Bitcoin Forum
March 28, 2024, 09:42:03 AM *
News: Latest Bitcoin Core release: 26.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: « 1 2 [3] 4 5 »  All
  Print  
Author Topic: Hardware wallets still aren't secure, and they never will be. Use paper wallets  (Read 1786 times)
pereira4
Legendary
*
Offline Offline

Activity: 1610
Merit: 1183


View Profile
July 31, 2019, 12:07:22 AM
Merited by Welsh (2), vapourminer (1), o_e_l_e_o (1)
 #41



Airgapped computers can be compromised and there are methods to getting into the coins. There was a interesting article a number of years ago where someone used radio waves on a raspberry pi to get into the wallet. However for that to happen the device has to be physically compromised but again if someone looks onto your computer and sees you have a wallet they will be very interested in that device. I understand that I'm talking about very technical stuff and the majority of people don't possess these skills but I like being paranoid when it comes to security.

Hardware wallets wipe themself after 3 attempts? That isn't a security feature at all. What if an attacker fails 3 times is your Bitcoin then wiped?

It is literally impossible to crack Truecrypt's (or currently, Veracrypt's) encryption, which you could use you for your airgap setup. If you were to be faced by a $5 wrench situation, you can even have a hidden OS and deliver an alternative password. You can use cascaded configurations for the encryption algo such as SHA256(Twofish(Serpent)) which means attacker would need to crack not only a SHA256 but the two other as well. In other words a waste of time. You could also use dm-crypt or LUKS if you know what you are doing.

The only realistic attack is an evil maid type, which you can mitigate by due diligence and generally not being an idiot.

The good old airgapped laptop remains the #1 proponent, coupled with the QR reader to broadcast your tx's. The only thing you need is to not be an idiot like me (I forgot the password to all of my encrypted HDDs) then you should be good. Certainly better than having an obvious device to be filled with coins.
1711618923
Hero Member
*
Offline Offline

Posts: 1711618923

View Profile Personal Message (Offline)

Ignore
1711618923
Reply with quote  #2

1711618923
Report to moderator
1711618923
Hero Member
*
Offline Offline

Posts: 1711618923

View Profile Personal Message (Offline)

Ignore
1711618923
Reply with quote  #2

1711618923
Report to moderator
1711618923
Hero Member
*
Offline Offline

Posts: 1711618923

View Profile Personal Message (Offline)

Ignore
1711618923
Reply with quote  #2

1711618923
Report to moderator
If you see garbage posts (off-topic, trolling, spam, no point, etc.), use the "report to moderator" links. All reports are investigated, though you will rarely be contacted about your reports.
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction.
o_e_l_e_o
In memoriam
Legendary
*
Offline Offline

Activity: 2268
Merit: 18497


View Profile
July 31, 2019, 05:19:29 AM
 #42

However I don't like mnemonic seeds just because its easy to identify what these words are for on a piece of paper.
There are also many places you can hide a mnemonic phrase that are just as us likely to be found as someone "cracking" a story or similar. You could take a door off its hinges and write it along the bottom before replacing it. You could hide a piece of paper inside an electrical socket or a light fighting. You could flip over your sofa, cut a small hall in the fabric on the underside, and hide the paper in there. There are endless places a burglar would never look.

IF the burglar had the technical capabilities of using the methods you have mentioned then that would be your coins gone.
You could pair a hardware wallet with an airgapped computer, and then airgapped computer doesn't know your seed/keys, and so couldn't leak them.

I guess what I'm trying to say is there are already known risks to air gapped computers but with my basic idea of creating a story that doesn't have any major risks other than the person catching on that this is an encrypted piece of text which could be made difficult depending on how much effort you put into it.
Sure, I appreciate that, but I would argue that the chance of someone figuring out what your story means is higher than the chance of a focused, targeted, and highly technical malware attack on an airgapped machine.
PrimeNumber7
Copper Member
Legendary
*
Offline Offline

Activity: 1610
Merit: 1899

Amazon Prime Member #7


View Profile
August 03, 2019, 07:10:26 PM
 #43


You can use a QR code reader (which im shocked so few people use) in order to completely bypass any printer exploits. You can use Coreboot or Libreboot in order to not use a propietary BIOS. You can have more control over RNG than in a hardware wallet. You can have FDE with a couple of passwords for plausible deniability and so on.


