casascius (OP)
Mike Caldwell
VIP
Legendary
Offline
Activity: 1386
Merit: 1140
The Casascius 1oz 10BTC Silver Round (w/ Gold B)
September 04, 2012, 05:58:53 PM (last edit: September 05, 2012, 07:28:27 PM by casascius)
Bitcoins Stolen From Me In My Lifetime: 0

Let me explain one difference between ME and most of YOU: For the low price of $319 ( http://www.theposwarehouse.com/wasp-wdi4500-2d-barcode-scanner-usb/ ), I own one of these, and you don't. Because of this, I can practice safe Bitcoin without going out of my way. Seriously, if you handle other people's money, you should invest in one of these.

The way this scanner works is, if I point it at a QR code and squeeze the trigger, it types whatever's in that code on my computer by pretending to be a USB keyboard. As a result, moving coins to and from paper wallets is ridiculously easy. When scanning QR codes is as easy as aiming and pulling a trigger, it seems like so much less of a hassle to just throw that online bitcoin balance to a paper wallet before leaving or going to bed.

Whenever you make a purchase on Casascius.com, you are paying an offline wallet. The concept is simple - I generated a large number of addresses, but only put the bitcoin addresses on the server, not the private keys. Such wallets can be generated via BitAddress.org, or via my free open-source Casascius Bitcoin Address utility. When I need to access the money you sent me, I pull out the paper wallet and start scanning. For what it's worth, if you make a particularly large order, you get served an address that's even colder: an encrypted one kept partially in a safety deposit box. I could still get hacked, but my losses would be limited to what the attacker could do with my website until I noticed it, such as making it serve his own bitcoin addresses instead of ones belonging to my offline wallet.

Bottom line, there is rarely a moment in my life where I have large numbers of BTC (of my own or anybody else's) anywhere it could be stolen from me. If you MUST accept deposits into a hot wallet, consider only accepting your smaller deposits/incoming payments into the hot wallet, and having your largest ones go straight to paper.

If you have a way to know when you expect a large incoming deposit/payment, you could program your server to serve an address from your coldest paper wallet, so it never goes online. For example, if you're an exchange that gives bigger limits to some customers, they will probably be the biggest depositors, so have the limit-raised customers always receive addresses belonging to cold storage and use the hot wallet for the rest.

Why am I hyping this today? Because if more people followed these easy steps and invested in a $319 barcode scanner, we wouldn't be seeing so many big thefts.
Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable. I never believe them. If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins. I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion. Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice. Don't keep coins online. Use paper or hardware wallets instead.
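As an added illustration of the address-serving scheme described in the post above (example code written for this thread, not casascius.com's own software): a server-side pool that holds only pre-generated receiving addresses, picks the pool by expected deposit size or by whether the customer is limit-raised, hands out each address at most once, checks the list against a digest recorded when it was generated offline, and flags any address the site displayed that is not in the list, which is the substitution the post names as the main thing a compromised web server could do. The addresses, tier thresholds and digest are constructed for the example.

```python
import hashlib
import json
from dataclasses import dataclass, field
# Lower bound in BTC at which each tier starts (assumed values); later entries win.
TIERS = (("hot", 0.0), ("paper", 1.0), ("cold", 50.0))

# Constructed placeholder addresses. Only addresses live on the server;
# the matching private keys stay on paper or in the deposit box.
MANIFEST = {
    "hot": ["1HOT_PLACEHOLDER_1", "1HOT_PLACEHOLDER_2"],
    "paper": ["1PAPER_PLACEHOLDER_1"],
    "cold": ["1COLD_PLACEHOLDER_1"],
}

def manifest_hash(manifest: dict) -> str:
    # Digest of the address list: write it down when the list is generated
    # offline, then compare before the web server is allowed to use the list.
    return hashlib.sha256(json.dumps(manifest, sort_keys=True).encode()).hexdigest()

# Stands in for the digest recorded offline at generation time.
EXPECTED_HASH = manifest_hash(MANIFEST)

def tier_for(expected_btc: float, limit_raised: bool = False) -> str:
    """Limit-raised customers always get cold storage; otherwise pick by size."""
    if limit_raised:
        return "cold"
    tier = "hot"
    for name, lower in TIERS:
        if expected_btc >= lower:
            tier = name
    return tier

@dataclass
class AddressPool:
    pools: dict                               # tier -> unused addresses
    used: dict = field(default_factory=dict)  # address -> tier it was served from

    @classmethod
    def load(cls, manifest: dict, expected_hash: str) -> "AddressPool":
        if manifest_hash(manifest) != expected_hash:
            raise ValueError("address list changed since it was generated offline")
        return cls(pools={t: list(a) for t, a in manifest.items()})

    def serve(self, expected_btc: float, limit_raised: bool = False) -> str:
        """Hand out each address at most once; run dry rather than reuse one."""
        tier = tier_for(expected_btc, limit_raised)
        if not self.pools[tier]:
            raise RuntimeError(f"{tier} pool exhausted; generate more offline")
        addr = self.pools[tier].pop(0)
        self.used[addr] = tier
        return addr

def foreign_addresses(pool: AddressPool, shown_on_site: list) -> list:
    """Addresses the site displayed that are not ours: the sign that a
    compromised server is substituting someone else's addresses."""
    known = set(pool.used) | {a for p in pool.pools.values() for a in p}
    return [a for a in shown_on_site if a not in known]
```

Run `foreign_addresses` from a machine other than the web server, feeding it the addresses actually rendered on the checkout pages, so the check does not depend on the host it is meant to watch.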
Stephen Gornick
Legendary
Activity: 2506
Merit: 1010
September 04, 2012, 06:10:13 PM
The way this scanner works is, if I point it at a QR code and squeeze the trigger, it types whatever's in that code on my computer by pretending to be a USB keyboard.
The Requirements on the site you linked to describe only Windows systems. Just to ensure that I am understanding this correctly: this works no differently from a USB keyboard. So this should work from any computer, tablet, etc., that can handle a USB keyboard, and it simply works as though a second keyboard is plugged in. There are no drivers necessary for nearly any operating system released in the past decade or so. All that is needed is an open USB port on the computing device (or a port on a USB hub connected to the device). Does that accurately describe how this is used?
casascius (OP)
September 04, 2012, 06:24:28 PM
The way this scanner works is, if I point it at a QR code and squeeze the trigger, it types whatever's in that code on my computer by pretending to be a USB keyboard.
The Requirements on the site you linked to describe only Windows systems. Just to ensure that I am understanding this correctly: this works no differently from a USB keyboard. So this should work from any computer, tablet, etc., that can handle a USB keyboard, and it simply works as though a second keyboard is plugged in. There are no drivers necessary for nearly any operating system released in the past decade or so. All that is needed is an open USB port on the computing device (or a port on a USB hub connected to the device). Does that accurately describe how this is used?
Yes, it will scan into Linux and Mac OS natively (I have tested it) as long as the scanner is in keyboard emulation mode (set by scanning a special configuration barcode out of the manual). They may have special features or integration APIs that only work with Windows, but the keyboard emulation I use is OS agnostic. There are no drivers when in keyboard emulation mode; the host machine thinks it is truly a keyboard.
greyhawk
September 04, 2012, 06:30:57 PM
Why does this thing cost a bajillion dollars, when I can get the exact same functionality from a Motorola DS4208 for half that price?
casascius (OP)
September 04, 2012, 06:33:12 PM
Why does this thing cost a bajillion dollars, when I can get the exact same functionality from a Motorola DS4208 for half that price?
Probably to pay for their retail marketing budget and to help them make their Lexus payment. If you can get one for half the price, by all means, do it. The Wasp one is by no means the best, and the ability to read QR codes and pretend to be a keyboard is commonplace. (Of course, a critical requirement is to read 2D barcodes like QR Code; I am pointing this out solely lest anyone buy a 1D barcode scanner and expect it to work.)
justusranvier
Legendary
Activity: 1400
Merit: 1013
September 04, 2012, 06:35:50 PM
I think I still have a CueCat or two laying around somewhere. I wonder if it could be repurposed to read QR codes?
casascius (OP)
September 04, 2012, 06:36:30 PM
I think I still have a CueCat or two laying around somewhere. I wonder if it could be repurposed to read QR codes?
No, CueCat is strictly a 1D scanner.
mufa23
Legendary
Activity: 1022
Merit: 1001
September 04, 2012, 06:38:50 PM
Great concept. I need to start doing this. Or at least, start using Paper Wallets.
Nyhm
September 04, 2012, 06:56:22 PM
Enlightening tutorial! Do you use bitcoind importprivkey to retrieve your paper balances (when scanning in the private keys)?
casascius (OP)
September 04, 2012, 06:58:38 PM
Enlightening tutorial! Do you use bitcoind importprivkey to retrieve your paper balances (when scanning in the private keys)?
Yes, I patched it to remove the rescan after each key so I can import many keys without such a long wait. (I must do a manual -rescan, however.) BlockChain.info allows fast import of private keys and can even import QR private keys through a web cam (though it doesn't scan anywhere near as quickly as the handheld scanner).
swissmate
September 04, 2012, 07:09:38 PM
Why is that barcode scanner so expensive? Am I missing something?
Nyhm
September 04, 2012, 07:13:20 PM
Enlightening tutorial! Do you use bitcoind importprivkey to retrieve your paper balances (when scanning in the private keys)?
Yes, I patched it to remove the rescan after each key so I can import many keys without such a long wait. (I must do a manual -rescan, however.) BlockChain.info allows fast import of private keys and can even import QR private keys through a web cam (though it doesn't scan anywhere near as quickly as the handheld scanner).
Multi-import is a good idea. This would be good to get into the Satoshi client (import several keys, _then_ initiate a rescan). I wrote a simple command-line sweep program to send private key balances to a specified address, but it has to download/crawl the entire chain (saves nothing to disk). I like your process a lot. I'm going to look for a Linux QR scanning application that can snap the picture from a webcam (I don't have the BTC or USD for the Wasp), so I can feed it to my sweeper. I'll check out your paper wallet QR generator tool, too. Then again, if I lost all the bitcoins I have in the world, I'd only be out 3.5btc!
ribuck
Donator
Hero Member
Activity: 826
Merit: 1060
September 04, 2012, 07:20:22 PM
How do you make sure you don't have a trojan that's reading the scanned keystrokes?
Domrada
September 04, 2012, 07:24:38 PM
Everyone should use cold storage, but you don't need a $319 scanner. A smartphone works just as well. Or take the 10 secs to type in the key.
justusranvier
September 04, 2012, 07:29:14 PM
How do you make sure you don't have a trojan that's reading the scanned keystrokes?
If the QR code is used to transfer an entire transaction instead of just an address then the transaction can be generated on a computer with absolutely no network access. Then someone would need physical access to the computer containing the cold wallet in order to steal bitcoins.
Elwar
Legendary
Activity: 3598
Merit: 2386
September 04, 2012, 07:30:18 PM
We have one of those Wasp scanners here at work for inventory management.
The gal that does all of that was pretty excited to see the scanner come in. Apparently it does a lot.
casascius (OP)
September 04, 2012, 07:43:19 PM
Why is that barcode scanner so expensive? Am I missing something?
Barcode scanners, like anything else, come in a wide range of quality, durability and performance, and you usually get what you pay for. That happens to be the model I bought, but you might very well find a cheaper option if you look for it.
The concept sounds good but how do I generate a paper wallet without using a 3rd party cloud service? Is there software I can run on my Windows PC (that works without a network connection) to generate a paper wallet?
Yes, https://casascius.com/btcaddress.zip - binary and source included. Also, bitaddress.org's entire site is a single self-contained javascript html file you can copy locally and run offline.
How do you make sure you don't have a trojan that's reading the scanned keystrokes?
Spend all the money immediately, sending any unneeded change to a new paper wallet. If the money went where you intended for it to go, you know it didn't get stolen. And if it got stolen, at least you have limited your losses to the value of that single address, not your whole purse, and you'll know to clean or reformat your machine before scanning any more.
Everyone should use cold storage, but you don't need a $319 scanner. A smartphone works just as well. Or take the 10 secs to type in the key.
If you have lots of somebody else's money, then you need everything reasonable that helps you not get it stolen, including a $319 barcode scanner if it helps lessen the odds of that happening.
casascius (OP)
September 04, 2012, 07:48:13 PM
We have one of those Wasp scanners here at work for inventory management.
The gal that does all of that was pretty excited to see the scanner come in. Apparently it does a lot.
Apparently you can take pictures through its camera/sensor if you use its low-level API, so indeed it can do a lot, though I'll bet the camera is very near-sighted. Otherwise, it can mainly only read barcodes - though it will read nearly any bar code you can throw at it. It's sure nice for things like "thanks for your order, your tracking number is " ... *beep* (scan the package so the tracking number gets typed into the e-mail). It does a fairly good job of reading QR codes directly off my screen too.
Domrada
September 04, 2012, 07:54:53 PM
Everyone should use cold storage, but you don't need a $319 scanner. Smartphone works just as well. Or take the 10 secs to type in the key.
If you have lots of somebody else's money, then you need everything reasonable that helps you not get it stolen, including a $319 barcode scanner if it helps lessen the odds of that happening.
Point conceded.
Nyhm
September 04, 2012, 08:20:37 PM
Found instructions on installing (Ubuntu/Linux) software QR readers, one of which can snap a pic from a webcam. Not as convenient as the Wasp.
Summarizing from above (and general Bitcoin practice), it sounds like the ultimate process is:
- Download entire block chain into a file (copy the Satoshi client block chain file)
- Transfer chain (via air gap) to offline computer
- On offline computer, scan QR into an app that can read the chain, sign a tx, and save tx to file (for all/part of the balance, to some other hot wallet address)
- Transfer tx file (via air gap) back to an online computer, and use an app that can send it to the Bitcoin network
Sorry for the newbish question, but can the Satoshi client do offline transactions yet? I'm not seeing it in the bitcoind help list.