Topic: Time to upgrade your security (Read 3250 times)

full member
Activity: 154
Merit: 100
January 25, 2013, 06:20:23 PM
#40
Quote
Kind of new to armory, but it seems to allow offline and encryption.  Would it be possible for them to include google authenticator?
A bitcoin client is not something that can be protected by google authenticator. Hopefully multisig transactions will become more user friendly in the near future - I believe that is something etotheipi is working towards.
Google authenticator's main use is against keyloggers that get your password to gain privileged rights on your computer from an unsecured client. Once they get access to the privileged rights, it is no longer relevant.

Does it not have the ability to encrypt your wallet?  Could it not require a password and google authenticator to unencrypt?
No. Once it's encrypted, the only way to re-encrypt it is to decrypt it first. Since google auth tokens change over time, you can see the problem here.

Google auth will protect from someone else logging in under your name, for example to mtgox, but if mtgox itself gets hacked google auth won't protect your coins anymore, that's why it can't really be of any use in a bitcoin client.

Server side security is not something google authenticator could help with, I guess, but it protects you from getting your password hacked and then all is F*ked.
sr. member
Activity: 430
Merit: 250
January 25, 2013, 06:07:26 PM
#39
Quote
Kind of new to armory, but it seems to allow offline and encryption.  Would it be possible for them to include google authenticator?
A bitcoin client is not something that can be protected by google authenticator. Hopefully multisig transactions will become more user friendly in the near future - I believe that is something etotheipi is working towards.
Google authenticator's main use is against keyloggers that get your password to gain privileged rights on your computer from an unsecured client. Once they get access to the privileged rights, it is no longer relevant.

Does it not have the ability to encrypt your wallet?  Could it not require a password and google authenticator to unencrypt?

No. Once it's encrypted, the only way to re-encrypt it is to decrypt it first. Since google auth tokens change over time, you can see the problem here.

Google auth will protect from someone else logging in under your name, for example to mtgox, but if mtgox itself gets hacked google auth won't protect your coins anymore, that's why it can't really be of any use in a bitcoin client.
hero member
Activity: 763
Merit: 500
January 25, 2013, 05:03:37 PM
#38
Quote
Kind of new to armory, but it seems to allow offline and encryption.  Would it be possible for them to include google authenticator?
A bitcoin client is not something that can be protected by google authenticator. Hopefully multisig transactions will become more user friendly in the near future - I believe that is something etotheipi is working towards.
Google authenticator's main use is against keyloggers that get your password to gain privileged rights on your computer from an unsecured client. Once they get access to the privileged rights, it is no longer relevant.

Does it not have the ability to encrypt your wallet?  Could it not require a password and google authenticator to unencrypt?
hero member
Activity: 784
Merit: 1000
Annuit cœptis humanae libertas
January 25, 2013, 02:48:21 PM
#37
bitcointip wormbog +BTC0,01

A bit less poverty now. Tongue
hero member
Activity: 561
Merit: 500
January 25, 2013, 02:33:17 PM
#36
Quote
6. make a few copies of your address list. secure at least one copy in your home safe, safety deposit box, etc. I've got a copy behind a family photo in my office... not a compelling target for a thief.


Now it is

Ominous.

Now a thief only has to identify me, defeat my home security systems, subdue the dogs, and hope I wasn't lying about the secret location of the private keys to grab them. Oh, and hope I own enough bitcoins to make the effort worthwhile. (psst... I don't!)

The only thing better than security through obscurity is security through poverty.
full member
Activity: 154
Merit: 100
January 25, 2013, 02:15:09 PM
#35
Quote
Kind of new to armory, but it seems to allow offline and encryption.  Would it be possible for them to include google authenticator?
A bitcoin client is not something that can be protected by google authenticator. Hopefully multisig transactions will become more user friendly in the near future - I believe that is something etotheipi is working towards.

Google authenticator's main use is against keyloggers that get your password to gain privileged rights on your computer from an unsecured client. Once they get access to the privileged rights, it is no longer relevant.
sr. member
Activity: 430
Merit: 250
January 25, 2013, 01:52:32 PM
#34
Quote
Kind of new to armory, but it seems to allow offline and encryption.  Would it be possible for them to include google authenticator?

A bitcoin client is not something that can be protected by google authenticator. Hopefully multisig transactions will become more user friendly in the near future - I believe that is something etotheipi is working towards.
hero member
Activity: 763
Merit: 500
January 25, 2013, 01:26:57 PM
#33
Kind of new to armory, but it seems to allow offline and encryption.  Would it be possible for them to include google authenticator?
legendary
Activity: 1764
Merit: 1002
January 25, 2013, 12:51:18 PM
#32


Upgrade complete.

how do you handle small letters?
legendary
Activity: 3430
Merit: 3071
January 25, 2013, 11:14:13 AM
#31
brain wallet mnemonic, etched into a ceramic block with 3D printer and stored in a safe FTW!
legendary
Activity: 3066
Merit: 1145
The revolution will be monetized!
January 25, 2013, 10:41:38 AM
#30
Another thing to consider in your security regime is silence. If you are using cloud storage for a wallet, for example, don't mention that online. Or don't say "my coins are safe because I put them on a flash drive and buried it in my back yard." Shhh.  Lips sealed
hero member
Activity: 756
Merit: 501
There is more to Bitcoin than bitcoins.
January 24, 2013, 03:49:02 PM
#29
Quote
6. make a few copies of your address list. secure at least one copy in your home safe, safety deposit box, etc. I've got a copy behind a family photo in my office... not a compelling target for a thief.

If you keep unencrypted paper copies of your private keys you should not write Bitcoin in bold on it. This is just security by obscurity but for 98% of people this is just a random string of numbers.

Agreed, and even better: add a few extra random characters at the beginning or end of the key.

Excellent points. However, if your savings are in any way significant, make sure to provide a way for your beneficiaries or estate to identify and control your offline wallet.
Jan
legendary
Activity: 1043
Merit: 1002
January 24, 2013, 02:57:44 PM
#28
But why not make today the day you back up your wallet and clean out any scraps of old wallets. Or change your password from "god" to something robust.

This!
I heard of an incident yesterday where someone got a phone replacement and forgot that he had BTC in BitcoinSpinner on it. BitcoinSpinner warns you that you should make a backup as soon as you have coins on it. Come on folks, it is not that hard. 3 clicks and take a picture.
full member
Activity: 154
Merit: 100
January 24, 2013, 09:53:12 AM
#27
Quote
A keylogger is the single biggest side channel attack, hard to totally avoid; it is time for bitcoin clients to utilize two factor authentication, and the second factor should be a one time password (based on time, like an RSA token or Google authenticator).

That won't work. One-time passwords (OTP) are based on a shared secret. (Both the web site you are logging in to and your token use the same PRNG seed.) If you use it for a Bitcoin wallet, then the secret has to be stored in the wallet itself, which doesn't provide any extra security.

The first step to steal is to get privileges to be able to read your file on the server; for that step, they usually use an exploit, and that is usually done on the client side (a Windows box running PuTTY, logging in to a Linux server), and keylog and read files from your client. So your password to the server will be stolen, but for a one time password it is of no use; they still could not log on, so there is no way to get privileges.

If they are attacking the server directly, that is another story, and I believe in sshd much, much more than any Windows software. It has been tested and attacked for so many years and has gotten to know how to handle these things better than the client side (be it Firefox, Chrome, Java, whatever it is).

legendary
Activity: 1428
Merit: 1001
Okey Dokey Lokey
January 24, 2013, 09:21:57 AM
#26
PAAAAAPPPEEERRR WAAAALLLEEEETTTTTSSS PRRRIIINNNTTTEEEDDDD WWIIITTTHHH AAA CCYYYPPHHHEEERRR KKEEYYYYY
legendary
Activity: 3920
Merit: 2348
Eadem mutata resurgo
January 24, 2013, 04:23:16 AM
#25


Upgrade complete.
donator
Activity: 994
Merit: 1000
January 24, 2013, 12:41:21 AM
#24
Also worth learning:
http://en.wikipedia.org/wiki/Principle_of_least_privilege

I applied it to software.
One user account = one cryptocurrency, one set of trusted software

Be wary of malicious clients, and only do revised upgrades.
legendary
Activity: 1792
Merit: 1087
January 23, 2013, 11:49:55 PM
#23
Quote
6. make a few copies of your address list. secure at least one copy in your home safe, safety deposit box, etc. I've got a copy behind a family photo in my office... not a compelling target for a thief.


Now it is
foo
sr. member
Activity: 409
Merit: 250
January 23, 2013, 11:41:56 PM
#22
Quote
A keylogger is the single biggest side channel attack, hard to totally avoid; it is time for bitcoin clients to utilize two factor authentication, and the second factor should be a one time password (based on time, like an RSA token or Google authenticator).

That won't work. One-time passwords (OTP) are based on a shared secret. (Both the web site you are logging in to and your token use the same PRNG seed.) If you use it for a Bitcoin wallet, then the secret has to be stored in the wallet itself, which doesn't provide any extra security.
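To make the shared-secret point concrete, here is an added example that is not code from the thread or from any wallet project: a minimal RFC 6238 TOTP implementation (HMAC-SHA1, 30-second step, 6 digits, the parameters Google Authenticator uses). The token app and the verifier both run the same function over the same seed, so whoever can read the seed, for instance out of a wallet file, computes every code. The last two functions also show the problem raised in post #39: a key derived from the current code changes at the next time step, so it cannot seal a wallet for later. The seed value is the RFC 6238 test secret, used here only as a constructed example.

```python
# Added example, not code from the thread or from any wallet project.
# Minimal RFC 6238 TOTP on top of RFC 4226 HOTP, plus two helpers that
# illustrate why a seed stored next to the wallet is not a second factor.
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6          # code length used by Google Authenticator

# Constructed seed: the RFC 6238 Appendix B test secret, not a real credential.
RFC_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer reduced modulo 10**digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time window.
    This is exactly what the phone app computes; no other input is involved."""
    return hotp(seed, unix_time // STEP_SECONDS)


def verify_totp(seed: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Verifier-side check: accept the current window plus `window` steps of
    clock skew on either side, comparing in constant time."""
    counter = unix_time // STEP_SECONDS
    return any(
        hmac.compare_digest(hotp(seed, counter + skew), code)
        for skew in range(-window, window + 1)
    )


def key_from_code(seed: bytes, unix_time: int) -> bytes:
    """Hypothetical scheme from the thread: derive a wallet-encryption key from
    the current one-time code (here simply SHA-256 of the code)."""
    return hashlib.sha256(totp(seed, unix_time).encode()).digest()


def key_survives_next_window(seed: bytes, unix_time: int) -> bool:
    """False whenever the code rotates between windows: a wallet sealed under
    the key at `unix_time` could not be opened one step later, so the wallet
    would have to be decrypted and re-encrypted every 30 seconds."""
    return key_from_code(seed, unix_time) == key_from_code(seed, unix_time + STEP_SECONDS)


if __name__ == "__main__":
    for t in (59, 1111111109, 1234567890, 2000000000):
        print(f"t={t:>10}  code={totp(RFC_SEED, t)}")
    print("verifier accepts code for t=59:", verify_totp(RFC_SEED, totp(RFC_SEED, 59), 59))
    print("code-derived key still valid next window:", key_survives_next_window(RFC_SEED, 59))
```

The values printed for the RFC seed match the SHA-1 vectors in RFC 6238 Appendix B (e.g. `287082` at t=59), which is the easiest way to confirm an OTP implementation before trusting it; the point for wallets is that the verifier needs the seed to run `verify_totp`, and a wallet that runs the verifier locally must store that seed in the same place as the keys it is meant to protect.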
hero member
Activity: 561
Merit: 500
January 23, 2013, 08:54:43 PM
#21
Quote
6. make a few copies of your address list. secure at least one copy in your home safe, safety deposit box, etc. I've got a copy behind a family photo in my office... not a compelling target for a thief.

If you keep unencrypted paper copies of your private keys you should not write Bitcoin in bold on it. This is just security by obscurity but for 98% of people this is just a random string of numbers.

Agreed, and even better: add a few extra random characters at the beginning or end of the key.
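A practical caveat on the padding suggestion above, as an added example that is not code from the thread or from any wallet project: a WIF private key carries a Base58Check checksum, so once extra characters are added the string no longer validates and no software will import it until the padding is stripped. That is the intended effect, but it also means the owner (or, as post #29 notes, the estate) must be able to find the real key again. The helpers below implement Base58Check, validate an uncompressed WIF string, and slide a window over a padded copy to recover the key. Assumptions: uncompressed WIF only (version byte 0x80, always 51 characters), and a constructed private key derived from a fixed string purely for illustration.

```python
# Added example, not code from the thread or from any wallet project.
# Base58Check helpers for uncompressed WIF keys, a validity check, and a
# recovery routine for a paper copy that was padded with extra characters.
import hashlib
import hmac
from typing import Optional

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
WIF_UNCOMPRESSED_LEN = 51  # 0x80 + 32-byte key + 4-byte checksum always encodes to 51 chars

# Constructed key material for the example only; never use a derived value like this for real funds.
EXAMPLE_PRIV = hashlib.sha256(b"constructed example private key, not a real key").digest()


def sha256d(data: bytes) -> bytes:
    """Double SHA-256, the hash Base58Check uses for its 4-byte checksum."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def b58encode(data: bytes) -> str:
    """Base58 encoding: big-endian integer in base 58, leading zero bytes become '1'."""
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58[rem] + out
    leading_zero_bytes = len(data) - len(data.lstrip(b"\x00"))
    return "1" * leading_zero_bytes + out


def b58decode(text: str) -> bytes:
    """Inverse of b58encode; raises ValueError on any character outside the alphabet."""
    n = 0
    for ch in text:
        if ch not in B58:
            raise ValueError(f"not a base58 character: {ch!r}")
        n = n * 58 + B58.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading_ones = len(text) - len(text.lstrip("1"))
    return b"\x00" * leading_ones + body


def wif_encode(priv32: bytes) -> str:
    """Uncompressed WIF: version 0x80, 32-byte key, then the 4-byte checksum."""
    payload = b"\x80" + priv32
    return b58encode(payload + sha256d(payload)[:4])


def wif_is_valid(text: str) -> bool:
    """True only if the string decodes to 37 bytes and the checksum verifies.
    Any padding, even a single extra character, makes this return False."""
    try:
        raw = b58decode(text)
    except ValueError:
        return False
    if len(raw) != 37:
        return False
    return hmac.compare_digest(raw[-4:], sha256d(raw[:-4])[:4])


def recover_wif(padded: str) -> Optional[str]:
    """Slide a 51-character window over a padded copy and return the first
    substring whose checksum verifies, or None if no valid key is present."""
    for i in range(len(padded) - WIF_UNCOMPRESSED_LEN + 1):
        candidate = padded[i:i + WIF_UNCOMPRESSED_LEN]
        if wif_is_valid(candidate):
            return candidate
    return None


if __name__ == "__main__":
    wif = wif_encode(EXAMPLE_PRIV)
    padded = "Qz" + wif + "7a"   # constructed padding, as suggested in the thread
    print("valid as written:", wif_is_valid(wif))
    print("valid with padding:", wif_is_valid(padded))
    print("recovered from padding:", recover_wif(padded) == wif)
```

Running `recover_wif` over a recovered paper copy is a reasonable part of a periodic backup check: if it returns None, the padding was not recorded correctly and the copy is not usable, which is better discovered now than by the estate later.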