Bitcoin Forum

Can anyone recommend a light wallet for btc? Must have a linux version. Multibit was fine but its been abandoned. I have 0 trust in Electrum.

I do have Jaxx and Exodus for scraps but I don't trust these do it all wallets with btc.

Why? Because of the recent phishing attack?

The Electrum wallet is probably the only SPV wallet I trust. Even with the recent vulnerability, which was “only” showing messages and never really risked anyones funds directly.

Are you serious? 200 + btc stolen and you downplay it. Come on.

Yes. I’m not “downplaying” anything. I’m saying that even with the vulnerability, Electrum is pretty safe. If those users didn’t download the fake wallet (or verified the signatures), they wouldn’t have lost anything.

AGAIN, I’m not saying it’s the users’ fault. I’m just saying thet while I consider this a major exploit from the point of making people easily trust the messages, it’s not a direct issue with the code. At the end of the day, Electrum is way far ahead than most other wallets.

Wasabi is probably the next best, though it's certainly missing a ton of features compared to Electrum. Nothing lightweight comes close to Electrum's features.

Wasabi recently passed (https://github.com/bitcoin-dot-org/bitcoin.org/pull/2788) bitcoin.org's strict criteria for being listed.

You can choose other wallets instead if you don't feel safe on using electrum there are some other options but I'm not sure if which wallet is the safest to use nowadays. You can check some other Linux wallet option from here https://bitcoin.org/en/wallets/desktop/linux/

One of the wallet that I know safe is a green address this is my own alternative wallet but I can not guarantee that this wallet is 100% safe. I haven't experienced any issue yet while you using it. It is good for a temporary wallet while the electrum still in phishing attacks.

Thanks for the suggestions. I'll check out wasabi and greenaddress.

using a different wallet is never going to solve your security concerns.
you and everyone else have to start following certain security concepts in order to remain safe. two of the most important ones are usage of cold storage (https://en.bitcoin.it/wiki/Cold_storage) and learning how to verify PGP signatures 1 (https://security.stackexchange.com/questions/108471/verifying-a-downloaded-file-with-gpg) and 2 (https://bitcointalk.org/index.php?topic=1588906.0).
for example if you download wasabi wallet and still don't verify its signature with the valid PGP public key you are still not increasing your security!

Last hack issue on electrum caused this kind of thinking on having electrum wallet. I see there is no issue on last updated one on electrum. That will be perfect to have since the issue has been solved already.

wasabi is recommended by our admin hence op take it serious and then still there is not security complaints on wasabi so it does not cause the harm to users so security is there.

Let's be honest.. it was the fault of every single user who fell for this phishing scam.

Nothing is wrong with electrum security-wise. Some malicious electrum server exploited a low-severity-vulnerability in electrum to show a (very unprofessional) message (that's all they could do).

Electrum has never notified user about an update this way.
Each user who fell for this and downloaded the faked wallet without verifying the signature is fully responsible for their own loss.


@OP:
You have 0 trust in electrum, but use jaxx and exodus?
Both of them have already been proven to be exploitable (multiple times) which can easily result in a loss of funds / private keys.

Yet, there only was one severe vulnerability in electrum (the RPC vuln) which also required to have no password set in order to be really exploitable regarding stealing funds / private keys.

Yes, I have a few "scraps" in Jaxx and Exodus. Losing those scraps would not be a hardship. For the record, I did not lose funds from the recent electrum exploit but I am pissed off it happened. It would have been a huge loss for me. So, ya, I dodged a bullet.

Blaming unsuspecting users is not fair. Not everyone is as savvy as you. It's ok to be smug when you're not the ones that got hit.

Why do I keep seeing fresh reports of lost coins if people are being warned via electrums wallet?

There seems to be a concerted effort to downplay the exploit when in fact it was serious shit.

There are still people falling for the "Dear sir, you have won $60million USD in Nigerian State Lottery" emails... there are still people falling for the "Hello, I am calling from Microsoft Security about virus on your computer" phone calls...

Try as hard as you can, you simply cannot protect people from themselves... Unfortunately, some are going to learn "the hard way"™ about security and personal responsibility when dealing with cryptocurrency :-\

Was the recent exploit serious... yes... was it downplayed... No. There was even a "News" link at the top of all Bitcointalk pages by Theymos warning about it when it first happened. The exploit is now weeks old and it has been patched. If users are not updating and not staying up to date when dealing with their personal finances, you cannot blame the software developers for this.

I've said it multiple times... "Be your own bank" also implies "Be your own Bank's security department".

I'm pretty sure the majority of users do not check bitcointalk for wallet warnings. They tend to show up after they're hacked.

Assume the hacked ones downloaded electrum from the proper place and verified the download. I'm sure they never expected a message from the wallet to update, to be anything but above board.

Yes, I agree people should have disregarded the message and went to electrum.org to get and verify the new version. You can't fairly make this a comparison to Nigerian and Microsoft scams. It was unexpected and pretty damned slick.

Its all about trust. No one wants to entrust their bitcoins to dodgy software.

Don't trust, verify!

Which is why, regardless of the fact that I always download Electrum from electrum.org... I will always verify the digital signature before installing and using it. I also always check the Electrum website on a semi-regular basis to look for updates.

