MysteryMiner
Legendary
Offline
Activity: 1512
Merit: 1049
Death to enemies!
|
|
October 27, 2011, 04:32:54 PM |
|
If the computer is compromised, the malware can do anything, and this means anything! If it is specifically targeting one software (your Bitcoin "protection"), it will circumvent it and it's done!
Backing up file to network? Sounds bad idea. Even if the wallet is encrypted, the encryption keys should remain known only to owner of wallet.dat So the keys should be backed up by owner, prefereably on removalbe medium. So why not back up the whole wallet.dat on encrypted flash drive instead, and keep your system always clean and secure? With secure system the wallet can be in plaintext.
|
bc1q59y5jp2rrwgxuekc8kjk6s8k2es73uawprre4j
|
|
|
Fiyasko
Legendary
Offline
Activity: 1428
Merit: 1001
Okey Dokey Lokey
|
|
October 27, 2011, 04:44:04 PM |
|
Okay i read, the first 5posts, Then Laughed too hard to keep reading.
"My software will make it impossible for the wallet to be accessed by anything other than the real bitcoin software."
Okay, So that means that if i try to right click on wallet.dat my comp should BSoD? Right? LOL
Come the fuck on, Nobody listen to this drabble, Just toss your wallet into a TrueCrypt Partition and Voila, No matter how compromised your computers is(please challenge me on this lol), Whatevers in that TrueCrypt folder isnt going Anywhere.
I would love to see a virus/Remote user (or literally BADASS hacker) try to get inside a remote truecrypt volume.
The fucking FBI takes One Month to open a 6letter truecrypt drive(if you dont use the Noob encryptions), And thats when the comp is At Their Place, and they can do ANYTHING to it. This is just so fucking funny.
"My software will make it impossible for the wallet to be accessed by anything other than the real bitcoin software." That is impossible. lollololololololllllll.
|
|
|
|
DeathAndTaxes
Donator
Legendary
Offline
Activity: 1218
Merit: 1079
Gerald Davis
|
|
October 27, 2011, 04:45:16 PM |
|
There is a way to make bitcoins safe, we offer the cold storage option that the bitcoins are sent to a computer physically turned off... but it's a manual process and we had to spend considerable funds securing a deposit box in the bank to store the USB keys, rent an office with a security system just for the cold storage system, get new servers only to be used for the backup process...
It's possible, just such a hassle... Good points. Paper wallet works equally well also. Keeping "frozen" bitcoins (or deposit only accounts) secure is relatively easy. Keeping funds ready to outgoing transactions secure is more complex. Still anyone claiming something is "impossible to steal" knows nothing of security. Hell the authors of AES or SHA don't even make claims like "impossible to crack" they use more realistic terms like "no know cryptographic flaws", "no pre-image vulnerabilities beyond 40 rounds".
|
|
|
|
Fiyasko
Legendary
Offline
Activity: 1428
Merit: 1001
Okey Dokey Lokey
|
|
October 27, 2011, 04:47:53 PM |
|
If the computer is compromised, the malware can do anything, and this means anything! If it is specifically targeting one software (your Bitcoin "protection"), it will circumvent it and it's done!
Backing up file to network? Sounds bad idea. Even if the wallet is encrypted, the encryption keys should remain known only to owner of wallet.dat So the keys should be backed up by owner, prefereably on removalbe medium. So why not back up the whole wallet.dat on encrypted flash drive instead, and keep your system always clean and secure? With secure system the wallet can be in plaintext.
Keys should only be held in Cold Storage or Mental Memory,Almost Anything else will eventually be compromised. Personally, i've never seen malware Find a TrueCrypt volume, But a Remote attacker would sure as hell know what to look for. Want an IMPOSSIBLE to steal wallet? Stick it on a fucking CD, And stick the CD in a safe, Then mail the safe to a bank, then have the bank lockup, and go 100fathoms below into the ocean. But that wont even work. Nothing is impossible to steal. My best bet? Truecrypt it onto a USB stick and stick the USB stick into a safe. Done.
|
|
|
|
DeathAndTaxes
Donator
Legendary
Offline
Activity: 1218
Merit: 1079
Gerald Davis
|
|
October 27, 2011, 05:00:49 PM |
|
My best bet? Truecrypt it onto a USB stick and stick the USB stick into a safe. Done.
