Topic: Hello Invictus! Please respond!  (Read 727 times)


Offline toast

Hello Invictus! Please respond!
« on: February 28, 2014, 02:35:05 PM »

I've brought this up to both Dans but haven't heard meaningful responses...

Your Keyhotee master private key does not depend on all of the forms in the profile wizard! This is a critical error and all founders would have to re-register, right? Please just tell me I'm misreading the code?

https://github.com/InvictusInnovations/keyhotee/blob/master/profile_wizard/ProfileWizard.cpp#L269

I don't see where create_profile is defined but its conf argument is defined on the stack and so we know all the fields that got set.
Looks like first name, middle name, last name, and brain key are the only things that count. SS, passport, DOB... none of those things contribute to security.

Quote
No, that was a bug that we didn't catch.

Dan


On Feb 27, 2014, at 3:33 PM, Nikolai Mushegian <[email protected]> wrote:

> I forgot to mention this: is it intended that the keyhotee master
> private key does NOT depend on many fields in the profile wizard? Try
> changing your DOB or SS...

Do not use this post as information for making any important decisions. The only agreements I ever make are informal and non-binding. Take the same precautions as when dealing with a compromised account, scammer, sockpuppet, etc.

Offline bytemaster

Re: Hello Invictus! Please respond!
« Reply #1 on: February 28, 2014, 02:41:16 PM »
We have three options with respect to this issue: 

1) force everyone to reregister
2) enable these extra fields for new users only
3) remove these fields

I am inclined to give people the option to reregister, but not require it.  Those that do not reregister will have to remember to ignore those fields if they want to regenerate their key from memory in the future.

Dan Notestein has been addressing this issue in Github. 
For the latest updates check out my blog: http://bytemaster.bitshares.org
Anything said on these forums does not constitute an intent to create a legal obligation or contract between myself and anyone else.   These are merely my opinions and I reserve the right to change them at any time.

Offline toast

Re: Hello Invictus! Please respond!
« Reply #2 on: February 28, 2014, 03:04:00 PM »
Quote
2) enable these extra fields for new users only

...

I am inclined to give people the option to reregister, but not require it.  Those that do not reregister will have to remember to ignore those fields if they want to regenerate their key from memory in the future.

I think Dan N disagrees with you about these options based on his changes on github.

Quote
Dan Notestein has been addressing this issue in Github.

https://github.com/InvictusInnovations/keyhotee/commit/bd9c5785a6527566cb4209f58af7872035cba8b2
"whooooops yeah those were never supposed to be part of the profile anyway yeah..."

So should I go find all the forum posts referring to those fields between now and let's see how long ago...

https://github.com/InvictusInnovations/keyhotee/commits/bd9c5785a6527566cb4209f58af7872035cba8b2/profile_wizard/ProfileEditPage.ui
https://github.com/InvictusInnovations/keyhotee/commits/master/profile_wizard/ProfileWizard.cpp

two months!!!

Quote
All information is optional and was chosen merely because it is easy to remember for most users

It is used as a salt that makes attackers pick an individual


Sent from my iPhone using Tapatalk



Quote
Brain wallet doesn't depend on DOB? I just used two different dates and got the same public key...
Hi toast,

Yes, I tested it myself and you're correct. Passport/driver's license also didn't affect it. I've committed a new version of this dialog that removes these fields, since it's just extra work for no purpose to enter this info, plus it's confusing. So now it's just first, middle, last name, brainwallet key, and password that are accepted.

Well NOW it is...


why am I so angry about this, I shouldn't be angry
Do not use this post as information for making any important decisions. The only agreements I ever make are informal and non-binding. Take the same precautions as when dealing with a compromised account, scammer, sockpuppet, etc.
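The defect discussed above (profile fields the wizard collects but that never reach the key derivation) can be caught mechanically. This is added example code by the editor, not Keyhotee's own derivation: a hypothetical PBKDF2 scheme in the shape the thread describes (personal fields as salt, brain key as password), with a deliberately buggy variant that mirrors the report, and a probe that lists the fields whose value never changes the output. Field names and the sample profile are constructed.

```python
import hashlib
from typing import Callable, Dict, List

# Constructed sample profile; the field names are this example's own, not Keyhotee's.
SAMPLE_PROFILE: Dict[str, str] = {
    "first_name": "Nikolai", "middle_name": "", "last_name": "Mushegian",
    "dob": "1990-01-01", "ssn": "000-00-0000", "passport": "X1234567",
    "brain_key": "correct horse battery staple",
}
ITERATIONS = 1000  # kept small so the probe runs quickly; a real KDF uses far more

def _salt(profile: Dict[str, str], fields) -> bytes:
    # key=value pairs with an explicit separator so that "ab"+"c" and "a"+"bc" never collide
    return "\x00".join(f"{k}={profile[k]}" for k in fields).encode()

def derive_buggy(profile: Dict[str, str]) -> bytes:
    """Mirrors the reported bug: only the name fields are mixed into the salt,
    so DOB / SSN / passport are asked for but silently ignored."""
    salt = _salt(profile, ("first_name", "middle_name", "last_name"))
    return hashlib.pbkdf2_hmac("sha256", profile["brain_key"].encode(), salt, ITERATIONS)

def derive_all_fields(profile: Dict[str, str]) -> bytes:
    """Corrected shape: every non-secret field the UI collects is part of the salt."""
    salt = _salt(profile, sorted(k for k in profile if k != "brain_key"))
    return hashlib.pbkdf2_hmac("sha256", profile["brain_key"].encode(), salt, ITERATIONS)

def ignored_fields(derive: Callable[[Dict[str, str]], bytes],
                   profile: Dict[str, str]) -> List[str]:
    """Return the fields whose value does not influence the derived key.
    Each field is perturbed in turn; if the key is unchanged, the field adds no
    entropy, which is exactly what toast observed by entering two different DOBs."""
    baseline = derive(profile)
    unused = []
    for field in profile:
        perturbed = dict(profile)
        perturbed[field] = profile[field] + "-changed"
        if derive(perturbed) == baseline:
            unused.append(field)
    return unused

if __name__ == "__main__":
    print("buggy derivation ignores:", ignored_fields(derive_buggy, SAMPLE_PROFILE))
    print("fixed derivation ignores:", ignored_fields(derive_all_fields, SAMPLE_PROFILE))
```

Run the probe against whatever derivation a wallet actually ships; any field it reports is one users could be told to remember for no reason, and one that gives none of the per-individual salting the design intended.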

bitbro

  • Guest
Re: Hello Invictus! Please respond!
« Reply #3 on: February 28, 2014, 03:12:47 PM »
Everything good toast?


Sent from my iPhone using Tapatalk

Offline toast

Re: Hello Invictus! Please respond!
« Reply #4 on: February 28, 2014, 03:31:45 PM »
Quote
Everything good toast?


Sent from my iPhone using Tapatalk

I took like 20 deep breaths so now it's all ok

Sent from my SCH-I535 using Tapatalk

Do not use this post as information for making any important decisions. The only agreements I ever make are informal and non-binding. Take the same precautions as when dealing with a compromised account, scammer, sockpuppet, etc.

Offline bytemaster

Re: Hello Invictus! Please respond!
« Reply #5 on: February 28, 2014, 07:38:45 PM »
Lol.. Dan N. and I often have different opinions.   And sometimes I waver on my opinion on what should be done when I lack a metric by which to judge.   In this case I may have told Dan one thing, then talked to you Toast and changed my mind... 

I welcome feedback on how this should be handled.
For the latest updates check out my blog: http://bytemaster.bitshares.org
Anything said on these forums does not constitute an intent to create a legal obligation or contract between myself and anyone else.   These are merely my opinions and I reserve the right to change them at any time.
