Bitcoin Forum

Well I finally became a bit security conscious and have searched for anything I can find about how to create a secure savings wallet and I really don't like any of the answers available.

I don't like paper wallets because I don't want to print anything on a paper and I don't like liveCDs because I don't want to download the entire blockchain every time I want to spend from my savings wallet I also don't like a brainwallet because it exposes me to the risk of being robbed while entering my pass phrase when trying to spend from it.

Is there really no option to simply have a USB drive that I can pop in, before doing so restart my laptop, boot the USB and have a ready to go client and wallet with a connection ready and free of any worry of getting hacked?

These are my conditions for what I'd like to use:

-I want it in a digital form, preferably on an encrypted USB stick
-I want to be able to use it with my primary and only laptop (needing to reboot my laptop is fine)
-I want to be able to at least send myself an email with an address where to send the coins to and be safe doing so or use some other way of copy/paste
-I want to spend from my savings wallet without having to download the blockchain

I'm no expert, but just spent a good chunk of time researching this.

Here's the options recommended elsewhere...

You can setup a bootable USB drive.  The OS commonly recommended was Ubuntu.  Then boot to that drive. Use exclusively for Bitcoin transactions and that's it.

Another option is to use Truecrypt and Dropbox for your backup.  (You're still at risk of keylogger attacks).  I wouldn't keep too much wealth in that vault.  For this option create a truecrypt vault.  Place your wallet in it.  It is recommended to use symlink to link to your wallet within the truecrypt vault.  I couldn't get that to work.  Instead I use MultiBit and specified where to save the wallet in the truecrypt vault.

So long as your computer is clean that should give you reasonable security for spending.

The other option is to use an mtgox online wallet with double authentication.  Meaning you have to get an extra piece of hardware for $25 that gives you unique onetime codes each time you access your wallet.  Frankly I feel better about using truecrypt/dropbox then a hosted wallet.

Then for savings....

After looking at everything I feel your best bet is still the paper wallet approach.  However you don't have to store the paper.  You can create screen captures of the private keys (or cut and pastes) and store them in a truecrypt vault.  And then store that vault in the cloud.  Be sure though when you create the paper wallet your computer is clean (this might be where having that bootable USB comes in very handy).

To import the private keys I tested MultiBit.  Using Mac Texedit.app I simply edited an exported private key file, then imported it back into MultiBit.  It seems to work and wasn't too much of a hassle for a long-term savings wallet.

 

These are my conditions:

-I want it in a digital form, preferably on an encrypted USB stick
-I want to be able to use it with my primary and only laptop (needing to reboot my laptop is fine)
-I want to be able to at least send myself an email with an address where to send the coins to and be safe doing so or use some other way of copy/paste
-I want to spend from my savings wallet without having to download the blockchain


Does having a liveCD linux on a USB with armory meet all these conditions?

This actually sounds decent.. And yes keyloging is mainly what I want to protect against, I already secured everything with passwords..

Btw I'll pay up to $15 worth of BTC for a plug&play version of this and I'm sure I'm not the only one.

I use electrum, on ubuntu, that yes is installed on a usb stick.
It's my secondary wallet and is easy to backup and secure without any fuss on downloading a blockchain.
Sending and receiving of coins is pretty easy.

Since it's a pretty usual ubuntu install I can easily install and do anything I want for it that ubuntu can usually do.
I could of made it a live usb based version of ubuntu, but I wanted abit more flexibility, but it be pretty easy to do that if you wanted.

I used http://unetbootin.sourceforge.net/ to make the usb install drive, then install it to another.
Same program could be used to make a single usb drive a live drive and reserve X amount of room towards any programs and saved data you want between sessions.
Electrum is pretty easy to install for Ubuntu to be fair, then you just need to do standard stuff to secure it, giving it a nice long password and securing your seed (backup) somewhere safe
http://electrum-desktop.com/download.html

This might sound a bit naive...

...But before I go through the effort of setting up a USB boot, is it possible to boot to Ubuntu on a Mac running Parallels?  If not what are my OS options for this machine?

And to make this secure, I would need to be disconnected from the internet when booting to the USB right?

If that's the case, is it possible to somehow save the javascript https://www.bitaddress.org is using to generate bitcoin addresses.  And then run that on the USB stick in a browser not connected to the internet?

I'm not overly familiar with Mac. So can not offer any advice that is very specific to it.

At least with the electrum wallet that doesn't download the blockchain, you'd still need to be online to really check on or change anything.
But there is no reason why you would need to stay online longer than you needed to. So yes I suppose during bootup you could be offline.

I wouldn't generate an address via a 3rd party, I'd rather my program on my computer did it, that is just me.
I'm sure you could do that, some wallets will allow you to import those sort of details.

Any open source address generation tools you can recommend?

Pretty much every wallet software that I have installed to my computer has made one for me, upon install.
Now if you using one which doesn't, then I don't have any recommendations, since I wouldn't trust a 3rd party to generate my new address.

If the Bitcoin client generates the keys, is the only way to get those keys is through and export function?

The beauty I saw in the bitcoinaddress.org paper wallet approach is you never had to load the private keys into memory (simply print them).  Thus eliminating any chance of key loggers capturing that data.  Is there a way to do something similar in a BC client?

Think so.

I've never worried about that, since I keep all my machines both windows and linux regularly scanned.
You really don't have much to worry about on a fresh install of Ubuntu. How you expect it to get infected?

You'd only risk comes from keyloggers if you happily installed a wallet on an already infected drive, which quiet frankly is your fault for not making sure it's clean first.

Just some light reading I think might be relevant here for the paranoid:

http://www.toucan-system.com/research/blackhat2012_brossard_hardware_backdooring.pdf

Here's what you do. Download the Ubuntu LiveCD and put it on a USB drive using Unetbootin. Don't forget to allow for space to preserve files across reboots. Boot onto your USB drive and install Armory. Now, disable all network connections inside the operating system. Start up Armory in offline mode (it will prompt you since it won't detect Bitcoin running), and create a new wallet. Go to the wallet properties, and create a watching only copy. Save this to your USB drive (not the mounted file system). Make a paper backup if you want.

Now, boot back into your main operating system. Get Bitcoin running and up to date with the block chain. Start up Armory, and import the watching only wallet. With this, you can generate addresses, see incoming payments, and create spending transactions, but you cannot sign them. In order to sign them, you'll have to follow the Offline Transactions prompt, transfer the generated file to your USB drive, boot to USB, sign the transaction, boot back to your main OS, and broadcast the transaction.

Ok chrisrico, that sounds very good but I have two questions:
- can I import the watch only wallet into blockchain.info wallet and generate new addresses there or does it have to be the satoshi client?
- can I send from those addresses without having to download the blockchain - I don't want the blockchain on my laptop at any point if at all possible?

No, it has to be the Armory client.


Armory requires a copy of the Satoshi client running in order to connect to the network and keep the block chain up to date. I thought your requirement was that you didn't want to have to download the block chain twice, once for your main operating system and once for the secure storage. With Armory, you still need to download it once.

Yeah no, I don't want a blockchain on my laptop at all because I frankly don't see a need to have it given that there are other options.

Same. I love it so much. It's even running on my RPi

those options are then restricted to server based solutions which i personally am not comfortable with. 

i use an Armory offline netbook as my solution but am intrigued by the USB option outlined above and on etotheipi's thread.

be aware that the Armory watching only wallet can generate you an infinite number of addresses to receive coins.  its a deterministic wallet.  thus the backup is easy also and only requires a seed and chain code.

I've used Ubuntu Privacy Remix + a downloaded version of Brainwallet.org.

To make/fund the wallet:
Run UPR and make a brainwallet using a long, secure passphrase. Write the address down AND copy it to a separate USB stick. Fund address as needed.

To spend coins:
Get your transaction info from block explorer like so:
http://blockexplorer.com/q/mytransactions/1JwSSubhmg6iPtRjtyqhUYYH7bZg3Lfy1T
Save it to your USB drive with UPR. Run UPR and use brainwallet to generate and sign a transaction. Copy the TX to second USB (and write down if paranoid). Broadcast to the network using one of various services.

There are other ways to do the same sorts of things using Electrum, but I found this simpler as all one needs are two USB sticks and UPR+Brainwallet.org.

Man I'm disappoint. I thought there's an easy plug&play solution for this issue but I guess not.

Let me repeat this again, I'm willing to pay up to $15 for a plug&play USB stick that would allow me to meet my conditions and I don't believe I'm alone.

Have you looked at my little project already?

It includes Bitcoin official client and Bitcoin Armory. You can choose between two kernels at boot: One for online usage (to broadcast transactions / use your watch-only wallet / etc.), one for complete offline usage to sign your transactions (either with saved wallet or wallet recreated from paper wallet). In online mode hard disk access to your host system is allowed and Bitcoin does ask for its data-directory. So if you have downloaded the blockchain on your host system already, you can reuse it (and don't have to download again, Attention: The version of bitcoin within the live-system uses a newer version of the db-backend. The blockchain is converted to this newer format on first start and then can't be opened with an older version anymore. If you still want to use your blockchain on the host-system make a copy first.). In offline mode blockchain is not needed (verification / creation of unsigned transactions has to be done in online mode).

Thread: https://bitcointalk.org/index.php?topic=109439.0 (https://bitcointalk.org/index.php?topic=109439.0)
Link to Demo-Download: https://github.com/flipperfish/privcoin/downloads (https://github.com/flipperfish/privcoin/downloads) (Be aware that this is only for demonstration, it would be more secure to create the live system yourself. If you use a freshly installed VM with Debian Wheezy this should be pretty easy.)

You can still use blockchain.info from the live-os in online mode, if you want. It would also be possible to use electrum in the same way as Armory with offline transactions, but there is no gui for this currently, which results in bad usability. And IMHO bad usability is the arch-enemy of good security.

except for the no blockchain part.. what about just having truecrypt (or whatever the better one is?) partition on USB, store vmware/virtualbox hdd on it with linux and run wallet inside that ? Then use keypas or similar to copy/paste wallet passwd in each time you want to spend  ?

I already have something like this setup but this is vulnerable to keylogging.

So I now have a USB stick with ubuntu on it following this guide: http://squarethought.wordpress.com/2011/06/26/bitcoin-on-a-stick-usb/

Would someone be so kind to explain to me how secure this is with a network connection enabled after I exactly followed that guide? Also what are the risks of using either multibit or electrum clients for my savings wallet?

The article is telling how to install and configure a firewall and antivirus for ubuntu so really I'd say it's done a okay job of making sure it's secure atleast from the outside. It's abit outdate since most would install 12.04 now, but it's easy to adapt to that.
Of course the client like electrum you still need to make sure you follow sensible precautions and secure it, lock it, which I kinda remember it bugging me to do.

I prefer Electrum over multibit. I don't know enough about the later to be honest. Thin clients are ideal for those who want to install to a usb, where you don't have the room (or want a lot of writes) for the blockchain, but your private key isn't shared, so no risk there.

http://electrum-desktop.com/
https://bitcointalk.org/index.php?topic=100502.0 (electrum thread here)

Great, thanks for your help. Mind answering a few more questions?
1) is that firewall enough to protect me even if I'm connected and happen to visit a compromised site? Can a script drive by still install something on my system without me knowing and having to allow it?
2) should I update to 12.04 (I don't mind the work if it's somehow better for my bottom line - security)
3) do you happen to know how I can check how much free space is left on the USB, I'm a linux noob and I couldn't find that anywhere?
4) is there a way to trim down Ubuntu and uninstall some tools if I should notice I'm running out of space (I bought two 4GB sticks specifically for this purpose)?

1)
If you want it to be secure, probably a not good idea not to use this system running just a usb to go to websites that you don't trust 100%.
It's holding your backup/savings wallet, if you want it for dual purposes, use another usb or HD that matters less if it gets comprises. Saying that most such sites infect windows based machines and have no effect on linux ones. That is what the anti-virus is there for, incase you do something stupid, since that is how most virii get on peoples computers.

2)
Yes, I would make sure you install 12.04.

3)
Unless you made your usb partitioned for specific folders, easiest way is to open up any folder, click on it's properties and you can see it's free space just like in windows.

4)
Software Center will allow you to install/uninstall anything you want to. There is plenty of things you don't need, but 4Gb sticks might be too small, unless you get a specifically trimmed down version of 12.04 ubuntu. Personally I would of gone with 8-16Gb sticks, not much can be done now. Btw don't bother with setting any swap space, realistically you system shouldn't have a need to use it, so that will save some space. Think Xubuntu uses up less space than vanilla ubuntu.

QR Codes on paper are a digital form.  Just an extremely durable and low density medium.

Thanks for your help again.


Yeah I only meant for sites like blockchain.info so I can easily fund my day to day wallet.

No problem.
If that is something you feel must be done while on this system, you should be fine. I can't see why but okay.

Hmm well I made another installation of 12.04 now, but following that guide for how to setup a firewall I now run into two problems:
1) I did:
But this didn't work after a reboot..

2) but once actually typed in sh ipt.sh which I setup as instructed (c/ped it) it started blocking browsing... I couldn't even ping anything. Did I do something wrong or do I need do change something?

I'd really appreciate anyone who could help me out with this. Thanks in advance!

Here's some questions about your requirements:

(1) Do you want to be able to use unique addresses for each deposit into the wallet?
(2) Will the addresses be distributed to other users for receiving payments, or only used for your own deposits?
(3) Does it matter how often you have to backup?   
(4) Does it matter how easy/convenient it is to move the coins once it's in savings?
(5) Does it matter how easy/convenient it is to monitor coins in your savings?
(6) Are you afraid of running scripts, or must you have a GUI?

If the Bitcoin community was bigger, and the developer community was bigger, there might be enough competition in the client market that you can ask for whatever you want and someone will have made it already.  But at the moment, it sounds like you are asking for cold-storage, but chose requirements that are in conflict with existing cold storage solutions.  I think you are going to have to pick a partial solution, and tweak your own CONOPs (concept of operations) to better achieve your goals using these partial solutions.

You have made one of your requirements not to have the blockchain, at all.  That's a fine requirement, as long as you're willing to give up some security (being a lite node dependent on full nodes you don't own comes with risks), and willing to limit your options to clients that don't require the blockchain.  That leaves... very little.   I guess electrum with offline wallets using the command line.  Or a variety of hack-it-together-yourself solutions which are fragile and very inconvenient (and error prone). 

However, if you remove your no-blockchain requirement, suddenly you have Armory, which was designed specifically for the reasons you are requesting.  You can have your top-notch encrypted in offline storage, with the ability to watch your funds without having private keys online, requires only a single backup the first time you create the wallet, produces an infinite number of unlinkable addresses to use for yourself or distribute to others, and gives you a way to actually move the funds out of cold storage without having to execute 37 command line calls (it takes 60 seconds once you understand the process).  And all packaged in a nice GUI with built-in instructions, and 6+ months of testing with end-users.

However, if you're going to make no-blockchain your unbreakable requirement, you're going to give up a lot of other features that may be useful to you.  You can require A, and as a consequence give up B,D,E,F,and J.  Or you can acknowledge that giving up A might be worth getting B,D,E,F and J (whatever those may be). 

I'm not trying to be annoying or degrading.  My only point is that I made Armory with offline wallets for exactly the reasons you are requesting, but your inflexibility to waver on the no-blockchain requirement might be blinding you to what is otherwise a fantastic solution.  If you are going to stick to it, you might consider electrum + command-line.  That's the only structured solution I know that does offline wallets without the blockchain.  If you don't want blockchain or deal with the command-line, then you're going to have to go with an internet-connected solution that is kind of contrary to the original goal.  If you insist on no-blockchain + no command-line + no internet, then I think you're out of luck  (maybe the electrum devs will work on making an offline wallet GUI).

etotheipi, ty for your reply I didn't take it the wrong way but please you too don't take this the wrong way.

You are approaching my requirements as a developer instead of as an user. For instance as far as I know right now, running linux with an encrypted home directory already is all the security I need even if I connect to the internet. I'm not looking for impenetrable air gap solution that a bank or an exchange might consider. No, what I'm looking for is a peace of mind easy to setup and easy to use solution that will be good enough.

Here is what I fear, I fear keylogging and viruses which is what I understand is the only way my wallet can be stolen or my bitcoins spent by someone else and all I need is something that will protect me against that.


Here's my Christmas wish list for safe storage:
- a bootable encrypted USB stick with ubuntu on it
- stripped down Ubuntu running only the essentials, allowing only the most necessary connections
- a light client that will hold the wallet file on the USB stick at all times
- the option to easily communicate addresses between my spending wallet and my savings wallet while using this USB ubuntu setup
- piece of mind that when I visit blockchain.info there is no chance something malicious could be installed on my USB ubuntu and rob me


How I'd use this? Well right now I'm using only blockchain.info. If I had such a USB stick, every time I'd want to transfer money between my spending wallet to my savings wallet or the other way around I'd simply reboot my laptop, boot the USB stick, open firefox, go to blockchain info and upload a private key or send a transaction from my light client while knowing nothing bad can happen.

To be frank if you think this is asking to much you're delusional. Users such as myself, who have little clue about linux and and don't want to have a bitcoin client running eating up my connection, eating up my hard drive and eating up my RAM and don't want a 30 step solution will lose their mind with Bitcoin because of worrying they might get robbed. And I discovered this problem just now.. It's fucking hard to setup an easy to use and yet secure plugplay savings wallet and using anything else is just too risky. I thought I was safe with an encrypted backup on my email with a strong pw and two factor authentication on blockchain but it turns out that if I get key logged and an attacker gets to my email and gets to the backup he can simply decrypt my wallet and steal my money. Since I realized this 5 days ago it's all I'm thinking about and what I need to do to fix this security hole.

I don't want a perfect solution but I do want a user friendly solution that will be just good enough in 99.999% cases so I can have some peace of mind. The best such option right now is paper wallets if you're willing to deal with printing stuff and can accept the risk of being robbed the moment you're transferring your bitcoins from it.


But please, listen to what I'm telling you as a USER, even if all of this sounds outrages to you I promise you I'm not alone who feels this way, and if you want a lot of users you need to listen to us, no matter how ridiculous our wishes and needs. I can even tell you the armory solution doesn't sound bad until you get from the offline mode to the online mode. If I could use blockchain.info + offline armory I'd be a happy camper.

It would also help if someone explained what attacks are possible on a machine running ubuntu with a firewall up. I don't understand if this is safe or not.

you may think that carrying your savings wallet around with you on a USB stick is safer than leaving it at home in a safe but i'm not so sure about that.  what if you lose it or it gets stolen from you?  what's wrong with leaving your offline savings wallet at home on a netbook in a safe?

So what if it gets stolen? It's encrypted with a +30 characters..

i hear ya.  actually i've been interested in a good USB solution for a long time as well.   more out of curiosity than anything.  as discussed before, the 2 USB solutions i'm aware of using Armory are:

https://bitcointalk.org/index.php?topic=110106.msg1200623#msg1200623

https://bitcointalk.org/index.php?topic=56424.msg1207465#msg1207465

the only other thing i'd say is carrying your USB stick around is less safe than if you had it home in a safe on whatever medium.  theoretically at gunpoint you could be forced to cough up the pw for the USB.  if at home, the thief would have to catch you at home, force you to open the safe, and then cough up the pw which all would be less likely or more difficult.

Well no, there is no label on it saying it's carrying money so how would anyone know to force me to give something up they don't know I have? But yea sure, it's safer keeping it at home but I'm not going for 100% security.

hazek,

I don't think that anything you said is outrageous or unreasonable, with minor exception.  My point was more that there is a gap between the supply and the demand on the end-user-software spectrum.

The caveat is that any system that is online has an order of magnitude more attack surface than one that isn't.  I'm not saying that there's no security to an online system, I'm saying that this thread is about "securing your savings wallet" which many users don't consider secure unless there's a physical/manual gap between the internet and your keys.   I misread your statements, thinking that you were like other users who wanted the cold-storage, but also wanted all the other features that haven't been combined into any existing cold storage solution, yet.  Since that's not the case, your options are significantly wider.  I was simply trying to bridge your understanding between "reasonable" and "reasonable-but-doesn't-exist-yet-you-might-need-to-find-a-compromise."  

If you are interested in simply a more-secure online solution, then that's a discussion worth having.  And it probably won't include Armory (eventually it will have a lite mode, though).

Since I'm using encryption I believe all I should need to be very safe is protection against keylogging. With my current setup, rightly or wrongly, that's the only thing I'm worried about. And I thought having a USB with Ubuntu is a solution for that.

Now is this having my wallet secured? You tell me! Is encryption + keylogging protection enough or are there other attack vectors I'm missing and are way too risky to remain exposed to?

The problem is that encryption doesn't protect you from a Bad Person that obtains access to your system.  Your wallet may be encrypted, but it has to be decrypted for a moment in order to sign transactions.  That means that, at some point (unless you never spend any coins, only receive them), your private keys will be sitting unencrypted in RAM.  If someone has root access to your system, they can write a program to copy the program's memory space as soon as it detects you've unlocked it.

It's not easy for an attacker to do.  Not every attacker gets root/admin access.  But there's also a lot of nasty viruses/malware out there, and people get infected all the time.  And part of the reason it's so difficult to secure computers against them is because they're constantly changing and developing new ones.  In fact, the threat vectors are the ones you don't know about yet (because the ones we do know about have generally been patched already).

If you really want to do the online computer thing, I recommend it be done on a system or OS that has good A/V and is not used for web-surfing.  It should have a minimal amount of software installed, and minimal interaction with the internet.   It's sole purpose should be for your Bitcoin software.   And in fact, that's very much like what you're asking for...

I just wanted to point out that for most users, hearing the phrase "Securing your savings wallet" is synonymous with "I want to keep a couple hundred dollars worth of BTC online, but I want to store my $30k in savings in the most secure way possible."  For most people, $30k is not something you compromise with, you just get the best thing out there, even if it's a little inconvenient.  I'd like to believe that Armory is not only "the best thing out there", but also rather convenient once you get past the load times :)

Unfortunately, it's very difficult to quantify what the security difference is, because most of it is based on what we don't know -- Bad People are finding new ways to attack systems, all the time ...

how common is it to have a laptop keylogged?  i thought that was more a function of physically attaching a device to the keyboard wire on a desktop?

how do you keep the A/V up to date?  don't most have to update every day or so online?

It's exactly what I'm asking for and trying to setup.  :)

Also thank you and everyone else very much for all the advice you're giving me here.

No I meant the encryption pw could be keylogged..

Hazek,
     I share all your concerns. I'm actively working on a Secure USB Bitcoin stick solution.
I'm currently in the feasibility stage. Trying to brush up on some programming skills to see if the microprocessor that only cost a few dollars will have the capability to generate signatures. If it does, then we are in business. It is going to be open source hardware/firmware.

IMHO there are a lot of attacks possible. Even if your firewall does block ALL traffic, some bugs in the kernel might be exploited. If you actively use some browser, etc. there is an even bigger attack vector. The firewall cannot protect you from attacks to the browser (because the browser has to be allowed in the firewall). Additionally, as long as you have some kind of storage, which holds modifications to your whole system (so you can install new packages, etc.), there is a chance that malware can hide somewhere (except you check every dir/file before booting).

The solution to this is having a read only system. It has to be checked only once. The wallet often must be read/write, but for the sole purpose of signing offline tx it would be enough to have it writable only at time of creation. This is also the reason, why I think, that encryption for a pendrive solution for bitcoins is overkill. All that has to be protected is integrity (which can be done without encryption of the whole live-system) and confidentiality of the wallet / private keys (which most clients do already).

Great, I can't wait!

This is what I have now:
- up to date Ubuntu 12.04.1 on a USB stick
- home directory encrypted with a very strong pw
- UFW blocking everything in both directions except 53,80/tcp,443/tcp out
- noscript addon for firefox intalled
- blockchain javascript verifier addon installed
- always browsing in private mode


My plan for use now is to either install electrum or multibit for my savings wallet and use those two in combination with blockchain.info which is the only website I'm ever going to connect to again.


How secure am I? How much money would you store like this?

I would store no more than the number of bitcoins I was willing to lose in that setup. Mainly because you are utterly relying on a third party (blockchain.info), but also because of what flipperfish said.

Ugh.. this is so frustrating. How am I going to lose my coins if blockchain.info won't hold more than what I need for my spending money. And how can a bug get exploited if I'm not going to be actively using my browser.


One more time: I'm going to use my setup as follows. When I want to fund my savings wallet I'm going to reboot to my ubuntu stick, open electrum or multibit(haven't decided yet) open either an exchange page or blockchain.info and transfer the money to my thin client's wallet. After I do this I'm going to close and reboot. If I need to spend my savings money I'm going to reboot to my ubuntu stick, open electrum and open blochchain.info and fund one of my spending addresses. I wont do anything else with my USB stick.

Where exactly is the risk in doing this and how big is it? Is linux really this unsafe that I can't even do the above without risking getting hacked? Is there really no other option but an air gap?! I mean this starting to be too much..

If you're not prepared to hear unwanted answers, you shouldn't ask questions. A few people have already answered with possible attack vectors for your setup, but apparently you don't want to hear it.

All I was saying is that I would not be comfortable storing a significant number of bitcoins with your setup. I prefer to have complete control over my stored coins, something your setup cannot provide.

No, I'm prepared to hear any answer. I just am frustrated with incomplete answers. Telling me it's not safe despite all these precautions is an incomplete answer. I know it's not 100%, I already said this. I already said I'm willing to forgo complete security for some convenience but what you told me is that you wouldn't trust my setup at all which I just can't take as anything but bullshit. Yes I can lose my money, but here's a newsflash for you, you can also lose your paper wallet if a thief breaks into your safe. Perfect security does not exist and I'm not asking for it. All I'm asking is for a setup that is reasonable safe but you are telling me that my setup is inherently unsafe which I just cannot understand without any further explanations.

I already said that most of what I'm afraid of is a keylogger because I'm already very careful, have keepass and strong, uniquie passwords for any service I use, I have noscript installed, I have an antivirus running...  My windows setup is already a lot safer than what most have but I'm not happy with it because I realize I'm actively browsing on this OS and a keylogging threat exists. All I wanted to do with my USB ubuntu setup is protect myself against that. Why? Because encryption takes care of the rest. And now you're telling me my USB Ubuntu setup will not even protect me against keylogging?

either i don't understand how electrum or multibit work or you don't understand Bitcoin.  when funding your savings wallet there should be no need to open your ubuntu stick and connect to blockchain.info.  you just have to send the coin from blockchain.info to the savings address, period.

Put it this way, there is nearly always the potential for you to be hacked or get a virus, but you have to under the % chance of this happening and put it in context, just because there is a 0.0001% chance doesn't mean it's going to happen (numbers maybe made up but they wouldn't be far off for any tech savy user).

I've been on the web for over 24 years. Sure my computer has caught a virus or two, but my personal computer was never purposefully attacked or hacked into. Most of the virus' I got was when I was a child or I let someone else on the computer and they did something stupid and it got compromised because they downloaded something they shouldn't of done and yes all of these were windows machines.
Btw the few linux based PC's I've had and never to my knowledge had either a virus or been hacked into, I use the same level of protection on these as my servers.

I've owned a server, vps, shared hosting of some sorts for around 10 years, those have a nice big target on them, no virus' but do get hack attempts all the time. They were all Linux machines very public, since they are servers and host a few relatively popular websites.
Most hacking attempts are pretty basic, so it's easy to prevent with a properly setup firewall.

If you want to go towards server like protection against hacking attempts, that is what you need to look into how to setup your firewall. One method, limiting outside access by IP address to specific ports, anyone else, gets a denied instantly. Figure out what might need to access you from the outside, make note of it's IP address and put that on a white list. Don't add more than you need to.

So if blockexplorer is the only site you go to, make it so that port will only be open for that IP address of that site.
Same applies for electrum and it's blockchain servers and the ports it uses.

Linux really does not need the same sort of anti-virus protect as windows, so as long as you have something, that is usually enough.

There is no need, but I want the convenience of c/ping the address and I'm ok with the extra risk that that exposes me to. At least I thought I could be.

That was my plan. Right now (I'm still not done setting it up) everything in is denied and only ports 53,80/tcp,443/tcp are allowed out. Once I figure out what ports electrum needs (probably what I'm going to end up using) I'll add that to the rules and that's it.

what is c/ping?  copying?  why?

Because I can't smell the address I'm sending bitcoins to.

what?  smell?  i assume you mean monitoring the balance?  dude, you need to educate yourself better as to how the system works.  you don't need to connect to your stick to do that. just use blockchain.info to monitor the balance.  you're making everyone here twist and contort to unreasonable demands for what you want w/o a complete understanding of the system.

having said that, thanks for this thread as i really enjoy sniffing out these security issues.

No dummy.  ::)

Look, I have two separate wallet files. One resides in blockchain.info the other on my USB stick in the electrum client. If I want to send money from the electrum wallet(my savings wallet) to my blockchain.info wallet (make it available to my spending wallet) I need to be able to input an address that belongs to my blockchain wallet into the electrum client. Got it?

I know I can add a watch only address to blockchain.info wallet but I can't spend from it unless I import the private key for which I'd also need to connect to blockchain.info.

I'm fairly certain I have a pretty firm grasp on what is possible, how things work and what I'm asking for.

sounds to me then that you should be using Armory.  it avoids any server exposure, allows the watching wallet for your savings wallet, and you don't need to connect the stick to the internet at all to sign tx to send coin to separate spending wallet located on blockchain.info.

Armory is not an option because having to keep a local copy of the blockchain is a deal breaker for hazek. He's willing to trust his entire savings to third parties (electrum, blockchain.info) and on an online machine. I give up on him, he can do whatever he wants.

That's just silly.  He said he'll be using his stick with a laptop.

It's a bad idea to use best-practices for protecting a server to protect a client-system. It's a completely different usage profile at a client and thus a different attack vector. Simple example: A server would never connect to blockchain.info, because it's a server, in best case even without gui or browser. Without a browser there's no risk of getting malware through (for example) an xss-attack on blockchain.info. Nevertheless at the client, this risk is very real.

I know it's different, clearly you didn't read or understand what I said, or read more into it than what I said.
I merely gave advice on configuring his firewall, that is it. None of the stuff you mentioned.

You wrote something about configuring a firewall to protect a server. I just made clear, that the configuration of a firewall for a client-system is completely different and not enough.

I made a small adjustment to my plan. This is what I plan to have now:

- Ubuntu 12.04.1 up to date USB stick
- 2 users: administrator, standard (home directory encrypted)
- electrum light client on both
- administrator always offline with no browsing at all using electrum offline tx signing and deseeded wallet sharing
- standard online, synced with electrum servers with a watch only deseeded wallet + blockchain.info in firefox + noscript + verifier + firewall all blocked except out: 53/udp,80/tcp,443/tcp

Is this any better?

Sounds like a hacker with a nice attack-via-browser setup just needs to hack blockchain.info and wait for you to expose your browser to the attack...

Of course the owner of blockchain.info will claim it wasn't them, they were hacked, afterall that is standard procedure for bitcoin services offered as websites so no surprise there...

Just how much coin are you planning to put on your windowsill like that to tempt hackers?

-MarkM-

I'm a little confused by your description. On Ubuntu you would usually have one user who can sudo to get root privileges. But not a separate admin (root) user. Just to be clear, you should not create a root user for admin purposes. Maybe that's not what you meant anyway.

I'm also not clear if you are having just one system for both uses or a regular desktop plus also a flash stick that you reboot into.

I haven't completely figured out my offline approach yet so I won't detail that but I have thought a bit about it. I don't have so much money in btc that I'd need to worry. A few things come to mind. Only have as much as you feel comfortable losing on a net connected system. I've used Linux for years and never had any issue with hacks and stuff but everyone is different and user carelessness matters a lot.

There's lots of ways to do a savings wallet but I think one thing well agreed on by many is that it needs to be a clean offline system. The more minimal the better. Every added component adds more risk, even if minimal.

No one notices the Vanitygen keyconv utility but it generates address/keys in the simplest possible way. A minimal cmd line tool. You can check the code in only a minute because it's so short (250 lines) and only depends on openssl and the std c library.

keyconv -G >> wallet.txt

But most of us want to play around with more complex fancy toys. For security this is less desirable.

Ok I guess I need to be more precise so people can understand what exactly I have in order for them to able to comment on security of my setup. So here goes.

I'm using a laptop with win7. I try to do my best to secure it by having ESET antivirus installed, noscript addon in firefox, hardware firewall on linksys router. For my various accounts I use keepass2 where I keep all my passwords encrypted of course with a strong master password. And for my spending wallet I use blockchain.info with two factor sms authentication and with the javascript verifier installed.

This I think is already decently secure but of course given that it's a working setup constantly online and used mainly for browsing I'm still exposed to a lot of attacks. Most of the attacks can't hurt me because blockchain.info uses encryption so unless someone can read my RAM with the unencrypted wallet while I'm logged in I'm safe from outside attacks there. The main security hole besides counterparty risk is my backup of the blockchain.info wallet sent to my email because if someone were to keylog me, they could get that encrypted backup and decrypt it provided they keylogged both my blockchain.info pw and my email pw, or just my keepass2 master pw if they managed to get my pw database.

That's why I decided to reduce the risk of a successful attack by installing Ubuntu on a USB stick. This is not a LiveUSB, it's an actual full installation of 12.04.1 which I then fully updated. The admin user I was referring to is the installation user that is the first user that you create when installing Ubuntu. I didn't mess with root or created a root user. This installation admin user has it's home directory encrypted with a strong password and is never online. I installed Electrum and created an offline wallet.

Then I created a second user on this same USB ubuntu installation which is a standard user, also encrypted home directory, is online only for the purpose of conveniently communicating receiving addresses between my blockchain.info spending wallet and my offline wallet, has UFW set to block everything except ports 53/udp,80/tcp,443/tcp,8081 out, has noscript and blockchain verifier installed and is not used for any other type of browsing. All I do with this user is log into blockchain to send bitcoins to my savings wallet or to copy an address that I'm going to send bitcoins to from my savings wallet, that's it. Then I have a shared directory which I use to move the offline deseeded wallet between my standard user and my installation admin user and when I need to spend from my savings wallet I log into my installation admin user, reseed the wallet, make an offline transaction, put that file in the shared directory, switch users back to the standard user and send it.

And that's all I use this USB ubuntu stick for, nothing else at all.

The only way I can now from my highly limited understanding see someone steal my savings wallet is if they manage to hack my standard user and somehow insert some malicious code in my kernel files which would then run while I switch back to the installation admin user. If this scenario is something I need to be seriously worried about, so much so that this setup isn't secure enough for my savings wallet, then I just don't understand how any server doesn't instantly get hacked all time.

Sounds like you're mostly fine. One step better - I would boot this usb stock while disconnected from the net. Save files for transfer somewhere shared. Remove usb, Reboot and connect again. It's pretty unlikely that you'll have problems with what you're doing now but the less your usb stick sees of the net the better. Well known public sites are far more likely to be targets than an unknown individual and this has some bearing on how far you want to go.

How about this alternative, integrated solution:

*Buy cheap used android phone (or new phone if you wish)
*factory reset/flash ROM/etc.
*use wifi to download bitcoin spinner (no carrier service on this phone)
*use SD slot to backup wallet seed
*use camera to scan address from blockchain.info (nice air gap here, no need to even log onto website)
*only power on or turn wifi on when reloading spending wallet.
*phone only communicates with bitcoin spinner servers
*bitcoin spinner servers handle the blockchain

Not the most advanced solution, but VERY EASY TO USE.

Modern computers are inherently insecure. They are slapped together quickly and cheaply. The prevelant debuging method employed is "ad-hoc" debugging, where the software or hardware is tweaked until it appears to work. Software and hardware is not proven correct, in part because it is perceived to be impossible. In truth, the halting problem only applies to Turing machines with infinite memory, which computers only imperfectly emulate.

I used to think that modern computers could be considered reasonably secure, if only they ran from Read-only memory. For over a year, I used a diskless computer booting from a live CD as my primary computer (a second computer acted as a file-server). For several more years my router was booting from a read-only floppy disk. Then I learned about an attack on a Voting machine using read-only memory (http://ucsdnews.ucsd.edu/newsrel/science/08-09ElectronicVoting.asp). They leveraged a stack overflow bug in one of the configuration menus into a full machine compromise. Because the machine was battery-backed, they were able to emulate the boot process. To get around to read-only memory limitations, they used a technique called return-oriented programming.

The implications for your laptop booting a "secure" USB key are obvious. A sufficiently skilled attacker may decide to emulate the boot process and prevent you from rebooting the machine; instead putting the machine in standby when you think you are turning it "off" (possibly adjusting LED behaviour in the process). You may think the battery is simply degrading with age. When you boot into Ubuntu, it may be running in a virtual machine, such that the hypervisor can record all of your keystrokes. The best part of return oriented programming is that if you do manage to do a hard-reset on the machine (by removing the battery), there may be no trace of the attack left on your hard-disk: simply because the binaries were never modified. The attacker would simply reinstall the malicious code the next time they come into contact with your machine.

There is a reason people advocate "cold storage" for large ammounts of money, commonly referred to as "savings". As the Armory author told you, it reduces your attack surface considerably.

From your description of this USB key, I get the impression that you are keeping only one copy. This is a security risk too. If your USB key gets lost or damaged, you would not be able to spend the funds. You really should consider some kind of paper backup in a safe somewhere.

buy a casascius BTC1 coin, peal it, take a digital picture of the private key and first bits, copy the jpeg to a secure/encrypted SD card (easy to do on Mountain Lion)...use MtGox to cash in the private key and send to a new address...

Seriously? Put my savings in an address someone definitely already saw the private key for? You must be joking.

s/casascius/your own easily generated key pair/g

now you've done it.  hazek won't sleep for a week.  ;)

I will sleep like a baby because my laptop is private and no one but me has access to it.

I think the most secure way is evenly divide your savings into 5-7 different wallet, and spread them among different platform, medium, physical location, online services, etc... so that you don't have too high risk on any single of them

A distributed saving solution

if your going to forgo some security for convenience.. then DO NOT forgo this security:

downloading ready compiled end user bitcoin programs....

the best security is knowing what goes on your computer in the first place.

i personally grabbed the sourcecode for the bitcoinD daemon, read through it then compiled it myself, i then made a simple VB.net program that API calls the daemon with commands i wanted.

i have it on a 16gb memory stick and life is good.

the chances of you getting a bitcoin trojan randomly browsing google for real life stuff is low. but the chances of you getting one downloading ready compiled end user programs from people in the bitcoin community is higher.

so do not get anything ready compiled from within the community. even if they show you sourcecode separately to say their ready to rock compiled executeable is ok... dont do it. compile it yourself.

seeing something large, ready built is tempting.. so was the trojan horse.

this is where i think the world market would suffer with adopting bitcoin. too many naive consumers who dont know how to compile, wanting ready to rock solutions and trusting in a community of hackers, script kiddies and anonymous users they have never met.

What's wrong with using a brain wallet???

Nothing if the keys are hashed up offline, other than amnesia being very expensive. :)

I'm sure your relatives will appreciate you taking your Bitcoins to the grave when you get hit by a bus.

Seriously, people:  if you want a "brainwallet", at least hand-write it onto a sheet of paper, with identifying markings, and pay the $5/mo for a safe deposit box.  I'm sure there's more stuff you'd like to store in there anyway (car title, birth certificate, etc).  Then, when you've forgotten your brainwallet after 2 years, or something unfortunately happens, your relatives will gain access to it and the coins won't be lost forever.

And of course, I don't condone brainwallets -- most people do not create strong enough "passphrases", and of course what I mentioned above about losing coins forever.  If you're going to go this route, boot up an offline computer wiht a linux Live-CD, and install Armory and use it to generate a high-entropy wallet.  Go to the "Print Paper Backup" dialog, and manually copy down all the information on the sheet (you can use a printer if you trust it).  Also copy down the first X addresses so that you have some addresses you can use for putting money into it.  Keep that address strings, and put the paper backups into envelopes.  Put one envelope in a safe-depost box, perhaps another one in a safe.  Live happily knowing that your coins are both secure and recoverable.

But if you're going to do this, you might as well use Armory offline wallets.  It is exactly what I said above, but you also get a watching-only wallet so you can monitor it online and distribute new addresses (private keys never touch the internet).  Spending is easiest if you keep the wallet on the offline computer, but you can just as easily reboot into a live session, and re-enter the paper-backup information to regenerate the wallet each time you need to sign something.  If you don't move the coins often, keeping the paper backup in your safe is sufficiently secure and convenient.

i personally have a large hoard in paper form printed to look like a bearer bond with instructions on the back how to redeem it. safe in a box stored away along with a CD containing the programs i hand crafted ready for the redeemer, in my demise to inherit the world... or i spend it one day :D  . i only hold smaller amounts on my personal wallet, so human memory is not an issue for me.

I have some questions about using Armory in a fully air-gapped offline mode that are relevent to the same scenerio as the OP.

I want to store Bitcoins on a computer which, after the initial software installation and key generation, will never again communicate over a network or accept removable media.

Can Armory generate raw transactions without ever having any knowledge about the blockchain and display them on the screen as a QR code?

If it could do this, and if the QR code was formatted as a URL, it would be possible to create a lightweight web service that would accept raw transactions as a URL parameter, check them for validity, and broadcast them on the network.

Now spending funds from an offline wallet doesn't require a serial cable or a thumbdrive - it just requires a smartphone with a standard QR code reader app.

I think this was discussed in the Armory thread (or maybe this one), but here's a quick run down. In order to use the offline Armory split wallet method, you must also have a computer with the block chain up to date and Armory installed, with the watching only copy of the wallet. The offline copy doesn't have any block or transaction information, so you can't even see your balance. The online copy is where you must initiate all transfers. In order for the offline copy to sign and verify the transaction, it must be supplied with the transactions for all outputs to be spent, along with the transaction to sign. So you first need to transfer more data than will fit in a QR code from the online to the offline computer, and then a smaller amount of data in the reverse direction.

I don't understand why this needs to be a hard requirement.

In theory the offline computer only needs a private key, output amounts, and output addresses to generate a valid transation. Output addresses can be typed in manually and stored in an address book. Amounts can also be manually typed in.

Sure, there's a high potential for user error doing it that way but the biggest risk (incorrectly specifing the amount for the change address output and giving away most of your savings as a transaction fee) could be removed by reusing the input address as the change address or by basic sanity checking built in to the offline program.

Edit. I just found out in a different thread that my understanding of how an input is specfied was incorrect. So now I do understand the requirement to generate the transaction on an online computer.

It's even a tad more complex than that.  Without the blockchain on the offline computer, it can't verify all the information on the transaction, and it may be tricked into signing something that you didn't intend.  i.e. -- someone hacks the computer holding the wallet you use to create the transactions, and the next time you create a transaction, it will put false information in the transaction, and it will look like you are paying a 0.0005 tx fee, but it turned out to be 500 BTC fee.

There is discussion of this in the BIP 10 (https://en.bitcoin.it/wiki/BIP_0010) document.  The punchline is that you need to transfer not just the transaction to be signed, but every transaction that provides inputs to it (so that it can manually verify amounts and hashes).  Because of this, the data to be transferred back and forth between online and offline computer can be way more than a QR code can handle.  It is usually less than a few kB, but someone recently submitted a bug report because Armory choked when trying to sign a transaction with 483 inputs -- and so there was 483 transactions to be transferred, totaling about 3 MB.  QR codes are just not feasible, here.

I want to get away from USB keys, but they are just so damned convenient and people already know how to use them, so I haven't been able to make it a priority, yet.   For now, USB keys are a 98% solution, and I'd rather people use this solution, than be greeted with something dramatically more complicated, and then they give up on offline wallets altogether. 

If the online computer which generate the transaction is compromised it can lie about the size of the inputs and cause you to pay a larger fee than you intended, but how credible of a threat is this? The only one who benefits is miners, and would it be profitable for them to fund a malware attack when they can't guarentee to be the ones to mine the blocks containing these transactions?

There's a difference between petty cash and your retirement savings.

In the first case convienience is very important and losses, while still undesirable, are expected to occur from time to time.

In the second case no losses are acceptable.

You need different procedures for handling each case because the definition of success is different. I'm satisfied with the security of Bitcoin clients as the currently exist for storing small amounts of money that I could survive losing without taking additional security precautions. On the other hand, I see the existing clients as wholly unsuitable for safely manipulating large and critical sums of money. (not their fault - it's a hard problem that just hasn't been solved yet)

That's why I'm trying to work out now what would solve the problem in an acceptable way before I actually need the capability.

Excluding exchange rate risk, it's perfectly safe for storage. The problem is safely moving funds out of storage without potentially exposing your private keys to malware.

Depending on who you talk to this is irrelevant or even beneficial.

It's an attack that is possible, and can ruin someone.  Even if the attacker has no financial gain from it, money may not be their primary motive.  Not to mention, that someone with serious mining power could see financial gain -- and further, if someone has compromised the online computer to do this, they can intercept the transaction so that no one else sees it until they can mine it themselves.  Sure, it may take a couple days, but the person may just assume something is wrong with their client or the tx fee (the fee they thought they were paying). 

No matter how silly the hole may seem to you, it can cause epic financial damage to someone and it's easy to avoid (modifying BIP 10 for this took only a few hours).  Thus, it had to be done.

Nonetheless, even if those transactions were not included, the tx to be signed could still be huge.  The transaction I referenced in my previous post was 140 kB.  Still too big for a QR code.

I think for this use case it's reasonable to look at ways to prevent the number of possible inputs from getting that large that might not otherwise be desirable.

The first thing that comes to mind is only having a single address in the offline wallet (always send change back to the same address), and combine unspent outputs after every N deposits, where N is selected to be small enough to never run into the problem you referenced.

No matter how much you try to avoid it, the system must still be able to handle it.  Even if it was acceptable from the user perspective to use only a single address, users would still combine wallets, import keys, etc, and it would still happen.  Plus, many users may collect month for months without ever moving the coins once, which means there will be no opportunity to consolidate coins until it's already too late. 

Even if it was, it's not worth the effort just to use QR codes for this purpose.  The answer is to find a transfer method that has higher bandwidth than QR codes.  (though, I do agree that programs could do a better job in this regard for high-activity wallets)

The answer is to find a transfer method that has higher bandwidth than QR codes.[/quote]Aren't there encoding methods with a higher limit that can be printed out?

If I was working with a savings wallet with > 10^4 USD equivalent I'd buy a printer/scanner for the offline computer and use paper to move the required data if that reduced the potential attack surface.

Aren't there encoding methods with a higher limit that can be printed out?

If I was working with a savings wallet with > 10^4 USD equivalent I'd buy a printer/scanner for the offline computer and use paper to move the required data if that reduced the potential attack surface.
[/quote]

There are non-standardized ways to do it, but it will be a lot of work.  I have discussed a lot of ideas -- and associated strengths and weaknesses -- in my Improving Offline Wallets thread (https://bitcointalk.org/index.php?topic=68482.0).  A lot of ideas have been discussed there, and you are welcome to contribute if you have more ideas.  I think I converged on a solution, though:  audio coupling.  Take two double-male audio cables and connect MicIn-to-SpeakerOut and transmit the data the same way a modem would. 

This has some tremendous benefits:

• (1) Zero surface for remote code execution between machines
• (2) Platform-independent (someone using an archaic/ancient version of Linux for offline computer may not be able to get webcam drivers working, but audio almost always works)
• (3) Simple, convenient and inexpensive for the user.
• (4) Bandwidth is sufficient to transfer a couple megabytes in less than a minute

I have not committed myself to this solution, but in the absence of new ideas, I believe this is how I'll go (when priorities become appropriate).  Before anyone mentions webcams, serial cables, IR, etc, please read that thread.  Those ideas were discussed, and may be appropriate for knowledgeable users, but I do not believe they are satisfactory solutions for the general user.

The attack surface is  never truly zero. Would you bet your life that it's impossible to craft an audio packet that crashes the decoder in such a way to allow code execution?

That being said it's probably safer than anything in use currently.

It's about as good as you're going to get.  There is no default software on any distribution (that I've ever heard of) that executes code based on the content of incoming audio streams.  Serial, on the other hand, some linux distributions have telnet logins enabled by default over serial ports!

Irrelevant.

Image displaying software isn't supposed to execute arbitrary code based on the content of a JPEG file, but it (http://www.f-secure.com/v-descs/ms04-028.shtml) still (http://www.securityfocus.com/bid/46651) happens (http://www.cvedetails.com/cve/CVE-2011-1931/) sometimes (http://www.slideshare.net/ashishmalik10/microsoft-gdi-jpeg-integer-underflow-vulnerability).

That you aren't even acknowledging the existence of an entire category of vulnerabilities does not inspire confidence.

Do we really know sound is safe? Has anyone ever tried to crash the Linux sound drivers via malicious sounds sent to the line in port? Maybe the only reason we don't think a vulnerability exists is because until now nobody has ever had a reason to look for one. Even if the sound drivers and ALSA libs are safe, there's still the matter of hardening the decoding software.

If even a task as old and well-understood as transforming a JPEG image into a bitmap can result in arbitrary code execution you can't just assume that sound is safe without at least some kind of testing.

Your software will, if you're not careful about avoiding buffer overflows. Remember, treat all incoming data as hostile and don't assume it is properly formatted (especially with regard to the expected size of the decoded data structures).

I'm not saying attack surface is exactly 0.00, simply that I'm not aware of any transfer method that has less linkage between the content of the data stream and what code will be executed. (and subsystems of the OS that automatically operate when the link is detected)

If you want to discuss this further, please respond to the thread I linked above.  This would be a good discussion to have there.