Unless your computer is infected w/ a trojan. When you insert the USB and unlock the truecrypt partion it has access to wallet.dat and your passphrase. As indicated upthread securing "frozen" bitcoins is trivially easy. No need even for truecrypt just print out the private keys or print out QR codes and put them in a safe. Securing online, transaction ready wallet is more difficult. Truecrypt doesn't add anything beyond an encrypted wallet.dat.
|
|
|
|
ovidiusoft
|
|
October 27, 2011, 05:16:53 PM |
|
Everything can be stolen. EVERYTHING. You can make it harder, but not impossible. Keyloggers (hardware or software), code injection, cold boot attacks, and so on, will beat any encryption. Here, get this tool: http://www.mcgrewsecurity.com/tools/msramdmp/ and have fun recovering your encrypted wallet private keys from memory.
|
|
|
|
the founder
|
|
October 27, 2011, 05:17:22 PM |
|
I put all my bitcoin information in plain text on my microsoft front page websites, no one bothers to view source
|
Bitcoin RSS App / Bitcoin Android App / Bitcoin Webapp http://www.ounce.me Say thank you here: 1HByHZQ44LUCxxpnqtXDuJVmrSdrGK6Q2f
|
|
|
Vladimir
|
|
October 27, 2011, 05:24:32 PM |
|
Coming Soon! impossible to steal wallets
Is this based on some kind of unknown to masses magic or is it because once the coins are stolen they cannot be stolen again (not from the same person anyway)?
|
-
|
|
|
memvola
|
|
October 27, 2011, 05:24:34 PM |
|
people that make anti-viruses or firewalls do not make them open source as that would defeat the point. With the source, people would work out ways around it.
Well, it's hardly a measure for anti-viruses. And firewalls? What part of them are obscure? It wont be open source, if you dont trust it, dont install it. Dont install anything ever again, why have you got an OS installed if its not open source?? have you installed anything in the past year that isnt open source?? i wouldnt trust it then if i were you.
If I run something that isn't open source, I run it as a user with few privileges. I do the same with software that isn't popular, even if it is open source, so being oss is not an automatic protection. Have you put funds on mtgox or tradehill recently? how can you trust it without full password access to their servers and bank accounts?
You can't trust them fully, can you... You'd also need the source code for their brains. That's a whole different mechanism. I bet 99% of you didnt check the source code for the bitcoin software anyway, let alone check the signature. I could easily post source code to a trojan and remove all the trojan bits, and no one would notice for some time.
That's not the point at all. Obviously enough people check Bitcoin sources and all commits are distinctly visible. You can't sneak in malicious code easily. If you are talking about compromised servers or MITM, that's also a different issue altogether. I know people will still use it. Probally be a bit wary of it at first, but once it gains enough reputation more people will trust and use it.
That's true. But without knowing the internals, we have to assume that it "could be" security by obscurity, so the system could be depending on reverse engineering skills of some people. After reading how you missed the point with firewalls, etc., I'd certainly worry about that.
|
|
|
|
randomguy7
|
|
October 27, 2011, 05:26:51 PM |
|
The only really secure way to use a wallet is to use some trusted computing platform, like a smartcard. This could be done when bitcoin supports this new transaction type which requires two or more signatures. One of the required keys could be stored on the trusted platform (and NEVER LEAVE IT) and add the additional signature to the transaction. Correct destination address and amount of coins must be verified and confirmed on the trusted platform (like with this smart cards who have a display and buttons). The finished transaction is transfered back to the computer and then send to the network.
THIS is secure. Anything else is just making it more anoying to malware to steal the wallet.
lol @ protecting the wallet with truecrypt. Of course it's a good idea to encrypt your wallet, especially when putting it on some external storage, but it won't help against the most likely attack scenario, and that's a trojan on the computer.
|
|
|
|
casascius
Mike Caldwell
VIP
Legendary
Offline
Activity: 1386
Merit: 1140
The Casascius 1oz 10BTC Silver Round (w/ Gold B)
|
|
October 27, 2011, 06:07:02 PM |
|
My Bitcoins are already protected against theft and I don't have to trust a 3rd party for their security.
I've created about 100 Bitcoin addresses off-line. I've divided my Bitcoins into manageable denominations and distributed the Bitcoins to those off-line addresses.
The private keys have been GPG encrypted and encoded to QRCodes. Those QRCodes have been printed to paper and distributed to several locations online and in the real world.
As I need to spend Bitcoin, I only need to import an address at a time until I have my needed funds. The rest remain off-line - safe.
It was a very tedious and scary process, but I did a lot of testing to ensure my procedure. I would not wish this on any n00b. Any solution to protect someone's Bitcoins needs to be a self reliant process, with redundant outputs, and no requirement for 3rd party trust. I am confident that some developer will soon make this process an easy, "click here" solution for the average user to benefit from.
That has already happened. Go to www.bitaddress.org, save his single .htm file, put a copy on an offline machine that's connected to nothing but a printer, and voila, you have a secure paper wallet factory complete with QR codes.
|
Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable. I never believe them. If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins. I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion. Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice. Don't keep coins online. Use paper or hardware wallets instead.
|
|
|
TiagoTiago
|
|
October 27, 2011, 07:06:02 PM |
|
If it is not open source - forget it.... just don't spend your time on it you will not get a dime out of it...
people that make anti-viruses or firewalls do not make them open source as that would defeat the point. With the source, people would work out ways around it. It wont be open source, if you dont trust it, dont install it. Dont install anything ever again, why have you got an OS installed if its not open source?? have you installed anything in the past year that isnt open source?? i wouldnt trust it then if i were you. ... I'm already suspicious of programs that make absurd claims about protecting my whatever, it's even worse when it's a paid closed source system from a random individual. I haven't installed, much less trusted, anything like that, your thing won't be the first.
|
(I dont always get new reply notifications, pls send a pm when you think it has happened) Wanna gimme some BTC/BCH for any or no reason? 1FmvtS66LFh6ycrXDwKRQTexGJw4UWiqDX The more you believe in Bitcoin, and the more you show you do to other people, the faster the real value will soar!
|
|
|
MysteryMiner
Legendary
Offline
Activity: 1512
Merit: 1049
Death to enemies!
|
|
October 27, 2011, 11:01:32 PM |
|
As far as keepeing wallet.dat on TrueCrypt encrypted volumes goes, it helps only against thug who might steal your computer. For Bitcoin to operate you need wallet.dat to be acessible, so the truecrypt volume must be mounted. And when mounted, truecrypt volume is acessible to any software, including malware. Even more, malware can capture your truecrypt password and steal the truecrypt container to be mounted later.
And no source available = security trough obscurity = no real security at all. Don't waste your time, there are enough false security software out there, such as Kaspersky, Norton and NOD32, better learn more about real life security.
|
bc1q59y5jp2rrwgxuekc8kjk6s8k2es73uawprre4j
|
|
|
makomk
|
|
October 27, 2011, 11:26:30 PM |
|
I already have such a utility on my linux box, and I use if regularly:
shred -u ~/.bitcoin/wallet.dat
Nobody's stealing that fucker!
There was actually someone on here that claimed to have recovered a wallet he accidentally deleted using shred - it's not guaranteed to actually protect you.
|
Quad XC6SLX150 Board: 860 MHash/s or so. SIGS ABOUT BUTTERFLY LABS ARE PAID ADS
|
|
|
memvola
|
|
October 27, 2011, 11:51:59 PM |
|
There was actually someone on here that claimed to have recovered a wallet he accidentally deleted using shred - it's not guaranteed to actually protect you.
There was a discussion about this a while ago. I'd suggest wiping all free space after deletion.
|
|
|
|
phillipsjk
Legendary
Offline
Activity: 1008
Merit: 1001
Let the chips fall where they may.
|
|
October 28, 2011, 07:13:14 AM |
|
dd if=/dev/urandom of=/dev/drivePartitionContainingWallet bs=65536
After the above command completes, you should have an impossible to steal wallet*, provided no backups are lying around. PS: Tieing the wallet to a specific computer is insecure. There is more to wallet security than keeping attackers out. You must also guard against data loss. *More accurately, you should not have a wallet left to steal.
|
James' OpenPGP public key fingerprint: EB14 9E5B F80C 1F2D 3EBE 0A2F B3DE 81FF 7B9D 5160
|
|
|
tvbcof
Legendary
Offline
Activity: 4704
Merit: 1276
|
|
October 28, 2011, 07:26:03 AM |
|
I already have such a utility on my linux box, and I use if regularly:
shred -u ~/.bitcoin/wallet.dat
Nobody's stealing that fucker!
There was actually someone on here that claimed to have recovered a wallet he accidentally deleted using shred - it's not guaranteed to actually protect you. Looks like for all intents and purposes you are right and I was wrong. At least given my white lie about being on a Linux box. I actually do perform a similar operation not irregularly. The reason why is that I prefer to have a large number wallet.dat files with a relatively small number of coins (associated with the addresses) in them. This, in part, as a theft mitigation strategy.
|
sig spam anywhere and self-moderated threads on the pol&soc board are for losers.
|
|
|
nanonano
Member
Offline
Activity: 70
Merit: 10
|
|
October 28, 2011, 10:05:26 AM |
|
There was actually someone on here that claimed to have recovered a wallet he accidentally deleted using shred I think the operative word here (as with these "impossible to steal wallets") is claimed. Scanning the device would also show any copies that the user had forgotten were there... That said, just like you implied elsewhere the infrastructures we operate in are so complex today that there are loopholes. Shredding a file without shredding the empty space on the partition does leave a shadow of a doubt: e.g. what if the user (or an application, or a fs defragmentation tool) made a temporary copy earlier and that happened to actually be real bits in another address and not just a COW-copy? Speaking of shredding... For joeyjoe and anyone who even thinks of putting their money into this "impossible to steal" wallet: This is quite clearly either a scam or wishful thinking. "Impossible to steal" is just as viable as as perpetual motion machine. As someone already said, an invention like this would make that creator fabulously rich and world famous in a very short time. Occam's razor says that joeyjoes "programming professor" friend has not invented that, and as soon as the details of this "invention" are available, the theory will be shred to pieces. TL;DR: Security can always be improved but it's often not easy. 1. If someone says it is easy to do it, he should be treated with caution. 2. If that person fails to explain how it's done (even though it was supposedly easy), he probably sells snake oil. 3. When the same person advertises backing up your money on their "secured dedicated server", alarm bells should be ringing loud and clear.
|
|
|
|
Gabi
Legendary
Offline
Activity: 1148
Merit: 1008
If you want to walk on water, get out of the boat
|
|
October 28, 2011, 12:02:57 PM |
|
It wont be open source Scam detected
|
|
|
|
wareen
Millionaire
Legendary
Offline
Activity: 910
Merit: 1001
Revolutionizing Brokerage of Personal Data
|
|
October 28, 2011, 12:17:07 PM Last edit: October 28, 2011, 12:32:05 PM by wareen |
|
Proposing a closed source solution like this is equivalent to saying: "give me all your money and I'll make sure nobody else will have access to it". Not exactly a very appealing offer to somebody who has - for the first time - got the possibility to _not_ have to trust a third party with their money.
|
|
|
|
|