Bitcoin Forum>Bitcoin>Bitcoin Technical Support
Pages:
Author

Topic: Looking for a way to add extra security (Read 474 times)

larry_vw_1955
sr. member
Activity: 1036
Merit: 350
Looking for a way to add extra security
April 11, 2022, 08:52:59 PM
#47
Quote from: ABCbits on April 11, 2022, 05:39:04 AM
Few random article,
https://www.theguardian.com/technology/2014/apr/15/gmail-scans-all-emails-new-google-terms-clarify
https://easydns.com/blog/2019/06/03/googles-gmail-scans-parses-analyzes-and-catalogs-your-email/
it's automated. there's no person reading the emails. that doesn't affect me at all as far as something i store there that is encrypted because nothing can read that.


Quote
If you're looking for case where regular user is blocked/banned, there are many such posts on twitter, reddit or facebook. Few random example from reddit (since twitter/facebook won't let you search without login),

https://www.reddit.com/r/google/comments/2qhjf5/my_google_drive_account_was_randomly_suspended/
his account was reinstated. nothing was lost. but yeah he did have to jump through some hoops and google had him by the balls for a while...

Quote
https://www.reddit.com/r/GooglePixel/comments/7nrx07/google_permanently_banned_my_account_because/
Yeah, it says:
...Google banned my payments account because I returned some RMA pixel phones to them and their system didn't recognize the return. When I did a credit card charge back, they banned me. There was no appeal process

Seems like he flew off the handle and did a charge back. so none of what happened after that is surprising at all.

Quote
Besides, the risk is applicable to all kinds of Google users.
thats why you have to replicate your most important data to other places than just google. easier said than done but that's what you have to do. that's what I do. and i had planned to replicate it to some offline storage too but haven't gotten around to it due to being more inconveinent. but i will.


Quote
At the end of the day using cloud services (includes email) to store your private keys is still relying on third parties which is something you should never do when it comes to bitcoin, whether it is usage or storage.They may some day decide that they don't like bitcoin (maybe because google creates their own centralized shitcoin) and ban all accounts that had some activity that related to bitcoin!

i'll let you have the last word on this pooya. suffice it to say that some of this discussion made me realize i need to "beef up" my data storage protocol to make it a bit more robust. thanks guys! Grin




pooya87
legendary
Activity: 3472
Merit: 10611
Re: Looking for a way to add extra security
April 11, 2022, 08:34:07 AM
#46
At the end of the day using cloud services (includes email) to store your private keys is still relying on third parties which is something you should never do when it comes to bitcoin, whether it is usage or storage. They may some day decide that they don't like bitcoin (maybe because google creates their own centralized shitcoin) and ban all accounts that had some activity that related to bitcoin!
ABCbits
legendary
Activity: 2870
Merit: 7490
Crypto Swap Exchange
Re: Looking for a way to add extra security
April 11, 2022, 05:39:04 AM
#45
Quote from: larry_vw_1955 on April 10, 2022, 09:09:40 PM
Quote from: o_e_l_e_o on April 10, 2022, 05:23:29 AM
Gmail? My god. The same service which openly reads all your emails and attachments?
says who?

Few random article,
https://www.theguardian.com/technology/2014/apr/15/gmail-scans-all-emails-new-google-terms-clarify
https://easydns.com/blog/2019/06/03/googles-gmail-scans-parses-analyzes-and-catalogs-your-email/

Quote from: larry_vw_1955 on April 10, 2022, 09:09:40 PM
Quote
I'd like to mention that Google also could forbid access to "your" data. Usually either don't give the reason or mention vague ToS. And the appeal process isn't easy since usually you'll get robot response.

Check these articles,
Game developers, google play developers, those arent' your typical user. Not surprising at all that this might have happened to them. Not sure they deserved it but they shoudl have realized the risk...

Yahoo mail lost a huge amount of peoples' emails a long time ago. Stuff happens like that. you just have to roll with the punches.

