ABitNut
January 21, 2015, 04:15:48 AM

The solution is in the article itself: "Another counter-measure would be to strictly not use any address more often than once."
Also the following statement in the article is endorsed by Captain Obvious: "There is only one conclusion to draw from this problem: Users cannot trust any implementation of ECDSA or Bitcoin, which they cannot fully verify."
And "Easily" is very subjective. How easy is it to compromise a cold storage wallet? -> If the answer is easy then you're doing it wrong (tm).
mayax (OP)
January 21, 2015, 01:04:50 PM

> The solution is in the article itself: "Another counter-measure would be to strictly not use any address more often than once."
> Also the following statement in the article is endorsed by Captain Obvious: "There is only one conclusion to draw from this problem: Users cannot trust any implementation of ECDSA or Bitcoin, which they cannot fully verify."
> And "Easily" is very subjective. How easy is it to compromise a cold storage wallet? -> If the answer is easy then you're doing it wrong (tm).

The answer is "easy" when you know what you are doing.
ChuckBuck
January 21, 2015, 01:15:55 PM

> > The solution is in the article itself: "Another counter-measure would be to strictly not use any address more often than once."
> > Also the following statement in the article is endorsed by Captain Obvious: "There is only one conclusion to draw from this problem: Users cannot trust any implementation of ECDSA or Bitcoin, which they cannot fully verify."
> > And "Easily" is very subjective. How easy is it to compromise a cold storage wallet? -> If the answer is easy then you're doing it wrong (tm).
>
> The answer is "easy" when you know what you are doing.

And who knows how to do this exactly? And please don't say Stephan Verbücheln, because he's the one that wrote the damn paper. Please lock this thread.
turvarya
January 21, 2015, 01:44:39 PM

> > The solution is in the article itself: "Another counter-measure would be to strictly not use any address more often than once."
> > Also the following statement in the article is endorsed by Captain Obvious: "There is only one conclusion to draw from this problem: Users cannot trust any implementation of ECDSA or Bitcoin, which they cannot fully verify."
> > And "Easily" is very subjective. How easy is it to compromise a cold storage wallet? -> If the answer is easy then you're doing it wrong (tm).
>
> The answer is "easy" when you know what you are doing.

If it is so easy, then explain the steps to get the compromised code into any of the currently used programs. You can pick every program you like.
BillyBobZorton
January 21, 2015, 02:24:41 PM

I also read that if you make a paper wallet, despite the keys being embedded in a JPEG, they can still be hacked. And that if you print the wallets, the info is stored in the printer, which can be hacked.
So, the solution seems to be to buy a computer that has never seen the internet, and a printer that has never seen the internet. This is NOT a solution for the mainstream 99% of people. I've given up on computer-based cold storage as I'm not tech-literate enough, but would still like to try paper wallets.
Unbelive
January 21, 2015, 02:55:48 PM

Every solution has a problem and every problem has a solution.
It will just go on and on. And only progress gains.
jonald_fyookball
January 21, 2015, 03:07:36 PM

> I also read that if you make a paper wallet, despite the keys being embedded in a JPEG, they can still be hacked. And that if you print the wallets, the info is stored in the printer, which can be hacked.
> So, the solution seems to be to buy a computer that has never seen the internet, and a printer that has never seen the internet. This is NOT a solution for the mainstream 99% of people. I've given up on computer-based cold storage as I'm not tech-literate enough, but would still like to try paper wallets.

Agree that it's not mainstream, but it's not THAT hard. Buy a cheap machine from eBay/Craigslist, kill the wifi, and re-install the OS.
dsattler
January 21, 2015, 04:01:32 PM

> > I also read that if you make a paper wallet, despite the keys being embedded in a JPEG, they can still be hacked. And that if you print the wallets, the info is stored in the printer, which can be hacked.
> > So, the solution seems to be to buy a computer that has never seen the internet, and a printer that has never seen the internet. This is NOT a solution for the mainstream 99% of people. I've given up on computer-based cold storage as I'm not tech-literate enough, but would still like to try paper wallets.
>
> Agree that it's not mainstream, but it's not THAT hard. Buy a cheap machine from eBay/Craigslist, kill the wifi, and re-install the OS.

Or wait for this: https://www.indiegogo.com/projects/mycelium-entropy
mayax (OP)
January 21, 2015, 05:56:08 PM

> > > The solution is in the article itself: "Another counter-measure would be to strictly not use any address more often than once."
> > > Also the following statement in the article is endorsed by Captain Obvious: "There is only one conclusion to draw from this problem: Users cannot trust any implementation of ECDSA or Bitcoin, which they cannot fully verify."
> > > And "Easily" is very subjective. How easy is it to compromise a cold storage wallet? -> If the answer is easy then you're doing it wrong (tm).
> >
> > The answer is "easy" when you know what you are doing.
>
> And who knows how to do this exactly? And please don't say Stephan Verbücheln, because he's the one that wrote the damn paper. Please lock this thread.

Many other people know a lot about cryptography. Verbücheln is only one of them. Stay chill, you will find out soon that cold wallets were hacked. The Mt. Gox wallet was hacked too.
turvarya
January 21, 2015, 07:00:41 PM

> > > > The solution is in the article itself: "Another counter-measure would be to strictly not use any address more often than once."
> > > > Also the following statement in the article is endorsed by Captain Obvious: "There is only one conclusion to draw from this problem: Users cannot trust any implementation of ECDSA or Bitcoin, which they cannot fully verify."
> > > > And "Easily" is very subjective. How easy is it to compromise a cold storage wallet? -> If the answer is easy then you're doing it wrong (tm).
> > >
> > > The answer is "easy" when you know what you are doing.
> >
> > And who knows how to do this exactly? And please don't say Stephan Verbücheln, because he's the one that wrote the damn paper. Please lock this thread.
>
> Many other people know a lot about cryptography. Verbücheln is only one of them. Stay chill, you will find out soon that cold wallets were hacked. The Mt. Gox wallet was hacked too.

The Mt. Gox cold wallet was just hacked because Mark accidentally looked at it.
thompete
January 21, 2015, 08:09:40 PM

Why does the title say "Hacked Easily"? I don't think that is the case. Even cold wallets which have not many transactions are rather safe.
Anillos2
January 21, 2015, 09:04:27 PM

I don't believe that. I always create my paper wallets offline and I move the computer mouse in order to get enough entropy. How could someone know my mouse movements if I type some random letters between moves? How many paper wallets (with enough entropy) have been stolen?
turvarya
January 23, 2015, 08:04:32 AM

> I don't believe that. I always create my paper wallets offline and I move the computer mouse in order to get enough entropy. How could someone know my mouse movements if I type some random letters between moves? How many paper wallets (with enough entropy) have been stolen?

The whole thing is just theoretical. A year ago or so, we got instant payment (so without PIN) via NFC for our bank cards in Austria. There was also a theory about how to route the signal through a smartphone so a thief could pay with his smartphone on the other end. Also not very likely to execute, and a lot of effort for €25. I just bought a protective cover that blocks the signal (and also protects my card from e.g. a magnetic field) and was done with that. So, it might be nice that there are people theorizing about such things, but they don't really work in the real world.
MithrilMan
January 23, 2015, 10:40:39 AM

Putting the source code of the critical parts of the code into the blockchain, and letting a "smart client" compile it when downloaded, could be a way to secure a client. A CRC-checked compiled version could be used too instead of downloading and compiling (because often code relies on external references).
The trust problem is something real for Bitcoin clients. There isn't a perfect solution; even downloading from the official site could be insecure and isn't decentralized anyway, and people who compile on their own machine don't have to assume that since they have compiled, the client is secure, because if they rely on other dependencies (like Qt libraries) then they should check that even that DLL isn't compromised.
I think that a good way to secure clients would be to implement a sanity check between nodes: every client should implement a protocol to find other peers that share the same client (and match the version) so they can cross-check that they are using the same version and that every file matches (of course this check couldn't be cross-platform; every platform has its own set of files), and if the version doesn't match, then a warning should pop up on the client that has less consensus over the network.
I haven't thought yet about details, but I think that this could work. The network should be its own supervisor to keep behaving as decentralized (it would be easy to create a service where you upload your client files and it returns whether they are fine, but this would be a 3rd-party service, so centralized).
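The peer cross-check proposed above, sketched as an added example (this is not MithrilMan's code or any Bitcoin client's protocol): each node hashes its own client files into a manifest, exchanges manifests with peers on the same version and platform, and warns when its own file digests are in the minority. The file names, version strings and file contents are constructed for the demonstration; the network transport that would carry the manifests is left out, so the exchange is simulated with in-memory dictionaries.

```python
import hashlib
from collections import Counter

# Added example, not MithrilMan's code. File paths, version and platform
# strings, and file contents below are constructed for illustration.

def file_digest(data: bytes) -> str:
    """SHA-256 of one client file's bytes."""
    return hashlib.sha256(data).hexdigest()

def build_manifest(version: str, platform: str, files: dict) -> dict:
    """Manifest a node would advertise: version, platform and per-file digests."""
    return {
        "version": version,
        "platform": platform,
        "files": {path: file_digest(data) for path, data in files.items()},
    }

def manifest_fingerprint(manifest: dict) -> str:
    """One digest over the sorted (path, digest) list so peers can compare cheaply."""
    h = hashlib.sha256()
    for path, digest in sorted(manifest["files"].items()):
        h.update(path.encode("utf-8") + b"\0" + digest.encode("ascii") + b"\n")
    return h.hexdigest()

def cross_check(mine: dict, peers: list) -> dict:
    """Compare my manifest with peers on the same version and platform.

    Returns the consensus status and, when I am in the minority, the files
    whose digests differ from the majority manifest."""
    comparable = [p for p in peers
                  if p["version"] == mine["version"] and p["platform"] == mine["platform"]]
    if not comparable:
        return {"status": "no_comparable_peers", "peers": 0, "mismatched": []}

    my_fp = manifest_fingerprint(mine)
    counts = Counter(manifest_fingerprint(p) for p in comparable)
    counts[my_fp] += 1  # my own manifest counts as one vote too
    majority_fp, majority_votes = counts.most_common(1)[0]
    total = sum(counts.values())

    if my_fp == majority_fp:
        return {"status": "consensus", "peers": len(comparable),
                "agreeing": majority_votes, "total": total, "mismatched": []}

    # I am in the minority: find a peer holding the majority manifest and
    # list the files where my digest differs from it.
    reference = next(p for p in comparable if manifest_fingerprint(p) == majority_fp)
    all_paths = set(mine["files"]) | set(reference["files"])
    mismatched = sorted(path for path in all_paths
                        if mine["files"].get(path) != reference["files"].get(path))
    return {"status": "warning", "peers": len(comparable),
            "agreeing": majority_votes, "total": total, "mismatched": mismatched}

# Constructed sample release that every honest node should be running.
GOOD_FILES = {
    "bin/wallet-client": b"client binary 0.10.0 (constructed)",
    "lib/libecdsa.so": b"ecdsa library (constructed)",
    "lib/libqt-ui.so": b"ui library (constructed)",
}
VERSION, PLATFORM = "0.10.0", "linux-x86_64"

# Four honest peers on my version and platform.
HONEST_PEERS = [build_manifest(VERSION, PLATFORM, GOOD_FILES) for _ in range(4)]
# A peer on another platform has a different file set and is skipped, as the
# post notes the check cannot be cross-platform.
OTHER_PLATFORM = build_manifest(VERSION, "windows-x86_64",
                                {"wallet-client.exe": b"exe (constructed)"})

# Case 1: my files match what the rest of the network reports.
CLEAN_RESULT = cross_check(build_manifest(VERSION, PLATFORM, GOOD_FILES),
                           HONEST_PEERS + [OTHER_PLATFORM])

# Case 2: my ECDSA library differs from the majority, so I should get the warning.
TAMPERED_FILES = {**GOOD_FILES,
                  "lib/libecdsa.so": b"ecdsa library with unexpected bytes (constructed)"}
TAMPERED_RESULT = cross_check(build_manifest(VERSION, PLATFORM, TAMPERED_FILES),
                              HONEST_PEERS + [OTHER_PLATFORM])

if __name__ == "__main__":
    print("clean node:", CLEAN_RESULT)
    print("divergent node:", TAMPERED_RESULT)
```

The fingerprint is a digest over the sorted (path, digest) list, so a peer can decide "same files or not" from one value and only needs the full manifest when it is in the minority. The check inherits the weakness the post itself points at: if the majority of comparable peers run the same compromised build, the minority node with the clean build is the one that gets the warning, so this supplements signed releases and reproducible builds rather than replacing them.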
pooya87
January 23, 2015, 03:32:37 PM

> What it seems that you do not understand, or do not want to say, is that: "Even if the manufacturer (https://bitcoin.org/) claims that it runs open-source code, how do you tell whether it is actually running what you compiled?" Verbücheln said. In other words: MANY developers worldwide are working in their free time on a project, in this case, Bitcoin. That's why it's called OPEN SOURCE. These developers can put anything they want INTO the source code: "... that some pieces of open-source code are so large and complex that even a dedicated community of developers may not detect a malicious addition." So, COLD storage can be easily hacked.

This is true, but at the same time it means that it will become apparent to the community, since a lot of people are checking.
BADecker
January 23, 2015, 03:54:11 PM

> > What it seems that you do not understand, or do not want to say, is that: "Even if the manufacturer (https://bitcoin.org/) claims that it runs open-source code, how do you tell whether it is actually running what you compiled?" Verbücheln said. In other words: MANY developers worldwide are working in their free time on a project, in this case, Bitcoin. That's why it's called OPEN SOURCE. These developers can put anything they want INTO the source code: "... that some pieces of open-source code are so large and complex that even a dedicated community of developers may not detect a malicious addition." So, COLD storage can be easily hacked.
>
> This is true, but at the same time it means that it will become apparent to the community, since a lot of people are checking.

I'm not checking. Are you checking? Maybe the other guy is checking.
Wendigo
January 23, 2015, 03:58:20 PM

I am actually afraid of keyloggers when using online hot wallets because most of the time people use this service.
BADecker
January 23, 2015, 04:16:56 PM

> I am actually afraid of keyloggers when using online hot wallets because most of the time people use this service.

Try Trusteer Rapport - https://www.trusteer.com/ and read about it here: http://www-03.ibm.com/software/products/en/trusteer-rapport. It will bog your computer down, somewhat. And it is not compatible with some firewalls. But if you can work your way around these two problems, it seems to be something that is very valuable. Many banks are trusting it.
mayax (OP)
January 23, 2015, 05:17:11 PM

> > I am actually afraid of keyloggers when using online hot wallets because most of the time people use this service.
>
> Try Trusteer Rapport - https://www.trusteer.com/ and read about it here: http://www-03.ibm.com/software/products/en/trusteer-rapport. It will bog your computer down, somewhat. And it is not compatible with some firewalls. But if you can work your way around these two problems, it seems to be something that is very valuable. Many banks are trusting it.

Yes, the cost is prohibitive for any small-medium company.
freebit13
January 23, 2015, 05:21:22 PM

> I am actually afraid of keyloggers when using online hot wallets because most of the time people use this service.

Then you should use an online wallet service that offers 2FA and get the confirmation code sent to your mobile phone. That way a keylogger won't work unless they steal your phone, and you also have the added extra of getting notified by SMS if someone else logs into your account.