Bitcoin Forum
November 12, 2019, 02:11:04 PM *
Author Topic: It is NOT secure to use hardware wallets (and it never was)  (Read 1943 times)
linhphieudb
Newbie
Activity: 10
Merit: 0
April 15, 2018, 08:27:33 AM
 #101

Do I intend to store the ERC20 token on the TREZOR wallet? Is your information secure? If not cold wallet, where should we store it? Is feeling puzzled. OMG
Karartma1
Legendary
Activity: 1820
Merit: 1073
Be Revolutionary Or Die Trying
April 15, 2018, 04:15:33 PM
 #102


Of course a USB could be accessed by an offline air gapped PC. And a hardware wallet could by design have its records regenerated on a PC if the key word set were known.

A bad actor or government actor could exert influence on a hardware wallet company, say by causing certain items to be included in an update of the hardware wallet. This is at least in my opinion, a long term risk worth mulling over.


What is your solution to that long term problem? I am puzzling myself to find the best possible way to store a few bitcoins long term and, as of today, I have no solution for that. If I look for security, in case I die, nobody will ever be able to recover my coins (until bitcoin cryptographic security is broken). I supposed that leaving a trezor behind could have been that solution but right now I don't think that is a viable option.

I am not interested in preserving the status quo; I want to overthrow it. Niccolò Machiavelli
cellard
Legendary
Activity: 1372
Merit: 1211
April 15, 2018, 06:54:06 PM
 #103

If that's the case what can we do then? What kind of microprocessor is your machine using? I mean f*c*ing intel is everywhere! I am about to change my old 2010 laptop (amd)? Do you have any suggestions?

1. Keep that AMD laptop

Best advice right now is to keep pre-2013 AMD and (I think) pre-2007 Intel hardware (which in a stroke of irony are not receiving patches for those kernel memory access exploits that made the news for Intel recently).  


Alternative options to Intel/AMD (which are all compromises of some kind, and all involve more computing skills than x86 platforms):
  • ARM chips (not open designs or fully user controllable, & ARM are beginning to introduce anti-features similar to those that Intel and AMD have, so careful research needed)
  • IBM POWER chips (which are expensive, & not well supported, but the platform is fully user controllable AFAIK)
  • RISC V chips (which are expensive, immature, & not at all widely used, although the design is more open than IBM POWER, and like POWER, whole tech platform is user controllable)

Intel and Microsoft are slowly turning the whole Wintel concept into something closer to owning a Nintendo console than using a proper computer. Using some kind of Unix style operating system on non-Intel hardware will be the only option, eventually.

As you pointed out, the Purism laptops quoted by the other user do not fully get rid of ME, but as far as I know, the old Thinkpads which have Libreboot installed (which require a change in hardware, except the x60 which can be easily flashed) get rid of it at the highest level possible. I think this is as good as it gets. A t400 is still a decent laptop, especially with an SSD; it should do the job to run a Bitcoin node. I don't see any other option as realistic, I think this is as good as it gets?

I may buy one but I will not do Bitcoin stuff on it, I just want a spare laptop and I would like to try this one, but if I was running a node or wanted to use a laptop as cold storage, why not use one of these? Seems pretty solid, I think it's the best we have so far. You could get two: use one as a node, and use the other as a hardware wallet in which you sign transactions, then put them in the node with a QR code to broadcast them, to avoid USB's risks (this one of course must not have wifi cards or anything else).
HodlingCrypto
Newbie
Activity: 5
Merit: 0
April 15, 2018, 07:16:15 PM
 #104

Do I intend to store the ERC20 token on the TREZOR wallet? Is your information secure? If not cold wallet, where should we store it? Is feeling puzzled. OMG

You can always go to MyEtherWallet.com and generate a new wallet. You will be given a private key which you can later use for accessing your wallet. The best thing about it is that you can do it even while being offline so there is less risk that some kind of malware steals your key. After you save your private key, you can encrypt it using for example VeraCrypt and store it on multiple external drives. Hardware wallets are much more convenient because all you have to do is to plug a hardware wallet into your computer and use it with MEW. I use my TREZOR One for small amounts of cryptocurrencies in case I need to spend them immediately.
vnh8888
Newbie
Activity: 182
Merit: 0
April 16, 2018, 10:48:40 PM
 #105

I thought that using those hardware wallets is the most secure way of storing Bitcoins but now I am doubting. I guess I will keep my BTC on my online wallets with a password that I put in a safe place. But still I am planning to buy a Ledger Nano to try the security of that hardware wallet myself.
AGD
Legendary
Activity: 1855
Merit: 1060
Keeper of the Private Key
April 17, 2018, 08:03:58 AM
 #106

I thought that using those hardware wallets is the most secure way of storing Bitcoins but now I am doubting. I guess I will keep my BTC on my online wallets with a password that I put in a safe place. But still I am planning to buy a Ledger Nano to try the security of that hardware wallet myself.

Online wallet is a bad choice. Use Bitcoin Core on an offline machine.

edit: https://medium.com/@tednobs/how-to-create-a-secure-bitcoin-cold-wallet-82f82be4bfa

Bitcoin is not a bubble, it's the pin!
+++ GPG Public key FFBD756C24B54962E6A772EA1C680D74DB714D40 +++ http://pgp.mit.edu/pks/lookup?op=get&search=0x1C680D74DB714D40
Commie
Full Member
Activity: 364
Merit: 102
April 17, 2018, 09:19:48 AM
 #107

There's an old saying, what was built by one man can always be broken by another one. There's no such thing as absolute security.
Kogs
Member
Activity: 86
Merit: 12
April 17, 2018, 09:33:18 AM
 #108

Online wallet is a bad choice. Use Bitcoin Core on an offline machine.

edit: https://medium.com/@tednobs/how-to-create-a-secure-bitcoin-cold-wallet-82f82be4bfa

I've read this medium article, but I'm a bit confused about the second part (Funding & redeeming).

In the first part the author is doing everything right to keep everything on the offline laptop.
But then he suggests to copy the wallet.dat to an online computer?

For me this makes no sense. Why do all those secure steps before to create a cold wallet and then just copy the wallet.dat to an online PC?
With this step the cold wallet instantly turns into a hot wallet. So what is the point here?
It does not matter for me, that the passphrase was never used so far.

In my understanding a cold wallet never touches a PC which is connected to any network.

I would only agree with the described way if the author would change one point and add one point.

1) The wallet.dat on the usb-drive should not be verified on any online PC. Only copy the wallet.dat on the online PC whenever you want to spend the coins.
2) Whenever you spend something from this wallet.dat, always spend EVERYTHING and then never use this wallet.dat again. Create a new one.
hao2067755834
Jr. Member
Activity: 98
Merit: 1
Unibright Token Launch - 10th April 2018
April 17, 2018, 10:37:03 AM
 #109

Hardware wallets are good for storing large amounts of unused money.

With a hardware wallet system there also exists the possibility of a virus, causing your wallet to be invaded!

If the hardware wallet is lost or damaged it will be difficult to repair!

HCP
Legendary
Activity: 1148
Merit: 1847
<insert witty quote here>
April 17, 2018, 10:41:05 AM
 #110

Quote
I've read this medium article, but I'm a bit confused about the second part (Funding & redeeming).

In the first part the author is doing everything right to keep everything on the offline laptop.
But then he suggests to copy the wallet.dat to an online computer?

For me this makes no sense. Why do all those secure steps before to create a cold wallet and then just copy the wallet.dat to an online PC?
With this step the cold wallet instantly turns into a hot wallet. So what is the point here?
It does not matter for me, that the passphrase was never used so far.

In my understanding a cold wallet never touches a PC which is connected to any network.

He tries to justify his methodology here:
Quote
Note on cloud storage. You may think I’m crazy by storing the wallet.dat file online where corporate overlords or the overreaching deep state agencies could potentially grab a copy, but there are a few factors that make me OK with this. First, I know myself — and after a decent amount of time goes by there is definitely potential for me to lose the wallet files. But more importantly, it doesn’t matter if my cloud provider or the gubbermint copies my wallet.dat file — it’s encrypted. Assuming you used a decent passphrase with a high number of entropy bits (>120), it would take the world's strongest supercomputers trillions of years to brute force, yes trillions of years. You could store the USB drive on a park bench and have no worries. Choose what is right for you.

Basically... as the wallet file is encrypted (hopefully with the 40+ char random password that has only ever been stored offline) it should be "fine" to have your wallet.dat on an online computer... or even cloud storage. I think the important point is the last one: "Choose what is right for you." You need to work out what your acceptable level of risk is and go with a method that fits that risk model.

In your case, that is a wallet.dat that never touches an online computer until you're wanting to redeem the coins... in the author's case... it is: wallet.dat encryption is "bulletproof", I'll put the wallet.dat on cloud storage.

In my case... it's a hardware wallet


Quote
Hardware wallets are good for storing large amounts of unused money.
Among other things...

Quote
With a hardware wallet system there also exists the possibility of a virus, causing your wallet to be invaded!
No. As far as I'm aware, you can only flash the full firmware, which will effectively wipe the device... and unrecognised firmware should be flagged during the bootup sequence of the hardware wallet to indicate to the user that the device is not running officially signed firmware.

Quote
If the hardware wallet is lost or damaged it will be difficult to repair!
While you may not be able to repair the device, you can recover your funds by using your "seed mnemonic" (aka backup words) and importing it into BIP39/BIP44 compatible wallets for the coins you need to recover.
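
How recovery from a "seed mnemonic" works under BIP39, as an added example that is not part of the original post or any wallet vendor's code: the words plus an optional passphrase are stretched into a 64-byte seed, and BIP32 derives the master key from that seed. The mnemonic below is the public all-"abandon" test phrase used only as sample input, the function names are illustrative, and wordlist and checksum validation are assumed to have been done already.

```python
import hashlib
import hmac
import unicodedata

# Public BIP39 test phrase, sample input only. Never send funds to it.
SAMPLE_MNEMONIC = "abandon " * 11 + "about"

# Order of the secp256k1 curve; a master key must be in [1, N-1].
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39: PBKDF2-HMAC-SHA512, 2048 rounds, salt = "mnemonic" + passphrase."""
    # Collapse stray whitespace (input hygiene), then NFKD-normalise as BIP39 requires.
    words = unicodedata.normalize("NFKD", " ".join(mnemonic.split()))
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac(
        "sha512", words.encode("utf-8"), salt.encode("utf-8"), 2048, dklen=64
    )


def master_key_from_seed(seed: bytes):
    """BIP32: HMAC-SHA512 keyed with b"Bitcoin seed"; returns (private key, chain code)."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    key, chain_code = digest[:32], digest[32:]
    if not 0 < int.from_bytes(key, "big") < SECP256K1_N:
        raise ValueError("seed yields an invalid master key; use a different seed")
    return key, chain_code


def recover(mnemonic: str, passphrase: str = "") -> dict:
    """Everything a compatible wallet needs is derived from the words alone."""
    seed = mnemonic_to_seed(mnemonic, passphrase)
    key, chain_code = master_key_from_seed(seed)
    return {"seed": seed.hex(), "master_key": key.hex(), "chain_code": chain_code.hex()}


if __name__ == "__main__":
    plain = recover(SAMPLE_MNEMONIC)
    # The same words on a different device give the same wallet.
    print("deterministic:", plain == recover(SAMPLE_MNEMONIC))
    # A passphrase selects a completely different wallet from the same words.
    print("passphrase changes wallet:",
          plain["seed"] != recover(SAMPLE_MNEMONIC, "constructed passphrase")["seed"])
```
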

Tahir460pk
Jr. Member
Activity: 308
Merit: 4
April 17, 2018, 01:40:26 PM
 #111

It's not good. I listen about hardware wallets that are more secure and safe and now you are saying it's not safe, very big problem and this must be resolved by experts. Now the only option is to save only wallets with a password placed at a safe place till no other solution.

Theb
Sr. Member
Activity: 1106
Merit: 450
April 18, 2018, 08:43:50 AM
 #112

So if hardware wallets are not safe then it is kinda useless to invest in one right now? If the point of this article is to make people aware of the dangers of using hardware wallets it just made them insecure. If the article is correct any retailer or seller (or even one of their employees) of  a hardware wallet can install a custom firmware before they even put it up to the shelves, yes I know they have stickers and security seals on their boxes but all of it can be easily tampered by a professional.

Maybe hardware wallet makers need to take it on to the next level of security like having a software where it can detect if your hardware wallets are compromised or not. In this way even if they had accessed your wallet you will know if your wallet was touched or not. But in my own personal opinion I would still want a hardware wallet where it is not always connected to the internet or to my desktop, my Bitcoin is more vulnerable out there.

gruad
Jr. Member
Activity: 84
Merit: 1
April 18, 2018, 08:20:51 PM
 #113

Quote
I have been warning people about hardware wallets for years. Bitcoin is the most personal store of value. Don't break it by using untrusted third party soft/hardware:

https://krebsonsecurity.com/wp-content/uploads/2018/03/ledgerattack.pdf

Worth mentioning, that the guy who found this exploit is 15 ys young.


Nothing beats the paper wallet
stomachgrowls
Hero Member
Activity: 1218
Merit: 547
Crypto-Games.net: Multiple coins, multiple games
April 18, 2018, 11:17:40 PM
 #114

So if hardware wallets are not safe then it is kinda useless to invest in one right now? If the point of this article is to make people aware of the dangers of using hardware wallets it just made them insecure. If the article is correct any retailer or seller (or even one of their employees) of  a hardware wallet can install a custom firmware before they even put it up to the shelves, yes I know they have stickers and security seals on their boxes but all of it can be easily tampered by a professional.

Maybe hardware wallet makers need to take it on to the next level of security like having a software where it can detect if your hardware wallets are compromised or not. In this way even if they had accessed your wallet you will know if your wallet was touched or not. But in my own personal opinion I would still want a hardware wallet where it is not always connected to the internet or to my desktop, my Bitcoin is more vulnerable out there.

When you are really aware of the risk of it then you should proceed with caution. We do know issues have already shown up, and as a sensible token hodler you will eventually avoid it at all cost. Re-sellers of such wallets can possibly re-pack it and install any software which would compromise or expose the keys. We have seen such problems, that's why I decided to buy from the company itself, but still I always have the doubts that they do have those seeds, yet they are the ones who create and do the packaging.

On the thing being said above, the thing being created by someone can really possibly be cracked, or have some flaws exploited, by another person anytime.


AGD
Legendary
Activity: 1855
Merit: 1060
Keeper of the Private Key
April 19, 2018, 06:44:53 AM
 #115

Quote
I have been warning people about hardware wallets for years. Bitcoin is the most personal store of value. Don't break it by using untrusted third party soft/hardware:

https://krebsonsecurity.com/wp-content/uploads/2018/03/ledgerattack.pdf

Worth mentioning, that the guy who found this exploit is 15 ys young.


Nothing beats the paper wallet

Fire and water (and time) does.

Bitcoin is not a bubble, it's the pin!
+++ GPG Public key FFBD756C24B54962E6A772EA1C680D74DB714D40 +++ http://pgp.mit.edu/pks/lookup?op=get&search=0x1C680D74DB714D40
TryNinja
Legendary
Activity: 1190
Merit: 1595
April 19, 2018, 04:38:37 PM
 #116

Nothing beats the paper wallet

Fire and water (and time) does.
What about this "steel" wallet?

https://cryptosteel.com/

Stedsm
Legendary
Activity: 1848
Merit: 1142
Piiiii Kaaaaaa Chuuuuuuu
April 19, 2018, 05:21:14 PM
 #117

Nothing beats the paper wallet

Fire and water (and time) does.
What about this "steel" wallet?

https://cryptosteel.com/

Can't we even use those cheap memory cards in which we can store lots and lots of data with any sort of stuff or just private keys only?
Purchasing ~250 Memory Cards with just 2 GB memory will cost much less compared to what we need to pay for that steel thing.
I believe that all of these 250 memory cards are not going to get corrupted at once (few may get corrupted, but not all of them).
Even 25 memory cards can save our Notepad file and have all our data stored without much hassle which we can easily access offline whenever we want to use our private keys to use our funds. Encryption of private keys and then keeping them safer in these memory cards is the best and cheapest way IMO.

Spendulus
Legendary
Activity: 2422
Merit: 1191
April 19, 2018, 06:23:47 PM
 #118

Quote
I have been warning people about hardware wallets for years. Bitcoin is the most personal store of value. Don't break it by using untrusted third party soft/hardware:

https://krebsonsecurity.com/wp-content/uploads/2018/03/ledgerattack.pdf

Worth mentioning, that the guy who found this exploit is 15 ys young.


Nothing beats the paper wallet

Fire and water (and time) does.


Not when the "paper wallet" is made out of stainless steel.



Of course a USB could be accessed by an offline air gapped PC. And a hardware wallet could by design have its records regenerated on a PC if the key word set were known.

A bad actor or government actor could exert influence on a hardware wallet company, say by causing certain items to be included in an update of the hardware wallet. This is at least in my opinion, a long term risk worth mulling over.


What is your solution to that long term problem? I am puzzling myself to find the best possible way to store a few bitcoins long term and, as of today, I have no solution for that. If I look for security, in case I die, nobody will ever be able to recover my coins (until bitcoin cryptographic security is broken). I supposed that leaving a trezor behind could have been that solution but right now I don't think that is a viable option.

The "long term storage problem" is the simplest thing in the world to solve. Consider that a bitcoin address is no more than a 50-some digit long number. All you need is a copy of that number in a safe depot box.




bob123
Legendary
Activity: 1064
Merit: 1571
April 20, 2018, 12:58:01 PM
 #119

The "long term storage problem" is the simplest thing in the world to solve. Consider that a bitcoin address is no more than a 50-some digit long number. All you need is a copy of that number in a safe depot box.

An 'address' is a 160 bit binary number. This, of course, can be encoded in any format.
Just like it is done with the displayed addresses (Base 58 encoding).

But to be able to gain access over the funds sent to the address you need the private key (256 bit binary number), which also can be encoded into *any* format.


The question is whether you want to put it into a depot box.
It depends on how much you trust the physical security of this box.

If you want to keep it away from everyone's knowledge, such a storage might not be the best idea.
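
The Base 58 encoding mentioned in the post above, as an added example that is not from the thread: in the Base58Check form used for addresses and private keys, a version byte plus the 160-bit hash or 256-bit key is followed by a 4-byte double-SHA256 checksum, so a copy kept on paper or steel can be checked for transcription errors before it is relied on. The sample hash and key bytes are constructed, and the function names are illustrative.

```python
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
P2PKH_VERSION = 0x00  # mainnet pay-to-pubkey-hash address
WIF_VERSION = 0x80    # mainnet private key (Wallet Import Format)


def checksum(payload: bytes) -> bytes:
    """First 4 bytes of SHA256(SHA256(payload))."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def b58check_encode(version: int, data: bytes) -> str:
    raw = bytes([version]) + data
    raw += checksum(raw)
    n = int.from_bytes(raw, "big")
    digits = ""
    while n:
        n, rem = divmod(n, 58)
        digits = B58[rem] + digits
    # Each leading zero byte is written as a literal '1'.
    zeros = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * zeros + digits


def b58check_decode(text: str) -> tuple:
    """Return (version, data) or raise ValueError if the string is damaged."""
    n = 0
    for ch in text:
        idx = B58.find(ch)
        if idx < 0:
            raise ValueError(f"character {ch!r} is not in the Base58 alphabet")
        n = n * 58 + idx
    zeros = len(text) - len(text.lstrip("1"))
    raw = b"\x00" * zeros + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) < 5:
        raise ValueError("too short to hold a version byte and checksum")
    payload, check = raw[:-4], raw[-4:]
    if checksum(payload) != check:
        raise ValueError("checksum mismatch: the string was copied incorrectly")
    return payload[0], payload[1:]


def is_valid(text: str) -> bool:
    try:
        b58check_decode(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    hash160 = bytes(range(20))       # constructed 160-bit value
    secret = bytes([1] * 32)         # constructed 256-bit value, not a real key
    address = b58check_encode(P2PKH_VERSION, hash160)
    wif = b58check_encode(WIF_VERSION, secret)
    print("address:", address, "valid:", is_valid(address))
    print("WIF length:", len(wif), "valid:", is_valid(wif))
    # One mistyped character is caught by the checksum.
    typo = address[:-1] + ("2" if address[-1] != "2" else "3")
    print("typo detected:", not is_valid(typo))
```
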

rem26
Newbie
Activity: 78
Merit: 0
April 20, 2018, 08:37:19 PM
 #120


Can't we even use those cheap memory cards in which we can store lots and lots of data with any sort of stuff or just private keys only?
Purchasing ~250 Memory Cards with just 2 GB memory will cost much less compared to what we need to pay for that steel thing.
I believe that all of these 250 memory cards are not going to get corrupted at once (few may get corrupted, but not all of them).
Even 25 memory cards can save our Notepad file and have all our data stored without much hassle which we can easily access offline whenever we want to use our private keys to use our funds. Encryption of private keys and then keeping them safer in these memory cards is the best and cheapest way IMO.

Each generation of nand flash is much worse than the previous generation.

If you take a recent high capacity USB key, write it, and put it in a car on a hot day, most of the data will be damaged and the ECC/codecs in the flash controller will have to work their collective asses off to recover your data.

I would not expect the data to be on cheap memory cards in 2 years. Read the specs from major SSD manufacturers on data retention unpowered.

