
Topic: Some thoughts about wallets. Random thoughts from Dave. (Read 460 times)

legendary
Activity: 3500
Merit: 6320
I'm not saying leave real amounts of BTC there.

Although I agree with your argument, the critical and most important thing to note is that we're talking about mobile wallets, which are only as secure as your ability to prevent your phone from being lost, stolen, or unlocked.  Any mobile wallet should be considered the same as having cash in your pocket. If you can't afford to lose your leather wallet and $20 cash, don't have more than $20 worth of BTC in your mobile wallet.


Taking that to the next step. Should be, any "hot wallet" that is not securely encrypted with a very safe encrypted backup.

It's nice that I have a PC in my house with a full node on it that has BTC on it.
It's secure in the fact that it's an Intel NUC ( https://www.intel.com/content/www/us/en/products/boards-kits/nuc/mini-pcs/nuc7i3bnhxf.html ) that unless you know where it is even if you rob the place you are probably not going to find it.
It's secure in the fact that it has a somewhat complex password on it that with current computing power and BTC price it's going to cost more to crack it than it's worth.
I have a backup of the wallet.dat file in a secure location with some other documents and recovery stuff.

But to say it's REALLY secure is a stretch. It's secure enough that if it does get stolen I am out more for the cost of the unit and the drive than the BTC I have on it if they do manage to actually crack the password before I get to the secure location and move it.

If my leather wallet with $20 gets stolen then I am out the cost of the wallet and the $20.

If my phone gets stolen then I am out the cost of the phone.
Because I have the recovery words someplace safe and the phone is pin / fingerprint protected and the wallets are both password / fingerprint protected and I can remote wipe the phone.

The security of the phone and PC are both moot however, if we go back to the original thought of what happens if the wallet software itself is compromised.

So multiple layers people. Hardware signing only for wallets with large amounts, cold properly created offline wallets for storage and hope that the hot wallets we use day to day with non critical amounts are properly written.

-Dave
legendary
Activity: 3472
Merit: 10611
Don't trust Binance. They can do shotgun-KYC, and hold your withdrawal anytime they want.
You can withdraw up to 2 BTC each day from Binance without verifying your identity.

that's the problem with centralized exchanges, they can do whatever they want. of course when they "promise" not to ask for KYC for below 2 BTC they stick to that promise most of the time but there are always cases where they simply break that promise!
for instance Bittrex which was the number one exchange before Binance was promising not to want KYC at all for old accounts and not change that rule. then overnight they changed that rule and blocked all accounts that hadn't completed KYC verification and also banned half a dozen countries from accessing their website and stole the balance of every user from those countries.
copper member
Activity: 2184
Merit: 4241
I'm not saying leave real amounts of BTC there.

Although I agree with your argument, the critical and most important thing to note is that we're talking about mobile wallets, which are only as secure as your ability to prevent your phone from being lost, stolen, or unlocked.  Any mobile wallet should be considered the same as having cash in your pocket.  If you can't afford to lose your leather wallet and $20 cash, don't have more than $20 worth of BTC in your mobile wallet.

legendary
Activity: 2730
Merit: 7065
Don't trust Binance. They can do shotgun-KYC, and hold your withdrawal anytime they want.
You can withdraw up to 2 BTC each day from Binance without verifying your identity. Have there been incidents where they have held user funds without reasonable grounds? They are on top of my list and I don't think they would damage their reputation just like that.
legendary
Activity: 2898
Merit: 1823


You should teach everyone. Please open a new topic about your method, and which services you use. I believe avoiding KYC has become its own art form. Hahaha.


I'll consider that sometime, but there's no big secret to it. There are more and more on ramps for fiat now than ever before - P2P trading locally, P2P on this forum, decentralized exchanges (I generally use BISQ), ATMs, and so forth. I have little interest in most altcoins, but the couple that I do buy, again I simply trade peer-to-peer. There are also plenty of centralized exchanges such as Binance which will let you trade altcoins without KYC.


Don't trust Binance. They can do shotgun-KYC, and hold your withdrawal anytime they want.

I want to see your guide for P2P trading plus BISQ done efficiently.
legendary
Activity: 2268
Merit: 18588
it is about how long they have been there, how many issues and fixes have there been and how many people have had a chance to inspect the code.
But all that becomes irrelevant whenever an update is published. Taking the example that I discussed in a previous post, the Copay wallet is open source and has been on GitHub for 5 years. It has 75 contributors and over 16 thousand commits. Even then, malicious code managed to be introduced without people noticing for a short period of time.

I would never download a piece of software just because it is open source but it got released 2 days ago.
Precisely, but you need to apply that same logic to all updates of existing software, and not just new software. Open source is only good if you ensure the code you are downloading matches the code that is published, and the code that is published is thoroughly vetted prior to you downloading it. Allowing automatic updates of anything that is pushed defeats the whole point.
legendary
Activity: 2730
Merit: 7065
let me add an additional thought. when it comes to wallets and being open source i have seen some beginners think that just having a github link means they are open source. but unfortunately it is becoming a common scam method where the hacker releases the compiled malicious wallet on github and tries fooling beginners into thinking it is safe.
It is not about if a wallet is open source and on GitHub, it is about how long they have been there, how many issues and fixes have there been and how many people have had a chance to inspect the code. I would never download a piece of software just because it is open source but it got released 2 days ago.
legendary
Activity: 2114
Merit: 1292
There is trouble abrewing
Release a genuine wallet, have the auditors examine it and state that it's all clear, become evil, keep updating as normal for a while, maybe have a second all clear audit performed to build even more trust, release a malicious update, steal coins.

it is worth keeping in mind that risks aren't just about security and having your coins stolen. the bigger risk is user privacy being invaded. a closed source wallet may not be stealing your coins but it can easily gather all kinds of information from your wallet and sell that!
for example Windows is closed source and Microsoft is not stealing your money but it is obviously gathering a lot of information by invading your privacy and abusing that.
legendary
Activity: 2268
Merit: 18588
Do you trust it more or less than say Mycelium?
Probably less.

For starters, an exchange is almost certainly going to release a custodial web wallet as opposed to a non-custodial wallet, so it's an immediate fail for me on that front.

However, assuming we are talking about it releasing a non-custodial wallet similar to Mycelium or Electrum, my answer is still probably less, for the exact reasons you have stated in your previous post. Release a genuine wallet, have the auditors examine it and state that it's all clear, become evil, keep updating as normal for a while, maybe have a second all clear audit performed to build even more trust, release a malicious update, steal coins.

I appreciate the above is also possible if you auto-update open source wallets without checking the code first, but at least with open source, checking the code is possible.



You should teach everyone. Please open a new topic about your method, and which services you use. I believe avoiding KYC has become its own art form. Hahaha.
I'll consider that sometime, but there's no big secret to it. There are more and more on ramps for fiat now than ever before - P2P trading locally, P2P on this forum, decentralized exchanges (I generally use BISQ), ATMs, and so forth. I have little interest in most altcoins, but the couple that I do buy, again I simply trade peer-to-peer. There are also plenty of centralized exchanges such as Binance which will let you trade altcoins without KYC.
legendary
Activity: 2898
Merit: 1823


I know that it is sometimes impossible not to go through it, especially in times of necessity.


Don't want to go too far off topic here, but it's entirely possible not to go through it. I've never completed KYC for any bitcoin or crypto exchange, service, third party, what have you, and I have absolutely no trouble interacting with the bitcoin ecosystem. In fact, I would wager that I use bitcoin more often than the average person, spending it both online and in person on actual goods or services several times each week.


You should teach everyone. Please open a new topic about your method, and which services you use. I believe avoiding KYC has become its own art form. Hahaha.
legendary
Activity: 3500
Merit: 6320
Something similar happened last year with the Copay wallet: https://www.coindesk.com/fake-developer-sneaks-malicious-code-into-bitpays-copay-wallet. Copay is open source, but a malicious third party obtained control over a JavaScript library dependency and it was pulled in to Copay updates without anyone realizing.

I forgot about that. I know last week there was the discussion about the malicious Python libraries https://bitcointalksearch.org/topic/two-malicious-python-libraries-caught-stealing-ssh-and-gpg-keys-5206906
Makes you wonder what else is lurking out there.

Sure, but how can you prove the closed source wallet has 2 levels of review on a secure PC if not without trust?

You can't because most places will not. BUT let's put this hypothetical out there.
Take a well regulated exchange. Since Gemini is taken let's call it Aires.
Aires is in NY so they have all the NY and USA regulators looking at everything they do. They decide all the wallets out there are crap so they release their own.
They have auditors give a list of all the security processes but at the end of the day it's still closed source.
Do you trust it more or less than say Mycelium?

Now, if you don't auto update and wait for people to review the code before compiling yourself that is a different story.
I don't, and I don't think anyone should. I don't feel comfortable giving any app, program, or software the ability to automatically download and execute code on my devices.

That is very rare, most people just set it and forget it.

-Dave
legendary
Activity: 2114
Merit: 1292
There is trouble abrewing
let me add an additional thought. when it comes to wallets and being open source i have seen some beginners think that just having a github link means they are open source. but unfortunately it is becoming a common scam method where the hacker releases the compiled malicious wallet on github and tries fooling beginners into thinking it is safe.
legendary
Activity: 2268
Merit: 18588
But, unless someone is checking every build that gets released to the play store vs what is in github in somewhat real time it is as I said a false security for most people.
Oh absolutely. I think the Google and Apple app stores give people a lot of false security, not just in terms of apps matching their open source code, but also apps not spying on them, being outright malicious or malware, invasive permission, faulty, and so on. The criteria for being published on the stores is very minimal, and no one should assume something that has been published has been vetted or that automatically makes it safe or trustworthy.

Which is safer? A closed source wallet that has 2 levels of review and a separate PC in a secure area of a data center for uploading OR an open source one where the main developer has every password saved on his laptop that they leave in their car so they can work in the coffee shop where they connect to the open WiFi?
Sure, but how can you prove the closed source wallet has 2 levels of review on a secure PC if not without trust?

Now, if you don't auto update and wait for people to review the code before compiling yourself that is a different story.
I don't, and I don't think anyone should. I don't feel comfortable giving any app, program, or software the ability to automatically download and execute code on my devices.

Step 1 develop new wallet
Step 2 publish code and release app.
Step 3 update on a regular basis
Step 4 become evil
Step 5 keep updating as normal
Step 6 repeat #5 for a while
Step 7 release an update that steals coins to the app store / play store
Step 8 Run with the BTC
Something similar happened last year with the Copay wallet: https://www.coindesk.com/fake-developer-sneaks-malicious-code-into-bitpays-copay-wallet. Copay is open source, but a malicious third party obtained control over a JavaScript library dependency and it was pulled in to Copay updates without anyone realizing.

But, saying that open source is better or more secure that is really pushing it. It lets you find bugs / security issues quicker. It does not make it more secure. Unless you can verify the whole process.
I never said open source was automatically better, but it is better than closed source if you evaluate and verify the code before installing or updating. If you do this, then your point about it being edited from a coffee shop is moot. It doesn't really matter where the code was edited or who edited it if you are going to check it all first.

What we should be telling people IMO is "Over time open source things have had better security but you cannot always rely on that fact. Use separate hardware wallets when possible and don't store life altering amounts of coin in a hot wallet"
Agree with this.
legendary
Activity: 3500
Merit: 6320
Regardless what other people said, being open-source or partially open-source should be an important aspect when looking for a Bitcoin wallet.
I agree. I also like to think of being open-source as decentralizing trust. If you don't have the ability or time as DaveF points out to review the code yourself, at least if it is open source then other people can and will flag up any issues. With a closed source wallet I have to trust the developer(s). With an open source wallet I can decentralize that trust from a single person or small team to an entire community.

But, unless someone is checking every build that gets released to the play store vs what is in github in somewhat real time it is as I said a false security for most people.

As I said above, do you know who has the access to push the apk to the play store? Do you know what access and security controls they have to that PC that they upload the file from? Do you know what kind of internal reviews exist to make sure all code is internally reviewed? Oh, and can you prove all of the above?

Which is safer? A closed source wallet that has 2 levels of review and a separate PC in a secure area of a data center for uploading OR an open source one where the main developer has every password saved on his laptop that they leave in their car so they can work in the coffee shop where they connect to the open WiFi?

Now, if you don't auto update and wait for people to review the code before compiling yourself that is a different story. But if you have your phone / tablet do the normal daily checks for updates then everything above is moot. 

Step 1 develop new wallet
Step 2 publish code and release app.
Step 3 update on a regular basis
Step 4 become evil
Step 5 keep updating as normal
Step 6 repeat #5 for a while
Step 7 release an update that steals coins to the app store / play store
Step 8 Run with the BTC

Yes you have to trust some people at some times, that is just a fact. But, saying that open source is better or more secure that is really pushing it. It lets you find bugs / security issues quicker. It does not make it more secure. Unless you can verify the whole process.

What we should be telling people IMO is "Over time open source things have had better security but you cannot always rely on that fact. Use separate hardware wallets when possible and don't store life altering amounts of coin in a hot wallet"

https://blog.sucuri.net/2016/03/when-wordpress-plugin-goes-bad.html

As someone who deals with it likes to say to me:
"When the PCI compliance (Payment Card Industry) audit comes remember to answer truthfully. They ask you if you store customers credit card information on your computer, and you don't. They don't ask you if you have that information on post it notes stuck to the wall in the warehouse so you don't need to tell them that."

-Dave
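
The check raised in the post above, comparing the build published to the store with what is in the public repository, written out as an added example (not code from any poster in this thread or from any wallet project). It assumes the app builds reproducibly, so a local build of the tagged source should match the store APK entry for entry apart from the signing files under META-INF/; the archives and file contents below are constructed sample data.

```python
import hashlib
import io
import zipfile

# Signing files legitimately differ between a store build and a local rebuild.
SIGNING_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF", "/MANIFEST.MF")


def is_signing_entry(name):
    upper = name.upper()
    return upper.startswith("META-INF/") and upper.endswith(SIGNING_SUFFIXES)


def entry_digests(archive_bytes):
    """Map each non-signing entry to the SHA-256 of its uncompressed content."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or is_signing_entry(info.filename):
                continue
            if info.filename in digests:
                # Two entries with one name can hide content from a reviewer.
                raise ValueError(f"duplicate entry: {info.filename}")
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_builds(published, rebuilt):
    """Report every entry that differs between the two archives."""
    a, b = entry_digests(published), entry_digests(rebuilt)
    return {
        "only_in_published": sorted(a.keys() - b.keys()),
        "only_in_rebuilt": sorted(b.keys() - a.keys()),
        "content_differs": sorted(n for n in a.keys() & b.keys() if a[n] != b[n]),
    }


def builds_match(report):
    return not any(report.values())


def make_archive(files):
    """Build a zip in memory (stands in for an APK in this example)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample data: a rebuild from source and two "store" builds.
SOURCE_FILES = {
    "AndroidManifest.xml": b"<manifest/>",
    "classes.dex": b"wallet code v1.2",
    "res/layout/main.xml": b"<layout/>",
}
STORE_SIGNING = {
    "META-INF/CERT.RSA": b"store signature",
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0",
}
REBUILT_APK = make_archive(SOURCE_FILES)
CLEAN_STORE_APK = make_archive({**SOURCE_FILES, **STORE_SIGNING})
TAMPERED_STORE_APK = make_archive({
    **SOURCE_FILES,
    **STORE_SIGNING,
    "classes.dex": b"wallet code v1.2 plus unreviewed change",
    "assets/extra.bin": b"not present in the source tree",
})

if __name__ == "__main__":
    for label, apk in (("clean", CLEAN_STORE_APK), ("tampered", TAMPERED_STORE_APK)):
        report = compare_builds(apk, REBUILT_APK)
        print(label, "MATCH" if builds_match(report) else f"MISMATCH {report}")
```

Anything listed in the report is content in the published build that the reviewed source does not account for; the comparison says that the two differ, not why.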

legendary
Activity: 2268
Merit: 18588
Regardless what other people said, being open-source or partially open-source should be an important aspect when looking for a Bitcoin wallet.
I agree. I also like to think of being open-source as decentralizing trust. If you don't have the ability or time as DaveF points out to review the code yourself, at least if it is open source then other people can and will flag up any issues. With a closed source wallet I have to trust the developer(s). With an open source wallet I can decentralize that trust from a single person or small team to an entire community.



I know that it is sometimes impossible not to go through it, especially in times of necessity.
Don't want to go too far off topic here, but it's entirely possible not to go through it. I've never completed KYC for any bitcoin or crypto exchange, service, third party, what have you, and I have absolutely no trouble interacting with the bitcoin ecosystem. In fact, I would wager that I use bitcoin more often than the average person, spending it both online and in person on actual goods or services several times each week.
legendary
Activity: 2898
Merit: 1823
Fair point you made, and I just commented elsewhere about Coinbase BUT it's worth noting that insurance and a contact number don't mean squat if the customer service is unhelpful and the insurance doesn't pay out.

I tell a lot of people the reason I don't have everything in BTC is because I'm hedging my risk. My fiat may lose value over time, but it also gains interest (so somewhat slows down devaluation) AND is fully insured for free by my government. YES, there is a chance they'll renege that promise, but they haven't yet.

Same why I tell people regulations could be a good thing for traders and speculators. Thanks to MtGox now all licenced exchanges in Japan MUST cover customer deposits with insurance. Hard to beat that kind of protection.

Like you said, until we all know better about coding and shit, we should practice typical security and safety. Don't put it all in one basket. And try and choose baskets that are better protected/insured.


It's not a fair point. The ones who are "OK" with KYC/AML are probably the people who forgot about one of the reasons why cryptography, Bitcoin, exists. A path to socio-political change of the system. A system that tells you that you are a "criminal" unless you go through KYC/AML.

I know that it is sometimes impossible not to go through it, especially in times of necessity. But we should not forget.
legendary
Activity: 2870
Merit: 7490
Regardless what other people said, being open-source or partially open-source should be an important aspect when looking for a Bitcoin wallet.
People should remember that Bitcoin and most P2P protocols (Tor, BitTorrent, BitTorrent's DHT etc.) were only able to succeed because they are open-source.
legendary
Activity: 2842
Merit: 3536
Fair point you made, and I just commented elsewhere about Coinbase BUT it's worth noting that insurance and a contact number don't mean squat if the customer service is unhelpful and the insurance doesn't pay out.

I tell a lot of people the reason I don't have everything in BTC is because I'm hedging my risk. My fiat may lose value over time, but it also gains interest (so somewhat slows down devaluation) AND is fully insured for free by my government. YES, there is a chance they'll renege that promise, but they haven't yet.

Same why I tell people regulations could be a good thing for traders and speculators. Thanks to MtGox now all licenced exchanges in Japan MUST cover customer deposits with insurance. Hard to beat that kind of protection.

Like you said, until we all know better about coding and shit, we should practice typical security and safety. Don't put it all in one basket. And try and choose baskets that are better protected/insured.
legendary
Activity: 2506
Merit: 3645
Nothing is completely safe, risks are what makes things valuable.
You can download 33 wallets to get some altcoins (you must download 33 open-source wallets, which many verified.)
If it is difficult, you have to sacrifice some security to easily download one wallet with one recovery seed.


On the other hand, web wallets are not bad, especially with small amounts that require the use of more than one device in more than one place.

The essential thing is to know and understand all the words before downloading any wallet. For example: Before a period I was using greenaddress and I did not understand the meaning of multi-sig, which faced me a lot when I wanted to extract the private keys.
legendary
Activity: 2268
Merit: 18588
phones & PCs are not that secure by themselves at the end of the day
if we don't look at things in black and white (100% safe or 100% scam) then we can see that there is a big range of possibilities between being safe and being completely risky.
I think this is the bottom line. There is no set up in the world which is 100% secure. There is a quote I like from Gene Spafford which goes as follows:

Quote from: Gene Spafford
The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts.

Similarly, there is no wallet which is truly secure. Every wallet carries a risk, and every wallet involves trusting a third party at some point of the process. All we can do is evaluate how big that risk is for each wallet, and try to choose the ones with the smallest amount of risk.

Web wallets require a huge amount of trust. You have to trust the company running it (and everyone in that company) to not have written malicious or sloppy code, to not try to steal your coins, to not collaborate with an attacker, to have good security practices, to be storing your coins securely, and so on. You need to trust your web browser, your OS, your ISP, and so forth to not try to steal your login details, log your key presses, direct you to a phishing page, MITM attack you, not be infected with malware, and so on.

On the other end of the spectrum, a fully air-gapped machine or paper wallet, is much safer, but is it 100% trustless? Did you generate your own entropy? Did you evaluate the program you used to turn that entropy in to a seed, private keys, public keys, and addresses? What about the hardware it is being run on? What about the software on the printer you used to print it out? The chances of losing your coins to something like this are minuscule, but never 0%, hence the quote from Gene Spafford.

Having said all that, I use every type of wallet except web wallets. I appreciate that each has a different risk profile, and I store appropriate amounts of money in each. The amounts stored are inversely related to the safety and risk profile of each wallet: Large amounts in air-gapped and paper wallets, medium amounts in a hardware wallet, small amounts on a desktop and mobile wallet.