
Want to know how I detect suspicious activity in my password manager? I have a plaintext bitcoin private key in my password manager as a note. The name is 'bitcoin wallet'. It contains 0.5 BTC. If my password manager ever gets compromised, I can reasonably expect the bitcoins to be moved from that wallet address.

I then have a BTC node that will send me an SMS if those coins ever move.




> 0.5 BTC

That's one expensive alert.


The passwords in my manager could potentially cause more financial harm than 0.5 BTC going missing. Everyone has their own price for security. I've also not moved those BTC since 2014 so the price has appreciated considerably.


High value passwords don't mean you need a 0.5 BTC alerting method, though?

You just went from "significant financial harm" to "significant financial harm, and 0.5 BTC".


The idea is anyone who compromised my password manager would likely go for the wallet first since it's as good as cold hard cash. Using the private keys and other secrets stored in my manager would take much more time for an attacker to extract meaningful value.

I would expect the BTC to be moved first and foremost which would hopefully give me enough time to mitigate any other damage that could be caused by the content of my password manager being exposed.


I think they would be more likely to copy all of the data first, in an effort to avoid detection methods like this, then make their move compromising everything in near parallel. At least that is how I would do it.


Would the average attacker, though?

It's a question about not touching an easy $15k, in exchange for a chance at a bigger score.

I'd assume most attackers wouldn't be able to resist securing the low hanging fruit first.

And even if there's a parallel move, it's even less likely they would leverage everything but the $15k, so OP would still receive a realtime indicator of compromise.

From a game theory perspective, it's a pretty compelling trap for OP to get what they want.


What is “the average attacker”? If someone is compromising your entire password manager then that’s far from average and sophisticated.

If OP is part of a bigger breach, those data dumps will almost certainly get analyzed automatically and multiple wallets swept at once. Passwords to interesting stuff likely aggregated and then tried. It’s not some script kiddie that browses through the vault one by one.


But OP's point is which will happen first in a breach?

(a) Trivially accessible Bitcoin is stolen or (b) passwords are used to ferret items/info of value out of additional individual sites

For OP's plan to fail, someone has to leave $15k laying on the table, in plain sight and for the taking, while they plan their subsequent moves. Which is why the amount matters.


Speaking of game theory, there is probably a much lower number that achieves the same goal, though.

Your average attacker might be equally motivated to go for $20k, or $10k, or $5k. $1k, maybe not. $100, probably not. $1, almost certainly not.

There's an interesting game to play in minimizing the cost at no hit to efficiency.


I don't play the minimization game. In 2014 when I started this strategy 0.5 BTC was like 100 bucks. Now that it's 15,000 bucks doesn't make a damn bit of difference. If they spent the time to figure out what the rest of the credentials were worth and exploited them to the maximum extent, they'd walk away a multi-millionaire. However.... 15k in a plaintext wallet is an easy score and I argue that the vast majority of people who could compromise my password manager would take that in a heartbeat.


I personally agree with your thinking.

An intruder will rifle through the top drawers and go for the obvious stuff and let's face it half a BTC is a bit of a shiner. You seem to be able to afford to lose it, given that its loss will trigger the shutters coming down and hopefully allow you to secure the rest of your stuff.

I get that and hopefully that is close to the last resort in your defence in depth approach to security.


You could get the exact same alerting benefit with 1/10 the Bitcoin, or less.

There is no tax penalty for moving bitcoin. You should definitely move most of this elsewhere.


The point is that there are far cheaper canaries to keep in your coalmine.


More succinctly, this is plain dumb. And especially to tell people about it in public.


No it really isn't dumb at all. It's the basis of a "honeypot".

Museums and galleries etc put their wares on show in public - can you be sure that what is shown is what you think it is or secured as you think it is?

Please don't describe anyone as dumb - it's as demeaning to you as it is to anyone else.


I don't think it needs to be 15k in value to entice someone to steal it. You could also get compromised by someone who doesn't know anything about btc or misses that note and you would not know.


It sounds like you should be using 2FA with a hardware security token rather than setting up a honey pot that may or may not be triggered.


Sounds like a great idea for a service that manages this automatically for users (but using a more reasonable amount of BTC, like 0.01 BTC or ~$300 worth-- it has to be enough to be worth stealing I suppose!). Then it would automatically do the monitoring of that address and send the user the alert that they should change all their passwords when the coins move. If it happens to just that one account, then it's likely the user's account was hacked. If it happens to a bunch of accounts at the same time, it's more likely that the password manager service was hacked. Like a canary with a bounty attached to it.
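The monitoring and "one account vs. many accounts" logic described above, as an added example that is not code from this thread or from any real service: it scans constructed transaction records (a simplified stand-in for decoded transactions from a node, with input addresses already resolved) for spends from watched canary addresses, then decides whether the trips look like an isolated user compromise or a provider-wide breach. The watched addresses, user names and transaction data are all constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Trip:
    user: str       # account whose canary wallet was spent
    address: str    # the canary address that was spent
    txid: str       # transaction that moved the coins
    seen_at: int    # unix seconds when the spend was first observed


def find_canary_spends(txs, watched):
    """txs: constructed records {"txid", "seen_at", "inputs": [address, ...]}
    (inputs are the addresses being spent; a real node would resolve these
    from each input's previous output). watched: {address: user}.
    Returns one Trip per canary input that is being spent."""
    trips = []
    for tx in txs:
        for addr in tx["inputs"]:
            user = watched.get(addr)
            if user is not None:
                trips.append(Trip(user, addr, tx["txid"], tx["seen_at"]))
    return trips


def classify_trips(trips, window=3600, min_users=3):
    """Sliding-window correlation: a trip that shares a window with at least
    min_users distinct users is treated as part of a provider breach (many
    vaults swept together); a trip with no such neighbours is an isolated
    compromise of that one account. Returns sorted user lists for each."""
    ordered = sorted(trips, key=lambda t: t.seen_at)
    breach_users = set()
    for t in ordered:
        users = {u.user for u in ordered
                 if t.seen_at <= u.seen_at < t.seen_at + window}
        if len(users) >= min_users:
            breach_users |= users
    isolated = sorted({t.user for t in ordered} - breach_users)
    return {"provider_breach": sorted(breach_users), "user_compromise": isolated}


# Constructed sample: alice trips alone; bob, carol and dave trip within minutes.
WATCHED = {"bc1canary_alice": "alice", "bc1canary_bob": "bob",
           "bc1canary_carol": "carol", "bc1canary_dave": "dave"}
SAMPLE_TXS = [
    {"txid": "tx1", "seen_at": 1000, "inputs": ["bc1canary_alice"]},
    {"txid": "tx2", "seen_at": 50000, "inputs": ["bc1canary_bob", "bc1unrelated"]},
    {"txid": "tx3", "seen_at": 50100, "inputs": ["bc1canary_carol"]},
    {"txid": "tx4", "seen_at": 50500, "inputs": ["bc1canary_dave"]},
    {"txid": "tx5", "seen_at": 60000, "inputs": ["bc1unrelated2"]},
]

if __name__ == "__main__":
    print(classify_trips(find_canary_spends(SAMPLE_TXS, WATCHED)))
```

On the sample data alice is reported as a single-account compromise while bob, carol and dave are grouped as a provider breach; the window and user threshold are tunable assumptions.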


Just spitballing on the idea of this being a service- Wonder if it would work for the canary-creator to also have a bot that watches the btc mempool, and if it sees the .5 btc from this address being spent, it front-runs it with a transaction that has a much higher transaction fee and directs the funds to a new safe wallet. Probably some risk of the bot failing to front-run, but otherwise it would have all the benefits of a $15k canary without the downside of losing all of the money.


Interesting idea. Would also be cool to try to trace back the IP of the first node that announced the transaction to the network so you could try to figure out who the thief is (assuming they aren't using a VPN).


This exact service exists, and has been featured on HN at least once!


I just have a canarytokens credit card stored in it, if anyone tries to auth it I get an alert


That looks like a great approach indeed. https://www.canarytokens.org/generate


a cheaper way would be to have a highly valuable token in the address without any of the chain’s native asset to pay for moving it

then just alert yourself when the native asset is moved to that address, because then someone is trying to sweep. your node can also send some of the same asset faster at a higher transaction fee and move all of your tokens somewhere safe

people already do this

mostly as a scam to take the tiny amount of funds that thieves send to try to move the more lucrative bounty

you can take this one step further and have many assets worth sweeping, including assets that merely look like lucrative tokens. one of those is backdoored so that the transfer() function is nonstandard and transfers all the assets out of the attacker's address when they try to move yours. or you can at least get just your own assets back if you want to be morally superior, moved to a safe address. this won't work if they don't take your backdoored token though. but all other parts about intercepting your assets before accepted into a block still would.


would be just as effective with .05 btc


Debatable - the objective is to play on an attacker's greed and convince them to go for the BTC before any other credentials. Too low of an amount and the other credentials in there might start to look more interesting.


Unless you're being specifically targeted because you're a high up position (ex. CEO) I'd imagine .05 BTC is plenty to attract the attention.


yeah, that is a lot of money in a developing country


That's a lot of money in any country.


$150 is barely enough to buy a piece of furniture here. Usually you'd be paying over 10 times that just to rent a small apartment. Not a lot of money.


0.05 BTC is $1500 not $150


what's your plan if you receive that SMS?


Change the password to the account that has 5 BTC?


I don’t know if you thought about this but the first thing a hacker would do after gaining access to your 1password vault is export all data.

Why not fill the vault with canary accounts and tokens instead? There are services that do it for you.


That sounds like an expensive notification system.


Is that a $15k circuit breaker?


Yeah, I like to leave my Rolex Rose Gold GMT out on my nightstand when service people are working in the house to detect suspicious activity in my household. :/

Sorry man, I dunno if this is a weird flex or what, but it's kind of ridiculous to leave $15K of bitcoin as a canary for your password manager. Gotta call a spade a spade.


It all depends on how costly the fallout from a compromised password manager would be - 15k can be totally reasonable insurance policy if the other credentials in there could give them access to multiples of that?


Why do 15 when $100, $250, or $1k would do the same trick?


> Yeah, I like to leave my Rolex Rose Gold GMT out on my nightstand when service people are working in the house to detect suspicious activity in my household. :/

I don't think that is a bad idea. It can be a cheaper one or a replica. The idea is it's a small price to pay when being deceived costs far more.


I think he is being sarcastic. Emphasis on the “I think” part.


Assuming the bitcoin is held as an ‘investment’ anyway, is it really that much worse for it to held on a password manager as opposed to an exchange?


Isn't that potentially a $15k detection method?


That needs to be weighed against the likelihood of a compromise (probably low), and the cost of such a compromise (probably quite a bit higher than $15k).


More like $8k net after taxes, anyways.


Doesn't the US have a tax free allowance for capital gains? In the UK for example you get a 15k allowance annually.


US military is quite impressive.


One should always use caution when using password managers with anything crypto related.



