Bitcoin Forum
December 04, 2016, 10:32:33 PM *
News: To be able to use the next phase of the beta forum software, please ensure that your email address is correct/functional.
 
   Home   Help Search Donate Login Register  
Pages: [1]
  Print  
Author Topic: Security again: Before using TrueCrypt - read the freakin manual  (Read 8784 times)
bcearl
Full Member
***
Offline Offline

Activity: 168



View Profile
June 13, 2011, 10:11:53 AM
 #1

Quote from the TrueCrypt documentation:

Quote
IMPORTANT: If you want to use TrueCrypt, you must follow the security requirements and security precautions listed in this chapter.

The sections in this chapter specify security requirements for using TrueCrypt and give information about things that adversely affect or limit the ability of TrueCrypt to secure data and to provide plausible deniability. Disclaimer: This chapter is not guaranteed to contain a list of all security issues and attacks that might adversely affect or limit the ability of TrueCrypt to secure data and to provide plausible deniability.
http://www.truecrypt.org/docs/?s=security-requirements-and-precautions

and especially from the malware section:

Quote
It is important to note that TrueCrypt is encryption software, not anti-malware software. It is your responsibility to prevent malware from running on the computer. If you do not, TrueCrypt may become unable to secure data on the computer.


A lot of people here are just telling the noobs: "I have TrueCrypy, everything is secure." That's just not true. And it is even worse: The very fact that TrueCrypt appears to be a click-here-click-there-I-am-secure-now tool gives people a feeling of security they don't have. Like any security tool, TrueCrypt is worthless unless you are aware what exactly it does.

For the task of protecting wallets I would go even further and say that TrueCrypt is not a appropriate solution. For this application it is almost as bloated as VMs.
If you want to encrypt wallet files for backups, use GPG.
If you want to protect the wallet file from being stolen from your disk, use encrypted folders of the kind that your operating system provides. But don't expect it to be protected against malware while in use. Everything you have access to, the malware you catch has access to, too. It will protect you against people who steal your computer, but it will not protect you against malware.

PS:
Just to prevent misunderstanding: In my opinion you can do whatever you like to. But stop making such strong claims misleading people who understand less then you do.

PPS:
Maybe we need a security subforum.

Misspelling protects against dictionary attacks NOT
1480890753
Hero Member
*
Offline Offline

Posts: 1480890753

View Profile Personal Message (Offline)

Ignore
1480890753
Reply with quote  #2

1480890753
Report to moderator
1480890753
Hero Member
*
Offline Offline

Posts: 1480890753

View Profile Personal Message (Offline)

Ignore
1480890753
Reply with quote  #2

1480890753
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1480890753
Hero Member
*
Offline Offline

Posts: 1480890753

View Profile Personal Message (Offline)

Ignore
1480890753
Reply with quote  #2

1480890753
Report to moderator
1480890753
Hero Member
*
Offline Offline

Posts: 1480890753

View Profile Personal Message (Offline)

Ignore
1480890753
Reply with quote  #2

1480890753
Report to moderator
1480890753
Hero Member
*
Offline Offline

Posts: 1480890753

View Profile Personal Message (Offline)

Ignore
1480890753
Reply with quote  #2

1480890753
Report to moderator
bcearl
Full Member
***
Offline Offline

Activity: 168



View Profile
June 13, 2011, 10:56:31 AM
 #2

Another important detail for the task of protecting wallets:


An attacker can set you wallet to a previous state without even decrypting your TrueCrypt disk:

Quote
TrueCrypt uses encryption to preserve the confidentiality of data it encrypts. TrueCrypt neither preserves nor verifies the integrity or authenticity of data it encrypts or decrypts. Hence, if you allow an adversary to modify data encrypted by TrueCrypt, he can set the value of any 16-byte block of the data to a random value or to a previous value, which he was able to obtain in the past. Note that the adversary cannot choose the value that you will obtain when TrueCrypt decrypts the modified block — the value will be random — unless the attacker restores an older version of the encrypted block, which he was able to obtain in the past. It is your responsibility to verify the integrity and authenticity of data encrypted or decrypted by TrueCrypt (for example, by using appropriate third-party software).

http://www.truecrypt.org/docs/authenticity-and-integrity

Misspelling protects against dictionary attacks NOT
lonestranger
Member
**
Offline Offline

Activity: 115


I like long walks on the beach, shaving my head...


View Profile
June 13, 2011, 12:02:07 PM
 #3

How do we use GPG to encrypt the wallet file?  I use ubuntu 10.04
gene
Sr. Member
****
Offline Offline

Activity: 252


View Profile
June 13, 2011, 12:16:31 PM
 #4

How do we use GPG to encrypt the wallet file?  I use ubuntu 10.04

please read http://forum.bitcoin.org/index.php?topic=16266.0

*processing payment* *error 404 : funds not found*
Do you want to complain on the forum just to fall for another scam a few days later?
| YES       |        YES |
jaime
Sr. Member
****
Offline Offline

Activity: 337


División de Poderes s.XXI es Descentralización


View Profile WWW
June 13, 2011, 03:24:17 PM
 #5

How do you guys spect GPG to be malware-proof?
If your system is compromised , it doesn't matter what tools you use on top of it.

Basiley
Jr. Member
*
Offline Offline

Activity: 42


View Profile
June 13, 2011, 03:30:05 PM
 #6

How do you guys spect GPG to be malware-proof?
If your system is compromised , it doesn't matter what tools you use on top of it.
ex-actly.
and nowdays bookits in mobo/video frimware is quite common, let alone mbr things and stealth rootkits.
gene
Sr. Member
****
Offline Offline

Activity: 252


View Profile
June 13, 2011, 03:35:48 PM
 #7

How do you guys spect GPG to be malware-proof?
If your system is compromised , it doesn't matter what tools you use on top of it.

Of course, security is a process. The means taking steps to protect the operating system and not using a BTC-handling computer to browse for pr0n. Having said that, we also need good tools to protect the data at rest or in transit. GPG is as trustworthy as any crypto tool can be to protect data at rest.

*processing payment* *error 404 : funds not found*
Do you want to complain on the forum just to fall for another scam a few days later?
| YES       |        YES |
bcearl
Full Member
***
Offline Offline

Activity: 168



View Profile
June 13, 2011, 04:28:34 PM
 #8

How do you guys spect GPG to be malware-proof?
If your system is compromised , it doesn't matter what tools you use on top of it.

I never said that GPG protects against malware.


It allows you to store backups on insecure machines, but it does not allow you to decrypt anywhere but on a secure machine, of course.

Misspelling protects against dictionary attacks NOT
kokojie
Legendary
*
Offline Offline

Activity: 1498



View Profile WWW
June 13, 2011, 04:52:46 PM
 #9

Why not simply use 7zip to create a archive of your wallet.dat with a password? 7zip does use 256-bit AES to encrypt the content of the archive, same as truecrypt. Just choose a strong password, and you'll be fine.

If my post has been helpful, send me some love -> BTC: 1kokojUapmWqCqPw3Ch2rjcVh57tJEzka | PPC: PDyXAgA8eH47gokVW6zVZPSuu15aao5nZF | Bitshares: kokojie
My reputation
bcearl
Full Member
***
Offline Offline

Activity: 168



View Profile
June 13, 2011, 05:45:33 PM
 #10

Why not simply use 7zip to create a archive of your wallet.dat with a password? 7zip does use 256-bit AES to encrypt the content of the archive, same as truecrypt. Just choose a strong password, and you'll be fine.

If the 7z AES implementation is good, this should work well, too.

Misspelling protects against dictionary attacks NOT
bcearl
Full Member
***
Offline Offline

Activity: 168



View Profile
June 13, 2011, 05:55:17 PM
 #11

And I really have a stupid cracking tool, the one I already linked, one of the first Google matches. It really calls "7z" each time.

Misspelling protects against dictionary attacks NOT
error
Hero Member
*****
Offline Offline

Activity: 574



View Profile
June 14, 2011, 09:04:18 AM
 #12

And I really have a stupid cracking tool, the one I already linked, one of the first Google matches. It really calls "7z" each time.

I tried that out. It's rather slow. So I made a couple of quick hacks to it and increased its speed threefold. It's possible to make it even faster, though it would take much more work.

15UFyv6kfWgq83Pp3yhXPr8rknv9m6581W
jhansen858
Sr. Member
****
Offline Offline

Activity: 336


View Profile
June 14, 2011, 09:28:37 AM
 #13

99% of getting hacked is the wide open blatantly unsecured data.  encrypting your data in what ever means you should choose is the theme here.  In fact, i would not rely on one single encryption alone, but using an encryption pyramid where your data is independently encrypted multiple times via different means to be absolutely secure.  Especially when were talking about enough money for a down payment on a house.   For example, have an encrypted home directory where you store your truecrypt container.  When you email the truecrypt container off of your secure home directory for backup purposes, encrypt that container with gpg.  Of course the best advise is to not have more coins then you can afford to lose in one wallet. 

Hi forum: 1DDpiEt36VTJsiJunyBc3XtG6CcSAnsQ4p
bcearl
Full Member
***
Offline Offline

Activity: 168



View Profile
June 14, 2011, 09:45:44 AM
 #14

99% of getting hacked is the wide open blatantly unsecured data.  encrypting your data in what ever means you should choose is the theme here.  In fact, i would not rely on one single encryption alone, but using an encryption pyramid where your data is independently encrypted multiple times via different means to be absolutely secure.  Especially when were talking about enough money for a down payment on a house.   For example, have an encrypted home directory where you store your truecrypt container.  When you email the truecrypt container off of your secure home directory for backup purposes, encrypt that container with gpg.  Of course the best advise is to not have more coins then you can afford to lose in one wallet.  


Yes, encryption protects data storage. And multiple encryption tools avoid flaws in a single one of them.

But encryption does not protect data while it is processed, for example by the bitcoin software. That's just impossible.

A special user account or a dedicated machine is protected against malware on your regular user account. But that has nothing to do with encrytion, but with policy enforcement.

Misspelling protects against dictionary attacks NOT
Capitan
Member
**
Offline Offline

Activity: 112


View Profile
June 18, 2011, 07:55:41 AM
 #15

How do you guys spect GPG to be malware-proof?
If your system is compromised , it doesn't matter what tools you use on top of it.
ex-actly.
and nowdays bookits in mobo/video frimware is quite common, let alone mbr things and stealth rootkits.

Ugh. How exactly does one set up a clean PC, and keep it that way then? I take more precautions than probably 98% of the general population but I'm positive that's not enough.
bcearl
Full Member
***
Offline Offline

Activity: 168



View Profile
June 18, 2011, 08:39:40 AM
 #16

How do you guys spect GPG to be malware-proof?
If your system is compromised , it doesn't matter what tools you use on top of it.
ex-actly.
and nowdays bookits in mobo/video frimware is quite common, let alone mbr things and stealth rootkits.

Ugh. How exactly does one set up a clean PC, and keep it that way then? I take more precautions than probably 98% of the general population but I'm positive that's not enough.

You need proper hardware. Unfortunately most hardware is crap and you don't know which products are good before you buy them.

For example a motherboard just needs a single hardware switch that disables the possibility of firmware/BIOS updates. If you can do that, you can start looking for the software you want to run.

Misspelling protects against dictionary attacks NOT
Pages: [1]
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!