Protecting the honey pot: Interview with creator of Bitcoin Vigil

Tuesday 29 April 2014

With security a paramount concern for many people holding or considering holding bitcoins, BitScan’s Jeran Campanella sits down and talks with Eric Springer the creator behind Bitcoin Vigil.

Bitcoin Vigil interview by BitScan

JC: Hello Eric, thanks for meeting with us and giving us a chance to ask about BitcoinVigil. Tell us first, a bit about your background.

ES: Thanks so much for having me. My name is Eric, and I'm a software developer. I was born in Canada and raised in Australia. I worked at a few big software companies, most recently at Amazon and I realized that's not what I want to be doing with my life. So, I packed up my stuff, and moved to Guadalajara, Mexico, where I found a home inside of Agave Lab.

JC: Very cool. So, at what point did you become a fan of bitcoin?

ES: I've been interested in crypto since I was a teenager. I remember when I was 15 years old my mind was completely blown by the Diffie–Hellman key exchange. While at university, I wrote a p2p encrypted chat client, and now I'm back to working on things I really care about. Bitcoin Vigil was written by me and two other programmers at Agave Lab – Omar and Ruben.

JC: Okay, tell me about Bitcoin Vigil and how it can help me keep bitcoin safe.

ES: It's really quite a simple concept. To safely use bitcoins on a device, it's essential that the device is not infected with bitcoin stealing malware. A huge and common misconception is that if you use an online wallet, or have two factor authentication, then you’re safe, but if your computer is compromised, that's just not true. So what better way to detect bitcoin stealing malware, than putting some bitcoins on the computer and see if it gets stolen?

JC: So, I sign-up at your site, and then what?

ES: We walk you through creating a file, or a “Money Pot”, and you place a small amount of sacrificial money, normally around $5-$10 there and leave it on your computer. It is really an unencrypted wallet file. This file functions as an early warning for a compromised system. Malware in general loves nothing more than stealing this easy money, and when they do, we instantly notify you so you can take immediate action.

JC: What sort of action? My $5 would be gone then right?

ES: True, but more importantly you would then know your system was compromised and you would know not use that device to enter sensitive information like decrypt anything or enter any passwords. Who knows, the next thing you might have done on your compromised system would be to open a wallet file from a USB, exposing the entire content to Malware.

JC: And you said I would be notified instantly… So how long after a scammer or malware program attacks my precious bitcoins will I get notified and in what ways?

ES: The entire process is normally under 10 seconds. We only support email and SMS currently. Typically it takes about 2 or 3 seconds for the transaction to propagate to one of our 2 bitcoind nodes. Add another 1 second, and it's dispatched an email (via amazon SES) and an SMS (via twilio). The email system definitely seems a lot more reliable, as we’ve noticed some texts getting dropped or in some cases they have taken a little while and that’s something unfortunately beyond our control.

JC: I signed up for the service and it seems very simple but I also noticed there was a spot to enter my personal addresses. Will you monitor any of my addresses?

ES: Yup. We think this is an extremely important feature as it allows people to generate their own money pots which is something I am going to try and encourage more.

JC: Would I have use for your service if I owned no bitcoin?

ES: Absolutely, I think Bitcoin Vigil is a handy tool on anyone’s computer as it detects malware that steals bitcoins but I'm not familiar with any malware that exclusively steals bitcoins. So in general it's just a really good way to detect malware in general.

Of course, there are a lot of people who don't care if they have malware

but there's also a big class of people who use their computer for sensitive things such as banking

and it's a cheap price to sacrifice $5 or $10 to know the moment your computer is infected.

JC: Okay the big question... the cost?

ES: Totally free! The only amount out of your pocket twill be however much you want to set as a trap and we recommend baiting with around 0.02 bitcoins.

JC: Free? Wow. How are you able to offer that?

ES: The business model we're really going for here is a freemium one. However, instead of waiting until both the free and premium features were ready, we released with only the free features. That has worked out extremely well, and we've had heaps of useful feedback, talked to security researchers, and been able to help people with infected computers. It's really helped guide the direction we're going in right now.

JC: So, I sent my $5 in bitcoin to your generated address, and you gave me an unencrypted wallet file. I placed that file in my documents folder on my desktop and I’m all set right?

ES: Yes, that’s correct. Now you just do as you normally do and if by chance you get infected with a virus or some Malware, when that carrot is taken and the wallet emptied, we will notify you.

JC: Okay, so, I may lose my $5 when I’m notified but I would then know that something or someone is on my computer. So, then I could clean the infection or restore my computer to a factory state before I enter another password or plug in my USB stick that has my bitcoin wallets?

ES: Exactly! You would know your system was compromised. Without the service, you would not lose the $5 wallet, but maybe the next time you opened your USB wallets, instead of the $5 that disappeared, it could be the 5 btc or what you have on the USB stick. So, I think the $5 is worth it.

JC: Well thanks Eric. It is very nice of you to offer the free service and I think it is a useful tool that can help both bitcoin users and non-bitcoin users to be proactive and hopefully protect us from a larger loss. Is there anything else in the bitcoin world that you are excited about or have been watching?

ES: In the bitcoin world, I'm really excited about hardware wallets.

I've seen how hard it is to keep your computer safe,

how impossible it is to detect every infection,

yet how crucial it is to not have any malware.

Offline wallets are great, but one truly needs to be an expert to be able to use them from none-trusted devices. I feel like hardware wallets are a crucial step before mass adoption – as without one, I don't feel like I can recommend my non-technical friends and family to play with large amounts of money in the bitcoin space.

JC: Well thanks so much, Eric. I think some services like yours are helping people to be safe and going forward people need to start thinking from a security standpoint as cyber criminals will continue to get smarter and their hack tools will get better. With secure passwords, your next biggest threat is any kind of malware or virus looking for private keys and with BitcoinVigil, I think I feel a bit safer knowing my system is not compromised if no one has taken from my Money Pot.

BitcoinVigil is available at bitcoinvigil.com and remember you can even add your own addresses to the site and it will help you keep an eye on those as well.

As Always ….BE ALERT, BE ACCURATE, BE AWARE.


comments powered by Disqus