Pages:
Author

Topic: What risk is there creating a cold storage on a public computer considering... (Read 409 times)

legendary
Activity: 2870
Merit: 7490
Crypto Swap Exchange
"Tails" come with a standard old version of Electrum, so you have to update that version to the latest version and the only way to do that is to enable a Persistent volume.

It's not that old, AFAIK newer Tails have Electrum 4.0.2 and can you use without any problem.

I think enabling a Persistent volume on Tails defeats the purpose of a clean boot with Tails.  Roll Eyes

That depends on what kind of feature you use, see https://tails.boum.org/doc/first_steps/persistence/warnings/index.en.html
legendary
Activity: 3416
Merit: 1912
The Concierge of Crypto
You can probably use Tails, use Persistent volume, and update using an offline download. Still keeps it offline... But I would still not use any public computer, better to get your own.
legendary
Activity: 2898
Merit: 1823
It's almost the same price as a chromebook  Grin
if he gonna store some bitcoin in cold storage, I'm sure he is rich enough to afford it.
btw the cheapest cold storage wallet is probably Blockstream Jade, which is only 40 USD.


I believe it’s safer to buy hardware to use for Bitcoin, that will not be known that you will use it for Bitcoin. This especially rings true after the Ledger privacy leak. Plus we shouldn’t trust third-parties anymore, not when Bitcoin is going to 6 digits. EVERYONE will be going after the thing they want most from you. Your Bitcoins.
copper member
Activity: 1652
Merit: 1901
Amazon Prime Member #7
Tails is designed and maintained by the NSA, and is funded by the government.
Follow the money.

Aren't the same sources telling that ToR and also Bitcoin were created by NSA?
TOR was actually created by the US Navy, although it has been open source since its creation.


Don't use a public computer to create cold storage private keys. Public computers often have surveillance tools installed so whoever owns the public computer can monitor its usage. Even if this was not the case, there is the risk that someone has installed malware on the computer, or that the private keys will remain in memory after you finish for the next person to find.

It would be best if you were to purchase any equipment for a cold storage device in person without using any kind of order-ahead type service aka you pick up the equipment off the shelf at the store. You should also maintain possession of any equipment used to generate cold storage private keys after you have created them.
legendary
Activity: 3038
Merit: 4418
Crypto Swap Exchange
"Tails" come with a standard old version of Electrum, so you have to update that version to the latest version and the only way to do that is to enable a Persistent volume. I think enabling a Persistent volume on Tails defeats the purpose of a clean boot with Tails.  Roll Eyes
It's a cold storage. The version available on Tails is sufficient to generate the seeds and it shouldn't go online at all. Using outdated Electrum is fine, there isn't any concurrent vulnerabilities present in the installed binaries on the latest Tails that would impact the security.

I use a vanilla flavor the latest "Tails" for the creation of my paper wallets. (for the clean boot) and then I use bitaddress.org to create the paper wallets. (I download the script and then I go offline to create the wallets)  Grin
Paper wallets are actually not very great to use. You'd have to use a printer without any wireless connectivity, ensures that it isn't stored in the ram to ensure that the paper wallets remains as an offline cold storage. If you don't print it out, then you can't store it without the persistent storage either. If you were to use an OS for that already, might as well just use the Electrum that is provided on it. Needless to say, Bitaddress doesn't even have Segwit on it and it's arguable that using an offline Electrum *could* be potentially safer than trying to download a script online to use it in a browser.
legendary
Activity: 3514
Merit: 1963
Leading Crypto Sports Betting & Casino Platform
"Tails" come with a standard old version of Electrum, so you have to update that version to the latest version and the only way to do that is to enable a Persistent volume. I think enabling a Persistent volume on Tails defeats the purpose of a clean boot with Tails.  Roll Eyes

I use a vanilla flavor the latest "Tails" for the creation of my paper wallets. (for the clean boot) and then I use bitaddress.org to create the paper wallets. (I download the script and then I go offline to create the wallets)  Grin
legendary
Activity: 3416
Merit: 1912
The Concierge of Crypto
I don't know what phones you have or used, but I have some 5 year old phones with me still working today. Samsung J1 (2016). I believe they were still being sold up to last year as brand new for around $100 USD.

