Topic: HW Wallets & SW Wallets are a Scam - They & Exchanges are Main Theft Vector (Read 312 times)

But we're supposed to "trust" the word of an internet rando who has provided no proof of their claims or cited any sources to backup the quite serious allegations they're making regarding the integrity of software wallets, hardware wallets and exchanges??!?

#irony

Would you like to get these answers? Would you really want to respond you that same way? If you're trying to convince someone, at least, provide some arguments. So, from the whole post I wrote you, you answered that the majority of HW & SW wallets are created by scammers. Not a surprise you aren't taken seriously from this community.

As for the wallets, I highly disagree if we're talking about the open-source ones.

I believe that there's a difference between trusting your device and trusting its RNG. For example, if you roll your dices and derive your addresses like so, you do know that it was a completely random choice of entropy. You can try it on other devices too to confirm that your main device won't “betray” you. But, if you do this with the RNG, you have no proof of your randomness.

@btc-room101
You are welcome to back up your claims with some proof, but based on your post history and trust ratings on Bitcointalk, you wont and you can't. Trusting any service blindly isn't recommended and I don't think there is anyone who wouldn't agree with you on that. But baseless claims like the ones you are bringing to the table have no value.

You should stop posting multiple posts in a row and reply to the users you want to reply to in just one post. Use the "Insert Quote" button for that. 

32 pairs of dice rolls provides 165bits of entropy, OK fair enough. That assumes the user throws the dice in a manner that negates any possible bias from the design of the dice or the way the user selects the number of throws it.

Most of the desktop wallets either sources the entropy from dev/urandom or OpenSSL. There is no pre-determined seeds from either of those sources as it gathers entropy on the go. If you do not trust the entropy generated by your kernel, then you shouldn't trust the device that you're using.

It's been proven that most hw&sw wallets and exchanges are run by scammers.

The entire premise of bitcoin was trustless, or trust no one, now your saying 'gotta trust somebody'?

Hell no.

All SW & HW can & is compromised, hell the US Gov largely demands backdoors in all tech.

Throw the dice 32 pairs, right down the sequence of digits,  has far more entropy, than a deterministic random number with a known seed; A generated random-number, can always be determined by those who wrote the software, they knew the seed, they can generate all possible outcomes, and then later check the generated-keys for balance.

With dice, nobody can ever guess or know what I rolled.

You are right but when using this method you are spreading the "trust" among multiple sources that you know have no chance of coordinating with each other to scam you. So yes the risks are significantly reduced because the chances of all your sources being wrong or malicious is practically zero.

I bolded parts of your post because you confirmed that there has to be trust somewhere, by it a friend or another source you consider to be trustworthy. You are trusting your friend and the medium of storage (the floppy disk). I also bolded mitigate and reduce because they are the correct terms for this topic. The risk is not eliminated entirely. it's reduced or alleviated by a certain/significant degree.     

That is why the Web of Trust concept was created. You mitigate the risk of seeing a compromised key by asking other sources whom you already trust to sign the key for you. For example it could be a friend(s) that you know in real life that you receive their PGP public key on a floppy disk
That way you are reducing the risk of having an impostor's key by getting the real key from multiple sources that you could trust.

And one more thing. It's recommended to verify the signatures of the applications you use. What do you need for that? You need the public key or the public key fingerprint of the developer and signer. Where do you get that? You copy/paste or download it from online sources.

Since you have to trust someone or something, you are trusting those sources not to have been compromised. If you can't do that, get the public keys directly from the signer. But can you be 100% sure you are getting them from the real person and not an imposter? If you start thinking that way, you'll keep walking in circles and realize you have to start trusting something and somewhere.   

They're not.
Debatable. To any newbies, don't go throw your 6 sided dice 32 times and expect to not get hacked. That is not sufficient entropy. Humans are mostly worse than computers at generating anything with sufficient entropy and considering that you've been preaching about your magical private key cracker, I would think that you would have emphasize for people to generate their keys with more entropy

---

I believe the rest has been addressed enough. Your paranoia is unfounded; Trezor gives you the full schematics to build your own, so does ColdCard and various other HW wallet operators. You can just as easily supply your own entropy to them or use your own generated seed. If you cannot trust any wallets, then I really don't see how you're going to use Bitcoin at all.

The given replies are more than enough to convince the newcomers that you can't really trust no one. If the project is closed-source, you have to trust the developers. If it's open-source, along with your coding skills, you have to trust that the developers haven't hidden anything malicious. Besides that, you have to trust your operating system, whether if it's open or closed-source for the reasons above AND the programs you've installed. You also have to trust that the people from the place or the factory you bought your computer didn't have any intends to weaken your RNG.

But, I'd like to focus on the title of this thread:

How can you state that SW and HW are scams, if you haven't proved that they, indeed, steal people's money? I do get your paranoia, but just like you can't know if they will steal your money, you can't prove the opposite. So saying that they're “scams” is rather misinforming. As said above, you can't really trust no one, but you can reduce the people you'll have to trust. Is it the same to trust the developers of the application, the programs of your computer, your operating system and your RNG strength compared with *just* your coding skills? Knowing that the software/firmware is open-source is a strong letter of guarantee.

Do you trust less on a bank?

Oh I know what tinfoil hat means.
https://mashable.com/article/tin-foil-hats-def-con-hackers/

Paranoid tinfoil hat nut-job does not mean fudding troll.

I was making the point that responding to him is just feeding the troll.
As I said I have him on ignore but since others, who I know are not 100% not trolls and usually don't respond to them were responding I popped in for a look.

-Dave

Did anyone take a look at the OPs feedback?
https://bitcointalk.org/index.php?action=trust;u=2038954

Or how about some of the threads they started?:

https://bitcointalksearch.org/topic/bitcoin-wasnt-created-to-make-you-rich-it-was-created-to-enslave-u-track-u-5333252
https://bitcointalksearch.org/topic/at-75-dogecoin-will-be-more-valuable-than-btc-5332176
https://bitcointalksearch.org/topic/gold-in-the-hand-versus-chinese-bitcoin-in-the-bush-which-has-real-value-5332842

Just a Fudding troll. I have him on ignore, no idea why I even clicked in here, but be aware of what they are saying elsewhere before wasting more of your time replying to him.

-Dave

Yours is more like a selected paranoia. You appear to be paranoid about some things and not others. For example how are you paranoid about software wallets calling them scams and not an offline python tool that converts your randomly dice generated private key to public key and address? You definitely can't do that conversion by hand and can't write the code yourself. Heck why trust python or even your computer?

Perhaps you might like one of these to go along with your dice rolled, paper, metal engraved, WIF, seed mnemonic, tattoo on your foot (I kind of lost track of what you were actually recommending as the best way to create/store a key)


https://mcphee.com/products/tin-foil-hat

You are right about that. Unfortunately, that's the mentality that people have. They can't cope with the fact that they don't know something or don't understand something, so they act before asking questions. That's why when you see people ask for help, it's usually already too late. They already made the mistake and now they are asking if what they did was wrong. Getting to the point of understanding that with crypto there is no going back after you click that send button will take a very long time.

OP mentioned Trezor a few times and all hardware wallets in general, but the brand is not important right now. On what basis is he accusing hardware wallet producers of inserting Trojans and other malware. I would love to see some examples where Trezor or Ledger stole money from a hardware wallet.

Interesting point of view, but in the end this question you asked will be continuously repeated. How do you really know the wallet is doing what you think? Replace "wallet" with private server, Tor, CoinJoin etc and you'll find out there still has to be a relationship of trust no matter what you try and do. Unless you support just open-source stuff and inspect every single line of code of the apps you use and physically/technically inspect the hardware components, you still have to trust something in some way.

If you generate the privkey using dice, it is 100% safe and random until you insert it into a wallet. And then, how do you know the wallet you've installed isn't going to show you another address instead of yours so that any money you send will go to someone else while you think your cold wallet is safer than anything else? Unless you've checked the code behind the software, there's no such assurance.

I appreciate your strict paranoia, OP, but I've used both and never lost any funds--so that statement above isn't quite true.  It certainly could turn out to be true for some wallets, and I think that's a lot of people's fears, but I don't think either a mobile or online wallet has yet turned out to be a full-out scam (except for the imitation wallets you mentioned on places like Google Play).

I guess I'm old school and still feel like there's always some trust involved between people when it comes to money--and yes, I still use the banking system.  Do I like the fact that Ledger's code is closed-source?  No, not really.  Do I think they're going to pull off a massive exit scam with all the funds on everyone's Ledger wallets?  No.  No I don't.  So sue me if I still have some trust in companies like them.

This is solid advice, but a newbie wouldn't necessarily know not to buy a used HW wallet.  That's the kind of knowledge that comes with experience in crypto.  And hey, maybe OP is right and I haven't learned as much as I think by continuing to trust wallets like Ledger.  I would never rule that out entirely.

Source: https://xkcd.com/285/

P.S. bad design doesn't mean it's scam

That's why you don't buy hardware wallets on Ebay or from Nigerian princes. You buy them from the official websites only or an approved resellers.

Again, this problem goes away when you purchase such devices from the manufacturer and not from a cheap Chinese online store. Since when do Trezor wallets have scratch-off keys? You are not supposed to trust or use a wallet that comes pre-installed. If it comes with a filled out seed phrase or a seed phrase is being suggested to you, it's a scam.

You don't trust the company. You verify what it does yourself. You trust the fact that the software is open-source. If you are a coder, feel free to check it yourself. Since it's open source, you can be rest assured that it has been thoroughly inspected by a lot of people. If you can't do the verification yourself, you have to trust someone at some point, so you are right about that. The fact that the company has been around for many years and people aren't losing their coins in the way you described, shows that the wallet is doing what it was designed to.

Why have my coins not been swept yet or the coins of 100s of other hardware wallet users on this forum? I wonder what the developers are waiting for?

And whose fault is that? Are you saying Trezor is at fault because fraudsters are cloning and selling their wallets? If you purchase a fake Rolex from the heroin-addict living on your street, should Rolex be held responsible?

People shouldn't try to memorize their seeds, use brain wallets, or try to generate their own words randomly. The words we chose aren't random and any injury to the head and loss of memory can result in forgetting the seed and losing access to your coins.

But they told me that HW wallets were "Safer than Gold"

Private key wallets are usually at risk of being hacked, but hardware wallets are completely risk-free, so many large investors have turned their attention from software wallets to hardware wallets.

There are more 'fake' "Trezor Wallets" coming out of China, that there are 'fake' Apple Store, and iPhones; and that's a lot. In China, the people who work at the Apple stores don't even know they're not working for Apple, and its the same for the Trezor Universe.

U might trust Trezor as much as the baby-jeebuz, but its irrelevant, unless you bought your 'Trezor' in person from the CEO at the Company, and even then he probably doesn't know if its a real device. Often these things are fabricated by the 100's of 1,000's in China on contract, and the rejects that fail 'test' are thrown in a bin and sold for cheap, then end up in Nigeria where they're resold on ebay

Lot's of ways to scam the hw-wallet, the big one is the fake scratch-off key, the second is to have pre-determinstic random numbers, say you generate 1M random keys from a seed, then you send out the Trezor clones, now you have a database, and you scan all the addresses, on the mining-pool of BTC, when you see an address from your pre-deterministic database of priv-key/address-map on bloom-filter in real time, you 'sweep', or even better you flag and have a human watch&wait until big money appears on that address.


Wallet Software is dangerous, free trojan horses.

Hardware Wallet is a joke, how do you really know its doing what you think? How can you trust the company.

Why have so many addresses you have ONE for your serious, like the big-miners, you see they have one address with 150k btc's

You have a few addresses for junk stuff

You run your own bitcoin full-node, your own electrum-server  if you wish to make lots of addresses, you use coin-join, if you wish to do your own mixing

...

Everything is offline. Get a couple of dice, say roll the 32 times and write down the numbers, then enter the numbers on an offline laptop, that is virgin, no web-browser, sort of like the hive-model, virgin clean no chance of malware. You run "KU" for python bitcoin/pycoin, ku will take the generated random number and generate your WIF, you write that WIF down. Your done. You engrave that WIF on some metal, and put it away. If you want more special private-keys, do this again.

Now you have a private-key, on the same offline virgin, when you ran KU to get your WIF, you also got all the address formats, right now the one you with to use, comp, uncomp, bc up to you Your done.

Your PRIV-KEY has never seen the internet, your PRIV-KEY is hard saved permanently. You tell nobody, ever. Your security is 100%. NOTHING no random generator on earth can better the dice rolls, as all computers do pseudo-random generation.

Given that you have your own private full-node, and electrum server, you run the wallet software, so it only connects to your server internally, use TOR if you wish. Nobody on earth can connect your IP, to that address, I'm saying you have imported your secret priv-key into this private wallet node. This just be for coin-joining or mixing internally to save coins; You can always create throwaway addresses, bringing in new funds, but you can mix them back to your secret address.

