Topic: ALL of my bitcoins stolen (Around 60) . What the F*CK. - page 3. (Read 16780 times)

This site would have to be American ran, and willing to fight a NASTY fight with Paypal. Right now the community is divided. We can't seem to get anything off the ground here  . Who the hells motivated to make new currency solutions when they see informational forums getting hacked, where there's virtually 0 money to be gained. I don't get people.. I really don't SMH.

Does your Windows 7 have the latest updates.

Is it genuine ?

Do you have a strong account password.

What kind of Security are you running?

Please let me know everything in detail.

The future of Bitcoin for the masses will be online wallet services like mybitcoin.com IMHO.
Not only because of security, but also because running a bitcoind instance will be a major resource hog once Bitcoin goes mainstream.

I really wouldn't recommend any non-geek to even download the client...

I also want to add to my last post that this is only a way to prevent getting robbed from alot of bitcoins.
If you do not secure your computer by scanning before you send then you will take the risk there will be a trojan on your computer that is gonna compromise your wallet.dat

To send you need to connect to the Bitcoin network, what opens the gate to the internet.
And not always the gatekeeper (anti-virus software) can keep out these trojans.

So right now the only way to prevent getting robbed big time is just by backing up your big wallets and putting them offline.
Just create  a small account with a couple of BTC wich you can use to spend or send.

Honestly, this is exactly why I stopped developing a site called Bitcoin For Beginners ... it turns out it really isn't. I wrote a lot until I realized it is basically an impossible task to leverage clarity and completeness needed to understand and use this shit securely with the brevity and simplicity expected in a tutorial to get someone's feet wet. It actually felt like an ethical dilemma so I just opted to stop development entirely.

I found I wanted to just recommend an online wallet only, but that would have to come with a long disclaimer about trusting a third party to A) Not get broken into and pillaged and B) Not be scumbag thieves themselves.

From the leaked data that's floating around, I know your email address is d***n_kn*t**n@*****.com and your password is p*nd*ra.


I hope you didn't use the same redundant info for something like dwolla or paypal.

Regarding the namecoin connection, did either of you who lost coins but also used a namecoin client try any of the 'Namecoin GUI' programs that people posted about in some of the forums? At least one was a trojan of some sort IIRC. Note that these GUI programs weren't namecoin official programs, they were developed and distributed by third party forum members.

Hey you should really use this cool new currency, Granny.  All you have to do is buy a new computer -- heck, just throw it together from cheapo parts on newegg, it's not like you're going to be gaming on it -- install linux, along with the bitcoin client, all from a single boot cd -- right, you need to make this first, dont' connect to the internet from your new machine, use the old virus-infected one -- find, encrypt (just use truecrypt, granny) and backup your wallet.dat file to multiple media and, through your regular machine -- not the new one, keep it pristine! -- upload to the cloud, go the blockchain explorer to see you're getting your deposits, and if you ever want to access those funds, just boot your new machine -- don't use it for anything else! -- decrypt and reload your saved wallet file, run the client just long enough to send your other, totally vulnerable, spending account some BTC, and... use that account to make purchases on the interwebs!

See? Bitcoin security is simple and totally convenient.  Money has basically never been so easy.  

if any secure password or pad 'lives in memory', well thats fail right there.

It should only be stored in memory for the fraction of a second that its needed.

Further, different languages have best practices to store such values, for example in java store this data as a byte[] rather than String so that you can fill it out with rubbish onced used without waiting for the GC, which may never happen.

You can also do alot of other stuff to make memory dumps harder.

The reason why we focus here, as WELL as on protecting your os from trojans, is because its more efficient to put this stuff in the client. E.g., a safer client makes it safer for everyone, while a safer os only makes it safer for one person. everyone > one person. Its more efficient security.

The crypto pad will have to remain in memory so the bitcoin client can use it to decrypt the wallet.  Again, the trojan can get the wallet from memory after decryption by the bitcoin client or it can get the crypto pad from memory and use it decrypt the wallet itself.

Similar strategies to defeat other two-factor authentication methods.  If there's a malicious piece of software on the OS, you've already lost the war. 

Spend the energy keeping trojans from getting in your base in the first place.

Dang. How about if when the bitcoin client boots up for the first time it gives you the option to print out a crypto pad. This is akin to a cheap form of two factor authentication. Each crypto pad is of course different.

I like how one of the others current posts on here is "...secure bitcoin savings account in 14 easy steps".

LOL

I only need 7 steps to unlimited financial wealth: http://7stepstounlimitedwealth.com/

http://forum.bitcoin.org/index.php?topic=18238.msg256221#msg256221

+

http://forum.bitcoin.org/index.php?topic=18238.msg259458#msg259458

= Not getting robbed.

Yes, well said. These wallet thefts are plain trivial to code for a hacker so that's why they are happening.

It may only be because it's a really early build, but this archive does not contain the same files as the archive on dot-bit.org.

None of this can help.  Trojans can take screenshots at every mouse click so it knows what the password is because it knows where you clicked.  This is already a standard feature in bank theft trojans.

Hmm, what if the layout changed every 5 seconds or some predetermined time. It would make it a pain in the ass to input your password but hey it's worth it.

The thief should be smarter than that.  Or he wants everyone to know just how many he stole.

Another thing to consider is that the windows 7 iso torrent you downloaded years ago was pre-infected with a trojan.  Later, the author repurposes it remotely to scan for bitcoin wallets.  When the new client is released that supports wallet encryption, the trojan author will update it to keylog the encryption password for your wallet.  That's why an encrypted wallet really won't help much.

If the windows iso wasn't pre-infected with a trojan, you could have been infected in any number of ways (binary downloads, pdf, java or browser (IE) exploits, remote exploits).  And again, old and dormant trojans can be updated later by its controller to nab bitcoin wallets.

Anti-virus programs won't help much either.  Anti-virus programs will only detect known viruses/trojans, not new ones and new variants.  The trojan authors were already winning the arms race.  I warned back in May that it would only get worse when the Zeus trojan source code was leaked.  AV companies simply won't be able to keep up.

Using an OS besides windows can help but is far from a guarantee.  The only guarantee is a properly prepared offline wallet.  Create a new wallet and address on an offline and clean computer.  You don't need to be connected to the bitcoin network or even online to generate a wallet and an address.  Save your new address to a text file on a USB.  Back up the wallet file to a different USB.  You can safely back up the new "offline" wallet online too, if its encrypted and the encryption password is safe and secure somewhere else.  That way if you lose the USB or the house burns down there's a second backup copy in the cloud.

Now you have your offline wallet backed up and you have the offline wallet address in a text file.  Send your bitcoins to the offline address.  Send them from your current wallet or withdraw them from the exchange.  Check the address in block explorer to verify the bitcoins are there.  Now that bitcoin is safe in your offline wallet.

edit:  Don't forget to reformat the clean, offline computer.  You don't want forgotten extra copies of your offline wallet sitting around.

While it is true that at some point the data in the wallet needs to be decrypted in memory the level of security are orders of magnitude higher.
To start with it is much easier to copy a file with a known name and location from your file system than decrypting it, *only in the instant that it is needed which is only while signing a transaction" in an unknown memory location.
Then you have segmented memory protection which keeps memory segments isolated to the process that owns it.

Any existing Trojan or virus can easily be upgraded to copy the wallet.dat file from a know location and transfer it elsewhere, but copying decrypted keys from a memory location within thew time frame they exist is a none trivial task.

Wallet Encryption will add much more security if it is done right.