Pages:
Author

Topic: Time to upgrade your security (Read 3296 times)

full member
Activity: 154
Merit: 100
January 25, 2013, 05:20:23 PM
#40
Kind of new to armory, but it seems to allow offline and encryption.  Would it be possible for them to include google authenticator?
A bitcoin client is not something that can be protected by google authenticator. Hopefully multisig transactions will become more user friendly in the near future - I believe that is something etotheipi is working towards.
Google authenticator's main use is to against keyloggers to get password to get privileged right in your computer from a unsecured client. Once they get access the privileged right, it is no longer relevant.

Does it not have the ability to encrypt your wallet?  Could it not require a password and google authenticator to unencrypt?
No. Once it's encrypted, the only way to re-encrypt it is to decrypt it first. Since google auth tokens change over time, you can see the problem here.

Google auth will protect from someone else logging in your name, for example to mtgox, but if mtgox itself gets hacked google auth won't protect your coins anymore, that's why it can't really be of any use in a bitcoin client.

Server side security is not sth google authenticator could help, I guess, but it protect you from get your password hacked and then all is F*ked.
sr. member
Activity: 430
Merit: 250
January 25, 2013, 05:07:26 PM
#39
Kind of new to armory, but it seems to allow offline and encryption.  Would it be possible for them to include google authenticator?
A bitcoin client is not something that can be protected by google authenticator. Hopefully multisig transactions will become more user friendly in the near future - I believe that is something etotheipi is working towards.
Google authenticator's main use is to against keyloggers to get password to get privileged right in your computer from a unsecured client. Once they get access the privileged right, it is no longer relevant.

Does it not have the ability to encrypt your wallet?  Could it not require a password and google authenticator to unencrypt?
No. Once it's encrypted, the only way to re-encrypt it is to decrypt it first. Since google auth tokens change over time, you can see the problem here.

Google auth will protect from someone else logging in your name, for example to mtgox, but if mtgox itself gets hacked google auth won't protect your coins anymore, that's why it can't really be of any use in a bitcoin client.
hero member
Activity: 763
Merit: 500
January 25, 2013, 04:03:37 PM
#38
Kind of new to armory, but it seems to allow offline and encryption.  Would it be possible for them to include google authenticator?
A bitcoin client is not something that can be protected by google authenticator. Hopefully multisig transactions will become more user friendly in the near future - I believe that is something etotheipi is working towards.
Google authenticator's main use is to against keyloggers to get password to get privileged right in your computer from a unsecured client. Once they get access the privileged right, it is no longer relevant.

Does it not have the ability to encrypt your wallet?  Could it not require a password and google authenticator to unencrypt?
hero member
Activity: 784
Merit: 1000
Annuit cœptis humanae libertas
January 25, 2013, 01:48:21 PM
#37
bitcointip wormbog +BTC0,01

A bit less poverty now. Tongue
hero member
Activity: 561
Merit: 500
January 25, 2013, 01:33:17 PM
#36
Quote
6. make a few copies of your address list. secure at least one copy in your home safe, safety deposit box, etc. I've got a copy behind a family photo in my office... not a compelling target for a thief.


Now it is

Ominous.

Now a thief only has to identify me, defeat my home security systems, subdue the dogs, and hope I wasn't lying about the secret location of the private keys to grab them. Oh, and hope I own enough bitcoins to make the effort worthwhile. (psst... I don't!)

The only thing better than security through obscurity is security through poverty.
full member
Activity: 154
Merit: 100
January 25, 2013, 01:15:09 PM
#35
Kind of new to armory, but it seems to allow offline and encryption.  Would it be possible for them to include google authenticator?
A bitcoin client is not something that can be protected by google authenticator. Hopefully multisig transactions will become more user friendly in the near future - I believe that is something etotheipi is working towards.
Google authenticator's main use is to against keyloggers to get password to get privileged right in your computer from a unsecured client. Once they get access the privileged right, it is no longer relevant.
sr. member
Activity: 430
Merit: 250
January 25, 2013, 12:52:32 PM
#34
Kind of new to armory, but it seems to allow offline and encryption.  Would it be possible for them to include google authenticator?
A bitcoin client is not something that can be protected by google authenticator. Hopefully multisig transactions will become more user friendly in the near future - I believe that is something etotheipi is working towards.
hero member
Activity: 763
Merit: 500
January 25, 2013, 12:26:57 PM
#33
Kind of new to armory, but it seems to allow offline and encryption.  Would it be possible for them to include google authenticator?
legendary
Activity: 1764
Merit: 1002
January 25, 2013, 11:51:18 AM
#32


Upgrade complete.

how do you handle small letters?
legendary
Activity: 3430
Merit: 3080
January 25, 2013, 10:14:13 AM
#31
brain wallet mnemonic, etched into a ceramic block with 3D printer and stored in a safe FTW!
legendary
Activity: 3066
Merit: 1147
The revolution will be monetized!
January 25, 2013, 09:41:38 AM
#30
Another thing to consider in your security regime is silence. If you are using cloud storage for a wallet, for example, don't mention that online. Or don't say "my coins are safe because I put them on a flash drive and buried it in my back yard." Shhh.  Lips sealed
hero member
Activity: 756
Merit: 501
There is more to Bitcoin than bitcoins.
January 24, 2013, 02:49:02 PM
#29
6. make a few copies of your address list. secure at least one copy in your home safe, safety deposit box, etc. I've got a copy behind a family photo in my office... not a compelling target for a thief.

If you keep unencrypted paper copies of your private keys you should not write Bitcoin in bold on it. This is just security by obscurity but for 98% of people this is just a random string of numbers.

Agreed, and even better: add a few extra random characters at the beginning or end of the key.
Excellent points. However, if your savings are in any way significant, make sure to provide a way for your beneficiaries or estate to identify and control your offline wallet.
Jan
legendary
Activity: 1043
Merit: 1002
January 24, 2013, 01:57:44 PM
#28
But why not make today the day you back up your wallet and clean out any scraps of old wallets. Or change your password from "god" to something robust.

This!
I heard of an incident yesterday where someone got a phone replacement and forgot that he had BTC in BitcoinSpinner on it. BitcoinSpinner warns you that you should make a backup as soon as you have coins on it. Come on folks, it is not that hard. 3 clicks and take a picture.
full member
Activity: 154
Merit: 100
January 24, 2013, 08:53:12 AM
#27
Keylogger is single biggest side channel attack hard to totoally avoid, it is time for bitcoin client utilize two factor authentication, and the second factor should be one time password, (based on time like RSA token or Google authenticator.

That won't work. One-time passwords (OTP) are based on a shared secret. (Both the web site you are logging in to and your token uses the same PRNG seed.) If you use it for a Bitcoin wallet, then the secret has to be stored in the wallet itself, which doesn't provide any extra security.

The first step to steal is to get privileged to be able to read your file in the server, for that step, they usually use a exploit, and that is usually done on the client side ( a windows running putty, login in a linux server) and keylog and read files from your client. So you password to server will be stolen, but for One time password, it is of no use, they still could not log on so no way to get privileged.

If they attacking server directly, that is another story, and I believe in sshd much much more than any windows software. It is been tested attacked for so many years and get to know handle these thing better than client side. (be it firefox, chrome, java, whatever it is)

legendary
Activity: 1428
Merit: 1001
Okey Dokey Lokey
January 24, 2013, 08:21:57 AM
#26
PAAAAAPPPEEERRR WAAAALLLEEEETTTTTSSS PRRRIIINNNTTTEEEDDDD WWIIITTTHHH AAA CCYYYPPHHHEEERRR KKEEYYYYY
legendary
Activity: 3920
Merit: 2349
Eadem mutata resurgo
January 24, 2013, 03:23:16 AM
#25


Upgrade complete.
donator
Activity: 994
Merit: 1000
January 23, 2013, 11:41:21 PM
#24
Also worth learning:
http://en.wikipedia.org/wiki/Principle_of_least_privilege

I applied it to software.
One user account = one cryptocurrency, one set of trusted software

Be wary of malicious clients, and only do revised upgrades.
legendary
Activity: 1792
Merit: 1111
January 23, 2013, 10:49:55 PM
#23
Quote
6. make a few copies of your address list. secure at least one copy in your home safe, safety deposit box, etc. I've got a copy behind a family photo in my office... not a compelling target for a thief.


Now it is
foo
sr. member
Activity: 409
Merit: 250
January 23, 2013, 10:41:56 PM
#22
Keylogger is single biggest side channel attack hard to totoally avoid, it is time for bitcoin client utilize two factor authentication, and the second factor should be one time password, (based on time like RSA token or Google authenticator.

That won't work. One-time passwords (OTP) are based on a shared secret. (Both the web site you are logging in to and your token uses the same PRNG seed.) If you use it for a Bitcoin wallet, then the secret has to be stored in the wallet itself, which doesn't provide any extra security.
hero member
Activity: 561
Merit: 500
January 23, 2013, 07:54:43 PM
#21
6. make a few copies of your address list. secure at least one copy in your home safe, safety deposit box, etc. I've got a copy behind a family photo in my office... not a compelling target for a thief.

If you keep unencrypted paper copies of your private keys you should not write Bitcoin in bold on it. This is just security by obscurity but for 98% of people this is just a random string of numbers.

Agreed, and even better: add a few extra random characters at the beginning or end of the key.
Pages:
Jump to: