How can a hardware wallet firmware be open source? Saying that electrum's code is open-source means that you can build the software by yourself. How can you build a hardware wallet? Also, why don't you need to examine the device in which you're connecting the hardware wallet?
They're available on github: https://github.com/trezor/trezor-firmwarehttps://github.com/Coldcard/firmwareI think someone has actually built a Trezor from the parts they acquired. You'll require some skills though. Electrum's code may be open sourced but it won't mean that the hardware you're running on is free from backdoors (I don't think you'll want to audit the OS, it's very complex). Side channel attack may not seem as much of a concern for most but it's reasonable to assume that it's still a viable attack vector (for which most hardware offers little to no protection from them).As with the device used to connect the hardware wallet, if you can verify that the firmware does not transmit any private key nor modify any raw TXes to a malicious address intentionally, that should be fairly safe. On open-source projects you always have to trust yourself. Although, on hardware wallet you're trusting a company, but on electrum you're trusting the coding skills of 277 contributors plus the issues that they've answered. I trust Electrum as much as you but there are also hardware wallets which are open sourced as well. If both the firmware and the application is open source, then you'll probably want the machine that you're working on and it's firmware to be open sourced as well. Hardware wallets, with the inclusion of a secure chip, makes it harder for the attacker to compromise the device given it's various protection against the attack vectors (mostly sidechannel).
I don't think you can compare the security that a hardware wallet can provide against the myriad of attack vectors against a cold storage wallet. I don't dispute that it's difficult for someone to compromise your Electrum (through compromising your offline OS) but given physical access, it's much harder for someone to breach a hardware wallet than an Electrum wallet. That, and it's smaller margin of error is where HW wallets excel at. |
|
|
|
I meant that I trust an open-source project more than a device, a company sold me, that I cannot examine how it works inside. Even if everyone says it. Even if no one had problems with hardware wallets before. I don't understand why I should have this "trust" on my mind. On softwares, code talks.
But you need to examine the hardware for which you're running it in. Most of the hardware wallet's firmware are open sourced and you can also sideload them. In the hardware aspect, I'm pretty sure the machine you're running Electrum on is not open sourced as well. If having open source and viewable components is favorable to you, have a look at ColdCard. Having a cold storage wallet does not mean that it'll be completely safe from attackers, physical attacks can still take place with relative ease. I think it's debatable (being over-paranoid or not) whether sidechannel attacks are possible with the hardware that you're running in. But there are some vectors which hardware wallets are designed to be hardened against while software wallets cannot guard. Electrum is great for a normal use, other than the pretty serious vulnerability which affected JSONRPC using CORS preflight request of your browser. I don't think it really affects the discussion on cold storage wallet but it really reinforces the fact that having open source software and reviewing it doesn't mean that you can spot all the vulnerabilities. You must be able to trust yourself to review each line of the code diligently and understand what they're doing to ensure that it's free of zeroday exploits. |
|
|
|
If you deposit a huge amount of money in your bank account, the financial agency may investigate on how the money was made.
Yes. It's probably because they want to catch you off-guard and want to seize your funds. But why would you use a bank account? Cold, hard cash is completely untraceable and no one would probably find out if you hide it well enough. But if you own 2000 bitcoin, no one knows who you are to question you. For this and some other reasons, Bitcoin is preferred for their criminal activities.
Problem arises when you're trying to use it. Can the big criminal organisation utilise Bitcoin? Sure they can and I'm sure that it's good for them. Does the fact that they're using it for criminal activities undermine what Bitcoin is for? No. I need to reiterate. Fiat is the only currency in the world that is the most suitable for criminal activities. If you want to use Bitcoin, the liquidity and the low adoption rate is a good enough deterrence for large scale operations. I think it'll be good if you can eliminate them completely of course. You NEED to have some central authority tracing each and every transaction, manually do a background check on everyone and block transactions if necessary. Sounds familiar? That's Paypal for you. Fact is, Bitcoin is designed to be decentralised and pseudonymous. I don't think anyone should change that at all and I definitely don't think having criminal activities on Bitcoin is a problem that is serious enough to ruin the whole idea why Bitcoin was invented in the first place. |
|
|
|
Bitcoin was created as a means of payment, and some people are using it for that purpose. Unfortunately, this includes criminals. The rate at which criminals use Bitcoins to enhance their operation and make their footsteps sophisticated is just increasing!
Yet, fiat is known to be one of the largest untraceable currency that is most commonly used in illicit transactions. Heck, even Standard Chartered laundered billions of dollars. If you want the government to stop snooping in your daily lives, it comes at a cost and that cost is that it's attractive to criminals as well. Haven't you heard that "Bitcoin is a scam"? This phrase only comes up because people have been seeing Bitcoin used for such purposes. Bitcoin is available to everyone, so how can we stop/reduce the misuse of cryptocurrency? Considering that KYC is not involved because I and some people prefer being discreet about our identity. So, how can we stop this, and I'd still have my secrecy? This is already rubbing dirt on us and needs to be attended to.
Only? Is the term being alluded to Bitcoin facilitating illegal activities or is the term used because most governments do not recognise Bitcoin as a legal tender? I'm pretty sure it's the latter; it's not a scam even if illegal activities are happening on it (why don't people call your fiat currency a scam???) . You cannot stop or reduce the misuse without compromising your own privacy. I don't think it's an issue at all. If you want to address it, you have to address the prevalence of illicit money involving of the most widely known and untraceable currency which is your fiat. |
|
|
|
If I want to share some of my PGP information shit in my Bitcointalk signature in what way can I share it?
You should either share the fingerprint or use an online database[1] to store your PGP public key. if I share my publc key what is it even going to be used for? And If I share my Fingerprint what is the use of sharing some of your PGP info in your BitcoinTalk signature?
With the public key, people can encrypt messages to prevent third party from snooping with your information. The public key will allow people to import it into their own PGP WOT and be able to validate your messages when you use it. The fingerprint is like a hash of your public key. It'll be useful for people to validate your identity when the public key is too long. [1] https://pgp.mit.edu/ |
|
|
|
Having your own cold storage setup with an old computer or other device is very close to a hardware wallet, maybe sometimes even better. It's a bit harder to setup and use, but it's not rocket science, any advanced user will be able to do it, and it could be cheaper than a hardware wallet, as people upgrade their computers from time to time, so they probably have a spare computer quite often.
That's not true. Most computer are not designed to be resistant against side-channel attacks be it timing attacks, leakage of electromagnetic radiation, power analysis during the signing of txs etc etc. It will undoubtedly be cheaper than a hardware wallet but given that the information cannot be stored in a secure chip, it's fairly easy to at least obtain the encrypted copy of the wallet. Most hardware wallets have a feature which will wipe the wallets after too many tries and the ColdCard that I've gotten offers a feature with duress wallets to provide plausible deniability. Setting up an air-gapped cold storage is not difficulty or requires any special skills but keeping it anywhere near to the security level of hardware wallets could be fairly hard. |
|
|
|
|
There's nothing that can be compared to a hardware wallet. They are designed with security in mind. Their focus is on eliminating the possible attack vectors through both physical and non-physical means. Most hardware wallets has a security chips which is used to harden the device against bruteforce attack and are often designed to reduce the number of possible sidechannel attacks. Removing the software wallet and wiping the device does not mean anything if the malware was already on your device when you were generating the keys. They can and will be compromised regardless.
Even if you were to generate it offline, the problem arises when you have to send coins. Improper handling of the private keys and/or seed will make you vulnerable to attacks. Hardware wallet eliminates this possibility due to the fact that they cannot be infected by malware nor the private keys can be compromised through data transfers.
|
|
|
|
|
Contrary to popular belief, central banks of the country are not a private institution and are directly regulated by the government. In times of recession or similar crisis, the government will lower the interest rate so as to encourage borrowings from the consumers and firms, which will in turn result in an increase in consumer's expenditure and investment expenditure by firms. This results in an increase in the GDP as both are components of it.
The commercial banks should have a lower than usual interest rates when the central bank sets the interest rates lower. There's a difference between what a central bank and a commercial bank.
Tl;dr: Central Banks do not have to necessarily make a profit. They have to sometimes align with the policies enacted by the government as a stopgap to further deterioration of the economy.
|
|
|
|
Can this be a problem even if the charger remains at room temperature? Can I expect it to burn down the house, for example?
I don't think it'll spontaneously combust. Modern cell phone chargers has a bunch of safety features and fuses within the casing itself. Raspberry Pi Zero draws such a small current that I don't think it'll go anywhere near the limit of your cellphone charger. My Pi3 B+ has been running continuously since a year ago and the charger is still working fine. The charger does get warm to the touch at times but I keep it well ventilated. Oh yes. You will want a circuit breaker, a surge protector is not necessary but it's good to have one.
I think it's a fun project. But if I were you, I would've saved all the hassle and just buy a cheap printer. Most of them are decently cheap and has WiFi functionality with their own software as well. |
|
|
|
|
I would say Gold or other similar commodity are a hedge against inflation. It would make sense for the more conservative population to be purchasing precious metals as compared to other commodities. I wouldn't say that it for certain but most of the younger generation tends to be more well versed in technology and are generally more willing to take the risks. I find Bitcoin to be more of a suitable investment as compared to Gold and if history is any indication, Bitcoin tends to fare well in the long term.
|
|
|
|
|
PPS+ and FPPS(Full pay per share) are basically like a PPS(Pay per share) system but with the added benefit of the miner being able to receive the transaction fees generated from the mined block that is calculated within the number of shares (or rather proportion as compared to the rest of the pool's miners) in the last N rounds. I guess it's an improvement from a PPS system which assumes the TX fees to be absorbed by the pool operator.
I think it does reduce the varience of the earnings but you'll most likely be paying a higher fee than PPLNS or PPS.
** Mikey corrected me in the subsequent post. I had the impression that FPPS and PPS+ is the same. Learning new things everyday.
|
|
|
|
If you don't let it run continuously, it won't help the network too much. It helps but not much. Afaik, some node operators decide to manually config their nodes to connect some nodes they are thinking as reliable nodes. I don't know how know those nodes and how they choose. If your full node is run in 30 minutes, turns off, run again next 4 hours, and so forth I doubt your nodes will have connections with too many other nodes.
I think the addr advertisement will have some delay when you shut down the node for an extended period of time. After all, most only connect when they start their node up and are trying to find peers. When your node is offline for too long, I believe certain nodes will remove your IP from their peers.dat after a certain number of failures and resulting in poorer propagation. As with the issue of whether it runs continuously or not, I think that's pretty debatable. Running a full node primarily is beneficial for the user itself and for the Bitcoin network, I think it'll benefit from the addition but a single node and its uptime won't make too much of a difference. As with the uptime, I think your bandwidth (if you have any limitation) will play a bigger role to determine how much you can contribute to the network. |
|
|
|
I think there's an option in file > preferences > fees to enable manual fee setting.
The manual fee option is shifted to the dialog that is shown after the user presses Pay in the later versions. I don't think there's any preset fees and the user has to choose it at the point of the transaction.
Electrum shouldn't freeze when processing small inputs because it has no reason to. Can you go to Tools>Preferences and check Write Logs to files? Do the transaction again to make Electrum freeze and go to %appdata%/Electrum/Logs and paste the latest logs here. Anyways, the only option I see fit if Electrum is unusable is that you can try to import to another compatible wallet or create a raw transaction using Coinb.in. I think latter is still viable since Electrum will show you the transaction information when you try to sign it. |
|
|
|
|
If you were to draw comparison between the banning of gold and Bitcoin, it won't be valid. Physical items are easier to ban due to the fact that enforcement is way easier combined with the fact that all of it's transaction has to be physical. If you were to ban Bitcoin, the effects would be way lesser.
It's no secret that the government is collecting information about its citizens. If your government can be recording your metadata of your phone logs, you can be sure that they'll attempt to track your Bitcoins from the moment it leaves the exchange.
|
|
|
|
Had a brief email exchange with them and this is their response: Hi ranochigo,
Hopefully the customers who buy dice specifically, will understand that putting them back into order after rolling would be bad idea. We ship them loose in a plastic bag, so they will arrive with lots of entropy ready to go. Let's hope our customers don't undermine that!
I guess that's your answer. Their stand is that they hope the customer doesn't specifically choose the sequence of the dice. I don't think it's a great idea to not at least put a warning but if that's their stand then so be it. Tried to convince them otherwise through quite a few (lengthy) emails but I guess they have their own rationale as well. Hope it works well for them and the customers buying it (I personally think the coldcard is okay but nothing else). Don't get why they won't recognise it as a potential (however small) issue that they have given how the design is geared towards those who are paranoid. But hey, who am I to criticize them on this?  |
|
|
|
You mean the ECDSA keypair? This site has quite a few useful resources and I assume that's what you're talking about: http://gobittest.appspot.com/. |
|
|
|
The sequence doesn't matter, you must be paranoid if you ask this!
They counted their dices the way they saw fit and got a random number: 1111111111111222222222222222222333333333333333333333344444444444444444444444444 44555555555555555555555555......6666666666666666
They inserted that number and generated a seed phrase.
Their response is quite underwhelming to say the least. Isn't their hardware wallet designed for the paranoid with the inclusion of all the epoxy transparent chips and stuff? This issue isn't about paranoia at all and is a legitimate concern. Oh wells, I hope they actually misunderstood your point. |
|
|
|
|
Larger pools tends to have lesser varience when it comes to the time between the blocks they mined due to the percentage of the network's total hashpower that they own. If you choose to go with a larger pool, your payout would be more frequent while if you go with a smaller pool, your payout is probably more sporadic.
Luck is just a concept for the pool to measure how many shares are submitted before one meets the minimum target. It shouldn't differ too much across the pool and certain pools have payout schemes that discourages block withholding attack as well. In the long run, you'll probably earn the same amount across the pools with the only factor being the fees incurred. If I were you, I'll choose a pool which is reputable and has a low fee and just stick with it.
|
|
|
|
This information will be located in a block. This block will have a header that only miners can make. And the miners who make this header check the block for correctness. A non-mining full node will not be able to make a header for a block with incorrect information.
Then you have to assume that the information is only located within the honest chain. What stops someone from isolating you from the rest of the network and build a rogue chain with similar information and thereby tricking your node? The block header will have transparent information and it is not possible to implement such a system without some degree of reliance on a third party. This is not enough. To create a fake block header, you need to find the hash of this block with the appropriate hash rate. If you don't have the mining capacity, you can't do it.
If a SPV wallet doesn't implement checkpoints, it would theoretically be fairly easy to trick the SPV wallet by building an alternative chain. Since that chain is the only chain the client will see, it is assumed to be the longest valid chain. With a checkpoint system, the attacker will have to build the chain after the checkpoint which is significantly more difficult but will not require anywhere near 50% of the network's hashpower. You see, the reason why 51% attack works is because it can generate valid blocks faster than the rest of the network. You don't need anywhere near 51% of the hashpower if you have all the time in the world. I can probably generate a block with enough POW in a few days if I purchase enough hashpower. I don't need to worry about someone else generating the block before me because the client won't be able to see it. |
|
|
|
If there is no possibility now, it doesn't mean that it can't be done.
If there is information in the blockchain that can be used to determine which of the chains you need, you can always get this information from the full node without downloading the entire chain from the very beginning.
I don't like to fantasize about things so I'll prefer if there is at least a proof of concept that is available. What information are you trying to get from the blockchain??? How would you know if the full node you're referring to is telling the truth??? To feed the spv client a fake chain of block headers in real time, the attacker must have ~50% of the hashrate power.
OR, be the only source of information that the SPV wallet have. You'll in effect be able to feed the SPV client whatever you need, and you probably wouldn't need that much hashpower at all. The lack of information makes it seems like you're the 100% of the network and you are the (only) person who has the longest chain, proof of work wise. I think I can't make my point about sybil attacks clearer than it already is.
You really have to explain your points clearly, I'm having a lot of difficulty trying to understand what you're trying to say. I don't think Bitcoin is meant to be operated when you have to trust someone. |
|
|
|
|
Show Posts
