Pages:
Author

Topic: HW Wallets & SW Wallets are a Scam - They & Exchanges are Main Theft Vector (Read 380 times)

HCP
legendary
Activity: 2086
Merit: 4363
All SW & HW can & is compromised, hell the US Gov largely demands backdoors in all tech.
It's been proven that most hw&sw wallets and exchanges are run by scammers.
The entire premise of bitcoin was trustless, or trust no one, now your saying 'gotta trust somebody'?

Hell no.
But we're supposed to "trust" the word of an internet rando who has provided no proof of their claims or cited any sources to backup the quite serious allegations they're making regarding the integrity of software wallets, hardware wallets and exchanges??!? Huh

#irony Roll Eyes
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
It's been proven that most hw&sw wallets and exchanges are run by scammers.
Would you like to get these answers? Would you really want to respond you that same way? If you're trying to convince someone, at least, provide some arguments. So, from the whole post I wrote you, you answered that the majority of HW & SW wallets are created by scammers. Not a surprise you aren't taken seriously from this community.

As for the wallets, I highly disagree if we're talking about the open-source ones.

If you do not trust the entropy generated by your kernel, then you shouldn't trust the device that you're using.
I believe that there's a difference between trusting your device and trusting its RNG. For example, if you roll your dices and derive your addresses like so, you do know that it was a completely random choice of entropy. You can try it on other devices too to confirm that your main device won't “betray” you. But, if you do this with the RNG, you have no proof of your randomness.
legendary
Activity: 2730
Merit: 7065
@btc-room101
You are welcome to back up your claims with some proof, but based on your post history and trust ratings on Bitcointalk, you wont and you can't. Trusting any service blindly isn't recommended and I don't think there is anyone who wouldn't agree with you on that. But baseless claims like the ones you are bringing to the table have no value.

You should stop posting multiple posts in a row and reply to the users you want to reply to in just one post. Use the "Insert Quote" button for that. 
copper member
Activity: 41
Merit: 0
The given replies are more than enough to convince the newcomers that you can't really trust no one. If the project is closed-source, you have to trust the developers. If it's open-source, along with your coding skills, you have to trust that the developers haven't hidden anything malicious. Besides that, you have to trust your operating system, whether if it's open or closed-source for the reasons above AND the programs you've installed. You also have to trust that the people from the place or the factory you bought your computer didn't have any intends to weaken your RNG.

But, I'd like to focus on the title of this thread:
Quote
Re: HW Wallets & SW Wallets are a Scam - They & Exchanges are Main Theft Vector

How can you state that SW and HW are scams, if you haven't proved that they, indeed, steal people's money? I do get your paranoia, but just like you can't know if they will steal your money, you can't prove the opposite. So saying that they're “scams” is rather misinforming. As said above, you can't really trust no one, but you can reduce the people you'll have to trust. Is it the same to trust the developers of the application, the programs of your computer, your operating system and your RNG strength compared with *just* your coding skills? Knowing that the software/firmware is open-source is a strong letter of guarantee.

Do you trust less on a bank?

It's been proven that most hw&sw wallets and exchanges are run by scammers.

Got any proof or just your "sources"??
legendary
Activity: 3038
Merit: 4418
Crypto Swap Exchange
Throw the dice 32 pairs, right down the sequence of digits,  has far more entropy, than a deterministic random number with a known seed; A generated random-number, can always be determined by those who wrote the software, they knew the seed, they can generate all possible outcomes, and then later check the generated-keys for balance.

With dice, nobody can ever guess or know what I rolled.
32 pairs of dice rolls provides 165bits of entropy, OK fair enough. That assumes the user throws the dice in a manner that negates any possible bias from the design of the dice or the way the user selects the number of throws it.

Most of the desktop wallets either sources the entropy from dev/urandom or OpenSSL. There is no pre-determined seeds from either of those sources as it gathers entropy on the go. If you do not trust the entropy generated by your kernel, then you shouldn't trust the device that you're using.
member
Activity: 182
Merit: 30
The given replies are more than enough to convince the newcomers that you can't really trust no one. If the project is closed-source, you have to trust the developers. If it's open-source, along with your coding skills, you have to trust that the developers haven't hidden anything malicious. Besides that, you have to trust your operating system, whether if it's open or closed-source for the reasons above AND the programs you've installed. You also have to trust that the people from the place or the factory you bought your computer didn't have any intends to weaken your RNG.

But, I'd like to focus on the title of this thread:
Quote
Re: HW Wallets & SW Wallets are a Scam - They & Exchanges are Main Theft Vector

How can you state that SW and HW are scams, if you haven't proved that they, indeed, steal people's money? I do get your paranoia, but just like you can't know if they will steal your money, you can't prove the opposite. So saying that they're “scams” is rather misinforming. As said above, you can't really trust no one, but you can reduce the people you'll have to trust. Is it the same to trust the developers of the application, the programs of your computer, your operating system and your RNG strength compared with *just* your coding skills? Knowing that the software/firmware is open-source is a strong letter of guarantee.

Do you trust less on a bank?

It's been proven that most hw&sw wallets and exchanges are run by scammers.
member
Activity: 182
Merit: 30
That is why the Web of Trust concept was created. You mitigate the risk of seeing a compromised key by asking other sources whom you already trust to sign the key for you. For example it could be a friend(s) that you know in real life that you receive their PGP public key on a floppy disk Smiley
That way you are reducing the risk of having an impostor's key by getting the real key from multiple sources that you could trust.
I bolded parts of your post because you confirmed that there has to be trust somewhere, by it a friend or another source you consider to be trustworthy. You are trusting your friend and the medium of storage (the floppy disk). I also bolded mitigate and reduce because they are the correct terms for this topic. The risk is not eliminated entirely. it's reduced or alleviated by a certain/significant degree.     

The entire premise of bitcoin was trustless, or trust no one, now your saying 'gotta trust somebody'?

Hell no.

All SW & HW can & is compromised, hell the US Gov largely demands backdoors in all tech.
member
Activity: 182
Merit: 30
Wallet Software is dangerous, free trojan horses.
They're not.
Everything is offline. Get a couple of dice, say roll the 32 times and write down the numbers, then enter the numbers on an offline laptop, that is virgin, no web-browser, sort of like the hive-model, virgin clean no chance of malware. You run "KU" for python bitcoin/pycoin, ku will take the generated random number and generate your WIF, you write that WIF down. Your done. You engrave that WIF on some metal, and put it away. If you want more special private-keys, do this again.
Debatable. To any newbies, don't go throw your 6 sided dice 32 times and expect to not get hacked. That is not sufficient entropy. Humans are mostly worse than computers at generating anything with sufficient entropy and considering that you've been preaching about your magical private key cracker, I would think that you would have emphasize for people to generate their keys with more entropy Huh


I believe the rest has been addressed enough. Your paranoia is unfounded; Trezor gives you the full schematics to build your own, so does ColdCard and various other HW wallet operators. You can just as easily supply your own entropy to them or use your own generated seed. If you cannot trust any wallets, then I really don't see how you're going to use Bitcoin at all.

Throw the dice 32 pairs, right down the sequence of digits,  has far more entropy, than a deterministic random number with a known seed; A generated random-number, can always be determined by those who wrote the software, they knew the seed, they can generate all possible outcomes, and then later check the generated-keys for balance.

With dice, nobody can ever guess or know what I rolled.
legendary
Activity: 3472
Merit: 10611
That is why the Web of Trust concept was created. You mitigate the risk of seeing a compromised key by asking other sources whom you already trust to sign the key for you. For example it could be a friend(s) that you know in real life that you receive their PGP public key on a floppy disk Smiley
That way you are reducing the risk of having an impostor's key by getting the real key from multiple sources that you could trust.
I bolded parts of your post because you confirmed that there has to be trust somewhere, by it a friend or another source you consider to be trustworthy. You are trusting your friend and the medium of storage (the floppy disk). I also bolded mitigate and reduce because they are the correct terms for this topic. The risk is not eliminated entirely. it's reduced or alleviated by a certain/significant degree.     
You are right but when using this method you are spreading the "trust" among multiple sources that you know have no chance of coordinating with each other to scam you. So yes the risks are significantly reduced because the chances of all your sources being wrong or malicious is practically zero.
legendary
Activity: 2730
Merit: 7065
That is why the Web of Trust concept was created. You mitigate the risk of seeing a compromised key by asking other sources whom you already trust to sign the key for you. For example it could be a friend(s) that you know in real life that you receive their PGP public key on a floppy disk Smiley
That way you are reducing the risk of having an impostor's key by getting the real key from multiple sources that you could trust.
I bolded parts of your post because you confirmed that there has to be trust somewhere, by it a friend or another source you consider to be trustworthy. You are trusting your friend and the medium of storage (the floppy disk). I also bolded mitigate and reduce because they are the correct terms for this topic. The risk is not eliminated entirely. it's reduced or alleviated by a certain/significant degree.     
legendary
Activity: 3472
Merit: 10611
And one more thing. It's recommended to verify the signatures of the applications you use. What do you need for that? You need the public key or the public key fingerprint of the developer and signer. Where do you get that? You copy/paste or download it from online sources.

Since you have to trust someone or something, you are trusting those sources not to have been compromised. If you can't do that, get the public keys directly from the signer. But can you be 100% sure you are getting them from the real person and not an imposter? If you start thinking that way, you'll keep walking in circles and realize you have to start trusting something and somewhere.   
That is why the Web of Trust concept was created. You mitigate the risk of seeing a compromised key by asking other sources whom you already trust to sign the key for you. For example it could be a friend(s) that you know in real life that you receive their PGP public key on a floppy disk Smiley
That way you are reducing the risk of having an impostor's key by getting the real key from multiple sources that you could trust.
legendary
Activity: 2730
Merit: 7065
The given replies are more than enough to convince the newcomers that you can't really trust no one. If the project is closed-source, you have to trust the developers. If it's open-source, along with your coding skills, you have to trust that the developers haven't hidden anything malicious. Besides that, you have to trust your operating system, whether if it's open or closed-source for the reasons above AND the programs you've installed. You also have to trust that the people from the place or the factory you bought your computer didn't have any intends to weaken your RNG.
And one more thing. It's recommended to verify the signatures of the applications you use. What do you need for that? You need the public key or the public key fingerprint of the developer and signer. Where do you get that? You copy/paste or download it from online sources.

Since you have to trust someone or something, you are trusting those sources not to have been compromised. If you can't do that, get the public keys directly from the signer. But can you be 100% sure you are getting them from the real person and not an imposter? If you start thinking that way, you'll keep walking in circles and realize you have to start trusting something and somewhere.   
legendary
Activity: 3038
Merit: 4418
Crypto Swap Exchange
Wallet Software is dangerous, free trojan horses.
They're not.
Everything is offline. Get a couple of dice, say roll the 32 times and write down the numbers, then enter the numbers on an offline laptop, that is virgin, no web-browser, sort of like the hive-model, virgin clean no chance of malware. You run "KU" for python bitcoin/pycoin, ku will take the generated random number and generate your WIF, you write that WIF down. Your done. You engrave that WIF on some metal, and put it away. If you want more special private-keys, do this again.
Debatable. To any newbies, don't go throw your 6 sided dice 32 times and expect to not get hacked. That is not sufficient entropy. Humans are mostly worse than computers at generating anything with sufficient entropy and considering that you've been preaching about your magical private key cracker, I would think that you would have emphasize for people to generate their keys with more entropy Huh


I believe the rest has been addressed enough. Your paranoia is unfounded; Trezor gives you the full schematics to build your own, so does ColdCard and various other HW wallet operators. You can just as easily supply your own entropy to them or use your own generated seed. If you cannot trust any wallets, then I really don't see how you're going to use Bitcoin at all.
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
The given replies are more than enough to convince the newcomers that you can't really trust no one. If the project is closed-source, you have to trust the developers. If it's open-source, along with your coding skills, you have to trust that the developers haven't hidden anything malicious. Besides that, you have to trust your operating system, whether if it's open or closed-source for the reasons above AND the programs you've installed. You also have to trust that the people from the place or the factory you bought your computer didn't have any intends to weaken your RNG.

But, I'd like to focus on the title of this thread:
Quote
Re: HW Wallets & SW Wallets are a Scam - They & Exchanges are Main Theft Vector

How can you state that SW and HW are scams, if you haven't proved that they, indeed, steal people's money? I do get your paranoia, but just like you can't know if they will steal your money, you can't prove the opposite. So saying that they're “scams” is rather misinforming. As said above, you can't really trust no one, but you can reduce the people you'll have to trust. Is it the same to trust the developers of the application, the programs of your computer, your operating system and your RNG strength compared with *just* your coding skills? Knowing that the software/firmware is open-source is a strong letter of guarantee.

Do you trust less on a bank?
legendary
Activity: 3500
Merit: 6320
Crypto Swap Exchange

Few users like me already know OP's feedback/history. For example, that's why @HCP post image of tin foil hat.

Government trying to control your mind? Aliens? The Illuminati? Simply place a tinfoil hat on your head to block their signals, as the trope popularly goes. Tinfoil hat is a shorthand for saying someone believes in conspiracy theories, is paranoid, or is crazy more generally.

Oh I know what tinfoil hat means.
https://mashable.com/article/tin-foil-hats-def-con-hackers/

Paranoid tinfoil hat nut-job does not mean fudding troll.

I was making the point that responding to him is just feeding the troll.
As I said I have him on ignore but since others, who I know are not 100% not trolls and usually don't respond to them were responding I popped in for a look.

-Dave
legendary
Activity: 3500
Merit: 6320
Crypto Swap Exchange
legendary
Activity: 3472
Merit: 10611
Yours is more like a selected paranoia. You appear to be paranoid about some things and not others. For example how are you paranoid about software wallets calling them scams and not an offline python tool that converts your randomly dice generated private key to public key and address? You definitely can't do that conversion by hand and can't write the code yourself. Heck why trust python or even your computer?
HCP
legendary
Activity: 2086
Merit: 4363
Perhaps you might like one of these to go along with your dice rolled, paper, metal engraved, WIF, seed mnemonic, tattoo on your foot Roll Eyes (I kind of lost track of what you were actually recommending as the best way to create/store a key)


https://mcphee.com/products/tin-foil-hat
legendary
Activity: 2730
Merit: 7065
This is solid advice, but a newbie wouldn't necessarily know not to buy a used HW wallet.  That's the kind of knowledge that comes with experience in crypto. 
You are right about that. Unfortunately, that's the mentality that people have. They can't cope with the fact that they don't know something or don't understand something, so they act before asking questions. That's why when you see people ask for help, it's usually already too late. They already made the mistake and now they are asking if what they did was wrong. Getting to the point of understanding that with crypto there is no going back after you click that send button will take a very long time.

And hey, maybe OP is right and I haven't learned as much as I think by continuing to trust wallets like Ledger.  I would never rule that out entirely.
OP mentioned Trezor a few times and all hardware wallets in general, but the brand is not important right now. On what basis is he accusing hardware wallet producers of inserting Trojans and other malware. I would love to see some examples where Trezor or Ledger stole money from a hardware wallet.
legendary
Activity: 1134
Merit: 1599
Hardware Wallet is a joke, how do you really know its doing what you think? How can you trust the company.
Interesting point of view, but in the end this question you asked will be continuously repeated. How do you really know the wallet is doing what you think? Replace "wallet" with private server, Tor, CoinJoin etc and you'll find out there still has to be a relationship of trust no matter what you try and do. Unless you support just open-source stuff and inspect every single line of code of the apps you use and physically/technically inspect the hardware components, you still have to trust something in some way.

If you generate the privkey using dice, it is 100% safe and random until you insert it into a wallet. And then, how do you know the wallet you've installed isn't going to show you another address instead of yours so that any money you send will go to someone else while you think your cold wallet is safer than anything else? Unless you've checked the code behind the software, there's no such assurance.
Pages:
Jump to: