HW Wallets & SW Wallets are a Scam - They & Exchanges are Main Theft Vector

HCP

legendary

Activity: 2086

Merit: 4314

Quote from: btc-room101 on May 26, 2021, 02:21:38 AM

All SW & HW can & is compromised, hell the US Gov largely demands backdoors in all tech.

Quote from: btc-room101 on May 26, 2021, 02:22:42 AM

It's been proven that most hw&sw wallets and exchanges are run by scammers.

Quote from: btc-room101 on May 26, 2021, 02:21:38 AM

The entire premise of bitcoin was trustless, or trust no one, now your saying 'gotta trust somebody'?

Hell no.

But we're supposed to "trust" the word of an internet rando who has provided no proof of their claims or cited any sources to backup the quite serious allegations they're making regarding the integrity of software wallets, hardware wallets and exchanges??!? Huh

#irony

BlackHatCoiner

legendary

Activity: 1344

Merit: 6415

Farewell, Leo

Quote from: btc-room101 on May 26, 2021, 02:22:42 AM

It's been proven that most hw&sw wallets and exchanges are run by scammers.

Would you like to get these answers? Would you really want to respond you that same way? If you're trying to convince someone, at least, provide some arguments. So, from the whole post I wrote you, you answered that the majority of HW & SW wallets are created by scammers. Not a surprise you aren't taken seriously from this community.

As for the wallets, I highly disagree if we're talking about the open-source ones.

Quote from: ranochigo on May 26, 2021, 02:29:38 AM

If you do not trust the entropy generated by your kernel, then you shouldn't trust the device that you're using.

I believe that there's a difference between trusting your device and trusting its RNG. For example, if you roll your dices and derive your addresses like so, you do know that it was a completely random choice of entropy. You can try it on other devices too to confirm that your main device won't “betray” you. But, if you do this with the RNG, you have no proof of your randomness.

Pmalek

legendary

Activity: 2730

Merit: 7065

Farewell, Leo. You will be missed!

@btc-room101
You are welcome to back up your claims with some proof, but based on your post history and trust ratings on Bitcointalk, you wont and you can't. Trusting any service blindly isn't recommended and I don't think there is anyone who wouldn't agree with you on that. But baseless claims like the ones you are bringing to the table have no value.

You should stop posting multiple posts in a row and reply to the users you want to reply to in just one post. Use the "Insert Quote" button for that.

ranochigo

legendary

Activity: 2954

Merit: 4158

Quote from: btc-room101 on May 26, 2021, 02:19:59 AM

Throw the dice 32 pairs, right down the sequence of digits, has far more entropy, than a deterministic random number with a known seed; A generated random-number, can always be determined by those who wrote the software, they knew the seed, they can generate all possible outcomes, and then later check the generated-keys for balance.

With dice, nobody can ever guess or know what I rolled.

32 pairs of dice rolls provides 165bits of entropy, OK fair enough. That assumes the user throws the dice in a manner that negates any possible bias from the design of the dice or the way the user selects the number of throws it.

Most of the desktop wallets either sources the entropy from dev/urandom or OpenSSL. There is no pre-determined seeds from either of those sources as it gathers entropy on the go. If you do not trust the entropy generated by your kernel, then you shouldn't trust the device that you're using.

btc-room101

member

Activity: 182

Merit: 30

Quote from: BlackHatCoiner on May 23, 2021, 05:31:45 AM

The given replies are more than enough to convince the newcomers that you can't really trust no one. If the project is closed-source, you have to trust the developers. If it's open-source, along with your coding skills, you have to trust that the developers haven't hidden anything malicious. Besides that, you have to trust your operating system, whether if it's open or closed-source for the reasons above AND the programs you've installed. You also have to trust that the people from the place or the factory you bought your computer didn't have any intends to weaken your RNG.

But, I'd like to focus on the title of this thread:

Quote

Re: HW Wallets & SW Wallets are a Scam - They & Exchanges are Main Theft Vector

How can you state that SW and HW are scams, if you haven't proved that they, indeed, steal people's money? I do get your paranoia, but just like you can't know if they will steal your money, you can't prove the opposite. So saying that they're “scams” is rather misinforming. As said above, you can't really trust no one, but you can reduce the people you'll have to trust. Is it the same to trust the developers of the application, the programs of your computer, your operating system and your RNG strength compared with *just* your coding skills? Knowing that the software/firmware is open-source is a strong letter of guarantee.

Do you trust less on a bank?

It's been proven that most hw&sw wallets and exchanges are run by scammers.

btc-room101

member

Activity: 182

Merit: 30

Quote from: Pmalek on May 25, 2021, 04:00:03 AM

Quote from: pooya87 on May 24, 2021, 11:07:40 PM

That is why the Web of Trust concept was created. You mitigate the risk of seeing a compromised key by asking other sources whom you already trust to sign the key for you. For example it could be a friend(s) that you know in real life that you receive their PGP public key on a floppy disk

That way you are reducing the risk of having an impostor's key by getting the real key from multiple sources that you could trust.

I bolded parts of your post because you confirmed that there has to be trust somewhere, by it a friend or another source you consider to be trustworthy. You are trusting your friend and the medium of storage (the floppy disk). I also bolded mitigate and reduce because they are the correct terms for this topic. The risk is not eliminated entirely. it's reduced or alleviated by a certain/significant degree.

The entire premise of bitcoin was trustless, or trust no one, now your saying 'gotta trust somebody'?

Hell no.

All SW & HW can & is compromised, hell the US Gov largely demands backdoors in all tech.

btc-room101

member

Activity: 182

Merit: 30

Quote from: ranochigo on May 23, 2021, 07:37:17 AM

Quote from: btc-room101 on April 27, 2021, 09:33:10 PM

Wallet Software is dangerous, free trojan horses.

They're not.

Quote from: btc-room101 on April 27, 2021, 09:33:10 PM

Everything is offline. Get a couple of dice, say roll the 32 times and write down the numbers, then enter the numbers on an offline laptop, that is virgin, no web-browser, sort of like the hive-model, virgin clean no chance of malware. You run "KU" for python bitcoin/pycoin, ku will take the generated random number and generate your WIF, you write that WIF down. Your done. You engrave that WIF on some metal, and put it away. If you want more special private-keys, do this again.

Debatable. To any newbies, don't go throw your 6 sided dice 32 times and expect to not get hacked. That is not sufficient entropy. Humans are mostly worse than computers at generating anything with sufficient entropy and considering that you've been preaching about your magical private key cracker, I would think that you would have emphasize for people to generate their keys with more entropy Huh

I believe the rest has been addressed enough. Your paranoia is unfounded; Trezor gives you the full schematics to build your own, so does ColdCard and various other HW wallet operators. You can just as easily supply your own entropy to them or use your own generated seed. If you cannot trust any wallets, then I really don't see how you're going to use Bitcoin at all.

Throw the dice 32 pairs, right down the sequence of digits, has far more entropy, than a deterministic random number with a known seed; A generated random-number, can always be determined by those who wrote the software, they knew the seed, they can generate all possible outcomes, and then later check the generated-keys for balance.

With dice, nobody can ever guess or know what I rolled.

pooya87

legendary

Activity: 3430

Merit: 10504

Quote from: Pmalek on May 25, 2021, 04:00:03 AM

Quote from: pooya87 on May 24, 2021, 11:07:40 PM

That is why the Web of Trust concept was created. You mitigate the risk of seeing a compromised key by asking other sources whom you already trust to sign the key for you. For example it could be a friend(s) that you know in real life that you receive their PGP public key on a floppy disk

That way you are reducing the risk of having an impostor's key by getting the real key from multiple sources that you could trust.

I bolded parts of your post because you confirmed that there has to be trust somewhere, by it a friend or another source you consider to be trustworthy. You are trusting your friend and the medium of storage (the floppy disk). I also bolded mitigate and reduce because they are the correct terms for this topic. The risk is not eliminated entirely. it's reduced or alleviated by a certain/significant degree.

You are right but when using this method you are spreading the "trust" among multiple sources that you know have no chance of coordinating with each other to scam you. So yes the risks are significantly reduced because the chances of all your sources being wrong or malicious is practically zero.

Pmalek

legendary

Activity: 2730

Merit: 7065

Farewell, Leo. You will be missed!

Quote from: pooya87 on May 24, 2021, 11:07:40 PM

That is why the Web of Trust concept was created. You mitigate the risk of seeing a compromised key by asking other sources whom you already trust to sign the key for you. For example it could be a friend(s) that you know in real life that you receive their PGP public key on a floppy disk

That way you are reducing the risk of having an impostor's key by getting the real key from multiple sources that you could trust.

I bolded parts of your post because you confirmed that there has to be trust somewhere, by it a friend or another source you consider to be trustworthy. You are trusting your friend and the medium of storage (the floppy disk). I also bolded mitigate and reduce because they are the correct terms for this topic. The risk is not eliminated entirely. it's reduced or alleviated by a certain/significant degree.

pooya87

legendary

Activity: 3430

Merit: 10504

Quote from: Pmalek on May 24, 2021, 05:13:26 AM

And one more thing. It's recommended to verify the signatures of the applications you use. What do you need for that? You need the public key or the public key fingerprint of the developer and signer. Where do you get that? You copy/paste or download it from online sources.

Since you have to trust someone or something, you are trusting those sources not to have been compromised. If you can't do that, get the public keys directly from the signer. But can you be 100% sure you are getting them from the real person and not an imposter? If you start thinking that way, you'll keep walking in circles and realize you have to start trusting something and somewhere.

That is why the Web of Trust concept was created. You mitigate the risk of seeing a compromised key by asking other sources whom you already trust to sign the key for you. For example it could be a friend(s) that you know in real life that you receive their PGP public key on a floppy disk

That way you are reducing the risk of having an impostor's key by getting the real key from multiple sources that you could trust.

Pmalek

legendary

Activity: 2730

Merit: 7065

Farewell, Leo. You will be missed!

Quote from: BlackHatCoiner on May 23, 2021, 05:31:45 AM

The given replies are more than enough to convince the newcomers that you can't really trust no one. If the project is closed-source, you have to trust the developers. If it's open-source, along with your coding skills, you have to trust that the developers haven't hidden anything malicious. Besides that, you have to trust your operating system, whether if it's open or closed-source for the reasons above AND the programs you've installed. You also have to trust that the people from the place or the factory you bought your computer didn't have any intends to weaken your RNG.

And one more thing. It's recommended to verify the signatures of the applications you use. What do you need for that? You need the public key or the public key fingerprint of the developer and signer. Where do you get that? You copy/paste or download it from online sources.

Since you have to trust someone or something, you are trusting those sources not to have been compromised. If you can't do that, get the public keys directly from the signer. But can you be 100% sure you are getting them from the real person and not an imposter? If you start thinking that way, you'll keep walking in circles and realize you have to start trusting something and somewhere.

ranochigo

legendary

Activity: 2954

Merit: 4158

Quote from: btc-room101 on April 27, 2021, 09:33:10 PM

Wallet Software is dangerous, free trojan horses.

They're not.

Quote from: btc-room101 on April 27, 2021, 09:33:10 PM

Everything is offline. Get a couple of dice, say roll the 32 times and write down the numbers, then enter the numbers on an offline laptop, that is virgin, no web-browser, sort of like the hive-model, virgin clean no chance of malware. You run "KU" for python bitcoin/pycoin, ku will take the generated random number and generate your WIF, you write that WIF down. Your done. You engrave that WIF on some metal, and put it away. If you want more special private-keys, do this again.

Debatable. To any newbies, don't go throw your 6 sided dice 32 times and expect to not get hacked. That is not sufficient entropy. Humans are mostly worse than computers at generating anything with sufficient entropy and considering that you've been preaching about your magical private key cracker, I would think that you would have emphasize for people to generate their keys with more entropy Huh

I believe the rest has been addressed enough. Your paranoia is unfounded; Trezor gives you the full schematics to build your own, so does ColdCard and various other HW wallet operators. You can just as easily supply your own entropy to them or use your own generated seed. If you cannot trust any wallets, then I really don't see how you're going to use Bitcoin at all.

BlackHatCoiner

legendary

Activity: 1344

Merit: 6415

Farewell, Leo

The given replies are more than enough to convince the newcomers that you can't really trust no one. If the project is closed-source, you have to trust the developers. If it's open-source, along with your coding skills, you have to trust that the developers haven't hidden anything malicious. Besides that, you have to trust your operating system, whether if it's open or closed-source for the reasons above AND the programs you've installed. You also have to trust that the people from the place or the factory you bought your computer didn't have any intends to weaken your RNG.

But, I'd like to focus on the title of this thread:

Quote

Re: HW Wallets & SW Wallets are a Scam - They & Exchanges are Main Theft Vector

How can you state that SW and HW are scams, if you haven't proved that they, indeed, steal people's money? I do get your paranoia, but just like you can't know if they will steal your money, you can't prove the opposite. So saying that they're “scams” is rather misinforming. As said above, you can't really trust no one, but you can reduce the people you'll have to trust. Is it the same to trust the developers of the application, the programs of your computer, your operating system and your RNG strength compared with *just* your coding skills? Knowing that the software/firmware is open-source is a strong letter of guarantee.

Do you trust less on a bank?

DaveF

legendary

Activity: 3458

Merit: 6231

Crypto Swap Exchange

Quote from: ?? on ??

Few users like me already know OP's feedback/history. For example, that's why @HCP post image of tin foil hat.

Quote from: https://www.dictionary.com/e/pop-culture/tinfoil-hat/

Government trying to control your mind? Aliens? The Illuminati? Simply place a tinfoil hat on your head to block their signals, as the trope popularly goes. Tinfoil hat is a shorthand for saying someone believes in conspiracy theories, is paranoid, or is crazy more generally.

Oh I know what tinfoil hat means.
https://mashable.com/article/tin-foil-hats-def-con-hackers/

Paranoid tinfoil hat nut-job does not mean fudding troll.

I was making the point that responding to him is just feeding the troll.
As I said I have him on ignore but since others, who I know are not 100% not trolls and usually don't respond to them were responding I popped in for a look.

-Dave

DaveF

legendary

Activity: 3458

Merit: 6231

Crypto Swap Exchange

Did anyone take a look at the OPs feedback?
https://bitcointalk.org/index.php?action=trust;u=2038954

Or how about some of the threads they started?:

https://bitcointalksearch.org/topic/bitcoin-wasnt-created-to-make-you-rich-it-was-created-to-enslave-u-track-u-5333252
https://bitcointalksearch.org/topic/at-75-dogecoin-will-be-more-valuable-than-btc-5332176
https://bitcointalksearch.org/topic/gold-in-the-hand-versus-chinese-bitcoin-in-the-bush-which-has-real-value-5332842

Just a Fudding troll. I have him on ignore, no idea why I even clicked in here, but be aware of what they are saying elsewhere before wasting more of your time replying to him.

-Dave

pooya87

legendary

Activity: 3430

Merit: 10504

Yours is more like a selected paranoia. You appear to be paranoid about some things and not others. For example how are you paranoid about software wallets calling them scams and not an offline python tool that converts your randomly dice generated private key to public key and address? You definitely can't do that conversion by hand and can't write the code yourself. Heck why trust python or even your computer?

HCP

legendary

Activity: 2086

Merit: 4314

Perhaps you might like one of these to go along with your dice rolled, paper, metal engraved, WIF, seed mnemonic, tattoo on your foot Roll Eyes

(I kind of lost track of what you were actually recommending as the best way to create/store a key)

https://mcphee.com/products/tin-foil-hat

Pmalek

legendary

Activity: 2730

Merit: 7065

Farewell, Leo. You will be missed!

Quote from: The Sceptical Chymist on May 02, 2021, 10:03:23 AM

This is solid advice, but a newbie wouldn't necessarily know not to buy a used HW wallet. That's the kind of knowledge that comes with experience in crypto.

You are right about that. Unfortunately, that's the mentality that people have. They can't cope with the fact that they don't know something or don't understand something, so they act before asking questions. That's why when you see people ask for help, it's usually already too late. They already made the mistake and now they are asking if what they did was wrong. Getting to the point of understanding that with crypto there is no going back after you click that send button will take a very long time.

Quote from: The Sceptical Chymist on May 02, 2021, 10:03:23 AM

And hey, maybe OP is right and I haven't learned as much as I think by continuing to trust wallets like Ledger. I would never rule that out entirely.

OP mentioned Trezor a few times and all hardware wallets in general, but the brand is not important right now. On what basis is he accusing hardware wallet producers of inserting Trojans and other malware. I would love to see some examples where Trezor or Ledger stole money from a hardware wallet.

20kevin20

legendary

Activity: 1134

Merit: 1597

Quote from: btc-room101 on April 27, 2021, 09:33:10 PM

Hardware Wallet is a joke, how do you really know its doing what you think? How can you trust the company.

Interesting point of view, but in the end this question you asked will be continuously repeated. How do you really know the wallet is doing what you think? Replace "wallet" with private server, Tor, CoinJoin etc and you'll find out there still has to be a relationship of trust no matter what you try and do. Unless you support just open-source stuff and inspect every single line of code of the apps you use and physically/technically inspect the hardware components, you still have to trust something in some way.

If you generate the privkey using dice, it is 100% safe and random until you insert it into a wallet. And then, how do you know the wallet you've installed isn't going to show you another address instead of yours so that any money you send will go to someone else while you think your cold wallet is safer than anything else? Unless you've checked the code behind the software, there's no such assurance.

The Sceptical Chymist

legendary

Activity: 3234

Merit: 6706

Proudly Cycling Merits for Foxpup

Quote from: btc-room101 on April 27, 2021, 09:33:10 PM

Like you already KNOW, if you use an online/mobile-phone wallet, and use their private-key generated, then you have already lost your money.

I appreciate your strict paranoia, OP, but I've used both and never lost any funds--so that statement above isn't quite true. It certainly could turn out to be true for some wallets, and I think that's a lot of people's fears, but I don't think either a mobile or online wallet has yet turned out to be a full-out scam (except for the imitation wallets you mentioned on places like Google Play).

I guess I'm old school and still feel like there's always some trust involved between people when it comes to money--and yes, I still use the banking system. Do I like the fact that Ledger's code is closed-source? No, not really. Do I think they're going to pull off a massive exit scam with all the funds on everyone's Ledger wallets? No. No I don't. So sue me if I still have some trust in companies like them.

Quote from: Pmalek on May 02, 2021, 04:36:48 AM

That's why you don't buy hardware wallets on Ebay or from Nigerian princes. You buy them from the official websites only or an approved resellers.

This is solid advice, but a newbie wouldn't necessarily know not to buy a used HW wallet. That's the kind of knowledge that comes with experience in crypto. And hey, maybe OP is right and I haven't learned as much as I think by continuing to trust wallets like Ledger. I would never rule that out entirely.

Topic: HW Wallets & SW Wallets are a Scam - They & Exchanges are Main Theft Vector (Read 312 times)