Is it alright or not? Can I use it for the IPO?
yes
Where do I get my personal key from?
C:\Users\"YOUR USER"\.skycoin\wallets
inside wallets folder you'll find all the wallets you have created through the browser (.wlt files)
you can open these files with notepad; they include the seed, address & pub/priv keys
only one address per seed generated in browser at this stage
note: these .wlt files are not encrypted; make encrypted backups
Really? All this talking about security stuff: "Nothing is safe, etc."
And now we create wallets with secret keys in plain text, unencrypted without a password?
??
Even if I delete them now or store them in TrueCrypt or USB-Stick, it could be already stolen.
Super tinfoil mode:
Generate a wallet using electrum seed words on a computer that's not connected to the internet, surrounded by signal absorbing material on an open-source operating system with open-source hardware. Write the words down, don't print them on a printer. Then, destroy the computer without removing it from the room w/ signal absorbing material, after writing down the receiving address first.
Then, do what you'd like with those words. Things can get pretty creative from there.
Also, not such a good idea to use TrueCrypt anymore: WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues
Not sure if skycoin is using any kind of mnemonic wallet generation. I'd be surprised if they aren't.
Very funny. I am not talking about securing it from Pentagon. I am talking about secret keys in plain text files without password protection!!!
You are quite right. The DEV is concerned about security vulnerabilities at hardware shack attack level and tries to address that (in technical terms correctly) by suggesting security devices that use ARM TrustZone to make the solution secure at the lowest possible layer, at hardware registers and firmware boot ... and then the keys are in a plain text file.
I have been the biggest fan of the DEV and this project for a long time, but right now, following that long discussion with iamback - which from 80% I couldn't understand a thing - I am a bit confused what's happening.
Yes. We are also concerned about "Default Security". For average user.
Here is an example. Many people want "vanity addresses". Third party services generate the addresses, then you import the private key. They store the private key, wait until you have a bunch of coins and then steal some of them! Users think it was a trojan or they don't even know how the coins were stolen. To protect against that, we have to make sure vanity address gen is client side and integrated into the skycoin wallet. We have to make sure that the default way is the easiest way and that it is secure, for every single action that can result in coins being stolen or lost.
Normally, when a vanity address theft happens, they only steal a fraction of the coins. The user wonders why they stole only a few and not every coin. If they had a trojan, why would someone steal a few coins when they could steal them all? The user is confused. It is because if they did transactions, then some of the coins are in the vanity address and some of the coins are in change addresses. The thief is the third party who generated the vanity address and they only have the private key for that address (which only has a fraction of the keys in the wallet).
A theft of a few coins, but not the whole wallet, can also occur when private keys are generated with a weak random number generator. Bitcoin was using OpenSSL and we are finding many, many bugs in OpenSSL, and many system random number generators are being discovered to be weak. So we are not using OpenSSL and we made sure Skycoin salts the key generation so it won't be compromised even if the random number generator is faulty. We are improving that even further in future by using SHA3 to accumulate entropy on every random number call.
I could write a 200 page book about every way that Bitcoin has been lost or stolen. We have to make hundreds of small, incremental changes over time.
We have multiple wallets in Skycoin, because we have seen people delete wallets with bitcoin in them, because we had to swap out wallets. It's easy to overwrite a wallet with coins in it and panic. So we tried to make it easy to have multiple wallets loaded in Skycoin and make it easy to back up the wallets (a simple seed or pass phrase).
We have deterministic wallets and only deterministic wallets as the default, because we have seen people lose coins unexpectedly by loading a wallet from backup after making transactions, because backups do not contain the newly generated change addresses! Bitcoind generates new change addresses after every transaction, which bitcoin are sent to. So if you restore a wallet from backup, you may be missing coins. This also means in Bitcoin, if you have two thumb drives with the same wallet on them and do transactions on each, they will end up with different coin balances! Each wallet will have different change addresses after being used for a while!
Skycoin doesn't do this at all, because it would mean unexpected behavior and people would lose coins. We made sure that the default behavior is exactly what users expect and that the defaults don't result in people losing coins.
There are so many ways to lose coins in Bitcoin, that addressing every situation is overwhelming. We need to hire contractors to work on each little detail (vanity gen in wallet, locking/unlocking wallets, default on screen keyboard), because we will go mad otherwise. I think we have covered 90% of the causes of coin theft that the user could not control.
We will add a password feature on the wallet, but it is a false sense of security. It will stop someone from passively grabbing the wallet, but if they have a key logger, they will get the password. It does make it more difficult (grab file + keylogger). If you use an on-screen keyboard, then it makes it painful. It would put wallet theft beyond the skill level of most script kiddies.
The average user will lose more coins from unexpected behavior, than security. We have almost eliminated unexpected behavior. Exchanges are where we need enough software and hardware security to protect against government level infosec/hacker firms.
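The backup problem described in the post above, as an added example that is not part of the original thread and not Skycoin or Bitcoin code: a random-key wallet restored from an old backup loses sight of coins sent to later change keys, while a wallet re-derived from its seed does not. The SHA-256 derivation, class names and seed string are assumptions made for the illustration.

```python
import hashlib
import os

def derive_key(seed: str, index: int) -> str:
    # Toy derivation (assumption): NOT Skycoin's actual key-generation algorithm.
    return hashlib.sha256(f"{seed}/{index}".encode()).hexdigest()

class RandomKeyWallet:
    """Change goes to a fresh random key that no earlier backup contains."""
    def __init__(self):
        self.keys = [os.urandom(32).hex()]
    def new_change_key(self) -> str:
        self.keys.append(os.urandom(32).hex())
        return self.keys[-1]

class DeterministicWallet:
    """Every key is a function of the seed, so the seed alone is a full backup."""
    def __init__(self, seed: str, n_keys: int = 1):
        self.seed = seed
        self.keys = [derive_key(seed, i) for i in range(n_keys)]
    def new_change_key(self) -> str:
        self.keys.append(derive_key(self.seed, len(self.keys)))
        return self.keys[-1]

def spend(wallet, ledger: dict, amount: int) -> None:
    """Spend from the newest key; the remainder moves to a new change key."""
    remainder = ledger.pop(wallet.keys[-1]) - amount
    ledger[wallet.new_change_key()] = remainder

def spendable(keys, ledger: dict) -> int:
    """Coins in the ledger that the given keys control."""
    owned = set(keys)
    return sum(v for k, v in ledger.items() if k in owned)

def restore_after_two_spends(wallet, restore) -> tuple:
    """Fund key 0 with 100, back up, spend 10 twice, then restore.
    Returns (true balance, balance visible after the restore)."""
    ledger = {wallet.keys[0]: 100}
    backup = list(wallet.keys)          # snapshot taken before any transaction
    spend(wallet, ledger, 10)
    spend(wallet, ledger, 10)
    return spendable(wallet.keys, ledger), spendable(restore(backup), ledger)

def demo():
    seed = "constructed example seed"   # sample value, not a real wallet seed
    random_result = restore_after_two_spends(RandomKeyWallet(), lambda b: b)
    det_result = restore_after_two_spends(
        DeterministicWallet(seed),
        lambda _b: DeterministicWallet(seed, n_keys=10).keys)  # re-derive from seed
    return random_result, det_result

if __name__ == "__main__":
    print(demo())
```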
>Wallet Seed Security
We recommend creating a new wallet from scratch and using a strong password. Anything less than 12 characters will get brute forced. Some GPUs can brute force 2,600,000,000 passwords per second and anything less than 12 characters will get broken eventually (but is safe for small balances). Hackers combine very fast hash rates (trillions of passwords per second) with rainbow tables. So generally, most passwords commonly used can be brute forced.
Lowercase 10 letters/numbers: 51.7 BoE (bits of entropy)
5 common words (2000 word dictionary): 54.8 BoE
Mixed case 10 letters/numbers: 59.5 BoE
6 common words (2000 word dictionary): 65.8 BoE
Lower case 13 letters/numbers: 67.2 BoE
Mixed case 13 letters/numbers: 77.4 BoE
12 common words +120 BoE
Brute forcing all wallets with 64 bits of entropy is doable in four years. Electrum pass phrases are 128 bits of entropy and this is minimum. Skycoin should adapt the electrum pass phrase model with 8 to 12 random words from dictionary. This is easier to write down than the hex. It is harder to screw up.
If you need security, we recommend using a SHA256 hash as the seed. Or take a decent password, then add your phone number after it or birthdate. Something you will remember and that an attacker won't know usually.
>How to get wallet seed
This is a very good question!
Look at the interface, see "import from seed button". This lets you type in a new seed/passphrase and generate a wallet.
New Wallet: creates a new wallet, with a random pass phrase (also called a seed)
Import Wallet From Seed: Lets you generate a wallet from a pass phrase you choose (Which becomes the seed that generates the wallet)
In the web-wallet, add /wallets to the URL and you can see your wallets and copy down the seed.
Remote Wallet Example:
This is a remote wallet.
It's public, so don't import your wallet seed here. This is for publicly checking balances and demonstration.
http://skycoin-chompyz.c9.io/
These are the "outputs". This is where coins are stored. You can check balance here.
http://skycoin-chompyz.c9.io/outputs
If you open your wallet through the web interface and do "/wallet", you get the list of wallets. As long as you have written down "seed", then you cannot lose your coins.
http://skycoin-chompyz.c9.io/wallets
Try creating a wallet with a seed (import wallet from seed), then close the client, delete the wallet, then go and reimport the wallet from the seed. Make sure you get the same address and private key the second time.
IPO Status
We have not started sending out confirmation receipts yet. We finished the remote server, so people can check balances.
http://skycoin-chompyz.c9.io/outputs
We also triple tested deterministic bitcoin privatekey and address generation from Skycoin. We are sure this is working now. So we can generate a unique address for each receipt in the IPO.
We will have a bitcoin wrapper over sx, when the darkwallet team makes that stable and then can store bitcoin in Skycoin wallets. Also allows libraries for making it easier to deal with a good library without having to go through bitcoind. This will make developers happy.
> OSX issue:
There is a problem with the wget flags in the gvm script. It appears to affect mingw and some versions of OSX. You may need to look up the gvm instructions for installing go, do that (and maybe fix script and do pull request). We tested it on OSX and it worked for us.
>Even if I delete them now or store them in TrueCrypt or USB-Stick, it could be already stolen.
I think we might change the Skycoin wallet storage directory, to be a subfolder of the exe. So it is easier to find. Then you can just put skycoin exe and wallets on a USB stick. In Bitcoin, many users cannot find their wallets at all and it can be difficult.
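The entropy figures in the "Wallet Seed Security" part of the post above can be reproduced and extended with a short calculation. This is an added example, not part of the original thread; it assumes every symbol or word is picked uniformly at random, and the function names are chosen here for illustration.

```python
import math

GPU_RATE = 2_600_000_000            # guesses per second, the GPU figure quoted in the post
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols drawn uniformly at random from the alphabet.
    Human-chosen passwords are not uniform and have less entropy than this."""
    return length * math.log2(alphabet_size)

def length_for(target_bits: float, alphabet_size: int) -> int:
    """Fewest random symbols needed to reach at least `target_bits`."""
    return math.ceil(target_bits / math.log2(alphabet_size))

def years_to_exhaust(bits: float, rate: float = GPU_RATE) -> float:
    """Years a single guesser at `rate` needs to try every candidate."""
    return 2 ** bits / rate / SECONDS_PER_YEAR

# name: (alphabet size, number of symbols); 36 = a-z0-9, 62 = a-zA-Z0-9
SCHEMES = {
    "lowercase 10 letters/numbers": (36, 10),
    "5 common words (2000 word dictionary)": (2000, 5),
    "mixed case 10 letters/numbers": (62, 10),
    "6 common words (2000 word dictionary)": (2000, 6),
    "lowercase 13 letters/numbers": (36, 13),
    "mixed case 13 letters/numbers": (62, 13),
    "12 common words (2000 word dictionary)": (2000, 12),
}

def table() -> dict:
    """Entropy in bits for each scheme, rounded to one decimal place."""
    return {name: round(entropy_bits(a, n), 1) for name, (a, n) in SCHEMES.items()}

if __name__ == "__main__":
    for name, bits in table().items():
        print(f"{name:40s} {bits:6.1f} bits  "
              f"{years_to_exhaust(bits):.3g} years at one GPU")
    print("words needed for 128 bits:", length_for(128, 2000))
```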