If someone has access to your Google account, then they can generate as many back up codes as they like by following these instructions: https://support.google.com/accounts/answer/1187538

They can also transfer your Google authenticator to their phone by following these instructions: https://support.google.com/accounts/troubleshooter/4430955?hl=en#ts=4430956

Google authenticator is only as secure as your Google account. It would be better to use an open source 2FA app which you can back up with an encrypted database locally.

That's not how 2FA authenticators work. When you first set them up with a new site, the site generates a shared secret, which you input in to your app usually by scanning a QR code. The app then uses that shared secret and the current time (usually floored to the nearest 30 second interval) as inputs in to a hashing process to generate a code. The site in question does the same thing to confirm the code you enter is correct. All that is required is for both both your phone and the site in question to know the shared secret (which they remember from the first time you set it up), and are able to tell what time it is. No internet access is ever required.

2FA does not make you 100% safe or immune to being hacked. It is a useful addition to your security set up, but it should not be treated as foolproof, and should not solely relied upon. If you use a SMS based 2FA method, then the additional security it provides is actually quite low. SMS messages can be intercepted or redirected, and SIM jacking is a relatively straightforward attack with a little bit of social engineering. An authenticator app is better, but unfortunately most people use Google Authenticator, which can be reset or have its back up codes accessed by anyone who can hack your email account. A physical 2FA hardware key is the best option.

If they can't be trusted to keep a paper wallet safe, then why give it to them at all? If you are going to keep a copy safely yourself anyway, then why risk them losing their copy and having someone steal the coins? Why not just create a wallet for them, store it yourself, and hand it over to them in 5/10/whatever years' time? You can tell them you've done so and where to find/access the wallet should something happen to you in the meantime.

This is partly why I think it's better to get someone to create their own wallet and them send some coins to them, rather than just handing them a pre-loaded wallet. If they are willing to spend the time to educate themselves on how to set up, back up, and securely store a wallet, then they are far more likely to keep it safe and not be careless with it.

Agree with you both.

The description for the Off Topic board is "Other topics that might be of interest to bitcoiners." Off Topic should have been a board for discussions regarding privacy, security, online safety, encryption, PGP, programming, coding, hardware, and so on. Technical topics which are of interest to bitcoiners. Somewhere along the line it has turned in to a board of "Literally any old spam". As you say, topics in there are viewed almost exclusively by spammers and are bereft of any intelligent discussion.

I wouldn't be in favor of heavily moderating Off Topic and trying to turn it in to the kind of board I've described above, as I think the fall out to the rest of the forum would be horrendous. Many spammers would flood over in to other less moderated boards and spam them instead. I think it would be better to leave Off Topic as it is, change the description to better fit what it is, and create a new board for the kinds of topics we are discussing here.

Threads on these subjects already have misleading or incorrect information in them, as do many threads on every board. Thankfully there are plenty of knowledgeable members around to clarify and correct misinformation, and there is no reason why a Security and Privacy board would be any different.

Agreed. A couple of stickied threads at the top of a Privacy and Security board explaining some basic concepts, much like we have with the stickied thread about wallets in Beginners and Help, could help to address this.

It's not a true VPN, just a proxy server for the browser. It routes your traffic through a server hosted by SurfEasy, whose Privacy Policy includes logging "Temporary usage data" and "Internet and data traffic, such as destination website or IP address and originating IP address". I wouldn't use it.

The United States has the worst healthcare system in the developed world, and also some of the most unhealthy citizens in the world, with well above average rates of obesity, diabetes, heart disease, and so on. Patients with other serious comorbidities are the ones most likely to die from coronavirus.

Maybe not a board just for privacy, but certainly something like "Privacy, Security, and online Safety" would be useful. There are plenty of threads which would fit in to this category which are currently spread across the forum in boards they don't really fit. For example, on the front page of Beginners right now we have threads about reporting phishing ads, autosaving log in details, tools for catching phishing, KYC, 2FA, bitcoin privacy and anonymity, VPNs, Discord phishing, and info stealing malware, all of which would be better on a privacy/security type board. There are quite a few similar threads which start on Beginners and get moved to Off Topic, where they are then only seen by spammers. On the front page of Off Topic right now we have threads about disabling autofill on browsers, protecting your data on old devices, Brave browser, antivirus, and password security.

That's 14 threads just from the front page of two boards. If we go back a few pages and look in other boards I'm sure we would find plenty more to rapidly fill a new board. Time and time again we see people being careless with their online security and privacy. A dedicated board doesn't just help to keep all these topics together, but would also be beneficial to the community.

This is the correct approach. Locally encrypted database for your passwords. Airgapped or hardware wallets for your private keys. Seed phrases written down on paper.

To expand on BitCryptex's answer:

He is right in stating you should generate a receiving address from your watch only wallet. But technically speaking, you can generate a receiving address from either your watch only or your airgapped wallet, as they contain the exact same set of addresses. The only difference is that the airgapped wallet also contains the private keys to those addresses, and so can sign transactions, whereas your watch only wallet can only watch those address, as the name suggests.

There is also a common misunderstanding that your wallet is storing your bitcoin, which is why people get confused about having two wallets for the same address. This is not the case. The blockchain is simply a record of which addresses are allowed to spend which bitcoins. The bitcoins never actually leave the blockchain, and are never stored in your wallet. All your wallet stores is a list of addresses which you control, and the blockchain stores a list of all the coins those addresses are allowed to spend.

And if anyone hacks your Google account they have your password to everything. Or if they perform some simple social engineering and get your Google account password reset. Or steal your phone and reset it that way. Or sim jack you. Or your password is leaked in one of the many database breaches. Or because Google have been caught multiple times storing passwords in plain text. You are also placing complete trust in a closed source system. You are 100% confident that Google encrypt your passwords securely locally, transmit them securely, store them securely, are unable to access them, don't have a single rogue employee who might try to access the database, etc? Auto-saving your passwords to the browser or to your Google account are equally as risky.

Use an open source password manager such as KeePass, and encrypt the database.

I would agree that a paper wallet is the best option for storing bitcoin untouched for 5-8 years, but creating and loading up paper wallets to hand out to family members who are otherwise unfamiliar with bitcoin isn't great advice. First of all, it makes them trust you unequivocally. They have to fully trust that you created the paper wallet in a secure method and left no traces of the private key on any device, and they have to fully trust that you don't have a back-up or another copy of the private key stored somewhere that either you could access in the future or could be stolen. It leaves them with zero knowledge about basic security practices, and also zero knowledge about what the string of digits or QR code you have handed them is or means.

I would suggest guiding them through the steps to create their own wallet, and then sending coins to them. It doesn't necessarily have to be a "paper wallet" in the classical sense - as long as they have the seed phrase written down on paper and stored securely, they will always be able to recover their coins from it.

See which apps are installed, show how much space each app is taking up, make it easier to install and uninstall apps, links for altcoins which are not supported...

So, this update is entirely targeted towards useless altcoins, while they still don't have proper UTXO/coin control or address management for bitcoin. Pretty disappointing really. I'll stick with Electrum.

This is the whole point of an offline wallet, in that it remains permanently offline. You sign the transaction offline, and then transfer it to a computer with internet access to broadcast it. In practice it would look like this:

1 - Set up a "watch only" wallet on an internet connected device using your public key, but not your private key. This wallet can see your addresses and balance, but can't spend anything and can't be hacked since your private keys are not part of it.
2 - Set up an airgapped wallet on a device with no internet connection using your private keys. This wallet won't be able to see up-to-date balances, since it has no internet connection, but will be able to sign transactions using the private keys.
3 - Open your watch only wallet on your online device, create a transaction you would like to make, and rather than hitting "Send", click on "Preview" and then "Export".
4 - Save the unsigned transaction you just created, transfer the file to a USB stick, and then transfer the USB stick to your airgapped device.
5 - Open your airgapped wallet, click on "Tools", "Load Transaction", "From file", and open the unsigned transaction from the USB stick.
6 - Sign the transaction on your offline, airgapped wallet.
7 - Repeat the steps above to export your signed transaction, save it to the USB stick, transfer the USB stick back to your online device, and load the signed transaction on your online wallet.
8 - Broadcast the signed transaction.

There's more info on this process in the Electrum documentation here: https://electrum.readthedocs.io/en/latest/coldstorage.html

People need to stop installing random software they come across and stop using Google to find services they want to use. Google serves up malicious ads constantly, and hosts malicious extensions and apps on their web stores constantly. They don't care about your security or privacy - they care about making money. If a scammer will pay to advertise their malicious site, Google will happily accept it.

Stop using Google altogether. They invade your privacy and serve you with malicious ads. Swap to a better search engine such as DuckDuckGo or SearX.
Install the uBlock Origin extension to block ads altogether.
Don't search for products, services, apps, extensions, etc., you want to use. Visit the official site and go from there.
Don't download any software, app, or extension, without really asking your self if you really need it.
Never enter your seed phrase on random sites or programs which ask for it.

Yeah, although these devices are closer to a paper wallet in similarities than they are to classical hardware wallets, they still don't fulfill the same purpose. I have a couple of paper wallets I use for long-term cold storage, because they are very secure and easy to back up by creating multiple copies. This isn't possible with an OpenDime or Tangem card. Similarly, you can't really use paper wallets as cash, since the receiving party has absolutely no way to know whether you created the paper wallet securely, or whether you have another copy of the wallet which you can use to then rip them off.

That certainly used to be the case, but since the security flaws in the Trezor discovered by Ledger and Kraken, I have stopped using my Trezor devices. Ledger certainly has the lead with the current devices on the market.

It doesn't rely on Bluetooth, as you can disable it entirely and use a USB-C cable instead if you want. Only public data is transmitted via Bluetooth anyway - an unsigned transaction from phone to wallet, and a signed transaction back from wallet to phone - and even then it is encrypted. As far as I know, no one has demonstrated any potential security risk from using Bluetooth. There's more info here: https://www.ledger.com/ledger-nano-x-bluetooth-security-model-of-a-wireless-hardware-wallet/

Yup, that's the same address I was given on both my "orders". 100% a scam.

Only if I don't get the required amount of lubrication. https://www.youtube.com/watch?v=PLRZ0dIvwHY

Sure, but it will cost you a 55-gallon drum of WD40. I have lots of things requiring lubrication.

That's ok, I'll film it.

Here is the list of all users who are trusted by at least one banned member who has earned more than 10 merit:


All of them have enough inclusions to remain on DT1 without the banned user(s) votes. The closest anyone comes is SyGambler, who has 11 votes (9x 250+ and 2x 10+), and would lose one 10+ vote from Bit-Exo.com, or zazarb, who has 15 votes (3x 250+ and 12x 10+), and would lose one 250+ vote from vit05 and one 10+ vote from Skeptical One, leaving them both with the minimum number of votes needed.

Having said that, I obviously can't take in to account the fact that not everyone including these two users will necessarily be voting for them, due to the limits on the numbers of votes each user is allowed to cast. So it could very well be that the votes from the banned users are needed.