Questions regarding security | Bitcointalksearch.org

Kprawn

legendary

Activity: 1904

Merit: 1074

Quote from: DaveF on November 02, 2019, 06:52:10 AM

Quote from: Nunuface on November 02, 2019, 04:24:08 AM

Hi guys,

I've just purchased a Ledger and a Coinkite. The beauty of Coinkite hardware wallet is that you never have to connect it online. However, I am thinking: how can I be sure that the BIP39 seed they generate for me is actually randomly generated and not pre-programmed into the device? For example could Coinkite or Ledger could pre-program 1000's of seeds into the devices so that they know there is a high probability that I end up using one of these seeds?

For the ColdCard not only is the software open source so is the hardware:

Firmware:
https://github.com/Coldcard/firmware

Build your own hardware:
https://blog.coinkite.com/coldcard-hardware-shared/

So, yeah you can trust them.

-Dave

Well, if I am not wrong.. Blockchain.info also used Open source code to randomly generate Bitcoin addresses, but at one stage people figured out

that it was not that random at all. Here is a article to show you what happened when the random generator was flawed and not that random at

all https://www.coindesk.com/blockchain-info-issues-refunds-to-bitcoin-theft-victims Important note : Blockchain.info patched the bug, so this

is not a problem anymore.

DiamondCardz

legendary

Activity: 1134

Merit: 1118

Quote from: unsoindovo on November 02, 2019, 05:15:10 AM

Quote from: Deathwing on November 02, 2019, 04:42:15 AM

If you don't want to trust a third party, just get Bitcoin Core to a computer without any internet connection, generate your keys and use it that way. You can sign a transaction on the computer and push it to blockchain on another one.

I'm really interested in this use case!
Can you share a link to a tutorial?
I'm using a vmwave virtual machine to store my bitcoin core wallet. Dat. But I use it with internet connection. The only improve I got, is to shutdown the machine when I don't use it.

This is a relatively basic example of proper cold storage, in fact I'd probably say that Bitcoin Core on an airgapped computer is the most simple form of cold storage you can get. If you're using a virtual machine that's effectively still a hot wallet as a hacker with access to the host machine can gain access to the virtual machine.

There are many tutorials on how to set up cold storage, but the most simple way is: Set up a PC that has no internet connection, download a Bitcoin wallet to a USB stick, install it on the PC with no internet connection, randomly generate a private key and import it onto the airgapped PC, and then send Bitcoin to that wallet. Your Bitcoin is now in cold storage.

When you want to get Bitcoin off that machine, you generate a transaction on an online computer using the public key of the cold storage wallet's address, transfer the transaction file to the cold storage computer, sign it on that computer using the cold storage's private key, and then finally move it back onto the online computer and broadcast it.

Dabs

legendary

Activity: 3416

Merit: 1912

The Concierge of Crypto

I used to use something like Glacier when I had a lot of contracts, but it was a lot of work and not that much more added security. Paper wallets and air gapped machines are more practical. I actually only recently discovered Glacier and I find it too much, even for someone storing thousands of coins. I'm pretty sure the cold and hot wallets of big exchanges use something else.

VMs running in a machine you have physical control over and where you personally installed the hypervisor and keep it secure or update would be fine in my opinion. I got a refurbished or off-lease rack server for cheap and use that for plenty of different VMs, I mean that's the only way to maximize usage of plenty of RAM. 32 GB to 48 to 64 GB. Could even add more.

Nunuface

newbie

Activity: 16

Merit: 4

Awesome, thank you!

DaveF

legendary

Activity: 3500

Merit: 6320

Crypto Swap Exchange

Quote from: Nunuface on November 02, 2019, 04:24:08 AM

Hi guys,

I've just purchased a Ledger and a Coinkite. The beauty of Coinkite hardware wallet is that you never have to connect it online. However, I am thinking: how can I be sure that the BIP39 seed they generate for me is actually randomly generated and not pre-programmed into the device? For example could Coinkite or Ledger could pre-program 1000's of seeds into the devices so that they know there is a high probability that I end up using one of these seeds?

For the ColdCard not only is the software open source so is the hardware:

Firmware:
https://github.com/Coldcard/firmware

Build your own hardware:
https://blog.coinkite.com/coldcard-hardware-shared/

So, yeah you can trust them.

-Dave

Deathwing

legendary

Activity: 1638

Merit: 1329

Stultorum infinitus est numerus

Quote from: unsoindovo on November 02, 2019, 05:15:10 AM

Quote from: Deathwing on November 02, 2019, 04:42:15 AM

Quote from: Nunuface on November 02, 2019, 04:24:08 AM

Hi guys,

I've just purchased a Ledger and a Coinkite. The beauty of Coinkite hardware wallet is that you never have to connect it online. However, I am thinking: how can I be sure that the BIP39 seed they generate for me is actually randomly generated and not pre-programmed into the device? For example could Coinkite or Ledger could pre-program 1000's of seeds into the devices so that they know there is a high probability that I end up using one of these seeds?

I know Ledger is extremely reputable and are not doing this, but for a smaller company like Coinkite I would like to be sure. I checked both of my devices and they are genuine (not compromised).
I just don't want having to trust a 3rd party, if it can't be guaranteed that these seeds are in fact generated randomly I will just have to generate my own private key using dice rolls via the Glacier Protocol.

Would appreciate help! Thank you!

If you don't want to trust a third party, just get Bitcoin Core to a computer without any internet connection, generate your keys and use it that way. You can sign a transaction on the computer and push it to blockchain on another one.

I'm really interested in this use case!
Can you share a link to a tutorial?
I'm using a vmwave virtual machine to store my bitcoin core wallet. Dat. But I use it with internet connection. The only improve I got, is to shutdown the machine when I don't use it.

Virtual machines can be hacked if the main one is hacked. Don't use virtual machines, just get a cheap computer and/or raspberry pi to store your coins there without connecting it to the internet.

Rath_

legendary

Activity: 1876

Merit: 3132

Quote from: unsoindovo on November 02, 2019, 05:15:10 AM

Quote from: Deathwing on November 02, 2019, 04:42:15 AM

If you don't want to trust a third party, just get Bitcoin Core to a computer without any internet connection, generate your keys and use it that way. You can sign a transaction on the computer and push it to blockchain on another one.

Can you share a link to a tutorial?

The whole process looks a bit complicated for Bitcoin Core. It's more common for its users to keep the wallet online in order to have all the (latest) blocks downloaded. Consider choosing Electrum instead, it will be much easier for you. No commands involved.

unsoindovo

legendary

Activity: 1932

Merit: 1042

https://locktrip.com/?refId=40964

Quote from: Deathwing on November 02, 2019, 04:42:15 AM

Quote from: Nunuface on November 02, 2019, 04:24:08 AM

Hi guys,

I've just purchased a Ledger and a Coinkite. The beauty of Coinkite hardware wallet is that you never have to connect it online. However, I am thinking: how can I be sure that the BIP39 seed they generate for me is actually randomly generated and not pre-programmed into the device? For example could Coinkite or Ledger could pre-program 1000's of seeds into the devices so that they know there is a high probability that I end up using one of these seeds?

I know Ledger is extremely reputable and are not doing this, but for a smaller company like Coinkite I would like to be sure. I checked both of my devices and they are genuine (not compromised).
I just don't want having to trust a 3rd party, if it can't be guaranteed that these seeds are in fact generated randomly I will just have to generate my own private key using dice rolls via the Glacier Protocol.

Would appreciate help! Thank you!

If you don't want to trust a third party, just get Bitcoin Core to a computer without any internet connection, generate your keys and use it that way. You can sign a transaction on the computer and push it to blockchain on another one.

I'm really interested in this use case!
Can you share a link to a tutorial?
I'm using a vmwave virtual machine to store my bitcoin core wallet. Dat. But I use it with internet connection. The only improve I got, is to shutdown the machine when I don't use it.

Deathwing

legendary

Activity: 1638

Merit: 1329

Stultorum infinitus est numerus

Quote from: Nunuface on November 02, 2019, 04:24:08 AM

Hi guys,

I've just purchased a Ledger and a Coinkite. The beauty of Coinkite hardware wallet is that you never have to connect it online. However, I am thinking: how can I be sure that the BIP39 seed they generate for me is actually randomly generated and not pre-programmed into the device? For example could Coinkite or Ledger could pre-program 1000's of seeds into the devices so that they know there is a high probability that I end up using one of these seeds?

I know Ledger is extremely reputable and are not doing this, but for a smaller company like Coinkite I would like to be sure. I checked both of my devices and they are genuine (not compromised).
I just don't want having to trust a 3rd party, if it can't be guaranteed that these seeds are in fact generated randomly I will just have to generate my own private key using dice rolls via the Glacier Protocol.

Would appreciate help! Thank you!

If you don't want to trust a third party, just get Bitcoin Core to a computer without any internet connection, generate your keys and use it that way. You can sign a transaction on the computer and push it to blockchain on another one.

Lauda

legendary

Activity: 2674

Merit: 2965

Terminated.

Quote from: Nunuface on November 02, 2019, 04:24:08 AM

The beauty of Coinkite hardware wallet is that you never have to connect it online. However, I am thinking: how can I be sure that the BIP39 seed they generate for me is actually randomly generated and not pre-programmed into the device?

Is it open source? If yes, you can verify this. If not, you can not verify this.

Quote from: Nunuface on November 02, 2019, 04:24:08 AM

For example could Coinkite or Ledger could pre-program 1000's of seeds into the devices so that they know there is a high probability that I end up using one of these seeds?

Of course, this is trivial to do.

Quote from: Nunuface on November 02, 2019, 04:24:08 AM

I just don't want having to trust a 3rd party, if it can't be guaranteed that these seeds are in fact generated randomly I will just have to generate my own private key using dice rolls via the Glacier Protocol.

I find it unlikely that anyone who has mentioned the Glacier Protocol in this context (on the forum; from what I've seen) has the sum of money that requires something like the Glacier Protocol. A simple air-gapped system which you wipe afterwards is fine.

Nunuface

newbie

Activity: 16

Merit: 4

Hi guys,

I've just purchased a Ledger and a Coinkite. The beauty of Coinkite hardware wallet is that you never have to connect it online. However, I am thinking: how can I be sure that the BIP39 seed they generate for me is actually randomly generated and not pre-programmed into the device? For example could Coinkite or Ledger could pre-program 1000's of seeds into the devices so that they know there is a high probability that I end up using one of these seeds?

I know Ledger is extremely reputable and are not doing this, but for a smaller company like Coinkite I would like to be sure. I checked both of my devices and they are genuine (not compromised).
I just don't want having to trust a 3rd party, if it can't be guaranteed that these seeds are in fact generated randomly I will just have to generate my own private key using dice rolls via the Glacier Protocol.

Would appreciate help! Thank you!

Topic: Questions regarding security (Read 171 times)