If you don't own your OS, you don't own your BTC(combatnerd.com) |
If you don't own your OS, you don't own your BTC(combatnerd.com) |
>"it is highly recommended to run on Free and OpenSource Software...This way, you know exactly what is running on your system"
I get this feeling as well: that when I use FOSS I know exactly what my computer is doing.
But I don't. Linux is about 14 million lines of code, and that doesn't include your distro. You might be able to cut this down by compiling it yourself, but you'll still have to be an expert to understand everything that is happening on your computer.
It's the same thing with Windows, millions of lines of source code written by thousands of people.
I think that until you hear that someone lost their wallet key and MS was to blame, you're probably safe. Key theft (through keylogging) may be harder to detect on a closed-source OS, but there are still a lot of people (outside of MS) working on MS security and playing around with the OS to learn things about it.
That all being said, Linux is easier to become an expert on due to all of the public resources/documentation. Microsoft tends to clam up when it comes to documentation about their OS.
None of this can happen or has happened with Windows. You gotta trust a company firmly shut to the outside world.
Hey writer, if you’re reading this and you need someone to talk to, my email is on my profile. Have a happy 2020.
The author is not saying anything that is not true. Given everything that happened and was disclosed in the past decade, I don't think one has to be paranoid to be deeply suspicious of black box software controlled by big tech.
> If Microsoft decides to terminate your license, what happens to your Bitcoin?
Your Bitcoin is represented by some kind of data stored on your computer I assume. So this data should be backed up, right? So the anwser is that you would access the bit coins from some device which you have a license to use?
If my understanding is right then I would consider the quoted statement to be a bit FUD:y.
In this case, let’s step back and add some perspective. Microsoft is one of the biggest companies in the world. Their valuation is buoyed by Microsoft’s role in the enterprise. Do you actually believe that Microsoft would want to sacrifice that position for some bitcoin?
Or, there’s the rogue employee hypothesis. Realistically, how many people at Microsoft could directly commit code into Windows without it going through a review? Do you think any of those people are interested in stealing bitcoin? Now, look at all the other employees who have to go through some sort of review before their code ships. Do you think one of them has teamed up with their entire review chain to steal bitcoin?
How probable is any of that? And if any of that was going on, how easy would it be to catch the offenders?
There is a massive gap between analyzing what I do for marketing purposes and stealing my keys.
Edit - We live in a very sad world where you can’t reach out and offer someone an ear without being accused of ‘humblebragging’. I can’t believe what the internet has become in the last 25 years. This is quite upsetting.
...
2) "The easiest way to get started is to install Linux in a Virtual Machine and get yourself familiar with the system."
Therefore, enter your password into an input field, in a virtual machine inside your proprietary Operating System key logging you?
He would probably need to invent his own internet though.
This, of course, is quite an academic worry in comparison to the gargantuan quest "bootstrap yourself from raw materials to a computer...and don't make any mistakes along the way."
[1] There is a secondary point that employees within OSCorp cannot be trusted to not access your data.
This basically never happens to private individuals - the license enforcement focuses on getting you to pay for it instead. The data in any case remains yours and you can theoretically lift it off the drive (or your backups!) with FOSS.
In the very unlikely event of getting raided for copyright infringement, they'll take all your hardware and sort it out later.
(Of course the whole thing is a tremendous anti-advert for bitcoin if it can't be safely used on normal computer systems...)
Maybe I'm missing some legal nuance. But if the license is revoked, wouldn't you still be able to recover your Bitcoin using a FOSS OS? Especially if it is stored on a separate disk or partition from the OS.
For those interested in BTC security, the best you can do IMO is glacier protocol (which I'm surprised isn't mentioned in this article) https://glacierprotocol.org/
ColdCard wallets are also an excellent choice, even better when used as a part of a multisig setup with your desktop, more cold cards, or another hardware wallet.
Multisig across multiple hw wallets / computers (2/3 at least) is the best solution to self custody IMO. Single sig is SPOFfy.
I guess at least :)
There are much bigger attack vectors than the operating system vendor. Even using with a FOSS OS, you are susceptible to viruses or other attacks not initiated by the OS vendor.
Use a hardware wallet or cold storage. Use a multi-sig wallet for corporate-sized quantities.
Holding your own BTC is not simple but there are good solutions. Be safe out there.
It’s not a matter of idealism, it’s a matter of reality. How long would it take a person of the Posters level of paranoia to guarantee they weren’t somehow compromised? And how long would it take to recheck on update?
There’s a point where the fear of bad actors becomes counterproductive.
It's obviously a matter of risk management (a term I was surprised to not see in the article); the more crypto you have the more care you should put into storing the wallet.
And with smartphones, adversaries can access the OS using StingRay etc.
Edit: I should have said "devices like StingRays". Perhaps StingRays can only track, and maybe see traffic. But the baseband is poorly secured, and has privileged access.
I was not aware of StingRay possessing any advanced capabilities, other than being used as a IMSI catcher and providing LE with 'tower dumps'?
https://en.wikipedia.org/wiki/Stingray_phone_tracker
https://eu.usatoday.com/story/news/nation/2013/12/08/cellpho...
Also, baseband firmware is totally black box, so we have no clue what its capabilities are. So the safest bet is isolating it in a subsystem, or better in a separate device, which can be firewalled.
https://www.osnews.com/story/27416/the-second-operating-syst...
The idea that ElementaryOS is less likely to steal your coins than Windows or OS X is simply laughable.
At least with Linux we have thousands of open source developers keeping an eye on things, chances are much higher that an issue would be caught with Linux since Windows is closed source.
A bit of pithy sarcasm for your morning: Those thousands of eyes worked so well with OpenSSL, didn’t it?
Those eyes are less vigilant than you might think, especially when the eyes aren’t being paid to monitor a particular chunk of code.
That’s all utterly irrelevant when ElementaryOS doesn’t even offer reproducible builds.
Besides, source code access doesn’t make finding bugs much easier. Usually you’ll be auditing binaries anyway.
But in any case, if you care about security, you have a hardware wallet and store the seed somewhere secure.
That is, Windows is a target that's an order of magnitude bigger - of course there will be more attacks.
The kernel is auditable...maybe, possibly, theoretically, to a point - but what good is a kernel, when there's unauditable firmware between the OS and the hardware?
That isn't even counting the hardware stack underneath your kernel. What parts of your machine were manufactured in China? Is Intel IME trustworthy? What about all those firmware blobs?
I’m sorry, but it’s really obvious that you don’t really know what you’re talking about.
Very few commits are looked at by more than a handful of people. If you’ve ever had any involvement in FOSS development you must know this.
I'm probably just adding to the paranoia though. In reality, this whole thing is a very unrealistic attack. What hluska has stated is mostly true, but I'd like to add that an employee that could write code into an OS that would steal bitcoin and stay undetected would have to have a lot of skill. More than that random engineer that they just hired, think a guy with a PhD. Those types of people generally don't risk their jobs to steal because they're usually committed to their work and make a lot of money.
If you store data on a computer without backups you can expect to lose that data. Disks breaks, files are corrupted, computers are stolen, node.js deletes your crap. Or whatever.
As for employees embedding stuff in OS code. Sure, that can happen. Open source developers can also embed such code into any code they write, which has happened many times already. Unless you are writing your OS yourself from scratch or manually reviewed all source code for all code running on your machine (which I suspect no one has done the last decades), this is a risk. Open source or not.
I believe that what Grifball is saying is that if your disc was fully encrypted and you lost the ability to decrypt, you’d be in a lot of trouble. In the BitLocker case, if you had a valid Windows license, encrypted your disc and lost your license, it would be a very bad day.
As for your comments about backups, you’re correct though in this case, a backup wouldn’t be much use if you lost access to BitLocker. That would take a really serious ops failure, but far stranger things have happened.
That there have been two major OpenSSL security fumbles (first was the Debian OpenSSL fiasco, second Heartbleed) sort of suggests that the value of "many eyes" for ensuring security is vastly overrated.
And not to mention that Windows - the explicitly called out alternative from this article - makes their source available for security companies (as well as general developers who sign up for their MSDN program).
Why? Heartbleed was discovered by fuzzing the compiled binaries, not by eyeballing the source code.
Nothing prevents you from performing the exact same research on proprietary software.
> backup wouldn’t be much use if you lost access to BitLocker
Why? What kind of backup are you talking about? This statement makes no sense to me.
However I think Linux's security is partly an artifact of a more techie user base. For a non-technical or too busy to be technical user I would say Apple offers the best security out of the box.
Both Linux and Mac users have been hit with ransomware.
In terms of the security of the operating system itself, Windows may well be more secure than Linux. Many Windows applications, however, are going to be much less secure than the OS--although it's not like Linux applications are stellar in this regard as well (e.g., Docker).
I believe the latter is true; I've seen some incredibly intelligent individuals fall victim to shady crap.
We (as in the entire software development community) need to lower that bar.
>Windows may well be more secure than Linux
This is very obviously the case if you look into the deployed exploit mitigation technologies.