You can regularly get refurbished old desktops for below $100 as well, they can all run the latest update of Windows 10. You'll want to add a keyboard, mouse, cheap monitor and maybe a webcam, but you can keep that machine behind an air gap and completely offline.
hero member
Activity: 1680
Merit: 655
If you are talking about having an extra phone and making it as a cold storage where he would just download an electrum wallet and after that be disconnected to the internet then I think this is a much better option for him but of course the problem here would be the reliability of that extra phone if it can withstand any hardward issues in the future.
Can't see how that's an argument at all. Unless you bring your phone around to dunk in the ocean and lakes, I don't think phones are that unreliable. There's a reason why the wallet always asks the user to write down the seeds on a piece of paper and to keep it safe. In the event of any hardware failure, the user can just restore it to another phone or device.

Old laptops are fairly cheap nowadays, if you purchase one, it could be a good investment and would probably serve as a decent airgapped wallet if you run a LiveCD using a USB flash drive.

I'm talking about personal experience here. When I have bought a new phone and just kept my old (working) phone in one of my storage after a couple of months when I decided to open my old phones to transfer some contact numbers it wasn't turning on. Now if I made my old phone into a cold storage during that time then I have created a big problem at present. Yeah old laptops might be a good idea but only if he will be buying one from a reliable store probably one of those refurbished ones. Just by buying old laptops or just second-hand ones without knowing the real running condition of the laptop will just give him the same problems of having an old unreliable phone.
legendary
Activity: 3038
Merit: 4418
Crypto Swap Exchange
If you are talking about having an extra phone and making it as a cold storage where he would just download an electrum wallet and after that be disconnected to the internet then I think this is a much better option for him but of course the problem here would be the reliability of that extra phone if it can withstand any hardward issues in the future.
Can't see how that's an argument at all. Unless you bring your phone around to dunk in the ocean and lakes, I don't think phones are that unreliable. There's a reason why the wallet always asks the user to write down the seeds on a piece of paper and to keep it safe. In the event of any hardware failure, the user can just restore it to another phone or device.

Old laptops are fairly cheap nowadays, if you purchase one, it could be a good investment and would probably serve as a decent airgapped wallet if you run a LiveCD using a USB flash drive.
hero member
Activity: 1680
Merit: 655
If you want something almost as secure, do it on a phone that you have just factory reset.

If you are talking about having an extra phone and making it as a cold storage where he would just download an electrum wallet and after that be disconnected to the internet then I think this is a much better option for him but of course the problem here would be the reliability of that extra phone if it can withstand any hardward issues in the future. If the problem here mainly is you not having a personal computer I think the best alternative here is if you can't buy one ask someone who you are close with first like a family member perhaps and scan first for any viruses and malware before doing the method you already know. At least in this way you have some privacy in a creation of your cold storage.
legendary
Activity: 3416
Merit: 1912
The Concierge of Crypto
Cold storage implies at least an air gap. Public computers are almost always infected and most that you can rent have some sort of monitoring software (or hardware) installed.

If you want something almost as secure, do it on a phone that you have just factory reset.

Blowing up the computer shop is for movies.

Quote
Robert Clayton "Bobby" Dean: "What the hell is happening?"
Edward "Brill" Lyle: "I blew up the building."
Bobby: "Why?"
Brill: "Because you made a phone call!"
 - Enemy of the State.
legendary
Activity: 1624
Merit: 2481
probably (or at least potentially) infected public computer.
I'm curious: what are the real probabilities of this possibility to happen?

It is hard to precisely answer this question, since i don't have any numbers.
There might be a study made somewhere, but i am not aware of it.

However, i personally, wouldn't ever trust a public computer to be secure. It is simply too easy to infect them. Anyone can gain access to it.

As ranochigo has mentioned, formatting the hard drive might not be enough. Root kits are horrible to deal with.
And further, anyone can gain access to the hardware. This makes it even harder (than it already is) to be sure about the integrity of the hardware.

I really wouldn't be surprised if there was a relatively high number infected (at least with key loggers).
legendary
Activity: 1932
Merit: 2354
The Alliance Of Bitcointalk Translators - ENG>SPA
A cold storage is supposed to be secure anyways. If you consider the wallet being created as a normal wallet then I assume it's alright.

OK, this makes a lot of sense: if you create cold storage is because you want extra safety, and lacking that creating it from a public computer without further security measures makes no sense.

I now realise that my comment might make sense only when talking about a common wallet (or not, that's why I wrote it, to be challenged Tongue).

Thank you ranochigo.
legendary
Activity: 3038
Merit: 4418
Crypto Swap Exchange
I'm curious: what are the real probabilities of this possibility to happen?
Public computers infected with malware is not uncommon. Even with LiveCDs, I wouldn't rule out the possibility of side channel attacks especially when everyone has access to it, a seemingly harmless USB at the back of the computer, a VGA splitter, an additional connection between the keyboard and the computer, etc. I don't consider this paranoia as you're supposed to be at least this paranoid if you have to generate a wallet that could possibly contain your entire year worth of wages.

So it is not 100% safe, ok, but could we say it is safe in the 99% of the cases? just like using condoms? yes, accidents happen but I think we keep focusing too much on them.
I don't consider public computers safe precisely because it's public. The loopholes for a bunch of vulnerabilities is unlimited. Wiping the entire OS might not be sufficient, especially if there is a persistent rootkit within the public computers. If it's public enough, then I wouldn't believe that there is a chance that it wouldn't be infected. As with your reference to condoms, I don't think that's a fair comparison at all. Small computers like Raspberry Pis are cheap and would probably give you some reassurance. If you're handling Bitcoins that you can't afford to lose, I don't think you would settle for anything less than that.

A cold storage is supposed to be secure anyways. If you consider the wallet being created as a normal wallet then I assume it's alright.
legendary
Activity: 1932
Merit: 2354
The Alliance Of Bitcointalk Translators - ENG>SPA
probably (or at least potentially) infected public computer.

I'm curious: what are the real probabilities of this possibility to happen?

I use to say that it is better safe than sorry, but I have the feeling that every time someone poses a question about how to create a wallet safely we all go into the worst case scenario and take for granted that this is what is going to happen (me the first one).

Personally, and after questioning my own conventional thoughts, if I had to create it on a public computer, unless I was storing there all my savings, I think that maybe it is not necessary to be so fearful. I guess that many of us know that it is possible to infect these computers with a keylogger or whatever, but then because of ethics and self-control almost no one does it (just some script-kiddies, maybe). And if it happened, afaik, public computers are usually reset every night in order to keep them "clean", apart from other security measures.

So it is not 100% safe, ok, but could we say it is safe in the 99% of the cases? just like using condoms? yes, accidents happen but I think we keep focusing too much on them.

Please, if this reasoning is wrong, challenge it, I consider myself more a noob than any other label in this topic, but sometimes it may be good to hear an outsider's version on mostly consensual thesis like this one creating whatever on a public computer is not safe.

legendary
Activity: 1624
Merit: 2481
6. Did you blow up the public computer after you used it?

Ridiculous, you'll be arrested and must pay for the damage.

It's the price you have to pay for a secure cold storage generated on a publicly available and probably (or at least potentially) infected public computer.

Even tho you could buy a private computer for that price and create the cold storage at home... you wouldn't have any fun doing so!
legendary
Activity: 3416
Merit: 1912
The Concierge of Crypto
4. Did you use a blanket to cover your head so no one else sees what you're doing? Is the computer shielded so wireless emanations from the monitor are not captured a few feet away by some evil maid with RF scanning equipment ... Is that Johnny English or James Bond behind you?

5. Is there enough white noise that your key strokes are not recorded by audio and then translated into something readable later?

6. Did you blow up the public computer after you used it?
legendary
Activity: 1624
Merit: 2481
1. Are you sure? If it were a CD, then you know nothing can write to it. USB is usually not write protected.

Even with CD you cannot always be sure (!).
I've had my own experience with a bootable "recovery" (antivirus) CD, I've booted from it, used it, all good, and next day I've noticed that it has left a temporary folder on my C drive (I don't remember though if it was empty or had also files).

I think he meant that using a CD guarantees that no files are written onto the CD.
And his assumption was, since an USB flash drive is by default not write-protected, a live distro could write files to the USB flash drive.

Obviously, any live distro can write files to a hard drive. But this requires the drive to be mounted. An AV recovery CD might do this by default, but with a proper live distro, you have to do this by hand.
legendary
Activity: 3668
Merit: 6382
Looking for campaign manager? Contact icopress!
1. Are you sure? If it were a CD, then you know nothing can write to it. USB is usually not write protected.

Even with CD you cannot always be sure (!).
I've had my own experience with a bootable "recovery" (antivirus) CD, I've booted from it, used it, all good, and next day I've noticed that it has left a temporary folder on my C drive (I don't remember though if it was empty or had also files).

So I'd rather check with the community than assume things.



However, overall the points are good.
legendary
Activity: 1624
Merit: 2481
1. Are you sure? If it were a CD, then you know nothing can write to it. USB is usually not write protected.

There is no partition for the OS to write to.
He would need to create 2 partitions on the USB and mount the second one to be able to write to it.

So, yes, non-persistent linux distros on a USB flash drive can not write if there is no other partition which can be mounted.

You'd make sure to install a genuine distribution by verifying its signature of course.
Pages:
Jump to: