Bitcoin Forum
Author Topic: Bitcoin cold storage - HACKED easily  (Read 12056 times)
qwk
January 16, 2015, 02:30:14 PM
 #21

What it seems you do not understand, or do not want to say, is this:
[...]
These developers can put anything they want INTO the source code: "... that some pieces of open-source code are so large and complex that even a dedicated community of developers may not detect a malicious addition."
So, COLD Storage can be easily hacked.
You seem to have little to zero experience with large collaborative software projects.
The specific attack we're talking about would require changing the code of a subroutine that's probably not been touched for years, since it's basically part of the fundamental core of the system.
With version control systems, such things don't go unnoticed.

It's like waving a red flag with the words "hey, I'm going to do something incredibly stupid and/or important" and hoping no one will notice.

Meuh6879
January 16, 2015, 02:30:29 PM
 #22

These developers can put anything they want INTO the source code: "... that some pieces of open-source code are so large and complex that even a dedicated community of developers may not detect a malicious addition."

False, very false... we have a revision display system to view only the added code (followed by the name of the author and their reputation).
And even with this, contributions are not allowed to be "easily added" to Bitcoin Core.
ebliever
January 16, 2015, 02:30:37 PM
 #23

What it seems you do not understand, or do not want to say, is this:

"Even if the manufacturer (https://bitcoin.org/) claims that it runs open-source code, how do you tell whether it is actually running what you compiled?" Verbücheln said.

In other words: MANY developers worldwide are working in their free time on a project, in this case Bitcoin. That's why it's called OPEN SOURCE.

These developers can put anything they want INTO the source code: "... that some pieces of open-source code are so large and complex that even a dedicated community of developers may not detect a malicious addition."

So, COLD Storage can be easily hacked.

You don't seem to understand that the hack has to be performed on the software the Bitcoin user uses to generate private keys. It can't be done after the fact. So you are entirely wrong and sensationalist in claiming that everyone's cold wallets are at risk. They are only at risk if they did in fact create their wallet using a criminal's hacked code. This is a risk, but not in the way you are shouting.

ebliever
January 16, 2015, 02:33:38 PM
 #24

What if your base OS is compromised and you use a live CD whilst being offline to store the coins... can this make you unsafe?

The only risk from what I see in the article is that if you use software to originally set up your wallet that actually originated from a criminal trying to steal your coins with this method, they could steal any coins you subsequently deposit.

They cannot hack a wallet that is secure. They can only put a backdoor in it when it was first created. And only if you use software that is not open-source and vetted by anyone besides the criminal.

Flashman
January 16, 2015, 02:34:06 PM
 #25

I'm shocked and horrified, next you'll be telling me that opening stuff in my spam folder "Your friend Joe, attachment:Photo.exe" isn't safe.

Then, oh horrors of the slippery slope, next they'll say that if I leave my front door open just a very small crack, I'll get random strangers taking my stuff. Where does it all end?

mayax
January 16, 2015, 02:36:08 PM
 #26

What it seems you do not understand, or do not want to say, is this:

"Even if the manufacturer (https://bitcoin.org/) claims that it runs open-source code, how do you tell whether it is actually running what you compiled?" Verbücheln said.

In other words: MANY developers worldwide are working in their free time on a project, in this case Bitcoin. That's why it's called OPEN SOURCE.

These developers can put anything they want INTO the source code: "... that some pieces of open-source code are so large and complex that even a dedicated community of developers may not detect a malicious addition."

So, COLD Storage can be easily hacked.

That is true for any open source project, even the Linux kernel.

TRUE. Also, remember the Heartbleed bug and the vulnerability in the "bash" shell for Linux and Unix, Shellshock.
Rich Tsunami
January 16, 2015, 02:37:01 PM
 #27

This is so obvious... of course, if someone has modified the code of a wallet and you downloaded it without verifying where it came from and whether it's actually safe by checking its PGP, then you are going to lose your coins. That's pretty obvious... that's why you always make sure the checksum or PGP is exact.
mayax
January 16, 2015, 02:37:47 PM
 #28

What if your base OS is compromised and you use a live CD whilst being offline to store the coins... can this make you unsafe?

The only risk from what I see in the article is that if you use software to originally set up your wallet that actually originated from a criminal trying to steal your coins with this method, they could steal any coins you subsequently deposit.

They cannot hack a wallet that is secure. They can only put a backdoor in it when it was first created. And only if you use software that is not open-source and vetted by anyone besides the criminal.

Please re-read: "Even if the manufacturer (https://bitcoin.org/) claims that it runs open-source code, how do you tell whether it is actually running what you compiled?"
bornil267645
January 16, 2015, 02:38:48 PM
 #29

I think this theory is only applicable when your next door neighbor is peeping through your window to get a peek at your password or been compromised in that sort of way.

Other than that, cold storage is still the safest bet. I hope so.

RKZ72
January 16, 2015, 02:40:30 PM
 #30

Sorry for being dumb, but if someone has modified the code and you run it on an offline computer, how does the hacker gain your information? How is it sent to him, because there is no internet connection to send the data, or he can't remote control your computer because there's no internet access?
ropbat
January 16, 2015, 02:41:33 PM
 #31

I think OP was trying to scare everyone and people would start panic selling again... nice try, mate.
MrTeal
January 16, 2015, 02:43:43 PM
 #32

What if your base OS is compromised and you use a live CD whilst being offline to store the coins... can this make you unsafe?

The only risk from what I see in the article is that if you use software to originally set up your wallet that actually originated from a criminal trying to steal your coins with this method, they could steal any coins you subsequently deposit.

They cannot hack a wallet that is secure. They can only put a backdoor in it when it was first created. And only if you use software that is not open-source and vetted by anyone besides the criminal.

Please re-read: "Even if the manufacturer (https://bitcoin.org/) claims that it runs open-source code, how do you tell whether it is actually running what you compiled?"
bitcoin.org was added by you. The article was talking about hardware wallets like Trezor or Bitsafe, and that is a valid concern.
If you're concerned about the precompiled binaries on bitcoin.org not matching the source, just compile it yourself.
ebliever
January 16, 2015, 02:43:53 PM
 #33

What if your base OS is compromised and you use a live CD whilst being offline to store the coins... can this make you unsafe?

The only risk from what I see in the article is that if you use software to originally set up your wallet that actually originated from a criminal trying to steal your coins with this method, they could steal any coins you subsequently deposit.

They cannot hack a wallet that is secure. They can only put a backdoor in it when it was first created. And only if you use software that is not open-source and vetted by anyone besides the criminal.

Please re-read: "Even if the manufacturer (https://bitcoin.org/) claims that it runs open-source code, how do you tell whether it is actually running what you compiled?"

And maybe my smartphone has secret code from the CIA that is recording all my conversations and has super-secret hardware that can perform a keystroke log on any computer within 5' of it, so they have access to all my accounts and activities and can haul me off for thinking bad thoughts at any moment. Sometimes you just have to accept that the world is not an absolute locked-down perfect place no matter how hard you try to make it.

It remains the case that the hack can't be performed after the fact, which is what you've been shouting.

SaltyRainbow
January 16, 2015, 02:44:54 PM
 #34

Your funds are not safe in "cold storage" either. Read:

https://www2.informatik.hu-berlin.de/~verbuech/klepto-ecdsa/klepto-ecdsa.pdf  

or

http://www.coindesk.com/research-hackers-install-backdoor-bitcoin-cold-storage/


Many of you said "cold storage is the best". Well, it is not. That explains many hacks in Bitcoin which some of the bitcoiners considered to be very safe.

What's next? Mass withdrawals from Bitcoin. What can you do when you KNOW that your cold storage is exposed to be stolen? You must be stupid to keep your earnings there.

Only a few people knew about this exploit. Now any Russian or Ukrainian kid will try to hack the cold storages, and guess what?! THEY WILL DO IT!

Where do you keep your Bitcoin? Blockchain.info? Cold storage is the safest and always will be.
MrTeal
January 16, 2015, 02:45:47 PM
 #35

What if your base OS is compromised and you use a live CD whilst being offline to store the coins... can this make you unsafe?

The only risk from what I see in the article is that if you use software to originally set up your wallet that actually originated from a criminal trying to steal your coins with this method, they could steal any coins you subsequently deposit.

They cannot hack a wallet that is secure. They can only put a backdoor in it when it was first created. And only if you use software that is not open-source and vetted by anyone besides the criminal.

Please re-read: "Even if the manufacturer (https://bitcoin.org/) claims that it runs open-source code, how do you tell whether it is actually running what you compiled?"

And maybe my smartphone has secret code from the CIA that is recording all my conversations and has super-secret hardware that can perform a keystroke log on any computer within 5' of it, so they have access to all my accounts and activities and can haul me off for thinking bad thoughts at any moment. Sometimes you just have to accept that the world is not an absolute locked-down perfect place no matter how hard you try to make it.

It remains the case that the hack can't be performed after the fact, which is what you've been shouting.
Don't laugh. The whole reason phones have pulse oximeters now isn't for measuring heart rate. It's so that the CIA can track your thoughts. I read it on the internet.
ebliever
January 16, 2015, 02:45:57 PM
 #36

Sorry for being dumb, but if someone has modified the code and you run it on an offline computer, how does the hacker gain your information? How is it sent to him, because there is no internet connection to send the data, or he can't remote control your computer because there's no internet access?

The idea is that you downloaded software from the hacker and use it to generate your wallet. Since he designed it to produce specified outputs, it generates private keys that he can recognize in the blockchain. So it doesn't matter that your cold wallet generating system is offline.

ChuckBuck
January 16, 2015, 02:47:24 PM
 #37

To the OP,

You should change the thread title to Bitcoin cold storage -   HACKED DIFFICULTLY WHERE ATTACKER NEEDS ACCESS TO AIR GAPPED PC OR WALLET AND HAS TO INSTALL BACKDOOR WALLET VERSION ONE COLD WALLET AT A TIME

The original post and title are very misleading, and cause FUD to the Noobs.

Thanks,

Bitcointalk Community


P.S. - You keep saying "the manufacturer" and linking to Bitcoin.org... reread the article, dude. The context is if hardware wallet manufacturers like, say, Trezor or Ledger have the compromised software installed. Not software wallets like Bitcoin Core or Electrum or Armory.

Flashman
January 16, 2015, 02:49:41 PM
 #38

I think OP was trying to scare everyone and people would start panic selling again... nice try, mate.

Yah, he's been in alarm and despair mode for the last week, just trying a little "too" hard now for us to continue to regard him as genuine.

MrTeal
January 16, 2015, 02:53:59 PM
 #39

Ok, back to serious questions to knowledgeable people.

Am I correct in reading that this vector only allows the attacker to determine the private key of an address that has been used to sign a transaction? I.e., if you use all the inputs of an address in the transaction and do not reuse any addresses, even a compromised ECDSA module would only net the attacker your now-empty address.

Of course more broadly one would have to assume that if you're D/Ling a precompiled binary with compromised ECDSA, the key generation module would also be compromised.
qwk
January 16, 2015, 03:04:11 PM
 #40

Am I correct in reading that this vector only allows the attacker to determine the private key of an address that has been used to sign a transaction? I.e., if you use all the inputs of an address in the transaction and do not reuse any addresses, even a compromised ECDSA module would only net the attacker your now-empty address.
Well, the paper isn't really published yet, but as far as I can tell, this seems to be the case.
Honestly, the whole issue is interesting, but not much more.

All it really shows is that you can actually use the transaction signing part of cold storage to get information out of an otherwise sealed system.
Then again, that's more or less Captain Obvious speaking.
