Bitcoin Forum
Topic: Coming Soon! impossible to steal wallets
TiagoTiago
October 27, 2011, 06:11:53 AM
 #21

If it's not gonna be open source I won't trust it can live up to the claims.

Syke
October 27, 2011, 06:34:18 AM
 #22

> My software will make it impossible for the wallet to be accessed by anything other than the real bitcoin software.

The only thing impossible is your claim. Any protection you put into the software can be simulated if the system is compromised.

JohnnyCashout
October 27, 2011, 07:09:16 AM
 #23

Trollolol

in b4 OP runs off with the bitcoins of anyone stupid enough to install his trojan
Andrew Vorobyov
October 27, 2011, 07:53:00 AM
 #24

If it is not open source - forget it.... just don't spend your time on it you will not get a dime out of it...

joeyjoe
October 27, 2011, 02:44:00 PM
 #25

> If it is not open source - forget it.... just don't spend your time on it you will not get a dime out of it...

People that make anti-viruses or firewalls do not make them open source as that would defeat the point. With the source, people would work out ways around it.

It won't be open source, if you don't trust it, don't install it. Don't install anything ever again, why have you got an OS installed if it's not open source?? Have you installed anything in the past year that isn't open source?? I wouldn't trust it then if I were you.

Have you put funds on mtgox or tradehill recently? How can you trust it without full password access to their servers and bank accounts?

I bet 99% of you didn't check the source code for the bitcoin software anyway, let alone check the signature. I could easily post source code to a trojan and remove all the trojan bits, and no one would notice for some time.

I know people will still use it. Probably be a bit wary of it at first, but once it gains enough reputation more people will trust and use it.


Tuxavant
October 27, 2011, 02:58:32 PM
 #26

My Bitcoins are already protected against theft and I don't have to trust a 3rd party for their security.

I've created about 100 Bitcoin addresses off-line. I've divided my Bitcoins into manageable denominations and distributed the Bitcoins to those off-line addresses.

The private keys have been GPG encrypted and encoded to QRCodes. Those QRCodes have been printed to paper and distributed to several locations online and in the real world.

As I need to spend Bitcoin, I only need to import an address at a time until I have my needed funds. The rest remain off-line - safe.

It was a very tedious and scary process, but I did a lot of testing to ensure my procedure. I would not wish this on any n00b. Any solution to protect someone's Bitcoins needs to be a self reliant process, with redundant outputs, and no requirement for 3rd party trust. I am confident that some developer will soon make this process an easy, "click here" solution for the average user to benefit from.

P4man
October 27, 2011, 02:59:41 PM
 #27

> People that make anti-viruses or firewalls do not make them open source as that would defeat the point. With the source, people would work out ways around it.

If your security depends on the source being secret, then it's not secure, period.

DeathAndTaxes
October 27, 2011, 02:59:45 PM
 #28

>> If it is not open source - forget it.... just don't spend your time on it you will not get a dime out of it...
>
> People that make anti-viruses or firewalls do not make them open source as that would defeat the point. With the source, people would work out ways around it.
>
> It won't be open source, if you don't trust it, don't install it. Don't install anything ever again, why have you got an OS installed if it's not open source?? Have you installed anything in the past year that isn't open source?? I wouldn't trust it then if I were you.
>
> Have you put funds on mtgox or tradehill recently? How can you trust it without full password access to their servers and bank accounts?
>
> I know people will still use it. Probably be a bit wary of it at first, but once it gains enough reputation more people will trust and use it.


http://www.clamav.net/
http://www.smoothwall.org

Security through obscurity is no security.

True security comes from taking the approach that your attacker already knows the secrets. For example a good bank vault is designed to deter an attacker even if an attacker has the complete schematics and material specs.

http://en.wikipedia.org/wiki/Kerckhoffs%27_principle

If your code can't survive scrutiny and remain secure you are merely hiding the mechanism that blocks an attacker. Eventually an attacker will discover it and "undo" it.

SHA-256, Bitcoin, and Linux are three examples of secure systems where there are no "secrets". Everything about SHA-256 hash is in the open, publicly available. Go ahead and try and crack it. There are no secrets so it should be easy right?

There are times when closed source is fine.  I don't care if a video game is closed source, however mining and wallets can involve significant amounts of money so that ups the security requirements. 

My mining rigs are 100% open source.  Linux (open source) + Miner (open source) + utilities (open source).
Mageant
October 27, 2011, 03:22:27 PM
 #29

I'm thinking perhaps it is an OS process that blocks access to the wallet.dat file except for the Bitcoin program (and a backup program).

That way if a Trojan were running on the system it could not copy or read the file. At least it would make it more difficult for the Trojan as it would have to circumvent or shut down the protecting process first, or it would have to directly read out of the memory.

cypherdoc
October 27, 2011, 03:25:43 PM
 #30

I have an impossible to steal wallet.  It's called a paper wallet.  Physical bitcoins are just metallic paper wallets with a preloaded balance.

I suppose it can be stolen in person.  But can't be stolen online if produced securely.

Ultimately, with computers being hackable and as porous as swiss cheese, I feel that offline bitcoins is the only safe way for the average consumer to go.

wow, i never realized you felt that strongly about it.  hmmm....
DeathAndTaxes
October 27, 2011, 03:26:27 PM
 #31

> I'm thinking perhaps it is an OS process that blocks access to the wallet.dat file except for the Bitcoin program (and a backup program).
>
> That way if a Trojan were running on the system it could not copy or read the file. At least it would make it more difficult for the Trojan as it would have to circumvent or shut down the protecting process first, or it would have to read something out of the memory.

Or just use the wallet remotely. Simulating user input is a somewhat trivial task. You don't need to steal the wallet.dat if you simply write a trojan which waits until it has acquired the passphrase and then uses the wallet to send the full balance to an address owned by the attacker. I have been looking into running a wallet inside a smart card because it provides some resistance to an attacker (compromising the computer is useless, you need to compromise the smartcard).

Just bouncing attack and defense ideas off myself and colleagues, I believe that the only secure digital wallet is one that also has a secure 2nd factor authentication.
Tuxavant
October 27, 2011, 03:30:07 PM
 #32

> That way if a Trojan were running on the system it could not copy or read the file. At least it would make it more difficult for the Trojan as it would have to circumvent or shut down the protecting process first, or it would have to directly read out of the memory.

Problem is, the trojan probably already elevated privileges to install itself. If it's got that permission on the system, it would be able to do anything else (like disable the "don't touch my wallet.dat" file protection process).

BubbleBoy
October 27, 2011, 03:31:32 PM
 #33

joeyjoe, thank you for working so hard for the good of the community. An unhackable wallet is a much needed product, it can't arrive any moment too soon. If only allinvain, the infamous wallet.dat victim, would be alive to see this day! Sadly the pressure of losing half a million dollars to a hacker was too much for the poor soul, he succumbed to deep depression and took his own life by homoerotic asphyxiation. Sad indeed.

However I cannot but wonder why would men with such genius waste time on a small fish like the Bitcoin. Banks are wasting billions of dollars on things like security tokens and authentication methods. A method guaranteeing that only the bank software has access to say, a certificate file used in the authentication, is pure gold. It's easily the invention of the decade in the field of security. Your company might very well be the next Apple. Since I see its potential, I'm more than anxious to buy stock in an IPO, please keep me posted!

Hush now, stop wasting your talent on these unworthy simpletons, disclosing the glorious invention. Together the three of us will make billions !
kokjo
October 27, 2011, 03:33:35 PM
 #34

When you release it, I will hack it in 10 seconds, or at least prove that there is a flaw in your system.

Wanna bet? 100btc, 1000btc?

"The whole problem with the world is that fools and fanatics are always so certain of themselves and wiser people so full of doubts." -Bertrand Russell
P4man
October 27, 2011, 03:39:07 PM
 #35

> When you release it, I will hack it in 10 seconds, or at least prove that there is a flaw in your system.
>
> Wanna bet? 100btc, 1000btc?

I'll take it!
1000 BTC it takes you more than 10 seconds to hack or disprove my unhackable arhm.. I don't know, obfuscated file extension enhanced password protected zip file method. Ready when you are, I'll publish and you have 10 seconds. Deal?

kokjo
October 27, 2011, 03:45:51 PM
 #36

>> When you release it, I will hack it in 10 seconds, or at least prove that there is a flaw in your system.
>>
>> Wanna bet? 100btc, 1000btc?
>
> I'll take it!
> 1000 BTC it takes you more than 10 seconds to hack or disprove my unhackable arhm.. I don't know, obfuscated file extension enhanced password protected zip file method. Ready when you are, I'll publish and you have 10 seconds. Deal?

typo! minutes?

DeathAndTaxes
October 27, 2011, 03:50:31 PM
 #37

>> That way if a Trojan were running on the system it could not copy or read the file. At least it would make it more difficult for the Trojan as it would have to circumvent or shut down the protecting process first, or it would have to directly read out of the memory.
>
> Problem is, the trojan probably already elevated privileges to install itself. If it's got that permission on the system, it would be able to do anything else (like disable the "don't touch my wallet.dat" file protection process).

True in most cases, however for things like a TPM a process doesn't have access to data stored inside the TPM unless it has also compromised the operating system. I was just pointing out a second attack vector, even IF you could assure the private keys remain private a wallet could be compromised by transferring the value using the client.

A truly secure wallet would:
a) be deterministic to avoid the need for backups and protect against loss.
b) prevent access to private keys by any process.
c) require 2nd factor authentication.
kokjo
October 27, 2011, 04:00:13 PM
 #38



> True in most cases, however for things like a TPM a process doesn't have access to data stored inside the TPM unless it has also compromised the operating system. I was just pointing out a second attack vector, even IF you could assure the private keys remain private a wallet could be compromised by transferring the value using the client.

A compromise of the OS wouldn't do anything. The TPM only does signing, it contains a private key that the OS does not have access to.

DeathAndTaxes
October 27, 2011, 04:25:21 PM
 #39



>> True in most cases, however for things like a TPM a process doesn't have access to data stored inside the TPM unless it has also compromised the operating system. I was just pointing out a second attack vector, even IF you could assure the private keys remain private a wallet could be compromised by transferring the value using the client.
>
> A compromise of the OS wouldn't do anything. The TPM only does signing, it contains a private key that the OS does not have access to.

True, I spoke somewhat unclearly. TPM doesn't have enough memory to store a bitcoin wallet. It also doesn't support the hashing algorithms used by Bitcoin, so TPM could only be used to hold the decryption key for a Bitcoin wallet. A TPM aware OS will support a feature called protected memory. TPM can indicate to the OS to dedicate some memory as protected memory and indicate which processes are allowed to access it. This would allow a key in TPM to be given to a wallet running in protected memory to decrypt the wallet, perform transactions, and then clear the protected memory.

If everything works correctly the key can only be accessed by the valid wallet application. If the OS is compromised though it may not properly protect this "protected memory" allowing a trojan or other app.

The larger point is that even if the private key can be guaranteed to NEVER be lost/stolen/copied one still needs to protect the actual wallet applications, otherwise malicious software could simply use the wallet to transfer funds out.
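
Added example, not code from any poster in this thread: a sketch of the three properties listed in post #37 together with the closing point of post #39, where the signer only authorizes a spend when given a code bound to the exact destination and amount. The function and class names, the HMAC-based key derivation and the HMAC used in place of a real ECDSA signature are all assumptions made for illustration.

```python
import hashlib
import hmac

def derive_key(seed: bytes, index: int) -> bytes:
    """(a) Deterministic: every key is recomputed from one backed-up seed."""
    label = b"wallet-key/" + index.to_bytes(4, "big")
    return hmac.new(seed, label, hashlib.sha512).digest()[:32]

def confirmation_code(token_secret: bytes, dest: str, amount: int, counter: int) -> str:
    """(c) Computed on the separate device after it displays dest and amount."""
    msg = f"{counter}|{dest}|{amount}".encode()
    digest = hmac.new(token_secret, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"

class Signer:
    """(b) Stand-in for the smart card: secrets never leave this object."""

    def __init__(self, seed: bytes, token_secret: bytes):
        self._seed, self._token_secret, self._counter = seed, token_secret, 0

    def sign_spend(self, index: int, dest: str, amount: int, code: str) -> bytes:
        expected = confirmation_code(self._token_secret, dest, amount, self._counter)
        if not hmac.compare_digest(expected, code):
            raise PermissionError("code does not authorize this spend")
        self._counter += 1  # each code authorizes exactly one spend
        # Assumption: HMAC stands in for the ECDSA signature of a real wallet.
        tx = f"{dest}|{amount}".encode()
        return hmac.new(derive_key(self._seed, index), tx, hashlib.sha256).digest()

def attempt(card: Signer, dest: str, amount: int, code: str) -> str:
    try:
        card.sign_spend(0, dest, amount, code)
        return "signed"
    except PermissionError:
        return "rejected"

def demo() -> dict:
    # Constructed sample values; the host only ever sees `code`, never the secrets.
    seed, token_secret = b"constructed-seed", b"constructed-token-secret"
    card = Signer(seed, token_secret)
    code = confirmation_code(token_secret, "addr-user", 5000, 0)  # user approves
    return {
        "swapped": attempt(card, "addr-attacker", 5000, code),  # host altered dest
        "intended": attempt(card, "addr-user", 5000, code),
        "replay": attempt(card, "addr-user", 5000, code),  # same code reused
    }

if __name__ == "__main__":
    print(demo())
```
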
the founder
October 27, 2011, 04:29:27 PM
 #40

There is a way to make bitcoins safe, we offer the cold storage option that the bitcoins are sent to a computer physically turned off... but it's a manual process and we had to spend considerable funds securing a deposit box in the bank to store the USB keys, rent an office with a security system just for the cold storage system, get new servers only to be used for the backup process...

It's possible, just such a hassle...



