Topic: delete (Read 2660 times)

Any government standards like FISMA - http://csrc.nist.gov/
San's CIS Critical Security Controls - https://www.sans.org/critical-security-controls/

There are real frameworks out there that are valid.  I'm not trying to be rude.  I'm trying to keep this sounding the nicest way possible with being able to pass the information.  That is just some of the frameworks, there are MANY MANY more and compliance's security company's have to meet if dealing with US government.   

Yours are ideas for what you think is needed for government/military standards.  But you have nothing to back up that has been vetted and proven needed, or that it makes them comply with (insert tons of frameworks and compliance here).

I'm not the one making things up.  I asked a simple question and you dodged it.  Did you make up criteria for "9) Military-grade offline wallet storage"?  Is there really any documentation showing that you meet any military standards? If so which country and what standards?

It sounds like you made up things that sounded good to you.  But did not follow any real requirements.

But you are fantasyzing about about wild west scenarios.

There are no armed gangs roaming around streets and raiding places, where do you live in Somalia?

Even in the most crowded cities banks have 1 or 2 security guards, and bank robberies are rare too. You would imagine a post apocalyptic world where para-military gangs roam around and pillage everything. That is not what happens in the real world.

In the real world if you have 4-5 armed guards, nobody dares to attack it. You watch too many movies.

How can you say it's solid?  Have you used it.... guessing not.. all you have is a fictional story about it.  It keeps getting more and more far fetched to help anyone with storage.

You can do the back/forth all day.  For example on your last post sure even if you have all 100 percent honest guards what if a bigger group of bad guys decided to take it over and try to force your BTC info out of you... it makes no sense to go back and forth on scenarios like this.

How did you even come up with "Military-grade offline wallet storage"?  Is there set documentation on what it should be or did you make up what you thought should be?

I still say I would take a paper wallet only I know, or a hardware wallet only I know.   I don't wan't guards if I was doing huge amounts of money compared to what they pay.

Greed is a strong thing.  Sadly some fall into greed and you could easity have a bad security guard.  Imagine when the security guard figures out if he gets your BTC there is no reverse button... I hope you don't get anyone who greed shines it's head to.

I think most bitcoiners learned the lesson "Trust no one" (at least when it is in bitcoin area) the hard way. Having to trust someone is always an additional risk. Like having coins laying on an exchange. They might have a vault and all but still... risky.

And i think you miss that wolfs are pack animals. They hunt in packs. One mafioso speaking about all the money they guard and their measly wager they get each month. Well... i would not be so sure about the outcome.

If i would have to trust i think i would collect the persons by checking their personalities very carefully.

Sure, though they have insurance. And the fiat bills have to be physically moved. When exchanged they can be found via serial number. It is no fun washing such money... i imagine. No problem at all with bitcoin.


I think that theory is wrong. Blackwater... or The Rock, i believe, they are named now, hire such ex military. But these guys are EX for a reason. The end result is that the US government hires these soldiers to make war and these guys regularly are involved in killings of civilians and such things. These ex soldiers often enough are psychos or have some kind of problem.

Having to trust someone is always a risk

In reality you hear that the bank employees silently worked together with the bank robbers and similar things. Bank robbery nowadays is not rewarding. Normal banks rarely have more than 10k USD in their bank building and even then, all fiat bills are marked with serial number.

Stealing bitcoins is very easy instead when it comes to getting away.

Being hidden unknown still is safer. If you have to spend money then tell your surroundings that you hold shares of some company. They will believe it and be pleased. No attack vector opened.

Banks hold trillions of $$$ in their vaults, or if you dont like reversible ones, then check the gold exchanges.

Gold exchanges hold tons of gold in their vaults, none of them raided yet.

I think you guys watch too many movies, in reality nobody dares to raid a compound full of armed guards.

I think the guy with the hardware wallet or properly done paper wallet and stored in good location like bank is just about as secure as most need.  I think it comes down to cold vs hot wallet. Even if you have a bunker your relying on guards who I would assume make much less then what is being stored.  As long as there is greed there is a chance of them going "bad"

I like mine to only rely on myself.  I see bank as ok as for the level of security it's hard to beat price for a security deposit box.    

But I kinda agree with shorena it's kinda hard to have a discussion.  It seems a little adversarial which is not healthy for a discussion.

