Bitcoin Forum
December 18, 2017, 06:16:54 PM *
News: Latest stable version of Bitcoin Core: 0.15.1  [Torrent].
 
   Home   Help Search Donate Login Register  
Pages: « 1 [2] 3 »  All
  Print  
Author Topic: Wallet Security  (Read 3241 times)
e4xit
Sr. Member
****
Offline Offline

Activity: 302



View Profile
October 29, 2013, 11:05:04 AM
 #21

I found this guide to be quite helpful in achieving what I wanted to acheive, which was a completely (and forever) offline netbook with armory running on Ubuntu 10.04.

Armory Offline setup tutorial

I believe there are only three attack vectors here:

1) malware/other attack is transferred over to the offline netbook via USB when transferring a transaction for signing (not known of yet)

2) an attacker can change the payment address of your payment on the online computer before you create the transaction (this can be avaoided by checking the payment address(es) at all stages of the payment.

3) Someone comes round your house and hits you with a bat until you hand over the password(s) required to steal your coin.

I would also reccomend password-protecting you offline Armory installation even though "George" does not reccomend it; can't be too careful eh!

If you don't have the private key for "your" bitcoins then you have no bitcoins.
There are a million bits in a bitcoin: 1 ฿ = 1,000,000 ƀ
1513621014
Hero Member
*
Offline Offline

Posts: 1513621014

View Profile Personal Message (Offline)

Ignore
1513621014
Reply with quote  #2

1513621014
Report to moderator
1513621014
Hero Member
*
Offline Offline

Posts: 1513621014

View Profile Personal Message (Offline)

Ignore
1513621014
Reply with quote  #2

1513621014
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
Scott J
Legendary
*
Offline Offline

Activity: 1778


View Profile
October 29, 2013, 11:25:48 AM
 #22

Thanks for the thoughtful replies.

I am considering Armory, however I will also want an LTC wallet and possibly XPM too.

Considering what e4xit has outlined above, what are the additional attack vectors for my scenario?

I have:

-compromised software when updating wallets.
-direct hacking of my computer due to IP being visible on the network (is this even possible?)

Abdussamad
Legendary
*
Online Online

Activity: 1582



View Profile WWW
October 29, 2013, 11:28:58 AM
 #23

An idea I have had for a brain wallet that doesn't require too much memory...

Choose a particular book and make the private key from, say, the third letter of every fifth page, up to x

Then add the ISBN number in between each letter.  

I'd considered some permutation of that strategy.  I'll bet there are a lot of passwords out there that have characters taken from noteworthy and widely distrubuted texts like the Christian bible or U.S. constitution.  I never considered it enough to research how much disparity there may be between various re-prints and such.  I'm guessing that a rainbow table like construct could be pretty effective against such a strategy, but my math (and interest and knowledge of table methods) isn't strong enough to analyze it in detail.

Someone who has the knowledge says brainwallets with passphrases chosen by human beings are a terrible idea:

https://bitcointalk.org/index.php?topic=311000.msg3345309#msg3345309

Use electrum if you want a brainwallet.

Abdussamad
Legendary
*
Online Online

Activity: 1582



View Profile WWW
October 29, 2013, 11:30:04 AM
 #24

If you are going to go this route, it might be wise to completely remove the wireless adapter drivers, and connect to the Internet via hard wire. That way, you know for a fact when it is going online.

That won't help. He wants to use a computer to store coins which is allowed to connect to the Internet at various times. If your computer is compromised it only takes milliseconds to transfer sensitive information somewhere else once a connection is given. That's why the strongest options are use something like Armory with an offline computer, a completely offline paper wallet, or the Trezor.

Yes.  I bought an old laptop and installed Lubuntu and took it offline and it never goes online.  I installed Armory and do all transactions offline.

How much RAM does Armory need?

e4xit
Sr. Member
****
Offline Offline

Activity: 302



View Profile
October 29, 2013, 12:58:45 PM
 #25

If you are going to go this route, it might be wise to completely remove the wireless adapter drivers, and connect to the Internet via hard wire. That way, you know for a fact when it is going online.

That won't help. He wants to use a computer to store coins which is allowed to connect to the Internet at various times. If your computer is compromised it only takes milliseconds to transfer sensitive information somewhere else once a connection is given. That's why the strongest options are use something like Armory with an offline computer, a completely offline paper wallet, or the Trezor.

Yes.  I bought an old laptop and installed Lubuntu and took it offline and it never goes online.  I installed Armory and do all transactions offline.

How much RAM does Armory need?

  • In offline mode (such as you would use on a dedicated netbook/old laptop) - very little indeed; I think far less than 100MB but can verify for you tonight if you would like.
  • In current 'public' version for online use - rather a lot (some poeple require >4GB)
  • Current 'Beta' version - around 200MB for an average wallet

If you don't have the private key for "your" bitcoins then you have no bitcoins.
There are a million bits in a bitcoin: 1 ฿ = 1,000,000 ƀ
Abdussamad
Legendary
*
Online Online

Activity: 1582



View Profile WWW
October 29, 2013, 02:18:48 PM
 #26

  • In offline mode (such as you would use on a dedicated netbook/old laptop) - very little indeed; I think far less than 100MB but can verify for you tonight if you would like.
  • In current 'public' version for online use - rather a lot (some poeple require >4GB)
  • Current 'Beta' version - around 200MB for an average wallet

Thanks. This should suffice. I just wanted a rough idea.


Valerian77
Sr. Member
****
Offline Offline

Activity: 398


View Profile
October 30, 2013, 04:39:51 PM
 #27

This discussion is not new. In my opinion most of the analysis is going too far.

Clearly a virus or malware infected system is bad anyways and a special danger for wallets. So first thing before one starts to handle with Bitcoin wallets is to clean the system or use Linux with a dedicated user account - suggested software and procedure for Windows:
 - Superantispyware
 - Avast Antivirus
 - SpyBot
 - CCleaner
 - strict firewall settings
 - manual inspection of the process list in the task manager
 - analyse any small peace of software with www.virustotal.com before installation
 - AdBlock and BetterPrivacy add ons for the browser; turn off 3rd party cookies
 - for paranoids turn off Javascript and Java and do not visit any suspicious sites

When all that done (it has to be done frequently and regulary at best every day) install any wallet software with password protection and strong key encryption (eg. AES256) like Bitcoin-QT. Turn on the password with a secure password (http://bit.ly/19SE2n9) - at least 13 characters out of a set of 120. Be careful with the password not to write it down anywhere accessable.

Then Bitcoin addresses may be created. After each new address the wallet.dat must be backed up somewhere eg. cloud, email, memory stick, CD, etc. - at least in two independent locations.

When that is done not too much should happen. If someone is really paranoid he can use https://www.bitaddress.org on a not connected and clean device to create a paper wallet as cold storage and transfer his Bitcoins there. I would not recommend brain wallets - some kind of backup has to be done which would be equal to paper wallets from a security perspective.

Finally I recommend using more than one wallet (not address) if the Bitcoin amount or value gets bigger - if accidently one wallet is lost or cracked at least the rest will be preserved.

Bitmessage: BM-2cTHvwzzG3cDJxmM7YrYXSaBex4oRobJxu
Jan
Legendary
*
Offline Offline

Activity: 1043



View Profile
October 30, 2013, 06:51:58 PM
 #28

Buy a cheap secondhand android device, wipe it and install only: Cyanogenmod + Mycelium Bitcoin Wallet + ... nothing else
Use the Cold Storage Spending feature with paper wallets, and don't use it for anything else.

Cheap + Easy + Secure

Demo: http://youtu.be/1pDSzOiFgIk

Mycelium let's you hold your private keys private.
johnyj
Legendary
*
Offline Offline

Activity: 1834


Beyond Imagination


View Profile
October 31, 2013, 12:53:50 PM
 #29

If one bitcoin worth enough money, there will be hardware key logger built in the mother board, and the motherboard searches any hard drive for wallet files and send it to a server together with logged key stroke as soon as there is a network connection.  Cheesy

The only way to survive such attack is Armory (together with an old usb drive, before any fancy usb hidden devices are invented), but currently armory is still difficult to use

The 4ner
aka newbitcoinqtuser
Hero Member
*****
Offline Offline

Activity: 546


R.I.P Silk Road 1.0


View Profile
October 31, 2013, 01:12:34 PM
 #30

Try using a brain wallet. Store your coins in the mind! Shocked
wachtwoord
Legendary
*
Offline Offline

Activity: 1638


View Profile
October 31, 2013, 01:13:31 PM
 #31

Try using a brain wallet. Store your coins in the mind! Shocked

Don't. Very few people can come up with a passphrase safe enough to use.
Valerian77
Sr. Member
****
Offline Offline

Activity: 398


View Profile
October 31, 2013, 01:16:36 PM
 #32

Try using a brain wallet. Store your coins in the mind! Shocked

Don't. Very few people can come up with a passphrase safe enough to use.

Secondly - if you have an accident and loose your memory all Bitcoins will be lost too.

Bitmessage: BM-2cTHvwzzG3cDJxmM7YrYXSaBex4oRobJxu
wachtwoord
Legendary
*
Offline Offline

Activity: 1638


View Profile
October 31, 2013, 02:24:48 PM
 #33

Try using a brain wallet. Store your coins in the mind! Shocked

Don't. Very few people can come up with a passphrase safe enough to use.

Secondly - if you have an accident and loose your memory all Bitcoins will be lost too.

That's kinda true for my way of saving the Bitcoins too. If I'm the only one who knows it's a lot safer. I'm not responsible for anyone's lifelyhood though (except my own) Smiley
Valerian77
Sr. Member
****
Offline Offline

Activity: 398


View Profile
October 31, 2013, 02:41:37 PM
 #34

Secondly - if you have an accident and loose your memory all Bitcoins will be lost too.

That's kinda true for my way of saving the Bitcoins too. If I'm the only one who knows it's a lot safer. I'm not responsible for anyone's lifelyhood though (except my own) Smiley

Little selfish - may it would be worth to leave a closed letter with the private key at your lawyer for the case of the cases.

Bitmessage: BM-2cTHvwzzG3cDJxmM7YrYXSaBex4oRobJxu
Valerian77
Sr. Member
****
Offline Offline

Activity: 398


View Profile
October 31, 2013, 09:08:18 PM
 #35

Maybe it would be a good concept to make Bitcoin addresses invalid after a certain period of time. It would give the miners the possibility to reuse lost coins.

Lets say Bitcoin addresses get invalid after 10 years (we can call it expiration). Then any Bitcoin holder must be aware to transfer his money frequently to a new addresses (latest before 10 years are over). Lost coins can be found by blockchain analysis and simplly be remined.

Bitmessage: BM-2cTHvwzzG3cDJxmM7YrYXSaBex4oRobJxu
Scott J
Legendary
*
Offline Offline

Activity: 1778


View Profile
October 31, 2013, 09:39:45 PM
 #36

Maybe it would be a good concept to make Bitcoin addresses invalid after a certain period of time. It would give the miners the possibility to reuse lost coins.

Lets say Bitcoin addresses get invalid after 10 years (we can call it expiration). Then any Bitcoin holder must be aware to transfer his money frequently to a new addresses (latest before 10 years are over). Lost coins can be found by blockchain analysis and simplly be remined.
A lot of people are hostile to this idea (myself included).

Maybe only if the time period was greater than the average life expectancy.

Scott J
Legendary
*
Offline Offline

Activity: 1778


View Profile
October 31, 2013, 09:46:25 PM
 #37

Sorry to keep asking the same sort of questions, but...

If I were to have an online computer with a guaranteed clean OS, running only bitcoin-qt, with no other software ever to be installed, how could someone steal my coins?

(Ignoring offline attacks)


Valerian77
Sr. Member
****
Offline Offline

Activity: 398


View Profile
October 31, 2013, 10:12:23 PM
 #38

If I were to have an online computer with a guaranteed clean OS, running only bitcoin-qt, with no other software ever to be installed, how could someone steal my coins?

The same way someone could inject malware or a virus in your system without your direct support. Basically the attacker must be able to run some code or script on your computer. If your system was just clean (you never know if it was really clean even if you think so) then there might be three primary leakages:

1. you use any browser and it is able to execute code (Java, Javascript, ActiveX, etc ...) which simply reads your key input (keylogger) and/or your wallet.dat

2. you install some software which serves an attacker as intrusion point and reads your keys and/or wallet.dat

3. some process on your system (who knows how it came where it is now) serves an attacker as intrusion point and reads your keys and/or wallet.dat

You'll never be sure for 100%. But if you follow some rules (one of my previous postings in this thread) the probability to loose Bitcoins gets low.

Bitmessage: BM-2cTHvwzzG3cDJxmM7YrYXSaBex4oRobJxu
Scott J
Legendary
*
Offline Offline

Activity: 1778


View Profile
November 01, 2013, 12:43:58 AM
 #39

If I were to have an online computer with a guaranteed clean OS, running only bitcoin-qt, with no other software ever to be installed, how could someone steal my coins?

The same way someone could inject malware or a virus in your system without your direct support. Basically the attacker must be able to run some code or script on your computer. If your system was just clean (you never know if it was really clean even if you think so) then there might be three primary leakages:

1. you use any browser and it is able to execute code (Java, Javascript, ActiveX, etc ...) which simply reads your key input (keylogger) and/or your wallet.dat

2. you install some software which serves an attacker as intrusion point and reads your keys and/or wallet.dat

3. some process on your system (who knows how it came where it is now) serves an attacker as intrusion point and reads your keys and/or wallet.dat

You'll never be sure for 100%. But if you follow some rules (one of my previous postings in this thread) the probability to loose Bitcoins gets low.
Thank you.

What I'm struggling to get my head around is that I need a 'clean' PC to generate my private keys for a paper wallet, so why not just install Bitcoin-qt and do NOTHING else with this computer, but send/receive transactions?

Is connecting to the internet inherently dangerous even if you don't download ANYTHING?


Valerian77
Sr. Member
****
Offline Offline

Activity: 398


View Profile
November 01, 2013, 01:35:34 AM
 #40

Is connecting to the internet inherently dangerous even if you don't download ANYTHING?

Yes it is inherently dangerous. But following some rule reduces risks:
https://bitcointalk.org/index.php?topic=320385.msg3443370#msg3443370

I am thinking over long time on the same problem now. Finally the point is: Know your system.
Paper wallets etc also have their flaws.

Bitmessage: BM-2cTHvwzzG3cDJxmM7YrYXSaBex4oRobJxu
Pages: « 1 [2] 3 »  All
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!