TiagoTiago
|
|
October 27, 2011, 06:11:53 AM |
|
If it's not gonna be open source i won't trust it can live up to the claims.
|
(I dont always get new reply notifications, pls send a pm when you think it has happened) Wanna gimme some BTC/BCH for any or no reason? 1FmvtS66LFh6ycrXDwKRQTexGJw4UWiqDX The more you believe in Bitcoin, and the more you show you do to other people, the faster the real value will soar!
|
|
|
Syke
Legendary
Offline
Activity: 3878
Merit: 1193
|
|
October 27, 2011, 06:34:18 AM |
|
My software will make it impossible for the wallet to be accessed by anything other than the real bitcoin software.
The only thing impossible is your claim. Any protection you put into the software can be simulated if the system is compromised.
|
Buy & Hold
|
|
|
JohnnyCashout
Newbie
Offline
Activity: 35
Merit: 0
|
|
October 27, 2011, 07:09:16 AM |
|
Trollolol
in b4 OP runs off with the bitcoins of anyone stupid enough to install his trojan
|
|
|
|
Andrew Vorobyov
|
|
October 27, 2011, 07:53:00 AM |
|
If it is not open source - forget it.... just don't spend your time on it you will not get a dime out of it...
|
|
|
|
joeyjoe (OP)
|
|
October 27, 2011, 02:44:00 PM Last edit: October 27, 2011, 03:00:49 PM by joeyjoe |
|
If it is not open source - forget it.... just don't spend your time on it you will not get a dime out of it...
people that make anti-viruses or firewalls do not make them open source as that would defeat the point. With the source, people would work out ways around it. It wont be open source, if you dont trust it, dont install it. Dont install anything ever again, why have you got an OS installed if its not open source?? have you installed anything in the past year that isnt open source?? i wouldnt trust it then if i were you. Have you put funds on mtgox or tradehill recently? how can you trust it without full password access to their servers and bank accounts? I bet 99% of you didnt check the source code for the bitcoin software anyway, let alone check the signature. I could easily post source code to a trojan and remove all the trojan bits, and no one would notice for some time. I know people will still use it. Probally be a bit wary of it at first, but once it gains enough reputation more people will trust and use it.
|
Bitcoin PHP programmer for hire! (HTML / CSS / JQuery / AJAX / .NET).
|
|
|
Tuxavant
|
|
October 27, 2011, 02:58:32 PM |
|
My Bitcoins are already protected against theft and I don't have to trust a 3rd party for their security.
I've created about 100 Bitcoin addresses off-line. I've divided my Bitcoins into manageable denominations and distributed the Bitcoins to those off-line addresses.
The private keys have been GPG encrypted and encoded to QRCodes. Those QRCodes have been printed to paper and distributed to several locations online and in the real world.
As I need to spend Bitcoin, I only need to import an address at a time until I have my needed funds. The rest remain off-line - safe.
It was a very tedious and scary process, but I did a lot of testing to ensure my procedure. I would not wish this on any n00b. Any solution to protect someone's Bitcoins needs to be a self reliant process, with redundant outputs, and no requirement for 3rd party trust. I am confident that some developer will soon make this process an easy, "click here" solution for the average user to benefit from.
|
|
|
|
P4man
|
|
October 27, 2011, 02:59:41 PM |
|
people that make anti-viruses or firewalls do not make them open source as that would defeat the point. With the source, people would work out ways around it. If your security depends on the source being secret, then its not secure, period.
|
|
|
|
DeathAndTaxes
Donator
Legendary
Offline
Activity: 1218
Merit: 1079
Gerald Davis
|
|
October 27, 2011, 02:59:45 PM Last edit: October 27, 2011, 03:11:20 PM by DeathAndTaxes |
|
If it is not open source - forget it.... just don't spend your time on it you will not get a dime out of it...
people that make anti-viruses or firewalls do not make them open source as that would defeat the point. With the source, people would work out ways around it. It wont be open source, if you dont trust it, dont install it. Dont install anything ever again, why have you got an OS installed if its not open source?? have you installed anything in the past year that isnt open source?? i wouldnt trust it then if i were you. Have you put funds on mtgox or tradehill recently? how can you trust it without full password access to their servers and bank accounts? I know people will still use it. Probally be a bit wary of it at first, but once it gains enough reputation more people will trust and use it. http://www.clamav.net/http://www.smoothwall.orgSecurity through obscurity is no security. True security comes from taking the aproach that your attacker already knows the secrets. For example a good bank vault is designed to deter an attacker even if an attacker has the complete scematics and material specs. http://en.wikipedia.org/wiki/Kerckhoffs%27_principleIf your code can't survive scrutiny and remains secure you are merely hiding the mechanism that blocks an attacker. Eventually an attacker will discover it an "undo" it. SHA-256, Bitcoin, and Linux are three examples of secure systems where there are no "secrets". Everything about SHA-256 hash is in the open publicly available. Go ahead and try and crack it. There are no secrets so it should be easy right? There are times when closed source is fine. I don't care if a video game is closed source, however mining and wallets can involve significant amounts of money so that ups the security requirements. My mining rigs are 100% open source. Linux (open source) + Miner (open source) + utilities (open source).
|
|
|
|
Mageant
Legendary
Offline
Activity: 1145
Merit: 1001
|
|
October 27, 2011, 03:22:27 PM |
|
I'm thinking perhaps it is a OS process that blocks access to the wallet.dat file except for the Bitcoin program (and a backup program).
That way if a Trojan were running on the system it could not copy or read the file. At least it would make it more difficult for the Trojan as it would have to circumvent or shut down the protecting process first, or it would have to directly read out of the memory.
|
cjgames.com
|
|
|
cypherdoc
Legendary
Offline
Activity: 1764
Merit: 1002
|
|
October 27, 2011, 03:25:43 PM |
|
I have an impossible to steal wallet. It's called a paper wallet. Physical bitcoins are just metallic paper wallets with a preloaded balance.
I suppose it can be stolen in person. But can't be stolen online if produced securely.
Ultimately, with computers being hackable and as porous as swiss cheese, I feel that offline bitcoins is the only safe way for the average consumer to go.
wow, i never realized you felt that strongly about it. hmmm....
|
|
|
|
DeathAndTaxes
Donator
Legendary
Offline
Activity: 1218
Merit: 1079
Gerald Davis
|
|
October 27, 2011, 03:26:27 PM |
|
I'm thinking perhaps it is a OS process that blocks access to the wallet.dat file except for the Bitcoin program (and backup a program).
That way if a Trojan were running on the system it could not copy or read the file. At least it would make it more difficult for the Trojan as it would have to circumvent or shut down the protecting process first, or it would have to read out something out of the memory.
Or just use the wallet remotely. Simulating user input is somewhat trivial task. You don't need to steal the wallet.dat if you simply write a trojan which waits until it acquired passphrase and then uses the wallet to send full balance to an address owned by the attacker. I have been looking into running a wallet inside a smart card because it provides some resistance to an attacker (compromising the computer is useless you need to compromise the smartcard). Just bouncing attack and defense ideas off myself and colleges I believe that the only secure digital wallet is one that also has a secure 2nd factor authentication.
|
|
|
|
Tuxavant
|
|
October 27, 2011, 03:30:07 PM |
|
That way if a Trojan were running on the system it could not copy or read the file. At least it would make it more difficult for the Trojan as it would have to circumvent or shut down the protecting process first, or it would have to directly read out of the memory.
Problem is, the trojan probably already elevated privileges to install itself. If it's got that permission on the system, it would be able to do anything else (like disable the "dont touch my wallet.dat" file protection process.
|
|
|
|
BubbleBoy
|
|
October 27, 2011, 03:31:32 PM |
|
joeyjoe, thank you for working so hard for the good of the community. An unhackable wallet is a much needed product, it can't arrive any moment too soon. If only allinvain, the infamous wallet.dat victim would be alive to see this day ! Sadly the pressure of loosing half a million dollars to a hacker was too much for the poor soul, he succumbed to deep depression and took his own life by homoerotic asphyxiation. Sad indeed.
However I cannot but wonder why would men with such genius waste time on a small fish like the Bitcoin. Banks are wasting billions of dollars on things like security tokens and authentication methods. A method guaranteeing that only the bank software has access to say, a certificate file used in the authentication, is pure gold. It's easily the invention of the decade in the field of security. Your company might very well be the next Apple. Since I see it's potential, I'm more than anxious to buy stock in an IPO, please keep me posted !
Hush now, stop wasting your talent on these unworthy simpletons, disclosing the glorious invention. Together the three of us will make billions !
|
|
|
|
kokjo
Legendary
Offline
Activity: 1050
Merit: 1000
You are WRONG!
|
|
October 27, 2011, 03:33:35 PM |
|
when you release it, i will hack it in 10 seconds, or at least proof that there are a flaw in your system.
wanna a bet? 100btc, 1000btc?
|
"The whole problem with the world is that fools and fanatics are always so certain of themselves and wiser people so full of doubts." -Bertrand Russell
|
|
|
P4man
|
|
October 27, 2011, 03:39:07 PM |
|
when you release it, i will hack it in 10 seconds, or at least proof that there are a flaw in your system.
wanna a bet? 100btc, 1000btc?
Ill take it! 1000 BTC it takes you more than 10 second to hack or disprove my unhackable arhm.. I dont know, obfuscated file extension enhanced password protected zip file method. Ready when you are, Ill publish and you have 10 seconds. Deal?
|
|
|
|
kokjo
Legendary
Offline
Activity: 1050
Merit: 1000
You are WRONG!
|
|
October 27, 2011, 03:45:51 PM |
|
when you release it, i will hack it in 10 seconds, or at least proof that there are a flaw in your system.
wanna a bet? 100btc, 1000btc?
Ill take it! 1000 BTC it takes you more than 10 second to hack or disprove my unhackable arhm.. I dont know, obfuscated file extension enhanced password protected zip file method. Ready when you are, Ill publish and you have 10 seconds. Deal? typo! minutes?
|
"The whole problem with the world is that fools and fanatics are always so certain of themselves and wiser people so full of doubts." -Bertrand Russell
|
|
|
DeathAndTaxes
Donator
Legendary
Offline
Activity: 1218
Merit: 1079
Gerald Davis
|
|
October 27, 2011, 03:50:31 PM |
|
That way if a Trojan were running on the system it could not copy or read the file. At least it would make it more difficult for the Trojan as it would have to circumvent or shut down the protecting process first, or it would have to directly read out of the memory.
Problem is, the trojan probably already elevated privileges to install itself. If it's got that permission on the system, it would be able to do anything else (like disable the "dont touch my wallet.dat" file protection process. True in most cases, however for things like a TPM a process doesn't have access to data stored inside the TPM unless it has also compromised the operating system. I was just pointing out a second attack vector, even IF you could assure the private keys remain private a wallet could be compromised by transfering the value using the client. A truly secure wallet would: a) be deterministic to avoid the need for backups and protect against loss. b) prevent access to private keys by any process. c) required 2nd factor authentication.
|
|
|
|
kokjo
Legendary
Offline
Activity: 1050
Merit: 1000
You are WRONG!
|
|
October 27, 2011, 04:00:13 PM |
|
True in most cases, however for things like a TPM a process doesn't have access to data stored inside the TPM unless it has also compromised the operating system. I was just pointing out a second attack vector, even IF you could assure the private keys remain private a wallet could be compromised by transfering the value using the client.
a compromise of the OS, would'nt do anything. the TPM only does signing, it contains a private key, that the OS does not have access to.
|
"The whole problem with the world is that fools and fanatics are always so certain of themselves and wiser people so full of doubts." -Bertrand Russell
|
|
|
DeathAndTaxes
Donator
Legendary
Offline
Activity: 1218
Merit: 1079
Gerald Davis
|
|
October 27, 2011, 04:25:21 PM |
|
True in most cases, however for things like a TPM a process doesn't have access to data stored inside the TPM unless it has also compromised the operating system. I was just pointing out a second attack vector, even IF you could assure the private keys remain private a wallet could be compromised by transfering the value using the client.
a compromise of the OS, would'nt do anything. the TPM only does signing, it contains a private key, that the OS does not have access to. True I spoke somewhat unclearly. TPM doesn't have enough memory to store bitcoin wallet. It also doesn't support the hahsing algorithms used by Bitcoin. so TPM could only be used to hold the decryption key for a Bitcoin wallet. A TPM aware OS will support a feature called protected memory. TPM can indicate to the OS to dedicate some memory as protected memory and indicate which processes are allowed to access it. This would allow a key in TPM to be given to a wallet running in protected memory to decrypt wallet, perform transactions, and then clear the protected memory. If everything works correctly the key can only be accessed by the valid wallet application. If the OS is compromised though it may not properly protect this "protected memory" allowing a trojan or other app. The larger point is that even if the private key can be guaranteed to NEVER be lost/stolen/copied one still needs to protect the actual wallet applications otherwise malicious software could simply use the wallet to transfer funds out.
|
|
|
|
the founder
|
|
October 27, 2011, 04:29:27 PM |
|
There is a way to make bitcoins safe, we offer the cold storage option that the bitcoins are sent to a computer physically turned off... but it's a manual process and we had to spend considerable funds securing a deposit box in the bank to store the USB keys, rent an office with a security system just for the cold storage system, get new servers only to be used for the backup process...
It's possible, just such a hassle...
|
Bitcoin RSS App / Bitcoin Android App / Bitcoin Webapp http://www.ounce.me Say thank you here: 1HByHZQ44LUCxxpnqtXDuJVmrSdrGK6Q2f
|
|
|
|