|
Title: Questions regarding security Post by: Nunuface on November 02, 2019, 09:24:08 AM Hi guys,
I've just purchased a Ledger and a Coinkite. The beauty of Coinkite hardware wallet is that you never have to connect it online. However, I am thinking: how can I be sure that the BIP39 seed they generate for me is actually randomly generated and not pre-programmed into the device? For example could Coinkite or Ledger could pre-program 1000's of seeds into the devices so that they know there is a high probability that I end up using one of these seeds? I know Ledger is extremely reputable and are not doing this, but for a smaller company like Coinkite I would like to be sure. I checked both of my devices and they are genuine (not compromised). I just don't want having to trust a 3rd party, if it can't be guaranteed that these seeds are in fact generated randomly I will just have to generate my own private key using dice rolls via the Glacier Protocol. Would appreciate help! Thank you! Title: Re: Questions regarding security Post by: Lauda on November 02, 2019, 09:33:31 AM The beauty of Coinkite hardware wallet is that you never have to connect it online. However, I am thinking: how can I be sure that the BIP39 seed they generate for me is actually randomly generated and not pre-programmed into the device? Is it open source? If yes, you can verify this. If not, you can not verify this.For example could Coinkite or Ledger could pre-program 1000's of seeds into the devices so that they know there is a high probability that I end up using one of these seeds? Of course, this is trivial to do.I just don't want having to trust a 3rd party, if it can't be guaranteed that these seeds are in fact generated randomly I will just have to generate my own private key using dice rolls via the Glacier Protocol. I find it unlikely that anyone who has mentioned the Glacier Protocol in this context (on the forum; from what I've seen) has the sum of money that requires something like the Glacier Protocol. A simple air-gapped system which you wipe afterwards is fine.Title: Re: Questions regarding security Post by: Deathwing on November 02, 2019, 09:42:15 AM Hi guys, I've just purchased a Ledger and a Coinkite. The beauty of Coinkite hardware wallet is that you never have to connect it online. However, I am thinking: how can I be sure that the BIP39 seed they generate for me is actually randomly generated and not pre-programmed into the device? For example could Coinkite or Ledger could pre-program 1000's of seeds into the devices so that they know there is a high probability that I end up using one of these seeds? I know Ledger is extremely reputable and are not doing this, but for a smaller company like Coinkite I would like to be sure. I checked both of my devices and they are genuine (not compromised). I just don't want having to trust a 3rd party, if it can't be guaranteed that these seeds are in fact generated randomly I will just have to generate my own private key using dice rolls via the Glacier Protocol. Would appreciate help! Thank you! If you don't want to trust a third party, just get Bitcoin Core to a computer without any internet connection, generate your keys and use it that way. You can sign a transaction on the computer and push it to blockchain on another one. Title: Re: Questions regarding security Post by: unsoindovo on November 02, 2019, 10:15:10 AM Hi guys, I've just purchased a Ledger and a Coinkite. The beauty of Coinkite hardware wallet is that you never have to connect it online. However, I am thinking: how can I be sure that the BIP39 seed they generate for me is actually randomly generated and not pre-programmed into the device? For example could Coinkite or Ledger could pre-program 1000's of seeds into the devices so that they know there is a high probability that I end up using one of these seeds? I know Ledger is extremely reputable and are not doing this, but for a smaller company like Coinkite I would like to be sure. I checked both of my devices and they are genuine (not compromised). I just don't want having to trust a 3rd party, if it can't be guaranteed that these seeds are in fact generated randomly I will just have to generate my own private key using dice rolls via the Glacier Protocol. Would appreciate help! Thank you! If you don't want to trust a third party, just get Bitcoin Core to a computer without any internet connection, generate your keys and use it that way. You can sign a transaction on the computer and push it to blockchain on another one. I'm really interested in this use case! Can you share a link to a tutorial? I'm using a vmwave virtual machine to store my bitcoin core wallet. Dat. But I use it with internet connection. The only improve I got, is to shutdown the machine when I don't use it. Title: Re: Questions regarding security Post by: Rath_ on November 02, 2019, 10:29:30 AM If you don't want to trust a third party, just get Bitcoin Core to a computer without any internet connection, generate your keys and use it that way. You can sign a transaction on the computer and push it to blockchain on another one. Can you share a link to a tutorial?The whole process looks a bit complicated (https://bitcointalk.org/index.php?topic=651344.msg7306076#msg7306076) for Bitcoin Core. It's more common for its users to keep the wallet online in order to have all the (latest) blocks downloaded. Consider choosing Electrum instead, it will be much easier (https://electrum.readthedocs.io/en/latest/coldstorage.html) for you. No commands involved. Title: Re: Questions regarding security Post by: Deathwing on November 02, 2019, 10:45:05 AM Hi guys, I've just purchased a Ledger and a Coinkite. The beauty of Coinkite hardware wallet is that you never have to connect it online. However, I am thinking: how can I be sure that the BIP39 seed they generate for me is actually randomly generated and not pre-programmed into the device? For example could Coinkite or Ledger could pre-program 1000's of seeds into the devices so that they know there is a high probability that I end up using one of these seeds? I know Ledger is extremely reputable and are not doing this, but for a smaller company like Coinkite I would like to be sure. I checked both of my devices and they are genuine (not compromised). I just don't want having to trust a 3rd party, if it can't be guaranteed that these seeds are in fact generated randomly I will just have to generate my own private key using dice rolls via the Glacier Protocol. Would appreciate help! Thank you! If you don't want to trust a third party, just get Bitcoin Core to a computer without any internet connection, generate your keys and use it that way. You can sign a transaction on the computer and push it to blockchain on another one. I'm really interested in this use case! Can you share a link to a tutorial? I'm using a vmwave virtual machine to store my bitcoin core wallet. Dat. But I use it with internet connection. The only improve I got, is to shutdown the machine when I don't use it. Virtual machines can be hacked if the main one is hacked. Don't use virtual machines, just get a cheap computer and/or raspberry pi to store your coins there without connecting it to the internet. Title: Re: Questions regarding security Post by: DaveF on November 02, 2019, 11:52:10 AM Hi guys, I've just purchased a Ledger and a Coinkite. The beauty of Coinkite hardware wallet is that you never have to connect it online. However, I am thinking: how can I be sure that the BIP39 seed they generate for me is actually randomly generated and not pre-programmed into the device? For example could Coinkite or Ledger could pre-program 1000's of seeds into the devices so that they know there is a high probability that I end up using one of these seeds? For the ColdCard not only is the software open source so is the hardware: Firmware: https://github.com/Coldcard/firmware (https://github.com/Coldcard/firmware) Build your own hardware: https://blog.coinkite.com/coldcard-hardware-shared/ (https://blog.coinkite.com/coldcard-hardware-shared/) So, yeah you can trust them. -Dave Title: Re: Questions regarding security Post by: Nunuface on November 02, 2019, 01:32:51 PM Awesome, thank you!
Title: Re: Questions regarding security Post by: Dabs on November 02, 2019, 07:34:14 PM I used to use something like Glacier when I had a lot of contracts, but it was a lot of work and not that much more added security. Paper wallets and air gapped machines are more practical. I actually only recently discovered Glacier and I find it too much, even for someone storing thousands of coins. I'm pretty sure the cold and hot wallets of big exchanges use something else.
VMs running in a machine you have physical control over and where you personally installed the hypervisor and keep it secure or update would be fine in my opinion. I got a refurbished or off-lease rack server for cheap and use that for plenty of different VMs, I mean that's the only way to maximize usage of plenty of RAM. 32 GB to 48 to 64 GB. Could even add more. Title: Re: Questions regarding security Post by: DiamondCardz on November 02, 2019, 07:42:01 PM If you don't want to trust a third party, just get Bitcoin Core to a computer without any internet connection, generate your keys and use it that way. You can sign a transaction on the computer and push it to blockchain on another one. I'm really interested in this use case! Can you share a link to a tutorial? I'm using a vmwave virtual machine to store my bitcoin core wallet. Dat. But I use it with internet connection. The only improve I got, is to shutdown the machine when I don't use it. There are many tutorials on how to set up cold storage, but the most simple way is: Set up a PC that has no internet connection, download a Bitcoin wallet to a USB stick, install it on the PC with no internet connection, randomly generate a private key and import it onto the airgapped PC, and then send Bitcoin to that wallet. Your Bitcoin is now in cold storage. When you want to get Bitcoin off that machine, you generate a transaction on an online computer using the public key of the cold storage wallet's address, transfer the transaction file to the cold storage computer, sign it on that computer using the cold storage's private key, and then finally move it back onto the online computer and broadcast it. Title: Re: Questions regarding security Post by: Kprawn on November 04, 2019, 04:14:31 PM Hi guys, I've just purchased a Ledger and a Coinkite. The beauty of Coinkite hardware wallet is that you never have to connect it online. However, I am thinking: how can I be sure that the BIP39 seed they generate for me is actually randomly generated and not pre-programmed into the device? For example could Coinkite or Ledger could pre-program 1000's of seeds into the devices so that they know there is a high probability that I end up using one of these seeds? For the ColdCard not only is the software open source so is the hardware: Firmware: https://github.com/Coldcard/firmware (https://github.com/Coldcard/firmware) Build your own hardware: https://blog.coinkite.com/coldcard-hardware-shared/ (https://blog.coinkite.com/coldcard-hardware-shared/) So, yeah you can trust them. -Dave Well, if I am not wrong.. Blockchain.info also used Open source code to randomly generate Bitcoin addresses, but at one stage people figured out that it was not that random at all. Here is a article to show you what happened when the random generator was flawed and not that random at all https://www.coindesk.com/blockchain-info-issues-refunds-to-bitcoin-theft-victims Important note : Blockchain.info patched the bug, so this is not a problem anymore. |