Author Topic: Security again: Before using TrueCrypt - read the freakin manual  (Read 9066 times)
bcearl (OP)
June 13, 2011, 10:11:53 AM
 #1

Quote from the TrueCrypt documentation:

Quote
IMPORTANT: If you want to use TrueCrypt, you must follow the security requirements and security precautions listed in this chapter.

The sections in this chapter specify security requirements for using TrueCrypt and give information about things that adversely affect or limit the ability of TrueCrypt to secure data and to provide plausible deniability. Disclaimer: This chapter is not guaranteed to contain a list of all security issues and attacks that might adversely affect or limit the ability of TrueCrypt to secure data and to provide plausible deniability.
http://www.truecrypt.org/docs/?s=security-requirements-and-precautions

and especially from the malware section:

Quote
It is important to note that TrueCrypt is encryption software, not anti-malware software. It is your responsibility to prevent malware from running on the computer. If you do not, TrueCrypt may become unable to secure data on the computer.


A lot of people here are just telling the noobs: "I have TrueCrypt, everything is secure." That's just not true. And it is even worse: The very fact that TrueCrypt appears to be a click-here-click-there-I-am-secure-now tool gives people a feeling of security they don't have. Like any security tool, TrueCrypt is worthless unless you are aware what exactly it does.

For the task of protecting wallets I would go even further and say that TrueCrypt is not an appropriate solution. For this application it is almost as bloated as VMs.
If you want to encrypt wallet files for backups, use GPG.
If you want to protect the wallet file from being stolen from your disk, use encrypted folders of the kind that your operating system provides. But don't expect it to be protected against malware while in use. Everything you have access to, the malware you catch has access to, too. It will protect you against people who steal your computer, but it will not protect you against malware.

PS:
Just to prevent misunderstanding: In my opinion you can do whatever you like to. But stop making such strong claims misleading people who understand less than you do.

PPS:
Maybe we need a security subforum.

Misspelling protects against dictionary attacks NOT
bcearl (OP)
June 13, 2011, 10:56:31 AM
 #2

Another important detail for the task of protecting wallets:


An attacker can set your wallet to a previous state without even decrypting your TrueCrypt disk:

Quote
TrueCrypt uses encryption to preserve the confidentiality of data it encrypts. TrueCrypt neither preserves nor verifies the integrity or authenticity of data it encrypts or decrypts. Hence, if you allow an adversary to modify data encrypted by TrueCrypt, he can set the value of any 16-byte block of the data to a random value or to a previous value, which he was able to obtain in the past. Note that the adversary cannot choose the value that you will obtain when TrueCrypt decrypts the modified block — the value will be random — unless the attacker restores an older version of the encrypted block, which he was able to obtain in the past. It is your responsibility to verify the integrity and authenticity of data encrypted or decrypted by TrueCrypt (for example, by using appropriate third-party software).

http://www.truecrypt.org/docs/authenticity-and-integrity

Misspelling protects against dictionary attacks NOT
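
An added example, not part of the original posts and not TrueCrypt code: one way to do the integrity check that the quoted documentation leaves to the user, with a keyed tag over the encrypted container plus a version counter. It assumes the key, the tag and the last version you saw are kept somewhere an attacker with write access to the container cannot change; the function names and the sample bytes are constructed for illustration.

```python
import hashlib
import hmac

BLOCK = 16  # block size named in the quoted TrueCrypt documentation


def seal(container: bytes, key: bytes, version: int) -> bytes:
    """HMAC-SHA256 over a version counter plus the encrypted container bytes."""
    msg = version.to_bytes(8, "big") + container
    return hmac.new(key, msg, hashlib.sha256).digest()


def verify(container, key, version, tag, last_seen_version):
    """Return 'ok', 'modified' (tag mismatch) or 'rollback' (valid but stale)."""
    if not hmac.compare_digest(seal(container, key, version), tag):
        return "modified"
    if version < last_seen_version:
        return "rollback"
    return "ok"


def restore_block(current: bytes, old: bytes, index: int) -> bytes:
    """Model of the documented case: one 16-byte block set back to an older value."""
    start = index * BLOCK
    return current[:start] + old[start:start + BLOCK] + current[start + BLOCK:]


def demo():
    key = b"constructed-demo-key"  # constructed; a real key must be random and secret
    # Constructed stand-ins for two saved states of an encrypted container.
    old = hashlib.sha256(b"state-1").digest() * 4
    new = hashlib.sha256(b"state-2").digest() * 4
    old_tag = seal(old, key, 1)
    new_tag = seal(new, key, 2)
    tampered = restore_block(new, old, 3)
    return {
        # Container exactly as last sealed.
        "untouched": verify(new, key, 2, new_tag, 2),
        # One block replaced by its older ciphertext: the tag no longer matches.
        "block_restored": verify(tampered, key, 2, new_tag, 2),
        # Whole old container with its old, valid tag: caught by the counter.
        "whole_file_rollback": verify(old, key, 1, old_tag, 2),
    }


if __name__ == "__main__":
    print(demo())
```

The tag alone catches a single restored block; only the remembered version counter catches a complete older container that still carries its own valid tag.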
lonestranger
June 13, 2011, 12:02:07 PM
 #3

How do we use GPG to encrypt the wallet file?  I use ubuntu 10.04
gene
June 13, 2011, 12:16:31 PM
 #4

Quote
How do we use GPG to encrypt the wallet file?  I use ubuntu 10.04

please read http://forum.bitcoin.org/index.php?topic=16266.0

*processing payment* *error 404 : funds not found*
Do you want to complain on the forum just to fall for another scam a few days later?
| YES       |        YES |
jaime
June 13, 2011, 03:24:17 PM
 #5

How do you guys expect GPG to be malware-proof?
If your system is compromised, it doesn't matter what tools you use on top of it.

Basiley
June 13, 2011, 03:30:05 PM
 #6

Quote
How do you guys expect GPG to be malware-proof?
If your system is compromised, it doesn't matter what tools you use on top of it.

ex-actly.
and nowadays bootkits in mobo/video firmware are quite common, let alone mbr things and stealth rootkits.
gene
June 13, 2011, 03:35:48 PM
 #7

Quote
How do you guys expect GPG to be malware-proof?
If your system is compromised, it doesn't matter what tools you use on top of it.

Of course, security is a process. That means taking steps to protect the operating system and not using a BTC-handling computer to browse for pr0n. Having said that, we also need good tools to protect the data at rest or in transit. GPG is as trustworthy as any crypto tool can be to protect data at rest.

*processing payment* *error 404 : funds not found*
Do you want to complain on the forum just to fall for another scam a few days later?
| YES       |        YES |
bcearl (OP)
June 13, 2011, 04:28:34 PM
 #8

Quote
How do you guys expect GPG to be malware-proof?
If your system is compromised, it doesn't matter what tools you use on top of it.

I never said that GPG protects against malware.


It allows you to store backups on insecure machines, but it does not allow you to decrypt anywhere but on a secure machine, of course.

Misspelling protects against dictionary attacks NOT
kokojie
June 13, 2011, 04:52:46 PM
 #9

Why not simply use 7zip to create an archive of your wallet.dat with a password? 7zip does use 256-bit AES to encrypt the content of the archive, same as truecrypt. Just choose a strong password, and you'll be fine.

btc: 15sFnThw58hiGHYXyUAasgfauifTEB1ZF6
bcearl (OP)
June 13, 2011, 05:45:33 PM
 #10

Quote
Why not simply use 7zip to create an archive of your wallet.dat with a password? 7zip does use 256-bit AES to encrypt the content of the archive, same as truecrypt. Just choose a strong password, and you'll be fine.

If the 7z AES implementation is good, this should work well, too.

Misspelling protects against dictionary attacks NOT
bcearl (OP)
June 13, 2011, 05:55:17 PM
 #11

And I really have a stupid cracking tool, the one I already linked, one of the first Google matches. It really calls "7z" each time.

Misspelling protects against dictionary attacks NOT
error
June 14, 2011, 09:04:18 AM
 #12

Quote
And I really have a stupid cracking tool, the one I already linked, one of the first Google matches. It really calls "7z" each time.

I tried that out. It's rather slow. So I made a couple of quick hacks to it and increased its speed threefold. It's possible to make it even faster, though it would take much more work.

3KzNGwzRZ6SimWuFAgh4TnXzHpruHMZmV8
jhansen858
June 14, 2011, 09:28:37 AM
 #13

99% of getting hacked is the wide open blatantly unsecured data. Encrypting your data in whatever means you should choose is the theme here. In fact, I would not rely on one single encryption alone, but using an encryption pyramid where your data is independently encrypted multiple times via different means to be absolutely secure. Especially when we're talking about enough money for a down payment on a house. For example, have an encrypted home directory where you store your truecrypt container. When you email the truecrypt container off of your secure home directory for backup purposes, encrypt that container with gpg. Of course the best advice is to not have more coins than you can afford to lose in one wallet.

Hi forum: 1DDpiEt36VTJsiJunyBc3XtG6CcSAnsQ4p
bcearl (OP)
June 14, 2011, 09:45:44 AM
 #14

Quote
99% of getting hacked is the wide open blatantly unsecured data. Encrypting your data in whatever means you should choose is the theme here. In fact, I would not rely on one single encryption alone, but using an encryption pyramid where your data is independently encrypted multiple times via different means to be absolutely secure. Especially when we're talking about enough money for a down payment on a house. For example, have an encrypted home directory where you store your truecrypt container. When you email the truecrypt container off of your secure home directory for backup purposes, encrypt that container with gpg. Of course the best advice is to not have more coins than you can afford to lose in one wallet.


Yes, encryption protects data storage. And multiple encryption tools avoid flaws in a single one of them.

But encryption does not protect data while it is processed, for example by the bitcoin software. That's just impossible.

A special user account or a dedicated machine is protected against malware on your regular user account. But that has nothing to do with encryption, but with policy enforcement.

Misspelling protects against dictionary attacks NOT
Capitan
June 18, 2011, 07:55:41 AM
 #15

Quote
Quote
How do you guys expect GPG to be malware-proof?
If your system is compromised, it doesn't matter what tools you use on top of it.

ex-actly.
and nowadays bootkits in mobo/video firmware are quite common, let alone mbr things and stealth rootkits.

Ugh. How exactly does one set up a clean PC, and keep it that way then? I take more precautions than probably 98% of the general population but I'm positive that's not enough.
bcearl (OP)
June 18, 2011, 08:39:40 AM
 #16

Quote
Quote
Quote
How do you guys expect GPG to be malware-proof?
If your system is compromised, it doesn't matter what tools you use on top of it.

ex-actly.
and nowadays bootkits in mobo/video firmware are quite common, let alone mbr things and stealth rootkits.

Ugh. How exactly does one set up a clean PC, and keep it that way then? I take more precautions than probably 98% of the general population but I'm positive that's not enough.

You need proper hardware. Unfortunately most hardware is crap and you don't know which products are good before you buy them.

For example a motherboard just needs a single hardware switch that disables the possibility of firmware/BIOS updates. If you can do that, you can start looking for the software you want to run.

Misspelling protects against dictionary attacks NOT