Bitcoin Forum
Author Topic: Hostile action against the bitcoin infrastructure  (Read 20688 times)
ShadowOfHarbringer
January 20, 2011, 06:15:15 AM
 #61

You are thinking of the traditional garage made or botnet data thief virus that gets instantly detected and patched. You might want to brush up on the reality of actual state-level cybercrime or cyberwarfare.

I explained myself more fully in the other thread.

http://bitcointalk.org/index.php?topic=111.msg39486#msg39486

I know what You mean. I can still either run bitcoin as a different user, or better: run bitcoin in an encrypted virtual machine.
This practically takes the risk of any hack down to zero.

That attacker would have to
0) Find a MASSIVE way to attack everybody at once before the 0-day is detected (not an easy thing to do).
1) Crack my web browser (with Noscript/Flashblock/Adblock installed, so it is not an easy task either)
2) Find the correct virtual machine
3) Hack into the virtual machine, breaking its security also.

I **seriously doubt** that any 0-day will ever be able to do that.

And about Stuxnet: It ran on Windows. I don't put "windows" and "security" in one sentence.

genjix
January 20, 2011, 08:06:37 PM
 #62

A virtual machine is a good idea. Thanks, will do that.

Now I have:
- Inside an encrypted virtual machine with only Bitcoin + backup scripts installed (no desktop).
- Encrypted wallet.dat on the encrypted drive.
- PGP signed backups on servers that use SSH keys + long password.
- Firewall blocking all ports except Bitcoin in the virtual machine.

Am I missing anything else? Beat that suckers.
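
An added example, not part of genjix's post: signed backups like the ones listed above only protect the wallet if the signature is checked before a restore, with a key that is not stored on the backup server. This Python code uses HMAC-SHA256 from the standard library as a stand-in for the PGP signature; the function names, the `.hmac` suffix, the key and the wallet bytes are all constructed for illustration.

```python
import hashlib
import hmac
import os
import shutil
import tempfile
from pathlib import Path

TAG_SUFFIX = ".hmac"  # hypothetical naming convention for the detached tag


def _tag(path: Path, key: bytes) -> str:
    """HMAC-SHA256 over the file contents, streamed in chunks."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            mac.update(chunk)
    return mac.hexdigest()


def make_backup(wallet: Path, backup_dir: Path, key: bytes) -> Path:
    """Copy the wallet and write a detached tag next to the copy."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    copy = backup_dir / wallet.name
    shutil.copy2(wallet, copy)
    Path(str(copy) + TAG_SUFFIX).write_text(_tag(copy, key))
    return copy


def verify_backup(copy: Path, key: bytes) -> bool:
    """True only if the tag file exists and matches (constant-time compare)."""
    tag_file = Path(str(copy) + TAG_SUFFIX)
    if not copy.is_file() or not tag_file.is_file():
        return False
    stored = tag_file.read_bytes().strip()
    return hmac.compare_digest(stored, _tag(copy, key).encode())


def restore(copy: Path, wallet: Path, key: bytes) -> None:
    """Refuse an unverified backup; otherwise replace the wallet atomically."""
    if not verify_backup(copy, key):
        raise ValueError(f"backup {copy} failed verification, not restoring")
    tmp = wallet.with_name(wallet.name + ".restoring")
    shutil.copy2(copy, tmp)
    os.chmod(tmp, 0o600)      # wallet readable by its owner only
    os.replace(tmp, wallet)   # atomic rename on the same filesystem


def demo() -> dict:
    """Run three cases on constructed data inside a temporary directory."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        wallet = root / "wallet.dat"
        wallet.write_bytes(b"constructed wallet bytes, not a real wallet")
        key = b"constructed-key-kept-off-the-backup-server"
        copy = make_backup(wallet, root / "backups", key)
        results["clean_backup_verifies"] = verify_backup(copy, key)

        # Local wallet destroyed: a verified backup brings it back.
        wallet.unlink()
        restore(copy, wallet, key)
        results["restored"] = wallet.read_bytes() == copy.read_bytes()

        # Backup altered on the server: the restore must refuse it.
        copy.write_bytes(b"tampered")
        try:
            restore(copy, wallet, key)
            results["tamper_rejected"] = False
        except ValueError:
            results["tamper_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```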
MoonShadow
January 20, 2011, 08:23:36 PM
 #63

And about Stuxnet: It ran on Windows. I don't put "windows" and "security" in one sentence.

Not only did Stuxnet use four zero day exploits, only two of which were unknown; more analysis by actual experts has resulted in exactly the opposite conclusion of the media.  Although this was certainly put together by a group of people with a wide knowledge base concerning their target, a nuclear fuel refinement facility, the actual programming displays some basic errors with regards to the construction of a computer worm intended to hide from detection.  Either they were unaware of some old cloaking tricks better than what they chose to use, or the authors intended the worm to be discovered.  Considering the evidence all together, the worm was probably written by a small middle-eastern government in a hurry with a strong motive to delay Iran; which seems to implicate Israel.  However, Iran's facility is still not running months after the discovery of Stuxnet, so the one that was found may have been a distraction for an even better cloaked version still hammering away at its intended target.  It was a very precise weapon, as well, very tightly targeting only the particular facility it intended.

If any GNU/Linux distro has four unpatched zero day exploits at the same time, I'll eat my hat.

"The powers of financial capitalism had another far-reaching aim, nothing less than to create a world system of financial control in private hands able to dominate the political system of each country and the economy of the world as a whole. This system was to be controlled in a feudalist fashion by the central banks of the world acting in concert, by secret agreements arrived at in frequent meetings and conferences. The apex of the systems was to be the Bank for International Settlements in Basel, Switzerland, a private bank owned and controlled by the world's central banks which were themselves private corporations. Each central bank...sought to dominate its government by its ability to control Treasury loans, to manipulate foreign exchanges, to influence the level of economic activity in the country, and to influence cooperative politicians by subsequent economic rewards in the business world."

- Carroll Quigley, CFR member, mentor to Bill Clinton, from 'Tragedy And Hope'
ShadowOfHarbringer
January 20, 2011, 08:36:23 PM
 #64

If any GNU/Linux distro has four unpatched zero day exploits at the same time, I'll eat my hat.

Yeah - as I said - breaking into a fully patched desktop Linux with software only from signed repos using a 0-day is itself highly unlikely.

+ Add Noscript/Flashblock = Very highly unlikely (Critical 0-day vulnerabilities which do not require javascripts/canvas/html5/iframes/advanced stuff are VERY rare)
+ Add Virtual Machine = Practically impossible

Innomen
January 20, 2011, 08:50:25 PM
 #65

I don't put "windows" and "security" in one sentence.

I see, so then all I have to do to get the average man off the street to safely adopt bitcoin (and declare war on the fiscal system) is teach them linux, cryptography, and vmware. >.> Why didn't I think of that?

I am so sick and tired of attitudes like this making all of open source look downright smug and mean. Not to mention devoid of vision or common sense. I'm so tired of this petty divisive clannish crap.

Newsflash: Not Everyone Is A Nerd And This Is Not A Personal Failing. (I'm reminded of ethnocentrism, but that's the wrong word.) Society is full of specialists. Demanding that everyone who wants to use something as basic as Currency adopt Your specialty is unrealistic and arrogant to put it mildly.

It reminds me of some ivory tower obsessive compulsive math professor demanding that children be required to pass calculus 4 before leaving grade school just because you happen to have a gift for numbers. Or some crotchety old fossil demanding that everyone should have to churn their own butter just because he can and does.

Bitcoin is unsafe so long as the wallet file system persists.

Think of it this way. If every single bit coin were legally treated like an image of child porn, how long would it take before they were all destroyed? The fact that the system allows bitcoins to effectively be destroyed is a huge, obvious, glaring, deal breaking, weakness. If it can't be coded around or even conceptualized around then bitcoin is dead.

You people don't seem to fathom the damage a functional crypto currency would do to government power, nor the lengths to which they will go to preserve that power. Think secret service anti-counterfeiting efforts times a billion.

Perspective: ultimately, we are attempting to usurp the power of the global financial industry and trying to talk people out of using dollars at the same time.

We are trying to unrig THE game.

Your technically skilled naivete would be adorable and entertaining if the loss humanity might incur (the wholesale rejection of virtual currency as unsafe thanks to a lousy first impression and poor initial marketing) as a result was not so severe.

Why don't you stop thinking about your ego for 30 seconds and think about humanity and its future? This isn't about how smart YOU are! It's about making average people comfortable enough to trust their lives to this abstraction. This is about perception management along with ideological and cyber warfare.

Look at the damage controlled currency has done to history.

Quote
"Permit me to issue and control the money of a nation, and I care not who makes its laws." ~Mayer Amschel Rothschild

Are you really going to get all defensive and snide with newbies when we have a real chance to prevent that damage?

I guess you are.

Your children and their children will probably die slaves of the banking system like we both will because of it, but hey at least you got to feel like a computer god for a little while. Fair trade yeah? >.>

You know, it dawns on me, at this point people like you are a worse threat than the ones I've mentioned.

You're like the techs at Chernobyl that said yeah sure an RBMK graphite-moderated reactor design allows for melt down, but our awesome technical skill and professional vigilance will be enough to prevent disaster, we have no need to consider the much safer PWR design.

It's probably too late already and I'm wasting my time.

Enjoy the last word, I'm done.
Stephen Gornick
January 20, 2011, 09:23:31 PM
 #66

Bitcoin is unsafe so long as the wallet file system persists.

Perhaps this alternative is suitable?

WALLET: Private key password encryption (AES256), makes the wallet require a password to sign a transaction
Version 0.1.0
planned for mid-january 2011

  http://en.bitcoin.it/wiki/QBitcoin

MoonShadow
January 20, 2011, 09:58:38 PM
 #67

Bitcoin is unsafe so long as the wallet file system persists.

Perhaps this alternative is suitable?

WALLET: Private key password encryption (AES256), makes the wallet require a password to sign a transaction
Version 0.1.0
planned for mid-january 2011

  http://en.bitcoin.it/wiki/QBitcoin


That would be an improvement, but the 'scorched earth' type attack wouldn't care to sign a transaction.  However, any methods to hide the wallet.dat data by the client itself would be in the source code, and the attacker would know where to go to destroy that data.

MoonShadow
January 20, 2011, 10:08:03 PM
 #68

Innomen, you are getting upset.  Calm down.  It is good for the community to have those who consider the weaknesses, but it is not necessary that everyone agree on what to do about that.  I agree that the threat is greater than can be perceived at this time, but I don't agree that changing the system to permit coin recovery or forcing a security model on the user is the answer.  The real answer is that there must be many answers.  The vanilla client is just that, if you see a security issue with it, change it and release the code.  Some people will adopt your ideas, others will not.  What makes the whole of Bitcoin at greatest risk to destruction from a single massive attack vector is that everyone uses the same base code.  Using different OS's is only a stopgap measure.  Backups of wallet.dat files are only a stopgap measure.  We are aware that there is a risk to all of this, or many risks.  You are being heckled mostly because you are presenting the problems from only one perspective, your own, and seem to know very little about how the system actually works.  Not enough to offer any real solutions, at least not widely acceptable.

ShadowOfHarbringer
January 21, 2011, 08:50:34 AM
 #69

Bitcoin is unsafe so long as the wallet file system persists.

Perhaps this alternative is suitable?

WALLET: Private key password encryption (AES256), makes the wallet require a password to sign a transaction
Version 0.1.0
planned for mid-january 2011

  http://en.bitcoin.it/wiki/QBitcoin


That would be an improvement, but the 'scorched earth' type attack wouldn't care to sign a transaction.  However, any methods to hide the wallet.dat data by the client itself would be in the source code, and the attacker would know where to go to destroy that data.

I think the improvement would be that wallet could be completely encrypted, so to send or accept any transactions, one would have to give a password.
Still, that would not protect against keylogger attacks.

neolith2099
January 22, 2011, 04:16:06 AM
 #70

I think the improvement would be that wallet could be completely encrypted, so to send or accept any transactions, one would have to give a password.
Still, that would not protect against keylogger attacks.

Would it be considered a bad thing for someone to set up a company that manages Bitcoin wallets for people? I don't mean someone with only 1 server in an office building, but more like multiple servers around the world. They all replicate to each other and transfer data securely among them.

Obviously you would have to trust these companies, but don't people already trust banks with their money?

Even with bank insurance, who can say that you are getting your money at the value that you should? You might just be getting newly printed money which effectively is not the same amount (from a true value perspective) as what you put in. Based on what I am reading, I believe Bitcoin overcomes that sort of manipulation. Just a thought and I could be wrong.

MoonShadow
January 22, 2011, 04:31:18 AM
 #71

I think the improvement would be that wallet could be completely encrypted, so to send or accept any transactions, one would have to give a password.
Still, that would not protect against keylogger attacks.

Would it be considered a bad thing for someone to set up a company that manages Bitcoin wallets for people? I don't mean someone with only 1 server in an office building, but more like multiple servers around the world. They all replicate to each other and transfer data securely among them.


Do you mean something different than www.mybitcoin.com?

alkor (OP)
January 23, 2011, 04:49:06 AM
 #72

Or one could just create a separate device running a highly secure OS with a simple bitcoin client, and with wireless enabled so that it could connect to the internet. With such a secured device viruses and other types of attacks on the wallet would be highly unlikely, as there would be no third party applications, and installation of additional software would be disabled.

Then the safety of the wallet would simply require one to be able to physically secure the actual device.
Anonymous
Guest

January 23, 2011, 05:26:56 AM
 #73

Or one could just create a separate device running a highly secure OS with a simple bitcoin client, and with wireless enabled so that it could connect to the internet. With such a secured device viruses and other types of attacks on the wallet would be highly unlikely, as there would be no third party applications, and installation of additional software would be disabled.

Then the safety of the wallet would simply require one to be able to physically secure the actual device.

Create a bitcoin space heater with 1 or 2 gpus and use powerline networking?

In winter you could have a nice foot warmer as well. :)
FreeMoney
January 23, 2011, 05:55:28 AM
 #74

Or one could just create a separate device running a highly secure OS with a simple bitcoin client, and with wireless enabled so that it could connect to the internet. With such a secured device viruses and other types of attacks on the wallet would be highly unlikely, as there would be no third party applications, and installation of additional software would be disabled.

Then the safety of the wallet would simply require one to be able to physically secure the actual device.

Create a bitcoin space heater with 1 or 2 gpus and use powerline networking?

In winter you could have a nice foot warmer as well. :)

This would be so amazing. If you could get a thermostat working roughly accurately a little heater/fan that paid back the electricity that it used in bitcoin would be the best thing ever (for cold feet and for bitcoin).

Play Bitcoin Poker at sealswithclubs.eu. We're active and open to everyone.
neolith2099
January 27, 2011, 05:05:00 AM
 #75

I think the improvement would be that wallet could be completely encrypted, so to send or accept any transactions, one would have to give a password.
Still, that would not protect against keylogger attacks.

Would it be considered a bad thing for someone to set up a company that manages Bitcoin wallets for people? I don't mean someone with only 1 server in an office building, but more like multiple servers around the world. They all replicate to each other and transfer data securely among them.


Do you mean something different than www.mybitcoin.com?

Actually... pretty much just like mybitcoin.com only there are several separate versions of them to avoid one site/company monopolizing the "trusted bank" structure. These companies can run internal transactions with other customers that use them to provide additional services such as insurance, escrow, etc. The only time any actual bitcoin transactions take place are when people send bitcoins outside of the institution of "trusted banks" - in which case the transfer cannot be insured by the "trusted bank" network.

Maybe I'm getting ahead of myself, but the only way I see bitcoin picking up pace is if merchants and consumers have ways of being protected from scams, etc. I like the clearcoin concept, but I think their structure is far from perfect. Their choice to not handle disputes doesn't make me feel any safer than if I were to just risk my coins. Being able to not use bitcoins that were meant for a purchase for 30 days, 6 months, or even 12 months wouldn't faze me if I were a hardcore con-artist. The point is to eliminate the buyer/seller beware worries, which clearcoin isn't doing. Anyway, that's a discussion for another topic.
neolith2099
January 27, 2011, 05:07:28 AM
 #76

Or one could just create a separate device running a highly secure OS with a simple bitcoin client, and with wireless enabled so that it could connect to the internet. With such a secured device viruses and other types of attacks on the wallet would be highly unlikely, as there would be no third party applications, and installation of additional software would be disabled.

Then the safety of the wallet would simply require one to be able to physically secure the actual device.

Create a bitcoin space heater with 1 or 2 gpus and use powerline networking?

In winter you could have a nice foot warmer as well. :)

This would be so amazing. If you could get a thermostat working roughly accurately a little heater/fan that paid back the electricity that it used in bitcoin would be the best thing ever (for cold feet and for bitcoin).

I wouldn't mind having something like this ;)
Anonymous
Guest

January 27, 2011, 10:53:54 AM
 #77

It would be an expensive heater lol.

FreeMoney
January 27, 2011, 11:25:17 AM
 #78

It would be an expensive heater lol.


Yes, but it might even pay you to run it!

You could blow people's mind with this. "Here, this heater costs $800, it doesn't get all that hot, but it costs less than nothing to run."

Anonymous
Guest

January 27, 2011, 12:13:40 PM
 #79

It would be an expensive heater lol.


Yes, but it might even pay you to run it!

You could blow people's mind with this. "Here, this heater costs $800, it doesn't get all that hot, but it costs less than nothing to run."


I wonder what the best gpu to use for it would be ....

something that gets really hot? :D
ribuck
January 27, 2011, 12:27:07 PM
 #80

I wonder what the best gpu to use for it would be ....

something that gets really hot? :D

Well no, you choose the GPU that gets least hot (for the same hash rate), because you want the maximum BTC payout per watt. If you have a GPU that generates the same number of blocks without becoming so hot, you simply use two of them in your heater.

If you wanted something that got really hot, you would stick with CPU mining.