Bitcoin Forum
November 11, 2024, 07:59:19 PM *
News: Check out the artwork 1Dq created to commemorate this forum's 15th anniversary
 
   Home   Help Search Login Register More  
Pages: [1]
  Print  
Author Topic: security concern  (Read 2268 times)
jhansen858 (OP)
Sr. Member
****
Offline Offline

Activity: 364
Merit: 250


View Profile
June 04, 2011, 06:02:22 AM
 #1

IS there any mechanism currently in place which would prevent someone from writing a worm or virus purpose is to seek out and steal, wallet.dat ?

Seems like if someone gets that file your completely F'd.

Just throwing that out there we might need some way to prevent this simple attack if there isn't one already.

Hi forum: 1DDpiEt36VTJsiJunyBc3XtG6CcSAnsQ4p
DannyM
Sr. Member
****
Offline Offline

Activity: 275
Merit: 250



View Profile
June 04, 2011, 06:05:12 AM
 #2

There is not. That has been outside the scope of this project, but there are several projects for a future "secure wallet protocol".

Here are the best practices in the meantine: https://en.bitcoin.it/wiki/Securing_your_wallet
jhansen858 (OP)
Sr. Member
****
Offline Offline

Activity: 364
Merit: 250


View Profile
June 04, 2011, 06:10:16 AM
 #3

guess i'm going to have to store my wallet in a truecrypt container...

hey isn't that open source as well?

damn that sounds like a match made in heaven.

Hi forum: 1DDpiEt36VTJsiJunyBc3XtG6CcSAnsQ4p
gigitrix
Hero Member
*****
Offline Offline

Activity: 630
Merit: 500



View Profile
June 04, 2011, 08:40:32 AM
 #4

guess i'm going to have to store my wallet in a truecrypt container...

hey isn't that open source as well?

damn that sounds like a match made in heaven.


Sure is! Hopefully the devs have talked about more officially securing the wallet file, but it's nothing we can't do manually until then. Plus you can dump copies of the truecrypt volume on dropbox or wherever so if your PC goes kaput you don't lose the coins!
jhansen858 (OP)
Sr. Member
****
Offline Offline

Activity: 364
Merit: 250


View Profile
June 04, 2011, 08:47:35 AM
 #5

I got it set up.. it took all of 5 minutes

after you create your truecrypt volume, move your .bitcoin folder into it then make a symlink back to the folder

make sure and back that .bitcoin folder up before doing this incase you screw something up and overwrite the wrong data.

I guess it doesn't protect against hijacking my data when the program is running but at least if someone steals my computer they will not be getting the coins.

Hi forum: 1DDpiEt36VTJsiJunyBc3XtG6CcSAnsQ4p
gigabytecoin
Sr. Member
****
Offline Offline

Activity: 280
Merit: 252


View Profile
June 04, 2011, 08:58:51 AM
 #6

IS there any mechanism currently in place which would prevent someone from writing a worm or virus purpose is to seek out and steal, wallet.dat ?

Seems like if someone gets that file your completely F'd.

Just throwing that out there we might need some way to prevent this simple attack if there isn't one already.

Is there any mechanism currently in place which would prevent someone from writing a worm or virus who's purpose is to seek out and steal your banking password?

Seems like if someone gets that password you're completely fucked...
bitcoinBull
Legendary
*
Offline Offline

Activity: 826
Merit: 1001


rippleFanatic


View Profile
June 04, 2011, 12:37:30 PM
 #7

IS there any mechanism currently in place which would prevent someone from writing a worm or virus purpose is to seek out and steal, wallet.dat ?

Seems like if someone gets that file your completely F'd.

Just throwing that out there we might need some way to prevent this simple attack if there isn't one already.


No straightforward mechanism to prevent it.  Crimeware writers are definitely winning the arms race against the AV companies.

Growing opportunities to encourage it:  Zeus trojan source leaked - bitcoin wallet and mtgox pw stealing trojans coming soon

College of Bucking Bulls Knowledge
scooter
Member
**
Offline Offline

Activity: 100
Merit: 10


View Profile
June 04, 2011, 05:52:58 PM
 #8

I was thinking earlier that it doesn't even have to be a widespread attack.

For example, I have seen threads here about specific users who claim to have a lot of coins. In some cases you can find enough out about a person to design an attack specifically for that person. Be it tricking them into visiting a web page with an exploit that gives you access to their computer, or even just finding out their address and stealing the whole computer.

In the meantime. I am looking forward to seeing what good solutions people come up with for making the wallet less vulnerable to being stolen or lost.
omar
Jr. Member
*
Offline Offline

Activity: 37
Merit: 1



View Profile WWW
June 06, 2011, 01:35:11 PM
 #9

I was also very concerned about this. This is a major security flaw in the bitcoin client. As more non-tech people start using bitcoin, they are not going to know how to secure the wallet.

The bitcoin client should use a password to encrypt the wallet.dat file. This should be done ASAP.

Do not wait for such a virus program to come out before fixing this. Can you imagine what would happen to the reputation of bitcoin if this happened.
IIOII
Legendary
*
Offline Offline

Activity: 1153
Merit: 1012



View Profile
June 06, 2011, 02:16:19 PM
 #10

I was also very concerned about this. This is a major security flaw in the bitcoin client. As more non-tech people start using bitcoin, they are not going to know how to secure the wallet.

The bitcoin client should use a password to encrypt the wallet.dat file. This should be done ASAP.

Do not wait for such a virus program to come out before fixing this. Can you imagine what would happen to the reputation of bitcoin if this happened.


+1
fully agree
rebuilder
Legendary
*
Offline Offline

Activity: 1615
Merit: 1000



View Profile
June 06, 2011, 02:42:33 PM
 #11

I was also very concerned about this. This is a major security flaw in the bitcoin client. As more non-tech people start using bitcoin, they are not going to know how to secure the wallet.

The bitcoin client should use a password to encrypt the wallet.dat file. This should be done ASAP.

Do not wait for such a virus program to come out before fixing this. Can you imagine what would happen to the reputation of bitcoin if this happened.


That will only help if the virus doesn't include a keylogger.

Selling out to advertisers shows you respect neither yourself nor the rest of us.
---------------------------------------------------------------
Too many low-quality posts? Mods not keeping things clean enough? Self-moderated threads let you keep signature spammers and trolls out!
doesntworkthatway
Newbie
*
Offline Offline

Activity: 2
Merit: 0


View Profile
June 06, 2011, 02:51:08 PM
 #12

Yeah then we can make them steal the password to the encryption container and the key instead of the key. Encryption is not enough to solve this problem. It solves it is someone randomly steals your computer physically if the container isn't mounted, but if a worm gains access to your machine or you are targeted for an attack to steal your bitcoins in meatspace (keyloggers etc) putting it in a wallet like that wont help. Need to find a way to add air gaps so that the wallet is not on a machine with internet access, and you can still send coins from it. The only sure way to protect from hackers is to have no internet connection on a machine and nothing that has been on the internet ever going from the machine back to the internet.
TECSHARE
In memoriam
Legendary
*
Offline Offline

Activity: 3318
Merit: 2008


First Exclusion Ever


View Profile WWW
June 06, 2011, 02:56:29 PM
 #13

It seems to me that loading a version of bitcoin on a computer, disconnecting it from the net, deleting the first wallet.dat file, then generating a new one which is then encrypted is fairly secure. If you then generate a list of addresses, and securely overwrite the wallet.dat file after making an encrypted copy, you can just mine or accept transactions on one wallet.dat file, then when you build up a decent sum deposit it in your secure address for saving. If you only open it to send payments out it seems reasonably secure to me. If some one was really determined of course they could still get it, but there are ways to mitigate that risk such as storing it on a USB drive, or spreading out your savings to several wallet.dat files.
IIOII
Legendary
*
Offline Offline

Activity: 1153
Merit: 1012



View Profile
June 06, 2011, 03:04:43 PM
 #14

Step 1: Stop using that Swiss cheese shite put out by Microsoft!

If you can do that, you can figure out the rest...

Do you want BTC to be a currency for geeks or one for the masses?

If you want the latter you have keep in mind that most people like cheese...  Smiley
gigitrix
Hero Member
*****
Offline Offline

Activity: 630
Merit: 500



View Profile
June 06, 2011, 03:12:54 PM
 #15

Step 1: Stop using that Swiss cheese shite put out by Microsoft!

If you can do that, you can figure out the rest...

Do you want BTC to be a currency for geeks or one for the masses?

If you want the latter you have keep in mind that most people like cheese...  Smiley


+1. It's great for us "in the know" types (although I can talk, typing this from Win 7 but whatever) but bitcoin is exploding in popularity. The easier and safer we can make this for Joe Public, the more people can be brought into the market. They don't necessarily want to discuss the minutiae of the blockchain, or have to worry about security all the time: they just need bitcoin to be a viable, low-fee based currency that is trivial to use.
omar
Jr. Member
*
Offline Offline

Activity: 37
Merit: 1



View Profile WWW
June 08, 2011, 10:08:25 PM
 #16

I was also very concerned about this. This is a major security flaw in the bitcoin client. As more non-tech people start using bitcoin, they are not going to know how to secure the wallet.

The bitcoin client should use a password to encrypt the wallet.dat file. This should be done ASAP.

Do not wait for such a virus program to come out before fixing this. Can you imagine what would happen to the reputation of bitcoin if this happened.


That will only help if the virus doesn't include a keylogger.

This would at least raise the bar. Security is all about raising the bar. Don't take an all or nothing approach. Don't wait for the perfect solution before closing the holes. Having the wallet.dat file completely open is asking for trouble. It's an easy way for a critic to ruin the reputation of bitcoins.

The solution to a keylogger is to have the client present an image of the keyboard with the position of the keys jumbled differently each time and let the user enter the keys based on this layout.
imperi
Full Member
***
Offline Offline

Activity: 196
Merit: 101


View Profile
June 08, 2011, 10:10:50 PM
 #17

It is impossible to fully secure anything involving computers. There are just different levels of it.
phillipsjk
Legendary
*
Offline Offline

Activity: 1008
Merit: 1001

Let the chips fall where they may.


View Profile WWW
June 09, 2011, 01:00:43 AM
 #18

It is impossible to fully secure modern computers because they are too complex to fully understand (top-to-bottom) yet are not formally proven correct at each abstraction layer. In fact, since at least 1996, the trend has been to hide implementation details from the end-user. I personally think that the computer industry won't be mature enough to sustain a stable crypto-currency for another 150 years.

There are two competing security concerns when talking about the wallet.dat:
  • Security from attackers who want to spend your wallet
  • Security from data destruction

Encrypting the wallet.dat by default will help protect against the first security concern, while making the second one worse.

I plan on using full drive encryption, as well as an encrypted back-up. The passphrase would be written down in two locations. The back-up would be stored in a safety-deposit box and never move with the decryption key, though I may store it with the decryption key (in the safety deposit box).

BTW: for secure encryption, the term is passphrase, not password. Passwords are simply not long enough. A passwords made up of random ASCII numbers, letters, and symbols has about 6 bits of entropy per character. I have seen it reported that a 12 character password is "enough." That works out to about 72 bits of entropy. 64 bits of entropy can likely be cracked by a fast computer within a year. 72 bits increases the difficulty by a factor of 256. 128bits is believed to be computationally infeasible to even count during the lifetime of the universe (energy constraints). If your password was ever published at any time during human history, the entropy is probably less than 64 bits (I don't think more than 1.84x10^19 words/phrases have ever been published, even on the Internet).


James' OpenPGP public key fingerprint: EB14 9E5B F80C 1F2D 3EBE  0A2F B3DE 81FF 7B9D 5160
Pages: [1]
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!