No intro paragraph needed. Title says it all. Let’s get started:
If a group chat for everyone that needs to be on the conference call doesn’t yet exist, you’ll need to create one and add participants. Once it exists, anyone can join in a conference or bail out at any time. They can do it by text, audio, and/or video as long as the group exists.
You can inform everyone that you’d like to start at a particular date and time and they’ll need to set their own reminders to show up.
To Create a Group
(To JOIN an existing conference call, go to your existing Signal group, then skip ahead to step #8)
In the lower right, tap the blue icon with the pencil in it to start a new conversation.
You’ll see “New group” at the top.
Type in someone’s name from your contacts. Tap their name in the search results and they’ll be added to the group.
Repeat step 4 for everyone you want to be in the group.
Once done adding participants, in the lower right, tap the right arrow in the blue circle.
Enter a Group Name. This will be visible to all participants. Then hit the blue pill button in the lower right with “create” in it.
The group now exists
Anyone in the group can now text the whole group or join a video or audio call. Tap the camera icon in the upper right hand corner.
You will join an existing video conference OR if you’re the first one, you’ll start one.
While IN the conference call, tap anywhere on the screen where there is NOT a button or other control… for example, tap on someone’s face, and you’ll get 4 icons at the bottom of the screen. To toggle your camera, hit the camera icon. To toggle your microphone, tap the microphone button. Swipe up to switch between views of each member.
Anyone in the group can come and go as they please. Anyone can participate as video+audio or audio only or just send texts.
This is part of a multi-part series of articles on how to get started in cryptocurrencies. This article is the first step you need to take: Installing your first wallet app. Before you do anything else, you must first create your own BitCoin wallet.
What does this mean and why?
In the cryptocurrency world, YOU are your own bank. That means YOU are 100% in control of your cryptocurrency and no one else. This means no one can steal your funds… not a bank, not the government, not hackers that hack a cryptocurrency exchange.
What’s a cryptocurrency exchange?
A cryptocurrency exchange is a CENTRALIZED authority where you can buy cryptocurrency with fiat currency. One of the articles in this series will cover that. Fiat currency is money you’ve been using your whole life like U.S. dollars, the British pound, the Euro, etc… Currencies created by and issued by governments are “fiat” currencies. Cryptocurrencies are created by citizens with complex computer code and not under the control of governments and are not assigned to any one country. They are borderless.
A cryptocurrency exchange is essentially a centralized bank. They are your “on ramp” and “off ramp” for cryptocurrency. (they’re not the ONLY way to acquire crypto) Before you buy any cryptocurrency with fiat from an exchange, you need to have your own, personal cryptocurrency wallet set up so that you can immediately transfer your purchased crypto into your own personally controlled wallet. If you don’t do that, you’re not in control of your crypto. “Not your keys, not your crypto”.
Not Your Keys, Not Your Crypto!
People often make the HUGE mistake of purchasing crypto, but then NOT moving it to their own, personal wallets. This is why people WRONGLY claim that crypto is always stolen. IT IS NOT! If they had moved their crypto into their own personal wallet files, the massive thefts of crypto that happened at exchanges like Mt Gox would NEVER have happened!
The REASON people lost money with exchanges is because they made the fatal mistake of LEAVING their crypto IN A CENTRALIZED BANK! Hackers got ahold of the central bank’s keys and stole millions of dollars worth of crypto… FROM THE BANK! Only the users that FAILED to move their crypto into their own wallets ever lost anything.
DO NOT MAKE THAT MISTAKE!
Install the Electrum BitCoin wallet app on your PC. Below, is a video demonstrating the entire process.
There are MANY wallet apps for MANY cryptocurrencies. I created a website for decentralized apps and services and I’m adding more to it all the time. Here’s a (growing) list of cryptocurrency wallets. Electrum isn’t the only one.
Cryptocurrency is different than fiat money, as you probably already know. But those differences make a HUGE impact on how you choose which wallet software to use. And it’s all about control… YOUR control over your own money.
Rather than telling you which wallet apps are best, I’m going to lay out the features you need to look for in wallets, and the ones you need to DEMAND. In other words, in the “demand” features, you should remove any wallet from consideration that does NOT have the complete “demand” list. Other features, that may help, but are not deal breakers will be listed as “nice to haves”. One of the reasons I’m not listing any wallets is because that would make this article dated eventually. What I’m presenting here should be relevant for decades to come.
Open Source: If the software wallet you’re considering is NOT open source, then ditch it immediately! Why? Because open source wallets have no secrets. Their entire source code is freely available for anyone to inspect, to guarantee there are no malicious intentions hidden behind the scenes. Closed source wallets are a black box and you’re throwing out any chance of verification of honesty and relying SOLELY on the word of the wallet creator. The whole point of cryptocurrency technology is that you DO NOT TRUST ANYONE ELSE WITH YOUR MONEY! And that INCLUDES programmers… ESPECIALLY programmers! And I say that AS A PROGRAMMER, MYSELF!
Addendum: Just because a wallet CLAIMS to be “open source”, doesn’t mean it IS. For example, I could publish a closed source wallet and just CLAIM it’s “open source” and people would just believe it and download and use it, while I never publish the source code. So, if some app CLAIMS it’s open source, DON’T BELIEVE THEM… EVER! You go and FIND the source code (usually on https://gitlab.com or https://github.com) and verify the source code exists. A reputable wallet author will also provide you a link to the source along with the binary to download.
In addition to FINDING the source code, make sure you download the app FROM the source code repository’s binaries, NOT from an app store or anywhere else!
If you’re a programmer, just download the source and compile it yourself and use THAT! If you’re NOT a programmer, do #1.2 above.
Must be an app that runs on your own hardware. In other words, if it’s a website, then you’ve just completely obliterated the ENTIRE PURPOSE of cryptocurrency. A website “wallet” is NOT a wallet. It’s a BANK! THEY are a centralized authority holding YOUR money. By definition, if YOU are not in control of it, then it isn’t YOUR money, it’s THEIRS. They ALLOW you to access it, until they DON’T! Stay away from online wallets, with the brief exception of online exchanges where you EXCHANGE your cryptocurrency for fiat money or vice/versa. But as SOON as you acquire crypto from an online exchange, you MOVE IT IMMEDIATELY into your OWN wallet!
This means that you must DOWNLOAD an app (desktop or mobile). And I recommend staying away from browser plugin wallets. Browsers are just not a safe enough environment.
Your keys or seed phrases are not transmitted over the internet FOR ANY REASON! Your keys ARE your money! Whoever holds the keys, holds and OWNS the money. This is the very core and soul of cryptocurrency. It’s its reason for being. NO ONE other than YOU should EVER know your seed phrase or passwords… EVER!!!
NICE TO HAVES
Easy to use user interface. A lot of people mistakenly think this is a “demand” feature, but you’re better off with a clunky UI that puts you in control of your crypto rather than a sleek and polished wallet that doesn’t meet all the “demand” features.
light vs full node. What does this mean? The most secure wallet will be one that’s ALSO a full node on the network for that cryptocurrency. But to do that, it would need to download the ENTIRE blockchain for that cryptocurrency. For a popular cryptocurrency, like #BitCoin, that would mean HUNDREDS OF GIGABYTES of data (eventually TERABYTES!) and hours or days of downloading, plus consuming all that space on your hard drive, forever. It would also mean that your PC would be an actor in the BitCoin network, processing transactions. That’s actually a GOOD thing for the network, but NOT a good thing for your local resources. If all you’re looking for is a wallet, a full node is beyond overkill. It’s like running a whole grocery store just because you need a refrigerator for your Milk. I’m not discouraging you from being a node. By all means, PLEASE DO run a full node. It helps the whole crypto community. But, it’s not necessary for YOU if all you want is a wallet. A “light” wallet is JUST a wallet, not a full node. As such, light wallets are the only kinds of wallets that are available on mobile. A full node requires a desktop PC, plugged into the electrical outlet.
There’s another kind of wallet that I’m on the fence for at the moment, because it violates demand #1: It’s NOT open source. However, it has some other interesting security features.
The Samsung cryptocurrency wallet
I know I said I’m not going to recommend any specific wallet, and I maintain that. I AM, however, going to TALK ABOUT one: The Samsung cryptocurrency wallet meets all the other demand features, but it IS NOT OPEN SOURCE! However, it has an important security feature no other software based wallets have. That is, modern Samsung phones and tablets have a hardware based key store. This is a special, isolated chip that can store encrypted versions of your cryptocurrency keys. This hardware IS robust and is an important, core feature of the Samsung Knox (now known as “Samsung Secure Folder”) isolated security environment. It’s the only mobile environment approved by the US Department of Defense for its employees. Take that however you like.
What is Samsung Knox (or “Secure Folder”)? You know how you enter a PIN or a password, or a pattern, or a fingerprint, or a face image to unlock your phone? Well, on Samsung phones, you have all that, PLUS another, completely isolated, secure environment INSIDE of that. It’s like a smartphone within a smartphone. Once you set up “secure folder”, you get a SECOND smartphone environment, with another home screen and another set of apps. Apps installed inside this secure area are NOT accessible to apps outside of it. I personally install all my financial apps inside of this area. My games and less sensitive apps and data are stored in the regular phone area.
Side note: Whether you use the Samsung crypto wallet or not, you SHOULD install the mobile wallet you DO use inside the Samsung Secure Folder area on your phone (if you’re using a Samsung device).
The Samsung Cryptocurrency wallet is a software mobile wallet, and just like all other mobile wallets, it encrypts your seed phrase to your cryptocurrency with your password. But the difference is that it stores that in the isolated, secure chip. THAT makes it immensely more secure. HOWEVER, the app is NOT open source! Hence my hesitation of recommending this app. We have no way to know what’s REALLY going on inside the Samsung wallet, because it’s closed source.
So, here’s my recommendation: If you DO use the Samsung wallet, never have more in it than you’d ever put in your real, physical wallet. In other words, in the days when you’d have a wallet in your pocket with cash in it (you remember that right? That green paper that you’d trade for stuff?), you’d rarely carry more than about $100, because that’s all you’d need for 1 day and it wouldn’t be the end of the world if you lost it or if it were stolen.
I recommend the same practice with the Samsung crypto wallet. Only store about $100(USD) worth of crypto in your Samsung wallet. If you run across a local place that accepts crypto, you can spend it, but if there’s ever any kind of a breach with Samsung’s OS and/or software, you’re not going to lose too much.
And I’ll give the same $100 limit advice for ALL OTHER mobile wallets too! Store the remainder of your fortunes in multiple hardware wallets or multiple desktop wallets.
Cryptocurrency was created for the purpose of YOU being in control. Therefore, it’s pointless to store your cryptocurrency in a place that you DO NOT control. As always, don’t put all your eggs or cryptos in one basket. Don’t put your life savings into your mobile wallet.
Speaking of not putting all your eggs in one basket: As you start accumulating more and more wealth in cryptocurrency, either by continuous investing or by the value of it rising, it’s smart to create more digital wallets and spread your crypto among them. Don’t store all your passwords and seed phrases in the same place. Following these practices, if any of your wallets are ever compromised by your own failures to protect them, you won’t lose ALL of your assets.
In the comments below, tell us what wallets YOU use… THAT FIT THE DEMANDS listed here? Please keep the conversation limited to those that fit the minimal demand list.
If you’re getting the “Couldn’t install app” error when trying to install the Samsung Blockchain Keystore app in your device’s Secure Folder, then read on. Skip the background if you’re familiar with it and go straight to the Solution section.
In mid-2019, Samsung came out with the Samsung Galaxy S10 phone. At the same time, they introduced their first cryptocurrency wallet, the “Samsung Blockchain Wallet”. At first, it only supported Ethereum. But as of late 2019, it supports a few more cryptocurrencies, most notably, it now supports the most important one, Bitcoin!
But, to use the wallet app, it requires another app; the “Samsung Blockchain Keystore”. I’m not sure why they separated that out into two apps, but my semi-educated guess is that you can create your keys and manage them in one app and use them in other apps, not JUST the wallet app.
Now, as anyone with any knowledge of cryptocurrencies knows, you have to be EXTRA careful with your keys for cryptocurrency. YOU are 100% in control of your cryptocurrency. If you’re careless, and it gets stolen, you have NO RECOURSE! Unlike a traditional bank with FDIC insurance of up to $100,000 protection per account, there’s NOTHING for cryptocurrency. That’s not a bug, that’s a feature! With freedom, comes responsibility. But that’s a speech for another day. The point is, that if you’re going to do this on mobile, you want it to be as secure as possible, and on a Samsung phone, that means putting it in the ultra secure section called “Secure Folder”. Now, let’s get back to the “Couldn’t install app” error.
Sorry to be the bearer of bad news, but there is no solution at the time of this writing (2020-01-04). I spent an hour on chat support with Samsung, who then sent me to a phone tech support that’s a specialist on the Secure folder. Both the chat tech and the Secure Folder tech were unaware of the problem and both confirmed that it is, indeed, a problem that they’re going to have to fix.
Here are the problems you’ll experience:
When trying to install the Samsung Blockchain Keystore into the Samsung Secure Folder:
It will not find it in the installed apps from the apps installed outside of the Secure Folder.
It will not find it in the Play Store (to their surprise, it’s not in the Play Store at all. You can search for it with a desktop browser. It’s just not there).
It WILL not find it in the Samsung Galaxy Store… at least, not directly. First, you have to search for the Samsung Blockchain Wallet app, select it, scroll down for similar apps, and you’ll find the Samsung Blockchain Keystore down there. Try to install it, and you’ll get the error:
Installing the KeyStore app OUTSIDE of Secure Folder will NOT make it available to the wallet app INSIDE the secure folder.
Even when installed outside of secure folder, it does not show up in the app drawer. You cannot add its icon to the home screen.
The ONLY way to launch it is to find it in the Galaxy Store and tap the “Open” button there.
So, the conclusion is that it’s not possible to use the Samsung Wallet app in the Secure Folder area. And if you can’t use it in there, it’s not worth using. You NEED the extra protection of the Secure Folder for your cryptocurrency. DO NOT ATTEMPT TO USE IT OUTSIDE OF SECURE FOLDER!!!
Speaking of Decentralized Monetization,
If you like my work, you can contribute directly to me with the following cryptocurrencies (but, apparently, not with the Samsung Blockchain Wallet app in Secure Folder yet!)
Whether you’re a developer or a user, these are the requirements for a truly decentralized app. If it lacks any of these, your app can (and you should assume that it WILL) be censored:
No reliance on legacy DNS.
While you CAN make use of DNS as an additional measure, your app should still fully function even if the entire DNS system is compromised and/or your domain name confiscated. You should think of the DNS as only a gateway for legacy users to find your services.
No reliance on a centralized account creation system.
User accounts should be created client side ONLY, like a cryptocurrency wallet. The app’s concern with the user account should ONLY be that the user cryptographically signs their communication with you, using their private key and you use their public key to transmit private data from you to them.
Deployment of the app should NOT depend on a centralized app publisher.
The app should be obtainable if you or your company or your organization cease to exist. This does not mean that you can’t ALSO deploy to centralized app stores, but those should be SECONDARY. You should also steer your users away from centralized app stores.
User’s personal data should ONLY be stored on their own device
OR encrypted with their public key before being stored remotely to their choice of external storage.
All remote storage should be stored on a decentralized storage platform (The user’s SiaCoin or FileCoin accounts, for example. For published data, IPFS and/or a blockchain). This doesn’t mean you can’t also make use of centralized platforms. In fact, make use of popular centralized cloud storage like Amazon S3, DropBox, Google Drive, etc, but encourage the user to add 3 of those to their storage preferences and you encrypt their data locally, with their public key, then replicate it, like RAID 3, across at least 3 or more centralized storage platforms.
Creator monetization should NOT be controlled by the app creator. The app creator should only facilitate code in their app to allow independent users to pay, directly, to each other, using a system outside the control of the app creator (such as cryptocurrencies).
The reason I’m writing this article today, is because this past week was the first time one of my drives in the ARRAY failed. To be clear, this is not a complaint. ALL drives fail. That’s WHY I bought a RAID tower, so that when one eventually DOES fail, I have the redundancy in place to keep going while I get a replacement drive, with zero down time and zero data loss.
When I bought the tower almost 4 years ago (this model is not available for sale anymore), I also bought 4 of these drives for $149.99 each in December 2014. They were the cheapest 4TB drives I could find at that time.
All 4 have been running 24/7 until 2018-10-29, when one of them finally failed. To be honest, I expected the first failure to be years ago, considering my track record of at least 1 failed drive a year. I bought the cheapest drives I could find too, so I expected more frequent failures. The front panel of the RAID tower indicated that my drive #3 had died.
The computer was completely unaware of the failure. This is a good thing. That means the RAID tower’s seamless drive failure was working. I immediately ordered a new, replacement drive. I ordered the cheapest, 4TB drive I could find. Why? Because reliability of individual drives is not all that important when you have them in a RAID tower. The redundancy of the whole system dramatically improves overall reliability, even when using low reliability drives. I should also point out that just because a drive is inexpensive, doesn’t mean it’s also low reliability.
Here’s the drive I bought in late October 2018 for $79.99… nearly half the cost from 4 years earlier.
What did I do?
When it arrived 3 days later, without shutting anything down, I opened the front panel of my RAID tower, pulled out the bad drive (with the whole system still on and running), unscrewed the 2 screws holding the handle onto the bad drive, screwed them and the handle onto the new drive, and plugged it into the RAID tower.
What did the RAID tower do?
The RAID tower immediately recognized the new drive and started replicating data to it.
What did the PC do?
My PC never knew anything ever happened. As far as it was concerned, there was a working 12TB drive that it continued to actively use throughout the whole process. There was never any downtime.
How long did it take?
Swapping the drive took about 5 minutes or less. The replication, however, began on the night of Tuesday, October 30th. It was still replicating when I left the PC on Saturday night, November 3rd. However, Sunday morning, when I got back to it, it had finally finished. So, it took it about FOUR DAYS to complete the replication. Much longer than I thought. I figured it would take between a couple hours up to maybe 1 day.
What does this mean?
It means that my data was vulnerable to disaster via a SECOND drive failure from the moment the drive went bad on Saturday, October 27th, through when the data was finally, fully replicated onto the new drive somewhere between the night of Saturday 11/3 and the morning of Sunday, 11/4… a total of a few hours more than 1 solid week.
If any other drive had died during that time, my 10TB of data would have been hosed.
The good news is that if I were NOT using a RAID tower, I’d be in that same risk ALL THE TIME! I was only at risk for 7 days. The BAD news (for YOU) if you’re not using RAID, you’re at that risk 100% of the time.
This RAID tower performed as designed and is still performing. The vulnerable replication period is much longer than I expected. But, in the end, it all worked. This is the first drive failure I’ve had where I didn’t lose a single bit of data.
Whether you need speed or reliability, you SHOULD be using a RAID array. I highly recommend buying a RAID tower and letting it handle the complexities of configuring the system. Software RAID solutions are available, but they are much less reliable and consume resources on your computer, slowing you down. With an external hardware solution, it’s literally just plug and play, like any normal, single external drive, but with the capacity, speed, and reliability of a RAID solution. RAID towers can be found for under $100 and there’s no upper limit to how much you can spend on one.
There are a lot of decentralized, peer-to-peer, cloud backup services coming online like:
and others. None of them are great solutions as of this writing YET! But that’s changing. Keep an eye on them and read EDUCATED reviews of them. That includes keeping an eye on my blog because I’m watching them with intense interest, in addition to testing them myself. I’ll ring the alarm bell when it’s time to jump on. They WILL BE the ultimate backup solution.
If you’re trying to get started with Machine Learning using Tensorflow, you’ll likely experience frustration trying to find the right version of Tensorflow, Python, & NVidia CUDA drivers that all work together.
Having just gone through that frustration myself, I present to you a WORKING set of instructions.
This part is NOT REQUIRED, unless you want to use your GPU for MUCH faster Tensorflow program execution. You DO want to use your GPU, BTW!
As of this writing, CUDA 9.2 is the latest version; however, Tensorflow will not work with anything later than 9.0, so go here to download CUDA 9.0:
What is CUDA?
CUDA is software to allow you (or other programs written by other people) to write software to utilize your video card’s GPU (Graphic Processing Unit). A GPU is hardware designed specifically for video operations that are many times faster than a CPU can do it. Turns out, you can use your GPU for some specific types of calculations that have nothing to do with graphics and speed up those operations… like… a Neural Network like TensorFlow. They’re also good for cryptomining, but we won’t get into that in THIS article.
Once you have CUDA installed (assuming you have an NVidia GPU and want to take advantage of the massive speeds it’ll give you compared to just running Tensorflow on your CPU), it’s time to install Tensorflow.
2018 is the first year U.S. citizens have to file taxes on their cryptocurrency activities for 2017. The limited “rules” the IRS has published do not cover the majority of types of activities and the information needed to accurately file taxes is simply not available to non programmers and is excruciatingly difficult to acquire, even for programmers.
Unfortunately, reality is much more complicated than that. Here are the real-world things that we have no clear rules on:
What if I bought some prior to 2017?
When I sell some, which of the MANY prior purchasing transactions do I apply the price to? The price is different for every transaction.
What about mining?
What about mining hardware prices?
What about price of electricity?
I bought & sold on more than one exchange.
I moved crypto between exchanges.
I converted crypto from one to another.
Prices at the moment of each transaction are not available when converting between currencies.
Which price would we use, even if we had it? There’s no universal price on any crypto. Each exchange has its own, moving price that changes by the second.
What about when a cryptocurrency forks, like BitCoin to BitCoinCASH and BitCoinGold?
They say to use the fair market value of the day to determine prices on transactions, but that’s of no use since the price can swing thousands of dollars within a day.
Since 2014, I’ve bought and sold crypto hundreds of times. On some days, I’ve made dozens of trades in a single day. In addition to that, I have accounts on 4 exchanges and also mine Ethereum. I also traded between cryptos like converting BitCoin to LiteCoin and LiteCoin to Ethereum & Ripple & IOTA, etc., and moved crypto between exchanges like CoinBase, Kraken, Bitfinex, & Bittrex, and to and from my personal wallets, and gained some crypto during forks, and lost some due to CoinBase not giving me my Ethereum Classic.
Over the past week, I’ve spent about 6-10 hours or so JUST on trying to gather what I understood would be needed for my tax accountant for cryptocurrency (not counting my usual taxes). From the list above, you’ll get a rough idea of what I was going through to try to collect the information.
It’s 2018-03-31 and I finally finished my taxes. Here’s how the day went:
I was woken up around 9:45 am this morning (I like to sleep late on Saturdays) by my tax accountant. We spent a SOLID FIVE HOURS on the phone, trying to resolve everything (95% of that was related to cryptocurrencies). This is their first year dealing with this. I had to explain a lot about crypto and even the IRS’s rules. She, apparently, had the same, uninformative PDF document from 2014 from the IRS too and just assumed it’d be as simple as they explain. Reality is hugely different.
She wanted me to make it simple for her. I wanted her to make it simple for ME. That’s kind of why I’m paying her, right? I spent hours gathering everything she could possibly need (minus the information that was just not feasible to get, but that we actually DO need).
It was simply not enough information, not just the lack of data that I didn’t have access to, but the lack of rules from the IRS.
The amount of effort trying to figure out just HOW to report my cryptocurrency transactions to the IRS was a nightmare and equals about the same amount of effort I spent throughout the year transacting and buying, learning, and setting up my Ethereum mining. And it was significantly more frustrating than the actual crypto activities.
The IRS needs to get their act together, learn what it is we actually do, and come up with REALISTIC rules that we can actually perform.
After all the time and effort I spent preparing my taxes for my accountant, PLUS the amount of time we spent on the phone afterwards was insane and we STILL didn’t get everything. We probably got about 85% of what was needed and I guarantee that what we reported was not right, but that was the best we could do. I had tens of thousands of dollars in transactions. With the limited information we had, she simply ended up using what I sent to her from the website CoinTracking.com, which is ONLY good for a SINGLE exchange. So, I reported a $200 profit and paid taxes on that. At least that is small, to keep my taxes down AND shows a “profit”, which should keep the IRS off my back, since I’m actually paying them something. I was told that if I reported a loss, it would likely trigger an audit.
What? Were you hoping to come here for a resolution to YOUR tax problems? Sorry. All I can offer is comfort that you’re not alone. The IRS needs to get their act together and YOU need to click this link to contact your U.S. representative and explain to them the nightmare they’ve created for us. Click the following link:
They are, in a very very simplistic explanation, answers to a math function where the numbers given to the function are the bytes of the file you want to download.
Why are they important?
They are used to prove to you that the file you’re downloading hasn’t been tampered with. HOW? you may ask? Because only the valid, original file, with the original set of bytes in it could have produced that signature. If you change just ONE byte in the entire file, no matter how big the file is, you’d get a DIFFERENT answer to the math function.
This is CRUCIALLY important for things like cryptocurrency wallets for cryptocurrencies like #BitCoin, #Ethereum, #LiteCoin, etc… Hackers frequently publish TAMPERED versions of wallet software and if you install and run the hacker’s version, they’re going to steal ALL OF YOUR CRYPTO! This has already happened many times. Websites are compromised and hacked versions are put on their websites.
This brings up another important concept of signatures vs. the files they’re supposedly coming from:
A published signature is absolutely USELESS if it’s on the SAME website as the download file. Why? Because if a hacker compromises the download site, then you can’t trust anything on that site, including the signature. You’ll find that MOST sites that publish a signature do so on one website, but the downloaded file is hosted on another website. For BOTH the signature AND the file to be compromised by the same hacker, they’d have to hack BOTH of those websites, which is much more difficult.
How can I validate them?
You’ll need software on your computer that can compute the same types of signatures that the website publishes for their downloaded files. In short, these are the steps (I’ll go into explicit detail shortly):
1. Install some signature making and validating software onto your computer (Do this only once).
2. Make note of the published signature for the file you’re about to download. (Do this for every download that offers it).
3. Download the file (DO NOT EXECUTE IT! It’s NOT trusted until you validate the signature!)
4. Use the signature software to make or verify the signature of the downloaded file.
5. If the signature checks out, the file is safe. If it doesn’t, DELETE THE FILE! DO NOT EXECUTE IT!
Detailed VALIDATION instructions:
Before you get overwhelmed, scroll to the bottom and see that once you’ve done all this once, future validations are really simple…. Just those 4 steps at the bottom. But for now, you’ll need to go through this more lengthy setup process.
In this tutorial, we’ll be dealing with a downloadable executable file that offers a public PGP signature for you to validate against. You should know that there are many forms of signatures that an author could choose to publish. Other than PGP, there are SHA1, SHA256, SHA512, MD5 (which has been broken), and several others. These are the most popular ones.
We’ll be downloading and validating a popular BitCoin wallet app. For this type of app, it’s critical to validate the downloaded file against the published signature.
Yes! This looks very involved, but the good news is that most of these steps only need to be done ONCE EVER. Since this is your first time, there are many steps to get new things installed and set up right. Subsequent verification will be much simpler and I’ll provide a list of steps to do after you have everything set up.
First, install some PGP key software on your computer.
Install gpg4win from here: https://gpg4win.org/
It will install a few utilities and a GUI app that will hold all of your PGP keys and certificates. (You don’t need to understand what those are at this point).
Skip this step if you already have a public/private PGP key pair. Create public/private keys for your own e-mail address. You’ll need this later and it has other benefits such as being able to send and receive encrypted e-mail on any e-mail system. See: STICK IT TO THE NSA: HOW TO ENCRYPT YOUR WEBMAIL
Open the “File” menu and choose “New Key Pair”.
On the box that opens, choose “Create a personal OpenPGP key pair”.
Enter your name and e-mail address, then click “Advanced Settings…” and on the top 2 drop downs, change it to 4096 bits. That’ll make your key orders of magnitude stronger. If you want, feel free to check “Authentication” and “Valid until” and pick a date. I recommend 1 year into the future. If you choose a date, your key will not be trusted by anyone after that day.
Click [OK], then [Next], then [Create].
It’ll prompt you for a password. To use your private key, you’ll need this password, so DO NOT LOSE IT!!!!! Go ahead and enter it.
After taking a few moments (and it WILL take a few moments), you’ll have a key pair. If you want others to be able to send you encrypted data, I recommend clicking the button “Upload Public Key To Directory Service…”. People will be able to look up your public key via your name or e-mail address. But, it’s not needed for validating signatures, which is the primary purpose of this article. Now, click [Finish].
You’ll now have a new, certified key in your key ring. PROTECT YOUR PRIVATE KEY WITH YOUR LIFE!!!!
If you’re interested in more details about what the private/public key pair that you created is, please see. It’s not necessary to know all of that for this article, but it will clear up some confusion, if you have any.
Go to https://electrum.org/#download and view that page. (Note, if you have the know-how and the means to download and build from the source code, ALWAYS do that rather than downloading a pre-built executable!) Notice the signature links next to every download option? THAT’S what we’re working with in this article.
Click the Windows Installer and download it. DO NOT RUN IT! In the folder in which you downloaded the file, you’ll see a file named something like electrum-3.1.0-setup.exe. As you can see, I’ve downloaded prior versions of the file too. Notice that some of the files DON’T have “.exe” at the end? We’ll fix that shortly.
Back on the web page, click the signature next to “Windows Installer”. You’ll see something that looks like this in your browser:
Click anywhere on the text and hit [Ctrl]+[A] to select all of that text, then [Ctrl]+[C] to copy it. Or you can select all the text with your mouse and copy it. You’ll be pasting it into a text file shortly.
DO NOT COPY THE PGP SIGNATURE FROM MY ARTICLE TEXT!!!
Open the folder to where you downloaded the Windows Installer file. It should be named something like electrum-3.1.0-setup.exe. Obviously, if you’re reading this in the future, there will likely be a newer version. This is the latest version at the time of this writing.
Right-click on any empty, white space in the folder and choose “New”, then “Text Document”. A new, empty text file will be created. Ignore the extra menu items I have. I’m a developer and have extra features installed that you might not.
Now hit enter to open the empty text file and paste the PGP signature into it (from step 3.1 above, you should still have the text in your copy buffer, or “clipboard”). Hit [Ctrl]+[V]. This will paste the text you copied in 3.1 above into the text file. Now hit [Ctrl]+[S] to save it. And finally CLOSE notepad (or whatever text editor you’re using).
Now rename the text file to exactly the same name as the downloaded electrum exe file, but with “.pgp” added to the end of the filename. In my case, I rename the text file to electrum-3.1.0-setup.exe.pgp
Now, let’s fix that problem where the file types (also called “file extensions”) are hidden. While looking at the filename that you downloaded in Windows Explorer, open the “View” menu or tab. On the right hand side (you might have to resize the window to something bigger to see it), open the “Options” drop down and choose “Change folder and search options”.
On the “Folder Options” that opens up, click on the “View” tab and check OFF (or UN-check) the box “Hide extensions for known file types”, then click “OK”. It should NOT have a check-mark in it.
You’ll see the files changed from this…
to this… (again, these are MY files, you may have more or fewer and certainly different files in your downloads folder).
It’s VERY important that you see the FULL filenames. Before this, the electrum-3.1.0-setup.exe.pgp file looked like it was named electrum-3.1.0-setup.exe and as you can see, there’s actually ANOTHER file that actually has that name. Why Microsoft hides these by default is beyond me. All it does is create confusion and severely increase the risk of hackers tricking you into launching a malicious program when you think you’re opening a safe text file or a picture file.
LET’S DO IT! Let’s make an attempt to actually verify the PGP signature of the file. Spoiler alert: It won’t work, but that’s OK. It will walk us through what we need to do. Right-click the file you just created and renamed with “.pgp” at the end of its filename. In my example, it will be electrum-3.1.0-setup.exe.pgp. Then choose “More GpgEX options”, then “Verify”.
The verification process will complete as verified, but not fully verified…
Here’s what’s going on. The EXE file DID verify against the PGP signature, but the signature, itself, is not known to be trusted. At least, the verification software you’re using (called Kleopatra) does not know the signature to be from a trustworthy source. You’ll have to TELL IT that you trust that author’s key. Once you do that, Kleopatra will fully verify everything produced by that author and signed with his same keys. Click the “Search” button. This will search several public PGP key stores on the internet for one that contains the PGP key behind the signature you have from that author.
It SHOULD find a key from ThomasV@gmx.de after a minute or so…
Click his e-mail address and then click the “Import” button. That will import his public PGP key into your PGP keyring. This will make it available for future use by you to validate new versions of this app and others from the same author. You won’t have to go through all of these steps again for future downloads from him.
Now we need to CERTIFY his key. This simply means we’re going to tell our local install of Kleopatra that we TRUST the key from ThomasV. Open your start menu and find Kleopatra and launch it.
It will show you all the public and private PGP keys you have installed. Here’s what MINE looks like. Yours may have only the one key from ThomasV and your own key. (I’ve blurred my personal keys).
Now, we’ll certify ThomasV’s key. Right click his key (anywhere on the line with his e-mail address in it) and choose “Certify…”
Check ALL the boxes on the “Certify Certificate” dialog box that pops up, then click “Next”.
Now you need to tell it which of YOUR keys you want to certify it with. It should show you all your keys that you already installed for yourself. Select the one you wish to use to validate. It’s not critical which one you choose, but I recommend choosing the latest one of yours that’s not expired and is associated with your most used e-mail address. And select “Certify only for myself”, then click “Certify”. (I’ve blurred all my personal signatures).
You’ll see the following once Kleopatra has marked his certificate as validated by your own key. We do this to make the software validation work. Most of these steps are a one-time deal. You will not repeat all of these every time you want to validate a signature on software.
Click [Finish] and you’ll see your list of installed keys and see that his key is now marked as “certified”. This is good. This will REDUCE the number of steps to validate software from him in the future.
Now, one more time, let’s right-click the electrum-3.1.0-setup.exe.pgp file you created, choose “More GpgEX options”, then “Verify”. This time, you’ll get FULL VERIFICATION!
Congratulations! You’ve now validated that the Electrum BitCoin wallet software is safe, unmodified, and from the original author. It is safe to install. Please note, this was NOT an article about installing the Electrum BitCoin software. It was an example of how to validate software signatures from ANY software you download (as long as the author provides you validation signatures). We could have used countless other apps to do the same thing.
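The full verification above depends on the imported key really being the author's. As an added example (not part of the original article, Electrum, or GnuPG), this Python script runs the gpg command-line tool and accepts a file only when the valid signature comes from a key fingerprint you obtained separately from the author. It assumes gpg is on your PATH; the fingerprint and status lines in it are constructed placeholders.

```python
import subprocess

# Status keywords that mean the signature must not be accepted.
FATAL = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}


def normalize(fpr):
    """Fingerprints are often shown in spaced groups; compare them bare and upper-case."""
    return "".join(fpr.split()).upper()


def evaluate_status(status_text, expected_fpr):
    """Decide from gpg's --status-fd lines whether the expected key made a valid signature."""
    signer = None
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        keyword, args = parts[1], parts[2:]
        if keyword in FATAL:
            return False, keyword
        if keyword == "VALIDSIG" and args:
            # The tenth field is the primary key fingerprint when gpg reports one;
            # otherwise fall back to the signing key fingerprint in the first field.
            signer = args[-1] if len(args) >= 10 else args[0]
    if signer is None:
        return False, "no VALIDSIG line"
    if normalize(signer) != normalize(expected_fpr):
        return False, "signed by unexpected key " + signer
    return True, "valid signature from " + signer


def verify_file(sig_path, file_path, expected_fpr):
    """Run gpg on a detached signature and evaluate its machine-readable status output."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, file_path],
        capture_output=True, text=True)
    return evaluate_status(proc.stdout, expected_fpr)


# Constructed sample data: this fingerprint and these status lines are made up.
EXPECTED = "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"
GOOD = ("[GNUPG:] GOODSIG 89ABCDEF01234567 Example Author <author@example.org>\n"
        "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2018-03-05 "
        "1520250000 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567\n"
        "[GNUPG:] TRUST_UNDEFINED 0 pgp\n")
BAD = "[GNUPG:] BADSIG 89ABCDEF01234567 Example Author <author@example.org>\n"

if __name__ == "__main__":
    print(evaluate_status(GOOD, EXPECTED))
    print(evaluate_status(BAD, EXPECTED))
```

A signature made by any other key in your keyring still shows up as a VALIDSIG line, which is why the script compares the fingerprint instead of stopping at "good signature".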
It’s MUCH easier the second time!
Yes, I know. That was quite a lot of work to do. But that’s only because you’re new to this AND you had to install, configure, and create lots of new things. Now that you’ve done it once, doing it again will be much less effort.
From now on, all you do is the following:
1. Get the PGP signature of the file you want to download and save it into a text file.
2. Download the file you want.
3. Rename your PGP signature file to exactly the same name as the file you download, but with “.pgp” appended to the end of the file name.
4. Right-click that pgp file, choose “More GpgEX options” -> “Verify”, and it’ll either validate or report that it’s not valid.
That’s it! And getting newer versions of the app will be the same 4 steps.
There are many reports recently of malicious websites and malicious scripts in ads and comments on websites that generate login name and password fields on legitimate sites that trigger LastPass and other password managers to auto-fill with your credentials, allowing the bad actors to literally steal your login credentials, without you doing anything except innocently visiting your favorite sites.
Side note: This is a REALLY GOOD reason to turn on 2-Factor Authentication.
Turning off auto-fill in LastPass is pretty simple, but the setting is nearly impossible to find without someone “in the know” showing you.
On your desktop browser, open your LastPass vault.
Click “Account Settings” in the lower left.
Click on the “Never URLs” tab.
Click the “Add” Button at the bottom of the dialog box.
Now, you’ll need to do this 3 times, once for “Never Fill Forms”, “Never AutoLogin”, and “Never AutoFill Application”. Choose “Never Fill Forms”, from the “Type” drop down and then type “all” (without the quotes!) in the “URL” box and click add. Continue for “Never AutoLogin” and “Never AutoFill Application”.
That’s it! From this point forward, LastPass will still work, but it won’t just blindly fill in your login name and password to just any field named “login” or “password”.