Bitcoin Forum
December 14, 2024, 09:29:37 AM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1]
  Print  
Author Topic: [SECURITY] Feature request for Windows clients  (Read 1077 times)
mouse (OP)
Newbie
*
Offline Offline

Activity: 56
Merit: 0



View Profile
June 27, 2011, 06:28:56 AM
Last edit: June 27, 2011, 06:38:57 AM by mouse
 #1

Hi,

A few assumptions I'd like to make:
1. most developers do not use windows, by default.
2. in the future, most new user will be using windows.
3. a large number of those users will have vulnerable machines (OS not patched with latest fixes).

Given this I'd like to propose a new feature that should be relatively easy to develop yet provide massive bang for buck in user security and positive Bitcoin press. However I'm no Win OS developer so for all I know it's impossible. Maybe via the WUApi.dll?

Whenever bitcoin is run on a windows machine that is not up to date the client shows a prominent warning icon that their wallet security is as stake.
This can link to a simple guide explaining how to turn on windows update.

If I had a lot of BTC, which I sadly don't, I would bounty this.
error
Hero Member
*****
Offline Offline

Activity: 588
Merit: 500



View Profile
June 27, 2011, 06:44:11 AM
 #2

It's a nice idea.

The problem, of course, is in the implementation. It's actually quite difficult to determine - for real - if updates are available for a Windows box. Many viruses and trojans pull tricks to prevent the Windows update service from working properly, so one might determine that there are no updates when there really are. Of course some of them are none too subtle about it, so a lot of these situations would be detectable.

I'm not sure it's such a good idea to weigh down the official Bitcoin client with what would essentially be a large chunk of anti-malware code.

3KzNGwzRZ6SimWuFAgh4TnXzHpruHMZmV8
zellfaze
Full Member
***
Offline Offline

Activity: 141
Merit: 101


Security Enthusiast


View Profile WWW
June 27, 2011, 01:26:59 PM
 #3

Quote
It's actually quite difficult to determine - for real - if updates are available for a Windows box. Many viruses and trojans pull tricks to prevent the Windows update service from working properly, so one might determine that there are no updates when there really are.

We can at least try to ask Windows Security Centre whether or not they have anti-virus, updates, etc.  Even if it doesn't provide the correct answer (i.e. it lies because they already have a virus) wouldn't that be better than nothing?

I think we can query Windows Security Centre for Updates, Firewall, and Anti-virus, although I could be wrong as I know very little on the subject.

Quote
I'm not sure it's such a good idea to weigh down the official Bitcoin client with what would essentially be a large chunk of anti-malware code.

Would make a good fork though.  Alt-client: "Secure bitcoin"

A+, CCENT, CCNA
Security Enthusiast
PHP Coder

Not that I expect anyone to, but should you like my post, please donate:
Donate: 1BRbfqii6Sm9tEUE8A16H7QeDmYFjyBZ7V
error
Hero Member
*****
Offline Offline

Activity: 588
Merit: 500



View Profile
June 27, 2011, 05:11:01 PM
 #4

Nah, that would be "SuperBitcoinAntiMalware2013". Grin

3KzNGwzRZ6SimWuFAgh4TnXzHpruHMZmV8
JoelKatz
Legendary
*
Offline Offline

Activity: 1596
Merit: 1012


Democracy is vulnerable to a 51% attack.


View Profile WWW
June 29, 2011, 03:10:24 PM
 #5

The problem, of course, is in the implementation. It's actually quite difficult to determine - for real - if updates are available for a Windows box. Many viruses and trojans pull tricks to prevent the Windows update service from working properly, so one might determine that there are no updates when there really are. Of course some of them are none too subtle about it, so a lot of these situations would be detectable.
I think the goal is more to warn a person that their box is vulnerable, not that it's compromised already.

Quote
I'm not sure it's such a good idea to weigh down the official Bitcoin client with what would essentially be a large chunk of anti-malware code.
I wonder if somebody already has a library to do exactly this. If it was already build and maintained, that might make the decision easier. Trying to have the client maintainers also maintain a list of vulnerabilities to probe seems to be a bit crazy.

I am an employee of Ripple. Follow me on Twitter @JoelKatz
1Joe1Katzci1rFcsr9HH7SLuHVnDy2aihZ BM-NBM3FRExVJSJJamV9ccgyWvQfratUHgN
Pages: [1]
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!