Author

Topic: Launched a cybersecurity bitcoin product. Looking for feedback (Read 313 times)

newbie
Activity: 4
Merit: 1
I find your service is rather unique. Although looking at pricing, it's weird it's based on total UTXOs or transactions. Someone who wish to use your service might perform consolidation to new address in order to choose cheapest pricing option. And since average user probably either don't use wallet which create signed TX without broadcasting it or know how to only create signed TX, i expect you'll need to write some tutorial or collaborate with certain wallet software.

Our pricing is based on our resource consumption for our monitoring solution. At the moment the constraint is based on number of UTXOs that needs to be monitored. We have no qualms if users prefer to do UTXO consolidation to get the cheaper option as that will free up even more resources for us to monitor.


As for tutorials, yes totally agree we’ll need to make a few. We will probably only have a limited set of wallets we recommend in the short term. Those are
- blue wallet
- sparrow
- electrum

Would definitely love to see more wallets support the ability to create a signed transaction without broadcasting.
newbie
Activity: 4
Merit: 1
Thanks for the input. I completely agree education awareness is paramount and multisig solutions definitely offer a  significant enhancement to security if implemented properly. Lucid Tactics is more so a last resort in spite of all of that.
member
Activity: 156
Merit: 13
Creating a vault using the existing Bitcoin protocol without relying on covenants is indeed a challenging task, but it's possible to implement some protective measures using multisignature (multisig) wallets and time-locked transactions. Below is simplified approach for additional security!

Multisignature Wallet: Set up a multisig wallet that requires multiple signatures (e.g., two out of three) to authorize transactions. This means that even if one set of keys is compromised, the attacker would still need access to the other set of keys to spend funds from the wallet.

Time-Locked Transactions: Implement time-locked transactions to add an extra layer of security. Time-locked transactions can only be spent after a certain period has elapsed. By setting a delay on outgoing transactions, you give yourself time to react in case of a security breach.

Emergency Recovery Transactions: Prepare emergency recovery transactions as your "countermeasures." These are additional signed transactions that you keep securely stored in a separate location, such as a safety deposit box or with a trusted friend or family member. These emergency recovery transactions can be used to reclaim your funds in case of a compromise or loss of access to your primary keys.

Regular Monitoring: Regularly monitor the activity in your wallet for any unauthorized transactions or suspicious activity. Set up alerts or notifications to notify you of any unusual behavior.

Education and Awareness: Educate yourself and others about best practices for securing Bitcoin wallets, including the importance of storing private keys securely and being vigilant against phishing attacks and malware.

It's important to note that while these measures can enhance the security of your Bitcoin holdings, they are not foolproof, and there is always some level of risk involved. Additionally, implementing these measures may require a certain level of technical expertise, so it's essential to thoroughly understand the process and seek assistance if needed. Overall, by combining multisig wallets, time-locked transactions, emergency recovery transactions, regular monitoring, and education, you can create a more resilient and secure Bitcoin storage solution without relying on covenants.
newbie
Activity: 4
Merit: 1
If I get your product right, does it try to publish a transaction that will get accepted by the network before the attacker successfully takes the money

Yes exactly. It’s a multi-pronged approach.
1. We have message propagation techniques that will get your transaction to more nodes on the network than the attacker.
2. If attacker has a higher fee than your transaction there’s a chance that your transaction will still be accepted over the attacker’s as quite a few nodes on the network will accept the first transaction that spends a given UTXO and will reject any subsequent transactions spending the same UTXO
3. If the node supports full replace by fee it will accept whichever transaction has the higher fee this is where our countermeasures come into play. We’ll detect if the attacker is spending a higher fee and will allow you to send subsequent transactions that will be higher than the attacker’s transaction. This is all at the user’s discretion so they can go as high or as low as they want


What if the attacker tried to outspend it then? What is the limit of the RBF? Will you continuously try to bump the fee?

If the attacker outspends your countermeasure there’s always a chance that it can still be accepted, but this is where the not being bullet proof portion comes in. There’s also a chance the attacker will win in this case

This also means that someone will need to store a large amount of their wealth in one wallet, which probably limits flexibility (but I guess that's not a problem if the goal is creating a cold wallet). It makes me wonder if your product is better compared to running a macro or something similar, but it is hard to trust that your product will help the average joe if they can simply learn a little bit about how to store their seeds.

If you have your bitcoin stored across various wallets to avoid having all your wealth in a single wallet that is not a problem for our service. You’ll just need to back a backup transaction for each wallet.

As for the macro piece, yes if you are sophisticated enough to build out a service like lucidtactics.com on your own definitely no need to use our service; though I wouldn’t be surprised if it would still be cheaper to use our service than to spin up your own infrastructure.

Regarding helping the average Joe learn how to use seeds that is our goal. We want to spread security awareness in the field our solution is more so a last resort if something went wrong in spite of that.



https://lucidtactics.com/blog/2022-02-27/how-lucid-tactics-leverages-the-bitcoin-protocol/

transactions in the mempool are signed transactions, and if there are any “unauthorized expenditures attempts” they will not pose a risk to your wallet (your private key) because it is not recorded on the mempool.


Thanks for the feedback. We’re toeing the line between being high level and technical here erring more so on the high level side. But happy to break down the technicals here.

We are more so targeting HODLERs with cold wallets here. Most users rarely spend funds from their cold wallet so if we ever see any of your UTXOs being spent we assume it’s a malicious transaction and activate defensive procedures.


https://lucidtactics.com/blog/2022-02-27/how-lucid-tactics-leverages-the-bitcoin-protocol/

This information is incorrect, as the speed of broadcasting your transaction will not help your transaction to get included in the next block faster, as the sat/vByte fees are what determine the priority.

We may need to write a whitepaper on this. From our testing we’ve found that message propagation does matter in a peer to peer network. There’s no guarantee that the miner that will win the block will support full RBF. In that scenario they’ll accept the first transaction spending a given UTXO and yes if your initial fee falls within their block acceptance parameters it could beat an attacker trying to spend your UTXO especially if our transaction gets to them first.

https://lucidtactics.com/blog/2022-02-27/how-lucid-tactics-leverages-the-bitcoin-protocol/

Quote
The Power of Full Replace-by-Fee (RBF)
Almost any good wallet supports RBF, and in the future, if all nodes implement full RBF, we will not need this option.

Ahh in this case we are more so referencing the nodes on the network and not the wallet portion.

While we’re on the subject of wallets and RBF from our testing we’ve noticed that quite a few wallets will actually not allow the attacker to adjust their original malicious transaction as they tend to replace it with the higher transaction they saw. This means that attackers will now need to implement some programmatic logic to steal your funds as if they were using a regular wallet it would not allow you to double spend the same UTXO



I kinda see where you are going with this. Let's take the example of the thread that are somewhere on this forum, where you post the Bitcoin address linked to your account and where you sign that address with a message saying that you are the owner of that Bitcoin address and that Bitcointalk.org account.

So, people can hack your account, but they cannot sign that Bitcoin address that you used to prove that you were the original owner of that account. (You simply sign a message again and you have solid proof that you are the owner of that account)

It is just a added layer of protection for your account.  Wink


Yes exactly!

And there’s quite a few scenarios where this extra layer is almost a must have e.g.
- hardware failure with no seed backup in place
- seed backup exposure



I find your service is rather unique. Although looking at pricing, it's weird it's based on total UTXOs or transactions. Someone who wish to use your service might perform consolidation to new address in order to choose cheapest pricing option. And since average user probably either don't use wallet which create signed TX without broadcasting it or know how to only create signed TX, i expect you'll need to write some tutorial or collaborate with certain wallet software.

Our pricing is based on our resource consumption for our monitoring solution. At the moment the constraint is based on number of UTXOs that needs to be monitored. We have no qualms if users prefer to do UTXO consolidation to get the cheaper option as that will free up even more resources for us to monitor.


As for tutorials, yes totally agree we’ll need to make a few. We will probably only have a limited set of wallets we recommend in the short term. Those are
- blue wallet
- sparrow
- electrum

Would definitely love to see more wallets support the ability to create a signed transaction without broadcasting.
legendary
Activity: 2870
Merit: 7490
Crypto Swap Exchange
I find your service is rather unique. Although looking at pricing, it's weird it's based on total UTXOs or transactions. Someone who wish to use your service might perform consolidation to new address in order to choose cheapest pricing option. And since average user probably either don't use wallet which create signed TX without broadcasting it or know how to only create signed TX, i expect you'll need to write some tutorial or collaborate with certain wallet software.
legendary
Activity: 3542
Merit: 1965
Leading Crypto Sports Betting & Casino Platform
I kinda see where you are going with this. Let's take the example of the thread that are somewhere on this forum, where you post the Bitcoin address linked to your account and where you sign that address with a message saying that you are the owner of that Bitcoin address and that Bitcointalk.org account.

So, people can hack your account, but they cannot sign that Bitcoin address that you used to prove that you were the original owner of that account. (You simply sign a message again and you have solid proof that you are the owner of that account)

It is just a added layer of protection for your account.  Wink
hero member
Activity: 630
Merit: 510
https://lucidtactics.com/blog/2022-02-27/how-lucid-tactics-leverages-the-bitcoin-protocol/

Quote
The first line of defense involves vigilant monitoring of the mempool, the repository of unconfirmed transactions. Lucid Tactics keeps a watchful eye, identifying and flagging any transactions that appear malicious – those unauthorized expenditures attempting to siphon funds from your wallet.
transactions in the mempool are signed transactions, and if there are any “unauthorized expenditures attempts” they will not pose a risk to your wallet (your private key) because it is not recorded on the mempool.