I get that, but I am not sure if you understand why. You have no attack scenario so you cant properly judge the defenses. As SebastianJu pointed out, if are rich enough to set up a bunker + guard for your bitcoins you will have to consider attackers willing and able to cut your fingers off[1]. It does not even make sense to compare #9 to #1.

Anyway, I will not further pester your thread with my criticism.

[1] http://news.bbc.co.uk/2/hi/asia-pacific/4396831.stm

Actually i think 9 is less secure than others. Because you are publicly showing up yourself as someone who has something to hide. I'm sure satoshi has no heavily guarded fault. And he is the richest bitcoiner alive. And he probably is way more safe than the operator of a big mining farm. Even with guarded vault.

I think having guards only will raise suspicion and attract thieves. Put the guards to sleep with gas and you can move on. Or especially in the bitcoin area... buy anonymous a hit team and let them  raid the vault.

I think the best protection would be that nobody knows you are rich. You take care about your privacy and prevent your bitcoin addresses to be connectable to you. You can hide your private key everywhere. Your whole computer is full of data where you could hide a privkey without anybody ever being able to find it.

Of course when you run a business and everybody knows you and your company then it might be something to consider.

Haven't you guys seen how easily a disc of data may be stolen from a military grade secure bunker in Mission Impossible ?

For owners of valuable but not priceless data such as a few hundred bitcoins, I suggest that you set up an Electrum Wallet on a new install of linux (preferably raspbian on a raspberry pi) and use a poem which you will remember or something comparable which you won't forget over many years as the encryption passphrase.  Transfer your BTCthere and wait for the transaction to confirm.

If you want to hoard much of your BTCfor a few weeks or months then a raspberryPi is small and cheap enough that you can lock it in the safe next to the bars of bullion and just not use it for that long.  If you know that you want to hoard BTCfor years then pull out the sd card from the raspberryPi and permanently erase or destroy all that is on it.  Unlike a pc with bios, raspberryPi is stateless hardware, meaning that the sd card is the only persistent data storage on it.  To fully recover your BTC, procedure is to install electrum on something which you trust and enter that same passphrase.  If you are being really careful then you can buy a new 4GB sd card to do this on and erase it afterwoods.  After a few minutes online to synch, your BTCare recovered from only the passphrase.  I think the devs came up with a snazzy name like "deterministic wallet generation" to mean that you can throw your computing hardware into the fiery bits of Mt Etna, just so long as you remember the passphrase.

Of course, if you do own all the money in the world or a priceless list of military contacts, then you have to beware of lovely ladies with foreign accents who demand "tell me the poem"


If anyone wants to spend a BTCto get me to do all or part of this for you, just pm me.


Now, how does "remember the poem" compare to 1-9 listed in the first post of this thread ?

Look it can be secured, relative to the level of paranoia.

There is always the possibility that an invisible goblin will watch the keystrokes when you enter your bitcoin wallet password, so what does it matter ?

So this discussion is pointless. There will be alway an attack vector. However method 9) is still the most secure and the odds of theft become so low, that you will have a higher chance of falling off the stairs and dying than to lose the bitcoins if you secure it properly, so at that point it doesnt matter.

More people die from car accidents than those that lose their bitcoin from bunker

So the videotape is protected better than the room with the computer?

If you have a fortified compound with armed guards, I dont think anybody will attack you

However if you do hold a lot of bitcoins, and somehow other people will know about it, and if you dont hire some armed guards, then it will be the biggest danger. All billionaires have a private army protecting them.


Those have different roles.

In my situation, the cameras serve the role of checking if the room has been entered without authorization.

For example: 1 infiltrator enters the saferoom to install some transmitter on your secure PC, that will leak the private key to him when you use it.

If you videotape the room all day, and check the footage before you use the PC, then you will not use the PC if it has been tampered with, and will replace it with a clean PC, and copy all data into that. Then burn the tampered PC.

Fingerprint you say?
-> https://www.youtube.com/watch?v=HM8b8d8kSNQ
-> http://arstechnica.com/security/2014/12/politicians-fingerprint-reproduced-using-photos-of-her-hands/


Like the cameras in public transport systems or banks that dont actually prevent the crime?

