Bitcoin Forum
December 12, 2017, 04:18:23 PM *
News: Latest stable version of Bitcoin Core: 0.15.1  [Torrent].
 
   Home   Help Search Donate Login Register  
Pages: « 1 [2] 3 »  All
  Print  
Author Topic: Time to upgrade your security  (Read 3059 times)
wormbog
Hero Member
*****
Offline Offline

Activity: 561



View Profile
January 24, 2013, 12:54:43 AM
 #21

6. make a few copies of your address list. secure at least one copy in your home safe, safety deposit box, etc. I've got a copy behind a family photo in my office... not a compelling target for a thief.

If you keep unencrypted paper copies of your private keys you should not write Bitcoin in bold on it. This is just security by obscurity but for 98% of people this is just a random string of numbers.

Agreed, and even better: add a few extra random characters at the beginning or end of the key.
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
foo
Sr. Member
****
Offline Offline

Activity: 409



View Profile
January 24, 2013, 03:41:56 AM
 #22

Keylogger is single biggest side channel attack hard to totoally avoid, it is time for bitcoin client utilize two factor authentication, and the second factor should be one time password, (based on time like RSA token or Google authenticator.

That won't work. One-time passwords (OTP) are based on a shared secret. (Both the web site you are logging in to and your token uses the same PRNG seed.) If you use it for a Bitcoin wallet, then the secret has to be stored in the wallet itself, which doesn't provide any extra security.

I know this because Tyler knows this.
jl2012
Legendary
*
Offline Offline

Activity: 1750


View Profile
January 24, 2013, 03:49:55 AM
 #23

Quote
6. make a few copies of your address list. secure at least one copy in your home safe, safety deposit box, etc. I've got a copy behind a family photo in my office... not a compelling target for a thief.


Now it is

Donation address: 374iXxS4BuqFHsEwwxUuH3nvJ69Y7Hqur3 (Bitcoin ONLY)
LRDGENPLYrcTRssGoZrsCT1hngaH3BVkM4 (LTC)
PGP: D3CC 1772 8600 5BB8 FF67 3294 C524 2A1A B393 6517
Jutarul
Donator
Legendary
*
Offline Offline

Activity: 994



View Profile
January 24, 2013, 04:41:21 AM
 #24

Also worth learning:
http://en.wikipedia.org/wiki/Principle_of_least_privilege

I applied it to software.
One user account = one cryptocurrency, one set of trusted software

Be wary of malicious clients, and only do revised upgrades.

The ASICMINER Project https://bitcointalk.org/index.php?topic=99497.0
"The way you solve things is by making it politically profitable for the wrong people to do the right thing.", Milton Friedman
marcus_of_augustus
Legendary
*
Offline Offline

Activity: 2464



View Profile
January 24, 2013, 08:23:16 AM
 #25



Upgrade complete.

Fiyasko
Legendary
*
Offline Offline

Activity: 1428


Okey Dokey Lokey


View Profile
January 24, 2013, 01:21:57 PM
 #26

PAAAAAPPPEEERRR WAAAALLLEEEETTTTTSSS PRRRIIINNNTTTEEEDDDD WWIIITTTHHH AAA CCYYYPPHHHEEERRR KKEEYYYYY

http://bitcoin-otc.com/viewratingdetail.php?nick=DingoRabiit&sign=ANY&type=RECV <-My Ratings
https://bitcointalk.org/index.php?topic=857670.0 GAWminers and associated things are not to be trusted, Especially the "mineral" exchange
twolifeinexile
Full Member
***
Offline Offline

Activity: 154



View Profile
January 24, 2013, 01:53:12 PM
 #27

Keylogger is single biggest side channel attack hard to totoally avoid, it is time for bitcoin client utilize two factor authentication, and the second factor should be one time password, (based on time like RSA token or Google authenticator.

That won't work. One-time passwords (OTP) are based on a shared secret. (Both the web site you are logging in to and your token uses the same PRNG seed.) If you use it for a Bitcoin wallet, then the secret has to be stored in the wallet itself, which doesn't provide any extra security.

The first step to steal is to get privileged to be able to read your file in the server, for that step, they usually use a exploit, and that is usually done on the client side ( a windows running putty, login in a linux server) and keylog and read files from your client. So you password to server will be stolen, but for One time password, it is of no use, they still could not log on so no way to get privileged.

If they attacking server directly, that is another story, and I believe in sshd much much more than any windows software. It is been tested attacked for so many years and get to know handle these thing better than client side. (be it firefox, chrome, java, whatever it is)

Jan
Legendary
*
Offline Offline

Activity: 1043



View Profile
January 24, 2013, 06:57:44 PM
 #28

But why not make today the day you back up your wallet and clean out any scraps of old wallets. Or change your password from "god" to something robust.

This!
I heard of an incident yesterday where someone got a phone replacement and forgot that he had BTC in BitcoinSpinner on it. BitcoinSpinner warns you that you should make a backup as soon as you have coins on it. Come on folks, it is not that hard. 3 clicks and take a picture.

Mycelium let's you hold your private keys private.
niko
Hero Member
*****
Offline Offline

Activity: 742


There is more to Bitcoin than bitcoins.


View Profile
January 24, 2013, 07:49:02 PM
 #29

6. make a few copies of your address list. secure at least one copy in your home safe, safety deposit box, etc. I've got a copy behind a family photo in my office... not a compelling target for a thief.

If you keep unencrypted paper copies of your private keys you should not write Bitcoin in bold on it. This is just security by obscurity but for 98% of people this is just a random string of numbers.

Agreed, and even better: add a few extra random characters at the beginning or end of the key.
Excellent points. However, if your savings are in any way significant, make sure to provide a way for your beneficiaries or estate to identify and control your offline wallet.

They're there, in their room.
Your mining rig is on fire, yet you're very calm.
RodeoX
Legendary
*
Offline Offline

Activity: 2478


The revolution will be monetized!


View Profile
January 25, 2013, 02:41:38 PM
 #30

Another thing to consider in your security regime is silence. If you are using cloud storage for a wallet, for example, don't mention that online. Or don't say "my coins are safe because I put them on a flash drive and buried it in my back yard." Shhh.  Lips sealed

The gospel according to Satoshi - https://bitcoin.org/bitcoin.pdf

Free bitcoin in ICELAND - https://bitcointalk.org/index.php?topic=1610684
Carlton Banks
Legendary
*
Offline Offline

Activity: 1848



View Profile
January 25, 2013, 03:14:13 PM
 #31

brain wallet mnemonic, etched into a ceramic block with 3D printer and stored in a safe FTW!

Vires in numeris
Ukigo
Hero Member
*****
Offline Offline

Activity: 938


View Profile
January 25, 2013, 04:22:17 PM
 #32

No need to use safe, just bury it
 in your backyard, right between two trees.

"...Enemies are everywhere ! Angka is all rage ! Be a good soldiers, blow everything... " <-- Pol Pot (C)
cypherdoc
Legendary
*
Offline Offline

Activity: 1764



View Profile
January 25, 2013, 04:51:18 PM
 #33



Upgrade complete.

how do you handle small letters?
superbit
Hero Member
*****
Offline Offline

Activity: 757



View Profile
January 25, 2013, 05:26:57 PM
 #34

Kind of new to armory, but it seems to allow offline and encryption.  Would it be possible for them to include google authenticator?

https://bitfinex.com/?refcode=UInJLQ5KpA <-- leveraged trading of BTCUSD, LTCUSD and LTCBTC (long and short) - 10% discount on fees for the first 30 days with the refcode
My feedback thread: Forum thread
prezbo
Sr. Member
****
Offline Offline

Activity: 430


View Profile
January 25, 2013, 05:52:32 PM
 #35

Kind of new to armory, but it seems to allow offline and encryption.  Would it be possible for them to include google authenticator?
A bitcoin client is not something that can be protected by google authenticator. Hopefully multisig transactions will become more user friendly in the near future - I believe that is something etotheipi is working towards.
twolifeinexile
Full Member
***
Offline Offline

Activity: 154



View Profile
January 25, 2013, 06:15:09 PM
 #36

Kind of new to armory, but it seems to allow offline and encryption.  Would it be possible for them to include google authenticator?
A bitcoin client is not something that can be protected by google authenticator. Hopefully multisig transactions will become more user friendly in the near future - I believe that is something etotheipi is working towards.
Google authenticator's main use is to against keyloggers to get password to get privileged right in your computer from a unsecured client. Once they get access the privileged right, it is no longer relevant.
wormbog
Hero Member
*****
Offline Offline

Activity: 561



View Profile
January 25, 2013, 06:33:17 PM
 #37

Quote
6. make a few copies of your address list. secure at least one copy in your home safe, safety deposit box, etc. I've got a copy behind a family photo in my office... not a compelling target for a thief.


Now it is

Ominous.

Now a thief only has to identify me, defeat my home security systems, subdue the dogs, and hope I wasn't lying about the secret location of the private keys to grab them. Oh, and hope I own enough bitcoins to make the effort worthwhile. (psst... I don't!)

The only thing better than security through obscurity is security through poverty.
nobbynobbynoob
Hero Member
*****
Offline Offline

Activity: 756


Annuit cœptis humanae libertas


View Profile WWW
January 25, 2013, 06:48:21 PM
 #38

bitcointip wormbog +BTC0,01

A bit less poverty now. Tongue

Earn Free Bitcoins!   Earn bitcoin via BitcoinGet
BTC tip: 1PKkvuwC24Vqjv9odigXs1QVzE66jEJqmb (if <200 µBTC, please donate to charity)
LTC tip: LRqXaNdF79QHvhPpS5AZdEJZnLiNnAkJvq (if <Ł0,05, please donate to charity)
superbit
Hero Member
*****
Offline Offline

Activity: 757



View Profile
January 25, 2013, 09:03:37 PM
 #39

Kind of new to armory, but it seems to allow offline and encryption.  Would it be possible for them to include google authenticator?
A bitcoin client is not something that can be protected by google authenticator. Hopefully multisig transactions will become more user friendly in the near future - I believe that is something etotheipi is working towards.
Google authenticator's main use is to against keyloggers to get password to get privileged right in your computer from a unsecured client. Once they get access the privileged right, it is no longer relevant.

Does it not have the ability to encrypt your wallet?  Could it not require a password and google authenticator to unencrypt?

https://bitfinex.com/?refcode=UInJLQ5KpA <-- leveraged trading of BTCUSD, LTCUSD and LTCBTC (long and short) - 10% discount on fees for the first 30 days with the refcode
My feedback thread: Forum thread
prezbo
Sr. Member
****
Offline Offline

Activity: 430


View Profile
January 25, 2013, 10:07:26 PM
 #40

Kind of new to armory, but it seems to allow offline and encryption.  Would it be possible for them to include google authenticator?
A bitcoin client is not something that can be protected by google authenticator. Hopefully multisig transactions will become more user friendly in the near future - I believe that is something etotheipi is working towards.
Google authenticator's main use is to against keyloggers to get password to get privileged right in your computer from a unsecured client. Once they get access the privileged right, it is no longer relevant.

Does it not have the ability to encrypt your wallet?  Could it not require a password and google authenticator to unencrypt?
No. Once it's encrypted, the only way to re-encrypt it is to decrypt it first. Since google auth tokens change over time, you can see the problem here.

Google auth will protect from someone else logging in your name, for example to mtgox, but if mtgox itself gets hacked google auth won't protect your coins anymore, that's why it can't really be of any use in a bitcoin client.
Pages: « 1 [2] 3 »  All
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!