Corporate VPN usage and personal VPN usage are two different things, however.

I would also suggest that if your government blacklists Tor because they cannot spy on you if you use it, but they are fine with you using a VPN, then your VPN is probably not providing the protection you think it is. What is more likely - they are fine with people trivially bypassing their blacklists, or they know they can get whatever information they want from your VPN provider?

No, it's secret. Wasabi won't even tell you something as basic as why your coins are being censored. They certainly aren't going to tell you what is in the small print of their agreements.

He is deliberately not answering that because either he doesn't know, or he does know and it's awful as I described above. If he does respond to this direct question, I fully expect him just to repeat his same nonsense sound bites.

A taproot input is smaller than a P2WPKH input, but a taproot output is larger than a P2WPKH output.

A standard segwit v0 P2WPKH has 107 bytes of witness data, comprised of 1 byte item count, 1 byte signature length, 71 byte signature, 1 byte pubkey length, and 33 byte pubkey.
A taproot input will have 65 bytes, comprised of 1 byte signature length, and 64 byte signature.
This difference of 42 bytes is witness data and results in a taproot input being 10.5 vbytes smaller.

A P2WPKH output will be 21 bytes long, comprised of OP_0 and the 20 byte pubkeyhash.
A P2TR output will be 33 bytes long, comprised of OP_1 and the 32 byte output key.
This difference of 12 bytes is not witness data and results in a taproot output being 12 vbytes larger.

Therefore whether a given transaction is cheaper if using all P2WPKH addresses or all P2TR addresses will depend on the exact ratio of inputs and outputs.

I was thinking less about forgetting your derivation path and more about if you ever needed to use some different piece of software.

As I said above, you can easily back up your derivation path alongside your seed phrase, and therefore have no additional risk of losing your coins. The issue would come if you want to import your multi-sig in to a different piece of software for whatever reason that does not let you specify arbitrary derivation paths.

If you back up your full descriptors and always use the same version of Sparrow then of course there will be no problems. But it is fairly easy to imagine a scenario where you need emergency access to your funds and you are forced to recover the seed phrases using different software, perhaps on a different OS, perhaps on mobile instead of a computer, and so on. In such a case it is always going to be an easier process if you have used the widely accepted standards rather than done something unique.

It is of course up to you - just explaining my rationale behind preferring to stick to standard practices.

If your ISP has the technology, capabilities, and resources to monitor your connection and detect (for example) meek obfuscation of Tor traffic, then it will be trivial for them to identify your VPN traffic.

I have to say I don't quite understand your threat model. You seem to want to avoid Tor because you think your government will blacklist you if you use Tor to hide your traffic from them, but you think they will have no problem if you use a VPN to hide your traffic from them instead?

This is the sad truth. After Voyager collapsed, there were warnings everywhere to withdraw all your coins. And yet loads of people lost everything when Celsius collapsed a week later. And again when BlockFi collapsed. And again when FTX collapsed. And loads of people will still lose everything when Huobi or Kucoin or Binance or whoever collapse next.

Whatever Huobi do or do not say is irrelevant. Every single one of the exchanges I just listed above were tweeting about how everything is FUD and fUnDs ArE sAfU in the days and hours leading up to their collapse. No exchange which is fractional reserve will ever come out and say "Yup, we are fractional reserve", because they know that doing so will trigger a bank run which will collapse them within hours. Ignore what is or is not being said and get your funds in to your own wallet before it is too late.

I previously used Wasabi. I previously recommended Wasabi. I previously vouched for Wasabi.

Then Wasabi completely sold out everything they once stood for by funding and cooperating with blockchain analysis in order to protect their own profits at the expense of all their users. They are now pro-surveillance, pro-censorship, anti-fungibility, and anti-privacy. They are actively supporting the enemies of bitcoin and directly undermining everything bitcoin stands for.

No one should ever use Wasabi again. There are far better wallets and far better coinjoin implementations you can use instead.

It was reported as far back as 2017 that Huobi were using clients' deposit without their knowledge or consent and therefore running a fractional reserve system. I've been warning people on this forum about this for literally years:


The writing has been on the wall for years. Anyone who still had coins on Huobi is just asking to lose them all.

This is bad advice. The only way that withdrawals lead to bankruptcy is if they are fractional reserve. If they store every deposit in a secure cold wallet like they should, then they will have more than enough coins to process each and every withdraw. Everyone should withdraw all their coins now (or ideally, years ago).

That's not entirely accurate. A majority of miners colluding to manipulate the timestamps of blocks (or a single miner with 51% of the hashrate) could also create and maintain an artificially low difficulty.

I explain how such an attack would work on a forked chain with 100% of the hashrate taking part in the attack here: https://bitcointalk.org/index.php?topic=5452676.msg62269397#msg62269397

But if we consider the scenario with say 60% of the hashrate taking part in the attack, then of the last 11 blocks we would expect 4 or 5 blocks to have a timestamp of the current time, and 6 or 7 blocks to have an altered timestamp of weeks ago. If you consider the median timestamp of those 11 blocks, it is still weeks ago and so the attack is still successful.

