Another day and another hack, this time for Trezor model T hardware wallet, and it was done by Crypto Security Firm Unciphered. First thing I will say is that it's very strange coincidence for this news to be released in same time when ledger messed up with their Recover disaster news, but whatever. I am not surprised at all about this, we all know that Trezor devices don't have secure element and if it was possible to do this with Trezor One than it was going to happen to Trezor Model T as well. Maybe this was sponsored by one French company, or Unciphered simply decided to use this opportunity for their own promotion. Unciphered build a custom board, connected Trezor T to it and they had to wait a long time for extraction of PIN and mneomonic words, but they eventually did it.  This is nothing new for all devices without secure element, but there are few ways people can protect against attacks like this: 1. Use multiple strong passphrases - this is easy and free solution available to anyone, and it makes hackers job much harder. 2. Use Multisig setup with your Trezor wallet - this makes it impossible for anyone to extract keys with this procedure. 3. Use Secret Shamir Sharing with passphrase - this should in theory work in similar way like Mutlisig setup. 4. Don't keep any of your keys inside wallet if you don't use it daily, only import when you need to send transaction and then reset it. 5. Use other open source hardware wallet with secure element. Trezor is making their own secure element so new generation device will be much better, but knowing all this I was not recommending Trezor wallets for some time. However, risk of this happening to regular people is very low, especially if you improve security like I mentioned. Hacking Trezor T video process: https://www.youtube.com/watch?v=50eiA-75NMY |
|
|
|
Joj htio jesam jer mi ful napeta, ali nažalost sam uvijek kotirao upravo oko te industrije u kojoj bi me žalio  Kad smo kod filmova... nastavlja se De Kwon Montenegro saga kako piše Bloomberg... ponovo je u zatvoru mučenik i odbijeno mu je 400,000 eura  https://archive.ph/WuMkV |
|
|
|
kripto sam opcenito ignorirao zadnjih nekoliko godina također, bio sam u komplet drugoj industriji.
Da nisi možda pored gambling industrije bio u u filmsk0j industriji kao Sylvester Stallone? Imao je on vrlo teške početke  Što manje pratiti novosti to je bolje (za mene), osim ako ne radite u medijima a onda vas žalim. |
|
|
|
It is not an option that appears right away, but once you follow the first steps (Destination -> Custom uploader settings...) :
Thank you. This worked out and I was able to upload few test images without any issues, BUT... I really don't like how ShareX works. It is to complex for me, it has weird sound, popups and bunch of other things I don't use. I tried to disable most of the things in settings, but I still don't like it, so I am now looking for alternative. Before I was using Image Uploader open source software, but I don't know how to set up TalkImg with it  https://github.com/zenden2k/image-uploader |
|
|
|
Please I suck at math... I took the prizes awarded by myself and PowerGlove (in addition to the Shiftcrypto prizes) and did 50% for 1st, 30% for 2nd and 20% for 3rd.
You skipped the match class at school? Maybe I made a mistake in my calculations? I don't know, because I didn't check anything you did, only thing that was strange to me is UNITS you used, that is SATS. I hope you understand how small is that, it's impossible to send that low amounts so it was funny to me. 0.00115 sats = 0 CHF 0.00069 sats = 0 CHF 0.00046 sats = 0 CHF Here are most used bitcoin units and convereter: https://bitcoindata.science/bitcoin-units-converter.htmlI think this should be written BTC units instead of sats units. For shipping, it is possible to get the contact of Shiftcrypto directly.
Cool. Please give me some time to organize something and I will contact you. |
|
|
|
According to my calculations here is the list of winners Are you kidding me... I actually won something and that is first prize?! Better double check that again sir Becassine. Who is pessimist now?  The 1st wins 0.00115 sats, the 2nd 0.00069 sats and the 3rd 0.00046 sats.
Does everyone agree, I haven't forgotten anything? Wait a minute, is that sats or bitcoin value? Can you please add current CHF or USD value for clarification? 1 BTC = 100,000,000 sat 1 sat = 0.00024279 CHF For the shipping of the items, please tell me how you want to do it.
I will send you shipping details once I found someone who actually want's to use hardware wallet. This is perfect time for someone to replace ledger wallet for BitBox02, I think this is better device and it's open source. I want to say thank you Becassine for doing this contest. |
|
|
|
"Opening more source" "over time" can mean anything and is something I'll believe when I see it. And even if they start opening more of their source code -- as long as parts of their code stays closed source there will always be insecurity. Here we go again... same old story of semi-open source, little tiny bit of closed source, mostly open source, etc... This sounds to me like they are just buying some time and hoping people will forget about this issue in few days, so they can continue business as usual Case in point, Ledger's software is already mostly open source, except for the firmware. And that's where the bodies were buried. So even if part of it gets open sourced, as long as some parts stay hidden, they will always have room for burying bodies. "Welcome to my basement officers, feel free to look around, just don't open the freezer, that one's off-limit."
Nobody cares about their stupid buggy ledge live app, they can open source that up in their asses. I understand that it's not easy to have open source secure element, but why the heck would someone hide firmware code, unless they have hidden plans with it. With Trezor you can download the source code and compile it yourself. Heck, if you feel especially nifty you can just go ahead and make your own Trezor clone [1]. Can't get much more trustless than that.
I think this is also possible with Passport wallet, but it's much harder to assemble all parts to make your own device. Another open source wallet you can make is Jade, and it's super easy. It also doesn't fix past 'mistakes'. For instance, they could have spied on users for the last few years, patch it out and then open-source the firmware.
It is easy to see that if you used the firmware before it was fully open, there will always be a risk that some of your information has been compromised (by Ledger or others). They spied in last few months for sure. Someone found out early code was pushed in several previous releases for ledger nono X, possibly for other models as well. Your thoughts?
Bullshit. They postponed Recover crap and posted this as a distraction. Let me tell you now and check back if I was right in few months/years, ledger will never be true open source wallet, but they could put another open source false advertisement label. I agree. To me it looks like they are just throwing sand into people's eyes and aren't addressing the issue directly
This reminds me on exact strategy main stream media is using, or magicians in circus, or tricksters on street with matches Putting down fire is never an easy task... |
|
|
|
This reduce the loss no matter what happen, i know its a little bit more work, but it can prevent you for more than one headache.
No, I would say don't put anyone eggs in rotten stinky baskets that have bunch of snakes inside. This would be correct representation for safepal, ledger and other similar closed source devices, so putting ''eggs'' in more bad baskets is not a good thing in this case. Stay away from safepal basket to keep your eggs safe. |
|
|
|
Essentially, if the total fee is more than is needed after selecting the two fee paying pre-mix inputs in order to perform a coinjoin, instead of enrolling three post-mix inputs as usual the coordinator will now enroll additional post-mix inputs. This makes the coinjoin transactions larger and therefore even harder to break, as well as increasing the throughput of remixes meaning everyone gets more free remixes faster, all for no additional cost to the users.
Wouldn't this in theory also increase fees a lot for coinjoins? If we have another ''ordinals tsunami'' like we did recently I doubt this will be usable for most people, except maybe for big whales, but they would also experience big delays. I am more interested in mixing and privacy in second-layer and I heard about one interesting project is coming out soon, or even better to introduce privacy on protocol level for bitcoin (but that probably won't happen any time soon). |
|
|
|
I want to move my Bitcoin from my trustwallet to another hot wallet that is compatible with IOS
If you are making a transition from Trust wallet than I would suggest checking out Unstoppable wallet, if you want to have support for Bitcoin and other altcoins. Unstoppable is open source wallet, it is working fine and it's very easy to use compared to some other wallets, and it has built in privacy features like Tor. In case you want to use wallet for Bitcoin only than you can consider Blue wallet or Green wallet from Blockstream. Green wallet also supports Liquid sidechain, so there is optional support for L-BTC, L-USDt and few other liquid tokens, and they have confidential transactions. Don't use any of this mobile wallet for storing large amount of Bitcoin, use it only for pocket money. |
|
|
|
Based on your thread about secure elements in hardware wallets, Safepal also has one but you couldn't find the exact model. Have you managed to find any more information on it in the meantime? Maybe they are also using one of the ST3x models.
No I didn't, but they are not using ST3x models for sure. There was some speculation from Kraken security team but nobody could identify secure element with 100% accuracy, it's probably some cheap chinses junk chip. It may be just the hunger for money. They may have been seeing Ledger's crap news and thought "what a wonderful idea, let's do that ourselves and get rich from selling to the idiots monthly subscription on making the seed less secure".
I think it's more stupidity than hunger for money. We can see the clear pattern here, closed source devices collecting bunch of money and than they need to repay that with stupid cloud services like this. There is an argument that hardware wallet companies are not earning as much money as smartphone companies, so they wanted to do some kind of subscription model for regular income, so they want to be like Netflix I'm pretty much soured on all HW wallets now.
Don't be. I suggest listening to the latest talk between Andreas Antonopoulos and Jameson Lopp (I posted it in different topic), you will hear some good sugesstions. |
|
|
|
It may be possible to clone https://github.com/LedgerHQ/ledger-live and patch out all the connections to Ledger servers, or even just do it through your firewall. Someone may even have done it before, not sure about that. It should be evident that I'm not too knowledgeable or experienced with Ledger products myself. You didn't miss out much, it's just a regular cheap circus show I don't think patching ledger live is possible, blocking ledger servers is certainly possible, but than I think device wont work correctly. From my understanding it's not only ledger that are going to receive data from customer wallets, they are only one of 3 companies, other two companies are located in United Kingdom and United States. Now imagine any of this three governments wanting to do mass seizure of coins, they won't have any problem doing that, since user controls nothing if they applied for Recover. Even in case if they didn't apply for anything there is a chance keys could be exposed somehow. Let me look from the bright side of this incident... I think ledger nono X eternal battery problem will not exist anymore EDIT: I found one interesting ledger commercial driving down the Internet Highway 101  |
|
|
|
After doing that punched both SE and MSU on Ledger board by two strokes of hummer. The final result is simple as that Good move... shame you didn't upload a short video while doing that People don't have to be so brutal with their devices, and if they still have old ledger nono S model, but I will suggest slowly migrating and starting to move coins to different open source devices. Everyone who owns ledger nono X already have some parts of malicious firmware, because they released bits of code in older updates. Don't update newer firmware because you could enable access to your keys, and some government could potentially seize coins from you in future, especially if you live in US, UK and France. Good for everyone to listen and learn something from latest conversation between Andreas Antonopoulos and Jameson Lopp talking about aftermath of ledger Recovery incident: https://odysee.com/@aantonop:8/ledger-recover-what-the-hell-is:8You don't have to listen to me, but this two guys (JL and AA) are one of the biggest bitcoin security experts in the world today. |
|
|
|
EttaWallet is 100% open source and is developed for android and ios devices.
There is no official website I could find, EttaWallet twitter account didn't post anything so far, so only thing we have is a fresh github account. I wouldn't jump right on to use this device for more that testing with few sats, and I don't recommend it is standard LN wallet, but I like they started with open source code. |
|
|
|
Hardware security models aswell as the security design in general of mobile devices is way more secure and battle tested compared to the currently available hardware wallets.
Maybe that is the case but they only have security updates for few years at most, I think apple has 5 years, samsung flagship devices has 4 years, cheap phones 1 or 2 years, and than they become unsecure. Since Airgap wallet is based on older device, that means that most of those devices are generally unsecure. The knox lockdown performed is one step deeper than what is offered to the user through i.e. settings. Also user errors (i.e. accidentally turning on wifi) are taken care of by the lock down.
So is there a way to revert changes to default state with Reset phone function, and remove AigGap later if we changed out minds? |
|
|
|
Tor and open-source code are an absolute must for me. Robosats does have a 'F2F' option, by the way. You can even enter a custom payment option yourself.
Even if Peach may have more features, privacy should always be number 1 priority. But I guess it could be a good alternative to CEX for mobile users who don't own a computer that runs Tor Browser. Yes that is exactly the reason why I like what Peach is doing. There are much more mobile users than computer users today, especially in third world countries, so growth potential is much bigger. If I had the option to choose I would always use desktop solution with Tor, something like Bisq or Robosats is good for that. Why limited? I'm really interested to understand why this needs to be an app. Maybe I will just install it in an emulator and have a look myself. It's limited for The Bitcoin Company (and their cards), and I don't know why, maybe because it's still in early beta phase. I have no idea how thsi would work for Peach Bitcoin. Their Google Play page says they collect the in-app messages, crash logs, diagnostics, and device identifiers. Such an identifier would let them connect your trades, whereas reloading Robosats will give you a completely fresh, unlinked identity.
Well yeah, that is what you get when you install most of the google and iOS apps, but I am not sure if the same happens with direct APK file. It's certainly a good to read Terms & Conditions and Privacy Policy page before using Peach: https://peachbitcoin.com/privacy-policy/https://peachbitcoin.com/terms-and-conditions/ |
|
|
|
Maybe this year we won’t have a proper competition, but I smell a surprise coming!
They are cooking something special on twitter for this year? In case some kind of competition happens I propose to ban all Italians from participating, to make it fair for everyone else Did anyone ever made one of those fat pizzas from Chicago? They are probably blasphemy for all Italians...  |
|
|
|
Now the button is automatically checked. Either way, the person uploading an image accepts the terms of service.
I hope this makes everything easier to use.
I tested it and it works perfectly now, no more clicking for me. It makes perfect sense to accept all the TalkImg terms if you agree to upload images. 2. Destination -> custom -> Import from clipboard -> Put your API key where it says "API-KEY-HERE"
I can't find Import from clipboard option anywhere. Is this under Custom Image Uploader, Customer Uploader settings or somewhere else. I know about Sharex but it was always a bit complex for me since I would use it mostly for uploading forum images. |
|
|
|
|
I missed forum down time, but I am getting a lot of this gateway errors in last few days, and many cloudflare boxes to check in, pages sometimes load very slow so I guess there was another round of ddos attacks towards bitointalk forum.
|
|
|
|
|
Show Posts
