Malicious PACs and Bitcoins

[aetos]

http://www.securelist.com/en/blog/208195033/Malicious_PACs_and_Bitcoins

[blastbob]

Yea focus on security has always been learning by burning.

[Joerii]

I keep backups of my wallets and have them encrypted by really strong passwords that I store in Keypass. I enter part of my main Keypass password with a virtual keyboard to thwart ( love that word heheh ) potential keyloggers.

I figure, even if my wallet.dat files get stolen, it'll take a millenium with current technology to break the encryption, so I feel pretty safe.

Am i though ?

[blastbob]

I keep backups of my wallets and have them encrypted by really strong passwords that I store in Keypass. I enter part of my main Keypass password with a virtual keyboard to thwart ( love that word heheh ) potential keyloggers.

I figure, even if my wallet.dat files get stolen, it'll take a millenium with current technology to break the encryption, so I feel pretty safe.

Am i though ?

Most people don't do it the way you do it, its to hard over time so they get sloppy

[aetos]

i wonder with all these alt coin releases   what if again i say what if they offer you coin x   ..and steal your wallet.dat   especially the way that they mine new coins convert to ltc or btc.. again i say what if lol

[Luckybit]

i wonder with all these alt coin releases   what if again i say what if they offer you coin x   ..and steal your wallet.dat   especially the way that they mine new coins convert to ltc or btc.. again i say what if lol

Encrypt your wallet and use Yubikey.

[sor.rge]

I keep backups of my wallets and have them encrypted by really strong passwords that I store in Keypass. I enter part of my main Keypass password with a virtual keyboard to thwart ( love that word heheh ) potential keyloggers.

I figure, even if my wallet.dat files get stolen, it'll take a millenium with current technology to break the encryption, so I feel pretty safe.

Am i though ?

The article speaks about a phishing attack on Mtgox, so your measures will not help in this case. If you will be a victim of such an attack, they could steal your bitcoins stored at the exchange, and possibly also the money.

[aetos]

I keep backups of my wallets and have them encrypted by really strong passwords that I store in Keypass. I enter part of my main Keypass password with a virtual keyboard to thwart ( love that word heheh ) potential keyloggers.

I figure, even if my wallet.dat files get stolen, it'll take a millenium with current technology to break the encryption, so I feel pretty safe.

Am i though ?

The article speaks about a phishing attack on Mtgox, so your measures will not help in this case. If you will be a victim of such an attack, they could steal your bitcoins stored at the exchange, and possibly also the money.

He is right, that there is Trojan software in a heap of bitcoin stuff,
but wrong in saying encrypting your wallet will stop it getting stolen.
The trojens are often keyloggers so they just record your passwords and send that back with the wallet.dat
Even without your encryption password I suspect someone with enough FPGA fire power could brute force your password anyway.
Your best bet is to have your bitcoin client on a linux boot from a USB stick and keep it in a sterile quarantined OS.

[blastbob]

I keep backups of my wallets and have them encrypted by really strong passwords that I store in Keypass. I enter part of my main Keypass password with a virtual keyboard to thwart ( love that word heheh ) potential keyloggers.

I figure, even if my wallet.dat files get stolen, it'll take a millenium with current technology to break the encryption, so I feel pretty safe.

Am i though ?

The article speaks about a phishing attack on Mtgox, so your measures will not help in this case. If you will be a victim of such an attack, they could steal your bitcoins stored at the exchange, and possibly also the money.

He is right, that there is Trojan software in a heap of bitcoin stuff,
but wrong in saying encrypting your wallet will stop it getting stolen.
The trojens are often keyloggers so they just record your passwords and send that back with the wallet.dat
Even without your encryption password I suspect someone with enough FPGA fire power could brute force your password anyway.
Your best bet is to have your bitcoin client on a linux boot from a USB stick and keep it in a sterile quarantined OS.

How to make all this n00b friendly?

[sor.rge]

He is right, that there is Trojan software in a heap of bitcoin stuff,
but wrong in saying encrypting your wallet will stop it getting stolen.

Exactly. If you caught a Trojan tailored for bitcoin, you're pretty much done no matter what you do. There's a thousand ways to intercept your password next time you type it, by patching your bitcoin client for example. Bitcoin is extremely insecure in this respect.

[aetos]

If Bitcoins are a set of digital Alpha/numerric characters for each Bitcoin, then each REAL transaction should add the sellers 'input' characters to the code that verify that the seller ACTUALLY sold them to a Specific buyer, who know has them in his Account/s. They need to be traceable, that way.
So, stealing them would not add any verifiable characters to each Bitcoin, which should render them worthless to the thief, but still holding their value for the owner they were 'stolen' from.
IF he was SMART enough to keep them backed-up, then he'd still have his version of the digital docs, that have his code attached to them,

NO?

[sor.rge]

Bitcoins do not exist as a separate entity, in the network there are only transactions. Each transaction has some other transactions as inputs and a destination address, and it's signed using the sender's key. Stealing means publication of an unauthorized transaction in favor of the thief's address, and the resulting funds are quite usable by the thief, and lost for the original owner, since the transactions are irreversible.