Bitcoin cold storage - HACKED easily - page 9.

Flashman

hero member

Activity: 518

Merit: 500

Hodl!

Quote from: MrTeal on January 16, 2015, 09:53:59 AM

Of course more broadly one would have to assume that if you're D/Ling a precompiled binary with compromised ECDSA, the key generation module would also be compromised.

If you're D/Ling compromised binaries period, your Nest thermostat is going to kill you from hypothermia in your sleep, or your cellphone is deliberately trying to give you brain cancer by going full power on all radios any time you pick it up, and so on.

freequant

hero member

Activity: 770

Merit: 500

Title is wrong and FUD'y: it should read "compromised bitcoin client coldstorage hacked easily". This is a complete non-news, it was already possible to do the same thing by using a custom random generator that would generate numbers in a reduced subset of the integer space.

qwk

donator

Activity: 3542

Merit: 3413

Shitcoin Minimalist

Quote from: MrTeal on January 16, 2015, 09:53:59 AM

Am I correct in reading that this vector only allow the attacker to determine the private key of an address that has been used to sign a transaction? IE, if you use all the inputs of an address in the transaction and not reusing any addresses even a compromised ECDSA module would only net the attacker your now empty address.

Well, the paper isn't really published yet, but as far as I can tell, this seems to be the case.
Honestly, the whole issue is interesting, but not much more.

All it really shows is that you can actually use the transaction signing part of cold storage to get information out of an otherwise sealed system.
Then again, that's more or less Captain Obvious speaking Wink

MrTeal

legendary

Activity: 1274

Merit: 1004

Ok, back to serious questions to knowledgeable people.

Am I correct in reading that this vector only allow the attacker to determine the private key of an address that has been used to sign a transaction? IE, if you use all the inputs of an address in the transaction and not reusing any addresses even a compromised ECDSA module would only net the attacker your now empty address.

Of course more broadly one would have to assume that if you're D/Ling a precompiled binary with compromised ECDSA, the key generation module would also be compromised.

Flashman

hero member

Activity: 518

Merit: 500

Hodl!

Quote from: ropbat on January 16, 2015, 09:41:33 AM

I think op was trying to scare everyone and people would start panic selling again..nice try mate.

Yah, he's been in alarm and despair mode for the last week, just trying a little "too" hard now for us to continue to regard him as genuine.

ChuckBuck

hero member

Activity: 1372

Merit: 783

better everyday ♥

To the OP,

You should change the thread title to Bitcoin cold storage - HACKED DIFFICULTLY WHERE ATTACKER NEEDS ACCESS TO AIR GAPPED PC OR WALLET AND HAS TO INSTALL BACKDOOR WALLET VERSION ONE COLD WALLET AT A TIME

The original post and title very misleading, and causes FUD to the Noobs.

Thanks,

Bitcointalk Community

P.S. - You keep saying the manufacturer and link to Bitcoin.org....reread the article, dude. The context is if hardware wallet manufacturers like say Trezor or Ledger have the compromised software installed. Not software wallets like Bitcoin Core or Electrum or Armory.

ebliever

legendary

Activity: 1708

Merit: 1036

Quote from: RKZ72 on January 16, 2015, 09:40:30 AM

sorry for being dumb but if someone has modifed the code and you run it in a offline computer how does the hacker gain your information? how is it sent to him becase there is no internet connection to send the data or he cant remote control your computer because theres no internet access.

The idea is that you downloaded software from the hacker and use it to generate your wallet. Since he designed it to produce specified outputs, it generates private keys that he can recognize in the blockchain. So it doesn't matter that your cold wallet generating system is offline.

MrTeal

legendary

Activity: 1274

Merit: 1004

Quote from: ebliever on January 16, 2015, 09:43:53 AM

Quote from: mayax on January 16, 2015, 09:37:47 AM

Quote from: ebliever on January 16, 2015, 09:33:38 AM

Quote from: RainVein on January 16, 2015, 09:29:28 AM

What if your base os is compromised and you use a livecd whilst being offline to store the coins.....can this make you unsafe?

The only risk from what I see in the article is that if you use software to originally set up your wallet that actually originated from a criminal trying to steal your coins with this method, they could steal any coins you subsequently deposit.

They cannot hack a wallet that is secure. They can only put a backdoor in it when it was first created. And only if you use software that is not open-source and vetted by anyone besides the criminal.

Please re-read : "Even if the manufacturer (https://bitcoin.org/) claims that it runs open-source code, how do you tell whether it is actually running what you compiled?"

And maybe my smartphone has secret code from the CIA that is recording all my conversations and has super-secret hardware that can perform a keystroke log on any computer within 5' of it, so they have access to all my accounts and activities and can haul me off for thinking bad thoughts at any moment. Sometimes you just have to accept that the world is not an absolute locked-down perfect place no matter how hard you try to make it.

It remains the case that the hack can't be performed after the fact, which is what you've been shouting.

Don't laugh. The whole reason phones have pulse oximeters now isn't for measuring heartrate. It's so that the CIA can track your thoughts. I read it on the internet.

SaltyRainbow

newbie

Activity: 2

Merit: 0

Quote from: mayax on January 16, 2015, 08:20:11 AM

Your funds are not safe neither in "cold storage". Read:

https://www2.informatik.hu-berlin.de/~verbuech/klepto-ecdsa/klepto-ecdsa.pdf

or

http://www.coindesk.com/research-hackers-install-backdoor-bitcoin-cold-storage/

many of you said "cold storage is the best". well. it is not. that explains many hacks in Bitcoin which some of the bitcoiners considered to be very safe.

What's next? Mass withdrawals from Bitcoin. What can you do when you KNOW that your cold storage is exposed to be stolen? You must be stupid to keep your earnings there.

Only few people knew about this exploit. Now, any russian or ukrainian kid will try to hack the cold storages and guess what?! THEY WILL DO IT ! Grin

Where do you keep your Bitcoin? Blockchain.info? Cold storage is the safest and always will be.

ebliever

legendary

Activity: 1708

Merit: 1036

Quote from: mayax on January 16, 2015, 09:37:47 AM

Quote from: ebliever on January 16, 2015, 09:33:38 AM

Quote from: RainVein on January 16, 2015, 09:29:28 AM

What if your base os is compromised and you use a livecd whilst being offline to store the coins.....can this make you unsafe?

The only risk from what I see in the article is that if you use software to originally set up your wallet that actually originated from a criminal trying to steal your coins with this method, they could steal any coins you subsequently deposit.

They cannot hack a wallet that is secure. They can only put a backdoor in it when it was first created. And only if you use software that is not open-source and vetted by anyone besides the criminal.

Please re-read : "Even if the manufacturer (https://bitcoin.org/) claims that it runs open-source code, how do you tell whether it is actually running what you compiled?"

And maybe my smartphone has secret code from the CIA that is recording all my conversations and has super-secret hardware that can perform a keystroke log on any computer within 5' of it, so they have access to all my accounts and activities and can haul me off for thinking bad thoughts at any moment. Sometimes you just have to accept that the world is not an absolute locked-down perfect place no matter how hard you try to make it.

It remains the case that the hack can't be performed after the fact, which is what you've been shouting.

MrTeal

legendary

Activity: 1274

Merit: 1004

Quote from: mayax on January 16, 2015, 09:37:47 AM

Quote from: ebliever on January 16, 2015, 09:33:38 AM

Quote from: RainVein on January 16, 2015, 09:29:28 AM

What if your base os is compromised and you use a livecd whilst being offline to store the coins.....can this make you unsafe?

The only risk from what I see in the article is that if you use software to originally set up your wallet that actually originated from a criminal trying to steal your coins with this method, they could steal any coins you subsequently deposit.

They cannot hack a wallet that is secure. They can only put a backdoor in it when it was first created. And only if you use software that is not open-source and vetted by anyone besides the criminal.

Please re-read : "Even if the manufacturer (https://bitcoin.org/) claims that it runs open-source code, how do you tell whether it is actually running what you compiled?"

bitcoin.org is added by you. The article was talking about hardware wallets like Trezor or Bitsafe, and that is a valid concern.
If you're concerned about the precompiled binaries on bitcoin.org not matching the source, just compile it yourself.

ropbat

newbie

Activity: 16

Merit: 0

I think op was trying to scare everyone and people would start panic selling again..nice try mate.

