Topic: RarityCheck VIBGYOR gilded #12 swept yesterday. (Read 3976 times)

Vouched, mine are gone.

Such is the world of physicals and trusting people within a system designed for us to not need trust.

Oh well.

What gallery in Sicily?
Edit: Are you talking about the bitbolo post (above this post on main thread)
That was a post in collectibles.
We thought it’s cryptoonly  coin related event  and we wanted to bring new hole coin v2.
And meet fellow makers and discuss. And  generally since the whole situation been feeling very low and chat to people. So asked bibollo about more details of the event.
We don’t want to PR wash(no idea what that means). But we messaged now to bibollo about this post.
But we really wanted to bring the new v2 coins and show to fellow makers.

Ofcourse, in general we don’t want to hide, we want people to know that this can happen.
Also  we want to ensure that this doesn’t happen again. We want to in general make the whole thing  safer.
Hence created the mini-key generator with better entropy and asking for feedback.
And hence we are continuing this discussion to make people aware.
And also updated on the site https://crypto.raritycheck.com/vibgyor that these coins are compromised.

Edit2:
Inevitably, new makers will come in this space and we are also getting messages from other makers about what we find in our research.

About ‘multiple failures’. That’s not factually correct. In this post itself there are multiple accusations against multiple creators of bad printed key. Then the whole Yogg thing that happened last year. (Mind you in that we actually donated everyone impacted). We think buyers should know that there is a risk.

One thing interesting about the this whole situation for VIBGYOR coins is that Even now if you look at the list of coins
https://crypto.raritycheck.com/vibgyor
Not all coins are actually redeemed and some of the redeemed coins are manually redeemed by buyers.
How could that be ?

Anyways, all we are hoping is that going forward what happened with us doesn’t happen with others
And we can help some trust back into the hobby.

You're focusing on the wrong thing here. There's still a duty of due care. This is others peoples money you ended up affecting.

Your conduct is the issue. I find it particularly abhorrent that you tried to get your project into the gallery in Sicily.

This can be argued to be predatory. You have a project on your hands that you tried to PR wash to people who may not be aware of your multiple failures.

The damage you did is inexcusable. People are already weary of key makers, and for good reason. You proved them right.

We didn’t know it was compromised until the whole thing happened.
If we knew we wouldn’t even sell the coins and contact the customers immediately (which we did as soon we got to know)

Raghavsood previously reported, that the system you used to generate keys was connected to a network (the internet in this case).
This was information he received from your team:


And yet you state:


An air gapped system, by definition, should never be connected to an external network.
If you hadn't connected it to the internet, more than likely you wouldnt have used the walletgenerator website directly.
You would have downloaded the source code from github (which isnt malicious), loaded it onto a flash drive, then transferred it to the air gapped system.

It seems like you might have a different definition to what an air gapped system is?
It does not protect from all threats, but it limits the possible attack vectors when the system has never had direct contact with external networks.
It also means that all data transfers to and from the system are very intentional and should be scrutinized.


Edit:
I see here that you mention that the system was never connected to the internet:


But in earlier posts (and from raghavsood), you stated that it was:

A solicitor could argue that under UK law you've displayed negligence.

This generator was known to be compromised, which you failed to disclose to your customers.

Simply put, this has opened you up to potential litigation. Regardless of the fact that you refunded the loaded amounts.

Without an Ltd., this liability is practically unlimited to you personally.

---

Both other key makers, and clients may have a claim against you and your project now.

You really should not be making keys if the results suggest you have no idea what you are doing.

You are correct 'Build a Faraday cage' will solve the problem. But no one normally builds a Faraday cage. Right? So who will be at fault?

Right. Apologies if you felt we are arguing, just trying to make the point that no matter how secure one thinks their process is, it is possible that a mistake is made.

Yes. Correct. That is the mistake. Mistake is trusting the generator. But to us the whole process end to end was secure.

 

Don't buy printers on the black market. Get a signal jammer. Build a Faraday cage.

Arguing about impossible scenarios is pointless. If a randomly generated private key wouldn't be safe, there would be no Bitcoin.

My point is a simple Google search would have been enough to know it's compromised.

You are correct. It does take one fuckup.
But what if (hypothetically) you bought the printer and turns out printer has a sim in it that sends every single print job via cellular n/w to server.
You trusted the printer but printer itself is at fault whose fault it is?

You are correct it is impossible. Just creating a hypothetical scenario. who will be at fault?
Of course it is impossible but if it does happen Or say someone randomly writes a key and it happens to be your wallet.  Who is at fault?

Let's consider another example, we know many other creators in forums use bitaddress.org, if tomorrow turns out there was some vulnerability with that site,
and all keys are compromised, who is it at fault?

Point is to our knowledge, we followed all the steps securely.
And in fact for vigilante we did use  bitaddress.org, it's just that for VIBGYOR v1 coins we were trying a different generator and this happened. If only we could go back in time and not use walletgenerator.

It's a "weakest link" thing: all it takes is one fuckup and all other components of your security become irrelevant.

Are you seriously comparing using well-known compromised malware for key generation to something that's generally considered as being completely impossible?

It's true. The only reason keys were compromised because the key-generator itself is compromised(we weren't aware of that).
But the process of key generation was secure as we never connected any of the devices to internet.

Let's say someone brute forces(say with some quantum computer) 52 char key combinations and lands on your wallet and drains your wallet.
Who is at fault? Did you follow an insecure process or is it because the generator you used wasn't strong enough?

.... said no one ever after getting his private keys compromised.

Apologies. Yes the site was walletgenrator. ( we didn’t want to name it in last post so people don’t use it i.e. don’t give more publicity.)
Ofcourse, We always have used airgapped laptop/printer that we wipe after.
Yes, that site has weak entropy generation.

Also, we want to mention that some people have given us feedback saying we have claimed to be incompetent. Rest assured that the only incompetency we showed was in choosing the wrong key-generator(walletgenerator) for VIBGYOR coin. Of course the whole system of keygen was end to end secure.

All right, now i'm thoroughly confused.


This isn't something you're re-iterating, because you never iterated it.
You're now saying something completely different than you did originally.

If I understand you correctly, you're now claiming:
- you did not use walletgenerator.net (although you dont say what you did use)
- that you used an air gapped PC
- that you didnt do anything insecurely, it was just weak entropy generation (and it would have to be catastrophically weak to be guessable)

Hey  guys

One thing we want to re-iterate that we did not sell VIBGYOR coins with compromised private keys i.e. the process we followed was not insecure.

Just like bitaddress.org, there is another site and turns out that site is easy to be RNG attacked (it uses weak entropy generation). Not only our keys were impacted but around 2.5 BTC of other people BTC was also impacted.

So, even with air-gap PC, this happened.

We have received new stickers for VIBGYOR coins and we will update the the announcement thread with new stickers.

Thank you all for the feedback on printing. Of course we can include a sheet if needed, but as the first priority now we will do more testing to try to find the best font for this paper size. The paper and printer quality already look much better, we just need to find the right font. Will keep you updated.

We appreciate the continued support from everyone in this community, it really means a lot!

Thank you for the suggestions ChiBitCTy. We understand how full refund would be better for some, we are happy to take coins back and refund as needed. Also some of the collectors prefer to keep the coins in their collection and have asked us to reload, in which case the full refund is not necessary at all.

We apologise for previously asking people not to peel their coins without enough information. We all knew it’s best to peel the compromised VIBGYOR coins - all of them most probably. We were advising collectors not to peel the other series however. This was just advice, and of course everyone is free to decide what to do.

At the time we were too busy replying to refunds that we just didn't have the time. We sometimes hire different people for different tasks pictures, certs. But for key generation, there has been only one person involved for every single series.

If you have one of our collectibles, please don't hesitate to reach out directly, we will refund with the original sale price. And we will do as much as possible.

A FULL refund is the only legitimate way to make things right. Simply refunding load value is not legitimately “making good” on their mistakes.

I continue to see a pattern of questionable statements and back-tracking.  Imploring people to not peel their coins (I’ve been around this hobby nearly a decade and never seen any maker say this and stress this like they are.  

They state they had a team work on things, I asked who the team was, where they are located and general info on them and it was met with crickets until Mopar pressed them on this again, where they stated their is no team, it’s just them.

I’m not so sure most really know how to look for the red flags in this space, or how to spot certain patterns.  Then again most haven’t been scam busting /exposing poor practices for a decade either (doesn’t make me cool or special, just someone who found the hobby pretty early on as a long time coin collector and bitcoin advocate. cares a lot and has too much time on their hands).



Refused to address it - https://bitcointalksearch.org/topic/lealana-isolated-incident-of-coin-duplicates-2011139

This is not all.

More meets the eye than I can discuss at the moment with certain projects.  I will share anything and everything I can as soon as I can.

I really like this idea, as I did have some difficulty with the original fonts.  Luckily I had 2 coins that were loaded and reviewing the other coins keys help me determine the first one.  I wholeheartedly agree this is a help, depending on the font.

I thought you meant a separate piece of paper with the printed private key. This makes more sense, although it would be a lot better to avoid needing this altogether by using a proper font.