Hacker News new | ask | show | jobs
by nwh 4484 days ago
Oddly enough, the website brainwallet.org which is used to create most brainwallets seems to be in itself malicious. nullc on reddit makes an interesting comment about it.

 > "Yes, the creator of Brainwallet.org got his start with password based private keys by cracking them. Here is an old IRC log extract I pulled out for someone else who didn't believe this: https://people.xiph.org/~greg/brainwallet.txt*

  More recently he really was in IRC asking for information on faster cracking mechanisms, right after whining about needing money. But uh, he might have just been trying to further convince himself that brainwallets really are secure and that it's really the users fault (or a MITM on the site) when they get robbed.

  I'm less inclined to assume malice, and more inclined to assume that he's clueless— both of the insecurity of these schemes, the acceptability of blaming the victims when users inevitably choose poor keys, and how scammy his own actions look. But thats just my own impression.

  When you choose to use something like that you should start with the assumption that the creator is malicious and ask yourself why its safe to use anyways. For the Bitcoin reference software you can point to the large amount of open public review, processes which prove the binaries agree with the source, etc. For brainwallet.org? Not much.

  So if ever you find the prospect that the creator of something might be a bit black-hat and this concerns you thats potentially a red-flag."

Probably more concerning, the first "random" key the website displays is "correct horse battery staple", which people get their funds stolen from almost constantly.

http://blockr.io/address/info/1JwSSubhmg6iPtRjtyqhUYYH7bZg3L...
2 comments
nadaviv 4484 days ago
"correct horse battery staple" is a reference to xkcd [0]. Its not meant to be "random" and not meant to be used by anyone. I assume that people who send funds to that address are fully aware that anyone can access them.

[0] http://xkcd.com/936/

link
nwh 4484 days ago
I doubt it, they've sent almost 5BTC over 2300 transactions to that address so far. I personally know somebody who got caught out with it, and another with the static change address in the transaction view of the same site.
link
3pt14159 4483 days ago
That is because when we explain brain wallets to people we use that phrase as an example and then show how quickly the coins are stolen.
link
ChuckMcM 4483 days ago
It would be an interesting way to launder the block chain.
link
LyndsySimon 4483 days ago
It's been done.

About a year ago, I generated the Bitcoin addresses derived from single-word passphrases in the English language. I then came across a "top 1000 passwords" list from a large site hack, and added those as well.

Finally, I set up a script that watched Blockchain.info's Websockets endpoint and checked every destination address against the list.

I quickly noticed that there were a large number of ~0.05 BTC transactions to these addresses, and a network analysis showed that many of them ended up in the same handful of addresses. Those addresses were tagged on Blockchain.info as being the destination for coins used to buy off the writer of the ransomware that was making the rounds at the time.

None of the money sat at those addresses for more than a couple of minutes. I'm fairly sure that the coins aren't being stolen from those addresses, but merely quickly run through in a feeble attempt to launder coins.

ETA: I suppose I should add that I didn't take any balances. I was merely satisfying my own curiosity.

link
httpagent 4483 days ago
nullc on reddit == Gregory Maxwell

https://github.com/gmaxwell

link