Bitcoin Forum

Bitcoin => Development & Technical Discussion => Topic started by: 9thsky on January 21, 2021, 03:17:47 AM



Title: What risk is there creating a cold storage on a public computer considering...
Post by: 9thsky on January 21, 2021, 03:17:47 AM
1) I'm using a Linux non-persistent live USB.

2) I'm disconnecting the ethernet cable from the computer after downloading Electrum.

3) No one can see the screen.

This would be to create an Electrum wallet and fund using the unsigned method.

Also...which would be more secure for the purpose of above...Linux live non-persistent USB...or...Tails?


Title: Re: What risk is there creating a cold storage on a public computer considering...
Post by: ranochigo on January 21, 2021, 03:28:14 AM
Tails is designed for privacy primarily but you'll be better off using Tails than most of the other Linux distributions since it comes with Electrum preinstalled and you wouldn't need an internet connection in that case.

I find it insecure to do something this sensitive on a public computer. There is a possibility of a rootkit infecting the firmware of the components within the computer and/or its BIOS so I wouldn't recommend anyone doing anything on insecure computers regardless. Most public computers lock their boot priority so I'm not sure if you would be able to boot from your USB in the first place. If possible, this should be done in a private place and on a computer that you can trust.


Title: Re: What risk is there creating a cold storage on a public computer considering...
Post by: pooya87 on January 21, 2021, 04:32:13 AM
It is best if you bought a hardware wallet if you don't have a PC to create your cold storage in safety of your own home. You can never be sure whether you are leaving anything behind or there is any "surveillance" in the public place you create your cold storage.


Title: Re: What risk is there creating a cold storage on a public computer considering...
Post by: topcoin360 on January 21, 2021, 04:57:58 AM
It is best if you bought a hardware wallet if you don't have a PC to create your cold storage in safety of your own home. You can never be sure whether you are leaving anything behind or there is any "surveillance" in the public place you create your cold storage.

It's almost the same price as a chromebook  ;D


Title: Re: What risk is there creating a cold storage on a public computer considering...
Post by: Farul on January 21, 2021, 05:20:00 AM
It's almost the same price as a chromebook  ;D
if he gonna store some bitcoin in cold storage, I'm sure he is rich enough to afford it.
btw the cheapest cold storage wallet is probably Blockstream Jade (https://store.blockstream.com/product/blockstream-jade/), which is only 40 USD.


Title: Re: What risk is there creating a cold storage on a public computer considering...
Post by: BASE16 on January 21, 2021, 06:58:23 AM
Tails is designed for privacy primarily
This is what they would like you and everybody else to believe.
But if you dive a little bit deeper then you will come up with a different conclusion.
Tails is designed and maintained by the NSA, and is funded by the government.
Follow the money.


Title: Re: What risk is there creating a cold storage on a public computer considering...
Post by: 9thsky on January 21, 2021, 07:09:03 AM
Tails is designed for privacy primarily
This is what they would like you and everybody else to believe.
But if you dive a little bit deeper then you will come up with a different conclusion.
Tails is designed and maintained by the NSA, and is funded by the government.
Follow the money.

Source?


Title: Re: What risk is there creating a cold storage on a public computer considering...
Post by: NeuroticFish on January 21, 2021, 07:14:48 AM
Tails is designed and maintained by the NSA, and is funded by the government.
Follow the money.

Aren't the same sources telling that ToR and also Bitcoin were created by NSA?
"Follow the money" always leads ultimately to the same source = those who are printing them  ;)

People seem to love conspiracy theories and spreading them without any proof. Personally, I'm sick and tired of them.



Now on topic: Tails may be OK and easier since it has Electrum. But I think that for OP's case a hardware wallet may be less insecure, although even then I'd bring my own verified Electrum too...


Title: Re: What risk is there creating a cold storage on a public computer considering...
Post by: ranochigo on January 21, 2021, 07:17:32 AM
This is what they would like you and everybody else to believe.
But if you dive a little bit deeper then you will come up with a different conclusion.
Tails is designed and maintained by the NSA, and is funded by the government.
Follow the money.
To delve deeper, here's the source code: https://gitlab.tails.boum.org/tails/tails.

Snowden seems to favour Tails quite a bit. Unless he's currently working for the NSA, I wouldn't think he would want anything to do with Tails if what you said is true.


Title: Re: What risk is there creating a cold storage on a public computer considering...
Post by: bob123 on January 21, 2021, 11:28:32 PM
Tails is designed for privacy primarily
This is what they would like you and everybody else to believe.
But if you dive a little bit deeper then you will come up with a different conclusion.
Tails is designed and maintained by the NSA, and is funded by the government.
Follow the money.

I hope this is a joke.



People seem to love conspiracy theories and spreading them without any proof. Personally, I'm sick and tired of them.

I mean, it is funny to listen to conspiracy theories. But some people are just delusional  :D
Weak minds are getting caught by that.



Also...which would be more secure for the purpose of above...Linux live non-persistent USB...or...Tails?

Tails is a Linux distro just as others are.
It might be pre-configured for more privacy etc., but if you keep it offline anyway, it doesn't matter.

Just make sure to verify the signature of the downloaded .iso and you are good to go.


Title: Re: What risk is there creating a cold storage on a public computer considering...
Post by: Dabs on January 22, 2021, 06:05:06 PM
1) I'm using a Linux non-persistent live USB.

2) I'm disconnecting the ethernet cable from the computer after downloading Electrum.

3) No one can see the screen.

1. Are you sure? If it were a CD, then you know nothing can write to it. USB is usually not write protected.

2. Did you check if the wifi is turned off or bluetooth, or any other peripheral device or add-on is there? Did you check the keyboard is not a keylogger?

3. How many other people are in the room? Can you see the CCTV camera behind you that's as small as a phone camera?


Just don't do it on a public computer if at all possible unless you have no choice. If you're creating cold storage, we can assume it is for a significant amount. If it is for a life-changing amount in value, then it's worth more than the price of your own hardware. Get your own laptop or computer or tablet.


Title: Re: What risk is there creating a cold storage on a public computer considering...
Post by: bob123 on January 22, 2021, 06:09:26 PM
1. Are you sure? If it were a CD, then you know nothing can write to it. USB is usually not write protected.

There is no partition for the OS to write to.
He would need to create 2 partitions on the USB and mount the second one to be able to write to it.

So, yes, non-persistent Linux distros on a USB flash drive cannot write if there is no other partition which can be mounted.

You'd make sure to install a genuine distribution by verifying its signature of course.


Title: Re: What risk is there creating a cold storage on a public computer considering...
Post by: NeuroticFish on January 22, 2021, 06:14:53 PM
1. Are you sure? If it were a CD, then you know nothing can write to it. USB is usually not write protected.

Even with CD you cannot always be sure (!).
I've had my own experience with a bootable "recovery" (antivirus) CD, I've booted from it, used it, all good, and next day I've noticed that it has left a temporary folder on my C drive (I don't remember though if it was empty or had also files).

So I'd rather check with the community than assume things.



However, overall the points are good.


Title: Re: What risk is there creating a cold storage on a public computer considering...
Post by: bob123 on January 22, 2021, 06:21:05 PM
1. Are you sure? If it were a CD, then you know nothing can write to it. USB is usually not write protected.

Even with CD you cannot always be sure (!).
I've had my own experience with a bootable "recovery" (antivirus) CD, I've booted from it, used it, all good, and next day I've noticed that it has left a temporary folder on my C drive (I don't remember though if it was empty or had also files).

I think he meant that using a CD guarantees that no files are written onto the CD.
And his assumption was, since a USB flash drive is by default not write-protected, a live distro could write files to the USB flash drive.

Obviously, any live distro can write files to a hard drive. But this requires the drive to be mounted. An AV recovery CD might do this by default, but with a proper live distro, you have to do this by hand.
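
As an added example (not part of the thread and not any poster's code), the OS-visible checks raised above by Dabs (Wi-Fi, Bluetooth) and bob123 (a disk has to be mounted before a live system writes to it) can be scripted in Python for a Linux live session. It reads the standard /proc/mounts, /sys/class/net and /sys/class/rfkill interfaces; the sample mount table is constructed, and nothing here detects hardware keyloggers, cameras or firmware implants.

```python
"""Pre-flight checks for an offline Linux live session (added example)."""
import os

# Constructed sample in /proc/mounts format: read-only live medium, RAM overlay,
# and an internal disk that has been mounted read-write.
SAMPLE_MOUNTS = """\
/dev/sdb1 /run/live/medium iso9660 ro,noatime 0 0
/dev/loop0 /run/live/rootfs squashfs ro,noatime 0 0
tmpfs /run/live/overlay tmpfs rw,noatime,mode=755 0 0
overlay / overlay rw,noatime 0 0
/dev/sda2 /media/user/disk ntfs3 rw,nosuid,nodev 0 0
"""


def writable_block_mounts(mounts_text):
    """Return (device, mountpoint, fstype) for every /dev/* mounted read-write."""
    found = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        device, mountpoint, fstype, options = fields[:4]
        # A RAM-backed overlay is expected to be rw; a real block device is not.
        if device.startswith("/dev/") and "rw" in options.split(","):
            found.append((device, mountpoint, fstype))
    return found


def _read(path):
    """Read a small text file; an unreadable file yields an empty string."""
    try:
        with open(path) as fh:
            return fh.read().strip()
    except OSError:
        return ""


def _entries(directory):
    return sorted(os.listdir(directory)) if os.path.isdir(directory) else []


def live_interfaces(sys_net="/sys/class/net"):
    """Return (name, operstate) for non-loopback interfaces that are not down."""
    quiet = {"down", "notpresent", "lowerlayerdown"}
    live = []
    for name in _entries(sys_net):
        path = os.path.join(sys_net, name)
        if name == "lo" or not os.path.isdir(path):
            continue
        # An unreadable state is reported as "unknown" rather than assumed safe.
        state = _read(os.path.join(path, "operstate")) or "unknown"
        if state not in quiet:
            live.append((name, state))
    return live


def unblocked_radios(sys_rfkill="/sys/class/rfkill"):
    """Return (name, type) for radios with neither a soft nor a hard block."""
    radios = []
    for entry in _entries(sys_rfkill):
        base = os.path.join(sys_rfkill, entry)
        blocked = "1" in (_read(os.path.join(base, "soft")),
                          _read(os.path.join(base, "hard")))
        if not blocked:
            radios.append((_read(os.path.join(base, "name")),
                           _read(os.path.join(base, "type"))))
    return radios


if __name__ == "__main__":
    findings = (writable_block_mounts(_read("/proc/mounts"))
                + live_interfaces() + unblocked_radios())
    for item in findings:
        print("CHECK:", item)
    print(f"{len(findings)} finding(s)")
```

A live USB with a persistence partition shows up in the first check as a read-write /dev/* mount, which is the case Dabs asks about in point 1.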


Title: Re: What risk is there creating a cold storage on a public computer considering...
Post by: Dabs on January 22, 2021, 07:42:25 PM
4. Did you use a blanket to cover your head so no one else sees what you're doing? Is the computer shielded so wireless emanations from the monitor are not captured a few feet away by some evil maid with RF scanning equipment ... Is that Johnny English or James Bond behind you?

5. Is there enough white noise that your key strokes are not recorded by audio and then translated into something readable later?

6. Did you blow up the public computer after you used it?


Title: Re: What risk is there creating a cold storage on a public computer considering...
Post by: bob123 on January 23, 2021, 01:28:53 PM
6. Did you blow up the public computer after you used it?

Ridiculous, you'll be arrested and must pay for the damage.

It's the price you have to pay for a secure cold storage generated on a publicly available and probably (or at least potentially) infected public computer.

Even tho you could buy a private computer for that price and create the cold storage at home... you wouldn't have any fun doing so!


Title: Re: What risk is there creating a cold storage on a public computer considering...
Post by: Porfirii on January 23, 2021, 02:43:39 PM
probably (or at least potentially) infected public computer.

I'm curious: what are the real probabilities of this possibility to happen?

I use to say that it is better safe than sorry, but I have the feeling that every time someone poses a question about how to create a wallet safely we all go into the worst case scenario and take for granted that this is what is going to happen (me the first one).

Personally, and after questioning my own conventional thoughts, if I had to create it on a public computer, unless I was storing there all my savings, I think that maybe it is not necessary to be so fearful. I guess that many of us know that it is possible to infect these computers with a keylogger or whatever, but then because of ethics and self-control almost no one does it (just some script-kiddies, maybe). And if it happened, afaik, public computers are usually reset every night in order to keep them "clean", apart from other security measures.

So it is not 100% safe, ok, but could we say it is safe in the 99% of the cases? just like using condoms? yes, accidents happen but I think we keep focusing too much on them.

Please, if this reasoning is wrong, challenge it, I consider myself more a noob than any other label in this topic, but sometimes it may be good to hear an outsider's version on mostly consensual thesis like this one creating whatever on a public computer is not safe.



Title: Re: What risk is there creating a cold storage on a public computer considering...
Post by: ranochigo on January 23, 2021, 02:57:34 PM
I'm curious: what are the real probabilities of this possibility to happen?
Public computers infected with malware are not uncommon. Even with LiveCDs, I wouldn't rule out the possibility of side channel attacks especially when everyone has access to it, a seemingly harmless USB at the back of the computer, a VGA splitter, an additional connection between the keyboard and the computer, etc. I don't consider this paranoia as you're supposed to be at least this paranoid if you have to generate a wallet that could possibly contain your entire year's worth of wages.

So it is not 100% safe, ok, but could we say it is safe in the 99% of the cases? just like using condoms? yes, accidents happen but I think we keep focusing too much on them.
I don't consider public computers safe precisely because they're public. The loopholes for a bunch of vulnerabilities are unlimited. Wiping the entire OS might not be sufficient, especially if there is a persistent rootkit within the public computers. If it's public enough, then I wouldn't believe that there is a chance that it wouldn't be infected. As with your reference to condoms, I don't think that's a fair comparison at all. Small computers like Raspberry Pis are cheap and would probably give you some reassurance. If you're handling Bitcoins that you can't afford to lose, I don't think you would settle for anything less than that.

A cold storage is supposed to be secure anyways. If you consider the wallet being created as a normal wallet then I assume it's alright.


Title: Re: What risk is there creating a cold storage on a public computer considering...
Post by: Porfirii on January 23, 2021, 03:11:40 PM
A cold storage is supposed to be secure anyways. If you consider the wallet being created as a normal wallet then I assume it's alright.

OK, this makes a lot of sense: if you create cold storage it is because you want extra safety, and lacking that, creating it from a public computer without further security measures makes no sense.

I now realise that my comment might make sense only when talking about a common wallet (or not, that's why I wrote it, to be challenged :P).

Thank you ranochigo.


Title: Re: What risk is there creating a cold storage on a public computer considering...
Post by: bob123 on January 23, 2021, 03:11:49 PM
probably (or at least potentially) infected public computer.
I'm curious: what are the real probabilities of this possibility to happen?

It is hard to precisely answer this question, since I don't have any numbers.
There might be a study made somewhere, but I am not aware of it.

However, I personally wouldn't ever trust a public computer to be secure. It is simply too easy to infect them. Anyone can gain access to it.

As ranochigo has mentioned, formatting the hard drive might not be enough. Root kits are horrible to deal with.
And further, anyone can gain access to the hardware. This makes it even harder (than it already is) to be sure about the integrity of the hardware.

I really wouldn't be surprised if there was a relatively high number infected (at least with key loggers).


Title: Re: What risk is there creating a cold storage on a public computer considering...
Post by: Dabs on January 23, 2021, 07:00:12 PM
Cold storage implies at least an air gap. Public computers are almost always infected and most that you can rent have some sort of monitoring software (or hardware) installed.

If you want something almost as secure, do it on a phone that you have just factory reset.

Blowing up the computer shop is for movies.

Quote
Robert Clayton "Bobby" Dean: "What the hell is happening?"
Edward "Brill" Lyle: "I blew up the building."
Bobby: "Why?"
Brill: "Because you made a phone call!"
 - Enemy of the State.


Title: Re: What risk is there creating a cold storage on a public computer considering...
Post by: Theb on January 23, 2021, 10:26:51 PM
If you want something almost as secure, do it on a phone that you have just factory reset.

If you are talking about having an extra phone and making it as a cold storage where he would just download an electrum wallet and after that be disconnected from the internet then I think this is a much better option for him but of course the problem here would be the reliability of that extra phone if it can withstand any hardware issues in the future. If the problem here mainly is you not having a personal computer I think the best alternative here is if you can't buy one ask someone who you are close with first like a family member perhaps and scan first for any viruses and malware before doing the method you already know. At least in this way you have some privacy in a creation of your cold storage.


Title: Re: What risk is there creating a cold storage on a public computer considering...
Post by: ranochigo on January 24, 2021, 02:18:33 AM
If you are talking about having an extra phone and making it as a cold storage where he would just download an electrum wallet and after that be disconnected from the internet then I think this is a much better option for him but of course the problem here would be the reliability of that extra phone if it can withstand any hardware issues in the future.
Can't see how that's an argument at all. Unless you bring your phone around to dunk in the ocean and lakes, I don't think phones are that unreliable. There's a reason why the wallet always asks the user to write down the seeds on a piece of paper and to keep it safe. In the event of any hardware failure, the user can just restore it to another phone or device.

Old laptops are fairly cheap nowadays, if you purchase one, it could be a good investment and would probably serve as a decent airgapped wallet if you run a LiveCD using a USB flash drive.


Title: Re: What risk is there creating a cold storage on a public computer considering...
Post by: Theb on January 24, 2021, 09:33:38 PM
If you are talking about having an extra phone and making it as a cold storage where he would just download an electrum wallet and after that be disconnected from the internet then I think this is a much better option for him but of course the problem here would be the reliability of that extra phone if it can withstand any hardware issues in the future.
Can't see how that's an argument at all. Unless you bring your phone around to dunk in the ocean and lakes, I don't think phones are that unreliable. There's a reason why the wallet always asks the user to write down the seeds on a piece of paper and to keep it safe. In the event of any hardware failure, the user can just restore it to another phone or device.

Old laptops are fairly cheap nowadays, if you purchase one, it could be a good investment and would probably serve as a decent airgapped wallet if you run a LiveCD using a USB flash drive.

I'm talking about personal experience here. When I have bought a new phone and just kept my old (working) phone in one of my storage after a couple of months when I decided to open my old phones to transfer some contact numbers it wasn't turning on. Now if I made my old phone into a cold storage during that time then I have created a big problem at present. Yeah old laptops might be a good idea but only if he will be buying one from a reliable store probably one of those refurbished ones. Just by buying old laptops or just second-hand ones without knowing the real running condition of the laptop will just give him the same problems of having an old unreliable phone.


Title: Re: What risk is there creating a cold storage on a public computer considering...
Post by: Dabs on January 25, 2021, 02:20:17 PM
I don't know what phones you have or used, but I have some 5 year old phones with me still working today. Samsung J1 (2016). I believe they were still being sold up to last year as brand new for around $100 USD.

You can regularly get refurbished old desktops for below $100 as well, they can all run the latest update of Windows 10. You'll want to add a keyboard, mouse, cheap monitor and maybe a webcam, but you can keep that machine behind an air gap and completely offline.


Title: Re: What risk is there creating a cold storage on a public computer considering...
Post by: Kakmakr on February 02, 2021, 04:43:14 PM
"Tails" comes with a standard old version of Electrum, so you have to update that version to the latest version and the only way to do that is to enable a Persistent volume. I think enabling a Persistent volume on Tails defeats the purpose of a clean boot with Tails.  ::)

I use a vanilla flavor of the latest "Tails" for the creation of my paper wallets (for the clean boot) and then I use bitaddress.org to create the paper wallets. (I download the script and then I go offline to create the wallets)  ;D


Title: Re: What risk is there creating a cold storage on a public computer considering...
Post by: ranochigo on February 02, 2021, 04:56:17 PM
"Tails" comes with a standard old version of Electrum, so you have to update that version to the latest version and the only way to do that is to enable a Persistent volume. I think enabling a Persistent volume on Tails defeats the purpose of a clean boot with Tails.  ::)
It's a cold storage. The version available on Tails is sufficient to generate the seeds and it shouldn't go online at all. Using outdated Electrum is fine, there aren't any concurrent vulnerabilities present in the installed binaries on the latest Tails that would impact the security.

I use a vanilla flavor of the latest "Tails" for the creation of my paper wallets (for the clean boot) and then I use bitaddress.org to create the paper wallets. (I download the script and then I go offline to create the wallets)  ;D
Paper wallets are actually not very great to use. You'd have to use a printer without any wireless connectivity and ensure that it isn't stored in the RAM, so that the paper wallets remain an offline cold storage. If you don't print it out, then you can't store it without the persistent storage either. If you were to use an OS for that already, might as well just use the Electrum that is provided on it. Needless to say, Bitaddress doesn't even have Segwit on it and it's arguable that using an offline Electrum *could* be potentially safer than trying to download a script online to use it in a browser.


Title: Re: What risk is there creating a cold storage on a public computer considering...
Post by: PrimeNumber7 on February 03, 2021, 04:11:09 AM
Tails is designed and maintained by the NSA, and is funded by the government.
Follow the money.

Aren't the same sources telling that ToR and also Bitcoin were created by NSA?
TOR was actually created by the US Navy (https://www.wired.com/story/cia-sets-up-shop-on-tor/#:~:text=Tor%20was%20largely%20created%20through,Defense%20Advanced%20Research%20Projects%20Agency.&text=But%20the%20US%20government%20can,same%20way%20these%20groups%20do.), although it has been open source since its creation.


Don't use a public computer to create cold storage private keys. Public computers often have surveillance tools installed so whoever owns the public computer can monitor its usage. Even if this was not the case, there is the risk that someone has installed malware on the computer, or that the private keys will remain in memory after you finish for the next person to find.

It would be best if you were to purchase any equipment for a cold storage device in person without using any kind of order-ahead type service aka you pick up the equipment off the shelf at the store. You should also maintain possession of any equipment used to generate cold storage private keys after you have created them.


Title: Re: What risk is there creating a cold storage on a public computer considering...
Post by: Wind_FURY on February 03, 2021, 05:19:21 AM
It's almost the same price as a chromebook  ;D
if he gonna store some bitcoin in cold storage, I'm sure he is rich enough to afford it.
btw the cheapest cold storage wallet is probably Blockstream Jade (https://store.blockstream.com/product/blockstream-jade/), which is only 40 USD.


I believe it’s safer to buy hardware to use for Bitcoin, that will not be known that you will use it for Bitcoin. This especially rings true after the Ledger privacy leak. Plus we shouldn’t trust third-parties anymore, not when Bitcoin is going to 6 digits. EVERYONE will be going after the thing they want most from you. Your Bitcoins.


Title: Re: What risk is there creating a cold storage on a public computer considering...
Post by: Dabs on February 03, 2021, 05:04:15 PM
You can probably use Tails, use Persistent volume, and update using an offline download. Still keeps it offline... But I would still not use any public computer, better to get your own.