RKZ72

newbie

Activity: 15

Merit: 0

sorry for being dumb but if someone has modifed the code and you run it in a offline computer how does the hacker gain your information? how is it sent to him becase there is no internet connection to send the data or he cant remote control your computer because theres no internet access.

bornil267645

sr. member

Activity: 406

Merit: 250

AltoCenter.com

I think this theory is only applicable when your next door neighbor is peeping through your window to get a peek at your password or been compromised in that sort of way.

other than that, cold storage is still the safest bet. I hope so.

mayax

legendary

Activity: 1470

Merit: 1004

Quote from: ebliever on January 16, 2015, 09:33:38 AM

Quote from: RainVein on January 16, 2015, 09:29:28 AM

What if your base os is compromised and you use a livecd whilst being offline to store the coins.....can this make you unsafe?

The only risk from what I see in the article is that if you use software to originally set up your wallet that actually originated from a criminal trying to steal your coins with this method, they could steal any coins you subsequently deposit.

They cannot hack a wallet that is secure. They can only put a backdoor in it when it was first created. And only if you use software that is not open-source and vetted by anyone besides the criminal.

Please re-read : "Even if the manufacturer (https://bitcoin.org/) claims that it runs open-source code, how do you tell whether it is actually running what you compiled?"

Rich Tsunami

newbie

Activity: 2

Merit: 0

This is so obvious...of course if someone has modified the code of a wallet and you downloaed it without verfiying where it came from and if its actually safe by checking its pgp then you are going to lose your coins thats pretty obvious...thats why you always make sure the check sum or pgp is exact.

mayax

legendary

Activity: 1470

Merit: 1004

Quote from: R2D221 on January 16, 2015, 09:26:33 AM

Quote from: mayax on January 16, 2015, 09:23:56 AM

what you it seems that you do not understand or you do not want to say is that :

"Even if the manufacturer (https://bitcoin.org/) claims that it runs open-source code, how do you tell whether it is actually running what you compiled?" Verbücheln said.

with other words: MANY developers worldwide are working in their free time to a project, in this case, Bitcoin. That's why it's called OPEN SOURCE.

These developers can put anything they want INTO the source code: ".... that some pieces of open-source code are so large and complex that even a dedicated community of developers may not detect a malicious addition."

So, COLD Storage can be easily hacked.

That is true for any open source project, even the Linux kernel.

TRUE. Also, remember Heartbleed bug and the vulnerability in the "bash" shell for Linux and Unix, Shellshock

Flashman

hero member

Activity: 518

Merit: 500

Hodl!

I'm shocked and horrified, next you'll be telling me that opening stuff in my spam folder "Your friend Joe, attachment:Photo.exe" isn't safe.

Then, oh horrors of the slippery slope, next they'll say that if I leave my front door open just a very small crack, I'll get random strangers taking my stuff, where does it all end? Huh

ebliever

legendary

Activity: 1708

Merit: 1036

Quote from: RainVein on January 16, 2015, 09:29:28 AM

What if your base os is compromised and you use a livecd whilst being offline to store the coins.....can this make you unsafe?

The only risk from what I see in the article is that if you use software to originally set up your wallet that actually originated from a criminal trying to steal your coins with this method, they could steal any coins you subsequently deposit.

They cannot hack a wallet that is secure. They can only put a backdoor in it when it was first created. And only if you use software that is not open-source and vetted by anyone besides the criminal.

ebliever

legendary

Activity: 1708

Merit: 1036

Quote from: mayax on January 16, 2015, 09:23:56 AM

what you it seems that you do not understand or you do not want to say is that :

"Even if the manufacturer (https://bitcoin.org/) claims that it runs open-source code, how do you tell whether it is actually running what you compiled?" Verbücheln said.

with other words: MANY developers worldwide are working in their free time to a project, in this case, Bitcoin. That's why it's called OPEN SOURCE.

These developers can put anything they want INTO the source code: ".... that some pieces of open-source code are so large and complex that even a dedicated community of developers may not detect a malicious addition."

So, COLD Storage can be easily hacked.

You don't seem to understand that the hack has to be performed on the software the Bitcoin user uses to generate private keys. It can't be done after the fact. So you are entirely wrong and sensationalist in claiming that everyone's cold wallets are at risk. They are only at risk if they did in fact create their wallet using a criminal's hacked code. This is a risk, but not in the way you are shouting.

Topic: Bitcoin cold storage - HACKED easily - page 9. (Read 12634 times)