Fingerprint detector... normal ones easily cheatable with a bit of tesa and glue. And i would not want to risk that some thug cuts away my finger so that he can get into the vault. Even when the reader is detecting blood motion... it can be faked and was faked already. I would fear for my health with these kind of systems.

But you dont let the guards inside the room, only you can access the room with fingerprint detector.

The guards are only there to guard the entrance.

And the room would be surveiled + movement detectors, so that nobody but you can go there undetected.

The whole point military quality equipment makes it zero percent chance of losing BTC is just wrong.  As long as there is greed and "bad" people you cant just blindly trust.

Look at this coinbase - http://www.coindesk.com/former-silk-road-dea-agent-pleads-guilty-to-bitcoin-theft/ .  These DEA agents had military quality... they had secret clearances... should be great guys.  But in actual world they got greedy and stole BTC from what should have went into government holdings.

I still think cold wallet is key. I think hardware wallet and paper wallet are strongest ways to store BTC if done right.

My point exactly. The guards are a security risk as well as a feature.


https://en.wikipedia.org/wiki/Intrusion_detection_system

If they are a millionaire they can buy themselves a bunker, and private security to guard it.

And we know there are many bitcoin multi millionaires out there


Well if you have alot of money, and armed guards I dont think people will just do an armed robbery against you. Its far more likely that an infiltration can occur, so that is the risk you need to worry about.

What is "IDS"?

I would say its less secure than 8, because you have to rely on the guards to actually do their job. Its certainly not 100% either you have to get the transactions online somehow. If you use an USB Stick for this with malicous firmware all the gards cant help you. There is no attacker scenario at all.

The OP also misses honey pots, IDS just to name two high level methods.

Wreckless is not a word.

*rofl*

I hope you tested if this type of storage is really as safe as you believe?

I think your list will give newbies some hints about the risks. Though i doubt that any normal user will use your 9th solution.

There arent any sophisticated viruses for bitcoin, yet. Not that I know of. In the sense that AI viruses, that have basic intelligence and can adapt to PC enviroment, like there are for bank account thefts.


Most Bitcoin viruses are either:

• Corrupted bitcoin of altcoin wallet
• Basic keylogger that searches for password fields
• Web keylogger for blockchain.info and similar sites
• Teamvier based remote acces virus (Yes i saw many altcoiners lost their altcoins by this)
• Detector virus, that searches for default bitcoin installation and sends the wallet file outside when unencrypted

You can easily protect against these, with no-script browser addon, basic antivirus scan of files and checking signatures/ checksums.

However, in the future, the malware can get a lot more sophisticated, so beware!

but usually i only install certified things and i'm not visiting any shady website, there is no need to be very paranoid about virus, it's the user that let them enter no one else

this is true for any virus even those bios virus, the only exception would be that router virus that propagate because there was an hole in the router security or something, i don't remember the name

Oh sure, yes that is ok. We all use that, and its ok, I thought you keep all of them on an online PC which is very wreckless.

well not all, i still keep them in the cold storage like any other sane person, but i like to have an hot wallet with a certain amount

for faster spending

Trezors allow you to have multiple addresses. And they also have multiple accounts per device. It just depends on the password used.

No because he cannot know what accounts are on it since the accounts are determined by the password.

I`m not sure how trezor works, doesnt it only contain 1 bitcoin address or can you hold multiple?

Can the attacker browse through your fake accounts until it finds the real one and demand that from you instead?

Nice analysis! Why not just use a Trezor and set up all the bunch of fake accounts on it with a one word passphrase that you just must remember. In this way even the people that would extortion your coins can't do anything!

This would still be my option number 1, everything else is too complicated with too much hassle or not enough safe!

Yet. You cannot know what other dangers might lurk in the future.

I dont really recomment what you are doing, it is very risky to store all btc in online pc.


No it's not. The red dot is the risk meter, check again.

Paper wallets encrypted with BIP38 do use AES encryption. In fact, if you do make paper wallets for cold storage, you should ALWAYS have it BIP38 encrypted.

Why Professional online PC storage is more risky than Responsible online PC storage by your scale? Professional way is worse or it is a typo?

take your first point, and remove the "Then they start visiting shady websites, clicking on all shady ads, clicking on links from spam e-mail etc..." and you have the safest storage

it was i'm doing since i discovered bitcoin, and not even a satoshi was stolen from my desktop, the first secure option is your brain

Ok i change the title, if its so confusing.

But your logic isnt consistent too, if the attacker has military capacity to attack, then how else will you defend if you dont use the same quality defenses?

Instead of plain paper wallet storage in a lockbox in a bank (where millions of things can go wrong), why not use AES encryption that is military standard?

You basically want to give your bitcoins to the bank. Whats the point of bitcoin then. You should just use fiat then.

This will be my last post as I don't care to post in this thread and bump it up.  It should be changed from storage methods to Malware Threats as you say that is what your focus is.... but to each his own.

Read the article with it you missed a very important part by not reading. It is DEA agents with military grade equipment, and secret clearances doing bad things.  They took BTC so... the point is as long as the human factor and greed is there there is no 100 percent safe storage.  So you thoery about "Military-grade" being 100 percent safe is flawed.

I suggest changing thread title to Malare Threats, not Storage.  Paper wallets are a valid storage.  Hardware and Paper are great cold storage way's of storage but it all depends on the person and how they are using the BTC with what is best.

Don't post multiple times in a row in same thread in one day... one might think you are trying to push the thread to top of beginner thread.  So read the article I linked, and also the rules on bumping threads as this is not ok below:

Nov 26 - 2 post's in a row
11/28 - 2 posts in a row, 2 different times

What do you mean by this, I dont understand what you are telling me here.

Dude , I`m talking about PC malware stealing bitcoin. Do you not understand that you will have to import that private key eventually into a PC if you want to spend it.

That is the point I`m trying to make. So a paper wallet is irrelevant in this discussion, because eventually you will have to import that key into a PC to be able to use those bitcoins.

So, a paper wallet is not a point of access to bitcoins. Just as your credit card is not a point of access to your money: the ATM is.

No my thread is about safety & risks of different bitcoin storage methods that have point of access: keeping bitcoin safe against malware.

The whole point of a paper wallet is that it keeps your private key (and BTC address) offline.  So it is stored on a piece of paper.   Your thread is about storage... not transmission.  And I'm talking storage in a safty deposit box or similar, not in a desk like one mentioned above.

I think leaving a big some on a PC is a bad idea for the most part.  And even military grade can have someone take BTC there is a level of trust at this level that a "bad  guy" can take advantage of just look at silk road where agents took BTC - http://www.coindesk.com/former-silk-road-dea-agent-pleads-guilty-to-bitcoin-theft/   So even military computers are not perfect as long as a human is part of equation.   According to your list this cannot happen as these DEA agents no doubt were military grade hardware and site.... but it did.  No way of storage has zero risk.
 
Your logic if flawed in my view.

Yes, but i`m talking about malware security, not as in general risks.

Read the first posts , the topic of the thread is protection against malware and other digital hazards. Losing the keys by other means are a different discussion.

Yes that is what I meant. You said that a paper storage method is a method, but not in my list, because a signed data has to access an online PC to broadcast the transaction, which will happen in 1-9 ways.

So a paper wallet is irrelevant in this discussion, as I`m talking about PC security. Plus a paper wallet is worse secure than a hardware wallet, because both can be extorted from a person but a harware wallet atleast has access to the PC and its more practical.

There is risk in using any of those methods mentioned. You can lose you key in the paper mess called a desk, you hard drive can crash, the site for your web wallet can not be accessible and the exchange you store your coins on can get hacked.
Nothing really is safe to store your coins on.

How is paper wallet with private key not a "Bitcoin Storage method".   You store BTC on a address you have private key to.  Once you need it you can put private key into many different wallets depending on what's your favorite.

To use it you need to put it into wallet yes.  But it in no way is a backup plan.  Paper wallet is a valid storage method.

A paper wallet doesnt have access to bitcoin. It stores private keys.

Then you must have the private key on a computer to be able to sign a transaction. At which point you have to choose 1 out of the 9 methods to access that private key.

So a paper wallet is more like a backup plan, but not a bitcoin point of access.

I suggest putting like 8.5 or something like that and talk about storing a properly made paper wallet in a bank safety deposit box.  If it's done correctly no risk of hacking as it's a paper wallet (again IF done correctly).   And with bank it has high security that most places don't.

Its a good option for large sums of bitcoins. 

.