
Topic: As a Bitcoin Core only user, how im supposed to pay someone in person? (Read 552 times)

legendary
Activity: 2856
Merit: 7410
Crypto Swap Exchange
--snip--
Did further research on this and turns out there's another option, Replicant OS:
https://www.replicant.us/freedom-privacy-security-issues.php

Quote
Mobile devices such as phones and tablets are taking an increasingly important part in our computing, hence they are particularly subject to freedom and security concerns. These devices are actually full computers with powerful hardware, running complete operating systems that allow for updates, software changes and installable applications: this makes it easy to run free software on them. Mobile devices are often used for communications and provide hardware features that are sensitive when it comes to privacy and security: GPS, camera, microphone, etc, in addition to storing the user's data. Hence, they are particularly subject to being used to spy on the user.

I don't think it gets any more free, as in freedom, than Replicant for the mobile phone. The problem is, just like how it happens with computers, you are limited to a tiny amount of devices that meet the requirements. So you would need to find some ancient S3 phone. Would Electrum run there?

Note that even if you get the higher open source levels here, the last security update for Android 6 was from October 2017, so that's another compromise, so at some point you have to wonder where is the balance there.

It reminds me of a few people who use an old laptop (usually a Thinkpad) with a Linux OS to avoid proprietary hardware (e.g. closed source BIOS). Anyway, Google Play states that Electrum requires Android version 5.0[1], which means you can run Electrum on Replicant OS. But aside from the security issue, you need to find an ancient device in good condition, which isn't a trivial task.

[1] https://play.google.com/store/apps/details?id=org.electrum.electrum
sr. member
Activity: 281
Merit: 408
What I want to do now is to find a new phone, because I have some Galaxy phone from 10 years ago, so I'm assuming this Android version it's using is not updated and thus dangerous to use.
You can always wipe the outdated OS and use a FOSS one instead. In addition to the distros ETFbitcoin has already mentioned, there is also Ubuntu Touch. Your best bet will probably be LineageOS or DivestOS though, which both support a wide range of old Samsung models:

https://wiki.lineageos.org/devices/#samsung
https://divestos.org/pages/devices

I would then basically use Electrum, and transact through Tor. I would need to consider if I would even need to transact through my node or just use some of the reasonable to use servers through Tor. Since the amounts aren't even big, it should be enough. And I don't want to connect my phone back to my node which is sitting at home physically anyway, I would rather compromise using someone else's server and send through there.
If you are only using the wallet to store a single UTXO received from elsewhere and then to later send that UTXO to your trading partner, then there will be minimal privacy loss from using a third party Electrum server via Tor. The server would be able to see all the other addresses in your wallet, but provided you are never going to use them for anything then that is irrelevant. It does mean using a new wallet for each trade you make, though, otherwise the server would be able to link all your trades to the same person.

Did further research on this and turns out there's another option, Replicant OS:
https://www.replicant.us/freedom-privacy-security-issues.php

Quote
Mobile devices such as phones and tablets are taking an increasingly important part in our computing, hence they are particularly subject to freedom and security concerns. These devices are actually full computers with powerful hardware, running complete operating systems that allow for updates, software changes and installable applications: this makes it easy to run free software on them. Mobile devices are often used for communications and provide hardware features that are sensitive when it comes to privacy and security: GPS, camera, microphone, etc, in addition to storing the user's data. Hence, they are particularly subject to being used to spy on the user.

I don't think it gets any more free, as in freedom, than Replicant for the mobile phone. The problem is, just like how it happens with computers, you are limited to a tiny amount of devices that meet the requirements. So you would need to find some ancient S3 phone. Would Electrum run there?

Note that even if you get the higher open source levels here, the last security update for Android 6 was from October 2017, so that's another compromise, so at some point you have to wonder where is the balance there.
legendary
Activity: 1344
Merit: 6415
Farewell, Leo
I've seen Graphene but that is limited to Google phones. There are no other alternatives?
If you're used to Samsung phones, then maybe your best course would be to install LineageOS on this 10-year-old Galaxy. It'd be my first attempt. It's easy to install, does provide decent security and is specifically designed to work on old devices (thus, is more lightweight).

If that doesn't work for you, and you attempt to buy a new smartphone, my recommendation would be a Pixel without doubt. It'll cost you around 300 EUR and you'll get yourself GrapheneOS with the newest Android version, which from my experience, is the best there is. Check out this website, it contains a lot of tutorials around Graphene: https://sideofburritos.com/.
legendary
Activity: 2268
Merit: 18509
What I want to do now is to find a new phone, because I have some Galaxy phone from 10 years ago, so I'm assuming this Android version it's using is not updated and thus dangerous to use.
You can always wipe the outdated OS and use a FOSS one instead. In addition to the distros ETFbitcoin has already mentioned, there is also Ubuntu Touch. Your best bet will probably be LineageOS or DivestOS though, which both support a wide range of old Samsung models:

https://wiki.lineageos.org/devices/#samsung
https://divestos.org/pages/devices

I would then basically use Electrum, and transact through Tor. I would need to consider if I would even need to transact through my node or just use some of the reasonable to use servers through Tor. Since the amounts aren't even big, it should be enough. And I don't want to connect my phone back to my node which is sitting at home physically anyway, I would rather compromise using someone else's server and send through there.
If you are only using the wallet to store a single UTXO received from elsewhere and then to later send that UTXO to your trading partner, then there will be minimal privacy loss from using a third party Electrum server via Tor. The server would be able to see all the other addresses in your wallet, but provided you are never going to use them for anything then that is irrelevant. It does mean using a new wallet for each trade you make, though, otherwise the server would be able to link all your trades to the same person.
legendary
Activity: 2856
Merit: 7410
Crypto Swap Exchange
What I want to do now is to find a new phone, because I have some Galaxy phone from 10 years ago, so I'm assuming this Android version it's using is not updated and thus dangerous to use. And also look at what to do in terms of configuring it to find some reasonable amount of privacy. I've read on Orbot to use Tor on Android phones. I've seen Graphene but that is limited to Google phones. There are no other alternatives?

I'm more surprised that Galaxy phone is still running after 10 years. Anyway, I don't recall any Android custom ROM which is as secure/private as Graphene. But I've seen some people mention Lineage, Calyx and DivestOS as Graphene's alternatives. Although I've only tried Lineage to make an old Android phone last longer, where you can avoid installing Google Apps or install the Google Apps you wish to use.
sr. member
Activity: 281
Merit: 408
I'm also going to put this out there. While the question that the OP asked is a legitimate question, it does bring up another issue of how many one-off situations there are that can happen.
Most people are fine with an insecure hot wallet on their phone and the bit of loss of privacy that comes with it.

There are ways to get around the privacy issue by running your own node and electrum server and connecting to that.

There are ways of using https://tapsigner.com/ or some similar product for more security. You can even have a large amount of funds in an encrypted paper wallet that you import & sweep & then pay the person.

There are 100s of different scenarios / options and each person will have to figure out what will work for them.

We can go down the rabbit hole of what works for the OP, but for the next person it may not be a good answer. There is not a one size fits all for things like this.

So....how do we as a group come up with a general framework that can be more tailored to people, or is it not worth it and we treat every one as an individual thing.

-Dave

The thing with these devices is, they stand out. It looks like some sort of odd thing you are doing, you don't blend in with the average Joe. This to me is a thing to avoid. The way I see it is that when it comes to mobile transactions, you want to use a device that is not flashy, like a very common looking phone, and do not carry more than you could afford to lose carrying on your physical wallet, in terms of cash. This way, you don't make yourself a target, and if you lose the phone, you wouldn't lose some crazy amount, and you would still have a backup at home anyway. By the time they cracked access to the phone, you just would transact these funds into another address you own.

What I want to do now is to find a new phone, because I have some Galaxy phone from 10 years ago, so I'm assuming this Android version it's using is not updated and thus dangerous to use. And also look at what to do in terms of configuring it to find some reasonable amount of privacy. I've read on Orbot to use Tor on Android phones. I've seen Graphene but that is limited to Google phones. There are no other alternatives?

I would then basically use Electrum, and transact through Tor. I would need to consider if I would even need to transact through my node or just use some of the reasonable to use servers through Tor. Since the amounts aren't even big, it should be enough. And I don't want to connect my phone back to my node which is sitting at home physically anyway, I would rather compromise using someone else's server and send through there.
legendary
Activity: 3458
Merit: 6231
Crypto Swap Exchange
I'm also going to put this out there. While the question that the OP asked is a legitimate question, it does bring up another issue of how many one-off situations there are that can happen.
Most people are fine with an insecure hot wallet on their phone and the bit of loss of privacy that comes with it.

There are ways to get around the privacy issue by running your own node and electrum server and connecting to that.

There are ways of using https://tapsigner.com/ or some similar product for more security. You can even have a large amount of funds in an encrypted paper wallet that you import & sweep & then pay the person.

There are 100s of different scenarios / options and each person will have to figure out what will work for them.

We can go down the rabbit hole of what works for the OP, but for the next person it may not be a good answer. There is not a one size fits all for things like this.

So....how do we as a group come up with a general framework that can be more tailored to people, or is it not worth it and we treat every one as an individual thing.

-Dave
legendary
Activity: 2268
Merit: 18509
I initially mentioned encryption since OP talked about the phone getting stolen or other scenarios. If the delay between the attempt to crack the device and the next reboot is very short, the attacker would have a much harder time cracking the device.
Ahh ok, that makes sense. Still, I would prefer really sensitive data (like a bitcoin wallet) to be encrypted at all times except for the few minutes I am actively using it.

Am I the only one who doesn't find any of this easy to do on a phone?
There are much easier ways to do it. On GrapheneOS for example, you can create multiple user profiles which are encrypted when not in use. Simply create a profile simply for bitcoin related things and install your wallets there. When you are in your main profile for calls, messaging, etc., the other profile is shut down and completely encrypted, and so an attacker wouldn't even be able to see you had a bitcoin wallet app installed. Just log in to that profile for the few minutes you need to use it, and then log out of that profile when done to re-encrypt it.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
it's easier to hide smartphone or put it in a safe pocket quickly if you notice any threat.
Phones are also easier to get stolen from the same pocket. Nobody can steal my laptop from the laptop backpack on my back without me noticing.

Quote
aren't laptops more likely to get victim of cyber attacks?
I'm assuming you don't run your Bitcoin Core on Windows, and don't install malware on your laptop.
hero member
Activity: 2198
Merit: 847
Laptop may attract attention, someone accidentally may hit you with shoulder and you may drop your laptop, everything can happen, I wouldn't use laptop either. I think that chances of damaging laptop or getting it stolen is way higher compared to smartphone because everyone has smartphone today in the street and outside, just my two cents.
A quick Google search shows that both laptops and cell phones have a 1-in-10 chance of being stolen. I trust laptops a lot more though, since I can install my own software and easily encrypt a user directory. Pick one up from Craigslist (for $50) and you don't have to worry about losing your expensive laptop.
I did a quick Google search right now after your comment and I have to admit that you are right, some .gov and .edu websites say that 1 in 10 individuals will have their laptop or smartphone stolen at some point. Okay, I am not going to argue with you over this but I think this person has to make his choice by considering his location. I can say this from personal experience that laptops are stolen more often than smartphones because almost everyone moves with iPhones or with expensive smartphones but you'll rarely see someone with laptop. By the way, it's easier to hide smartphone or put it in a safe pocket quickly if you notice any threat. Okay, I am not arguing here, it's very individual but aren't laptops more likely to get victim of cyber attacks?

Android always feels like a dumbed-down version of Linux.

That's because it is a dumbed-down version of Linux with an extremely old kernel, no daemons, no way to compile stuff from scratch and overall, is more designed to be a Google product than anything that has anything to do with Linux :)

That is not to say that Linux ports to mobile phones have been particularly successful yet (Ubuntu Touch I think and there are some others who have also failed).
Android itself is a dumbed-down version of Linux but it's even more dumbed-down when companies like Samsung, Xiaomi, Oppo and Sony make plenty of modifications to Android.
legendary
Activity: 2856
Merit: 7410
Crypto Swap Exchange
Unfortunately that's true. It happened to me a few times, so I switched it to every few days instead.
Forgive me if I'm missing something, but what does this actually achieve?

I initially mentioned encryption since OP talked about the phone getting stolen or other scenarios. If the delay between the attempt to crack the device and the next reboot is very short, the attacker would have a much harder time cracking the device.

When the phone is off, all data is encrypted. Great. When you turn it on, it remains encrypted until you unlock it for the first time. But you need to unlock it for the first time before you can actually use it as a phone. It will not receive calls, notifications, etc., until you have done so, at which point it isn't encrypted anymore. It is only protected by your lock screen, of which I have serious doubts about the security.

Before first unlock, basic functionality is already enabled. IIRC that includes WiFi/internet connection and receiving SMS/calls.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
Very easy to do with GPG, you don't need any system software to do this except for a PGP client.

First, zip the folder into a .tar.gz or a .zip or something, then encrypt and delete the folder.
Am I the only one who doesn't find any of this easy to do on a phone?

My approach is much simpler: my phone itself is worth more than any crypto in my mobile wallet. I'm careful with it anyway.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
This is why my suggestion was to have a dedicated folder on your phone which is separately encrypted and contains your bitcoin wallets, which you would only unlock when interacting with those wallets. Then at least you can still use the rest of the phone as a phone without having your bitcoin wallets unencrypted all the time. I do this on computers as well - I use full disk encryption on all my devices, but still have further separately encrypted files and folders which I will only decrypt when in use.

Very easy to do with GPG, you don't need any system software to do this except for a PGP client.

First, zip the folder into a .tar.gz or a .zip or something, then encrypt and delete the folder.

When you want to decrypt, then you can unzip the decrypted contents.

Of course, this does have one flaw in that somebody can just extract your hard disk and look for unencrypted sectors, since deletion does not overwrite file data in-place[1] (this is the case for journaled filesystems like ext4 used in Android).



[1]: https://www.gnu.org/software/coreutils/manual/html_node/shred-invocation.html
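The archive, encrypt and delete routine from the post above, including its caveat about deletion, as an added example that is not part of the original thread. It assumes GnuPG 2.1 or later, GNU tar and GNU shred; `seal_dir`, `open_dir` and the `SEAL_GPG_ARGS` variable are hypothetical names chosen for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. seal_dir/open_dir and
# SEAL_GPG_ARGS (extra gpg options, e.g. for batch use) are hypothetical names.
# Usage: seal_dir ~/wallets ~/wallets.tar.gz.gpg
#        open_dir ~/wallets.tar.gz.gpg ~/unsealed

# seal_dir DIR OUT: encrypt DIR into OUT, then overwrite and remove DIR.
seal_dir() {
    dir=$1 out=$2
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    [ ! -e "$out" ] || { echo "refusing to overwrite $out" >&2; return 1; }

    # Stream tar straight into gpg so no plaintext archive is ever
    # written to disk. gpg prompts for the passphrase unless
    # SEAL_GPG_ARGS supplies batch options.
    tar -C "$(dirname "$dir")" -czf - "$(basename "$dir")" |
        gpg $SEAL_GPG_ARGS --symmetric --cipher-algo AES256 --output "$out" || {
            rm -f "$out"; return 1; }

    # Verify before destroying anything: the archive must decrypt and
    # list as many entries as the directory tree contains.
    want=$(find "$dir" | wc -l)
    got=$(gpg $SEAL_GPG_ARGS --decrypt "$out" 2>/dev/null | tar -tzf - | wc -l)
    [ "$want" -eq "$got" ] || {
        echo "verification failed, $dir left intact" >&2; return 1; }

    # Plain deletion leaves the data blocks on disk, so overwrite each
    # file first. The shred manual itself warns that this is best-effort
    # on journaled file systems and flash storage.
    find "$dir" -type f -exec shred -u {} +
    rm -rf "$dir"
}

# open_dir IN DEST: decrypt IN and unpack it under DEST.
open_dir() {
    in=$1 dest=$2
    mkdir -p "$dest" &&
        gpg $SEAL_GPG_ARGS --decrypt "$in" | tar -C "$dest" -xzf -
}
```

After working with the wallet, run `seal_dir` on the unpacked copy again so the plaintext only exists while it is in use.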
legendary
Activity: 2268
Merit: 18509
Unfortunately that's true. It happened to me a few times, so I switched it to every few days instead.
Forgive me if I'm missing something, but what does this actually achieve?

When the phone is off, all data is encrypted. Great. When you turn it on, it remains encrypted until you unlock it for the first time. But you need to unlock it for the first time before you can actually use it as a phone. It will not receive calls, notifications, etc., until you have done so, at which point it isn't encrypted anymore. It is only protected by your lock screen, of which I have serious doubts about the security.

So if you reboot your phone every few hours or every day but are going to unlock it immediately after reboot so you can actually use it as a phone again, then what difference does that make to just having it turned on all the time?

This is why my suggestion was to have a dedicated folder on your phone which is separately encrypted and contains your bitcoin wallets, which you would only unlock when interacting with those wallets. Then at least you can still use the rest of the phone as a phone without having your bitcoin wallets unencrypted all the time. I do this on computers as well - I use full disk encryption on all my devices, but still have further separately encrypted files and folders which I will only decrypt when in use.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
Android always feels like a dumbed-down version of Linux.

That's because it is a dumbed-down version of Linux with an extremely old kernel, no daemons, no way to compile stuff from scratch and overall, is more designed to be a Google product than anything that has anything to do with Linux :)

That is not to say that Linux ports to mobile phones have been particularly successful yet (Ubuntu Touch I think and there are some others who have also failed).
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
There have been various methods to bypass the lock screen, such as this one: https://www.androidpolice.com/one-minute-hack-allowed-lock-screen-bypass-on-android-current-pixels-are-safe/.
That's like: "you've replaced my bicycle lock, now you can take my car".
Android always feels like a dumbed-down version of Linux. On a slow old tablet, after switching users, the lock screen takes many seconds to load. During that time you can view the entire screen, and even start apps (including Authenticator).

So setting the phone to perform auto reboot every few hours would help a lot in this case.
That removes basic functionality from your phone: you'll need to unlock it every few hours to be able to receive phone calls again.
legendary
Activity: 2268
Merit: 18509
FWIW, Android has built-in encryption[1], which AFAIK is used by default these days.
But how good is it? If the phone is off then maybe, but if the phone is on and simply locked? There have been various methods to bypass the lock screen, such as this one: https://www.androidpolice.com/one-minute-hack-allowed-lock-screen-bypass-on-android-current-pixels-are-safe/. And once the lock screen is bypassed, everything can be accessed.

I'd rather have an entirely separate encrypted container which I know cannot be accessed without my decryption key.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
FWIW, Android has built-in encryption
But it sucks :P
My phone for instance gives me the option to encrypt my MicroSD card. But if I do, I can no longer read the card in another phone, and if I reset my phone to factory settings, I also lose the data on my MicroSD card. On a (Linux) laptop, at least I'm allowed to keep my decryption key. I don't want to tie decryption to one specific device.
legendary
Activity: 2268
Merit: 18509
An added bonus of using a laptop rather than a phone is you can install and run Bisq on it. Before arranging your face to face trade you can place any bitcoin you are selling in Bisq's multi-sig escrow, and then release them from escrow after the buyer hands you the cash. If someone steals your laptop, they can't steal the bitcoin out of the escrow.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
Laptop may attract attention, someone accidentally may hit you with shoulder and you may drop your laptop, everything can happen, I wouldn't use laptop either. I think that chances of damaging laptop or getting it stolen is way higher compared to smartphone because everyone has smartphone today in the street and outside, just my two cents.
A quick Google search shows that both laptops and cell phones have a 1-in-10 chance of being stolen. I trust laptops a lot more though, since I can install my own software and easily encrypt a user directory. Pick one up from Craigslist (for $50) and you don't have to worry about losing your expensive laptop.