Is this practice safe? (how to avoid keylogger when I type pass?)

[thejaytiesto]

I use Bitcoin-qt (well now Bitcoin Core) because I have been used to it for years and honestly im too lazy to move my funds into another place, when it comes to software wallet nothing beats having the actual blockchain downloaded locally, even tho the interface is a bit archaic but I hope in the future it gets a bit better for those of us that actually use it as an actual wallet (I can't properly order receiving and sending addresses for example, it's just a big messy list)

Anyway that's for another thread, the question here was: Let's say I want to open my wallet to send a transaction, is it safe if I do this?

1) I turn on computer
2) With modem turned off I open Bitcoin Core
3) Once im inside the program I enter the pass to decrypt the wallet and be able to send transactions
4) Now I turn modem on and begin syncing then I can send the bitcoins

With this practice can I avoid any potential keyloggers or something to steal my wallet pass? Or will the keylogger still log me when im offline then send the log once I go online?

I would like to keep using Bitcoin Core, but I can't find a way to make 100% sure that when I enter the pass to decrypt wallet im not being logged.
It would be cool to be able to run Bitcoin Core in an isolated way so you can still use this software without being scared all day that you may have a keylogger but I can't think of any way.

[cr1776]

The only way to be 100% sure is to use a computer that never connects to the internet.  Key loggers can store what they capture and send it when you reconnect, depending on the software. 

A safer way could possibly be to run it off an external boot drive that only has Bitcoin Core on it and doesn't connect to the internet.  But even that isn't perfect safe since you have to worry about USB infections or lower level (e.g. BIOS or firmware or lower).  So it is very difficult to be sure you are 100% safe. 

Also varies by OS.

see e.g.
bad bios: http://arstechnica.com/security/2013/10/meet-badbios-the-mysterious-mac-and-pc-malware-that-jumps-airgaps/
usb: http://www.komando.com/happening-now/275451/the-unstoppable-usb-virus-released-to-hackers/all

etc

[27QVUTZj8rgZP1]

Or will the keylogger still log me when im offline then send the log once I go online?

Obviously, it will store all data then send when you are online. Any properly coded "keylogger" will do this.

The solution is to certify your system does not have such software installed.

[thejaytiesto]

Or will the keylogger still log me when im offline then send the log once I go online?

Obviously, it will store all data then send when you are online. Any properly coded "keylogger" will do this.

The solution is to certify your system does not have such software installed.

Well how do you go around certifying it? Im pretty certain that my computer is clean, but then again, as long as your computer is connected the internet, there is a posibility that you are infected with something that has been customized and has never been detected by any of the existing av/firewall software, or maybe it is but you are unlucky and it hasn't been detected by the ones that you have installed.

I have considered installing linux on another partition just for the sake of running core in a less harsh environment than Windows but even then it doesn't solve the problem of being to connected to the internet anyway, and I don't trust this "you can't get hacked in linux" stuff.

[27QVUTZj8rgZP1]

Well how do you go around certifying it? Im pretty certain that my computer is clean, but then again, as long as your computer is connected the internet, there is a posibility that you are infected with something that has been customized and has never been detected by any of the existing av/firewall software, or maybe it is but you are unlucky and it hasn't been detected by the ones that you have installed.

I have considered installing linux on another partition just for the sake of running core in a less harsh environment than Windows but even then it doesn't solve the problem of being to connected to the internet anyway, and I don't trust this "you can't get hacked in linux" stuff.

Of course, you can be hacked in any system. Especially if you are careless.

At the same time, no one can enter your system, execute a program or plant a trap without it having "holes". There's no magic to get access to your system that I know of.

After you have your system installed, you just have to keep in mind to offer as less potential holes as possible, like:
  1.Is your system running a SSH server?
  2.Is your system running a Remote Desktop server?
  3.Is your system running a Web server?
  4.Running, downloading all programs you found on the internet (e.g. joe's blog).
  5.More things I do not know about?

Configuring or doing any of that in a careless manner will make you a very easy target to other people plant and run any software they wish after every startup. Even if you're running Linux.

I am not sure about Windows, past experiences told me it is vulnerable out of the box... While most Linux implementation is not (that I know of). It will depend on what the user will do that will open or close doors to outside attackers.

Also, keep in mind to update your system regularly. Some serious bugs are fixed every now and then.

[ramesh770]

Well how do you go around certifying it? Im pretty certain that my computer is clean, but then again, as long as your computer is connected the internet, there is a posibility that you are infected with something that has been customized and has never been detected by any of the existing av/firewall software, or maybe it is but you are unlucky and it hasn't been detected by the ones that you have installed.

I have considered installing linux on another partition just for the sake of running core in a less harsh environment than Windows but even then it doesn't solve the problem of being to connected to the internet anyway, and I don't trust this "you can't get hacked in linux" stuff.

Of course, you can be hacked in any system. Especially if you are careless.

At the same time, no one can enter your system, execute a program or plant a trap without it having "holes". There's no magic to get access to your system that I know of.

After you have your system installed, you just have to keep in mind to offer as less potential holes as possible, like:
  1.Is your system running a SSH server?
  2.Is your system running a Remote Desktop server?
  3.Is your system running a Web server?
  4.Running, downloading all programs you found on the internet (e.g. joe's blog).
  5.More things I do not know about?

Configuring or doing any of that in a careless manner will make you a very easy target to other people plant and run any software they wish after every startup. Even if you're running Linux.

I am not sure about Windows, past experiences told me it is vulnerable out of the box... While most Linux implementation is not (that I know of). It will depend on what the user will do that will open or close doors to outside attackers.

Also, keep in mind to update your system regularly. Some serious bugs are fixed every now and then.

Thanks man for giving a good reply as i also got information about how to keep my system free from this virus and hacking problem, not to install anything in one computer where i keep my wallet and coins.

[unholycactus]

People will target you if they know you have coins or that you're likely to have some.
Best way to protect yourself if you're using a computer that is connected to the internet is to be careful for phishing scams and such.

Like other people mentioned, a good keylogger will just send the data collected offline when you it can connect to the internet.

I suppose it's less likely to get hacked running a Linux OS, but it doesn't eliminate the threat completely.

[thejaytiesto]

People will target you if they know you have coins or that you're likely to have some.
Best way to protect yourself if you're using a computer that is connected to the internet is to be careful for phishing scams and such.

Like other people mentioned, a good keylogger will just send the data collected offline when you it can connect to the internet.

I suppose it's less likely to get hacked running a Linux OS, but it doesn't eliminate the threat completely.

Well they will not find much because im broke lol. But im hoping that my small BTC wallet will be more valuable in the future.

So im thinking about maybe buying a Trezor, as far as I know my coins will be isolated there, but im not sure if it's as easy as Bitcoin Core to create new sending and receiving addresses... I will eventually need to make the effort to learn about more isolated ways to store coins that don't depend on your computer not getting hacked, but since I don't have that much money I become lazy with the idea of having to do it. But go knows maybe in 5 years my Bitcoins are worth a lot so I should start looking for it. But until then i've just been doing backups of my wallet.dat and I have never had a problem.

[cr1776]

People will target you if they know you have coins or that you're likely to have some.
Best way to protect yourself if you're using a computer that is connected to the internet is to be careful for phishing scams and such.

Like other people mentioned, a good keylogger will just send the data collected offline when you it can connect to the internet.

I suppose it's less likely to get hacked running a Linux OS, but it doesn't eliminate the threat completely.

Well they will not find much because im broke lol. But im hoping that my small BTC wallet will be more valuable in the future.

So im thinking about maybe buying a Trezor, as far as I know my coins will be isolated there, but im not sure if it's as easy as Bitcoin Core to create new sending and receiving addresses... I will eventually need to make the effort to learn about more isolated ways to store coins that don't depend on your computer not getting hacked, but since I don't have that much money I become lazy with the idea of having to do it. But go knows maybe in 5 years my Bitcoins are worth a lot so I should start looking for it. But until then i've just been doing backups of my wallet.dat and I have never had a problem.

If you don't have a lot of coins and don't intend to spend/use them any time soon, perhaps a paper wallet would be the smartest choice then?

[prix]

I am using a virtual machine with disabled clipboard sharing.
VM is tuned: update installed, all unused services disabled, separate user and admin accounts, static IP and dns, firewall with HIPS and so on.
For password input i am using Auto-Type feature of KeePass (with Auto-Type Obfuscation enabled).
But it protect against only keylogers and it doesn't protect against the full remote access software.
But my host is tunned in same manner and even more: browser plugins auto-run disabled (especially flash), Windows AppLocker (programs/scripts can run only from restricted places, as example, you can't run a exe/sript from temp folder, as I know this can be circumvented, but nevertheless it increases safety against common malware), etc.
For all programms that I do not trust I use Sandboxie or a separate virtual machine which I periodically reset to clear state.
Of course it's better to move the first virtual machine to a separate computer, but I use it almost every day and it will reduce the convenience for me and I have not yet done so.

