
Topic: security recommendations

legendary
Activity: 980
Merit: 1004
Firstbits: Compromised. Thanks, Android!
August 11, 2013, 01:36:16 PM
#14
Just as an update, here are a couple of threads that may suggest what happened to your funds:

https://bitcointalksearch.org/topic/have-i-been-hacked-how-251743
https://bitcointalksearch.org/topic/announce-android-key-rotation-271831
legendary
Activity: 980
Merit: 1004
Firstbits: Compromised. Thanks, Android!
July 30, 2013, 10:59:27 PM
#13
well, my passwords (rather the ROT(n) versions of them, which i changed)
were "gafa973p3l5h7" to login and "txtxtx18" to withdraw.  Granted these may not be award winning passwords, but they are not THAT easy to hack, are they?

I'm not an IT security professional. But I try to fully digest anything related to the topic that I come across. From everything I've encountered, that second password probably isn't very strong. Only eight characters, consisting of a simple, repeated lowercase pattern and two digits on the end? I wouldn't trust it; I would think any reasonably-sophisticated password-testing algorithm wouldn't take too much time to stumble onto it.

Actual IT security professionals, feel free to corroborate or correct....
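The post above argues that an eight-character password built from a repeated lowercase token plus two digits is far weaker than its length suggests. As an added illustration (not code from the thread or from any project it mentions), the following Python compares the naive brute-force keyspace with a simple pattern-aware estimate that charges only for the repeating unit, the repeat count and the trailing digits. The two sample passwords are the ones quoted in the post; the 28-bit "weak" threshold and the pattern model itself are assumptions for the demonstration, not a standard.

```python
import math
import re
import string


def charset_size(s: str) -> int:
    """Size of the smallest conventional character class mix that covers s."""
    size = 0
    if any(c.islower() for c in s):
        size += 26
    if any(c.isupper() for c in s):
        size += 26
    if any(c.isdigit() for c in s):
        size += 10
    if any(c in string.punctuation for c in s):
        size += len(string.punctuation)
    return size


def brute_force_bits(pw: str) -> float:
    """Naive model: every position drawn uniformly from the observed charset."""
    if not pw:
        return 0.0
    return len(pw) * math.log2(charset_size(pw))


def smallest_repeating_unit(s: str) -> str:
    """Return the shortest prefix whose repetition reproduces s ('txtxtx' -> 'tx')."""
    for n in range(1, len(s) // 2 + 1):
        if len(s) % n == 0 and s[:n] * (len(s) // n) == s:
            return s[:n]
    return s


def pattern_bits(pw: str) -> float:
    """Pattern-aware model (assumed for this example): a guesser only has to pick
    the repeating unit, how many times it repeats, and the trailing digits."""
    core, digits = re.fullmatch(r"(.*?)(\d*)", pw).groups()
    unit = smallest_repeating_unit(core) if core else ""
    bits = len(unit) * math.log2(charset_size(unit)) if unit else 0.0
    repeats = len(core) // len(unit) if unit else 0
    if repeats > 1:
        bits += math.log2(repeats)          # cost of choosing the repeat count
    if digits:
        bits += len(digits) * math.log2(10)  # trailing digits are guessed separately
    return bits


WEAK_BITS = 28.0  # assumed threshold for the verdict below


def assess(pw: str) -> dict:
    """Report both estimates and a verdict based on the weaker (more realistic) one."""
    naive, pattern = brute_force_bits(pw), pattern_bits(pw)
    effective = min(naive, pattern)
    return {
        "naive_bits": round(naive, 1),
        "pattern_bits": round(pattern, 1),
        "verdict": "weak" if effective < WEAK_BITS else "acceptable",
    }


if __name__ == "__main__":
    # Sample passwords are the two quoted in the thread.
    for candidate in ("gafa973p3l5h7", "txtxtx18"):
        print(candidate, assess(candidate))
```

For "txtxtx18" the naive model credits about 41 bits, while the pattern model finds under 18 bits: the repeated "tx" and the two digits collapse the search space by several orders of magnitude. The first password has no such structure, so the two estimates stay close, which is the behaviour a pattern-aware checker should show.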
newbie
Activity: 44
Merit: 0
July 30, 2013, 05:40:55 PM
#12
- snip -
My original plan was to keep them in blockchain as they seem to have very good security, but as their security was not able to stop my 300 coins from disappearing, I guess that is out of the question...
- snip -

This sounds like FUD to me. If you use a secure password, then access to your bitcoins is encrypted and inaccessible to anyone at blockchain.info or anyone who gains access to blockchain.info's servers.  The only places that have access to those bitcoins are the computers where you type the password.  This means that either:

  • You chose an extremely poor password that a hacker discovered
  • or, you typed your password on a computer that was compromised with malware

Do you have any evidence to the contrary?

- snip -
As for the hacks, it was not all at once, but over a year,
- snip -

Wait.  You're saying your account was repeatedly hacked multiple times over a course of a year, and that you continued to use the service each time it was hacked until you had lost a total of 300 BTC?

Huh

This doesn't make any sense.  It's starting to sound to me like you are sending bitcoins and then forgetting that you sent them.

well, my passwords (rather the ROT(n) versions of them, which i changed)
were "gafa973p3l5h7" to login and "txtxtx18" to withdraw.  Granted these may not be award winning passwords, but they are not THAT easy to hack, are they?  And the 2nd passwd can only be entered on a virtual keyboard. 

Here is the complete list of all warning on my linux, from 'rkhunter'

[19:21:23] Warning: The command '/usr/bin/unhide.rb' has been replaced by a script: /usr/bin/unhide.rb: Ruby script, ASCII text
[19:22:20] Checking if SSH root access is allowed          [ Warning ] 
[19:22:20] Warning: Hidden directory found: '/etc/.java'
[19:22:20] Warning: Hidden directory found: '/dev/.udev'
[19:22:20] Warning: Hidden file found: /dev/.initramfs: symbolic link to `/run/initramfs'

none of these have the ability to read a virtual keyboard.

As for the multiple hacks, no, not on the same service

1) BTC-e (and consequently MtGox as I used the same password)  (100btc)
2) Bitcoin-24 (government shutdown, but no bitcoins were confiscated... they simply have decided to not return them) (100btc)
3) Blockchain (300btc)

Now, one of many things that is weird about BTC-e is, I always get a "Successful authorization." when I log into BTC-e.  But the day I was hacked, there was no such notice... just a "Successful Withdrawal" at midnight, followed by a "Successful auth" from my IP 2 hours later when I logged in, which implies they did not log into my account but came in another way, no?



legendary
Activity: 3472
Merit: 4801
July 29, 2013, 09:04:53 AM
#11
- snip -
My original plan was to keep them in blockchain as they seem to have very good security, but as their security was not able to stop my 300 coins from disappearing, I guess that is out of the question...
- snip -

This sounds like FUD to me. If you use a secure password, then access to your bitcoins is encrypted and inaccessible to anyone at blockchain.info or anyone who gains access to blockchain.info's servers.  The only places that have access to those bitcoins are the computers where you type the password.  This means that either:

  • You chose an extremely poor password that a hacker discovered
  • or, you typed your password on a computer that was compromised with malware

Do you have any evidence to the contrary?

- snip -
As for the hacks, it was not all at once, but over a year,
- snip -

Wait.  You're saying your account was repeatedly hacked multiple times over a course of a year, and that you continued to use the service each time it was hacked until you had lost a total of 300 BTC?

Huh

This doesn't make any sense.  It's starting to sound to me like you are sending bitcoins and then forgetting that you sent them.
full member
Activity: 168
Merit: 100
July 29, 2013, 01:53:32 AM
#10
OSX seems to be pretty secure in my two years running it without any problems

OS X would be vulnerable to Java malware, so either don't install Java or don't ever allow Java applets to run.
legendary
Activity: 1834
Merit: 1019
July 28, 2013, 11:14:23 PM
#9
When Trezor comes out it will probably be one of the most secure ways to store bitcoins next to a paper wallet.

I want one so bad
member
Activity: 90
Merit: 10
July 28, 2013, 11:01:51 PM
#8
When Trezor comes out it will probably be one of the most secure ways to store bitcoins next to a paper wallet.
legendary
Activity: 980
Merit: 1004
Firstbits: Compromised. Thanks, Android!
July 28, 2013, 09:44:57 PM
#7
Now, I assume (perhaps in error) that the mtgox's and blockchain of the world have better security than I can provide while allowing me to receive/send bitcoins.

I believe this is an erroneous assumption. At this point in the growth of bitcoin, you simply can't trust anyone else to hold your coins for you. IMHO, the main reason that bitcoin businesses can't and that banks can boils down to two simple issues: insurance, and the nature of the money itself.

There are no bitcoin insurance companies yet. So if Mt. Gox gets hacked and loses all of its bitcoins, everyone--you, Mt. Gox, and all their customers--are just out of luck. And while every hacker on the planet knows about Mt. Gox, and knows they hold millions of dollars worth of bitcoins, very few know about any bitcoins you keep stashed away yourself, so the risks to Mt. Gox's bitcoin stash are far greater than the risks to your own. This will likely change as bitcoin continues to grow, but yes, currently this is an advantage banks have over the bitcoin network.

The second issue, the nature of the money, is something that simply isn't going to change, because of the way it all works. Bitcoin is different from the fiat banking systems, with advantages and disadvantages. The only way bitcoin will have those disadvantages removed is to use an infrastructure built on top of bitcoin that changes it to effectively act like the traditional banking system. It's an either-or thing; you can't have the advantages without the corresponding downsides.

All that said...


Quote
If I do not keep them online anywhere, how does that work?  Do I send all the accumulated coins to my private wallet every hour, and then make a cd backup of that wallet every hour?  

Ideally, you would design (or have designed for you) a system that does exactly what you expect Mt. Gox or blockchain.info to do, but does it more securely, and in secrecy. This isn't a monumental undertaking; Bitcoin-Qt is already designed to process most of what you need, the backups and redundancy are routine, and there are extra tools to help with security (Armory comes to mind.) But of course, it's going to cost some money and involve some effort setting up and handling the hardware, just as if you wanted to custom-design and run your own website rather than letting someone else build and run one for you.

It sounds like that's what it will take to securely do what you want to do with bitcoins.

Quote
Regardless of how I use the coins, the question is the same:  What is the best way to make an online wallet secure?

Yes, there's a way to make an online wallet (more) secure. You mainly do it by not having your private keys online. You set up a server that checks and processes incoming transactions, dispenses pre-generated payment addresses, and creates unsigned transactions for spending the bitcoins. Then you transfer those unsigned transactions to an offline system that has the private keys, and checks and signs them; you then transfer the transactions back to the online system to be broadcast. There are a number of ways to do the transfer, and ideally it would require physical movement of a file and manual authorization each time, but that's the basic idea.

If that doesn't fit into the time constraints of your system (you HAVE to have automated spending of the bitcoins, you don't want customers to have to wait to pull out funds,) you could keep a "hot wallet," but keep the bulk of your bitcoins in an offline system. The hot wallet is online, but has few bitcoins at any given time, and it transfers bitcoins to the cold storage stash whenever it goes over a certain limit. You transfer bitcoins from cold storage to the hot wallet as needed, and at best you'll only lose what's in the hot wallet. There's still the risk that some customers will have to wait for a transfer from cold storage if a lot of them make withdrawals all at once, but it should automate most of the system, at the cost of reduced security.

But you still have to do all this yourself. Even if some company did this as part of their regular operations, they still would be in control of your bitcoins, and it's still a significant security risk.
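The two designs described in the post above (an online host that only builds unsigned transactions for an offline signer, and a small hot wallet that sweeps its excess to cold storage) can be modelled in a few dozen lines. The following Python is an added illustration, not code from the thread, from Bitcoin-Qt or from Armory: the sweep threshold, refill cap, addresses and keys are constructed values, and HMAC-SHA256 stands in for the ECDSA signature a real wallet would produce. What it shows is the property the post relies on: the online host can spend only its own small float, and the cold key signs nothing until its own policy check passes.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional

# Assumed policy figures for the demonstration; the thread gives none.
HOT_LIMIT = 5.0     # anything above this float is swept to cold storage
REFILL_CAP = 2.0    # the offline signer refuses a single refill larger than this


@dataclass
class Tx:
    sender: str
    to_addr: str
    amount: float
    signature: Optional[str] = None   # None while the transaction is unsigned

    def body(self) -> bytes:
        return json.dumps({"from": self.sender, "to": self.to_addr,
                           "amount": self.amount}, sort_keys=True).encode()


def sign(tx: Tx, key: bytes) -> Tx:
    # HMAC-SHA256 over the canonical body stands in for an ECDSA signature.
    tx.signature = hmac.new(key, tx.body(), hashlib.sha256).hexdigest()
    return tx


def verify(tx: Tx, key: bytes) -> bool:
    expected = hmac.new(key, tx.body(), hashlib.sha256).hexdigest()
    return tx.signature is not None and hmac.compare_digest(tx.signature, expected)


class Network:
    """Toy chain: accepts a transaction only if its signature checks out."""
    def __init__(self, keys: dict):
        self.keys = keys          # address -> verification key (constructed)
        self.ledger = []

    def broadcast(self, tx: Tx) -> bool:
        ok = verify(tx, self.keys[tx.sender])
        if ok:
            self.ledger.append(tx)
        return ok


class HotWallet:
    """Online host: a small float and its own key; spends and sweeps automatically."""
    def __init__(self, addr: str, key: bytes, cold_addr: str, net: Network):
        self.addr, self.key, self.cold_addr, self.net = addr, key, cold_addr, net
        self.balance = 0.0
        self.refill_requests = []   # unsigned txs carried to the offline signer

    def receive(self, amount: float) -> None:
        self.balance += amount
        if self.balance > HOT_LIMIT:                      # sweep the excess
            self.pay(self.cold_addr, self.balance - HOT_LIMIT)

    def pay(self, to_addr: str, amount: float) -> bool:
        if amount > self.balance:
            # Float exhausted: the host can only *ask* for a refill; it holds no cold key.
            self.refill_requests.append(Tx(self.cold_addr, self.addr, REFILL_CAP))
            return False
        tx = sign(Tx(self.addr, to_addr, amount), self.key)
        if self.net.broadcast(tx):
            self.balance -= amount
            return True
        return False


class ColdSigner:
    """Offline system: holds the cold key and enforces policy before signing anything."""
    def __init__(self, addr: str, key: bytes, hot_addr: str):
        self.addr, self.key, self.hot_addr = addr, key, hot_addr

    def sign_request(self, tx: Tx) -> Optional[Tx]:
        # Only pay the known hot address, only up to the cap, never a pre-signed request.
        if (tx.sender != self.addr or tx.to_addr != self.hot_addr
                or tx.amount > REFILL_CAP or tx.signature is not None):
            return None
        return sign(tx, self.key)


def run_scenario() -> dict:
    hot_key, cold_key = b"hot-key-demo", b"cold-key-demo"   # constructed toy keys
    net = Network({"hot": hot_key, "cold": cold_key})
    hot = HotWallet("hot", hot_key, "cold", net)
    cold = ColdSigner("cold", cold_key, "hot")

    hot.receive(3.0)
    hot.receive(4.0)                      # 7.0 > HOT_LIMIT: 2.0 swept to cold
    swept = sum(t.amount for t in net.ledger if t.to_addr == "cold")
    paid = hot.pay("customer-1", 4.5)     # within the float: signed and broadcast
    big = hot.pay("customer-2", 1.0)      # only 0.5 left: fails, queues a refill
    forged = cold.sign_request(Tx("cold", "attacker", 1.0))   # wrong destination
    signed = cold.sign_request(hot.refill_requests.pop(0))    # legitimate refill
    refilled = net.broadcast(signed)      # carried back online and broadcast
    if refilled:
        hot.balance += signed.amount
    return {"swept": swept, "paid": paid, "big": big, "forged": forged,
            "refilled": refilled, "hot_balance": hot.balance}


if __name__ == "__main__":
    print(run_scenario())
```

The transfer of `refill_requests` to the signer and of the signed result back is where the post's "physical movement of a file and manual authorization" would sit; in this model it is a Python call, but the data crossing that boundary is exactly the unsigned transaction, never a key.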


legendary
Activity: 1834
Merit: 1019
July 27, 2013, 10:26:08 PM
#6
OSX seems to be pretty secure in my two years running it without any problems
newbie
Activity: 44
Merit: 0
July 27, 2013, 07:02:16 PM
#5

It starts with you; it is more likely that your computer or email got compromised than that all those services you used suddenly got hacked to get to your coins. I'd advise to first make sure the computers you use are well secured and you know enough on how to keep them secure. Second, if you trade on an exchange don't leave large chunks online but only what you can afford to lose. Third, if you run your own online business with an online wallet make sure to empty it often so if something happens it'll not cause you a serious loss, and invest in the security of your business.



So, that is the answer I was afraid of... basically saying "no, there is no safe place to keep your money online.  You have to hide it under your pillow, next to your gun.", which makes banks a little bit more attractive, even with all their downsides.  It is surprising to me that a bank can do this security easy-peasy, yet crypto-nerds can't.  It shakes my faith.

As for the hacks, it was not all at once, but over a year, and unless someone secretly installed a VNC server on my Linux box, and then secretly opened that port, they could not know the 2nd password (at blockchain) entered on a virtual keyboard.  I think there is a far more likely scenario.  And the bitcoin-24 shutdown certainly had nothing to do with my security.
newbie
Activity: 47
Merit: 0
July 27, 2013, 06:14:11 PM
#4
ok, so think of it like a penny arcade.  you give the cashier 1 dollar and she gives you 10 tokens, which you can spend in the arcade.  When you leave, you cash in your remaining tokens.   

Bitcoins are sent to the account to get credits, and then bitcoins are sent back to the client when they cash in their credits.  That is how the coins are used.

Now, I assume (perhaps in error) that the mtgox's and blockchain of the world have better security than I can provide while allowing me to receive/send bitcoins.

If I do not keep them online anywhere, how does that work?  Do I send all the accumulated coins to my private wallet every hour, and then make a cd backup of that wallet every hour? 

Regardless of how I use the coins, the question is the same:  What is the best way to make an online wallet secure?



It starts with you; it is more likely that your computer or email got compromised than that all those services you used suddenly got hacked to get to your coins. I'd advise to first make sure the computers you use are well secured and you know enough on how to keep them secure. Second, if you trade on an exchange don't leave large chunks online but only what you can afford to lose. Third, if you run your own online business with an online wallet make sure to empty it often so if something happens it'll not cause you a serious loss, and invest in the security of your business.

newbie
Activity: 44
Merit: 0
July 26, 2013, 10:17:42 PM
#3
ok, so think of it like a penny arcade.  you give the cashier 1 dollar and she gives you 10 tokens, which you can spend in the arcade.  When you leave, you cash in your remaining tokens.   

Bitcoins are sent to the account to get credits, and then bitcoins are sent back to the client when they cash in their credits.  That is how the coins are used.

Now, I assume (perhaps in error) that the mtgox's and blockchain of the world have better security than I can provide while allowing me to receive/send bitcoins.

If I do not keep them online anywhere, how does that work?  Do I send all the accumulated coins to my private wallet every hour, and then make a cd backup of that wallet every hour? 

Regardless of how I use the coins, the question is the same:  What is the best way to make an online wallet secure?

legendary
Activity: 980
Merit: 1004
Firstbits: Compromised. Thanks, Android!
July 26, 2013, 11:20:48 AM
#2
I am painfully aware of the risks involved with keeping bitcoins online (https://bitcointalksearch.org/topic/m.2749654)... but if I can't trust the exchanges, and I can trust double password access, what is the secure way to store bitcoins online, specifically with regards to running an online business that moves bitcoins to and fro?

My original plan was to keep them in blockchain as they seem to have very good security, but as their security was not able to stop my 300 coins from disappearing, I guess that is out of the question... so, what IS the best way to store coins online when they HAVE to be stored online?


Probably depends on why they have to be stored online. What specifically do you need? I know you said "with regards to running an online business that moves bitcoins to and fro" but with more details, you will be more likely to get a helpful answer.

Is it because the bulk of the coins you receive as income are quickly spent (meaning nothing of significance stays stashed away) so you want one location to easily view and manage transactions, and spend from, all by hand?

Is it because you do not want to (or cannot) set up your own system/hardware to manage the transactions automatically?

Do you have several employees and want to use a distributed system "in the cloud" rather than relying on direct-access systems that an employee can compromise?

The more we know (that isn't personal info,) the more of a help we can be. But you should also understand that the answers may not be the ones you were looking for.
newbie
Activity: 44
Merit: 0
July 25, 2013, 07:45:17 PM
#1
I am painfully aware of the risks involved with keeping bitcoins online (https://bitcointalksearch.org/topic/m.2749654)... but if I can't trust the exchanges, and I can trust double password access, what is the secure way to store bitcoins online, specifically with regards to running an online business that moves bitcoins to and fro?

My original plan was to keep them in blockchain as they seem to have very good security, but as their security was not able to stop my 300 coins from disappearing, I guess that is out of the question... so, what IS the best way to store coins online when they HAVE to be stored online?
