Wallet.is a service striving to succeed where instawallet has failed

[roalwe]

Hello!
I am the founder of  a small team working on wallet.is , a simple yet versatile wallet service.

Our service was conceived when Instawallet suffered a break-in. With some of my bitcoins still there (probably stolen), I decided that I should do something about it.
Something like a small, simple wallet service that would be more secure, and which could eventually grow to provide additional features to its users (I'll talk about that in more details a bit later). So I got a few guys together, took some nice open source code and got down to work.

And here we are, at your service - https://wallet.is

BTW, we will release most of our code when it goes out of beta  - wallet.is not afraid of competition !

Feedback, suggestions, and constructive criticism are very welcome.

[titus]

Do you know how instawallet was hacked?

[roalwe]

Well, since I am not an Instawallet employee (and not a member of a forensics team I hope is working on their case) I don't have the details...

But they mentioned a database intrusion.

Wallet.is team has taken proper steps to keep little Bobby Tables out.

[farlack]

Hey man, good luck hopefully its secure 

[roalwe]

Hey man, good luck hopefully its secure 

While security is, sadly, a bit like a scientific theory (can only really be disproved for good), we are committed to doing our best.
When we grow big, we'll have a proper audit.

[grue]

the reason instawallet failed was because it had control of all the private keys. unless you store all private keys clientside, and ensure all signing operations are done clientside, your wallet service will always be insecure.

[glitch003]

the reason instawallet failed was because it had control of all the private keys. unless you store all private keys clientside, and ensure all signing operations are done clientside, your wallet service will always be insecure.

^this^ people, don't store coins that you would be uncomfortable losing with this service.  The private keys are server side and your money is not safe!

[roalwe]

the reason instawallet failed was because it had control of all the private keys. unless you store all private keys clientside, and ensure all signing operations are done clientside, your wallet service will always be insecure.

Well, doing stuff user side in javascript isn't exactly a pretty thing to do, it turns out

A good way to do proper user-side browser key management would be browser plugin (Nadim eventually went that way with the cryptocat chat), but that kind of defeats the whole "no hassle" aspect of the service in a very fundamental way (as do mandatory passwords / registrations - hence our passwords are optional)

Of course there is a certain inherent risk to having a server-centric design, but I have good reasons to believe it is reasonably small*.

Neither web frontends nor backends serving them are inherently insecure (You can always prove me wrong and hack Gox, taking their hot wallet   ), and we intend our design to be very robust.

____________
* it should be noted that there is oftentimes a tradeoff between comfort and security going on

^this^ people, don't store coins that you would be uncomfortable losing with this service.  The private keys are server side and your money is not safe!

Strictly speaking, nothing is absolutely safe, only safe to varying degrees.

Javascript crypto isn't safe by a very long shot, and it would be rather hard to tell whether a well-done classic approach would not turn out "safer" than a user-side implementation done via such means (cryptocat abandoned this approach after almost singlehandedly pioneering it, after all)

Your stuff isn't absolutely safe even if stored in a physical safe

There are, however, degrees to safety, and tradeoffs between safety and other utility forms (such as comfort, ease of use, setup speed, additional valuable functionality, etc.)

[passerby]

My superficial assessment suggests these guys, at the very least, know their shit better than instawallet guys did (no privkey exposure in the link).

Now, what concerns me most isn't key storage schedule per se (if I'm really paranoid about people running off with coins, I will store coins on a dedicated encrypted laptop in a "thin client". And the laptop will be locked up in a large metal box most of the time. ), but rather, what features beyond "hassle free" and "easy" are you going to implement ?

'cause I can like myself a strongly pseudonymous, online wallet that is sufficiently feature-rich...So come on, AMAZE ME.

[someguy123]

'cause I can like myself a strongly pseudonymous, online wallet that is sufficiently feature-rich...So come on, AMAZE ME.

The only feature I see that instawallet didn't have, is the ability to password your wallet.
Also I don't even know if these guys charge fee's, they don't mention it anywhere on their site, so that could be a plus if there isn't a fee.

[🏰 TradeFortress 🏰]

Unless I'm the only person that has my private keys, and all signing is done on my computer, you are a fucking dumbass if you use this wallet because you will lose "your" coins.

You just admitted that nothing is 100% safe. Besides, do some reading.. the chrome extension for Blockchain.info is quite secure. Not bulletproof of course, but a hundred orders of magnitudes better than your current setup with is "send me coins".

Here is what WILL happen (guaranteed):

1. Operator goes AWOL, with no renewals server goes down
2. Operator disappears along with the coins in the wallet. Possibly a "hack" explanation.
3. Site actually gets hacked by someone else, you lose some or all of your coins

Don't store private keys on server.

If you don't have the private key, you don't own the bitcoins. Period.

Sorry if I'm a bit harsh, but this will end up with people losing their bitcoins to a hacker, to you, or to /dev/null.

Especially considering how the operator was registered a couple of days ago, he most likely saw how instawallet could have stole 10 million USD and wanted to scam others.

[🏰 TradeFortress 🏰]

'cause I can like myself a strongly pseudonymous, online wallet that is sufficiently feature-rich...So come on, AMAZE ME.

I guess you didn't want a secure online wallet.

[🏰 TradeFortress 🏰]

If you are STILL considering the idea of losing your bitcoins on wallet.is:

TORWallet - Scammer, Lost Coins
https://bitcointalk.org/index.php?topic=112327.0

Instawallet - Lost coins
https://bitcointalk.org/index.php?topic=164143.0

MyBitcoin - Scammer
https://en.bitcoin.it/wiki/MyBitcoin

Wallet.is - Future Scammer / Hacked Site
http://wallet.is/

[passerby]

You just admitted that nothing is 100% safe. Besides, do some reading.. the chrome extension for Blockchain.info is quite secure. Not bulletproof of course, but a hundred orders of magnitudes better than your current setup with is "send me coins".

I don't think he "admitted" is the right word for describing a situation when someone says a truism that is well-known in all security-related fields.

Also, is your "hundred orders of magnitudes" assessment based on some formal estimation process, or are you just fond of throwing around brown-number claims that sound BIG ?  

Here is what WILL happen (guaranteed):

1. Operator goes AWOL, with no renewals server goes down
2. Operator disappears along with the coins in the wallet. Possibly a "hack" explanation.
3. Site actually gets hacked by someone else, you lose some or all of your coins

Guaranteed ?

As in, you would be willing to bet money on that ?  Interesting... We could do something... about that

Sorry if I'm a bit harsh, but this will end up with people losing their bitcoins to a hacker, to you, or to /dev/null.

Well well... user-side encrypted keys which are stored (encrypted) elsewhere can be rather vulnerable to /dev/null incident happening "on the server side" (of course, proper service should have backups - but that does not mean a given specific service does)

Especially considering how the operator was registered a couple of days ago, he most likely saw how instawallet could have stole 10 million USD and wanted to scam others.

Are you, by any chance, related to Glenn Beck ? (I'm just asking questions )

'cause I can like myself a strongly pseudonymous, online wallet that is sufficiently feature-rich...So come on, AMAZE ME.

I guess you didn't want a secure online wallet.

Now, now, it depends.

Personally, I don't think that "really fast one-time wallet" services are "done for", that's all.

Yes, they do have attack vectors and failure modes that are specific to them, but at a number of circumstances I have found such trade-offs acceptable (I have used Instawallet in the past, as an "intermediate" coin deposit of sorts, and was quite satisfied by the outcome).

Also, I don't think anything can be completely secure - my vanilla satoshi client, with password-protected wallet and regular automatic backups, can be argued to be safer than any "online-shmonline" service could ever be, but to claim it is "totally" secure would be just pure hubris.

The question is, what the tradeoffs are.

As it stands, Wallet.is doesn't do anything interesting enough to make me consider moving coins into it, though I probably will use it as a "lazy man's cheap-ass coin decorrelator" at some point in the future.
Hence, dear wallet.is, please amaze me. Or something.

I suggest we move the discussion from "Ye Greate Battle of Wallet Service Philosophies" to "what cool features one could add to a "classic" wallet service"

I can start a separate thread for great philosophical battles, if someone considers it necessary.


P.S.:
Dear TradeFortress, if Modify button was a bunch of rattlesnakes, your next-of-kin would have already received your possessions.  

[parno]

unlike others I would welcome you around and suggest Google Authentication as an option, honesty and trust is hard when it comes to money so maybe you understand how "others" see you

[roalwe]

'cause I can like myself a strongly pseudonymous, online wallet that is sufficiently feature-rich...So come on, AMAZE ME.

What features would you suggest?

unlike others I would welcome you around and suggest Google Authentication as an option, honesty and trust is hard when it comes to money so maybe you understand how "others" see you

I'm not easily offended, and I certainly see why people might be suspicious of a wallet service.

Thanks for the welcome - very appreciated.

As to google auth - well, it's not exactly a nice thing code-wise, but it is rather useful, thanks for the suggestion.

I think that adding support for their two-factor auth system is not out of the question if/when we decide to expand beyond "quickiewallet" philosophy (which is what I think passerby is hinting at)

The only feature I see that instawallet didn't have, is the ability to password your wallet.
Also I don't even know if these guys charge fee's, they don't mention it anywhere on their site, so that could be a plus if there isn't a fee.

Well, so far we're just on BTC fees - would be kinda unfair to charge people for an early beta of a service, I think.

Speaking of fees, it seems that if we were to expand to a more... comprehensive feature suite, we'd have to either adopt some fee system or place ads, and it appears to me that people loathe ads in  wallet services (and not only the rather risky "rich media" ads, it seems)

[MPOE-PR]

I think people are having serious trouble selling themselves on using well known, aged and trusted services like blockchain.info's wallet. Take a chance on a newcomer? Not this month. Probably not this year and quite possibly never ever.

[tvbcof]

I liked Instwallet very much for it's URL only usability.  My philosophy in using it was for spending money only.  I always knew that a whole range of possible issues existed, and am not complaining bitterly about my loss.  I am pursuing the failure vigorously, but for different reasons.

My feeling about URL access is that a whole range of issues from a different but overlapping set exist with other solutions also.  Losing one's password is high among these.  I see no reason why it could not be reasonably secure and well managed on the back end.  The 'killer app' for me was not needing to provide an e-mail addy, SMS, etc, and the lack of a password made that smooth.

---

Here are the things I would look for:

 - A team which is well known and respected (this failed in the case of ~davout though.)

 - A good description of the back-end to architecture.  Opens-source if possible.  I think the pro's outweigh the con's, but it is debatable.

 - A good understanding of the funding.  Limited hot-wallet with occasional funds exhaustion is preferable to insolvency on failure.  Fees going into an auditable pool to be re-distributed absent failure would lend some credibility.  Or even let the user select thier preference on limits.

 - A documented recovery plan in case of failure.

 - A 'lock out' URL which, if visited, would lock the account.

 - A 'recovery token' which could be used to unlock a locked account or prove ownership of a URL

 - A 'maximum exceeded warning' mechanism whereby a user could be reminded that the service is for limited funds.

 - I've already forgotten some of the stuff I thought of.

I'll use your service without any of this stuff for minor spending, temporary funds shuffling, and new user demonstration purposes.  As always, with the anticipation that you guys could rip me off at any time.  Also with the full knowledge that you could be logging my IP's, transactions, etc.  Just as was the case with Instawallet.

[someguy123]

 - A good description of the back-end to architecture.  Opens-source if possible.  I think the pro's outweigh the con's, but it is debatable.

IIRC this is based on some code I did a while back which is public domain, they listed it on the about page: https://github.com/g2x3k/litecoin-instawallet-simple

[passerby]

Well, I guess I will first comment on tvbcof's suggestions a little bit, then will offer my own

 The 'killer app' for me was not needing to provide an e-mail addy, SMS, etc, and the lack of a password made that smooth.

Same here.

 - A team which is well known and respected (this failed in the case of ~davout though.)

I'd rather look for formal positions confirming competence - then again, I'm pretty sure that Citibank doesn't outsource its operations to 12 year old boys with ADHD and yet... THIS

- A good understanding of the funding.  Limited hot-wallet with occasional funds exhaustion is preferable to insolvency on failure.  Fees going into an auditable pool to be re-distributed absent failure would lend some credibility.  Or even let the user select thier preference on limits.

I think there definitely should be hot wallet and cold wallet, though given how insta-wallets aren't exactly Goxes, the cold wallet might be cold in more than one sense for a rather long time.

- A 'lock out' URL which, if visited, would lock the account.

 - A 'recovery token' which could be used to unlock a locked account or prove ownership of a URL

I like this, but I think the complexity added can be sidestepped with having a recovery email and a "lock account" button.

I mean, if I have to write a "de-mothballing token" I might as well just use an email recovery process.

- A 'maximum exceeded warning' mechanism whereby a user could be reminded that the service is for limited funds.

I think just adding a line of text clarifying that this is not a "bitcoin bank" should be enough. After all, "only keep as much bitcoins here as you really need" is rather subjective.
I had, at one point, about 100 btc in Instawallet (long before the whole thing went down in fire, luckily ), and would have been pretty annoyed if it started nagging me about the need to take them out.
 

Now, some suggestions of my own.

• outgoing-fees

People hate ads. People who think they are security-conscious hate ads even more. Also, bitcoinfolk is savvier than your average soccer mom, so a lot of us have adblockers. Thus, ads won't work for paying your bills, roalwe.

Fees might.

I, however, hate the ever loving hell of "storage" fees (guys, I trust your little wallet shop with my coins, and you repay my trust and loyalty by charging me ? Yes, easywallet.org , I am looking at you )

• free internal transactions

You should introduce a mechanism one "vault" (in your terminology) can send BTC to another "vault"  without actually going through BTC network, and such transactions would be free.
This would require the account to have a secondary identifier that can be shared freely... I don't know, like an email. Or something.

It should NOT be related to anything that can be used for vault auth (URL, password, etc).

Ideally, I should be able to attach notes (like, "thx 4 all Z drugz - kissz, lawl nF0rc3r" ) to internal payments

• Recovery email

If I bother to set up a password, I might also bother enough to set up a recovery email.

• Dead man's switch

Yeah, easywallet has it. So what ? It's damn cool, and I think every wallet should have it. Not like it's rocket science or a huge server load.

• QR codes

Personally, I think they aren't all that useful, but ladies like them or something.

That's all for now