|
jhansen858 (OP)
|
 |
June 04, 2011, 06:02:22 AM |
|
IS there any mechanism currently in place which would prevent someone from writing a worm or virus purpose is to seek out and steal, wallet.dat ?
Seems like if someone gets that file your completely F'd.
Just throwing that out there we might need some way to prevent this simple attack if there isn't one already.
|
Hi forum: 1DDpiEt36VTJsiJunyBc3XtG6CcSAnsQ4p
|
|
|
|
|
|
|
|
TalkImg was created especially for hosting images on bitcointalk.org: try it next time you want to post an image
|
|
|
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction.
|
|
|
|
|
|
|
|
|
|
jhansen858 (OP)
|
|
June 04, 2011, 06:10:16 AM |
|
guess i'm going to have to store my wallet in a truecrypt container...
hey isn't that open source as well?
damn that sounds like a match made in heaven.
|
Hi forum: 1DDpiEt36VTJsiJunyBc3XtG6CcSAnsQ4p
|
|
|
|
gigitrix
|
|
June 04, 2011, 08:40:32 AM |
|
guess i'm going to have to store my wallet in a truecrypt container...
hey isn't that open source as well?
damn that sounds like a match made in heaven.
Sure is! Hopefully the devs have talked about more officially securing the wallet file, but it's nothing we can't do manually until then. Plus you can dump copies of the truecrypt volume on dropbox or wherever so if your PC goes kaput you don't lose the coins! |
|
|
|
|
|
jhansen858 (OP)
|
|
June 04, 2011, 08:47:35 AM |
|
I got it set up.. it took all of 5 minutes
after you create your truecrypt volume, move your .bitcoin folder into it then make a symlink back to the folder
make sure and back that .bitcoin folder up before doing this incase you screw something up and overwrite the wrong data.
I guess it doesn't protect against hijacking my data when the program is running but at least if someone steals my computer they will not be getting the coins.
|
Hi forum: 1DDpiEt36VTJsiJunyBc3XtG6CcSAnsQ4p
|
|
|
|
gigabytecoin
|
|
June 04, 2011, 08:58:51 AM |
|
IS there any mechanism currently in place which would prevent someone from writing a worm or virus purpose is to seek out and steal, wallet.dat ?
Seems like if someone gets that file your completely F'd.
Just throwing that out there we might need some way to prevent this simple attack if there isn't one already.
Is there any mechanism currently in place which would prevent someone from writing a worm or virus who's purpose is to seek out and steal your banking password? Seems like if someone gets that password you're completely fucked... |
|
|
|
|
bitcoinBull
Legendary
 Offline
Activity: 826
Merit: 1001
rippleFanatic
|
|
June 04, 2011, 12:37:30 PM |
|
IS there any mechanism currently in place which would prevent someone from writing a worm or virus purpose is to seek out and steal, wallet.dat ?
Seems like if someone gets that file your completely F'd.
Just throwing that out there we might need some way to prevent this simple attack if there isn't one already.
No straightforward mechanism to prevent it. Crimeware writers are definitely winning the arms race against the AV companies. Growing opportunities to encourage it: Zeus trojan source leaked - bitcoin wallet and mtgox pw stealing trojans coming soon |
College of Bucking Bulls Knowledge
|
|
|
scooter
Member
Offline
Activity: 100
Merit: 10
|
|
June 04, 2011, 05:52:58 PM |
|
I was thinking earlier that it doesn't even have to be a widespread attack.
For example, I have seen threads here about specific users who claim to have a lot of coins. In some cases you can find enough out about a person to design an attack specifically for that person. Be it tricking them into visiting a web page with an exploit that gives you access to their computer, or even just finding out their address and stealing the whole computer.
In the meantime. I am looking forward to seeing what good solutions people come up with for making the wallet less vulnerable to being stolen or lost.
|
|
|
|
|
omar
Jr. Member
Offline
Activity: 37
Merit: 1
|
|
June 06, 2011, 01:35:11 PM |
|
I was also very concerned about this. This is a major security flaw in the bitcoin client. As more non-tech people start using bitcoin, they are not going to know how to secure the wallet.
The bitcoin client should use a password to encrypt the wallet.dat file. This should be done ASAP.
Do not wait for such a virus program to come out before fixing this. Can you imagine what would happen to the reputation of bitcoin if this happened.
|
|
|
|
|
IIOII
Legendary
Offline
Activity: 1153
Merit: 1012
|
|
June 06, 2011, 02:16:19 PM |
|
I was also very concerned about this. This is a major security flaw in the bitcoin client. As more non-tech people start using bitcoin, they are not going to know how to secure the wallet.
The bitcoin client should use a password to encrypt the wallet.dat file. This should be done ASAP.
Do not wait for such a virus program to come out before fixing this. Can you imagine what would happen to the reputation of bitcoin if this happened.
+1 fully agree |
|
|
|
|
rebuilder
Legendary
Offline
Activity: 1615
Merit: 1000
|
|
June 06, 2011, 02:42:33 PM |
|
I was also very concerned about this. This is a major security flaw in the bitcoin client. As more non-tech people start using bitcoin, they are not going to know how to secure the wallet.
The bitcoin client should use a password to encrypt the wallet.dat file. This should be done ASAP.
Do not wait for such a virus program to come out before fixing this. Can you imagine what would happen to the reputation of bitcoin if this happened.
That will only help if the virus doesn't include a keylogger. |
Selling out to advertisers shows you respect neither yourself nor the rest of us.
---------------------------------------------------------------
Too many low-quality posts? Mods not keeping things clean enough? Self-moderated threads let you keep signature spammers and trolls out!
|
|
|
doesntworkthatway
Newbie
Offline
Activity: 2
Merit: 0
|
|
June 06, 2011, 02:51:08 PM |
|
Yeah then we can make them steal the password to the encryption container and the key instead of the key. Encryption is not enough to solve this problem. It solves it is someone randomly steals your computer physically if the container isn't mounted, but if a worm gains access to your machine or you are targeted for an attack to steal your bitcoins in meatspace (keyloggers etc) putting it in a wallet like that wont help. Need to find a way to add air gaps so that the wallet is not on a machine with internet access, and you can still send coins from it. The only sure way to protect from hackers is to have no internet connection on a machine and nothing that has been on the internet ever going from the machine back to the internet.
|
|
|
|
|
TECSHARE
In memoriam
Legendary
Offline
Activity: 3318
Merit: 1958
First Exclusion Ever
|
|
June 06, 2011, 02:56:29 PM |
|
It seems to me that loading a version of bitcoin on a computer, disconnecting it from the net, deleting the first wallet.dat file, then generating a new one which is then encrypted is fairly secure. If you then generate a list of addresses, and securely overwrite the wallet.dat file after making an encrypted copy, you can just mine or accept transactions on one wallet.dat file, then when you build up a decent sum deposit it in your secure address for saving. If you only open it to send payments out it seems reasonably secure to me. If some one was really determined of course they could still get it, but there are ways to mitigate that risk such as storing it on a USB drive, or spreading out your savings to several wallet.dat files.
|
|
|
|
|
IIOII
Legendary
Offline
Activity: 1153
Merit: 1012
|
|
June 06, 2011, 03:04:43 PM |
|
Step 1: Stop using that Swiss cheese shite put out by Microsoft!
If you can do that, you can figure out the rest...
Do you want BTC to be a currency for geeks or one for the masses? If you want the latter you have keep in mind that most people like cheese...  |
|
|
|
|
|
gigitrix
|
|
June 06, 2011, 03:12:54 PM |
|
Step 1: Stop using that Swiss cheese shite put out by Microsoft!
If you can do that, you can figure out the rest...
Do you want BTC to be a currency for geeks or one for the masses? If you want the latter you have keep in mind that most people like cheese... +1. It's great for us "in the know" types (although I can talk, typing this from Win 7 but whatever) but bitcoin is exploding in popularity. The easier and safer we can make this for Joe Public, the more people can be brought into the market. They don't necessarily want to discuss the minutiae of the blockchain, or have to worry about security all the time: they just need bitcoin to be a viable, low-fee based currency that is trivial to use. |
|
|
|
|
omar
Jr. Member
Offline
Activity: 37
Merit: 1
|
|
June 08, 2011, 10:08:25 PM |
|
I was also very concerned about this. This is a major security flaw in the bitcoin client. As more non-tech people start using bitcoin, they are not going to know how to secure the wallet.
The bitcoin client should use a password to encrypt the wallet.dat file. This should be done ASAP.
Do not wait for such a virus program to come out before fixing this. Can you imagine what would happen to the reputation of bitcoin if this happened.
That will only help if the virus doesn't include a keylogger. This would at least raise the bar. Security is all about raising the bar. Don't take an all or nothing approach. Don't wait for the perfect solution before closing the holes. Having the wallet.dat file completely open is asking for trouble. It's an easy way for a critic to ruin the reputation of bitcoins. The solution to a keylogger is to have the client present an image of the keyboard with the position of the keys jumbled differently each time and let the user enter the keys based on this layout. |
|
|
|
|
|
imperi
|
|
June 08, 2011, 10:10:50 PM |
|
It is impossible to fully secure anything involving computers. There are just different levels of it.
|
|
|
|
|
phillipsjk
Legendary
Offline
Activity: 1008
Merit: 1001
Let the chips fall where they may.
|
|
June 09, 2011, 01:00:43 AM |
|
It is impossible to fully secure modern computers because they are too complex to fully understand (top-to-bottom) yet are not formally proven correct at each abstraction layer. In fact, since at least 1996, the trend has been to hide implementation details from the end-user. I personally think that the computer industry won't be mature enough to sustain a stable crypto-currency for another 150 years. There are two competing security concerns when talking about the wallet.dat: - Security from attackers who want to spend your wallet
- Security from data destruction
Encrypting the wallet.dat by default will help protect against the first security concern, while making the second one worse. I plan on using full drive encryption, as well as an encrypted back-up. The passphrase would be written down in two locations. The back-up would be stored in a safety-deposit box and never move with the decryption key, though I may store it with the decryption key (in the safety deposit box). BTW: for secure encryption, the term is passphrase, not password. Passwords are simply not long enough. A passwords made up of random ASCII numbers, letters, and symbols has about 6 bits of entropy per character. I have seen it reported that a 12 character password is "enough." That works out to about 72 bits of entropy. 64 bits of entropy can likely be cracked by a fast computer within a year. 72 bits increases the difficulty by a factor of 256. 128bits is believed to be computationally infeasible to even count during the lifetime of the universe (energy constraints). If your password was ever published at any time during human history, the entropy is probably less than 64 bits (I don't think more than 1.84x10^19 words/phrases have ever been published, even on the Internet). |
James' OpenPGP public key fingerprint: EB14 9E5B F80C 1F2D 3EBE 0A2F B3DE 81FF 7B9D 5160 |
|
|
|
