This is just my purely subjective personal opinion but if I had a wallet with $100,000+ in it I would store it on a computer that had complete air gap security - not even an RS-232 link to an Internet-connected computer. I would want the ability to create offline transactions by hand-keying in the source and destination addresses and would broadcast the transaction by having the offline computer print a hard copy that another computer could scan in and upload to the network.
Well you can do that with Armory. It just might be quite a bit of handwriting (I think some transactions can be up to 10kB)... However, I had considered the possibility of using webcams and QR codes. But that will turn into a mess of wires and complicated interfaces to deal with multiple QR codes, etc. |
|
|
|
I think you're forgetting that Armory can be use, and should be used IMO, to create offline paper backups. Laminate a few of those suckers and store them in fireproof safes. If the the old computer you used, which may have had an active wallet on it, dies; then just grab another computer and one of your paper backups and your back in business.
Thank you for reminding me about another "attack vector" that I neglected. You'll also need to store the Armory source code as well as the source code of its tangled mess of dependencies, including the toolsets required to rebuild them. Or just buy a life insurance policy and a performance bond on Mr. etotheipi. Sorry, but I have a feeling that explaining certain long-term attack vectors will look to much like a personal attack. I really don't want to go into that discussion. 2112, I know what you're saying: it's improper to talk about "zero attack-surface" because there's always a vulnerability due to one of the assumptions made which isn't necessary true (unexpected software on the OS, improper software design, maliciously modified software, etc). But what solution do you recommend instead? Both, "what do you do right now to secure your coins" and "how do you improve the software to make it more secure"? I am not sure if there's anything better than Armory for the first question, right now, in terms of being a solution that moderately-experienced users can use. The answer to the second question has been the topic of many discussions including this one where I sought input from other users on exactly this topic. I don't see any posts from you. (EDIT: added the correct link to the previous paragraph)You clearly have constructive input to add, so please do so on those threads. You are clearly very experienced and your input would be valuable so that stupid things don't happen. For reference, I am aware of various pre-installed tools for communicating via serial port -- and even IrDA could be used to initiate logins. I didn't mean to imply that all you need is a serial cable -- using the serial cable would come with a lockdown procedure. It would be for the really advanced users. I heed your advice about claiming "zero attack vector", I should really be claiming that this is the "best solution currently available." It's certainly better than keeping an encrypted wallet on your online HDD. P.S. -- One thing to clear up: paper backups for Armory are invaluable. You can print off multiple copies to protect against hardware failure, and any version of Armory can produce a raw list of private keys that could be imported into any other program. Agreed that old hardware is likely to fail, but new hardware fails too -- that's why there's such exhaustive backup features in Armory. |
|
|
|
I love Armory, and I think it is the easiest possible solution for much of the current bitcoin crowd, but I think the time is approaching that we'll need to begin developing for our parents and less-tech-savvy friends. I know lots of people, even among my cohort, who don't have spare computers sitting around, and even if they did they wouldn't be able to setup an offline Armory wallet.
Edit: BTW, you've got PM.
I whole-heartedly agree. My priority has been to make the functionality exist and accessible for those who want it. So far, I haven't seen cold-storage implemented anywhere else that isn't a complete PITA to use. In that sense, Armory is the perfect response to this thread, because you were already expecting to do 14 steps when you clicked on this thread  At least the steps for Armory cold storage are built into the interface, and lets you have a watching-only wallet... However, as you point out, absolute beginners would probably not figure this out. And to be fair, Armory is not designed, in its current state, to be a beginner's tool. Armory is intended to be the ultimate advanced-users' tool first, then I will work on networking-independence and standard-usermode to make it usable by new users. As long as you need the Satoshi client running in the background, there's no point in catering to beginners, yet... |
|
|
|
I agree that a specialized piece of hardware would be nice, but there's a lot of flexibility in using a general purpose system that was about to be thrown out anyway. Flexibility is nice but it also means more potential ways for a remote attacker to find an exploit. The lack of flexibility in a specialized device is a feature because it greatly reduces the attack surface. It might not be worth it for $1000 but a wallet with $100,000+ is a highly desirable target for someone to go after. I agree with your sentiment. But a computer that has never touched the internet has no attack surface. The only attack vector is the autorun-USB vulnerabilities when using a USB key for moving tx data back and forth. It's a small surface, but it is theoretically exploitable. That's why I brought up the USB-serial connection, which reduces that attack surface to zero (barring compromised software updates), because there is no way to induce remote-code execution through the serial cable. EDIT: last sentence is true given a couple basic precautions taken on the offline system. And the entirety of the above is true given that the software was designed "correctly."I designed Armory specifically for the easiest cold storage capability possible. And most people either have an old spare laptop sitting around waiting to be junked, or can get one from a neighbor/friend/coworker for free. The program walks you through the process, and unlike other solutions, you get a watching-only wallet on your online computer so you can still generate addresses and monitor your balance and transactions, without the risk of someone getting the private keys. |
|
|
|
|
Okay, we're comparing to the same thing, at least. The Stratum servers can be set to communicate with a full-node that you trust, but many users will either pay a fee to use one, or trust based on majority response from a bunch of free servers. When the latter is used, you can get awfully creative in trying to figure out what servers are telling you the truth, profiling them, blacklisting nodes, etc.
What I don't get is why you scoffed at the necessity of having a connection, but I don't know how the Stratum overlay network you describe can work without a connection...? You must contact one of the servers in order to construct your outgoing transaction, right? So why not connect to a alt-chain node and query your address balances the same way? It's slightly more data to download, but it requires zero setup, zero trust, and uses the same networking protocols already used everywhere else (because it's already done in Bitcoin-Qt and the variants used for merged mining nodes).
Again, you can download your entire unspent-TxOut-list from any node with the same confidence as a full node. If you don't see it, then you didn't understand the proposal. This is assuming that the second chain is secure, but I'm pretty sure merged mining is taking care of that.
As for the spoofing -- people don't need a good a reason to be dicks, they may just want to disrupt stuff. For a "small price" they may be able to disrupt an otherwise useful network, enough that people stop even bothering using it, and accept lower-confidence data. Or just stop using Bitcoin. There doesn't need to be a good reason for it, because anything is a good reason to the person actually doing it.
|
|
|
|
I agree that you can install all sorts of extra stuff on the two systems to prevent most nastiness. But if users are storing $100,000+, they would prefer the 100% guaranteed solution, even if it's a little extra work and a few extra dollars. If users really are storing $100,000+ there's no reason to use a general-purpose computer as an offline wallet. It seems like a dedicated hardware device should be able to be produced for less than the cost of two USB to Serial converters plus a PC. All it would need to do is receive unsigned transactions, wait for user input, sign the transaction, and return it. Yes and no. (1) Such hardware devices do not exist yet (2) Offline systems can usually be found for free, because even 10 yrs old with 256 MB of RAM will work (3) A specialized hardware device may work, but will lack flexibility -- with the offline system you can import keys, juggle wallets, print backups, etc. I agree that a specialized piece of hardware would be nice, but there's a lot of flexibility in using a general purpose system that was about to be thrown out anyway. |
|
|
|
@etotheipi
The offline computer can have an offline antivirus, anti-malware, anti-rootkit software installed. It is updated by virus definition files offline through the USB. Serial cables (as in the RS232?) are non-existent on modern computers and you can consider them obsolete.
Personally, I don't have enough bitcoins to justify an offline computer for the purpose of cold storage, and I think I know relatively enough about malware to prevent it from affecting my daily computer usage despite not having installed anti-virus software (they slow down my computer so much that I notice it.)
Your software is interesting though and I might just download and try it out.
You can get USB-to-Serial-port converters for $10. One for each system and a null modem cable to hook'em together. I agree that you can install all sorts of extra stuff on the two systems to prevent most nastiness. But if users are storing $100,000+, they would prefer the 100% guaranteed solution, even if it's a little extra work and a few extra dollars. Please try it out and let me know if you have any issues or concerns. I'm always available to help |
|
|
|
Just out of curiosity is there any theoretical way to put another password on a file before handing it off to someone yet still have them able to know if they've found the original?
"Commutative encryption" does exist, but wallet encryption uses AES which is not. And even if it did, I'm not sure there would be a way for the cracker to know when he's found the correct passphrase. This may be a way to improve the encrypted wallet format. Passphrase to key function -> key. Then have the client encrypt separately a "test string" and the wallet. This would allow brute force recovery in a secure manner. The person could just give only the encrypted test string (which given the right key should decrypt to a known value (something like "Bitcoin Wallet format v1.2") to recovery team. It wouldn't simplify the attacker's job but it would allow forgotten/incorrect passwords to be recovered in a manner that doesn't require the owner to trust a third party. +1 That's such a good idea I'm going to make it part of my new wallet format in Armory. This kind of thing happens infrequently, but enough. Although, Armory has the advantage that you usually have a paper backup which is unencrypted. When you forget your passphrase, you only need to restore your wallet from the sheet of paper. |
|
|
|
Just out of curiosity is there any theoretical way to put another password on a file before handing it off to someone yet still have them able to know if they've found the original?
"Commutative encryption" does exist, but wallet encryption uses AES which is not. And even if it did, I'm not sure there would be a way for the cracker to know when he's found the correct passphrase. |
|
|
|
Update OP?
Sorry, I've been slacking. I just updated it now. SD went through a rather dramatic swing the past few days: jumping above 1,500 BTC profit, and dropping back down to around 500. A spurt of large bets (50-100 BTC each) may be responsible... Also, I added a field "Profit only completed bets": it's because there seem to be some freezing issues with the service, such that hundreds of BTC in bets are getting backlogged, and the previous "Profit/Loss" fields were including those as profit. The third entry is now the important one: of all the bets that have been fully processed, SD has made about 650 BTC profit so far. |
|
|
|
|
Given what you just said, I would guess that you know all the words that are in the password. Therefore, the issue is most likely capitalization and/or punctuation. Especially punctuation and numbers, which can easily be mistyped, or accidentally double-capitalizing like "WAlrus". Or maybe a spacebar was tapped twice, or you have a "teh" in there.
It sounds like there's a lot of BTC there, so I would first spend a couple hours trying slight variations of it. A couple hours seems like a lot, but that's the price you pay for forgetting your password! And it's worth it if it actually works, because then you don't have to risk giving the wallet to anyone else. And it might be faster than downloading and figuring out how to use some poorly made software specifically designed for cracking Satoshi wallet passwords but it doesn't quite work right...
|
|
|
|
|
Given enough time, it can be found. But the system is designed to make brute forcing the password slower...
RIGHT NOW write down anything you can remember about the password. Length, characters, patterns that are probably in the password. Not only might this jog your memory, but it could reduce the search time by a factor of 1,000,000, and could be the difference between figuring it out eventually, or not at all.
Unfortunately, I don't have the time to attempt this, but I know there are folks out there who would. Just be aware that unless you are "buying a script" to run on your own system, you will most likely be giving your wallet to someone and there's no guarantee that you'll get anything back once they find the password. In other words, I would only send the wallet to members with a reputation at stake.
(I mean, there's no guarantees with anyone on the forums, but at some point you have to trust someone if the alternative is losing the coins forever)
|
|
|
|
In fact, Startum does eactly what you seem to want to do both decentralized and without an alt-chain.
Sorry, I'm not familiar with the Stratum alternative. If there is no alt-chain for verification, what is stopping malicious nodes from distributing bogus data to the rest of the network? Someone malicious can effectively DoS a significant proportion of lite nodes just by setting up a thousands of fake peers that connect to as many other peers as possible and all give out the same incorrect data. It might take more work for nodes to sort it out than if you just decided to be a full node (credit to Casascius for this argument). This goes back to the original source of this thread: an overlay network makes sense in some contexts, but perhaps using an alt-chain secured through merged mining might be a better alternative (albeit more complex). Under what criteria does a node decide that important data is correct in an overlay network if there is no way to compare directly to the blockheaders? It seems that to do this in a decentralized manner without an alt-chain, you have to trust whatever information is given to you by the majority of your peers. But peers are cheap and easily spoofed. One resourceful attacker can muck up the entire network with a million fake nodes. This is where an alt-chain is beneficial: --In a non-alt-chain network, you need a majority of nodes telling you the correct answer to end up with the correct answer --With an alt-chain secured through merged mining, it only takes only one honest node for you to get the correct answer (verified through proof-of-work), even if the other 999 peers are malicious Unfortunately, my understanding of merged mining and Stratum's overlay network is really weak. Please fill me in if I'm missing the mark. |
|
|
|
And it's quite literally impossible for lightweigt clients to have the 'same confidence as" a full node. The best that a lightweight client can have is some confidence.
Go back and read the proposal. It allows for a lightweight node to carry nothing but the headers (for both chains) and then it can verify the full unspent-TxOut-list directly against the headers. Ultimately that's what a full node does -- the headers are the base of all trust. While this is true, it's far from a complete picture of the intergrated security model that full nodes have access to. In order for a lightweight client to accept a payment transaction, it must either 1) have Internet and access to a supporting server or 2) accept the evidence that the sender's client provides. Although a lightweight client sending to another should have no problem sending a copy of the input transactions, which the lightweight client can then verify that it fits into it's own claimed spot on the merkle tree connecting to it's own copy of the block header, this is still not quite the same as what options of verfications that a full client has. The solution I proposed does not rely on a "supporting server". It does not require trusting the sender's client. And the internet access part is a given for any node that has any hope of accepting zero-confirmation transactions with less than complete-trust. I have assumed all along that the node has a connection. The solution I proposed does not require any trust of any nodes, any more than a full node on currently trusts any other node -- you trust the longest chain of headers. Any data that is consistent with the longest chain is as trustworthy as it gets, regardless of who it came from. In this case, the second-chain headers contain a hash of a merkle tree specifically designed for a node to verify the complete unspent-TxOut-list for any script/address. Let's say you have only the headers of both chains and you are verifying an input of a zero-conf tx. A peer sends you a list of unspent outputs. But, how do you know the list is legit? Even if you verified the outputs are part of the blockchain, how do you know they haven't been spent since then? The solution I proposed does exactly this. I download an additional 1-2kB of data (the master merkle branch for that address), and then I can see that the unspent output list is correct against the headers. This includes the fact that none of those outputs have been spent since then. Therefore, once you've got the headers and the longest chain figured out, a wallet of 100 addresses could be sync'd and verified against the headers with the same confidence as a full-node with less than 1 MB of downloading. (that's for the initial sync -- after that you either re-sync, or update the unspent-TxOut-list for your wallet with the new blocks/tx as they come in)
I don't see that, sorry. [/quote] Then we're not talking about the same thing. I'll make a graphic to depict this concept more clearly. Until then, this conversation can't continue, because you will otherwise never believe that what I am proposing is possible. I didn't believe it was possible, either... which is why I'm so excited about this idea because it actually does this |
|
|
|
And it's quite literally impossible for lightweigt clients to have the 'same confidence as" a full node. The best that a lightweight client can have is some confidence.
Go back and read the proposal. It allows for a lightweight node to carry nothing but the headers (for both chains) and then it can verify the full unspent-TxOut-list directly against the headers. Ultimately that's what a full node does -- the headers are the base of all trust. Therefore, once you've got the headers and the longest chain figured out, a wallet of 100 addresses could be sync'd and verified against the headers with the same confidence as a full-node with less than 1 MB of downloading. (that's for the initial sync -- after that you either re-sync, or update the unspent-TxOut-list for your wallet with the new blocks/tx as they come in) For the nodes that are maintaining the compressed/pruned list, they only need to do that massive full-chain calculation once. The tree/snapshot can then be updated incrementally, which is many orders of magnitude faster than recomputing the whole thing on every block. It certainly doesn't hurt to talk about it, but I don't agree that such an idea has merit when compared to other methods od achieving similar goals already discussed. And if I can't see it, I'f wager that there are many more who are going to be sceptical of it's value as well. Without a minimum critical mass, nothing is going to matter.
My concern with other methods is lack of verifiability that your node actually has the correct tree. It could be corrupted, or maliciously modified, and there's no way to know, since nothing in the tree is traceable back to the headers. The only solution is to trust a third-party/server, or download substantial portions of the entire blockchain. It's for this reason that I thought blockchain pruning would not work without enforcing accurate snapshot hashes in the header, and thus it wouldn't work because no one would support such a huge change to the protocol. But the idea of putting all that data into another chain with merged mining makes it completely feasible and non-disruptive to others that don't care. |
|
|
|
I have no doubt that someone or a team would step up and produce the solution. And I have no doubt that users/miners would do (1) if they were confident that it would work. Number (2) is more uncertain, but if it's a matter of a CPU-minute every hour, most miners would do it given the benefits it brings to the network. Plus, you only need some miners to participate, you don't even need a majority.
Perhaps, but only if the benefit to the network is demonstratable as compared to alternatives. While a p2p solution might be possible, it's not always necessary. And if it's not necessary, it's not likely resource/economicly justifiable. Bitcoin is p2p for sound reasons, but what reasons carry over to what amounts to a tracking service? If the server that a particular client chooses should go down or be DDOS'ed, the result from the perspective of the user is the same as if he had left his service area; a temporary inconveince. And in the case of header-only/lightweight clients, not necessarily even a dehibilitating one. I'll admit, this idea has merit; but it seems to lack encentive. I can admit I might be overlooking something here, but what gain does a miner have for participating and sharing his findings? Both are important, because if his gains are personal, he then has limited incentive to share the results. Just to clarify: I have in mind the hybrid solution between this thread (a second chain w/ merged mining for non-disruptively maintaining snapshot info) and my modification of the unspent-TxOut-tree idea for compression and pruning. If all we were talking about was compression/pruning, then I understand why you're skeptical, though I still disagree (I believe it would be widely supported). But we're talking about any client having the ability to retrieve full unspent-TxOut lists, nearly instantaneously, with the same confidence as a full node, with only headers, and while maintaining complete decentralization. If lightweight clients suddenly have the same usability & confidence as full clients and everything remains completely decentralized -- that's an extraordinary boon to the network that a lot of users would go out of their way to support. I mean, really go out of their way to support it. Hell, even if it was just compression/pruning, I think users would still support it. Therefore, I think the extra benefits would have users racing to implement and support it. Though, if that idea turns out not to work, it is still relevant to talk about the expected acceptance of a second blockchain solely for compression purposes. |
|
|
|
Why do users run Tor exit nodes? Why do people participate in P2Pool? There's a dozen things like it -- and people do it anyway because it adds value to the system (which means it also adds value for themself). If the incentive is that we help avoid centralization of a this global currency, then people will do it, as long as the cost isn't too high. Not sure that this is a good analogy, since there would be economic incentive to merged-mine both chains. I don't follow. The proposal in this thread suggests that there would be a second chain, and it's purpose would be for nodes to securely exchange pruned/compressed blockchain snapshots. The result of mining a block on the second chain would not produce anything of financial value, but it doesn't matter because it's basically free with merged mining (besides a software upgrade). If someone or a team produced this solution, and there was great confidence in this solution being correct and usable -- then the cost for users to support it is: (1) Upgrade their mining servers and probably miners, too. (2) Spend electricity computing unspent-TxOut-tree snapshots I have no doubt that someone or a team would step up and produce the solution. And I have no doubt that users/miners would do (1) if they were confident that it would work. Number (2) is more uncertain, but if it's a matter of a CPU-minute every hour, most miners would do it given the benefits it brings to the network. Plus, you only need some miners to participate, you don't even need a majority. Btw: I don't have much experience with merged mining, so maybe I'm making a poor assumption here... |
|
|
|
Although this is an interesting idea, I don't think that it's viable. How do you encentivise miners to secure this alt-chain?
Why do users run Tor exit nodes? Why do people participate in P2Pool? There's a dozen things like it -- and people do it anyway because it adds value to the system (which means it also adds value for themself). If the incentive is that we help avoid centralization of a this global currency, then people will do it, as long as the cost isn't too high. You're right, though, if it's too expensive: if it requires a system with 192 GB of RAM and 48 CPU cores to keep the second chain updated, then it's probably a no-go. But in the absence of that, people will do it, maybe solely because they're selfish and they want better performance&security on their own smartphone. I haven't done the calculation yet. However, I suspect that once the second blockchain has been seeded (i.e. one can securely acquire the current unspent-txout-tree), then a regular computer will be able to maintain and update that unspent-txout-tree (short of Visa-level tx volume). In that case, there will be no problem getting users and miners to support it, EDIT: Also, If merged mining didn't exist then I would 100% agree with you. But because it does exist, the second chain be secured for "free", which lowers the cost and risk dramatically. However, a running balance table server isn't a bad idea as a pay-for service for light clients to use as a means to check their own addresses to make sure that they havn't missed something. For example, one (or serveral) balance servers could exist that individual lightweight clients could contact out-of-bitcoin-band as a quick check upon startup, or a secondary check. If the balance returned does not match, the lightweight client may have to try again, but if the balance returned matches what it thinks that it should have upon startup, the client can happily assume that it has all the relevant transactions to continue.
The service could be paid for in an anonymous, monthly fee. Once every 30 days or so, the client tries to send the chosen balance server a small tip, and the server collects the addresses presented in that transaction (since lightweight clients tend to use fewer new addresses, or a more sophisticated lightweight client for the desktop could simply create a special transaction that uses as many input address as may be important, or simply uses the monthy transaction to consolidate addresses into a new operating address producing the server's monthly fee in the process). When the client is restarted in the middle of the month according to the datetime available to the client, it first checks to see what it thinks that it's balance is, and then sends off the appropriate requests to the subscribed balance server. If the server responds with the matching balance, the client happliy can quick boot and be ready for action (like bitcoinspinner). If the balance returned is differnet, the client then should tell the user that it needs to update itself before spending, and proceed to do so in the background. If the server feels it's not been properly paid, it returns an error code; or of the address is unknown in the blockchain; which would likely be the same as a zero balance to a running balance server. Lightweight clients (that hold block headers) could still manage local transactions sans live Internet access, but with a warning to the user that Internet was not present and this could present a risk. This setup would allow android clients to get into a working condition as fast as BitcoinSpinner most of the time, while also permitting delayed transactions/offline transactions to occur, which BitcoinSpinner & BitcoinJ most certainly cannot do.
I think what you've posted there is a good idea, in general. However, I'm more interested in finding solutions that don't involve third-parties and extra fees. Or rather, I just don't like conceding to them until it's clear that a decentralized P2P solution is infeasible. |
|
|
|
This will not come to pass.
Way too complicated indeed.
I disagree. Bitcoin is complicated, not just this pruning/compression solution. I'm not saying that the linked thread is "the best way", but I assure you there will be no simple way to do it. However, the solutions are usually very simple in concept: represent the current state of the network as only the remaining unspent coins, you can throw away everything else. The details are in the algorithms for computing these unspent-output-trees, and sharing/verifying answers with other nodes. I used to think this was a pipe dream, because it would cause a hard fork to implement this securely in the network (because you'd have to modify the headers), but the linked thread brings up the fact that it can be done in a parallel blockchain with merged mining. This means that the pruning/compression would be strictly opt-in: users who don't care only use the regular network. Nodes that want the compression/pruning, can subscribe to the second chain and only download the most recent unspent-output-tree and latest blocks. With this in mind, it's actually feasible. And if there's a strong enough incentive -- like ensuring decentralization by enabling home computers to still participate in the network as full nodes -- then something should be done, even if it's not exactly this solution. |
|
|
|
I made a pretty comprehensive tutorial for using cold storage in Armory: Using Offline Wallets in Armory. Get an old laptop, and it's 7 steps to get setup. Then 7-8 steps to actually execute a transaction. But of course, this is all with a pleasant graphical user interface with directions shown along the way, so the steps are a lot easier than the alternatives! Offline wallets/cold storage is exactly what inspired me to make Armory in the first place! The only potential point of failure is USB viruses. And those viruses would have to be highly-targeted: your private keys never touch any computer that will ever touch the internet. So a USB virus would have to be fully automated and exploit autorun vulnerabilities to even have a chance. In the future, I will support serial cables to close this tiny little gap, for the super-paranoid. </spam> |
|
|
|
|
Show Posts
