Red Emerald
|
|
March 02, 2012, 10:23:56 PM |
|
You CAN'T do this even if the computer is running nothing BUT bitcoin and malware:
Every program has a ram space, other programs can't touch it.
This means that even assuming data stayed alive in RAM a while (I never heard of such):
The virus would need to allocate almost ALL the computer's RAM to itself in order to even get access to the residue after the bitcoin client closed THEN it would have to search it.
This would slow the PC to a crawl and be VERY obvious.
This is incorrect. There are plenty of tools available for editing another program's RAM. This is how many of the public video game hacks work.
|
|
|
|
cncmasterw
Newbie
Offline
Activity: 8
Merit: 0
|
|
March 03, 2012, 10:35:31 PM |
|
Wow, haha, his choice of words... and understanding.. I like how he rolls!!
Question though, could a virtual machine work just as well? And basically totally lock down that virtual machine so nothing and Nothing can access that information unless you boot it up? I feel like this would be possible too. Yes, a USB idea is much greater, but if you just move the virtual machine over to a flash drive, disconnect from the internet or something on a different computer, and access it that way? I could be just making up some dumb crap but hell, might as well put some effort into getting out of the newbie SECTION..
|
|
|
|
BlueCorp
Newbie
Offline
Activity: 42
Merit: 0
|
|
March 05, 2012, 05:29:12 AM |
|
This is a very good idea
|
|
|
|
LoWang
|
|
March 05, 2012, 05:44:24 PM |
|
That's right but I think it WOULD work if you used your computer as a non-admin user on XP or have UAC enabled on Win 7 and Vista. Most computer viruses launch themselves under the currently logged on user by somehow stealing the session, so that brings me to another idea how to make your wallet more secure:
- create another user account in your system (non admin)
- install bitcoin (or whatever coin you are interested in) client, but do not run it.
- run the client by using "run as" context menu command or "runas" from command line as this newly created user
- change the NTFS permissions on its data folder so only this new account can access it (also remove "administrators" group from it - you may have to turn off permissions inheriting in advanced menu to do this)
- run the client under this new account
Now your wallet should be relatively safe against wallet stealers or whatever malware, because the file is inaccessible for your account which you normally use and if that malware does not somehow elevate itself to run with admin rights it should not be able to tap into bitcoin-qt's process memory either. Am I right?
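The steps in the post above, written out as an added PowerShell example that is not part of the original post. The account name `btcwallet`, the install path and the data-folder path (Vista/7-style profile layout) are assumptions; `Start-Process -Credential` stands in for the "runas" command the post mentions.

```powershell
# Added example. Run from an elevated PowerShell prompt.
$Account = 'btcwallet'                                  # hypothetical account name
$Client  = 'C:\Program Files\Bitcoin\bitcoin-qt.exe'    # assumed install path
$DataDir = "C:\Users\$Account\AppData\Roaming\Bitcoin"  # assumed data folder in the new profile
$Full    = "$env:COMPUTERNAME\$Account"

# 1. Create a standard (non-admin) local account if it does not exist yet.
#    'net user <name> * /add' prompts for the password and adds the account
#    to the built-in Users group only.
net user $Account 2>$null | Out-Null
if ($LASTEXITCODE -ne 0) { net user $Account * /add }

# 2. Start the client as that account (PowerShell counterpart of "runas /user:").
#    The working directory must be one the new account is allowed to read.
function Start-WalletClient {
    Start-Process -FilePath $Client -Credential (Get-Credential $Full) `
        -LoadUserProfile -WorkingDirectory (Split-Path $Client)
}
if (-not (Test-Path $DataDir)) {
    Start-WalletClient
    Write-Host 'Close the client once its data folder exists, then run this script again.'
    return
}

# 3. Restrict the data folder to the wallet account.
#    First drop explicit ACEs for Administrators (S-1-5-32-544) and Users (S-1-5-32-545),
#    then remove inherited ACEs and grant the wallet account full control,
#    inherited by files (OI) and subfolders (CI). Order matters: after the second
#    command the admin session no longer has rights to edit the ACL.
icacls $DataDir /remove '*S-1-5-32-544' '*S-1-5-32-545'
icacls $DataDir /inheritance:r /grant:r "${Full}:(OI)(CI)F"

# 4. Check from the current account: listing the folder must now be denied.
try {
    Get-ChildItem -Path $DataDir -ErrorAction Stop | Out-Null
    Write-Warning "$env:USERNAME can still list $DataDir"
} catch {
    if ($_.Exception -is [System.UnauthorizedAccessException]) {
        Write-Host "OK: $env:USERNAME is denied access to $DataDir"
    } else { throw }
}

# 5. Day-to-day use: start the client under the dedicated account.
Start-WalletClient
```

An elevated process can still take ownership of the folder and rewrite its ACL, so this holds only against code that runs without admin rights, which is the condition the post itself states.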
|
|
|
|
cncmasterw
Newbie
Offline
Activity: 8
Merit: 0
|
|
March 06, 2012, 05:58:32 AM |
|
That's right but I think it WOULD work if you used your computer as a non-admin user on XP or have UAC enabled on Win 7 and Vista. Most computer viruses launch themselves under the currently logged on user by somehow stealing the session, so that brings me to another idea how to make your wallet more secure:
- create another user account in your system (non admin)
- install bitcoin (or whatever coin you are interested in) client, but do not run it.
- run the client by using "run as" context menu command or "runas" from command line as this newly created user
- change the NTFS permissions on its data folder so only this new account can access it (also remove "administrators" group from it - you may have to turn off permissions inheriting in advanced menu to do this)
- run the client under this new account
Now your wallet should be relatively safe against wallet stealers or whatever malware, because the file is inaccessible for your account which you normally use and if that malware does not somehow elevate itself to run with admin rights it should not be able to tap into bitcoin-qt's process memory either. Am I right?
Now, I am not a genius when it comes to computers, but I have enough basic knowledge that I feel like I can come up with an educated guess. In theory your idea should work, but I would in combination use a virtual machine that only can be accessed by this NON-admin account, while also blocking all access to the ADMIN account and blocking ITS access to the basic account. What you said is what I am basically saying. Stick a virtual machine onto the computer with a very STRICT admin account that BLOCKS ALL INTERNET access (you can set the virtual machine to unplug its internet, per se, and only plug it in.. * turn it on * when needed to add money to the account). While also adding a whole bunch of system security to the whole computer and its virtual machine.. doubling the needed strength to get into the file.. Yes, if he accesses the virtual machine he in theory could crack it open, but if you lock it down in a file with an extremely long password the computer itself should be fine. I don't have a whole lot of experience with virtual machines but if I'm sure I don't think the BIOS is that mod-able.
Cncmasterw - p.s. I'm not a student major with English, and I'm not very good with periods and commas!~
|
|
|
|
Red Emerald
|
|
March 06, 2012, 06:11:50 PM Last edit: March 09, 2012, 04:12:41 AM by Red Emerald |
|
That's right but I think it WOULD work if you used your computer as a non-admin user on XP or have UAC enabled on Win 7 and Vista. Most computer viruses launch themselves under the currently logged on user by somehow stealing the session, so that brings me to another idea how to make your wallet more secure:
- create another user account in your system (non admin)
- install bitcoin (or whatever coin you are interested in) client, but do not run it.
- run the client by using "run as" context menu command or "runas" from command line as this newly created user
- change the NTFS permissions on its data folder so only this new account can access it (also remove "administrators" group from it - you may have to turn off permissions inheriting in advanced menu to do this)
- run the client under this new account
Now your wallet should be relatively safe against wallet stealers or whatever malware, because the file is inaccessible for your account which you normally use and if that malware does not somehow elevate itself to run with admin rights it should not be able to tap into bitcoin-qt's process memory either. Am I right?
Now, I am not a genius when it comes to computers, but I have enough basic knowledge that I feel like I can come up with an educated guess. In theory your idea should work, but I would in combination use a virtual machine that only can be accessed by this NON-admin account, while also blocking all access to the ADMIN account and blocking ITS access to the basic account. What you said is what I am basically saying. Stick a virtual machine onto the computer with a very STRICT admin account that BLOCKS ALL INTERNET access (you can set the virtual machine to unplug its internet, per se, and only plug it in.. * turn it on * when needed to add money to the account). While also adding a whole bunch of system security to the whole computer and its virtual machine.. doubling the needed strength to get into the file.. Yes, if he accesses the virtual machine he in theory could crack it open, but if you lock it down in a file with an extremely long password the computer itself should be fine. I don't have a whole lot of experience with virtual machines but if I'm sure I don't think the BIOS is that mod-able.
Cncmasterw - p.s. I'm not a student major with English, and I'm not very good with periods and commas!~
I've seen malware that installs itself on Windows by completely ignoring UAC and it has full admin rights. For a truly secure wallet, you need a separate system. Putting things in a VM may protect you from an automated attack, but it is likely not enough to stop a directed attack. Get a cheap netbook and put Armory on it. No one will ever be able to steal your funds over the internet, 100% guaranteed.
|
|
|
|
Tuxavant
|
|
March 06, 2012, 06:27:45 PM |
|
Putting my 2 BTC in...
You need to diversify your holdings.
A large portion must go off-line. If your Bitcoins have been secure up to this point, it's relatively safe to assume that your computer has not been compromised so download the BitAddress.org page and save it to disk. Disconnect your computer from the network and generate some Bitcoin addresses. Print them to paper several times. Close your browser and reconnect to the Internet. Send the majority of your Bitcoins in multiple denominations to different Bitcoin addresses. For instance, if you have 1000 Bitcoins and 10 addresses, send 100 Bitcoins to 9 addresses and leave 100 Bitcoins in your online wallet.
Next, download BitcoinSpinner, or some other method to keep a wallet on your phone. Send 10-20 Bitcoins to your phone for casual spending while out and about - offering to pay your friends, family, coworkers Bitcoins in return for buying your lunch or paying your beer tab.
The 50 remaining Bitcoins in your desktop wallet should be for funding your phone and online purchases and holding new bitcoin you purchase from exchanges, etc. When you exceed 50 BTC, send some more to your off-line addresses. Only keep on your phone and desktop what you need for spending.
When it comes time for a big purchase, you only need to import one or more off-line addresses to fund your purchase - rather than the entire amount offline and risk losing it to malware.
Now... to protect your online wallet... you need to be operating outside of the 80% of the average users because that is what malware targets. Anything you do differently will help you miss becoming a target. Encrypt your wallet. Store it in a truecrypt volume. Use a VM. Use Linux as your Bitcoin OS. Buy a dedicated netbook and never use it for anything but Bitcoin.
|
|
|
|
Financier
Newbie
Offline
Activity: 52
Merit: 0
|
|
March 08, 2012, 10:57:20 PM |
|
thanks, useful information
|
|
|
|
1l1l11ll1l
Legendary
Offline
Activity: 1274
Merit: 1000
|
|
March 08, 2012, 11:53:09 PM |
|
The only 100% secure wallet is a wallet that is on a flash drive in a vault.
|
|
|
|
Red Emerald
|
|
March 08, 2012, 11:58:49 PM |
|
The only 100% secure wallet is a wallet that is on a flash drive in a vault.
I think on paper in a vault is better.
|
|
|
|
1l1l11ll1l
Legendary
Offline
Activity: 1274
Merit: 1000
|
|
March 09, 2012, 12:02:00 AM |
|
lol, just write down the code on paper. lol
|
|
|
|
payb.tc
|
|
March 09, 2012, 12:20:15 AM |
|
Disconnect your computer from the network and generate some Bitcoin addresses. Print them to paper several times.
intermediate step: secure-wipe your printer's flash-memory cache. (don't ask me how to do this, I'd have to look it up).
Close your browser and reconnect to the Internet.
|
|
|
|
Jaryu
Member
Offline
Activity: 90
Merit: 10
|
|
March 09, 2012, 04:07:19 AM |
|
This is great info for a BTC newbie like me. Been having fun reading all the possible ways to keep your wallet safe.
|
|
|
|
wyager
Member
Offline
Activity: 98
Merit: 10
|
|
March 10, 2012, 03:33:39 AM |
|
Wouldn't you have to download the entire block chain every time you used the LiveCD (which could take over 24 hours)? Also, because they don't have persistence, wouldn't that use over a gig of ram?
I think we need a client that allows for easy/secure temporary account usage (so you can carry around your private key and account info on a USB drive, and be able to use it temporarily). Right now, I think the only way is to keep your entire wallet.dat and swap it out when you want to use your stored accounts, which is a PITA.
|
OTC-WoT: 1BWF66DuVqBCSFksUgkLtdYmHucpBgPmVm
|
|
|
ragnard
Member
Offline
Activity: 66
Merit: 10
|
|
March 10, 2012, 03:49:25 AM |
|
Thanks for the info!
|
|
|
|
LoWang
|
|
March 10, 2012, 01:40:26 PM |
|
That's right but I think it WOULD work if you used your computer as a non-admin user on XP or have UAC enabled on Win 7 and Vista. Most computer viruses launch themselves under the currently logged on user by somehow stealing the session, so that brings me to another idea how to make your wallet more secure:
- create another user account in your system (non admin)
- install bitcoin (or whatever coin you are interested in) client, but do not run it.
- run the client by using "run as" context menu command or "runas" from command line as this newly created user
- change the NTFS permissions on its data folder so only this new account can access it (also remove "administrators" group from it - you may have to turn off permissions inheriting in advanced menu to do this)
- run the client under this new account
Now your wallet should be relatively safe against wallet stealers or whatever malware, because the file is inaccessible for your account which you normally use and if that malware does not somehow elevate itself to run with admin rights it should not be able to tap into bitcoin-qt's process memory either. Am I right?
Now, I am not a genius when it comes to computers, but I have enough basic knowledge that I feel like I can come up with an educated guess. In theory your idea should work, but I would in combination use a virtual machine that only can be accessed by this NON-admin account, while also blocking all access to the ADMIN account and blocking ITS access to the basic account. What you said is what I am basically saying. Stick a virtual machine onto the computer with a very STRICT admin account that BLOCKS ALL INTERNET access (you can set the virtual machine to unplug its internet, per se, and only plug it in.. * turn it on * when needed to add money to the account). While also adding a whole bunch of system security to the whole computer and its virtual machine.. doubling the needed strength to get into the file.. Yes, if he accesses the virtual machine he in theory could crack it open, but if you lock it down in a file with an extremely long password the computer itself should be fine. I don't have a whole lot of experience with virtual machines but if I'm sure I don't think the BIOS is that mod-able.
Cncmasterw - p.s. I'm not a student major with English, and I'm not very good with periods and commas!~
I've seen malware that installs itself on Windows by completely ignoring UAC and it has full admin rights. For a truly secure wallet, you need a separate system. Putting things in a VM may protect you from an automated attack, but it is likely not enough to stop a directed attack. Get a cheap netbook and put Armory on it. No one will ever be able to steal your funds over the internet, 100% guaranteed.
This is an impractical overkill. I am talking about securing your everyday use wallet. Not the one for life savings! For that I would generate an address on bitcoinaddress.org and use a paper wallet. This armoryclient looks promising though...
Even that malware you are talking about should not be able to overcome NTFS permissions and access the folder unless it impersonates the only user account that has permissions to access it. And it should not be able to do it if there is no process running under this account. I am not sure how big the chance is that some malware would hijack the session of a bitcoin-qt process when you "run as" it as this designated account though...
|
|
|
|
Red Emerald
|
|
March 11, 2012, 03:11:37 AM |
|
Get a cheap netbook and put Armory on it. No one will ever be able to steal your funds over the internet, 100% guaranteed.
This is an impractical overkill. I am talking about securing your everyday use wallet. Not the one for life savings! For that I would generate an address on bitcoinaddress.org and use a paper wallet. This armoryclient looks promising though... Even that malware you are talking about should not be able to overcome NTFS permissions and access the folder unless it impersonates the only user account that has permissions to access it. And it should not be able to do it if there is no process running under this account. I am not sure how big the chance is that some malware would hijack the session of a bitcoin-qt process when you "run as" it as this designated account though...
While it seems like overkill, it is actually pretty similar to the directions on page 1. Armory on a separate system isn't so different from running a live cd like recommended here. Armory is also by far the easiest client I've used (if you can get past the RAM requirement which will eventually be going away). An offline armory system is also actually offline, unlike the live cd which needs an internet connection. It has no need to update the blockchain, which will likely take a long time and kill your poor flash drive. You can also do online transactions with Armory on your normal computer for your everyday funds. The wallet file (or files since it supports multiple wallets) is far easier to maintain and only needs to be backed up once (unlike the Satoshi client with its keypool). Armory supports encryption of the wallet as well, so installing it gives you a secure wallet without having to deal with live cds or anything like that. A key logger would still be bad, but if you didn't mind setting up a live cd like these instructions recommended, you can just use armory with a live cd. That's what I did until I got an old laptop running.
|
|
|
|
LoWang
|
|
March 11, 2012, 11:41:48 AM |
|
But Armory can be used only for bitcoin right?
|
|
|
|
Tangowska
Newbie
Offline
Activity: 10
Merit: 0
|
|
March 15, 2012, 08:53:52 AM |
|
Useful information, thanks.
|
|
|
|
ARapalo
Member
Offline
Activity: 93
Merit: 10
|
|
March 15, 2012, 11:18:01 PM |
|
To have zero risk from a wallet, can I just not have one?
For example, I can just accept BTC directly into my mtgox account, and if I need to pay someone with BTC, withdraw the BTC from my mtgox directly into the other person's wallet/mtgox account. Would this be safe?