Is old 3.5 floppy safer than USB drive for cold storage?

[25hashcoin]

Many computers with built in webcam have built in wifi so if the OP is trying to avoid using USB period then he would probably not to be dealing with a computer that could have it's wifi antenna enabled (although this is serious tinfoil hat status).

Disable it in the BIOS? Or in the OS on first run? Some come with hardware switches that you can super-glue in the off position? Not really a problem.

I personally don't think it is necessary to go to these extremes (or to the extremes that CIYAM went to above) as I believe the incremental amount of security is low

It may be low, but the additional security measures are what seal off the gaps.

[1714125056]

1714125056

[1714125056]

1714125056

[1714125056]

1714125056

[Newar]

If it is in there, in theory it can be used. Some people want to use thicker "tinfoil hats" then others. I personally don't think it is necessary to go to these extremes (or to the extremes that CIYAM went to above) as I believe the incremental amount of security is low

Only if the attacker has access to the device. At that point I wouldn't worry about USB/wifi security issues anymore. You got a bigger problem then.

[Newar]

Most people do not send bitcoin directly from their cold storage to the address(es) they are sending to. In my experience most businesses will have a "hot wallet" that will contain a "target" amount of bitcoin. If the hot wallet gets too low then bitcoin will be transferred from their cold storage into their hot wallet. If the hot wallet starts to get too much bitcoin then the company will transfer some of the bitcoin to their cold storage

I guess it's because "most people" don't use Armory.

[Dabs]

It's enough, for me, to live in a gated community with armed guards roaming, with CCTV all over the place. And of course, I am armed myself.

For others, it might not be enough, but usually those kinds of people have other problems and has made enemies. They are either obscenely rich, or politicians.

The head of the largest retail group in my country travels with the minimum entourage of bodyguards. You can easily disappear here, even among the locals, if you even have the slightest idea how. I mean, its not easy, but it's not difficult either.

Back to topic: Just print your wallet or private keys, put it in an envelope, and lock it up in a traditional safe or filing cabinet at home.

[Eisenhower34]

If it is in there, in theory it can be used. Some people want to use thicker "tinfoil hats" then others. I personally don't think it is necessary to go to these extremes (or to the extremes that CIYAM went to above) as I believe the incremental amount of security is low

Only if the attacker has access to the device. At that point I wouldn't worry about USB/wifi security issues anymore. You got a bigger problem then.

Well, in a worse case scenario, an attacker could enable the wifi + somehow capture the private key when it is unencrypted to sign a TX.

I agree that most of the vectors of attack would require physical access and a very good alternative to going crazy with tinfoil is to simply buy a safe and put your computer in your safe when you are not using it

[Newar]

If it is in there, in theory it can be used. Some people want to use thicker "tinfoil hats" then others. I personally don't think it is necessary to go to these extremes (or to the extremes that CIYAM went to above) as I believe the incremental amount of security is low

Only if the attacker has access to the device. At that point I wouldn't worry about USB/wifi security issues anymore. You got a bigger problem then.

Well, in a worse case scenario, an attacker could enable the wifi + somehow capture the private key when it is unencrypted to sign a TX.

Please explain how he could enable wifi on the device without physical access to the device.

It's enough, for me, to live in a gated community with armed guards roaming, with CCTV all over the place. And of course, I am armed myself.
[...]

Sometimes the "attack" can come from unexpected angles. There was a thread the other day where a guy lost his private keys he had on his phone wallet. Turns out his kids had access to the phone and deleted the Mycelium data (but not the app) to make room for a game they wanted to play.

[CIYAM]

In regards to getting the WiFi card removed (and I also stuck "plug stubs" into both the Ethernet and *phone* sockets) - this was not about worrying that some criminal might get physical access to the device but instead to ensure that someone like my wife "doesn't accidentally connect it to the internet".

In fact my cold storage is not *even stored on that computer* (I use a Live OS of CIYAM Safe).

[Eisenhower34]

If it is in there, in theory it can be used. Some people want to use thicker "tinfoil hats" then others. I personally don't think it is necessary to go to these extremes (or to the extremes that CIYAM went to above) as I believe the incremental amount of security is low

Only if the attacker has access to the device. At that point I wouldn't worry about USB/wifi security issues anymore. You got a bigger problem then.

Well, in a worse case scenario, an attacker could enable the wifi + somehow capture the private key when it is unencrypted to sign a TX.

Please explain how he could enable wifi on the device without physical access to the device.

I am saying that they would have physical access to the device. Many bitcoin users counter the potential of someone getting physical access to their cold storage with encryption, however the private keys would need to be decrypted temporarily in order to sign a TX. 

[funtotry]

If it is in there, in theory it can be used. Some people want to use thicker "tinfoil hats" then others. I personally don't think it is necessary to go to these extremes (or to the extremes that CIYAM went to above) as I believe the incremental amount of security is low

Only if the attacker has access to the device. At that point I wouldn't worry about USB/wifi security issues anymore. You got a bigger problem then.

Well, in a worse case scenario, an attacker could enable the wifi + somehow capture the private key when it is unencrypted to sign a TX.

Please explain how he could enable wifi on the device without physical access to the device.

I am saying that they would have physical access to the device. Many bitcoin users counter the potential of someone getting physical access to their cold storage with encryption, however the private keys would need to be decrypted temporarily in order to sign a TX. 

You could easily prevent any potential attack on your cold storage computer by renting a large safe deposit box at your bank and storing a laptop in the safe deposit box with the battery out. Colt storage by definition should not be used very frequently so it should not be easy for even you to access. You can store an unused USB drive with the laptop in the safe deposit box. This would resolve the issue of both your wifi being compromised and that your USB drive could somehow get compromised.

[sandykho47]

For short term cold storage, CD/DVD & Secure USB (example : Iron Key) is should good enough
For long term cold storage, use best quality DVD & long term Secure USB (this is expensive)

And you might want to encrypt your cold storage file to get more secure
But, i don't reccomended 3.5 floppy because it's difficult to find the reader & i'm afraid floppy disk can working if you don't use for a long time 

[bf4btc]

With the news on USB firmware hacks I was wondering if I should add a 3.5" floppy to my online computer to transfer from my cold storage old XP computer that already has a floppy. Would it be safer?

It really depends. If you are a business who is potentially sending bitcoin to customers (and taking money from cold storage to refill your hot wallet) then this would be a bad idea. Floppy disks and floppy drives are much less reliable then a USB drive so if it were to fail you would temporarily be unable allow your customers to receive bitcoin that it owed to them. This could cause your business to have a decreased reputation that could potentially be much more costly then having your bitcoin stolen (it is much easier to recover lost money then to recover lost reputation).

If you would be acting as an individual and would have little reason to need immediate access to your cold storage funds then yes it would be safier

[Dabs]

It's enough, for me, to live in a gated community with armed guards roaming, with CCTV all over the place. And of course, I am armed myself.
[...]

Sometimes the "attack" can come from unexpected angles. There was a thread the other day where a guy lost his private keys he had on his phone wallet. Turns out his kids had access to the phone and deleted the Mycelium data (but not the app) to make room for a game they wanted to play.

My kids are under 3 years old. While they know how to play on the ipad mini and my phone (and have accidentally deleted apps), I don't have any coins stored there, for precisely that reason, because they keep playing Pou or Fruit Ninja or Temple Run, and keep spending all my hard earned play money.

I would probably reserve a phone unit specifically for bitcoin purposes that no one else uses, but nah, that's what my laptops are for. (full drive encrypted, so no one opens it but me.)

[abercrombie]

I use 3 layers of encryption for wallets tucked away.

Bip-38 protected private addresses (steal it, it still won't work)
PGP encrypt your CSV spreadsheet
All encased in a TrueCrypt container

Rename it to something like taxes-2007.xls then make a bunch of copies.

[sinip]

With the news on USB firmware hacks I was wondering if I should add a 3.5" floppy to my online computer to transfer from my cold storage old XP computer that already has a floppy. Would it be safer?

yeah but why not go all the back to a 5 1/4" floppy.  Now those actually flopped.

And 5.25 floppies are actually much more durable regarding usage as storage than 3.5 floppies. Trust me, I have personal experience. Numerous 3.5 floppies would go bad for simply no reason at all, even after being left unused in a box, while 5.25 ones I have with some data on them are still usable. Provided you have working 5.25 inch floppy drive, and a PC to plug it into..

[santaClause]

It's enough, for me, to live in a gated community with armed guards roaming, with CCTV all over the place. And of course, I am armed myself.
[...]

Sometimes the "attack" can come from unexpected angles. There was a thread the other day where a guy lost his private keys he had on his phone wallet. Turns out his kids had access to the phone and deleted the Mycelium data (but not the app) to make room for a game they wanted to play.

My kids are under 3 years old. While they know how to play on the ipad mini and my phone (and have accidentally deleted apps), I don't have any coins stored there, for precisely that reason, because they keep playing Pou or Fruit Ninja or Temple Run, and keep spending all my hard earned play money.

I would probably reserve a phone unit specifically for bitcoin purposes that no one else uses, but nah, that's what my laptops are for. (full drive encrypted, so no one opens it but me.)

In order for this to be sufficiently secure you would need to keep your FDE password long/complex enough so that it cannot easily be guessed and is different from other passwords. Cold storage however, by definition is not used very often. Your risk is that you do not enter your password often enough so that you remember your FDE password and lose access to your computer and private key.

[Armadillo]

It seems to me that there is a greater risk in losing your wealth through the volatility of bitcoin itself than from someone stealing your coins out of cold storage. If you have a large portion of your wealth in bitcoin, a hedging strategy may add more security to your purchasing power than etching your info into a tungsten billet....just sayin.

[iwillwin]

Why do you think it would be safer ? I mean you must have given a thought to it as to why do you feel it would be safer ?

[banders]

The Unpatchable Malware That Infects USBs Is Now on the Loose  http://www.wired.com/2014/10/code-published-for-unfixable-usb-attack/

[vipgelsi]

I think the floppy would be safer and kinda cooler.

[Dabs]

In order for this to be sufficiently secure you would need to keep your FDE password long/complex enough so that it cannot easily be guessed and is different from other passwords. Cold storage however, by definition is not used very often. Your risk is that you do not enter your password often enough so that you remember your FDE password and lose access to your computer and private key.

Thanks for your concern. This should not be a problem for me. I forget many things, but not my passwords. They are also usually alphanumeric and between 20 to 64 characters long. (Randomly generated.)

And of course, there is a paper backup, stored somewhere safe.