Topic: Cold storage security (Read 5064 times)

I'm sure you have your reasons for not telling us what kind of business would require such kind of full disclosure. But the moment you started operating it, then everyone would know what it is, and that's not going to stop someone with more capital to do a copy-cat business.

Why not think of a solution that does not require full disclosure? People would have to some how trust you anyway. Look at the exchanges, they have hundreds of thousands of bitcoins. Of course, one is located in Japan, so ... ... you've got physical security right there.

Look at, hmmm, I can't think of anything else really, maybe Silk Road. But the important thing is that people should trust you and maybe there is no need for everyone to know everything, just what it is in the blockchain particular to them, and the rest of the info is summarized so they have an idea.

In my particular case, I only have armed security guards because I employ people in the factory. It is located away from the city, away from the malls that sell the items. Around the immediate area, several crimes have happened but it seems they are crimes of opportunity and chance from small petty criminals (theft of items in unguarded areas, theft of items locked by a wooden door, homicide between drunk people, etc.)

There is a small chance someone will attempt to rob my place because if you have as many people as I do, one might suspect that on some days they might be paid a small amount of cash each. One way I have addressed that is to minimize the cash and majority go through banks. It has actually happened before several years ago at a different location. Thankfully, no one was hurt, they just lost their money. Twice was too much, so we changed strategies and used more deliveries of smaller amounts that would not attract the interest of robbers. Finally, we now require all workers to have their own bank account or cash card, and most of the time (still not all the time) they get paid that way.

But there are still items at the physical location, like raw materials, which are worth a lot to those people who know what they are, and how to make products out of it. Fortunately, this is sort of a niche market so the most thieves could do is steal them and sell them cheap. And then we'd know who did it or what happened.

Actually, the armed guards I have are probably no good if there is still a determined attacker. They are meant as a deterrent to the small time robbers.

Watch any movie. One particular movie I remember is Firewall starring Harrison Ford and Paul Bettany. There is no way you can realistically and reasonably protect yourself from that kind of attack. You can read the plot at wikipedia or any other movie website. Unless you don't like spoilers and actually want to watch the movie, but I like knowing the story ahead of time.

This tactic is called tiger robbery or tiger kidnapping. The counter measure for this is requiring two or more people to do the transaction. None of you need be armed or have bodyguards (although it really helps if you do.) This is like those nuclear launch thingies, or mission impossible thingies that require two or more people to agree on something before it can be done.

That way, people would have to kidnap two or more people. The more, the harder it is. But if you eventually control hundreds of thousands or millions of bitcoins, then they have all the incentive in the world to hire their own personal SWAT team to do the job.

If I were evil, I could get rich systematically invading other wealthy people and threatening their families in exchange for money. Most people are unprotected (or at least they seem so.)

Makes me wonder why no one has tried robbing Bill Gates or Donald Trump or one of those billionaires, I mean, just kidnap their children right? And ask for a measly $10 million dollars in cash. ... ... Oops, I just found out they do have bodyguards. But hey, he controls a few billion dollars, so the risk is gotta be worth it. Doing it Firewall style would prevent the bodyguards and police to get involved.

Dabs, thanks for the input.  Unfortunately, because of the type of business, every address I was holding coins in would be public, and people could then look at the blockchain to find the balances.  The whole amount would be public, not by choice.

I bolded the part about body guards.  I am curious if ANYONE dealing in Bitcoins has hired one for their Bitcoin business?  I honestly cannot think of any of those companies making enough to impart some of the profits towards a bodyguard.  Regardless, it is certainly not something I would be able to do.  If physical protection like that is a requirement, then it's not a business I can start.

I do have my own firearms, and am not afraid to use them on any intruder.

And certainly, I agree that some of the measures of security should be obscured.

Is the whole amount public, or only for each client or customer? What I mean is, if I were a customer, I should of course know how much bitcoins you have that are assigned to me, but should I also know another customers amount of bitcoins. Maybe that information need not be public.

In which case, people can only speculate how many bitcoins you have in total, but not exactly. If that is true, then no one can ever be sure how much more bitcoins you control.

Kindly correct me if I am wrong. I do not know what business or service you are planning to do, so I do not know how it will operate.

For password security, you could try using a Yubikey or something similar (static mode maybe.) You will never remember the entire password and it can be destroyed convincingly to bad guys so they know they can't get anything from you. A backup should exist, and you can use the bank safety deposit box for that purpose.

Or you could design your own "panic room" not unlike the bank, or the storage unit. Like a large vault. It could be anywhere, it could be undetectable, it could be secret, no one knows where it is, etc.

Again, physical security.

If using remote computers through secure channels, you could always encrypt those systems. Backups get encrypted too.

Personally, I'd just have a laptop with my own mobile internet to do the transactions, and it never leaves my person, has tamper proof seals, and is auto-format/auto-wipe when I don't do something right. It will of course be encrypted so just wiping the keys (or the first and last megabyte) is more than enough to render it useless.

You could use a virtual machine or virtual OS that sits in an encrypted volume (such as TrueCrypt) but is only mounted manually, on a drive that has a wipe function in the startup folder that will wipe the same volume unless you stop it in time.

I actually made a small program to partially wipe a file on a drive. (I use TrueCrypt on Windows XP, you could use FAT32 instead of NTFS.) That way the file is gone if you don't boot it properly, and a single button short-cut or key combination will also do the same thing or do an instant shutdown, also keeping the data (and the private keys) safe.

If you are operating like something like a pawn shop or investing firm or bank like in nature or money changer, then you MUST have physical security, or at least a building that has double locks to give you enough time to push the panic button.

There are some things about your operation that should be kept secret from everyone else, like the nature of your self-destruct mechanism, your passwords, your yubikey, your fingerprints or other biometric security, and the location of your safe room.

If your business can not afford to hire even one armed security guard, then it is not something you should be doing. You'd have to weigh the cost-benefit analysis of this yourself.

Again, personally, I would do my own physical security, and acquire my own firearm (actually, I already have one) but that really depends on where you live and the laws of your country.

Businessmen in my country who are rich enough usually hire at least one bodyguard. There are very few who are completely unarmed, and only because no one else really knows what they're doing, and it's easy to keep some things secret around here.

I don't know what your business is, so I'm sorry if none of what I said can apply to you. I run a business that has several branches in several malls (it's an old fashioned business selling specialty items, unfortunately not for bitcoins) and I've learned how to protect myself from all but the most determined attackers.

All I can say is that what you have identified as potential vulnerabilities make sense, and I'm interested to dive further into mitigating this.  However, you could've simply emailed, PM'd or posted in my thread about this months ago, and I would've been happy to act on it.  Instead, you lurk in the shadows, popping your head out occasionally to insult people's intelligence for not knowing what you know, and the people who could be best aided by your experience will essentially ignore you, even if you have something important to say.

Please continue this conversation in the Armory thread, so we can stop derailing this thread.

Thank you very much for your understanding about my lack of style. I'm more worried that my rant was lacking clearness in the description of the possible avenues of attack.

Basically (a) & (d) are about the same idea: the distribution of source code should be clearly separated from the distribution of the compiled code. By mixing the two you inadvertently opened Armory to the attack by overriding/redefining some of its function/classes by dropping the overriding source anyplace where the Python interpreter could pick it up.
I didn't wanted to spark the discussion about benefit/drawbacks of static-typing vs. duck-typing. As far software security the duck-typed dynamic compiler/interpreter has a serious drawback of being able to accidentaly pick up leftover/changed code from many places in the file system which only Python expert will be able to locate.

The mixing of source/compiled representation also effectively nullifies the benefits of signing the compiled/executable code: anything in it can be changed by a very short (less than 100 bytes) .py file placed away from Armory appication directories.

Another thing that I didn't explained clearly is that Armory Online and Armory Offline have drastically different security postures. I was under impression that you actually understand this differentiation and posted in this thread to spark discussion how to further differentiate the two.

Anyway, it is great that you were able to rise over the presentation style used. I'm going to post a single link to very neutral/matter of fact presentation about offline system security.

http://gaming.nv.gov/index.aspx?page=51

then search for "Technical Standards for Gaming Devices".

For everyone who thinks that they will be better served by a ultra-polite, glad handing and slick presentations: please review the posts of
vadimg and shtylman about the BitFloor.

https://bitcointalksearch.org/user/vadimg-37089
https://bitcointalksearch.org/user/shtylman-37090

Again thanks to etotheipi for understanding the substance over the style.

I didn't say vps - I said vpn accessable vms... for clarity, if you're dealing with that much money - it shouldn't be a big deal to get some rack space in a secure location and drop your own server. That's if you'd rather let someone else physically secure it. But if it were me - I'd worry about physically securing that one SSD and the room it'll be accessed in. Seems way cheaper and easier to manage my own security than to goto the expense and annoyance of outsourcing it via bank vault or remote location.

Also - by cold storage, I meant an offline wallet probably a print out stored in safety deposit box.

I am overthinking it because no one else is.

Haven't you heard of all of the hacks, coins stolen from VPS's, sometimes even by the VPS providers themselves?  I wouldn't touch a service using a VPS for cold storage with a 10-foot pole.

I think you're over thinking this...

Physical security is always going to be easier to enforce than digital security. What you ought to do is physically protect the data storage device of the virtual machine your wallet is on (slap that puppy on an SSD and boot it via hyper-v) - keep the block chain updated on the host OS. Then all you have to secure is the room where you store the safe that the drives in.

if you'd rather not secure it yourself - then I'm sure you could figure something out using a bank computer and bootable USB device that you store in a safety deposit box. Or just a laptop that you bring in with you - drop in ssd - etc.

Personally, I'd just setup a few hosted vms that I could access via vpn and be done with it. The weak point in this sort of home invasion thing is always going to be threats towards you or someone you care about. If you've got the keys - and can be convinced to give them to someone... it doesn't matter how secure your setup is. The plus side of all this, you could code something for the vm you're using to ditch your coin to cold storage if you don't follow procedure aka giving you the option to pay them or not without them knowing. Of course, it would all come out in the block chain.

That's great to hear etotheipi - I do agree it would be a good option to have for those who want it!

You have clearly demonstrated that you are an asshole.  But that doesn't mean I won't accept advice from you.  Everyone has their own deficiencies, and clearly yours is a social deficiency, having no tact (or desire to try being tactful) in your expressions that everyone is dead wrong unless they are exactly right.  But I have thick skin, and can look past this.  Especially because you tend to have valuable input somewhere in your asshole ramblings.  After all, extreme technical competence usually comes with quirkier personalities.  I'll assume that's what your problem is...

(a): The Makefile is there because I put it there. I wanted to distribute everything with the executable, because it's all part of the same project.  Perhaps the organization of the files could be improved, but the only people looking for it will know what to do with it when they find it.  I'm not sure what your point was about this.

(b),(c): You have a good point that static linking is a security benefit, in addition to being easier to distribute.  I will look to see how much more stuff I can static-compile.

(d):  I do not agree about duck-typed languages being such a problem.  Sure, they leave room for poor/inexperienced programmers to make messier, more error-prone code.  But the quality of the final product is on the programmer, not the language they used.  Type-checking and error handling is superfluous throughout Armory code, and I am constantly testing everything I can.  I know you're probably going to be an asshole and point me to 10 different lines of code out of the 25,000 lines throughout Armory, where I didn't check variable types, or demonstrated some poor coding practice.  Well, go ahead.  I might even fix those lines.  But I won't apologize for having bugs in my, or doing something sub-optimal.  We can't all be good at everything.  

If you want to continue to discuss this, please do so on the Armory thread, or PM.  As I said, I'm happy to take reasonable advice from you.  However, your attitude is very likely to turn off others who otherwise would listen to your advice, but brush you off because you are so abrasive.

---

SgtSpike,

I'm actually talking to my buddy about the Android app.  He has much of it implemented, already.  As I said, we were waiting for multi-sig, but I had never considered the possibility of using an Android phone as an offline signing device.  I think this would be worth experimenting with, even with the default Android OS (there are no 100% solutions, yet, but I think this is about as close as you're going to get).   Looks like there's plenty of options for independent battery chargers, so you can keep your battery charged at home.  You'd also get the benefit of not having the battery stored with the device, so it would be a tad harder for an employee to boot your phone and pull the keys off.  They'd have to either steal the phone outright, or order a battery (which might end up being traceable).  In most cases, they'd probably just see a crappy Android phone and think it's unimportant. (Edit: this is another example of "attacks of opportunity" vs targeted attacks:  if an employee is digging through safe-deposit boxes looking for stuff to steal, they're going to go after all the jewelry that they can hide in their underwear until they leave work, not your crappy, battery-less Android phone -- the employee would have to know you and the value of that phone and actually target you, before it is stolen)

Not in my opinion. In my opinion the weakest point of Armory is a side-effect-channels created by the convoluted tangle of dependencies that are required to run Armory:

1) Ubuntu/Windows
2) C++ & C++ dynamic runtimes
3) Python & Python dynamic dependencies
4) Tcl/Tk; I'm not kidding, the official distributions of Python have a plethora of dependecies on Tcl/Tk, I did a classic "WTF?" when I first saw this.

I am thinking that cypherdoc is your example target user of Armory. If I were a bigger asshole that I already am, I would have no problem whatsoever to be helpfull to cypherdoc; help him with the upgrade of his secured/air-gapped installation of Windows/Ubuntu; and then steal all his Bitcoin stash.

But I'm just a very small, pinprick size, of an asshole, so I'm going to say this:

a) I looked at your py2exe distribution downloads. They are obfuscated. But do you know why are you distributing the Linux makefile in your Windows executable download?

b) don't be afraid to be assertive in your support for linking with *.a instead of *.so when some ArchLinux user challenges your choice. You need to understand why are you doing that and be able to explain your choice.

c) in your long term goals aim to minimize the attack surface by statically linking as many things as practical.

d) understand the Python duck typing and how the class override/overload mechanism is the greatest enemy of software security and how are you going to mitigate that.

I want to reiterate that the above is just a friendly advice. Feel free to ask for a full refund if you are not satisfied with my advice.

That makes sense etotheipi, thanks for the lengthy explanation.  I hadn't thought about viruses being transferred via the USB device I am storing the transactions to be signed on.

It's more to do with all the things the OS does when you insert a new device.  The weakest point of Armory offline security is USB auto-run viruses, which unfortunately exist for all OS.  It is, of course, orders of magnitude safer than keeping your wallet online, but there's still attack vectors that could be exploited in highly-targeted environments (like what you are talking about).  

I've been investigating ways to reduce mitigate this concern, but modern OS'es really hurt here, because they have so much code under-the-hood to auto-process new media for the convenience of the user.  It dramatically increases the attack surface.  For instance, someone figured out a vulnerability in the thumbnailer application used by the Ubuntu file browser -- they put a file on the USB key with a special icon ... and it was triggered automatically because a file browser pops up the moment you insert the key and it reads the icon file so it can display it.   I don't think it was a root-access kind of vulnerability, but it's still concerning.

I see two major benefits of offline wallets:
(1) Dramatically more difficult to compromise.
(2) Removes attacks of opportunity.  

On point (2): If some script kiddie from Russia stumbles onto your system for some reason, he can dig around and steal information.  If he finds a wallet file, he'll probably take it.  If you're using a watching-only wallet, he won't have anything to take, and will probably move onto other systems with lower-hanging fruit.  That would be an attack of opportunity: the script kiddie wasn't trying to break you, he was just looking for stuff to steal on any computer he can get access to.  A better example is a virus that uploads wallets it finds.  If you have no wallet, it does nothing.  So, if you're going to be compromised with an offline wallet, it's probably because you were targeted.

Unfortunately, this thread is about the fact that you expect to be a target.  In such a case, there is probably ways to compromise your online system and inject a malicious file that will auto-run when you insert the key into the offline system (or Android device).  Don't get me wrong:  this is a dramatically more-complicated attack to pull off.  But it's not impossible.  

However, most of the attack surface is due to auto-execute functionality.  Luckily, linux-based operating systems refuse to auto-execute any code on key insertion (without permission), but as referenced above, there is still an awful lot of code that runs when you insert a new device, and it's not unheard of that someone would figure out how to exploit that.

In many ways, though, there is extraordinary security through obscurity.  If the attacker does not know what kind of system is holding the full wallet, they have no way to know what vulnerabilities exist to exploit.  If you are using a custom-modified Android app with some drivers disabled, etc, then the attacker won't even know where to start.  They don't know whether they are trying to compromise a Windows machine, and Android 4.0 device, Raspberry Pi, etc.

From my perspective, this is really frustrating.  I only need to move a few kB of text back and forth between devices, but there seems to be no media for transferring data that doesn't have dozen of drivers/modules loaded to automatically handle data transfer. 

P.S. - I wouldn't freak out about offline wallets being totally insecure.  I'm just pointing out that this is not a 100% solution as-is, and it actually becomes a non-negligible concern when you expect to be targeted.

If it never goes online, is there a need to disable anything in the OS?  Unless you don't trust whoever preloads the OS...

Actually, my buddy was helping me develop an Android app for two-factor authentication using Armory&Android phone, but I got side-tracked with other priorities.  This was on hold until I got multi-sig implemented in Armory.  But the app could theoretically be used to make your Android phone the entirety of the solution: it is the offline device instead of a laptop. 

I would much prefer a custom OS that has a bunch of stuff disabled, but my guess is it's no worse (as-is) than using a laptop + USB key.

That would be very cool etotheipi!  Hopefully someone will make something like that - I don't have the capabilities to do it myself.

No idea about bank insurance, but it would make sense that the bank would be liable for any robberies that happened on their premises.  I wonder how hard it would be to get an insurance company to pay up for robbed bitcoins though!

I bet it's possible to make an Android app that can hold a wallet and sign Armory offline transactions.  That phone can stay in the safety-deposit box, and you can get an external battery that you can keep charged at home and take it with you when you go to the bank.  Throughout the day, you accumulate all the transactions you need to be signed on a micro SD card (which most Android phones use for supplemental storage).  You go to the bank, plug in the external battery, put in the SD card, boot the phone, verify&sign everything, the put it away and leave.  It can probably be done in less than 5 minutes.  

Also, isn't there some kind of insurance in the event the bank is robbed?  Are you responsible to cover your own losses when there's a bank robbery?  (the question of whether Bitcoin private keys would be covered by insurance is another story).

EDIT: of course there's still attack surface for anyone who knows you will be plugging the SD card into your phone and can figure out an Android exploit.  However, I bet it would be possible to use something like cyanogenmod to install a super-basic "OS" onto the phone such that it's only job is mount the card, show you all the transactions, and sign them.

On a related note: there may be something of value in the what car-rental places use:  the device will scan a QR code, and has a little printer on it which will print out "reciepts" that are actually QR codes with the signautres needed to complete the transaction.  Of course, any of these ideas will require some modification of existing devices, but such solutions should be developed anyway. (i.e. they aren't specific to your application, there's lot of use for it)

Even if you really have the private key stored in the bank vault, robber of this kind simply won't believe and you will get shot anyway.

The easiest thing for you is to do your business anonymously.

Depends... how many percent a day can you offer them?

Another option might be to use tokens.

Instead of proving you have their bitcoins, maybe an equivalent number of bitcoins could be proven to be in a vault somewhere and you proven to hold that many digi-bitcoin tokens representing them?

Basically don't deal directly with bitcoin, instead tell people to go buy digi-bitcoin tokens and send the tokens to you instead of the bitcoins?

As I operate an Open Transactions server I am in a boat not totally unlike yours.

My server deals with tokens, and I would prefer not to have to keep bailing actual coins out of cold storage all day.

One approach I thought of is posted at https://bitcointalksearch.org/topic/market-makers-102316 but response has been underwhelming.

Ideally some number of bitcoins would be in a cold wallet so cold it would be a massive undertaking to get them out, and instead of taking any out people would sell tokens to market-makers, or as some call them, "exchangers". Similarly, people wanting the tokens would buy them from those third parties. I would merely operate the server and have in my "last will and testament" a method by which the cold wallet could be put back together from the various safe deposit boxes its parts reside in and decrypted with keys whose various parts are buried in various backyards, with of course umpteen redundant backup systems extremely convoluted and secure...

-MarkM-

Well, that's partially why I haven't been more specific about the business plan. 

The OTHER problem is, it obviously requires people to have a lot of trust in me, for temporarily holding on to their coins, so I am not sure an anonymous business model would work.  Then again, people seem to keep falling for scams left and right here, so maybe it would...