Quote
Rapid dissemination is crucial, especially considering that many nodes accept the first transaction spending a known Unspent Transaction Output (UTXO).
This information is incorrect, as the speed of broadcasting your transaction will not help your transaction to get included in the next block faster, as the sat/vByte fees are what determine the priority.

Quote
The Power of Full Replace-by-Fee (RBF)
Almost any good wallet supports RBF, and in the future, if all nodes implement full RBF, we will not need this option.
legendary
Activity: 2254
Merit: 2003
A Bitcoiner chooses. A slave obeys.
It is not full proof but definitely a layer of defense for the everyday individual

If your idea is not fool proof then it will not be used as any weakness will be identified and exploited quickly.  

Quote
Step 5
If your transaction’s fee was higher than the attacker’s the network should accept your transaction

If you want people to pay for this, offer some sort of guarantee on the funds you are protecting.   If a person does everything you require, and they lose coins, do you cover those loses?  If not, why are they paying for a broken service?



I agree.

Also, 'green' tech is not going to impress anyone. Working on it longer and improving it further is a better idea than introducing it too early and having it not only fail but also cost people who use it their money. It just takes time, patience, and diligence, like anything else. Nobody cared about owning personal computers when they could do semi-useful things as most families did not need a giant, extremely expensive machine that could calculate their taxes. But now they are relatively cheap, and we can do many things with them. Take your time and improve the flaws in your idea.

legendary
Activity: 3346
Merit: 3130
I watched the video, and looks like you avoided the thief by doing a double spend, but i don't understand why you have to make manually that second transaction. It would be nice if your service sent the second transaction in auto, but I see a problem here. The second transaction should always have a bigger fee than the first one, other ways miners could give priority to the 1st one.

And maybe it would be better if you offered this as software and not as a service, maybe big companies would be interested in it.

legendary
Activity: 2170
Merit: 1789
If I get your product right, does it try to publish a transaction that will get accepted by the network before the attacker successfully takes the money? What if the attacker tried to outspend it then? What is the limit of the RBF? Will you continuously try to bump the fee? This also means that someone will need to store a large amount of their wealth in one wallet, which probably limits flexibility (but I guess that's not a problem if the goal is creating a cold wallet). It makes me wonder if your product is better compared to running a macro or something similar, but it is hard to trust that your product will help the average joe if they can simply learn a little bit about how to store their seeds.
newbie
Activity: 4
Merit: 1
I’m just being honest in regards to it not being bullet proof. Think about antivirus or a home security system; they work, but against a very motivated attacker not so much.

I don’t see a home security or antivirus company ever offering a guarantee you’ll never get a virus or that the world’s greatest thief could not beat their home security system.

What we’re offering is akin to that. An extra layer of defense that you can implement in the worst case scenario. It raises the bar for an attacker trying to steal your funds. We stack the probabilities heavily in your favor, whereas without this service your odds of protection drops to 0 if your keys are somehow compromised.

Imagine if you got a family member to invest a lot into bitcoin but they aren’t the most technically competent. Or perhaps they are technically competent but decide to keep their keys in their home and are robbed.

We want to lower the bar for protecting your wallet in the case it is compromised. The technicals are there and folks can easily test the service out on the testnet and do their own audit to verify that it works as advertised.

Vod
legendary
Activity: 3668
Merit: 3010
Licking my boob since 1970
It is not full proof but definitely a layer of defense for the everyday individual

If your idea is not fool proof then it will not be used as any weakness will be identified and exploited quickly.   

Quote
Step 5
If your transaction’s fee was higher than the attacker’s the network should accept your transaction

If you want people to pay for this, offer some sort of guarantee on the funds you are protecting.   If a person does everything you require, and they lose coins, do you cover those loses?  If not, why are they paying for a broken service?
newbie
Activity: 4
Merit: 1
Hello.

Given that covenants aren’t accepted into the protocol I wanted to find a way to create a vault using the existing bitcoin protocol. The goal is to protect your wallet if somehow you accidentally expose your keys. I’m also looking to make this concept easy for the every day Bitcoin user who might not be technical.

The approach?

You provide a signed transaction; with optional ‘countermeasures’.

A countermeasure is additional signed transactions you provide that can thwart semi motivated attackers. It is not full proof but definitely a layer of defense for the everyday individual and even the technical individual as well as building a system like mine might be a costly endeavor to under take.

The countermeasures feature is a paid feature but you can try it out on the testnet for free here.
https://defender.lucidtactics.com/public-defender

I wrote a high level blog post talking about additional measures I take here
https://lucidtactics.com/blog/2022-02-27/how-lucid-tactics-leverages-the-bitcoin-protocol/

I also have a video of it working here:
https://lucidtactics.com/howitworks/
Jump to: