I'm not sure if it's already been mentioned in these 33 pages of posts (sorry I was lazy and didn't read it through) but wouldn't the most secure wallet on creation be the one that's put on a USB stick (encrypted or not) then shoved in a bank safe deposit box.
Nothing beats physical security offered by the brick & mortar people that have been securely holding stuff for decades.
Stu
Topic: HOWTO: create a 100% secure wallet - page 95. (Read 276221 times)
To have zero risk from a wallet, can I just not have one?
For example, I can just accept BTC directly into my mtgox account, and if I need to pay someone with BTC, with draw the BTC from my mtgox directly into the other person's wallet/mtgox account. Would this be safe?
For example, I can just accept BTC directly into my mtgox account, and if I need to pay someone with BTC, with draw the BTC from my mtgox directly into the other person's wallet/mtgox account. Would this be safe?
no.
entrusting all your coins to anyone but yourself is most definitely not 'zero risk'.
To have zero risk from a wallet, can I just not have one?
For example, I can just accept BTC directly into my mtgox account, and if I need to pay someone with BTC, with draw the BTC from my mtgox directly into the other person's wallet/mtgox account. Would this be safe?
For example, I can just accept BTC directly into my mtgox account, and if I need to pay someone with BTC, with draw the BTC from my mtgox directly into the other person's wallet/mtgox account. Would this be safe?
Useful information,thanks.
But Armory can be used only for bitcoin right?
Get a cheap netbook and put Armory on it. No one will ever be able to steal your funds over the internet, 100% guaranteed.
This is an impractical overkill. I am talking about securing your everyday use wallet. Not the one for lifesavings! For that I would generate address on bitcoinaddress.org and use paper wallet. This armoryclient looks promising though...
Even that malware you are talking about should not be able to overcome ntfs permissions and access the folder unless it impersonates as the only user account who has permissions to access it. And it should not be able to do it if there is no process running under this account. I am not sure how big is a chance that some malware would hijack the session of a bitcoin-qt process when you "run as" it as this designated account though...
You can also do online transactions with Armory on your normal computer for your everyday funds. The wallet file (or files since it supports multiple wallets) is far easier to maintain and only needs to be backed up once (unlike the Satoshi client with its keypool). Armory supports encryption of the wallet as well, so installing it gives you a secure wallet without having to deal with live cds or anything like that. A key logger would still be bad, but if you didn't mind setting up a live cd like these instructions recommended, you can just use armory with a live cd. That's what I did until I got an old laptop running.
That's right but I think it WOULD work if you used your computer as non-admin user on XP or have UAC enabled of Win 7 and vista. Most computer viruses launch themselves under the currently logged on user by somehow stealing the session, so that brings me to another idea how to make your wallet more secure:
- create another user account in your system (non admin)
- Install bitcoin (or whatever coin you are interested in) client, but do not run it.
- run the client by using "run as" context menu command or "runas" from command line as this newly created user
- change the NTFS permissions on it's data folder so only this new account can access it (also remove "administrators" group from it - you may have to turn of permissions inheriting in advanced menu to do this)
- run the client under this new account
Now your wallet should be relatively safe against wallet stealers or whatever malware, because the file is inaccessible for your account which you normally use and if that malware does not somehow elevate itself to run with admin rights it should not be able to tap into bitcoin-qt's process memory either.
Am I right?
- create another user account in your system (non admin)
- Install bitcoin (or whatever coin you are interested in) client, but do not run it.
- run the client by using "run as" context menu command or "runas" from command line as this newly created user
- change the NTFS permissions on it's data folder so only this new account can access it (also remove "administrators" group from it - you may have to turn of permissions inheriting in advanced menu to do this)
- run the client under this new account
Now your wallet should be relatively safe against wallet stealers or whatever malware, because the file is inaccessible for your account which you normally use and if that malware does not somehow elevate itself to run with admin rights it should not be able to tap into bitcoin-qt's process memory either.
Am I right?
Now, i am not a genius when it comes to computers, but i have enough basic knowledge that i feel like i can come up with an educated guess.
In theory you're idea should work, but i would in combination use a virtual machine that only can be accessed by this NONE admin account, while also blocking all access to the ADMIN account and blocking ITS access to the basic account. What you said is what i am basically saying. Stick a virtual machine on too the computer with a very STRICT Admin account that BLOCKS ALL INTERNET access ( you can set the virtual machine to unplug its internet per-say and only plug it in.. * turn it on * when needed to Add money to the account. While also adding a whole bunch of system security to the whole computer and its virtual machine.. doubling the needed strength to get into the file.. yes if he accesses the virtual machine he in theory could crack it open, but if you lock it down in a file with a extremely long password the computer it self should be fine. I dont have a whole lot of experience with virtual machines but if im sure i dont think the bios is that mod-able.
Cncmasterw - p.s. I'm not student major with English.
and im not very good with periods and commas!~ Get a cheap netbook and put Armory on it. No one will ever be able to steal your funds over the internet, 100% guaranteed.
This is an impractical overkill. I am talking about securing your everyday use wallet. Not the one for lifesavings! For that I would generate address on bitcoinaddress.org and use paper wallet. This armoryclient looks promising though...
Even that malware you are talking about should not be able to overcome ntfs permissions and access the folder unless it impersonates as the only user account who has permissions to access it. And it should not be able to do it if there is no process running under this account. I am not sure how big is a chance that some malware would hijack the session of a bitcoin-qt process when you "run as" it as this designated account though...
Thanks for the info!
Wouldn't you have to download the entire block chain every time you used the LiveCD (which could take over 24 hours)? Also, because they don't have persistence, wouldn't that use over a gig of ram?
I think we need a client that allows for easy/secure temporary account usage (so you can carry around your private key and account info on a USB drive, and be able to use it temporarily). Right now, I think the only way is to keep your entire wallet.dat and swap it out when you want to use your stored accounts, which is a PITA.
I think we need a client that allows for easy/secure temporary account usage (so you can carry around your private key and account info on a USB drive, and be able to use it temporarily). Right now, I think the only way is to keep your entire wallet.dat and swap it out when you want to use your stored accounts, which is a PITA.
This is great info for a BTC newbie like me. Been having fun reading all the possible ways to keep your wallet safe.
Disconnect your computer from the network and generate some Bitcoin addresses. Print them to paper several times.
intermediate step: secure-wipe your printer's flash-memory cache. (don't ask me how to do this, i'd have to look it up).
Close your browser and reconnect to the Internet.
lol, just write down the code on paper. lol
The only 100% secure wallet is a wallet that on a flash drive in a vault.
I think on paper in a vault is better.
The only 100% secure wallet is a wallet that on a flash drive in a vault.
thanks, useful information
Putting my 2 BTC in...
You need to diversify your holdings.
A large portion must go off-line. If your Bitcoins have been secure up to this point, it's relatively safe to assume that your computer has not been compromised so download the BitAddress.org page and save it to disk. Disconnect your computer from the network and generate some Bitcoin addresses. Print them to paper several times. Close your browser and reconnect to the Internet. Send the majority of your Bitcoins in multiple denominations to different Bitcoin addresses. For instance, if you have 1000 Bitcoins and 10 addresses, send 100 Bitcoins to 9 addresses and leave 100 Bitcoins in your online wallet.
Next, download BitcoinSpinner, or some other method to keep a wallet on your phone. Send 10-20 Bitcoins to your phone for casual spending while out and about - offering to pay your friends, family, coworkers Bitcoins in return for buying your lunch or paying your beer tab.
The 50 remaining Bitcoins in your desktop wallet should be for funding your phone and online purchases and holding new bitcoin you purchase from exchanges, etc. When you exceed 50 BTC, send some more to your off-line addresses. Only keep on your phone and desktop what you need for spending.
When it comes time for a big purchase, you only need to import one or more off-line addresses to fund your purchase - rather than the entire amount offline and risk losing it to malware.
Now... to protect your online wallet... you need to be operating outside of the 80% of the average users because that is what malware targets. Anything you do differently will help you miss becoming a target. Encrypt your wallet. Store it in a truecrypt volume. Use a VM. Use Linux as your Bitcoin OS. Buy a dedicated netbook and never use it for anything but Bitcoin.
You need to diversify your holdings.
A large portion must go off-line. If your Bitcoins have been secure up to this point, it's relatively safe to assume that your computer has not been compromised so download the BitAddress.org page and save it to disk. Disconnect your computer from the network and generate some Bitcoin addresses. Print them to paper several times. Close your browser and reconnect to the Internet. Send the majority of your Bitcoins in multiple denominations to different Bitcoin addresses. For instance, if you have 1000 Bitcoins and 10 addresses, send 100 Bitcoins to 9 addresses and leave 100 Bitcoins in your online wallet.
Next, download BitcoinSpinner, or some other method to keep a wallet on your phone. Send 10-20 Bitcoins to your phone for casual spending while out and about - offering to pay your friends, family, coworkers Bitcoins in return for buying your lunch or paying your beer tab.
The 50 remaining Bitcoins in your desktop wallet should be for funding your phone and online purchases and holding new bitcoin you purchase from exchanges, etc. When you exceed 50 BTC, send some more to your off-line addresses. Only keep on your phone and desktop what you need for spending.
When it comes time for a big purchase, you only need to import one or more off-line addresses to fund your purchase - rather than the entire amount offline and risk losing it to malware.
Now... to protect your online wallet... you need to be operating outside of the 80% of the average users because that is what malware targets. Anything you do differently will help you miss becoming a target. Encrypt your wallet. Store it in a truecrypt volume. Use a VM. Use Linux as your Bitcoin OS. Buy a dedicated netbook and never use it for anything but Bitcoin.
That's right but I think it WOULD work if you used your computer as non-admin user on XP or have UAC enabled of Win 7 and vista. Most computer viruses launch themselves under the currently logged on user by somehow stealing the session, so that brings me to another idea how to make your wallet more secure:
- create another user account in your system (non admin)
- Install bitcoin (or whatever coin you are interested in) client, but do not run it.
- run the client by using "run as" context menu command or "runas" from command line as this newly created user
- change the NTFS permissions on it's data folder so only this new account can access it (also remove "administrators" group from it - you may have to turn of permissions inheriting in advanced menu to do this)
- run the client under this new account
Now your wallet should be relatively safe against wallet stealers or whatever malware, because the file is inaccessible for your account which you normally use and if that malware does not somehow elevate itself to run with admin rights it should not be able to tap into bitcoin-qt's process memory either.
Am I right?
- create another user account in your system (non admin)
- Install bitcoin (or whatever coin you are interested in) client, but do not run it.
- run the client by using "run as" context menu command or "runas" from command line as this newly created user
- change the NTFS permissions on it's data folder so only this new account can access it (also remove "administrators" group from it - you may have to turn of permissions inheriting in advanced menu to do this)
- run the client under this new account
Now your wallet should be relatively safe against wallet stealers or whatever malware, because the file is inaccessible for your account which you normally use and if that malware does not somehow elevate itself to run with admin rights it should not be able to tap into bitcoin-qt's process memory either.
Am I right?
Now, i am not a genius when it comes to computers, but i have enough basic knowledge that i feel like i can come up with an educated guess.
In theory you're idea should work, but i would in combination use a virtual machine that only can be accessed by this NONE admin account, while also blocking all access to the ADMIN account and blocking ITS access to the basic account. What you said is what i am basically saying. Stick a virtual machine on too the computer with a very STRICT Admin account that BLOCKS ALL INTERNET access ( you can set the virtual machine to unplug its internet per-say and only plug it in.. * turn it on * when needed to Add money to the account. While also adding a whole bunch of system security to the whole computer and its virtual machine.. doubling the needed strength to get into the file.. yes if he accesses the virtual machine he in theory could crack it open, but if you lock it down in a file with a extremely long password the computer it self should be fine. I dont have a whole lot of experience with virtual machines but if im sure i dont think the bios is that mod-able.
Cncmasterw - p.s. I'm not student major with English.
and im not very good with periods and commas!~ Get a cheap netbook and put Armory on it. No one will ever be able to steal your funds over the internet, 100% guaranteed.
That's right but I think it WOULD work if you used your computer as non-admin user on XP or have UAC enabled of Win 7 and vista. Most computer viruses launch themselves under the currently logged on user by somehow stealing the session, so that brings me to another idea how to make your wallet more secure:
- create another user account in your system (non admin)
- Install bitcoin (or whatever coin you are interested in) client, but do not run it.
- run the client by using "run as" context menu command or "runas" from command line as this newly created user
- change the NTFS permissions on it's data folder so only this new account can access it (also remove "administrators" group from it - you may have to turn of permissions inheriting in advanced menu to do this)
- run the client under this new account
Now your wallet should be relatively safe against wallet stealers or whatever malware, because the file is inaccessible for your account which you normally use and if that malware does not somehow elevate itself to run with admin rights it should not be able to tap into bitcoin-qt's process memory either.
Am I right?
- create another user account in your system (non admin)
- Install bitcoin (or whatever coin you are interested in) client, but do not run it.
- run the client by using "run as" context menu command or "runas" from command line as this newly created user
- change the NTFS permissions on it's data folder so only this new account can access it (also remove "administrators" group from it - you may have to turn of permissions inheriting in advanced menu to do this)
- run the client under this new account
Now your wallet should be relatively safe against wallet stealers or whatever malware, because the file is inaccessible for your account which you normally use and if that malware does not somehow elevate itself to run with admin rights it should not be able to tap into bitcoin-qt's process memory either.
Am I right?
Now, i am not a genius when it comes to computers, but i have enough basic knowledge that i feel like i can come up with an educated guess.
In theory you're idea should work, but i would in combination use a virtual machine that only can be accessed by this NONE admin account, while also blocking all access to the ADMIN account and blocking ITS access to the basic account. What you said is what i am basically saying. Stick a virtual machine on too the computer with a very STRICT Admin account that BLOCKS ALL INTERNET access ( you can set the virtual machine to unplug its internet per-say and only plug it in.. * turn it on * when needed to Add money to the account. While also adding a whole bunch of system security to the whole computer and its virtual machine.. doubling the needed strength to get into the file.. yes if he accesses the virtual machine he in theory could crack it open, but if you lock it down in a file with a extremely long password the computer it self should be fine. I dont have a whole lot of experience with virtual machines but if im sure i dont think the bios is that mod-able.
Cncmasterw - p.s. I'm not student major with English.
and im not very good with periods and commas!~
That's right but I think it WOULD work if you used your computer as non-admin user on XP or have UAC enabled of Win 7 and vista. Most computer viruses launch themselves under the currently logged on user by somehow stealing the session, so that brings me to another idea how to make your wallet more secure:
- create another user account in your system (non admin)
- Install bitcoin (or whatever coin you are interested in) client, but do not run it.
- run the client by using "run as" context menu command or "runas" from command line as this newly created user
- change the NTFS permissions on it's data folder so only this new account can access it (also remove "administrators" group from it - you may have to turn of permissions inheriting in advanced menu to do this)
- run the client under this new account
Now your wallet should be relatively safe against wallet stealers or whatever malware, because the file is inaccessible for your account which you normally use and if that malware does not somehow elevate itself to run with admin rights it should not be able to tap into bitcoin-qt's process memory either.
Am I right?
- create another user account in your system (non admin)
- Install bitcoin (or whatever coin you are interested in) client, but do not run it.
- run the client by using "run as" context menu command or "runas" from command line as this newly created user
- change the NTFS permissions on it's data folder so only this new account can access it (also remove "administrators" group from it - you may have to turn of permissions inheriting in advanced menu to do this)
- run the client under this new account
Now your wallet should be relatively safe against wallet stealers or whatever malware, because the file is inaccessible for your account which you normally use and if that malware does not somehow elevate itself to run with admin rights it should not be able to tap into bitcoin-qt's process memory either.
Am I right?
This is a very good idea
Jump to: