Bitcoin Forum

Shocked you were when you heard the horrify story, a guy lost a tremendous amount of BTC (perhaps worth half a million!), and so was I. Gone are the days when [url http://bitcointalk.org/index.php?topic=137.msg1195#msg1195]10000BTC could only buy a $25 pizza courtesy[/url]. After decimal bitcoin reached parity with the US dollar (2011 Feb. 9), BTC became serious at least for some individuals. The price of BTC keeping rising, wallet files on computers finally attract attention of thieves.
 
HOW to protect our BTC wallet?

The first advice is that you should walk away from MS Windows. MS Windows are too venerable, often easily infected with viruses, subject to Trojans, or controlled by unknown malicious programs. Nix-based operating systems are much more secure.

If you cannot abandon MS Windows as many (sometimes including me), at least you should setup a virtual machine (such as VBOX), dedicated only to running bitcoin client. DON'T install any other program even including anti-virus softwares. DON'T allow any other program pass through the firewall except bitcoin client -- open port 8333 ONLY. ONLY open this virtual machine when you have to pay bitcoin to others.

If you are interested in mining, DON't do solo mining. Solo mining forces you using mining software on the same machine in which you store your wallet file. Hackers can easily spot machines whose 8332 port is opening. They always have some methods hacking into your machine without your noticing, then, bang! your BTC disappears! When you're working in mining pool, you can only setup workers on local machine, and only setup a receiving address on the mining pool server, which means your wallet can put somewhere else, securely.

Now, official bitcoin client is weak.

If you have a fairly big amount of BTC, you should cultivate a habit:

• When you close your bitcoin client, you should move (NOT copy) your wallet file to other location, add a password (even a simple password is better than none) when compressing, and then rename it (DON'T leave it as wallet.dat!).
• Open your bitcoin client ONLY WHEN you have to send BTC to someone.
• Before you open your bitcoin client, put back your wallet file as it was.

Hope these simple advices are useful for you.

[url http://forum.bitcoin.org/index.php?topic=17208.0]BTW, I'm selling mining contracts[/url]. http://forum.bitcoin.org/index.php?topic=17208.0

The only way a VM can help with bitcoin security is if you do everything inside the VM and only use bitcoin outside the VM.

Good points!

L.

+1

It's good to point out the really simple things. In practice, many people will shy away from the 100% security recommendations, but just renaming your wallet.dat is easy and might be enough to save a lot of money. 20% effort to get 80% effect.

Another good point of advice, don't brag about how much you have. When I saw a news story about bitcoin and the value was so high, they mentioned in the story that the person who had the most bitcoins in the world (270K I think) and I wanted badly to e-mail them and say that they were very wrong and that I had 100K over that, but I didn't because I don't want the media banging down my door or turning a watchful eye to thieves or crackers.

humorous...

Yeah, it's totally not true: to be safe you need to do your day-today things in one VM, and do your bitcoin things in another.

Or, if you don't want the overhead of a two virtual machines, you could create two limited user accounts: one for day-to-day stuff, and one for bitcoin.

Moral of the story: It not viruses and tojans that make Windows insecure, it is the expectation that you are able to install Adobe Flash, P2P software, and Games as the administrative user. In the *ix world, requiring root privileges is considered a software bug.

With Windows Vista, Microsoft had the opportunity to make a clean break: they could have shoved all missbehaving programs in a Virtual machine running Windows XP. They chose the path of evil: putting misbehaving programs in a VM would be admitting that DRM does not work. On the contrary, Microsoft built DRM deeper into the system. Video drivers were screwed up for months because the companies involved were required by contract to make them hard to debug (to obfuscate the "Protected Media Path").

</Rant>

100% safe wallet:

1. buy an old PC on ebay
2. physically remove any wireless cards
3. boot from a linux live CD
4. run bitcoin offline to generate address and wallet.dat
5. encrypt wallet and save it to USB stick
6. deposit USB stick in bank vault
7. hand-type address into bitcoin client on other machine and send "savings" balance
8. remove hard disk from old PC and physically destroy it with a blowtorch

9. after withdrawing from savings wallet, repeat steps 3-8 with a new hard disk.


Ok, to be really 100% safe you probably have do all of the above in a faraday cage, but I don't think we have arrived at that point yet.

It is true. VMs are designed to protect the host against the guest. Protection in the other direction was never intended and does not exist at all.

It's just security by obscurity. Renaming files does the same job. I wouldn't even call it security. Linus Torvalds would call it masturbation.

Security by masturbation? That's security I can believe in!

False. You can run bitcoind on one machine and connect to it remotely from the mining machine. However, from a security standpoint it's almost the same, since your mining machine will still have full access to the coins using the RPC password.

Good advice, except that I am under the impression that Linux Live CD's (like LinuxCoin (https://en.bitcoin.it/wiki/LinuxCoin)) can run entirely in RAM, and so no need to torch your hard drive.  The wallet.dat file never hit your hard drive.

In addition, you left off the implied step of not connecting to the internet.


You know, this sounds really hard, but it's simple.  Once you have the LinuxCoin ISO, it's a piece of cake.  Just disconnect from the internet, turn off your unsecured access points, and fire up LinuxCoin.  I thought it'd be hard, but I did it yesterday and it was REALLY simple.