Author Topic: All Bitshares, Protoshares, and DNS stolen from my wallet -- at the same time  (Read 10051 times)


Offline educatedwarrior

@bytemaster
"We provide the YubiKey OTP Validation server for developers looking to integrate the YubiKey OTP Validation with an existing web site or service."
https://www.yubico.com/develop/open-source-software/validation-server/

What about the idea to integrate the YubiKey OTP Validation with our BTS client?
I am sure most delegates would be positive to fund such an integration, or not? Am I missing something?

@liondani, integration with YubiKey seems to be a great idea. Thank you.

Here is a link for using YubiKey + Password manager for applications without YubiKey integration.
https://www.yubico.com/applications/password-management/consumer/keepass/
BTSX: codeblooded   |   PTS: PiiQ6ZECCRYawcZFc8ZGbvjuCjCnBVuPjA
BTSX delegate: wallet_approve_delegate codeblooded true

Offline cass

@bytemaster
"We provide the YubiKey OTP Validation server for developers looking to integrate the YubiKey OTP Validation with an existing web site or service."
https://www.yubico.com/develop/open-source-software/validation-server/

What about the idea to integrate the YubiKey OTP Validation with our BTS client?
I am sure most delegates would be positive to fund such an integration, or not? Am I missing something?

Yup, or maybe BTS Trezor... I stay in touch with slush and alena from Bitcoin Trezor... I'll contact them later this week...
█║▌║║█  - - -  The quieter you become, the more you are able to hear  - - -  █║▌║║█

Offline liondani

@bytemaster
"We provide the YubiKey OTP Validation server for developers looking to integrate the YubiKey OTP Validation with an existing web site or service."
https://www.yubico.com/develop/open-source-software/validation-server/

What about the idea to integrate the YubiKey OTP Validation with our BTS client?
I am sure most delegates would be positive to fund such an integration, or not? Am I missing something?

Yup, or maybe BTS Trezor... I stay in touch with slush and alena from Bitcoin Trezor... I'll contact them later this week...
+5 to using your connections...
but my understanding is that the YubiKey solution is much cheaper for the end user than the Trezor solution... at least with the current prices... and the degree of security is about the same... but it would be optimal to have both options in the near future... Nobody could use the "security" argument against BitShares after that! It would definitely help a lot to get to mass adoption...

Sent from my ALCATEL ONE TOUCH 997D

  https://bitshares.OPENLEDGER.info/?r=GREECE  | You are in Control | BUY | SELL | SHORT | SWAP | LOAN | TRADE |  

Offline bitmeat

You guys don't understand how Yubikey works. It requires a centralized server that knows the secret and verifies it. Not that it can't be done with crypto, but you will still need to put your trust in a centralized entity. I'd much rather have an app that receives all transaction details over the net and shows it to you on your phone, where you can then decide whether to sign it or not. So even if your PC is compromised you never ever have your private keys exposed on it.

Offline educatedwarrior

I took liondani's recommendation and purchased a YubiKey NEO for $50 and am using it with the password manager and generator KeePass. Excellent increase in security.
BTSX: codeblooded   |   PTS: PiiQ6ZECCRYawcZFc8ZGbvjuCjCnBVuPjA
BTSX delegate: wallet_approve_delegate codeblooded true

Offline educatedwarrior

You guys don't understand how Yubikey works. It requires a centralized server that knows the secret and verifies it. Not that it can't be done with crypto, but you will still need to put your trust in a centralized entity. I'd much rather have an app that receives all transaction details over the net and shows it to you on your phone, where you can then decide whether to sign it or not. So even if your PC is compromised you never ever have your private keys exposed on it.

bitmeat, I don't think YubiKey needs a centralized server. It works with KeePass and doesn't require a centralized server, you just have to install a KeePass plugin.

Here is the source to the plugin - http://keepass.info/extensions/v2/otpkeyprov/OtpKeyProv-2.3-Source.zip
Maybe someone could take a look at the source and implement it in BitShares... it is written in Visual C#
« Last Edit: November 06, 2014, 03:06:55 am by educatedwarrior »
BTSX: codeblooded   |   PTS: PiiQ6ZECCRYawcZFc8ZGbvjuCjCnBVuPjA
BTSX delegate: wallet_approve_delegate codeblooded true

Offline bitmeat

You guys don't understand how Yubikey works. It requires a centralized server that knows the secret and verifies it. Not that it can't be done with crypto, but you will still need to put your trust in a centralized entity. I'd much rather have an app that receives all transaction details over the net and shows it to you on your phone, where you can then decide whether to sign it or not. So even if your PC is compromised you never ever have your private keys exposed on it.

bitmeat, I don't think YubiKey needs a centralized server. It works with KeePass and doesn't require a centralized server, you just have to install a KeePass plugin.

Here is the source to the plugin - http://keepass.info/extensions/v2/otpkeyprov/OtpKeyProv-2.3-Source.zip
Maybe someone could take a look at the source and implement it in BitShares... it is written in Visual C#

Thank you for the clarification! There are two modes, I was referring to the server mode. I see the static master password mode - that's fantastic. Should be easy to implement.

http://keepass.info/help/kb/yubikey.html
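bitmeat's server-mode point, shown as an added Go example that is not code from the thread, from Yubico or from KeePass: a minimal validator for a YubiKey-style OTP. It takes the 16 ciphertext bytes (the 32 modhex characters after the 12-character public ID, assumed already decoded) and needs the device's AES key and private UID, which is exactly the secret the validating server has to hold; the key, UID and counter values in any test are constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/binary"
	"errors"
)

// CRC16: reflected CRC-16 (poly 0x8408, init 0xffff); a genuine decrypted token leaves residue 0xf0b8.
func CRC16(b []byte) uint16 {
	crc := uint16(0xffff)
	for _, c := range b {
		crc ^= uint16(c)
		for i := 0; i < 8; i++ {
			crc = crc>>1 ^ 0x8408*(crc&1) // shift, xor the polynomial if the low bit was set
		}
	}
	return crc
}

// Validator is the server side of OTP mode: it must hold the device's AES key
// and private UID, which is the centralised trust bitmeat points at.
type Validator struct {
	Key, UID []byte // 16-byte AES-128 key and 6-byte private identity (constructed in tests)
	LastCtr  uint32 // highest session<<8|use counter accepted, for replay detection
}

// Validate checks the 16 ciphertext bytes of an OTP (its 32 modhex chars after the public ID, decoded).
func (v *Validator) Validate(ct []byte) error {
	c, err := aes.NewCipher(v.Key)
	if err != nil || len(ct) != aes.BlockSize {
		return errors.New("bad key or ciphertext length")
	}
	tok := make([]byte, aes.BlockSize)
	c.Decrypt(tok, ct) // a single AES block, no mode or IV involved
	// token layout: uid[0:6], session ctr[6:8] LE, timestamp[8:11], use[11], random[12:14], crc[14:16]
	ctr := uint32(binary.LittleEndian.Uint16(tok[6:8]))<<8 | uint32(tok[11])
	switch {
	case CRC16(tok) != 0xf0b8:
		return errors.New("bad CRC: wrong key or corrupted OTP")
	case !bytes.Equal(tok[:6], v.UID):
		return errors.New("private UID mismatch")
	case ctr <= v.LastCtr:
		return errors.New("replayed or stale OTP")
	}
	v.LastCtr = ctr
	return nil
}
```

Whoever runs this validator can mint tokens for the device, which is why bitmeat calls it a trust decision rather than a key-custody solution.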

Offline bitmeat

Let me just add, though, that even in this mode, if your PC is compromised you are not safe, as the produced master key could still be captured. The device won't do the signature, it will just produce the master key, which can be captured on a compromised PC.

However if the signature happens on another device (e.g. Trezor / mobile cell phone) it is far less likely that it will get hacked.

Offline arhag

Let me just add, though, that even in this mode, if your PC is compromised you are not safe, as the produced master key could still be captured. The device won't do the signature, it will just produce the master key, which can be captured on a compromised PC.

However if the signature happens on another device (e.g. Trezor / mobile cell phone) it is far less likely that it will get hacked.

Just to add to what bitmeat said, all of these supposed MFA schemes being recommended in this thread are just tiny marginal improvements in security that are insignificant compared to the true MFA security provided by multisig. The multisig security necessary can only be achieved when the BitShares client itself has been upgraded to implement those features. Then, a transaction can be signed by different devices each storing the private key for their part of the signature on the separate devices. The probability of all of the devices being simultaneously compromised is low, which is what provides the security. This is especially true when some of the devices are used specifically for these signing purposes only and do not have an internet connection. An example of such a device would be a Trezor or, more realistically for our purposes, a separate laptop with internet connectivity disabled that boots a live Linux environment from a read-only medium (this is also why offline transaction signing features are necessary for the client).

Here is an example of how the YubiKey may not protect you if you have malware running on your computer. You use the YubiKey to essentially auto-type a secure passphrase into KeePass and unlock the password manager. You then need to copy your BitShares wallet password from KeePass and paste it into the BitShares client to unlock it. You could have malware running on your computer that simply logs a copy of everything you copy and paste while using the OS. It could then upload the changes to this log to the attacker's server whenever it has an internet connection. The malware could also scan your hard drive for something that looks like your KeePass database and your BitShares encrypted wallet private key and upload those to the server as well (worst case scenario the attacker could do this semi-manually with the help of screen captures after they are informed by the malware that the victim has cryptocurrency apps installed on their computer). With the BitShares encrypted wallet private key, the KeePass database, and the KeePass master passphrase which can be trivially brute-forced using the list of copied text from the clipboard log, the attacker could get access to the decrypted BitShares wallet private key and thus access to all of the funds held by all BTS accounts available via the BitShares wallet.
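arhag's m-of-n point, as an added Go example that is not BitShares code (it uses Go's standard ECDSA on P-256 rather than the chain's own key scheme, and the transaction bytes are constructed): each device keeps its own key, and the policy counts only distinct authorised signers, so one captured key or one compromised PC cannot reach the threshold by itself.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Device models one signing device (an offline laptop, a Trezor) holding its own key; only signatures leave it.
type Device struct{ priv *ecdsa.PrivateKey }

// NewDevice generates a fresh P-256 key on the device.
func NewDevice() (*Device, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{priv: k}, nil
}

func (d *Device) Public() *ecdsa.PublicKey { return &d.priv.PublicKey }

// Sign hashes the serialised transaction and signs the digest locally.
func (d *Device) Sign(tx []byte) ([]byte, error) {
	h := sha256.Sum256(tx)
	return ecdsa.SignASN1(rand.Reader, d.priv, h[:])
}

// Policy is an m-of-n rule: Threshold distinct authorised keys must sign.
type Policy struct {
	Authorized []*ecdsa.PublicKey
	Threshold  int
}

// Authorize accepts tx only if at least Threshold distinct authorised keys signed it;
// repeated signatures from one key count once, so a single compromised device cannot reach the threshold.
func (p Policy) Authorize(tx []byte, sigs [][]byte) bool {
	h := sha256.Sum256(tx)
	seen := make(map[int]bool)
	for _, sig := range sigs {
		for i, pub := range p.Authorized {
			if !seen[i] && ecdsa.VerifyASN1(pub, h[:], sig) {
				seen[i] = true
				break
			}
		}
	}
	return len(seen) >= p.Threshold
}
```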

Offline fuzzy

Let's get together and help out with this. I will gladly put information in the server to a new wallet and we can see if attendees would be willing to help make you at least partially whole again.

Sorry this happened and I will gladly add any delegates to the Beyond Bitcoin Delegate Slate who are working on bringing real security solutions to non-technical holders of these chains' tokens.
WhaleShares==DKP; BitShares is our Community! 
ShareBits and WhaleShares = Love :D

Offline liondani

Let me just add, though, that even in this mode, if your PC is compromised you are not safe, as the produced master key could still be captured. The device won't do the signature, it will just produce the master key, which can be captured on a compromised PC.

Here is an example of how the YubiKey may not protect you if you have malware running on your computer. You use the YubiKey to essentially auto-type a secure passphrase into KeePass and unlock the password manager. You then need to copy your BitShares wallet password from KeePass and paste it into the BitShares client to unlock it. You could have malware running on your computer that simply logs a copy of everything you copy and paste while using the OS. It could then upload the changes to this log to the attacker's server whenever it has an internet connection. The malware could also scan your hard drive for something that looks like your KeePass database and your BitShares encrypted wallet private key and upload those to the server as well (worst case scenario the attacker could do this semi-manually with the help of screen captures after they are informed by the malware that the victim has cryptocurrency apps installed on their computer). With the BitShares encrypted wallet private key, the KeePass database, and the KeePass master passphrase which can be trivially brute-forced using the list of copied text from the clipboard log, the attacker could get access to the decrypted BitShares wallet private key and thus access to all of the funds held by all BTS accounts available via the BitShares wallet.

Even on compromised computers, it's much more difficult for the intruder to get the password when someone has combined these "techniques":

http://keepass.info/help/v2/autotype_obfuscation.html

http://keepass.info/help/kb/sec_desk.html

EDIT: Can somebody explain to me how they can get the static password from the YubiKey? It doesn't work like copy/paste, as far as I know...
« Last Edit: November 06, 2014, 07:49:02 pm by liondani »
  https://bitshares.OPENLEDGER.info/?r=GREECE  | You are in Control | BUY | SELL | SHORT | SWAP | LOAN | TRADE |  

Offline educatedwarrior

Let's get together and help out with this. I will gladly put information in the server to a new wallet and we can see if attendees would be willing to help make you at least partially whole again.

Sorry this happened and I will gladly add any delegates to the Beyond Bitcoin Delegate Slate who are working on bringing real security solutions to non-technical holders of these chains' tokens.

Your help would be appreciated, fuzzy. That was a devastating hit. Currently I'm very far away from being even partially whole. I have received donations from two members so far, which are very much appreciated. That's less than 0.1% of my losses. However I am very optimistic about this community, which seems to be very caring and supportive.

I only desire to be made whole again, and anything above that given back to the community to support "bringing real security solutions ... of these chains' tokens".
« Last Edit: November 07, 2014, 02:30:30 am by educatedwarrior »
BTSX: codeblooded   |   PTS: PiiQ6ZECCRYawcZFc8ZGbvjuCjCnBVuPjA
BTSX delegate: wallet_approve_delegate codeblooded true

Offline educatedwarrior

I posted a summary of the donations received as of 11/16/2014. Your help to recover my stolen funds will be appreciated.

https://docs.google.com/spreadsheets/d/1ZHQkYlMlHG1R20mKpqYLdJBdxwvS7TV_Af1F2vnQq5o/edit?usp=sharing

BTSX: codeblooded   |   PTS: PiiQ6ZECCRYawcZFc8ZGbvjuCjCnBVuPjA
BTSX delegate: wallet_approve_delegate codeblooded true

Offline toast

Do not use this post as information for making any important decisions. The only agreements I ever make are informal and non-binding. Take the same precautions as when dealing with a compromised account, scammer, sockpuppet, etc.

Offline liondani

You seemed to have missed the memo:
https://github.com/BitShares/bitshares/blob/develop/build_sharedrop.py#L233
What does that mean?

Sent from my ALCATEL ONE TOUCH 997D

  https://bitshares.OPENLEDGER.info/?r=GREECE  | You are in Control | BUY | SELL | SHORT | SWAP | LOAN | TRADE |