Bitcoin Forum

Hello Everyone,

I just wanted to share my personal bitcoin security toolkit...

I believe this combination represents the current state of the art in portable bitcoin wallets, privacy, and secure bitcoin exchange access.

The first tool is the "8GB Ironkey Basic S200" which I use for a portable bitcoin wallet & security software ensemble.

The Ironkey is the most secure USB flash drive in the world.. It is virtually impervious to any known exploits, brute force, or physical attacks to attempt to access the data contained on the Flash Memory.  Any data which is read/written to the flash drive has to pass through an embedded encryption chip, which is unlocked by a custom launcher which runs when you put it into a computer. The S200 series contains higher quality SLC flash storage capable of performing swap and virtual memory functions, the D200 edition contains less expensive MLC flash, not suitable for virtual machine usage, however you get about twice as much storage for the same cost.  If the drive is lost or stolen, the attacker has 10 attempts to enter the correct password, after the 10th incorrect password, the internal electronics automatically perform a complete wipe of the flash chips and the encryption chip then will self destruct rendering the drive useless.  The one unique feature of the "Basic" edition of the Ironkey vs the "Personal" edition is the fact that it is able to be configured to only "Wipe the data", but not to self destruct the rest of the electronics. (Ironkey's are not cheap, so I don't want mine to destroy itself under ANY circumstances.)   Initially, the Ironkey emulates a USB CD-ROM drive in order to launch the tool to unlock the encrypted drive.  The password / encryption keys NEVER enter the host computers memory as the application communicates directly with the encryption chip.  Once you unlock the drive you are presented with a set of utilities for managing the Ironkey, including a secure backup facility which is able to make an encrypted backup of the Ironkey to your local hard drive in case it is lost or stolen, you can easily restore this backup to a fresh Ironkey drive.  The Ironkey Unlocker also doubles as an application launcher for your bitcoin client, tor browser bundle, portable virtualbox VM's, security software, or any other portable applications & data you would like to carry with you on the drive.  I am recommending the "Basic" edition of the Ironkey for bitcoin usage since the personal edition bundles some "Windows Only" security software.. some of which require fee's after the first year, like their own "Private Web Browser" which is essentially a custom version of TOR which uses their own private nodes.  Both editions can still be securely unlocked & mounted on Windows, Mac, & Linux... and have the option of being mounted in a "Read-Only" mode... which could be useful for securely performing drive and memory scans of a host computer.  The usefulness of these features are only limited by your own cleverness and creativity.

https://www.ironkey.com/demo-basic (https://www.ironkey.com/demo-basic)

The second tool in the kit is the "Yubikey" provided to me by MT.Gox.

If you don't know what a Yubikey is, then you probably don't religiously listen to the "Security Now" podcast, as Yubico will tell you if you ask them, that they attribute a portion of their success to Steve Gibson's support of their product.  A yubikey appears to be a USB flash drive, but it is more closely related to the electronics found in a standard USB keyboard combined with encryption firmware on board. The build quality of the Yubikey is EXCELLENT, it is similar to that of a solid poker chip, and has been shown to be nearly indestructible & completely sealed and waterproof.  In addition to that it contains no on board battery since it is powered 100% by the host computer.  In its usage with MT.GOX it provides a secondary authentication factor that works on anything that supports a standard USB Keyboard, Linux, Mac, Windows, iPhone/iPad (USB dongle in the Camera Connection Kit) and even various Android devices since they can switch their charging port into a USB host port (google it)...  Neither the Yubikey, or your credentials alone will allow a hacker to get into your account, you must have both the physical Yubikey & the knowledge of your credentials. Once you login with your name and password @ MT.GOX you are then required to do a secondary authentication using the Yubikey.  Each time you press the button it will generate a single use OTP (one time password) that needs to be entered in a field which is presented AFTER you log in with your normal MT.GOX name and password.  Not only does the MT.GOX Yubikey enhance your security during the login process, but it also requires you to hold your finger on the yubikey button for 3 seconds to produce a unique "withdraw password" before allowing any funds to be transferred out of your MT.GOX account.

MT.Gox will provide the Yubikey to any of its users upon request for a small fee, additionally, if you had a trade which got rolled back during the infamous MT.GOX incident, you can request that a yubikey be sent to your completely free of charge. Which was a commendable gesture on their part in my humble opinion.

https://yubikey.mtgox.com/ (https://yubikey.mtgox.com/) Request your Yubikey security device here.

http://youtu.be/xYnznunUAOU (http://youtu.be/xYnznunUAOU) Yubikey programming & manufacturing video.


Here is a photo of both devices, on my keyring, along side 2 drop forged keyring screwdrivers, my house key, and the key to my secret lair, muhahahaha ha cough.. :-)


http://i53.tinypic.com/ay13cy.jpg

I want like ten iron keys, those look solid and bad ass.  I like that one dude who promoted his key that is in the shape of a key.

Thanks for sharing these personal experiences with the items, not enough people using them and/or talking about it, especially in relation to how much security gets brought up.

I don't like that idea of it self-wiping after 10 failed attempts! Other than that it looks pretty neat.

-----

I prefer a paper bitcoin wallet, like one from Casascius (http://casascius.com), then encode the hex code with something like the one-time code at sprucecodes.com (http://sprucecodes.com/one-time.htm). You can then keep the encoded hex key lying about as it as unbreakable as your 64-character passphrase happens to be.

I find that ever since I got the sheet from Casascius I've been somewhat paranoid about leaving the plaintext sheet anywhere except on my person. If you leave $1000 cash lying about it's easy to tell when it's been stolen as it isn't there any more. But someone can take a quick photo of your sheet of plaintext keys and you'll be none the wiser. But once those private keys are encoded and you have destroyed the plaintext versions then you're safe, even if you put them online or email them to yourself etc. As long as you don't forget the passphrase!

I haven't had a chance to look into the Yubikey all that much. Mt Gox says that the yubi they send you is useable with their service only but is that the case for most such keys or could a standard yubikey be used to auth to multiple sites?

I had an original S100 1GB Ironkey which I subsequently lost...   I was convinced I would see again some day since it displayed the "If Found Please Return to:" info as soon as it was plugged into a computer.  Unfortunately that never happened... I think I sometimes tend to give the average human being more more credit than they deserve.. I assume everyone has a computer and would think to plug it in and see what is on it.  (I always do, if its not empty, I'll try to find some kind of info on it to return it to its rightful owner.)

I wouldn't normally engrave anything on my electronics because I think its tacky, but in this case I'm going to... As soon as I get to my friends gift shop, I'll get the outer body of my Ironkey engraved with my contact information.

Forgot to mention one VERY IMPORTANT AND HIGHLY CRITICAL feature...

The Ironkey by design is electromagnetically shielded which should protect it from a... wait for it...

Thats the point of the built in secure backup software.. you can dump the contents of the flash drive to your computer, fully encrypted, so that if it does somehow get lost or wiped, you can easily restore it back to the drive.

The default mode of the Ironkey is to completely destroy itself, rendering the unit worthless if stolen, this is to deter theft of ironkeys.. I know for a fact that the "Basic" edition of the ironkey allows you to change the mode to allow the ironkey to be reinitialized.

By limiting the number of attempts to guess the password you defeat any brute force attack. Feel free to use an easier password, because the fact is.. There is only 10 attempts.. period.

The other feature, which beats something like a truecrypt encrypted USB drive is the fact that you can use the Ironkey on nearly any computer or os, without the need to have root or administrator access to install any encryption software.  This has always been the one factor that had limited something like a truecrypt USB thumb drive from being universally accessible on any computer.. which limits truecrypt's usefulness as a truly portable bitcoin wallet solution.

Thanks for sharing this!

SECURITY BREACH! I can now copy both of your keys. Can't wait to see inside the secret lair.

Same question. I already have my IronKey, though, and I'm very happy with it.

Haha.. yeah.. nope... if you look closely I actually shopped the keys in gimp with the clone tool and re-arranged the teeth.. and blurred the codes on the Yubikey..  ;-)

Nice Idea though.. I'm glad I knew you would say that.

If you were to purchase a factory fresh Yubikey directly from the company it would have the standard AES key that Yubico's public auth server uses..  If you wanted to use a service that utilizes Yubico's own in house authentication server then would need to retain that default private key.

Also... Yubikeys are shipped with a default password so that if you want to reprogram them for your own server using Yubico's tools you can do it, and then assign your own password which would be required for further reprogramming of the keys.  Once you remove the factory private key it can't be recovered, that particular yubikey is now only usable on your own private authentication server.

There was some discussion at one point whether or not it would be possible to write malware to reprogram the Yubikey's functionality since they all have the same reprogramming password initially.. for example, the early Yubikey firmware had the ability to actually launch a URL by programming it with a series of control characters.  In more recent firmware this option to launch a URL is no longer is possible.  

I believe the most secure configuration possible with a Yubikey is when a service provider DOES reprogram the internal AES key, and runs their own local auth server.. This not only makes their keys unique, but also removes ANY possibilities of rogue software reprogramming the keys because the programming password has been customized as part of the customization process.

The Ordering Process.

After ordering your Yubikey your order will be processed and a specific key will be associated with your MT.GOX account.. once that is done you will notice that once you do your normal authentication you will get presented with a page asking you to authenticate with your assigned Yubikey...  You are able to skip over the Yubikey portion of the authentication by just hitting the submit button until your Yubikey arrives.

The Yubikey will arrive via EMS Japan Post (Express).. My Yubikey shipped on 7/11 and arrived today 7/13.

Once you use the Yubikey to provide the first OTP it will then become a requirement as part of your authentication process for logins, and withdraws.

To generate the OTP which is required after you enter your existing name and password you press the button for about 1/2 second.

To generate the password which is required for the withdraw process, you need to hold down the button for 3 seconds.

If you LOSE YOUR YUBIKEY, you will NOT be able to access the funds in your account until you receive a replacement..

DON'T LOSE THE YUBIKEY!

You may not want to do this. I read somewhere that it is a common strategy for snoops to drop malware-loaded thumb-drives in corporate parking lots with the hope that someone plugs it into a machine - instantly infecting the machine.

That's good advice .. and true.. I've actually heard of people doing this..

Yeah, I'm not real hot on Mt. Gox's Yubikeys, which costs like $30 and are only usable with Mt. Gox (my understanding; someone please correct me if I'm wrong). I'm not sure I actually trust Gox to implement multi-factor auth correctly, or any type of security (I don't like their new password hashing scheme, for example, which still seems lacking).

For $45 you can get two Yubikeys and a year's subscription to the LastPass service directly from Yubico:

https://store.yubico.com/store/catalog/product_info.php?products_id=13&osCsid=580ed7bb4272de9a5e6ad19b2b8c0166

That seems like a better way to go because you can use your key as a second factor with all the exchanges, and other sites as well. LastPass is a pretty good password vault too. Plus, you get two keys that can be programmed to be identical. You want a second Yubikey (or at least, I do) in case a key gets lost or damaged.

No offense intended to the OP, but I feel it's kind of a bad idea to keep both your Yubikey and your flash drive with your wallet.dat on the same keychain, because if someone steals it not only are you locked out of Mt. Gox (at least temporarily), but it makes it easier for the thief to mount an attack. You're also probably more vulnerable to the $5 wrench attack: http://xkcd.com/538/ Having a super "military strength" crypto flash drive kinda signals you have something secret and potentially valuable in your pocket. I'd prefer to have an unassuming flash drive with a hidden Truecrypt volume on it: http://www.truecrypt.org/hiddenvolume or something equivalent.

Considering one has to have net access to send and confirm Bitcoin transactions anyway, it might be best to just keep several copies of your wallet.dat encrypted and sprinkled around the interwebs in secret locations. For long term storage, e.g.: in safety deposit box or under the bed, I do not trust magnetic media. I do however like the idea of storage on paper, but I haven't seem a really good implementation of that yet.

Just my .02 BTC.

how secure is the hardware, what happens if i try to open it. is flash memory embedded inside a plastic casing that cant be opened, easily anyway.

edit: they showed it.

edit2: seems a bit pricy, this drive is a lot cheaper, but im sure its not as secure http://www.youtube.com/watch?v=i6J-Dh8gQeo

http://www.newegg.com/Product/Product.aspx?Item=N82E16820139060
I don't think it destroys the data after x amount of attempts either, so it is likely viable to brute force. if you use a strong password, you should have a few days to make the wallet worthless so, idk use at your own risk, and only buy the ironkey if you are paranoid.

That looks like a viable alternative to the Ironkey based upon the dollar/security ratio.

Pros: Similar functionality to the Ironkey products line of products, Swivel cap can't be lost while the Ironkey one can, Cost is WAY less than Ironke

Cons: No Linux Support, Build Quality is Lower than Ironkey, Swivel cap design's often are more fragile than standard USB caps, Lower quality flash storage non-suitable for Virtual Machine usage, No built in Secure Backup System to secure the data in an encrypted format on your drive, Not Waterproof, won't survive your washing machine or other abuses, Previous models of Kingston secure flash drives have been hacked.

However.. for the cost its hard to argue.  The performance / quality of flash memory seems very similar to the D200 series of Ironkey products.

WARNING WARNING  TL;DR Material Ahead..  Proceed at your own peril!



Yawn, for real though?!  I read about some script kiddie saying what they are doing isn't secure, so it must not be..

Back up your claims with some facts and figures son... you'll get more respect.

My original MT.Gox password was "R8YC2txHc1RWtScewxid" and is listed in its MD5+Salt format in the hack DB as "$1$9W57ShSS$H37Nb7ik2PUf2WY/p/OEl.)"

Lets try that with a multi-iteration triple salt.. lets see what we get...(Honestly I don't know what that is, but I'll try, lol)

mkpasswd -m sha-512 R8YC2txHc1RWtScewxid   <- This will produce a random 128bits of salt which will be used for the next 3 iterations, combined with the 512bit hashed output of my original gox password...

Produces this output "$6$86Ev9OHO/tSQ/NsH$dadWFKTBwRv7hzHDE721AWlALB14RggRquYrJwYm5XrKzYjSdPduedhlPQe.68Pdn6gDDrBAyYgVbizCxY72O."

Now we use that random salt to apply a secondary SHA-512 to that with this command  

mkpasswd -m sha-512 dadWFKTBwRv7hzHDE721AWlALB14RggRquYrJwYm5XrKzYjSdPduedhlPQe.68Pdn6gDDrBAyYgVbiz CxY72O. 86Ev9OHO/tSQ/NsH

Produces this output "$6$86Ev9OHO/tSQ/NsH$NbFEw6ToZrAnGai3kVDp1GbqY5iX7o0zu41iMelKnbjBvR/xUMAbxQ3Zk3egojw8GxXUlzGVTyCBT7NhKbLyE."

Now for the final iteration of SHA-512 using the same salt one last time...

mkpasswd -m sha-512 NbFEw6ToZrAnGai3kVDp1GbqY5iX7o0zu41iMelKnbjBvR/xUMAbxQ3Zk3egojw8GxXUlzGVTyCBT7NhKbLyE 86Ev9OHO/tSQ/NsH

Produces this output "$6$86Ev9OHO/tSQ/NsH$BBh.ljcEs8wqAWtpm1CAsoCpuAKXVPh8WJaTsr/H9o8uPXD9Qa5vDyHZkIhHWtoRSm.qLQkmJ7qXcDrsSbtJ90"

Yeah.. good luck with that.. even though its considered a speedier hash in comparison to bcrypt, its still 100% NON REVERSABLE, it has a HUGE output which is for all intents and purposes completely collisionless.  

I used Steve Gibsons "Password Haystacks" tool to do some sample calculations on what would be required to crack my current MT.Gox password.

http://i54.tinypic.com/mhcdao.png

OMGWTFBBQ.. you are right.. My MT.Gox account is terribly terribly insecure.. what will I ever do now!?!?! Oh noes, and I gave away its length too!! I'm a goner!

Just because some group of guys say bcrypt is better, doesn't automatically make SHA-512 insecure today...  Take my advice and use a better password than "Poop" or "123456".. Take advantage of that LastPast you have to generate something wicked..

And don't be critical of people who MIGHT know more than you.. you sound like you are trying to make everyone else's words your own.


My Yubikey was free.


While LastPass is a great password management service that can generate, store and automatically submit complex passwords for many sites, believing that this is a viable replacement for a site specific multi-factor authentication system is just flat out incorrect advice to give.  The fact that you are storing passwords in LastPass, and using the Yubikey to access them does not stop anyone from compromising any account if password has been compromised.  You understand the difference, right?  In your scenario the Yubikey is used as a secondary factor for LastPass.



Same sentiments here in hoping that no offense is taken.. I don't think you are trying to intentionally trying to mislead people into making poor security decisions, but I do think you havent fully thought through everything you said.

You are just repeating what you think is true .. because thats what someone else wrote.

How would the attacker be able to mount an attack by getting access to both my ironkey & yubikey? (The other drive you see is empty, its a tool.)  Did you just make that up hoping no one would call you on it?  The $5 wrench attack would NEVER work as an attack vector against the Yubikey or Ironkey.. HOW!?! The ONLY way he would get any of my Bitcoins would be if my car was broken down, and he used the wrench to help get it going, I would give him a few coin, and say THANKS!!

Question..  Have you actually attempted using TrueCrypt as a roaming data security solution for any period of time with any level of convienience?  

My experience was that mounting a TrueCrypt volume requires the same level of system access that enable the components that modern rootkits use to be completely undetectable, stuff like TDSS, Aleureon, and newer more sophisticated EVIL EVIL PROGRAMS capable of interacting with the kernel of an operating system, and its those undetectable things that will eat both your USB drive AND your bitcoins alive. munch munch munch.. burp.

http://www.truecrypt.org/docs/?s=non-admin-users

http://www.truecrypt.org/docs/?s=truecrypt-portable

You do realize that a truecrypt drive is pretty easy to get into, right?... If I got my hands on it, I could copy it, and recompile your truecrypt with a version that sends me your password, or return it with a virus or utility program could pull the keys right out of a systems RAM any time its mounted.  If it sent those keys back to me, I could then mount the copy I made right before I returned your drive!! cake.

http://www.truecrypt.org/docs/?s=unencrypted-data-in-ram

http://www.truecrypt.org/docs/?s=paging-file

http://www.lostpassword.com/hdd-decryption.htm


Do you truely believe that sprinkling your wallet.dat all over the interwebs might just be the best approach to keeping your wallet.dat available and secure?. If any one of those files gets uncovered and decrypted you might find that those efforts were all in vain.  Remember the bitcoin community has a higher level of knowledge & capability in that area.

What implementations of paper based storage of bitcoins have you explored?  What is wrong with paperback?  I found it to have high levels of resilience against damage, highly recoverable, and additionally it was configurable with strong FIPS-197 compliant AES encryption via a configurable password.  Check it out (http://www.ollydbg.de/Paperbak/index.html) or does this not live up to your security standards either!?!   Here is a nice sample to print and scan back in.. the password is "bitcoin"  http://www.mediafire.com/?yks2s9251yfvywy

Well anyway... If you think I'm wrong you can tell me again.. I really don't mind, it helps me learn.    The ONLY weakness I can perceive would be the act of using your bitcoins on a foreign computer, ever, which is an unavoidable weakness... The ironkey will allow you to run a portable VM like tinylinux, or ubuntu even if you have the space.

If you are looking to buy something a little less expensive.. that Kingston Locker+ posted by the previous poster is the closest thing yet I have seen to an Ironkey for such a low cost.. its a schweet deal for the money!! it uses the same techniques, minus a few features, and no linux support, Not recommeded for VM usage.

Um... I'll be right back. I'm just going to go change my password.

I KNEW IT!!!!  Damn and all this time the riches of Ryland could have been mine.

Oh wait... maybe they already are, didn't you send me like 80 bitcoins when they were worth like 69 cents?   :D

I believe I donated a little over a hundred. I wanted to help out the server as much as I could. I had no idea how much I was really giving you! Man, if I had those bitcoins again, I could finally buy myself the open pandora I've wanted for so many years! And then I found out that you already have that too! Why do you have everything I want!?

Would you twist that knife a little harder please..  ;D

I have the Pandora Console, Pandora Case, Stylus, Extra Battery, Battery Carrying Case, & AC Power Adapter, it works 100%, both nubs work perfectly, and it holds its charge forever (something like 10 hours of use).. I just put that stuff in the cart and it came to $624 shipped...

If you really still want one, but can't justify their asking price, you can take mine for 1/2 of that.

I'd be honored and happy if it went to you.

Woah, whoa... where's all this hostility coming from? I didn't mean to hurt your feelings, man.


If you don't know what it is, why the eff are you defending it so vehemently?

Hopefully, what Mt. Gox is talking talking about is key stretching (http://en.wikipedia.org/wiki/Key_strengthening), and hopefully they are doing more than just three iterations as in your example because that would hardly do anything to slow down a brute force or dictionary attack. Salts don't help against brute force attacks either, at all. Mt. Gox could add 50 salts and it wouldn't make a difference (unless maybe they stored the salts in another secure database or something). It's troubling they seem to have come up with their own homebrew system. Getting cryptography right is pretty hard and they should have used known good solutions instead of rolling their own thing.


Okay, you've constructed a straw animal here. We're not talking about your password, we're talking about passwords in general. Your password is a very good one. It seems to be 20 random alphanumeric chars. Most people -- almost nobody -- bothers to make a strong password like that. And Mt. Gox certainly doesn't force anyone to. They seem to have practically no password policy at all! You can still create a Mt. Gox account using a short dictionary word for a password. A good password policy would have accomplished way, way more to enhance their security than a bunch hand waving about "SHA-512 multi-iteration triple salted hashing".

Try cutting the length of your password in half and see what you get in Password Haystacks. Try cutting it down to seven characters.

For a few hundred bucks an hour you can spin up enough Amazon EC2 power to try hundreds of billions of passwords a second (i.e. Gibson's "Offline Fast Attack Scenario"). If the cracker can just use a dictionary attack to find passwords (like they probably can with Mt. Gox) s/he could probably use an old clunker PC to get those accounts.

SHA-512 is not "considered" faster than bcrypt, it is faster. SHA-512 was designed as a cryptographic primitive to be used as part of more complex crypto systems that need hashes for big chunks of data (e.g. documents, binary files) so it has to be very fast. There are even dedicated hardware implementations of it. Bcrypt on the other hand was designed for password hashing and does not have a fixed speed, so you can make brute force attacks infeasible. You can easily adjust the work factor to keep up with Moore's Law.


Yes, because you were affected by the hack, right? Everyone else hoping for a sloppy modicum of security has to pay $30.


Yes, I understand the difference. I guess what I meant to say is that I don't trust Mt. Gox to implement multi-factor auth correctly. You might be more secure using your own Yubikey and password manager, and trading on another exchange that takes security more seriously.


False.


How about: first an attacker hits you with a wrench to get the password to your Mt. Gox account, then she hits you again to get the password to your IronKey, then she takes all your Bitcoinage! Seems like it would work to me. BTW, do you memorize your 20-char random Mt. Gox password? Or do you use a password manager or write it down or something?


Yeah, I have -- for years. It works great.


I use a Truecrypt container not a drive. But anyway, that's false.


Yes, I think it's a good approach. I don't think either of those things is likely at all.


The only paper-based ones I've looked at print out the private keys to your bitcoins in the clear or as QR codes. I wasn't aware of Paperback. It looks good. I'll definitely take a close look. Thanks for the tip.


No, I don't think you're wrong. Ironkey looks like a great product. I just don't trust Mt. Gox's security and I'm not sure I'd personally want to become dependent on an expensive flash drive, especially when there are free tools that are just as (if not more) secure.

No hostility, nor feelings hurt... only the feelings of reality were hurt.

I wasn't aware that they didn't have any password policies in place, but . I see them doing a decent job lately.  If it happens again.. well now.. thats a different story.  I have adjusted my trading habits since the attack... at no time will I keep more money in ANY account than I am unable to withdraw in one shot.  I feel more comfortable with someone I already know well, than dealing with unknowns.

Truecrypt is susceptible to a memory dump attack.. whether container or drive, it doesn't matter.  I think truecrypt is a decent solution, and I have had experience with it all the way back to its roots in the scramdisk... The biggest killer for me is the inability to use it on a computer that is properly secured without specific preinstallation of truecrypt by a system administrator.  These were real stumbling blocks I found when implementing it for a government agency in a secure network...  On the first day of the trial the fact that you couldn't mount the data on secured computers was the final nail in the coffin, the memory dump attacks is an interesting sidenote.  This experience is what causes me to call into the question its usefulness and convenience when roaming outside of your realm of administration.

The Kingston Locker+ thumb drive seems to be an actual viable equivalent to Ironkeys if you don't require access from a linux computer.

In the past week I have used my Ironkey on Windows 7 (64) and XP (32), Mac OS/X Leopard (32) & Snow Leopard (64), and 2 linux installs (32 & 64), which total 6 distict platforms.  I was able to do this without any complicated preplanned configuration by just inserting the drive and double clicking an icon.

The wrench attack is far fetched.. and the likelihood of its occurrence is low.. Its much more likely that small devices like this could be misplaced.  Worrying about women who carry wrenches as being a serious security vector, is like worrying that the Coyote from road runner will spike my cola with earthquake pills.... much more likely to happen in a comic strip than real life.

I greatly simplified my password example to "123.Bitcoin.456" and assuming it was attacked at the rate of 100,000,000,000,000 guesses per second, it would still take nearly 1.5 million centuries to perform an exhaustive search, a secure password does not preclude the ability to be memorized.

I guess security is in the eye of the beholder.

http://i54.tinypic.com/15nlhkm.jpg

No, actually they aren't; I made an account the other day as a test with the word "feline" for a password (!). My guess is they will be hacked again. They haven't talked about having an audit done for additional SQL injection vulnerabilities, have they?


So is the data on your IronKey once you start using it.


Yeah, well, if you're really security conscious, you 1) shouldn't use Windows and 2) shouldn't use any machine you don't have admin rights to.

But I agree that is a nice feature the IronKey has over TrueCrypt.


Yes, it is, for now, but as crypto-money gets more popular and widely used and understood, the $5 wrench attack becomes more likely. I predict we'll see it happen.