Bitcoin Forum
November 08, 2024, 02:21:05 AM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1]
  Print  
Author Topic: security recomendations  (Read 1481 times)
mishrahsigni (OP)
Newbie
*
Offline Offline

Activity: 44
Merit: 0


View Profile
July 26, 2013, 12:45:17 AM
 #1

I am painfully aware of the risks involved with keeping bitcoins online (https://bitcointalk.org/index.php?topic=255369.msg2749654)... but i i can't trust the exchanges, and I can trust double password access, what is the secure way to store bitcoins onl9ine, specifically with regards to running an online business that moves bitcoins to and fro? 

My original plan was to keep them in blockchain as they seem to have very good security, but as their security was not able to stop my 300 coins for getting disappeared, I guess that is out of the question... so, what IS the best way to store coins online what they HAVE to be stored online?

westkybitcoins
Legendary
*
Offline Offline

Activity: 980
Merit: 1004

Firstbits: Compromised. Thanks, Android!


View Profile
July 26, 2013, 04:20:48 PM
 #2

I am painfully aware of the risks involved with keeping bitcoins online (https://bitcointalk.org/index.php?topic=255369.msg2749654)... but i i can't trust the exchanges, and I can trust double password access, what is the secure way to store bitcoins onl9ine, specifically with regards to running an online business that moves bitcoins to and fro? 

My original plan was to keep them in blockchain as they seem to have very good security, but as their security was not able to stop my 300 coins for getting disappeared, I guess that is out of the question... so, what IS the best way to store coins online what they HAVE to be stored online?


Probably depends on why they have to be stored online. What specifically do you need? I know you said "with regards to running an online business that moves bitcoins to and fro" but with more details, you will be more likely to get a helpful answer.

Is it because the bulk of the coins you receive as income are quickly spent (meaning nothing of significance stays stashed away) so you want one location to easily view and manage transactions, and spend from, all by hand?

Is it because you do not want to (or cannot) setup your own system/hardware to manage the transactions automatically?

Do you have several employees and want to use a distributed system "in the cloud" rather than relying on direct-access systems that an employee can compromise?

The more we know (that isn't personal info,) the more of a help we can be. But you should also understand that the answers may not be the ones you were looking for.

Bitcoin is the ultimate freedom test. It tells you who is giving lip service and who genuinely believes in it.
...
...
In the future, books that summarize the history of money will have a line that says, “and then came bitcoin.” It is the economic singularity. And we are living in it now. - Ryan Dickherber
...
...
ATTENTION BFL MINING NEWBS: Just got your Jalapenos in? Wondering how to get the most value for the least hassle? Give BitMinter a try! It's a smaller pool with a fair & low-fee payment method, lots of statistical feedback, and it's easier than EasyMiner! (Yes, we want your hashing power, but seriously, it IS the easiest pool to use! Sign up in seconds to try it!)
...
...
The idea that deflation causes hoarding (to any problematic degree) is a lie used to justify theft of value from your savings.
mishrahsigni (OP)
Newbie
*
Offline Offline

Activity: 44
Merit: 0


View Profile
July 27, 2013, 03:17:42 AM
 #3

ok, so think of it like a penny arcade.  you give the cashier 1 dollar and she gives you 10 tokens, which you can spend in the arcade.  When you leave, you cash in your remaining tokens.   

Bitcoins are send yo the account to get credits and then bitcoins are sent back to client when they cash in their credits.  That is how the coins are used.

Now, i assume (perhaps in error) that the mtgox's and blockchain  of the world have better security than i can privide while allowing me to receive/send bitcoins.

If I do not keep them online anywhere, how does that work?  Do I send all the accumulated coins to my private wallet every hour, and then make a cd backup of that wallet every hour? 

Regardless of how I use the coins, the question is the same:  What is the best way to make an online wallet secure?

trilightzone.org
Newbie
*
Offline Offline

Activity: 47
Merit: 0



View Profile WWW
July 27, 2013, 11:14:11 PM
 #4

ok, so think of it like a penny arcade.  you give the cashier 1 dollar and she gives you 10 tokens, which you can spend in the arcade.  When you leave, you cash in your remaining tokens.   

Bitcoins are send yo the account to get credits and then bitcoins are sent back to client when they cash in their credits.  That is how the coins are used.

Now, i assume (perhaps in error) that the mtgox's and blockchain  of the world have better security than i can privide while allowing me to receive/send bitcoins.

If I do not keep them online anywhere, how does that work?  Do I send all the accumulated coins to my private wallet every hour, and then make a cd backup of that wallet every hour? 

Regardless of how I use the coins, the question is the same:  What is the best way to make an online wallet secure?



It starts with you, it is more likely that your computer got compromised or email then all those services you used suddenly got hacked to get to your coins. I'd advise to first make sure the computers you use are well secured and you know enough on how to keep them secure. Second, if you trade on an exchange don't leave large chunks online but only what you can afford to lose. Third, if you run your own online business with an online wallet make sure to empty it often so if something happens it'll not cause you a serious loss and invest in the security of your business.

mishrahsigni (OP)
Newbie
*
Offline Offline

Activity: 44
Merit: 0


View Profile
July 28, 2013, 12:02:16 AM
 #5


It starts with you, it is more likely that your computer got compromised or email then all those services you used suddenly got hacked to get to your coins. I'd advise to first make sure the computers you use are well secured and you know enough on how to keep them secure. Second, if you trade on an exchange don't leave large chunks online but only what you can afford to lose. Third, if you run your own online business with an online wallet make sure to empty it often so if something happens it'll not cause you a serious loss and invest in the security of your business.



so, that is the answer I was afraid of... basically saying "no, there is no safe place to keep your money online.  You have to hide it under your pillow, next to your gun.", which makes banks a little bit more attractive, even with all their downsides.  it is surprising to me that a bank can do this security easy-peasy, yet crypto-nerds can't.  It shakes my faith.

As for the hacks, it was not all at once, but over a year, and unless someone secretly installed a vnc server on my linux box, and then secretly open that port, they could not know the 2nd password (at blockchain) entered on a virtual keyboard.  I think there is a far more likely scenario.  And the bitcoin-24 shutdown certainly had nothing to do with my security.
vokain
Legendary
*
Offline Offline

Activity: 1834
Merit: 1019



View Profile WWW
July 28, 2013, 03:26:08 AM
 #6

OSX seems to be pretty secure in my two years running it without any problems
westkybitcoins
Legendary
*
Offline Offline

Activity: 980
Merit: 1004

Firstbits: Compromised. Thanks, Android!


View Profile
July 29, 2013, 02:44:57 AM
 #7

Now, i assume (perhaps in error) that the mtgox's and blockchain  of the world have better security than i can privide while allowing me to receive/send bitcoins.

I believe this is an erroneous assumption. At this point in the growth of bitcoin, you simply can't trust anyone else to hold your coins for you. IMHO, the main reason that bitcoin businesses can't and that banks can boils down to two simple issues: insurance, and the nature of the money itself.

There are no bitcoin insurance companies yet. So if Mt. Gox gets hacked and loses all of it's bitcoins, everyone--you, Mt. Gox, and all their customers--are just out of luck. And while every hacker on the planet knows about Mt. Gox, and knows they hold millions of dollars worth of bitcoins, very few know about any bitcoins you keep stashed away yourself, so the risks to Mt. Gox's bitcoin stash are far greater than the risks to your own. This will likely change as bitcoin continues to grow, but yes, currently this is an advantage banks have over the bitcoin network.

The second issue, the nature of the money, is something that simply isn't going to change, because of the way it all works. Bitcoin is different from the fiat banking systems, with advantages and disadvantages. The only way bitcoin will have those disadvantages removed is to use an infrastructure built on top of bitcoin that changes it to effectively act like the traditional banking system. It's an either-or thing; you can't have the advantages without the corresponding downsides.

All that said...


Quote
If I do not keep them online anywhere, how does that work?  Do I send all the accumulated coins to my private wallet every hour, and then make a cd backup of that wallet every hour?  

Ideally, you would design (or have designed for you) a system that does exactly what you expect Mt. Gox or blockchain.info to do, but does it more securely, and in secrecy. This isn't a monumental undertaking; Bitcoin-Qt is already designed to process most of what you need, the backups and redundancy is routine, and there are extra tools to help with security (Armory comes to mind.) But of course, it's going to cost some money and involve some effort setting up and handling the hardware, just as if you wanted to custom-design and run your own website rather than letting someone else build and run one for you.

It sounds like that's what it will take to securely do what you want to do with bitcoins.

Quote
Regardless of how I use the coins, the question is the same:  What is the best way to make an online wallet secure?

Yes, there's a way to make an online wallet (more) secure. You mainly do it by not having your private keys online. You setup a server that checks and processes incoming transactions, dispenses pre-generated payment addresses, and creates unsigned transactions for spending the bitcoins. Then you transfer those unsigned transactions to an offline system that has the private keys, and checks and signs them; you then transfer the transactions back to the online system to be broadcast. There are a number of ways to do the transfer, and ideally it would require physical movement of a file and manual authorization each time, but that's the basic idea.