If a hot wallet is all you can use, then they can still be relatively secure if you take all the sensible precautions. One of those precautions is not importing your seed phrase in to multiple different pieces of software. Choose a good piece of wallet software such as Electrum, use it to generate a new wallet and write down your seed phrase, and then never enter that seed phrase in to any other wallet unless you are recovering your coins in an emergency.

And yes, that hardware will be absolutely fine with Cinnamon.

Simply because it is the standard. I am not aware of a single wallet which derives P2SH address at m/49/0/x by default, while there are hundreds which follow the BIP49 standard of m/49'/0'/x'.

Just like there is nothing stopping me deriving a single sig wallet at m/3894329'/284760'/1609266' and backing up my derivation path, it is much safer to just stick to the standard m/84'/0'/0'.

The real question is: Why are you importing it?

I have a mobile hot wallet, for which I accept the poor security of hot wallets because of the convenience they bring. In this wallet I store a small amount of bitcoin I can afford to lose. That's my only hot wallet. I don't need to import it anywhere else, because it's already on my phone. If I needed to change phones, then I'll set up a new wallet and send the coins across.

For every other wallet I own, of which there are many, there is almost no scenario in which I would ever import the seed phrase on to a phone. These are a variety of cold wallets, paper wallets, hardware wallets, etc. I have never imported one of these wallets to a phone, and if I ever did, then that wallet is immediately compromised and insecure.

If you are looking for the closest feel to Windows, and your computer isn't ancient, then Cinnamon. If you need something light on resources for older devices, then MATE or Xfce will be better.

There is a much simpler solution to all the issues being raised here about keyboard apps: Don't type your seed phrase in anywhere. Simple. If I type any seed phrase in to any non-airgapped device ever, I immediately consider it compromised.

Moving from Windows to Linux is always a good idea, but as I said above, don't think that making this one change suddenly makes all your wallets secure. If you have a bit of technical knowledge, then I would suggest using Debian. If you don't, then I would suggest Mint since it is the closest in look and feel to Windows and relatively easy to set up and use.

The weakness that if you use Wasabi, you can no longer use bitcoin as it was designed - peer to peer with no third parties. You can't do this because you have to ask Wasabi to ask Coinfirm for permission to spend your coins in the way you want. If Coinfirm decide you are a naughty child, then you are censored. This is obviously a significant weakness compared to other coinjoin implementations.

A typo. Fixed.

He was specifically asking what Coinfirm do with the data Wasabi pay them to gather on your UTXOs. Whether or not Wasabi is open source is utterly irrelevant to this question. As usual you are answering completely different questions to what is actually being asked because you aren't honest enough to give the uncomfortable answers.

Coinfirm are a blockchain analysis company whose entire purposes and entire existence depends on gathering and selling data. Any data Wasabi pay them to gather will be used for any other analysis they want and sold to any other third parties they want.

Not at all. There are plenty of secure ways to store your keys, but a hot wallet is never one of them.

So use a hardware wallet where all the hardware and software is open source, such as Passport. Should they come under pressure to implement backdoors or similar, that will be viewable in the code.

A good Linux distro will be safer than Windows or MacOS, but simply using Linux does not make your wallets magically impenetrable. It is a single part of a good security set up.

That's the whole point behind pluggable transports. They mask your Tor traffic as something else which prevents your ISP or government from identifying it as Tor traffic. As I mentioned above, obfs4 makes your data look totally random, while meek makes it look like you are browsing a clearnet website. Given that these work in many different jurisdictions to bypass many different types and methods of censorship, we know that they work.

This is a completely false sense of security. Any decent malware can just wait until internet access is reestablished in order to transmit data. Devices are either airgapped or they are not. There is no such thing as this temporary airgap that people talk about.

The stock OSs which come pre-installed on phones are almost all closed source, so the answer is generally no, unless you are one of the few people using phones such as PinePhone or Librem.

Which one you choose matters less when it comes to this particular attack vector for multi-sig wallets, yes.

However, I would highly recommend sticking to the standard of using hardened paths for the first three levels if you are using 49 at the purpose level, not least of all to make your life easier when recovering your wallet in the future.

Not necessarily, no. It depends where you get the xpubs from.

If you are using the xpub already at m/49'/0'/4', then it will derive the right addresses. If you are using the xpub at m, then you will need to specify the derivation path.

m/49 is unhardened. m/49' is hardened. The relevance is that unhardened levels can be derived only using public keys, while hardened levels require the private keys. In short, they are entirely different numbers and will derive entirely different addresses.

If your output descriptors either include your derivation path, or are using the xpubs already derived from the relevant derivation paths, then yes.

Just be careful with hardened paths. You've said m/49/0/4, but I suspect you mean m/49'/0'/4'.