Bitcoin Forum
June 30, 2024, 11:19:47 PM *
9261  Economy / Service Discussion / Re: Best Method: How to mix - the entire process on: October 01, 2020, 06:51:40 PM
I have now used Chipmixer with success. It's very very simple, I really didn't expect that.
Yes. Smiley It also took me an embarrassingly long time to use the "Import" buttons on the page which displays the private keys, and to stop copy and pasting each one individually.

But for anyone who is using this thread as a guide, don't forget to configure your Electrum (on Tails) to store / save bitcoin on the Persistent Volume before you send any coin to it.
Definitely. I would suggest setting up Tails, setting up the persistent volume, setting up Electrum, creating a wallet and saving it in the persistent volume, noting down the first address, and then shutting down your computer, unplugging the flash drive, and then loading everything up again from scratch to ensure your wallet is still there before you send any coins to it. And as I said above, you should still be securely storing your seed phrase on paper as protection against loss or damage of your flash drive.
9262  Economy / Trading Discussion / Re: Trying to share wisdom on: October 01, 2020, 06:45:16 PM
Besides, bits of verifiers info will be automatically linked/recorded immutably on the decentralized ID profiles of people they verify for record keeping, just in case rules were broken or for something else
I would still feel very uncomfortable with that set up.

So my documents still have to be uploaded somewhere, and stored on an immutable ledger, meaning that once they are uploaded they can never be deleted. There must also be a mechanism for revealing my details to the other party if they feel I have wronged them in some way. Who oversees this process? There must still be a trusted third party here, or else everyone could just put in a scam report and have my details revealed to them. What if the third party gets it wrong? What if it turns out there is a bug in the encryption or storage process, which means someone manages to breach the entire database?

I'm much happier trading with no KYC at all.
9263  Bitcoin / Bitcoin Discussion / Re: Quantum resistance on: October 01, 2020, 12:30:43 PM
1 qubit is equal to 2 bits, that is already fast.
The only way one qubit can encode 2 bits of information is if two parties share an entangled qubit prior to transmitting data to each other. For most cases of quantum computing at the moment, 1 qubit is equal to 1 bit.

This cannot be reconfigured into something that can break SHA-256, or try to play with the algorithms and cryptography embedded within bitcoin.
Breaking SHA256 is not the concern when it comes to quantum computing. At best, a quantum computer running Grover's algorithm could reduce the operations needed to break SHA256 from 2^256 to 2^128, which is still far too large for any computer, and certainly far too large for the small quantum computers we are talking about. Breaking elliptic curve multiplication is the concern, as a quantum computer running Shor's algorithm could reduce the operations required from 2^128 to somewhere in the region of 128^3, which is achievable.
9264  Bitcoin / Bitcoin Discussion / Re: Quantum resistance on: October 01, 2020, 09:23:26 AM
This 5000 qubit machine is not a universal quantum computer in the same sense of the ones being developed by other vendors. It is a quantum annealer, which can only be used to perform a few very specific calculations. It is irrelevant to bitcoin. True universal quantum computers which may be able to break elliptic curve multiplication are still a few decades away.

Even so, when we reach the stage that elliptic curve multiplication becomes vulnerable, then there are two things which can happen. One, and very simply, users can stop reusing addresses. The private key is only vulnerable once the public key is known, and the public key is only revealed when a transaction is made. If you haven't made a transaction out of an address yet, then your funds remain safe. Secondly, we can fork to create a new address type which would be quantum resistant, just like we forked to create SegWit addresses.
9265  Bitcoin / Bitcoin Discussion / Re: Bitcoin had a stale block this morning on: October 01, 2020, 08:48:20 AM
Are you sure?
Yes. As jackg has said, after only an hour then the chain with the most work would also be the longest chain. There would need to be a chain split which lasted for a week or more, including over a difficulty adjustment, to create a chain with more blocks but less difficulty.

In less than 1 hour, would it be possible for a chain to have more blocks with a smaller hashrate?
This is a different issue, and yes, this is also possible. We see block times of over an hour not infrequently. Let's say there is a chain split right now which lasts an hour. The hashrate is split 60%/40%. It is entirely possible that the part with 60%, through random chance, only finds a single block in the next hour, while the part with 40% could find two or more. When the chains recombine, the chain with the smaller hashrate during the split will become the main chain.
9266  Economy / Exchanges / Re: Coinbase offers exit package for employees not comfortable with its mission on: September 30, 2020, 08:14:31 PM
I've got nothing against companies remaining apolitical, but I have two issues with this statement from Coinbase.

First of all, stop dressing it up with obvious lies about "changing the world" and "solving inequality". Just be honest and say what you really mean - "We don't want to take sides in any political debate because that will alienate the other side and that might turn off some customers and affect our profits, which after all, is all we care about."

Second, and more importantly, this quote:

This means we want to use cryptocurrency to bring economic freedom to people all over the world.
Fuck off. Just fuck off Coinbase. If this were even a little true, you wouldn't hand over customers' private data to the IRS. You wouldn't have formed a partnership with morally bankrupt human rights abusers to use their technology to spy on your users. You wouldn't have then sold this technology to the IRS, the DEA, the FBI, the CIA, and who knows who else. Global economic freedom? Please. You don't even give customers freedom over their own coins that they deposit to your exchange. This is such a brazen lie that Coinbase's users should feel insulted they even tried to pass it off.

As always: Delete Coinbase.
9267  Economy / Trading Discussion / Re: Mempool, static or the ETA is the cheapest? on: September 30, 2020, 07:33:20 PM
Is the ETA option based on the Mempool ?
Yes. The ETA option gives an estimated number of blocks to have your transaction confirmed in - between 25 blocks and the next block. To estimate this, Electrum looks at the current size of the mempool, and places your transaction anywhere from 0.1MB from the tip for the next block, to around 10-12MB from the tip for 25 blocks.

This is, of course, only an estimate, as it is impossible to predict the future. It assumes that blocks are found at 10 minute intervals, and while this is the average, it is not uncommon to have block times of up to an hour. Further, at any time someone (likely an exchange) could drop several megabytes of transactions in the mempool which could push your transaction down.
9268  Bitcoin / Bitcoin Technical Support / Re: Question on public keys on: September 30, 2020, 07:24:11 PM
To brute force my all private keys an attacker should have both key master public key + a private key?
Correct. An attacker would need access to both.

You should obviously never purposefully share any of your private keys, but people will often export their master public key to either create watch only wallets, or to import in to some services to generate a new receiving address each time. Should you accidentally leak a single private key from this wallet, the combination of one private key and the master public key is enough to derive all the private keys in that wallet.

If an attacker knows one of my private keys is there any chance that he could brute force my other private keys?
Not without also having your master public key.



A slightly more technical explanation follows. Let:

k = private key
K = public key
c = chain code
i = index
n = order of the secp256k1 curve

The steps for calculating an unhardened child key are

Calculate HMAC-SHA512(K_parent, c_parent, i)
Take the left 256 bits of the result, and add to k_parent (modulo n)

In simple English, this means to calculate a child private key, you first concatenate (join together) the parent public key, the parent chain code and the address index, hash the result, take the left 256 bits of the result, and add it to the parent private key.

We can simplify that equation to essentially the following:

Child private key = Hash calculation + Parent private key

In this scenario, an attacker knows a child private key, and can work out the "Hash calculation" from the master public key (which includes the parent public key and the parent chain code; the index can be brute forced). The only thing he doesn't know is the parent private key. So he rearranges the equation to:

Parent private key = Child private key - Hash calculation

Once he knows the parent private key, it is trivial to calculate every child private key in your wallet.
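The arithmetic described in the post above, as an added example that is not part of the original post: it derives an unhardened BIP32 child key, rearranges the equation to get the parent key back, and shows that the same rearrangement finds nothing for a hardened child, whose hash input is the parent private key (that comparison goes beyond the post and follows the BIP32 specification). The parent key and chain code are constructed test values and the function names are hypothetical.

```python
import hashlib
import hmac

# secp256k1 parameters (N is the curve order "n" from the post)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
HARDENED = 0x80000000  # indexes >= 2^31 use hardened derivation

# Constructed test values, never use as real key material
K_PAR = int.from_bytes(hashlib.sha256(b"constructed parent key").digest(), "big") % N
C_PAR = hashlib.sha256(b"constructed chain code").digest()

def point_add(a, b):
    """Add two curve points; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1] % P, -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow((b[0] - a[0]) % P, -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def point_mul(k, pt=G):
    """Double-and-add scalar multiplication (not constant time, demo only)."""
    result = None
    while k:
        if k & 1:
            result = point_add(result, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return result

def ser_pub(k):
    """Compressed public key K for private key k."""
    x, y = point_mul(k)
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")

def tweak(chain_code, data, index):
    """Left 256 bits of HMAC-SHA512: the "Hash calculation" in the post."""
    mac = hmac.new(chain_code, data + index.to_bytes(4, "big"), hashlib.sha512)
    return int.from_bytes(mac.digest()[:32], "big")

def ckd_priv(k_par, c_par, i):
    """Child private key = hash calculation + parent private key (mod n).
    BIP32's rare invalid-key checks are omitted for brevity."""
    if i >= HARDENED:
        data = b"\x00" + k_par.to_bytes(32, "big")  # needs the PRIVATE key
    else:
        data = ser_pub(k_par)                       # public data only
    return (tweak(c_par, data, i) + k_par) % N

def recover_parent(pub_par, c_par, k_child, max_index=20):
    """Parent private key = child private key - hash calculation, trying each
    index; a candidate is accepted only if it reproduces the parent pubkey."""
    for i in range(max_index):
        cand = (k_child - tweak(c_par, pub_par, i)) % N
        if cand and ser_pub(cand) == pub_par:
            return cand, i
    return None

def demo():
    xpub = (ser_pub(K_PAR), C_PAR)  # what a watch-only export reveals
    unhardened = recover_parent(*xpub, ckd_priv(K_PAR, C_PAR, 7))
    hardened = recover_parent(*xpub, ckd_priv(K_PAR, C_PAR, HARDENED + 7))
    return unhardened, hardened

if __name__ == "__main__":
    print(demo())
```
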
9269  Bitcoin / Bitcoin Discussion / Re: Bitcoin had a stale block this morning on: September 30, 2020, 03:32:13 PM
In a possible blackout in the communication between poles of the planet, we could still easily identify the longest chain and continue without major consequences.
Correction: It would be the chain with the most work involved in creating it, which is not necessarily the longest chain. In your hypothetical scenario of a chain split, both chains would end up with less total hashrate and so would adjust their difficulty downwards to compensate. A chain with less hashrate could generate more blocks, but the shorter chain with fewer but "harder" blocks may have done more total work, and so would be the favored chain.

But having 1 confirmation for btc transaction is enough to conclude the success of bitcoin transaction.
No, it isn't, exactly as we have just seen here. With stale blocks, a transaction can go from 1 confirmation back to zero confirmations if the block it is included in ends up being rejected in favor of a different block.
9270  Bitcoin / Bitcoin Technical Support / Re: Question on public keys on: September 30, 2020, 02:57:46 PM
Firstly, you appear to be mixing up two concepts. There are individual public keys and there are master public keys. Individual public keys only generate a single address (or more specifically, can generate three addresses - a "1", a "3", and a "bc1" - but this is a very uncommon use). Master public keys can generate all the individual public keys in your entire wallet, and therefore, every address in your wallet.

It is not possible at the moment to brute force a private key from a public key. Such an attack may become possible in the coming decades with the ongoing development of quantum computers, but if such an attack was an impending possibility, bitcoin could fork to implement a quantum resistant address type.

There is one special case worth mentioning, and that is the case of if you have accidentally revealed any single private key from your wallet. If an attacker knows your master public key and any single private key, they can bruteforce all your private keys.
9271  Bitcoin / Bitcoin Discussion / Re: Security of multisig vs regular wallet on: September 29, 2020, 08:30:08 PM
-snip-
It's a fair point, but there are other ways Alice can mitigate the risk of compromise of her back up without having to resort to multi-sig and the decreased usability and increased fee which it brings. She can split her seed in to multiple parts, meaning an attacker needs to gain access to more than one part, which would make her risk the same as Bob's. She can encrypt her seed phrase before backing it up. She can use multiple passphrases.

I would also suggest that 2% is far too high a risk of compromise, and if you estimate that for your seed phrase then you need to think about storing it more securely. The stark differences in your final numbers become much smaller when you estimate a 1 in several thousand chance of compromise, rather than a 1 in 50.



As an aside (and a pedantic one at that), your math is slightly off for Alice's risk of compromise. Given the chances of any of her back ups being compromised are independent events, then the probability P of event A or event B or both occurring is:
Code:
P(A∪B) = P(A) + P(B) - P(A∩B)
So the chance of her seed phrase being compromised would be 5.88%, rather than 6%.
9272  Bitcoin / Bitcoin Discussion / Re: Security of multisig vs regular wallet on: September 29, 2020, 07:13:52 PM
1 - Single point of failure. This is only true if you have a single back up, which is a bad idea all round.

2 - Entropy. This is an improvement if you cannot be certain about your source of entropy. If you can be certain about your source of entropy, such as flipping a coin, then this argument is unnecessary. If 2^256 can be broken then your private keys can be broken, regardless of how many signatures are required.

3 - Privacy. You shouldn't reuse addresses anyway, so revealing the public key when you spend from an address is not an issue.

4 - Shamir's secret sharing. I would never use cloud storage for anything, but you can quite easily split a single seed with Shamir's secret sharing and spread that across multiple cloud servers if you want. I would add that splitting 3-5 different keys each in to 3-5 parts and spreading them across multiple sites is going to make your recovery process very difficult and error prone.

Multi-sig can certainly be more secure in some cases, but for the majority of users it is unnecessary. It would add no additional security to my permanently airgapped, fully encrypted cold storage, for example. It also comes with a cost of being more cumbersome to use and requiring significantly higher fees.
9273  Economy / Trading Discussion / Re: Trying to share wisdom on: September 29, 2020, 03:54:15 PM
I will probably accept decentralized third-party verifier/verifiers to verify my private info and my identity physically, as long as they are not storing the information in their equipments.
Two problems with this.

First of all, there is no way to know your information is not being stored. If you are sending your details and data to a third party, you have to completely take them on their word that they will delete it after they are done. You need to trust them completely. There is also the possibility of your information being intercepted in transit or accessed by someone other than the intended recipient.

Second of all, I'm not sure what this achieves. KYC on centralized platforms is so they can comply with government regulations, and on decentralized platforms such as this it is seen as a security measure to help prevent scamming. If I verify my identity, and then all record of the verification is wiped, then what has really changed? A CEX can't prove to the government I am who I say I am because all my information has been deleted, and a trader on a DEX can't hand my details to the police if I scam because all my information has been deleted.
9274  Other / Beginners & Help / Re: Store your bitcoin seed / private key safely (Water, Fire, Shock-proof) on: September 29, 2020, 02:46:12 PM
I do not think this kind of items can be found in my location, some of the items are expensive even than hardware wallets, this is a good information but I can not consider it because they are expensive, another thing that matters is the money.
The stress tests by Jameson Lopp are great, but what is more important than the individual ratings he gives is the general outcome from different kinds of devices.

The majority of devices which have tiles being placed in to a holder or template perform very poorly. Even a small amount of bending from crush damage or warping from fire damage is enough for all the tiles to fall out, resulting in catastrophic data loss. Conversely, the majority of devices which involve either stamping letters or inscribing letters by hand on to a durable metal plate, typically stainless steel or titanium, perform very well against all forms of damage.

With this in mind, these devices are unnecessarily expensive. You can walk in to any good hardware store (or even just use Amazon) and find a stainless steel plate for a couple of bucks which you can etch your words on to. No need to be a custom device for $50 or more.

This cost me nothing, I have three backups with three different safe ways to retrieve.
This is the most important point. Having your seed phrase backed up on a metal plate is all well and good, but nothing is indestructible, and it could still be lost, misplaced, etc. You should always have more than one back up of important information.
9275  Bitcoin / Bitcoin Discussion / Re: Kucoin hacker moved the stolen BTC. on: September 29, 2020, 02:07:23 PM
I do agree with your point of view and the way you state your pov implies that cryptocurrency needs regulation to be able to at least safeguard peoples fund which I also think is necessary.
Actually, I think the exact opposite.

An argument can be made for regulating centralized exchanges as the businesses that they are - these exchanges are often holding millions of dollars of their customers' money, often with no oversight. They frequently lock, freeze, shutdown or seize customers' coins and accounts, and offer little to no mechanisms for customers to challenge their decisions. Time and time again we see exchanges simply lock accounts and steal coins stating vague reasons or the triggering of unspecified algorithms, and the customer simply has to take the loss. It is one of the many reasons I have never used a centralized exchange, and I encourage others also to stop using these exchanges. You shouldn't be trusting a centralized exchange to look after your money, but if you are going to go against all good advice and do that anyway, then you should at least have some legal recourse available to you when that exchange decides to steal your coins or lock your account.

However, bitcoin itself does not need regulating, and governments, tax agencies, fiat banks, and all the rest should stop sticking their prying noses and grubby fingers where they don't belong. The whole point of bitcoin is to be decentralized and not to rely on third parties (which includes not relying on centralized exchanges).

So whenever something unusual happen, authority can always step in to investigate and process disputes between parties and penalize crypto-criminals as long as the case is brought to the authority.
Sure, I have nothing against law enforcement stepping in to try to track down a hacker and thief as in this case. What I do have a problem with is centralized scam coins which can unilaterally and without recourse lock a user's money. That's even worse than fiat.
9276  Bitcoin / Hardware wallets / Re: Nano Ledger S Seed and Nano Ledger S Recovery on: September 29, 2020, 01:38:10 PM
I never know my seed in the ledger device I have. Is there a way to know the seed?
No, there is no way to display the seed phrase again after the initial set up. It does have a "Recovery Check" where you can input your seed phrase and it will confirm that you have written it down correctly, but it won't just display the seed phrase in plain text to you.

It's very risky to hold coins in a hardware wallet where you do not have the seed phrase. You are a single piece of hardware failure away from losing your coins. I would suggest that you move the coins out to a different wallet, reset the Ledger, back up your new seed phrase, and then return the coins to this new wallet.
9277  Bitcoin / Bitcoin Discussion / Re: Premined bitcoin? on: September 29, 2020, 12:11:41 PM
What's the significance of being P2PK?
The main significance of the fact that they are P2PK rather than P2PKH is that the public key is known for all 2 million or so of these coins. This means they are potentially vulnerable to being stolen in the future by quantum computers running Shor's algorithm.

The script type used for these coins is pretty much irrelevant to the discussion regarding premines, as far as I can tell.
9278  Other / Meta / Re: Default trust is the most important metric here in my opinion. on: September 29, 2020, 11:20:30 AM
I believe that trust should be related to trading and honesty
Trust feedback should be related to trading, honesty, or likelihood of scamming. However, in your first paragraph you are talking about your ranking on default trust, which is related to your judgement and not necessarily your honesty.

So my question is - how can members improve their trust ratings if there are no business trading opportunities in the forum?
I would flip that question over and ask "If there are no business opportunities which interest you on the forum, then why do you need a high trust rating?"
9279  Bitcoin / Hardware wallets / Re: Best Way to Store Your Nano Ledger S? on: September 29, 2020, 09:13:34 AM
The Ledger box, a fanny pack, a standard safe, etc., will all be useless to protect against humidity since they are not airtight. You need something which is airtight to store it in, but you also need to remove the moisture from the air inside the container.

I'm thinking something like an airtight watertight case for digital cameras, phones and other small electronics that you can find on Amazon, and have a supply of silica gel packets so you can throw a fresh one in every time you have to open it.
9280  Bitcoin / Bitcoin Discussion / Re: Kucoin hacker moved the stolen BTC. on: September 29, 2020, 07:57:09 AM
I do hate centralization but in time like this, it is a good thing to be able to freeze addresses and disable transfer of hacked items in order to prevent the hacker to gain maximum profit of their crimes and at the same time save the stolen fund from being spend at least.
The ends do not justify the means, though. Sure, no one wants the hacker to get away with it and freezing all their stolen coins seems like a good outcome, but the very fact that an anonymous person can unilaterally decide just to freeze some funds or lock down some addresses with zero oversight and zero ability for the affected parties to appeal or contest the decision is the complete opposite of decentralization. It's even worse than fiat banks. At least banks have rules they must follow, if they lock your account for some reason there are set processes you can go through to reverse the decision and have your account unlocked, and there are banking regulators you can appeal to if you disagree with your bank's decision. As much as I prefer decentralized systems, and as much as I dislike centralized fiat banks, they are at least regulated. Centralized scam coins like this are the worst of both worlds - zero decentralization and zero oversight. All the power in the hands of one person who can do whatever they like.

These scam coins can lock your coins at any time, for any reason, and there is nothing you can do about it.