
Topic: RarityCheck VIBGYOR gilded #12 swept yesterday. (Read 3976 times)

member
Activity: 366
Merit: 29
Vouched, mine are gone.

Such is the world of physicals and trusting people within a system designed for us to not need trust.

Oh well.
copper member
Activity: 577
Merit: 171
You're focusing on the wrong thing here. There's still a duty of due care. This is other people's money you ended up affecting.

Your conduct is the issue. I find it particularly abhorrent that you tried to get your project into the gallery in Sicily.

This can be argued to be predatory. You have a project on your hands that you tried to PR wash to people who may not be aware of your multiple failures.

The damage you did is inexcusable. People are already weary of key makers, and for good reason. You proved them right.


What gallery in Sicily?
Edit: Are you talking about the bitbolo post (above this post on main thread)?
That was a post in collectibles.
We thought it’s a crypto-only coin related event and we wanted to bring new hole coin v2.
And meet fellow makers and discuss. And generally since the whole situation been feeling very low and chat to people. So asked bibollo about more details of the event.
We don’t want to PR wash (no idea what that means). But we messaged now to bibollo about this post.
But we really wanted to bring the new v2 coins and show to fellow makers.

Of course, in general we don’t want to hide, we want people to know that this can happen.
Also we want to ensure that this doesn’t happen again. We want to in general make the whole thing safer.
Hence created the mini-key generator with better entropy and asking for feedback.
And hence we are continuing this discussion to make people aware.
And also updated on the site https://crypto.raritycheck.com/vibgyor that these coins are compromised.

Edit2:
Inevitably, new makers will come in this space and we are also getting messages from other makers about what we find in our research.

About ‘multiple failures’. That’s not factually correct. In this post itself there are multiple accusations against multiple creators of bad printed key. Then the whole Yogg thing that happened last year. (Mind you in that we actually donated everyone impacted). We think buyers should know that there is a risk.

One thing interesting about this whole situation for VIBGYOR coins is that even now if you look at the list of coins
https://crypto.raritycheck.com/vibgyor
Not all coins are actually redeemed and some of the redeemed coins are manually redeemed by buyers.
How could that be?

Anyways, all we are hoping is that going forward what happened with us doesn’t happen with others
And we can help some trust back into the hobby.
hero member
Activity: 722
Merit: 1027
You're focusing on the wrong thing here. There's still a duty of due care. This is other people's money you ended up affecting.

Your conduct is the issue. I find it particularly abhorrent that you tried to get your project into the gallery in Sicily.

This can be argued to be predatory. You have a project on your hands that you tried to PR wash to people who may not be aware of your multiple failures.

The damage you did is inexcusable. People are already weary of key makers, and for good reason. You proved them right.



copper member
Activity: 577
Merit: 171
A solicitor could argue that under UK law you've displayed negligence.

This generator was known to be compromised, which you failed to disclose to your customers.

Simply put, this has opened you up to potential litigation. Regardless of the fact that you refunded the loaded amounts.
 

We didn’t know it was compromised until the whole thing happened.
If we knew we wouldn’t even sell the coins and contact the customers immediately (which we did as soon as we got to know)




member
Activity: 149
Merit: 16
Raghavsood previously reported, that the system you used to generate keys was connected to a network (the internet in this case).
This was information he received from your team:

Based on a discussion I had with the team separately earlier today, they opened the website on the computer, before removing the internet connection and generating the keys.

And yet you state:

Of course, we always have used airgapped laptop/printer that we wipe after.

An air gapped system, by definition, should never be connected to an external network.
If you hadn't connected it to the internet, more than likely you wouldn't have used the walletgenerator website directly.
You would have downloaded the source code from GitHub (which isn't malicious), loaded it onto a flash drive, then transferred it to the air gapped system.

It seems like you might have a different definition to what an air gapped system is?
It does not protect from all threats, but it limits the possible attack vectors when the system has never had direct contact with external networks.
It also means that all data transfers to and from the system are very intentional and should be scrutinized.


Edit:
I see here that you mention that the system was never connected to the internet:

It's true. The only reason keys were compromised is because the key-generator itself is compromised (we weren't aware of that).
But the process of key generation was secure as we never connected any of the devices to internet.

But in earlier posts (and from raghavsood), you stated that it was:

Hi Raghav

We know you are trying to help and we will answer your questions.
But please note that most of the team are software engineers in their day job and the only mistake in this whole process is that we truly blindly trusted a compromised software.

We think the wallet generator either has a back door or someone has done an RNG attack

How we created the keys were we connected the computer via lab cable to the internet to download the client side site from walletgenerator and then disconnected the cable
No hardware (printer) was connected to wifi.

All hardware is wiped (windows uninstalled and hard disk wiped) after usage.

About dates that is the main reason why we took some time. After I reached home after my day job I started looking at my personal device to check historically when was the first time I was researching on key gen software and looking at all sales thread and when exactly it could be that we created the keys.
But unfortunately as we have no back up of any kind it is impossible to tell exactly. But we feel it might be between July and November 2022.
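
Added example, not part of any post in this thread and not code from any project named here: one way to scrutinize a transfer onto an offline machine, as the post above describes, is to hash the reviewed source tree on the online machine and compare it with the copy that arrives on the flash drive. The file names and the tampered sample are constructed for illustration, and the reviewed manifest is assumed to reach the offline machine by a separate route (for example, written down).

```python
import hashlib
import os
import tempfile


def build_manifest(root):
    """Map each file path (relative to root) to its SHA-256 hex digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            manifest[rel] = digest.hexdigest()
    return manifest


def compare(reviewed, transferred):
    """Report every difference between the reviewed tree and the transferred copy."""
    return {
        "modified": sorted(p for p in reviewed
                           if p in transferred and reviewed[p] != transferred[p]),
        "missing": sorted(p for p in reviewed if p not in transferred),
        "unexpected": sorted(p for p in transferred if p not in reviewed),
    }


def safe_to_use(report):
    """Only an empty report means the copy matches what was reviewed."""
    return not any(report.values())


def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed sample: a reviewed tree and a flash-drive copy that differs."""
    with tempfile.TemporaryDirectory() as tmp:
        reviewed = os.path.join(tmp, "reviewed")
        copy = os.path.join(tmp, "usb_copy")
        for root in (reviewed, copy):
            _write(root, "index.html", b"<html>generator page</html>")
            _write(root, "src/rng.js", b"// seeds from crypto.getRandomValues\n")
        # Constructed differences: one altered file and one file nobody reviewed.
        _write(copy, "src/rng.js", b"// seeds from a fixed value\n")
        _write(copy, "src/extra.js", b"// not in the reviewed tree\n")
        return compare(build_manifest(reviewed), build_manifest(copy))


if __name__ == "__main__":
    report = demo()
    print(report)
    print("safe to use:", safe_to_use(report))
```

A matching manifest only shows that the offline copy is the code that was reviewed; it says nothing about whether that code generates keys with enough entropy.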
hero member
Activity: 722
Merit: 1027
A solicitor could argue that under UK law you've displayed negligence.

This generator was known to be compromised, which you failed to disclose to your customers.

Simply put, this has opened you up to potential litigation. Regardless of the fact that you refunded the loaded amounts.

Without an Ltd., this liability is practically unlimited to you personally.

---

Both other key makers, and clients may have a claim against you and your project now.

You really should not be making keys if the results suggest you have no idea what you are doing.
copper member
Activity: 577
Merit: 171
But what if (hypothetically) you bought the printer and turns out printer has a sim in it that sends every single print job via cellular n/w to server.
Don't buy printers on the black market. Get a signal jammer. Build a Faraday cage.
You are correct 'Build a Faraday cage' will solve the problem. But no one normally builds a Faraday cage. Right? So who will be at fault?

Quote
Quote
Of course it is impossible but if it does happen Or say someone randomly writes a key and it happens to be your wallet.  Who is at fault?
Arguing about impossible scenarios is pointless. If a randomly generated private key wouldn't be safe, there would be no Bitcoin.
Right. Apologies if you felt we are arguing, just trying to make the point that no matter how secure one thinks their process is, it is possible that a mistake is made.

Quote
Quote
Point is to our knowledge, we followed all the steps securely.
My point is a simple Google search would have been enough to know it's compromised.
Yes. Correct. That is the mistake. Mistake is trusting the generator. But to us the whole process end to end was secure.

 
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
But what if (hypothetically) you bought the printer and turns out printer has a sim in it that sends every single print job via cellular n/w to server.
Don't buy printers on the black market. Get a signal jammer. Build a Faraday cage.

Quote
Of course it is impossible but if it does happen Or say someone randomly writes a key and it happens to be your wallet.  Who is at fault?
Arguing about impossible scenarios is pointless. If a randomly generated private key wouldn't be safe, there would be no Bitcoin.

Quote
Point is to our knowledge, we followed all the steps securely.
My point is a simple Google search would have been enough to know it's compromised.
copper member
Activity: 577
Merit: 171
It's a "weakest link" thing: all it takes is one fuckup and all other components of your security become irrelevant.
You are correct. It does take one fuckup.
But what if (hypothetically) you bought the printer and turns out printer has a sim in it that sends every single print job via cellular n/w to server.
You trusted the printer but printer itself is at fault whose fault it is?

Are you seriously comparing using well-known compromised malware for key generation to something that's generally considered as being completely impossible?
You are correct it is impossible. Just creating a hypothetical scenario. who will be at fault?
Of course it is impossible but if it does happen Or say someone randomly writes a key and it happens to be your wallet.  Who is at fault?

Let's consider another example, we know many other creators in forums use bitaddress.org, if tomorrow turns out there was some vulnerability with that site,
and all keys are compromised, who is it at fault?

Point is to our knowledge, we followed all the steps securely.
And in fact for vigilante we did use  bitaddress.org, it's just that for VIBGYOR v1 coins we were trying a different generator and this happened. If only we could go back in time and not use walletgenerator.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
The only reason keys were compromised is because the key-generator itself is compromised (we weren't aware of that).
But the process of key generation was secure as we never connected any of the devices to internet.
It's a "weakest link" thing: all it takes is one fuckup and all other components of your security become irrelevant.

Quote
Let's say someone brute forces(say with some quantum computer) 52 char key combinations and lands on your wallet and drains your wallet.
Who is at fault? Did you follow an insecure process or is it because the generator you used wasn't strong enough?
Are you seriously comparing using well-known compromised malware for key generation to something that's generally considered as being completely impossible?
copper member
Activity: 577
Merit: 171
Of course the whole system of keygen was end to end secure.
.... said no one ever after getting his private keys compromised.

It's true. The only reason keys were compromised is because the key-generator itself is compromised (we weren't aware of that).
But the process of key generation was secure as we never connected any of the devices to internet.

Let's say someone brute forces(say with some quantum computer) 52 char key combinations and lands on your wallet and drains your wallet.
Who is at fault? Did you follow an insecure process or is it because the generator you used wasn't strong enough?
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
Of course the whole system of keygen was end to end secure.
.... said no one ever after getting his private keys compromised.
copper member
Activity: 577
Merit: 171
Apologies. Yes the site was walletgenerator. (We didn’t want to name it in last post so people don’t use it i.e. don’t give more publicity.)
Of course, we always have used airgapped laptop/printer that we wipe after.
Yes, that site has weak entropy generation.

Also, we want to mention that some people have given us feedback saying we have claimed to be incompetent. Rest assured that the only incompetency we showed was in choosing the wrong key-generator (walletgenerator) for VIBGYOR coin. Of course the whole system of keygen was end to end secure.
member
Activity: 149
Merit: 16
All right, now I'm thoroughly confused.

One thing we want to re-iterate that we did not sell VIBGYOR coins with compromised private keys i.e. the process we followed was not insecure.

This isn't something you're re-iterating, because you never iterated it.
You're now saying something completely different than you did originally.

If I understand you correctly, you're now claiming:
- you did not use walletgenerator.net (although you don't say what you did use)
- that you used an air gapped PC
- that you didn't do anything insecurely, it was just weak entropy generation (and it would have to be catastrophically weak to be guessable)
copper member
Activity: 577
Merit: 171
Hey guys

One thing we want to re-iterate that we did not sell VIBGYOR coins with compromised private keys i.e. the process we followed was not insecure.

Just like bitaddress.org, there is another site and turns out that site is easy to be RNG attacked (it uses weak entropy generation). Not only our keys were impacted but around 2.5 BTC of other people BTC was also impacted.

So, even with air-gap PC, this happened.

We have received new stickers for VIBGYOR coins and we will update the announcement thread with new stickers.


copper member
Activity: 577
Merit: 171
Thank you all for the feedback on printing. Of course we can include a sheet if needed, but as the first priority now we will do more testing to try to find the best font for this paper size. The paper and printer quality already look much better, we just need to find the right font. Will keep you updated.

We appreciate the continued support from everyone in this community, it really means a lot!
copper member
Activity: 577
Merit: 171
Aren’t there some lealana’s with shitty font and disappearing ink? But he rose above and people still buy his stuff even with about the shittiest customer service out there.

Either way - I hope RC learns and comes back better. Offer some DIY versions to take care of the people who want it.

He’s made some awesome coins. The enamel work is pretty damn good. Batman coin and these V series were very high quality work. Keys were lacking, obviously. Who here has been more affected than RC?

I dunno. I’ve been scammed and rug pulled - zero people stood up, owned their mistakes, refunded people out of their own pocket and yet the one person that does just continues to get shitted on.

We are all human. If you don’t want to trust his keys then don’t, but this is 1000% Better than Coldscam, 1hodlclub missing funding issues, lealanas missing addresses, and btc penny owing people product and loans.

You would think people would cut the guy a little slack or at least not publicly talk shit on someone that is holding themselves accountable and making amends as best they can.

You will need to show proof of better key printing tho, plus outline your process or subcontract it out I don’t know but I’m not gonna kick a guy that’s down and trying to do the right thing

A FULL refund is the only legitimate way to make things right. Simply refunding load value is not legitimately “making good” on their mistakes.

I continue to see a pattern of questionable statements and back-tracking. Imploring people to not peel their coins (I’ve been around this hobby nearly a decade and never seen any maker say this and stress this like they are).

They state they had a team work on things, I asked who the team was, where they are located and general info on them and it was met with crickets until Mopar pressed them on this again, where they stated there is no team, it’s just them.

I’m not so sure most really know how to look for the red flags in this space, or how to spot certain patterns.  Then again most haven’t been scam busting /exposing poor practices for a decade either (doesn’t make me cool or special, just someone who found the hobby pretty early on as a long time coin collector and bitcoin advocate. cares a lot and has too much time on their hands).
 


Thank you for the suggestions ChiBitCTy. We understand how full refund would be better for some, we are happy to take coins back and refund as needed. Also some of the collectors prefer to keep the coins in their collection and have asked us to reload, in which case the full refund is not necessary at all.

We apologise for previously asking people not to peel their coins without enough information. We all knew it’s best to peel the compromised VIBGYOR coins - all of them most probably. We were advising collectors not to peel the other series however. This was just advice, and of course everyone is free to decide what to do.

At the time we were too busy replying to refunds that we just didn't have the time. We sometimes hire different people for different tasks pictures, certs. But for key generation, there has been only one person involved for every single series.

If you have one of our collectibles, please don't hesitate to reach out directly, we will refund with the original sale price. And we will do as much as possible.
legendary
Activity: 2282
Merit: 3014
Aren’t there some lealana’s with shitty font and disappearing ink? But he rose above and people still buy his stuff even with about the shittiest customer service out there.

Either way - I hope RC learns and comes back better. Offer some DIY versions to take care of the people who want it.

He’s made some awesome coins. The enamel work is pretty damn good. Batman coin and these V series were very high quality work. Keys were lacking, obviously. Who here has been more affected than RC?

I dunno. I’ve been scammed and rug pulled - zero people stood up, owned their mistakes, refunded people out of their own pocket and yet the one person that does just continues to get shitted on.

We are all human. If you don’t want to trust his keys then don’t, but this is 1000% Better than Coldscam, 1hodlclub missing funding issues, lealanas missing addresses, and btc penny owing people product and loans.

You would think people would cut the guy a little slack or at least not publicly talk shit on someone that is holding themselves accountable and making amends as best they can.

You will need to show proof of better key printing tho, plus outline your process or subcontract it out I don’t know but I’m not gonna kick a guy that’s down and trying to do the right thing

A FULL refund is the only legitimate way to make things right. Simply refunding load value is not legitimately “making good” on their mistakes.

I continue to see a pattern of questionable statements and back-tracking. Imploring people to not peel their coins (I’ve been around this hobby nearly a decade and never seen any maker say this and stress this like they are).

They state they had a team work on things, I asked who the team was, where they are located and general info on them and it was met with crickets until Mopar pressed them on this again, where they stated there is no team, it’s just them.

I’m not so sure most really know how to look for the red flags in this space, or how to spot certain patterns.  Then again most haven’t been scam busting /exposing poor practices for a decade either (doesn’t make me cool or special, just someone who found the hobby pretty early on as a long time coin collector and bitcoin advocate. cares a lot and has too much time on their hands).



What is up with the Lealana? Never heard of an issue. I know when I bought he sent me a list and I funded the coins.
Did something change?


-Dave

Refused to address it - https://bitcointalksearch.org/topic/lealana-isolated-incident-of-coin-duplicates-2011139

This is not all.

More meets the eye than I can discuss at the moment with certain projects.  I will share anything and everything I can as soon as I can.

full member
Activity: 436
Merit: 132

Hi Loyce,

In this situation, some users struggled to read their private keys due to the font used on the coins. I propose including a decoding sheet with each coin sold.

Here’s the idea:

- Include a sheet of paper with every coin, featuring an alphabetical and numeric list.
- The font used on this sheet matches the font used on the private keys.
- If a coin-holder has difficulty reading the private key, they can use this decoding sheet to help interpret the letters and numbers.

This would minimize the need for users to seek help on forums or share pictures of their private keys for decoding.

I really like this idea, as I did have some difficulty with the original fonts. Luckily I had 2 coins that were loaded and reviewing the other coins' keys helped me determine the first one. I wholeheartedly agree this is a help, depending on the font.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
- Include a sheet of paper with every coin, featuring an alphabetical and numeric list.
- The font used on this sheet matches the font used on the private keys.
- If a coin-holder has difficulty reading the private key, they can use this decoding sheet to help interpret the letters and numbers.
I thought you meant a separate piece of paper with the printed private key. This makes more sense, although it would be a lot better to avoid needing this altogether by using a proper font.