Topic: walletscrutiny: the majority of "wallets" are either custodial or closed source - page 2. (Read 1664 times)

We need your help.

Our #opensource #bitcoin project critically examines wallets - by looking into code reproducibility.

We're trying to raise funds to keep the project going. There are thousands of wallets and hundreds of devices.
Visit http://walletscrutiny.com for more info.

First time I hear about Tangem.

https://tangem.com/apps/ looks like a companion app  which would not be reviewed by us but in the case of Ballet I made an exception as the private keys are handled by that "companion" app but in the case of tangem ... as the card has no display it can only blindly sign and surrender data it's been asked to do, so while it might not surrender the private keys, the "wallet" might empty the full account while the user thinks to be paying a coffee. Not funny. Not sure how to add it to walletscrutiny.

Edit: What a shitty product All recent reviews claim it doesn't work at all. And as it has 1k downloads on GPlay, it meets the criteria to get a review. I need a pause ...

I have been going on rants about collectibles things like the ballet that are funded in general.
Too many issues with potential vulnerabilities all around. But I don't think that is going to stop anyone.

Have you been able to find anything on the Tangem software?  I did not find anything last time I looked.

-Dave

Uhm ... I suppose that button works on that tropical island, too. During Covid-home-office, he can pretend from the beach. I didn't mean to say that going to work normally would be a good idea although there is ways, too. If Dave is the release manager, he could "catch a backdoor" that conveniently deleted all its traces of infection. He'd just have to make sure to mix well that stash.


The standard claim by all of them is "We have the best security in the industry". I'm so tired of reading superlatives in every wallet description.


People trust non-reproducible wallets provided by anonymous developers. They trust custodial wallets that make no statement about using cold storage. Yesterday I reviewed a Ballet, a wallet that uses provider-generated BIP38 paper wallets and calls those "hardware wallets" and the app "companion app" and it's ok because Charlie Lee is running this shop. Unfortunately most people in the space are not at all literate about cryptography.

Because if you leave Friday and don't come back Monday people are going to start looking.
IF someone does notice the code change and they come looking for you it's good to be someplace else.
Might as well be a beach on a tropical island with no extradition.


Nobody has it, that I know of in the crypto space and that is the issue.
Yeah, possibly the big players [Coinbase, Gemini, Kracken, etc]
But, Mycelium, Electrum, etc. If they do they don't talk about it.

I would love for one of them to actually do some epic security measures and be somewhat upfront about it.

-Dave

I agree. My approach on that (not sure if I shared it here in this thread) is a monitoring app that can pull the plug (switch phone offline). This feature could maybe be added to the wallet itself with less than 100 lines of code, to make sure the wallet becomes less of a target for hackers as pulling the plug would happen for all users, not only those that run an extra app if something weird is detected but for a start it also works as a separate app. That app would detect every install of a relevant app (enlisted Bitcoin wallets) and check the fingerprint with ideally more than one independent server. If the hash is unknown, upload the apk and go offline. If the server finds the apk to be a non-white-listed release, signed with the provider's keys, it triggers an alert. All that run the app get their phones switched offline (or otherwise updates disabled) and a notification shown. For this to work, the provider has to publish their soon to be releases, reproducible binaries (maybe without signature if they don't want users to update to it just yet) for white-listing.


The machine or the machine's administrator. Under duress, who knows what would happen?


Is there any reason to press the button before he sees an update of the app on Google/Apple or his credentials revoked? I don't think so. He can probably keep pretending for a week or two.


Tell me who has that setup? I have yet to find a project that would even claim to do reproducible builds of their closed source product. Without reproducible builds, people sign off blindly.


It signals but the open source community also helps fix issues at times. Mycelium got several issues fixed thanks to outside contributions.


Public Source doesn't proof security. It only can make it painfully obvious if the app lacks security. Any app that cannot be deterministically built cannot avoid a single point of failure. A closed source app skips that scrutiny and has less of an incentive do do things right. Without really technical people demanding it, managers let it slip down in priority until "Dave" actually pulls it off and goes on prolonged vacation. (You actually got your cast wrong. It's Eve who goes on vacation )

Sorry about that, from the way I read it you were part of them. My fault, owe you an apology.

I know I have said it before and will keep saying it about open source wallets or anything. Unless you compile it yourself OR make sure that any auto-updating is turned off you are probably getting a false sense of security. Unless they can prove an audit of their update security.

Having a code audit and being open source is good. But it the machine that uploads the files to the play store / itunes is not secure then it all goes out the window.

Employee "Dave" goes evil. Owner / programmer "giszmo" does everything properly, open source, code audits, etc.
3:30 PM on Friday Dave uploads the bad wallets to the online stores. They have nothing to do with the GitHub code. Says to giszmo "See you Monday" as always and walks out the door.
3:45 PM stores start pushing out bad version
4:00 PM Dave arrives at airport
10:30 PM Dave lands in some tropical island
11:45 PM Dave checks and 500 copies of the wallet have been downloaded and have ~ 35BTC in total.
6:00AM Sat 7200 copies have been downloaded and have ~90BTC in total.
Dave sits and wait's till there are 100+ BTC in the compromised wallets. And then hits the "Send to Dave" button.
Will probably get some more BTC till everyone figures out what is wrong and happening.

So is that better then a closed souse wallet that needs 3 checks against their internal code before it's uploaded and the uploads needs 2 different 2fa devices that 2 different people have?

I like open source, I use open source, unless everything has multiple separate checks in the process it's not any better some times.

Sorry, but I am going to keep saying that. And that the above rant or a similar one should be on every page that discussed the benefits of open source.

-Dave

I agree with many of your concerns. I'm not a contributor to YetiCold and only had a lengthy call with the main contributor @JWWeatherman_ which probably is worth nothing if in the end people lose funds but it might have skewed my confidence. I edited my comment above.

Your comment sounds like I was part of YetiCold. I am not. I just see this project is addressing many things in a very good way although I have not audited it very carefully. Many concerns can be mitigated the way they step through the whole process but one of my criticisms was also that there is no concise instructions one could read from start to finish. You actually have to do it to know how it goes. @JWWeatherman_ counters this with the videos that show the whole process.

Let's admit I wouldn't probably use Yeti Cold
As far as I am concerned after November, in which I wrote that last post, many things have changed I do have a set-up which I find reasonable now. Of course, I'm not going to disclose it because it is better to keep it private where sharing it on a public forum may always be a problem.

Seriously?
You talk about security then you send people to an unknown github to download software?

You pick amounts to tell people which version to use without even commenting on the fact that for some $5000 might be a years worth of savings and for others it's what they made last Tuesday.

You have statements like this in your readme.md (bold mine):
Are hardware wallets perfect? No, but telling people not to use one for daily spending?

And you have such other great quotes as:
That does not take into account internet speed, how high you can set dbcache in the bitcoin.conf file due to laptop ram, and other things. There are discussions popping up here from time to time about how long it can take. But seriously go to any of the download calculators out there and figure out how long its going to take with some slow ass DSL or 1M line that large portions of the world have. Not to mention the people with capped download amounts.

Oh and this:

Go search for the amount of cheap phones that come out of the factory compromised and how many crap noname phones are pre-infected. Tons of discussions about this too. Not even a mention about that.

Don't see a signing key / pgp signature for you / this project but didn't look that hard.

-Dave

Thanks for spreading the word. Much appreciated!

I won't go into detail about my personal setup for my own security but you should generally not have easy access to your savings and you should make sure that if something happens to you, your loved ones will get your bitcoins. Google and you will find instructions. YetiCold tries to make this secure setup fool proof, for non- to semi-technical users for example.

Edit: I personally kind of trust before mentioned project as I voiped with a contributor about security concerns and he's certainly very knowledgeable although quite opinionated but strictly speaking I don't absolutely trust the website and share many of Dave's concerns below. When it comes to multi signature, I don't have anything better to point to neither though. Certainly not Casa, Specter maybe? Haven't investigated Unchained or other options. Electrum with multiple hardware wallets is an option but no fun for the non-technical user neither.

Hey giszmo, thanks a lot for your work. I am not a tech guy otherwise I would be helping you more. I am sharing your site with my closest friends to let them abandon everything which is not (reproducible) open source.
Listen, I have a question for you, if you would like to answer it: what is your current bitcoin storing set up? how do you make your coins secure? how about your keys and passphrases? etc.
I am all ears if you wish.

The problem is that you might not notice any difference because it's a long con. The provider might be collecting backups of all the users' wallets an carefully watch if the BTC are getting more or less. He would have some staff to provide a good product etc. Then at some point he cashes out. He might even sell the product and then, a week later pull the rug and put blame on the buyer who paid him already on top of the loot.

I'm 100% confident that there are are project out there that are highly regarded by their users but ultimately the providers are psychopaths with no regards for the damage they will do when they pull the rug.

The most important for mobile crypto wallet is to be non-custodial. I use both open source wallets like Samourai and BRD and closed source like Ownr. And I notice any differences.

We list

• Trust as closed source
• Eidoo as closed source
• Lunes as not reproducible (there is some code but who knows if it's behind the Google Play release).

Is there any mistakes?

Edit: Why the hack did you mention "Lunes" of all wallets? That one did not get updated in 2 years and looks like a dead project.

Trust wallet can also be used to store BTC. It is possible to say a few more wallets on security.
Eidoo and lunes wallet are among the important wallets that are trusted.

you may also want to look into how many people are actually checking the hash versus the one devs release to actually verify reproducibility of the released binaries.
for example a while ago i asked about Electrum and whether people were checking the hashes, not that many were interested in that poll and the handful of those who replied hadn't checked the hashes.
in contrast bitcoin core has many individuals who are not only checking the hashes but also release it independently.

WalletScrutiny is expanding to Linux and could use your help.

For Android the take was that there is basically just one binary distributed via Google and Google defines an appId for every app that we go by.

On Linux this gets a liiitle bit more complicated. Projects like bitcoin core distribute not only via bitcoincore.org but also via bitcoin.org, a bunch of mirrors and different binary packages via the different Linux distributions and then there is the snap store.

My initial take was to track each distributor but that will massively delay listing Linux wallets at all.

Now I lean towards tracking the best every project has to offer in terms of reproducible binaries and warn the user that the verdict "reproducible" doesn't imply reproducibility via alternative providers.

Any volunteers interested in helping with this, please chime in via https://gitlab.com/walletscrutiny/walletScrutinyCom/-/merge_requests/68

Wallet Scrutiny changed look with a brand new website. A few wallet verdicts have been update and some new ones were added; the new search bar to find your preferred wallet is quite handy.
https://walletscrutiny.com/

Yep, you are right on this one giszmo. We are the sort of Don't trust verify people and the Sammy guys seem to avoid such topics as you said.