Topic: HOWTO: create a 100% secure wallet - page 5. (Read 276150 times)
Thanks for the advice. At least now I know how to deal with my paranoia. I've been looking at buying and mining but the whole stealing aspect has made me very nervous. I'm going to start with dogecoins so if I fuck up I won't feel too bad.
I absolutely love this OP! Great info and not all geeky worded, it's nice to see that some people still have personality. I'm going to start working with digital coins and found this with some searching online.
For both sending & receiving coins you need to connect internet.
What do you mean by "receiving"?
If I have created a wallet and copied the receiving addresses on a piece of paper I don't really need internet connection to receive coins.
I can just give the address to someone and that's it.
Now If I want to spend these coins then I will need internet, but that is sending, no receiving.
You can also spend coins by generating (signing) a transaction on an offline computer, then use a thumbdrive or sd card to move the raw tx to a service that will broadcast that tx to the bitcoin network for you. That way, your private key or brainwallet passphrase need never be revealed to a computer with an internet connection (and its possible collection of installed malware).
There are wallets, such as brainwallet.org that can be run on an offline computer.
As a well-disciplined newbie (although I already bought a bunch of BTC while still at $200-250), I tried to read this thread thoroughly, and the more I read the more I started to suspect that, unless I’m grossly missing something, the thing about “100% secure wallet” is a little bit paranoiac.
First I’ll state my conclusion: besides backing up the data to an external media, the only thing I have to do is to soundly encrypt the wallet and keep the passphrase out of the system. For additional protection I’ll put the wallet in an encrypted volume.
Now my arguments:
1. I think that most users generate and keep their passwords (the passphrase in this case) via a serious, dedicated app, protected by a healthy master password. This app will enter the passwords in any box you direct it to, bypassing the clipboard.
2. I know a thing or two about hacking (the now and then pass-time with friends in the nineties, as a teenager), and I’ll say that even if you are a greenhorn that opens unknown emails, visits unsafe sites etc., and thinks that the costliest antivirus, antispy and antimalware programs do protect you (they don’t), still:
My 2¢. I’ll be grateful to the enlightened of this forum to show what am I missing. Perhaps things are more complicated. I still have to work out how using the same address for multiple transactions makes you vulnerable, as asserted in a previous reply in this thread.
First I’ll state my conclusion: besides backing up the data to an external media, the only thing I have to do is to soundly encrypt the wallet and keep the passphrase out of the system. For additional protection I’ll put the wallet in an encrypted volume.
Now my arguments:
1. I think that most users generate and keep their passwords (the passphrase in this case) via a serious, dedicated app, protected by a healthy master password. This app will enter the passwords in any box you direct it to, bypassing the clipboard.
2. I know a thing or two about hacking (the now and then pass-time with friends in the nineties, as a teenager), and I’ll say that even if you are a greenhorn that opens unknown emails, visits unsafe sites etc., and thinks that the costliest antivirus, antispy and antimalware programs do protect you (they don’t), still:
- keyloggers may work only if you enter the password manually. You should be quite a nerd to enter a 20 chars long gibberish password manually.
- spyware and such are useless against encrypted data.
- theoretically, a second-rate hacker may enter your system any time he wants and, finding a hot keyword in your files (as bitcoin, for example), he may start digging. But why choose precisely your computer? If you kept a low profile and your mouth shut, chances that he’ll find you are nil. And again, if your data is well encrypted, you are safe.
My 2¢. I’ll be grateful to the enlightened of this forum to show what am I missing. Perhaps things are more complicated. I still have to work out how using the same address for multiple transactions makes you vulnerable, as asserted in a previous reply in this thread.
Very well said. I totally agree with that.
Dude you really rock.
As a well-disciplined newbie (although I already bought a bunch of BTC while still at $200-250), I tried to read this thread thoroughly, and the more I read the more I started to suspect that, unless I’m grossly missing something, the thing about “100% secure wallet” is a little bit paranoiac.
First I’ll state my conclusion: besides backing up the data to an external media, the only thing I have to do is to soundly encrypt the wallet and keep the passphrase out of the system. For additional protection I’ll put the wallet in an encrypted volume.
Now my arguments:
1. I think that most users generate and keep their passwords (the passphrase in this case) via a serious, dedicated app, protected by a healthy master password. This app will enter the passwords in any box you direct it to, bypassing the clipboard.
2. I know a thing or two about hacking (the now and then pass-time with friends in the nineties, as a teenager), and I’ll say that even if you are a greenhorn that opens unknown emails, visits unsafe sites etc., and thinks that the costliest antivirus, antispy and antimalware programs do protect you (they don’t), still:
My 2¢. I’ll be grateful to the enlightened of this forum to show what am I missing. Perhaps things are more complicated. I still have to work out how using the same address for multiple transactions makes you vulnerable, as asserted in a previous reply in this thread.
First I’ll state my conclusion: besides backing up the data to an external media, the only thing I have to do is to soundly encrypt the wallet and keep the passphrase out of the system. For additional protection I’ll put the wallet in an encrypted volume.
Now my arguments:
1. I think that most users generate and keep their passwords (the passphrase in this case) via a serious, dedicated app, protected by a healthy master password. This app will enter the passwords in any box you direct it to, bypassing the clipboard.
2. I know a thing or two about hacking (the now and then pass-time with friends in the nineties, as a teenager), and I’ll say that even if you are a greenhorn that opens unknown emails, visits unsafe sites etc., and thinks that the costliest antivirus, antispy and antimalware programs do protect you (they don’t), still:
- keyloggers may work only if you enter the password manually. You should be quite a nerd to enter a 20 chars long gibberish password manually.
- spyware and such are useless against encrypted data.
- theoretically, a second-rate hacker may enter your system any time he wants and, finding a hot keyword in your files (as bitcoin, for example), he may start digging. But why choose precisely your computer? If you kept a low profile and your mouth shut, chances that he’ll find you are nil. And again, if your data is well encrypted, you are safe.
My 2¢. I’ll be grateful to the enlightened of this forum to show what am I missing. Perhaps things are more complicated. I still have to work out how using the same address for multiple transactions makes you vulnerable, as asserted in a previous reply in this thread.
I'm still trying to figure out how it works, and I haven't done any transactions yet.
I use bitaddress.org aswell, can recommend.
Just use bitaddress.org (web page) or NoBrainr (offline tool) to generate robust brainwallets and cold storage addresses.
Crypto currencies are a game-changer. But, as currently implemented, they are designed to fail. The proposals here won’t change the outcome.
Simply put: there is no spend password on the private key!
To illustrate: my PGP/GPG private keys are only created and used offline; printed and stored in an offsite safe. But, they are vulnerable to replication. Somebody sitting at a keyboard and hammering out a random string that just may be identical to my original PGP/GPG private key.
So, when somebody finally replicates my PGP/GPG private key they must still crack my random password to impersonate me. That, is to transact with my key.
The Android Bitcoin flaw proved that the Bitcoin 51 character private key is much easier to replicate. It starts with the digit 5 and the rest of the key are randomised characters from the Base58 symbol chart on the Base58Check encoding page.
It doesn’t matter if you follow best-practice privacy measures, such as cold storage, paper-wallets, encrypted USB drives, etc. No passphrase, no security.
It won’t be long before some script-kiddy writes an algorithm to replicate all possible Bitcoin private keys. Run them through the JavaScripts available online that calculate the individual public keys. Query sites such as Bitcoin Block Explorer for addresses with transaction histories. Download the JavaScript to create secure offline Bitcoin transactions. Then, broadcast the transactions.
All without touching a single encrypted wallet.dat.
––––
REFERENCES
····
The Android Bitcoin vulnerability explained
http://blogs.avg.com/mobile/android-bitcoin-vulnerability-explained/
····
Base58Check encoding
https://en.bitcoin.it/wiki/Base58Check_encoding
····
Query private wallet keys at
https://www.bitaddress.org
····
Watch wallets online at
https://blockchain.info/address/
····
Retrieve transaction history at
http://blockexplorer.com/q/mytransactions/
····
Create offline send with
http://www.howtovanish.com/images/offline-transactions.zip
····
Broadcast spend at
http://blockchain.info/pushtx
Simply put: there is no spend password on the private key!
To illustrate: my PGP/GPG private keys are only created and used offline; printed and stored in an offsite safe. But, they are vulnerable to replication. Somebody sitting at a keyboard and hammering out a random string that just may be identical to my original PGP/GPG private key.
So, when somebody finally replicates my PGP/GPG private key they must still crack my random password to impersonate me. That, is to transact with my key.
The Android Bitcoin flaw proved that the Bitcoin 51 character private key is much easier to replicate. It starts with the digit 5 and the rest of the key are randomised characters from the Base58 symbol chart on the Base58Check encoding page.
It doesn’t matter if you follow best-practice privacy measures, such as cold storage, paper-wallets, encrypted USB drives, etc. No passphrase, no security.
It won’t be long before some script-kiddy writes an algorithm to replicate all possible Bitcoin private keys. Run them through the JavaScripts available online that calculate the individual public keys. Query sites such as Bitcoin Block Explorer for addresses with transaction histories. Download the JavaScript to create secure offline Bitcoin transactions. Then, broadcast the transactions.
All without touching a single encrypted wallet.dat.
––––
REFERENCES
····
The Android Bitcoin vulnerability explained
http://blogs.avg.com/mobile/android-bitcoin-vulnerability-explained/
····
Base58Check encoding
https://en.bitcoin.it/wiki/Base58Check_encoding
····
Query private wallet keys at
https://www.bitaddress.org
····
Watch wallets online at
https://blockchain.info/address/
····
Retrieve transaction history at
http://blockexplorer.com/q/mytransactions/
····
Create offline send with
http://www.howtovanish.com/images/offline-transactions.zip
····
Broadcast spend at
http://blockchain.info/pushtx
This already exists: Deep Space Vagabond
Google it.Perhaps more interesting than the app is the discussion thread, read it all, it's very educational.
All possible Bitcoin private keys, eh? 
Crypto currencies are a game-changer. But, as currently implemented, they are designed to fail. The proposals here won’t change the outcome.
Simply put: there is no spend password on the private key!
To illustrate: my PGP/GPG private keys are only created and used offline; printed and stored in an offsite safe. But, they are vulnerable to replication. Somebody sitting at a keyboard and hammering out a random string that just may be identical to my original PGP/GPG private key.
So, when somebody finally replicates my PGP/GPG private key they must still crack my random password to impersonate me. That, is to transact with my key.
The Android Bitcoin flaw proved that the Bitcoin 51 character private key is much easier to replicate. It starts with the digit 5 and the rest of the key are randomised characters from the Base58 symbol chart on the Base58Check encoding page.
It doesn’t matter if you follow best-practice privacy measures, such as cold storage, paper-wallets, encrypted USB drives, etc. No passphrase, no security.
It won’t be long before some script-kiddy writes an algorithm to replicate all possible Bitcoin private keys. Run them through the JavaScripts available online that calculate the individual public keys. Query sites such as Bitcoin Block Explorer for addresses with transaction histories. Download the JavaScript to create secure offline Bitcoin transactions. Then, broadcast the transactions.
All without touching a single encrypted wallet.dat.
––––
REFERENCES
····
The Android Bitcoin vulnerability explained
http://blogs.avg.com/mobile/android-bitcoin-vulnerability-explained/
····
Base58Check encoding
https://en.bitcoin.it/wiki/Base58Check_encoding
····
Query private wallet keys at
https://www.bitaddress.org
····
Watch wallets online at
https://blockchain.info/address/
····
Retrieve transaction history at
http://blockexplorer.com/q/mytransactions/
····
Create offline send with
http://www.howtovanish.com/images/offline-transactions.zip
····
Broadcast spend at
http://blockchain.info/pushtx
Simply put: there is no spend password on the private key!
To illustrate: my PGP/GPG private keys are only created and used offline; printed and stored in an offsite safe. But, they are vulnerable to replication. Somebody sitting at a keyboard and hammering out a random string that just may be identical to my original PGP/GPG private key.
So, when somebody finally replicates my PGP/GPG private key they must still crack my random password to impersonate me. That, is to transact with my key.
The Android Bitcoin flaw proved that the Bitcoin 51 character private key is much easier to replicate. It starts with the digit 5 and the rest of the key are randomised characters from the Base58 symbol chart on the Base58Check encoding page.
It doesn’t matter if you follow best-practice privacy measures, such as cold storage, paper-wallets, encrypted USB drives, etc. No passphrase, no security.
It won’t be long before some script-kiddy writes an algorithm to replicate all possible Bitcoin private keys. Run them through the JavaScripts available online that calculate the individual public keys. Query sites such as Bitcoin Block Explorer for addresses with transaction histories. Download the JavaScript to create secure offline Bitcoin transactions. Then, broadcast the transactions.
All without touching a single encrypted wallet.dat.
––––
REFERENCES
····
The Android Bitcoin vulnerability explained
http://blogs.avg.com/mobile/android-bitcoin-vulnerability-explained/
····
Base58Check encoding
https://en.bitcoin.it/wiki/Base58Check_encoding
····
Query private wallet keys at
https://www.bitaddress.org
····
Watch wallets online at
https://blockchain.info/address/
····
Retrieve transaction history at
http://blockexplorer.com/q/mytransactions/
····
Create offline send with
http://www.howtovanish.com/images/offline-transactions.zip
····
Broadcast spend at
http://blockchain.info/pushtx
I think it's safe to summarize this post as: Armory is your home safe and Coinbase is the wallet you take when you get out of the house.
Naturally, the actual solutions hereby named change from time to time, but these two are pretty good options as of Nov 2013. Would someone disagree?
Naturally, the actual solutions hereby named change from time to time, but these two are pretty good options as of Nov 2013. Would someone disagree?
Wel in the end the only cecure wallet is a downloaded wallet freshly installed not up dated at all And send you coins to that address ,don't update wallet. Wallet dat. can be backed up but do not update the wallet
Until you connect to internet, your wallet wont have the coins.
Blockchain shows the address has coins, not in your wallet.
You need to connect to internet, then only the coins will reach your wallet.
Blockchain shows the address has coins, not in your wallet.
You need to connect to internet, then only the coins will reach your wallet.
Sorry, but your understanding of how Bitcoin works is wrong.
The wallet doesn't contain any coins
It contains your public and private keys to spend coins, that belong to it.
So basically the blockchain knows your address has some coins and your wallet contains the right to spend them.
So, no you don't need an internet connection to receive coins, but you need internet connection to spend them
For both sending & receiving coins you need to connect internet.
What do you mean by "receiving"?
If I have created a wallet and copied the receiving addresses on a piece of paper I don't really need internet connection to receive coins.
I can just give the address to someone and that's it.
Now If I want to spend these coins then I will need internet, but that is sending, no receiving.
Blockchain shows the address has coins, not in your wallet.
You need to connect to internet, then only the coins will reach your wallet.
100% is a strong statement
True, but it is a reasonable approximation, given that, if one follows proper procedure for creating an offline wallet, there is essentially no way to steal the funds besides failure of Bitcoin protocol. Even robbery with violence can be stymied by splitting up private keys or key-access passphrases and storing them in multiple sites. I guess one could try to extort bitcoin via kidnapping and the like, just as with fiat.
100% is a strong statement
For both sending & receiving coins you need to connect internet.
What do you mean by "receiving"?
If I have created a wallet and copied the receiving addresses on a piece of paper I don't really need internet connection to receive coins.
I can just give the address to someone and that's it.
Now If I want to spend these coins then I will need internet, but that is sending, no receiving.
OK, so for receiving coins you don't have be connected to the internet, in fact you don't need to do anything as long as you have your wallet secured.
For both sending & receiving coins you need to connect internet.For to just check the balance in a particular address you dont need to connect your wallet software to internet.
you can just check the address in blockchain.info for balance
Quote
But what about sending coins? - I assume internet connection is needed in order to broadcast the transaction, but do I need to download the full blockchain in order to successfully send coins?
YesQuote
Can I just open a fresh client for less than a minute, send some coins and close it immediately after that? Is that enough time for the transaction to appear in the blockchain?
No Jump to: