I think that's unlikely. What reason would someone have for backing up an invalid seed phrase to begin with? If they can't recover their wallet via BIP39, then they are going to search for other answers, not just immediately throw away their back up and assume their coins are permanently lost.

Note that Electrum isn't the only alternative to BIP39 either. There are others, such as AEZEED.

Or just be a switch.

It's worth noting that Electrum's seed phrase system pre-dates BIP39 by several years. Also, Electrum does not use a fixed wordlist like BIP39 does. BIP39 seed phrases will only work with the BIP39 wordlist. Electrum seed phrases will work with any wordlist you want. It uses the BIP39 one simply out of convenience, but you can replace the wordlist in the Electrum directory and use any wordlist you like.

There is no way you can tell if a seed is BIP39 or Electrum simply by looking at it, if they are both using the same wordlist. You simply have to try to import the seed phrase and see if it has an valid/invalid BIP39 checksum or a valid/invalid Electrum version number.

Oh damn. How did I never notice after all these years and all our Foxhole parties!?

It would seem I neglected to make this thread self-moderated. Please stop derailing this thread before I lock it.

They don't need to. An example:

Celsius owes you 5 BTC. Instead, they claim that 5 BTC is equivalent to 5,000 CelsiusScamTokens, convert your 5 BTC debt to 5,000 CST, and credit your account with 5,000 CST. Celsius have therefore just profited by 5 BTC by erasing the debt they owe you, and instead paying you in a made up shitcoin they just created out of thin air. They don't care what you do with your CSTs. They don't care that the market for them will crash to almost nothing very quickly. They have erased the debt they owe you, and so they have made a profit. Bonus points for them in that by you accepting this settlement, you can no longer sue them or join a class action lawsuit against them.

And in terms of the argument that this was a series of unfortunate events for Celsius: https://tokenist.com/celsius-network-was-selling-its-users-btc-and-eth-to-prop-up-cel-token-report/

This is deliberately malicious, not to mention completely illegal. Used coins belonging to customers to prop up the CEL market so that the top execs could dump their bags before the whole thing collapsed.

You should have a minimum of two back ups of each part, which mitigates this issue.

XOR is risky for the reasons I mentioned in my first post in this thread. Predominantly, you are entirely dependent on the implementation you are using being safe, secure, and not disappearing in the future, whereas passphrases are now standard across all good wallets.

Which is the same as using a multi-sig set up, which again, is standard across all good wallets, and does not have a single point of failure.

Not every time - just the first time. Once you've confirmed that you have definitely entered the correct passphrase the first time, by performing the process twice (or three times) and checking you reach the same set of addresses each time, then presumably you are going to fund the wallet. Every future time you enter the passphrase, you'll know that you entered it correctly because you will reach your wallet containing your coins.

But the chances of your seed phrase being compromised and your coins being stolen are exponentially higher than the chances of both your seed phrase and your passphrase being compromised.

That's the beauty of passphrases. There is no "right" wallet. Your hardware and software has absolutely no idea which wallet is the right wallet, and any string is a valid passphrase. This means it is harder to attack, and it gives you plausible deniability. This is a feature, not a bug.

That page isn't incorrect. When BSV first split, their max block size was indeed 128 MB. However, it is now 4 GB, and their total blockchain is over 8 TB.

Yeah, if you don't have the storage space for the entire blockchain then running a pruned node instead of a full node is a logical step. However, it's probably worth pointing out that even after 14 years, bitcoin's blockchain is yet to hit 500 GB in size, and you can buy a 4 TB hard drive for under $40. I don't think we will run in to the problem where it is prohibitively expensive to run a full node for a long time.

My point is that this half baked non-denouncing is not enough. He can and should just outright call CSW a liar and a fraud, as everyone else has.

As I mentioned earlier in this thread, I (and everyone else here) already fully know that Andresen's statements cannot be relied upon in any way. However, CSW continues to rely on witness testimony in court, because that is all he has. Having one his most well known and prominent witnesses make a complete denunciation is more powerful than the statement of "it was a mistake to trust CSW", as I'm sure CSW will no doubt perform his usual mental gymnastics to say that Andresen was referring to something else entirely.

I place no value whatsoever in the opinion of people like Mashinsky or SBF either, but I still think they should come forward, accept the blame, and apologize to all the users of their platforms for scamming them.

Fair points, but the implementation issue is only a single weakness out of many and so it doesn't change the fact that SSS is a poor suggestion for all the other reasons. This mitigation also relies on individuals using that specific implementation, and not other experimental ones, such as the one listed on Ian Coleman.

If you want a single sig wallet but with multiple back ups required to restore it, then I would say a seed phrase plus an additional passphrase is still superior to SSS. This set up can also be used to hold any altcoins which derive their keys via a seed phrase.

That's great news, and more than happy to have helped. Thanks also for updating us with your solution so we can refer anyone else in the future to the same solution.

For future reference, pybitcointools has a number of still maintained forks.

That link is very out of date. The most recent fork I am aware of is at block 772,981, which was around 2 weeks ago. There was a competing block with the hash 0000000000000000000682990a0dae862b48e0451d619938215dd47ed9560200 mined by Foundry. Usually we see on average around one such event a month.

I completely agree, with bitcoin as it is just now. But if you are talking about inflating the block size to several gigabytes or more, then such stale blocks become significant more frequent, and the chains of stale blocks also become longer.

It's actually 4 GB.

Because it takes longer to download, verify, and then broadcast that block to other nodes. It can take tens of minutes for such a block to make its way across the entire network, as opposed to the few seconds as happens in bitcoin at present. During those minutes, all other miners will continue to work on top of the previous block, and therefore have extra time to find a solution. If they find a solution by the time the other block finally arrives at them, they'll simply ignore it and keep trying to build on their own block, causing a growing re-org.

Let's call you miner A, and call me miner B. We are both mining on top of the same block. You find a block, which we will call A1, which you broadcast. It take minutes to reach me, and in that time, I find block B1, at the same height as A1. You are now mining on top of A1, and I'm mining on top of B1. I find B2, and broadcast it. By the time it reaches you, you have found A2, and some other miner has also found C2. Each of us keeps mining on top of our own blocks, because the time delay in broadcasting such oversized and bloated blocks means it takes a long period of time until someone finally gets ahead enough to win the race, resulting in a re-org many blocks deep.

Here's another link explaining this: https://bitcoin.stackexchange.com/questions/86169/why-do-large-blocks-increase-the-probability-of-chain-reorgs

That's a fair point. My counter would be that people aren't laundering billions of dollars to then spend a few hundred bucks on day to day transactions like buying groceries or paying for gas. If you want to spend that kind of money, then you are looking at buying mansions, yachts, that kind of thing. I'm not exactly au fait with that kind of thing, but I imagine KYC and AML are fairly heavily involved.

I mean, as I pointed out above they are already labeling any bitcoin touched by a company which the US government has sanctioned as "illicit". So the vast majority of bitcoin bought by Russian citizens via Russian exchanges is now "illicit", through absolutely zero fault of their own.

Imagine all your money suddenly being declared illegal and unspendable, by either your own government or even someone else's government on the other side of the world. Bitcoin fixes this, if you just avoid centralized scams exchanges.

I'm not sure I follow you here. Once you've entered the passphrase, your wallet software will use it along with your seed phrase to derive your master keys for that wallet. A salt of that length will make no noticeable difference to the length of time it takes to derive the master keys, and once the master keys are derived, then everything from that point on is identical. The only difference is how long it will take you to enter the passphrase, which I agree on a hardware wallet will take a significant amount of time selecting one character at a time.

What algorithms were being used to assess the entropy? Adding a space might be classed as a "special character", of which there are 33 in ASCII, meaning you go from 26 possibilities for each character (assuming only lower case letters), to up to 59 possibilities for each character, which gives you a falsely elevated entropy result. Different algorithms also make different assumptions about how much knowledge of the password the attacker has.

Which is no different to just writing down the passphrase on paper, as I've been saying all along.

Agreed. It's a drawback, but also an advantage. The mitigation is to enter your passphrase, note down the first address, reset your wallet, enter your passphrase a second time, and check the first address matches what you wrote down from the first round. Repeat a third time if you like to be extra sure.

This would be the ideal approach. I am by far an expert on the matter since I have zero interest in the vast majority of altcoins, but I was under the impression that there are decentralized exchanges which have trustless methods of automatically swapping one coin for another, via atomic swaps, smart contracts, and similar. If you employ one those, so that there is absolutely zero chance of the customer's coins being frozen and absolutely zero chance of KYC being demanded, then this would be a great service for a merchant. People can pay with whatever shitcoin they like, and I can receive bitcoin in return.

Deniability, and giving the attacker what they want.

I have my stash split among a range of wallets. These wallets are a range of single-sig, multi-sig, passphrased, etc., as well as a range of software, hardware, paper, airgapped, etc. I can easily hand over a couple of these wallets to an attacker. Meanwhile, all the wallets are completely separate, both from a physical perspective and a blockchain perspective, so no wallet gives any indication as to the presence of any other wallets.

This is part of the reason I am such an advocate for good privacy. Good privacy lends itself to good security. If an attacker does not know your addresses, your wallet configuration, or even if you have bitcoin at all, then you are less of a target.

Seems unlikely then that they would find a well hidden seed phrase, but personally I would still be looking to move any coins from any seed phrases hidden in that location to a new wallet.

Absolutely.

SSS is a poor method to use for a number of reasons. It requires the necessary threshold of shares to be brought together in one place on one device to recreate the wallet in question, which creates a single point of failure and compromise. There is no standard implementation, meaning you are completely dependent on the software you used to generate your shares, and without a copy of that exact software, it may be entirely impossible to recreate your wallet. There is also no guarantee whatsoever that the software you are using is actually secure, and the vast majority of users will be unable to audit the code for themselves.

Have a read of the following for more information: https://blog.keys.casa/shamirs-secret-sharing-security-shortcomings/

A far more secure approach is to use multi-sig.

A multi-sig still allows you to hide your seed phrases in several places.

Again, you can do this with multi-sig, without all the disadvantages that come with SSS.

You can read the (a?) NDA agreement that Gavin signed which was submitted as part of the Hodlonaut trial. It's available on Twitter here: https://nitter.it/Arthur_van_Pelt/status/1575785115061432320. There is of course the possibility of a second, still confidential, NDA existing.

I of course agree that everyone with any sense is already in complete agreement that Andresen was fooled by CSW. But this statement may be relevant to any upcoming CSW trials, where he relies heavily on witness testimony, since he is unable to provide any hard evidence of any sort, cryptographic or otherwise.

KuCoin is a centralized exchange which can request KYC from you at any time and seize your coins if you don't provide it. Just because you are using a non-KYC account with them at present does not mean you are either safe or private.

It baffles me that after a number of months in which millions of users have lost billions of dollars worth of crypto to various CEXs scamming, going bankrupt, shutting down, etc., people still try to claim that CEXs are safe or somehow better than trading peer to peer. Sending your coins to a CEX is one of the riskiest things you can do with your bitcoin.

What absolute nonsense. Can I put cameras all around your house? Can I have your email passwords? Why do you even wear clothes when out in public? What are you trying to hide!?