wormbog
|
|
January 24, 2013, 12:54:43 AM |
|
6. make a few copies of your address list. secure at least one copy in your home safe, safety deposit box, etc. I've got a copy behind a family photo in my office... not a compelling target for a thief.
If you keep unencrypted paper copies of your private keys you should not write Bitcoin in bold on it. This is just security by obscurity but for 98% of people this is just a random string of numbers.
Agreed, and even better: add a few extra random characters at the beginning or end of the key.
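Padding a paper key with junk characters only works if you can later tell the key apart from the padding. A WIF private key carries its own 4-byte Base58Check checksum, so a copy can be validated and the padding stripped mechanically. The following is an added example, not code from the thread or from any wallet project: it implements Base58Check and mainnet WIF with the standard library only, then scans a padded note for the one substring whose checksum verifies. The padded note and the demo key are constructed for illustration; the 32-byte key below is the public test vector from the Bitcoin wiki's WIF page.

```python
# Added example (not from the thread): check a hand-copied WIF private key via
# its Base58Check checksum, and recover a key that was deliberately padded with
# junk characters at the front and back, as wormbog suggests above.
# Standard library only.
import hashlib

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def sha256d(data: bytes) -> bytes:
    """Bitcoin's double SHA-256."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def b58encode(raw: bytes) -> str:
    n = int.from_bytes(raw, "big")
    out = ""
    while n > 0:
        n, rem = divmod(n, 58)
        out = B58_ALPHABET[rem] + out
    # Each leading zero byte is encoded as a leading '1'.
    leading = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * leading + out


def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        n = n * 58 + B58_ALPHABET.index(ch)  # ValueError for non-alphabet chars
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading = len(text) - len(text.lstrip("1"))
    return b"\x00" * leading + body


def privkey_to_wif(privkey: bytes, compressed: bool = False) -> str:
    """Mainnet WIF: 0x80 || key [|| 0x01] || first 4 bytes of sha256d(payload)."""
    payload = b"\x80" + privkey + (b"\x01" if compressed else b"")
    return b58encode(payload + sha256d(payload)[:4])


def is_valid_wif(text: str) -> bool:
    """True iff text decodes to a WIF-shaped payload whose checksum verifies."""
    try:
        raw = b58decode(text)
    except ValueError:
        return False
    if len(raw) not in (37, 38) or raw[0] != 0x80:
        return False
    payload, checksum = raw[:-4], raw[-4:]
    return sha256d(payload)[:4] == checksum


def recover_wif(padded: str):
    """Slide a WIF-sized window over the padded note and return the first
    substring whose checksum verifies (None if there is none). A 32-bit
    checksum makes an accidental match on junk astronomically unlikely."""
    for length in (51, 52):  # uncompressed / compressed mainnet WIF lengths
        for start in range(0, len(padded) - length + 1):
            candidate = padded[start:start + length]
            if is_valid_wif(candidate):
                return candidate
    return None


if __name__ == "__main__":
    # Test vector from the Bitcoin wiki WIF page.
    key = bytes.fromhex("0C28FCA386C7A227600B2FE50B7CAE11EC86D3BF1FBE471BE89827E19D72AA1D")
    wif = privkey_to_wif(key)
    note = "Qx7" + wif + "m9"  # constructed "paper" copy with junk on both ends
    print(wif)
    print(recover_wif(note) == wif)
```

The same check catches a mis-copied character: flipping any symbol of the key makes `is_valid_wif` return False, so a paper backup can be verified right after it is written rather than when the coins are needed. Note that the Base58 alphabet excludes 0, O, I and l precisely to reduce transcription errors.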
|
|
|
|
foo
|
|
January 24, 2013, 03:41:56 AM |
|
Keylogger is the single biggest side channel attack, hard to totally avoid; it is time for the bitcoin client to utilize two factor authentication, and the second factor should be a one time password (based on time, like an RSA token or Google Authenticator).
That won't work. One-time passwords (OTP) are based on a shared secret. (Both the web site you are logging in to and your token use the same PRNG seed.) If you use it for a Bitcoin wallet, then the secret has to be stored in the wallet itself, which doesn't provide any extra security.
|
I know this because Tyler knows this.
|
|
|
jl2012
Legendary
Offline
Activity: 1792
Merit: 1111
|
|
January 24, 2013, 03:49:55 AM |
|
6. make a few copies of your address list. secure at least one copy in your home safe, safety deposit box, etc. I've got a copy behind a family photo in my office... not a compelling target for a thief.
Now it is
|
Donation address: 374iXxS4BuqFHsEwwxUuH3nvJ69Y7Hqur3 (Bitcoin ONLY) LRDGENPLYrcTRssGoZrsCT1hngaH3BVkM4 (LTC) PGP: D3CC 1772 8600 5BB8 FF67 3294 C524 2A1A B393 6517
|
|
|
|
marcus_of_augustus
Legendary
Offline
Activity: 3920
Merit: 2349
Eadem mutata resurgo
|
|
January 24, 2013, 08:23:16 AM |
|
Upgrade complete.
|
|
|
|
Fiyasko
Legendary
Offline
Activity: 1428
Merit: 1001
Okey Dokey Lokey
|
|
January 24, 2013, 01:21:57 PM |
|
PAAAAAPPPEEERRR WAAAALLLEEEETTTTTSSS PRRRIIINNNTTTEEEDDDD WWIIITTTHHH AAA CCYYYPPHHHEEERRR KKEEYYYYY
|
|
|
|
twolifeinexile
|
|
January 24, 2013, 01:53:12 PM |
|
Keylogger is the single biggest side channel attack, hard to totally avoid; it is time for the bitcoin client to utilize two factor authentication, and the second factor should be a one time password (based on time, like an RSA token or Google Authenticator).
That won't work. One-time passwords (OTP) are based on a shared secret. (Both the web site you are logging in to and your token use the same PRNG seed.) If you use it for a Bitcoin wallet, then the secret has to be stored in the wallet itself, which doesn't provide any extra security.
The first step to steal is to get privileges to be able to read your file on the server; for that step, they usually use an exploit, and that is usually done on the client side (a Windows machine running PuTTY, logging in to a Linux server), keylogging and reading files from your client. So your password to the server will be stolen, but with a one time password it is of no use; they still could not log on, so there is no way to get privileges. If they attack the server directly, that is another story, and I believe in sshd much, much more than any Windows software. It has been tested and attacked for so many years and has got to know how to handle these things better than the client side (be it Firefox, Chrome, Java, whatever it is).
|
|
|
|
Jan
Legendary
Offline
Activity: 1043
Merit: 1002
|
|
January 24, 2013, 06:57:44 PM |
|
But why not make today the day you back up your wallet and clean out any scraps of old wallets. Or change your password from "god" to something robust.
This! I heard of an incident yesterday where someone got a phone replacement and forgot that he had BTC in BitcoinSpinner on it. BitcoinSpinner warns you that you should make a backup as soon as you have coins on it. Come on folks, it is not that hard. 3 clicks and take a picture.
|
Mycelium lets you hold your private keys private.
|
|
|
niko
|
|
January 24, 2013, 07:49:02 PM |
|
6. make a few copies of your address list. secure at least one copy in your home safe, safety deposit box, etc. I've got a copy behind a family photo in my office... not a compelling target for a thief.
If you keep unencrypted paper copies of your private keys you should not write Bitcoin in bold on it. This is just security by obscurity but for 98% of people this is just a random string of numbers.
Agreed, and even better: add a few extra random characters at the beginning or end of the key.
Excellent points. However, if your savings are in any way significant, make sure to provide a way for your beneficiaries or estate to identify and control your offline wallet.
|
They're there, in their room. Your mining rig is on fire, yet you're very calm.
|
|
|
RodeoX (OP)
Legendary
Offline
Activity: 3066
Merit: 1147
The revolution will be monetized!
|
|
January 25, 2013, 02:41:38 PM |
|
Another thing to consider in your security regime is silence. If you are using cloud storage for a wallet, for example, don't mention that online. Or don't say "my coins are safe because I put them on a flash drive and buried it in my back yard." Shhh.
|
|
|
|
Carlton Banks
Legendary
Offline
Activity: 3430
Merit: 3080
|
|
January 25, 2013, 03:14:13 PM |
|
brain wallet mnemonic, etched into a ceramic block with 3D printer and stored in a safe FTW!
|
Vires in numeris
|
|
|
cypherdoc
Legendary
Offline
Activity: 1764
Merit: 1002
|
|
January 25, 2013, 04:51:18 PM |
|
Upgrade complete.
How do you handle small letters?
|
|
|
|
superbit
|
|
January 25, 2013, 05:26:57 PM |
|
Kind of new to armory, but it seems to allow offline and encryption. Would it be possible for them to include google authenticator?
|
|
|
|
prezbo
|
|
January 25, 2013, 05:52:32 PM |
|
Kind of new to armory, but it seems to allow offline and encryption. Would it be possible for them to include google authenticator?
A bitcoin client is not something that can be protected by google authenticator. Hopefully multisig transactions will become more user friendly in the near future - I believe that is something etotheipi is working towards.
|
|
|
|
twolifeinexile
|
|
January 25, 2013, 06:15:09 PM |
|
Kind of new to armory, but it seems to allow offline and encryption. Would it be possible for them to include google authenticator?
A bitcoin client is not something that can be protected by google authenticator. Hopefully multisig transactions will become more user friendly in the near future - I believe that is something etotheipi is working towards.
Google Authenticator's main use is against keyloggers getting your password, to get privileged rights on your computer from an unsecured client. Once they have privileged rights, it is no longer relevant.
|
|
|
|
wormbog
|
|
January 25, 2013, 06:33:17 PM |
|
6. make a few copies of your address list. secure at least one copy in your home safe, safety deposit box, etc. I've got a copy behind a family photo in my office... not a compelling target for a thief.
Now it is
Ominous. Now a thief only has to identify me, defeat my home security systems, subdue the dogs, and hope I wasn't lying about the secret location of the private keys to grab them. Oh, and hope I own enough bitcoins to make the effort worthwhile. (psst... I don't!) The only thing better than security through obscurity is security through poverty.
|
|
|
|
nobbynobbynoob
|
|
January 25, 2013, 06:48:21 PM |
|
bitcointip wormbog + BTC0,01
A bit less poverty now.
|
|
|
|
superbit
|
|
January 25, 2013, 09:03:37 PM |
|
Kind of new to armory, but it seems to allow offline and encryption. Would it be possible for them to include google authenticator?
A bitcoin client is not something that can be protected by google authenticator. Hopefully multisig transactions will become more user friendly in the near future - I believe that is something etotheipi is working towards.
Google Authenticator's main use is against keyloggers getting your password, to get privileged rights on your computer from an unsecured client. Once they have privileged rights, it is no longer relevant.
Does it not have the ability to encrypt your wallet? Could it not require a password and Google Authenticator to decrypt?
|
|
|
|
prezbo
|
|
January 25, 2013, 10:07:26 PM |
|
Kind of new to armory, but it seems to allow offline and encryption. Would it be possible for them to include google authenticator?
A bitcoin client is not something that can be protected by google authenticator. Hopefully multisig transactions will become more user friendly in the near future - I believe that is something etotheipi is working towards.
Google Authenticator's main use is against keyloggers getting your password, to get privileged rights on your computer from an unsecured client. Once they have privileged rights, it is no longer relevant.
Does it not have the ability to encrypt your wallet? Could it not require a password and Google Authenticator to decrypt?
No. Once it's encrypted, the only way to re-encrypt it is to decrypt it first. Since Google Auth tokens change over time, you can see the problem here. Google Auth will protect you from someone else logging in under your name, for example to MtGox, but if MtGox itself gets hacked, Google Auth won't protect your coins anymore; that's why it can't really be of any use in a bitcoin client.
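Two claims in this thread are worth seeing in code: foo's point that an OTP verifier must hold the same seed as the token (so a seed stored next to the wallet protects nothing from whoever can read the wallet), and prezbo's point that a code which changes every 30 seconds cannot be part of a wallet's encryption key. The following is an added example, not code from the thread, Armory or any wallet: a minimal RFC 6238 TOTP (HMAC-SHA1, RFC 4226 dynamic truncation) plus a hypothetical scheme that folds the current code into a PBKDF2-derived wallet key. The wallet file, the `totp_seed` field and the salt are constructed for the demo; the seed `12345678901234567890` is the RFC 4226/6238 test secret.

```python
# Added example (not from the thread): minimal RFC 6238 TOTP, used to show
# (1) whoever reads the wallet file reads the seed and can compute the code,
# (2) a key derived from a time-varying code is only valid in that time step.
# Standard library only; wallet structure and salt are constructed for the demo.
import hashlib
import hmac
import struct

STEP = 30     # TOTP time step in seconds (RFC 6238 default)
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = DIGITS, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret, unix_time // step, digits)


def attacker_with_wallet_file(wallet: dict, unix_time: int) -> str:
    """Point (1): the 'second factor' seed has to live in the wallet so the
    client can verify codes, so anyone who can read the wallet file can
    generate the current code exactly like the user's phone does."""
    return totp(wallet["totp_seed"], unix_time)


def wallet_key(password: str, code: str) -> bytes:
    """Point (2), hypothetical scheme: mix the TOTP code into the wallet
    encryption key with PBKDF2. The key only exists while that code is current."""
    salt = b"constructed-demo-salt"  # constructed; a real wallet stores a random salt
    return hashlib.pbkdf2_hmac("sha256", (password + code).encode(), salt, 100_000)


def can_decrypt_later(password: str, seed: bytes, t_encrypt: int, t_decrypt: int) -> bool:
    """True iff the key re-derived at decrypt time equals the encryption key,
    i.e. only when both times fall in the same 30-second step."""
    k_enc = wallet_key(password, totp(seed, t_encrypt))
    k_dec = wallet_key(password, totp(seed, t_decrypt))
    return hmac.compare_digest(k_enc, k_dec)


if __name__ == "__main__":
    seed = b"12345678901234567890"               # RFC 4226 / 6238 test secret
    wallet = {"totp_seed": seed, "encrypted_keys": b"<ciphertext>"}  # constructed
    print("user's phone shows:   ", totp(seed, 59))
    print("wallet-file thief gets:", attacker_with_wallet_file(wallet, 59))
    print("decrypt 10 s later:   ", can_decrypt_later("hunter2", seed, 1000, 1010))
    print("decrypt 30 s later:   ", can_decrypt_later("hunter2", seed, 1000, 1030))
```

What TOTP does protect is a remote login where the seed lives on the server and the password is typed on a possibly keylogged client, which is the scenario twolifeinexile describes for sshd; for a local wallet the seed and the encrypted keys sit in the same file, so the thread's conclusion stands and the real fix is a second signing key that the compromised machine does not hold, i.e. multisig or an offline signer.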
|
|
|
|
twolifeinexile
|
|
January 25, 2013, 10:20:23 PM |
|
Kind of new to armory, but it seems to allow offline and encryption. Would it be possible for them to include google authenticator?
A bitcoin client is not something that can be protected by google authenticator. Hopefully multisig transactions will become more user friendly in the near future - I believe that is something etotheipi is working towards.
Google Authenticator's main use is against keyloggers getting your password, to get privileged rights on your computer from an unsecured client. Once they have privileged rights, it is no longer relevant.
Does it not have the ability to encrypt your wallet? Could it not require a password and Google Authenticator to decrypt?
No. Once it's encrypted, the only way to re-encrypt it is to decrypt it first. Since Google Auth tokens change over time, you can see the problem here. Google Auth will protect you from someone else logging in under your name, for example to MtGox, but if MtGox itself gets hacked, Google Auth won't protect your coins anymore; that's why it can't really be of any use in a bitcoin client.
Server side security is not something Google Authenticator could help with, I guess, but it protects you from getting your password hacked and then all is f*ked.
|
|
|
|
|