1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
|
Received: from sog-mx-2.v43.ch3.sourceforge.com ([172.29.43.192]
helo=mx.sourceforge.net)
by sfs-ml-2.v29.ch3.sourceforge.com with esmtp (Exim 4.76)
(envelope-from <brian.erdelyi@gmail.com>) id 1YILPk-0001d5-UI
for bitcoin-development@lists.sourceforge.net;
Mon, 02 Feb 2015 18:08:00 +0000
Received-SPF: pass (sog-mx-2.v43.ch3.sourceforge.com: domain of gmail.com
designates 209.85.192.53 as permitted sender)
client-ip=209.85.192.53; envelope-from=brian.erdelyi@gmail.com;
helo=mail-qg0-f53.google.com;
Received: from mail-qg0-f53.google.com ([209.85.192.53])
by sog-mx-2.v43.ch3.sourceforge.com with esmtps (TLSv1:RC4-SHA:128)
(Exim 4.76) id 1YILPj-0000pW-Q4
for bitcoin-development@lists.sourceforge.net;
Mon, 02 Feb 2015 18:08:00 +0000
Received: by mail-qg0-f53.google.com with SMTP id a108so48642699qge.12
for <bitcoin-development@lists.sourceforge.net>;
Mon, 02 Feb 2015 10:07:54 -0800 (PST)
X-Received: by 10.140.30.7 with SMTP id c7mr8750403qgc.48.1422900474129;
Mon, 02 Feb 2015 10:07:54 -0800 (PST)
Received: from [192.168.1.126] ([64.147.83.112])
by mx.google.com with ESMTPSA id u65sm9393492qge.7.2015.02.02.10.07.53
(version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
Mon, 02 Feb 2015 10:07:53 -0800 (PST)
Content-Type: text/plain;
charset=utf-8
Mime-Version: 1.0 (1.0)
From: Brian Erdelyi <brian.erdelyi@gmail.com>
X-Mailer: iPad Mail (12B466)
In-Reply-To: <CALkkCJbk0czFj5mdMB6_0+Umw5V-fo-4tdBHgvg92zhyRZWiYQ@mail.gmail.com>
Date: Mon, 2 Feb 2015 14:07:52 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <F8BA8BFA-94F3-4AD5-9A04-82193AD8B886@gmail.com>
References: <27395C55-CF59-4E65-83CA-73F903272C5F@gmail.com>
<54CE3816.6020505@bitwatch.co>
<68C03646-02E7-43C6-9B73-E4697F3AA5FD@gmail.com>
<CALkkCJbk0czFj5mdMB6_0+Umw5V-fo-4tdBHgvg92zhyRZWiYQ@mail.gmail.com>
To: =?utf-8?Q?Martin_Habov=C5=A1tiak?= <martin.habovstiak@gmail.com>
X-Spam-Score: -1.3 (-)
X-Spam-Report: Spam Filtering performed by mx.sourceforge.net.
See http://spamassassin.org/tag/ for more details.
-1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for
sender-domain
0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider
(brian.erdelyi[at]gmail.com)
-0.0 SPF_PASS SPF: sender matches SPF record
-0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from
author's domain
0.1 DKIM_SIGNED Message has a DKIM or DK signature,
not necessarily valid
-0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
0.3 AWL AWL: Adjusted score from AWL reputation of From: address
X-Headers-End: 1YILPj-0000pW-Q4
Cc: Bitcoin Dev <bitcoin-development@lists.sourceforge.net>
Subject: Re: [Bitcoin-development] Proposal to address Bitcoin malware
X-BeenThere: bitcoin-development@lists.sourceforge.net
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: <bitcoin-development.lists.sourceforge.net>
List-Unsubscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>,
<mailto:bitcoin-development-request@lists.sourceforge.net?subject=unsubscribe>
List-Archive: <http://sourceforge.net/mailarchive/forum.php?forum_name=bitcoin-development>
List-Post: <mailto:bitcoin-development@lists.sourceforge.net>
List-Help: <mailto:bitcoin-development-request@lists.sourceforge.net?subject=help>
List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>,
<mailto:bitcoin-development-request@lists.sourceforge.net?subject=subscribe>
X-List-Received-Date: Mon, 02 Feb 2015 18:08:01 -0000
Martin,
Yes, the second signing could be done by a mobile device that I owned and co=
ntrolled (I wasn't thinking that initially). I was thinking that online ser=
vices are popular because of convenience and there should be a better way to=
address security (privacy issues not withstanding).
I think these are practical approaches and just doing a sanity check. Thank=
s for the vote of confidence.
Brian Erdelyi
Sent from my iPad
> On Feb 2, 2015, at 1:54 PM, Martin Habov=C5=A1tiak <martin.habovstiak@gmai=
l.com> wrote:
>=20
> Good idea. I think this could be even better:
>=20
> instead of using third party, send partially signed TX from computer
> to smartphone. In case, you are paranoid, make 3oo5 address made of
> two cold storage keys, one on desktop/laptop, one on smartphone, one
> using third party.
> If it isn't enough, add requirement of another four keys, so you have
> three desktops with different OS (Linux, Windows, Mac) and three
> mobile OS (Android, iOS, Windows Phone), third party and some keys in
> cold storage. Also, I forgot HW wallets, so at least Trezor and
> Ledger. I believe this scheme is unpenetrable by anyone, including
> NSA, FBI, CIA, NBU...
>=20
> Jokes aside, I think leaving out third party is important for privacy reas=
ons.
>=20
> Stay safe!
>=20
> 2015-02-02 18:40 GMT+01:00 Brian Erdelyi <brian.erdelyi@gmail.com>:
>> Another concept...
>>=20
>> It should be possible to use multisig wallets to protect against malware.=
For example, a user could generate a wallet with 3 keys and require a tran=
saction that has been signed by 2 of those keys. One key is placed in cold s=
torage and anther sent to a third-party.
>>=20
>> It is now possible to generate and sign transactions on the users compute=
r and send this signed transaction to the third-party for the second signatu=
re. This now permits the use of out of band transaction verification techni=
ques before the third party signs the transaction and sends to the blockchai=
n.
>>=20
>> If the third-party is malicious or becomes compromised they would not hav=
e the ability to complete transactions as they only have one private key. I=
f the third-party disappeared, the user could use the key in cold storage to=
sign transactions and send funds to a new wallet.
>>=20
>> Thoughts?
>> -------------------------------------------------------------------------=
-----
>> Dive into the World of Parallel Programming. The Go Parallel Website,
>> sponsored by Intel and developed in partnership with Slashdot Media, is y=
our
>> hub for all things parallel software development, from weekly thought
>> leadership blogs to news, videos, case studies, tutorials and more. Take a=
>> look and join the conversation now. http://goparallel.sourceforge.net/
>> _______________________________________________
>> Bitcoin-development mailing list
>> Bitcoin-development@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/bitcoin-development
|