Of course once you have gone to the trouble of making a 'super-priv-key' you never share it with COINBASE, or sweep using a wallet, you never use mobile-wallets, unless you fund toy-accounts for pocket money

...

All wallet software online is a scam. All wallets on mobile's is a scam. The only safe wallet is on your own private wallet-server, that nobody can see what your doing. If you can't afford to lose it, don't use it with public domain software.

Most hardware wallets are a scam. Either they give you rub-off key, which they sweep your funds later, or the hw-wallet has a serial number where they can later activate malware, why would anyone think that companys making wallets are safe? It only takes 1-2 dishonest employees in cahoots with a Nigerian OP, to destroy a company. Hell anybody that gets into any wallet hw or sw is not to be trusted free or not.

At least with your own node you can monitor 'call 2 home', and prevent malware

...

In summary making a super-secure private key is easy, just roll a few dice a few times. Keeping that private-key off of the computer, and off of the internet is the secret. Running your own wallet-server is most important of all to make sure NOBODY associates your high-value address with your geo-ip

What in the hell is a paper-wallet Paper is where you do your scratch work rather than on a computer, storage of your magic number is up to you, hell grind it into the bottom of your desk with a drill

'wallets' are 100% bullshit hw or sw, running your own BTC full-node, you can do your own transaction 100% anonymous

All exchanges are either ran by the GOV, or criminal in nature.


Private key wallets are usually at risk of being hacked, but hardware wallets are completely risk-free, so many large investors have turned their attention from software wallets to hardware wallets.

10's of 1,000's of people have been robbed by buying cheap trezor clones online from ebay

Over $2Billion USD lost every year from BTC theft, but its a dirty little secret

hw-wallets are USB devices, the easiest thing in the world for NSA to hack is USB devices, these days lots of malware out there to scan, super easy to get into a device read-only dump the memory, and decrypt it later

but most hw-wallets use the ebay scam, where a scratch off key is included in the package, and of course as soon as you use the wallet with that key, your funds are swept by a 3rd party

but even making your own key isn't safe, because all wallets hw or sw are trojan horses

original btc design didn't even have 'wallets', it came later by criminals and exchanges and governments




Its not that the paper is wrong, but the idea of printing the private key on it is very dangerous. Thankfully they were replaced with seed words which are better.

In short, its the modern, safer version of it. Private keys should never be handled directly.

Seed words require a dictionary to map those words to a 12 bit digit, typically 12 or 24 seed words, what a pain in the ass. Not all sw even uses the same software mapping. This crap was invented by the same dildo that brought you 'brain-wallets', another scam that caused people to lose millions

Just roll two dice 3 dozen times writing down each pair of digts, and your done. U have your numeric private-key. Convert to WIF format offline secure, and tattoo that on bottom of foot. Done.

WIF is typcially about 28 characters, easy to write down.

I think memorizing 12 or 24 words in an order is as dangerous as 'brain wallets', people are constantly forgetting the order, or one word, read the net, not a day goes by somebody messes up and loses all their btc forever

Just convert the numeric key to a WIF, and write on system using a permanent marking system, welding rod if you wish, or plasma-ionic rifle, bury it with your gold, so know its in a safe place.

Why pick on paper, there are scrolls laying around with old ink 10's of 1,000's of years; going to last longer than you, especially if stored in dry place. Like a PVC gun tube, where you keep your gold buried.

Most of the time when people first start BTC they don't know what they're doing, they go online and get an 'address' and never backup that priv-key, then years go by they think their rich, and then when they go to spend their btc ( cuz they hodl ), they find out they don't have the key, or the password to the wallet; So many gimmicks and pitfalls in BTC to lose your money




A mnemonic seed wallet has many advantages - you only need pen and paper to make it, it creates a full wallet with as many addresses as you need, as well as change addresses, and you can even memorize the seed to additionally store it in your head.


Why indeed? Because most people can't remember where they left their car keys ten minutes ago.

Write it down, or lose it.


On Ethereum they tell you they intend to reduce eth  live holdings, to increase price, on btc they can count on people being stupid to reduce active addresses. Lost coins, means price goes up. By Design. More theft price, goes up; by design.

Like you already KNOW, if you use an online/mobile-phone wallet, and  use their private-key generated, then you have already lost your money.