# Gavin Andresen
# 2011-03-29 16:05:25
# https://bitcointalk.org/index.php?topic=4983.msg74911#msg74911

@s{quotedtext}
@s{quotedtext}
 @p{brk}
I think that's the right way to think about it.  And I think Jeff actually implementing a straw-man proposal is exactly the right thing to do. @p{par}

So:  I say we don't try to defend against (3), at least not right now.  If you have root then you can install a keylogger, read memory, intercept any system call, etc etc etc.   (I would like to see somebody implement a bitcoin client that required payment verification using a cell phone app or telephone call or PIN-sent-to-email and did all the magic key management to make that work securely, but I think that's beyond the scope of what we can reasonably do right now). @p{par}

Defending against (1) and (2) would help with: @p{par}

a) you forget to logout so attacker sits down at your computer, starts bitcoin and empties your wallet. @p{brk}
b) attacker gets a hold of a filesystem backup that is not encrypted. @p{brk}
c) sysadmin sets file permissions incorrectly so attacker on multi-user system can read your wallet.dat @p{brk}
d) attacker guesses or finds out your ssh password, logs in remotely and steals your wallet.dat. @p{par}

It won't help with: @p{brk}
- sysadmin with root privileges is evil @p{brk}
- system compromised by rootkit/trojan/keylogger @p{par}

 @p{brk}
RE: encrypt everything:  I say maybe later.  Just encrypt everything isn't trivial: users would have to wait a minute or two or ten for Berkeley DB to rewrite all of blkindex.dat (bottleneck will be disk I/O, not the encryption), and we have to deal with "my disk filled up when I changed my password, things are half-encrypted and half-not, what do I do now?"   And I don't see a lot of value in encrypting all of wallet.dat; forget to shutdown bitcoin and an attacker that wants to know your public addresses can just open up the address book and take a screenshot.