They claim to be completely anonymous but the app won't work outside the US, meaning that at a minimum they are tracking your IP, your location, or both. That doesn't sound very anonymous to me, not to mention the fact they are clearly lying when they claim to be anonymous.

They do provide a seed phrase, but it is displayed via your phone, making it only as secure as any closed source mobile app (i.e. not secure in the slightest).

Also, just lol at how wrong this answer on their support pages is: https://support.arculus.co/hc/en-us/articles/6218984488087-I-tried-to-send-multiple-transactions-of-BTC-and-only-one-succeeded-the-others-are-pending-and-I-do-not-see-them-on-the-blockchain

If the transaction is stored locally, then it is only stored locally in your Bitcoin Core client. By exporting the relevant private key(s) and importing them to Electrum, this unconfirmed transaction will not also be transferred to Electrum. You won't need to abandon it from Electrum because it won't exist in Electrum in the first place and Electrum will be entirely unaware of it. Whatever outputs were "stuck" in this unconfirmed transaction in Core won't similarly be "stuck" in Electrum and should be available to spend.

When you consider 11 fixed words and randomly selecting the 12th word, then yes, the numbers become exact rather than averages, as for any given first 7 bits (not 8 as you have used) of the last word then there is exactly 1 combination of the last 4 bits which is valid.

When approaching the problem from OP's point of view of randomly selecting words and hoping for a valid seed phrase then it becomes an average as if you were to take a 12 word seed phrase and cycle through all possibilities for the first word (for example) there is no guarantee that you would end up with 128 valid seed phrases, due to the unpredictable nature of the checksum.

There are (on average) 128 words which will be a valid checksum for a 12 word seed phrase. It is 8 words (on average) for 24 word seed phrases.

Don't do this! It is an incredibly insecure method of generating a seed phrase. You will not and can not choose words randomly, despite your best efforts. Humans are not random. Whatever seed phrase you end up with at the end of this process will not represent 128 bits of entropy.

Do not select words. Instead, flip a fair coin 128 times to create your entropy, calculate and append the 4 bit checksum, and then encode that 132 bit number in to the corresponding words. For each 11 bit section you will need to convert to decimal and then add 1 before looking up the word on the BIP39 word list.

You're not wrong. Having a deep and complex derivation path does add additional difficulty for an attacker. Derivation paths can be up to 255 levels, and each level can have any value between 0 and 2³² (2³¹ for unhardened paths and 2³¹ for hardened paths). This allows for a huge number of possibilities, a number which is many orders of magnitude higher than the number of possible seed phrases or possible private keys. If I told you my 12 word seed phrase, but had hidden coins on a derivation path along the lines of the code I've given below, I can be relatively certain you will never find them.


However, look at that number above. Compare it to the seed phrase given above. How easy do you think that number is to back up? How easy would it be to make a mistake while backing that up? There is no checksum, and no possibility to brute force or figure out a mistake. So a single missed digit, a single 1 read as a 7 or a 0 read as a 8, a single extra ' or extra number, and so on, will mean your coins and permanently and irretrievably lost. The risk of doing something like this is incredibly high and simply not worth it when there are better methods available.

If you are envisaging a scenario where both your seed phrase and passphrase have been stolen by an attacker, then your time would be much better spent figuring out better ways to secure your back ups of these things. If you want yet more layers of security on top of that, then you should use a multi-sig approach.

Incidentally, the address generated from the above would be bc1q690uf3jhzm7sjrhavdckk4jr44wxfy779gnuq8

I tend to agree. In a $5 wrench situation, then your best way of getting out of that situation alive and minimizing harm is to give the attacker what they want, which is some bitcoin. If they see you own a bunch of bitcoin which then automatically moves to a different wallet or your wallet app self destructs or whatever, then they still know you own that bitcoin and can just hit you until you reveal your back up, the other wallet, whatever. Instead you need to be able to hand over some amount of bitcoin to them while keeping them unaware of your main stash. This means segregated wallets with different devices, seed phrases, passphrases, etc., and it also means good on-chain privacy so there are no obvious blockchain links between your daily wallet you are going to hand over and your larger holdings.

Sure, but it is still not foolproof. The other option I considered would be storing the text file of addresses encrypted, so you can be sure it isn't being edited in between the times you decrypt it. But can you be 100% sure there is no malware which will change the address in the few seconds between you decrypting the file and opening it? Or in the few seconds between you closing the file and encrypting it again?

There are various things you can do to make your electronic file safer, but much like backing up a seed phrase, if you want the ultimate in security then you should have a non-electronic physical copy.

Mainly rich idiots he has fooled in to believing his scam. There are a handful of users on this forum who pop up occasionally with their support for BSV, but usually leave after being confronted with mountains of evidence against CSW for which they have no rebuttal.

It's not, really. We all know he is wrong. He has been proved wrong multiple times, from signed messages from addresses he claimed to own calling him a fraud, through to complete dismantling of the forgeries he presents as "evidence". But CSW has been smart enough so far to make sure none of his court cases are to determine whether or not he is Satoshi (because he isn't), but are on parallel nonsense like "These tweets hurt my feelings" and "The devs are legally bound to fork the code".

100% this.

Easily explained by the fact CSW does not understand the math in the whitepaper and therefore had no idea his forgery was incorrect. There are similar instances of him incorrectly plagiarizing equations in many of his academic publications and not realizing his mistakes because he doesn't understand what he is plagiarizing.

There are lots of risks involved and potential attack vectors when connecting to a public WiFi, from man-in-the-middle attacks to loading malware on to your device. It's best to avoid public WiFi altogether and use your own mobile connection.

We don't know that because both of the wallets OP talked about are closed source, so they could be sending the seeds anywhere and you would have no idea. Other closed sources wallets have been caught sending unencrypted seed phrases across the internet (for example, Coinomi sent seed phrases to a Google server).

The facts are that neither your app nor your hardware is open source. It is impossible for the end user to verify anything that is going on and they must have complete trust in you and your product. They cannot verify their seed phrase or keys were created securely, and they cannot verify they are signing what they think they are signing. Having the seed phrase displayed on the phone is a huge security risk and makes the product barely any better than a free closed source mobile wallet. Users have no idea what the app is doing in the background, how much data it is collecting about what is going on, or how much data you are collecting through your servers which your app is connecting to.

The price is ridiculous when you can get a proper open source hardware wallet with a screen like a Trezor for 20 bucks less.

I got a server error on your landing page, but it seems a new Tor circuit has solved this.

The whitepaper is not a whitepaper at all - it is an advertising brochure. It explains nothing about the inner workings of the app or the hardware.

There are so many problems with CSW's 0.0.8 code that it cannot be believed by a thinking person. He somehow included a bug fix which Hal Finney wouldn't point out for several months, but then reversed the bug fix for when he released 0.1.0. He somehow includes a compressed bitcoin address, support for which wouldn't be implemented for several years. His 0.0.8 file has an incorrect checksum, but its checksum just magically happens to validate perfectly for version 0.1.0. He includes code plagiarized directly from this forum, including cutting off early with incomplete code as a post on this forum did when it hit the character limit (apparently he was too stupid to realize the next post in the thread had the rest of the code).

The whole thing is an absolute smorgasbord of incompetence.

But in both cases, how do you convince the attacker to stop hitting you?

You could prove the address sent to is a multi-sig, by either revealing its script or spending from it before so its script can be viewed via any block explorer. But how do you convince the attacker that it is a multi-sig with other people and not just 3 of your own wallets? In the case of the timelocked transaction, how do you convince the attacker that although there has been a timelocked transaction you don't still have the seed phrase/private key to the wallet which created the timelocked transaction and could just create a normal transaction any time you want?

At the end of the day, having a not-that-secure mobile wallet with a small amount of funds is not the worst thing in the world to lose, if by handing it over to an attacker you thereby avoid revealing anything about your main stash.

The issue with this is that you have no way of verifying the address at a later date. If I copied an address from a hardware wallet in to a text file, and then came back to that text file a few weeks or even months later, then I would almost certainly not notice if the address had been changed to a different address. If you store the list locally then you are at risk from malware, and if you store it online then you are at risk from attackers or hacks. If you are planning to do this, then I would also keep a way of verifying the addresses had not been tampered with - the simplest way to do this would be to have a hand written list you carry in your physical wallet, phone case, etc.

Need an address -> open your digital file of addresses -> copy and paste the next one to the site in question -> confirm what you have pasted against your hand written back up -> proceed.

Now, I'm not saying this is what is happening, but if I was wanting to pull off a widespread hardware wallet scam, this is what I might do:

• Create a closed source device which can be mass produced very cheaply, like a simple bank card
• Make this device seem far more expensive than it is (such as by stamping "Retail Value $99.00" on the box - I mean who does this? And seriously? A 100 bucks for a card with a chip in it? The kind that banks and stores give away for free to all their customers?)
• Make the device generate a seed phrase from a predetermined list which I secretly have access to
• Hand out as many of the devices as possible for free

The whole thing seems very suspect to me. I tried to poke around their website for some more info, but it returns a server error. If the device truly does cost 100 bucks, where did they get the funding to be able to hand out thousands of the device for free? And why would they do that? No other hardware wallet manufacturer has needed to do that to get their product established.

I'm sorry for the loss of your coins, but there are a lot of things you (or your wife) did wrong here:

• Atomic wallet is closed source
• Trust wallet is closed source
• Interacting with your seed phrase anywhere except the security of your own house
• Probably doing all this while connected to a public WiFi network

This will only find cameras which are emitting infrared light. Not all cameras do this, so it is not 100% reliable.

Gavin Andresen was referred to heavily in the recent Hodlonaut court case by CSW's lawyers, with explicit mention to the fact that Andresen has never withdrawn his statement that he believes CSW to be Satoshi. Andresen has also been referred to similarly in previous court cases, and no doubt will be referred to in future ones too. All this ends if Andresen releases a statement saying "I was wrong".

Yes, we all know that signatures should be publicly shared and publicly verified, but since CSW knows he can never do that, he is pushing the view that the opinion of enough noteworthy individuals is enough to declare himself Satoshi, and the media (and to some extent the courts) seem to be going along with his nonsense. Andresen is front and center of that collection of noteworthy individuals. The sooner he does the right thing then the better for all of us, especially all the victims of CSW's sham lawsuits.

Until they hit you so much you reveal how to access the destination address.

You need something with plausible deniability. Different passphrases as Loyce has pointed out is the usual route to take. To build on your system, I guess you would need some way of making your phone appear like it was infected with malware. Perhaps it broadcasts the attacker's transaction with a very low fee, and then a few seconds later RBFs it to a different address. Or every time they enter their address, it makes it very obvious that the address is being "maliciously" changed to a different one.

This is different. An online account can have its password attacked remotely by anyone anywhere in the world without ever being near the device (physically or electronically) which is storing both the password and the 2FA. While having both password and 2FA on the same device is not optimal, in such a scenario it does still add additional security. This is not the case for a mobile wallet which is being discussed here. An attacker must compromise your device somehow to access your wallet file, in which case everything else on that device is similarly vulnerable to compromise.

Yeah. At the start of the proceedings however many years ago, CSW was being represented by Ontier. At some point he changed over to these new layers from Schjodt. In the trial he claimed it was because his previous lawyers refused to let him bring forward witnesses (). Perhaps it was actually his previous lawyers insisted on some kind of hard evidence rather than just hearsay, and when presented with the stack of obviously forged documents, emails, code, etc. which ended up being submitted, they just noped out of there realizing that CSW is a complete liability. But as you say, there is always someone else willing to take on losing cases if they will be paid handsomely for doing so. And although costs have not yet been submitted, I've been reading suggestions CSW's legal fees were more than double those of Hodlonaut.

And yet, every single one of those has the power to lock your account and seize either your fiat or your crypto, which is exactly what OP wants to avoid. Tried and trusted means nothing, and I can find plenty of examples for every single one of those exchanges of people having their accounts locked or restricted. I'm also curious as to why you call P2P sites "risky", considering they are far more secure than centralized exchanges. You can't have your coins seized or your information leaked/hacked if you never hand over control of either of things to begin with.

The only issue with using a good peer to peer exchange such as a Bisq for OP is that he has never used one before and wants to spend $50k. I would suggest OP makes a few small purchases first to familiarize himself with the process, and then he will likely need to spread his total $50k across multiple trades for liquidity reasons, but that's not necessarily a bad thing.

It is becoming increasingly clear that CSW's complete ineptitude with all things bitcoin extends to all things technical and computing related. These forgeries are some of the most obviously faked things I can possibly imagine. The whitepaper equations being invalidated and him not even realizing are hilarious. Here's another hilarious one: https://nitter.it/bitnorbert/status/1573577987525574656#m. He tried to forge Kleiman's signature by typing it in a handwriting font.

I do wonder why his lawyers allowed this nonsense to be submitted? Are they completely incompetent too? Or did CSW submit it without their knowledge?