antonimasso



Multisig Address UTXO spent (hacked) August 25, 2014, 06:45:11 PM #1



Hello,

My Multisig address I'm using for testing purposes has been used to send the funds to an address by a TX I did not generate (1ENnzep2ivWYqXjAodTueiZscT6kunAyYs).

https://insight.bitpay.com/address/3KZriXF1KJB5edEXwM5TdByaFEtgRd5VyE

Can Multisig addresses be hacked in any other way than knowing the private keys of at least two public keys? I used very simple passwords to generate the public keys. Could this person have used an application that uses multiple private keys to test and build a valid TX?



Thanks

antonimasso



Re: Multisig Address UTXO spent (hacked) August 25, 2014, 06:55:49 PM #3

I did use extremely simple passwords. I guess he just brute forced the private keys, generated the Multisig address and if it contained UTXO sent them to his account.

DannyHamilton



Re: Multisig Address UTXO spent (hacked) August 25, 2014, 07:28:55 PM #9
Last edit: August 25, 2014, 08:03:05 PM by DannyHamilton

Quote from: antonimasso on August 25, 2014, 07:24:04 PM
> Wouldn't it take a huge amount of time & resources to brute force the private key of a public key generated with such a long password?



Brute force? Yes.



But, because humans are VERY bad at doing things in a completely random way, a program can be written to take advantage of biases in human thought and human behavior. Such a program could significantly reduce the search space necessary to find the password used.



At the moment, an arbitrarily long password might be sufficient for short term storage, but since private keys can be randomly generated, why bother with such long and indecipherable passwords (which may fall to weaknesses in the future)? Wouldn't it be simpler to just randomly generate a private key?

amaclin



Re: Multisig Address UTXO spent (hacked) August 26, 2014, 04:17:28 AM #11
Last edit: August 26, 2014, 04:59:30 AM by amaclin

Quote from: antonimasso on August 25, 2014, 06:55:49 PM
> I did use extremely simple passwords. I guess he just brute forced the private keys, generated the Multisig address and if it contained UTXO sent them to his account.



Multisig redeem script contains public keys.



this was your transaction:



https://blockchain.info/tx/18eae575e18c47d5b8c14fddbe7e31299359cc5d3ce23f9c64a2af0fc0817806

public keys are:



Code:
"043394c36007889341b06434535adbb6d9ff8d54f0a075f660f9a15c5c160bd24eb8f9bd98d32e3b6624d1fefa360496d8a98f8ee2e558e6d0e385ff1afc2b70b7"
"049b0ee70d754c419be928df649029004bbffbe1f0a3a5b60f2c5141eb4e109438b8bfb6f68776d4632bbfa9ce2646388d4f436a350fa0fa3d9fd0ecd83a63da25"
"0491e379d32b48a0fde8e7923a41d6b2004636aabb9b47efc564770d582e59714c8594e592fc6f17b25afbd912f0750e66a2744c73776b88f42c63fdc338d29bbf"



it was not too difficult to check associated private keys for these public keys



two of three to redeem:

Code:
{ "5JAimMxne7A62i25P7MjjX37d5WCK3dUzgzmUSzqPdKstqjY2nx", "141995JqUd7VkHfggTKqPSPvK3deuinbit", "billgates" },
{ "5KS5cGrx2uvFjMgnvQSeyajtS7CAhhCfLxQrx7xFrJ5VETLRVGT", "126zmC4XSu5nFU7bYZVwEn9iVc82MXk15B", "aznar" },



Quote
> Any bitcoins sent to such an address or public key are very likely to be quickly stolen.

Unfortunately, my script had a bug

No luck yet
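Added example (not part of the original thread): a parser showing what amaclin means by the redeem script containing the public keys, which is the data a P2SH spend publishes on the blockchain. It assumes the standard OP_2 <key> <key> <key> OP_3 OP_CHECKMULTISIG layout with the keys in the order listed in the post; the function names are illustrative.

```python
# Added example; the key order inside the script is an assumption.
OP_1, OP_16, OP_CHECKMULTISIG = 0x51, 0x60, 0xAE

# The three public keys listed in the post (65-byte uncompressed encoding).
PAGE_PUBKEYS = [
    "043394c36007889341b06434535adbb6d9ff8d54f0a075f660f9a15c5c160bd24eb8f9bd98d32e3b6624d1fefa360496d8a98f8ee2e558e6d0e385ff1afc2b70b7",
    "049b0ee70d754c419be928df649029004bbffbe1f0a3a5b60f2c5141eb4e109438b8bfb6f68776d4632bbfa9ce2646388d4f436a350fa0fa3d9fd0ecd83a63da25",
    "0491e379d32b48a0fde8e7923a41d6b2004636aabb9b47efc564770d582e59714c8594e592fc6f17b25afbd912f0750e66a2744c73776b88f42c63fdc338d29bbf",
]


def build_multisig_script(m: int, pubkeys: list) -> bytes:
    """OP_m <push key>... OP_n OP_CHECKMULTISIG, using direct pushes (<= 75 bytes)."""
    script = bytes([OP_1 + m - 1])
    for hexkey in pubkeys:
        raw = bytes.fromhex(hexkey)
        script += bytes([len(raw)]) + raw
    return script + bytes([OP_1 + len(pubkeys) - 1, OP_CHECKMULTISIG])


def parse_multisig_script(script: bytes) -> tuple:
    """Return (m, [pubkey hex]) or raise ValueError if not standard m-of-n."""
    if len(script) < 3 or script[-1] != OP_CHECKMULTISIG:
        raise ValueError("not a CHECKMULTISIG script")
    if not (OP_1 <= script[0] <= OP_16 and OP_1 <= script[-2] <= OP_16):
        raise ValueError("m or n is not a small-integer opcode")
    m, n = script[0] - OP_1 + 1, script[-2] - OP_1 + 1
    keys, pos, end = [], 1, len(script) - 2
    while pos < end:
        size = script[pos]
        key = script[pos + 1 : pos + 1 + size]
        # 33 bytes = compressed (02/03 prefix), 65 bytes = uncompressed (04).
        ok = (size == 33 and key[:1] in (b"\x02", b"\x03")) or (
            size == 65 and key[:1] == b"\x04")
        if not ok or pos + 1 + size > end:
            raise ValueError(f"bad public key push at offset {pos}")
        keys.append(key.hex())
        pos += 1 + size
    if len(keys) != n or not 1 <= m <= n:
        raise ValueError("key count does not match n, or m > n")
    return m, keys
```

Every public key comes back in the clear, so once a multisig output has been spent, the safety of anything else sent to that address rests entirely on how each private key was generated.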

antonimasso



Re: Multisig Address UTXO spent (hacked) August 26, 2014, 06:15:29 AM #13

Quote from: amaclin on August 26, 2014, 04:17:28 AM
> Quote from: antonimasso on August 25, 2014, 06:55:49 PM
> > I did use extremely simple passwords. I guess he just brute forced the private keys, generated the Multisig address and if it contained UTXO sent them to his account.
>
> Multisig redeem script contains public keys.
>
> this was your transaction:
>
> https://blockchain.info/tx/18eae575e18c47d5b8c14fddbe7e31299359cc5d3ce23f9c64a2af0fc0817806
>
> public keys are:
>
> Code:
> "043394c36007889341b06434535adbb6d9ff8d54f0a075f660f9a15c5c160bd24eb8f9bd98d32e3b6624d1fefa360496d8a98f8ee2e558e6d0e385ff1afc2b70b7"
> "049b0ee70d754c419be928df649029004bbffbe1f0a3a5b60f2c5141eb4e109438b8bfb6f68776d4632bbfa9ce2646388d4f436a350fa0fa3d9fd0ecd83a63da25"
> "0491e379d32b48a0fde8e7923a41d6b2004636aabb9b47efc564770d582e59714c8594e592fc6f17b25afbd912f0750e66a2744c73776b88f42c63fdc338d29bbf"
>
> it was not too difficult to check associated private keys for these public keys
>
> two of three to redeem:
>
> Code:
> { "5JAimMxne7A62i25P7MjjX37d5WCK3dUzgzmUSzqPdKstqjY2nx", "141995JqUd7VkHfggTKqPSPvK3deuinbit", "billgates" },
> { "5KS5cGrx2uvFjMgnvQSeyajtS7CAhhCfLxQrx7xFrJ5VETLRVGT", "126zmC4XSu5nFU7bYZVwEn9iVc82MXk15B", "aznar" },
>
> Quote
> > Any bitcoins sent to such an address or public key are very likely to be quickly stolen.
>
> Unfortunately, my script had a bug
>
> No luck yet

Did you select my Multisig address manually or do you have a script that tries combinations of public keys?

Soon before you tried to steal my funds I made a TX with no fee and now these funds seem to be blocked or lost.

amaclin



Re: Multisig Address UTXO spent (hacked) August 26, 2014, 06:36:51 AM #14

Quote
> Soon before you tried to steal my funds

I do not like the words "my" & "steal". Bitcoins belong to the person who knows private keys. I know.

Let us say that you have bought some knowledge for a small price. And I can sell you more.

Just ask me. I will be happy to share my knowledge with everyone else.

Quote
> I made a TX with no fee and now these funds seem to be blocked or lost.

Bitcoins cannot be lost in such a way. The game is not over.

amaclin



Re: Multisig Address UTXO spent (hacked) August 26, 2014, 06:47:24 AM #16

Quote
> Did you select my Multisig address manually or do you have a script that tries combinations of public keys?

There are 60k+ used p2sh addresses right now according to http://webbtc.com/scripts/script_hash

Do you think it is possible to check them manually?