Topic: security window 10 Microsoft have access to my priv. keys. (Read 940 times)

Who said anything about being shady, paranoid or high status?

If someone thinks Windows users owe them money, and Microsoft accepts that, then there's nothing those Windows users could do to stop Microsoft handing the keys over. Except ditching Windows for all crypto stuff (or using a secure hardware wallet)

It's not happened yet, but Microsoft started as a fraud (the original Microsoft products was someone else's work), and has been consistently unscrupulous ever since. You'd be unwise to trust Microsoft with your Bitcoin keys.

All of these things are extreme edge cases imo. I doubt OP is someone shady enough, or has high enough status to become paranoid of such things. I myself would only start caring about these things if my fiat worth was in the 7 digits and above.

I'm sure there are hundreds if not thousands of people with 6-digit worth of money on their computers, so unless one of them has done some explicitly shady stuff, and actually feel targeted then it's a very long shot for either a 3rd party or for Microsoft themselves to try and pull a fast one on them.

No, I mean Microsoft can give your data to a different organisation. As long as someone powerful enough comes up with a good enough excuse, Microsoft will happily give some other organisation your keys

Yes, Microsoft have many employees. I'm sure they have many security measures in place so most employees won't have the access. However, many companies tend to give more access to those with more responsibility. All you need is one of these employees with the required access to go rogue.

That is what I use.  The idea behind VMWare is that it can detect keyloggers if configured properly.
If you get a keylogger in spite of all the precautions you will at least know and can abort and re-format, reinstall etc.

I would not put my coins in any wallet other than bitcoin core encrypted wallet.  Backed up in multiple physical locations, on various types of media.

I agree with others, a hardened version of Linux with your own version of bitcoind/cli or qt compiled from sources (on a dev machine) is the way to go.

No


Microsoft won't steal your money, but if someone Microsoft is friendly with wants to steal your Bitcoins, Microsoft will almost certainly give them your keys.

You would be told that the money wasn't rightfully yours of course, but successful thieves always have a good psychological angle as well as brutality

I mean, yes, you could do all those things for increased security. But it would be safer, easier and cheaper to just use any old laptop/PC you have lying around, remove the WiFi card, format it, install an open source OS of your choice and run it as an airgapped wallet. Or if you want a really easy option, just buy a hardware wallet.

Short version:

If you paid (close to) $100 for the legit OS and don't have any viruses that can access your PC, then no, Microsoft won't steal your Bitcoins.

It depends.  If you are running some pirated version of Windows it might come with a keylogger.

If you must use Windows you should take some extra security steps.

When you get a new dedicated PC for your cryptos.  The first thing you should do is buy a genuine version of OS, format your disks and install OS yourself.

Then buy and install VMWare and install the OS you prefer.  Be careful only to use the original iso files from trusted sources, like Microsoft.

Only run bitcoin core wallet in VMWare and keep blockchain and wallet on the USB media accessible only from the VMWare.

Never use this VMWare OS image for anything else.  If you do, start the process again, and move your coins to a new clean, encrypted wallet.

Only use wallet online when sending coins from a clean environment.  Otherwise, use dummy wallets to update the blockchain.

Create a separate VMWare OS image to access online crypto accounts.

Are you sure that Windows 7 is responsible for malware that stole your BTC? Maybe the same thing would have happened even if you used another operating system. It is important to make critical and security updates for any OS, but without some good antivirus+firewall+antimalware software your OS is like house where all doors are open, and thieves come in whenever they want, and take whatever they want. You were simply a victim of Clipboard Hijacker Malware (this is just newer version).


I agree that nothing is wrong with Windows 7, it is still very good OS and I have never problems with my coins even I store them in desktop wallet for years. Also in that time I did not experience any bigger problem with virus/malware infection, but this is because main problem is not only in OS, but in how people handle their device/OS.

Windows 7 is old, obviously, but is actually still supported and will continue to receive security updates for another year - until January 14th 2020: https://www.microsoft.com/en-us/windowsforbusiness/end-of-windows-7-support

Having said that, I can see why people don't want to move from Windows 7 to 10. As we've seen in this thread, Windows 10 is an absolute privacy nightmare. Even if you are completely unfamiliar with linux, you have a year to learn before Windows 7 is no longer updated. That would be a better option than upgrading to Windows 10, in my opinion.

Windows 7 is an old operation system which shouldn't be used anymore. It lacks security updates and support, so you will likely have security problems.

Windows 10 is much better than 7. Ofc Linux is even safer for security, but you don't need to use it to avoid problems like you had. Windows 10 is pretty safe if you have some good habits online.

 You're right about this concern, I was accustomed to using windows7 until I got a malware that stole my bitcois during a withdrawal that I made in 2016 that changed my address to the attacker's address, so I switched to linux and since then I had no more of this problem but we never know when we are infected so we should think about the possibility of being infected, so I took advantage of buying a hardware wallet nano S, I suggest you or to generate a paperwallet downloading a TailsOS and run it offline, download the bitaddress.org or iancoleman page if you want to generate an HD wallet, download it directly from github for you to check the sha256 signature to see if you downloaded the genuine file.

After you have done this save the TailsOS ISO on a pen drive (2gb minimum) and zip the bitaddress zip (or the iancoleman_bip39 zip) and generate your paperwallet or hd wallet (if you want to add a bip39 protection to encrypt your recovery phrase would look even better, but if you have no idea what that is, search first.)

Do not forget to print the generated key or write down the recovery phrase. If you have a pc that you do not use anymore then you can consider downloading an offline wallet like electrum and generating the keys on it or the more option.

I'm not saying it's impossible, because theoretically unless you block out all outgoing/incoming requests to windows servers, which can include updates, telemetry data, and all sorts of data you agree to submit by default, then Windows can have access to your data.

This is even possible for linux/ubuntu because software and package updates are enabled by defaukt, but since its an open source OS, updates are coming from a public repo, its hard to wear a tinfoil hat that big and believe that all Arch devs are out there to take your bitcoins

But even for Windows, dont you think its a bit too far? If you were to mistrust big corporations, the damage they can do to you if they go "rogue" is laughably dangerous. Do you use Gmail? What if Google filtered all emails related to blockchain, web wallets, and private keys? You trust google? So what about your ISP? Maybe they could intentionally modify your traffic to screw with your payments... You can clearly see I can go all day with this, from your laptop down down to your smart toaster connected to the internet, if you were to distrust everything around you, youd never sleep.

But maybe it can help you to think of how relevant of a target you are. Do you really think Windows or any other entity that you unwillingly have to trust, care about targetting you specifically? You know there are probably hundreds or thousands of people richer than you that use that operating system, chances are very unlikely that youd be targetted unless a massive breach happens within these corporations.

On another note, just make sure your windows is legit. Ive seen with my own eyes pirated windows copies that run a miner process upon installation.

The reason I was asking this question - After buying a brand new laptop "Lenovo Ideapad 330" I was downloading only the Blockchain and no other program.
The Laptop was updating in one month more than 5 times and after disable updates in "services.msr" it was still updating and download massiv data.
This was making me distrustful whats going on here and maybe you got the same problem.

I don't think you need to over-complicate things with obscure distributions.

If you are a windows user and windows is all you ever knew, then simply just get Ubuntu, and you will be ok, as long as you get the setup done in an offline computer there is nothing to fear within reasonable terms. Just don't use USB pendrives to transfer data, you can buy a QR reader ideally to pass raw tx to the online node.

If your laptop is old you can try Xubuntu or even Lubuntu, but Xubuntu is a good middle term between simplicity and features. Lubuntu is insanely minimalist and can run in super old PCs but looks ancient.

Then since you have windows, you have to also install a good enough antivirus/malware protection system, which will also "call home" and also have access to everything on your computer.
Normally nothing happens. Normally all are well intended and will not try to steal. But you never know really.

That's why for big funds it's recommended to use air-gapped cold storage or at least hardware wallets.

The chance that they can? Probably pretty good, considering that they typically get a heads-up (as is responsible) on newly discovered security vulnerabilities that could access everything on your computer.  Security researchers typically give confidential notification of their discoveries to the software vendor, remaining quiet about it for a period of time so that the vendor (Microsoft) can patch it, hopefully before the flaw is exploited in the wild.

The chance that they will? In my view, extremely unlikely, even if you are a major BTC whale.  Any such breach would almost certainly not be a company effort, but the action of a person or persons within their security teams having "gone rogue".  A business like Microsoft will have in place elaborate measures to prevent access to the full breadth of information necessary (some through vuln knowledge, some through their telemetry, etc.) in order to effectively mount an operation to steal private keys.

However, and this is key: There's a chance I'm wrong about any/all of this.  It is possible that there's a super secret team within Microsoft devoted to theft of keys, with full access to remote right into every Windows PC on the planet.  Or even worse, perhaps an algo built into their disk cleanup maintenance that runs when idle and scans your computer for wallets/keys, uploading its finds.  It is pretty clear that Windows 10 spys quite a bit, even if you take considerable steps to disable/defeat the telemetry.  The amount of tracking they've built into Windows should be something that everyone is concerned about, in particular if you create or store anything of value (confidential business documents, closed-source software, art/music/creative content that you sell for money, etc.) on your PC (and most people do in some form, on some PCs).  Consider the hacks of TV and film content that leaked and cost those studios millions of dollars.  Consider inside corporate information that could be worth lots of money to those seeking to frontrun a trade, or classified information that could be stolen from one government and sold to an adversarial government.  Given that, consider implementing the measures necessary for you to both feel safe as well those that actually make your data safer (the two are not always the same).

The way I see it, any key protection measures boil down to a tradeoff between convenience and safety, which is pretty much the same as physical money.  You could lock all of your money inside of 10 nested vaults, but then it wouldn't be very spendable.  You could carry all of your money in your wallet, but then it wouldn't be so safe if something happened to you.  In many places, you could keep wads of physical cash inside of a drawer in your unlocked house and it'd not be stolen, most of the time.  No one would try to enter your house, most of the time.  One day, however, someone may come to your door that has no problem with entering an unlocked house and taking a look around for some easy loot.  So, we generally lock our doors because it's easy and it increases the protection of what's on the other side of the lock (even nominally given the flimsy quality of many door locks).

I recommend keeping spending money in an easier to access place (but still with some protection, of course), and any savings or large amounts in more elaborate storage.  Crypto Twitter seems to be enamored with https://keys.casa/, including several people I'd weight very highly in having a high amount of security expertise.  They sell hardware wallets, have a multisig wallet protection service, and are also selling a pretty cool Raspberry Pi-based mini BTC/Lightning node.  You might want to check them out.

Personally, I don't hold much cryptocurrency, but here's what I do.  I use Qubes OS (a "reasonably secure" flavor of Linux) on an air-gapped (offline) laptop that stores all of my private keys and is protected under physical lock and key.  On the laptop, the keys are stored inside of encrypted files protected by long, manually entered diceware passphrases with pretty high entropy.  I'm sure my system has many flaws, but it works for me.  If I held substantial sums, I'd certainly spend some time looking into how to improve on it.

Best regards,
Ben

Imagine this situation from the perspective of software companies making products for Windows, using Windows 10 development machines (or non-software companies competing with Microsoft or with someone MS sells your data to). Microsoft just pushed up their running costs a great deal, as those competing companies must now protect their data from Microsoft and the other companies Microsoft sells user data to. Would it be cheaper to ditch Windows completely? Maybe this wouldn't always be viable, but the incentive to support Windows as a platform is reduced now that Microsoft are behaving like this.

I agree with everything else you say, but you are mistaken here. The number of hours you spend tweaking Windows 10 is irrelevant - it is tracking you, regardless of what you do. You can make it better, certainly, but I would never consider it "secure enough" to be using for anything truly sensitive.

Even if you turn off all tracking and telemetry features, Windows 10 still tries to phone home a staggering 5,500 times in 8 hours. The additional use of third party tools designed to stop this did help a bit, but these researchers still reported 2758 connections in 30 hours.

Other researchers have similarly found that even when you disable Windows 10 features like Cortana, it is still logging your activity and sending it to Microsoft.