Topic: Computer just for coin transactions. (Read 2787 times)

If you ever do please share the experience. I find it a bit of a hassle really....

Yes, of course installed by me. HD nuked with DBAN first.


I'm trying to avoid doing sneakernet (usb/qr code) transfers. I do understand how offline works, because I've done it, with Armory. Haven't tried with Electrum yet.

Okay - well you could always record the random K values used for the signing to be sure they never get used again (as I mentioned before).

To go even further I guess it shouldn't be too hard to put together an index of *all* K values that have ever been used (maybe that could be a small side project worth considering - if someone is game I would consider donating something towards an open source project that does this).

I mean on purchased used computers.  A real long shot, for sure.

Yes - was already brought up - although am pretty sure if it was a problem with the major OSs then pretty much all of our BTC should already have been stolen (the thieves didn't waste any time stealing from the broken Java RNG implementation in Android - why would they not have done the same for others then?).

Also note that people did run checks on the entire blockchain (you'll need to search for the relevant topics) for the re-use of the random K values in tx's - apparently re-used K values only showed up for a very small number of tx's that all appear to be from the Java RNG issue (the same analysis was undoubtedly how the thieves worked out what they could steal).

To be paranoid, there may be an exploit to influence the RNG.  But that's really paranoid.

Once again - if you *never* connect it online it doesn't matter how nastily infected it is (and physically disabling any ability for it to ever connect is my advice and what I have done to the old laptop I bought for this purpose).

Also don't use the OS on it either - use a LiveOS (and one that doesn't use the HDD).

You're not gaining anything by having that computer online Dabs.  Just put it offline and use it to only sign transactions.

"DO NOT BUY A OLD USED COMPUTER, there can be trojans in the firmware, or exist a SMM backdoor. also do not use any closed source(Windows, Chrome, ...) use linux or bsd. do not use proprietary/binary driver for your GPU, there can exist a backdoor there too.


your level of paranoia is up to you, but i always have "nc -e sh -p 9090 -l" running."

Perhaps the manufacturer put malware in the BIOS, it's hard to know without the source code.

If the OP wants GNU/Linux on his computer, he should try http://trisquel.info">Trisquel GNU/Linux.
There is no proprietary software in it, as it is one of the nine free-as-in-freedom GNU/Linux distributions endorsed by the Free Software Foundation.

Dabs:

That's seems quite secure to me. Just last point, One time my sister bought an new laptop. Brand new. The OS was infected with trojans -_- (As I forbid her to use it unless I check the software and hardware first). So is the OS installed by you? and if so how reliable and trustworthy your source for the OS software? If that is checked then hats off. Paranoia Lophie thinks you are awesome.  .

@lophie, okay, for OS, points taken. Just some things I can't really do much about (and if they're all offline anyway, I don't mind my non-technical workers using closed source software.)

Broadcasting Transactions = through Tor, check.
Signing = offline, use another computer. Armory or similar. OS shouldn't matter because it is completely offline anyway.

However, let's pretend that I have an online computer, as what the OP seems to be suggesting, then this is the 2nd best way. The best way is to use 2 separate computers with one being offline forever.

Then, using routers and firewalls and all those other network things, block all ports except bitcoin's TCP port 8333. As in, block everything.

You can't email, you can't chat, you can't browse (and in fact, there will not be a browser installed or it is purposefully deleted.), you can't do any other internet app that uses any other port, you can't print over the network, you can't share files, you can't play poker. At this point, does the OS matter?

Then you add Tor.

What else is going to get past that? Unless some zero day exploit targets bitcoin-qt itself. (or bitcoind). I remember some worm before that got into even brand new XP computers the minute they went online until they got patched. SASSER or BLASTER or SLAMMER or something like that.

Dabs, My opinion on OS, I never use closed source (including drivers  ), Regarding network. If not through tor, I don't broadcast transaction, I don't sign transactions and messages using an online computer.

Can't say I am like that all the time, just for the addresses holding triple digits of coins  .

Can't say I anaylze traffic and search for exploits in different software all day long. But Microsoft have a track record and open source have a track record on the opposite direction, if you know what I mean.  .

A relevant point although I've not heard of any such problem with any major PC OS and you can always add your own entropy manually (assuming you are happy to whack at the keyboard or play around with the mouse for a minute or so).

I haven't seen any of the 50+ addresses I've generated offline suddenly become depleted (as has been the case with the known random number issues) and in any case - any *update* is just as likely to contain some new NSA backdoor isn't it?

You could also store the random # used in each tx signing to make sure the # is never used more than once (am not that paranoid myself yet - but may consider adding this functionality).

That what I thought but then he went on:

I was a script kiddie once, then ... eventually worked my way to become a network security consultant for a small ISP (after rooting all their servers with their knowledge and permission.)

But I'll not admit to whatever shit I used to do back in the day. heheh.

Anyway, what are the possible attack vectors for my scenario? It's a computer. It has just the OS and Bitcoin-Qt. It is behind a typical home router.

For OS, there are 3 popular ones: Windows, Mac OS, and Linux.

I have what I consider a "safe" version of Windows XP SP3 because I keep an updated ISO from MSDN and slipstream the updates into the .iso and then burn that, and then use that to install on new production computers with a valid and legal volume license. I do this because I don't yet want to put Win7 or Win8 on them, they don't need it. I might even migrate them to Linux later on as that has everything they need (LibreOffice) except print drivers. (It's for work, so ... stuck with Windows for now.) And my graphic artist needs to work in Photoshop and CorelDraw, dunno if they have Linux versions or if our license covers those, and don't want to pay twice. I haven't check it out though. It seems they don't run natively and I don't want to install a different OS then run them through emulators.

For Linux, I could just grab maybe Ubuntu or Mint or OpenWall? Or one of those security hardened versions.

For Mac OS, (-X), I have no idea, I just don't use them, but it is my understanding they are now similar to Linux OS. I did jailbreak a few ipads and ipods and installed VLC on them.

Dabs... I don't like to admit it but I used to do alot of shit back in the day.  Simply put, I don't think you are safe. Started using a stripped down distro of linux and go cold. Welcome to the future, Welcome to Bitcoin. Now information are not only worth money, They ARE money!

Speaking of which, how safe is my online computer? If it is only online about 2 hours a day, which is just enough to grab the latest blockchain data, and send out transactions, sitting behind my router, with nothing else installed on it?

I understand, I am probably not safe from some zero day worm exploits, but the router and firewall should take care of most of that.

Safe from what?

If it is offline it doesn't need to be kept safe at all - that is the very *point* of being offline.

US A LiveCD distro of linux so that everytime it reboots its guarenteed to be 100% clean. 

I'll take it. PM me for my mailing address? Or you can do a whois on my lotto's domain and find out where I live and send the computer there.

@OP. Just format your new or old computer / laptop. Put your own OS.


I think the point of an offline PC is you never connect it back to the internet once it is set up. If you do, you have to set it up all over again.

However, I think what the OP wants is a computer that can be connected online, and all it would have is bitcoin-qt. This is certainly possible, and while not recommended by the tin-foil-hat group, is certainly better than using your regular computer (with everything else in it, games, work, internet apps, browsers, etc.)

I've set up something like that. It has a barebones OS installed on it and just bitcoin-qt. It's connected. It downloads the blockchain. It can do transactions. And it sits behind my router. It's turned off most of the time and goes online for a few hours each day, just to sync with the network.

The problem with offline PCs is that you can't update them. Every OS has to be updated regularly via the Internet to keep it safe. But you can't do that with an offline computer. So if say you have to update your bitcoin client and it requires newer versions of certain libraries what do you do? What if there is a problem with the random number generator on the OS like we recently saw with Android? You will have to update the OS and that means going online. Things like these make it hard to maintain a truly offline PC.

You download the blockchain on a separate computer that's online, so you can see your balance.  Then you create an unsigned transaction and transfer it to the offline computer where you sign it.  Then you transfer it back to the online computer to broadcast it.

You make a paper copy of your wallet.

How do you spend coins?

How do you move coins?

Do you have to download the blockchain every so often?   

that's not how you use paper wallets

This one looks so good for so little except it's loaded with all types of questionable garbage.

http://www.google.com/intl/en/chrome/devices/samsung-chromebook.html?utm_source=en-ha-na-us-gdn&utm_medium=ha&utm_content=samsung-banner&utm_campaign=en#ss-cb   

You don't need internet access for offline storage.  You can move coins just fine, you just need to be able to sign transactions.

That looks like a possibility.

Except for the fact that you can't download the Blockchain or move the coins.

Cheapest new laptop on newegg is $275, so go for that or get a raspberry pi.

take any computer, disable the wifi/internet and you'll be virus-free forever. Tinfoil hat approved!

That's to complicated. I'm just getting a simple little clean notebook. It will only be turned on for a short time when using for Bitcoin. their will be no chance of Trojans etc. I just don't want the computer screwed up and compromised from the very beginning.   I don't want anyone from the "egg stealer species" having any control of my personal info. 

If your that worried that the CIA will be using a backdoor to watch your Bitcoin transactions, you do know they can monitor your ISP, or just look at the Blockchain and see where you have been spending your coins without ever having to look at your computer. 

I don't think you have anything to worry about from Big Brother.  Now if you're worried about theft of your coins from keyloggers ect.  Then I would say use a virtual computer, and make sure you rebuild it everytime you do a transaction, or boot off a Boot CD.  Then only plug your wallet USB key in when you are about to do a transaction.  Is it overboard, I would say yes, but it should be the safest way to keep from anyone stealing your coins.

I love the idea and I'm thinking about this for some time now.

You could either use a live system with persistent storage on an USB stick or maybe set up an Rasperry Pi or something similar with more power (e.g. Cubieboard 2, though I've never done this).

If you use something such as the CIYAM Safe (http://susestudio.com/a/kp8B3G/ciyam-safe) then you just make sure your tx computer is *permanently* offline (by that I mean *remove* the WiFi card and disable/destroy any other standard way to get network connectivity such as plugging in an ethernet cable).

It is a LiveOS and doesn't even access the HDD of the machine being used so it doesn't matter how infected its OS is.

It also doesn't require you to use a USB for comms (that can be all done via QR codes for 100% "air-gapped" safety).

That article simply states Microsoft handed NSA communications from its communication products. It does not in any way prove Microsoft has a NSA backdoor in windows.

I hate to engage in ad homiem attacks, but infowars kind of sucks. Also, the info wars article isn't related to snowden at all, because it was published 5 years ago.

Aside from that, a quick skim of the article reveals that it only alleges google of selling equipment and the "Intellipedia" to the NSA. There's nothing in either of the articles to suggest that windows 8 or chrome has some sort of 3 letter government agency remote backdoor capable of compromising anything related to bitcoin. If you're extra paranoid, you can always turn off the wifi. NSA can't get you with their backdoors if you have no Internet, right? Unless... they use HAARP for NSA spying as well :p

What linux dist is best for bitcoin transactions?

Everyone is always going to have to accept a certain amount of risk, however small.

How do you know that any chip on the motherboard, processor, GPU, harddrive doesn't have some sort of spying routine programmed in?

The answer is you don't. You have to accept the small risk.

Linux, simply so much of what is useful in bitcoin is made with Linux users as first class citizens.

I'm a really big fan of the Lenovo low end X-series (X120e-X131e). The Wi-fi card is accessible to unplug easily so you can make sure it stays offline. Then you install Linux on a decent SSD and make sure you have enough RAM. If you are really paranoid you can use something like this to take things to the next level.

Use Armory to sign transactions and make wallets.

As far as new vs. old computers go New computers might have NSA spyware, but old computers risk having spyware and compromises the previous owner picked up. What you want in a dedicated machine though is to keep it offline broadcasting transactions and other secure communications from a reasonably clean computer (or random coffeeshop computer).

It's really just a matter of how deep you want to go down the paranoia hole.

Well personally I always grab the bat and connect the reset jumper with every device. then upgrade to the latest BIOS provided by the hardware manufacturer. But I don't know.....

firmware trojans and SMM backdoors are really really hard to detect and remove, they are persistent even between boots without harddrives. SMM was designed to be undetected, to emulate old PS/2 mouse and keyboard, even when they was plugged into an usb port. and firmware you often don't have access too(yes, you have access. but the firmware controls the access, and decides what you get to see and what not.), when they first are in place and are also persistent over boots wo/hd.

i know how this stuffs done, would you be willing to accept a computer from me and put bitcoins on it? (im the one getting rich here, not you)

Come on man no one would buy an old computer and not get rid of all that!

Snowden spilled the beans. I always suspected. Mostly common knowledge at this point. Here is a sample of a quick search.

http://macdailynews.com/2013/07/11/how-microsoft-handed-u-s-nsa-fbi-cia-access-to-users-encrypted-video-audio-and-text-communications/

http://infowars.net/articles/march2008/310308Google.htm

DO NOT BUY A OLD USED COMPUTER, there can be trojans in the firmware, or exist a SMM backdoor. also do not use any closed source(Windows, Chrome, ...) use linux or bsd. do not use proprietary/binary driver for your GPU, there can exist a backdoor there too.


your level of paranoia is up to you, but i always have "nc -e sh -p 9090 -l" running.

get a netbook. Something old and slow. throw an ubuntu on it. Encrypt the installation. Encrypt home directory. Install what you need. take it off the internet. prosper.

Do you have evidence for those allegations, or are they just assumptions?

To my knowledge, Chrome only logs user telemetry by default. You can opt-out in settings. Windows 8 (or any other version) is much the same. Nothing in either of them that can compromise wallet security. You're just being paranoid.

You can put a new HD in.  You don't even need a hard drive, just use a USB key.

Good idea except an old computer could have a Trojan. And the hard drive will crash sooner than a new one.

So Linux or Apple?

Just get a cheap old laptop and use linux.  Less than $100 on ebay.

Then don't use Windows.

Google = CIA FBI.  Windows 8 = Back Doors for Big Brother. I don't want anyone having access to my computer but the only one worth trusting. Myself.  

I'm just not a fan of the UI haha.

Why? because of privacy concerns, or just unfriendly UI?

I'm sure Google Chrome won't be stealing your Bitcoin.

I agree with hating Windows 8 tho.

Look on Amazon they have older units with Windows 7 on them still.

Why would you think Windows 8 or chrome = bitcoin stealer?

Looking for a computer to keep off the net except for coin transactions. I found some ideal note books but they have Windows 8 and Google Chrome on them already.  I don't want any snoop software on my computer monitoring me.

What would be better or am I being paranoid? Heightened awareness in my opinion.