dash-docs/_alerts/2013-08-11-android.html
David A. Harding 7d98f798ab
Upgrade to Jekyll 3.0
Gemfile:

  - Upgrade to Jekyll 3.x (3.0.1 tested).  This brings several new
    features I want to use, most notably *collections* which allows us
    to add blog-like collections. I've converted the `_releases` and
    `_alerts` pages into collections, although their plugins are
    maintained to handle the Download and Active Alert features.

  - Upgrade to latest Kramdown.

  - Lock Less at 2.4.0.  This prevents breaking our Less plugin.  Jekyll
    3.x provides native support for SCSS, so we may want to switch to
    that in time.

  - Lock HTML Proofer at 2.1.0.  The most recent version was taking
    forever to check our pages (I never actually got it to complete).
    I'll look into it when I get more time.

Makefile:

  - New `make clean` command.  Jekyll 3.x by default attempts to do
    incremental rebuilds.  The new `jekyll clean` command cleans up the
    metadata necessary for that so that a full build is performed, and
    this new `make clean` command is a wrapper around it so that we
    automatically do full rebuilds in the relevant cases.  Note: our
    plugins aren't fully compatible with the incremental rebuilds, but
    I'd like to fix that in the future.

  - Remove WEBrick hack to enable previewing with default URL paths (/
    instead of /index.html).

  - Filter out complaints from Rouge.

README.md:

  - Now that Alerts (_alerts) are part of a collection, the file names
    are no longer parsed for dates, so instructions on adding the date
    to the YAML metadata have been added.

_alerts/*:

  - Now that alerts are part of a collection, the file names are no
    longer parsed to provide dates, so a `date:` field has been added to
    the YAML metadata.

_config.yml:

  - Some variables renamed per upgrade instructions.

  - Switched from old default syntax highlighter Pygments to new default
    Rouge.  I tried to use Rouge options to keep new output as similar
    to old output as possible to make diffing easy, but Rouge adds
    extra CSS class info.

  - Move `_alerts` and `_releases` into Jekyll 3.x "collections", which
    provide the organizational features we were using plugins to
    manage.  I haven't removed the old plugins because we still use
    some of their features (alerts.rb provides active issue and banner
    features; releases.rb provides info to Download page).

  - _layouts/* can no longer provide default global metadata; that is now
    provided in the new `defaults:` section in _config.yml.

_layouts/*:

  - Default metadata can no longer be provided in the layout files for
    collections, so I've removed it and left a message to see
    _config.yml.

_plugins/*:

  - Remove filter_for.rb. It's completely broken on Jekyll 3.x because
    of changes to Liquid which prevent adding new arguments to the
    inherited Liquid::For class. Existing uses of filter_for have been
    migrated to built-in for loops prefaced by sorts.

  - Remove remove-html-extension.rb: as it said in the comments, this
    was a temporary hack to get us to Jekyll 3.0.

_releases/*:

  - Rename all the files: prefix a v to the file name so the output html
    (e.g. v10.0.0.html) is the same as the source filename (e.g.
    v10.0.0.md).  This is necessary to migrate them to a Jekyll collection.

  - Remove %v from titles: we have to explicitly set the title, like we
    used to.  Again required for migration to collections.

_templates/events.html & en/rss/events.rss:

  - Sort events by date and then loop with regular for loop rather than
    filter_for

en/alerts.html & en/rss/alerts.rss:

  - Sort alerts by date and then loop with regular for loop rather than
    filter_for

en/bitcoin-core/index.md & en/version-history.html & en/rss/releases.rss:

  - Sort alerts by date and then loop with regular for loop rather than
    filter_for
2016-01-06 23:09:56 -05:00


---
title: "Android Security Vulnerability"
active: false
shorturl: "android"
banner: ""
date: 2013-08-11
---
<h2 id="what-happened">What happened</h2>
<p>We recently learned that a component of Android responsible for generating secure random numbers contains <a href="http://android-developers.blogspot.com.au/2013/08/some-securerandom-thoughts.html">critical weaknesses</a> that render all Android wallets generated to date vulnerable to theft. Because the problem lies with Android itself, this problem will affect you if you have a wallet generated by any Android app. An incomplete list would be <a href="https://play.google.com/store/apps/details?id=de.schildbach.wallet">Bitcoin Wallet</a>, <a href="https://play.google.com/store/apps/details?id=piuk.blockchain.android">blockchain.info</a> wallet, <a href="https://play.google.com/store/apps/details?id=com.miracleas.bitcoin_spinner">BitcoinSpinner</a> and <a href="https://play.google.com/store/apps/details?id=com.mycelium.wallet">Mycelium Wallet</a>. Apps where you don't control the private keys at all are not affected. For example, exchange frontends like the Coinbase or Mt Gox apps are not impacted by this issue because the private keys are not generated on your Android phone.</p>
<h2 id="what-has-been-done">What has been done</h2>
<p>Updates have been prepared for the following wallet apps:</p>
<ul>
<li><b><a href="https://play.google.com/store/apps/details?id=de.schildbach.wallet">Bitcoin Wallet</a></b>: Update 3.15 can be installed from <a href="https://play.google.com/store/apps/details?id=de.schildbach.wallet">Google Play</a> or <a href="http://code.google.com/p/bitcoin-wallet/downloads/list">Google Code</a>. Key rotation will occur automatically soon after you upgrade. The old addresses will be marked as insecure in your address book. You will need to make a fresh backup.</li>
<li><b><a href="https://play.google.com/store/apps/details?id=com.miracleas.bitcoin_spinner">BitcoinSpinner</a></b>: Update 0.8.3b can be installed from <a href="https://play.google.com/store/apps/details?id=com.miracleas.bitcoin_spinner">Google Play</a> or <a href="https://code.google.com/p/bitcoinspinner/downloads/list">Google Code</a>. On startup it will advise you on how to proceed.</li>
<li><b><a href="https://play.google.com/store/apps/details?id=com.mycelium.wallet">Mycelium Bitcoin Wallet</a></b>: Update 0.7.0 can be installed from <a href="https://play.google.com/store/apps/details?id=com.mycelium.wallet">Google Play</a> or <a href="http://mycelium.com/">mycelium.com</a>. A wizard will guide you through the process of moving your bitcoins to newly generated addresses, and put the old keys into archive mode.</li>
<li><b><a href="https://play.google.com/store/apps/details?id=piuk.blockchain.android">blockchain.info</a></b>: Update 3.54 can be installed from <a href="https://play.google.com/store/apps/details?id=piuk.blockchain.android">Google Play</a>. Version 3.54 and above includes an automatic re-keying wizard. Simply update to the latest version and follow the onscreen instructions. Please make a fresh wallet backup after the process completes.</li>
</ul>
<h2 id="what-you-should-do">What you should do</h2>
<p>In order to re-secure existing wallets, key rotation is necessary. This involves generating a new address with a repaired random number generator and then sending all the money in your wallet back to yourself. If you use an Android wallet then we strongly recommend that you upgrade to the latest version available in the Play Store as soon as one becomes available. Once your wallet is rotated, you will need to contact anyone who has stored addresses generated by your phone and give them a new one.</p>
<p>If you can't update your Android app, alternatively, you can send your bitcoins to a Bitcoin wallet on your computer until your Android app can be updated. You should make sure not to send back your bitcoins to your old insecure addresses.</p>
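<p>The following is an added, self-contained Python simulation written for this page; it is not code from the notice, from Android, or from any of the wallet apps named above. It shows why the rotation procedure described here is needed and what it must do: a badly seeded generator (modelled as a toy PRNG driven by a small seed; the real Android flaw is not reproduced) makes independent devices mint identical keys and therefore identical addresses, whereas an OS-backed CSPRNG does not, and a rotation must both mint the new address from the repaired generator and flag every pre-existing address as insecure so funds are never sent back to it. The <code>Wallet</code>, <code>address_for</code> and RNG helpers are assumptions constructed for the example (the address derivation is a plain hash, not real secp256k1 key derivation).</p>

```python
import hashlib
import os
import random
from dataclasses import dataclass, field


def weak_rng_bytes(seed: int, n: int = 32) -> bytes:
    """Constructed stand-in for an under-seeded PRNG: the whole output is a
    deterministic function of a small seed, so two devices that start from
    the same seed produce the same 'random' private key.
    Illustrative only; this is not the actual Android SecureRandom code."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


def strong_rng_bytes(n: int = 32) -> bytes:
    """OS-provided CSPRNG, standing in for the repaired generator that a
    rotation must use for the replacement key."""
    return os.urandom(n)


def address_for(private_key: bytes) -> str:
    """Toy address derivation (constructed: a truncated SHA-256, not real
    secp256k1 + Base58Check). Enough to show that equal keys give equal
    addresses, which is what makes colliding keys spendable by someone else."""
    return hashlib.sha256(private_key).hexdigest()[:20]


@dataclass
class Wallet:
    keys: dict = field(default_factory=dict)    # address -> private key
    insecure: set = field(default_factory=set)  # addresses flagged as unsafe

    def new_address(self, key_bytes: bytes) -> str:
        addr = address_for(key_bytes)
        self.keys[addr] = key_bytes
        return addr

    def rotate(self) -> str:
        """Key rotation as the notice describes: flag every existing address
        as insecure, then mint a fresh address from the repaired RNG. The
        caller then moves the balance from the old addresses to the new one."""
        for addr in list(self.keys):
            self.insecure.add(addr)
        return self.new_address(strong_rng_bytes())

    def safe_destinations(self) -> list:
        """Only addresses that were never flagged may receive funds; this is
        the check that prevents sending coins back to an old insecure key."""
        return [a for a in self.keys if a not in self.insecure]


def distinct_addresses_weak(device_count: int, seed_space: int) -> int:
    """Number of distinct addresses when `device_count` devices each generate
    one key from the weak RNG, whose seed comes from only `seed_space` values."""
    addrs = {address_for(weak_rng_bytes(i % seed_space)) for i in range(device_count)}
    return len(addrs)


def distinct_addresses_strong(device_count: int) -> int:
    """Same measurement with the OS CSPRNG: every device gets its own key."""
    return len({address_for(strong_rng_bytes()) for _ in range(device_count)})


if __name__ == "__main__":
    print("weak RNG, 1000 devices, 16 possible seeds ->",
          distinct_addresses_weak(1000, 16), "distinct addresses")
    print("strong RNG, 1000 devices ->",
          distinct_addresses_strong(1000), "distinct addresses")
    w = Wallet()
    old = w.new_address(weak_rng_bytes(7))
    new = w.rotate()
    print("rotated", old, "->", new, "| safe destinations:", w.safe_destinations())
```

<p>The simulation makes the two halves of the advice concrete: with a weak generator, 1000 devices drawing from 16 seeds end up sharing just 16 addresses, so anyone who can reproduce the seeding owns the same keys; after <code>rotate()</code>, the old address is in <code>insecure</code> and <code>safe_destinations()</code> returns only the address minted from <code>os.urandom</code>, which is the check a wallet needs so that a re-key never sends funds back to an old address.</p>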
<div style="text-align:right">
<i>This notice last updated: Tue, 13 Aug 2013 13:51:00 UTC</i>
</div>