Topic: what is the "scratch"? it's FUD or truth? (Read 4327 times)
I would like to see a physical Bitcoin only option available someday. A client that only works via scanning a barcode or OCR that manages the physical wallets would eliminate the fear of electrons vaporizing due to forgetting a pw.
Since almost no services exist that have irrecoverable passwords casual users likely need an education.
Nothing educates better than losing a bunch of money 
Never herd more true words, but sadly any new regulars to bitcoin would be considerably disheartened if they lost a whack of funds, even if it was through their own stupidity.
Since almost no services exist that have irrecoverable passwords casual users likely need an education.
Nothing educates better than losing a bunch of money 
Because for every one of those examples a password recovery option is available. People use password recoveries all the time. There is no password recovery for an encrypted wallet. Encrypted wallets by default would be a disaster.
Worse many "casual" users may be confused by the very concept of irrecoverable password. Since almost no services exist that have irrecoverable passwords casual users likely need an education.
I would imagine enabling encryption on the 1.0 client would need to be pretty comprehensive. Something more like a wizard explaining that losing password means a complete and irrecoverable loss of funds and that there is no "forgot password" option.
It would also be good to:
* compare the user's password against a known password list ("your attempted password is already known to attackers please try another one")
* give the user a password strength meter with practical strengths ("your password can be guessed in less than 4 days by an attacker with a single computer"
* providing a "print out page" for safe keeping (with warnings like store this in a safe, all your funds can be stolen is this document is lost)
It would also be a good idea to provide "popup" warnings with frequency and intrusiveness directly related to the balance.
Gavin is absolutely correct in pointing out Bitcoin is 0.x. It is 0.x for a reason.
i think the general population is very much used to entering passwords and remembering them for their bank account, their utility providers, email, netflix, facebook, etc. i also don't think entering a password is more difficult or off putting than waiting for the blockchain to download.
Because for every one of those examples a password recovery option is available. People use password recoveries all the time. There is no password recovery for an encrypted wallet. Encrypted wallets by default would be a disaster.
i don't think i have the most correct answer. i just think that security isn't as hardened as it could be, and there is at least one area where it could be relatively easily strengthened, and an open discussion would probably be beneficial.
You mean like:https://bitcointalksearch.org/topic/idea-to-step-up-wallet-security-34562
or
https://bitcointalk.org/index.php?topic=19080.80
or
http://gavinthink.blogspot.com/2011/06/why-arent-bitcoin-wallets-encrypted.html
or
https://bitcointalksearch.org/topic/ewallet-provider-w-web-based-keyboard-2574
It has been a while since I wrote a "State of Bitcoin Development" update (too busy...), but wallet security was my second priority, behind network stability, the last time I did one. It is still right at the top of my priority list.
would have been really cool if your first post told me the discussion is ongoing, and gave me those links. your a spokesman for bitcoin. i know how easy it is to get frustrated and take things personal, but nobody benefits from that kind of reaction.
Brainstorm:
If the user have zero in his wallet, do not warn that it doesnt have password.
If the user have X amount advice the user to chose a long password they will never forget.
And some advice on how to chose such a password.
If the user have Huge amount of Bitcoins give warnings to encrypt right away?
Question is, what is considered huge and for one user 5 Btc can be much, for another 500 is much.
That's pretty much what I proposed in post 33 up above. ^^If the user have zero in his wallet, do not warn that it doesnt have password.
If the user have X amount advice the user to chose a long password they will never forget.
And some advice on how to chose such a password.
If the user have Huge amount of Bitcoins give warnings to encrypt right away?
Question is, what is considered huge and for one user 5 Btc can be much, for another 500 is much.
Although I didn't mention the advice on choosing a good password. A strength meter and a reminder to REMEMBER THE DAMN PASSWORD would be appropriate.
i don't think i have the most correct answer. i just think that security isn't as hardened as it could be, and there is at least one area where it could be relatively easily strengthened, and an open discussion would probably be beneficial.
You mean like:https://bitcointalksearch.org/topic/idea-to-step-up-wallet-security-34562
or
https://bitcointalk.org/index.php?topic=19080.80
or
http://gavinthink.blogspot.com/2011/06/why-arent-bitcoin-wallets-encrypted.html
or
https://bitcointalksearch.org/topic/ewallet-provider-w-web-based-keyboard-2574
It has been a while since I wrote a "State of Bitcoin Development" update (too busy...), but wallet security was my second priority, behind network stability, the last time I did one. It is still right at the top of my priority list.
maybe you can explain the justification for not encrypting the wallet by default?
Here's the thinking:
Joe Random User finds out about bitcoin, and decides "what the heck, I'll check it out."
They run it. First thing it does is ask him for a passphrase, with tons of "DO NOT FORGET YOUR PASSPHRASE" and/or "CHOOSE A LONG PASSPHRASE" warnings. What does he do? Many users will either:
1. Type "passphrase".
or
2. Bang on the keyboard to create a long, random passphrase: "b;lkaj425[09234kjvfda,nvfd;nkj34toht4"
He gets a little coin from the Faucet, writes me an email asking when they will arrive (because he hasn't yet downloaded the entire blockchain and didn't bother to read the information about that on the Faucet's "Sent!" page), and then shuts down the client.
Time passes. Eventually the Faucet coins show up.
He decides Bitcoin really doesn't suck as much as he first thought, so he decides to buy some Bitcoin on Mt. Gox.
Time passes while Dwolla verifies his bank account and stuff.
Then he buys Bitcoin, and manages to send them and see them show up in his running Bitcoin.
Yay!
Time passes. He decides he wants to spend the Bitcoin, and now he has to enter the passphrase that he set a week or three ago. But back then, wallet security wasn't at all important to him. He didn't have an Bitcoins to keep secure.
So either he forgot that his passphrase is "passphrase" or he remembers that he typed a bunch or random letters just so he could get past that annoying "enter passphrase" dialog box so he could just try the damn thing.
In short: wallet encryption is not the default because the right time to enter a passphrase to encrypt the wallet is when you KNOW that the wallet is valuable, and will take the steps necessary to protect it.
Brainstorm:
If the user have zero in his wallet, do not warn that it doesnt have password.
If the user have X amount advice the user to chose a long password they will never forget.
And some advice on how to chose such a password.
If the user have Huge amount of Bitcoins give warnings to encrypt right away?
Question is, what is considered huge and for one user 5 Btc can be much, for another 500 is much.
Well... I've told this to every person who I introduced to Bitcoin:
Would you leave your wallet unattended in a table on the middle of a shopping mall? With Bitcoin you also have to be careful, just like with your pocket wallet. They seem to get it...
Would you leave your wallet unattended in a table on the middle of a shopping mall? With Bitcoin you also have to be careful, just like with your pocket wallet. They seem to get it...
yeah, i have stories from users that still wake me up in the middle of the night.
generally though, the ones that curl your hair are a smaller percentage of the user base (from my experience anyway), and i personally believe in designing for the majority, and i think the majority of people would remember their password. i don't think its that hard to include a passphrase strength indicator. if someone wants to be a dipstick and use 123456, and the bitcoin client tells them its a near worthless password, then bitcoin has done all it can reasonably be expected to do, and nobody is to blame but the user who is lazy.
i don't think i have the most correct answer. i just think that security isn't as hardened as it could be, and there is at least one area where it could be relatively easily strengthened, and an open discussion would probably be beneficial.
generally though, the ones that curl your hair are a smaller percentage of the user base (from my experience anyway), and i personally believe in designing for the majority, and i think the majority of people would remember their password. i don't think its that hard to include a passphrase strength indicator. if someone wants to be a dipstick and use 123456, and the bitcoin client tells them its a near worthless password, then bitcoin has done all it can reasonably be expected to do, and nobody is to blame but the user who is lazy.
i don't think i have the most correct answer. i just think that security isn't as hardened as it could be, and there is at least one area where it could be relatively easily strengthened, and an open discussion would probably be beneficial.
see rjk, now the conversation is taking a more productive direction, which is, you know, more productive then taking things personal and/or being condescending. i wasn't making any personal attacks, and am still genuinely confused why i got such a negative response.
i used to be a project manager for an iphone dev company. i don't have the technical skills to give specific procedural suggestions, but i worked hand in hand with the designers to the programers. there was a flow of ideas, and while it was down to the more technically capable members of the team to implement, everyone's thoughts and ideas were valued. different perspectives from people with different skill sets lead to a stronger finished product. best job i ever had btw.
as for the keylogger, as i said, i was referring to bitcoin doing all it could do to be secure. obviously a user has responsibilities. there is only so much that can be done to secure software installed on end user machines. i just think its best practices to do some simple things like having the wallet encrypted (by whichever procedures and at whatever specific time in the installation/update process is deemed appropriate by those more technically inclined) to increase security.
julz, i can see some kind of nag screen pushing a user to encrypt the wallet being a better compromise between the two. i just don't think a screen telling someone to enter a password and make sure they remember it, or having a password to begin with is such a show stopper. i think the general population is very much used to entering passwords and remembering them for their bank account, their utility providers, email, netflix, facebook, etc. i also don't think entering a password is more difficult or off putting than waiting for the blockchain to download.
I think we got fired up by your comment of vulnerability where there really wasn't one. As someone that developed applications for iFail devices, I am sure you have had your share of thick/stupid/newb/etc users, and figure you would appreciate the reasoning that Gavin put forth.i used to be a project manager for an iphone dev company. i don't have the technical skills to give specific procedural suggestions, but i worked hand in hand with the designers to the programers. there was a flow of ideas, and while it was down to the more technically capable members of the team to implement, everyone's thoughts and ideas were valued. different perspectives from people with different skill sets lead to a stronger finished product. best job i ever had btw.
as for the keylogger, as i said, i was referring to bitcoin doing all it could do to be secure. obviously a user has responsibilities. there is only so much that can be done to secure software installed on end user machines. i just think its best practices to do some simple things like having the wallet encrypted (by whichever procedures and at whatever specific time in the installation/update process is deemed appropriate by those more technically inclined) to increase security.
julz, i can see some kind of nag screen pushing a user to encrypt the wallet being a better compromise between the two. i just don't think a screen telling someone to enter a password and make sure they remember it, or having a password to begin with is such a show stopper. i think the general population is very much used to entering passwords and remembering them for their bank account, their utility providers, email, netflix, facebook, etc. i also don't think entering a password is more difficult or off putting than waiting for the blockchain to download.
A virus doesn't get blocked by AV vendors unless something bad happens to someone and they report it. So it is inevitable that someone would lose their wallet(s) to a keylogger, even if they only enter their password once a week, since someone has to figure out that something is wrong to start with. Nevermind that the virus was probably acquired by visiting some shady site on the net, users will be users and there isn't much you can do about that.
Unfortunately, my experience with users has been very similar to the situation that Gavin laid out - if they are prompted to enter their passphrase, it is pretty much a guarantee that they would enter a lame dictionary word of 6 characters or less, and then promptly forget it as if they were being paid to forget things.
Damn users.
see rjk, now the conversation is taking a more productive direction, which is, you know, more productive then taking things personal and/or being condescending. i wasn't making any personal attacks, and am still genuinely confused why i got such a negative response.
i used to be a project manager for an iphone dev company. i don't have the technical skills to give specific procedural suggestions, but i worked hand in hand with the designers to the programers. there was a flow of ideas, and while it was down to the more technically capable members of the team to implement, everyone's thoughts and ideas were valued. different perspectives from people with different skill sets lead to a stronger finished product. best job i ever had btw.
as for the keylogger, as i said, i was referring to bitcoin doing all it could do to be secure. obviously a user has responsibilities. there is only so much that can be done to secure software installed on end user machines. i just think its best practices to do some simple things like having the wallet encrypted (by whichever procedures and at whatever specific time in the installation/update process is deemed appropriate by those more technically inclined) to increase security.
julz, i can see some kind of nag screen pushing a user to encrypt the wallet being a better compromise between the two. i just don't think a screen telling someone to enter a password and make sure they remember it, or having a password to begin with is such a show stopper. i think the general population is very much used to entering passwords and remembering them for their bank account, their utility providers, email, netflix, facebook, etc. i also don't think entering a password is more difficult or off putting than waiting for the blockchain to download.
i used to be a project manager for an iphone dev company. i don't have the technical skills to give specific procedural suggestions, but i worked hand in hand with the designers to the programers. there was a flow of ideas, and while it was down to the more technically capable members of the team to implement, everyone's thoughts and ideas were valued. different perspectives from people with different skill sets lead to a stronger finished product. best job i ever had btw.
as for the keylogger, as i said, i was referring to bitcoin doing all it could do to be secure. obviously a user has responsibilities. there is only so much that can be done to secure software installed on end user machines. i just think its best practices to do some simple things like having the wallet encrypted (by whichever procedures and at whatever specific time in the installation/update process is deemed appropriate by those more technically inclined) to increase security.
julz, i can see some kind of nag screen pushing a user to encrypt the wallet being a better compromise between the two. i just don't think a screen telling someone to enter a password and make sure they remember it, or having a password to begin with is such a show stopper. i think the general population is very much used to entering passwords and remembering them for their bank account, their utility providers, email, netflix, facebook, etc. i also don't think entering a password is more difficult or off putting than waiting for the blockchain to download.
i understand nothing is perfect...ever. the specific enhancement i suggested was to have the wallet encrypted from the get go. gavin explained he thought the average user couldn't handle remembering the password they set it up with, so the decision was made to make it easier, but less secure.
The broader picture of security includes user behaviour. Coins lost through mistakes made jumping security hurdles are just as lost as stolen coins.
I'd argue that the chosen path as explained by Gavin is superior from this perspective, and it would be better to pursue improvements along the lines of striking visual cues that the wallet remains unencrypted.
By time and effort, I didn't necessarily mean coding, although that helps.
Since you didn't come up with an answer, I just thought it up for you. Here is my proposal:
1. On wallet creation, it is unencrypted as it is currently.
2. Encryption will be suggested to the user once:
a. The blockchain has fully downloaded and
b. The wallet balance exceeds 0
3. If encryption was enabled prior to blockchain download completion, or prior to the balance exceeding 0, no popup/prompt will occur.
4. The popup/prompt will have an option to disable future notices:
a. When checked, no further notices will be created, although
1. A reminder will be written to the log
b. If left unchecked, the reminder will be shown any time the wallet's balance is incremented or decremented.
5. There will be an easily accessible help link within the notification.
How does this sound? What needs added to this proposal is the following:
a. The suggested format of the notification:
1. Tray notification
2. Modal popup (application specific, not system modal)
3. Text notification in the same format as remote system messages
b. The suggested text of the notification
1. Including the text of the help link
c. A decision on whether the help link is local or whether it goes to the wiki
This will increase security, although it still does not address the keylogger issue. (On-screen keyboard anyone? Yeah I thought not.)
Since you didn't come up with an answer, I just thought it up for you. Here is my proposal:
1. On wallet creation, it is unencrypted as it is currently.
2. Encryption will be suggested to the user once:
a. The blockchain has fully downloaded and
b. The wallet balance exceeds 0
3. If encryption was enabled prior to blockchain download completion, or prior to the balance exceeding 0, no popup/prompt will occur.
4. The popup/prompt will have an option to disable future notices:
a. When checked, no further notices will be created, although
1. A reminder will be written to the log
b. If left unchecked, the reminder will be shown any time the wallet's balance is incremented or decremented.
5. There will be an easily accessible help link within the notification.
How does this sound? What needs added to this proposal is the following:
a. The suggested format of the notification:
1. Tray notification
2. Modal popup (application specific, not system modal)
3. Text notification in the same format as remote system messages
b. The suggested text of the notification
1. Including the text of the help link
c. A decision on whether the help link is local or whether it goes to the wiki
This will increase security, although it still does not address the keylogger issue. (On-screen keyboard anyone?
Yeah I thought not.)
wow. so its your opinion that bitcoin belongs to a select few? i must have really really misunderstood what bitcoin is all about.
and your familiar with my efforts? are furthering the adoption and developing business around bitcoin a valuable contribution? is there a chart i can refer to or is an individuals non technical contribution evaluated by the select few on a case by case basis?
i understand nothing is perfect...ever. the specific enhancement i suggested was to have the wallet encrypted from the get go. gavin explained he thought the average user couldn't handle remembering the password they set it up with, so the decision was made to make it easier, but less secure.
i disagree with that decision.
i am still left confused by the hostility in the responses to a suggestion to increase security.
and your familiar with my efforts? are furthering the adoption and developing business around bitcoin a valuable contribution? is there a chart i can refer to or is an individuals non technical contribution evaluated by the select few on a case by case basis?
i understand nothing is perfect...ever. the specific enhancement i suggested was to have the wallet encrypted from the get go. gavin explained he thought the average user couldn't handle remembering the password they set it up with, so the decision was made to make it easier, but less secure.
i disagree with that decision.
i am still left confused by the hostility in the responses to a suggestion to increase security.
you put a lot of time and effort into bitcoin. i understand and appreciate that, but bitcoin belongs to the community. some individuals, like yourself, are more important to bitcoin then others, like myself, but without community support and involvement, its just a bunch of fancy math.
No, it really belongs to the people that bother to put time and effort into it. If you cared, you would put a lot more of your time and effort into it.No code, no UI, no API is perfect from the beginning, and will never be perfect, ever. If you have specific enhancements available or ideas on how to implement a better way, I am certain that the dev team, or indeed everyone, would love to hear about them. I have yet to hear you utter a workable solution to the problems that we have been discussing.
What Gavin meant by alternate worlds was that the BETA project can only be tested on the open, in production, because there is no collection of users and hackers available privately to make it "perfect" before public launch. If you don't like this, you aren't required to use it, and are welcome to throw all your time and skill into improving it. Improvements are always a good thing, whether to the UI and usability, or whether to security and interoperability.
As is commonly stated in open-source projects, "Pull requests are welcome".
so in your opinion, no merchants should be using it until it reaches 1.something?
you seem to be getting a bit agitated, or at least that's how i'm reading the sarcastic part of your response about alternate universes, and i'm not sure why. aren't these the type of conversations that happen in open source projects, within the community, that strengthen the project? i make no qualms about the fact that i'm still new to bitcoin and learning. maybe this doesn't have the same dynamic as many of the more successful open source projects?
you put a lot of time and effort into bitcoin. i understand and appreciate that, but bitcoin belongs to the community. some individuals, like yourself, are more important to bitcoin then others, like myself, but without community support and involvement, its just a bunch of fancy math.
you seem to be getting a bit agitated, or at least that's how i'm reading the sarcastic part of your response about alternate universes, and i'm not sure why. aren't these the type of conversations that happen in open source projects, within the community, that strengthen the project? i make no qualms about the fact that i'm still new to bitcoin and learning. maybe this doesn't have the same dynamic as many of the more successful open source projects?
you put a lot of time and effort into bitcoin. i understand and appreciate that, but bitcoin belongs to the community. some individuals, like yourself, are more important to bitcoin then others, like myself, but without community support and involvement, its just a bunch of fancy math.
my only comment is that bitcoin is not offering the most secure implementation it can. the fact that its a conscious decision doesn't change that.
Ummm...You know when you choose "About Bitcoin-Qt" and it says "Version 0.something BETA" ?
When we've got an implementation that is safe and secure (both from hackers and from accidental loss) out of the box that will change to say "Bitcoin Version 1.something".
Unfortunately, I don't know how to launch Bitcoin in an alternate universe where it will be attacked by highly motivated black-hats and then bring back the battle-tested source code to this universe to be launched as a perfectly secure Version One.
So, to repeat myself: Bitcoin is experimental software. Do not invest time or money in it that you cannot afford to lose.
thank your for the thorough response.
when confronted with a classic conflict in programming, between security and user convenience, you chose convenience.
there are merits to both choices. users are very used to entering passwords, and somehow manage to stay on top of them. if they choose a crappy one and it gets cracked, or if they choose a crazy one and forget it, thats on the user, not on bitcoin. my only comment is that bitcoin is not offering the most secure implementation it can. the fact that its a conscious decision doesn't change that.
when confronted with a classic conflict in programming, between security and user convenience, you chose convenience.
there are merits to both choices. users are very used to entering passwords, and somehow manage to stay on top of them. if they choose a crappy one and it gets cracked, or if they choose a crazy one and forget it, thats on the user, not on bitcoin. my only comment is that bitcoin is not offering the most secure implementation it can. the fact that its a conscious decision doesn't change that.
Jump to: