Topic: Cold Wallet Myth (Read 284 times)

Nobody can be sure there's no vulnerability in system, when new vulnerability keep discovered as time progress. For example, there were 11 new CVE (based on published date) for Windows 10 and 15 new CVE for Linux Kernel[2] in last month.


I assume that's because people who replied either unable to afford to lose their coins or being far more cautious, especially for saving all your coins.

[1] https://www.cvedetails.com/vulnerability-list/vendor_id-26/product_id-32238/Microsoft-Windows-10.html?page=1&order=7&trc=3070&sha=4103294ea69ab71338d175f3bb08afe8bd275db0
[2] https://www.cvedetails.com/vulnerability-list/vendor_id-33/product_id-47/Linux-Linux-Kernel.html?page=1&order=7&trc=3306&sha=7f81e0da0504619b76358c8c584bb5679247de89

Allow me to quote Under Siege 2: "Assumption is the mother of all fuckups".

In an ideal world we'd have unicorns everywhere. There's not really a point discussing something that doesn't exist.


The whole reason of using cold storage is because you can't know all vulnerabilities. For laughs:
Are you talking about cold or hot storage? It's easy to have 2 USB sticks, paint tape one blue and the other red. The blue cold one doesn't have internet and holds your private keys, the red hot one has internet and a watch-only wallet.

But for how long?

Tell me you don't know anything about computer security without telling me. 

There are millions of things to account for your computer's security.  One of them is the net.  Never connecting to the net, and to no network in general can mitigate every possible network attack.

I consider TAILS safe enough for me. Always check and verify you downloaded a genuine version of it and other cryptocurrency related software. This verification step should never be skipped. Be aware that TAILS is agnostic, forgets everything you saved, unless you have a persistent storage partition setup (which is usually or should be encrypted; don't forget or loose the decryption passphrase!).

Don't rely on a single USB flash device, be it with TAILS or some other encrypted container or other valuable data on it, as such devices can fail. Cheap flash storage is sometimes of questionable quality. No backups, no mercy!

Better learn how to setup before doing it on your own or else you may end up either setting the wallet incorrectly or losing your bitcoins.

I would advise you to first watch these three tutorials to have a basic understanding. Although these are a bit old, but they will give you an idea of what you are going to do.

Hardware Wallets in TAILS or Ubuntu Linux - Verify GPG Electrum, udev rules, sweep Paper Wallet

How To Make A DIY Cold Storage Bitcoin Wallet

Electrum offline transactions tutorial

Think about it — even experts themselves are scared of malware/viruses. If they're worried, YOU should be worried.

Also, hackers don't necessarily choose who to hack. They do wide attacks that affects as much devices as possible.


It's fine if you know what you're doing; but the thing is, most people don't. Seriously don't cheap out and just buy a decent hardware wallet.

Hard? Maybe. Impossible? Absolutely not.

How can you be sure you'll never click an unknown link? You can't. How can you be sure your anti-virus will pick up every possible piece of malware? You can't. Whereas I can be 100% certain I will never click an unknown link on my airgapped computer, because it has no hardware in it which is capable of connecting to the internet.

This is like saying you have driven for 5 years without wearing a seatbelt, so you are confident you don't need a seatbelt. Just because you have been safe so far doesn't mean you will be safe forever more.

Hot wallets have their place. I use a hot wallet frequently. But I only use it for amounts I can afford to lose. My rule of thumb is "How much cash would you carry around in your physical wallet?" $100? Fine. Then $100 worth of bitcoin can be in a hot wallet. $10,000? No chance. So that amount of bitcoin should be on something more secure, be that a hardware wallet or an airgapped wallet.

It's certainly better than a hot wallet, provided you disconnect your internet connection prior to booting to Tails and keep Tails offline the entire time you are using it. But it is not as good as a proper hardware wallet or dedicated airgapped computer.

Well, i thought that since I did not download any extra software on my system, never click on unknown links, and had an updated anti-virus on my system, so it is hard to get any malware on my system. Also, i wondered why would any hacker try to intrude on my system, I do not store even a full Bitcoin. Also, another thing that made me confident of my system is that i haven't faced any such issues for the last few years, using Electrum as a hot wallet.

Anyhow, reading all of the replies and none agreeing with my point of view, i have started to feel scared.



Since i do not have any extra system with me right now to meet this emergency, is the tails USB with the built-in electrum can be trusted?

I think you're missing the point. There is no such thing as nirvana. Here's haven, here's hell, and it's far from ideal. In an ideal world, we wouldn't need bitcoin --or money in general. We wouldn't need food to survive, 8 hours of sleep, there wouldn't be diseases, wars, and unhappiness.

For the same reason, you can't just make the arrogant assumption that your machine will be free from malware if it remains Internet connected. You don't have 100% security, nowhere. Neither permanently airgapped devices are 100% secure. It's just one factor less to account for.

Of course and it's possible. It's possible to have a hot wallet which never gets compromised. It's possible to download bunch of non-reviewed software in the same machine, such as cracked programs, and still not lose a penny. In fact, it's even possible to guess a private key with a million dollars worth of bitcoin. What's possible is not relevant. What's relevant is what's probable, and it's a lot less probable to have your wallet compromised if it lives in an airgapped device.

The problem is that you can never be sure about that, in fact the whole point of using an air-gap computer is to effectively eliminate a large number of potential vulnerabilities that may not even be known to us. So by taking that simple step we try to significantly improve our security.
The real question is why would you want to take that risk and connect to the internet?

Air-gapped wallets means isolation from outer world. Which means it should not have any connection to outer world even there must not be any Bluetooth, or NFC etc. This definition indicates that we should not attach our AG wallet to outside world even if we do it for once or two time then it is not Air-gapped anymore. To update the wallet you could use SD card or usb to insert data into your wallet. In my knowledge most of the wallet even do not have the option of SD card mean to insert data in it. But in current era, new wallets are coming which have many features. like QR scan etc. and more which also lies on security levels.

A computer can be air-gapped just like a wallet once if it become isolated from outside world. But you are saying you are connecting that computer to online will not make it non-air-gapped. I mean the question is same but you changed the device. i.e. In first question the device was air-gapped wallet and in this question the device is air-gapped computer.

So my answer is same for the Question 1 and 2.

Secure from what? I mean if you are that sure about your computer being free of virus then what's the need of uninstalling the electrum from it. But still in my knowledge it is not a practical thing to achieve Means not a single computer could remain free of malware. There are numerous types of Malware so new types of malwares will keep coming. But Yeah this method is way secure then keeping that Electrum wallet installed on your device.

Look — in an ideal world, there are no malware and viruses. But in the real world, they're everywhere. The point of having cold storage is to erase the chances of you getting malware on your device. Because even if you're the most technologically savvy person in the entire world, you can still have malware with a slight misstep.


The thing is, how sure are you that you actually will get no malware/viruses? Just because your device's antivirus didn't detect any malware doesn't mean you can't have any.

I would like to drop a thread I thought I would never get hacked... which clearly explains why we should not assume "my device is invulnerable to hacks and other potential risks" and that is the whole point of having cold storage as well.


You can "assume/If or But" where I don't see the word 'for sure' here.

Those who lost the coin also said at first "we were sure that there was nothing on our device".
We have the definitional boundary between hot and cold wallets based on due diligence and recognized by most technical experts. But you always have the right to enforce your wallet security according to your own definition.

There is no ideal world, it is only your mind that thinks that your computer is malware free and the other 99% of the users also believe the same. And then when they lose their crypto, they have no idea what went wrong.



I am testing out making a tail OS through USB and then using electrum through it. This can be a cost effective and better solution rather than making a computer or a mobile an air-gapped device. With tail OS, the Electrum wallet comes by default and there is no need to install any more softwares. Secondly, you can keep save that USB like you save a hardware wallet.

Just connecting a device to the internet doesn't leave it non-airgapped until it starts sending and receiving TCP or UDP traffic (collectively I will call this stuff TCP although there's a slight difference).

