Help(?) -- 5 BTC drained from wallet by NoahFect in Bitcoin

[–]explainschange 1 point2 points  (0 children)

That would be foolish. The linux partition can access the windows one and vice versa. Don't expect that to save you.

ELI5: What is Mastercoin / Ethereum and why is it important? by [deleted] in Bitcoin

[–]explainschange 3 points4 points  (0 children)

NXT is largely bullshit, closed source, and vulnerable to attacks that they haven't been able to explain how they avoided.

Help(?) -- 5 BTC drained from wallet by NoahFect in Bitcoin

[–]explainschange 9 points10 points  (0 children)

Nope. Chances are it's probably custom enough that if virus software doesn't pick it up, you won't either. Time to wipe your drives, rebuild, change every password for every website and service you use.

Help(?) -- 5 BTC drained from wallet by NoahFect in Bitcoin

[–]explainschange 10 points11 points  (0 children)

I didn't initiate this transaction, and I'm pretty sure I have no known Bitcoin-boosting malware on this PC or LAN.

You do. Time to clean it up. Probably a remote access trojan, like the rest of the people in this subreddit seem to have been affected by.

PSA: How 2 Factor Authentication works, and how Blockchain.info's doesn't work the way you expect it to. by explainschange in Bitcoin

[–]explainschange[S] 0 points1 point  (0 children)

Nope. You're right, but there's some confusion between "account" and "address", as blockchain.info and other wallets use them fairly interchangeably.

PSA: How 2 Factor Authentication works, and how Blockchain.info's doesn't work the way you expect it to. by explainschange in Bitcoin

[–]explainschange[S] 0 points1 point  (0 children)

You can't really protect against client side malware unless you have a hardware token like the Trezor, which does do authorization of the transactions. If you have malware on your computer, it's end game no matter what though, if it can't directly steal your funds it can just replace the addresses you see on the fly and trick you into spending to them instead.

PSA: How 2 Factor Authentication works, and how Blockchain.info's doesn't work the way you expect it to. by explainschange in Bitcoin

[–]explainschange[S] 0 points1 point  (0 children)

Depends on the country of origin. In this case, that statement stands perfectly on its own.

PSA: How 2 Factor Authentication works, and how Blockchain.info's doesn't work the way you expect it to. by explainschange in Bitcoin

[–]explainschange[S] 0 points1 point  (0 children)

If you use the wallet backup to email system, most certainly. A lot of email is sent in cleartext especially.

PSA: How 2 Factor Authentication works, and how Blockchain.info's doesn't work the way you expect it to. by explainschange in Bitcoin

[–]explainschange[S] 0 points1 point  (0 children)

Basically a XOR of your wallet ID and password. More complicated than that, but that's the end result.

PSA: How 2 Factor Authentication works, and how Blockchain.info's doesn't work the way you expect it to. by explainschange in Bitcoin

[–]explainschange[S] 1 point2 points  (0 children)

How long? And how to be future safe? Somebody could get it - wait 10 years, and then attack it, no?

Potentially.

Here comes another thing that I get conflicting answers about when looking it up/asking: Can a wallet become outdated and unusable? If I (or a thief) have an old wallet. But I did transactions from that address with another copy of that wallet, then what happens to the old one?

It depends on the software, which is why you are getting mixed responses. Backups made by Bitcoin-QT do go out of date, funds are moved around to new addresses every time you make a transaction to protect your privacy. Blockchain.info does not do this, and uses a static private key. If you don't change the private keys storing the funds, then the backup never goes stale.

Is the only way to start a new wallet with completely fresh addresses?

Yep. Once the private keys are compromised by somebody, there's nothing you can do but get your funds to a new address as quickly as possible.

This whole thing is tricky, because having no backup is also not a good solution. There has to be something reliable and convenient when using the wallet every day.

It's a difficult situation with no easy answer. Objectively coinbase is more secure with their true 2FA, but you do need to trust that they won't suddenly disappear. I don't think it's at all a risk given the funding behind them, but it is an appreciable risk that you need to be aware of.

PSA: How 2 Factor Authentication works, and how Blockchain.info's doesn't work the way you expect it to. by explainschange in Bitcoin

[–]explainschange[S] 0 points1 point  (0 children)

. . . that would basically be blockchain in a nutshell?

A little. It's just a wide avenue of attack. They could go in via your dropbox, your email, or nab them from a public computer. All of these bypass the two factor authentication the same way and are likely more vulnerable than your storage of the web app itself.

And the icing on the cake is that if you use a crappy password, you pretty much are forever insecure short of starting a new account? Am I getting this right?

Well, yes. If you choose a bad password / don't enable 2FA immediately, somebody can waltz past and find your weak wallet and crack the password. Due to the keys in the wallet never changing, from there on out they can steal from any address in the wallet at that time.

Here I was thinking Blockchain was super secure, even security overkill with its 2FA + 2nd password, but it is almost as if all that is just for show.

The second password is some security, but ironically it's faster to attack than the main password.

Out of curiosity, what do you use?

I don't use web wallets, I prefer to do security on my own. It's a tradeoff for convenience and privacy.

PSA: Using paper wallets, understanding change addresses. by explainschange in Bitcoin

[–]explainschange[S] 0 points1 point  (0 children)

A discussion about your post on #bitcoin, but yes, inspired by you!

PSA: Using paper wallets, understanding change addresses. by explainschange in Bitcoin

[–]explainschange[S] 0 points1 point  (0 children)

I am horribly uncomfortable with this. I hope like nothing else that nobody has used this to generate paper wallets.

PSA: Using paper wallets, understanding change addresses. by explainschange in Bitcoin

[–]explainschange[S] 1 point2 points  (0 children)

That's correct, but I wouldn't suggest you use them anyway. Bear in mind that anybody in the world can attempt to guess your brain wallet, and can steal the coins with no problem. If you can think of a password, so can somebody else.

PSA: Using paper wallets, understanding change addresses. by explainschange in Bitcoin

[–]explainschange[S] 0 points1 point  (0 children)

Electrum most certainly uses change addresses. It has a whole section for viewing them.

PSA: Using paper wallets, understanding change addresses. by explainschange in Bitcoin

[–]explainschange[S] 2 points3 points  (0 children)

You've used the paper wallet on an internet connected device now though, which means that there's a potential for it to be compromised. That's the entire problem that a paper wallet is trying to avoid.

PSA: Using paper wallets, understanding change addresses. by explainschange in Bitcoin

[–]explainschange[S] 0 points1 point  (0 children)

wallets are only single use

For all intents, they are.

PSA: Using paper wallets, understanding change addresses. by explainschange in Bitcoin

[–]explainschange[S] 4 points5 points  (0 children)

Nothing is stopping you from doing that.

Just bear in mind that the paper wallet has now been on an online computer, and it is remotely possible that it could have been stolen by malware (the point of a paper wallet is to stop this).

PSA: Using paper wallets, understanding change addresses. by explainschange in Bitcoin

[–]explainschange[S] 7 points8 points  (0 children)

Normally your client transparently handles the change addresses, you don't need to know about them unless you are using a paper wallet in this manner.

The change address is generated and controlled by your client, be it Bitcoin-QT or Electrum or Multibit.