Topic: Bitcoin wallet stolen (25,000 coins worth ~$500,000 USD)

• Bitcoin wallets work by using public/private key pairs
• Each wallet, by default, has 100 keys, and you allocate them as needed, and then new ones are generated so that you always have 100 ready for use
• If someone manages to steal your wallet.dat file, they have the private keys for your addresses that contain the coins, and they can cryptographically sign a transaction using that private key, and therefore transfer the coins
• User who had their coins stolen admits that they found spyware/malware on their computer. Possibly also a trojan
• The attack also accessed the users account at a mining pool, and changed the destination address for payouts (some pools off the option to lock this address so that i can never be changed)
• Bitcoin transactions are irreversible and there is no central authority to settle disputes or forcibly undo a transaction (This is both a feature and a flaw, it is a trade off to allows BTC transactions to avoid many forms of interference)

How to protect your wallet file:

• Use separate wallet files, and don’t keep all of your money in one place.
• Backup your wallet file regularly. The wallet file contains the private keys that actually control the coins, without them, you cannot transfer the coins. If you totally lose your wallet file without a backup, those coins are lost to everyone forever.
• Your backups of your wallet file must be recent, because of the ‘100 key buffer’, that your wallet file has, if your backup is more than 100 transactions old, it will not contain the keys used for the newer transactions, and you will not be able to control those coins. Make sure you backup your wallet file on a regular basis. You can also adjust the configuration of your client to created a larger key buffer.
• Your wallet file is the same as your GPG key ring, protect it as best you can. It should be stored in an encrypted volume (like a TrueCrypt mount or a GBDE file system) . It might also be advisable to run the bitcoin client as a dedicated user with much more locked down permissions on your machine.
• As we learned from this incident, and the banking trojan news last week, it is imperative that you ensure that no one is logging your keystrokes, sniffing your traffic, or remotely controlling your machine (a remote control trojan such as the ZeuS banking worm, would be able to access your truecrypt partition when you mount it to use your bitcoin wallet)

mybitcoin.com – The bitcoin bank Chris is “trying”.

BITCOIN BLASTER:

- Our current Mining efforts -

Allan:
It all started with the dual GPUs in my gaming machine and the spare cycles on some of my servers, but CPUs and older nVidia cards were just not worth the power and effort with the higher difficulty.

So, a two friends and I have built a dedicated mining rig (2×5870, 1×6950) that is doing over 1100 Mh/s with a bit of overclocking. Sadly, the difficulty jump came only a few hours after we got the machine online, and it cut the profitability down. We are looking at another more expensive machine, but this will mean a longer wait for ROI.

Chris:
I’m pushing about 500 – 600 Mh/s during the day, nearing 810 MH/s at night. I plan to add two more moderately powerful ATI cards in the next week.

I bought my first physical good, a video card to mine some more. Using a “service” to convert bitcoins to Amazon gift-cards: http://www.bitcoinredemption.com/

FEEDBACK:

Q: (Michal) Is there a way for me to tell if my machine has been compromised while I was asleep?
A: Yes, using an application such as Tripware, or the Verification system in some backup software (Bacula, etc), allows you to detect which files have been changed since the last time the tool was run (ie, you run it daily). This way, when an important system file is changed, you are notified, if you did not cause this change (OS or package update/install), then it is possible someone has successfully compromised your system and modified important system files.

Q: (Dale) Is continuing to use Dropbox safe if i use TrueCrypt to encrypt my files before uploading them?
A: While it is theoretically safe to store your encrypted files in dropbox, because of the way dropbox works (copy on write deduplication), you would have to reupload the entire TrueCrypt volume every time you changed a file (because of the nature of the encryption, the changes to the encrypted volume will also be bigger). Unless you only store some very small files, or are using separate TrueCrypt volumes for each file you are storing, this will quickly get unwieldy and slow.

Q: (Michal) How can I store my users’ files such that they are encrypted with the users’ password, but can still be recovered if the password is lost/forgotten
A: The short answer is that you cannot. Strong cryptography does not have any recovery method. If you want the files to be truly secure, then they need to be able to be accessed by only a single key, and if that key is lost, the files are lost. The only real option is to encrypt the files to two different keys, one of the user, and one of the ‘Recovery Agent’, the person responsible for decrypting the files if the user loses their key. This lowers the security of the encrypted files, because the Recovery Agent can decrypt the files without the users’ permission.

Q: (Justin) How secure is it to enable to ‘text a password reset token to your mobile phone’ in gmail?
A: Mostly that depends on how secure your phone is. Does it display part of the text message when it comes in? How quickly does your phone lock it self when it is inactive. Can your unlock code be reset? How many other people have your unlock code? How easily can the unlock code be defeated? It is really up to you to decide how secure you feel your phone is. I for one, just don’t lose my passwords :p

Q: (brotherlu) What is the difference between a NAS and a SAN. Also in which environments would you use each.
A: a NAS (Network Attached Storage) is a dedicated storage device that you connect to your network. a SAN (Storage Area Network) is a dedicated network for storage devices. Usually SANs are much higher performance and sometimes use technologies other than ethernet. Really, it depends how much performance you need, SANs are much more expensive.

Grab bag bonus links:
Senate Bill Requires Permission to Collect & Share Location Data
LulzSec’s busy week:
Senate website, CIA.gov hacked. LulzSec claims responsibility.
LulzSec opens hack request line
LulzSec takes Eve Online and Minecraft offline
Ex-Googler Calls Out Google Infrastructure as Obsolete
Sophisticated Cyberattack Is Reported by the I.M.F.