Topic: Square is considering making a hardware wallet for Bitcoin - page 10. (Read 4002 times)

legendary
Activity: 3500
Merit: 6320
A new breach of customer data and this time it happened back in December. I wonder how many other hardware and crypto companies have been hacked but are keeping it a secret.

Or even worse, how many don't know due to poor procedures & policies?
Secrets may and probably will eventually leak. If nobody ever knows about it......

At least we haven't seen the data being sold somewhere. I guess they got to him in time.

Or it was sold but nothing has been done with it yet.
Just out there 'fermenting' till we all forget about it because the next breach has happened.

-Dave

legendary
Activity: 2730
Merit: 7065
A new breach of customer data and this time it happened back in December. I wonder how many other hardware and crypto companies have been hacked but are keeping it a secret. It's getting to a point where you should consider that your personal data has been leaked unless proven otherwise.

So the ex-employee has client names, portfolio values, payment information, and social security numbers. Wonderful. At least we haven't seen the data being sold somewhere. I guess they got to him in time.
legendary
Activity: 2268
Merit: 18711
After a mad few days at work I was just winding down for the weekend and then you hit me with this? Consider my jimmies rustled. Tongue

But yeah, it's a bad look. 8.2 million customers being contacted four months after the event. Any data breach is bad obviously, but not informing customers for four months is unforgivable. That's four months to have the data shared and sold, four months to have accounts hacked, four months to be targeted for hacks and scams, four months for fraud to be committed in your name. Customers should be informed immediately so they can take proactive steps to protect themselves, such as password changes and credit monitoring/freezing.

Quote
Block refused to answer our questions about why a former employee still had access to this data, and for how long they retained access after their employment at the company had ended.
Well, I'd certainly feel safe having my "hardware" wallet rely on servers run by a company which forgets to terminate the accounts or permissions of ex-employees. Roll Eyes
legendary
Activity: 3500
Merit: 6320
I can hear @o_e_l_e_o crying about the lack of privacy with all of this.
I'm going to need you to start trigger warning posts like this! Tongue

Here is your warning, do not read below this line :-)

Block / CashApp data breach:

https://techcrunch.com/2022/04/05/block-cash-app-data-breach/

Quote
Block has confirmed a data breach involving a former employee who downloaded reports from Cash App that contained some U.S. customer information.

So, do we REALLY want these people making a wallet for us?
We know they have some bad ideas as it is for how to make the wallet, now it takes them MONTHS to admit and report on a data breach.

-Dave
hero member
Activity: 882
Merit: 5834
not your keys, not your coins!
Geometrically, yes, but hell, the shape is a 'Twitter NFT profile pic' reference, isn't it? Cheesy
I had no idea what that was until I just looked it up about 60 seconds ago. Tongue
Lucky man! Wink

There were a couple of parts where she talked about: "What if you die? How do you pass it on to your family?" + they "absolutely have inheritance in mind"...
- This may sound like I'm defending their product design, but the issue with the latter part is if one of my family members, somehow manages to get their hands on my seed phrases, there's still no "easy" way for them to use it and I can easily think of various ways that they could lose it.
But again, I don't see how Block's set up is going to be any easier here.
I believe since they have the ability to restore everything with the loss of phone and hardware device, Block has full control over the coins and can thus send them to the family after they provide proof of death.

Compare all this with my family member simply accessing my seed phrase back up and entering in to a wallet of their choice. Not to mention all the security and privacy drawbacks from using Block. I just don't buy the argument they are pushing that their set up is somehow simpler or easier to use.
I don't see the issue with this as well. It's not very hard and you could just store printed instructions with the seed.

It would be transactions above the limit, not below it, which are signed with phone + hardware as opposed to phone + server. But given that Block are offering recovery services if you lose either phone or hardware device, then it means they must be storing all three xpubs and therefore your privacy is zero.
Right, above the limit. So you would set the limit to 1sat to get privacy, that was kind of how Lindsey worded it. As you say, the fact that they can recover everything means they must have the ability to see all your transactions and funds. From the presentation, I'm not sure if the architecture is actually not done / thought through yet (why do they already have prototypes of the hardware device then) or if Lindsey just doesn't know her own project's architecture which seems weird since she's the Business Lead at Block for this new wallet. It appears that it's one of the two, since she couldn't answer NVK's basic technical questions such as if they hold an xpub.
legendary
Activity: 2268
Merit: 18711
Geometrically, yes, but hell, the shape is a 'Twitter NFT profile pic' reference, isn't it? Cheesy
I had no idea what that was until I just looked it up about 60 seconds ago. Tongue

There were a couple of parts where she talked about: "What if you die? How do you pass it on to your family?" + they "absolutely have inheritance in mind"...
- This may sound like I'm defending their product design, but the issue with the latter part is if one of my family members, somehow manages to get their hands on my seed phrases, there's still no "easy" way for them to use it and I can easily think of various ways that they could lose it.
But again, I don't see how Block's set up is going to be any easier here. If all my coins are in their multi-sig wallet and I die, then best case scenario my family member can access my phone, knows my unlock code/password/PIN (or can access a written back up), knows my app unlock code/password/PIN (or can access a written back up), can access my hardware device, knows my unlock PIN (or can access a written back up), and can send all the coins out to a different wallet. If they can't physically or digitally access my phone, then it is unclear how they would recover my coins, but would likely involve them sending proof of my death to Block so they can co-sign a transaction. If they can't physically or digitally access my hardware device, or I have used a fingerprint instead of a PIN, then again, it is not clear how they can recover my coins. If they can't access both phone or hardware device, then coins are presumably lost forever.

Compare all this with my family member simply accessing my seed phrase back up and entering in to a wallet of their choice. Not to mention all the security and privacy drawbacks from using Block. I just don't buy the argument they are pushing that their set up is somehow simpler or easier to use.

I am highly suspicious that transactions below the 'limit' which don't require interaction with the server, actually are oblivious to Block.
It would be transactions above the limit, not below it, which are signed with phone + hardware as opposed to phone + server. But given that Block are offering recovery services if you lose either phone or hardware device, then it means they must be storing all three xpubs and therefore your privacy is zero.
legendary
Activity: 2212
Merit: 7064
Funny thing that Elon Musk is trying so hard to take over Twitter now and maybe we are going to see him making his own wallet version soon, it's ego thing you know.
Maybe we are going to see device war soon, Jack vs Elon, finish him  Cheesy

On the other hand, if I get a review unit and I say a single good thing about it, someone will rightfully assume that I say it only because I got it for free or might speculate I got paid for the review. It's such a dilemma!
Well I don't really care so much what other people are saying, it's just a noise like wind blowing.
I am not going to hide any bad sides or things I don't like for any device I test or write review, and even if they offer me money I will reveal that information.
In the end, people can decide for themselves if they are going to trust me or not.


hero member
Activity: 882
Merit: 5834
not your keys, not your coins!
So I found a video of Lindsey Grossman talking at Bitcoin Miami. She is the Business Lead at Block for this new wallet: https://youtu.be/WbjzZQwDozw
Okay, I finished it now. NVK does question Block on the technical level which is great; e.g. if they have access to the xpub and notes that if they do, there is no privacy since Block knows every single transaction. Lindsey says they're still working on the implementation and has no direct response to his question. I am highly suspicious that transactions below the 'limit' which don't require interaction with the server, actually are oblivious to Block. I also don't believe that the hardware device is already finished and the basic architecture of the whole system (do they have your xpub or not) isn't...

What's interesting from Lindsey too is that I sense they want to implement the app in a way that reminds me of Muun. 'Customers don't want to think about if this is a QR code for Lightning or a QR code for on-chain'. So it seems it will use a combination of both, maybe also depending on what's cheaper at the time. I honestly don't fully understand how Muun works, but my understanding is that it does something similar, somehow using on-chain or LN depending on mempool, transaction size and such parameters.
legendary
Activity: 2968
Merit: 3406
but I fail to see how a 2-of-3 multi-sig reliant on Block's servers and requiring some form of account, identification, passwords, etc., is "more complex" than just writing down 12 words on a piece of paper.
There were a couple of parts where she talked about: "What if you die? How do you pass it on to your family?" + they "absolutely have inheritance in mind"...
- This may sound like I'm defending their product design, but the issue with the latter part is if one of my family members, somehow manages to get their hands on my seed phrases, there's still no "easy" way for them to use it and I can easily think of various ways that they could lose it.

Although I will concede that the prototypes look sexy as hell: https://nitter.net/JesseDorogusker/status/1511714178326695939
I have mixed feelings about it [they look nice, but I think it can easily slip through our fingers]!
legendary
Activity: 1792
Merit: 1296
...but I fail to see how a 2-of-3 multi-sig reliant on Block's servers and requiring some form of account, identification, passwords, etc., is "more complex" than just writing down 12 words on a piece of paper.
Because most people have gotten used to others fixing and doing things for them that they don't want it to change. There is an issue with your credit card, call your bank, they'll fix it. The car won't start, call your auto insurer. The AC isn't cooling like it did last year - don't try to clean it, but call the service personnel. People know what accounts and passwords are. They are familiar with PINs. God forbid we learn new things. Seeds, phrases, private and public keys, and derivation paths... what da hell are those?

Regular people: Can't I just register an account without all that other stuff?
Block: Sure you can, we've got just the thing for you.
Unfortunately, that's exactly what it is. There will be no mass adoption without the convenience and ease of use of BTC. Square is only trying to give what is the social demand of society. Yes, this is a different, traditional community, using banks, bank accounts, credit cards and so on. This is a completely different society, radically different from crypto community. But with the most important feature for Square - this society is larger, which means it will bring the company a huge number of users, and therefore profit. Both sides win in this scheme: users get what they want (simplicity and ease of use of the device, convenient support and the illusion of a guarantee of the safety of funds), and the company gets clients, money and control of users' finances.

I am not the first day on this forum, so I don’t like this concept at all, but unfortunately, I see that the world will move in this direction: everyone (service and product providers) will adapt to the mass user, who is lazy, stupid and not ready to take responsibility for their finances. And it will set global trends.

It turns out to be a kind of paradox: crypto community is waiting for BTC mass adoption, but it is precisely the masses that will destroy all ideas and values of bitcoin.
legendary
Activity: 2730
Merit: 7065
...but I fail to see how a 2-of-3 multi-sig reliant on Block's servers and requiring some form of account, identification, passwords, etc., is "more complex" than just writing down 12 words on a piece of paper.
Because most people have gotten used to others fixing and doing things for them that they don't want it to change. There is an issue with your credit card, call your bank, they'll fix it. The car won't start, call your auto insurer. The AC isn't cooling like it did last year - don't try to clean it, but call the service personnel. People know what accounts and passwords are. They are familiar with PINs. God forbid we learn new things. Seeds, phrases, private and public keys, and derivation paths... what da hell are those?

Regular people: Can't I just register an account without all that other stuff?
Block: Sure you can, we've got just the thing for you.

Although I will concede that the prototypes look sexy as hell: https://nitter.net/JesseDorogusker/status/1511714178326695939
Like freshwater turtles.  Grin

I will never recommend anyone to buy their hardware wallet.
Stop calling it a hardware wallet. The official term is "device". Shocked
hero member
Activity: 882
Merit: 5834
not your keys, not your coins!
However, I would like to test this device or read some review before making my final conclusions Wink
I would review it, but I also don't feel like giving them money for something I know from the start is fundamentally flawed.. Cheesy
On the other hand, if I get a review unit and I say a single good thing about it, someone will rightfully assume that I say it only because I got it for free or might speculate I got paid for the review. It's such a dilemma!

So I found a video of Lindsey Grossman talking at Bitcoin Miami. She is the Business Lead at Block for this new wallet: https://youtu.be/WbjzZQwDozw
I've watched a part of it so far and what I find hilarious is how the Arculus guy claims 'if a smartcard is good for securing fiat, it's good for securing BTC'. I mean, if someone finds my credit card, I can block it via a phone call to the bank. If they find my Bitcoin smart card, there is no bank to call and tell 'block this seed'. Cheesy
So far it seems like everyone is advertising their product and no one's claims are questioned or challenged. Like a big ad block.
I do like the SeedSigner guy; he doesn't even mention his name and doesn't show his eyes.. While NVK brags about 'doing NFC'.
legendary
Activity: 2212
Merit: 7064
What I meant to say was that I am not recommending Casa (Block is completely out of the picture anyway), but it seems much better than Block if you really want to give a third-party one of your keys for the added benefit of helping you restore your wallet in case you mess up. Since Casa seems to be just selling services and encourages & helps people use actual hardware wallets.
I know you said that about Casa and I would agree with you on that, but I was actually referring to upcoming Block hardware wallet.
The more things I discover about that device, the less I like it, and it's going to be hard to change my opinion about that, unless they do a total remake from the start.
However, I would like to test this device or read some review before making my final conclusions Wink
 
hero member
Activity: 882
Merit: 5834
not your keys, not your coins!
Honestly, I wouldn't advocate for any such product and prefer to teach self-custody, but if someone really needs it, from what I've heard, Casa sounds like a way better option.
I will never recommend anyone to buy their hardware wallet if they make it like this, even if they put open source sticker on it and give it away for ''free''.
What I meant to say was that I am not recommending Casa (Block is completely out of the picture anyway), but it seems much better than Block if you really want to give a third-party one of your keys for the added benefit of helping you restore your wallet in case you mess up. Since Casa seems to be just selling services and encourages & helps people use actual hardware wallets.
legendary
Activity: 2212
Merit: 7064
No offense to her as a person, and she is a good speaker, but everything she says just confirms what we said above. There will be no seed phrases, and there will be no privacy. NVK makes an important point that you won't be able to just take your seed phrase and put it in to another wallet if you need to, if something goes wrong, if the company disappears, etc.
Maybe they should consider renaming their hardware wallet from Block to BlackBox, but it reminds me of the model Blockstream is using for their Jade hardware wallet, that is also using a server instead of a secure element.
This probably means that Block hardware wallet won't have any secure element, that is the reason why they borrowed this idea from Blockstream.
I am not sure how exactly they plan to sell this crap to millions of customers like they planned, but when I think again it's not that hard when you know they are mostly dealing with brainwashed masses.

Although I will concede that the prototypes look sexy as hell
We probably have different definitions or meaning for word sexy, because this looks like shit or those cheap fake gemstones you can find on ebay.
It also reminds me of something I would use to put my glass of juice or bottle of beer on...



Honestly, I wouldn't advocate for any such product and prefer to teach self-custody, but if someone really needs it, from what I've heard, Casa sounds like a way better option.
I will never recommend anyone to buy their hardware wallet if they make it like this, even if they put open source sticker on it and give it away for ''free''.

 
hero member
Activity: 882
Merit: 5834
not your keys, not your coins!
Although I will concede that the prototypes look sexy as hell: https://nitter.net/JesseDorogusker/status/1511714178326695939
Geometrically, yes, but hell, the shape is a 'Twitter NFT profile pic' reference, isn't it? Cheesy

Honestly, I wouldn't advocate for any such product and prefer to teach self-custody, but if someone really needs it, from what I've heard, Casa sounds like a way better option. As far as I know they have a multisig setup as well, to help you restore your wallet and stuff, but you definitely can just stop using them or still have access to your funds if they disappear.

The higher plans are not cheap, but I see this as a big plus, because as we all know if you're not paying, you're the product. It doesn't mean your data is not sold when using a paid product, but the business is less incentivized to do so if they already make thousands of $ per year from your subscription, right.

legendary
Activity: 2268
Merit: 18711
So I found a video of Lindsey Grossman talking at Bitcoin Miami. She is the Business Lead at Block for this new wallet: https://youtu.be/WbjzZQwDozw

No offense to her as a person, and she is a good speaker, but everything she says just confirms what we said above. There will be no seed phrases, and there will be no privacy. NVK makes an important point that you won't be able to just take your seed phrase and put it in to another wallet if you need to, if something goes wrong, if the company disappears, etc. You buy this wallet, and you are completely tied in to Block and their ecosystem. Yes, I appreciate that I am not their target market here, but I fail to see how a 2-of-3 multi-sig reliant on Block's servers and requiring some form of account, identification, passwords, etc., is "more complex" than just writing down 12 words on a piece of paper.

Although I will concede that the prototypes look sexy as hell: https://nitter.net/JesseDorogusker/status/1511714178326695939
legendary
Activity: 2730
Merit: 7065
Looks like they posted an update a few weeks ago which we missed: https://wallet.build/how-the-wallet-works/

Doesn't really say much that we didn't already know. Mainly just expands on how the 2-of-3 multi-sig set up works. Of interest, they have stopped using the term "hardware wallet" though, and instead refer to it as a "hardware device". They still make no mention of seed phrases, though, so it's still not clear if you can actually back up your wallet properly.
Their intention is to build a device for complete newbies to crypto who don't want to or can't focus on protecting their own data. That includes writing down and storing a set of 24 words. It's supposed to make it easy to use. We know that easy doesn't mean safe, but we are not the target audience. I doubt there will be a seed for the end-user. Maybe they can opt in to get one during the setup process. If not, it will be an account-based app where all operations are confirmed with a PIN, password, fingerprint, and similar.
legendary
Activity: 2268
Merit: 18711
Chances for losing both devices are low in reality, it would be similar like losing multiple devices or backups in any other multi-sig setup.
Sure, but that's not what I'm getting at here. If I lose 2 of the 3 keys, and Block are claiming to only hold one key, then my wallet should be irrecoverable. And yet, they say that is not true and I will still be able to recover my wallet. For that to be the case, then unless I have seed phrase back ups (which doesn't seem to be possible from what I've read about this wallet), then Block must somehow have access to the other keys. And if that's the case, then everything else they have said about this wallet is meaningless.

We need more details, and the fact they aren't providing any is concerning on its own. Almost as if they are deliberately trying to keep the inner workings of this secret.
legendary
Activity: 2212
Merit: 7064
So just by installing the mobile app on your new phone, you are somehow able to recover the key lost from your old mobile app. Still no mention of seed phrases. Does this mean you create an account with them and their servers store another one of your keys? Completely unclear.
The Block development team is making these reports to get more feedback from people.
They can't answer clearly about anything because they are just in early discussion phase, and as far as I know they didn't even start developing device or making early models.
Pin code or fingerprint security protection and recovery is fine with some people but for me, and servers will probably be holding this information in some encrypted formats.

So if I lose both my phone and the hardware device, then I have lost 2 out of the 3 keys, meaning only the 1 key they claim to hold is still accessible, meaning the coins in the 2-of-3 wallet are lost. Yet, they say that there will still be a way for me to recover my wallet.
Chances for losing both devices are low in reality, it would be similar like losing multiple devices or backups in any other multi-sig setup.
Holding those devices on different places may be a good idea, but it adds complexity if you are using them often or for daily transactions.