acoindr
Legendary
Offline
Activity: 1050
Merit: 1002
|
|
August 20, 2013, 06:28:10 PM |
|
The problem is Android is still an operating system and therefore vulnerable to malware. It also wasn't built with Bitcoin in mind. You tell people it's safe for them to use as cold storage for 50K then the recent Android bug with random number generation can wipe them out. The Trezor is designed for security and Bitcoin specifically so it's far more unlikely to have such a glaring software flaw.
AFAIK the Trezor has got no RNG at all. It is seeded with randomness by the host that it is connected to. Well, it uses a mnemonic code of 12 words for the seed: http://www.bitcointrezor.com/faq/#software-design-securityIt generates this when the device is first initialized after plugging it into a computer, so yes I think it would grab some randomness from there. At least I hope so. It would then probably use that to randomly choose from an internal dictionary of words. Don't use Windows...
Which is absurd. What chance does bitcoin have if people can't use it on their home PC for fear of theft? Online wallets and clients need 2FA and maybe online banking style "enter letters 3, 5 and 7 from your password" to help improve security. For anyone moving coins around - buying and selling, day trading, etc - paper wallets or offline storage really isn't practical. Yeah, there are a lot of idiots running the TOR project who recommend to stay away from Windows too http://threatpost.com/tor-urges-users-to-leave-windowsThey are not idiots. Staying away from Windows is prudent advice for anyone, especially types interested in Tor. There are several reasons. Even apart from software vulnerability Microsoft has been shown willing to work with the NSA. There were hidden NSA labelled keys found in the operating systems starting from Windows 95, the purpose of which is unknown.
|
|
|
|
westkybitcoins
Legendary
Offline
Activity: 980
Merit: 1004
Firstbits: Compromised. Thanks, Android!
|
|
August 20, 2013, 08:46:53 PM |
|
For the cost of a (plastic) Trezor, one can purchase a cheap Android smartphone, install cyanogenmod if desired, then install Mycelium. While this arrangement has flaws compared to a Trezor, it also has advantages, and it's certainly good enough to produce paper wallets, or to keep turned off as a cold storage medium for modest funds. Anyone who has a lot of bitcoins should currently be using a paper or other cold-storage wallet, but if that's too cumbersome, at least they can go the dedicated-smartphone route rather than keep their bitcoins on a web wallet while waiting for Trezor.
No, I don't like that idea. The problem is Android is still an operating system and therefore vulnerable to malware. It also wasn't built with Bitcoin in mind. You tell people it's safe for them to use as cold storage for 50K then the recent Android bug with random number generation can wipe them out. The Trezor is designed for security and Bitcoin specifically so it's far more unlikely to have such a glaring software flaw. If people are storing substantial coins then they shouldn't mind spending either the time or money necessary to ensure their coins are safe. For about the same cost they can buy a simple dedicated laptop to use with Armory and be assured their coins are safe, including easy paper wallet backups. I agree with the notion that using an Android phone is a flawed solution, but then all "solutions" to this are flawed, and the least-flawed solution remains paper wallets. Storing 50K on your phone is unwise, but frankly I wouldn't trust that much to a Trezor either, or even a laptop with Armory; physical and inert media seems to be the only method with a low enough risk. Android/Mycelium has it's own advantages the other solutions do not. So does laptop/Armory. And so does Trezor. Unfortunately, Trezor isn't out yet, and as far as Mycelium vs. Armory, I'm not convinced bitcoins sitting on a dedicated smartphone are significantly less safe than bitcoins sitting on a laptop with Armory, especially after the difficulty of setup and use is factored in. Still, I completely understand those taking a different stance. (And hey, one could always hedge their bets and do both.) I think we at least agree that paper wallets remain the most secure storage method for now. Blockchain.info should be used as a convenient spending wallet, not storage wallet.
I disagree. While I think it's true no one should use it for savings and storage, I see no reason to use it at all any more, even for spending, if it's at all possible to avoid doing so. If you have a home computer, there are good clients available to use. If you have an Android smartphone, the same is true (I just think one happens to be better.) If someone cannot learn to use one of those clients to spend bitcoins, or cannot afford to do so, or just finds them too inconvenient, then I would question whether they should be using bitcoins in the first place. Maybe next year, or a couple of years from now, but not at this point, sadly.
|
Bitcoin is the ultimate freedom test. It tells you who is giving lip service and who genuinely believes in it.
... ... In the future, books that summarize the history of money will have a line that says, “and then came bitcoin.” It is the economic singularity. And we are living in it now. - Ryan Dickherber... ... ATTENTION BFL MINING NEWBS: Just got your Jalapenos in? Wondering how to get the most value for the least hassle? Give BitMinter a try! It's a smaller pool with a fair & low-fee payment method, lots of statistical feedback, and it's easier than EasyMiner! (Yes, we want your hashing power, but seriously, it IS the easiest pool to use! Sign up in seconds to try it!)... ... The idea that deflation causes hoarding (to any problematic degree) is a lie used to justify theft of value from your savings.
|
|
|
acoindr
Legendary
Offline
Activity: 1050
Merit: 1002
|
|
August 20, 2013, 09:08:15 PM |
|
I agree with the notion that using an Android phone is a flawed solution, but then all "solutions" to this are flawed...
How is the Trezor solution flawed? Storing 50K on your phone is unwise, but frankly I wouldn't trust that much to a Trezor either
What problem do you imagine there? , or even a laptop with Armory;
You buy a cheap dedicated laptop and cleanly install an OS. Go to bitcoin.org and download Bitcoin-Qt. Go to bitcoinarmory.com and download Armory. Disconnect it permanently from the Internet. Proceed to use Armory for paper backups, storing and spending coins. What problem do you imagine? Blockchain.info should be used as a convenient spending wallet, not storage wallet.
I disagree. While I think it's true no one should use it for savings and storage, I see no reason to use it at all any more, even for spending, if it's at all possible to avoid doing so. If you have a home computer, there are good clients available to use. What happens if you're away from home? Blockchain.info can give users similar access to spending bitcoins as online email services give users for accessing email, which is access anywhere in the world. Keeping a few hundred dollars worth of spending money in a Blockchain.info wallet seems very convenient and low risk to me.
|
|
|
|
Realpra
|
|
August 20, 2013, 09:09:21 PM |
|
Your post is mostly correct except there is no "trial and error" about it. If the same random value is used in the creation of two different signatures then the private key can be directly and immediately calculated from the information publicly available in the block chain.
Hmm I suppose you can see if two Rs are the same right away yes. To say that r is "not a random number" because it is derived from a random number is silly. The mod of the x coordinate of k*G of a random number k is a random number. The private key is also a random number, but the public key derives from it, so is the public key a random number? No it is not. Saying r is random is confusing people.
|
|
|
|
World
|
|
August 20, 2013, 09:46:22 PM |
|
I agree with the notion that using an Android phone is a flawed solution, but then all "solutions" to this are flawed...
How is the Trezor solution flawed? Here's a video [OHM2013] Trezor Bitcoin Hardware Wallet
|
Supporting people with beautiful creative ideas. Bitcoin is because of the developers,exchanges,merchants,miners,investors,users,machines and blockchain technologies work together.
|
|
|
acoindr
Legendary
Offline
Activity: 1050
Merit: 1002
|
|
August 20, 2013, 09:57:11 PM |
|
I agree with the notion that using an Android phone is a flawed solution, but then all "solutions" to this are flawed...
How is the Trezor solution flawed? Here's a video [OHM2013] Trezor Bitcoin Hardware WalletI've watched the Trezor video at their website and also the talk given at the Bitcoin 2013 Conference. The video you linked is 45 minutes long, but I doubt it will specify the Trezor is a flawed solution. Does it?
|
|
|
|
600watt
Legendary
Offline
Activity: 2338
Merit: 2106
|
|
August 20, 2013, 10:02:01 PM |
|
watching
|
|
|
|
btcven
|
|
August 20, 2013, 11:35:50 PM |
|
Don't use Windows...
Which is absurd. What chance does bitcoin have if people can't use it on their home PC for fear of theft? Online wallets and clients need 2FA and maybe online banking style "enter letters 3, 5 and 7 from your password" to help improve security. For anyone moving coins around - buying and selling, day trading, etc - paper wallets or offline storage really isn't practical. Yeah, there are a lot of idiots running the TOR project who recommend to stay away from Windows too http://threatpost.com/tor-urges-users-to-leave-windowsThey are not idiots. Staying away from Windows is prudent advice for anyone, especially types interested in Tor. There are several reasons. Even apart from software vulnerability Microsoft has been shown willing to work with the NSA. There were hidden NSA labelled keys found in the operating systems starting from Windows 95, the purpose of which is unknown. Obviously my message has the SARCASM tag missing
|
|
|
|
acoindr
Legendary
Offline
Activity: 1050
Merit: 1002
|
|
August 20, 2013, 11:52:15 PM |
|
Obviously my message has the SARCASM tag missing Sorry I missed that I thought it seemed strange.
|
|
|
|
lophie
|
|
August 21, 2013, 06:04:58 AM |
|
I am sorry for your loss. Most people here learn how to secure and backup their bitcoins the hard way. I am sorry that your loss is relatively a big one. But from now on it will only get better if you decided to learn.
- Stop using Windows operating system. - Stop using closed sourced or untrusted sourced software. - Stop being ignorant to healthy security practices.
What I found really helpful if you still don't want to do all the above in your daily routines, Do them at least in a dedicated device for your bitcoins. I suggest a small netbook. I think I should start a thread for that....
|
Will take me a while to climb up again, But where is a will, there is a way...
|
|
|
batt01
|
|
August 21, 2013, 06:28:08 AM |
|
I am sorry for your loss. Most people here learn how to secure and backup their bitcoins the hard way. I am sorry that your loss is relatively a big one. But from now on it will only get better if you decided to learn.
- Stop using Windows operating system. - Stop using closed sourced or untrusted sourced software. - Stop being ignorant to healthy security practices.
What I found really helpful if you still don't want to do all the above in your daily routines, Do them at least in a dedicated device for your bitcoins. I suggest a small netbook. I think I should start a thread for that....
I agree with the advice given here. A cheap desktop or notebook running some flavor of Linux. Use it only for Bitcoin transaction and management. Windows is a malware magnet. A dual boot on a pc would work as well. I use Manjaro with is a arch linux distro, small footprint and very fast and secure. I use it in virtualbox vm and its offline unliess Im doing bitcoin stuff, I dont browse or use if for anything else, just to access my bitfunder acct and to move funds into. However I doint have that much to worry about.
|
|
|
|
m19
|
|
August 21, 2013, 07:38:18 AM |
|
There should be a better solution then stop using Windows, how else are non technical people gonna adapt Bitcoin?
|
|
|
|
Rampion
Legendary
Offline
Activity: 1148
Merit: 1018
|
|
August 21, 2013, 07:49:45 AM |
|
There should be a better solution then stop using Windows, how else are non technical people gonna adapt Bitcoin?
I work with non technical people and I convinced them to leave windows for good 4/5 years ago. Most of them went to OSX and bought macbooks, a couple of them chose Linux (specifically Ubuntu and Linux Mint, which I'd say are even easier to use than Windows). All of them say they would NEVER go back to Windoze.
|
|
|
|
m19
|
|
August 21, 2013, 08:09:15 AM |
|
There should be a better solution then stop using Windows, how else are non technical people gonna adapt Bitcoin?
I work with non technical people and I convinced them to leave windows for good 4/5 years ago. Most of them went to OSX and bought macbooks, a couple of them chose Linux (specifically Ubuntu and Linux Mint, which I'd say are even easier to use than Windows). All of them say they would NEVER go back to Windoze. Well good luck convincing the rest of the world, that a couple people started using Linux doesn't change the fact the majority of the world doesn't use it. We need a save way to use it on Windows, that's a fact. I think the best way is to educate them to use some kind of 2 factor authorization (ie. password + mobile phone), that should keep most wallets save.
|
|
|
|
stefffe
|
|
August 21, 2013, 08:14:09 AM |
|
Still trying to figure out how the thief accessed account if you had google authenticator activated?
|
|
|
|
batt01
|
|
August 21, 2013, 08:56:37 AM |
|
There should be a better solution then stop using Windows, how else are non technical people gonna adapt Bitcoin?
I work with non technical people and I convinced them to leave windows for good 4/5 years ago. Most of them went to OSX and bought macbooks, a couple of them chose Linux (specifically Ubuntu and Linux Mint, which I'd say are even easier to use than Windows). All of them say they would NEVER go back to Windoze. Well good luck convincing the rest of the world, that a couple people started using Linux doesn't change the fact the majority of the world doesn't use it. We need a save way to use it on Windows, that's a fact. I think the best way is to educate them to use some kind of 2 factor authorization (ie. password + mobile phone), that should keep most wallets save. The majority of users only use a browser and using Chrome or Firefox on a Linux box is no different than on Windows. 260 BTC lost is a good reason to consider making a few changes. Lots of money is lost to thieves from malware compromised Windows machines, but the banks and CC companies will replace your stolen funds. If someday bitcoins become mainstream and a common medium of exchange, simular protection are surely to be put in place. Until that day arrives it may be prudent to take some precautions.
|
|
|
|
Rampion
Legendary
Offline
Activity: 1148
Merit: 1018
|
|
August 21, 2013, 09:01:31 AM |
|
There should be a better solution then stop using Windows, how else are non technical people gonna adapt Bitcoin?
I work with non technical people and I convinced them to leave windows for good 4/5 years ago. Most of them went to OSX and bought macbooks, a couple of them chose Linux (specifically Ubuntu and Linux Mint, which I'd say are even easier to use than Windows). All of them say they would NEVER go back to Windoze. Well good luck convincing the rest of the world, that a couple people started using Linux doesn't change the fact the majority of the world doesn't use it. We need a save way to use it on Windows, that's a fact. I think the best way is to educate them to use some kind of 2 factor authorization (ie. password + mobile phone), that should keep most wallets save. The majority of users only use a browser and using Chrome or Firefox on a Linux box is no different than on Windows. 260 BTC lost is a good reason to consider making a few changes. Lots of money is lost to thieves from malware compromised Windows machines, but the banks and CC companies will replace your stolen funds. If someday bitcoins become mainstream and a common medium of exchange, simular protection are surely to be put in place. Until that day arrives it may be prudent to take some precautions. I'm not so sure that using Chrome or Firefox on a Linux box is no different than on Windows. There are much more vector attacks on Windows, plus there is much more malware/RATs/viruses coded for that SO. Honestly, Linux might scare a lot of people but Ubuntu and its derivatives made wonders in terms of ease of use... Then you have OSX, which is not invulnerable at all as some think, but in any case is order of magnitude more secure than Windows. I use both OSX and Linux, and I never got any type of malware in aprox. 10 years, and I don't follow any type of special "security protocol", I just disable Java, activate the firewall + a reverse firewall (in OSX Little Snitch, for example), and I scan for viruses files downloaded from untrusted sources (but I never have it running in the background). In Windows, if you do not regularly tweak your system to enforce security, run an antivirus on the background, etc. you will end up with some kind of spyware/malware etc. almost for sure.
|
|
|
|
LiteCoinGuy
Legendary
Offline
Activity: 1148
Merit: 1014
In Satoshi I Trust
|
|
August 21, 2013, 03:37:48 PM |
|
What wallet were you using?
Do you have an android phone?
Do you have a Bitcoin wallet on your android phone? If so which one?
The fact that the thief gave you change is interesting. Why not steal all the BTC?
i don't use android phone. i use blockchain.info he stole all btc in these 2 address. man -.- ! you had all your coins at blockchain? an online wallet? maybe thats your lesson...
|
|
|
|
piuk
|
|
August 21, 2013, 05:04:17 PM |
|
It is correct. Click "Show scripts & coinbase" for these both transactions. You will see that both used the same random number: 04b8c7b27846a1df35a87763f75b421a4f8148d17ca91c2daab6838aa5b04d48e373bba0cc1e081 be696bc626296febcdccab5336a43b8861a91afa57865bbb3f5
That is the public key of the address, not the random number (public keys always being with 04). These addresses are not affected by the random number issue.
|
|
|
|
acoindr
Legendary
Offline
Activity: 1050
Merit: 1002
|
|
August 21, 2013, 05:14:08 PM |
|
There should be a better solution then stop using Windows, how else are non technical people gonna adapt Bitcoin?
I work with non technical people and I convinced them to leave windows for good 4/5 years ago. Most of them went to OSX and bought macbooks, a couple of them chose Linux (specifically Ubuntu and Linux Mint, which I'd say are even easier to use than Windows). All of them say they would NEVER go back to Windoze. Well good luck convincing the rest of the world, that a couple people started using Linux doesn't change the fact the majority of the world doesn't use it. We need a save way to use it on Windows, that's a fact. I think the best way is to educate them to use some kind of 2 factor authorization (ie. password + mobile phone), that should keep most wallets save. Using the Trezor with Windows would be a perfectly secure way to store and spend coins. (But people should really try migrating away from Windows)
|
|
|
|
|