It's been a long time coming, but what with the massive rises in fiat-based prices and corollary public attention, it is high time I got down to business and got all expository on how to keep your cryptoassets safe.
First a little background on why security is so crucial. Bitcoin, altcoins, and cryptoassets (@ARKblockchain's epic umbrella term of choice) are different from other things of value that you may own. Because they are virtual, you can't actually hold them-- this concept you're familiar with if you have a bank account with a balance and use credit or debit cards without actually holding fiat cash in your hands, purse, or pockets. But because they are decentralized and trustless, they are also not actually ownable-- what I mean by this is, they are owned by everybody and nobody like some fucked up Schroedinger financial experiment. Through the properties of the cryptographic public/private keypair, a cryptoasset only confers you with the ability to spend it irrevocably, or also hodl it by not spending it irrevocably, I guess. Ownership of a cryptoasset is thus fickle like a secret-- possession of a secret doesn't mean you own and control that secret information exclusively. It's that way with your private keys. Whomsoever knows the private key to "your" cryptoassets, by virtue of cryptography, also controls them and has an equal claim to them. Prisoners' dilemma dictates that, if a private key is known by multiple people, the person who is first to exercise its spend ability, is entitled to the full benefits of that spend, to the exclusion of all the other knowers.
The bottom line of this is: you don't own your cryptoassets unless YOU, and ONLY YOU, know your private key! That key might be the actual private key of a bitcoin wallet address, or the twelve-random-word seed of a BIP-39-enabled wallet, or the PIN to your Trezor (which you should already goddamned know NOT TO EVER SHARE A PIN WITH ANYONE EVEN YOUR TRUE LOVE).
sorry babe respect my pin privacy please babe
There is a somewhat scary realization that comes from this. Your Coinbase account? Yup, those bitcoins aren't yours. Coinbase controls the private keys. Sure, as a service provider they have a US-government regulated contract with you to help you as their client manage "your" bitcoins. But what's stopping them from emptying your account and saying bye-bye? On a software level, literally nothing. Same with your Poloniex account. All those altcoin positions you have actually belong to this guy: Tristan D'Agosta, who reprints sheet music as his former main hustle.
sup you want some private keys because i have mostly all of them
You have entered into a trusted relationship with these businesses, in which you contractually agreed to surrender access to any private keys in order to use the services they provide. "Your" assets are no longer protected by the trustless cryptography of their respective blockchains. Coinbase and Polo have a client duty to keep "your" assets "yours", but on a cryptographic software level, you own fucking zero times zero. This is what counterparty risk means, and ask Mark Karpeles of Mt. Gox if it's real.
Given these examples, it's worth yelling this in your face again: you don't TRULY own your cryptoassets unless YOU, and ONLY YOU, know your private keys. So to amass and protect cryptoasset wealth, you MUST learn to become very, very good at keeping cryptographic secrets. And I will tell you this right now: security is a big responsibility...it's a FUCKING CHORE. It is also the #1 chore I keep up with in my life. I learned the hard way-- got my dumb ass trojan'd in April 2015 and lost 80% of the cryptoasset wealth I had built up at that time. It was an expensive lesson I will never forget. Please let me pass it on to you at zero cost. PLEASE. The responsibility of security is YOURS ALONE, and it is HOLY SERIOUS.
There is a very large and nuanced scale of technological affinity out there. Cryptoassets started at the high-tech-geek end and are moving toward the Apple end at an accelerating clip. But we’re still in the fairly early days before Jony Ive UX-es a grandma-friendly cryptoasset platform, and your security responsibility is partnered with the responsibility to know and understand the technology you’re using. This may take you out of your comfort zone! And if it does, maybe you should think twice about accumulating assets you don’t understand how to protect-- you shouldn’t buy a house if you don’t know how to lock your damn door. Know at least that a search will take you to all kinds of resources-- like this one-- with advice, instructions, forums and discussions. Don’t be afraid to ask dumb questions, as the more people are comfortable dealing with cryptoassets and the related technology, the more value is conferred to the cryptoasset class as a whole. The rising tide lifts all boats moonward on the sea of wealth!
To exercise the benefits of cryptoasset wealth, you have to routinely jeopardize your private keys somewhat: by interacting with third party services, by using software that can be at times experimental, and by dealing with weak links in the fiat (regular noob money like USD) spending world, into which you'll have to integrate until they get a clue and go full crypto. This security primer is meant to help you understand the nuances of that jeopardy, and make informed, intelligent decisions on how to manage its risks. Starting with the big one that nobody thinks about.
1. MINIMIZE COUNTERPARTY RISK.
This means, hold as few cryptoassets as possible on outside services like exchanges or corporate wallet providers. Not trading? Don't let your coins sit on Poloniex or Bittrex. Socking away bitcoins into a long-term hodl? Don't use your Coinbase account for that. These are companies governed by the laws of the countries in which they happen to be, not regulated, insured banks with policies that protect your holdings with them for a price. They give you specific services and anything beyond those you choose to use-- like using Poloniex as a multi-altcoin wallet instead of just for trading-- is 100% at your risk and responsibility.
So what do you do instead? You download and use your own software wallets.
But not so fast! (heh.) You have to know and trust the provider of the software wallet that it only includes standard code that allows you to manage your cryptoasset. There are thus several levels of security to this; choose the one that is right for you.
Inspect the code at https://github.com/bitcoin/bitcoin (or the open source code repository of the cryptoasset in question). Once you are sure it contains nothing out of the ordinary, copy and compile it yourself for your own operating system, and use that wallet you created. If there is no publicly open source code to inspect, it is not safe.
Download a wallet binary (a runnable program) from a trusted provider. This could be the developer of the cryptoasset in question, IF you trust that person. For something like Bitcoin, there are well-trusted options like https://samouraiwallet.com/ (my favourite) or all the standards you can get at https://bitcoin.org/en/getting-started (note the .org, do not visit .com, it is a VERY silly place). For an altcoin, practice all the most secure security measures above, and ONLY take it from a link on its official website or in its original Bitcointalk announcement (ANN) posting.
2. PRACTICE SAFE WALLETING.
step 1 put on your favourite colour condom or 2nd favourite colour
Cryptoasset wallets are software programs that connect to the entire network of that asset, sending and receiving blockchain transaction information (and its derivatives, like smart contract information). If you fuck with altcoins, the sketchier the altcoin, the more likely it was created simply as a red herring to actually get a hidden virus onto your machine, which could empty your other cryptoasset wallets, steal your personal info, or do any number of unwanted things. But if you want to download and use a wallet whose private keys you control exclusively, you will be taking the risk of installing experimental software on your devices and allowing it access to your network. Here is how to do that safely.
Once you have downloaded a wallet file from the most trusted source available, check the MD5, SHA-1, or SHA-256 hash of what you downloaded (using http://onlinemd5.com/ or a similar trusted service) against the hash published by the provider, and discard the downloaded file if the hashes don't match. Then, no matter what, run the downloaded wallet program through virus scanners to make every possible effort to ensure it is safe. Upload it to https://www.virustotal.com/en/, then run it through paid Malwarebytes and paid Emsisoft and paid HitmanPro scans. No hits? You may continue. Run the wallet on its own computer or device, with no other programs or identifying information on that device. Then, encrypt your wallet with a unique, random password (more about passwords and encryption later).
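The hash comparison described above can be done locally instead of through a web service. This is an added example, not code from the original post: it assumes the provider publishes a SHA256SUMS-style list, and the file name wallet-setup.bin and its contents are constructed for the demo.

```python
import hashlib
import hmac
import os
import re
import tempfile

# One checksum-list line: 64 hex digits, whitespace, an optional "*"
# (binary-mode marker written by sha256sum), then the file name.
SUMS_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(.+)$")


def sha256_file(path, chunk_size=1 << 20):
    """Hash the file in chunks so a large installer never sits fully in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_sums(text):
    """Return {file name: lowercase hex digest} from a checksum list."""
    sums = {}
    for line in text.splitlines():
        match = SUMS_LINE.match(line.strip())
        if match:
            sums[match.group(2)] = match.group(1).lower()
    return sums


def verify_download(path, sums_text):
    """True only if the file's SHA-256 equals the published value for its name.

    Raises KeyError when the file name is not listed at all, so that
    "no published hash" is never mistaken for "hash matched".
    """
    expected = parse_sums(sums_text)[os.path.basename(path)]
    return hmac.compare_digest(sha256_file(path), expected)


if __name__ == "__main__":
    # Constructed demo data: a stand-in "installer" and a matching list.
    with tempfile.TemporaryDirectory() as workdir:
        installer = os.path.join(workdir, "wallet-setup.bin")
        with open(installer, "wb") as fh:
            fh.write(b"constructed installer bytes, not a real wallet")
        published = f"{sha256_file(installer)}  wallet-setup.bin\n"

        print("untouched file verifies:", verify_download(installer, published))

        # Simulate a tampered or corrupted download: one extra byte.
        with open(installer, "ab") as fh:
            fh.write(b"\x00")
        print("modified file verifies: ", verify_download(installer, published))
```

A matching hash only proves the file is the one the checksum list describes, so take that list from the provider's official page (and check its signature where one is published), not from the mirror that served the download. Prefer the SHA-256 value when several are offered, since MD5 and SHA-1 both have practical collision attacks.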
The reality is, it's worth the calculated sacrifice to run all the programs/apps we need to on the same device; having one phone for every app or one computer for every program is too ridonkulous for the practical user.
If you have the time, networking chops, and physical space to do so, it can be worthwhile to dedicate some physical machines to cryptoasset wallet functions anyway. Microcomputing is inexpensive and accessible using a Raspberry Pi (https://www.raspberrypi.org/), though the Pi’s resources don’t easily handle wallets built for Windows, which is the most common operating system for which cryptowallets are built. A more expensive Intel NUC (http://www.intel.co.uk/content/www/uk/en/products/boards-kits/nuc.html) will handle Windows wallets.
Virtualization using a virtual machine is another second-best-fit solution: it chops off a segment of a computer’s CPU power, hard disk, and RAM, and creates its own virtual computing environment using those resources, as though they belonged to an entirely separate machine which runs windowed on the main machine. You can install the operating system of your choice on this machine, and any infected software on the VM can’t access or damage anything on the real host. Sandboxing using Sandboxie (https://www.sandboxie.com/, Windows only) is a similar process that dynamically (as opposed to statically with a VM) allocates your physical host’s resources across segregated sandbox environments, allowing you to run more processes with less resource usage: a slightly more nimble solution at a small security cost.
If you do end up with a virus, it most likely won’t be able to infect anything outside the sandbox or VM, whose contents you can delete. The air gap between dedicated wallet machines in the Most Secure option is a lot harder for infections to traverse.
3. PRACTICE SAFE COMPUTING.
Rather than a most secure and less secure option set, here you get a menu. The most secure option is doing EVERYTHING in this menu. You get less secure the more you skip, so this is your chance to be a hacker’s worst date ever, and order one of everything.
There’s not much to say about backups that isn’t already covered out there by services that recover items of personal sentimental value, which you’ll know about if you’ve ever lost a hard drive full of old pictures. And if you’ve ever worked with a business that had its shit together, you were likely aware of their systems and protocols that backed up valuable records. With cryptoassets, the need to run sound backup policy has an additional wrinkle: every backup of a wallet needs to be as secure as your private key, because it IS your private key. It’s creating and backing up your money, which is an amazing feature that assets like cash or gold don’t have, but it’s a recipe for loss if your backup system and protocols are not robust and secure.
Briefly, the fundamentals of backing up electronically stored value are:
- Backup regularly and frequently
- Store multiple backups for redundancy
- Store backups in multiple geographic locations
- Encrypt your backups
also get one of these
The very best part of backing up cryptoasset wallets is that you don’t have to do it regularly! Your private key just puts your name and claim on your spendable cryptoassets; its blockchain is by definition always up to date. You will always be able to restore your cryptoasset from its private key with a new wallet. The only time you’ll need to update your backups is if you need to backup new wallets containing assets on new blockchains. (ERC20 tokens on Ethereum and similar chains are already backed-up in your Ethereum wallet).
Multiple geographic locations are extremely important. I personally have one easily accessible in my home (for frequent addition of new wallets, if I need that); one elsewhere in my home; one with a family member; and one in a safety deposit box. If I were to keep all the backups sitting by my computer, it wouldn’t matter whether I had one or a hundred USB keys: if my place burned down, they’d all burn with it. A seemingly easy shortcut would be to store your backups in the cloud for automatic redundancy this way, but as we all know, cloud storage services have been hacked before and will be hacked again. And even if your cloud-backups of wallets are encrypted, they are also likely tied to your personal information, which if leaked in a hack could make you more of a target than you would want to be. So be aware of the risks of cloud backups.
Thus, the most important part of cryptoasset backing-up is encryption. If one of your backups is hidden and unencrypted, someone finding it would instantly know your private keys, and as we now know, finders keepers is a fundamental rule of cryptographic private keys! Your backups NEED to be encrypted with a strong, unique password, which you have committed to memory exclusively or which you have at least written down somewhere completely separate from where your backups are kept.
Note that encryption doesn’t just lock files with a password; it also scrambles their meta-information, so someone looking at the files doesn’t know exactly what they are.
COLD WALLETS AND YOUR GO BAG
Cryptoasset exchanges stay secure by having two levels of security: the hot wallet, which handles the smaller percentage of coins that are available for quick withdrawal; and the cold wallet, the coins in which are kept offline, usually airgapped (not connected to any other services), sometimes even on a paper wallet (a printed-out, scannable public/private keypair that can be cashed in to the hot wallet on demand). Your long-term storage wallets should all be cold. Because not all cryptoassets have paper wallet functions, here’s how to create a cold wallet:
- Wipe an old laptop’s hard drive, and without connecting it to the internet, install a fresh instance of your chosen operating system.
- Install your chosen cryptoasset’s wallet from a clean (newly formatted, virus-scanned) USB key. The blockchain won’t download and this is what you want.
- SERIOUSLY DO NOT LET THAT LAPTOP EVER CONNECT TO THE INTERNET.
- Encrypt the wallet using a strong, unique password.
- Backup the wallet for dissemination amongst your backups.
- Note the main wallet address and label it “Cold Storage” or something similar.
- Now, after confirming you’ve backed up the cold storage wallet, close the wallet, delete the wallet.dat file in C:\Users\[your_username]\AppData\Roaming, and reopen the wallet, whereupon it will create a new wallet.dat with a new public/private keypair. Back this wallet up as you did with the first one.
- Create a few extra wallet addresses and save them in an unencrypted text file, if you like: this is your Go Bag.
- Repeat the above processes for each additional cryptoasset for which you wish to create cold storage.
- Once you’re all done creating cold wallets and Go Bags, send all long-term hodl funds to your cold wallet addresses.
Once you’re finished, create an easily-accessible file (cloud storage is fine) with all your Go Bag addresses, associated with the cryptoasset to which they belong. Though these are valid addresses, you will not see them in a block explorer until and unless they are used. Ideally, you will never have to use them… but if you suspect your security has been breached, via exchange hack, trojan, or any other reason, you can empty all your exchange and/or hot wallet funds into these secure, heretofore-secret addresses.
VPNS JUST MAKE SENSE
It’s just general good personal infosec to always use a Virtual Private Network, no matter how you’re connected to the internet. Your ISP can’t track you, or leak or sell your internet information; you can bypass regional barriers and access any content; you can obfuscate your location, creating personal safety via disinformation. And the more your personal information is out there, the more likely it is that it can all be connected back to you in aggregate to create a profile. If that profile gets attached to cryptoassets, you are more likely to be a target for any kind of hack or social engineering attack. So just secure your shit behind a VPN.
There’s an even better reason to use a VPN religiously if you’re a cryptoasset user. You know how hackers will sniff around looking for unsecure networks to attack? Cryptoasset wallet traffic is very easy to identify on a network. It’s small, regular packets which often travel through the same specific ports as configured for each specific wallet. Those ports need to be open in order for your wallet’s daemon to connect and send and receive blockchain information. If you’re behind a VPN, anyone trying to snoop on your network traffic has no idea you’re running blockchains from a wallet node, and thus won’t know to specifically target your network for specific attack by scanning for open ports they know cryptoasset wallets use. Coupled with decent home network security, a VPN won’t necessarily protect you better from an attack on your network, but it will obfuscate your cryptoasset node traffic so you aren’t seen as a more lucrative target than any other network out there.
There’s always a decent deal on VPN subscriptions at https://store.boingboing.net/?rid=2048155, but search for a comparative review before you choose one.
oh look a terrible pun
Lots of Bitcoin-only users choose not to run a full node and process transactions through the network, and as the bitcoin network (and other cryptoasset networks) grows, that’s OK, even a necessity. It takes a lot of resources to run a busy network node, and because you have specific ports and IP addresses that are always open, your node can attract DDoS attacks (distributed denial of service), or even hacks that attempt to exploit your open port.
However, if you want to earn rewards from a cryptoasset that runs Proof of Stake, you will have to run a full, open node for that client. The safest way to do this is to install your node on a separate machine (Raspberry Pi, Intel NUC, or even a server slice) that connects to the internet using a dedicated internet connection (SIM-card internet works!) separate from your main ISP.
A less secure but still acceptable way to stake is to install your staking wallets on different virtual machines within one single physical machine dedicated only for staking.
You are terrible at this. It’s OK, because we’re all pretty bad at this, because passwords are not easy to use. The ones that are easy to remember are easy to guess and hack; the ones that are hard to remember get forgotten, or have to be written down insecurely, and then, what’s the point?
Managing passwords and security is the modern-day example of the adage, “If a bear is chasing you and your friends, you don’t have to outrun the bear, you just have to outrun your slowest friend.” The more you tighten up your own password security, the more likely an attacker will pass you over for an easier target. But still: tighten up your password security, because it’s goddamned terrible, probably.
Get a password manager. Some people can create their own from a personal encrypted database, but for most people, a password manager product is the way to go. Pick one from here:
You will want to create a very unique, very strong, randomly generated master password that you will then carry around on a card for weeks until you’ve got it memorized cold… then burn the card and rely on your brain forever. It has to be unique because if you use it anywhere else then it’s no longer secure, it’s a gateway for an attacker. It has to be strong and randomly generated because there are dictionary and rainbow attacks that can blow right through your “b4s3b4ll” password in 3 seconds; sentences and cutely character-swapped words might as well be “12345” at this point.
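What "strong and randomly generated" means in practice, as an added example that is not part of the original post: a generator built on Python's secrets module, plus a check that undoes character swaps to show why "b4s3b4ll" is still a dictionary word. The word list and swap table are small constructed samples.

```python
import math
import secrets
import string

# 94 printable ASCII symbols: letters, digits and punctuation.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed mini word list; a real checker would load a large dictionary.
COMMON_WORDS = {"baseball", "password", "dragon", "letmein", "bitcoin"}

# Common character swaps, undone before the dictionary lookup.
UNSWAP = str.maketrans({
    "4": "a", "@": "a", "3": "e", "0": "o", "1": "l",
    "!": "i", "5": "s", "$": "s", "7": "t",
})


def generate_password(length=20):
    """Draw every character independently from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def random_entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def dictionary_root(password):
    """Return the listed word a password reduces to, or None.

    Tries the password as typed and with trailing digits removed, undoing
    character swaps each time. A password that reduces to a listed word
    falls to a dictionary attack that applies the same swaps.
    """
    lowered = password.lower()
    for candidate in (lowered, lowered.rstrip(string.digits)):
        word = candidate.translate(UNSWAP)
        if word in COMMON_WORDS:
            return word
    return None


if __name__ == "__main__":
    for sample in ("b4s3b4ll", "P@ssw0rd2017", generate_password()):
        root = dictionary_root(sample)
        verdict = f"reduces to '{root}'" if root else "no dictionary root"
        print(f"{sample!r:26} {verdict}")
    print(f"20 random characters: {random_entropy_bits(20):.1f} bits")
```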
I’m a very big fan of Lastpass (https://www.lastpass.com/) as they have built-in features that scoop all your passwords out of your browser, obliterate any insecure or duplicate passwords, create strong, unique, random, encrypted new ones, then save them forever behind your master password. They do all the hard security work for you.
Passwords still suck on their own, even after all that. Your master password can be compromised, or bypassed during a social engineering attack. An attacker will social-engineer an attack by getting some personal info about you, then repeatedly calling services you use until they reach a bored, underpaid telesupporter who divulges a little more or succumbs to pressure and lets them bypass your security measures and access your account. The most common attack point is a phone number: once a social-engineering attacker gets access to your phone provider’s settings, it’s game over, especially if you’ve connected your phone number as a backup verification method to ANY service: your email, your bank account, anything. SO, RIGHT NOW, DISCONNECT YOUR PHONE NUMBER FROM GMAIL, FROM FACEBOOK, FROM LITERALLY EVERYTHING IT’S ATTACHED TO. I even use a second number, that nobody has ever called and nobody but my provider knows about, to secure services that force me to use it.
The concept behind using something as a second factor to authorize you is sound, though. (Just that factor being a phone number protected by a minimum wage call centre employee is what’s terrible.) You’re probably already familiar with this if you trade cryptoassets on Poloniex or Bittrex and have set up Google Auth or Authy. These are the two most popular methods of software-based 2FA/MFA (Two/Multi Factor Authentication), based on a TOTP protocol. There’s a public/private keypair check-in where your app issues a Temporary One Time Password that expires every 20 seconds. Even if an attacker could intercept one of these passwords, it would expire forever in at maximum 20 seconds.
More secure than software-based 2FA is hardware-based 2FA. Lots of corporate security structures employ this but it’s excellent security practice to use it yourself. You can even protect your password manager with a 2FA key, which has to be plugged into your USB port and touched in order to move you through to full access. I love Yubico’s Yubikey (https://www.yubico.com/), but plenty of cryptoasset users prefer the Trezor (https://trezor.io/), which doubles as a hardware wallet for several popular cryptoassets and their subtokens, and requires you to enter a PIN from a scrambled keypad. Your only challenge is to not lose your keys and to manage its physical security… because again, a savvy attacker could see its unique shape on your keychain and know you have cryptoassets making you a worthy target. There are other hardware wallets out there, but the Trezor is the most versatile at time of writing.
and plus it's vaguely spermlike for a few laughs
4. RUN YOUR FINANCES LIKE THE QUIETLY WEALTHY.
In the cryptoasset wealth paradigm, where only you are responsible for securing your assets, bling is your enemy! You are the only one protecting your assets, and an easy way to protect them is to form good habits around not letting everyone know they exist-- regular people AND people who would want to steal them (because you can’t tell which is which until it’s too late!).
This advice to be quietly wealthy might be the most difficult to put into practice, being as we are in the age of social media, aspirational signalling, and massaging the storyline by filtering others’ perception of us to be HAVING THE BEST TIME EVER, ALWAYS. However, discretion with your cryptoassets is sacred, and they should not be a part of this. A favourite anecdote of mine is that of an old NYSE trader buddy who had a fantastic week on the markets and decided he’d fly to Rio de Janeiro for a weekend to celebrate by throwing some money around. He packed a bag with his best baller clothes, stuffed his pockets with Reals, and got on the plane. As soon as he walked out of his hotel he was overjoyed to have two gorgeous Brazilian ladies latch on to him. He asked them where the party was, and they giggled and led him down the street to where their accomplices mugged him and took everything he had. Contrast his experience with that of my videographer brother, who would wander all over Rio for months, even in the favelas shooting a documentary, and who never got hassled because he kept his expensive camera in a ratty plastic grocery store bag.
Act more like my brother and less like a young dumb trader with more money than is sensible. I’m not saying you have to distress a plastic grocery store bag until it’s sufficiently ratty to carry with you at all times and fend off muggers with your homelessness aura. But there is a plethora of small ways you can conduct yourself in public and on social media, so that nobody is ever sure you’re a worthwhile target. Together they form another menu, from which you can again order one of everything and make your hacker date forehead-slap even louder. This menu is, in most cases, just good common sense specifically tuned to cryptoassets. But I’m betting I’m not the only one who’s lacked good common sense at times.
When prices of cryptoassets are hitting all-time moon highs, and everyone to whom you’ve ever talked starts coming out of the woodwork to ask you about your hobby you mentioned in passing a year ago, it’s time to think seriously about what you disclose and to whom. Banks have serious privacy protocols, where tellers don’t just blab out THANK YOU FOR YOUR WITHDRAWAL OF EIGHTEEN THOUSAND DOLLARS CASH SIR I BID YOU GOOD DAY in the middle of a crowded lobby. As your own bank, you need to be at least thoughtful, and at best discreet, about what you tell people. As a passionate cryptoasset hobbyist who might want to onboard friends and share good fortune with loved ones, your human feelings will clash with your stone cold corporate bank discretion. This is just finance in the age of cryptoasset wealth. Get used to it!
WHO YOU TELL, WHAT YOU TELL THEM
You hear anecdotes all the time of lottery winners who hit it big and suddenly they have a dozen best friends fallen on hard times, or exes with rekindled interest, or needy cousins, or whatever, coming out of the woodwork. Lottery winners are forced to disclose that they won, take a picture with a big cheque, have their names and pictures published… you, fortunately, are not compelled to disclose how many bitcoins you have (or shares of AAPL/GOOG, or anything else). I’m not lottery-winner rich, neither are you probably, but if some of those wild projections out there come true, we may get closer to that point, and past casual brags may come back to haunt you. That public tweet of “I just earned my first full bitcoin!” might be a target on your back years later if a bitcoin is worth $100,000 US dollars...
I’ve learned from collaborating with some of the greatest cryptoasset traders in the English-speaking world a wonderful rule of thumb: we don’t talk about size. This is a way to talk about trades in terms of percentage gains and losses, without quantifying anything and turning it into an inadvertent contest. It lets smaller capitalized traders bask in well-earned pride, and larger capitalized traders stay out of the spotlight when they don’t wish to be in it. To this day I am not entirely sure who’s filthy rich and who’s just a happy hobbyist, nor do I need to know. Though the urge to brag can be strong, you can conduct yourself with similar humility and discretion when asked.
Let casual askers know it’s your hobby and you’re passionate about it, but prepare some canned answers if someone gets too curious. The “it’s not real money, it’s hard to spend anywhere” deferral is all but a falsehood at this point, but it’s easy for nosy acquaintances to be brushed off with a humble admission that it’s only a hobby and you play with dust. Depending on the strength and quality of your closer relationships, if you ever do amass significant wealth, that’s another matter, well within the boundaries of common decency, humility, and acute awareness of your own privacy. If you happen to be the type that can handle the attention, fame, and everything else that comes with being filthy rich, then by all means, throw caution to the wind and have at it!
urrghhh boughta shurtloadda bitcoin todayyygggh
Anonymity is a useful tool for protecting your real-world identity, and it’s not only a cover for maliciousness as many might think. If you protect yourself using an anonymous handle, do it all the way: don’t talk about cryptoassets on your social media associated with your firstname.lastname@example.org account, and be extremely selective when giving out personal background information on your aliased account.
WRAP IT UP
Thank you for reading this far and for sharing my passion for bitcoin, shitcoins, cryptocurrency, cryptoassets, tokens, and everything to come. Follow me on Twitter: @notsofast for more of this stuff.