Bitcoin Forum
December 12, 2017, 04:59:43 PM *
Pages: « 1 2 3 4 5 6 7 [8] 9 10 11 »  All
Author Topic: Bitcoin cold storage - HACKED easily  (Read 12347 times)
ABitNut
Hero Member
Activity: 763
January 21, 2015, 04:15:48 AM
 #141

The solution is in the article itself:

Quote
Another counter-measure would be to strictly not use any address more often than once.

Also the following statement in the article is endorsed by Captain Obvious:

Quote
there is only one conclusion to draw from this
problem: Users cannot trust any implementation of ECDSA or Bitcoin, which they cannot fully verify

And "Easily" is very subjective. How easy is it to compromise a cold storage wallet? -> If the answer is easy then you're doing it wrong™.


mayax
Legendary
Activity: 1064
January 21, 2015, 01:04:50 PM
 #142

The solution is in the article itself:

Quote
Another counter-measure would be to strictly not use any address more often than once.

Also the following statement in the article is endorsed by Captain Obvious:

Quote
there is only one conclusion to draw from this
problem: Users cannot trust any implementation of ECDSA or Bitcoin, which they cannot fully verify

And "Easily" is very subjective. How easy is it to compromise a cold storage wallet? -> If the answer is easy then you're doing it wrong™.

the answer is "easy" when you know what you are doing.
ChuckBuck
Hero Member
Activity: 602
January 21, 2015, 01:15:55 PM
 #143

The solution is in the article itself:

Quote
Another counter-measure would be to strictly not use any address more often than once.

Also the following statement in the article is endorsed by Captain Obvious:

Quote
there is only one conclusion to draw from this
problem: Users cannot trust any implementation of ECDSA or Bitcoin, which they cannot fully verify

And "Easily" is very subjective. How easy is it to compromise a cold storage wallet? -> If the answer is easy then you're doing it wrong™.

the answer is "easy" when you know what you are doing.

And who knows how to do this exactly?

And please don't say Stephan Verbücheln, because he's the one that wrote the damn paper.   Cheesy

Please lock this thread.

turvarya
Hero Member
Activity: 714
January 21, 2015, 01:44:39 PM
 #144

The solution is in the article itself:

Quote
Another counter-measure would be to strictly not use any address more often than once.

Also the following statement in the article is endorsed by Captain Obvious:

Quote
there is only one conclusion to draw from this
problem: Users cannot trust any implementation of ECDSA or Bitcoin, which they cannot fully verify

And "Easily" is very subjective. How easy is it to compromise a cold storage wallet? -> If the answer is easy then you're doing it wrong™.

the answer is "easy" when you know what you are doing.
If it is so easy, then explain the steps to get the compromised code in any of the currently used programs. You can pick every program you like.

https://forum.bitcoin.com/
New censorship-free forum by Roger Ver. Try it out.
BillyBobZorton
Legendary
Activity: 1036
January 21, 2015, 02:24:41 PM
 #145

I also read that if you make a paper wallet, despite the keys being embedded in a jpeg, they can still be hacked. And that if you print the wallets, the info is stored in the printer, which can be hacked.

So, the solution seems to be to buy a computer that has never seen the internet, and a printer that has never seen the internet. This is NOT a solution for the main-stream 99% of people. I've given up on computer-based cold storage as I'm not tech-literate enough, but would still like to try paper wallets.


Unbelive
Full Member
Activity: 210
January 21, 2015, 02:55:48 PM
 #146

Every solution has a problem and every problem has a solution.

It will just go on and on. And only progress gains.

jonald_fyookball
Legendary
Activity: 1260
January 21, 2015, 03:07:36 PM
 #147

I also read that if you make a paper wallet, despite the keys being embedded in a jpeg, they can still be hacked. And that if you print the wallets, the info is stored in the printer, which can be hacked.

So, the solution seems to be to buy a computer that has never seen the internet, and a printer that has never seen the internet. This is NOT a solution for the main-stream 99% of people. I've given up on computer-based cold storage as I'm not tech-literate enough, but would still like to try paper wallets.

Agree that it's not mainstream, but it's not THAT hard.
Buy a cheap machine from ebay/craigslist, kill the wifi, and re-install the OS. 

dsattler
Legendary
Activity: 896
January 21, 2015, 04:01:32 PM
 #148

I also read that if you make a paper wallet, despite the keys being embedded in a jpeg, they can still be hacked. And that if you print the wallets, the info is stored in the printer, which can be hacked.

So, the solution seems to be to buy a computer that has never seen the internet, and a printer that has never seen the internet. This is NOT a solution for the main-stream 99% of people. I've given up on computer-based cold storage as I'm not tech-literate enough, but would still like to try paper wallets.

Agree that it's not mainstream, but it's not THAT hard.
Buy a cheap machine from ebay/craigslist, kill the wifi, and re-install the OS. 

Or wait for this:

https://www.indiegogo.com/projects/mycelium-entropy

Bitcointalk member since 2013! Smiley
mayax
Legendary
Activity: 1064
January 21, 2015, 05:56:08 PM
 #149

The solution is in the article itself:

Quote
Another counter-measure would be to strictly not use any address more often than once.

Also the following statement in the article is endorsed by Captain Obvious:

Quote
there is only one conclusion to draw from this
problem: Users cannot trust any implementation of ECDSA or Bitcoin, which they cannot fully verify

And "Easily" is very subjective. How easy is it to compromise a cold storage wallet? -> If the answer is easy then you're doing it wrong™.

the answer is "easy" when you know what you are doing.

And who knows how to do this exactly?

And please don't say Stephan Verbücheln, because he's the one that wrote the damn paper.   Cheesy

Please lock this thread.

many other people know a lot about cryptography. Verbücheln is only one of them. Stay chill, you will find out soon that cold wallets were hacked.
MT gox wallet was hacked too Smiley
turvarya
Hero Member
Activity: 714
January 21, 2015, 07:00:41 PM
 #150

The solution is in the article itself:

Quote
Another counter-measure would be to strictly not use any address more often than once.

Also the following statement in the article is endorsed by Captain Obvious:

Quote
there is only one conclusion to draw from this
problem: Users cannot trust any implementation of ECDSA or Bitcoin, which they cannot fully verify

And "Easily" is very subjective. How easy is it to compromise a cold storage wallet? -> If the answer is easy then you're doing it wrong™.

the answer is "easy" when you know what you are doing.

And who knows how to do this exactly?

And please don't say Stephan Verbücheln, because he's the one that wrote the damn paper.   Cheesy

Please lock this thread.

many other people know a lot about cryptography. Verbücheln is only one of them. Stay chill, you will find out soon that cold wallets were hacked.
MT gox wallet was hacked too Smiley

MtGox cold wallet was just hacked, because Mark accidentally looked at it

https://forum.bitcoin.com/
New censorship-free forum by Roger Ver. Try it out.
thompete
Full Member
Activity: 224
January 21, 2015, 08:09:40 PM
 #151

Why does the title say Hacked Easily ?
I don't think that is the case. Even cold wallets which have not many transactions are rather safe.

Anillos2
Legendary
Activity: 1190
January 21, 2015, 09:04:27 PM
 #152

Your funds are not safe in "cold storage" either. Read:

https://www2.informatik.hu-berlin.de/~verbuech/klepto-ecdsa/klepto-ecdsa.pdf  

or

http://www.coindesk.com/research-hackers-install-backdoor-bitcoin-cold-storage/


many of you said "cold storage is the best". well. it is not. that explains many hacks in Bitcoin which some of the bitcoiners considered to be very safe. Smiley

What's next? Mass withdrawals from Bitcoin. What can you do when you KNOW that your cold storage is exposed to be stolen? You must be stupid to keep your earnings there.

Only few people knew about this exploit. Now, any russian or ukrainian kid will try to hack the cold storages and guess what?! THEY WILL DO IT !    Grin
I don't believe that.

I always create my paperwallets offline and I move the computer mouse in order to get enough entropy.

How could someone know my mouse movements if I type some random letters between moves?

How many paperwallets (with enough entropy) have been stolen?

turvarya
Hero Member
Activity: 714
January 23, 2015, 08:04:32 AM
 #153

Your funds are not safe in "cold storage" either. Read:

https://www2.informatik.hu-berlin.de/~verbuech/klepto-ecdsa/klepto-ecdsa.pdf  

or

http://www.coindesk.com/research-hackers-install-backdoor-bitcoin-cold-storage/


many of you said "cold storage is the best". well. it is not. that explains many hacks in Bitcoin which some of the bitcoiners considered to be very safe. Smiley

What's next? Mass withdrawals from Bitcoin. What can you do when you KNOW that your cold storage is exposed to be stolen? You must be stupid to keep your earnings there.

Only few people knew about this exploit. Now, any russian or ukrainian kid will try to hack the cold storages and guess what?! THEY WILL DO IT !    Grin
I don't believe that.

I always create my paperwallets offline and I move the computer mouse in order to get enough entropy.

How could someone know my mouse movements if I type some random letters between moves?

How many paperwallets (with enough entropy) have been stolen?
The whole thing is just theoretical.
A year ago or so, we got instant payment (so without PIN) via NFC for our bank cards in Austria. There was also a theory about how to route the signal through a smartphone so a thief could pay with his smartphone on the other end.
Also not very likely to execute and a lot of effort for € 25. I just bought a protective cover that blocks the signal (and also protects my card from e.g. a magnetic field) and was done with that.
So, it might be nice, that there are people theorizing about such things, but they don't really work in the real world.

https://forum.bitcoin.com/
New censorship-free forum by Roger Ver. Try it out.
MithrilMan
Hero Member
Activity: 554
January 23, 2015, 10:40:39 AM
 #154

putting the sourcecode of the critical parts of code into blockchain, and let a "smart client" compile it when downloaded, could be a way to secure a client.
a CRC checked compiled version could be used too instead of downloading and compiling (because often code relies on external references)

the trust problem is something real for bitcoin clients, there isn't a perfect solution, even downloading from the official site could be insecure and not decentralized anyway, and people who compile on their machine don't have to assume that since they have compiled then the client is secure, because if they rely on other dependencies (like QT libraries) then they should check that even that dll isn't compromised

i think that a good way to secure clients would be to implement a sanity check between nodes: every client should implement a protocol to find other peers that share the same client (and match the version) so they can cross check that they are using the same version and that every file matches (of course this check couldn't be cross platform, every platform has its own set of files) and if the version doesn't match, then a warning should pop up on the client that has less consensus over the network

I haven't thought yet about details, but I think that this could work, the network should be its own supervisor to keep behaving as decentralized (would be easy to create a service where you upload your client files and it returns if they are fine, but this would be a 3rd party service, so centralized)

Huntercoin: Mithril Edition - Alternative client for Huntercoin - (Discontinued)
HUC: HMSCYGYJ5wo9FiniVU4pXWGUu8E8PSmoHE  - BTC: 1DKLf1QKAZ5njucq37pZhMRG67qXDP3vPC
rant to people who pretend things for free
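
The peer cross-check proposed in the post above, sketched as an added example (not part of the thread and not code from any Bitcoin client). It uses SHA-256 instead of a CRC, because a CRC catches accidental corruption but not deliberate modification; the function names, the sample file names and the strict-majority rule are assumptions made for illustration.

```python
import hashlib
import tempfile
from collections import Counter
from pathlib import Path


def file_manifest(root):
    """Map every file under root (relative path) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def manifest_id(manifest):
    """One digest for the whole install; sorted so walk order does not matter."""
    h = hashlib.sha256()
    for name, digest in sorted(manifest.items()):
        h.update(f"{name}\0{digest}\n".encode())
    return h.hexdigest()


def cross_check(local, peer_manifests):
    """Compare the local manifest with those reported by same-version peers."""
    votes = Counter(manifest_id(m) for m in peer_manifests)
    if not votes:
        return {"status": "no-peers", "differing": []}
    top_id, top_count = votes.most_common(1)[0]
    # Assumption: only a strict majority of peers counts as consensus.
    if top_count * 2 <= len(peer_manifests):
        return {"status": "no-consensus", "differing": []}
    if manifest_id(local) == top_id:
        return {"status": "match", "differing": []}
    majority = next(m for m in peer_manifests if manifest_id(m) == top_id)
    differing = sorted(n for n in set(local) | set(majority)
                       if local.get(n) != majority.get(n))
    return {"status": "warn", "differing": differing}


def demo():
    """Constructed sample: three peers agree, the local signing library differs."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "lib").mkdir()
        (root / "wallet-client").write_bytes(b"client build 1.0\n")
        (root / "lib" / "ecdsa.so").write_bytes(b"signing code\n")
        clean = file_manifest(root)
        (root / "lib" / "ecdsa.so").write_bytes(b"signing code + extra\n")
        tampered = file_manifest(root)
    return (cross_check(clean, [clean, clean, clean]),
            cross_check(tampered, [clean, clean, clean]),
            cross_check(clean, [clean, tampered]))


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Peer reports are taken at face value here, so whoever controls most of the responding peers controls the verdict; the result is a warning signal, not proof of integrity.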
pooya87
Legendary
Activity: 1120
January 23, 2015, 03:32:37 PM
 #155

what it seems that you do not understand or you do not want to say is that:

"Even if the manufacturer (https://bitcoin.org/) claims that it runs open-source code, how do you tell whether it is actually running what you compiled?" Verbücheln said.

in other words: MANY developers worldwide are working in their free time on a project, in this case, Bitcoin. That's why it's called OPEN SOURCE.

These developers can put anything they want INTO  the source code: ".... that some pieces of open-source code are so large and complex that even a dedicated community of developers may not detect a malicious addition."


So, COLD Storage can be easily hacked. Smiley
this is true but at the same time it means that it will become apparent to the community since a lot of people are checking

BADecker
Legendary
Activity: 1512
January 23, 2015, 03:54:11 PM
 #156

what it seems that you do not understand or you do not want to say is that:

"Even if the manufacturer (https://bitcoin.org/) claims that it runs open-source code, how do you tell whether it is actually running what you compiled?" Verbücheln said.

in other words: MANY developers worldwide are working in their free time on a project, in this case, Bitcoin. That's why it's called OPEN SOURCE.

These developers can put anything they want INTO  the source code: ".... that some pieces of open-source code are so large and complex that even a dedicated community of developers may not detect a malicious addition."


So, COLD Storage can be easily hacked. Smiley
this is true but at the same time it means that it will become apparent to the community since a lot of people are checking

I'm not checking. Are you checking? Maybe the other guy is checking.

Smiley
Wendigo
Legendary
Activity: 1498
January 23, 2015, 03:58:20 PM
 #157

I am actually afraid of keyloggers when using online hot wallets because most of the time people use this service.

BADecker
Legendary
Activity: 1512
January 23, 2015, 04:16:56 PM
 #158

I am actually afraid of keyloggers when using online hot wallets because most of the time people use this service.

Try Trusteer Rapport - https://www.trusteer.com/ and read about it here http://www-03.ibm.com/software/products/en/trusteer-rapport.  It will bog your computer down, somewhat. And it is not compatible with some firewalls. But if you can work your way around these two problems, it seems to be something that is very valuable. Many banks are trusting it.

Smiley
mayax
Legendary
Activity: 1064
January 23, 2015, 05:17:11 PM
 #159

I am actually afraid of keyloggers when using online hot wallets because most of the time people use this service.

Try Trusteer Rapport - https://www.trusteer.com/ and read about it here http://www-03.ibm.com/software/products/en/trusteer-rapport.  It will bog your computer down, somewhat. And it is not compatible with some firewalls. But if you can work your way around these two problems, it seems to be something that is very valuable. Many banks are trusting it.

Smiley

Yes, the cost is prohibitive for any small-medium company Smiley
freebit13
Hero Member
Activity: 546
January 23, 2015, 05:21:22 PM
 #160

I am actually afraid of keyloggers when using online hot wallets because most of the time people use this service.
Then you should use an online wallet service that offers 2FA and get the confirmation code sent to your mobile phone. That way a keylogger won't work unless they steal your phone and you also have the added extra of getting notified by sms if someone else logs into your account.

Decentralize EVERYTHING!