Because by using such methods you can absolutely guarantee that a bunch of third parties will also know all the addresses you own and track all the transactions you make.

Here is what Ledger say on the issue:


So in theory, no, the third parties would not know if you are using one or more passphrases. But this all depends on whether you trust what Ledger are saying, since I'm sure there will be zero way for the user to actually verify this.

Absolutely, which is all the more reason we should be telling everyone to verify everything they download and never simply trust what they download because they think they are on the right URL.

I agree reporting to Google is a waste of time, since Google have shown consistently and repeatedly that they are happy to promote known and proven scams to the top of search results, as long as the scammer pays them. Google don't care whatsoever about their users' safety or security. As Lucius says, for ever site that is taken down (eventually!), five more will take its place. I would also recommend uBlock Origin, but alongside that, simply stop using Google. You can't fall victim to Google's promoted scams if you simply stop using Google.

The problem with this suggestion is the same as the problem with the other suggestions made above such as a blockchain explorer or Google sheets, as you rightly point out - privacy. As the old saying goes, if you are getting something for free, then you are the product. These services are almost certainly harvesting your data and sharing and selling that with third parties. Setting up an Electrum watch only wallet synced via your own node avoids all this.

If you do want to use a crypto portfolio app, then I would suggest manually entering aggregated balances rather than linking it with your wallet or specific transactions, so it cannot track your specific coins.

He can use the command listaddresses(balance=True) to get a list of all addresses alongside their individual balance, or the command getbalance() to get a total wallet balance.

The reason I suggested just doing listaddresses() on its own is because even if he imports a bunch of empty addresses, it means his watch only wallet will automatically stay synced with all this other wallets as he uses more addresses (until he exceeds the gap limit on a wallet, in which case he will need to import the next set of addresses).

I obviously agree as discussed above, but actually if OP is going to be running his own node anyway, then he could avoid the Electrum watch only wallet and simply use Core, importing the master public key from each of his Electrum wallets in to a single Bitcoin Core descriptor wallet.

Given that you cannot import multiple master public keys in to the same wallet in Electrum, then your only way of doing this will be to import all the addresses individually from each wallet in to a single watch only wallet.

Rather than copying and pasting each address one by one, in each wallet you want to watch go to the console (if you don't see the console tab then click View -> Show Console) and enter the following command:


It will spit out a list of all your receiving and change addresses visible on the addresses tab, so you can copy the whole list at once. You'll still need to manually remove the " and , symbols before attempting to import them, though.

Of course. I forgot that it loops if the value is not between 1 and q-1, which could result in more operations being required (although this is fairly unlikely). But then having said that, his half and half system would also be vulnerable to the exact same drawback, and could still calculate a nonce outside the required range.

So this then loops (heh) back round to your original question - why use any computational function at all? If speed is the most important factor here, then why not just have a nonce pre-calculated?

It's not a specific wallet - it's a user stealing funds.

If you read section 5.1, it explains that most of these peculiar nonces are coming from transaction spending coins from otherwise compromised addresses, such as brainwallets, addresses with previously repeated nonces (and therefore exposed private keys), or addresses with publicly revealed private keys (such as from various libraries). These affected transactions are a user implementing their own script to steal these funds, and inside their own script is this peculiar way of calculating a nonce for their transactions.

Interesting that they have linked all this to the forum user amaclin.

How long does it take on average to calculate a nonce following RFC 6979? Is it really a significant factor in getting your transaction broadcast first against other bots also trying to steal the same funds?

It's the first step, agreed, but it is entirely inadequate on its own. There are links on the Electrum download page to tutorials regarding how to verify your download, plus a quick search of this forum will find this excellent thread: [GUIDE] How to Safely Download and Verify Electrum [Guide].

Absolutely it's another step in the process, but we shouldn't be taking shortcuts when it comes to the security of our wallets.

No, it isn't.

Electrum does not have Telegram support. As with 99.9% of things on Telegram, this is a complete scam.

As DireWolfM14 has explained. Even if you don't touch the Wasabi functionality with Trezor, it reveals a lot about their mentality and their priorities. They also supported AOPP last year, which was essentially a method for centralized exchanges to enforce KYC on your own addresses, and they deliberately sweep their unfixable seed extraction vulnerabilities under the rug and do not warn new users about how to protect themselves against these vulnerabilities.

As with Ledger implementing more shitcoin support rather than addressing this Ledger Recovery debacle, it shows that Trezor care first and foremost about profits, with users' privacy and security way down their list of priorities. I would not trust them.

I'm fairly sure Foundation will never release official XMR firmware, but there is a community project started here (albeit with little activity, it seems): https://github.com/mjg-foundation/passport2-monero

Bookmarking the official site or only visiting the site via the software is not foolproof. There is nothing stopping an attacker from compromising the official site and uploading malicious software there.

You should be verifying all the software you download, regardless of where you download it from.

In addition to what has been mentioned above, strongly consider not using Windows and using an open source Linux distro instead. I would also suggest enabling full disk encryption when you install Linux, so if someone physically accesses your airgapped computer they cannot extract any useful or sensitive information from it.

Also make sure to verify the copy of Electrum you download on your live computer before transferring it to your airgapped computer for installation.

---

And subject yourself to mass surveillance and government sanctioned censorship? No thanks.

Yes, it's for Binance.us, but I for one don't believe for a second that Binance and Binance.us are entirely separate entities and don't co-mingle funds. The SEC filing even goes as far as ordering CZ to turn over customer coins which are in his personal possession. If CZ is personally holding users' coins, then Binance and Binance.us are almost certainly moving funds back and forth between them.

And the biggest typewriter company in the world thinks computers are too complicated and overpriced and says people shouldn't risk using them.

He wants people to keep their coins on his platform, because he can use them to make himself more money.

This is just factually incorrect. Let's add up all the centralized exchange hacks, scams, and insolvencies, shall we?

The only blog post they have made since this was shared 18 days ago (which is far more than "In the coming days" implies), is this one: https://www.ledger.com/blog/ledger-live-expands-cosmos-support-with-xprt-nom-qck-coins

Shows you exactly where their priorities lie. Instead of actually addressing this mess, they focus instead on implementing more shitcoins and staking to drive more profits for themselves.

Security is so boring! Shitcoins are the real important stuff!

 

Here's a new reason which RickDeckard flagged up here: https://bitcointalk.org/index.php?topic=5452900.msg62374464#msg62374464

The SEC has filed charges against Binance, and are ordering them to hand over all customer deposits, coins, assets, private keys, and anything else to the US government.

You are crazy if you are still holding your coins on a centralized exchange after the shitshow of the last few months.

If Sinbad were to release logs or similar, then they are signing their own death warrant.

The whole point of privacy services is to provide privacy, not to hand consent of exposure of your information to a random third party to decide based on their own arbitrary rules. Yes, a minority of users of privacy tools (such as mixers, coinjoins, VPNs, Tor, PGP, end to end encrypted messengers, etc.) are doing illegal things, but the vast majority of users of such services are just average people who do not want random third parties and governments spying on everything that they do. Would you use a encrypted messaging with a government backdoor? Of course not. Would you use a VPN which collects logs and hands them over to third parties? Of course not. Why would anyone use a mixing service which collects logs and hands them over to third parties?

Now you are just lying (or have absolutely zero understanding of the absolute basics of online privacy).

imperiume.io

whirlwind.money

If it was a problem with an incorrect or missing xpub, then Electrum would connect but then the EPS window would throw errors about the addresses being incorrect.

It looks like everything is set up correctly by OP, so I suspect the issue might be the expired certificates bug. See here for an explanation and a fix: https://github.com/chris-belcher/electrum-personal-server/issues/286

If that doesn't work, then at the top of the EPS window it should tell you where it is logging to. Find that file and examine it for errors. Similarly, enable logs in Electrum, and then examine that file for errors too.

Lol. Good find. SEC literally ordering Binance to hand over all customer funds and private keys.

Ledger: "We would only hand over your seed to the government in the case of a subpoena for terrorism or similar, which is never going to happen, so there is nothing to worry about."
US Government: "Hold my beer."

Their support team are limited to guesswork and regurgitating information from elsewhere. They apparently have been told absolutely nothing about Ledger Recover, and all they know is what the rest of us know from reading the Ledger website and Twitter:

Trezor are anything but reputable. They supported AOPP, and they actively fund blockchain analysis, mass surveillance, and government sanctioned censorship via their partnership with Wasabi. There is zero chance I would trust a hardware wallet from a company who are pro-government, pro-censorship, pro-surveillance, and anti-fungibility.

There are instead publicly known and unfixable vulnerabilities, which Trezor deliberately sweep under the rug and make no mention of in their set up guides, putting all new users at risk.

Trezor is a poor replacement.