After some discussion with /u/river333 I’ve decided to start a debate on running nodes and minting with emphasize on security.
Latest trend is to urge and tip people for running full nodes on their rasperryPi’s. Why not, it is holly grail of crypto. To keep the network strong with extremely low-power machines. That is the message we want to show, right “Peercoin is green”? As for minting, it is also a lot cheeper then GPU’s or ASIC’s.
However I’m concerned about this trend. I’m paranoid.
Security and quality of peercoin client (or any bitcoin client) is not tested enough. Most coins (the other forks of bitcoin) wallet’s are not being used in this way (running 0-24 with coins inside). They are mined with specialized software, not linked with wallet.
Peercoin minting requires that wallet is unlocked and then connected to 8 peers on the network, each and everyone of those peers now know IP of person minting, thus enabling attack vector.
Running full node is even more risky, now you connect to 16-30 peers and with port 9901 forwarded! That means this port, on which peercoin wallet is running is now completely open to anyone on the internet. I see an attack vector.
I’m not an expert, I know this stuff due to using linux for many year and reading forums and wikis that are written by people who know their shit. Programs are full of bugs, developers make mistakes, sometimes not even a piece of software that you use within your program contains critical bugs (remember heartbleed?).
Do we know for sure that peercoin wallet is bug-free. We don’t know is it possible to hack into it via port 9901.
For example (just a theory), is it possible to overflow some buffer? http://en.wikipedia.org/wiki/Buffer_overflow
Programming languages commonly associated with buffer overflows include C and C++, which provide no built-in protection against accessing or overwriting data in any part of memory and do not automatically check that data written to an array (the built-in buffer type) is within the boundaries of that array. Bounds checking can prevent buffer overflows.
Peercoin is coded in C++.
Do we know that is is definitely not possible to access the filesystem of computer running peercoin wallet by using such attack vector?
Now, about raspberryPi’s and running nodes.
Those manuals that showed up here on forum are very simple and easy to follow, but they take security for granted.
Peercoin-qt or peercoin daemon is being run as a normal user. Read this if you don’t know enough http://docstore.mik.ua/orelly/networking/puis/ch04_01.htm
Linux/Unix is more secure then other OS due to “multiuser” enviroment. That means it is possible to run something as a “dummy” user that has little or no access to “other parts of computer” (OS). So, let’s use this feature.
Classic use scenario of minting on raspberryPi:
Install OS on rasPi
Install peercoin wallet
set up, configure, run
This is all done as default user, default by installation.
In this case, peercoin wallet program is on the same privilege level as YOU. So, this peercoin wallet “see’s”, and can read/write/move/delete everything YOU can. So, if it is compromised it can do whatever you can do, ie delete your photos, delete your wallet.dat etc.
This sounds too risky if you ask me. We don’t know peercoin’s wallet enought, it is just not tested enough.
So, what I did since I’m paranoid is to use this security features of linux system.
More secure approach:
Install OS on rasPi (ArchLinux ARM)
Install peercoin - daemon as systemd service (https://aur.archlinux.org/packages/ppcoind/)
(this also enables peercoind to run as “fictional”, dummy user that has no access to anything)
set up /home/user/.ppcoin/peercoin.conf (so you as a user can communicate with daemon)
set up /etc/ppcoind/ppcoind.conf
set up separate partition in which wallet.dat and blockchain will reside, which can also be used only by that dummy user and has not “executable” flag, meaning that no binaries are able to start from this partition (if attacker injects some malicious program, it will not run)
This approach has several benefits.
Systemd will autostart ppcoind upon system boot, and if it “dies” (stops working for some reason) it will automagicaly restart it.
In this scenario, is peercoin wallet is compromised it can not harm the system, nor access my files (in home folder). Because it can not access it. It can still access wallet.dat, however. This will not help to stop this from happening.
I hope this you can understand this, if you have question please ask. And if I took this too far, being paranoid etc please debunk me.
In my next post I will propose some other security features.