Author

Topic: Bitcoin Enthusiasts, We Need to Have a Serious Discussion about Malware (Read 1608 times)

legendary
Activity: 1512
Merit: 1049
Death to enemies!
Quote
In the summer of 2011, when a Mt Gox user's account was hacked and coins stolen
The user was not hacked, the Mt.Goatse itself was hacked.
Quote
the result was that trust was lost in Bitcoin itself, plummeting the value
The result was that bitcoin price bubble bursted and speculators did run for the money. They did not trust Bitcoin in first place.
Quote
the message heard by many was that the currency was not to be trusted
The retards will listen to anything and not do research themselves. What message they listens is irrelevant.
Quote
value and distribution of Bitcoin increases, so does the incentive for evil and theft
Not true. People will steal bitcoins even if they cost pennies. And also will steal copy the naked pictures from girl computers even if they have no monetary value. And the theft are not purely evil. I call it redistribution of bitcoins. I also want some share!
Quote
An encrypted wallet, stored on a computer connected to the internet, is not safe from a rootkit or a keylogger deployed through bundled malware distributed through an exploited website.
There are many diverse ways to distribute malware but You got it right! Encrypted wallets are not safe if computer is infected with malware.
Quote
A patient and malicious actor can ultimately do much more to destroy Bitcoin than even a corrupt overreaching government, or a client based software bug can
Totally wrong. It does not make sense at all.
Quote
If funds are stolen from a large enough percentage of the user base, we might as well pull the plug on this whole experiment, because the trust will never be repaired. Never.
Try to steal the funds from me or Gavin or any other technically and security savvy person. And even if half of current users lose the coins by theft, the other users will continue to use bitcoins unaffected. I will laugh at them and will trust bitcoins even more, because the attack would be done by exploiting some security weakness in other parts of system, not the bitcoin itself.
Quote
The message we are sending to new Bitcoin users is that they should not trust web based wallets with more than a small percentage of their funds
The message was around here for years, even when MyBitcoin and BitcoinLaundry were operational.
Quote
coupled with the fact that most people do not have an extra computer that can be permanently left offline, means that right now there is NO good solution for MOST users
Is not that the users fault? Where did the Pentium3s and AMD Duron (Spitfire) computers gone? Because most people in capitalistic consumer society think it is cool to destroy old but perfectly working equipment, now they need to BUY more junk computers such as netbooks to fill role that older systems are perfectly capable of.
Quote
Bitcoin desperately needs a trusted bootable operating system that can serve as a better cold storage for a majority of its users
Any operating system that have full disc encryption can be trusted to run on network disconnected computer for offline wallet purposes.
Quote
And needs this distribution to be extremely user friendly and robust. I don't personally have experience in creating a customized linux distribution, but I'd like to work with people who do, so that this need can be filled.
"User friendly" and "live Linux distribution" does not mix together. Also the computer must be disconnected from network to be 100% sure it cannot be tampered even when booting liveCD. And even then it will not help if the user is socially engineered to run commands by someone else. As with linux distros there will be more googling for crappy or malicious advice than with windows, there will come greater chance of socially engineering.
Quote
To the people placing their trust and wealth in Bitcoin, especially to the least technical amongst them, we owe them a committed effort to protect that trust. Their adoption benefits us, and Bitcoin's success ultimately depends on them
If someone places his wealth in something he don't understand how to properly use and maintain, he is asking for disaster. He either needs to learn about computer security or he needs to find someone who will do it for him. And retards should not use computers at all.
legendary
Activity: 3416
Merit: 1912
The Concierge of Crypto
@batcoin, when you get a cheap netbook or other computer for offline purposes, you erase the whole thing first, re-partition it, re-format it. Then simply don't install the wireless drivers. Or if you really need a thick tin foil over it, open up the laptop and physically disconnect or destroy the wifi adapter, paint over the IR port, put glue or rubber into all the other ports (or disconnect them.)

Then keep that laptop or netbook inside a faraday cage when you're working on it. The room which contains the cage must have a door that you can close. And make sure to sweep the room for bugs.
legendary
Activity: 1330
Merit: 1000
Yes, I'm suggesting someone create and sell packaged, dedicated hardware nodes with support.  You wouldn't even need to create the hardware.  Just integrate the software.  It would be somewhat more secure, and more convenient, than a typical Windows PC.  It could also be used for POS.
full member
Activity: 238
Merit: 100
In Gord We Trust
There are hardware wallet projects ongoing.  Very important development imho.  Hope we get enough people soon to get them into 'mass' production so they can become cheap.

I think Slush & Co. are working on something like this, no?

If there is any other way to get data into the hardware box aside from human input, it will get infected by malware. It has to have no electronic or digital connections.

Yeah, I think it's on the Armory website that they recommend buying a netbook to keep as an offline wallet vault. I am far into the tinfoil hat realm on this topic and I don't trust that wireless hardware won't continue to function even when "disabled" or "without drivers". The thing that's over my head is how it's possible to make something like a hardware wallet or offline wallet as easy to use as cash and email, but still secure and capable of backing up in multiple locations to avoid physical loss/destruction from fire, flood, theft, etc.

I think it's useful to consider a dedicated hardware node, perhaps based on Raspberry Pi, or a re-purposed Pirate Box.

Time for a roleplay:

How would I go about using a Raspberry Pi and what is a Pirate Box? Think of me as your mediocre end user who loves everything Bill Gates ever did including inventing the mouse and GUI and the computer...in that order. I don't know or really care what the Raspberry Pi and Pirate Box are. In fact, I am scared of Pirate Box just because of its name. I just want to use Windows 8 and keep my Weatherbug software chirping away and running in the background.  Roll Eyes

~~The End~~

If something like Raspbery Pis are the way to go (because they sound so nice and wholesome), then there needs to be a nice little user's manual to go along with a detailed step-by-step list on how to carry out transactions in the most secure way possible. (A detailed step-by-step manual is a good idea with any method, actually.) The only way my average ass can think of for doing it securely involves two DVD drives and a USB, which isn't very attractive to a lot of people I think. Too many ways to fuck it up...

legendary
Activity: 3416
Merit: 1912
The Concierge of Crypto
If there is any other way to get data into the hardware box aside from human input, it will get infected by malware. It has to have no electronic or digital connections.
legendary
Activity: 1638
Merit: 1001
₪``Campaign Manager´´₪


There are hardware wallet projects ongoing.  Very important development imho.  Hope we get enough people soon to get them into 'mass' production so they can become cheap.
legendary
Activity: 1330
Merit: 1000
I think it's useful to consider a dedicated hardware node, perhaps based on Raspberry Pi, or a re-purposed Pirate Box.
full member
Activity: 238
Merit: 100
In Gord We Trust

Bitcoin desperately needs a trusted bootable operating system that can serve as a better cold storage for a majority of its users. And needs this distribution to be extremely user friendly and robust.

To the people placing their trust and wealth in Bitcoin, especially to the least technical amongst them, we owe them a committed effort to protect that trust. Their adoption benefits us, and Bitcoin's success ultimately depends on them.
                                                                                                             

I've been having these exact thoughts myself over the past several days. I am among the less technical of Bitcoin supporters, so any user friendly software out there would be really great to have. I can putz around with Linux a little bit, but I am still a very basic user who doesn't understand a lot of the behind-the-scenes workings. I am also very paranoid about internet contamination and want an offline wallet to be truly offline. Since I would fall into an average user category, I have trouble trusting apps that require going back and forth between an online and offline computer to verify transactions. To me it is too risky to be plugging USB drives into an offline computer and returning the USB to an online one. I simply see it as an unacceptable security risk for those that would have large numbers of BTC to store because I would wonder about wallet sniffing malware finding its way from the online computer to the offline environment and returning private keys to an online environment. Perhaps some education and clarification on these matters is in order too.

Bitsafe looks like a good project and though it's slightly less offline than what I would chose, perhaps it is safe enough if done right. It just looks like that project has been abandoned for now. Are there any more recent alternatives? And, how are average users like me supposed to know that such software is not just a wallet snatcher to begin with?
member
Activity: 84
Merit: 10

Sure, I can. But can my mom?

Just because there is A SOLUTION, doesn't mean its THE SOLUTION.

There's no such thing as THE SOLUTION for any problem.  Except maybe high explosives.

But yeah, your mom can run it if she does OK with Ubuntu by herself.  Setting up the various Doms is pretty intuitive and installation is professionally easy.  Besides; the lead developer is a woman, so your mom might be better motivated than your dad.
sr. member
Activity: 310
Merit: 250

Bitcoin desperately needs a trusted bootable operating system that can serve as a better cold storage for a majority of its users. And needs this distribution to be extremely user friendly and robust.
                                                                                                            

It's maybe not quite as user friendly as Ubuntu, (being based on Red Hat), but if you're looking for secure - and I mean SECURE - you should give Qubes a look:

http://qubes-os.org/Home.html

You can actually run an Armory off-line wallet on it while connected to the internet.  Shocked

Yes you can.

Look into it.  It's at V.1.0 and a real mind-blower.

Sure, I can. But can my mom?

Just because there is a solution, doesn't mean its the solution for the majority of users. Maybe a bootable OS is totally the wrong way to go with this. But we need something and soon.
member
Activity: 84
Merit: 10

Bitcoin desperately needs a trusted bootable operating system that can serve as a better cold storage for a majority of its users. And needs this distribution to be extremely user friendly and robust.
                                                                                                            

It's maybe not quite as user friendly as Ubuntu, (being based on Red Hat), but if you're looking for secure - and I mean SECURE - you should give Qubes a look:

http://qubes-os.org/Home.html

You can actually run an Armory off-line wallet on it while connected to the internet.  Shocked

Yes you can.

Look into it.  It's at V.1.0 and a real mind-blower.
sr. member
Activity: 310
Merit: 250
I agree completely.  Is a custom Linux distro the best solution?  It may well be, perhaps booting into a kiosk app.  Are you imagining people would use it to create a wallet to store funds, perhaps on an external USB with a paper wallet backup?  And then maybe boot into the distro whenever they need to top up their everyday wallet, whether that's Electrum, the official client, blockchain.info, or some other client.  This working wallet would only contain the funds they could afford to lose.

There was LinuxCoin, which was based on debian.  As far as I know, it was last updated in 2011 so it's now fairly obsolete.  I used it back then, and it's nice but not targeted toward non-tech folks.  However, I had missed BitSafe, mentioned in this thread.  I'll have to look into it, looks impressive.  Wonder if the GUI is friendly enough for non-Linux people.

I'm imagining something akin to a kiosk app that the distro would boot into, which would have simple buttons/menus for doing things like creating addresses, backing up, sending, paper wallets, etc.  Kivy is a good Python framework for creating kiosk apps that runs on Linux and Android (and other platforms).

I think that in addition to Linux, it's worth considering Android for this kind of OS that would boot into a single app, using bitcoinj.

I've got a lot of Linux experience and am comfortable with Kivy, and other GUI toolkits as well.  Unfortunately, I'm also quite booked for the next few weeks.  Nonetheless, I agree this is something that needs to be done and I'd like to contribute whatever I can, whether that's bash or Python scripts or something else.  It may be that Bitsafe fulfills our needs, and just needs to promoted among Bitcoin novices.


I don't know that a bootable OS is the best solution, maybe its ultimately a hardware wallet or something that uses trusted computing. This is not my area of expertise, but I feel like the need is so strong and so immediate that I'm very much hoping that people with more skill than I are realizing how crucial this is.
full member
Activity: 218
Merit: 100
I agree completely.  Is a custom Linux distro the best solution?  It may well be, perhaps booting into a kiosk app.  Are you imagining people would use it to create a wallet to store funds, perhaps on an external USB with a paper wallet backup?  And then maybe boot into the distro whenever they need to top up their everyday wallet, whether that's Electrum, the official client, blockchain.info, or some other client.  This working wallet would only contain the funds they could afford to lose.

There was LinuxCoin, which was based on debian.  As far as I know, it was last updated in 2011 so it's now fairly obsolete.  I used it back then, and it's nice but not targeted toward non-tech folks.  However, I had missed BitSafe, mentioned in this thread.  I'll have to look into it, looks impressive.  Wonder if the GUI is friendly enough for non-Linux people.

I'm imagining something akin to a kiosk app that the distro would boot into, which would have simple buttons/menus for doing things like creating addresses, backing up, sending, paper wallets, etc.  Kivy is a good Python framework for creating kiosk apps that runs on Linux and Android (and other platforms).

I think that in addition to Linux, it's worth considering Android for this kind of OS that would boot into a single app, using bitcoinj.

I've got a lot of Linux experience and am comfortable with Kivy, and other GUI toolkits as well.  Unfortunately, I'm also quite booked for the next few weeks.  Nonetheless, I agree this is something that needs to be done and I'd like to contribute whatever I can, whether that's bash or Python scripts or something else.  It may be that Bitsafe fulfills our needs, and just needs to promoted among Bitcoin novices.
sr. member
Activity: 310
Merit: 250
The most important quality of money is trust. If something that acts as money loses trust, it stops acting as money. History is full of failed currencies whose demise was brought about through the loss of trust in the governments backing those currencies.  

In the summer of 2011, when a Mt Gox user's account was hacked and coins stolen, the result was that trust was lost in Bitcoin itself, plummeting the value and temporarily retarding its progress. It doesn't matter that "the hack had nothing to do with Bitcoin, only an exchange and a user on that exchange", the message heard by many was that the currency was not to be trusted. Its taken almost 2 years to build that trust back up in the eyes of members of the general public.

We are at a crucial time in the development of Bitcoin. User adoption is exploding and new opinions are being formed daily. As the value and distribution of Bitcoin increases, so does the incentive for evil and theft. An encrypted wallet, stored on a computer connected to the internet, is not safe from a rootkit or a keylogger deployed through bundled malware distributed through an exploited website. A patient and malicious actor can ultimately do much more to destroy Bitcoin than even a corrupt overreaching government, or a client based software bug can. If funds are stolen from a large enough percentage of the user base, we might as well pull the plug on this whole experiment, because the trust will never be repaired. Never.

The message we are sending to new Bitcoin users is that they should not trust web based wallets with more than a small percentage of their funds. That, coupled with the fact that most people do not have an extra computer that can be permanently left offline, means that right now there is NO good solution for MOST users. Paper wallets are great, but they present their own challenges. The armory team have done a wonderful and admirable job with their wallet, and for the more technical amongst us, it is a great solution. But as things stand today, we most go further. Bitcoin desperately needs a trusted bootable operating system that can serve as a better cold storage for a majority of its users. And needs this distribution to be extremely user friendly and robust. I don't personally have experience in creating a customized linux distribution, but I'd like to work with people who do, so that this need can be filled.

To the people placing their trust and wealth in Bitcoin, especially to the least technical amongst them, we owe them a committed effort to protect that trust. Their adoption benefits us, and Bitcoin's success ultimately depends on them.
                                                                                                            
Jump to: