Bitcoin Forum
Author Topic: Can someone confirm my security is OK?  (Read 1949 times)
GiganticDays (OP)
June 06, 2013, 02:31:24 PM
 #1

I have recently installed Armory on my everyday PC, plus on another machine not connected to the outside world. I've created my wallet on the offline machine and a watching-only copy which I have imported into Armory on the online machine.
I have a paper backup of the wallet printed (immediately after installation) which I will keep safe in multiple locations.
I've transferred a quantity of BTC into the watching-only wallet.
Anything else I need to do?
Otoh
June 06, 2013, 03:45:07 PM
Last edit: June 06, 2013, 04:53:28 PM by Otoh
 #2

dead man switches

Edit: meant to say email death switches sry - encrypted for private keys or passwords (to say a LastPass account) & the recipient/s have the decryption instructions & know to expect the mails so aren't sent to spam, plus an account enabled YubiKey in the LastPass case.

BTC = $c²     My BTC addie = 1otohotohMoQoxHuxLBveQiZcV3Pji3Tc 
Abdussamad
June 06, 2013, 03:52:47 PM
 #3

Wow you are truly paranoid :)

About the paper backup you can now do m of n backups in Armory. That is total n backups of which you need m to restore the wallet. See this thread:

https://bitcointalk.org/index.php?topic=149820.0
talnted
June 06, 2013, 03:53:34 PM
 #4

Paranoid is not a bad thing!

The Original and Most Popular Gem Game: www.bitcoingem.com
Over 800+ BTC Paid Out!  1110+ Buyers of the Gem!
CasinoBit
June 06, 2013, 03:54:36 PM
 #5

> Wow you are truly paranoid :)
>
> About the paper backup you can now do m of n backups in Armory. That is total n backups of which you need m to restore the wallet. See this thread:
>
> https://bitcointalk.org/index.php?topic=149820.0

You aren't paranoid if it's really happening.
The 4ner
aka newbitcoinqtuser
June 06, 2013, 04:17:31 PM
Last edit: June 06, 2013, 05:54:47 PM by The 4ner
 #6

If you own a lot of coins then why not? You can never be too safe.
Abdussamad
June 06, 2013, 04:20:18 PM
 #7

Ok guys please look beyond my comment about paranoia. Note I used a smiley which means it was just a joke.

I also made a useful suggestion about paper backups while you guys have yet to suggest anything. So let's get back to the topic at hand.
Hawkix
June 06, 2013, 04:41:39 PM
 #8

> ...
>
> Anything else I need to do?

I would not use paper wallet with unencrypted private keys. You never know who will look at these papers, who may copy them, etc.

Donations: 1Hawkix7GHym6SM98ii5vSHHShA3FUgpV6
http://btcportal.net/ - All about Bitcoin - coming soon!
acoindr
June 06, 2013, 05:48:13 PM
 #9

> I have recently installed Armory on my everyday PC, plus on another machine not connected to the outside world. I've created my wallet on the offline machine and a watching-only copy which I have imported into Armory on the online machine.
> I have a paper backup of the wallet printed (immediately after installation) which I will keep safe in multiple locations.
> I've transferred a quantity of BTC into the watching-only wallet.
> Anything else I need to do?

That security is pretty good and you have a very low chance of losing coins that way. However, there are a couple weak points to be aware of. The first is your printed private keys. Remember, private keys unlock the bitcoins so if someone learns your private keys they can steal your coins regardless of your computer setup. Keep those maybe in a safe/safety deposit box, and guard against cameras/binoculars through windows etc.

Next, the one flaw I see in the Armory setup is shuttling data back and forth by USB which subjects even an offline computer to autorun viruses. Be sure to disable autorun.

Also, remember you must guard against someone using your offline computer. To guard against that be sure to encrypt the wallet with a strong password and protect the password. Then even if your offline computer is stolen your coins are safe.

Last, you may want to check this thread started by someone thinking of starting a Bitcoin Bank. In particular I agree this quote is the most secure and efficient method for storing coins:

> 1. Dedicated offline Ubuntu Live on USB drive.
> 2. Create a bunch of private keys offline and put them in a truecrypt container.
> 3. Backup the truecrypt container on multiple locations (both local and online).
>
> This pretty much reduces the risk of theft or losing the money to ZERO percent.
>
> For extra paranoia, e.g. in case of kidnapping your family and demanding the private keys as ransom:
>
> 4. Use a time-lock, i.e. a remotely controlled server that sends the passphrase for the truecrypt container only X days after you request it. Obviously this implies the inconvenience of not *instantly* being able to access your money, but that's the whole idea.
>
> I don't think it gets any more secure than this.
r3wt
June 06, 2013, 05:56:59 PM
 #10

TO OP. you need to do the following things in sequence


Download MBAR(MalwareBytes Anti RootKit Utility)
then whip on over to
Gibson research company and use the shields up utility to scan your ports for visibility to hackers.

https://www.grc.com/x/ne.dll?bh0bkyd2

If you are afraid of this because of the dll file extension, search google about this company. They are the leading firewall research and development company in the world. Anyway, when you get there use the utility(which is quite ugly and a bit confusing) to scan all of your common service ports. green means they are in stealth and not visible. red means they are visible and open. blue means they aren't visible but your computer sent a response when the request was received, making the port vulnerable to various hack attempts. if all of your ports are in stealth mode then it is next to impossible for a hacker to find your computer unless they know your ip address.

After you have done all this, research whatever coin clients you use's rpc port and default port and scan all of these manually.

Additionally, i would recommend downloading ccleaner from piriform, malware bytes pro, microsoft security essentials, avast internet security and sandboxie. i run all of these programs simultaneously with no problem and haven't had an infection in months, despite several attempts, including one by a forum member who coaxed me into a skype chat.

My negative trust rating is reflective of a personal vendetta by someone on default trust.
acoindr
June 06, 2013, 06:07:31 PM
 #11

> TO OP. you need to do the following things in sequence
>
> Download MBAR(MalwareBytes Anti RootKit Utility)
> then whip on over to
> Gibson research company and use the shields up utility to scan your ports for visibility to hackers.
>
> https://www.grc.com/x/ne.dll?bh0bkyd2
>
> If you are afraid of this because of the dll file extension, search google about this company. They are the leading firewall research and development company in the world. Anyway, when you get there use the utility(which is quite ugly and a bit confusing) to scan all of your common service ports. green means they are in stealth and not visible. red means they are visible and open. blue means they aren't visible but your computer sent a response when the request was received, making the port vulnerable to various hack attempts. if all of your ports are in stealth mode then it is next to impossible for a hacker to find your computer unless they know your ip address.
>
> After you have done all this, research whatever coin clients you use's rpc port and default port and scan all of these manually.
>
> Additionally, i would recommend downloading ccleaner from piriform, malware bytes pro, microsoft security essentials, avast internet security and sandboxie. i run all of these programs simultaneously with no problem and haven't had an infection in months, despite several attempts, including one by a forum member who coaxed me into a skype chat.


This is unnecessary. In general, you should never depend on more software to secure your system.

As long as the OP had no viruses on the offline computer before setting things up (do a clean OS install), disables autorun to protect from a USB transfer virus, and encrypts the offline computer with a strong password to guard against physical use he is perfectly safe (provided his paper backups remain so) because the private keys to spend coins are not accessible to the outside world, period. It doesn't matter if the online computer ever gets infected. No coins can move without being signed by the encrypted offline computer.
r3wt
June 06, 2013, 06:17:59 PM
 #12

>> TO OP. you need to do the following things in sequence
>>
>> Download MBAR(MalwareBytes Anti RootKit Utility)
>> then whip on over to
>> Gibson research company and use the shields up utility to scan your ports for visibility to hackers.
>>
>> https://www.grc.com/x/ne.dll?bh0bkyd2
>>
>> If you are afraid of this because of the dll file extension, search google about this company. They are the leading firewall research and development company in the world. Anyway, when you get there use the utility(which is quite ugly and a bit confusing) to scan all of your common service ports. green means they are in stealth and not visible. red means they are visible and open. blue means they aren't visible but your computer sent a response when the request was received, making the port vulnerable to various hack attempts. if all of your ports are in stealth mode then it is next to impossible for a hacker to find your computer unless they know your ip address.
>>
>> After you have done all this, research whatever coin clients you use's rpc port and default port and scan all of these manually.
>>
>> Additionally, i would recommend downloading ccleaner from piriform, malware bytes pro, microsoft security essentials, avast internet security and sandboxie. i run all of these programs simultaneously with no problem and haven't had an infection in months, despite several attempts, including one by a forum member who coaxed me into a skype chat.
>
> This is unnecessary. In general, you should never depend on more software to secure your system.
>
> As long as the OP had no viruses on the offline computer before setting things up (do a clean OS install), disables autorun to protect from a USB transfer virus, and encrypts the offline computer with a strong password to guard against physical use he is perfectly safe (provided his paper backups remain so) because the private keys to spend coins are not accessible to the outside world, period. It doesn't matter if the online computer ever gets infected. No coins can move without being signed by the encrypted offline computer.

only wannabes wipe their drives and reinstall unnecessarily. much easier, faster, and better for your harddrive to clean the mbr, quarantine viruses, remove spyware and rootkits, fix the registry and delete temp files. and if you have problems deleting registry entries it's almost a sure sign of a virus. that's where FileAssassin comes in handy. it deletes the file securely, and if the file refuses, it gives you the option to delete it on reboot before it can load into memory. What you suggest is the sloppy and inefficient way of fixing a problem. and in this day and age one single antivirus isn't gonna protect you from every virus spyware trojan adware driveby or infected gif out there. throughout my time repairing computers, i've noticed that many people don't even realize that sometimes you have to remove exceptions from your firewall when you uninstall some software, especially unsigned software such as the many variations of QT. my method may be considered overkill, and if it is, that is simply UNJUST. In my book, it's more unnecessary to uninstall the entire os to get rid of a single virus. that's just me though.

My negative trust rating is reflective of a personal vendetta by someone on default trust.
Lauda
June 06, 2013, 06:18:18 PM
 #13

Don't go for too much software, and don't be so paranoid. Maybe keep money spread across 2-3 wallets?

"The Times 03/Jan/2009 Chancellor on brink of second bailout for banks"
😼 Bitcoin Core (onion)
r3wt
June 06, 2013, 06:21:48 PM
 #14

> Maybe keep money spread across 2-3 wallets?

this, a million times.

also, go for a password at least 32 characters long. the more special characters the better. in fact, my second password is 106 characters in length, and i have it memorized by heart.

My negative trust rating is reflective of a personal vendetta by someone on default trust.
acoindr
June 06, 2013, 06:34:28 PM
 #15

> only wannabes wipe their drives and reinstall unnecessarily.

I guess you mean people that wannabe safe.

> much easier, faster, and better for your harddrive to clean the mbr, quarantine viruses, remove spyware and rootkits, fix the registry and delete temp files.

That depends on the situation. Computers are cheap, especially one which is only going to run offline for dedicated purposes needing minimal hardware specs.

> and if you have problems deleting registry entries it's almost a sure sign of a virus. that's where FileAssassin comes in handy. it deletes the file securely, and if the file refuses, it gives you the option to delete it on reboot before it can load into memory. What you suggest is the sloppy and inefficient way of fixing a problem. and in this day and age one single antivirus isn't gonna protect you from every virus spyware trojan adware driveby or infected gif out there. throughout my time repairing computers, i've noticed that many people don't even realize that sometimes you have to remove exceptions from your firewall when you uninstall some software, especially unsigned software such as the many variations of QT. my method may be considered overkill, and if it is, that is simply UNJUST. In my book, it's more unnecessary to uninstall the entire os to get rid of a single virus. that's just me though.

My method is a no brainer basically guaranteed secure way to not lose bitcoins. That's all I care about. Whatever you want to say about the online computer is not my interest. Tell him to run whatever you like. It doesn't matter, because like I said the offline computer (spending bitcoins) is secure regardless.
r3wt
June 06, 2013, 06:57:29 PM
 #16

>> only wannabes wipe their drives and reinstall unnecessarily.
>
> I guess you mean people that wannabe safe.
>
>> much easier, faster, and better for your harddrive to clean the mbr, quarantine viruses, remove spyware and rootkits, fix the registry and delete temp files.
>
> That depends on the situation. Computers are cheap, especially one which is only going to run offline for dedicated purposes needing minimal hardware specs.
>
>> and if you have problems deleting registry entries it's almost a sure sign of a virus. that's where FileAssassin comes in handy. it deletes the file securely, and if the file refuses, it gives you the option to delete it on reboot before it can load into memory. What you suggest is the sloppy and inefficient way of fixing a problem. and in this day and age one single antivirus isn't gonna protect you from every virus spyware trojan adware driveby or infected gif out there. throughout my time repairing computers, i've noticed that many people don't even realize that sometimes you have to remove exceptions from your firewall when you uninstall some software, especially unsigned software such as the many variations of QT. my method may be considered overkill, and if it is, that is simply UNJUST. In my book, it's more unnecessary to uninstall the entire os to get rid of a single virus. that's just me though.
>
> My method is a no brainer basically guaranteed secure way to not lose bitcoins. That's all I care about. Whatever you want to say about the online computer is not my interest. Tell him to run whatever you like. It doesn't matter, because like I said the offline computer (spending bitcoins) is secure regardless.

ha, are you serious on both points?

My negative trust rating is reflective of a personal vendetta by someone on default trust.
acoindr
June 06, 2013, 07:03:10 PM
 #17

> ha, are you serious on both points?

What are you talking about?
e4xit
June 07, 2013, 09:07:27 AM
 #18

>> ha, are you serious on both points?
>
> What are you talking about?

I don't think he knows what he is talking about. Surely no-one would advocate running MalwareBytes, ccleaner, malware bytes pro, microsoft security essentials, avast internet security and sandboxie all at the same time, as a means of "staying secure".

Surely anyone who knew what they were talking about would know that this does absolutely nothing to protect you from zero day exploits, and also the most common attack vector - conning the user into installing the trojan/similar themselves (i.e. downloading something unknown from the internet and running it).

OP has already taken excellent precautions; if his install of Armory on his offline computer was to a freshly installed OS (I used Ubuntu 10.14) then he should be alright.

Disabling autorun is a good idea in any case though, another precaution I took, was to enter the BIOS of my (offline) netbook and then to disable wifi and bluetooth, to remove some more potential vectors.

I did not print my armory keys when generated, but saved to pdf and immediately encrypted the doc using Truecrypt (using a long, randomly generated password), and that is now sitting in an online backup service (which happens to be 2 factor auth protected too).

My offline armory wallet (on a ubuntu netbook) is password protected. My netbook is fully encrypted itself. Passwords were randomly generated for all.

I agree with acoindr when he says, that OP's online computer can get whatever sh*t on he cares to allow on there, as long as the offline computer is secure, then the coins will be safe (and the infection is then not passed onto the offline device).

Browser extensions can help with online computer safety, such as noscript, adblock, flashblock and if using chrome (which you should do I think), then go here: chrome://settings/content and set plugins to "click to play" rather than "play automatically". This will prevent things from being autorun on various webpages.

Also, never run anything you download from the internet unless you know what it is. This may sound obvious, but is more helpful than you might think - I am not trying to patronise anyone... :D

Stay safe OP.

Also, if anyone has any additional pointers I should beware of, not to hijack this thread, but I would always be open to hear them ;D

Not your keys, not your coins.
CoinJoin, always.
GiganticDays (OP)
June 07, 2013, 02:59:41 PM
 #19

Thanks for all your suggestions.
The offline machine is a clean install of LinuxMint so no viruses.
I'll be careful with the hard copies as recommended.
I'm satisfied I've done enough - it's not like I have a huge hoard!
Thanks again.
acoindr
June 07, 2013, 04:43:14 PM
 #20

> ... and also the most common attack vector - conning the user into installing the trojan/similar themselves ...

Exactly. That or lulling them into a false sense of security. That's why I say installing more software isn't the route for security. It's sort of like the mess we have now with the Fed. The only thing the Fed can do is print more money, which doesn't solve the problem because the problem is larger and within the system itself. You need to correct the system.

I actually thought of starting a company that sells guaranteed virus-free computers. It basically stores files in a compartmentalized way then clean re-installs the OS with a click or on schedule. With computer security becoming more important as technology integrates more into people's lives, and now directly deals with money I think it may be essential.

> I'm satisfied I've done enough - it's not like I have a huge hoard!

Yes, but others reading and seeking advice may. Thanks for asking.