
Topic: Open source wallet and closed source wallet discussion (Read 539 times)

legendary
Activity: 2842
Merit: 7333
Crypto Swap Exchange
But depending on what kind of personal data is collected/stolen, there are a few obvious giveaways such as asking for lots of permissions on your Android/iOS device. And usually it's not impossible since it can be revealed with a network traffic tool (such as Wireshark).
I am not sure if a wallet application asks for permission to track your transactions.

When I say permission, I mean permission at the OS level. Here are a few examples:


Source: https://www.howtogeek.com/211623/how-to-manage-app-permissions-on-your-iphone-or-ipad/


Source: http://arstechnica.com/gadgets/2015/05/android-m-dev-preview-launches-permission-controls-fingerprint-api-and-more/

For example,

--snip--

Is there a way to check that your node is the only "server" that receives transactions, or is it only one of many, with others being malicious surveillance servers that attempt to deanonymize you?

--snip--

Advanced/power users could use a tool such as Wireshark to find out, but everyone else is forced to trust the application or ask someone to perform an audit.
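
The check discussed in this post (does the wallet talk only to your own node?), as an added example that is not part of the original thread: a Python sketch that audits destination records exported from a traffic capture. The CSV layout, the addresses and the `audit_egress` name are assumptions constructed for illustration.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample (documentation-range addresses): destinations one wallet
# app contacted during a capture, with bytes sent by the device per flow.
SAMPLE_FLOWS = """dst_ip,dst_port,bytes_out
203.0.113.10,50002,18234
203.0.113.10,50002,912
198.51.100.77,443,4410
2001:db8::5,443,655
198.51.100.77,443,120
192.0.2.53,53,88
not-an-ip,443,10
"""

def _endpoint(ip, port):
    # ipaddress normalises spellings, so 2001:0db8::5 equals 2001:db8::5.
    return (ipaddress.ip_address(ip.strip()), int(port))

def audit_egress(flow_csv, own_node, allowed=()):
    """Return (unexpected, malformed): per-destination flow and byte totals
    for endpoints that are neither own_node nor in allowed, plus the number
    of rows that could not be parsed (reported, not silently dropped)."""
    expected = {_endpoint(*own_node)} | {_endpoint(*a) for a in allowed}
    unexpected = defaultdict(lambda: {"flows": 0, "bytes": 0})
    malformed = 0
    for row in csv.DictReader(io.StringIO(flow_csv)):
        try:
            dst = _endpoint(row["dst_ip"], row["dst_port"])
            sent = int(row["bytes_out"])
        except (ValueError, TypeError, AttributeError, KeyError):
            malformed += 1
            continue
        if dst not in expected:
            unexpected[dst]["flows"] += 1
            unexpected[dst]["bytes"] += sent
    report = {(str(ip), port): s for (ip, port), s in unexpected.items()}
    return report, malformed

if __name__ == "__main__":
    report, malformed = audit_egress(
        SAMPLE_FLOWS,
        own_node=("203.0.113.10", 50002),   # assumed: the user's own node
        allowed=[("192.0.2.53", 53)],       # assumed: the device's DNS resolver
    )
    for (ip, port), s in sorted(report.items()):
        print(f"unexpected {ip}:{port} flows={s['flows']} bytes_out={s['bytes']}")
    print(f"malformed rows: {malformed}")
```

A destination list only shows where the app connects; the payload inside an encrypted session stays opaque, so a clean result does not prove what was sent to the node itself.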
legendary
Activity: 2842
Merit: 7333
Crypto Swap Exchange
I have no problem with closed source wallets if the developers pledge to compensate any coin that is stolen if there is a problem with the code, otherwise the security of the central platforms is considered higher than the closed source wallets.
It is not only about stealing users' coins, it is also about "stealing" users' personal data, which is very hard, if not impossible, to spot early in the case of closed-source wallets.

--snip--

But depending on what kind of personal data is collected/stolen, there are a few obvious giveaways such as asking for lots of permissions on your Android/iOS device. And usually it's not impossible since it can be revealed with a network traffic tool (such as Wireshark).
legendary
Activity: 2730
Merit: 7065
Farewell, Leo. You will be missed!
When I say permission, I mean permission at the OS level. Here are a few examples
All or some of those permissions can be manually turned off from the phone's settings menu. And then when you start an app or attempt to use a particular feature of it, your phone is going to ask you to give the app permission to perform certain actions. That's when you know what permissions are needed to complete those actions, and whether or not you can keep them turned off. For example, it might sound weird that an app needs access to your storage and you ask yourself why does it need to go through my phone's storage and what is it looking for there? But you won't be able to download and install an update for the app without it. Of course, the permission can be given when you perform the update and you revoke it straight after that.
legendary
Activity: 2310
Merit: 4313
🔐BitcoinMessage.Tools🔑
But depending on what kind of personal data is collected/stolen, there are a few obvious giveaways such as asking for lots of permissions on your Android/iOS device. And usually it's not impossible since it can be revealed with a network traffic tool (such as Wireshark).
I am not sure if a wallet application asks for permission to track your transactions. That is the major concern with closed-source software: you're unable to verify that it actually does what it says it does. For example, you may have the option to specify and connect to your own full node to prevent collecting the information about your transactions, or rather, you make it slightly more difficult for malicious developers to collect such a piece of information because you cannot verify everything. Is there a way to check that your node is the only "server" that receives transactions, or is it only one of many, with others being malicious surveillance servers that attempt to deanonymize you? Needless to say that an application that doesn't even pretend it is legit, that is, which doesn't allow to specify a specific server is clearly malware waiting for your information.
legendary
Activity: 3402
Merit: 10424
Time will tell if the power of marketing and "first mover" can withstand the sorry shamble of rubble that Windows has quickly become.

It's not enough to just be the first one in the field, you have to make actually good stuff to convince people to stay. That's why so many people still use Apple even though they were laggards behind MS in the 80's and 90's.
I don't think that much is going to change with passage of time alone. It is evident that people are too lazy to make a change. Take web browsers for example. The closed source proprietary software called Chrome that is mining user personal info has more than 65% of the total number of users on all platforms while the far superior and open source Firefox has less than 4% (according to Wikipedia).
legendary
Activity: 1344
Merit: 6415
Farewell, Leo
Another major reason is the first mover advantage that Windows has though.
AFAIK, Linux has come with a user interface since 1992, which was a major upgrade (from CLI to GUI). I don't know how Microsoft had spread their software back then, to get advantage of their first moving position, I wasn't even born, but I know that offices did have a massive upgrade in efficiency with Microsoft Office in the 90's. It might have been late to move to a brand new OS for most managers, and perhaps a risky move too, given that Excel is just better than the LibreOffice alternative.

Bill had an impressive strategy, no doubt for that.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
The best example is Windows.
And yet, number one in usage. That's the power of marketing.
Good point. Another major reason is the first mover advantage that Windows has though. Not to mention the fact that Linux has major differences that have discouraged many regular users from making that migration.

Time will tell if the power of marketing and "first mover" can withstand the sorry shamble of rubble that Windows has quickly become.

It's not enough to just be the first one in the field, you have to make actually good stuff to convince people to stay. That's why so many people still use Apple even though they were laggards behind MS in the 80's and 90's.
legendary
Activity: 3402
Merit: 10424
The best example is Windows.
And yet, number one in usage. That's the power of marketing.
Good point. Another major reason is the first mover advantage that Windows has though. Not to mention the fact that Linux has major differences that have discouraged many regular users from making that migration.
legendary
Activity: 1344
Merit: 6415
Farewell, Leo
It is not only about stealing users' coins, it is also about "stealing" users' personal data, which is very hard, if not impossible, to spot early in the case of closed-source wallets.
Exactly, that's why I don't consider them private, SPV aside. If you don't put transparency above all, you can neither convince us you have good intentions, nor that you have coding skills, and therefore, your software can't be called secure nor private. And that's exactly what's happening with closed-source wallet software. The developers either put some backdoor, or they're just not competent enough.

The best example is Windows.
And yet, number one in usage. That's the power of marketing.
legendary
Activity: 3402
Merit: 10424
I have no problem with closed source wallets if the developers pledge to compensate any coin that is stolen if there is a problem with the code, otherwise the security of the central platforms is considered higher than the closed source wallets.
It is not only about stealing users' coins, it is also about "stealing" users' personal data, which is very hard, if not impossible, to spot early in the case of closed-source wallets. Developers of closed-source wallets may be experienced enough to avoid introducing critical bugs in their wallets, but if they behave maliciously collecting and selling the information about users' transactions to whoever pays more, you have no way to catch them red-handed because everything essential is hidden from public view. Even if they promised to compensate for all my losses, I wouldn't use their software because I wouldn't be sure if the money they offer me hadn't been earned by selling my personal information and the information of others.
The best example is Windows. It is closed source and historically all versions have had backdoors many of which were put there intentionally so that they can access your machine like the backdoors placed in Windows and used by NSA to access your webcam and a lot of other things!
It is so much easier to do something like that in a closed source cryptocurrency wallet. Especially the light wallets that depend on a centralized server to sync and use encrypted communication.
legendary
Activity: 2310
Merit: 4313
🔐BitcoinMessage.Tools🔑
I have no problem with closed source wallets if the developers pledge to compensate any coin that is stolen if there is a problem with the code, otherwise the security of the central platforms is considered higher than the closed source wallets.
It is not only about stealing users' coins, it is also about "stealing" users' personal data, which is very hard, if not impossible, to spot early in the case of closed-source wallets. Developers of closed-source wallets may be experienced enough to avoid introducing critical bugs in their wallets, but if they behave maliciously collecting and selling the information about users' transactions to whoever pays more, you have no way to catch them red-handed because everything essential is hidden from public view. Even if they promised to compensate for all my losses, I wouldn't use their software because I wouldn't be sure if the money they offer me hadn't been earned by selling my personal information and the information of others.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
We all appreciate open source wallets, they are the best around but have we ever thought that being closed source is security? If Binance Trust wallet could be a closed source maybe they did this because they don't want malicious people to find out how they run things which could make their wallet become a target?

If you can't see how things are running (coding) wouldn't that make it harder to attack such code or network?

open source says > see this is how we run things, we are transparent and we have nothing to hide

Closed source says > we don't want you to see how we run the codes, you can target us or something

It's easier to make a phishing/scam copy of an open-source wallet than a closed-source one, but if people are financially motivated enough (like NK's Lazarus Group) then they will go out of their way to make a scam clone of the closed-source wallet as well.
legendary
Activity: 2730
Merit: 7065
Farewell, Leo. You will be missed!
I have no problem with closed source wallets if the developers pledge to compensate any coin that is stolen if there is a problem with the code...
Yeah right, of course they will. Two Playboy models will deliver the lost coins in physical form on a red pillow to your doorstep. You get to pick which models.
 
The only essential difference is that in the open source wallet, bugs can be identified and fixed without anyone losing their money, but this rarely happens in closed source wallets.
No one knows what happens with closed-source wallets except what they tell us.

I found a GitHub research report from December 2020. It is not directly related to Bitcoin but open-source projects in general. The report claims that the average detection of vulnerabilities is not that good and that over 4 years can pass (on average) before certain code vulnerabilities are detected. But once they are, they are fixed in a month or so. Another interesting find is that over 80% of the bugs aren't malicious in nature, they are mostly mistakes made by the developers.

Quote
On average, vulnerabilities can go undetected for over four years in open source projects before disclosure. A fix is then usually available in just over a month, which GitHub says "indicates clear opportunities to improve vulnerability detection."

However, the majority of bugs in open source software are not malicious. Instead, 83% of the CVE alerts issued by GitHub have been caused by mistakes and human error -- although threat actors can still take advantage of them for malicious purposes.

In total, 17% of vulnerabilities are considered malicious -- such as backdoor variants -- but these triggered only 0.2% of alerts, as they are most often found in abandoned or rarely-used packages.
hero member
Activity: 882
Merit: 5814
not your keys, not your coins!
Is there such a wallet? That promises to compensate lost coins? I've never heard of something like that.
-snip-
Noncustodial wallets? Not as far as I know. It wouldn't make sense if they would do that anyway. For exchanges, I believe there are a couple of them.
Yeah, he mentioned 'closed-source wallets'; I suspect he meant closed-source, but non-custodial wallets. Something like Ledger hardware wallet, Trust Wallet or Coinomi.

Exchanges probably just have to comply with deposit insurance laws.
https://en.wikipedia.org/wiki/Deposit_insurance
staff
Activity: 3402
Merit: 6065
Is there such a wallet? That promises to compensate lost coins? I've never heard of something like that.
-snip-

Noncustodial wallets? Not as far as I know. It wouldn't make sense if they would do that anyway. For exchanges, I believe there are a couple of them.
hero member
Activity: 882
Merit: 5814
not your keys, not your coins!
I have no problem with closed source wallets if the developers pledge to compensate any coin that is stolen if there is a problem with the code, otherwise the security of the central platforms is considered higher than the closed source wallets.
Is there such a wallet? That promises to compensate lost coins? I've never heard of something like that.
Even if it does, for one, it's not good enough as pooya87 said, and also how do you enforce it?
legendary
Activity: 2212
Merit: 7064
Cashback 15%
Well because Ethereum was open source we knew from day one that the protocol is very buggy and has a lot of room for hacks like the ones you mentioned. The fact that nobody listened is their own fault so we can't really mention those breaches in this context since they were already expected.
And they keep advertising some fake decentralization now that they fully switched to Proof-of-stake model, and on top of everything they are not censorship resistant blockchain.
Ethereum is now mostly controlled by few individuals, corporations and exchanges, with 25% of their blocks being OFAC compliant, as everyone can see on website mevwatch.info.
This number is constantly growing, and it doesn't really matter anymore if they have wallets and everything else open source, when they have protocol level censorship.

Let's learn some lesson from this shitshow fiasco, and let's not allow something similar to happen with Bitcoin.

I have no problem with closed source wallets if the developers pledge to compensate any coin that is stolen if there is a problem with the code, otherwise the security of the central platforms is considered higher than the closed source wallets.
Nobody in their right mind would do that, and closed source is sadly pretty much the norm in the normie world.
legendary
Activity: 3402
Merit: 10424
I have no problem with closed source wallets if the developers pledge to compensate any coin that is stolen if there is a problem with the code, otherwise the security of the central platforms is considered higher than the closed source wallets.
The "promise" alone is not enough, having a way of enforcing that promise is what matters. Otherwise there have been many centralized exchanges (that people used as wallets) that promised their users that their funds are safe and yet when they scammed people or got hacked, they never compensated the users for their losses. Nobody could make them answer for it either.
legendary
Activity: 2464
Merit: 3548
Buy/Sell crypto at BestChange
I have no problem with closed source wallets if the developers pledge to compensate any coin that is stolen if there is a problem with the code, otherwise the security of the central platforms is considered higher than the closed source wallets.

The same applies to the open source wallet. If you have not reviewed every line or trust someone who has reviewed each line, there will be no difference between it and the closed source wallet.

The only essential difference is that in the open source wallet, bugs can be identified and fixed without anyone losing their money, but this rarely happens in closed source wallets.
legendary
Activity: 3402
Merit: 10424
But we have also seen some open-source Ethereum smart contracts being breached and hacked for reasons that could be bad code, exit scams, lack of knowledge how to secure them properly, etc. It's very important who looks at the code and tags it as verified. If I am not wrong, some hacks occurred even though the projects were called audited and secure.
Well because Ethereum was open source we knew from day one that the protocol is very buggy and has a lot of room for hacks like the ones you mentioned. The fact that nobody listened is their own fault so we can't really mention those breaches in this context since they were already expected.

The audits were also mostly fake, basically they created a business of auditing smart contracts and in the end they ended up getting paid (or bribed) to publish fake results.