Author Topic: How to be safe with bitcoins - guide  (Read 3473 times)
Houdini (OP)
June 15, 2011, 11:26:09 AM
Last edit: June 15, 2011, 01:57:03 PM by Houdini
 #1

After reading this horrifying story : http://forum.bitcoin.org/index.php?topic=16457.0 from a guy who lost half a million bucks and a bunch of posts from people who were wondering how to stay safe (some of which had good ideas, some horrible) I decided to put together this little guide. If someone doesn't make a better one (or there isn't one already) the moderators might want to make this thread a sticky so new people coming to this forum can read useful safety tips and protect themselves.
Bear in mind this guide is meant more for those with LOTS of bitcoins, as in huge stashes worth a fortune (mostly early adopters), but can also be useful to starters with small stashes (even though they risk less and are far less likely to be targeted). $100 is worth a lot more to someone living in Zimbabwe than someone living in Beverly Hills.
Before I begin, I should mention I'm a newbie myself (just found out about bitcoins several days ago) but I believe I've read enough of other people's good ideas and done enough of logical reasoning and careful thinking to put this guide together. Nevertheless this isn't the ultimate guide so if you have something to add, or you don't agree on something, or you wish to correct a mistake of mine please say so and I'll amend this post.
One last thing, if you wish to thank me for the considerable time and effort I'm about to put into writing the following, you can send your BTC to the following address : 18wJXRnB8ihPVL5viVHrUfrDrNNdzYKBKq
(though that's not the main reason I'm doing it, the main reason is I need a nice, structured reminder myself, so I might as well share it).


1. Silence is golden
This one is pretty simple. You heard the saying : "If you got it, flaunt it." ?
Well that goes for T & A, sure.  Tongue And for Ferraris, and swimming pools, and yachts, and certainly for private jumbo jets.
But not for bitcoins (or dollars). If you were an ordinary middle-class middle-aged guy a few years ago, and now suddenly you're filthy rich and swimming in BTC thanks to being an early adopter, you don't need to tell all your neighbours, coworkers, friends and family how you acquired the wealth, where your stash is stored, how they can get some BTC and so on. The more attention you attract to your newly acquired BTC fortune the more likely you're going to be targeted for either a physical theft or a digital theft. Most people still have no idea what the hell bitcoins are, and aren't going to have any idea where your sudden wealth came from unless you tell them. So the worst they can do is try to steal your Ferrari, and you can keep that in your private underground garage protected by an alarm and security cameras. As for the nosey neighbours, let them just think you're a drug lord incognito.  Grin


2. Don't put all your eggs in one basket
Some rich folks keep all their money, jewels and other valuables in a big, strong, expensive safe in their house. Then a clever and sneaky safecracker sneaks into the house one night when they're away on holiday in Barbados, drills into the safe, and relieves them of their valuables.
Others put their life savings (desperately saved over many years) in a bank, and then that bank gets robbed (in spite of their high tech security systems and armed guards) and they lose their hard-earned money (well actually they don't, banks are all insured, but imagine it was the Wild West). Successful bank robberies are unlikely with today's security, but they do happen.
Now if you split your money and put it in ten different banks (big, professional, secure banks, maybe even in different countries) NO ONE can relieve you of your hard-earned money, at least not all of it. Theoretically all ten banks could be robbed in succession, but simple mathematics tells us the odds of that happening are such that you would likely be hit by lightning a billion billion times before they all get robbed, so you would be atomized into vapour and wouldn't care much about being robbed.  Tongue
The same applies to bitcoins (and eggs  Wink ), if you spread out your BTC life savings over multiple wallets in different locations on a computer or better yet in different physical locations, you'll be much safer than with just a single big wallet. If one is stolen or lost you will survive.


3. Stay off the Grid, Big Brother is watching !
You don't really have to access your bitcoin wallet to add coins to it. You simply declare to the bitcoin network you're transferring the coins (from some other wallet or website account) to that account and voila. So your wallet can lie in some dusty vault (on a USB drive for example) for years and years and still accumulate a fortune in it, your fortune. And if it's not accessible, it's not stealable.
The only times a wallet has to be accessible and therefore vulnerable is when it's created and when you're sending / spending funds from it. At those times it is under inescapable risk of being stolen, if your computer is infected with various kinds of malware. The risk is always present, no matter the OS or antimalware apps (though it can be minimized of course).
The solution is simple (relatively). Use one wallet for your everyday receiving and sending of funds, and another wallet, or better yet a set of wallets for storing your BTC life savings. Keep your everyday wallet on your everyday computer (like you keep your real wallet in your trousers) and do whatever you like with it, and don't even worry about the risks. Who cares if you lose a few bucks ? Meanwhile, keep the storage wallets that contain your savings offline on cheap external memory (like a USB memory drive) and hidden in various different places. Hide one under your bed, put one in the closet, shuffle one into the pile of junk in the basement, tape one to the wall behind the water tank in the bathroom, plaster one into a wall in the attic, bury one in the garden (right next to that annoying neighbour you whacked because he wouldn't stop talking about his boring family), leave one at your grandma's cottage, give one to your sister-in-law for safekeeping (telling her it's a worthless emotional keepsake of course), stick one into the hollow wooden leg of the drunk who hangs out under the pier (while he's passed out of course), and store several more into safety deposit boxes in several different banks (on several different continents). Of course you have to be sure you remember the locations of all of these. And don't tell ANYONE where you hid them !
But digital memory doesn't last forever, so use USB memory drives or CDs or 2.5" external drives, whichever lasts the longest and is safest for the least money, and remember to renew them every 10-15 years !  Smiley
This solves the problem of safely daily receiving and sending, but you still have to "download" the money from those storage wallets some time (to sell it), and they obviously have to be created before everything else, so how to do that safely ?
Simple, to create those wallets use a brand new computer / laptop with a fresh and clean OS install, or just format your HD and do a clean OS install, and then without even connecting that computer to the web (so you can be absolutely sure it's not infected !) create as many wallets as you need and move them to external memories.
When you need to "download" the money from them simply plug in the memory and do it and discard that wallet. It doesn't matter if you download it on your everyday computer, the risk is negligible that the malware will be waiting for you to make the wallet available for a second, and if it does you haven't lost all of your wallets and all your money, just a small part.
EDIT : As was said in another thread (and I failed to remember) you can also use a bootable CD or better yet a bootable USB drive. You'd probably have to install the Bitcoin client program each time you use it though.
I seem to remember reading something about a bootable USB drive with some version of WinXP on it, where you could change settings and they'd be remembered, if that's true then it could presumably also get infected in theory.



4. Encryption is next to cleanliness
Well not really, but it has its uses. Encryption is really more of a nuisance to deter crooks than a foolproof measure. ANY safety measure invented by a human being can be defeated by a human being (with enough time, determination and money) !
You can't keep your everyday wallet encrypted (it would be a lot of bother encrypting and decrypting it all the time !) but you should encrypt your stored wallets before you store them (even though hiding them is your first line of defense you can never be too careful). Just make sure you remember the passwords (use the same one, if they're hidden in different places the crook shouldn't be able to find them all).
Any wallet you store on a public server HAS TO be encrypted ! Anything else would be foolish. But why store an encrypted wallet on a public server anyway when you can stick it on a long lasting memory drive and hide it in a safe place or safe places...


5. Don't put all your eggs in one basket
You may think I'm repeating myself, but consider this a variation on the theme (I can't help it if the proverb is so good !).
The unlucky victim mentioned in the beginning of this thread kept half a million dollars of gold in BTC. I don't know how much else he owned, but I'm presuming that was most of his wealth (that may or may not be true, but there are surely many others who keep all their BTC-earned wealth in BTC).
Keep in mind bitcoins are barely two and a half years old, almost completely unknown in the general population of any country, mysterious even to those who deal with them, and of questionable legality and sustainability to everyone. So are you SURE you want to keep your entire life savings in this volatile currency which no one knows if it will last or burst like a bubble ?
Do you think any billionaires on the Forbes list keep all their wealth invested in one thing ? Of course not, most of them have stocks in dozens or hundreds of companies, money in various currencies in various banks (in places like Switzerland and the Cayman Islands), private stashes of gold and other valuables in safes, various real-estate and so on.
Now I'm no expert on this, but I think that once you reach an amount (in BTC) you ABSOLUTELY CAN NOT AFFORD to lose (an amount which would cause suicidal depression or a lifelong trauma to you if you lost it) you should sell 1/2 or 3/5 or 4/5 of the amount in BTC and invest in other things which yield much less profit but are more reliable, like stocks of big and stable companies, and stable commodities like gold. Heck, if there's another great international market collapse like in the 30's all the BTC and dollars and stocks may become worthless, but gold will always be gold. Even if WW3 comes and everything gets nuked to hell cockroaches and gold will survive.
So my personal opinion and advice is this - spread out your earnings so you still earn a decent amount from the incredible BTC growth (presuming it continues) but still have something left if the BTC market crashes.


6. Backup, backup, backup
Like everything else, backup your wallets, so you don't lose money due to technical failure.
Points #2 - #4 still apply.


Well, that's all for now, and I hope someone will find this useful (and that I won't get a lot of rude replies Smiley ). Cheers !

Alex Beckenham
June 15, 2011, 11:30:50 AM
 #2

Good stuff... Can I buy this text from you for use on a web site?

Can I use this on a web site for free if I include your donation address?

Houdini (OP)
June 15, 2011, 11:40:33 AM
Last edit: June 15, 2011, 11:51:26 AM by Houdini
 #3

How about one little bitcoin ? Smiley I mean since you already offered (and retracted  Tongue)...
Seriously, you can use my text for free, just copy it in its original form, and please put my real name under it (for bragging rights), which is Veljko Dobrijević. The same goes for anyone else.
aiwk171
June 15, 2011, 11:42:51 AM
 #4

Sweet, I wrote up a similar thing in the newb-forum Smiley HOWTO: create a 100% secure wallet

I wanted to move it here, but I see you've also taken a shot at this. Hope people will start behaving a little more responsibly.

EDIT: Jesus, dude... Begging is so sad. Also: awesome that you think in the time-span of 10 years Cheesy
Houdini (OP)
June 15, 2011, 11:47:15 AM
 #5

EDIT: Jesus, dude... Begging is so sad.
Hey, I'm just a poor student...  Grin I'm not one of those capitalist pigs wallowing in BTC...  Cheesy


Hope people will start behaving a little more responsibly.
Responsible behaviour is one thing, but we need technology. The wallet should be more protected by the system.
The pope can preach about responsible behaviour and abstinence all he wants but it's a fact without condoms we'd all be f***ed...  Cheesy
We need protection for our wallets just as much...
Alex Beckenham
June 15, 2011, 11:53:37 AM
 #6

How about one little bitcoin ?  Smiley I mean since you already offered (and retracted  Tongue)...
Seriously, you can use my text, just copy it in its original form, and please put my real name under it (for bragging rights), which is Veljko Dobrijević. The same goes for anyone else.

Yeeeah, I'm not going to pay $20 for it, but your text (and your donation address) will get more exposure on http://bitcoinsafety.com.
I'm just doing up a logo and some quick CSS now, will come back and update here when it's ready...

Houdini (OP)
June 15, 2011, 11:57:02 AM
 #7

Njaaah, you know, the thought that someone was actually willing to pay for something I wrote was worth more to me than the little money... I'd be a published commercial author then !  Grin Tongue I was going to tell everyone... Now my dreams of glory are ruined...  Tongue
Alex Beckenham
June 15, 2011, 12:49:59 PM
Last edit: June 15, 2011, 02:47:58 PM by Alex Beckenham
 #8

Welp, here's a preview: http://bitcointoss.com/bitcoinsafety.php

I'll get it onto its own domain once my host sysadmin sets it up.

Here it is: http://bitcoinsafety.com

Thanks again.

Houdini (OP)
June 15, 2011, 01:34:38 PM
 #9

Nice !
I saw you edited it a bit, mostly just to adapt from forum post to web article, but all the text except the forum related intro is the same. Looks cool. Kind of makes me look wiser and smarter than I am...  Grin
So you building a whole separate site about bitcoin safety or what ? Or are you just gonna post that and that's all ?
Oh yeah, and you might add one word after "Donations" - "to the author", or something like that, so people know why the link is there and what they're donating to.
Good work all in all...
Alex Beckenham
June 15, 2011, 01:43:04 PM
 #10

Sweet, I wrote up a similar thing in the newb-forum Smiley HOWTO: create a 100% secure wallet

I wanted to move it here, but I see you've also taken a shot at this. Hope people will start behaving a little more responsibly.

EDIT: Jesus, dude... Begging is so sad. Also: awesome that you think in the time-span of 10 years Cheesy

I've put yours up at http://bitcoinsecurity.com and I've sent 0.20 btc to both you and Houdini to kick off donations.

Nice !
I saw you edited it a bit, mostly just to adapt from forum post to web article, but all the text except the forum related intro is the same. Looks cool. Kind of makes me look wiser and smarter than I am...  Grin
So you building a whole separate site about bitcoin safety or what ? Or are you just gonna post that and that's all ?
Oh yeah, and you might add one word after "Donations" - "to the author", or something like that, so people know why the link is there and what they're donating to.
Good work all in all...

I'd like to add code so that it can take comments from visitors, but I don't know how to set that up yet with the various blog plugins. I'm sure in time they will both morph into bigger, more complex sites.

Also, I'll change 'donate' to 'donate to author' (on both sites).

Cheers.

Houdini (OP)
June 15, 2011, 02:26:38 PM
 #11

I've put yours up at http://bitcoinsecurity.com and I've sent 0.20 btc to both you and Houdini to kick off donations.
Thanks for the donation, I got it already. I'm betting yours will be the only one... Smiley
But I got a question, my address changed automatically (the one written in the address field), but the other one, the old one, is still open, right ? They're not single-use, otherwise how would people post links ? I still find bitcoin mechanics a bit confusing... Smiley
And btw, why not put both posts on one site, they're kind of similar ? You trying to corner the bitcoin domain name market ? Smiley Or just get as much marketing space as possible to sell ads ? Shrewd operator, you are... Smiley


I'd like to add code so that it can take comments from visitors, but I don't know how to set that up yet with the various blog plugins. I'm sure in time they will both morph into bigger, more complex sites.
Comments shouldn't be too difficult to set up. You have any experience in that kind of thing ?
Btw don't expect me to check regularly on your site to answer comments on my text... Smiley

P.S.
Why are only you two guys answering in this thread ? Where are the voices of the rest of you 200+ viewers, you need to be heard ? Say what you think about the post, do you find it useful or stupid, do you have something to add or correct...
Alex Beckenham
June 15, 2011, 02:41:12 PM
 #12

my address changed automatically (the one written in the address field), but the other one, the old one, is still open, right ? They're not single-use, otherwise how would people post links ?

That's correct, you'll be able to continue receiving coins at that address (And you can look it up in your Address Book actually). It might be helpful to label that address as "bitcoinsafety donations" or something.

And btw, why not put both posts on one site, they're kind of similar ? You trying to corner the bitcoin domain name market ? Smiley Or just get as much marketing space as possible to sell ads ? Shrewd operator, you are... Smiley

Well, I already own both domains anyway so I might as well use them.

Comments shouldn't be too difficult to set up. You have any experience in that kind of thing ?

I have plenty of experience doing that kind of thing from scratch (PHP/MySQL) but I have no experience whatsoever with modern plug-and-play blog software.

Houdini (OP)
June 15, 2011, 07:58:56 PM
 #13

That's correct, you'll be able to continue receiving coins at that address (And you can look it up in your Address Book actually). It might be helpful to label that address as "bitcoinsafety donations" or something.
Done as you suggested. Though the proper name would probably be donatioN, without an s in the end, as you're the only one... Smiley
So Bitcoin can only keep 100 addresses at one time, right, so what if I do 100+ transactions and automatically get 100+ new addresses, will I ever lose the first one ?
jerfelix
June 15, 2011, 09:12:41 PM
 #14

Why are only you two guys answering in this thread ? Where are the voices of the rest of you 200+ viewers, you need to be heard ? Say what you think about the post, do you find it useful or stupid, do you have something to add or correct...

My first thought was "Do I really want to trust a guy named Houdini?  My Bitcoins are about to have a disappearing act!"

But seriously, good advice!  There was another thread today that told how to create an offline wallet / vault for your valuables.  I highly recommend reading that, too.

http://forum.bitcoin.org/index.php?topic=17292.0;all

Alex Beckenham
June 15, 2011, 11:36:07 PM
 #15

So Bitcoin can only keep 100 addresses at one time, right, so what if I do 100+ transactions and automatically get 100+ new addresses, will I ever lose the first one ?

Not true, you can have thousands... I don't even know if there is a limit. It'll just mean your wallet.dat is a huge file. You'll never lose any addresses out of your wallet, unless you use some very specific wallet editing tool for that purpose.

Calavera
June 16, 2011, 02:34:15 AM
Last edit: June 16, 2011, 02:51:54 AM by Calavera
 #16

The only times a wallet has to be accessible and therefore vulnerable is when it's created and when you're sending / spending funds from it. At those times it is under inescapable risk of being stolen, if your computer is infected with various kinds of malware. The risk is always present, no matter the OS or antimalware apps (though it can be minimized of course).

Actually, I don't think this is true.  For one when you're creating the wallet it could be done on a machine that isn't connected to any network and therefore the wallet cannot be stolen.   As you say, you can send coins to the addresses in that wallet for as long as you like without exposing it to the network.   (edit: actually, you allude to this now that I've read further)

Spending them is trickier, but in theory at least you could use an offline machine to sign transfer orders and then an online one to propagate them.   The online machine would not have or need access to the private keys, it would just use the already signed transfer order.  
Houdini (OP)
June 19, 2011, 04:14:19 AM
Last edit: June 19, 2011, 04:35:37 AM by Houdini
 #17

So Bitcoin can only keep 100 addresses at one time, right, so what if I do 100+ transactions and automatically get 100+ new addresses, will I ever lose the first one ?

Not true, you can have thousands... I don't even know if there is a limit. It'll just mean your wallet.dat is a huge file. You'll never lose any addresses out of your wallet, unless you use some very specific wallet editing tool for that purpose.
Quote from https://en.bitcoin.it/wiki/Securing_your_wallet :
"The wallet contains a pool of queued keys. By default there are 100 keys in the key pool. The size of the pool is configurable using the "-keypool" command line argument. When you need an address for whatever reason (send, “new address”, generation, etc.), the key is not actually generated freshly, but taken from this pool. A brand new address is generated to fill the pool back to 100. So when a backup is first created, it has all of your old keys plus 100 unused keys. After sending a transaction, it has 99 unused keys. After a total of 100 new-key actions, you will start using keys that are not in your backup. Since the backup does not have the private keys necessary for authorizing spends of these coins, restoring from the old backup will cause you to lose Bitcoins.
Creating a new address generates a new pair of public and private keys, which are added to your wallet. Each keypair is mostly random numbers, so they cannot be known prior to generation. If you backup your wallet and then create more than 100 new addresses, the keypair associated with the newest addresses will not be in the old wallet because the new keypairs are only known after creating them. Any coins received at these addresses will be lost if you restore from the backup.
"

So if I'm reading this correctly there is a limit but you can change it...
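
The key-pool behaviour in the wiki passage quoted above, modelled as an added example that is not part of the post or of the Bitcoin client. `Wallet`, its methods and the integer key labels are a hypothetical model; real keys are random key pairs.

```python
# Added example: model of the key pool and of a backup going stale.
from itertools import count


class Wallet:
    """Hypothetical model: keys are integer labels, not real key pairs."""

    def __init__(self, keypool_size=100):
        self.keypool_size = keypool_size  # what "-keypool" configures
        self._next_id = count(1)
        self.used = []   # keys already handed out as addresses
        self.pool = []   # pre-generated keys not yet used
        self._refill()

    def _refill(self):
        # Top the pool back up to its configured size with brand new keys.
        while len(self.pool) < self.keypool_size:
            self.pool.append(next(self._next_id))

    def new_key_action(self):
        # Send, "new address", generation, etc. take the oldest pooled key.
        key = self.pool.pop(0)
        self.used.append(key)
        self._refill()
        return key

    def backup(self):
        # A backup contains every key the wallet knows at that moment.
        return frozenset(self.used) | frozenset(self.pool)


def keys_missing_from_backup(wallet, backup):
    """Keys now in use that an older backup could not spend from."""
    return [k for k in wallet.used if k not in backup]


def actions_until_backup_is_stale(keypool_size):
    """New-key actions after a backup until one uses a key the backup lacks."""
    wallet = Wallet(keypool_size)
    snapshot = wallet.backup()
    actions = 0
    while not keys_missing_from_backup(wallet, snapshot):
        wallet.new_key_action()
        actions += 1
    return actions
```

With the default pool of 100, the first 100 new-key actions after a backup are covered and the 101st is not, so a fresh backup is needed before that point or the pool size must be raised.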
Houdini (OP)
June 19, 2011, 04:32:21 AM
 #18

For one when you're creating the wallet it could be done on a machine that isn't connected to any network and therefore the wallet cannot be stolen.

I said the same thing... Smiley

Simple, to create those wallets use a brand new computer / laptop with a fresh and clean OS install, or just format your HD and do a clean OS install, and then without even connecting that computer to the web (so you can be absolutely sure it's not infected !) create as many wallets as you need and move them to external memories.