Say apple or microsoft wanted your coins could they....

[jubalix]

Could apple or microsoft put in some code into their OS that grabs you private keys at the point of decryption from a memory read and send them back to the mother ship, or you entered password for you encrypted wallet and they send that and your wallet back....all without you knowing. Or would they get a few people then it would be figured out and some sort of fix.

Eg some coder in one of the large corps just decides to insert this code and obfuscate it.

air gaped would defeat, but maybe not as the signing event, could trigger some sort of insert vector to a connected USB, that captures the password.

[Qoheleth]

If you're using a standard 1XXXX... address? Absolutely. "I control my own machine" is a fundamental assumption in normal use.

If you're using multisig addresses with physical separation of keys (e.g. your computer signs the transaction and sends it to your phone, your phone co-signs and submits), this attack is defeated unless both systems are compromised by the same attacker. The code to support such addresses was committed to bitcoin-qt over a year ago (it's why some addresses look like 3XXXX...), but support for the process itself is thin on the ground.

Of course, from a practical perspective, airgap-jumping attacks are generally targeted at a known configuration. If someone is deploying that sort of attack against you, they can probably break into your phone too.

[jubalix]

If you're using a standard 1XXXX... address? Absolutely. "I control my own machine" is a fundamental assumption in normal use.

If you're using multisig addresses with physical separation of keys (e.g. your computer signs the transaction and sends it to your phone, your phone co-signs and submits), this attack is defeated unless both systems are compromised by the same attacker. The code to support such addresses was committed to bitcoin-qt over a year ago (it's why some addresses look like 3XXXX...), but support for the process itself is thin on the ground.

Of course, from a practical perspective, airgap-jumping attacks are generally targeted at a known configuration. If someone is deploying that sort of attack against you, they can probably break into your phone too.

air gap attacks you would just have to know os + usb, thats pretty much down to osx, win for a lot.

Your multi sig would make it hard if you you used 2 different USB as the two sig data's would never be exposed in the same time frame. So that would be a very hard to attack this. essentially you would need 3 computers.

[Carlton Banks]

Who?

[mogrith]

Could apple or microsoft put in some code into their OS that grabs you private keys at the point of decryption from a memory read and send them back to the mother ship, or you entered password for you encrypted wallet and they send that and your wallet back....all without you knowing. Or would they get a few people then it would be figured out and some sort of fix.

Eg some coder in one of the large corps just decides to insert this code and obfuscate it.

air gaped would defeat, but maybe not as the signing event, could trigger some sort of insert vector to a connected USB, that captures the password.

Well assuming coder can do that he could also grab all bank and CC info, logins to stock trading accounts etc. So why steal BTC.

 

[jubalix]

Could apple or microsoft put in some code into their OS that grabs you private keys at the point of decryption from a memory read and send them back to the mother ship, or you entered password for you encrypted wallet and they send that and your wallet back....all without you knowing. Or would they get a few people then it would be figured out and some sort of fix.

Eg some coder in one of the large corps just decides to insert this code and obfuscate it.

air gaped would defeat, but maybe not as the signing event, could trigger some sort of insert vector to a connected USB, that captures the password.

Well assuming coder can do that he could also grab all bank and CC info, logins to stock trading accounts etc. So why steal BTC.

 

because who exactly is going to know or sue or identify him/her. Bank account much more traceable.

[ArticMine]

In Microsoft's case especially with post XP versions of Windows absolutely. There are many parts of the OS where the owner (even an administrator) is completely locked out in Vista/7/8 due to the the desire on the part of Microsoft to support DRM in particular HDCP. Basically I would not trust any OS that supports DRM with my Bitcoins for this very reason. It is the reason why I only use GNU/Linux for my Bitcoins.

[Rupture]

They'd have to issue an update first but people would probably realise what is going on an sue/switch to linux

[oakpacific]

Read this: http://cm.bell-labs.com/who/ken/trust.html

[JTrain_51]

I honestly don't want to know if apple or microsoft can take my bitcoins or not all I care about is if they do or don't