If you're looking for case where regular user is blocked/banned, there are many such posts on twitter, reddit or facebook. Few random example from reddit (since twitter/facebook won't let you search without login),

https://www.reddit.com/r/google/comments/2qhjf5/my_google_drive_account_was_randomly_suspended/
https://www.reddit.com/r/GooglePixel/comments/7nrx07/google_permanently_banned_my_account_because/

Besides, the risk is applicable to all kinds of Google users.
o_e_l_e_o
legendary
Activity: 2268
Merit: 18587
Re: Looking for a way to add extra security
April 11, 2022, 05:28:09 AM
#44
Quote from: larry_vw_1955 on April 10, 2022, 09:09:40 PM
says who?
Says Google:

Quote from: larry_vw_1955 on April 10, 2022, 09:09:40 PM
hardware goes bad all the time, flash drives, smartphones, ssds, etc, etc. landfills are filled with the stuff i'm sure. some of it has peoples' data on it that they wish they didn't lose.
Which is why every good wallet tells you to write down your seed phrase on paper.

Quote from: larry_vw_1955 on April 10, 2022, 09:09:40 PM
hard drives do overwrite unused sectors all the time so it's not like it's going to sit there forever.
Depends on how much data your write to the hard drive. And if it's an SSD, then it might deliberately not write to that sector due to wear leveling.

Quote from: larry_vw_1955 on April 10, 2022, 09:09:40 PM
Therefore, no one should ever store sensitive data online. It's a necessary thing.
It's a necessary thing for some types of sensitive data, such as an online fiat bank account. It is absolutely not necessary for anything to do with a bitcoin wallet.

Quote from: larry_vw_1955 on April 10, 2022, 09:09:40 PM
But yet when it comes to crypto that's somehow different and it shouldn't be stored online along with their pictures of their family, house, dog, car, credit cards, bank account details etc.....
Why on Earth are you storing pictures of your credit card online?

Quote from: larry_vw_1955 on April 10, 2022, 09:09:40 PM
Game developers, google play developers, those arent' your typical user.
Google ban accounts all the time. Just Google it (heh). Even something as simple as the credit card linked to your account expiring has been enough for accounts to get shutdown.

Quote from: larry_vw_1955 on April 10, 2022, 09:09:40 PM
Not sure they deserved it but they shoudl have realized the risk...
Much like you are dismissing all the significant risks you are taking?
larry_vw_1955
sr. member
Activity: 1036
Merit: 350
Re: Looking for a way to add extra security
April 10, 2022, 09:09:40 PM
#43
Quote from: o_e_l_e_o on April 10, 2022, 05:23:29 AM
Gmail? My god. The same service which openly reads all your emails and attachments?


says who?

Quote from: larry_vw_1955 on April 09, 2022, 11:20:19 PM
One person throwing out a hard drive does not mean offline back ups are unsafe. Shall we compare how many people have thrown away a hard drive to how many online accounts have been hacked or how many people have lost their passwords? The later is orders of magnitude larger than the former.
the word hard drive in this context could encompass any form of offline storage. so i'm not sure i would agree with your assessment. hardware goes bad all the time, flash drives, smartphones, ssds, etc, etc. landfills are filled with the stuff i'm sure. some of it has peoples' data on it that they wish they didn't lose.

Quote from: larry_vw_1955 on April 09, 2022, 11:20:19 PM
I don't waste time with live OS's.
In which case, your seed phrase likely still exists in plain text somewhere on your hard drive, unless you have overwritten the relevant sector of your hard drive with junk data, either manually or with a dedicated program, which most people don't do.
that's an unlikely attack vector but i suppose it could happen but not in all cases. for example say I am using electrum. i'll just encrypt the wallet. no seed phrase is stored on the hard drive "in the clear". as well, hard drives do overwrite unused sectors all the time so it's not like it's going to sit there forever.

Quote
There is literally no system in the word which is invulnerable to being attacked. Pretty much every email provider in existence has been hacked at some point. Google were caught storing passwords in plain text for 14 years without any of their security team noticing. Plenty of encryption software have had flawed implementations or critical bugs, including very popular ones like TrueCrypt.If you upload something to the internet, then it is at risk.
Therefore, no one should ever store sensitive data online. It's a necessary thing. And I think almost everyone does it. They just don't want to admit to it. But yet when it comes to crypto that's somehow different and it shouldn't be stored online along with their pictures of their family, house, dog, car, credit cards, bank account details etc.....

Quote
I'd like to mention that Google also could forbid access to "your" data. Usually either don't give the reason or mention vague ToS. And the appeal process isn't easy since usually you'll get robot response.

Check these articles,

Game developers, google play developers, those arent' your typical user. Not surprising at all that this might have happened to them. Not sure they deserved it but they shoudl have realized the risk...

Yahoo mail lost a huge amount of peoples' emails a long time ago. Stuff happens like that. you just have to roll with the punches.
ABCbits
legendary
Activity: 2870
Merit: 7490
Crypto Swap Exchange
Re: Looking for a way to add extra security
April 10, 2022, 07:14:53 AM
#42
Quote from: larry_vw_1955 on April 09, 2022, 11:20:19 PM
Quote
Said every single person who has ever lost their coins.
that guy that has his bitcoins stored on a hard drive. the whole world knows where the hard drive is located. he does too. problem is, he can't get access to the hard drive because they won't let him go near the garbage dump and he probably has anxiety knowing that maybe someone else has a plan to try and dig up his hdd out of that trash dump. seems to me, if he would have just used gmail to store his btc private keys, he would be good to go. but he wanted to store them offline to keep them safe. they're safe alright. safe from his reach.

I'd like to mention that Google also could forbid access to "your" data. Usually either don't give the reason or mention vague ToS. And the appeal process isn't easy since usually you'll get robot response.

Check these articles,
https://www.businessinsider.com/google-users-locked-out-after-years-2020-10
https://medium.com/@sixacegames/how-google-destroyed-our-startup-by-terminating-our-google-play-developer-account-6a8cca09ea88
https://arstechnica.com/gadgets/2021/01/googles-bots-decide-ass-subtitle-support-is-too-risque-for-the-play-store/
o_e_l_e_o
legendary
Activity: 2268
Merit: 18587
Re: Looking for a way to add extra security
April 10, 2022, 05:23:29 AM
#41
Quote from: larry_vw_1955 on April 09, 2022, 11:20:19 PM
gmail has ways to recover an account if you forgot your pw. they are called backup recovery methods. you should check it out.
Gmail? My god. The same service which openly reads all your emails and attachments? And now your back up is duplicated on hundreds of servers around the world which are accessible by thousands of individuals, with unknown physical or digital security.

Quote from: larry_vw_1955 on April 09, 2022, 11:20:19 PM
that guy that has his bitcoins stored on a hard drive. the whole world knows where the hard drive is located. he does too. problem is, he can't get access to the hard drive because they won't let him go near the garbage dump and he probably has anxiety knowing that maybe someone else has a plan to try and dig up his hdd out of that trash dump. seems to me, if he would have just used gmail to store his btc private keys, he would be good to go. but he wanted to store them offline to keep them safe. they're safe alright. safe from his reach.
One person throwing out a hard drive does not mean offline back ups are unsafe. Shall we compare how many people have thrown away a hard drive to how many online accounts have been hacked or how many people have lost their passwords? The later is orders of magnitude larger than the former.

Quote from: larry_vw_1955 on April 09, 2022, 11:20:19 PM
I don't waste time with live OS's.
In which case, your seed phrase likely still exists in plain text somewhere on your hard drive, unless you have overwritten the relevant sector of your hard drive with junk data, either manually or with a dedicated program, which most people don't do.
larry_vw_1955
sr. member
Activity: 1036
Merit: 350
Re: Looking for a way to add extra security
April 09, 2022, 11:20:19 PM
#40
Quote from: pooya87 on April 09, 2022, 12:59:42 AM
Quote from: larry_vw_1955 on April 09, 2022, 12:33:06 AM
Backing things up in physical form is a hassle. And then you have to keep track of where you hid them. What happens if you forgot about some of the "secure locations" ?
Same thing could be said about any other storage method for example what happens when you forget your login password to your gmail account or wherever else you stored it online!

gmail has ways to recover an account if you forgot your pw. they are called backup recovery methods. you should check it out.

Quote

Said every single person who has ever lost their coins.

that guy that has his bitcoins stored on a hard drive. the whole world knows where the hard drive is located. he does too. problem is, he can't get access to the hard drive because they won't let him go near the garbage dump and he probably has anxiety knowing that maybe someone else has a plan to try and dig up his hdd out of that trash dump. seems to me, if he would have just used gmail to store his btc private keys, he would be good to go. but he wanted to store them offline to keep them safe. they're safe alright. safe from his reach.

Quote
Did you encrypt it on an airgapped live OS to ensure you left no traces? Did you use an open source piece of software which you have personally examined the code to ensure it is secure and bug free? Did you use a long and completely random encrypted key generated by a true source of entropy? Did you ensure the connection between your computer and the server you are uploading it was completely secure? Did you physically visit and examine the server to ensure it is physically secure? Have you examined all the software it is running and its electronic security? Do you know all the people who have physical or electronic access to it?
I don't waste time with live OS's. But I do use open source for encryption and no I didn't examine the code but I'm reasonably certain it is not phoning home because other people have no doubt audited it. And I could if I wanted to, although I may not have the expertise to really understand if there are less obvious bugs. But that's why I test the software. make sure it works before I start using it in a "production environment". I use long passwords so no one is going to guess them. They are generated by software in many cases. But I don't have a radioactive decay detector hooked up to my windows machine if that's what you're asking. I do assume though that things I upload to the cloud are inspected and people are actively trying to take a look at it and decrypt it to find out what is inside the container. thanks for the comment!
kalihunter
member
Activity: 64
Merit: 15
Re: Looking for a way to add extra security
April 09, 2022, 02:16:33 PM
#39
I suggest using Veracrypt , it encrypts and u also can put 21 longs password too. encrypted files is non readable. second way is to write seeds on papers and save it.
o_e_l_e_o
legendary
Activity: 2268
Merit: 18587
Re: Looking for a way to add extra security
April 09, 2022, 05:13:46 AM
#38
Quote from: larry_vw_1955 on April 09, 2022, 12:33:06 AM
Something that is properly encrypted is not attackable by anyone in the world with a computer is how i see it. So i'm not worried.
Did you encrypt it on an airgapped live OS to ensure you left no traces? Did you use an open source piece of software which you have personally examined the code to ensure it is secure and bug free? Did you use a long and completely random encrypted key generated by a true source of entropy? Did you ensure the connection between your computer and the server you are uploading it was completely secure? Did you physically visit and examine the server to ensure it is physically secure? Have you examined all the software it is running and its electronic security? Do you know all the people who have physical or electronic access to it?

There is literally no system in the word which is invulnerable to being attacked. Pretty much every email provider in existence has been hacked at some point. Google were caught storing passwords in plain text for 14 years without any of their security team noticing. Plenty of encryption software have had flawed implementations or critical bugs, including very popular ones like TrueCrypt.If you upload something to the internet, then it is at risk.

Quote from: larry_vw_1955 on April 09, 2022, 12:33:06 AM
Backing things up in physical form is a hassle. And then you have to keep track of where you hid them. What happens if you forgot about some of the "secure locations" ?
Far less of a hassle than securely storing something online. And what happens if you forget your email password? Or your decryption key? Or your email provider shuts down your account? Or wipes their servers?

Quote from: larry_vw_1955 on April 09, 2022, 12:33:06 AM
who uses weak passwords? not me.
Most people.

Quote from: larry_vw_1955 on April 09, 2022, 12:33:06 AM
they never have been and so there you go.
And I could drive with no seat belt or airbags for 10 years and suffer no harm from it. Doesn't mean it's a smart idea.
pooya87
legendary
Activity: 3472
Merit: 10611
Re: Looking for a way to add extra security
April 09, 2022, 12:59:42 AM
#37
Quote from: larry_vw_1955 on April 09, 2022, 12:33:06 AM
Backing things up in physical form is a hassle. And then you have to keep track of where you hid them. What happens if you forgot about some of the "secure locations" ?
Same thing could be said about any other storage method for example what happens when you forget your login password to your gmail account or wherever else you stored it online!

Quote
they never have been and so there you go.
Said every single person who has ever lost their coins.
larry_vw_1955
sr. member
Activity: 1036
Merit: 350
Re: Looking for a way to add extra security
April 09, 2022, 12:33:06 AM
#36
Quote from: o_e_l_e_o on April 08, 2022, 05:58:55 AM
Quote from: larry_vw_1955 on April 07, 2022, 08:39:46 PM
online storage has the benefit of being accessible from almost anywhere...so it's not like it doesnt have its advantages.
I don't see that as an advantage at all, but rather a significant disadvantage. I don't want my seed phrase to be able to be accessed from anywhere. I want it securely locked down in one or two specific and secure locations, and not attackable by anyone in the world with a computer.

Something that is properly encrypted is not attackable by anyone in the world with a computer is how i see it. So i'm not worried.

Quote from: larry_vw_1955 on April 08, 2022, 02:50:24 AM
That's why I would use redundancy. Storing the encrypted seed in at least 2 different email accounts.
Then just use redundancy with your paper back ups for the same but more secure outcome.

Backing things up in physical form is a hassle. And then you have to keep track of where you hid them. What happens if you forgot about some of the "secure locations" ?

Quote from: larry_vw_1955 on April 08, 2022, 02:50:24 AM
You can use whatever password you want to when using AES-256. Nothing to invent there.
Use a weak one and it will be brute forced.
who uses weak passwords? not me.

Quote
Problem not solved at all. If anything, you've just made it significantly more likely your coins are stolen.
they never have been and so there you go.
o_e_l_e_o
legendary
Activity: 2268
Merit: 18587
Re: Looking for a way to add extra security
April 08, 2022, 05:58:55 AM
#35
Quote from: larry_vw_1955 on April 07, 2022, 08:39:46 PM
online storage has the benefit of being accessible from almost anywhere...so it's not like it doesnt have its advantages.
I don't see that as an advantage at all, but rather a significant disadvantage. I don't want my seed phrase to be able to be accessed from anywhere. I want it securely locked down in one or two specific and secure locations, and not attackable by anyone in the world with a computer.

Quote from: larry_vw_1955 on April 08, 2022, 02:50:24 AM
That's why I would use redundancy. Storing the encrypted seed in at least 2 different email accounts.
Then just use redundancy with your paper back ups for the same but more secure outcome.

Quote from: larry_vw_1955 on April 08, 2022, 02:50:24 AM
You can use whatever password you want to when using AES-256. Nothing to invent there.
Use a weak one and it will be brute forced.

Quote from: larry_vw_1955 on April 08, 2022, 02:50:24 AM
Well I don't write down passwords on paper. not my thing. I would store the pw online too but not in the same place the encrypted seed is stored. problem solved.
Problem not solved at all. If anything, you've just made it significantly more likely your coins are stolen.
larry_vw_1955
sr. member
Activity: 1036
Merit: 350
Re: Looking for a way to add extra security
April 08, 2022, 02:50:24 AM
#34
Quote from: pooya87 on April 07, 2022, 11:44:53 PM
There is a higher chance of you not being able to access your Gmail account for different reasons than you losing your paper wallet.
That's why I would use redundancy. Storing the encrypted seed in at least 2 different email accounts.

Quote
And when it comes to encryption, it all comes down to what kind of password and what algorithm you used to encrypt it. There is no BIP for encryption mnemonics so you'll have to come up with your own and security of that method may not be enough.

You can use whatever password you want to when using AES-256. Nothing to invent there.

Quote
Grin
 Not to mention that now you would have to write down the password on a piece of paper so that you don't forget it! In other words we are back where we started.

Well I don't write down passwords on paper. not my thing. I would store the pw online too but not in the same place the encrypted seed is stored. problem solved.
pooya87
legendary
Activity: 3472
Merit: 10611
Re: Looking for a way to add extra security
April 07, 2022, 11:44:53 PM
#33
Quote from: larry_vw_1955 on April 07, 2022, 08:39:46 PM
i'm not sure where i read this but just because you store something on fire resistant metal or something doesn't mean it can't become inaccessible to you. online storage has the benefit of being accessible from almost anywhere...so it's not like it doesnt have its advantages. if i encrypt my seed phrase and store it in my gmail, to me, that's pretty solid. otoh, if i store it unencrypted in my gmail, that's not very solid. assuming gmail doesn't go out of business, i should be good right?
There is a higher chance of you not being able to access your Gmail account for different reasons than you losing your paper wallet.
And when it comes to encryption, it all comes down to what kind of password and what algorithm you used to encrypt it. There is no BIP for encryption mnemonics so you'll have to come up with your own and security of that method may not be enough. Not to mention that now you would have to write down the password on a piece of paper so that you don't forget it! In other words we are back where we started.
larry_vw_1955
sr. member
Activity: 1036
Merit: 350
Re: Looking for a way to add extra security
April 07, 2022, 08:39:46 PM
#32
Quote from: pooya87 on April 06, 2022, 10:58:39 PM

Just because some people used a bad medium (paper instead of laminated paper or metal sheet, etc.) to store their key on and they weren't careful when storing it, that doesn't mean a very terrible method of storing backups such as online storage is suddenly a good idea.

i'm not sure where i read this but just because you store something on fire resistant metal or something doesn't mean it can't become inaccessible to you. online storage has the benefit of being accessible from almost anywhere...so it's not like it doesnt have its advantages. if i encrypt my seed phrase and store it in my gmail, to me, that's pretty solid. otoh, if i store it unencrypted in my gmail, that's not very solid. assuming gmail doesn't go out of business, i should be good right?

pooya87
legendary
Activity: 3472
Merit: 10611
Re: Looking for a way to add extra security
April 06, 2022, 10:58:39 PM
#31
Quote from: larry_vw_1955 on April 06, 2022, 09:12:20 PM
and yet people occasionally come to the forum with a "a rat ate part of the paper my seed phrase was stored on" or some other story about how part of the paper got destroyed or is unreadable...i bet those people wish they would have saved a backup online somewhere.
Just because some people used a bad medium (paper instead of laminated paper or metal sheet, etc.) to store their key on and they weren't careful when storing it, that doesn't mean a very terrible method of storing backups such as online storage is suddenly a good idea.
larry_vw_1955
sr. member
Activity: 1036
Merit: 350
Re: Looking for a way to add extra security
April 06, 2022, 09:12:20 PM
#30
Quote from: Asiska02 on April 06, 2022, 04:08:04 AM
Saving your recovery seed online can be prone to attack by other users, it can never be guaranteed 100% safe as long as it is online. It is prone to attackers, virus or even system damage and you’ll eventually lose everything. The best way to keep it safe is to get it written down in a safe place. You can write it down with a code only you understand in order to be able to access it by yourself even if someone sees where you kept it.

and yet people occasionally come to the forum with a "a rat ate part of the paper my seed phrase was stored on" or some other story about how part of the paper got destroyed or is unreadable...i bet those people wish they would have saved a backup online somewhere.
Asiska02
hero member
Activity: 812
Merit: 675
Re: Looking for a way to add extra security
April 06, 2022, 04:08:04 AM
#29
Saving your recovery seed online can be prone to attack by other users, it can never be guaranteed 100% safe as long as it is online. It is prone to attackers, virus or even system damage and you’ll eventually lose everything. The best way to keep it safe is to get it written down in a safe place. You can write it down with a code only you understand in order to be able to access it by yourself even if someone sees where you kept it.
o_e_l_e_o
legendary
Activity: 2268
Merit: 18587
Re: Looking for a way to add extra security
April 05, 2022, 06:16:58 AM
#28
Quote from: JohanM on April 05, 2022, 05:42:42 AM
I see no problem in putting it in a file, but it needs to be done securely.
"But it needs to be done securely". That's the problem right there. Most people cannot do it securely. The average person does not know what an airgapped device is, let alone how to open up a computer and physically remove all the necessary hardware. The average person does not know what Linux is, let alone how to format their new airgapped device and install a clean open source OS on it. The average person does not know what encryption is, let alone how to get Veracrypt downloaded, verified, safely transferred over to their airgapped device, installed, and used to create a hidden container. The average person does not know what open source is, let alone being able to review the code of Veracrypt and the encryption algorithm they choose to ensure their encrypted files are safe and secure. The number of steps which could go wrong is huge, and the average person will not be able to identify any steps which have gone wrong or any points in which they have compromised their security.

However, the average person is able to very securely write down 24 words on a piece of paper.

So yes, if you know what you are doing then go ahead and use encrypted airgapped wallets or back ups (I do), but you must realize there is a significant learning curve compared to paper back ups.

Quote from: JohanM on April 05, 2022, 05:42:42 AM
Remember: paper or metal backups can be found, stolen or confiscated easily.
If your paper back ups can be easily found and stolen, then you need to find a more secure storage location. I have far more trust in my physical storage locations than I would in, for example, a cloud storage provider not closing my account and losing my files.
Pages:
Bitcoin Forum>Bitcoin>Bitcoin Technical Support
Jump to: