
Would be interesting to know how his BTC were stolen. Because he is a BTC core developer, I believe he followed the best practices, like not writing down his password. So infection or keylogger?


I am not a security person, but I can't help but wonder where the advice of not writing things down comes from? I think my wife's password book on her desk is a lot safer than most computer experts.


That advice mostly originates from security folks working in workplace environments, where passwords that are written down may be visible to people who are threat vectors.


Password books are basically physical password managers. The only problem I have with them is that the passwords in most password books I've seen aren't very creative or random. As long as you write down randomly generated passwords instead of permutations of the names of your kids/pets/parents, I don't know what people are panicking about.

The perfect password book is combined with a word you remember but don't write down as a pepper, but I doubt it's much of a problem in practice; it takes one leak of an unhashed password to break the code.

I think for many the risk of someone breaking in and stealing your password book is much smaller than the risk of a centralised password manager getting hacked (LastPass and friends).


My fear with a password book (wife has one, different than OP) is it getting lost or destroyed.


I worry about this more with things like hardware keys / flash storage.


Say your wife is a well known Bitcoin billionaire.

And your wife bought something from my eBay store. Now I have your home address.

And if I am a ruthless character then I quietly break into your house one day with the objective of leaving no sign I was ever there. Search for written down passwords, take a photo, leave.


Okay, so assuming you get past this theoretical billionaire's physical security (at a minimum gated fences and an alarm system; if they're actually a billionaire, probably 24/7 armed private security as well) and into their mansion, how long do you think it would take you to search their 7-bedroom, 10,000-square-foot mansion for these written down passwords, which you have no information as to whether they even exist?


If you're going to rob a billionaire, you're probably not doing it cartoon style.

You'd find a legit way into the house.


You get Tom Cruise to do the job of course.


Ahahaha


You get hired as a cleaner


So the "Live, Laugh, Love" sticker on the kitchen wall isn't safe? /s


Hilarious


Why make it so complex? Just do a title search online and you’ll get access to their address if they own a home.


Unless they own it in a trust.


Of course it's obvious there are many ways to get someone's address.

The point is that companies put vast effort into digital security but in many cases it's easily compromised by going to the home of the person that is the hacking target.


If they schlep to your house and successfully break in they might as well tie you up and beat the password and whatever info they need out of you.

Especially if your parents accidentally left you home alone.


Someone kept theirs in their wallet, and their passphrase showed up on a publicly released police body cam the other day when their insurance was checked or something.


I think it’s reasonable advice for most people. The alternative is usually having a simpler password which is worse if your threat model is ‘hashed password shows up in big breach’. If your threat model is ‘someone turns up to your house to get your password’ your worry should not be theft of the paper.


The biggest threat with this scheme is you. After that your kids, your house keeper, your friends and visitors.


It comes from the threat model: having a password book on your desk in a cubicle is absolutely not secure.

On a desk at home? It is marginal; certainly a burglary is a low-frequency event, but we also have events like fire that make it insecure in other ways.


Storing most of his bitcoin in a single hot wallet seems to go against the best practices, no?


He said it was not most of his bitcoins.

https://twitter.com/LukeDashjr/status/1609618498027753472

EDIT: Right, maybe it's all


First he said "at least many of my bitcoins stolen" and then followed up with "Nevermind many. It's basically all gone"

Which implies that it is indeed most of his bitcoins.



irreversible transactions are a feature!


What is a hot wallet, btw?


This is my personal view on the topic. I don't claim it strictly matches any "official" definition.

A "hot" wallet is a type of wallet that's typically stored in the internal storage of a network-connected device, such as your personal computer or your smartphone. This is a riskier way of storing funds because they can be exfiltrated by malware. You would typically use a hot wallet for day-to-day transactions.

A "cold" wallet is a type of wallet where private keys to control the funds are never in contact with a network-connected device. They're typically stored in the form of recovery phrases written on paper or metal (in a secure location), or some kind of a smart card that securely stores private keys and exposes an interface to sign individual transactions (e.g. Ledger devices). Funds stored in a cold wallet are much harder to access, but are extremely (or completely) resistant to theft, short of physical access.

In crypto a "hot" wallet should be treated as cash, while a "cold" wallet is more like a savings account.


I don't know if it has a concrete definition but I generally say it to mean a crypto wallet that is directly or indirectly exposed to the internet.

It's possible to create a bitcoin wallet completely offline in a secure environment. The details to the wallet are then stored physically in a secure location/medium. This is called a cold wallet. People typically use a cold wallet for long-term storage of coins.
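The two replies above describe the same split: the spending key is generated and used only on an offline device, and the network-connected machine only ever sees the public key and already-signed transactions. The following is an added example, not code from this thread or from Bitcoin Core, that models that split end to end. It implements ECDSA over secp256k1 (the curve Bitcoin uses) with only the Python standard library, and it assumes a simplified transaction represented as a dict with a placeholder recipient address rather than Bitcoin's real serialization; the class names `OfflineSigner` and `OnlineNode` are hypothetical.

```python
# Added example (not from the thread): a minimal model of the "cold wallet"
# split. The private key lives only on an OfflineSigner object that stands in
# for an air-gapped device; the OnlineNode object (the network-connected
# machine) only holds the public key and the signed transaction. secp256k1
# ECDSA is implemented from scratch so this runs with the standard library
# alone; a real wallet would use an audited library and Bitcoin's actual
# transaction format. The tx dict and address below are constructed samples.
import hashlib
import json
import secrets

# secp256k1 domain parameters (the curve Bitcoin uses)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(a, b):
    """Affine point addition; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None  # a == -b
    if a == b:
        lam = (3 * a[0] * a[0]) * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    y = (lam * (a[0] - x) - a[1]) % P
    return (x, y)


def scalar_mult(k, point=G):
    """Double-and-add scalar multiplication k * point."""
    result = None
    addend = point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def on_curve(point):
    """Check y^2 = x^3 + 7 over the field."""
    x, y = point
    return (y * y - x * x * x - 7) % P == 0


def tx_digest(tx):
    """Canonical SHA-256 hash of the simplified transaction dict, as an int."""
    data = json.dumps(tx, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


class OfflineSigner:
    """Stands in for the air-gapped device: the only holder of the private key."""

    def __init__(self, private_key=None):
        self._d = private_key or (secrets.randbelow(N - 1) + 1)
        self.public_key = scalar_mult(self._d)  # the only thing exported

    def sign(self, tx):
        """ECDSA signature (r, s) over the transaction digest."""
        z = tx_digest(tx)
        while True:
            k = secrets.randbelow(N - 1) + 1  # fresh per-signature nonce
            r = scalar_mult(k)[0] % N
            s = pow(k, -1, N) * (z + r * self._d) % N
            if r and s:
                return (r, s)


class OnlineNode:
    """Stands in for the network-connected machine: public key only, cannot sign."""

    def __init__(self, public_key):
        self.public_key = public_key

    def verify(self, tx, signature):
        r, s = signature
        if not (0 < r < N and 0 < s < N):
            return False
        z = tx_digest(tx)
        w = pow(s, -1, N)
        point = point_add(scalar_mult(z * w % N),
                          scalar_mult(r * w % N, self.public_key))
        return point is not None and point[0] % N == r


def cold_signing_round_trip(amount=1.5):
    """Build an unsigned tx online, sign it offline, verify the signed tx online.

    Returns (original verifies, tampered copy verifies, online node holds a key).
    """
    signer = OfflineSigner()
    node = OnlineNode(signer.public_key)
    tx = {"to": "recipient-address-placeholder", "amount": amount, "nonce": 1}
    signature = signer.sign(tx)          # happens on the offline side
    tampered = dict(tx, amount=amount * 100)
    return (node.verify(tx, signature),
            node.verify(tampered, signature),
            hasattr(node, "_d"))
```

The property worth noticing is the last value returned by `cold_signing_round_trip`: the online side never has a `_d` attribute, so malware on that host gets the public key and a signed transaction for one specific payment, not the ability to spend. Any change to the transaction after signing (the `tampered` copy) fails verification, which is what lets the online machine safely relay what the offline device produced.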


He should have been using a hardware wallet.

And the bulk of it should be on a paper wallet, in the vault of a bank or another real-world institution. The hardware used to generate this key should be wiped out. So if he followed best practices, he didn't lose this money.

Edit: just found out that the BTC was stolen from a dedicated server on ColoCrossing. This makes no freaking sense. No server connected to the internet should have access to the keys to your BTC (or access to any keys that could be used to later on grab cryptocurrency keys). Hot wallets should be hardware wallets, cold wallets should be acid-free paper.


Yes, he likely made a fundamental rookie error. Large sums should be stored completely offline.


How on earth are normal people supposed to trust Bitcoin, when best practice is to treat it like paper money?


Technically, it's more like "treat it like any non-fungible asset".

Plenty of "normal people" use combinations of physical security to protect their assets. Safes, deposit boxes, tamper-proof materials etc.


What... paper money and gold bars are non-fungible now?


As others have said, he for whatever reason had a completely lazy setup for someone who develops for Bitcoin Core. He doesn't even use a hardware wallet or use a separate computer for his BTC bag or other sensitive data.


If BTC is $1/coin, it is fine to not be paranoid. $16,000+ changes the game completely.


That's not how it works at all. "Bitcoin" is just a unit of measure, except for the brief moment of mining a new one. Would you be less paranoid if your savings were denominated in pennies vs dollars?


Writing down a password does nothing when there is a digital copy too and your computer is compromised.



