Hello, I want to install the latest Electrum version, because
Warning: Versions of Electrum older than 3.3.3 are vulnerable to a phishing attack, where malicious servers are able to display a message asking users to download a fake version of Electrum. Do not download software updates from another source than electrum.org. In order to reach users of vulnerable versions, we have started to use the same vulnerability, and to direct them to electrum.org.
But following this instruction, “Electrum Bitcoin Wallet”, it is only possible to install version 3.1.3.
If following official instruction
Installation on Whonix XFCE 15.0.0.0.9 after following the directions in the wiki shows that the AppImage cannot be mounted, because of “Fuse”, and gives this link for further information.
“FUSE · AppImage/AppImageKit Wiki · GitHub”
The electrum appimage ran after running “sudo apt-get install fuse”, but the question remains: is this secure?
I would also like to get involved with this project, I think it is amazing! Should I update the wiki after finding the solution to this, so anyone else coming along has an easier time? Can anybody submit changes to the wiki?
Thanks for your interest. Yes anyone can help out. When coming up with instructions, make sure you include appimage signature verification steps so users are not running a tainted version. Feel free to post on our wiki edits mega-thread for input on contributions:
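One way to script the signature verification step asked for above, as an added example that is not part of the thread and not Electrum's or Whonix's own instructions. `PINNED_FPR` is a placeholder rather than a real key fingerprint, the function names are hypothetical, and the sample status output is constructed.

```shell
#!/bin/sh
# Added example: pin the signer when verifying an AppImage's detached signature.
# PINNED_FPR is a placeholder, not Electrum's real key fingerprint: obtain the
# real one from electrum.org and confirm it through a second channel.
PINNED_FPR="${PINNED_FPR:-0123456789ABCDEF0123456789ABCDEF01234567}"

# status_is_trusted FPR
# Reads `gpg --status-fd` output on stdin. Succeeds only if some VALIDSIG line
# names FPR as the primary key and no signature is bad, expired-key or
# revoked-key. A release may carry several signatures; ERRSIG lines for
# signers whose keys are not in the keyring are tolerated.
status_is_trusted() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        $2 == "VALIDSIG" {
            fpr = (NF >= 12 ? $12 : $3)   # field 12 = primary key fingerprint
            if (toupper(fpr) == toupper(want)) ok = 1
        }
        END { exit !(ok && !bad) }'
}

# verify_appimage IMAGE SIGNATURE
# gpg exits 0 for a good signature from ANY key in the keyring, so its exit
# status alone does not prove who signed; the fingerprint is checked too.
verify_appimage() {
    gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null | status_is_trusted "$PINNED_FPR"
}

# Constructed status output (not from a real download): one signer whose key
# is not in the keyring, one valid signature from the pinned placeholder key.
SAMPLE_STATUS="[GNUPG:] ERRSIG 1111111111111111 1 8 00 1577836800 9 -
[GNUPG:] NO_PUBKEY 1111111111111111
[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed Signer
[GNUPG:] VALIDSIG $PINNED_FPR 2020-01-01 1577836800 0 4 0 1 8 00 $PINNED_FPR"

if [ "$#" -eq 2 ]; then
    if verify_appimage "$1" "$2"; then
        echo "OK: signed by $PINNED_FPR"
    else
        echo "FAIL: do not run $1" >&2; exit 1
    fi
else
    printf '%s\n' "$SAMPLE_STATUS" | status_is_trusted "$PINNED_FPR" \
        && echo "sample status accepted"
fi
```

Run it with the AppImage and its `.asc` file as the two arguments; with no arguments it only checks the constructed sample.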
Hey HulaHoop, thank you for packaging everything up for us regular people. I believe software such as this will become very mainstream in the future, as people start to become aware of the extent of mass-surveillance.
HulaHoop - do any security precautions come to mind with installing “fuse”? I’m not seeing much from my searching.
Yes like anything you would install. Fuse is a package available from Debian repos so you should be able to retrieve it safely by following the instructions on the page you linked to.
sudo apt install fuse
Next you need to adjust group permissions because the fuse package interacts with filesystems in the kernel. (also in that guide)
Hey HulaHoop, thanks for the reply.
I am still learning, so sorry if these are stupid questions. Hopefully soon I will become proficient and involved.
I did not understand what those further commands did, so after doing “sudo apt install fuse”, I tried to run the appimage, and it started up just fine. Is this a security risk to not do the further commands listed, since it is interacting with the file system in an unsecure way?
Also of note, there is a further option of extracting the appimage if you do not want to install fuse, appending “--appimage-extract” to the command. I did this and it outputted a bunch of commands, and created a new folder, but still would not run. The folder was called “squashfs-root” and inside contained a bunch of files.
@userapp3 thanks for the reply bro! So I was able to get it installed and working, but I am curious why I had to do the steps I outlined above. Do you think that poses any type of security risk to install those packages? As far as I am aware, appimages are self-contained and don’t need any dependencies, so I am hesitant to use it because of the fact that I had to install dependencies.
I don’t have enough knowledge to help contribute, but I am working on increasing my skill set so I can contribute to this amazing project.
Sorry for the late reply. For the appimage to function, package fuse (Debian -- Details of package fuse in buster) must be installed on the system. If you run the following command in Whonix-Workstation 14 you will see that fuse is installed.
sudo apt list --installed | grep fuse
So fuse is ok to install in Whonix 15 as long as you use apt to install the package.
If fuse is not installed by default in Whonix 15 instructions to do so will be needed in the Whonix Electrum wiki.
I love Electrum but I think the Console feature (easily accessible from the View → Console menu) poses an unnecessary security risk.
It allows running any arbitrary Python code that can affect not only the wallet but the whole system. A one-liner can easily download and execute malicious scripts. I tested a simple PoC of it.
Electrum treated this concern by adding a warning displayed at the first launch of the Console.
Can we do anything else about it, perhaps using Apparmor?
I think it goes without saying if any user runs malicious code on their system (in Whonix konsole… or any application) they run the risk of system compromise and / or de-anonymization (if run from whonix-gateway). I’m willing to make a bet Whonix devs could come up with a few one-liners that would be a disaster if run from whonix-gateway (for de-anonymization) or whonix-workstation (for system compromise). We can’t prevent stupid.
The Terminal / Whonix Konsole and specifically root on Terminal granting absolute power over the system is I think a very well understood and accepted concept even for the average user.
I can come up with such one liners as you mentioned. No need to post them here, someone might actually run those by mistake.
But a bitcoin wallet easily allowing the user to run any script that affects the whole system isn’t a naturally accepted behaviour. A bitcoin wallet should have absolute power over the content of the wallet, not over the rest of the system. That should belong in some kind of developers addition perhaps, not on the mainstream software.
Isn’t that the whole point of Apparmor and similar restrictive methods?
I am not aware of any other GUI application that (will now be) installed by default in Whonix that has the same power with the same ease (where no software download is expressly done by user, no obvious installations etc).
I see “average” users run any code snippets they find on various forums to fix application x. They’ll do just about anything they are told that will “fix” their problem.
I’m not sure how someone could mistakenly copy/paste + enter? The problem is users (average or otherwise) don’t follow best practices, i.e. if you don’t know what you are doing, don’t do it.
Locking down any application is a good idea. Locking down an app just because a user might shoot themselves in the foot not so much. Whonix can’t protect users from mistakes such as this (shooting in the foot).
Locking down electrum would be great because it’s a popular app. The point I’m trying to make is:
foolish user behavior, by itself, is not a good reason to divert dev resources.
Sandboxing an app that is easily compromised by malware, yes good idea.
Sandbox from phishing attacks, no. This falls under follow best practices or you’ll learn a hard lesson.