PS. Another way is boot your tuned windows with a wallet software from a external flash/hdd.

[smaxz]

using an on screen keyboard to type the key with your mouse might alleviate some of your worries mate.

[thejaytiesto]

People will target you if they know you have coins or that you're likely to have some.
Best way to protect yourself if you're using a computer that is connected to the internet is to be careful for phishing scams and such.

Like other people mentioned, a good keylogger will just send the data collected offline when you it can connect to the internet.

I suppose it's less likely to get hacked running a Linux OS, but it doesn't eliminate the threat completely.

Well they will not find much because im broke lol. But im hoping that my small BTC wallet will be more valuable in the future.

So im thinking about maybe buying a Trezor, as far as I know my coins will be isolated there, but im not sure if it's as easy as Bitcoin Core to create new sending and receiving addresses... I will eventually need to make the effort to learn about more isolated ways to store coins that don't depend on your computer not getting hacked, but since I don't have that much money I become lazy with the idea of having to do it. But go knows maybe in 5 years my Bitcoins are worth a lot so I should start looking for it. But until then i've just been doing backups of my wallet.dat and I have never had a problem.

If you don't have a lot of coins and don't intend to spend/use them any time soon, perhaps a paper wallet would be the smartest choice then?

Well it's not a lot, but for me it is very important, i don't want to lose it. I do use it sometimes, now that steam is accepting BTC I will be using it more, so I need to generate new sending addresses ( I never reuse a single address) so paper wallet is out of the question since you can't do anything with it.

So maybe I should look into Trezor and learn how it works properly, but i will miss Bitcoin Core.

using an on screen keyboard to type the key with your mouse might alleviate some of your worries mate.

Good idea actually. I wish window's keyboard was more lightweight tho, linux's virtual keyboard is better, i used it once, i think it was called florence or something. But this makes me a bit less paranoid to write my pass.

[prix]

using an on screen keyboard to type the key with your mouse might alleviate some of your worries mate.

Some keyloggers can record data from some on-screen keyboards. Windows on-screen keyboard is very weak as example.
And virtual keyboard is not panacea against complex malware. In addition to record action from a keyboard,
they can take screenshots when an user interact with a mouse.

[BitcoinNewsMagazine]

People will target you if they know you have coins or that you're likely to have some.
Best way to protect yourself if you're using a computer that is connected to the internet is to be careful for phishing scams and such.

Like other people mentioned, a good keylogger will just send the data collected offline when you it can connect to the internet.

I suppose it's less likely to get hacked running a Linux OS, but it doesn't eliminate the threat completely.

Well they will not find much because im broke lol. But im hoping that my small BTC wallet will be more valuable in the future.

So im thinking about maybe buying a Trezor, as far as I know my coins will be isolated there, but im not sure if it's as easy as Bitcoin Core to create new sending and receiving addresses... I will eventually need to make the effort to learn about more isolated ways to store coins that don't depend on your computer not getting hacked, but since I don't have that much money I become lazy with the idea of having to do it. But go knows maybe in 5 years my Bitcoins are worth a lot so I should start looking for it. But until then i've just been doing backups of my wallet.dat and I have never had a problem.

If you don't have a lot of coins and don't intend to spend/use them any time soon, perhaps a paper wallet would be the smartest choice then?

Well it's not a lot, but for me it is very important, i don't want to lose it. I do use it sometimes, now that steam is accepting BTC I will be using it more, so I need to generate new sending addresses ( I never reuse a single address) so paper wallet is out of the question since you can't do anything with it.

So maybe I should look into Trezor and learn how it works properly, but i will miss Bitcoin Core.

using an on screen keyboard to type the key with your mouse might alleviate some of your worries mate.

Good idea actually. I wish window's keyboard was more lightweight tho, linux's virtual keyboard is better, i used it once, i think it was called florence or something. But this makes me a bit less paranoid to write my pass.

Go buy the Trezor already. Once you have it you will kick yourself for waiting. Trezor is changing their backend from Bits of Proof to Bitpay Bitcore, you can run a Bitcore full node on an extra linux box if you want and point myTrezor.com to it.

