Topic: Open source wallet and closed source wallet discussion - page 2. (Read 607 times)

hero member
Activity: 924
Merit: 5943
not your keys, not your coins!
If you can't see how things are running (coding) wouldn't that make it harder to attack such code or network?
That's wrong. We still see it; we need to get a binary of some sort to run after all, right?
Hackers can look at either the binary directly or its disassembly; it's possible to fuzz test a binary and do all sorts of static and dynamic program analysis.

How else do you think jailbreaks and Windows exploits are created?
legendary
Activity: 2730
Merit: 7065
If Binance Trust wallet could be a closed source maybe they did this because they don't want malicious people to find out how they run things which could make their wallet become a target?
It's possible, but it's guesswork. That could be the reason why the wallets are closed-source or because there is something there they don't want you to know about.

Closed-source is saying trust me it's good. I promise.
Open-source is saying take a look and make up your own mind. Don't trust me just because I am telling you it's good.

If you can't see how things are running (coding) wouldn't that make it harder to attack such code or network?
Yes, but the coin has two sides. You mentioned one. The other is if someone is a security expert who understands coding, they could tell the developers what to improve based on what they see in the codebase. If there is nothing to see, no one can make corrections. And attacks could still happen with or without a public codebase.     

Closed source says > we don't want you to see how we run the codes, you can target us or something
Again, it's guesswork. It can also say we don't want you to see our code because we are targeting you.

The answer is pretty simple: the most popular projects are open source and they are very secure. From Linux to Bitcoin Core and Electrum. Everyone sees "how things are run" and they are still secure.
Open-source does not mean secure by default. Although after years of testing, improving, and probably being thoroughly put under the microscope by those with bad motives, it's pretty safe to say that the brands you mentioned are all secure. But we have also seen some open-source Ethereum smart contracts being breached and hacked for reasons that could be bad code, exit scams, lack of knowledge of how to secure them properly, etc. It's very important who looks at the code and tags it as verified. If I am not wrong, some hacks occurred even though the projects were called audited and secure.
legendary
Activity: 3276
Merit: 2442
We all appreciate open source wallets, they are the best around but have we ever thought that being closed source is security? If Binance Trust wallet could be a closed source maybe they did this because they don't want malicious people to find out how they run things which could make their wallet become a target?

If you can't see how things are running (coding) wouldn't that make it harder to attack such code or network?

open source says > see this is how we run things, we are transparent and we have nothing to hide

Closed source says > we don't want you to see how we run the codes, you can target us or something

You can get scammed by either of them if you are not careful with what you are doing. However, open source will act like a safety belt in most situations, preventing the dev from doing silly stuff. With the closed-source wallets, you simply have no idea what is going on behind the scenes and this is China we are talking about. They will collect and use every piece of information about you. They may not steal your funds directly but they will find a way to make up for it.
legendary
Activity: 3472
Merit: 10611
If you can't see how things are running (coding) wouldn't that make it harder to attack such code or network?
The answer is pretty simple: the most popular projects are open source and they are very secure. From Linux to Bitcoin Core and Electrum. Everyone sees "how things are run" and they are still secure.

In some cases they only need to look like the original, and obviously the code is going to differ somewhat for the scam to occur.
They actually don't need to look like the original at all. All they need is the name.
Think about their target victims. They are either people who have never used the software before, so they already don't know what it looks like. Or they are people who want to upgrade to a newer version, in which case all the malicious software has to do is to tell them "it's a new version where the UI was changed!".

Besides it is trivial to look at the UI and create something that looks similar.
legendary
Activity: 2534
Merit: 1233
open source says > see this is how we run things, we are transparent and we have nothing to hide
This is how decentralized works on open-source coding; you can even follow the developer's progress, which means the code itself can be checked by anyone who wants to know the progress. So there is more advantage to open-source than the closed-source wallet. The reliability, security, and decentralization were open-source.

However, closed-source reduced the increase of imitator wallets or exchanges, but this isn't a problem if you know how to verify the legitimate one.
legendary
Activity: 1932
Merit: 1273
A closed-source wallet does more harm than good on many levels. Being a free and open source wallet invites those who can comprehend the code and the ones who are interested in the wallet itself, to collectively monitor how the codebase behaves. It gives them more eyes, rather than a fixed number of people that work on the closed source wallet, which is solely controlled by a centralized entity. It gives complete freedom to the users, in which it does not make sense if the underlying system (Bitcoin) itself is free and open-sourced.

And I bet a closed source wallet adds an unnecessary burden of a closed system where it is also designed with surveillance/tracking in mind. How can we be sure that the wallet key generation process is secure? What we do within the application isn't being tracked identifiably? Or simply we just don't want the generated address being "processed" as what Trust Wallet does[1].

If we take an example of the recent aftermath of closed source Slope Wallet hacks, it is not so conceivable. It seems closed source wallets add their own unnecessary complexities and even the true root causes of the vulnerability can't be conclusively identified, after conducting an audit with 2 security firms.

[1] https://trustwallet.com/privacy-policy

legendary
Activity: 1512
Merit: 7340
Farewell, Leo
That's a fallacy.

Closed-source software is nowhere close to better than reputable open-source software in terms of security. Being open-source doesn't mean more vulnerable than closed-source. Most attacks, from dynamic, which work as a black-box (push inputs, observe outputs), to static, which use pattern matches against binaries, require no source code. Even if source code is necessary for an attacker, they can use disassemblers to reverse engineer the part of the source code they want.

All in all, even if the entire source code is required, and the attacker can't reverse engineer the entire thing, revealing the source code, if reputable, can attract more defenders than attackers. If the software is not open-source, there can't be defenders. Only the centralized entity of developers that are responsible for it.

So, if somebody ever tells you this:
we don't want you to see how we run the codes, you can target us or something

You should respond to them that if they rely on closed-sourceness for their security, they are benighted. And that's before we even mention that I'm not indulged to trust a random developer's coding skills and intentions.
copper member
Activity: 2338
Merit: 4543
If you can't see how things are running (coding) wouldn't that make it harder to attack such code or network?

It might make things harder on scammers, but if they're determined enough that's just a small obstacle. Many malicious wallets aren't even that sophisticated, and in large part they don't need to be. In some cases they only need to look like the original, and obviously the code is going to differ somewhat for the scam to occur.

On the other hand, of course, is the trust issue: How do we know that a rogue employee doesn't embed some malicious code into Binance's wallet? Without being open-source, verifiable, and reproducible by the general public, something like that may take months before it's caught.

Open source is especially critical in the crypto world, where we are expected to operate without the need to trust anyone.
legendary
Activity: 2212
Merit: 7064
There should be nothing (serious) to target if everything is stored on the user's device locally. If I remember correctly, they were afraid people would create similar copies of the wallet (same design) and add malicious code to it... which by the way, is something that scammers still do.
Exactly, and they could even turn out to be very shady like the SafePal hardware wallet that is closed source, but they still used a bunch of open source code and they breached the original license they used.
Both of these wallets (SafePal and Trust Wallet) are supported by the Binance exchange, so you can understand why I don't trust both of them with their lame excuses.
I am sure they didn't build anything from scratch; they cloned and forked other code, made a few changes and then made it closed source so they could hide all the bugs in the code from the public.
staff
Activity: 3500
Merit: 6152
We all appreciate open source wallets, they are the best around but have we ever thought that being closed source is security?

There should be nothing (serious) to target if everything is stored on the user's device locally. If I remember correctly, they were afraid people would create similar copies of the wallet (same design) and add malicious code to it... which by the way, is something that scammers still do.
newbie
Activity: 18
Merit: 8
We all appreciate open source wallets, they are the best around but have we ever thought that being closed source is security? If Binance Trust wallet could be a closed source maybe they did this because they don't want malicious people to find out how they run things which could make their wallet become a target?

If you can't see how things are running (coding) wouldn't that make it harder to attack such code or network?

open source says > see this is how we run things, we are transparent and we have nothing to hide

Closed source says > we don't want you to see how we run the codes, you can target us or something