If that doesn't fit into the time constraints of your system (you HAVE to have automated spending of the bitcoins, you don't want customers to have to wait to pull out funds,) you could keep a "hot wallet," but keep the bulk of your bitcoins in an offline system. The hot wallet is online, but has few bitcoins at any given time, and it transfers bitcoins to the cold storage stash whenever it goes over an certain limit. You transfer bitcoins from cold storage to the hot wallet as needed, and at best you'll only lose what's in the hot wallet. There's still the risk that some customers will have to wait for a transfer from cold storage if a lot of them make withdrawals all at once, but it should automate most of the system, at the cost of reduced security.

But you still have to do all this yourself. Even if some company did this as part of their regular operations, they still would be in control of your bitcoins, and it's still a significant security risk.

<Edited for brevity>

Bitcoin is the ultimate freedom test. It tells you who is giving lip service and who genuinely believes in it.
...
...
In the future, books that summarize the history of money will have a line that says, “and then came bitcoin.” It is the economic singularity. And we are living in it now. - Ryan Dickherber
...
...
ATTENTION BFL MINING NEWBS: Just got your Jalapenos in? Wondering how to get the most value for the least hassle? Give BitMinter a try! It's a smaller pool with a fair & low-fee payment method, lots of statistical feedback, and it's easier than EasyMiner! (Yes, we want your hashing power, but seriously, it IS the easiest pool to use! Sign up in seconds to try it!)
...
...
The idea that deflation causes hoarding (to any problematic degree) is a lie used to justify theft of value from your savings.
Varicon
Member
**
Offline Offline

Activity: 90
Merit: 10



View Profile
July 29, 2013, 04:01:51 AM
 #8

When Trezor comes out it will probably be one of the most secure ways to store bitcoins next to a paper wallet.
vokain
Legendary
*
Offline Offline

Activity: 1834
Merit: 1019



View Profile WWW
July 29, 2013, 04:14:23 AM
 #9

When Trezor comes out it will probably be one of the most secure ways to store bitcoins next to a paper wallet.

I want one so bad
AliceWonder
Full Member
***
Offline Offline

Activity: 168
Merit: 100



View Profile
July 29, 2013, 06:53:32 AM
 #10

OSX seems to be pretty secure in my two years running it without any problems

OS X would be vulnerable to java malware, so either don't install java or don't ever allow java applets to run.

QuarkCoin - what I believe bitcoin was intended to be. On reddit: http://www.reddit.com/r/QuarkCoin/
DannyHamilton
Legendary
*
Offline Offline

Activity: 3486
Merit: 4816



View Profile
July 29, 2013, 02:04:53 PM
 #11

- snip -
My original plan was to keep them in blockchain as they seem to have very good security, but as their security was not able to stop my 300 coins for getting disappeared, I guess that is out of the question...
- snip -

This sounds like FUD to me. If you use a secure password, then access to your bitcoins is encrypted and inaccessible to anyone at blockchain.info or anyone who gains access to blockchain.info's servers.  The only places that have access to those bitcoins are the computers where you type the password.  This means that either:

  • You chose an extremely poor password that a hacker discovered
  • or, you typed your password on a computer that was compromised with malware

Do you have any evidence to the contrary?

- snip -
As for the hacks, it was not all at once, but over a year,
- snip -

Wait.  You're saying your account was repeatedly hacked multiple times over a course of a year, and that you continued to use the service each time it was hacked until you had lost a total of 300 BTC?

Huh

This doesn't make any sense.  It's starting to sound to me like you are sending bitcoins and then forgetting that you sent them.
mishrahsigni (OP)
Newbie
*
Offline Offline

Activity: 44
Merit: 0


View Profile
July 30, 2013, 10:40:55 PM
 #12

- snip -
My original plan was to keep them in blockchain as they seem to have very good security, but as their security was not able to stop my 300 coins for getting disappeared, I guess that is out of the question...
- snip -

This sounds like FUD to me. If you use a secure password, then access to your bitcoins is encrypted and inaccessible to anyone at blockchain.info or anyone who gains access to blockchain.info's servers.  The only places that have access to those bitcoins are the computers where you type the password.  This means that either:

  • You chose an extremely poor password that a hacker discovered
  • or, you typed your password on a computer that was compromised with malware

Do you have any evidence to the contrary?

- snip -
As for the hacks, it was not all at once, but over a year,
- snip -

Wait.  You're saying your account was repeatedly hacked multiple times over a course of a year, and that you continued to use the service each time it was hacked until you had lost a total of 300 BTC?

Huh

This doesn't make any sense.  It's starting to sound to me like you are sending bitcoins and then forgetting that you sent them.

well, my passwords (rather the ROT(n) versions of them, which i changed)
were "gafa973p3l5h7" to login and "txtxtx18" to withdraw.  Granted these may not be award winning passwords, but they are not THAT easy to hack, are they?  And the 2nd passwd can only be entered on a virtual keyboard. 

Here is the complete list of all warning on my linux, from 'rkhunter'

[19:21:23] Warning: The command '/usr/bin/unhide.rb' has been replaced by a script: /usr/bin/unhide.rb: Ruby script, ASCII text
[19:22:20] Checking if SSH root access is allowed          [ Warning ] 
[19:22:20] Warning: Hidden directory found: '/etc/.java'
[19:22:20] Warning: Hidden directory found: '/dev/.udev'
[19:22:20] Warning: Hidden file found: /dev/.initramfs: symbolic link to `/run/initramfs'

none of these have the ability to read a virtual keyboard.

As for the multiple hacks, no, not on the samne service

1) BTC-e (and consequently MtGox as I used the same password)  (100btc)
2) Bitcoin-24 (government shutdown, but no bitcoins were confiscated... they simply have decided to not return them) (100btc)
3) Blockchain (300btc)

Now, one of many things that is weird about BTC-e is, i always get a "Successful authorization." when I log into BTC-e.  But the day I was hacked, there was no such notices... just a "Successful Withdrawl" as midnight, followed by a "Successful auth" from my IP 2 hours later when I logged in, which implies they did not log into my account but came in another way, no?   



westkybitcoins
Legendary
*
Offline Offline

Activity: 980
Merit: 1004

Firstbits: Compromised. Thanks, Android!


View Profile
July 31, 2013, 03:59:27 AM
 #13

well, my passwords (rather the ROT(n) versions of them, which i changed)
were "gafa973p3l5h7" to login and "txtxtx18" to withdraw.  Granted these may not be award winning passwords, but they are not THAT easy to hack, are they?

I'm not an IT security professional. But I try to fully digest anything related to the topic that I come across. From everything I've encountered, that second password probably isn't very strong. Only eight characters, consisting of a simple, repeated lowercase pattern and two digits on the end? I wouldn't trust it; I would think any reasonably-sophisticated password-testing algorithm wouldn't take too much time to stumble onto it.

Actual IT security professionals, feel free to corroborate or correct....

Bitcoin is the ultimate freedom test. It tells you who is giving lip service and who genuinely believes in it.
...
...
In the future, books that summarize the history of money will have a line that says, “and then came bitcoin.” It is the economic singularity. And we are living in it now. - Ryan Dickherber
...
...
ATTENTION BFL MINING NEWBS: Just got your Jalapenos in? Wondering how to get the most value for the least hassle? Give BitMinter a try! It's a smaller pool with a fair & low-fee payment method, lots of statistical feedback, and it's easier than EasyMiner! (Yes, we want your hashing power, but seriously, it IS the easiest pool to use! Sign up in seconds to try it!)
...
...
The idea that deflation causes hoarding (to any problematic degree) is a lie used to justify theft of value from your savings.
westkybitcoins
Legendary
*
Offline Offline

Activity: 980
Merit: 1004

Firstbits: Compromised. Thanks, Android!


View Profile
August 11, 2013, 06:36:16 PM
 #14

Just as an update, here are a couple of threads that may suggest what happened to your funds:

https://bitcointalk.org/index.php?topic=251743.0
https://bitcointalk.org/index.php?topic=271831.0

Bitcoin is the ultimate freedom test. It tells you who is giving lip service and who genuinely believes in it.
...
...
In the future, books that summarize the history of money will have a line that says, “and then came bitcoin.” It is the economic singularity. And we are living in it now. - Ryan Dickherber
...
...
ATTENTION BFL MINING NEWBS: Just got your Jalapenos in? Wondering how to get the most value for the least hassle? Give BitMinter a try! It's a smaller pool with a fair & low-fee payment method, lots of statistical feedback, and it's easier than EasyMiner! (Yes, we want your hashing power, but seriously, it IS the easiest pool to use! Sign up in seconds to try it!)
...
...
The idea that deflation causes hoarding (to any problematic degree) is a lie used to justify theft of value from your savings.
Pages: [1]
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!