This is the moment he was building this page for in the first place. The second step is to start using the password strength forms to promote better password hygiene. When people ask why brain wallets are insecure you can show them a website that anyone can use to start guessing phrases. My feeling was that this topic had already been discussed to exhaustion, and there really was nothing new about the problem that was worth discussing.
I would still use multisig for anything extremely substantial, at least once CryptoCorp's wallets come out. You can also explore the Bitcoin Wiki: Maybe they run a brain wallet miner and see significant income from people creating poor brain wallets on their site.
Whoa, so the entire bitcoin system is unsecured. Funny how people get hacked, and then come and say that their setup was so secure that they could be working for the NSA. Go and make an ASIC for it. Would be the most effective way of stealing money: Don't even bother making any.
Just sell a bunch of preorders and then keep telling people they'll ship soon. Rule of Acquisition: Never be afraid to mislabel a product. Just enough to show a YouTube video of it running or looking "like" it's running.
A number of people sent money to '1', as well as any other number up to It's kind of ridiculous. It's like, there's people who actually think about security and about brainwallets and go through the trouble to learn about bitcoin and register at an exchange and buy bitcoin and send bitcoin and all. At which point they have to think of a secure passphrase. It's pretty insane haha. Maybe I can put a warning about brainwallet. Specifically mentioning that because the blockchain has no throttle mechanism, private keys are essentially passwords that can be bruteforced, unlike e.
That means a password used as a seed for a private key has to be MUCH stronger than your typical password at facebook or google.
This post was a reply to someone saying an 8 digit alphanumerical was a good enough password, it's not, it can be broken in less than a second on a typical computer. But it's fine for facebook's online login page, nobody can ever try 3 million passwords there in their lifetime, let alone 3 trillion passwords. Naivete about this is what leads to way too simplistic brain wallets. Dang, if they were going to just give Pretty sure the core dev at brainwallet.
I've got a brainwallet. It's over 50 characters long and mostly pseudo-random. And then you bang your head, get a concussion, and suddenly can't remember your passphrase anymore. That's very rare though. And obviously a password is only as strong as your security questions and your backup email password. So I sing my brain wallets: Sure it's possible, my great grandfather memorized the quran by the age of But I didn't think anyone would want to this day and age: It is possible someone intentionally moved the money through this address for plausible deniability reasons.
Perhaps they thought there was a good chance they would be able to transfer it out first. Which they probably have. They could say to officials, if questioned, however, that they accidentally transferred it there, and because the private key is known, it would be plausible that it was stolen.
Triple the speed of the pentium. I worked in a computer store when that movie came out. We got about a dozen people a day and more on the weekends come in and ask where the clear laptops were. The problem of bots being faster than you is not really a problem as you can prepare the second transaction before publishing the first. You would always have half a second head start over the competition to fill the various transaction pools by submitting both at once.
Sure this is no sport for beginners but it would indeed provide for some decent plausible deniability. Almost as good as ZeroCoin: That's a pretty good theory. I wonder if there have been instances of this with very small amounts. You would think that they would have tested this out a few times to make sure they can do it before an automated system scoops it up.
I'm guessing you can generate both transactions at once, but broadcast the second first. An attacker won't be able to generate the transaction without knowing the details of the first one, and it is very unlikely for them to succeed in replacing the second transaction with their version after it has already propagated.
No, that wouldn't work. All nodes will reject the second transaction as they haven't heard of the first yet in their mempool. Practically, I see it being very difficult to about-guarantee that you will get it to work with at least automated nodes trying to spend it away.
True, but the way I'd do it is generate the two transactions before broadcasting any, and then broadcasting both as good as simultaneously the second right after the first.
You'd have the advantage of not wasting time by monitoring, and not having a propagation delay by needing to wait for the first transaction. It's a dangerous game to play. The front running others describe is also difficult if pools are abusing this because a pool can do this: If they mined their own block, then neither transaction would touch the network until they had 1 confirmation. Then the only risk is that their block becomes orphaned.
What's fascinating is that it was gone within a second. Somebody really knows their shit. I once had a script written that scans random dictionary words for brainwallets and imports them - I found many thousands with old transactions. I did that too. I generated thousands of private keys and addresses based on the most common dictionary words.
Then I ran a script to watch them, and also found many with past transactions, but every single one had a zero balance. Basically the same thing you found. In order to beat them you really have to monitor thousands of nodes and basically front-run them. Were you trying to steal coins from those addresses or were you just running an experiment to see how many you can find? Honesty is the best policy.
What would you do if you somehow stumbled over the private key for "missing" MtGox coins? Well, here's the thing. Let's say you stumble upon a significant amount of money. So you know the owner isn't poor. If you take half and spend it saving lives or improving the human condition without taking anything for yourself, while it's still stealing, it might be justified. I struggle with clearly defining where the lines are.
But is it still considered stealing? I mean all you did was find the right private key using the right calculations.
The coins you would get weren't yours so yes it's stealing. Programmer's curiosity made me want to do try this too but my conscience wouldn't let me. It's like if you figured out the code for a safe, it's still stealing if you take all the money from it.
It might still not be moral or perhaps legal, but it's not stealing to have a look. So it's actually more of a transparent safe so you can see the content but it's still a lock on it. You can prepare both transactions to and from and put it into the same block if you are miner. Then, the only risk is that your block will be orphaned and somebody will use the first of your transactions and not the second one in a block that will end up in blockchain.
All they do is watch transactions as they are sent on the network with a simple bitcoind node. When they see a transaction that matches a list of known addresses that they have keys to they submit a transaction that spends from the address. It will most likely be included by the miners AFTER the one just seen and therefore be later in the same block. That is why it happened in the same second - it was mined in the same block.
Anyone else getting there later will be treated as a double spend because this one was logged first. If they don't do it like that, somebody who does will find that transaction earlier, and will spend it first. There are some optimizations to help ensure being first. You would increase your peer count so that you are listening to more nodes and will "hear" it first. That makes it very fast: only a few byte comparisons to match.
Then, relay the original transaction and your spend directly to several of the biggest pools since they are most likely to mine it and you want them to arrive in correct order and before others.
You keep a hash table of all the public addresses you know the private keys for. Run all the public keys for every transaction you see on the net through the hash table. If you find a matching transaction which moves money into one of these known addresses you generate an equal spend to one of your accounts and send it out.
Would take fractions of a second to execute across even millions of known addresses. I don't think you need a vast network, just a full node and some crafty programming. I suppose competing with others doing the same is something to consider.
Sure, you can generate a "probably secure" brainwallet, but computers are constantly trying to break them, so you better be confident your method and seed won't be guessed today or in the future. I think people underestimate the computing power behind brute forcing brainwallets, and so I called them a bad idea. No, that's why brainwallet. If they added a million rounds of hashing before generating private keys, and wouldn't allow short passwords, that would stop most of these attacks.
It probably wouldn't stop the attacks on the addresses generated by the single English words, but it would make even 4-word phrases impossible to bruteforce. Electrum does the same with its seed stretching: Electrum hashes the seed times; the technique is called "key stretching". The seed also has bits of entropy; custom seed length was also in the works last I checked.
Well there are also other reasons why there should be at least one round of hashing, but yes, key stretching effectively makes brute forcing take longer. Does it matter how many rounds you do? The attacker only needs to do the hash one time, then just watch for any transaction to that address in the future. Yes, it matters, because it makes the creation of a large database of keys a million times more expensive.
If before it took you a month to do all 4-word combinations, it now would take 83 thousand years. There are half a million to a million words in English dictionaries alone. That's not even counting things like scientific plant and animal names. And then there are other languages. And it's pretty much impossible to do all word combinations. Not even 6-word combinations. Not even if you have all the computers in the world in your botnet. The following is an excerpt from "Getting Started With Bitcoins" at http: Devise a lengthy phrase that only you could possibly know.
Do not publish it! Now generate a key-pair from the passphrase. But then delete all record of the private key itself. Do not write it down. Do not print it. Do not save it in a flash drive.
Do not encrypt it or put it in the cloud. Do not put it into any computer, whether connected to the internet or not. Whenever you want to spend your coins, use the same phrase with the same app to generate the same key-pair again. Of course, such serious security applies only to your savings or nest-egg stashes (good to have more than one nest-egg stash).
If you lose the device or its private key becomes known, you will lose only spending money. Ultimately you end up with a conundrum: Pick 12 random words. With a bit of effort no human will have any trouble remembering 12 random words. A bit random key and bits is considered more than enough security has fewer combinations:
Even if we limit ourselves to the 45, words that the average high school graduate knows, that's still a massive number: A HUGE problem with your calculation is that the average person can likely only recall around 10, words easily even if they are able to recognize 45, It would be interesting to setup a Web site where users think up 12 English words at random.
Then give them a score based on how unique their choices were. My guess is that there would be a relatively small set of commonly chosen words, which many people thought were unique, that could be used to greatly reduce the time needed to brute force brain wallets. Your fundamental argument seems to be that it's better to use a technology that requires you to remember something and store something (BIP 38) than something that just requires you to remember something (brain wallets).
In security circles, this is basically 2-factor. The 3 possible factors are "something you have", "something you know", and "something you are". BIP uses the first two. Increased security correlates closely to decreased ease-of-use. And so you are basically running the risk of increasing the likelihood that the money will be lost forever with BIP, because, in addition to losing the "thing you know" causing a loss, you can also lose everything by losing the "thing you have". The counter to this argument is that BIP reduces the likelihood of losing the "thing you know" because it can be much simpler.
But if it is possible for someone to memorize a secure passphrase as simply as memorizing a short BIP passphrase, then your final statement is incorrect.
I contend that there are a few rare individuals for which it is as simple to remember a secure passphrase as a BIP shorter passphrase, which means that your final conclusion is wrong. I don't believe it's possible to memorize a secure brainwallet passphrase.
If your brainwallet passphrase is secure enough not to be cracked then it's too complicated to memorize. Equally if it's simple enough to memorize then it's simple enough to crack. Given you can't memorize the passphrase, you have to write it down. At which point BIP38 is superior. My nine addresses in my lifetime are committed to my memory, known only to me, and are a perfectly safe brain wallet. Three of them are in databases nowhere. A 4th one, you'd have to find an apartment that no longer exists, on a road that has changed names.
Since we can't wait that long we'll have to use analytics instead - you're no doubt unwilling to reveal your passphrases anyway ;) The basic idea is this: Work out how much entropy a brainwallet needs to have 60 bits? You'll find that they cannot do it, not reliably anyway. The TL;DR is that whilst it might work for one or two people with great memory skills, you simply cannot recommend this approach to general users.
Fortunately we have BIP38 which is much easier to use and designed to be safe by default. That was actually my point - that your statement that "There's never a reason to use brainwallets over BIP38 wallets." And Siths speak in absolutes. The TL;DR is that whilst it might work for one or two people with great memory skills, you simply cannot recommend this approach to general users. Ok fair enough - I should have originally said: For completeness there is another use case: If you're in a situation where you're unable to store a paper wallet perhaps you're a north Korean dissident or Ross Ulbricht then yes brainwallets are your best bet.
I find that hard to believe. Actually, let me try to memorize it. Okay, that took less than 15 minutes, going in short chunks and putting them together. To commit it to long term memory would take further repetition of course. Please note that the given password has bits of entropy. You've not demonstrated your ability to recall it in 2 years time. Nor would your anecdote prove much even if you had. I don't dispute that it's possible, but I do dispute that it's easy for most people.
Electrum's word seeds have bits of entropy and can be memorized quite easily. Since Bitcoin's bit ECC keys have a security margin of only bits themselves, there is no loss of security. Your point is therefore invalid, unless you can prove that learning 12 words is beyond human capacity. Even then it's not guaranteed that you'll recall it. More to the point, why on earth would you bet on your memory being lucid in 10 years time?
BIP38 is simple and safe and carries far far less risk. BIP38 requires possession of a file or physical object, with all the associated downsides (potential loss, theft, destruction). Memorizing 12 words is easy, if you can't do it, you can't be trusted to remember where your piece of paper was either. Until you're in a vehicle accident and find after a coma you really can't remember much. It is perfectly possible to generate a safe brainwallet pass phrase.
There are a lot of people on this sub who love talking about information entropy and all that without even understanding how the concept works.
The concept of entropy is closely related to the concepts of search space. For instance, let's imagine you don't understand what a car is. If my brainwallet was a word taken from the information space of car names, that would be trivial to crack for someone who knows the search space in advance but it would provide no entropy reduction to someone who doesn't understand what the hell a car is.
In other words, if something is known to me and only me e. If an entropy reduction event doesn't occur, you have no hope of guessing a sufficiently complex pass phrase. What if you find yourself in a fucked up situation and all you have is a cell phone?
I wouldn't want to be locked out of my funds like that. The cost of using BIP38 outweighs the benefits if your brainwallet is safe enough. Ok so the problem with domain specific stuff is that it's very hard to calculate the entropy involved.
Case in point there was someone who used Icelandic poetry or similar as his brainwallet and had his coins stolen. He believed that his domain was obscure enough to give free entropy. Perhaps your domain of Twilight movie dialog lines [or whatever] is secure, it's almost impossible to measure without giving it away - at which point you compromise yourself.
Why make this bet for your life savings? It's foolish, the downside is huge and you will never know if you are safe. Just use BIP38 instead. I understand your points well but I guess it comes down to whether you value ease of use over security or vice versa.
And I'm of the opinion that if your brainwallet is secure enough, BIP38 adds no value (by secure I mean something that only your brain can construct, not obscure poems in Afrikaans).
Furthermore, I like having the ability to spend my coins just by passing my pass phrase into the sha function. There's a millisecond sleep in the Bitcoin peer's message processing loop. There has been speculation that the attacker could beat regular peers by avoiding this loop: This seems plausible to me. One puzzle is that Mt. Gox announced their difficulties on Feb 7, and then explained Feb 10 that they were stopping withdrawals due to a malleability attack.
One possibility is there was a different type of malleability attack that affected Mt. It would be interesting to get the hash for one of the affected transactions from before Feb 7, to see what was going on. Around the same time as the malleability attack, many people received tiny payments from 1Enjoy and 1Sochi addresses. I believe all these payments were rejected by miners as junk and remain unconfirmed.
As far as I know, there is no connection between these tiny spam payments and the malleability attack, but the timing is suspicious.
You are an "evil genius", Ken. For the record, I understand that some Bitcoin fanatics despise you -- because you keep yanking the covers off their magical little world and exposing the innards. And as you've demonstrated, the innards are a bit dodgy. This attack was rumored to be run by some Russian hackers for "lulz", using a "known vulnerability" - known to very few people. It caused quite a stir. I'm not so sure Bitcoin fanatics despise Ken.
He's incredibly informative and unbiased. His views on Bitcoin are not negative, either. I think you might be projecting or imagining things.
Wonderful content, please keep it coming! Why do you think Bitcoiners despise Ken? Quite to the contrary, every single Bitcoin supporter I know including myself think his blog posts are awesome!
There's been a dearth of good information on the Bitcoin protocol available on this low level, and many of us are totally eating it up. Keep it up, Ken! I've been passing your links around to all the engineers and devs interested in Bitcoin that I know.
If you didn't do the latter, you probably have missed some examples of malleability. Secondly the two "weird" transactions you mentioned are perfectly valid, if non-standard, transactions. The second is a valid multisig output, and can be spent by providing 14 signatures with the "correct horse" pubkey. If the "correct horse" transaction I found earlier is valid, then I guess.
This Bitcoin culture is a hacker culture. We value accurate information openly and honestly presented. Where there are flaws, we want them discussed and, hopefully, fixed. We know that Bitcoin is an ongoing experiment. Ken represents the best of that culture. Does anyone have an idea how many modified transactions were injected in to the network? I'm not sure but There are actually 20 public keys for correct horse listed but only 14 pushed into the stack.
Is that still a valid transaction? If it is I must have been doing something wrong. An actual insightful, useful analysis of what happened. Of course it got buried under all the sensationalist crap on Reddit. I remember someone on reddit asking for a 'malleability bot' shortly after the MtGox press release, so it's likely multiple people got the same idea at the same time.
Their software was creating transactions with extra padding in the DER encoding of the signatures 2 in https: So all the 'attackers' did was remove this extra padding and their version of the transaction was accepted.
No need for pushdata mutations. You should be able to set up a pretty good regex to find every "odd" transaction. If you use bitcoind decoderawtransaction you'll see the script does have "20" in the right places. I also scanned for "odd" transactions in the blockchain.
There are roughly a zillion of them, in a huge variety. It's hard to conclude anything except people do a lot of crazy stuff with the Bitcoin protocol. This is really interesting, although I don't really have the knowledge to fully understand it all.
12 Feb Interestingly, the sibling transaction wasted BTC in a broken MULTISIG transaction with the "correct horse battery staple" public key. I conclude that someone was trying out strange things on Feb 4, including the rare OP_PUSHDATA2 instruction. Was this debugging for the malleability attack a few . While coming up with my pass-phrase (derived from a painting above my desk, including a proper name and a number), I remembered this xkcd comic: I wondered if anyone had established an address with the punchline "correct horse battery staple" and I knew the answer before I even.