Wallet Import and Security Questions

[pqzilvaq]

I'm not a programmer and that makes me overly precarious. Please help me answer a couple questions that I have not been able to find answers for.



1. I want to move bitcoins from a QT wallet to electrum (I know imported wallets cannot be recovered from seed). I want to import just one of multiple private keys. I was under the impression for every private key there were 100 addresses. I don't have that many addresses but I have more than 1 private key. I know how to use QT to dump my private key for a specific wallet address, if I import this into an Electrum wallet and then transfer do I ever run the risk making my other private keys in my QT wallet unusable? I do not want to use the command line but I would rather not expose the entire wallet if I can keep 90% of the balance in cold storage this way.

2. I know electrum wallets are deterministic. Does this also mean that if someone knows an Electrum address of mine they will also be able to determine my other electrum addresses and in turn my entire wallet balance for that electrum seed?

3. I know that using java in your browser is a risk. If it is the only real risk you take is it possible to get a virus from Java script or the recent heartbleed bug/QT version 0.9.0 which could infect the computer's BIOS? Since I cannot flash my BIOS, I am worried about putting the computer online again before flashing BIOS and zero filling the hard drive.

These are real tin foil hat questions for the small amount of bitcoins that I have but if I lose them it will be devastating. My neighbor who I don't trust knows I have some bitcoins and he is a programmer. I appreciate any help

[Light]

1. I want to move bitcoins from a QT wallet to electrum (I know imported wallets cannot be recovered from seed). I want to import just one of multiple private keys. I was under the impression for every private key there were 100 addresses. I don't have that many addresses but I have more than 1 private key. I know how to use QT to dump my private key for a specific wallet address, if I import this into an Electrum wallet and then transfer do I ever run the risk making my other private keys in my QT wallet unusable? I do not want to use the command line but I would rather not expose the entire wallet if I can keep 90% of the balance in cold storage this way.

2. I know electrum wallets are deterministic. Does this also mean that if someone knows an Electrum address of mine they will also be able to determine my other electrum addresses and in turn my entire wallet balance for that electrum seed?

3. I know that using java in your browser is a risk. If it is the only real risk you take is it possible to get a virus from Java script or the recent heartbleed bug/QT version 0.9.0 which could infect the computer's BIOS? Since I cannot flash my BIOS, I am worried about putting the computer online again before flashing BIOS and zero filling the hard drive.

These are real tin foil hat questions for the small amount of bitcoins that I have but if I lose them it will be devastating. My neighbor who I don't trust knows I have some bitcoins and he is a programmer. I appreciate any help

First off I take it you accidentally made a self-moderated thread since you're just asking questions.

1. Incorrect, each private key corresponds only to a single private key. You'll have to import each one that contains a balance in it. Alternatively if you want to take use of Electrum's deterministic system you'd need to send it to one of the generated address rather than importing as imported keys aren't restored from seed.

2. It doesn't matter if they have your address - it's designed to be public and shared. What you don't want to is to expose the 12 word seed (e.g eat burgers potato nuggets etc) as all the addresses can be determined from there.

3. Java =/= Javascript - they are completely different things that have different features and functions. As far as security goes, being paranoid is good but it's a lot of effort. For most people making sure to scan their stuff with an AV and not clicking random links plus having an encrypted wallet is enough. For those worried about leaks in RAM then they may use a cold storage solution but it is a bit more effort.

Best advice is to keep you're wallet encrypted. No one not even the NSA would be able to bruteforce the encryption hence you'd be fine (except if there's a hole in the implementation - but there are bigger concerns if there are).

If you need any more help feel free to ask.

[shorena]

1. Incorrect, each private key corresponds only to a single private PUBLIC key. You'll have to import each one that contains a balance in it. Alternatively if you want to take use of Electrum's deterministic system you'd need to send it to one of the generated address rather than importing as imported keys aren't restored from seed.

2. It doesn't matter if they have your address - it's designed to be public and shared. What you don't want to is to expose the 12 word seed (e.g eat burgers potato nuggets etc) as all the addresses can be determined from there.

3. Java =/= Javascript - they are completely different things that have different features and functions. As far as security goes, being paranoid is good but it's a lot of effort. For most people making sure to scan their stuff with an AV and not clicking random links plus having an encrypted wallet is enough. For those worried about leaks in RAM then they may use a cold storage solution but it is a bit more effort.

Best advice is to keep you're wallet encrypted. No one not even the NSA would be able to bruteforce the encryption hence you'd be fine (except if there's a hole in the implementation - but there are bigger concerns if there are).

If you need any more help feel free to ask.

Sorry, but this had to be fixed

Flashing BIOS or not has nothing to do with "Bad BIOS" (the virus you are refering to). Afaik you cant check for Bad BIOS other than trying to boot from a CD. If you can boot from a CD, the BIOS should be fine.

Heartbleed will not affect you personaly, unless you run a server. It basicly can reveal secret information from a server that uses openSSL (in an old version). This might include things you send to this server, but it is not a way to inject malware to your PC. Esp. not if its offline.

[cr1776]

1. Incorrect, each private key corresponds only to a single private PUBLIC key. You'll have to import each one that contains a balance in it. Alternatively if you want to take use of Electrum's deterministic system you'd need to send it to one of the generated address rather than importing as imported keys aren't restored from seed.

2. It doesn't matter if they have your address - it's designed to be public and shared. What you don't want to is to expose the 12 word seed (e.g eat burgers potato nuggets etc) as all the addresses can be determined from there.

3. Java =/= Javascript - they are completely different things that have different features and functions. As far as security goes, being paranoid is good but it's a lot of effort. For most people making sure to scan their stuff with an AV and not clicking random links plus having an encrypted wallet is enough. For those worried about leaks in RAM then they may use a cold storage solution but it is a bit more effort.

Best advice is to keep you're wallet encrypted. No one not even the NSA would be able to bruteforce the encryption hence you'd be fine (except if there's a hole in the implementation - but there are bigger concerns if there are).

If you need any more help feel free to ask.

Sorry, but this had to be fixed

Flashing BIOS or not has nothing to do with "Bad BIOS" (the virus you are refering to). Afaik you cant check for Bad BIOS other than trying to boot from a CD. If you can boot from a CD, the BIOS should be fine.

Heartbleed will not affect you personaly, unless you run a server. It basicly can reveal secret information from a server that uses openSSL (in an old version). This might include things you send to this server, but it is not a way to inject malware to your PC. Esp. not if its offline.

Not just servers. Anyone running the correct versions of OpenSSL. Some android phones have been reported to be vulnerable. Bitcoin 0.9.0 was using the current version (since updated to the fixed version of OpenSSL) and was vulnerable. So not just servers, although they were much more likely to be targeted.

Also, bios can boot and yet still be altered. Bios is just a program after all that can be used to compromise your machine.  Done properly, you wouldn't even know without checking the checksum or signature.

[pqzilvaq]

Thank you for amazing answers but I didn't phrase myself clearly on a few things. I am not worried about the security of deterministic wallets in the sense of losing bitcoins. I am more interested in whether, if I know a single or a few addresses from a person's deterministic wallet would I be able to work out their master public key or a list of other addresses which would be produced by their seed. If I send someone .01 bitcoins, I would not like them to know that I have XX bitcoins in my wallet.

I have read a lot about viruses and it seems that BIOS viruses have been around for years. They are very rare and I am not sure if a trojan could be put in the BIOS, but since there are BIOS viruses which survive a hard drive wipe, it seems the safest way to access a large cold wallet would involve a BIOS wipe before and after the transfer. 1. BIOS flash 2. boot from live CD 3. download electrum 4. Add private key from a single address 5. Make transfer 6. Restart and flash BIOS.

I know non technical users should not mess around with the command line or attempt to generate their own transactions. I know Mount Gox might have lost bitcoins due to poorly configuring their wallets. Since importing a single private key would be like generating a transfer from the command line I am a bit worried. If I import a private key into electrum and send to a seed generated address, I simply want to know if there can be any corruption where the QT wallet either does not recognize the transfer and won't know the address that the remaining coins were returned to or something involving dust transactions (which I don't understand one bit). I'm just looking for a definitive answer.

[cp1]

No, they can't know your other addresses if they only know one address.  And don't import the private key, just send all the coins in it to one of your electrum addresses.

[shorena]

-snip-
I have read a lot about viruses and it seems that BIOS viruses have been around for years. They are very rare and I am not sure if a trojan could be put in the BIOS, but since there are BIOS viruses which survive a hard drive wipe, it seems the safest way to access a large cold wallet would involve a BIOS wipe before and after the transfer. 1. BIOS flash 2. boot from live CD 3. download electrum 4. Add private key from a single address 5. Make transfer 6. Restart and flash BIOS.
-snip-

I though you where talking about a specific BIOS virus, called Bad BIOS, which was discovered by Dragos Ruiu. Afaik you cant just flash it away, you need to burn a now ROM. If thats the kind of stuff you are worried about, I can not help you. It is said to infect air gapped systems and the only strange thing you will notice is that you can not boot from a CD/DVD. So with an attacker that can write a virus like this in mind, nothing is safe. Esp. not if you have to get software online.

[pqzilvaq]

No, they can't know your other addresses if they only know one address.  And don't import the private key, just send all the coins in it to one of your electrum addresses.

In your guide to offline Armory install you say,

"If you're not connected to the internet your wallet can't be stolen"


In that same vain, I importing a private key instead of connecting the whole wallet to the internet to make a small transfer should be a better security practice. The question that still has not been answered in this thread is if it is possible, since electrum wallets may generate transactions differently than QT wallets, that bitcoins could get trapped on the original QT wallet. If that is not possible, I see no reason not to import a private key by private key into electrum as the need arises. I would not like to send all the coins to a single address because I do not want to want to connect every private key to the internet if I don't need to and because I do not want people to be able to make better estimations as to my full balance.

[cp1]

In that case check if electrum has a sweep private key option.  I just don't like having a mix of electrum seeded keys and private keys that aren't backed up by the seed, seems like an easy way to get mixed up.