask them to find where the wallet was created and it will be a real challenge.

Portable version should be really portable, otherwise what is the difference with installation?

The portable version was 'fully' portable up to and including version 2.3.2 meaning that it created all the data folders, files and wallets within the folder from where the exe was started. You could thus copy the electrum portable exe file to a usb drive, start it up and it would create all the folders, files and wallets in the same location on the usb drive which made it 'portable'.

The later versions of Electrum-BTC however no longer function like this. The latest binaries that were released do not even support Trezor anymore, so not too sure what is going on with Electrum, but I'm personally not very impressed with the way things are going. The 2.4 binaries have been out almost a month already and still no update to add back in support for hardware wallets.

Electrum_LTC portable on the other hand works as it should. Even the latest version, 2.4.3.1, works just fine, whether portable and/or install versions. The portable version creates and/or uses the folders, files and wallets within the same directory.

Not sure why Electrum-BTC no longer works that way as Electrum-LTC is essentially a clone of it so not sure why the LTC version can work properly, including with all supported hardware wallets, while the BTC version seems crippled.
Stn
full member
Activity: 227
Merit: 100
September 15, 2015, 03:58:43 AM
#32
I won't be arguing about security. But I have a remark about the behavior of the portable version. When this version by default creates the wallet somewhere deep in the guts of the OS, where is the portability here? I believe that a really portable version should handle the data file in the same folder where the executable is.

I know there is a way to assign a wallet file from a defined folder. But not create one. Also there are plenty of people who are able to back up a folder with their data, but not that many of them are able to write a shell file to assign a wallet file for this binary. Ask them to find where the wallet was created and it will be a real challenge.

Portable version should be really portable, otherwise what is the difference with installation?
member
Activity: 97
Merit: 13
September 13, 2015, 08:28:14 AM
#31
Please, where is the last portable version for windows ?
hero member
Activity: 560
Merit: 509
I prefer Zakir over Muhammed when mentioning me!
August 05, 2015, 07:21:29 AM
#30
About keyloggers: why don't you implement a visual (mouse clicking) access check?

Movements of mouse or clicks can also be recorded. However, you can reduce it by using a scrambled virtual keyboard. But still, most users prefer to use their keyboards.

Note that, ThomasV has explicitly mentioned that portable build is not dangerous by itself. It is just like other builds but it encourages dangerous behaviour.

-snip-

It is not safe to use a portable version of Electrum on an insecure computer!

Don't get me wrong: I am not saying that a portable build is by itself more dangerous than a non-portable version.

 -snip-

In addition, portable builds encourage dangerous behaviour, because they make it very easy to use your wallet on third party computers, that might be infected with viruses and keyloggers.

 -snip-
hero member
Activity: 546
Merit: 500
LOL what you looking at?
August 03, 2015, 01:04:12 AM
#29
Since we now have a subforum for Electrum, I am rewriting here what I already said in other threads. I hope it's more visible in its own thread.

It is not safe to use a portable version of Electrum on an insecure computer!

Don't get me wrong: I am not saying that a portable build is by itself more dangerous than a non-portable version.
However, a portable version does not bring anything more in terms of security. It does not protect you from the computer you are using.
In addition, portable builds encourage dangerous behaviour, because they make it very easy to use your wallet on third party computers, that might be infected with viruses and keyloggers.

I was never enthusiastic about distributing portable versions of Electrum.
I did it because the demand for portable versions was so high that portable builds distributed by third parties were getting popular.
That's the only reason why I accepted to distribute portable builds: I do this in order to avoid an even worse situation.



About keyloggers: why don't you implement a visual (mouse clicking) access check?
hero member
Activity: 560
Merit: 509
I prefer Zakir over Muhammed when mentioning me!
March 08, 2015, 04:32:01 AM
#28
I think 'Standalone' will only have 1 .exe file and all the data (wallets and other data) will be in AppData. But 'Portable' Electrum puts all the files in the folder from which Electrum is running, say USB. So whatever computers you use, all the files will still be in the USB.

   -MZ
hero member
Activity: 715
Merit: 500
March 04, 2015, 09:23:59 AM
#27
I don't think you need to maintain the "Standalone" version. Portable is great. Thanks!

What is the difference between Standalone Executable and Portable?
member
Activity: 98
Merit: 10
Mine hard!
February 22, 2015, 10:33:24 PM
#26
I don't think you need to maintain the "Standalone" version. Portable is great. Thanks!
hero member
Activity: 715
Merit: 500
February 11, 2015, 09:39:29 AM
#25
Hello! I think it would be a good idea to add TOTP (Time-based One Time Password Algorithm, RFC 6238).
member
Activity: 67
Merit: 13
December 16, 2014, 12:54:47 PM
#24
I think it would be interesting if a single install could create both a portable version that works just by plugging the USB into a computer and also a boot version which works by booting from USB. My reasoning is that, when possible, it would obviously be preferable to boot into a secure environment, but that might not be practical in all situations.

Personally though, my main concern is using a portable version on a public computer. You can't boot from USB, but you can run it. There won't be a virus to worry about because these computers are instanced so that each day it refreshes and no unauthorized programs can be installed. The problem is twofold: First, if administrative access is required it would never work. Second, these computers are usually monitored.

With college or library computer labs there is usually someone on duty who can actually look at your screen from a remote device at any time and record your behavior. In fact, at my college, it isn't just a chance. They definitely will review what you are doing. In theory, a malicious user could copy down your addresses and funds to associate with an identity, which takes away anonymity. This scenario is more likely at library computers that often give similar access to the FBI.

For this scenario I think the portable version should have a default setting of hiding addresses while leaving address labels visible. That way if you are just checking your balances you will know how much money was sent to which address and when without anyone else being able to see those addresses. Call it a stealth mode. It could even be set up to allow you to copy an address to the clipboard without showing the address. Of course, once added to the clipboard and pasted it will obviously be visible, but if the user only does this with one-time-use addresses it would still provide better security than turning off stealth mode to handle such transactions.

Two other thoughts: Couldn't a proxy program be integrated with a list of safe addresses and then have the program use a random rotating IP address so that when transactions are sent or received there is no connection of an IP address to multiple addresses which might later be used to figure out the seed or otherwise compromise privacy? And couldn't the security features of Dark Wallet's Stealth and CoinJoin be applied at some point?

Finally, for portable versions - or all versions really - why not implement some kind of a file checksum? A non writable file could contain the information needed to check the integrity of the executable to make sure that it hasn't been compromised and for added security maybe even a mirror of the executable could run at the same time? Borrowing a trick from virus behavior, if one file is deleted or modified in any way outside of normal user behavior the other one repairs it. In this way a malicious program would need to modify both simultaneously and even then the checksum could be set to run when it opens and right before it exits to alert the user that the file was compromised at the very least.

I think the extra security of all these features together would help protect users who have a need to use portable modes and would also help protect people who install onto their own machines that later become compromised. Is it feasible though?
newbie
Activity: 9
Merit: 0
November 07, 2014, 06:43:02 AM
#23
Since we now have a subforum for Electrum, I am rewriting here what I already said in other threads. I hope it's more visible in its own thread.

It is not safe to use a portable version of Electrum on an insecure computer!

Don't get me wrong: I am not saying that a portable build is by itself more dangerous than a non-portable version.
However, a portable version does not bring anything more in terms of security. It does not protect you from the computer you are using.
In addition, portable builds encourage dangerous behaviour, because they make it very easy to use your wallet on third party computers, that might be infected with viruses and keyloggers.

I was never enthusiastic about distributing portable versions of Electrum.
I did it because the demand for portable versions was so high that portable builds distributed by third parties were getting popular.
That's the only reason why I accepted to distribute portable builds: I do this in order to avoid an even worse situation.



using this version is ok..if there's a higher version let me know...BTC
newbie
Activity: 19
Merit: 3
August 25, 2014, 12:27:26 PM
#22
I was incorrect in my description above. I have only been making images from my existing install for some time, had forgotten details until I set up another fresh one recently. Of course I did not compile from source, this is all python. I get the tarred source, and run the executable from that. As long as the MD5sum from Electrum-1.9.8.tar.gz matches the site, and you checksum the executable each time you run it, you are 100% assured you are not running a trojaned version.

I recently set up the Electrum LTC client on Tails as well. Great job, devs, thank you for your work.
newbie
Activity: 19
Merit: 3
August 22, 2014, 11:11:07 AM
#21
Sorry for so long in replying. Tails is a relatively hardened Linux, there is not an electrum.exe on the system. I compiled the executable from source code, and store an MD5sum checksum of the executable in another location in the encrypted storage. It takes 10 seconds to run md5sum /path/to/electrum so that I can verify it is exactly the same one every time. The Tails USB stick's main use is for bitcoin, no casual browsing, and never any personal email/social networks, etc. I am confident in my ability to use it without getting malware.

My goal was to have a portable USB OS to be as secure as I can make it, to use with Bitcoin. At the same time, I don't want to have a One, Vital, Important Stick That I Cannot Lose. I image the stick with the dd command (from another running and secure Linux), and can make one big file that I can recreate the USB key from. I have many of them in different locations. If I do lose it, the encrypted parts use a very long password. If it's lost, I have only lost a few euros worth of USB stick, not my information.

My interest in using .onion/Electrum servers is not because I am working with any large amount of BTC at all (to the contrary!) It is just part of this ongoing experiment in making it as secure and private as I can.
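
The per-launch check described in posts #21 and #22, and the checksum idea raised in post #24, sketched as an added example that is not part of the thread or of Electrum. It substitutes SHA-256 (`sha256sum`) for the posts' MD5; the function names and the stand-in launcher script are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread or from Electrum): pin a launcher's digest
# and fail closed when it changes. All function names here are hypothetical.

# digest_of FILE -> print the SHA-256 hex digest of FILE's contents
digest_of() {
    sha256sum < "$1" | cut -d' ' -f1
}

# pin_digest FILE PINFILE -> record FILE's digest and make the record read-only
pin_digest() {
    [ -r "$1" ] || return 2
    digest_of "$1" > "$2" && chmod 400 "$2"
}

# verify_pinned FILE PINFILE
# returns 0 on match, 1 on mismatch or empty pin, 2 if either file is unreadable
verify_pinned() {
    [ -r "$1" ] && [ -r "$2" ] || return 2
    expected=$(cat "$2")
    actual=$(digest_of "$1")
    [ -n "$expected" ] && [ "$actual" = "$expected" ] || return 1
    return 0
}

# run_verified FILE PINFILE [ARGS...] -> launch FILE only if its digest matches
run_verified() {
    target=$1; pin=$2; shift 2
    if verify_pinned "$target" "$pin"; then
        "$target" "$@"
    else
        code=$?
        echo "refusing to run $target: digest check failed (code $code)" >&2
        return "$code"
    fi
}

# Constructed demo: a two-line stand-in script plays the wallet launcher.
demo() {
    dir=$(mktemp -d) || return 1
    printf '#!/bin/sh\necho wallet-started\n' > "$dir/launcher"
    chmod 700 "$dir/launcher"
    pin_digest "$dir/launcher" "$dir/launcher.sha256"
    run_verified "$dir/launcher" "$dir/launcher.sha256"        # digest matches: runs
    echo '# modified after pinning' >> "$dir/launcher"         # simulate a swapped file
    code=0
    run_verified "$dir/launcher" "$dir/launcher.sha256" || code=$?
    rm -rf "$dir"
    [ "$code" -eq 1 ]                                           # 1 = refused on mismatch
}

if [ "${1:-}" = demo ]; then demo; fi
```

The pin file only helps if it lives where the host being checked cannot rewrite it, which is why post #21 keeps it in separate encrypted storage. A check run by a compromised operating system can itself be subverted, so this detects a swapped file on a trusted boot medium rather than making an untrusted computer safe.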
legendary
Activity: 2674
Merit: 1083
Legendary Escrow Service - Tip Jar in Profile
July 02, 2014, 05:57:05 AM
#20
I've been using 1.9.8 (not a portable version) on a Tails USB key. You can funnel it through Tor nodes, but it requires for some kind souls to keep an Electrum server up on a Tor node. Unfortunately the .onion/Electrum servers seem to be infrequent.

If you use the -1 switch, it keeps it from trying other servers.

I consider this to be very secure. You could be on the most infected computer in the world, and it can't touch this. A hardware keylogger would be the only possible way to lose your passwords, and Tails has several virtual keyboards or Keepass that will defeat that.

Malware could replace the electrum.exe with one that reveals everything. I suggest not to be incautious.

Why do you need to use onion servers? By using Tor you can still use all normal servers. Or do you want to have a server whose location is unknown to authorities?
newbie
Activity: 19
Merit: 3
July 01, 2014, 07:12:03 PM
#19
I've been using 1.9.8 (not a portable version) on a Tails USB key. You can funnel it through Tor nodes, but it requires for some kind souls to keep an Electrum server up on a Tor node. Unfortunately the .onion/Electrum servers seem to be infrequent.

If you use the -1 switch, it keeps it from trying other servers.

I consider this to be very secure. You could be on the most infected computer in the world, and it can't touch this. A hardware keylogger would be the only possible way to lose your passwords, and Tails has several virtual keyboards or Keepass that will defeat that.
hero member
Activity: 715
Merit: 500
Bitcoin Venezuela
July 01, 2014, 12:35:30 PM
#18
Could you add an image based password?
That would make it perfect, probably.


Be careful with that. The system writes metadata into images (last date opened, last day modified); you will probably lose access to your wallet in a few weeks of use.
legendary
Activity: 2674
Merit: 1083
Legendary Escrow Service - Tip Jar in Profile
June 30, 2014, 11:39:55 AM
#17
Could you add an image based password?

What is that?

Using an image file. But I think it's risky. The system would know files you often use. If you have a hybrid disc it's even easier.