As far as I am informed, Sunday’s attacks on silver Casascius Coins left behind evidence of tampering and were not ruled a successful defeat.
That said, they only had one coin and one chance. It’s entirely possible that, given multiple chances, they’ll succeed, and I intend to give them more chances. This, of course, was true from the beginning: physical security is a cat and mouse game that always favors the hacker. Just look at this year’s DefCon course lineup: a session on how to de-cap silicon chips, presumably made by companies with a decent budget to throw at physical security. It’s prudent to acknowledge from the beginning that any physical security contraption is going to be vulnerable; it’s just a matter of at what cost.
(That said… I really did generate the private keys with a good random number generator, completely offline, and really trashed all copies of them not needed for coin production, so the set of private keys at large isn’t going to be at risk, period, even if someone kicks my door down and digs through everything I own. More recent batches of private keys are done on machines with full disk encryption, adding another layer.)
As was to be expected, I received the following in an e-mail:
Is there any way of letting my potential customers know that I am the only other person to have touched this coin and it has come directly from you? Ideally a list of the coins I have purchased from you?
Since the same thing will be on many people’s minds, I’d be pleased to answer yes. I am willing to offer a PGP-signed acknowledgment that I sold particular coins to a particular buyer on or about a particular day.
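The acknowledgment described above amounts to a signed provenance statement: a list of coin identifiers, the buyer, and the date, signed with the seller's key so that the buyer's own customers can check it against the seller's public key and detect any alteration. The following is an added illustration, not code from the original post or from Casascius; it uses Go's standard-library Ed25519 as a stand-in for PGP (so it runs without gpg installed), and the seller, buyer, date and coin identifiers in it are constructed placeholders.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"sort"
	"strings"
)

// Acknowledgment is the constructed provenance statement: which coins the
// seller states were sold to which buyer on or about which date.
type Acknowledgment struct {
	Seller string
	Buyer  string
	Date   string
	Coins  []string // coin identifiers, e.g. the public addresses printed on the coins
}

// Canonical renders the statement as one deterministic byte string so that
// signer and verifier sign/verify exactly the same text. The coin list is
// sorted so that list order does not change the signature.
func (a Acknowledgment) Canonical() []byte {
	coins := append([]string(nil), a.Coins...)
	sort.Strings(coins)
	return []byte(fmt.Sprintf("seller=%s\nbuyer=%s\ndate=%s\ncoins=%s\n",
		a.Seller, a.Buyer, a.Date, strings.Join(coins, ",")))
}

// Sign produces the seller's signature over the canonical statement.
func Sign(priv ed25519.PrivateKey, a Acknowledgment) []byte {
	return ed25519.Sign(priv, a.Canonical())
}

// Verify lets a downstream customer check, using only the seller's public key,
// that the statement is exactly what the seller signed.
func Verify(pub ed25519.PublicKey, a Acknowledgment, sig []byte) bool {
	return ed25519.Verify(pub, a.Canonical(), sig)
}

// Demo signs a constructed acknowledgment, then shows that adding a coin to the
// list invalidates the signature. Returns (original verifies, tampered verifies).
func Demo() (bool, bool, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	ack := Acknowledgment{
		Seller: "SELLER-PLACEHOLDER",
		Buyer:  "BUYER-PLACEHOLDER",
		Date:   "2011-07-31", // constructed date
		Coins:  []string{"COIN-ID-0002", "COIN-ID-0001"}, // constructed identifiers
	}
	sig := Sign(priv, ack)
	okOriginal := Verify(pub, ack, sig)

	// Anyone appending a coin they did not buy cannot reuse the original signature.
	tampered := ack
	tampered.Coins = append(append([]string(nil), ack.Coins...), "COIN-ID-0003")
	okTampered := Verify(pub, tampered, sig)
	return okOriginal, okTampered, nil
}

func main() {
	orig, tamp, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("original statement verifies: %v\n", orig)
	fmt.Printf("tampered statement verifies:  %v\n", tamp)
}
```

With real PGP the same shape applies: the seller clearsigns the canonical text, publishes the signing key's fingerprint somewhere the buyer's customers already trust, and the customers verify the clearsigned file; the sorted, line-per-field layout matters because a signature only covers the exact bytes signed.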