
Security Advisory For paper.dash.org

eduffield

Core Developer
Hello Everyone,

Unfortunately we broke paper.dash.org on January 4th and the seeding process for generating a wallet was insecure since then. There are no known Dash thefts that have taken place because of this (yet), but if you created a wallet using paper.dash.org between January 4th and April 5th, please move your money to a new place.

We take these kinds of issues quite seriously and believe it's our fiduciary responsibility to create the most secure environment for users to store value safely in our ecosystem. To address the issue we’ve reverted the patch that caused the issue and have also reverted paper.dash.org to an earlier, much safer version.

Thanks,

Evan Duffield
 
Even if I copied the source to usb and made the paper wallets off-line?

I used a couple of different sites but never put any coin on them...
 
Even if I copied the source to usb and made the paper wallets off-line?

I used a couple of different sites but never put any coin on them...

You'll need to move the funds still. It's the source of entropy that is the problem, not where you ran it.
 
Yes. paper.dash.org is safe to use now. The repo is safe as well. I've reverted both.

Seems like the source of randomness input requested from the user (mouse and keyboard) is much less than other wallet sites. Does that make a difference?

Thanks,
Pablo.
 
paper.dash.org is still running the old version with poor seeding!
And I can't see any changes on GitHub.
 
Can someone please confirm these sites are legit? Would appreciate detailed feedback.

Pablo.

They're a fork of bitaddress.org, just extended for multiple coins.

But, yeah, paper.dash.org *does* seem to initialize too fast when compared with either of the 2 I've listed.

Also, we're running 3.1.0 and current is 3.2.0 https://www.bitaddress.org/CHANGELOG.txt.asc

Edit: Also, the github links at the bottom are 404:

Donations for original project: 1NiNja1bUmhSoTXozBRBEtR8LeF9TGbZBN
GitHub Repository (zip)
 
Can someone please confirm these sites are legit? Would appreciate detailed feedback.

Pablo.
NEVER create your paper wallet while online - ever. Download the webpage, preferably from a known and vetted GitHub repository, then run it offline, preferably on a jump-drive-loaded OS. I use Ubuntu, and when it asks me if I want to install or try it out, I try it out, then open the web page I downloaded, create my wallet, make a copy of the numbers and save them on a clean jump drive (so that when I want it, I don't have to read/type it but can go to my txt file and copy/paste the numbers).

Then I never put the jump drive into another machine (actually I make encrypted copies with a zip program (7zip) as backups on several jump drives). This is why cheap 1GB jump drives are useful if you can find them super cheap :)
 
NEVER create your paper wallet while online - ever. Download the webpage, preferably from a known and vetted GitHub repository, then run it offline, preferably on a jump-drive-loaded OS. I use Ubuntu, and when it asks me if I want to install or try it out, I try it out, then open the web page I downloaded, create my wallet, make a copy of the numbers and save them on a clean jump drive (so that when I want it, I don't have to read/type it but can go to my txt file and copy/paste the numbers).

Then I never put the jump drive into another machine (actually I make encrypted copies with a zip program (7zip) as backups on several jump drives). This is why cheap 1GB jump drives are useful if you can find them super cheap :)

I already generate securely on an Ubuntu stick, though I have to say you go above and beyond :).

My question is more whether the code linked can be trusted for download and running on a live CD; as I am feeling not so confident on the internet right now.

:)

Pablo.
 
Moo posted this link on Bitcointalk: https://github.com/MichaelMure/WalletGenerator.net and said it was secure/good :)

I know I'm repeating myself when I write stuff like that, but I want to make sure lurkers/newbs get a warning when researching in which this kind of thread may show up on :)

Again, it's the mommy in me :p

Do you mean Moo said it was good? Because I get that as he posted it here. And I have a lot of respect for Moo and I mean no offense, but since we are dealing with cash here, I was also hoping to hear from a few other people who have used the github code successfully :).

Feeling paranoid right now.

:)

Pablo.
 
Yes. paper.dash.org is safe to use now. The repo is safe as well. I've reverted both.

You missed a step. I pulled in and applied UdjinM6's revert.
Entropy collection is back to where it should be on https://paper.dash.org/ ! :)

Code:
| * 72a4bbb (udjinm6/master) update sha256sum and gitHead
| * 3306409 Revert "speed up seeder 10x"
|/
* 5ddab0b (HEAD, origin/master, origin/HEAD, master) update sha256sum and gitHead
# git reset --hard 72a4bbb
HEAD is now at 72a4bbb update sha256sum and gitHead
# git reflog
72a4bbb HEAD@{0}: reset: moving to 72a4bbb
5ddab0b HEAD@{1}: reset: moving to 5ddab0b
 