For example, if the device has any sort of incoming ports, then it is no longer air-gapped as hackers can start throwing malicious traffic at it.

Outgoing ports are trickier and depend on the server that said traffic is going to - if it is your own managed server from the internet, that's not making any other traffic, or running any other software on different incoming ports, using a protocol whose traffic you have audited, there shouldn't be any concern, however if it is some random website or even google.com or AWS, then the air-gapped nature is gone because you cannot verify what those servers are doing with your request.

You can have a LAN in an airgapped setting, even a WLAN - as long as all computers inside the network are under your control and don't talk to the outside world, with the possible exception of getting security updates from your package manager, as running vulnerable air-gapped software or firmware is equally as dangerous.

No, it won't. It will be a hot wallet which is sometimes disconnected from the internet.

If you are sure your computer is 100% impenetrable to attacks and completely free from all malware 100% of the time, then you should probably present your findings to the CIA or something and be paid handsomely in return, since you'll be the first person ever to create a 100% secure system.

No. First, you can't be sure your device is malware free. Second, when you delete data, all you are actually doing is telling your computer it can write over these sectors of your hard disk when it needs to. The data isn't actually removed until it is written over, which could take months or even years depending on how you use that disk.

You aren't sure. No one is sure. Have you disassembled and intricately examined every piece of hardware in your computer to check for backdoors? Have you read every line of code for every piece of software running your computer, from your BIOS and OS through to your wallet software? Are you examining every incoming and outgoing packet across your internet connect to check for malware or data being leaked? Of course not. Therefore you have no idea if there are vulnerabilities in your system.

This is the whole point of a permanently airgapped device. It is impossible to have a completely secure system connected to the internet, but you can mitigate a lot of possible attack vectors simple by airgapping your device permanently.

Again, nope. Your wallet data will still exist on your hard drive unless you have deliberately written over the necessary sectors, which few people do. Malware can access that data and send it off to an attacker.

Ideally just like you assumed, your coins or keys saved on electrum is save as long it is not compromised but in all honesty that something you will never get guarantee on


No because a cold storage should never tastes the internet. Even that once could have it caught a malware.

You cannot or never be sure once it touches or connects to the internet because once it touches it then consider it been already compromised. There are malwares that can’t easily be detected. And connecting it sometimes to internet as you have suggested even if you are sure the device doesn’t have malware doesn’t not make it a cold storage again but rather a hot storage that is yet to catch malware. A cold storage never touches the internet.

I think you do not get my point of view, I just want to know that in an IDEAL WORLD, the Electrum wallet on the computer with an internet connection is safe if there is no Malwares, no hacker's attempt etc

We use Cold Storage only to avoid any possible risk that comes through the Internet, Right? There is no other reason.


But still possible, Yes?


Look here, you said "potential vulnerabilities". if we are sure that there are no vulnerabilities in the system, then we can connect to the internet.



Again, assuming the computer never gets stolen, uninstalling the electrum keeps the coin safe even if some malware later comes in that computer and we never re-install the electrum in that computer without formatting it first.

You don't necessarily need to connect your air-gapped device to the internet (because it voids the actual purpose) to upgrade your electrum since it can be done completely offline.

Download the latest version of Electrum from https://electrum.org/#download and then verify the signatures before installing it.

[GUIDE] How to Safely Download and Verify Electrum

Then copy the downloaded file to your air-gapped device and install it, then restore your wallet with your seeds "Standard Wallet -> I already have a seed".

Then go to  "Wallet -> Info" and get your "Master Public Key"

After this go to your device which is connected to the internet create the "watch-only" wallet (Standard Wallet -> "Use a Master Key)

By this method device will be never connected to the internet so you no need to worry about your seeds being exposed to malware or anything.

---

Technically No.

The actual purpose of creating the cold storage for crypto wallet is to mitigate any potential vulnerabilities so in case if you want to take the risk that you can be sure the device is entirely malware free then it's your choice.

Uninstalling and deleting doesn't necessarily mean files are gone permanently because we know it is possible to retrieve data back even from the formatted hard drives.