Topic: Bitcoin Enthusiasts, We Need to Have a Serious Discussion about Malware
conv3rsion (OP)
March 23, 2013, 08:12:08 PM
 #1

The most important quality of money is trust. If something that acts as money loses trust, it stops acting as money. History is full of failed currencies whose demise was brought about through the loss of trust in the governments backing those currencies.  

In the summer of 2011, when a Mt Gox user's account was hacked and coins stolen, the result was that trust was lost in Bitcoin itself, plummeting the value and temporarily retarding its progress. It doesn't matter that "the hack had nothing to do with Bitcoin, only an exchange and a user on that exchange", the message heard by many was that the currency was not to be trusted. It's taken almost 2 years to build that trust back up in the eyes of members of the general public.

We are at a crucial time in the development of Bitcoin. User adoption is exploding and new opinions are being formed daily. As the value and distribution of Bitcoin increases, so does the incentive for evil and theft. An encrypted wallet, stored on a computer connected to the internet, is not safe from a rootkit or a keylogger deployed through bundled malware distributed through an exploited website. A patient and malicious actor can ultimately do much more to destroy Bitcoin than even a corrupt overreaching government, or a client based software bug can. If funds are stolen from a large enough percentage of the user base, we might as well pull the plug on this whole experiment, because the trust will never be repaired. Never.

The message we are sending to new Bitcoin users is that they should not trust web based wallets with more than a small percentage of their funds. That, coupled with the fact that most people do not have an extra computer that can be permanently left offline, means that right now there is NO good solution for MOST users. Paper wallets are great, but they present their own challenges. The Armory team have done a wonderful and admirable job with their wallet, and for the more technical amongst us, it is a great solution. But as things stand today, we must go further. Bitcoin desperately needs a trusted bootable operating system that can serve as a better cold storage for a majority of its users. And needs this distribution to be extremely user friendly and robust. I don't personally have experience in creating a customized Linux distribution, but I'd like to work with people who do, so that this need can be filled.

To the people placing their trust and wealth in Bitcoin, especially to the least technical amongst them, we owe them a committed effort to protect that trust. Their adoption benefits us, and Bitcoin's success ultimately depends on them.
                                                                                                            
bb113
March 23, 2013, 08:16:28 PM
 #2

There have been a couple projects like this. For example:

https://bitcointalk.org/index.php?topic=46916.0

conv3rsion (OP)
March 23, 2013, 08:28:07 PM
 #3

There have been a couple projects like this. For example:

https://bitcointalk.org/index.php?topic=46916.0



interesting, thanks.
w1R903
March 23, 2013, 08:38:57 PM
 #4

I agree completely.  Is a custom Linux distro the best solution?  It may well be, perhaps booting into a kiosk app.  Are you imagining people would use it to create a wallet to store funds, perhaps on an external USB with a paper wallet backup?  And then maybe boot into the distro whenever they need to top up their everyday wallet, whether that's Electrum, the official client, blockchain.info, or some other client.  This working wallet would only contain the funds they could afford to lose.

There was LinuxCoin, which was based on Debian.  As far as I know, it was last updated in 2011 so it's now fairly obsolete.  I used it back then, and it's nice but not targeted toward non-tech folks.  However, I had missed BitSafe, mentioned in this thread.  I'll have to look into it, looks impressive.  Wonder if the GUI is friendly enough for non-Linux people.

I'm imagining something akin to a kiosk app that the distro would boot into, which would have simple buttons/menus for doing things like creating addresses, backing up, sending, paper wallets, etc.  Kivy is a good Python framework for creating kiosk apps that runs on Linux and Android (and other platforms).

I think that in addition to Linux, it's worth considering Android for this kind of OS that would boot into a single app, using bitcoinj.

I've got a lot of Linux experience and am comfortable with Kivy, and other GUI toolkits as well.  Unfortunately, I'm also quite booked for the next few weeks.  Nonetheless, I agree this is something that needs to be done and I'd like to contribute whatever I can, whether that's bash or Python scripts or something else.  It may be that Bitsafe fulfills our needs, and just needs to be promoted among Bitcoin novices.

4096R/F5EA0017
conv3rsion (OP)
March 23, 2013, 08:41:35 PM
Last edit: March 23, 2013, 10:07:10 PM by conv3rsion
 #5

I agree completely.  Is a custom Linux distro the best solution?  It may well be, perhaps booting into a kiosk app.  Are you imagining people would use it to create a wallet to store funds, perhaps on an external USB with a paper wallet backup?  And then maybe boot into the distro whenever they need to top up their everyday wallet, whether that's Electrum, the official client, blockchain.info, or some other client.  This working wallet would only contain the funds they could afford to lose.

There was LinuxCoin, which was based on Debian.  As far as I know, it was last updated in 2011 so it's now fairly obsolete.  I used it back then, and it's nice but not targeted toward non-tech folks.  However, I had missed BitSafe, mentioned in this thread.  I'll have to look into it, looks impressive.  Wonder if the GUI is friendly enough for non-Linux people.

I'm imagining something akin to a kiosk app that the distro would boot into, which would have simple buttons/menus for doing things like creating addresses, backing up, sending, paper wallets, etc.  Kivy is a good Python framework for creating kiosk apps that runs on Linux and Android (and other platforms).

I think that in addition to Linux, it's worth considering Android for this kind of OS that would boot into a single app, using bitcoinj.

I've got a lot of Linux experience and am comfortable with Kivy, and other GUI toolkits as well.  Unfortunately, I'm also quite booked for the next few weeks.  Nonetheless, I agree this is something that needs to be done and I'd like to contribute whatever I can, whether that's bash or Python scripts or something else.  It may be that Bitsafe fulfills our needs, and just needs to be promoted among Bitcoin novices.


I don't know that a bootable OS is the best solution, maybe it's ultimately a hardware wallet or something that uses trusted computing. This is not my area of expertise, but I feel like the need is so strong and so immediate that I'm very much hoping that people with more skill than I are realizing how crucial this is.
BTC Books
March 23, 2013, 09:57:08 PM
 #6


Bitcoin desperately needs a trusted bootable operating system that can serve as a better cold storage for a majority of its users. And needs this distribution to be extremely user friendly and robust.
                                                                                                            

It's maybe not quite as user friendly as Ubuntu, (being based on Red Hat), but if you're looking for secure - and I mean SECURE - you should give Qubes a look:

http://qubes-os.org/Home.html

You can actually run an Armory off-line wallet on it while connected to the internet.  Shocked

Yes you can.

Look into it.  It's at V.1.0 and a real mind-blower.

Dankedan: price seems low, time to sell I think...
conv3rsion (OP)
March 23, 2013, 10:07:36 PM
 #7


Bitcoin desperately needs a trusted bootable operating system that can serve as a better cold storage for a majority of its users. And needs this distribution to be extremely user friendly and robust.
                                                                                                            

It's maybe not quite as user friendly as Ubuntu, (being based on Red Hat), but if you're looking for secure - and I mean SECURE - you should give Qubes a look:

http://qubes-os.org/Home.html

You can actually run an Armory off-line wallet on it while connected to the internet.  Shocked

Yes you can.

Look into it.  It's at V.1.0 and a real mind-blower.

Sure, I can. But can my mom?

Just because there is a solution, doesn't mean it's the solution for the majority of users. Maybe a bootable OS is totally the wrong way to go with this. But we need something and soon.
BTC Books
March 23, 2013, 10:15:00 PM
 #8


Sure, I can. But can my mom?

Just because there is A SOLUTION, doesn't mean it's THE SOLUTION.

There's no such thing as THE SOLUTION for any problem.  Except maybe high explosives.

But yeah, your mom can run it if she does OK with Ubuntu by herself.  Setting up the various Doms is pretty intuitive and installation is professionally easy.  Besides, the lead developer is a woman, so your mom might be better motivated than your dad.

Dankedan: price seems low, time to sell I think...
batcoin
March 24, 2013, 12:44:37 AM
 #9


Bitcoin desperately needs a trusted bootable operating system that can serve as a better cold storage for a majority of its users. And needs this distribution to be extremely user friendly and robust.

To the people placing their trust and wealth in Bitcoin, especially to the least technical amongst them, we owe them a committed effort to protect that trust. Their adoption benefits us, and Bitcoin's success ultimately depends on them.
                                                                                                             

I've been having these exact thoughts myself over the past several days. I am among the less technical of Bitcoin supporters, so any user friendly software out there would be really great to have. I can putz around with Linux a little bit, but I am still a very basic user who doesn't understand a lot of the behind-the-scenes workings. I am also very paranoid about internet contamination and want an offline wallet to be truly offline. Since I would fall into an average user category, I have trouble trusting apps that require going back and forth between an online and offline computer to verify transactions. To me it is too risky to be plugging USB drives into an offline computer and returning the USB to an online one. I simply see it as an unacceptable security risk for those that would have large numbers of BTC to store because I would wonder about wallet sniffing malware finding its way from the online computer to the offline environment and returning private keys to an online environment. Perhaps some education and clarification on these matters is in order too.

Bitsafe looks like a good project and though it's slightly less offline than what I would choose, perhaps it is safe enough if done right. It just looks like that project has been abandoned for now. Are there any more recent alternatives? And, how are average users like me supposed to know that such software is not just a wallet snatcher to begin with?

If you have more than 0.01BTC and complain about early adopters, please consider donating to this address: 1P11Dz4mhDcJvetHqEJu35KNEVqSRmqo3b
General Tips: 1P4YfrYwQKKtfwszzb2aHgLVLiWQCrJfwi
benjamindees
March 24, 2013, 12:55:12 AM
 #10

I think it's useful to consider a dedicated hardware node, perhaps based on Raspberry Pi, or a re-purposed Pirate Box.

Civil Liberty Through Complex Mathematics
Spaceman_Spiff
March 24, 2013, 01:50:29 AM
 #11



There are hardware wallet projects ongoing.  Very important development imho.  Hope we get enough people soon to get them into 'mass' production so they can become cheap.
Dabs
March 24, 2013, 02:06:42 AM
 #12

If there is any other way to get data into the hardware box aside from human input, it will get infected by malware. It has to have no electronic or digital connections.

batcoin
March 24, 2013, 09:07:39 AM
 #13

There are hardware wallet projects ongoing.  Very important development imho.  Hope we get enough people soon to get them into 'mass' production so they can become cheap.

I think Slush & Co. are working on something like this, no?

If there is any other way to get data into the hardware box aside from human input, it will get infected by malware. It has to have no electronic or digital connections.

Yeah, I think it's on the Armory website that they recommend buying a netbook to keep as an offline wallet vault. I am far into the tinfoil hat realm on this topic and I don't trust that wireless hardware won't continue to function even when "disabled" or "without drivers". The thing that's over my head is how it's possible to make something like a hardware wallet or offline wallet as easy to use as cash and email, but still secure and capable of backing up in multiple locations to avoid physical loss/destruction from fire, flood, theft, etc.

I think it's useful to consider a dedicated hardware node, perhaps based on Raspberry Pi, or a re-purposed Pirate Box.

Time for a roleplay:

How would I go about using a Raspberry Pi and what is a Pirate Box? Think of me as your mediocre end user who loves everything Bill Gates ever did including inventing the mouse and GUI and the computer...in that order. I don't know or really care what the Raspberry Pi and Pirate Box are. In fact, I am scared of Pirate Box just because of its name. I just want to use Windows 8 and keep my Weatherbug software chirping away and running in the background.  Roll Eyes

~~The End~~

If something like Raspberry Pis are the way to go (because they sound so nice and wholesome), then there needs to be a nice little user's manual to go along with a detailed step-by-step list on how to carry out transactions in the most secure way possible. (A detailed step-by-step manual is a good idea with any method, actually.) The only way my average ass can think of for doing it securely involves two DVD drives and a USB, which isn't very attractive to a lot of people I think. Too many ways to fuck it up...


If you have more than 0.01BTC and complain about early adopters, please consider donating to this address: 1P11Dz4mhDcJvetHqEJu35KNEVqSRmqo3b
General Tips: 1P4YfrYwQKKtfwszzb2aHgLVLiWQCrJfwi
benjamindees
March 24, 2013, 09:13:16 AM
 #14

Yes, I'm suggesting someone create and sell packaged, dedicated hardware nodes with support.  You wouldn't even need to create the hardware.  Just integrate the software.  It would be somewhat more secure, and more convenient, than a typical Windows PC.  It could also be used for POS.

Civil Liberty Through Complex Mathematics
Dabs
March 25, 2013, 10:28:49 AM
 #15

@batcoin, when you get a cheap netbook or other computer for offline purposes, you erase the whole thing first, re-partition it, re-format it. Then simply don't install the wireless drivers. Or if you really need a thick tin foil over it, open up the laptop and physically disconnect or destroy the wifi adapter, paint over the IR port, put glue or rubber into all the other ports (or disconnect them.)

Then keep that laptop or netbook inside a faraday cage when you're working on it. The room which contains the cage must have a door that you can close. And make sure to sweep the room for bugs.
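
A check that fits the offline-netbook setup discussed in posts #13 and #15, added here as an example and not code from any poster or project in this thread: it reads Linux sysfs to report network interfaces and radios that are still visible to the operating system. The function names and the sample directory tree are constructed for illustration, and the script assumes a Linux machine.

```python
import os
import tempfile

ARPHRD_LOOPBACK = "772"  # /sys/class/net/<if>/type value for loopback


def _read(path):  # stripped contents, or '' when the attribute is missing
    try:
        with open(path) as fh:
            return fh.read().strip()
    except OSError:
        return ""


def audit_airgap(sys_root="/sys"):
    # sysfs lists only devices with a loaded driver: an empty result does not
    # prove the hardware is gone, so physical removal is still checked by hand.
    findings = []
    net = os.path.join(sys_root, "class", "net")
    for name in sorted(os.listdir(net)) if os.path.isdir(net) else []:
        dev = os.path.join(net, name)
        if not os.path.isdir(dev) or _read(f"{dev}/type") == ARPHRD_LOOPBACK:
            continue  # skip stray files and loopback, which never leaves the box
        radio = any(os.path.exists(f"{dev}/{d}") for d in ("wireless", "phy80211"))
        kind = "wireless" if radio else "wired"
        if _read(f"{dev}/operstate") == "up":
            findings.append(("CRITICAL", name, f"{kind} interface is up"))
        else:
            findings.append(("WARN", name, f"{kind} interface has a driver loaded"))
    rfkill = os.path.join(sys_root, "class", "rfkill")
    for name in sorted(os.listdir(rfkill)) if os.path.isdir(rfkill) else []:
        dev = os.path.join(rfkill, name)
        rtype = _read(f"{dev}/type") or "unknown"
        soft, hard = _read(f"{dev}/soft") == "1", _read(f"{dev}/hard") == "1"
        if hard:
            findings.append(("INFO", name, f"{rtype} radio is hard-blocked"))
        elif soft:
            findings.append(("WARN", name, f"{rtype} radio is only soft-blocked"))
        else:
            findings.append(("CRITICAL", name, f"{rtype} radio is unblocked"))
    return findings


def build_sample_tree(root):
    attrs = {  # constructed sysfs layout: loopback, live Ethernet, soft-blocked Wi-Fi
        "class/net/lo/type": "772", "class/net/lo/operstate": "unknown",
        "class/net/eth0/type": "1", "class/net/eth0/operstate": "up",
        "class/net/wlan0/type": "1", "class/net/wlan0/operstate": "down",
        "class/net/wlan0/wireless/placeholder": "",
        "class/rfkill/rfkill0/type": "wlan",
        "class/rfkill/rfkill0/soft": "1", "class/rfkill/rfkill0/hard": "0",
    }
    for rel, value in attrs.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(value + "\n")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in audit_airgap(build_sample_tree(tmp)):
            print(*finding, sep="  ")
```

On the offline machine itself, call `audit_airgap()` with its default `/sys` root instead of the sample tree.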

MysteryMiner
March 25, 2013, 12:35:00 PM
 #16

Quote
In the summer of 2011, when a Mt Gox user's account was hacked and coins stolen
The user was not hacked, the Mt.Goatse itself was hacked.
Quote
the result was that trust was lost in Bitcoin itself, plummeting the value
The result was that the bitcoin price bubble burst and speculators ran for the money. They did not trust Bitcoin in the first place.
Quote
the message heard by many was that the currency was not to be trusted
The retards will listen to anything and not do research themselves. What message they listen to is irrelevant.
Quote
value and distribution of Bitcoin increases, so does the incentive for evil and theft
Not true. People will steal bitcoins even if they cost pennies. They will also steal or copy the naked pictures from girls' computers even if they have no monetary value. And theft is not purely evil. I call it redistribution of bitcoins. I also want some share!
Quote
An encrypted wallet, stored on a computer connected to the internet, is not safe from a rootkit or a keylogger deployed through bundled malware distributed through an exploited website.
There are many diverse ways to distribute malware but you got it right! Encrypted wallets are not safe if the computer is infected with malware.
Quote
A patient and malicious actor can ultimately do much more to destroy Bitcoin than even a corrupt overreaching government, or a client based software bug can
Totally wrong. It does not make sense at all.
Quote
If funds are stolen from a large enough percentage of the user base, we might as well pull the plug on this whole experiment, because the trust will never be repaired. Never.
Try to steal the funds from me or Gavin or any other technically and security savvy person. And even if half of current users lose the coins by theft, the other users will continue to use bitcoins unaffected. I will laugh at them and will trust bitcoins even more, because the attack would be done by exploiting some security weakness in other parts of system, not the bitcoin itself.
Quote
The message we are sending to new Bitcoin users is that they should not trust web based wallets with more than a small percentage of their funds
The message was around here for years, even when MyBitcoin and BitcoinLaundry were operational.
Quote
coupled with the fact that most people do not have an extra computer that can be permanently left offline, means that right now there is NO good solution for MOST users
Is that not the users' fault? Where did the Pentium3s and AMD Duron (Spitfire) computers go? Because most people in capitalistic consumer society think it is cool to destroy old but perfectly working equipment, now they need to BUY more junk computers such as netbooks to fill a role that older systems are perfectly capable of.
Quote
Bitcoin desperately needs a trusted bootable operating system that can serve as a better cold storage for a majority of its users
Any operating system that has full disk encryption can be trusted to run on a network-disconnected computer for offline wallet purposes.
Quote
And needs this distribution to be extremely user friendly and robust. I don't personally have experience in creating a customized Linux distribution, but I'd like to work with people who do, so that this need can be filled.
"User friendly" and "live Linux distribution" do not mix. Also the computer must be disconnected from the network to be 100% sure it cannot be tampered with even when booting a liveCD. And even then it will not help if the user is socially engineered to run commands by someone else. As with Linux distros there will be more googling for crappy or malicious advice than with Windows, there will come a greater chance of social engineering.
Quote
To the people placing their trust and wealth in Bitcoin, especially to the least technical amongst them, we owe them a committed effort to protect that trust. Their adoption benefits us, and Bitcoin's success ultimately depends on them
If someone places his wealth in something he doesn't understand how to properly use and maintain, he is asking for disaster. He either needs to learn about computer security or he needs to find someone who will do it for him. And retards should not use computers at all.

bc1q59y5jp2rrwgxuekc8kjk6s8k2es73uawprre4j