justusranvier



Re: Armory - Discussion Thread
October 02, 2014, 03:11:35 PM #4142

Quote from: segeln on October 02, 2014, 02:58:29 PM
> What about antimalware/antivirus programs like Norton, Kaspersky, Avira, McAfee?
> Could they detect that malicious software, when it is widespread and known?

No.

USB firmware exploits happen outside the control of the CPU and any software that may be running on it.

For now, you should probably use CD-Rs to move unsigned transactions across the air gap and discard them after each use.

There might not be any exploitable CD drive firmware vulnerabilities that can be triggered by malicious data on a disc. Maybe.

SimonBelmond



Re: Armory - Discussion Thread
October 02, 2014, 03:13:49 PM #4143

Quote from: Perlover on October 02, 2014, 02:17:50 PM
> I don't know whether somebody has written about this here or not.
> But I think Armory and other programs could have a potential vulnerability.
>
> For example, what if your computer with Armory installed (watch-only wallet mode) is infected with a trojan/virus which modifies a receiving address in Armory's interface? How can I trust my online watch-only computer that all generated addresses are my addresses? What if a trojan/virus modifies the installed DLLs/shared libraries of Armory and substitutes the watch-only generated addresses or seed with the hacker's? If I send money to a generated address, how can I be sure that this address is my address for the private key on the offline computer? :-/
>
> What do developers think about this?

I just double-check the address before broadcasting. That's more or less all I can do. Of course you could take apart the unsigned and signed transaction before broadcasting. However, as long as I don't hear anything else I consider it safe enough...

Perlover



Re: Armory - Discussion Thread
October 03, 2014, 04:10:20 PM #4148

Quote from: SimonBelmond on October 02, 2014, 03:13:49 PM
> I just double-check the address before broadcasting. That's more or less all I can do. Of course you could take apart the unsigned and signed transaction before broadcasting. However, as long as I don't hear anything else I consider it safe enough...

I am talking about getting the address for receiving bitcoins from Armory. It's not needed for broadcasting...

I think you are talking about sending bitcoins...

Ente



Re: Armory - Discussion Thread
October 03, 2014, 08:42:43 PM #4149

Quote from: Perlover on October 02, 2014, 02:17:50 PM
> I don't know whether somebody has written about this here or not.
> But I think Armory and other programs could have a potential vulnerability.
>
> For example, what if your computer with Armory installed (watch-only wallet mode) is infected with a trojan/virus which modifies a receiving address in Armory's interface? How can I trust my online watch-only computer that all generated addresses are my addresses? What if a trojan/virus modifies the installed DLLs/shared libraries of Armory and substitutes the watch-only generated addresses or seed with the hacker's? If I send money to a generated address, how can I be sure that this address is my address for the private key on the offline computer? :-/
>
> What do developers think about this?

I totally agree on that.

So, I try to pay a bitcoin to my landlord.
How do I get his address? Via his website, or mail, or I noted it down in my Armory address book.
All of these can be easily replaced, without noticing, by malware.
Malware might also change stuff so the change address isn't mine, but his. Not sure about that though.

That is no Armory-specific or even Bitcoin-specific problem. Same problem arises with regular bank account transfer, if I don't know the account details by heart.

The only thing Armory can secure, and does so well, is that you only lose that one transaction. As soon as your landlord kicks your butt, you know something is wrong with your computer. All other coins should still be safe on the offline computer.

Please, someone tell me what I overlooked here?

Ente

cypherdoc



Re: Armory - Discussion Thread
October 03, 2014, 09:27:35 PM #4150
Last edit: October 03, 2014, 10:29:35 PM by cypherdoc

can someone remind me how to check the signature of the offline *.deb installer?



i'm able to check the sha256sum of the initial downloaded *.tar.gz file but can't remember how to check the sig. is it done on the online or offline computer?



Edit: running the dpkg-sig against the armory*.deb extracted from the *.tar.gz for 0.92.1 is unsuccessful.

laurentb



Re: Armory - Discussion Thread
October 04, 2014, 12:13:50 PM #4154

Quote from: K1773R on October 04, 2014, 10:57:24 AM
> when can we expect a git update + signed tag?

Yes, please provide at least a git tag.

A while back I asked for simple tarballs, but at least with the git tag I can get them from GitHub.

You're making it impossible for distribution packagers - and this is why 0.92.2 didn't end up in the Gentoo Overlay.

josephbisch



Re: Armory - Discussion Thread
October 04, 2014, 01:13:14 PM #4155

Quote from: laurentb on October 04, 2014, 12:13:50 PM
> Yes, please provide at least a git tag.
> A while back I asked for simple tarballs, but at least with the git tag I can get them from GitHub.
> You're making it impossible for distribution packagers - and this is why 0.92.2 didn't end up in the Gentoo Overlay.

I agree. I am working on getting Armory into Debian and the git tag or a tarball makes my job easier.

cypherdoc



Re: Armory - Discussion Thread
October 04, 2014, 07:25:02 PM #4158

Quote from: etotheipi on October 04, 2014, 03:37:08 AM
> If that's the case, then just grab the correct .deb not from the offline bundle. It's the same thing, but should be signed.
>
> On the other hand, if you check the hashes file, that will be accurate. That lists the hash of the tar.gz with whatever .debs are in there, signed or not. Even though the .deb itself was not signed, the bundle was created on the same secure machine, hashed, and put in the sha256 file which is signed.

in regards to a fresh install of offline bundle:

hash is good for *.tar.gz:

Code:
cypher@ubuntu:~/Downloads$ sha256sum armory_0.92.3_offline_ubuntu_12.04-32.tar.gz
1702a46db8263411ca0e639943f7e7cf33ad8dea365c9252457b8288b149c057 armory_0.92.3_offline_ubuntu_12.04-32.tar.gz

but, if not in the extracted Offline Bundle folder, where do i grab the armory_0.92.3_offline_ubuntu_12.04-32.deb against which i can run the dpkg-sig --verify *.deb?
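
The chain etotheipi describes in the quoted reply (a signed hashes file that lists the tar.gz hash), sketched as an added example that is not part of the thread or Armory's own tooling. It assumes the hashes file is GPG-clearsigned, uses sha256sum line format, and that the signer's public key is already in the keyring; the function names and file arguments are hypothetical.

```bash
# Added example; file names passed in are placeholders, not Armory's.

# signed_body FILE: print only the text covered by a valid clearsign
# signature. gpg exits non-zero if the signature is bad or the key unknown.
signed_body() {
    gpg --batch --decrypt "$1" 2>/dev/null
}

# check_bundle HASHLIST BUNDLE: HASHLIST holds sha256sum-format lines
# ("<hex>  <name>") that were already signature-verified.
# Returns 0 on match, 1 on mismatch, 2 if the bundle is not listed exactly once.
check_bundle() {
    local list="$1" bundle="$2" name want got
    name=$(basename -- "$bundle")
    # Exact match on the file-name field; drop sha256sum's optional '*' marker.
    want=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f) } f == n { print $1 }' "$list")
    [ "$(printf '%s\n' "$want" | grep -c .)" -eq 1 ] || return 2
    got=$(sha256sum -- "$bundle" | cut -d' ' -f1)
    [ "$got" = "$want" ]
}

# verify_release SIGNED_HASHES BUNDLE: the full chain. The hash comparison
# only runs on text that gpg confirmed was inside the signed region.
verify_release() {
    local body rc
    body=$(mktemp) || return 1
    signed_body "$1" > "$body" && check_bundle "$body" "$2"
    rc=$?
    rm -f "$body"
    return "$rc"
}
```

Comparing against the output of gpg rather than grepping the .asc file directly matters because text placed outside the signed region of a clearsigned file is not covered by the signature.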