
Topic: Trust No One - page 111. (Read 161312 times)

newbie
Activity: 8
Merit: 0
August 06, 2011, 12:34:36 AM
#33
Paper bitcoin would be just a piece of paper with a really nice number drawn onto it by the owner.
newbie
Activity: 42
Merit: 0
August 05, 2011, 01:12:05 PM
#32
Quote
Is this how newbies build up their post count so they can get out of this section? I feel kind of sorry for them . . .

Basically that's what happens when a forum imposes a post count limit on newbies. It just makes them more spammy.
legendary
Activity: 1260
Merit: 1031
Rational Exuberance
August 05, 2011, 11:59:48 AM
#31
Obvious

Of course

Is this how newbies build up their post count so they can get out of this section? I feel kind of sorry for them . . .
newbie
Activity: 7
Merit: 0
August 05, 2011, 11:39:06 AM
#30
All great advice for a newbie like me, thanks!
newbie
Activity: 8
Merit: 0
August 05, 2011, 10:26:03 AM
#29
Quote
I'm ultraparanoid. It should be my username...

I have my wallet on my Linux box whose / is under 4 concurrent layers of DM_crypt. I ran that system before I ever heard of bitcoin. I'm not doing anything illegal, I just don't think my business is anyone's damn business. I take my wallet offline with a flash drive using TrueCrypt. I use the triple cascade encryption option on a file container. I even use that tiny new Lexar Echo drive and geocache a backup of the wallet in a similar container file. It's tiny, and even if somebody finds it, what can they do? That degree of encryption is just stupid. I'm considering a MicroSD geocache instead, it's even smaller.

If I could do that to the cash in my wallet, I would. You can't hide cash in a geocache as an off-site, off-line backup, and still be assured of its safety. BTC is the best.

I only wish I could find someone local to buy BTC from w/ cash... The locator services are useless. If the forums had a geographically organised section, it would be a dream...

There's still time to change your username, because that would have been most fitting!

BTC to Cash locally is tough, I would suspect mostly because this is a pretty small community by most standards and we're spread out all over the globe. I haven't found a good solution yet either, I'm just hoping that as Bitcoin matures so will the locator services and the like.

But, until then, I just had to offer my kudos on a truly terrifying amount of encryption on your part.
newbie
Activity: 7
Merit: 0
August 05, 2011, 01:54:25 AM
#28
"Don't trust no one but your mama, and still cut the deck.."
hero member
Activity: 560
Merit: 500
www.OroCoin.co
August 04, 2011, 04:57:37 PM
#27
I'm ultraparanoid. It should be my username...

I have my wallet on my Linux box whose / is under 4 concurrent layers of DM_crypt. I ran that system before I ever heard of bitcoin. I'm not doing anything illegal, I just don't think my business is anyone's damn business. I take my wallet offline with a flash drive using TrueCrypt. I use the triple cascade encryption option on a file container. I even use that tiny new Lexar Echo drive and geocache a backup of the wallet in a similar container file. It's tiny, and even if somebody finds it, what can they do? That degree of encryption is just stupid. I'm considering a MicroSD geocache instead, it's even smaller.

If I could do that to the cash in my wallet, I would. You can't hide cash in a geocache as an off-site, off-line backup, and still be assured of its safety. BTC is the best.

I only wish I could find someone local to buy BTC from w/ cash... The locator services are useless. If the forums had a geographically organised section, it would be a dream...
sr. member
Activity: 434
Merit: 250
100%
August 04, 2011, 03:50:59 PM
#26
Hey kids! Just trust the really smart guys!
member
Activity: 95
Merit: 10
August 04, 2011, 03:02:30 PM
#25
paper bitcoin is a good idea
full member
Activity: 140
Merit: 100
August 04, 2011, 01:53:47 PM
#24
I like paper bitcoin wallets like those from Casascius, although you have to trust that he kept no copy (I do). Then, since the private key has at no time been near the internet, you're safe from computer crime.  Encode the private key with a literally-unbreakable one-time code (see link in my sig) and you're all set. Until you want to start spending from that wallet, but that's another story.
member
Activity: 105
Merit: 10
August 04, 2011, 12:30:37 PM
#23
Quote
I do think that a more secure method should be established to securely keep your wallet safe. The only thing that comes to my mind is a bank of some sort, but I would also be scared of that, just by thinking that I'm giving someone or an organisation control of my coins.

We can move at least part of the way there if the namecoin network gets moving, correct? If you had a .bit address that contained your personal bank. I don't know where the .bit website info is held, and on that part I'm confused... but it sounds like, for a price, a piece of cyberspace can be had to run your personal transactions... but again, maybe I'm completely misunderstanding namecoin.
newbie
Activity: 17
Merit: 0
August 04, 2011, 09:53:27 AM
#22
Quote
Not to mention, when you do get screwed with a bank.  Not only is your money stolen, but getting a new encrypted wallet on a new piece of hardware is probably a lot easier than dealing with a bank to get a new account or password.

Makes sense
member
Activity: 200
Merit: 11
August 04, 2011, 09:36:28 AM
#21
Not to mention, when you do get screwed with a bank.  Not only is your money stolen, but getting a new encrypted wallet on a new piece of hardware is probably a lot easier than dealing with a bank to get a new account or password.
newbie
Activity: 17
Merit: 0
August 04, 2011, 06:18:27 AM
#20
I do think that a more secure method should be established to securely keep your wallet safe. The only thing that comes to my mind is a bank of some sort, but I would also be scared of that, just by thinking that I'm giving someone or an organisation control of my coins.
newbie
Activity: 42
Merit: 0
August 03, 2011, 11:43:48 PM
#19
Quote
Disagree, the scenario you outlined is far more unlikely than a memorable password being hacked.  Also still limits the suspects to people who could theoretically gain access to the passwords.

Perhaps, but it really depends on how the person chooses to generate his/her password. If the person is naive enough to use the same password or the same passphrase or same method always, then obviously he/she's going to be screwed. But the same person is also likely to be equally naive with physical security. In the end, the weakest link is still the user.


Quote
Even if you do simple letter substitution, the password should still be over 13 characters for any amount of security from rainbow tables. Very difficult to remember for the average person.

A password should always be long and safer if the code salts the password hash properly. The average person won't be able to remember a random sequence of letters, but a passphrase like "This is my password for getting into the bitcoin bank" and using "Timpfgitbb" is probably much easier. Of course the risk is again, a naive user might just end up using the same passphrase and effectively reducing it to a 2 letter password since only the last few letters would ever change.

Quote
Also- Micro screenshot loggers take images of the surrounding area of a mouse click.  Rarely do you have to worry about your entire screen being recorded since live recording of your screen would drag most computers down enough for the average person to be concerned anyways.  Even if they take an image of the entire screen with every mouse click, a simple solution would be to make the secure keyboard randomize positions with every entry.  Another level of complexity would be to have the keyboard scroll so only a line of characters was visible to click on at a time, so you could not use a process of elimination.

Only the last suggestion would be useful IMO because if the logger screenshots just the active window (or even a reasonably wide area such as 200px instead of just a few pixels around the cursor), it would be able to see the entire keyboard. Randomizing that on every click doesn't help since every click gets the logger a new picture with all the keys except the one you used.

The problem with the scroller is that the average users may get rapidly annoyed with it and give up using the system or find ways to get around it if they have to deal with it daily. That's what makes users put password stick-its on office monitors in places where they implement draconian password policies such as minimum 10 letters, no reusing of last 12 passwords, no similar passwords, new password every 2 weeks or 30 log ins.

Quote
As for firewalls, I'm most concerned with methods that don't involve configuration of your computer, since more secure wallets and merchanting programs 'out of the box' will assist in widespread adoption

Frankly speaking if the user's system isn't secured in the first place against information leak, nothing we do can be considered secured. Just the initial entry of the password during registration, or even receiving a generated password in the email, could be the time of the leak, rendering whatever physical measures or random onscreen keyboard useless.
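
An added example, not part of the thread or any poster's code, illustrating the rainbow-table and salting point raised in the post above: the same password is stored unsalted and with a per-user salt under PBKDF2, then checked against a precomputed table. The candidate list, the iteration count and all function names are assumptions made for this illustration.

```python
import hashlib
import hmac
import os

# Constructed candidate list standing in for a precomputed table.
# A real rainbow table is a time-memory trade-off; a plain dict is used here
# as a simplification that carries the same defensive lesson.
CANDIDATES = ["password", "letmein", "bitcoin2011", "Timpfgitbb"]
ITERATIONS = 100_000  # assumed work factor for this example


def unsalted_hash(password: str) -> str:
    """Weak storage: one fixed hash per password, identical on every site."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_table(candidates):
    """Precompute hash -> password once; reusable against any unsalted store."""
    return {unsalted_hash(p): p for p in candidates}


def salted_hash(password: str, salt: bytes = None):
    """Hardened storage: random per-user salt plus a slow KDF (PBKDF2)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted_hash(password, salt)[1], digest)


def compare_storage(password: str, users: int = 2):
    """Store the same password for several users both ways and test the table."""
    table = build_table(CANDIDATES)
    unsalted = [unsalted_hash(password) for _ in range(users)]
    salted = [salted_hash(password) for _ in range(users)]
    return {
        "unsalted_recovered": [table.get(h) for h in unsalted],
        "salted_recovered": [table.get(d.hex()) for _, d in salted],
        "salted_digests_distinct": len({d for _, d in salted}) == users,
        "salted_verifies": all(verify(password, s, d) for s, d in salted),
    }


if __name__ == "__main__":
    for key, value in compare_storage("Timpfgitbb").items():
        print(f"{key}: {value}")
```

With salting, two users who choose the same password get different stored digests, so a table built once cannot be reused across accounts; the password still has to be long enough to resist per-account guessing.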
member
Activity: 200
Merit: 11
August 03, 2011, 11:25:00 PM
#18
Quote
Writing down passwords is a major no no. It's safer to come up with your own personal methods like using first letter of every word in a sentence to make up long and relatively random passwords.

Disagree, the scenario you outlined is far more unlikely than a memorable password being hacked.  Also still limits the suspects to people who could theoretically gain access to the passwords.

Even if you do simple letter substitution, the password should still be over 13 characters for any amount of security from rainbow tables. Very difficult to remember for the average person.

Any way you look at it, there is always a way to get at your information.  The likelihood of that event happening is determined by the level of security you pursue.  Use what works for you and be aware of the foreseeable ways that your chosen method can be abused.

Also- Micro screenshot loggers take images of the surrounding area of a mouse click.  Rarely do you have to worry about your entire screen being recorded since live recording of your screen would drag most computers down enough for the average person to be concerned anyways.  Even if they take an image of the entire screen with every mouse click, a simple solution would be to make the secure keyboard randomize positions with every entry.  Another level of complexity would be to have the keyboard scroll so only a line of characters was visible to click on at a time, so you could not use a process of elimination.

As for firewalls, I'm most concerned with methods that don't involve configuration of your computer, since more secure wallets and merchanting programs 'out of the box' will assist in widespread adoption
newbie
Activity: 42
Merit: 0
August 03, 2011, 10:35:19 PM
#17
Quote
Every password you use should be written down.  Most preferably in the same spot (that isn't under your keyboard)  like one of those little journals you can get at Borders or something, you should also have a backup copy of this somewhere very secure (a lock box, bank secure box, etc). At most you should have 2 books, 1 for less secure information like your WOW account, E-mail, etc, another for Bitcoin passwords, Bank Accounts etc.  The reasons I say your passwords need to be written down are two-fold.

1- You can have super secure random passwords like 23Dhn#$qsxmnmnt953 and don't have to bother with memorizing them.

2- If somebody nefarious does take your password book.  You know EXACTLY what they have access to since you have one in a secure lock-box. It's easy to call your banks and tell them you know your password's been stolen and you need your account information changed or a new password assigned until you can change it.  This also limits the suspects to people who had access to your notebook.  A HUGE advantage of the millions of possible people who may have just gotten access to your computer in one form or another.

If somebody was smart enough to figure out where you kept the passbook and smart enough to unlock a secure lock box, he or she would also be smart enough to scan/photograph the passwords and replace everything as it is.

Even if they don't, they just need to pick a time you won't discover the loss for at least a few hours. More than enough time for them to clear out your accounts.

Writing down passwords is a major no no. It's safer to come up with your own personal methods like using first letter of every word in a sentence to make up long and relatively random passwords.

Quote
Additional Note- One thing I'd like to see from (trusted, secure, something like windows or google doing this not some hack that could easily be a keylogger in itself) developers.  An on-screen keyboard that not only randomizes the keys, but blacks out the key your mouse is hovering over so that the 'micro-screenshot' used by some keyloggers is rendered useless.

No use. Usually the micro screenshot is set to the active window. So if I own a logger installed on your PC, it would likely already know what the arrangement of the keyboard is based on screenshots before your mouse reached the keyboard. Even if it was taken after you hover, it's only missing that ONE key you're hovering over.

You should have a firewall that can block outgoing traffic so even if the logger captures the shots, your firewall would alert you when it tries to send out.
member
Activity: 105
Merit: 10
August 03, 2011, 09:53:07 PM
#16
Quote
Paranoia is a good thing for sure when it comes to money/worth-related things BUT why not revert to something which works quite well in real life/with fiat money: contracts/agreements/treaties (whatever you'd like to call them).

Contracts are just a piece of paper... what you are really asking for is trust in the government... no thanks. The idea is to make people more self-reliant and if they don't want to be taken, they need to learn how to defend themselves... it's just that simple.

My 2 cents vote is for social networking. As I posted somewhere else, Anon Plus (or whatever its name will be) is a really good start. Everyone has a confidential name and then social groups form. It should be the social groups that have to fight or die in competition.

So for example, I would be an accepted member of the IAlwaysPayMyBillsOnTime which is endorsed by the SellersRUs group and vice versa. You don't have to know my government identity... all you need to know is that your risk has been spread. If the regulations are too high, a group will die... too low, a group will die. Too few members or too many members, same thing. I would also be in other groups and you could see that as well (if I wanted you to).

Let's note the social network info is encrypted on the internet... so if you forget your password, your identity is dead... you talk about losing your wallet, how about losing your identity?

Notwithstanding this is all speculation. In fact, the DOJ supposedly has sent Anon+ an email
http://pastebin.com/4VMdcDbg

So yes, there are people working on a lot of community issues and people just have to be patient and see if they can help out.
member
Activity: 200
Merit: 11
August 03, 2011, 06:22:07 PM
#15
Alright, you added some stuff about encryption passwords that seems ridiculously complex when it doesn't need to be.

When you create a password for anything which could be sensitive (including email you idiots) it needs to be at least 13 characters, the longer the better. Julian Assange used a 52 character password for his encrypted distribution of his 'insurance plan.'

Every password you use should be written down.  Most preferably in the same spot (that isn't under your keyboard)  like one of those little journals you can get at Borders or something, you should also have a backup copy of this somewhere very secure (a lock box, bank secure box, etc). At most you should have 2 books, 1 for less secure information like your WOW account, E-mail, etc, another for Bitcoin passwords, Bank Accounts etc.  The reasons I say your passwords need to be written down are two-fold.

1- You can have super secure random passwords like 23Dhn#$qsxmnmnt953 and don't have to bother with memorizing them.

2- If somebody nefarious does take your password book.  You know EXACTLY what they have access to since you have one in a secure lock-box. It's easy to call your banks and tell them you know your password's been stolen and you need your account information changed or a new password assigned until you can change it.  This also limits the suspects to people who had access to your notebook.  A HUGE advantage of the millions of possible people who may have just gotten access to your computer in one form or another.

Also if you are on a Microsoft computer, like myself, there is a large chance you have a keylogger already on your computer just pumping away at your personal information.  There is no way, I repeat NO WAY to eliminate the chances of your keys being logged because there is some pretty advanced software out there for keylogging and it only gets more advanced every day.  You can reduce it by quite a bit though by using the on-screen keyboard (Accessories>Ease of Access) for your password input.

Additional Note- One thing I'd like to see from (trusted, secure, something like windows or google doing this not some hack that could easily be a keylogger in itself) developers.  An on-screen keyboard that not only randomizes the keys, but blacks out the key your mouse is hovering over so that the 'micro-screenshot' used by some keyloggers is rendered useless.
newbie
Activity: 31
Merit: 0
August 03, 2011, 04:38:22 PM
#14
Paranoia is a good thing for sure when it comes to money/worth-related things BUT why not revert to something which works quite well in real life/with fiat money: contracts/agreements/treaties (whatever you'd like to call them). At least when it comes to a larger transfer of money/btc this could come in handy. This even works within the digital world. Set up a contract both parties agree on and let both contractual partners sign this contract with a class II certificate issued by an approved CA. In Germany there are even officially accredited CAs (accredited by the "Bundesnetzagentur" (lit.: Federal Network Agency)) (accredited CAs). One of the accredited CAs is the "Bundesdruckerei" (lit. Federal print office). Its subsidiary D-TRUST offers class II certificates for personal use for 83,19 Euros (link) which are valid for two years. Tractis will help to find a CA near you :-)