Why are private keys safe? - page 2.

amspir

member

Activity: 112

Merit: 10

Quote from: itod on March 25, 2014, 06:03:32 PM

I know, amspir, how that works, but isn't it that by default in Bitcoin-QT wallet new address is used for a change? My question was how realistic is that change ends up on an imported address?

I use blockchain as my hot wallet, but I keep most of my BTC on paper wallets. Usually, when I buy a large amount of BTC, it goes into a paper wallet.

On my blockchain wallet, when I need some BTC, I import a paper wallet, and write "Exposed" on it, then put it in a separate envelope.

So, in my blockchain wallet, I several addresses that came from exposed paper wallets.

When I send some BTC, I believe it works (not 100% on this) by using the oldest address with a balance on it then using newer addresses until the transaction amount is equaled or exceeded as the input to the transaction. The entire amount from all the source addresses are used as input to the transaction, then an output from the transaction is sent back as change to the newest address (rather than a new address)

If the newest address gets a change transaction, the scammer would watch for this, then sweep it -- if I had imported a scam private key.

DeathAndTaxes

donator

Activity: 1218

Merit: 1080

Gerald Davis

Quote from: itod on March 25, 2014, 06:03:32 PM

Quote from: amspir on March 25, 2014, 05:59:42 PM

Quote from: itod on March 25, 2014, 05:46:04 PM

Quote from: amspir on March 25, 2014, 02:27:54 PM

You do realize that this is a scam attempt. If someone imports a formerly private key into their wallet, and the wallet starts using it for a change address, the scammer simply sweeps the address and steals your money.

I must admit investing 0.22019748 BTC in a long term scam attempt is not a small amount. These scammers are getting serious.

How long until scammer can seriously except that amount of change lands on that address? Even if he gets lucky and gets some change, he has to be the fastest to collect it.

Wrapping my had around the fact that someone is really attempting this kind of scams.

The scammer would be using software to continually monitor transactions on the address, and sweep it as soon as the transaction appeared (send out the spend transaction).

The gullible would import the "private" key into their wallets, thinking they might find some free money on the address eventually, and then forget about it.

I know, amspir, how that works, but isn't it that by default in Bitcoin-QT wallet new address is used for a change? My question was how realistic is that change ends up on an imported address?

In QT client the chance is exactly 0%. Change addresses (and requests for new address) are always pulled from the keypool not active keys.

DannyHamilton

legendary

Activity: 3528

Merit: 4945

Quote from: itod on March 25, 2014, 06:03:32 PM

My question was how realistic is that change ends up on an imported address?

That depends on what wallet you import the address into.

I'm pretty sure that, blockchain.info, and MultiBit use an existing address in the wallet for change.

Furthermore, if the victim forgets that they imported the address, and is receiving bitcoins from someone, there is a chance that they will give out the imported address as a receiving address.

itod

legendary

Activity: 1988

Merit: 1077

Honey badger just does not care

Quote from: amspir on March 25, 2014, 05:59:42 PM

Quote from: itod on March 25, 2014, 05:46:04 PM

Quote from: amspir on March 25, 2014, 02:27:54 PM

You do realize that this is a scam attempt. If someone imports a formerly private key into their wallet, and the wallet starts using it for a change address, the scammer simply sweeps the address and steals your money.

I must admit investing 0.22019748 BTC in a long term scam attempt is not a small amount. These scammers are getting serious.

How long until scammer can seriously except that amount of change lands on that address? Even if he gets lucky and gets some change, he has to be the fastest to collect it.

Wrapping my had around the fact that someone is really attempting this kind of scams.

The scammer would be using software to continually monitor transactions on the address, and sweep it as soon as the transaction appeared (send out the spend transaction).

The gullible would import the "private" key into their wallets, thinking they might find some free money on the address eventually, and then forget about it.

I know, amspir, how that works, but isn't it that by default in Bitcoin-QT wallet new address is used for a change? My question was how realistic is that change ends up on an imported address?

amspir

member

Activity: 112

Merit: 10

Quote from: itod on March 25, 2014, 05:46:04 PM

Quote from: amspir on March 25, 2014, 02:27:54 PM

You do realize that this is a scam attempt. If someone imports a formerly private key into their wallet, and the wallet starts using it for a change address, the scammer simply sweeps the address and steals your money.

I must admit investing 0.22019748 BTC in a long term scam attempt is not a small amount. These scammers are getting serious.

How long until scammer can seriously except that amount of change lands on that address? Even if he gets lucky and gets some change, he has to be the fastest to collect it.

Wrapping my had around the fact that someone is really attempting this kind of scams.

The scammer would be using software to continually monitor transactions on the address, and sweep it as soon as the transaction appeared (send out the spend transaction).

The gullible would import the "private" key into their wallets, thinking they might find some free money on the address eventually, and then forget about it.

itod

legendary

Activity: 1988

Merit: 1077

Honey badger just does not care

Quote from: amspir on March 25, 2014, 02:27:54 PM

You do realize that this is a scam attempt. If someone imports a formerly private key into their wallet, and the wallet starts using it for a change address, the scammer simply sweeps the address and steals your money.

I must admit investing 0.22019748 BTC in a long term scam attempt is not a small amount. These scammers are getting serious.

How long until scammer can seriously except that amount of change lands on that address? Even if he gets lucky and gets some change, he has to be the fastest to collect it.

Wrapping my had around the fact that someone is really attempting this kind of scams.

cp1

hero member

Activity: 616

Merit: 500

Stop using branwallets

Just want to say I told you so

BurtW

legendary

Activity: 2646

Merit: 1138

All paid signature campaigns should be banned.

Well I am glad we got that all figured out.

DannyHamilton

legendary

Activity: 3528

Merit: 4945

Quote from: Kenshin on March 25, 2014, 05:09:12 PM

Quote from: rmines on March 24, 2014, 09:09:17 AM

I'm no cryptography expert myself, but I believe what you describe is known as 'rainbow 'tables'.
In short, there's no use in trying to generate rainbow tables for SHA-256 (the hash algorithm Bitcoin uses) as it would take way too much computing power and storage space.

SHA256 Rainbow table does exist!! But lucky, it is only in 6 - 7 characters.
http://www.cryptohaze.com/gpurainbowtables.php#sha256

Also lucky, it is not enough to just use SHA256 to find address.

You would need a rainbow table that is generated with ECDSA, followed by SHA256, and then RIPEMD-160.

Kenshin

sr. member

Activity: 280

Merit: 250

Quote from: jonald_fyookball on March 25, 2014, 02:30:06 PM

Someone really needs to compile a list of all the ways you can get your coins stolen

I am sure a lot of Unethical Hackers already have a list. Grin

Also Ethical Hacker like myself knows a lot of ways, but I am not going to list them out. Cool

Kenshin

sr. member

Activity: 280

Merit: 250

Quote from: rmines on March 24, 2014, 09:09:17 AM

I'm no cryptography expert myself, but I believe what you describe is known as 'rainbow 'tables'.
In short, there's no use in trying to generate rainbow tables for SHA-256 (the hash algorithm Bitcoin uses) as it would take way too much computing power and storage space.

SHA256 Rainbow table does exist!! But lucky, it is only in 6 - 7 characters.
http://www.cryptohaze.com/gpurainbowtables.php#sha256

cp1

hero member

Activity: 616

Merit: 500

Stop using branwallets

I've never seen a private key that started with a 9, what type is that?

cp1

hero member

Activity: 616

Merit: 500

Stop using branwallets

Here's my private key 5KMWWy2d3Mjc8LojNoj8Lcz9B1aWu8bRofUgGwQk959Dw5h2iyw

jonald_fyookball

legendary

Activity: 1302

Merit: 1008

Core dev leaves me neg feedback #abuse #political

Someone really needs to compile a list of all the ways you can get your coins stolen

amspir

member

Activity: 112

Merit: 10

Quote from: roslinpl on March 25, 2014, 01:34:48 PM

I forgot about it because there was 0 btc on it and it was some kind of joke I was thinking!
I totally forgot! Because I do not use my blockchain.info wallet to revieve or send money, and I import that key over there because I though as for experiment I can do it there, as I do not keep any money there!

You do realize that this is a scam attempt. If someone imports a formerly private key into their wallet, and the wallet starts using it for a change address, the scammer simply sweeps the address and steals your money.

roslinpl

legendary

Activity: 2212

Merit: 1199

Quote from: DannyHamilton on March 25, 2014, 01:55:39 PM

Quote from: roslinpl on March 25, 2014, 01:34:48 PM

I totally forgot about that I DID import private key into my blockchain!

