Topic: Bitfi wallet - most user-friendly functionality, does not store private keys - page 3. (Read 651 times)

legendary
Activity: 2268
Merit: 18711
The text for that bounty is still up and you can read it: https://bitfi.com/bounty
You closed the old bounty without paying. Launching a second bounty (which you also won't pay) is not the same. Here is where you tweeted about cancelling your bounty program: https://twitter.com/TheBitfi/status/1035279307617259523.

Please explain who, how, or where the conditions for this Bounty were met and we will make the $250,000 payment immediately.
https://twitter.com/saleemrash1d/status/1035269363903946755 - he cold booted the wallet and extracted the previously used passphrase from RAM, which allows him to steal every single coin stored on the device. You refused to pay.

Regarding the claim "unhackable", please read the first FAQ on our website. It explains our position on what happened and why it was used.
That's all well and good, but your first post in this thread claims "unhackable" was only used by McAfee, and that he isn't part of your company. Both of those are not true, as I've shown in my previous posts. Here is the tweet where McAfee states that Bitfi is "his product", and here is an archive of your website with the unhackable claim on the front page.

The only reason it's wrong to refer to it as a brain wallet is because it has dozens of important differences with brain wallets and is executed in a very different way.
You are right. A true brain wallet doesn't allow the passphrase to be extracted from its RAM.

We have created our own custom system that allows all developers in the world to participate in reviewing and contributing to Bitfi code which is going live in 2 days
I very much doubt this will actually equate to open source, otherwise you would just have used GitHub. It's good enough for every other crypto project out there, but not for you? Please.

Please describe how a $5 wrench attack will lead to loss of coins? We would be very interested in your feedback.
Attacker hits you until you tell him your passphrase.

The vulnerabilities discovered now almost a year ago were on the first version of the device and we are now shipping DMA-2 which had all potential vulnerabilities fixed.
So you finally admit that your device was hackable?

Finally, can you please tell us which claims we are making at this time that are demonstrably untrue and we will immediately remove them.
Please read this post and my previous one where I systematically explain how pretty much every claim you make is a lie.

We understand and appreciate why you are skeptical. All we are asking is that you monitor the facts and data that are being released over the next few weeks so you can make a decision based on fact and not rumor.
Here are the facts:

1 - Release a wallet you claim is unhackable, and post a $250,000 bounty for anyone that can hack it
2 - It is hacked multiple times within days
3 - Insult the researchers, deny the proof of it being hacked, and cancel your bounty program without paying
4 - Wait for 6 months or so, hoping that people forget about your scammy behavior
5 - Relaunch the exact same insecure product again

This is all glossing over the fact that even if your hardware wasn't easily hackable, brain wallets are a terrible way to store your coins and only a moron would choose them.

TL;DR for anyone else: buy a Ledger or a Trezor.
newbie
Activity: 19
Merit: 0
Hi bones261,

You make excellent points and we would like a chance to comment on them to clarify these issues.

First, there are two ways to set a passphrase for your Bitfi. One is a totally custom phrase and the second is a phrase using Diceware (please see: https://theintercept.com/2015/03/26/passphrases-can-memorize-attackers-cant-guess/). The Bitfi device comes with a physical die that you will roll for perfect analogue randomness to choose words out of a Diceware word list. With this method only 7 words are needed. You might think that 24 words as used in an ordinary hardware wallet must have higher entropy than 7 words, but it's actually the opposite. This article here does a decent job explaining why these 7 words on Bitfi give more protection than 24 words: https://medium.com/@surprisedwarrior/the-art-of-mnemonics-90fa439c76f3

The Bitfi Wallet requires two passwords: a salt & your passphrase. But let's say you use a completely custom phrase like Bones261LovesBitcoinTalk.orgFor$Advice. If you want to see how long it would take a computer to crack this phrase, please use the following tool: hsim.pw or https://howsecureismypassword.net

Once you get the time involved, please note that should your phrase be cracked, it is still useless without the salt. The attacker can't even know if he/she cracked your phrase or not because they have no way to test it without knowing the salt. However, we want to also point out that there is still a significant advantage if you decide not to memorize your salt & phrase (this is only optional) and instead write it down. Here is why: if someone breaks into your house (or it could just be your babysitter) and they find 24 words they know instantly they just found a wallet, but if they find Bones261LovesBitcoinTalk.orgFor$Advice they are unlikely to think this is access to a wallet because it's completely non-standardized and just a random phrase that can be anything. And again, should they manage to figure out that it's access to a wallet, it is still useless without the salt.

Finally what happens if Bitfi disappears (for example, the government shuts us down for making a wallet they can't ever extract money from)? That would be no problem whatsoever and as long as you know your salt & phrase your money is always safe. The private key recovery tools are all on https://www.btknox.org and many copies have already circulated all over the internet. Here we demonstrate how easy it is to recover all your money in case Bitfi disappears: https://twitter.com/TheBitfi/status/1111434686645960707 It literally takes less than a minute to generate all your private keys and import them into another wallet.

Thank you for the opportunity to respond to your comments and we would be delighted to see any other comments or questions from you.

Bitfi Team
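The Diceware selection and the 7-words-versus-24-words comparison in the post above, as an added worked example (this is not Bitfi's code or the page's own): it implements the standard five-roll Diceware lookup and computes the entropy of a 7-word Diceware phrase beside a 24-word BIP39 mnemonic, plus a worst-case time-to-exhaust figure so the reader can see how much the assumed guess rate drives any "how long to crack" number. It assumes the standard 7776-word Diceware list and the 2048-word BIP39 list, both stated in the comments.

```python
import math

# Assumptions: the Diceware list has 6**5 = 7776 entries (one per five d6
# rolls) and the BIP39 English list has 2**11 = 2048 entries (11 bits/word).
DICEWARE_LIST_SIZE = 6 ** 5
BIP39_BITS_PER_WORD = 11
# BIP39 checksum bits per mnemonic length (entropy bits / 32); they are
# derived from the entropy and therefore add no randomness.
BIP39_CHECKSUM_BITS = {12: 4, 15: 5, 18: 6, 21: 7, 24: 8}


def dice_to_index(rolls):
    """Standard Diceware lookup: five d6 rolls read as a base-6 number give a
    0-based index into the list (1-1-1-1-1 -> 0, 6-6-6-6-6 -> 7775)."""
    if len(rolls) != 5 or any(r < 1 or r > 6 for r in rolls):
        raise ValueError("need exactly five rolls in the range 1..6")
    index = 0
    for r in rolls:
        index = index * 6 + (r - 1)
    return index


def diceware_entropy_bits(word_count, list_size=DICEWARE_LIST_SIZE):
    """Entropy of a phrase whose words are chosen uniformly by dice."""
    return word_count * math.log2(list_size)


def bip39_entropy_bits(word_count):
    """Entropy of a BIP39 mnemonic: 11 bits per word minus the checksum."""
    return word_count * BIP39_BITS_PER_WORD - BIP39_CHECKSUM_BITS[word_count]


def years_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try every candidate at a given guess rate. The rate
    is the assumption that dominates any 'time to crack' figure."""
    seconds = 2.0 ** bits / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def compare(diceware_words=7, bip39_words=24, guesses_per_second=1e12):
    """Return (diceware_bits, bip39_bits, diceware_years, bip39_years)."""
    d = diceware_entropy_bits(diceware_words)
    b = bip39_entropy_bits(bip39_words)
    return (d, b, years_to_exhaust(d, guesses_per_second),
            years_to_exhaust(b, guesses_per_second))


if __name__ == "__main__":
    # Constructed sample rolls, not taken from any real session.
    print("rolls 3-5-2-6-1 -> list index", dice_to_index([3, 5, 2, 6, 1]))
    d, b, dy, by = compare()
    print(f"7 Diceware words: {d:.1f} bits, {dy:.3g} years at 1e12 guesses/s")
    print(f"24 BIP39 words:   {b} bits, {by:.3g} years at 1e12 guesses/s")
```

The figures are for uniformly random word choice only; a human-chosen phrase such as the custom one in the post has no such computable entropy, which is why online "how secure is my password" estimates are only as good as the guess model behind them.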
legendary
Activity: 1806
Merit: 1828
Unfortunately, in order to ensure that this password is only stored in a person's mind, that person needs to pick a passphrase that is easy to remember. Otherwise, if that person forgets, that person will not be able to access the coins. Unfortunately, phrases that are easy to remember are also easy to brute force. If a person picks a sufficiently difficult passphrase, they would have to write it down. Then it would no longer only reside in their mind and would be subject to confiscation/theft. Also, since your code is closed source, what happens if your company becomes defunct? In such an event will the person's device still be able to operate, if the website that they are supposed to interact with goes down? If it will still be able to function and the device itself becomes broken, will the person have to hope to somehow find a working device in order to access their coins? Also, what if the device owner becomes deceased or suffers an injury/illness that severely impairs their memory? In order to ensure their coins can still be accessed by their estate in such an event, they will either have to share their passphrase with a trusted individual or they would have to write it down and keep the piece of paper secure. Once again, the phrase no longer only exists in one's mind. The trusted individual can betray them or the piece of paper can be confiscated/subject to theft.
newbie
Activity: 19
Merit: 0
Hi o_e_l_e_o,

If you don't mind we have some more thoughts on your comments:

"Except you don't. You came out with some nonsense excuse about how their hack didn't exactly meet your criteria, insulted them on twitter, and shut down your $250,000 bounty reward program. Until you publicly apologize and pay the $250,000 you owe, no one will take you seriously."

The text for that bounty is still up and you can read it: https://bitfi.com/bounty Please explain who, how, or where the conditions for this Bounty were met and we will make the $250,000 payment immediately. What is the nonsense excuse? Are the rules stipulated in this bounty not clear or hard to understand? We genuinely want to pay out this bounty to anyone who achieved it, but we are not aware of anyone who achieved it. Please help us find someone who did this and as stated above payment will be made immediately.

Regarding the claim "unhackable", please read the first FAQ on our website. It explains our position on what happened and why it was used.

It is a private key generator. Yes, it can be used to store everything in your brain with a single phrase. The only reason it's wrong to refer to it as a brain wallet is because it has dozens of important differences with brain wallets and is executed in a very different way. Calling it a brain wallet creates confusion. To be able to walk around with hundreds of different coins and tokens in your brain & potentially millions of dollars (and soon terabytes of data and many other things) is very exciting. Sounds almost like science fiction, except it's real.

We have created our own custom system that allows all developers in the world to participate in reviewing and contributing to Bitfi code which is going live in 2 days; this announcement was made here: https://twitter.com/TheBitfi/status/1110744867951513600. We made it so that each developer will have their own private key, rather than using GitHub, so that you know each post is made by the person who they claim to be. All users and developers can interact through this system and review code before it goes to the device. In addition, we have already done forensic testing and revealed methods that anyone can use to verify for themselves that indeed the private keys don't exist on this device: https://twitter.com/TheBitfi/status/1054884530199449600

Please describe how a $5 wrench attack will lead to loss of coins? We would be very interested in your feedback.

The vulnerabilities discovered now almost a year ago were on the first version of the device and we are now shipping DMA-2 which had all potential vulnerabilities fixed.

Finally, can you please tell us which claims we are making at this time that are demonstrably untrue and we will immediately remove them.

We understand and appreciate why you are skeptical. All we are asking is that you monitor the facts and data that are being released over the next few weeks so you can make a decision based on fact and not rumor. You may decide that it's absolutely not for you or you might realize that this is a tool you can benefit from. We are not asking for anything other than an open mind and collaboration. We are doing all we can to contribute to the cryptocurrency community, not to take anything away from it.

Thanks again.

Bitfi Team
legendary
Activity: 2268
Merit: 18711
The fact is, we pay all of our obligations and all of our bounties. If we didn't, who would take our bounties seriously?
Except you don't. You came out with some nonsense excuse about how their hack didn't exactly meet your criteria, insulted them on twitter, and shut down your $250,000 bounty reward program. Until you publicly apologize and pay the $250,000 you owe, no one will take you seriously.

For example, it is not "John McAfee's wallet" and never was. He has nothing to do with this company other than using the wallet himself and recommending it to his followers.
You might want to tell that to McAfee. He seems to think it's his product: https://twitter.com/officialmcafee/status/1018933263107330049. You might also want to back off from the nonsense claim that the word "unhackable" was only used by McAfee since you had it plastered all over your website: https://web.archive.org/web/20180731202155/https://bitfi.com/

Secondly, this is not like a brain wallet at all. First, let's imagine that you are storing 30 different digital assets and just for Bitcoin you have 15 different addresses. If you had been using a brain wallet, you would have to remember 45 different salts & phrases, which is completely impractical and unusable. With Bitfi, a single salt & phrase generates the correct private key for any currency or asset, and it can be an unlimited amount of currencies.
Yeah, that's still a brain wallet, regardless of how many private keys you derive from the phrase.

Then, a brain wallet has major security issues in creating the salt & phrase as it is done in a computer environment and then when you need to translate the salt & phrase back into a private key you have to do it in a computer environment again which can expose your private key.
You are asking people to enter their phrase into, and therefore trust, your provably insecure and hackable wallet rather than their own potentially airgapped and encrypted computer. If for some reason I was forced to use a brain wallet, I know which one I would choose.

Not to mention that you don't even know if the software you are using to create the brain wallet is safe
And we are supposed to take you on your word that your wallet is safe, since it's not open source?

The only wallet that is congruent with the philosophy of Bitcoin is Bitfi because it is the only wallet that cannot be seized for one simple reason that you cannot steal what doesn't exist.
Except the hacks I linked to before show that this isn't true. And a $5 wrench attack will quite easily lead to you losing your coins.

Maybe if you stopped making claims that are demonstrably untrue, people might be more willing to take you seriously.
newbie
Activity: 19
Merit: 0
Hi o_e_l_e_o,

There is a lot of misconception & false rumors going around regarding this. The fact is, we pay all of our obligations and all of our bounties. If we didn't, who would take our bounties seriously? Regarding the hacks pertaining to the older model (before DMA-2) you are talking about, this was posted a long time ago: https://twitter.com/TheBitfi/status/1038339727961800704 and just 2 days ago we paid out the Jelurida challenge within 1 hour of them requesting payment: https://twitter.com/TheBitfi/status/1114618673061351426 So yes, we do pay everyone and we pay all of our obligations. We hope this clears up any confusion regarding this.

The article posted by TechCrunch is false and we will definitely be working on getting them to update it. It's false, starting with the title. For example, it is not "John McAfee's wallet" and never was. He has nothing to do with this company other than using the wallet himself and recommending it to his followers. TechCrunch could have easily reached out to us to confirm this, but they didn't bother.

Coins were never stolen from the device according to the bounty and this is provable fact. If you would like to dig further, we are happy to supply you with evidence that this did not happen.

Secondly, this is not like a brain wallet at all. First, let's imagine that you are storing 30 different digital assets and just for Bitcoin you have 15 different addresses. If you had been using a brain wallet, you would have to remember 45 different salts & phrases, which is completely impractical and unusable. With Bitfi, a single salt & phrase generates the correct private key for any currency or asset, and it can be an unlimited amount of currencies.

Then, a brain wallet has major security issues in creating the salt & phrase as it is done in a computer environment, and then when you need to translate the salt & phrase back into a private key you have to do it in a computer environment again, which can expose your private key. The other problem is that once you have imported that private key into some wallet, it's no longer safe and you have to empty the entire balance and transfer it to a new brain wallet. Not to mention that you don't even know if the software you are using to create the brain wallet is safe, and it is certainly not suitable for ordinary people who are not tech savvy (while our mission is mass adoption). With Bitfi, you never type your salt & phrase into a computer environment and the device never interfaces or connects with the computer environment or with any consumer device at all.

The point of all this is that Bitcoin was intended to be unseizable, but it can be seized from any wallet because they contain private keys. The only wallet that is congruent with the philosophy of Bitcoin is Bitfi because it is the only wallet that cannot be seized for one simple reason that you cannot steal what doesn't exist.

We thank you for the opportunity to respond to your comments and would welcome any other comments or questions.

Bitfi Team
legendary
Activity: 2268
Merit: 18711
Give it a rest.

The Bitfi wallet was repeatedly hacked, to the extent of having the coins stolen from the device: https://techcrunch.com/2018/08/30/john-mcafees-unhackable-bitfi-wallet-got-hacked-again/

In response to this hack, instead of paying the bounty like you should have done, you cancelled the bounty program and insulted and attacked the researchers who you should have been paying $250,000.

Even ignoring all of that, all Bitfi is is a glorified brain wallet, which is probably the single worst way to store your coins. No serious crypto user would ever purchase this wallet.
newbie
Activity: 19
Merit: 0
The Bitfi hardware wallet is a revolutionary blockchain hardware wallet capable of securing any digital asset without having to store a single thing. The device has been designed with one of the most sophisticated approaches to security while maintaining an intuitive and easy-to-use interface.

The device is not a storage device, rather it works as a private key generator that calculates your private key which comes into existence for less than a second during a transaction. By generating a private key at the time of a transaction and storing nothing, Bitfi surpasses the security of all other hardware wallets. This makes stealing from it impossible. You cannot steal what isn't there.

Due to a significant amount of unconfirmed media reporting and unverified claims there is a controversy surrounding our wallet which has resulted in very few people understanding the difference between the new Bitfi technology and other wallets and methods of securing digital assets. The controversy was triggered over the use of the word "unhackable" by John McAfee when Bitfi was first introduced.

To clarify our position on this matter, we would like to state for the record that we agree all electronic devices (or anything man-made) can be hacked, modified, taken apart, or altered. Bitfi took a security approach with this consideration in mind. The device was designed in such a way that should it ever be "hacked" - there is nothing to take. The device is always empty. Furthermore, John McAfee was not involved with the development or operations of Bitfi, and has no ownership in the company. However, he is an advocate of the use of Bitfi as he himself and his company, Team McAfee, use the Bitfi wallet. While he understands anything is hackable, his excitement comes from the innovation of never requiring the storage of private keys or data on the Bitfi device.

The word "unhackable" caused a significant amount of tension within the cyber security community and confusion in the marketplace and for that, we apologize. Our intention was to push a dialogue of what security means in the cryptocurrency community. Our goal is to have productive and open collaboration so that we may have the opportunity to clear up any misconceptions or questions surrounding the Bitfi wallet.


We welcome the opportunity to field any comments and questions you may have about our security, our approach and where we are heading in the future.


Twitter: @TheBitfi
Instagram: @TheBitfi
Facebook: @TheBitfi
Youtube: https://www.youtube.com/channel/UCIJXmTcPSUVW1I8PU05ZBbA

Our Youtube channel offers wallet tutorials in English, Korean, Japanese, German, and Portuguese.