Ubunutu + Electrum Security

[Anonymoose33]

Fresh install of Ubunutu onto a dedicated (encrypted) hard drive, with a download of Electrum from the Software Center.

Specific hard drive will never open an internet browser/apps/anything not wallet related (although still connected to the internet), will be disconnected from the power supply while not doing wallet transfers.

How secure would this method be?

Seems like it would be the second most secure method to secure coins aside from cold storage, no?

[1715547926]

1715547926

[1715547926]

1715547926

[lucasjkr]

You're assuming the version of electrum you downloaded from the software center is the same as you would have compiled yourself. Why risk it? Just download the tools to compile your own copy.

Also, go through your firewall rules to make certain that nothing on your machine can connect out, or connect in. Of course, then you have an internet connected machine not receiving software updates...

REally, at the end - if you want cold storage, you need to create an airgapped machine, there's no point in doing it halfway.

[Blazr]

It isn't as safe as proper cold storage, but it is safer than storing them on your everyday PC. One problem is if the device is compromised, you have almost no chance to prevent theft, where as with a normal cold storage you have some chance to prevent it in some cases.

Why don't you just keep the device permanently offline and use it as a cold storage?

You should also configure the firewall to only allow outgoing connections to electrum servers and possibly APT too if you want to update the PC.

You can use gufw to setup a firewall on Ubuntu, which has a GUI.

I also think you shouldn't use "half-measures". The system you describe is exactly the one that was used by BTER when they were hacked and lost thousands of Bitcoins. Electrum makes it easy to setup cold storage, might as well do it.

[Reynaldo]

Why would you even use ubuntu with such bloated software installed from start? get archlinux or gentoo and compile everything by hand, this will be safer and learn how to use the firewall. Here there are some useful links:

Here's the link to iptable: http://www.gtcomm.net/blog/linux-native-firewall-introduction-to-iptables/

[Blazr]

Why would you even use ubuntu with such bloated software installed from start? get archlinux or gentoo and compile everything by hand, this will be safer and learn how to use the firewall. Here there are some useful links:

Here's the link to iptable: http://www.gtcomm.net/blog/linux-native-firewall-introduction-to-iptables/

Ubuntu is much more polished than other distro's though. It's because much of Ubuntu is developed by a for-profit company called Canonical with paid developers, and they regularly use tricks to avoid pushing their changes upstream, so other distro's don't get to use much of their code. I personally distrust Canonical for this and other reasons and don't particularly like Ubuntu, but I do use Ubuntu because on the desktop it runs stabler than any other distro, even Debian, however Debian is much better on the server.

Also compiling everything by hand might seem like a good idea, but be aware you are FAR more likely to introduce bugs due to incompatible libraries etc doing that, and also you won't be prompted for updates, so whenever another OpenSSL vulnerability shows up you'll be at risk until you manually compile the updated version. I don't think you should compile EVERYTHING by hand, perhaps you should compile your Bitcoin client by hand and use a package manager for most things. On top of that some packages don't play nice together, for example I used to use LXDE on Debian and I had an issue with a keyboard shortcut conflict and the windows key, which was a unique issue to me and I could never fix it because nobody else ran LXDE along with the package that was causing the conflict and digging through the code wasn't worth the effort and even if I did manage to fix it I'd have to manually compile it with my patch every time there's an update and also check that the update doesn't break the patch. In the end it was just easier to use Ubuntu.

[Blazr]

From what I understand for cold storage:

Unplug from internet, run btc client to generate wallet, write down public/private keys to piece of paper?

Then create a watch only on blockchain.info

All done on a fresh install of course

Not at all. Check this out:
http://codinginmysleep.com/cold-storage-part-1
http://codinginmysleep.com/cold-storage-part-2
http://codinginmysleep.com/cold-storage-part-3

[shorena]

I am aware that there will still be some vulnerabilities as it does still get connected to the internet.  This way would still be the next best security aside from cold storage though?

I don't trust myself enough/understand fully how cold storage works, I am relatively new to this.

IMHO using Tails (comes with electrum) from a DVD is better.
#1 you can verify the checksum of the image and know it was not tempered with.
#2 you dont have to compile everything yourself, which does not add much in terms of security unless you know the code by heart
#3 the DVD is easy to keep offline on any system as its designed to not interact with the system installed on the drives
#4 its a DVD, once its done, its next to impossible to modify it.

[Reynaldo]

Why would you even use ubuntu with such bloated software installed from start? get archlinux or gentoo and compile everything by hand, this will be safer and learn how to use the firewall. Here there are some useful links:

Here's the link to iptable: http://www.gtcomm.net/blog/linux-native-firewall-introduction-to-iptables/

Ubuntu is much more polished than other distro's though. It's because much of Ubuntu is developed by a for-profit company called Canonical with paid developers, and they regularly use tricks to avoid pushing their changes upstream, so other distro's don't get to use much of their code. I personally distrust Canonical for this and other reasons and don't particularly like Ubuntu, but I do use Ubuntu because on the desktop it runs stabler than any other distro, even Debian, however Debian is much better on the server.

Also compiling everything by hand might seem like a good idea, but be aware you are FAR more likely to introduce bugs due to incompatible libraries etc doing that, and also you won't be prompted for updates, so whenever another OpenSSL vulnerability shows up you'll be at risk until you manually compile the updated version. I don't think you should compile EVERYTHING by hand, perhaps you should compile your Bitcoin client by hand and use a package manager for most things. On top of that some packages don't play nice together, for example I used to use LXDE on Debian and I had an issue with a keyboard shortcut conflict and the windows key, which was a unique issue to me and I could never fix it because nobody else ran LXDE along with the package that was causing the conflict and digging through the code wasn't worth the effort and even if I did manage to fix it I'd have to manually compile it with my patch every time there's an update and also check that the update doesn't break the patch. In the end it was just easier to use Ubuntu.

I've been running arch linux and its quite stable (never lost control of my system on an update) and I can always be UP to date, as soon as a patch comes up, I know it will be on the Testing repos or core as soon as 1 week. I still remember those times when ubuntu upgrades broke my system. I would not use ubuntu to trust my bitcoins, but everyone to their reasons.

Also, the rolling release nature its just really convenient.

Tails is a good option too that should be considered.

[Reynaldo]

What is the difference between Tails, and using Ubunutu Live DVD?

Sorry I am not familiar with Tails at all, and Linux in general..  Aside from some old aircrack experiments a few years ago 

Edit - Hence why I chose Ubuntu, seemed like the like most user friendly form of Linux.  Although I am not opposed to trying other ones.

More information about tails:

https://tails.boum.org/

Tails is a live operating system, that you can start on almost any computer from a DVD, USB stick, or SD card. It aims at preserving your privacy and anonymity, and helps you to:

use the Internet anonymously and circumvent censorship;
all connections to the Internet are forced to go through the Tor network;
leave no trace on the computer you are using unless you ask it explicitly;
use state-of-the-art cryptographic tools to encrypt your files, emails and instant messaging.

[shorena]

What is the difference between Tails, and using Ubunutu Live DVD?

Sorry I am not familiar with Tails at all, and Linux in general..  Aside from some old aircrack experiments a few years ago  ;D

Edit - Hence why I chose Ubuntu, seemed like the like most user friendly form of Linux.  Although I am not opposed to trying other ones.

More information about tails:

https://tails.boum.org/

Tails is a live operating system, that you can start on almost any computer from a DVD, USB stick, or SD card. It aims at preserving your privacy and anonymity, and helps you to:

use the Internet anonymously and circumvent censorship;
all connections to the Internet are forced to go through the Tor network;
leave no trace on the computer you are using unless you ask it explicitly;
use state-of-the-art cryptographic tools to encrypt your files, emails and instant messaging.

...and most importantly it comes with electrum (1.9.8)[1]. There is no extra step. Its based on debian same as ubuntu.


[1] https://labs.riseup.net/code/issues/6739

[stevenh512]

You're assuming the version of electrum you downloaded from the software center is the same as you would have compiled yourself. Why risk it? Just download the tools to compile your own copy.

If you're going to assume any one piece of software in the official Ubuntu repositories (which the Software Center installs from) is compromised, you have to assume they could all be compromised. In that case, you also have to assume that your installation disc (built from those same packages, by the same people who maintain those packages) is compromised. Better ditch Ubuntu altogether and go with Gentoo or Linux From Scratch in that case.

Realistically, though, Electrum is a Python app. It might be compiled to an EXE on Windows, but on any other operating system the source code is what you run and there's no real need to compile it. Technically the Python interpreter will compile it to an intermediate byte code (.pyc files) but that's just an optimization and the .py (source) files will be used if they don't match the .pyc files.

Out of the box, Ubuntu does contain some things that some of us might consider to be adware or spyware, but it's not hard to remove those things (which don't matter on an offline machine anyway). What is there is far from being the kind of wallet stealing trojan you'd be worried about, it's mostly there as a way for Canonical to make some extra money off of the mostly free distribution of their Ubuntu Linux OS.

BTW if you're so worried about Ubuntu that you want to compile your Linux OS from scratch, keep an eye on Gentoo as well, some packages contain some pretty controversial patches and if you let Portage install them those patches will be installed along with them.. so compiling everything from source isn't necessarily the silver bullet you make it out to be either.

[Blazr]

Put Tails on a DVD and I have been playing with it, it is pretty neat.  Would the most secure way to run this with Electrum to be putting in my 12 word seed when I would like to make transactions?  I don't really like the idea of having my wallet on a persistent flash drive, Tails doesn't let me encrypt the actual drive like Ubunutu does (I'm probably missing it somewhere).

It sort of depends really. I would say in most use cases it is best to setup a persistent drive and store the wallet on that, Tails DOES allow you to encrypt persistent storage (IIRC it requires you to encrypt it) in any case that shouldn't matter much as you can encrypt your wallet in Electrum, the only benefit to encrypting it again would be to hide your transaction history, as with Electrum if you have the wallet file you can still see your transactions without the wallets password, you just need the password to spend.

[Blazr]

I've been running arch linux and its quite stable (never lost control of my system on an update) and I can always be UP to date, as soon as a patch comes up, I know it will be on the Testing repos or core as soon as 1 week. I still remember those times when ubuntu upgrades broke my system. I would not use ubuntu to trust my bitcoins, but everyone to their reasons.

I first ran Ubuntu nearly 10 years ago when Ubuntu 4.10 came out and while during that time I've ran many different distros, the one I used the most was Ubuntu and it was by far the one I had the least amount of issues with. I also really like Arch, I love the package manager, in fact Arch is my favorite non Debian-based distro and I also admire its stability, but I definitely had many more issues with it than Ubuntu. I guess it depends on what your using your distro for, some people won't mind small issues like a key conflict, but for me that can be a game changer as I use my PC a lot for work, and even a small issue like that would bug me so much because I spend so much time on my PC, I need everything to be perfect and always work.

[lophie]

b]compile everything by hand[/b]

I laughed so hard when I read this, Thanks!