[Reynaldo]

so.. yes you could make sure nothing is running behind your back under linux... Install arch linux or gentoo, compile your own programs and learn how to check all your processes at startup and decide obviously what automatically starts, this will require a lot of reading and learning but will help you reach your goal of trying to satisfy your paranoia.

[ranochigo]

People will target you if they know you have coins or that you're likely to have some.
Best way to protect yourself if you're using a computer that is connected to the internet is to be careful for phishing scams and such.

Like other people mentioned, a good keylogger will just send the data collected offline when you it can connect to the internet.

I suppose it's less likely to get hacked running a Linux OS, but it doesn't eliminate the threat completely.

Well they will not find much because im broke lol. But im hoping that my small BTC wallet will be more valuable in the future.

So im thinking about maybe buying a Trezor, as far as I know my coins will be isolated there, but im not sure if it's as easy as Bitcoin Core to create new sending and receiving addresses... I will eventually need to make the effort to learn about more isolated ways to store coins that don't depend on your computer not getting hacked, but since I don't have that much money I become lazy with the idea of having to do it. But go knows maybe in 5 years my Bitcoins are worth a lot so I should start looking for it. But until then i've just been doing backups of my wallet.dat and I have never had a problem.

If you don't have a lot of coins and don't intend to spend/use them any time soon, perhaps a paper wallet would be the smartest choice then?

Well it's not a lot, but for me it is very important, i don't want to lose it. I do use it sometimes, now that steam is accepting BTC I will be using it more, so I need to generate new sending addresses ( I never reuse a single address) so paper wallet is out of the question since you can't do anything with it.

So maybe I should look into Trezor and learn how it works properly, but i will miss Bitcoin Core.

You can spend a paper wallet and send the change to a new address. The problem with it is that you need to make sure that your generation and spending method is safe. For example, using a computer that is offline and free of virus to generate it.

Trezor is the best choice if you're using it frequently. The most likely drawback is probably the high cost of buying it. However, if you don't mind a slight bit of hassle, you can buy a raspberry pi and setup an offline Electrum wallet on it[1].

[1] http://docs.electrum.org/en/latest/coldstorage.html

[Patatas]

Not really.Most of the keyloggers are programmed to read macros which are generally strokes from external devices.Even if you use an on screen keyboard,the key strokes are read using macros from your external bus drivers only.High possibility of the IO read will be 90-95% accurate.

using an on screen keyboard to type the key with your mouse might alleviate some of your worries mate.

Nope.I haven't came across any keyloggers (since I've developed a few) which record screen data or take screen shots.As the name says ,a key logger is a "Key presses" recorder.It is only programmed to read the key strokes which use macros.Also the term you might be referring to is called a "RAT" (Remote Administration Tool)

Some keyloggers can record data from some on-screen keyboards. Windows on-screen keyboard is very weak as example.
And virtual keyboard is not panacea against complex malware. In addition to record action from a keyboard,
they can take screenshots when an user interact with a mouse.

[thejaytiesto]

People will target you if they know you have coins or that you're likely to have some.
Best way to protect yourself if you're using a computer that is connected to the internet is to be careful for phishing scams and such.

Like other people mentioned, a good keylogger will just send the data collected offline when you it can connect to the internet.

I suppose it's less likely to get hacked running a Linux OS, but it doesn't eliminate the threat completely.

Well they will not find much because im broke lol. But im hoping that my small BTC wallet will be more valuable in the future.

So im thinking about maybe buying a Trezor, as far as I know my coins will be isolated there, but im not sure if it's as easy as Bitcoin Core to create new sending and receiving addresses... I will eventually need to make the effort to learn about more isolated ways to store coins that don't depend on your computer not getting hacked, but since I don't have that much money I become lazy with the idea of having to do it. But go knows maybe in 5 years my Bitcoins are worth a lot so I should start looking for it. But until then i've just been doing backups of my wallet.dat and I have never had a problem.

If you don't have a lot of coins and don't intend to spend/use them any time soon, perhaps a paper wallet would be the smartest choice then?

Well it's not a lot, but for me it is very important, i don't want to lose it. I do use it sometimes, now that steam is accepting BTC I will be using it more, so I need to generate new sending addresses ( I never reuse a single address) so paper wallet is out of the question since you can't do anything with it.

So maybe I should look into Trezor and learn how it works properly, but i will miss Bitcoin Core.

using an on screen keyboard to type the key with your mouse might alleviate some of your worries mate.

Good idea actually. I wish window's keyboard was more lightweight tho, linux's virtual keyboard is better, i used it once, i think it was called florence or something. But this makes me a bit less paranoid to write my pass.

Go buy the Trezor already. Once you have it you will kick yourself for waiting. Trezor is changing their backend from Bits of Proof to Bitpay Bitcore, you can run a Bitcore full node on an extra linux box if you want and point myTrezor.com to it.

This sounds good but still confusing to me. First of all why do I need to log in to that mytrezor page to move funds? what if the webpage is down?
I still need a lot to learn because the only software I really know how to use is Bitcoin-qt (Core) and I also know how to create paper wallets, but everything else is alien to me. I just don't understand why do I need to log to some webpage (from what I've read you need to do that)

Also let's say that you connect your Trezor to a computer that's infected with a RAT or something, is Trezor immune to any problems your computer might have? you have to put a pass in the mytrezor thing too.. what if they steal that data?

[prix]

Some keyloggers can record data from some on-screen keyboards. Windows on-screen keyboard is very weak as example.
And virtual keyboard is not panacea against complex malware. In addition to record action from a keyboard,
they can take screenshots when an user interact with a mouse.

Nope.I haven't came across any keyloggers (since I've developed a few) which record screen data or take screen shots.As the name says ,a key logger is a "Key presses" recorder.It is only programmed to read the key strokes which use macros.Also the term you might be referring to is called a "RAT" (Remote Administration Tool)

I don't say than keyloggers can record screenshots (but some can: https://www.raymond.cc/blog/how-to-beat-keyloggers-to-protect-your-identity/).
I said they can pass through some on-screen keyboards (I don't say how - it's not matter). Second, I'm not talking about remote control tools,
I said "complex malware", which can record only changed area on some action (mouse click on example).
But it's a not big deal - how who name it: keyloggers, malware, trojans, etc. The main: on-screen keyboard it's not a panacea.

[BitcoinNewsMagazine]

People will target you if they know you have coins or that you're likely to have some.
Best way to protect yourself if you're using a computer that is connected to the internet is to be careful for phishing scams and such.

Like other people mentioned, a good keylogger will just send the data collected offline when you it can connect to the internet.

I suppose it's less likely to get hacked running a Linux OS, but it doesn't eliminate the threat completely.

Well they will not find much because im broke lol. But im hoping that my small BTC wallet will be more valuable in the future.

So im thinking about maybe buying a Trezor, as far as I know my coins will be isolated there, but im not sure if it's as easy as Bitcoin Core to create new sending and receiving addresses... I will eventually need to make the effort to learn about more isolated ways to store coins that don't depend on your computer not getting hacked, but since I don't have that much money I become lazy with the idea of having to do it. But go knows maybe in 5 years my Bitcoins are worth a lot so I should start looking for it. But until then i've just been doing backups of my wallet.dat and I have never had a problem.

If you don't have a lot of coins and don't intend to spend/use them any time soon, perhaps a paper wallet would be the smartest choice then?

Well it's not a lot, but for me it is very important, i don't want to lose it. I do use it sometimes, now that steam is accepting BTC I will be using it more, so I need to generate new sending addresses ( I never reuse a single address) so paper wallet is out of the question since you can't do anything with it.

So maybe I should look into Trezor and learn how it works properly, but i will miss Bitcoin Core.

using an on screen keyboard to type the key with your mouse might alleviate some of your worries mate.

Good idea actually. I wish window's keyboard was more lightweight tho, linux's virtual keyboard is better, i used it once, i think it was called florence or something. But this makes me a bit less paranoid to write my pass.

Go buy the Trezor already. Once you have it you will kick yourself for waiting. Trezor is changing their backend from Bits of Proof to Bitpay Bitcore, you can run a Bitcore full node on an extra linux box if you want and point myTrezor.com to it.

This sounds good but still confusing to me. First of all why do I need to log in to that mytrezor page to move funds? what if the webpage is down?
I still need a lot to learn because the only software I really know how to use is Bitcoin-qt (Core) and I also know how to create paper wallets, but everything else is alien to me. I just don't understand why do I need to log to some webpage (from what I've read you need to do that)

Also let's say that you connect your Trezor to a computer that's infected with a RAT or something, is Trezor immune to any problems your computer might have? you have to put a pass in the mytrezor thing too.. what if they steal that data?

I think you should read the Trezor User Manual. It is an easy read and you will get your questions answered and also help you decide if Trezor is right for you.