Security Advisory For paper.dash.org

eduffield

Core Developer
Hello Everyone,

Unfortunately we broke paper.dash.org on January 4th and the seeding process for generating a wallet was insecure since then. There are no known Dash thefts that have taken place because of this (yet), but if you created a wallet using paper.dash.org between January 4th and April 5th, please move your money to a new place.

We take these kinds of issues quite seriously and believe it's our fiduciary responsibility to create the most secure environment for users to store value safely in our ecosystem. To address the issue we’ve reverted the patch that caused the issue and have also reverted paper.dash.org to an earlier, much safer version.

Thanks,

Evan Duffield
 

MangledBlue

Well-known Member
Even if I copied the source to usb and made the paper wallets off-line?

I used a couple of different sites but never put any coin on them...
 

fible1

Well-known Member
Dash Core Team
Masternode Owner/Operator
Is "paper" functional now?
 

eduffield

Core Developer
> Even if I copied the source to usb and made the paper wallets off-line?
>
> I used a couple of different sites but never put any coin on them...

You'll need to move the funds still. It's the source of entropy that is the problem, not where you ran it.
 

fible1

Well-known Member
Dash Core Team
Masternode Owner/Operator
> Yes. paper.dash.org is safe to use now. The repo is safe as well. I've reverted both.

Seems like the source of randomness input requested from the user (mouse and keyboard) is much less than other wallet sites. Does that make a difference?

Thanks,
Pablo.
 

alex99

New Member
paper-dash-org is still running old version with poor seeding!
And I can't see any changes on github
 

moocowmoo

Bovine Bit-flipper
Foundation Member
> Can someone please confirm these sites are legit? Would appreciate detailed feedback.
>
> Pablo.

They're a fork of bitaddress.org, just extended for multiple coins.

But, yeah, paper.dash.org *does* seem to initialize too fast when compared with either of the 2 I've listed.

Also, we're running 3.1.0 and current is 3.2.0 https://www.bitaddress.org/CHANGELOG.txt.asc

Edit: Also, the github links at the bottom are 404:

Donations for original project:1NiNja1bUmhSoTXozBRBEtR8LeF9TGbZBN
GitHub Repository (zip)
 

TanteStefana

Grizzled Member
Foundation Member
> Can someone please confirm these sites are legit? Would appreciate detailed feedback.
>
> Pablo.

NEVER create your paper wallet while online - ever, download the webpage preferably from known and vetted github repository then run it offline, preferably on a jump drive loaded OS, I use Ubuntu, and when it asks me if I want to install or try it out, I try it out, then open the web-page I downloaded, create my wallet, make a copy of the numbers and save on a clean jump drive (so that when I want it, I don't have to read/type it but can go to my txt file and copy/paste the numbers).

Then I never put the jump drive into another machine, (actually I make encrypted copies on a zip program (7zip) as backups on several jump drives). This is why cheap 1gb jump drives are useful if you can find them super cheap :)
 

fible1

Well-known Member
Dash Core Team
Masternode Owner/Operator
> NEVER create your paper wallet while online - ever, download the webpage preferably from known and vetted github repository then run it offline, preferably on a jump drive loaded OS, I use Ubuntu, and when it asks me if I want to install or try it out, I try it out, then open the web-page I downloaded, create my wallet, make a copy of the numbers and save on a clean jump drive (so that when I want it, I don't have to read/type it but can go to my txt file and copy/paste the numbers).
>
> Then I never put the jump drive into another machine, (actually I make encrypted copies on a zip program (7zip) as backups on several jump drives). This is why cheap 1gb jump drives are useful if you can find them super cheap :)

I already generate securely on an Ubuntu stick, though I have to say you go above and beyond :).

My question is more whether the code linked can be trusted for download and running on a live CD; as I am feeling not so confident on the internet right now.

:)

Pablo.
 

fible1

Well-known Member
Dash Core Team
Masternode Owner/Operator
> Moo posted this link on Bitcointalk: https://github.com/MichaelMure/WalletGenerator.net and said it was secure/good :)
>
> I know I'm repeating myself when I write stuff like that, but I want to make sure lurkers/newbs get a warning when researching in which this kind of thread may show up on :)
>
> Again, it's the mommy in me :p

Do you mean Moo said it was good? Because I get that as he posted it here. And I have a lot of respect for Moo and I mean no offense, but since we are dealing with cash here, I was also hoping to hear from a few other people who have used the github code successfully :).

Feeling paranoid right now.

:)

Pablo.
 

moocowmoo

Bovine Bit-flipper
Foundation Member
> Yes. paper.dash.org is safe to use now. The repo is safe as well. I've reverted both.

You missed a step. I pulled in and applied UdjinM6's revert.
Entropy collection is back to where it should be on https://paper.dash.org/ ! :)

Code:
| * 72a4bbb (udjinm6/master) update sha256sum and gitHead
| * 3306409 Revert "speed up seeder 10x"
|/
* 5ddab0b (HEAD, origin/master, origin/HEAD, master) update sha256sum and gitHead
# git reset --hard 72a4bbb
HEAD is now at 72a4bbb update sha256sum and gitHead
# git reflog
72a4bbb HEAD@{0}: reset: moving to 72a4bbb
5ddab0b HEAD@{1}: reset: moving to 5ddab0b
 

UdjinM6

Official Dash Dev
Core Developer
Dash Core Team
Yeah, I did that stupid thing :oops:
I was trying to make a shortcut while I was deving it (way too much time to spend on every page refresh while fixing small parts here and there)... I should have cleaned that out before pushing to production...
Sorry..:sad:
 

Myprotection

Member
Where can I generate new addresses?

P.S.
Forgive my English.
 

UdjinM6

Official Dash Dev
Core Developer
Dash Core Team
> Where can I generate new addresses?
>
> P.S.
> Forgive my English.

Translated question: Where can I generate new addresses now?

https://paper.dash.org/ is updated now and fully functional, you can use it again.
Or you can use paper wallet in moocowmoo post above https://dashtalk.org/threads/security-advisory-for-paper-dash-org.8525/#post-90302

https://paper.dash.org/ has been updated and works as it should again, so it can be used.
Or you can use the paper wallet mentioned in moocowmoo's post above https://dashtalk.org/threads/security-advisory-for-paper-dash-org.8525/#post-90302
 

tungfa

Grizzled Member
Foundation Member
Masternode Owner/Operator
> Translated question: Where can I generate new addresses now?
>
> https://paper.dash.org/ is updated now and fully functional, you can use it again.
> Or you can use paper wallet in moocowmoo post above https://dashtalk.org/threads/security-advisory-for-paper-dash-org.8525/#post-90302
>
> https://paper.dash.org/ has been updated and works as it should again, so it can be used.
> Or you can use the paper wallet mentioned in moocowmoo's post above https://dashtalk.org/threads/security-advisory-for-paper-dash-org.8525/#post-90302

would be nice to have Evan's post translated, so i can use that on russian (and other outlets!)
tx
 

tungfa

Grizzled Member
Foundation Member
Masternode Owner/Operator
> Russians are already aware in every possible place - here in ru / bitcointalk ru / bits.media (all thanks to alex-ru ) :)

damn are you guys fast
i wanna use it on dash.org / ru news section please