
Topic: Tutorial: Compiling Armory and getting it onto an offline computer - page 2. (Read 2245 times)

legendary
Activity: 3430
Merit: 3074
Yes, that's better, and putting the SD on read only while on the offline machine is another assurance of safety... Is an SD exploitable through hardware this way?

My understanding of SD cards is that they don't have to negotiate a utility class like USB, they are identified only as storage by the OS, and their drivers only allow for that anyways.

On the other hand, USB can negotiate several classes for the same PID&VID, mostly the infamous HID class. The grand majority of USB attacks come from that unrestricted class negotiation allowed by the standard and most of them rely on the power of the HID class.

Does anyone know more about this? Is Linux safe from these USB attacks? What about OS X? I assume it's Windows that's most vulnerable?

I wasn't aware of this attack vector. I thought USB sticks were just treated as storage and nothing else. Seems like I was wrong.

Thanks for starting the discussion unamis76. Looks like I may have to start all over from scratch. Sigh. Isn't life fun?

USB storage vulnerabilities can be mitigated using virtualised OSes and IOMMU. I use Qubes OS, which is a ready-made implementation of that kind of configuration.
pf
full member
Activity: 176
Merit: 105
Yes, that's better, and putting the SD on read only while on the offline machine is another assurance of safety... Is an SD exploitable through hardware this way?

My understanding of SD cards is that they don't have to negotiate a utility class like USB, they are identified only as storage by the OS, and their drivers only allow for that anyways.

On the other hand, USB can negotiate several classes for the same PID&VID, mostly the infamous HID class. The grand majority of USB attacks come from that unrestricted class negotiation allowed by the standard and most of them rely on the power of the HID class.

Does anyone know more about this? Is Linux safe from these USB attacks? What about OS X? I assume it's Windows that's most vulnerable?

I wasn't aware of this attack vector. I thought USB sticks were just treated as storage and nothing else. Seems like I was wrong.

Thanks for starting the discussion unamis76. Looks like I may have to start all over from scratch. Sigh. Isn't life fun?
legendary
Activity: 3640
Merit: 1345
Armory Developer
Yes, that's better, and putting the SD on read only while on the offline machine is another assurance of safety... Is an SD exploitable through hardware this way?

My understanding of SD cards is that they don't have to negotiate a utility class like USB, they are identified only as storage by the OS, and their drivers only allow for that anyways.

On the other hand, USB can negotiate several classes for the same PID&VID, mostly the infamous HID class. The grand majority of USB attacks come from that unrestricted class negotiation allowed by the standard and most of them rely on the power of the HID class.
legendary
Activity: 1512
Merit: 1009
How do you know the USB key is safe?

Then change "USB key" into "SD card", and make sure it's properly erased before use?

Yes, that's better, and putting the SD on read only while on the offline machine is another assurance of safety... Is an SD exploitable through hardware this way?

How do you know the USB key is safe?

Then change "USB key" into "SD card", and make sure it's properly erased before use?

CD ROM is best.

Cannot be altered once finalised, so you can use uncompromised systems to check whether the contents of the CD ROM have been burned as per your instructions (and so you can reliably detect whether your Armory dependencies packages are definitely what they purport to be).


Also, as the OP states, these instructions will work for Debian 7 "wheezy" and Debian 8 "jessie". Ubuntu is essentially a bloated fork of Debian, targeting the consumer/business market. Not really necessary for offline Armory as such, Debian will do the job just as well.

CD is indeed the best, but it will make costs higher. One will probably need an external CD drive and CDs to burn.

Cheaper than losing all the coins though, that's for sure...
legendary
Activity: 3430
Merit: 3074
How do you know the USB key is safe?

Then change "USB key" into "SD card", and make sure it's properly erased before use?

CD ROM is best.

Cannot be altered once finalised, so you can use uncompromised systems to check whether the contents of the CD ROM have been burned as per your instructions (and so you can reliably detect whether your Armory dependencies packages are definitely what they purport to be).


Also, as the OP states, these instructions will work for Debian 7 "wheezy" and Debian 8 "jessie". Ubuntu is essentially a bloated fork of Debian, targeting the consumer/business market. Not really necessary for offline Armory as such, Debian will do the job just as well.
newbie
Activity: 58
Merit: 0
How do you know the USB key is safe?

Then change "USB key" into "SD card", and make sure it's properly erased before use?
legendary
Activity: 1512
Merit: 1009
How do you know the USB key is safe? I'd gladly blind-trust binaries on the Armory page than any USB key. I've had USB keys being used in a countless amount of computers and caught quite a few viruses (fortunately none contaminated any of my machines. So far). There are also keys rumored to be tampered with from their factories and hardware exploits...

I think some questions you've been making on this subforum and the fact you don't trust no one at whatever cost are a good thing, but I had to question this, since you seem to care a lot about security (I do too. But maybe not as much as you, or not as much as I should)
pf
full member
Activity: 176
Merit: 105
The following steps show you how to compile Armory from source code and get it onto your offline computer with Ubuntu Linux.

Why should you compile Armory from source code? Because you can't fully trust yet that the binaries Armory publishes come from the source code they're supposed to be coming from. And also, because it's dead simple to do, so why not just do it?

I have tested these steps for Ubuntu 14.04 LTS and Armory 0.93.2, but I suppose it will work with other systems and versions as well.

Here are the steps:

  • On a virtual machine (or a real machine if you want) that is allowed to connect to the internet, do a clean install of the same system that is on your offline computer. In my case, that is Ubuntu 14.04 LTS.
  • On this fresh online system, download this Python script by Alan Reiner (the originator of Bitcoin Armory).
  • On the Terminal, run "python apt-get-offline.py" followed by a list of all of the dependency packages you see after "sudo apt-get install" on the official Armory "building from source" page. In my case, I typed in python apt-get-offline.py git-core build-essential pyqt4-dev-tools swig libqtcore4 libqt4-dev python-qt4 python-dev python-twisted python-psutil
  • Use a USB key to get the resulting folder of .deb files onto your offline computer.
  • On your offline computer, use sudo dpkg -i *.deb within that folder to install all these dependencies on your offline computer. (I know, I know. git-core and build-essential are probably not needed on the offline computer. But since the Armory guys haven't really made a distinction between dependencies that are needed for compilation and dependencies that are needed to run the compiled program and I'm not 100% sure which is which, I just throw them all into the offline computer. No big deal.)
  • Now go back to your online Ubuntu and compile Armory according to the official instructions. In my case, I just ran these commands:
      gpg --recv-keys --keyserver keyserver.ubuntu.com 98832223
      sudo apt-get install git-core build-essential pyqt4-dev-tools swig libqtcore4 libqt4-dev python-qt4 python-dev python-twisted python-psutil
      git clone git://github.com/etotheipi/BitcoinArmory.git
      cd BitcoinArmory
      git checkout v0.93.2
      git tag -v v0.93.2 (and check that the signature matches)
      make
  • Use a USB key to get the BitcoinArmory folder onto your offline computer.
  • On your offline computer, run Armory through the Terminal with python ArmoryQt.py

See also my other tutorials:
Tutorial: Installing R on an offline Ubuntu computer
Tutorial: Using R to statistically test a die for bias
Tutorial: Creating a bulletproof 255-bit entropy Armory wallet
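
One way to check that the folder of .deb files arriving on the offline computer is the folder that left the online one, whatever medium carried it. This is an added example, not part of any post in this thread; the function names and the SHA256SUMS file name are assumptions, and it relies on GNU coreutils sha256sum.

```shell
#!/bin/sh
# Added example: hash manifest for the .deb folder moved between machines.
# MANIFEST name and all function names are assumptions for illustration.
MANIFEST=SHA256SUMS

# Online machine: record a SHA-256 for every .deb in the folder "$1".
make_manifest() {
    ( cd "$1" && sha256sum -- *.deb > "$MANIFEST" )
}

# Hash of the manifest itself. Write this down by hand on the online
# machine; it must NOT travel only on the same medium as the packages.
manifest_fingerprint() {
    sha256sum < "$1/$MANIFEST" | cut -d' ' -f1
}

# Offline machine: verify folder "$1" against hand-copied fingerprint "$2"
# before running "sudo dpkg -i *.deb". Returns non-zero on any mismatch.
verify_debs() {
    dir=$1
    expected=$2
    # 1. The manifest must be the one created on the online machine.
    [ "$(manifest_fingerprint "$dir")" = "$expected" ] || {
        echo "manifest differs from the recorded fingerprint" >&2
        return 1
    }
    (
        cd "$dir" || exit 1
        # 2. Every listed package must be present and unmodified.
        sha256sum --check --strict --quiet "$MANIFEST" || exit 1
        # 3. No package may be present that the manifest does not list,
        #    since "dpkg -i *.deb" would install it too.
        for f in *.deb; do
            grep -qF -- "  $f" "$MANIFEST" || {
                echo "unlisted package: $f" >&2
                exit 1
            }
        done
    )
}

# Usage:
#   online:   make_manifest ./debs && manifest_fingerprint ./debs
#   offline:  verify_debs ./debs <fingerprint copied by hand> \
#               && (cd ./debs && sudo dpkg -i *.deb)
```

This detects changes to the files in transit; it does not address a device that presents itself to the offline machine as something other than storage, which is the separate concern raised in the replies.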