Bitcoin Forum
December 03, 2016, 04:45:43 AM *
News: Latest stable version of Bitcoin Core: 0.13.1  [Torrent].
 
   Home   Help Search Donate Login Register  
Pages: « 1 2 3 4 [5] 6 »  All
  Print  
Author Topic: .  (Read 62171 times)
Dabs
Staff
Legendary
*
Offline Offline

Activity: 1512


64blocks.com


View Profile WWW
June 01, 2012, 01:43:14 AM
 #81

I personally prefer generating a completely random private key / public key pair than using deterministic methods to create / recreate a wallet (or bunch of keys), as there is the risk (no matter how small) of the method to be discovered and the whole wallet compromised.

64blocks.com Social Multiplayer Dice (Gambling) - Escrow Service (Services) - GPG ID: 32AD7565, OTC ID: Dabs
All messages concerning escrow or with bitcoin addresses are GPG signed. Please verify.
CompTIA A+, Microsoft Certified Professional, MCSA: Windows 10; Windows Server 2012, MCSE: Cloud Platform and Infrastructure; Productivity; Messaging
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1480740343
Hero Member
*
Offline Offline

Posts: 1480740343

View Profile Personal Message (Offline)

Ignore
1480740343
Reply with quote  #2

1480740343
Report to moderator
1480740343
Hero Member
*
Offline Offline

Posts: 1480740343

View Profile Personal Message (Offline)

Ignore
1480740343
Reply with quote  #2

1480740343
Report to moderator
1480740343
Hero Member
*
Offline Offline

Posts: 1480740343

View Profile Personal Message (Offline)

Ignore
1480740343
Reply with quote  #2

1480740343
Report to moderator
Kazimir
Legendary
*
Offline Offline

Activity: 1036



View Profile
June 04, 2012, 05:02:28 PM
 #82

You should try Wuala.com. ( it also accept Bitcoin as payment: http://www.wuala.com/bitcoin )
It has many features like Dropbox, but it also include a local encryption before the upload Wink
I only just discovered about this Wuala thing, but this is pretty awesome!

Looking into Wuala right now, didn't try it yet but so far it seems a big improvement over Dropbox:

  • Encrypted locally, which is extremely important for sensitive data (such as your wallet)
  • 5GB instead of 2GB in the free plan (well even 2GB is already WAY more than you need to backup your wallet)
  • Ability to have multiple sync folders on your computer (as opposed to just one global 'Dropbox folder')

Looks pretty nice so far.

In theory, there's no difference between theory and practice. In practice, there is.
Insert coin(s): 1KazimirL9MNcnFnoosGrEkmMsbYLxPPob
etotheipi
Legendary
*
Offline Offline

Activity: 1428


Core Armory Developer


View Profile WWW
June 04, 2012, 05:49:32 PM
 #83

I made a pretty comprehensive tutorial for using cold storage in Armory:  Using Offline Wallets in Armory

Get an old laptop, and it's 7 steps to get setup.  Then 7-8 steps to actually execute a transaction.  But of course, this is all with a pleasant graphical user interface with directions shown along the way, so the steps are a lot easier than the alternatives! 

Offline wallets/cold storage is exactly what inspired me to make Armory in the first place! 

The only potential point of failure is USB viruses.  And those viruses would have to be highly-targeted:  your private keys never touch any computer that will ever touch the internet.  So a USB virus would have to be fully automated and exploit autorun vulnerabilities to even have a chance.  In the future, I will support serial cables to close this tiny little gap, for the super-paranoid.

</spam>

Founder and CEO of Armory Technologies, Inc.
Armory Bitcoin Wallet: Bringing cold storage to the average user!
Only use Armory software signed by the Armory Offline Signing Key (0x98832223)

Please donate to the Armory project by clicking here!    (or donate directly via 1QBDLYTDFHHZAABYSKGKPWKLSXZWCCJQBX -- yes, it's a real address!)
fivemileshigh
Full Member
***
Offline Offline

Activity: 136


View Profile
June 04, 2012, 09:01:42 PM
 #84

How do you guys feel about bitaddress.org paper wallets for offline storage? Pdf's backed up as physical paper in a secure location and as a file on an encrypted disk image on email/dropbox/various usb sticks (25+ char. pwd)?
Dabs
Staff
Legendary
*
Offline Offline

Activity: 1512


64blocks.com


View Profile WWW
June 05, 2012, 04:00:34 AM
 #85

@etotheipi

The offline computer can have an offline antivirus, anti-malware, anti-rootkit software installed. It is updated by virus definition files offline through the USB. Serial cables (as in the RS232?) are non-existent on modern computers and you can consider them obsolete.

Personally, I don't have enough bitcoins to justify an offline computer for the purpose of cold storage, and I think I know relatively enough about malware to prevent it from affecting my daily computer usage despite not having installed anti-virus software (they slow down my computer so much that I notice it.)

Your software is interesting though and I might just download and try it out.

@fivemileshigh

That's almost how I do it. I generated some key pairs and they're backed up on paper and encrypted and rar'd with recovery records, and then protected from damage. I haven't actually printed them out to paper but will do it soon.

A piece of paper, printed using a dot-matrix impact printer (because laser toner sticks and inkjets smudge), optionally laminated, stored in a folder or envelope, in a safe is cheaper than a used mini laptop / netbook.

I'm actually looking for a decent font to print out my private keys and so far I've come up with Courier, Consolas and Lucida (fax / mono). I prefer monospaced font for this purpose.

64blocks.com Social Multiplayer Dice (Gambling) - Escrow Service (Services) - GPG ID: 32AD7565, OTC ID: Dabs
All messages concerning escrow or with bitcoin addresses are GPG signed. Please verify.
CompTIA A+, Microsoft Certified Professional, MCSA: Windows 10; Windows Server 2012, MCSE: Cloud Platform and Infrastructure; Productivity; Messaging
etotheipi
Legendary
*
Offline Offline

Activity: 1428


Core Armory Developer


View Profile WWW
June 05, 2012, 04:03:24 AM
 #86

@etotheipi

The offline computer can have an offline antivirus, anti-malware, anti-rootkit software installed. It is updated by virus definition files offline through the USB. Serial cables (as in the RS232?) are non-existent on modern computers and you can consider them obsolete.

Personally, I don't have enough bitcoins to justify an offline computer for the purpose of cold storage, and I think I know relatively enough about malware to prevent it from affecting my daily computer usage despite not having installed anti-virus software (they slow down my computer so much that I notice it.)

Your software is interesting though and I might just download and try it out.


You can get USB-to-Serial-port converters for $10.  One for each system and a null modem cable to hook'em together.

I agree that you can install all sorts of extra stuff on the two systems to prevent most nastiness.  But if users are storing $100,000+, they would prefer the 100% guaranteed solution, even if it's a little extra work and a few extra dollars.

Please try it out and let me know if you have any issues or concerns.  I'm always available to help Smiley

Founder and CEO of Armory Technologies, Inc.
Armory Bitcoin Wallet: Bringing cold storage to the average user!
Only use Armory software signed by the Armory Offline Signing Key (0x98832223)

Please donate to the Armory project by clicking here!    (or donate directly via 1QBDLYTDFHHZAABYSKGKPWKLSXZWCCJQBX -- yes, it's a real address!)
justusranvier
Legendary
*
Offline Offline

Activity: 1400



View Profile WWW
June 05, 2012, 04:27:43 AM
 #87

I agree that you can install all sorts of extra stuff on the two systems to prevent most nastiness.  But if users are storing $100,000+, they would prefer the 100% guaranteed solution, even if it's a little extra work and a few extra dollars.
If users really are storing $100,000+ there's no reason to use a general-purpose computer as an offline wallet. It seems like a dedicated hardware device should be able to be produced for less than the cost of two USB to Serial converters plus a PC. All it would need to do is receive unsigned transactions, wait for user input, sign the transaction, and return it.
etotheipi
Legendary
*
Offline Offline

Activity: 1428


Core Armory Developer


View Profile WWW
June 05, 2012, 02:01:49 PM
 #88

I agree that you can install all sorts of extra stuff on the two systems to prevent most nastiness.  But if users are storing $100,000+, they would prefer the 100% guaranteed solution, even if it's a little extra work and a few extra dollars.
If users really are storing $100,000+ there's no reason to use a general-purpose computer as an offline wallet. It seems like a dedicated hardware device should be able to be produced for less than the cost of two USB to Serial converters plus a PC. All it would need to do is receive unsigned transactions, wait for user input, sign the transaction, and return it.

Yes and no. 

(1)  Such hardware devices do not exist yet
(2)  Offline systems can usually be found for free, because even 10 yrs old with 256 MB of RAM will work
(3)  A specialized hardware device may work, but will lack flexibility -- with the offline system you can import keys, juggle wallets, print backups, etc.

I agree that a specialized piece of hardware would be nice, but there's a lot of flexibility in using a general purpose system that was about to be thrown out anyway.

Founder and CEO of Armory Technologies, Inc.
Armory Bitcoin Wallet: Bringing cold storage to the average user!
Only use Armory software signed by the Armory Offline Signing Key (0x98832223)

Please donate to the Armory project by clicking here!    (or donate directly via 1QBDLYTDFHHZAABYSKGKPWKLSXZWCCJQBX -- yes, it's a real address!)
justusranvier
Legendary
*
Offline Offline

Activity: 1400



View Profile WWW
June 05, 2012, 04:03:15 PM
 #89

I agree that a specialized piece of hardware would be nice, but there's a lot of flexibility in using a general purpose system that was about to be thrown out anyway.
Flexibility is nice but it also means more potential ways for a remote attacker to find an exploit. The lack of flexibility in a specialized device is a feature because it greatly reduces the attack surface.

It might not be worth it for $1000 but a wallet with $100,000+ is a highly desirable target for someone to go after.
kjlimo
Legendary
*
Offline Offline

Activity: 1498


View Profile WWW
June 05, 2012, 05:08:38 PM
 #90

This thread lost me at 14 steps... easy?

anyway, in case I feel like I need more security... sub

CampBX for buying BTCs, Coinbase for selling BTCs or Vircurex or Cryptsy for trading alternate cryptocurrencies like DOGEs

PM me with any questions on these sites!  Happy to help!

Bitcoin Poker at Seals                  Strike Sapphire Casino  Free games every hour & day!
  Get Free Bitcoins here.

Spondoolies-Tech or KnC Miner for the fastest mining hardware available!

Bitpay to help your business accept bitcoin payments!
etotheipi
Legendary
*
Offline Offline

Activity: 1428


Core Armory Developer


View Profile WWW
June 05, 2012, 05:30:50 PM
 #91

I agree that a specialized piece of hardware would be nice, but there's a lot of flexibility in using a general purpose system that was about to be thrown out anyway.
Flexibility is nice but it also means more potential ways for a remote attacker to find an exploit. The lack of flexibility in a specialized device is a feature because it greatly reduces the attack surface.

It might not be worth it for $1000 but a wallet with $100,000+ is a highly desirable target for someone to go after.

I agree with your sentiment.  But a computer that has never touched the internet has no attack surface.  The only attack vector is the autorun-USB vulnerabilities when using a USB key for moving tx data back and forth.  It's a small surface, but it is theoretically exploitable.  That's why I brought up the USB-serial connection, which reduces that attack surface to zero (barring compromised software updates), because there is no way to induce remote-code execution through the serial cable.

EDIT: last sentence is true given a couple basic precautions taken on the offline system.  And the entirety of the above is true given that the software was designed "correctly."

I designed Armory specifically for the easiest cold storage capability possible.  And most people either have an old spare laptop sitting around waiting to be junked, or can get one from a neighbor/friend/coworker for free.  The program walks you through the process, and unlike other solutions, you get a watching-only wallet on your online computer so you can still generate addresses and monitor your balance and transactions, without the risk of someone getting the private keys.




Founder and CEO of Armory Technologies, Inc.
Armory Bitcoin Wallet: Bringing cold storage to the average user!
Only use Armory software signed by the Armory Offline Signing Key (0x98832223)

Please donate to the Armory project by clicking here!    (or donate directly via 1QBDLYTDFHHZAABYSKGKPWKLSXZWCCJQBX -- yes, it's a real address!)
justusranvier
Legendary
*
Offline Offline

Activity: 1400



View Profile WWW
June 05, 2012, 05:43:22 PM
 #92

because there is no way to induce remote-code execution through the serial cable.
That's what has me worried. It's been a long time since we used dial up modems as a primary means of accessing the internet so how much attention has been paid to the OS serial port drivers and libraries with regards to security flaws? Can you prove there is no possible sequence of bits capable of exploiting a bug somewhere in the stack?

In the case of Linux, wasn't the entire TTY layer recently rewritten? How much security auditing has been done on that, given that serial ports don't get a lot of use these days?
proudhon
Legendary
*
Offline Offline

Activity: 1148



View Profile
June 05, 2012, 06:12:27 PM
 #93

I agree that a specialized piece of hardware would be nice, but there's a lot of flexibility in using a general purpose system that was about to be thrown out anyway.
Flexibility is nice but it also means more potential ways for a remote attacker to find an exploit. The lack of flexibility in a specialized device is a feature because it greatly reduces the attack surface.

It might not be worth it for $1000 but a wallet with $100,000+ is a highly desirable target for someone to go after.

I agree with your sentiment.  But a computer that has never touched the internet has no attack surface.  The only attack vector is the autorun-USB vulnerabilities when using a USB key for moving tx data back and forth.  It's a small surface, but it is theoretically exploitable.  That's why I brought up the USB-serial connection, which reduces that attack surface to zero (barring compromised software updates), because there is no way to induce remote-code execution through the serial cable.

EDIT: last sentence is true given a couple basic precautions taken on the offline system.  And the entirety of the above is true given that the software was designed "correctly."

I designed Armory specifically for the easiest cold storage capability possible.  And most people either have an old spare laptop sitting around waiting to be junked, or can get one from a neighbor/friend/coworker for free.  The program walks you through the process, and unlike other solutions, you get a watching-only wallet on your online computer so you can still generate addresses and monitor your balance and transactions, without the risk of someone getting the private keys.

I love Armory, and I think it is the easiest possible solution for much of the current bitcoin crowd, but I think the time is approaching that we'll need to begin developing for our parents and less-tech-savvy friends.  I know lots of people, even among my cohort, who don't have spare computers sitting around, and even if they did they wouldn't be able to setup an offline Armory wallet.

Edit:  BTW, you've got PM.
etotheipi
Legendary
*
Offline Offline

Activity: 1428


Core Armory Developer


View Profile WWW
June 05, 2012, 06:24:32 PM
 #94

I love Armory, and I think it is the easiest possible solution for much of the current bitcoin crowd, but I think the time is approaching that we'll need to begin developing for our parents and less-tech-savvy friends.  I know lots of people, even among my cohort, who don't have spare computers sitting around, and even if they did they wouldn't be able to setup an offline Armory wallet.

Edit:  BTW, you've got PM.

I whole-heartedly agree.   My priority has been to make the functionality exist and accessible for those who want it.  So far, I haven't seen cold-storage implemented anywhere else that isn't a complete PITA to use.   In that sense, Armory is the perfect response to this thread, because you were already expecting to do 14 steps when you clicked on this thread Smiley    At least the steps for Armory cold storage are built into the interface, and lets you have a watching-only wallet...

However, as you point out, absolute beginners would probably not figure this out.  And to be fair, Armory is not designed, in its current state, to be a beginner's tool.  Armory is intended to be the ultimate advanced-users' tool first, then I will work on networking-independence and standard-usermode to make it usable by new users.  As long as you need the Satoshi client running in the background, there's no point in catering to beginners, yet...




Founder and CEO of Armory Technologies, Inc.
Armory Bitcoin Wallet: Bringing cold storage to the average user!
Only use Armory software signed by the Armory Offline Signing Key (0x98832223)

Please donate to the Armory project by clicking here!    (or donate directly via 1QBDLYTDFHHZAABYSKGKPWKLSXZWCCJQBX -- yes, it's a real address!)
2112
Legendary
*
Offline Offline

Activity: 1708



View Profile
June 05, 2012, 06:39:30 PM
 #95

I'm pretty sure that Mr. etotheipi is well meaning, but he is also very young and inexperienced. His advice about "attack surface" is generally right, but it just betrays his lack of experience.

1) Those who remember the old product called Laplink and its special "serial and parallel on both ends" cable will probably also remember the trivial procedure used to transfer Laplink from one machine to the other through that cable. Once you had Laplink on both machines you had access to all files on both machines.

2) Ten years old laptop computers frequently have IrDA (or other infrared) port. There wasn't many commercial products using those ports, but it was heavenly invention for hackers. Clever person could gain access to the other person's computer while siting right in front of him around the conference table during negotiations.

3) The biggest attack surface on 10 years old computers in not from hackers, but from your good old friend Murphy. If you plan on following his advice to store your valuable bitcoins on an old PC please buy at least 2 or 3 identical copies to have spare parts in case of inevitable component failure. Also make sure that either you know how to swap those parts or have a trusted person who could help you with that task.

This is pretty much close to a security theater performance art.

The constructive advice I could give is:

1) use modern computers, just learn how to boot them off the external drive or how to swap internal drives.
2) when storing on the hard drives learn about SmartMonTools (or other S.M.A.R.T. toolset), how to use them and how to interpret the results.
3) DVD-RAM is the only consumer-grade removable media technology with any track record of long-term reliability.
4) USB flash drives are to be trusted only if you also have access to the test and configuration application that is specific to the particular controller used in your flash device.

Thank you for reading.

Please comment, critique, criticize or ridicule BIP 2112: https://bitcointalk.org/index.php?topic=54382.0
Long-term mining prognosis: https://bitcointalk.org/index.php?topic=91101.0
proudhon
Legendary
*
Offline Offline

Activity: 1148



View Profile
June 05, 2012, 06:44:46 PM
 #96

I'm pretty sure that Mr. etotheipi is well meaning, but he is also very young and inexperienced. His advice about "attack surface" is generally right, but it just betrays his lack of experience.

1) Those who remember the old product called Laplink and its special "serial and parallel on both ends" cable will probably also remember the trivial procedure used to transfer Laplink from one machine to the other through that cable. Once you had Laplink on both machines you had access to all files on both machines.

2) Ten years old laptop computers frequently have IrDA (or other infrared) port. There wasn't many commercial products using those ports, but it was heavenly invention for hackers. Clever person could gain access to the other person's computer while siting right in front of him around the conference table during negotiations.

3) The biggest attack surface on 10 years old computers in not from hackers, but from your good old friend Murphy. If you plan on following his advice to store your valuable bitcoins on an old PC please buy at least 2 or 3 identical copies to have spare parts in case of inevitable component failure. Also make sure that either you know how to swap those parts or have a trusted person who could help you with that task.

This is pretty much close to a security theater performance art.

The constructive advice I could give is:

1) use modern computers, just learn how to boot them off the external drive or how to swap internal drives.
2) when storing on the hard drives learn about SmartMonTools (or other S.M.A.R.T. toolset), how to use them and how to interpret the results.
3) DVD-RAM is the only consumer-grade removable media technology with any track record of long-term reliability.
4) USB flash drives are to be trusted only if you also have access to the test and configuration application that is specific to the particular controller used in your flash device.

Thank you for reading.

I think you're forgetting that Armory can be use, and should be used IMO, to create offline paper backups.  Laminate a few of those suckers and store them in fireproof safes.  If the the old computer you used, which may have had an active wallet on it, dies; then just grab another computer and one of your paper backups and your back in business.
2112
Legendary
*
Offline Offline

Activity: 1708



View Profile
June 05, 2012, 07:09:52 PM
 #97

I think you're forgetting that Armory can be use, and should be used IMO, to create offline paper backups.  Laminate a few of those suckers and store them in fireproof safes.  If the the old computer you used, which may have had an active wallet on it, dies; then just grab another computer and one of your paper backups and your back in business.
Thank you for reminding me about another "attack vector" that I neglected.

You'll also need to store the Armory source code as well as the source code of its tangled mess of dependencies, including the toolsets required to rebuild them. Or just buy a life insurance policy and a performance bond on Mr. etotheipi.

Sorry, but I have a feeling that explaining certain long-term attack vectors will look too much like a personal attack. I really don't want to go into that discussion.

Please comment, critique, criticize or ridicule BIP 2112: https://bitcointalk.org/index.php?topic=54382.0
Long-term mining prognosis: https://bitcointalk.org/index.php?topic=91101.0
etotheipi
Legendary
*
Offline Offline

Activity: 1428


Core Armory Developer


View Profile WWW
June 05, 2012, 08:01:13 PM
 #98

I think you're forgetting that Armory can be use, and should be used IMO, to create offline paper backups.  Laminate a few of those suckers and store them in fireproof safes.  If the the old computer you used, which may have had an active wallet on it, dies; then just grab another computer and one of your paper backups and your back in business.
Thank you for reminding me about another "attack vector" that I neglected.

You'll also need to store the Armory source code as well as the source code of its tangled mess of dependencies, including the toolsets required to rebuild them. Or just buy a life insurance policy and a performance bond on Mr. etotheipi.

Sorry, but I have a feeling that explaining certain long-term attack vectors will look to much like a personal attack. I really don't want to go into that discussion.

2112,

I know what you're saying: it's improper to talk about "zero attack-surface" because there's always a vulnerability due to one of the assumptions made which isn't necessary true (unexpected software on the OS, improper software design, maliciously modified software, etc).  But what solution do you recommend instead?  Both, "what do you do right now to secure your coins" and "how do you improve the software to make it more secure"?

I am not sure if there's anything better than Armory for the first question, right now, in terms of being a solution that moderately-experienced users can use.  The answer to the second question has been the topic of many discussions including this one where I sought input from other users on exactly this topic.  I don't see any posts from you.

(EDIT: added the correct link to the previous paragraph)

You clearly have constructive input to add, so please do so on those threads.  You are clearly very experienced and your input would be valuable so that stupid things don't happen.  For reference, I am aware of various pre-installed tools for communicating via serial port -- and even IrDA could be used to initiate logins.  I didn't mean to imply that all you need is a serial cable -- using the serial cable would come with a lockdown procedure.  It would be for the really advanced users.  

I heed your advice about claiming "zero attack vector", I should really be claiming that this is the "best solution currently available."  It's certainly better than keeping an encrypted wallet on your online HDD.  

P.S. -- One thing to clear up:  paper backups for Armory are invaluable.  You can print off multiple copies to protect against hardware failure, and any version of Armory can produce a raw list of private keys that could be imported into any other program.  Agreed that old hardware is likely to fail, but new hardware fails too -- that's why there's such exhaustive backup features in Armory.

Founder and CEO of Armory Technologies, Inc.
Armory Bitcoin Wallet: Bringing cold storage to the average user!
Only use Armory software signed by the Armory Offline Signing Key (0x98832223)

Please donate to the Armory project by clicking here!    (or donate directly via 1QBDLYTDFHHZAABYSKGKPWKLSXZWCCJQBX -- yes, it's a real address!)
justusranvier
Legendary
*
Offline Offline

Activity: 1400



View Profile WWW
June 05, 2012, 10:04:02 PM
 #99

This is just my purely subjective personal opinion but if I had a wallet with $100,000+ in it I would store it on a computer that had complete air gap security - not even an RS-232 link to an Internet-connected computer. I would want the ability to create offline transactions by hand-keying in the source and destination addresses and would broadcast the transaction by having the offline computer print a hard copy that another computer could scan in and upload to the network.
etotheipi
Legendary
*
Offline Offline

Activity: 1428


Core Armory Developer


View Profile WWW
June 05, 2012, 10:57:42 PM
 #100

This is just my purely subjective personal opinion but if I had a wallet with $100,000+ in it I would store it on a computer that had complete air gap security - not even an RS-232 link to an Internet-connected computer. I would want the ability to create offline transactions by hand-keying in the source and destination addresses and would broadcast the transaction by having the offline computer print a hard copy that another computer could scan in and upload to the network.

Well you can do that with Armory.  It just might be quite a bit of handwriting (I think some transactions can be up to 10kB)...

However, I had considered the possibility of using webcams and QR codes.  But that will turn into a mess of wires and complicated interfaces to deal with multiple QR codes, etc.

Founder and CEO of Armory Technologies, Inc.
Armory Bitcoin Wallet: Bringing cold storage to the average user!
Only use Armory software signed by the Armory Offline Signing Key (0x98832223)

Please donate to the Armory project by clicking here!    (or donate directly via 1QBDLYTDFHHZAABYSKGKPWKLSXZWCCJQBX -- yes, it's a real address!)
Pages: « 1 2 3 4 [5] 6 »  All
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!