A QR reader would not keep you safe from printer attacks because you still need to print the QR code/image. I don’t think it is reasonable to expect to be able to not print a QR code, while you could hand write a private key/seed.

The advantage of using a QR code is it reduces the time your key is exposed to any potential cameras. Scanning a QR code will only take a few seconds, while the next best thing, a written seed will take probably close to a minute to enter and a private key will arguably take several minutes to type from a paper.

Whenever you are copying information on a paper wallet onto a computer to spend, you must expose it in a way that potentially someone will capture the information via a camera you are unaware of. The longer it takes to copy the information on your paper wallet, the longer it will be exposed.
o_e_l_e_o
In memoriam
Legendary
*
Offline Offline

Activity: 2268
Merit: 18497


View Profile
August 03, 2019, 07:35:01 PM
 #44

A QR reader would not keep you safe from printer attacks because you still need to print the QR code/image.
Not at all. You can generate a QR code on your internet connected watch only wallet, display it on screen, scan it in to your airgapped device, sign the transaction, generate the QR code, display it on the screen of your airgapped device, and scan it in to your live device. No printers required.

Whenever you are copying information on a paper wallet onto a computer to spend, you must expose it in a way that potentially someone will capture the information via a camera you are unaware of. The longer it takes to copy the information on your paper wallet, the longer it will be exposed.
True, but you should never be copying information from a paper wallet in a public place. It should be done behind closed doors in your own house, where you should be able to be certain there are no cameras you are unaware of. The only risk then is a from a camera you are aware of, but you are unaware it has been compromised, probably a laptop webcam or your phone camera. The length of time you expose the information to the camera is irrelevant.
PrimeNumber7
Copper Member
Legendary
*
Offline Offline

Activity: 1610
Merit: 1899

Amazon Prime Member #7


View Profile
August 04, 2019, 09:03:01 PM
 #45

A QR reader would not keep you safe from printer attacks because you still need to print the QR code/image.
Not at all. You can generate a QR code on your internet connected watch only wallet, display it on screen, scan it in to your airgapped device, sign the transaction, generate the QR code, display it on the screen of your airgapped device, and scan it in to your live device. No printers required.
Fair enough. Although I believe the possible attacks on what you describe would include the same attacks possible on a HW wallet such as trezor or ledger, and include additional attacks above that.
Whenever you are copying information on a paper wallet onto a computer to spend, you must expose it in a way that potentially someone will capture the information via a camera you are unaware of. The longer it takes to copy the information on your paper wallet, the longer it will be exposed.
True, but you should never be copying information from a paper wallet in a public place. It should be done behind closed doors in your own house, where you should be able to be certain there are no cameras you are unaware of. The only risk then is a from a camera you are aware of, but you are unaware it has been compromised, probably a laptop webcam or your phone camera. The length of time you expose the information to the camera is irrelevant.
Yes, ideally you will have a house that allows you to be certain there are no cameras watching, but this is not always possible. You might live in an apartment that doesn't have any rooms without windows, or you might have roommates that live with you. If you have your blinds closed, the wind or a fan may cause your blinds to sway enough for someone with a camera to see your paper wallet. Or someone may not fully understand how to best secure their coins, and use a paper wallet in a library or coffee shop.
DaveF
Legendary
*
Offline Offline

Activity: 3430
Merit: 6129


Crypto Swap Exchange


View Profile WWW
August 04, 2019, 10:45:48 PM
 #46

I did not see it in the thread but, "X" of "N" paper keys are very useful
And then you can use misdirection.
You can make a 4 of 6 wallet
Label each piece 1 of 2 or 2 of 2
Someone gets 2 of them they then generate a private key for an address that has....nothing in it. Only you know that you really need 4 out of 6 pieces of paper that all say 1 of 2 or 2 of 2.

Or get a cold card  https://coldcardwallet.com/

-Dave

█▀▀▀











█▄▄▄
▀▀▀▀▀▀▀▀▀▀▀
e
▄▄▄▄▄▄▄▄▄▄▄
█████████████
████████████▄███
██▐███████▄█████▀
█████████▄████▀
███▐████▄███▀
████▐██████▀
█████▀█████
███████████▄
████████████▄
██▄█████▀█████▄
▄█████████▀█████▀
███████████▀██▀
████▀█████████
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
c.h.
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▀▀▀█











▄▄▄█
▄██████▄▄▄
█████████████▄▄
███████████████
███████████████
███████████████
███████████████
███░░█████████
███▌▐█████████
█████████████
███████████▀
██████████▀
████████▀
▀██▀▀
NeuroticFish
Legendary
*
Offline Offline

Activity: 3626
Merit: 6321


Looking for campaign manager? Contact icopress!


