Bitcoin Forum

Other => Off-topic => Topic started by: bitcoinBull on May 11, 2011, 08:03:51 PM



Title: Zeus trojan source leaked - bitcoin wallet stealing trojans coming soon
Post by: bitcoinBull on May 11, 2011, 08:03:51 PM
Saw this news on Slashdot: http://it.slashdot.org/story/11/05/11/1326257/Zeus-Crimeware-Kit-Source-Code-Leaked

This comes soon after reports of a new Mac OS X trojan in the wild.  Won't be surprised when they appear on other OSes: Android, iOS, Linux, etc.

Since bitcoin tends to attract the paranoiacs among us, I think this Zeus source code leak is cause for heightened concern.  Gavin even mentioned in his Twist Tv interview the other day (http://media.witcoin.com/p/1547/Gavin-Andresen-and-Amir-Taaki-Bitcoin) that he predicts bitcoin wallet stealing trojans will appear.

The bitcoin wallet isn't the only thing that needs to be protected.  Also MtGox username/password, any other service which could potentially store bitcoin deposits.

If a trojan keylogs somebody's credit card info, there is recourse when charges appear (reversible transactions).  But with bitcoin, there is no recourse (irreversible - advantages and disadvantages).


What would be the most secure way to use bitcoin, or a way which is reasonably secure without becoming too inconvenient.  Obviously an Anti-Virus program is basic, but again with the release of this Zeus source, AV programs will be even less reliable as new variants appear.

Using a clean virtual machine in e.g. VirtualBox is also probably a good idea, but it still seems that a trojan on the host OS would be able to keylog anything typed into the virtual machine.

Which only leaves the extreme - clean reboots from clean USB drives.

Any suggestions for something more convenient but still secure?  Other thoughts??



Title: Re: Zeus trojan source leaked - bitcoin wallet stealing trojans coming soon
Post by: MoonShadow on May 11, 2011, 08:06:19 PM
What would be the most secure way to use bitcoin, or a way which is reasonably secure without becoming too inconvenient. 

A bitcoin bank.


Title: Re: Zeus trojan source leaked - bitcoin wallet stealing trojans coming soon
Post by: ploum on May 11, 2011, 08:09:24 PM
Also, a client which encrypts by default the wallet.dat file. Each time the client is launched, a password is asked to decrypt the file.

That way, an unencrypted version of the wallet.dat is *never* present on the filesystem.


Title: Re: Zeus trojan source leaked - bitcoin wallet stealing trojans coming soon
Post by: vuce on May 11, 2011, 08:11:10 PM
Also, a client which encrypts by default the wallet.dat file. Each time the client is launched, a password is asked to decrypt the file.

That way, an unencrypted version of the wallet.dat is *never* present on the filesystem.
this would be a logical step in that direction


Title: Re: Zeus trojan source leaked - bitcoin wallet stealing trojans coming soon
Post by: kiba on May 11, 2011, 08:11:56 PM
http://bitcoinweekly.com/articles/security-in-bitcoin

It reminds me of this article that I wrote.


Title: Re: Zeus trojan source leaked - bitcoin wallet stealing trojans coming soon
Post by: xf2_org on May 11, 2011, 08:23:21 PM
What would be the most secure way to use bitcoin, or a way which is reasonably secure without becoming too inconvenient.  

A bitcoin bank.

Such a bank could be made more profitable and sustainable, if it holds only a fraction of its reserve.  Use the majority of the reserve for investing in risky ventures that provide high returns to your clients.



Title: Re: Zeus trojan source leaked - bitcoin wallet stealing trojans coming soon
Post by: malditonuke on May 11, 2011, 08:34:57 PM
Using a clean virtual machine in e.g. VirtualBox is also probably a good idea, but it still seems that a trojan on the host OS would be able to keylog anything typed into the virtual machine.

If you can't trust the OS, you can't trust anything above it.  For large amounts, use a separate specialized device.  People are already working on bitcoin smartcards and whatnot.  People will figure it out.


Title: Re: Zeus trojan source leaked - bitcoin wallet stealing trojans coming soon
Post by: ctoon6 on May 11, 2011, 10:04:30 PM
Make a clean VM and install BC on it. Make a new wallet and only use the on-screen keyboard inside the VM. AFAIK viruses that infect VMs are still pretty rare. If you're super paranoid, download the BC installer to a flash drive and install on a freshly formatted PC. Make a new wallet and put it on the flash drive. Write down the BC address. Use DBAN to format your computer or use a new hard drive. NEVER HAVE YOUR ETHERNET CABLE PLUGGED INTO YOUR COMPUTER, or if making a new address requires it, only during when you need it. NEVER plug the USB key into your computer unless you are making an outgoing transaction.


Title: Re: Zeus trojan source leaked - bitcoin wallet stealing trojans coming soon
Post by: goatpig on May 12, 2011, 12:15:56 PM
NEVER HAVE YOUR ETHERNET CABLE PLUGGED INTO YOUR COMPUTER

How are you supposed to download the block chain and use your coins without an internet connection?

I think so far the safest approach is the use of a savings account to most of your coins in a wallet you just access like once a year and even. Limits the possibility of exposure to wallet leaks by a lot. Of course it is also recommended to have a pen drive with a Linux live cd distro on it and the Bitcoin client installed. I wonder if an angry firewall blocking all outgoing communications but the Bitcoin port would help.


Title: Re: Zeus trojan source leaked - bitcoin wallet stealing trojans coming soon
Post by: grondilu on May 12, 2011, 12:24:25 PM
I'm considering creating a "bitcoin" user on my machine, so that no trojan could read my wallet or send any bitcoins without knowing the bitcoin user's password.

Would that solve the trojan problem?


Title: Re: Zeus trojan source leaked - bitcoin wallet stealing trojans coming soon
Post by: wolciph on May 12, 2011, 12:48:43 PM
I'm considering creating a "bitcoin" user on my machine, so that no trojan could read my wallet or send any bitcoins without knowing the bitcoin user's password.

Would that solve the trojan problem?

If you install programs as root, then they will be able to do anything. Even if you encrypt the home folder of your account, a program installed as root can do any keylogging it likes and will be able to see the decrypted files when you are using this user's account. The best solution would be to have an entirely separate computer dedicated to bitcoin on which you install only the basic software you need to run bitcoin, downloaded from trusted sources.
To protect against trojans which are not too sophisticated, running a VM seems like a reasonable solution. If the VM storage file is encrypted, that's even better. See truecrypt for that.
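
Added example, not part of any post in this thread: a Python check of the file-permission side of the dedicated "bitcoin" user idea discussed above. The `audit_wallet` function, the `dot-bitcoin` directory name and the sample files are constructed for illustration; as the reply notes, a clean result does not cover software running as root or inside that user's own session.

```python
import os
import stat
import tempfile


def audit_wallet(wallet_path, wallet_uid):
    """Return findings for a wallet file meant to be private to wallet_uid.

    An empty list means other non-root accounts cannot read the file or
    enter its directory. It says nothing about root, or about malware
    running as wallet_uid itself.
    """
    st = os.lstat(wallet_path)  # lstat: do not follow a planted symlink
    if not stat.S_ISREG(st.st_mode):
        return ["wallet path is not a regular file"]

    findings = []
    if st.st_uid != wallet_uid:
        findings.append("wallet owned by uid %d, expected %d"
                        % (st.st_uid, wallet_uid))
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("wallet mode %o grants group/other access"
                        % stat.S_IMODE(st.st_mode))

    # The containing directory matters too: write access there allows the
    # wallet to be replaced, read access exposes backups left beside it.
    data_dir = os.path.dirname(os.path.abspath(wallet_path))
    dst = os.stat(data_dir)
    if dst.st_uid != wallet_uid:
        findings.append("data directory owned by uid %d, expected %d"
                        % (dst.st_uid, wallet_uid))
    if dst.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("data directory mode %o grants group/other access"
                        % stat.S_IMODE(dst.st_mode))
    return findings


def demo():
    """Constructed sample: loose default modes, then tightened ones."""
    with tempfile.TemporaryDirectory() as tmp:
        data_dir = os.path.join(tmp, "dot-bitcoin")  # hypothetical name
        os.mkdir(data_dir)
        wallet = os.path.join(data_dir, "wallet.dat")
        with open(wallet, "wb") as f:
            f.write(b"constructed placeholder, not a real wallet")
        uid = os.geteuid()

        os.chmod(data_dir, 0o755)
        os.chmod(wallet, 0o644)
        loose = audit_wallet(wallet, uid)

        os.chmod(data_dir, 0o700)
        os.chmod(wallet, 0o600)
        tight = audit_wallet(wallet, uid)

        # Same files, audited as if a different account should own them.
        wrong_owner = audit_wallet(wallet, uid + 1)
    return loose, tight, wrong_owner


if __name__ == "__main__":
    labels = ("default modes", "tightened", "wrong owner")
    for label, result in zip(labels, demo()):
        print(label, "->", result or "no findings")
```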


Title: Re: Zeus trojan source leaked - bitcoin wallet stealing trojans coming soon
Post by: bitcoinBull on June 04, 2011, 12:44:15 PM
What would be the most secure way to use bitcoin, or a way which is reasonably secure without becoming too inconvenient.  

A bitcoin bank.


Do you mean a website as bitcoin bank?  In that case, all the thief needs is your bitcoin bank login and pw.  This wouldn't help, and could make it worse.

I prefer to think of the bitcoin P2P network as the bitcoin bank.  Any intermediaries would simply be centralized points of vulnerability.


Title: Re: Zeus trojan source leaked - bitcoin wallet stealing trojans coming soon
Post by: cypherdoc on June 04, 2011, 01:18:48 PM
What would be the most secure way to use bitcoin, or a way which is reasonably secure without becoming too inconvenient. 

A bitcoin bank.

creighto, i pay attention to everything u write b/c your thoughts are sound.  but how can u advocate a bitcoin bank it being a centralized big fat juicy target for the Feds?  ppl don't store their gold at banks but instead at home in the safe therefore the Feds can't/won't do anything about that.  but a bitcoin bank would be too irresistible for the banksters/gov't to raid.


Title: Re: Zeus trojan source leaked - bitcoin wallet stealing trojans coming soon
Post by: cypherdoc on June 04, 2011, 01:58:24 PM
NEVER HAVE YOUR ETHERNET CABLE PLUGGED INTO YOUR COMPUTER

How are you supposed to download the block chain and use your coins without an internet connection?

I think so far the safest approach is the use of a savings account to most of your coins in a wallet you just access like once a year and even. Limits the possibility of exposure to wallet leaks by a lot. Of course it is also recommended to have a pen drive with a Linux live cd distro on it and the Bitcoin client installed. I wonder if an angry firewall blocking all outgoing communications but the Bitcoin port would help.


do u have to backup a savings wallet from time to time if ur not using it?  i would guess not but i'm so paranoid now i have to ask?

also do u know of a trusted USB version of the client?


Title: Re: Zeus trojan source leaked - bitcoin wallet stealing trojans coming soon
Post by: cypherdoc on June 04, 2011, 02:02:11 PM
I'm considering creating a "bitcoin" user on my machine, so that no trojan could read my wallet or send any bitcoins without knowing the bitcoin user's password.

Would that solve the trojan problem?

If you install programs as root, then they will be able to do anything. Even if you encrypt the home folder of your account, a program installed as root can do any keylogging it likes and will be able to see the decrypted files when you are using this user's account. The best solution would be to have an entirely separate computer dedicated to bitcoin on which you install only the basic software you need to run bitcoin, downloaded from trusted sources.
To protect against trojans which are not too sophisticated, running a VM seems like a reasonable solution. If the VM storage file is encrypted, that's even better. See truecrypt for that.

i use a Macbook pro with VMWare Fusion and Win 7.   my client is on the Win 7.  is this what u mean by a reasonable solution?


Title: Re: Zeus trojan source leaked - bitcoin wallet stealing trojans coming soon
Post by: chris200x9 on June 04, 2011, 03:42:43 PM
I have all my bitcoins tied up on servers, so I have no wallet.dat :P


Title: Re: Zeus trojan source leaked - bitcoin wallet stealing trojans coming soon
Post by: cypherdoc on June 04, 2011, 05:34:43 PM
I have all my bitcoins tied up on servers, so I have no wallet.dat :P

i'll pass on that.  i want my coins with me :)


Title: Re: Zeus trojan source leaked - bitcoin wallet stealing trojans coming soon
Post by: xf2_org on June 04, 2011, 06:30:07 PM
What would be the most secure way to use bitcoin, or a way which is reasonably secure without becoming too inconvenient. 

A bitcoin bank.

creighto, i pay attention to everything u write b/c your thoughts are sound.  but how can u advocate a bitcoin bank it being a centralized big fat juicy target for the Feds?  ppl don't store their gold at banks but instead at home in the safe therefore the Feds can't/won't do anything about that.  but a bitcoin bank would be too irresistible for the banksters/gov't to raid.

Most people store their cash at banks, not at home.

It is simply a question of efficiency.  You can trade the risk of a centralized target for being able to pool funds, building a fortress far stronger than each person could themselves build individually.

And by volume, I'd wager the same is true for gold.  The more gold you have, more likely it is stored in a secured depository.


Title: Re: Zeus trojan source leaked - bitcoin wallet stealing trojans coming soon
Post by: MoonShadow on June 04, 2011, 09:55:19 PM
What would be the most secure way to use bitcoin, or a way which is reasonably secure without becoming too inconvenient. 

A bitcoin bank.

creighto, i pay attention to everything u write b/c your thoughts are sound.  but how can u advocate a bitcoin bank it being a centralized big fat juicy target for the Feds?  ppl don't store their gold at banks but instead at home in the safe therefore the Feds can't/won't do anything about that.  but a bitcoin bank would be too irresistible for the banksters/gov't to raid.

Banks do exist for sound economic reasons.  Convenience is a sound economic reason.  Mybitcoin.com is functionally a bitcoin bank.  I have no doubts that once the market matures and the value of a bitcoin stabilizes, that Mybitcoin.com and all of its competitors will offer bitcoin CD's and short term credit lending in bitcoin.  I might even use them for that purpose to a limited degree, but most of my bitcoin savings sits in an independent wallet.dat on a 128 meg thumbdrive locked in a firebox.  That's very secure, but it's damned inconvenient.  Banks of all kinds thrive at the intersection of security and convenience, and some people are going to use them.

But if the government attempts to co-opt them, users will withdraw their funds and/or move them to similar banks out of country.  It's not impossible for the US government to get to mybitcoin.com, but the fact that mybitcoin.com is based in a server in New Zealand does represent an obstacle.


Title: Re: Zeus trojan source leaked - bitcoin wallet stealing trojans coming soon
Post by: cypherdoc on June 04, 2011, 10:52:53 PM
What would be the most secure way to use bitcoin, or a way which is reasonably secure without becoming too inconvenient. 

A bitcoin bank.

creighto, i pay attention to everything u write b/c your thoughts are sound.  but how can u advocate a bitcoin bank it being a centralized big fat juicy target for the Feds?  ppl don't store their gold at banks but instead at home in the safe therefore the Feds can't/won't do anything about that.  but a bitcoin bank would be too irresistible for the banksters/gov't to raid.

Most people store their cash at banks, not at home.

It is simply a question of efficiency.  You can trade the risk of a centralized target for being able to pool funds, building a fortress far stronger than each person could themselves build individually.

And by volume, I'd wager the same is true for gold.  The more gold you have, more likely it is stored in a secured depository.


egold was a digital gold bank.  they got taken down.  why can't this happen to a bitcoin bank?   and please clarify what u mean by a fortress? 


Title: Re: Zeus trojan source leaked - bitcoin wallet stealing trojans coming soon
Post by: MoonShadow on June 04, 2011, 11:46:22 PM
What would be the most secure way to use bitcoin, or a way which is reasonably secure without becoming too inconvenient. 

A bitcoin bank.

creighto, i pay attention to everything u write b/c your thoughts are sound.  but how can u advocate a bitcoin bank it being a centralized big fat juicy target for the Feds?  ppl don't store their gold at banks but instead at home in the safe therefore the Feds can't/won't do anything about that.  but a bitcoin bank would be too irresistible for the banksters/gov't to raid.

Most people store their cash at banks, not at home.

It is simply a question of efficiency.  You can trade the risk of a centralized target for being able to pool funds, building a fortress far stronger than each person could themselves build individually.

And by volume, I'd wager the same is true for gold.  The more gold you have, more likely it is stored in a secured depository.


egold was a digital gold bank.  they got taken down.  why can't this happen to a bitcoin bank?   and please clarify what u mean by a fortress? 

He means that, like a bank vault is more cost effective security than 100+ home fire safes; a single bitcoin bank online secured by the skills of a cryptogeek and the latest and greatest hardened linux os is more cost effective security than those same users with each running their own client that is continuously accessible to the Internet.


Title: Re: Zeus trojan source leaked - bitcoin wallet stealing trojans coming soon
Post by: cypherdoc on June 04, 2011, 11:49:50 PM
What would be the most secure way to use bitcoin, or a way which is reasonably secure without becoming too inconvenient. 

A bitcoin bank.

creighto, i pay attention to everything u write b/c your thoughts are sound.  but how can u advocate a bitcoin bank it being a centralized big fat juicy target for the Feds?  ppl don't store their gold at banks but instead at home in the safe therefore the Feds can't/won't do anything about that.  but a bitcoin bank would be too irresistible for the banksters/gov't to raid.

Most people store their cash at banks, not at home.

It is simply a question of efficiency.  You can trade the risk of a centralized target for being able to pool funds, building a fortress far stronger than each person could themselves build individually.

And by volume, I'd wager the same is true for gold.  The more gold you have, more likely it is stored in a secured depository.


egold was a digital gold bank.  they got taken down.  why can't this happen to a bitcoin bank?   and please clarify what u mean by a fortress? 

He means that, like a bank vault is more cost effective security than 100+ home fire safes; a single bitcoin bank online secured by the skills of a cryptogeek and the latest and greatest hardened linux os is more cost effective security than those same users with each running their own client that is continuously accessible to the Internet.

yes, but all the encryption security in the world won't stop the thugs from walking in the front door and taking the server away with a fork lift.


Title: Re: Zeus trojan source leaked - bitcoin wallet stealing trojans coming soon
Post by: MoonShadow on June 04, 2011, 11:54:33 PM
What would be the most secure way to use bitcoin, or a way which is reasonably secure without becoming too inconvenient. 

A bitcoin bank.

creighto, i pay attention to everything u write b/c your thoughts are sound.  but how can u advocate a bitcoin bank it being a centralized big fat juicy target for the Feds?  ppl don't store their gold at banks but instead at home in the safe therefore the Feds can't/won't do anything about that.  but a bitcoin bank would be too irresistible for the banksters/gov't to raid.

Most people store their cash at banks, not at home.

It is simply a question of efficiency.  You can trade the risk of a centralized target for being able to pool funds, building a fortress far stronger than each person could themselves build individually.

And by volume, I'd wager the same is true for gold.  The more gold you have, more likely it is stored in a secured depository.


egold was a digital gold bank.  they got taken down.  why can't this happen to a bitcoin bank?   and please clarify what u mean by a fortress? 

He means that, like a bank vault is more cost effective security than 100+ home fire safes; a single bitcoin bank online secured by the skills of a cryptogeek and the latest and greatest hardened linux os is more cost effective security than those same users with each running their own client that is continuously accessible to the Internet.

yes, but all the encryption security in the world won't stop the thugs from walking in the front door and taking the server away with a fork lift.

True, but you have to get to it first.  It's probably easier to do that in your own home than it would be to a bitcoin bank server, as I have seen how secure datacenters that specialize in ecommerce are.  Hacking from outside the network really is the weak link.


Title: Re: Zeus trojan source leaked - bitcoin wallet stealing trojans coming soon
Post by: cypherdoc on June 05, 2011, 12:01:06 AM
What would be the most secure way to use bitcoin, or a way which is reasonably secure without becoming too inconvenient. 

A bitcoin bank.

creighto, i pay attention to everything u write b/c your thoughts are sound.  but how can u advocate a bitcoin bank it being a centralized big fat juicy target for the Feds?  ppl don't store their gold at banks but instead at home in the safe therefore the Feds can't/won't do anything about that.  but a bitcoin bank would be too irresistible for the banksters/gov't to raid.

Most people store their cash at banks, not at home.

It is simply a question of efficiency.  You can trade the risk of a centralized target for being able to pool funds, building a fortress far stronger than each person could themselves build individually.

And by volume, I'd wager the same is true for gold.  The more gold you have, more likely it is stored in a secured depository.


egold was a digital gold bank.  they got taken down.  why can't this happen to a bitcoin bank?   and please clarify what u mean by a fortress? 

He means that, like a bank vault is more cost effective security than 100+ home fire safes; a single bitcoin bank online secured by the skills of a cryptogeek and the latest and greatest hardened linux os is more cost effective security than those same users with each running their own client that is continuously accessible to the Internet.

yes, but all the encryption security in the world won't stop the thugs from walking in the front door and taking the server away with a fork lift.

True, but you have to get to it first.  It's probably easier to do that in your own home than it would be to a bitcoin bank server, as I have seen how secure datacenters that specialize in ecommerce are.  Hacking from outside the network really is the weak link.

it depends on how determined a gov't wants to be