o_e_l_e_o
In memoriam
Legendary
Offline
Activity: 2268
Merit: 18726
|
|
July 22, 2018, 08:54:22 PM |
|
My passphrase is just God now.
Not sure if you are trolling, but the address that links to "god" had about $100 of Bitcoin transferred through it less than 12 hours ago.
|
|
|
|
Hueristic
Legendary
Offline
Activity: 3976
Merit: 5408
Doomed to see the future and unable to prevent it
|
|
July 23, 2018, 12:28:13 AM |
|
My passphrase is just God now.
Not sure if you are trolling, but the address that links to "god" had about $100 of Bitcoin transferred through it less than 12 hours ago.
Hah, I was joking as "God" is/was the most common admin password ever.
|
“Bad men need nothing more to compass their ends, than that good men should look on and do nothing.”
|
|
|
alizay
Jr. Member
Offline
Activity: 123
Merit: 3
|
|
July 25, 2018, 01:49:49 AM |
|
Wow, this is interesting, I'm going to keep an eye on this. I only have a Ledger right now but am very interested in this "unhackable" wallet.
BUT the bigger question is: if one of these wallets does get hacked will McAfee eat his own penis???
|
|
|
|
nc50lc
Legendary
Offline
Activity: 2576
Merit: 6257
Self-proclaimed Genius
|
|
July 25, 2018, 03:22:49 AM |
|
Wow, this is interesting, I'm going to keep an eye on this. I only have a Ledger right now but am very interested in this "unhackable" wallet.
Did you even read the previous posts? Delete it from your "to buy" list. It's basically a brainwallet, which has a horrible history in terms of security, and compared to Ledger, McAfee's endorsed "unhackable" wallet is a joke.
Not sure if you are trolling, but the address that links to "god" had about $100 of Bitcoin transferred through it less than 12 hours ago.
I've seen that too. Actually, I have an Electrum wallet named "Collision Tester" which contained the private keys of the most common brainwallet passphrases like Satoshi, free bitcoins, free bitcoin, etc. But unluckily, I never got the chance to transfer the funds since it's impossible to monitor the wallet 24/7 manually.
|
|
|
|
bododk
Jr. Member
Offline
Activity: 51
Merit: 1
|
|
July 25, 2018, 07:45:16 AM |
|
This device has three flaws in design:
- human factor
- weak algorithm
- self update mechanism
Please, do not use this wallet.
|
|
|
|
gentlemand (OP)
Legendary
Offline
Activity: 2590
Merit: 3014
Welt Am Draht
|
|
July 25, 2018, 09:58:12 AM |
|
- self update mechanism
That one is a little bit worrying. It appears they're saying you can't turn down updates and indeed there is no such thing as an update, you get the latest and livest version every time you fire it up. In that case that makes their servers a stunningly tempting target and you have no protection from a nefarious party feeding you something unhelpful. I get the feel they're trying to invent the wheel while barrelling down the highway and at some point they're going to miss something extremely gaping and obvious.
|
|
|
|
gentlemand (OP)
Legendary
Offline
Activity: 2590
Merit: 3014
Welt Am Draht
|
|
July 28, 2018, 09:36:11 AM |
|
A security researcher's review here - https://rya.nc/bitfi-wallet.html
Overall it doesn't seem as screamingly bad as it first appeared, but there are still plenty of holes and the developers appear to lack diligence in quite a few areas.
"I strongly advise against using one of these devices. While Bitfi is perhaps not an outright scam, the design is inferior to that of hardware wallets where the device really is needed (or the backup of the seed) along with the passphrase in order to spend the coins. The fact that they're using a lot of the same techniques to sell devices that have been used to sell snake oil so many times in the past makes me very concerned. I've notified Bitfi of these issues, however they showed no interest in fixing them."
|
|
|
|
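The design point quoted in the review above, as an added example that is not part of any post in this thread or of Bitfi's code: a key derived only from what the user remembers can be recomputed anywhere, while a key that also mixes in a secret stored on the device cannot. The scrypt parameters, the salt argument and the `HardwareWallet` class are assumptions made for this simplified model.

```python
import hashlib
import hmac
import secrets

# Illustrative scrypt cost parameters (assumption, not Bitfi's real values).
SCRYPT_PARAMS = dict(n=2**12, r=8, p=1, dklen=32)


def brainwallet_key(passphrase: str, salt: str) -> bytes:
    """Passphrase-only design: every input comes from the user's memory."""
    return hashlib.scrypt(passphrase.encode(), salt=salt.encode(), **SCRYPT_PARAMS)


class HardwareWallet:
    """Simplified model of a wallet that keeps a random seed on the device."""

    def __init__(self) -> None:
        # Generated on the device; spending requires this seed (or its backup).
        self._seed = secrets.token_bytes(32)

    def key(self, passphrase: str) -> bytes:
        stretched = hashlib.scrypt(
            passphrase.encode(), salt=b"hw-model", **SCRYPT_PARAMS
        )
        # The passphrase alone is useless without the per-device seed.
        return hmac.new(self._seed, stretched, hashlib.sha256).digest()


def compare(passphrase: str, salt: str) -> dict:
    """Show which designs let the passphrase alone reproduce the key."""
    device_a, device_b = HardwareWallet(), HardwareWallet()
    return {
        # Two independent computations, no device involved: same key.
        "brainwallet_same_anywhere":
            brainwallet_key(passphrase, salt) == brainwallet_key(passphrase, salt),
        # The same physical device always yields the same key.
        "hardware_same_device":
            device_a.key(passphrase) == device_a.key(passphrase),
        # A different device with the same passphrase yields a different key.
        "hardware_other_device":
            device_a.key(passphrase) == device_b.key(passphrase),
    }


if __name__ == "__main__":
    # Constructed sample inputs.
    print(compare("correct horse battery staple", "user@example.com"))
```

With the passphrase-only design, the strength of the key is exactly the strength of the passphrase, which is why a guessable phrase leaves nothing else standing between the funds and anyone who tries it.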
o_e_l_e_o
In memoriam
Legendary
Offline
Activity: 2268
Merit: 18726
|
|
July 28, 2018, 09:58:04 AM |
|
I've notified Bitfi of these issues, however they showed no interest in fixing them.
Haha, wow. If anyone wasn't already convinced not to buy this wallet, then this surely has to be the nail in the coffin? Why would you trust a company behind any product that show no interest in closing security holes and flaws?
|
|
|
|
gentlemand (OP)
Legendary
Offline
Activity: 2590
Merit: 3014
Welt Am Draht
|
|
July 28, 2018, 10:01:29 AM |
|
Haha, wow. If anyone wasn't already convinced not to buy this wallet, then this surely has to be the nail in the coffin? Why would you trust a company behind any product that show no interest in closing security holes and flaws?
They'll just think it's, like, his opinion, man.
More gold - "Kerckhoffs's Principle in essence says that a properly designed system should still be secure even if the attacker knows everything except the key. Here, Bitfi engages in some misdirection, claiming to be "open source", however their "source code" is just a PDF largely made of formulas copy/pasted from the description of scrypt and BIP32. A number of people called them out on this, and in response a comment on reddit, a user going by Bitfi-Team replied:
We never said we were providing full open source code. We clearly state that our wallet is open source. Just check our website before you spew garbage. But if you want the code, do some math. Don't be lazy."
|
|
|
|
Hueristic
Legendary
Offline
Activity: 3976
Merit: 5408
Doomed to see the future and unable to prevent it
|
|
July 28, 2018, 01:49:35 PM |
|
I've notified Bitfi of these issues, however they showed no interest in fixing them.
Haha, wow. If anyone wasn't already convinced not to buy this wallet, then this surely has to be the nail in the coffin? Why would you trust a company behind any product that show no interest in closing security holes and flaws?
I dunno, ask Microsoft.
They'll just think it's, like, his opinion, man.
More gold - "Kerckhoffs's Principle in essence says that a properly designed system should still be secure even if the attacker knows everything except the key. Here, Bitfi engages in some misdirection, claiming to be "open source", however their "source code" is just a PDF largely made of formulas copy/pasted from the description of scrypt and BIP32. A number of people called them out on this, and in response a comment on reddit, a user going by Bitfi-Team replied:
We never said we were providing full open source code. We clearly state that our wallet is open source. Just check our website before you spew garbage. But if you want the code, do some math. Don't be lazy."
That is pure Gold, apparently the moron doesn't know what open sauce means.
|
|
|
|
Ndok88
Newbie
Offline
Activity: 85
Merit: 0
|
|
July 29, 2018, 07:42:36 AM |
|
Thank you for the review... I cancelled buying Bitfi
|
|
|
|
|
HCP
Legendary
Offline
Activity: 2086
Merit: 4361
<insert witty quote here>
|
|
July 29, 2018, 10:29:41 PM |
|
Just... WOW. It essentially confirms ALL the worst assumptions made about this device... and then adds some more. The entire thing is basically snake oil wrapped up with a nice $120.00 bow.
The Bitfi wallet is only $120 USD. As a computing device it is much more costly to manufacture than ordinary hardware wallets, however, our mission is to make this technology accessible to everyone and to keep it affordably priced as long as possible.
My condolences to anyone who bought one.
https://www.reddit.com/r/Bitcoin/comments/92dnf8/bitfis_hardware_wallet_is_terrible
https://rya.nc/bitfi-wallet.html
|
|
|
|
ryanc
|
|
July 31, 2018, 08:18:12 PM |
|
They're currently trying to throw shade on me, claiming I'm out to get them due to some perceived personal slight.
This is false - I engaged on a very similar crusade when the now defunct ether.camp site was offering brain wallets without explaining what they were.
The siren call of brain wallets is strong, but we must fight back.
|
|
|
|
gentlemand (OP)
Legendary
Offline
Activity: 2590
Merit: 3014
Welt Am Draht
|
|
August 02, 2018, 07:53:39 PM |
|
They're currently trying to throw shade on me, claiming I'm out to get them due to some perceived personal slight.
Well, the opinion of every single person in crypto worth listening to on this corroborates your conclusions. They can screech all they want. That's not going to convince anyone.
|
|
|
|
ryanc
|
|
August 02, 2018, 10:50:57 PM |
|
Well, the opinion of every single person in crypto worth listening to on this corroborates your conclusions. They can screech all they want. That's not going to convince anyone.
I think "screech" is a good description of their social media "strategy".
|
|
|
|
gentlemand (OP)
Legendary
Offline
Activity: 2590
Merit: 3014
Welt Am Draht
|
|
August 02, 2018, 10:57:36 PM |
|
https://twitter.com/OverSoftNL/status/1024684201575108615
Bring on so much shrillness that checking their and McAfee's Twitter accounts will cause your speakers to shatter.
So assuming it can be rooted, and most likely third parties will be selling compromised versions, what steps are needed to gain someone's funds assuming they use a compromised device from the off? Would it be very straightforward or are there some steps that would be considerably harder? As there's nothing on board I presume that also means there's nothing to stop you being fed whatever someone wants you to see and everything you do going straight to them.
|
|
|
|
bob123
Legendary
Offline
Activity: 1624
Merit: 2481
|
|
August 03, 2018, 05:50:22 AM |
|
So assuming it can be rooted, and most likely third parties will be selling compromised versions, what steps are needed to gain someone's funds assuming they use a compromised device from the off? Would it be very straightforward or are there some steps that would be considerably harder?
Since this wallet is auto-updating itself each time it has an internet connection, you don't really need to sell compromised versions. You would just need to find a vulnerability and use an exploit to compromise ALL devices which are logging in (auto updating) their wallet within the time frame of the beginning of your attack and the end of your attack (when bitfi wallet server gets shut down). But, assuming it can be rooted.. it would really be straightforward to create a malicious version which will serve as a backdoor. This is nothing compared to an attack on a ledger nano s / trezor.
|
|
|
|
o_e_l_e_o
In memoriam
Legendary
Offline
Activity: 2268
Merit: 18726
|
|
August 03, 2018, 10:52:43 AM |
|
https://mobile.twitter.com/OverSoftNL/status/1025000286119780353: "So yeah: you don't need a BitFi device to run a BitFi wallet. I repeat: there's nothing in that device that is required for the BitFi app to function. There's NO secure element. They could've released it on the Play Store as an app."
Maybe this is a good thing - instead of forking out hundreds of dollars for what is essentially an unsecure old android phone, you can just download the APK and run it on any device with an android emulator.
|
|
|
|
Hueristic
Legendary
Offline
Activity: 3976
Merit: 5408
Doomed to see the future and unable to prevent it
|
|
August 03, 2018, 09:41:05 PM |
|
https://mobile.twitter.com/OverSoftNL/status/1025000286119780353: "So yeah: you don't need a BitFi device to run a BitFi wallet. I repeat: there's nothing in that device that is required for the BitFi app to function. There's NO secure element. They could've released it on the Play Store as an app."
Maybe this is a good thing - instead of forking out hundreds of dollars for what is essentially an unsecure old android phone, you can just download the APK and run it on any device with an android emulator.
But why would you want to?
|
|
|
|
|