I forgot about it because there was 0 btc on it and it was some kind of joke I was thinking!
I totally forgot! Because I do not use my blockchain.info wallet to revieve or send money, and I import that key over there because I though as for experiment I can do it there, as I do not keep any money there!

look:
https://bitcointalksearch.org/topic/public-knowledge-well-is-open-516987

So, you imported someone else's private key, and then became concerned that someone else had the same private key as you?

Can you please go through all of your recent posts and delete all this alarmist trash before you scare some newbie that thinks this might be a real problem?

Sure I can I just edited my thread about this and in this thread I did deleted those posts.

I am so sorry for that rumor

Eh... but tell me how stupid is to put your private key in public...

and tell me how stupid is to import it and forgot about?

So sorry!

DannyHamilton

legendary

Activity: 3528

Merit: 4945

Quote from: roslinpl on March 25, 2014, 01:34:48 PM

I totally forgot about that I DID import private key into my blockchain!

I forgot about it because there was 0 btc on it and it was some kind of joke I was thinking!
I totally forgot! Because I do not use my blockchain.info wallet to revieve or send money, and I import that key over there because I though as for experiment I can do it there, as I do not keep any money there!

look:
https://bitcointalksearch.org/topic/public-knowledge-well-is-open-516987

So, you imported someone else's private key, and then became concerned that someone else had the same private key as you?

Can you please go through all of your recent posts and delete all this alarmist trash before you scare some newbie that thinks this might be a real problem?

roslinpl

legendary

Activity: 2212

Merit: 1199

Quote from: DannyHamilton on March 25, 2014, 01:06:03 PM

Quote from: ?? on ??

If he is a blockchain.info wallet service user and they create for him same public address as for me, this is going to be huge!

blockchain.info does not create the public addresses and assign them from their servers.

The private key is randomly generated locally in your own wallet. Then your wallet calculates the public address from that private key. Finally your wallet encrypts the private key with your password and sends the encrypted private key to blockchain.info for them to store on their servers.

What device were you using when you created that address and how long ago did you create it?

There was a known problem in the Android operating system a few months ago. Android was not properly generating random numbers. Perhaps you used an android device long enough ago to generate the address and therefore ended up with a non-random private key? If so, and if other users used a similar device long enough ago, then it is possible that due to a faulty operating system multiple people generated the same address.

You didn't import that address from a brainwallet or any other address generating program (such as vanitygen), right?

OK! I am so sorry Blockchain.info and all users!
Look at this!

+100 to blokchain.info

I totally forgot about that I DID import private key into my blockchain!

I forgot about it because there was 0 btc on it and it was some kind of joke I was thinking!
I totally forgot! Because I do not use my blockchain.info wallet to revieve or send money, and I import that key over there because I though as for experiment I can do it there, as I do not keep any money there!

look:
https://bitcointalksearch.org/topic/public-knowledge-well-is-open-516987

I am so sorry .... but at least we prove that Blockchain.info is SECURE!

DannyHamilton

legendary

Activity: 3528

Merit: 4945

Quote from: ?? on ??

If he is a blockchain.info wallet service user and they create for him same public address as for me, this is going to be huge!

blockchain.info does not create the public addresses and assign them from their servers.

The private key is randomly generated locally in your own wallet. Then your wallet calculates the public address from that private key. Finally your wallet encrypts the private key with your password and sends the encrypted private key to blockchain.info for them to store on their servers.

What device were you using when you created that address and how long ago did you create it?

There was a known problem in the Android operating system a few months ago. Android was not properly generating random numbers. Perhaps you used an android device long enough ago to generate the address and therefore ended up with a non-random private key? If so, and if other users used a similar device long enough ago, then it is possible that due to a faulty operating system multiple people generated the same address.

You didn't import that address from a brainwallet or any other address generating program (such as vanitygen), right?

BurtW

legendary

Activity: 2646

Merit: 1138

All paid signature campaigns should be banned.

https://blockchain.info/address/17G7VMdNvAMc6fyvB1C2PxtVVvWgsJ9Mp7

36 transactions
Current value 0 BTC

First transacation: 2014-01-28 18:41:00
Most recent transaction: 2014-03-21 22:13:48

Was it you or the "other guy(s)" that played Satoshi dice with this address?

Which transactions are yours? How many out of the 36 transactions are yours?

Do you (or anyone) recognize this address: https://blockchain.info/address/1Gy2DTd7sXQNLSTrsJE8BYTuoLZdgsVV6D

A pretty good chunk of related BTC dust was collected to this address.

Topic: Why are private keys safe? - page 2. (Read 5037 times)