Def Con 21: Preliminary results from Sunday

As far as I am informed, Sunday’s attacks on silver Casascius Coins left behind evidence of tampering and were not ruled a successful defeat.

That said, they only had one coin and one chance. It’s entirely possible that, given multiple chances, they’ll succeed, and I intend to give them more chances. This, of course, was true from the beginning: physical security is a cat and mouse game that always favors the hacker. Just look at this year’s DefCon course lineup: a session on how to de-cap silicon chips, presumably made by companies with a decent budget to throw at physical security. It’s prudent to acknowledge from the beginning that any physical security contraption is going to be vulnerable; it’s just a matter of at what cost.

(That said… I really did generate the private keys with a good random number generator, completely offline, and really trashed all copies of them not needed for coin production, so the set of private keys at large isn’t going to be at risk, period, even if someone kicks my door down and digs through everything I own. More recent batches of private keys are done on machines with full disk encryption, adding another layer.)

As to be expected, I received the following in an e-mail:

Is there any way of letting my potential customers know that I am the only other person to have touched this coin and it has come directly from you? Ideally a list of the coins I have purchased from you?

Since the same thing will be on many people’s minds, I’d be pleased to answer yes. I am willing to offer a PGP-signed acknowledgment that I sold particular coins to a particular buyer on or about a particular day.
