Based on what I'm seeing under the " Bug Severity and Bounties" part of OneKey's program, I believe it means they were dealing with more than a single bug [perhaps we're not seeing the whole picture]! Or their bug founding was so big and important that OneKey decided to pay them extra reward to make them happy and (more silent) not so critical  I want to see researchers like this testing all other hardware wallets, because I am sure they could earn more money. You have a point, but the main issue is the fact that an average joe like me, doesn't have the necessary skills & knowledge to deal with such cases [unfortunately].
Average Joe probably can't do that for firmware, but luckily it's easier for developers to do it when wallet is open source. I would have not expected these news to come from China, to be honest. In my eyes, China is kinda a black hole if we talk about Bitcoin technology, gadgets, wallets and other tools.
Believe it or not, most of the hardware devices and chips are coming from China, so they are far from being a black hole. We already know that Ledger is made in China (and assembled in France village), Keystone is made in China, Safepal is made in China, and others that are less known. OneKey is most popular hardware wallets in China, some repots say they sold over 100,000 devices. Also, If I recall correctly Trezor wallets have a similar problem with physical attacks, back in the day after the Kraken video about that vulnerability, Satoshilabs suggested the use of a passphrase to mitigate the risk. Cannot all the Trezor based wallets do the same?
This is totally different from Trezor devices because they still don't have any secure elements, so it's logical that there is no communication between chips. It seems to me that the consequences of such hacks are overestimated. Hardware wallet continue to protect the security of crypto assets million users (online). For this it are needed. And if the attackers have gained physical access to HW, then it will no longer matter whether they use the help of a hacker or a $5 wrench attack.
It doesn't have to be hackers, it can be any regular lowlife thief or government parasite agents that finds or confiscates hardware wallet. Knowing they could hack it in one second would be nice surprise for them, especially in China. If I create the BEST and MOST SECURE hardware wallet on the planet. BUT I make it all closed source and remove all marking from all the chips so you can't see what they are.
Yeah, especially if you sign NDA with your partners, and create black box operating system for secure element, like some manufacturers are already doing |
|
|
|
I think I was the first person who asked that question to Sinbad in forum few days ago, if there are any connections with Blender and Sinbad mixer, but they still didn't reply anything so far. There are many similarities if you compare this two mixing services, but I would still like to hear what Sinbad has to say about this. We are not officials working for government agency so we won't sanction and judge anyone @Sinbad can you say more about claims I found posted on twatter by ErgoBTC. They claim that Sinbad mixer is working very similar like previously sanctioned Blender, with only difference being use of script type bech32 instead of P2SH. There are also claims of abusing coinjoins services like Wasabi and Whirlpool with purpose of fooling analytics. More information and links of transactions can be found in public, but they basically say that Blender is now Sinbad: https://twitter.censors.us/ErgoBTC/status/1624415264103190528#mWhy not just come out of maintenance and continue with the service as normal?
It's obvious why, to mitigate sanctions and operate as long as they can under new domain name. |
|
|
|
I supported the flag against saxydev, but I still hope you will receive coins you earned, and I can't wait to hear his reply after he comes back from that mysterious brb holiday vacation. One question for you c0ldbrewz, since you said that you don't know much about monero, who exactly asked for payment for your work to be sent in XMR instead of BTC or some other coin? |
|
|
|
I could not disagree more. Most of people already have those, probably, and even if not I don't see why you could not buy these separately. Imho there's no need to endlessly litter the planet with these when (at least in my experience) they mostly just end up in the bin.
Oh I see... you are one of those guys who is going to ''save the planet'' by paying more money for chargers and cables, sorry but I won't fall for that scam  We are talking about brand new hardware wallet here, and I am certainly won't pay more money to Coldcard for their special cables, and I am sure they are going to sell them separately with batteries as accessories. But few smartphone brand include poor quality USB cable and some people use/store their USB cable carelessly, So i feel a bit annoyed they expect customer have USB cable with acceptable quality when $199 no longer in cheap category for HW wallet.
And they forgot many people still have microUSB cables for their phones, but I guess that doesn't matter... |
|
|
|
My preference for now would be to drive down costs via higher volumes and manufacturing optimizations, as opposed to releasing a new low-end device (at least in near term). I'd love to get Passport's price point to $199. I think that would be more than fair price for Passport, especially when compared with hardware wallets from competition, Coldcard is from $149 to $199, Trezor is from $69 to $219, Ledger is from $85 to $300, Keystone from $119 to $169, etc. However, I would really like to see Foundation offering several devices with different prices, so people could choose for themselves what they want. Sorry dkbit98, the email notifications on BitcoinTalk are pretty bad, I will just keep it open in a tab in my browser and check frequently. You guys have a great community here, hoping to participate in more discussions.
No problem, we finally managed to get in contact Email notifications works fine for me for PM, but when someone mentiones your name in post Telegram bot @BTTSuperNotifier_bot is working great. |
|
|
|
Why not?
I said probably, mostly because of login feature, and because Bitcointalk is registered and operated in US, there could be some other issues related with rules and regulations. I don't know any other forum that works both on clearnet and onion domain, but I could be wrong about this. I just checked, and indeed didn't notice. My Tor browser works fine. I didn't know your browser had detection for Tor ddos attacks... It's easy to visit status page on Tor website and you will see why I said this: https://status.torproject.org/Tor is slow right now. Here is what is happening. https://blog.torproject.org/tor-network-ddos-attack/ |
|
|
|
Payment was promised will be send on 25th January. If he didn't send the payment like promised until 25th January than he broke a deal again, and he is known for doing that before his financial department will send the money on 25th January. Oh common please, this guy is lying that he owns some kind of company and people who work for him. His ''financial department'' couldn't send $90 without their master and commander, so they had to wait for him to return from Davos WEF meeting  Saxydev claimed he already sent the payment on 3rd February Even if with some miracle you receive this money in the end, it's a fact that he broke a deal and he was later with his payment. Nobody should trust this liar anything because it's obvious he can't keep his word. Oh yes, I almost forgot to say that I am still waiting to receive 0.1 BTC payment from him. |
|
|
|
It's high time that we get an onion address, don't you think?
No, I don't think we should get onion address and retire current .org domain, because we probably can't have bot of them in the same time. If you didn't notice Tor is currently under heavy ddos attacks and I think this can get much worse in future, that could makes bitcointalk forum almost unusable. Using onion domain for forum could be used only as alternative in cases when main domain is not accessible or down. |
|
|
|
I have one Ledger device, I want to input the private key not the phrase, is there a way to store the private key in the Ledger? I prefer to have a specific public address rather than a random one by phrase.
No you can't do that with hardware wallets, but you can generate seed phrase offline and import it in your ledger wallet, that way you don't have to trust device generating anything. Note that private keys or seed phrases should never be generated online, and you can just send coins from your old address to new one. I don't get it for leak things, does vanity is not safe? there is more than safe with phrase ?
Can you translate this in english language? Both seed phrase and private keys can be safe or unsafe, depending only on you and if you are doing things correctly or not, I am not know many about security or such program. how to proved the hardware is safe? 'cause I bought them from 3rd party.
You can verify if your device is genuine by following instructions on ledger website, but it should be fine if device was new and unopened. It's better to buy from official store or resellers, but you can always reset device and check inside for potential malicious changes. https://support.ledger.com/hc/en-us/articles/4404389367057-Is-my-Ledger-device-genuine-?docs=true |
|
|
|
 Ne znam samo kako je samo Krešo iskopao ovog ''stručnjaka'' Nevena i njegovu bradicu, a i komentari ljudi to potvrđuju Stablesi vrijede dolar samo dok su backani, čim nisu vrijede doslovno 0. Ovo treba dobro popratiti.
Imaš cijeli članak? Iza paywalla je.
Imam, plati mi Bitcoin ili CBDC Euro za full članak, za zaštitu od lažnih novosti i climate change support Šalim se malo, ima arhivni link: https://archive.is/bt3l6Još davno smo znali da trebamo pravi algoritamski stable coin ali onda je zbog nesreća, nemara, prevara i drugih faktora ta priča pala u vodu. Možda se sada ponovno aktualizira pa stvarno i dobijemo stable coin koji nema veze s fiatom iako to izgleda kao utopija trenutno.
Mislim da nismo daleko od stvaranja neke stabilne opcije na bitcoin blockchain i Lightning Network. |
|
|
|
Ima li plaćanje u gotovni (keš na ruke) jer sve skupa je uzaludno ako moraš
kripto preko banke i ostalih financijskih institucija kupovati / prodavati. Peachbitcoin je još u beta fazi, i za sada ima lokalna opcija za tri zemlje, ali bilo bi super imati gotovinsku opciju. Alternativna opcije koje sada možeš koristiti su Bisq, Localcoinswap.com, AgoraDesk... Svi referendumi i izbori su lažni, ako znaš kako se broje glasovi.
Binance je u velikom problemu sa svojim BUSD ''stabilnom'' kriptovalutom, kako piše WSJ Paxos prestaje sa izdavanjem BUSD tokena koji su vezani za dolar! Počeo je stable coin rat i ne bih se iznenadio da se nešto slično dogodi i sa USDT, USDC i drugima, i mislim da nije dobra ideja držati bilo što u ovim tokenima. https://www.wsj.com/articles/crypto-firm-paxos-to-stop-issuing-dollar-pegged-binance-token-94f65e52 |
|
|
|
It's $59 cheaper than passport HW wallet. But since Coinkite store mention "Batteries & USB cable not included", passport has better offer for those who consider cost of 3x AAA battery.
They started doing similar strategies like smartphones that don't ship chargers in package anymore, and I can't find information if microSD cards are included or not. I don't know any other wallet that don't ship with USB cable and I hope this won't be the new trend, but I guess everyone has some old cable from smartphones. For anyone who wants to sea size comparison of new Coldcard Q1 with older device and laptops, I found one interesting phone they posted. This device is very large in size and I don't think this can fit any normal pockets... just look how tiny mk4 is below  That annoys the crap out of me. You are taking pre-orders and have not finalized the design.
Someone asked for them to turn on device so we can see how screen will look.... they said it's impossible to turn it on right now, so it's basically just a dummy device riggt now. I think adding additional closed source secure element is nothing more than security theater, and there is no real benefit compared to using only one secure element and main chip. I think I chose the wrong set of words to portray the situation yesterday [my bad]... They might add "another" SE [from a different brand] on top of the existing ones that are present in Mk4, so it might end up having three SEs, but I also agree that they should've finalized the design first. - They also mentioned the same thing (three SEs) "is also part of the process for Mk5".So stupid... security circus that does (almost) nothing, except increasing production cost  |
|
|
|
I'll make myself available over the next 24 hours to answer any questions you have about Passport! Thank you n0nce for the amazing detailed review. I'll also do my best to spend more time monitoring this thread and on BitcoinTalk in general.
Available how exactly? I sent you personal message in forum more than two days ago and I still didn't receive any reply... maybe you didn't check your inbox  Like RickDeckard said before me, it would be a good idea to have official Passport distribution center in Europe, or have more options for resellers. I can't wait to see what is your next device going to look like, as response to Cooldcard Q1 and many others upcoming hardware wallets like Keystone Gen2, new Trezor with secure element, 1inch wallet, and lets' not forget Block wallet by Jack Dorsey. |
|
|
|
If possible passphrase is not stored on the wallet it is a good thing to go for while using a hardware wallet. That will give me the feeling of thinking that even if my seed phrase is known, I have different keys that the seed phrase can not generate without the passhrase.
It's true that passphrase is not stored anywhere on device but there are still methods to crack them especially if they are weak, so this is not a perfect protection. Good thing about this bug is that it could be fixed with software patch, but it shows that it's not enough just to put one or two secure elements and consider device secure enough. I am more interested to find what other closed source wallets had the same issue like this, Unciphered certainly knows about this but they can't release it in public because of NDA from manufacturer. |
|
|
|
Copper washers are also widely available and cheap, but I am sure everyone already have something from copper in their home, just make sure it's pure copper, not some of the cheaper alloys. I checked local prices for copper washers and they are very cheap, but I would always choose stainless steel if I had the option to choose, because it has much higher melting point and I think it's more durable. It would be interesting to see stress testing for copper washers, maybe that Italian member (can't remember his name) can do another round of testing soon with more acid and fire  |
|
|
|
The file storage permission is enabled, just like I meant before.
Can you tell us more information, what device you are using and what version of Android? Did you mes around with your smartphone, maybe installing some custom android rom, rooting phone and unlocking it? If everything worked fine on different device you can use it again, or maybe try installing Electrum in android emulator for testing. |
|
|
|
I am not surprised they are holding so much Bitcoins, and nobody knows how much fiat money they confiscated for all this years Maybe someone heard that PayPay was working on creating their own stable ccoin cryptocurrency for some time, but after recent regulations changes they decided to temporary stop with that activity. They worked with Paxos to create this new ''stable'' Paypal coin, but Paxos is currently under investigation by NY financial regulators, maybe because Binance is involved in alll this. I wouldn't connect any Bitcoin with PayPal account, and I wouldn't use any potential stable coin they may release in future. More info about this: https://archive.ph/oZP0B |
|
|
|
@Sinbad can you say more about claims I found posted on twatter by ErgoBTC. They claim that Sinbad mixer is working very similar like previously sanctioned Blender, with only difference being use of script type bech32 instead of P2SH. There are also claims of abusing coinjoins services like Wasabi and Whirlpool with purpose of fooling analytics. More information and links of transactions can be found in public, but they basically say that Blender is now Sinbad: https://twitter.censors.us/ErgoBTC/status/1624415264103190528#m |
|
|
|
...
Pmalek can you tell me if you are still in contact with Joe Grand aka Kingpin? I am interested to hear his opinion about recent exploit that affected OneKey hardware wallet, and maybe he can take a second look on OneKey devices since they forked from Trezor. If he manages to find new bugs in this devices it could be chance for him to earn more bug bounty money rewards I wrote more about that incident is one of my topics: https://bitcointalk.org/index.php?topic=5439320.0 |
|
|
|
This could be the first legit claim in this entire thread...
Or you have been smoking the same stuff like saxydev since you are the single person in the entire forum who is opposing my flag against this clown He actually owed money to another member before (and one more now), so this is not first accusation against him, but I guess you didn't read everything carefully. So, is there any certainty whether my work will be paid or not?
What work exactly you did for him? Provide some evidence for your work, it would be interesting to see this, but if address you gave him is showing zero coins, than you should make scam accusation against him. Even if he paid later than he promised means that he broke one more written agreement, that is reason for another flag against him. He owes me 0.1 BTC, and I am still waiting to receive this payment from him. |
|
|
|
|
Show Posts