In my opinion, Electrum isn't "dodgy"... and at the end of the day... the real blame lies at the feet of the scumbags executing these attacks.  >:(

that is a dangerous way of thinking.
there are no 100% secure applications. there is always going to be some exploits in every code without an exception. it has been like this for as long as computer programming existed. thinking there is no more issues with Electrum or thinking there is no issues with other wallets is going to result in carelessness and losses.

For the newbies reading.

Use the Green Address wallet. It uses Segwit addresses that start with a "3" by default. You will not have any problems with compatibility when you're sending coins to a legacy address, unlike Electrum which uses the incompatible Bech32 address format as a default.

https://greenaddress.it/en/

With Green Address, there's no need to generate a BIP39 seed to use in Electrum, in generators like Ian Coleman's, https://iancoleman.io/bip39/

Simple.. The source code.

Electrum is completely open source.

And if you don't trust the developer, simply check the whole code at github.
You only need to verify the source code once, then after each update you will simply be looking at the commits only to make sure no backdoor whatsoever has been built in.

You can even build it yourself from source if you don't want to download a prebuilt binary.

Yes, thats why i have suggested to check the source code.

You can always trust the source code.




Of course they do the same thing. But you are SURE that the program is doing what it is supposed to do.
You are eliminating the risk of the source code and the binary being actually 2 different programs (e.g. prebuilt binary including backdoor).

There is a good reason to "not show security alerts". This offers way too much room for exploitation and would create new potential attack vectors.


Each user IS and SHOULD responsible for his/her own security.
If you are depending on others to tell you when it is safe or not safe to use a software, you are doing something wrong.




There is nothing which needs to be fixed currently.

Also he didn't mention anywhere that he is not a developer, even tho its pretty probable, it's just what you are assuming.


I don't understand the big crying about this "vulnerability". All it allowed was to show a message from the electrum server.
That's nothing security-related at all.

This wouldn't even get a CVSS score of 3 of 10 (i calculated it myself). That's definitely just low severity.

Who cares about what Microsoft does? Their whole main product is a spyware (Windows). Stop using the “Microsft does” card all the time. We are presenting you FACTS. No expert is going to deny that PGP signatures are WAY safer than hash files verifications. Period.

Look at what I found. Where is your god (Bill Gates) now? ::)

https://www.microsoft.com/en-us/msrc/pgp-key-msrc

As soon as you download a malicious software from a fake page, the hashes on the *fake* page will also be fake. How the heck do you use an information from the fake page to verify itself as legit? It’s like asking a scammer if he is a scammer. If he says “no”, you instantly trust him.

By verificating the file signature, which was previously set up from a trusted source, you don’t depend the confirmation bis from a single untrusted source, which is a fake website.

If you still didn’t understand that (somehow), then you are a moron and I will not discuss with you anymore. I’m not that patient with ignorent prople like you. Goodbye.

 ???

A computer does EXACTLY what is written in the code.

If YOU can't read or understand it, it is your fault.




Actually, the brains behind microsoft are very clever.
They are gathering more information from you than allowed by law and make money out of it.

To be precise, YOU are stupid for using microsoft without turning off all spying settings.




I don't think you know how CVSS works.

Actually.. it doesn't effect:
- Confidentiality
- Integrity
- Availability

The vulnerability doesn't allow the attacker to do anything except just SHOWING A MESSAGE.

That's like sending you an email with the title of "electrum is vulnerable, plz udpate from this very very offcial siite: electrummalware.org/iamstupid/forclickingthis" (mistakes intended)

People like you actually would click on it and install malware  ::)

---

1. Because it is way easier (especially for non-techy people like you who don't understand anything at all)

2. Because Microsoft has a very very bad security policy

3. Yes

4. Depending on the source of the hashes to verify with, yes

5. I am actually 99.9 % sure that TomasV is smarter than billy gates.

most of hardware wallets use electrum for SPV, it is one of the best SPV wallets. just ensure that you download and use original version.

actually Microsoft already has a similar mechanism at work with digital signatures using asymmetric cryptography using RSA keys, where you have to pay and buy a "certificate" if you want to have your applications have that.

but for some reason this user you are arguing with here, doesn't want to accept any reply and keeps pushing for hashes to replace the secure PGP signatures! which will never happen by the way.

One begins to wonder "why" someone would campaign so hard for Electrum to reduce security by switching to using simple hashes for binary file verification? ???

Perhaps a "long con" to try and get the Electrum devs to help condition less knowledgeable users to implicitly trust file hashes to prove authenticity... so that they can then setup a fake site, with fake .exe and fake hashes to fool users who now believe that file hash = secure.  :-X ::)

Although, I think I'm probably giving some people too much credit. :P

i think you are giving him too much credit, haha
and as i said above, this will never happen no matter how much he pushes for it. it is too obvious that it is not safe to do that and it has been discussed a very long time ago and Thomas. V. commented on it by the time.

besides if a user is too lazy to check the signature, they are also too lazy to check the hashes so it wouldn't even make any differences! they still have to open their terminal (in Linux) or install an application (in windows) to do the hashes and their verification so the steps are nearly similar!