
Topic: airgap wallet not totally safe? (Read 3874 times)

copper member
Activity: 1498
Merit: 1528
No I dont escrow anymore.
January 03, 2015, 12:05:25 PM
#36
To the completeness: https://en.wikipedia.org/wiki/BadBIOS

Quote
BadBIOS is an alleged computer virus reported by network security researcher Dragos Ruiu in October 2013[1] with the power to be transmitted from one device to other across air gaps using ultrasonic communication between a computer's speakers and microphone

No Mic, no problem.
sr. member
Activity: 1120
Merit: 263
Sovryn - 300-500% APY on USDT Deposit
January 03, 2015, 11:20:43 AM
#35
To the completeness: https://en.wikipedia.org/wiki/BadBIOS

Quote
BadBIOS is an alleged computer virus reported by network security researcher Dragos Ruiu in October 2013[1] with the power to be transmitted from one device to other across air gaps using ultrasonic communication between a computer's speakers and microphone
legendary
Activity: 1890
Merit: 1086
Ian Knowles - CIYAM Lead Developer
December 31, 2014, 10:29:18 AM
#34
A QR code just contains *data* (no program) so it is very different to a USB device (that can contain things like autorun programs).

*EDIT* the use of QR codes is "dumb comms" vs. USB which is "smart comms" - when it comes to best security practices the "dumber" the better (audio cables are another approach that has been worked on).

Note that narrowing the comms down to "one channel" (i.e. just cams) is much better than having to deal with multiple potential comms channels.
sr. member
Activity: 366
Merit: 250
December 31, 2014, 10:26:55 AM
#33
Anything you move over to the airgap computer should be through usb stick and then the usb stick essentially smelted.

It would be safer to use QR codes rather than USB devices (due to potential attack vectors) but if you are going to use USB there is no reason to "destroy" the device (the point is to simply not re-use it).


I guess I like to say destroy because then I can't use it on network (or someone else) ever again on purpose or by mistake compromising my whole network. Even if I marked the devices in red it could still happen if a family member, TSA, boogeyman etc gets their hands on it and says "what's this" and plugs it into a computer (which 2014 will be 99% likely on network) now your whole op is compromised because of someone intentional or otherwise.

Additionally I am not quite sure I understand how QR codes keep you safe from malware. Please correct me if I am wrong but computers communicate using the most basic of 1's and 0's. In theory, if the QR code program on each end was malware, it could simply decode the QR data and format it to do whatever corrupt bidding you could fit on a QR code (no idea). I do know that when I was a kid I programmed a basic hard drive delete program. It was so small if I had to guess I could get it into QR format somehow.... could be way off base tho but makes sense in my head at least.

**edit** I guess you're saying that because my airgap computer is snapping photos of the QR codes and the airgap comp never touches the network that there is no way for the airgap comp to transmit back data w/o it generating its own QR code. wireless signal, Lan, IR, etc etc. If that makes sense. Even if they were to encode my private keys into a QR code it could never make it back to the network because the airgap computer physically has no way of talking.
sr. member
Activity: 1120
Merit: 263
Sovryn - 300-500% APY on USDT Deposit
December 30, 2014, 10:48:45 PM
#32
Dear, this beastie shall looks like Stuxnet, it must know that you are air-gapped. It is like attack against nuclear power station. Chance to be infected by such worm while first and last boot of air-gap station is 0.00000000 ... 000001 %

Easiest ways to protect yourself against such worms, DON'T USE Microsoft SOFTWARE. Better to take one of the Linux's LiveCD

Additionally, any device or media connected once to the Air-Gapped Station shall not be used ever. For example, you bring data on DVD 4.0 Gb of blockchain or anything else, this media shall be destroyed, burned, annihilated. In - yes, out - no.

You're missing my point.

The risk of being infected by malware without ever connecting to the Internet = x
The risk of being infected by malware by connecting to the Internet once = x +1


Most malware is not known and Linux is by no means immune. (But I agree, it's a better alternative than Windows)


If "out = no", how will you spend your bitcoins?


I'm talking about media, such as DVD / CD / or usb-device.

You could print your priv_key of cold wallet on the paper with printer.
Further, import it on the connected to the network computer side.
Thereafter, spend your Bitcoins as much faster as it possible!!!!! (((;


This is what called Air-Gap and what called Sneakernet.

See also: Bell–LaPadula model   - Up - yes, Down - no.

In such way, your Air Gapped Station simply can't leak any data to the network.
legendary
Activity: 1890
Merit: 1086
Ian Knowles - CIYAM Lead Developer
December 30, 2014, 10:36:34 PM
#31
Anything you move over to the airgap computer should be through usb stick and then the usb stick essentially smelted.

It would be safer to use QR codes rather than USB devices (due to potential attack vectors) but if you are going to use USB there is no reason to "destroy" the device (the point is to simply not re-use it).
sr. member
Activity: 366
Merit: 250
December 30, 2014, 09:05:20 PM
#30
I believe the problem is not malware infecting your computer through the power cable, but existing malware leaking information through the power cable.

This could be avoided if running the computer off batteries, which are only charged from main when they are disconnected from the computer.

so this is 100% true? Can anyone else verify this?

Also you can never let an airgap computer touch the network. I have no idea why that article says connect to the network as little as possible? You're supposed to never connect. Anything you move over to the airgap computer should be through usb stick and then the usb stick essentially smelted.
legendary
Activity: 1358
Merit: 1001
https://gliph.me/hUF
December 25, 2014, 03:36:39 AM
#29
Dear, this beastie shall looks like Stuxnet, it must know that you are air-gapped. It is like attack against nuclear power station. Chance to be infected by such worm while first and last boot of air-gap station is 0.00000000 ... 000001 %

Easiest ways to protect yourself against such worms, DON'T USE Microsoft SOFTWARE. Better to take one of the Linux's LiveCD

Additionally, any device or media connected once to the Air-Gapped Station shall not be used ever. For example, you bring data on DVD 4.0 Gb of blockchain or anything else, this media shall be destroyed, burned, annihilated. In - yes, out - no.

You're missing my point.

The risk of being infected by malware without ever connecting to the Internet = x
The risk of being infected by malware by connecting to the Internet once = x +1


Most malware is not known and Linux is by no means immune. (But I agree, it's a better alternative than Windows)


If "out = no", how will you spend your bitcoins?
sr. member
Activity: 1120
Merit: 263
Sovryn - 300-500% APY on USDT Deposit
December 25, 2014, 03:14:17 AM
#28
...
His step 1:
Quote
1. When you set up your computer, connect it to the Internet as little as possible.


For bitcoin air-gapping that is already not acceptable. You just don't connect it to the Internet.

He is talking about "set up".

He means, that at the first boot something anyway shall be downloaded from the network.

Which would suck if you picked up a beastie during that process, wouldn't it?

Dear, this beastie shall looks like Stuxnet, it must know that you are air-gapped. It is like attack against nuclear power station. Chance to be infected by such worm while first and last boot of air-gap station is 0.00000000 ... 000001 %

Easiest ways to protect yourself against such worms, DON'T USE Microsoft SOFTWARE. Better to take one of the Linux's LiveCD


Additionally, any device or media connected once to the Air-Gapped Station shall not be used ever. For example, you bring data on DVD 4.0 Gb of blockchain or anything else, this media shall be destroyed, burned, annihilated. In - yes, out - no.
legendary
Activity: 1358
Merit: 1001
https://gliph.me/hUF
December 25, 2014, 02:28:46 AM
#27
...
His step 1:
Quote
1. When you set up your computer, connect it to the Internet as little as possible.


For bitcoin air-gapping that is already not acceptable. You just don't connect it to the Internet.

He is talking about "set up".

He means, that at the first boot something anyway shall be downloaded from the network.

Which would suck if you picked up a beastie during that process, wouldn't it?
sr. member
Activity: 1120
Merit: 263
Sovryn - 300-500% APY on USDT Deposit
December 24, 2014, 07:55:13 PM
#26
...

His step 1:
Quote
1. When you set up your computer, connect it to the Internet as little as possible.


For bitcoin air-gapping that is already not acceptable. You just don't connect it to the Internet.

He is talking about "set up".

He means, that at the first boot something anyway shall be downloaded from the network.
legendary
Activity: 1358
Merit: 1001
https://gliph.me/hUF
December 24, 2014, 10:48:57 AM
#25
There is good post "Schneier on Security" from 2013 year about Air Gaps:

https://www.schneier.com/blog/archives/2013/10/air_gaps.html

Looks like it is still actual. Most of Bitcoin's users could just follow him with their 10 - 20 BTC in cold wallets.

Holder with 1mil$ in BTC probably would like to hardening this way little bit more.

His step 1:
Quote
1. When you set up your computer, connect it to the Internet as little as possible.


For bitcoin air-gapping that is already not acceptable. You just don't connect it to the Internet.
sr. member
Activity: 1120
Merit: 263
Sovryn - 300-500% APY on USDT Deposit
December 24, 2014, 10:11:30 AM
#24
There is good post "Schneier on Security" from 2013 year about Air Gaps:

https://www.schneier.com/blog/archives/2013/10/air_gaps.html

Looks like it is still actual. Most of Bitcoin's users could just follow him with their 10 - 20 BTC in cold wallets.

Holder with 1mil$ in BTC probably would like to hardening this way little bit more.
legendary
Activity: 1358
Merit: 1001
https://gliph.me/hUF
December 24, 2014, 10:09:13 AM
#23
I believe the problem is not malware infecting your computer through the power cable, but existing malware leaking information through the power cable.

This could be avoided if running the computer off batteries, which are only charged from main when they are disconnected from the computer.
hero member
Activity: 533
Merit: 500
^Bitcoin Library of Congress.
December 24, 2014, 10:04:39 AM
#22
I believe the problem is not malware infecting your computer through the power cable, but existing malware leaking information through the power cable.
legendary
Activity: 1358
Merit: 1001
https://gliph.me/hUF
December 24, 2014, 06:55:12 AM
#21

Just because I like it so much I'll leave this here:

Tx signing via minimodem
https://bitcointalksearch.org/topic/tx-signing-via-minimodem-735111

:)
sr. member
Activity: 366
Merit: 250
December 24, 2014, 02:44:22 AM
#20
so will we all be using that special box thingy in the future? lolzzzz(true the plug itself is a sec breach)

anyway whats the deal with security breach through existing wiring? If you charge a battery first and then charge the computer is it still possible for a virus/malware to be in the battery or is that a gap too. thank
hero member
Activity: 900
Merit: 1014
advocate of a cryptographic attack on the globe
December 21, 2014, 04:17:10 PM
#19
The ground pins in that pic will leak data to the local grid.
donator
Activity: 1736
Merit: 1014
Let's talk governance, lipstick, and pigs.
December 21, 2014, 03:48:11 AM
#18


Air Gap can be safe 100% with caution of RF Emanation, i'm talking about GSM and WI-FI.

See, TEMPEST Transient Electromagnetic Pulse Emanation Standard
* en.wikipedia.org Tempest_(codename)

Read this article en.wikipedia.org Air gap (networking)



I would think isolated signature systems for multisig and 2fa would be ample security. Polarized lenses and laser scanners with mirrors might be useful for independently confirming signatures. There's lots of cheap real world tech to play with.
sr. member
Activity: 1120
Merit: 263
Sovryn - 300-500% APY on USDT Deposit
December 21, 2014, 03:35:31 AM
#17


Air Gap can be safe 100% with caution of RF Emanation, i'm talking about GSM and WI-FI.

See, TEMPEST Transient Electromagnetic Pulse Emanation Standard
* en.wikipedia.org Tempest_(codename)

Read this article en.wikipedia.org Air gap (networking)


sr. member
Activity: 366
Merit: 250
December 21, 2014, 01:37:18 AM
#16
i read somewhere airgap can still be compromised?

No system is completely safe.  Even with an air-gapped system it is still possible to transmit data: http://www.bloomberg.com/news/2014-11-19/hackers-can-steal-data-wirelessly-from-pcs-that-aren-t-even-online.html.

yea im pretty sure they can even go in thru existing wiring if they wanted to like a 120/220v jack ryan style.... The question is if you charge your offline computer off a pre-charged battery can the existing wiring virus exist in a battery cell too?
hero member
Activity: 533
Merit: 500
^Bitcoin Library of Congress.
December 20, 2014, 11:22:26 AM
#15
i read somewhere airgap can still be compromised?

No system is completely safe.  Even with an air-gapped system it is still possible to transmit data: http://www.bloomberg.com/news/2014-11-19/hackers-can-steal-data-wirelessly-from-pcs-that-aren-t-even-online.html.
legendary
Activity: 3472
Merit: 4801
December 19, 2014, 04:30:33 PM
#14
- snip -
what is the best way to store bitcoin?

Cold storage.  Find software that you can trust and keep your private keys permanently offline. Generate the addresses/keys on a computer that never has been connected to the internet, is not currently connected to the internet, and never will be connected to the internet.

Some software to consider: Electrum Offline, Armory Offline, Bitcoin Core, bitaddress.org.

Or is it better to spread everything you earn thin so if you get hit in any 1 place you only lose a controlled amount? Like eggs in one basket theory....

If you are unable to determine which software to trust, then you are simply increasing the odds that you will make a bad decision and store some of your bitcoins somewhere unsafe.  If you are able to determine which software to trust, then there isn't much benefit to spreading it all thin.  That's a decision you'll have to make for yourself.

so say you make 10 bitcoin worth 3k. Take 1k dump into portfolio 1k cash and store 1k bitcoin etc...?

Me?  I'd put almost all of it on a paper wallet.  Not sure what you prefer.

With all the scandals and everything i get headaches over security. Then come to find out I lost 0.36 mining funds on blockchain.info..... now blockchain tells me it wasn't them or the hack it was malware on my computer? Jesus so how the heck do I keep my bitcoins safe

Education.  Learn how to properly take responsibility for securing what you own.

or should i just be dumping into every single thing with minimum coin.....

That sounds like a disaster.

Is litecoin or dogecoin storage systems safer?

No.

sr. member
Activity: 366
Merit: 250
December 19, 2014, 04:09:16 PM
#13
so what youre basically claiming is that you will never scam and that your system is totally foolproof?

Sorry - you seem to be having some troubles understanding the conversation as I am not making any such claims whatsoever (and if I did you should assume my account has been hacked and that whoever is pretending to be me is in fact a scammer).

I have told you "no system is foolproof" - so that obviously would include my own system.

Hint - "trust no-one" (which kind of does make it impossible to safely secure your BTC when there is no way to do so without trust).


i'm going to need pictures of your children and pets even goldfish. if i get the gold fish pictures i will trust anyone!

ok but seriously now I understand a little better. You're def right nothing in the world is 100% foolproof. So let me ask this...

what is the best way to store bitcoin? Or is it better to spread everything you earn thin so if you get hit in any 1 place you only lose a controlled amount? Like eggs in one basket theory....

so say you make 10 bitcoin worth 3k. Take 1k dump into portfolio 1k cash and store 1k bitcoin etc...?  With all the scandals and everything i get headaches over security. Then come to find out I lost 0.36 mining funds on blockchain.info..... now blockchain tells me it wasn't them or the hack it was malware on my computer? Jesus so how the heck do I keep my bitcoins safe or should i just be dumping into every single thing with minimum coin.....


Is litecoin or dogecoin storage systems safer? May sound like a dumb question but still should be covered.
legendary
Activity: 3472
Merit: 4801
December 19, 2014, 09:16:51 AM
#12
so what youre basically claiming is that you will never scam and that your system is totally foolproof?

No.

He's claiming that you should ONLY use open source software, and that you should make sure that, at a minimum, it is very well reviewed by experts in the field.  Preferably, the code should be reviewed by an expert that you trust, and better yet you should be an expert and review the code yourself if that is possible.
sr. member
Activity: 467
Merit: 267
December 19, 2014, 07:53:11 AM
#11
To Op, I was replying to your first message.
It's true. Air gap wallets can leak your keys by the way they sign. They can hide a message while forming a valid signature. When you spend some funds, a crafty signature can leak your master key and it can be done in an undetectable way.
A malicious attacker can later get all your funds. It's very powerful with deterministic wallets because even your future funds can be stolen.
legendary
Activity: 1890
Merit: 1086
Ian Knowles - CIYAM Lead Developer
December 19, 2014, 07:44:39 AM
#10
so what youre basically claiming is that you will never scam and that your system is totally foolproof?

Sorry - you seem to be having some troubles understanding the conversation as I am not making any such claims whatsoever (and if I did you should assume my account has been hacked and that whoever is pretending to be me is in fact a scammer).

I have told you "no system is foolproof" - so that obviously would include my own system.

Hint - "trust no-one" (which kind of does make it impossible to safely secure your BTC when there is no way to do so without trust).
sr. member
Activity: 366
Merit: 250
December 19, 2014, 07:37:46 AM
#9
so what youre basically claiming is that you will never scam and that your system is totally foolproof?
legendary
Activity: 1890
Merit: 1086
Ian Knowles - CIYAM Lead Developer
December 19, 2014, 07:30:15 AM
#8
please see above so how is this solution different?

The point you are not getting is that there is no software that you can be sure won't go wrong unless a) you wrote it from scratch (and have a very thorough understanding of ECDSA), or b) you can fully understand every line of source code that someone else wrote before then compiling it yourself on your offline computer.

As I doubt you are capable of either a) or b) then you are simply going to just have to trust someone (no offense intended as at least 99.9999% of people are not capable of this).

The idea of Bitcoin being really "trustless" is actually not a very accurate idea (it depends upon a non-flawed implementation of ECDSA for a start).
sr. member
Activity: 366
Merit: 250
December 19, 2014, 07:16:11 AM
#7
i have no idea what you people are even saying

If the software you are running offline has been compromised it doesn't matter whether you use air-gapped comms or not.


please see above so how is this solution different?
legendary
Activity: 1890
Merit: 1086
Ian Knowles - CIYAM Lead Developer
December 19, 2014, 07:13:28 AM
#6
i have no idea what you people are even saying

If the software you are running offline has been compromised it doesn't matter whether you use air-gapped comms or not.
sr. member
Activity: 366
Merit: 250
December 19, 2014, 07:11:56 AM
#5
i have no idea what you people are even saying its like diff lang

I guess i'm not sure I see how the qr code makes you safe?

i went to the website but it doesn't add up to me at least but then again i know nothing
legendary
Activity: 1890
Merit: 1086
Ian Knowles - CIYAM Lead Developer
December 19, 2014, 06:46:11 AM
#4
Very true - as we have seen recently from the blockchain.info fiasco ECDSA that relies upon *random values* is not such a great idea.
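
An added example, not part of the post above or of any wallet named in this thread: a check the online (watching) computer can run on signatures coming back from the offline signer before broadcasting them, on the assumption that a repeated r value from one signer is the visible symptom of a failed random nonce. The names `SignatureAuditor`, `audit` and `encode_der` are hypothetical and the sample signatures are constructed.

```python
"""Added example: audit DER-encoded ECDSA signatures returned by an offline signer."""

# Order of the secp256k1 group used by Bitcoin; valid r and s lie in [1, N-1].
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def parse_der_signature(sig: bytes) -> tuple:
    """Strictly parse SEQUENCE { INTEGER r, INTEGER s } and return (r, s)."""
    if len(sig) < 8 or sig[0] != 0x30 or sig[1] != len(sig) - 2:
        raise ValueError("not a well-formed DER SEQUENCE")
    pos, values = 2, []
    for _ in range(2):
        if pos + 2 > len(sig) or sig[pos] != 0x02:
            raise ValueError("expected INTEGER tag")
        n = sig[pos + 1]
        body = sig[pos + 2 : pos + 2 + n]
        if n == 0 or len(body) != n:
            raise ValueError("INTEGER length mismatch")
        if body[0] & 0x80:
            raise ValueError("negative INTEGER")
        if n > 1 and body[0] == 0 and not body[1] & 0x80:
            raise ValueError("non-minimal INTEGER encoding")
        values.append(int.from_bytes(body, "big"))
        pos += 2 + n
    if pos != len(sig):
        raise ValueError("trailing bytes after s")
    return values[0], values[1]


class SignatureAuditor:
    """Remembers every r value seen from one signer and flags repeats."""

    def __init__(self):
        self.first_seen = {}  # r -> label of the transaction that first used it

    def check(self, label: str, sig: bytes) -> list:
        r, s = parse_der_signature(sig)
        findings = []
        if not (0 < r < SECP256K1_N and 0 < s < SECP256K1_N):
            findings.append("r or s outside [1, N-1]")
        if r in self.first_seen:
            findings.append(f"r repeated, first seen in {self.first_seen[r]}")
        else:
            self.first_seen[r] = label
        return findings


def encode_der(r: int, s: int) -> bytes:
    """Helper used only to build the constructed samples below."""
    def integer(v):
        raw = v.to_bytes((v.bit_length() + 8) // 8, "big")  # leading 0x00 keeps it positive
        return b"\x02" + bytes([len(raw)]) + raw
    body = integer(r) + integer(s)
    return b"\x30" + bytes([len(body)]) + body


# Constructed sample values, not taken from any real transaction.
R_A, R_B = int("a1" * 32, 16), int("5c" * 32, 16)
SAMPLES = [
    ("tx1", encode_der(R_A, int("13" * 32, 16))),
    ("tx2", encode_der(R_B, int("27" * 32, 16))),
    ("tx3", encode_der(R_A, int("3b" * 32, 16))),  # same r as tx1
]


def audit(samples):
    """Return {label: findings}; an empty list means nothing was flagged."""
    auditor = SignatureAuditor()
    return {label: auditor.check(label, sig) for label, sig in samples}


if __name__ == "__main__":
    for label, findings in audit(SAMPLES).items():
        print(label, "HOLD: " + "; ".join(findings) if findings else "ok")
```

This check only catches nonces that repeat; it does not detect a signer that hides data in nonces that never repeat.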
sr. member
Activity: 467
Merit: 267
December 19, 2014, 03:32:59 AM
#3
A modified signing code can leak all your data onto the blockchain - airgap wallet or not. I can do it in 2 signatures but it could be lower. So check that your download hasn't been tampered with.
legendary
Activity: 1890
Merit: 1086
Ian Knowles - CIYAM Lead Developer
December 19, 2014, 01:53:00 AM
#2
The CIYAM Safe (https://susestudio.com/a/kp8B3G/ciyam-safe) is designed to work with QR codes and cameras to provide 100% air-gapped safety.

Bear in mind this doesn't have the ease of an offline *wallet* or a device like a Trezor but assuming you have disabled all network connectivity in the offline computer it is arguably more secure.

I wouldn't go as far as saying it is "totally safe" though as you would next need to start thinking about things like Faraday cages to protect your offline computer from being spied upon through signal detection as well as any cameras you are unaware of being able to see over your shoulder, etc.

sr. member
Activity: 366
Merit: 250
December 19, 2014, 01:42:03 AM
#1
i read somewhere airgap can still be compromised? is this even thru. i would imagine if you removed all network cards and ir ports on old computer to create true airgap you would be safe? then anything you wanted to put on there would have to be usb then smelt the usb and never let it touch the network again...

seems secure to me outside of smelting the laptop itself after you make 1000's of btc addresses....