View Profile
August 05, 2019, 09:02:02 AM
 #47

I did not see it in the thread but, "X" of "N" paper keys are very useful
And then you can use misdirection.
You can make a 4 of 6 wallet
Label each piece 1 of 2 or 2 of 2
Someone gets 2 of them they then generate a private key for an address that has....nothing in it. Only you know that you really need 4 out of 6 pieces of paper that all say 1 of 2 or 2 of 2.

Combination of multi-sig & obfuscation is good idea, but it sounds overkill IMO unless you're targeted or people who know you IRL know you have lots of bitcoin.

And if somebody knows IRL that you have big amounts of Bitcoin and could come after you, the combination of multi-sig & obfuscation will not help, since there's a good chance he's do the 5$ wrench attack.


Edit: I think that the easiest combo is BIP39 seed hidden in plain sight and keeping your mouth shut.

..JAMBLER.io..Create Your Bitcoin Mixing
Business Now for   F R E E 
▄█████████████████████████████
█████████████████████████
████▀████████████████████
███▀█████▄█▀███▀▀▀██████
██▀█████▄█▄██████████████
██▄▄████▀▄▄▄▀▀▀▀▀▄▄██████
█████▄▄▄██████████▀▄████
█████▀▄█▄██████▀█▄█████
███████▀▄█▀█▄██▀█▄███████
█████████▄█▀▄█▀▄█████████
█████████████████████████
█████████████████████████
▀█████████████████████████████
█████████████████████████████████████████████████
.
      OUR      
PARTNERS

.
█████████████████████████████████████████████████
████▄
██
██
██
██
██
██
██
██
██
██
██
████▀
▄█████████████████████████████
████████▀▀█████▀▀████████
█████▀█████████████▀█████
████████████████████████
███████████████▄█████████
█████████████████████████
█████████████████████████
█████████████████████████
███████████████▀█████████
████████████████████████
█████▄█████████████▄█████
████████▄▄█████▄▄████████
▀█████████████████████████████
█████████████████████████████████████████████████
.
   INVEST   
BITCOIN

.
█████████████████████████████████████████████████
████▄
██
██
██
██
██
██
██
██
██
██
██
████▀
DaveF
Legendary
*
Offline Offline

Activity: 3430
Merit: 6129


Crypto Swap Exchange


View Profile WWW
August 05, 2019, 02:35:07 PM
 #48


And if somebody knows IRL that you have big amounts of Bitcoin and could come after you, the combination of multi-sig & obfuscation will not help, since there's a good chance he's do the 5$ wrench attack.

Edit: I think that the easiest combo is BIP39 seed hidden in plain sight and keeping your mouth shut.

There is nothing you can do about the wrench attack. ( Unless you are Chuck Norris http://www.icndb.com/the-jokes-2/ )
However, the more difficult you make it for other forms of theft the better.

Remember, we are talking about edge cases here. You can beat somone with a wrench all you want, if their keys are in a vault in a bank, walking in covered in blood asking to get into the vault might raise a few alarms.

-Dave

█▀▀▀











█▄▄▄
▀▀▀▀▀▀▀▀▀▀▀
e
▄▄▄▄▄▄▄▄▄▄▄
█████████████
████████████▄███
██▐███████▄█████▀
█████████▄████▀
███▐████▄███▀
████▐██████▀
█████▀█████
███████████▄
████████████▄
██▄█████▀█████▄
▄█████████▀█████▀
███████████▀██▀
████▀█████████
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
c.h.
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▀▀▀█











▄▄▄█
▄██████▄▄▄
█████████████▄▄
███████████████
███████████████
███████████████
███████████████
███░░█████████
███▌▐█████████
█████████████
███████████▀
██████████▀
████████▀
▀██▀▀
hd49728
Legendary
*
Offline Offline

Activity: 2044
Merit: 1017


View Profile WWW
August 06, 2019, 01:11:11 AM
 #49

Let's come back to ultimate steps to secure our wallets. Which ones do we have to secure? Private keys, that's all we need to secure. So, it is definitely true that if someone can keep their private keys in secret, and safely, and away from potential damaging threats, like water, fire, etc. There is no need to use hardware wallets to secure your funds. Backing up private keys on paper (writing them down, or printing them with high quality ink); for bunches of paper (to get more safety from potential damages); then put them in your vault. I do think that it is safe enough, and don't need hardware wallets.
PrimeNumber7
Copper Member
Legendary
*
Offline Offline

Activity: 1610
Merit: 1899

Amazon Prime Member #7


View Profile
August 06, 2019, 03:35:54 AM
Merited by redsn0w (2), vapourminer (1)
 #50


There is nothing you can do about the wrench attack.
What you can do is avoid the "wrench attack" by avoiding being the target of a wrench attack. You can do this by obscuring how much coin you have via things like coin control,  not reusing addresses, and minimizing the number of transactions that can be publicly attributed to you.

HCP
Legendary
*
Offline Offline

Activity: 2086
Merit: 4315

<insert witty quote here>


View Profile
August 06, 2019, 04:04:24 AM
Merited by o_e_l_e_o (1)
 #51

What you can do is avoid the "wrench attack" by avoiding being the target of a wrench attack. You can do this by obscuring how much coin you have via things like coin control,  not reusing addresses, and minimizing the number of transactions that can be publicly attributed to you.
And not actively participating on online, public forums related to cryptocurrency... oh... wait. Tongue

Seriously tho, a lot of these arguments always descend into what I like to call the "What if? Game"™... where the participants start inventing more and more unlikely scenarios to attempt to justify their position and/or denigrate the oppositions position.

The truth is that there really is no "one size fits all" approach to cryptocurrency, how it should be "stored" or how it should be "used"... for some people, web wallets are perfect... for others they need cryptosteel, locked in a fire proof safe, in a drybag, buried in the woods... and then everything else inbetween.

As long as your solution fits your requirements and satisfies your personal level of risk... then you are "Being your own bank" Wink

..JAMBLER.io..Create Your Bitcoin Mixing
Business Now for   F R E E 
▄█████████████████████████████
█████████████████████████
████▀████████████████████
███▀█████▄█▀███▀▀▀██████
██▀█████▄█▄██████████████
██▄▄████▀▄▄▄▀▀▀▀▀▄▄██████
█████▄▄▄██████████▀▄████
█████▀▄█▄██████▀█▄█████
███████▀▄█▀█▄██▀█▄███████
█████████▄█▀▄█▀▄█████████
█████████████████████████
█████████████████████████
▀█████████████████████████████
█████████████████████████████████████████████████
.
      OUR      
PARTNERS

.
█████████████████████████████████████████████████
████▄
██
██
██
██
██
██
██
██
██
██
██
████▀
▄█████████████████████████████
████████▀▀█████▀▀████████
█████▀█████████████▀█████
████████████████████████
███████████████▄█████████
█████████████████████████
█████████████████████████
█████████████████████████
███████████████▀█████████
████████████████████████
█████▄█████████████▄█████
████████▄▄█████▄▄████████
▀█████████████████████████████
█████████████████████████████████████████████████
.
   INVEST   
BITCOIN

.
█████████████████████████████████████████████████
████▄
██
██
██
██
██
██
██
██
██
██
██
████▀
Kakmakr
Legendary
*
Offline Offline

Activity: 3402
Merit: 1944

This space is availlable for advertising


View Profile
August 08, 2019, 06:59:53 AM
Merited by redsn0w (2)
 #52

My strategy with Paper wallets has been very effective over the last couple of years. I bought a small second hand computer and printer and I printed 1000's of paper wallets and then I destroyed it. I picked a few "good" looking ones with familiar numbers and the rest are stored all over the place. Some are loaded with very small amounts of Satoshi to serve as a "honey trap" - I check these once in a while to see if they were accessed, as a early warning system to see if someone is looking for Bitcoin at my house.  Roll Eyes <The computer and printer was chopped into small pieces>

The Paper wallets with more coins are laminated and also duplicated and stored at different geographical locations. Some of the private keys are stored in plain sight, but nobody would know, because I used a method that would only be recognized by myself. <I also shared this method with a family member, if something happens with me>

I must admit that I use hardware wallets too, because it is more convenient when you want to use coins more frequently. The seed is never stored on site and I protect it with a passphrase.

So the strategy is to use more than one method, because each method have Pro's and Con's and also to split the coins.  Wink

 

Signature space availlable -Just DM me if you need some advertising.
fillippone
Legendary
*
Offline Offline

Activity: 2114
Merit: 15180


Fully fledged Merit Cycler - Golden Feather 22-23


View Profile WWW
August 08, 2019, 07:33:27 AM
Merited by redsn0w (2), Zedpastin (2)
 #53

Speaking about Vulnerabilities found in hardware wallets:

Trezor found this one:
Details of the OLED Vulnerability and its Mitigation

Quote
This article describes an information leak discovered in the OLED display used by hardware wallets, including Trezor One. We want to explain how this side-channel attack works and what measurements we took to mitigate the threat. This attack affects only the Trezor One; Trezor Model T is immune to this attack thanks to its entirely different display.

Quote
The attack requires device owners to use USB equipment that has been physically manipulated by an attacker. In other situations, users are not impacted.
There is no evidence that any malicious actors ever exploited this vulnerability.
The latest firmware v1.8.2, now available for Trezor One, mitigates the issue.

What we learnt from this story?
  • Hardware wallets aren't magical items granting eternal security
  • (Gullible)Users are the weakest links in the security mechanism
  • You can patch (some) hardware defect or weak spots with software
  • White hats are here to help

..JAMBLER.io..Create Your Bitcoin Mixing
Business Now for   F R E E 
▄█████████████████████████████
█████████████████████████
████▀████████████████████
███▀█████▄█▀███▀▀▀██████
██▀█████▄█▄██████████████
██▄▄████▀▄▄▄▀▀▀▀▀▄▄██████
█████▄▄▄██████████▀▄████
█████▀▄█▄██████▀█▄█████
███████▀▄█▀█▄██▀█▄███████
█████████▄█▀▄█▀▄█████████
█████████████████████████
█████████████████████████
▀█████████████████████████████
█████████████████████████████████████████████████
.
      OUR      
PARTNERS

.
█████████████████████████████████████████████████
████▄
██
██
██
██
██
██
██
██
██
██
██
████▀
▄█████████████████████████████
████████▀▀█████▀▀████████
█████▀█████████████▀█████
████████████████████████
███████████████▄█████████
█████████████████████████
█████████████████████████
█████████████████████████
███████████████▀█████████
████████████████████████
█████▄█████████████▄█████
████████▄▄█████▄▄████████
▀█████████████████████████████
█████████████████████████████████████████████████
.
   INVEST   
BITCOIN

.
█████████████████████████████████████████████████
████▄
██
██
██
██
██
██
██
██
██
██
██
████▀
Chris! (OP)
Legendary
*
Offline Offline

Activity: 1382
Merit: 1122



View Profile
August 08, 2019, 02:51:24 PM
Merited by ABCbits (1), fillippone (1)
 #54

Everyone should definitely have a listen through Michael Flaxman's podcast at https://stephanlivera.com/episode/97/
ABCbits
Legendary
*
Offline Offline

Activity: 2828
Merit: 7327



View Profile
August 08, 2019, 04:00:09 PM
Merited by Zedpastin (2), vapourminer (1), JayJuanGee (1), fillippone (1)
 #55

Everyone should definitely have a listen through Michael Flaxman's podcast at https://stephanlivera.com/episode/97/

Thanks for sharing the podcast & i agree everyone should listen to the podcast/read the transcript, but which parts do you want to emphasize?

1. The fact hardware wallet is recommended for non-expert?

Michael Flaxman: Yeah, yeah. Before we get into this whole episode bashing hardware wallets, which I enthusiastically stand behind, for most people, they are the best choice. If you’re owning Bitcoin, I strongly advocate holding your own keys, and unless you’re an expert, you should use a hardware wallet. If you are an expert, you should build your own hardware wallet with open-source software that’s free and equipment that you source yourself, but that’s way outside the scope of this. For most people, hardware wallets still are the best choice as far as usability and security, and they’re reasonably priced.

2. The importance of good RNG for both HW wallet & software to make paper wallet?

Michael Flaxman: In terms of the things that you have to get right, because that was really your question, is this code doing what I think it’s doing, and am I running the code that I think I’m running? Both of those are incredibly hard things to verify. There are just so many famous examples of hacks and bugs, that it’s hard to point to all of them. There’s lots of other talks that’ll give examples of those, the idea is just that you should be cautious and paranoid, because it is really hard. One of my favorite examples is, there was a bug in 2013 in Android’s implementation of SecureRandom in Java. SecureRandom, as the name suggests, is a function that securely gets you some random bits of data. In a Bitcoin signature, you need a random component.

Michael Flaxman: It’s part of the proof in the ECDSA signature. If that bit is random, then it doesn’t matter. It’s not something that you ever would look at again. You can think of it as like nonce, a number used only once. It just is used to prove your ownership of that private key, but if that secure random data is actually not random, then somebody could intuit your private key instantly. This is not a difficult attack to do by any measure. There’s plenty of open source code that will do it from your signature. As soon as they see a signature broadcast, they know your private key, and that is terrifying. A lot of people lost money in wallets that were Android wallets in 2013. That’s the type of thing that nobody could possibly have been aware of.

Michael Flaxman: Yeah. That’s terrifying, because there’s a lot of copy-paste of code. Crypto is just really, really hard. If you have a library that does something in your language, you’re likely to borrow from it heavily. Unfortunately, almost all the hardware wallets are written in Python and MicroPython. That is not ideal, but I think that’s a more minor thing. Again, we’re talking like, you can chase the perfect secure system that was written in three different languages.

3. The risks of supply chain of HW wallet?

Michael Flaxman: The supply chain risk is absolutely terrifying, because it’s completely outside your control. You could do things to minimize it. You say, “Well, I’m only going to buy my hardware wallet direct from the company at an event where they’re there.” If I get my device from a person who works at the company, then that’s probably better odds than, absolutely, do not buy it secondhand on eBay. That’s one way to minimize the supply chain risk, but you can’t know about upstream supply chain risk.

4. Difficulty of full transaction verification on HW wallet?

Michael Flaxman: The point being that, hardware wallets, you want them to verify everything they can, and the screen helps you with some of that, but a lot of it’s buried in implementation details. It doesn’t matter how big your screen is, if you don’t verify what change address is yours versus an attacker’s, then you really don’t know what’s going on. If you don’t verify the inputs and the outputs, then you don’t know the fee. This is where there’s just so much devil in the details that, honestly, no one wallet does perfectly. Two wallets is your answer, because then you got to trick both of them. Even if one doesn’t do it perfectly, the other, hopefully, won’t have that exact same vulnerability.

On a side note, the idea of using testnet to test HW wallet and check whether your system is compromised is clever idea.

.
.BLACKJACK ♠ FUN.
█████████
██████████████
████████████
█████████████████
████████████████▄▄
░█████████████▀░▀▀
██████████████████
░██████████████
████████████████
░██████████████
████████████
███████████████░██
██████████
CRYPTO CASINO &
SPORTS BETTING
▄▄███████▄▄
▄███████████████▄
███████████████████
█████████████████████
███████████████████████
█████████████████████████
█████████████████████████
█████████████████████████
███████████████████████
█████████████████████
███████████████████
▀███████████████▀
█████████
.
drawingthesun
Legendary
*
Offline Offline

Activity: 1176
Merit: 1015


View Profile
August 08, 2019, 05:38:53 PM
 #56

Stop trusting hardware wallet manufactures to protect your money.

We do need them for mass adoption however. Paper wallets can't take us the whole way.
Chris! (OP)
Legendary
*
Offline Offline

Activity: 1382
Merit: 1122



View Profile
August 08, 2019, 10:24:09 PM
 #57

It looks like the $5 wrench attack came up a few times as well. Easiest way to avoid that would be multisig. Spread those keys across the land. If someone holds you up until you give up your private keys, you can't.


We do need them for mass adoption however. Paper wallets can't take us the whole way.

100% disagree. Unless they're 100% open source you're trusting them, which means you are potentially leaking keys, meaning you're not the only one holding your private keys, meaning you might as well have stuck with legacy banking since you obviously can't be your own bank.
PrimeNumber7
Copper Member
Legendary
*
Offline Offline

Activity: 1610
Merit: 1899

Amazon Prime Member #7


View Profile
August 09, 2019, 07:05:33 AM
 #58

What you can do is avoid the "wrench attack" by avoiding being the target of a wrench attack. You can do this by obscuring how much coin you have via things like coin control,  not reusing addresses, and minimizing the number of transactions that can be publicly attributed to you.
And not actively participating on online, public forums related to cryptocurrency... oh... wait. Tongue
Not everyone participating in these forums has substantial amounts of coin, or any coin at all. You can also keep your forum identity separate from your IRL identity to mitigate your risk that you will be targeted by a wrench attack.

Speaking about Vulnerabilities found in hardware wallets:

Trezor found this one:
Details of the OLED Vulnerability and its Mitigation

I think this is an edge case. For this attack to be successful, an attacker will need to compromise the computer you use with your trezor one ahead of time in a very specific way involving having physical access to your computer.

Someone who is able to execute this attack on a (non-upgraded) trezor one would also be able to learn of the private key associated with a paper wallet by compromising other computer components that would most probably be easier to compromise.
fillippone
Legendary
*
Offline Offline

Activity: 2114
Merit: 15180


Fully fledged Merit Cycler - Golden Feather 22-23


View Profile WWW
August 09, 2019, 07:43:12 AM
 #59

Speaking about Vulnerabilities found in hardware wallets:

Trezor found this one:
Details of the OLED Vulnerability and its Mitigation

I think this is an edge case. For this attack to be successful, an attacker will need to compromise the computer you use with your trezor one ahead of time in a very specific way involving having physical access to your computer.

Someone who is able to execute this attack on a (non-upgraded) trezor one would also be able to learn of the private key associated with a paper wallet by compromising other computer components that would most probably be easier to compromise.
Totally agree,
my point were in fact you cannot blindly trust your Hardware wallet and a stupid user (the one using suspicious  hardware) can ruin every secure procedure or security practice.

..JAMBLER.io..Create Your Bitcoin Mixing
Business Now for   F R E E 
▄█████████████████████████████
█████████████████████████
████▀████████████████████
███▀█████▄█▀███▀▀▀██████
██▀█████▄█▄██████████████
██▄▄████▀▄▄▄▀▀▀▀▀▄▄██████
█████▄▄▄██████████▀▄████
█████▀▄█▄██████▀█▄█████
███████▀▄█▀█▄██▀█▄███████
█████████▄█▀▄█▀▄█████████
█████████████████████████
█████████████████████████
▀█████████████████████████████
█████████████████████████████████████████████████
.
      OUR      
PARTNERS

.
█████████████████████████████████████████████████
████▄
██
██
██
██
██
██
██
██
██
██
██
████▀
▄█████████████████████████████
████████▀▀█████▀▀████████
█████▀█████████████▀█████
████████████████████████
███████████████▄█████████
█████████████████████████
█████████████████████████
█████████████████████████
███████████████▀█████████
████████████████████████
█████▄█████████████▄█████
████████▄▄█████▄▄████████
▀█████████████████████████████
█████████████████████████████████████████████████
.
   INVEST   
BITCOIN

.
█████████████████████████████████████████████████
████▄
██
██
██
██
██
██
██
██
██
██
██
████▀
o_e_l_e_o
In memoriam
Legendary
*
Offline Offline

Activity: 2268
Merit: 18497


View Profile
August 09, 2019, 08:58:34 AM
 #60

It looks like the $5 wrench attack came up a few times as well. Easiest way to avoid that would be multisig. Spread those keys across the land. If someone holds you up until you give up your private keys, you can't.
Obviously the best way to mitigate a wrench attack is to maintain your privacy wo you don't become a target, but I've often wondered what the best way to survive it would be provided the attacker has already overcome that first step.

Unless they know for a fact your wallet set up (which is incredibly unlikely), then there is no real difference in using multi-sig and just telling them you are using multi-sig. However, if they are willing to physically attack you for money, is having everything you own locked away in multi-sig wallets really the best way to go? Perhaps you actually want to have some bitcoin available you can hand over for your own sake. Also, there's nothing really stopping them from forcing you to tell them where you've stored all your multi-sig keys instead of the keys themselves.
Pages: « 1 2 [3] 4 5 »  All
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!