Verifiable builds need attention. Only 3 of 68 Android wallets are verifiable

Flexystar

full member

Activity: 1092

Merit: 227

First of all thank you for the great work you are doing with the wallet scrutiny, I just stumbled upon your thread while I was reading through this section. It is amazing how you started your journey since 2019 and have already sirupted lot of information about various wallets. I think CoinBase is now even worst at this point. The user base is has outgrown the previously published number which means there are more and more users who just want to use nice looking apps, with easy to handle request. I mean pick a wallet which is non custodial, they have basic UI, (though its advancing) people are not used to it somehow. May be they like to share their private keys with the custodial wallets. Sadly the number of such wallets is huge which makes us think there is such under education about the "Not your keys, not your bitcoin".

Quote from: dkbit98 on May 29, 2023, 01:02:42 PM

Quote from: o_e_l_e_o on May 28, 2023, 03:57:48 AM

So because they point out that a custodial wallet is custodial, that custodial wallet attempted frivolous legal action because they didn't like someone pointing out that they are custodial? Roll Eyes

We should clearly name those custodial wallets and tell more people to avoid using them.
WalletScrutiny received this legal actions two times so far, first time it was from Mercado Bitcoin, and now they received it from Foxbit.
Both of this services are located in Brazil, that makes me think there is some connection between them, and this was targeted attack.

I am sure this is targeted attack only. They are just trying to take down the information and do not want to get hampered with their brand. This is what makes them afraid. Since you are openly stating the information about the custodial wallets they would lose the client base. Not sure how you are going to fight back but definitely under information acts this isn't illegal. Good luck.

NotATether

legendary

Activity: 1568

Merit: 6660

bitcoincleanup.com / bitmixlist.org

Quote from: giszmo on June 09, 2023, 03:47:12 PM

MercadoBitcoin's review was removed due to a DMCA takedown notice and I had forgotten to put it back up until the Foxbit takedown notice.

Today the latter just had its deadline to take court action expired, so I will re-instantiate it, too.

Excuse me, but what the fuck is going on? Are some companies apparently angry at your website or something? Huh

giszmo

legendary

Activity: 1862

Merit: 1114

WalletScrutiny.com

MercadoBitcoin's review was removed due to a DMCA takedown notice and I had forgotten to put it back up until the Foxbit takedown notice.

Today the latter just had its deadline to take court action expired, so I will re-instantiate it, too.

dkbit98

legendary

Activity: 2212

Merit: 7064

Quote from: o_e_l_e_o on May 28, 2023, 03:57:48 AM

So because they point out that a custodial wallet is custodial, that custodial wallet attempted frivolous legal action because they didn't like someone pointing out that they are custodial? Roll Eyes

We should clearly name those custodial wallets and tell more people to avoid using them.
WalletScrutiny received this legal actions two times so far, first time it was from Mercado Bitcoin, and now they received it from Foxbit.
Both of this services are located in Brazil, that makes me think there is some connection between them, and this was targeted attack.

Yamane_Keto

hero member

Activity: 406

Merit: 443

Quote from: dkbit98 on May 27, 2023, 04:18:05 PM

WalletScrutiny website was recently shut down due to a DMCA takedown notice, and we it was unavailable for few days but now it's working again.
I don't know why anyone would have a problem with website like this, but maybe some closed source wallets and centralized exchanges are involved with this.
If you want to follow what happened follow their twitter account @WalletScrutiny.

The power of these "custodial exchanges" and the time that a lawyer took to litigation and all this for open source code?
I will download the website files, run it offline, and will everywhere give Foxbit (which was the reason for DCMA) a negative rating. Cool

187 wallet with No Source! and 591 Custodial! All this in a decentralized industry.

o_e_l_e_o

legendary

Activity: 2268

Merit: 18711

So because they point out that a custodial wallet is custodial, that custodial wallet attempted frivolous legal action because they didn't like someone pointing out that they are custodial? Roll Eyes

What incredibly scummy and shady behavior, but unfortunately anyone who is already using a custodial wallet is unlikely to swayed by said behavior.

dkbit98

legendary

Activity: 2212

Merit: 7064

WalletScrutiny website was recently shut down due to a DMCA takedown notice, and we it was unavailable for few days but now it's working again.
I don't know why anyone would have a problem with website like this, but maybe some closed source wallets and centralized exchanges are involved with this.
If you want to follow what happened follow their twitter account @WalletScrutiny.

giszmo

legendary

Activity: 1862

Merit: 1114

WalletScrutiny.com

Quote from: dkbit98 on December 11, 2021, 08:22:08 AM

Some people also reported that NVK blocked them on twitter so they can't comment on any of coldcard twitter posts, and he is hating all other hardware wallet devices...

#metoo

dkbit98

legendary

Activity: 2212

Merit: 7064

Quote from: giszmo on December 10, 2021, 10:48:22 PM

Cringy :/ I used the term "open source" in a sloppy way, too but once somebody complained, I replaced it everywhere with "public source", as that is what I need to reproduce binaries.

I don't know why NVK is pushing this open source label so hard, but it's crystal clear that you can't have common clause license in your code and still advertise code of your device as open source.
Some people also reported that NVK blocked them on twitter so they can't comment on any of coldcard twitter posts, and he is hating all other hardware wallet devices...

Quote

Is this “Open Source”?
No.

https://commonsclause.com/

giszmo

legendary

Activity: 1862

Merit: 1114

WalletScrutiny.com

Quote from: dkbit98 on November 09, 2021, 05:50:10 AM

btw ColdCard wallet is not open source anymore, but he still claims differently on his website... maybe he will change that in future also

Cringy :/ I used the term "open source" in a sloppy way, too but once somebody complained, I replaced it everywhere with "public source", as that is what I need to reproduce binaries.

Quote from: pooya87 on November 09, 2021, 10:48:36 PM

As long as the site is not created to advertise certain project(s) and as long as they are giving correct information instead of falsified claims, things can remain healthy otherwise that's another case of why centralized "review" sites are generally bad.

WalletScrutiny is certainly not created to advertise any specific products. I did work for Mycelium before but I quit because of this conflict of interest and I'm pretty open about my disagreements in direction when it comes to shitcoins. Ideally WS would be easy to fork though but I don't dare yet to make the reviews themselves creative commons or something. The framework and tools are open source already though.

pooya87

legendary

Activity: 3472

Merit: 10611

Quote from: dkbit98 on November 09, 2021, 05:50:10 AM

I don't think there is anything wrong with some (healthy) competition and it can help improve both of your websites.

As long as the site is not created to advertise certain project(s) and as long as they are giving correct information instead of falsified claims, things can remain healthy otherwise that's another case of why centralized "review" sites are generally bad.

dkbit98

legendary

Activity: 2212

Merit: 7064

Quote from: giszmo on November 08, 2021, 09:58:50 PM

I feel like bitcoinbinary was launched as a reaction to WalletScrutiny's review of ColdCard. It's @NVK's project.

Yeah it's his project, and he even ''donated'' himself, but it appears he now removed that info from the page bottom (maybe because of my remarks), however it was archived on time Coinkite = Coldcard = NVK

I don't think there is anything wrong with some (healthy) competition and it can help improve both of your websites.

btw ColdCard wallet is not open source anymore, but he still claims differently on his website... maybe he will change that in future also

https://coldcard.com/

giszmo

legendary

Activity: 1862

Merit: 1114

WalletScrutiny.com

I feel like bitcoinbinary was launched as a reaction to WalletScrutiny's review of ColdCard. It's @NVK's project.

dkbit98

legendary

Activity: 2212

Merit: 7064

There is one alternative website I found for WalletScrutiny and it is called bitcoinbinary.org, interesting part is that one of bitcointalk moderators achow101 was testing wallets and participating in this exercise,
I don't know if this website is sponsored by Coinkite aka Coldcard, but they did receive 0.025 BTC donation from them and githuib page is posted on Coinkite github,
so it looks like ColdCard wanted to proved how their code is still reproducible even if it's not open source anymore.
Conclusion is that many wallets have bad documentation or incorrect build instructions so they couldn't be reproduced.

Github: https://github.com/coinkite/bitcoinbinary.org
Website: https://bitcoinbinary.org/

giszmo

legendary

Activity: 1862

Merit: 1114

WalletScrutiny.com

Quote from: dkbit98 on August 07, 2021, 10:12:03 AM

Quote from: giszmo on August 02, 2021, 10:16:55 PM

...

How exactly are you testing Hardware Wallets?
I guess you first need to have actual device in your hand (purchased or received for testing from manufacturer) and then try to reproduce the code.

We look at claims about the functionality of the device to see if it falls into any of the k.o. criteria like not having a screen to verify what you approve. Then we look for the source code and the binary. If the source code compiles into the binary, the wallet is reproducible. Check out our full methodolgy.

Quote from: dkbit98 on August 07, 2021, 10:12:03 AM

Quote from: giszmo on August 02, 2021, 10:16:55 PM

So ... if you want to help, there is a ton to do from simple triage to compilation to design to spreading the word. Wink

I am helping in spreading the word about WalletScrutiny and I am monitoring hardware wallet changes, especially if they claim they are open source.
You can track that in my topics that is updated on regular basis like this one for example: LIST - Open Source Hardware Wallets.

I think we have all the products you list. We have to review most of them still.

dkbit98

legendary

Activity: 2212

Merit: 7064

Quote from: giszmo on August 02, 2021, 10:16:55 PM

...

How exactly are you testing Hardware Wallets?
I guess you first need to have actual device in your hand (purchased or received for testing from manufacturer) and then try to reproduce the code.

Quote from: giszmo on August 02, 2021, 10:16:55 PM

So ... if you want to help, there is a ton to do from simple triage to compilation to design to spreading the word. Wink

I am helping in spreading the word about WalletScrutiny and I am monitoring hardware wallet changes, especially if they claim they are open source.
You can track that in my topics that is updated on regular basis like this one for example: LIST - Open Source Hardware Wallets.

giszmo

legendary

Activity: 1862

Merit: 1114

WalletScrutiny.com

Hi dkbit98,

WalletScrutiny is a ton of work and we are a small team, only.

In our Methodology you can read our priorities:

Quote

1. Re-evaluate new releases of Reproducible wallets as they become available. If users opt for a wallet because it is reproducible, they should be waiting for this re-evaluation before updating.

Today I tested the latest releases of AirGap Vault and Green Wallet. Today, Green was a bit more work than usual.

Quote

2. Check if any of the Unreproducible! wallets updated their issues on their repositories.

We really hope to see more reproducible products, so we always have an eye on the dozens of open issues.

Quote

3. Make general improvements of the platform

That is the a catch-all for improving scripts, design and often just investigations. It's probably the bulk of the work.

Quote

4. Evaluate the most relevant Development wallets

For Android we have a good proxy for relevance - downloads. For iPhone we don't and neither for hardware wallets.

Unfortunately we are not progressing in the top category as fast as I wish we would but that has to do with severe lack of people to work with code. The k.o. criteria (custodial, bad interface, defunct, ...) are verdicts relatively inexperienced Bitcoiners can come to but when it comes to reproducing a wallet, it's mostly on me. Emanuel also does play with code and does a ton of work but refuses to open merge requests, so writing the difficult reviews is all on one person that also looks into all the other stuff.

So ... if you want to help, there is a ton to do from simple triage to compilation to design to spreading the word. Wink

dkbit98

legendary

Activity: 2212

Merit: 7064

WalletScrutiny website added many hardware wallets on their website and only four of them had reproducible codes, Trezor model One, Trezor model T, BitBox02 and KeepKey.
I was a bit surprised to see that ColdCard wallet is still under development, but maybe @giszmo and his team didn't have enough time to finish testing for ColdCard and other wallets that known to be Open Source.
They made several categories like Defunct (feature many dead wallets), No Source (Ledger), Bad Interface (Coldlar, Secalot, Bepal), Leaks Keys (Opendime), Development (ColdCard and many other wallets), and No BTC category.
I noticed some hardware wallets are missing from the list, like Keystone that should be open source, and it is now replacing defunct Cobo hardware wallet.
Clicking on each wallet is showing small window with basic information, price, size, review date, links and detailed full analysis report.

https://walletscrutiny.com/?verdict=all&platform=hardware

I have the give props to giszmo and his team for keeping their promise and doing this huge work of adding hardware wallets like they promised.

giszmo

legendary

Activity: 1862

Merit: 1114

WalletScrutiny.com

Quote from: dkbit98 on March 22, 2021, 12:46:51 PM

If you think like that than you should not consider Lightning Network Bitcoin as a real Bitcoin and any wallet that is using LN (custodial or not) should not be on WalletScrutiny website.
Bitcoin Blue wallet is not custodial, and you can create separate page for all Lightning Network wallets and other second layer solutions if you want.
LN Blue wallet wallet can be custodial and non-custodial and there are many shitcoins that can work with LN and not just Bitcoin.
Just my suggestion.

LN Blue wallet is by default custodial and does not warn the user.

I see your point for LN-only wallets like Phoenix but else, the protocol not being as good as Bitcoin in the presence of an actual non-custodial Bitcoin account doesn't make the wallet custodial. Maybe Phoenix is "not a BTC wallet" but certainly not custodial.

dkbit98

legendary

Activity: 2212

Merit: 7064

Quote from: giszmo on March 22, 2021, 12:39:45 PM

...

If you think like that than you should not consider Lightning Network Bitcoin as a real Bitcoin and any wallet that is using LN (custodial or not) should not be on WalletScrutiny website.
Bitcoin Blue wallet is not custodial, and you can create separate page for all Lightning Network wallets and other second layer solutions if you want.
LN Blue wallet wallet can be custodial and non-custodial and there are many shitcoins that can work with LN and not just Bitcoin.
Just my suggestion.

Topic: Verifiable builds need attention. Only 3 of 68 Android wallets are verifiable (Read 587 times)