Bitcoin Forum
December 03, 2016, 04:44:08 AM *
News: To be able to use the next phase of the beta forum software, please ensure that your email address is correct/functional.
 
   Home   Help Search Donate Login Register  
Pages: [1] 2 »  All
  Print  
Author Topic: Portable Bitcoin Security, Backup & Privacy toolkit.  (Read 5610 times)
RchGrav
Full Member
***
Offline Offline

Activity: 149



View Profile
July 13, 2011, 06:13:18 PM
 #1

Hello Everyone,

I just wanted to share my personal bitcoin security toolkit...

I believe this combination represents the current state of the art in portable bitcoin wallets, privacy, and secure bitcoin exchange access.

The first tool is the "8GB Ironkey Basic S200" which I use for a portable bitcoin wallet & security software ensemble.

The Ironkey is the most secure USB flash drive in the world.. It is virtually impervious to any known exploits, brute force, or physical attacks to attempt to access the data contained on the Flash Memory.  Any data which is read/written to the flash drive has to pass through an embedded encryption chip, which is unlocked by a custom launcher which runs when you put it into a computer. The S200 series contains higher quality SLC flash storage capable of performing swap and virtual memory functions, the D200 edition contains less expensive MLC flash, not suitable for virtual machine usage, however you get about twice as much storage for the same cost.  If the drive is lost or stolen, the attacker has 10 attempts to enter the correct password, after the 10th incorrect password, the internal electronics automatically perform a complete wipe of the flash chips and the encryption chip then will self destruct rendering the drive useless.  The one unique feature of the "Basic" edition of the Ironkey vs the "Personal" edition is the fact that it is able to be configured to only "Wipe the data", but not to self destruct the rest of the electronics. (Ironkey's are not cheap, so I don't want mine to destroy itself under ANY circumstances.)   Initially, the Ironkey emulates a USB CD-ROM drive in order to launch the tool to unlock the encrypted drive.  The password / encryption keys NEVER enter the host computers memory as the application communicates directly with the encryption chip.  Once you unlock the drive you are presented with a set of utilities for managing the Ironkey, including a secure backup facility which is able to make an encrypted backup of the Ironkey to your local hard drive in case it is lost or stolen, you can easily restore this backup to a fresh Ironkey drive.  The Ironkey Unlocker also doubles as an application launcher for your bitcoin client, tor browser bundle, portable virtualbox VM's, security software, or any other portable applications & data you would like to carry with you on the drive.  I am recommending the "Basic" edition of the Ironkey for bitcoin usage since the personal edition bundles some "Windows Only" security software.. some of which require fee's after the first year, like their own "Private Web Browser" which is essentially a custom version of TOR which uses their own private nodes.  Both editions can still be securely unlocked & mounted on Windows, Mac, & Linux... and have the option of being mounted in a "Read-Only" mode... which could be useful for securely performing drive and memory scans of a host computer.  The usefulness of these features are only limited by your own cleverness and creativity.

https://www.ironkey.com/demo-basic

The second tool in the kit is the "Yubikey" provided to me by MT.Gox.

If you don't know what a Yubikey is, then you probably don't religiously listen to the "Security Now" podcast, as Yubico will tell you if you ask them, that they attribute a portion of their success to Steve Gibson's support of their product.  A yubikey appears to be a USB flash drive, but it is more closely related to the electronics found in a standard USB keyboard combined with encryption firmware on board. The build quality of the Yubikey is EXCELLENT, it is similar to that of a solid poker chip, and has been shown to be nearly indestructible & completely sealed and waterproof.  In addition to that it contains no on board battery since it is powered 100% by the host computer.  In its usage with MT.GOX it provides a secondary authentication factor that works on anything that supports a standard USB Keyboard, Linux, Mac, Windows, iPhone/iPad (USB dongle in the Camera Connection Kit) and even various Android devices since they can switch their charging port into a USB host port (google it)...  Neither the Yubikey, or your credentials alone will allow a hacker to get into your account, you must have both the physical Yubikey & the knowledge of your credentials. Once you login with your name and password @ MT.GOX you are then required to do a secondary authentication using the Yubikey.  Each time you press the button it will generate a single use OTP (one time password) that needs to be entered in a field which is presented AFTER you log in with your normal MT.GOX name and password.  Not only does the MT.GOX Yubikey enhance your security during the login process, but it also requires you to hold your finger on the yubikey button for 3 seconds to produce a unique "withdraw password" before allowing any funds to be transferred out of your MT.GOX account.

MT.Gox will provide the Yubikey to any of its users upon request for a small fee, additionally, if you had a trade which got rolled back during the infamous MT.GOX incident, you can request that a yubikey be sent to your completely free of charge. Which was a commendable gesture on their part in my humble opinion.

https://yubikey.mtgox.com/ Request your Yubikey security device here.

http://youtu.be/xYnznunUAOU Yubikey programming & manufacturing video.


Here is a photo of both devices, on my keyring, along side 2 drop forged keyring screwdrivers, my house key, and the key to my secret lair, muhahahaha ha cough.. :-)



4C 6F 6E 67  4C 69 76 65  42 69 74 63 6F 69 6E
Qba'g lbh unir nalguvat orggre gb qb?
1480740248
Hero Member
*
Offline Offline

Posts: 1480740248

View Profile Personal Message (Offline)

Ignore
1480740248
Reply with quote  #2

1480740248
Report to moderator
1480740248
Hero Member
*
Offline Offline

Posts: 1480740248

View Profile Personal Message (Offline)

Ignore
1480740248
Reply with quote  #2

1480740248
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1480740248
Hero Member
*
Offline Offline

Posts: 1480740248

View Profile Personal Message (Offline)

Ignore
1480740248
Reply with quote  #2

1480740248
Report to moderator
1480740248
Hero Member
*
Offline Offline

Posts: 1480740248

View Profile Personal Message (Offline)

Ignore
1480740248
Reply with quote  #2

1480740248
Report to moderator
BitcoinPorn
Hero Member
*****
Offline Offline

Activity: 560


Posts: 69


View Profile WWW
July 13, 2011, 06:16:53 PM
 #2

I want like ten iron keys, those look solid and bad ass.  I like that one dude who promoted his key that is in the shape of a key.

Thanks for sharing these personal experiences with the items, not enough people using them and/or talking about it, especially in relation to how much security gets brought up.

spruce
Full Member
***
Offline Offline

Activity: 140


View Profile
July 13, 2011, 06:25:22 PM
 #3

I don't like that idea of it self-wiping after 10 failed attempts! Other than that it looks pretty neat.

-----

I prefer a paper bitcoin wallet, like one from Casascius, then encode the hex code with something like the one-time code at sprucecodes.com. You can then keep the encoded hex key lying about as it as unbreakable as your 64-character passphrase happens to be.

I find that ever since I got the sheet from Casascius I've been somewhat paranoid about leaving the plaintext sheet anywhere except on my person. If you leave $1000 cash lying about it's easy to tell when it's been stolen as it isn't there any more. But someone can take a quick photo of your sheet of plaintext keys and you'll be none the wiser. But once those private keys are encoded and you have destroyed the plaintext versions then you're safe, even if you put them online or email them to yourself etc. As long as you don't forget the passphrase!
enmaku
Hero Member
*****
Offline Offline

Activity: 742



View Profile WWW
July 13, 2011, 06:37:44 PM
 #4

I haven't had a chance to look into the Yubikey all that much. Mt Gox says that the yubi they send you is useable with their service only but is that the case for most such keys or could a standard yubikey be used to auth to multiple sites?

RchGrav
Full Member
***
Offline Offline

Activity: 149



View Profile
July 13, 2011, 06:58:20 PM
 #5

I want like ten iron keys, those look solid and bad ass.  I like that one dude who promoted his key that is in the shape of a key.

Thanks for sharing these personal experiences with the items, not enough people using them and/or talking about it, especially in relation to how much security gets brought up.

I had an original S100 1GB Ironkey which I subsequently lost...   I was convinced I would see again some day since it displayed the "If Found Please Return to:" info as soon as it was plugged into a computer.  Unfortunately that never happened... I think I sometimes tend to give the average human being more more credit than they deserve.. I assume everyone has a computer and would think to plug it in and see what is on it.  (I always do, if its not empty, I'll try to find some kind of info on it to return it to its rightful owner.)

I wouldn't normally engrave anything on my electronics because I think its tacky, but in this case I'm going to... As soon as I get to my friends gift shop, I'll get the outer body of my Ironkey engraved with my contact information.

Forgot to mention one VERY IMPORTANT AND HIGHLY CRITICAL feature...

The Ironkey by design is electromagnetically shielded which should protect it from a... wait for it...



ELECTRO-MAGNETIC PULSE
Either you got the reference or you didn't.




4C 6F 6E 67  4C 69 76 65  42 69 74 63 6F 69 6E
Qba'g lbh unir nalguvat orggre gb qb?
RchGrav
Full Member
***
Offline Offline

Activity: 149



View Profile
July 13, 2011, 07:52:22 PM
 #6

I don't like that idea of it self-wiping after 10 failed attempts! Other than that it looks pretty neat.


Thats the point of the built in secure backup software.. you can dump the contents of the flash drive to your computer, fully encrypted, so that if it does somehow get lost or wiped, you can easily restore it back to the drive.

The default mode of the Ironkey is to completely destroy itself, rendering the unit worthless if stolen, this is to deter theft of ironkeys.. I know for a fact that the "Basic" edition of the ironkey allows you to change the mode to allow the ironkey to be reinitialized.

By limiting the number of attempts to guess the password you defeat any brute force attack. Feel free to use an easier password, because the fact is.. There is only 10 attempts.. period.

The other feature, which beats something like a truecrypt encrypted USB drive is the fact that you can use the Ironkey on nearly any computer or os, without the need to have root or administrator access to install any encryption software.  This has always been the one factor that had limited something like a truecrypt USB thumb drive from being universally accessible on any computer.. which limits truecrypt's usefulness as a truly portable bitcoin wallet solution.

4C 6F 6E 67  4C 69 76 65  42 69 74 63 6F 69 6E
Qba'g lbh unir nalguvat orggre gb qb?
Trader Steve
Hero Member
*****
Offline Offline

Activity: 725


"How do you eat an elephant? One bit at a time..."


View Profile
July 13, 2011, 09:47:37 PM
 #7

Thanks for sharing this!
AtlasONo
Hero Member
*****
Offline Offline

Activity: 551



View Profile
July 13, 2011, 10:56:36 PM
 #8

SECURITY BREACH! I can now copy both of your keys. Can't wait to see inside the secret lair.
Ryland R. Taylor-Almanza
Hero Member
*****
Offline Offline

Activity: 812



View Profile
July 13, 2011, 10:59:15 PM
 #9

I haven't had a chance to look into the Yubikey all that much. Mt Gox says that the yubi they send you is useable with their service only but is that the case for most such keys or could a standard yubikey be used to auth to multiple sites?
Same question. I already have my IronKey, though, and I'm very happy with it.
RchGrav
Full Member
***
Offline Offline

Activity: 149



View Profile
July 13, 2011, 11:00:42 PM
 #10

SECURITY BREACH! I can now copy both of your keys. Can't wait to see inside the secret lair.

Haha.. yeah.. nope... if you look closely I actually shopped the keys in gimp with the clone tool and re-arranged the teeth.. and blurred the codes on the Yubikey..  ;-)

Nice Idea though.. I'm glad I knew you would say that.


4C 6F 6E 67  4C 69 76 65  42 69 74 63 6F 69 6E
Qba'g lbh unir nalguvat orggre gb qb?
RchGrav
Full Member
***
Offline Offline

Activity: 149



View Profile
July 13, 2011, 11:35:39 PM
 #11

I haven't had a chance to look into the Yubikey all that much. Mt Gox says that the yubi they send you is useable with their service only but is that the case for most such keys or could a standard yubikey be used to auth to multiple sites?
Same question. I already have my IronKey, though, and I'm very happy with it.

If you were to purchase a factory fresh Yubikey directly from the company it would have the standard AES key that Yubico's public auth server uses..  If you wanted to use a service that utilizes Yubico's own in house authentication server then would need to retain that default private key.

Also... Yubikeys are shipped with a default password so that if you want to reprogram them for your own server using Yubico's tools you can do it, and then assign your own password which would be required for further reprogramming of the keys.  Once you remove the factory private key it can't be recovered, that particular yubikey is now only usable on your own private authentication server.

There was some discussion at one point whether or not it would be possible to write malware to reprogram the Yubikey's functionality since they all have the same reprogramming password initially.. for example, the early Yubikey firmware had the ability to actually launch a URL by programming it with a series of control characters.  In more recent firmware this option to launch a URL is no longer is possible.  

I believe the most secure configuration possible with a Yubikey is when a service provider DOES reprogram the internal AES key, and runs their own local auth server.. This not only makes their keys unique, but also removes ANY possibilities of rogue software reprogramming the keys because the programming password has been customized as part of the customization process.

The Ordering Process.

After ordering your Yubikey your order will be processed and a specific key will be associated with your MT.GOX account.. once that is done you will notice that once you do your normal authentication you will get presented with a page asking you to authenticate with your assigned Yubikey...  You are able to skip over the Yubikey portion of the authentication by just hitting the submit button until your Yubikey arrives.

The Yubikey will arrive via EMS Japan Post (Express).. My Yubikey shipped on 7/11 and arrived today 7/13.

Once you use the Yubikey to provide the first OTP it will then become a requirement as part of your authentication process for logins, and withdraws.

To generate the OTP which is required after you enter your existing name and password you press the button for about 1/2 second.

To generate the password which is required for the withdraw process, you need to hold down the button for 3 seconds.

If you LOSE YOUR YUBIKEY, you will NOT be able to access the funds in your account until you receive a replacement..

DON'T LOSE THE YUBIKEY!

4C 6F 6E 67  4C 69 76 65  42 69 74 63 6F 69 6E
Qba'g lbh unir nalguvat orggre gb qb?
Trader Steve
Hero Member
*****
Offline Offline

Activity: 725


"How do you eat an elephant? One bit at a time..."


View Profile
July 13, 2011, 11:51:05 PM
 #12

Quote
I assume everyone has a computer and would think to plug it in and see what is on it.  (I always do, if its not empty, I'll try to find some kind of info on it to return it to its rightful owner.)

I wouldn't normally engrave anything on my electronics because I think its tacky, but in this case I'm going to... As soon as I get to my friends gift shop, I'll get the outer body of my Ironkey engraved with my contact information.

You may not want to do this. I read somewhere that it is a common strategy for snoops to drop malware-loaded thumb-drives in corporate parking lots with the hope that someone plugs it into a machine - instantly infecting the machine.

RchGrav
Full Member
***
Offline Offline

Activity: 149



View Profile
July 14, 2011, 01:03:33 AM
 #13

Quote
I assume everyone has a computer and would think to plug it in and see what is on it.  (I always do, if its not empty, I'll try to find some kind of info on it to return it to its rightful owner.)

I wouldn't normally engrave anything on my electronics because I think its tacky, but in this case I'm going to... As soon as I get to my friends gift shop, I'll get the outer body of my Ironkey engraved with my contact information.

You may not want to do this. I read somewhere that it is a common strategy for snoops to drop malware-loaded thumb-drives in corporate parking lots with the hope that someone plugs it into a machine - instantly infecting the machine.



That's good advice .. and true.. I've actually heard of people doing this..


4C 6F 6E 67  4C 69 76 65  42 69 74 63 6F 69 6E
Qba'g lbh unir nalguvat orggre gb qb?
thechevalier
Jr. Member
*
Offline Offline

Activity: 40



View Profile
July 14, 2011, 05:35:45 AM
 #14

I haven't had a chance to look into the Yubikey all that much. Mt Gox says that the yubi they send you is useable with their service only but is that the case for most such keys or could a standard yubikey be used to auth to multiple sites?

Yeah, I'm not real hot on Mt. Gox's Yubikeys, which costs like $30 and are only usable with Mt. Gox (my understanding; someone please correct me if I'm wrong). I'm not sure I actually trust Gox to implement multi-factor auth correctly, or any type of security (I don't like their new password hashing scheme, for example, which still seems lacking).

For $45 you can get two Yubikeys and a year's subscription to the LastPass service directly from Yubico:

https://store.yubico.com/store/catalog/product_info.php?products_id=13&osCsid=580ed7bb4272de9a5e6ad19b2b8c0166

That seems like a better way to go because you can use your key as a second factor with all the exchanges, and other sites as well. LastPass is a pretty good password vault too. Plus, you get two keys that can be programmed to be identical. You want a second Yubikey (or at least, I do) in case a key gets lost or damaged.

No offense intended to the OP, but I feel it's kind of a bad idea to keep both your Yubikey and your flash drive with your wallet.dat on the same keychain, because if someone steals it not only are you locked out of Mt. Gox (at least temporarily), but it makes it easier for the thief to mount an attack. You're also probably more vulnerable to the $5 wrench attack: http://xkcd.com/538/ Having a super "military strength" crypto flash drive kinda signals you have something secret and potentially valuable in your pocket. I'd prefer to have an unassuming flash drive with a hidden Truecrypt volume on it: http://www.truecrypt.org/hiddenvolume or something equivalent.

Considering one has to have net access to send and confirm Bitcoin transactions anyway, it might be best to just keep several copies of your wallet.dat encrypted and sprinkled around the interwebs in secret locations. For long term storage, e.g.: in safety deposit box or under the bed, I do not trust magnetic media. I do however like the idea of storage on paper, but I haven't seem a really good implementation of that yet.

Just my .02 BTC.
ctoon6
Sr. Member
****
Offline Offline

Activity: 350



View Profile
July 14, 2011, 06:09:49 AM
 #15

how secure is the hardware, what happens if i try to open it. is flash memory embedded inside a plastic casing that cant be opened, easily anyway.

edit: they showed it.

edit2: seems a bit pricy, this drive is a lot cheaper, but im sure its not as secure http://www.youtube.com/watch?v=i6J-Dh8gQeo

http://www.newegg.com/Product/Product.aspx?Item=N82E16820139060
I don't think it destroys the data after x amount of attempts either, so it is likely viable to brute force. if you use a strong password, you should have a few days to make the wallet worthless so, idk use at your own risk, and only buy the ironkey if you are paranoid.

RchGrav
Full Member
***
Offline Offline

Activity: 149



View Profile
July 14, 2011, 08:58:45 PM
 #16

how secure is the hardware, what happens if i try to open it. is flash memory embedded inside a plastic casing that cant be opened, easily anyway.

edit: they showed it.

edit2: seems a bit pricy, this drive is a lot cheaper, but im sure its not as secure http://www.youtube.com/watch?v=i6J-Dh8gQeo

http://www.newegg.com/Product/Product.aspx?Item=N82E16820139060
I don't think it destroys the data after x amount of attempts either, so it is likely viable to brute force. if you use a strong password, you should have a few days to make the wallet worthless so, idk use at your own risk, and only buy the ironkey if you are paranoid.

That looks like a viable alternative to the Ironkey based upon the dollar/security ratio.

Pros: Similar functionality to the Ironkey products line of products, Swivel cap can't be lost while the Ironkey one can, Cost is WAY less than Ironke

Cons: No Linux Support, Build Quality is Lower than Ironkey, Swivel cap design's often are more fragile than standard USB caps, Lower quality flash storage non-suitable for Virtual Machine usage, No built in Secure Backup System to secure the data in an encrypted format on your drive, Not Waterproof, won't survive your washing machine or other abuses, Previous models of Kingston secure flash drives have been hacked.

However.. for the cost its hard to argue.  The performance / quality of flash memory seems very similar to the D200 series of Ironkey products.

4C 6F 6E 67  4C 69 76 65  42 69 74 63 6F 69 6E
Qba'g lbh unir nalguvat orggre gb qb?
RchGrav
Full Member
***
Offline Offline

Activity: 149



View Profile
July 15, 2011, 07:51:13 AM
 #17

WARNING WARNING  TL;DR Material Ahead..  Proceed at your own peril!


Yeah, I'm not real hot on Mt. Gox's Yubikeys, which costs like $30 and are only usable with Mt. Gox (my understanding; someone please correct me if I'm wrong). I'm not sure I actually trust Gox to implement multi-factor auth correctly, or any type of security (I don't like their new password hashing scheme, for example, which still seems lacking).

Yawn, for real though?!  I read about some script kiddie saying what they are doing isn't secure, so it must not be..

Back up your claims with some facts and figures son... you'll get more respect.


My original MT.Gox password was "R8YC2txHc1RWtScewxid" and is listed in its MD5+Salt format in the hack DB as "$1$9W57ShSS$H37Nb7ik2PUf2WY/p/OEl.)"

Lets try that with a multi-iteration triple salt.. lets see what we get...(Honestly I don't know what that is, but I'll try, lol)

mkpasswd -m sha-512 R8YC2txHc1RWtScewxid   <- This will produce a random 128bits of salt which will be used for the next 3 iterations, combined with the 512bit hashed output of my original gox password...

Produces this output "$6$86Ev9OHO/tSQ/NsH$dadWFKTBwRv7hzHDE721AWlALB14RggRquYrJwYm5XrKzYjSdPduedhlPQe.68Pdn6gDDrBAyYgVbizCxY72O."

Now we use that random salt to apply a secondary SHA-512 to that with this command  

mkpasswd -m sha-512 dadWFKTBwRv7hzHDE721AWlALB14RggRquYrJwYm5XrKzYjSdPduedhlPQe.68Pdn6gDDrBAyYgVbiz CxY72O. 86Ev9OHO/tSQ/NsH

Produces this output "$6$86Ev9OHO/tSQ/NsH$NbFEw6ToZrAnGai3kVDp1GbqY5iX7o0zu41iMelKnbjBvR/xUMAbxQ3Zk3egojw8GxXUlzGVTyCBT7NhKbLyE."

Now for the final iteration of SHA-512 using the same salt one last time...

mkpasswd -m sha-512 NbFEw6ToZrAnGai3kVDp1GbqY5iX7o0zu41iMelKnbjBvR/xUMAbxQ3Zk3egojw8GxXUlzGVTyCBT7NhKbLyE 86Ev9OHO/tSQ/NsH


Produces this output "$6$86Ev9OHO/tSQ/NsH$BBh.ljcEs8wqAWtpm1CAsoCpuAKXVPh8WJaTsr/H9o8uPXD9Qa5vDyHZkIhHWtoRSm.qLQkmJ7qXcDrsSbtJ90"

Yeah.. good luck with that.. even though its considered a speedier hash in comparison to bcrypt, its still 100% NON REVERSABLE, it has a HUGE output which is for all intents and purposes completely collisionless.  

I used Steve Gibsons "Password Haystacks" tool to do some sample calculations on what would be required to crack my current MT.Gox password.



OMGWTFBBQ.. you are right.. My MT.Gox account is terribly terribly insecure.. what will I ever do now!?!?! Oh noes, and I gave away its length too!! I'm a goner!

Just because some group of guys say bcrypt is better, doesn't automatically make SHA-512 insecure today...  Take my advice and use a better password than "Poop" or "123456".. Take advantage of that LastPast you have to generate something wicked..

And don't be critical of people who MIGHT know more than you.. you sound like you are trying to make everyone else's words your own.

For $45 you can get two Yubikeys and a year's subscription to the LastPass service directly from Yubico:

https://store.yubico.com/store/catalog/product_info.php?products_id=13&osCsid=580ed7bb4272de9a5e6ad19b2b8c0166

That seems like a better way to go because you can use your key as a second factor with all the exchanges, and other sites as well. LastPass is a pretty good password vault too. Plus, you get two keys that can be programmed to be identical. You want a second Yubikey (or at least, I do) in case a key gets lost or damaged.

My Yubikey was free.


While LastPass is a great password management service that can generate, store and automatically submit complex passwords for many sites, believing that this is a viable replacement for a site specific multi-factor authentication system is just flat out incorrect advice to give.  The fact that you are storing passwords in LastPass, and using the Yubikey to access them does not stop anyone from compromising any account if password has been compromised.  You understand the difference, right?  In your scenario the Yubikey is used as a secondary factor for LastPass.


No offense intended to the OP, but I feel it's kind of a bad idea to keep both your Yubikey and your flash drive with your wallet.dat on the same keychain, because if someone steals it not only are you locked out of Mt. Gox (at least temporarily), but it makes it easier for the thief to mount an attack. You're also probably more vulnerable to the $5 wrench attack: http://xkcd.com/538/ Having a super "military strength" crypto flash drive kinda signals you have something secret and potentially valuable in your pocket. I'd prefer to have an unassuming flash drive with a hidden Truecrypt volume on it: http://www.truecrypt.org/hiddenvolume or something equivalent.

Same sentiments here in hoping that no offense is taken.. I don't think you are trying to intentionally trying to mislead people into making poor security decisions, but I do think you havent fully thought through everything you said.

You are just repeating what you think is true .. because thats what someone else wrote.

How would the attacker be able to mount an attack by getting access to both my ironkey & yubikey? (The other drive you see is empty, its a tool.)  Did you just make that up hoping no one would call you on it?  The $5 wrench attack would NEVER work as an attack vector against the Yubikey or Ironkey.. HOW!?! The ONLY way he would get any of my Bitcoins would be if my car was broken down, and he used the wrench to help get it going, I would give him a few coin, and say THANKS!!

Question..  Have you actually attempted using TrueCrypt as a roaming data security solution for any period of time with any level of convienience?  

My experience was that mounting a TrueCrypt volume requires the same level of system access that enable the components that modern rootkits use to be completely undetectable, stuff like TDSS, Aleureon, and newer more sophisticated EVIL EVIL PROGRAMS capable of interacting with the kernel of an operating system, and its those undetectable things that will eat both your USB drive AND your bitcoins alive. munch munch munch.. burp.

http://www.truecrypt.org/docs/?s=non-admin-users

http://www.truecrypt.org/docs/?s=truecrypt-portable

You do realize that a truecrypt drive is pretty easy to get into, right?... If I got my hands on it, I could copy it, and recompile your truecrypt with a version that sends me your password, or return it with a virus or utility program could pull the keys right out of a systems RAM any time its mounted.  If it sent those keys back to me, I could then mount the copy I made right before I returned your drive!! cake.

http://www.truecrypt.org/docs/?s=unencrypted-data-in-ram

http://www.truecrypt.org/docs/?s=paging-file

http://www.lostpassword.com/hdd-decryption.htm

Considering one has to have net access to send and confirm Bitcoin transactions anyway, it might be best to just keep several copies of your wallet.dat encrypted and sprinkled around the interwebs in secret locations. For long term storage, e.g.: in safety deposit box or under the bed, I do not trust magnetic media. I do however like the idea of storage on paper, but I haven't seem a really good implementation of that yet.

Just my .02 BTC.

Do you truely believe that sprinkling your wallet.dat all over the interwebs might just be the best approach to keeping your wallet.dat available and secure?. If any one of those files gets uncovered and decrypted you might find that those efforts were all in vain.  Remember the bitcoin community has a higher level of knowledge & capability in that area.

What implementations of paper based storage of bitcoins have you explored?  What is wrong with paperback?  I found it to have high levels of resilience against damage, highly recoverable, and additionally it was configurable with strong FIPS-197 compliant AES encryption via a configurable password.  Check it out (http://www.ollydbg.de/Paperbak/index.html) or does this not live up to your security standards either!?!   Here is a nice sample to print and scan back in.. the password is "bitcoin"  http://www.mediafire.com/?yks2s9251yfvywy

Well anyway... If you think I'm wrong you can tell me again.. I really don't mind, it helps me learn.    The ONLY weakness I can perceive would be the act of using your bitcoins on a foreign computer, ever, which is an unavoidable weakness... The ironkey will allow you to run a portable VM like tinylinux, or ubuntu even if you have the space.

If you are looking to buy something a little less expensive.. that Kingston Locker+ posted by the previous poster is the closest thing yet I have seen to an Ironkey for such a low cost.. its a schweet deal for the money!! it uses the same techniques, minus a few features, and no linux support, Not recommeded for VM usage.

4C 6F 6E 67  4C 69 76 65  42 69 74 63 6F 69 6E
Qba'g lbh unir nalguvat orggre gb qb?
Ryland R. Taylor-Almanza
Hero Member
*****
Offline Offline

Activity: 812



View Profile
July 15, 2011, 01:46:13 PM
 #18

Take my advice and use a better password than "Poop"
Um... I'll be right back. I'm just going to go change my password.
RchGrav
Full Member
***
Offline Offline

Activity: 149



View Profile
July 15, 2011, 02:44:35 PM
 #19

Take my advice and use a better password than "Poop"
Um... I'll be right back. I'm just going to go change my password.

I KNEW IT!!!!  Damn and all this time the riches of Ryland could have been mine.

Oh wait... maybe they already are, didn't you send me like 80 bitcoins when they were worth like 69 cents?   Cheesy

4C 6F 6E 67  4C 69 76 65  42 69 74 63 6F 69 6E
Qba'g lbh unir nalguvat orggre gb qb?
Ryland R. Taylor-Almanza
Hero Member
*****
Offline Offline

Activity: 812



View Profile
July 15, 2011, 07:53:04 PM
 #20

Take my advice and use a better password than "Poop"
Um... I'll be right back. I'm just going to go change my password.

I KNEW IT!!!!  Damn and all this time the riches of Ryland could have been mine.

Oh wait... maybe they already are, didn't you send me like 80 bitcoins when they were worth like 69 cents?   Cheesy
I believe I donated a little over a hundred. I wanted to help out the server as much as I could. I had no idea how much I was really giving you! Man, if I had those bitcoins again, I could finally buy myself the open pandora I've wanted for so many years! And then I found out that you already have that too! Why do you have everything I want!?
Pages: [1] 2 »  All
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!