Bitcoin Forum
Author Topic: Bitfi wallet - most user-friendly functionality, does not store private keys  (Read 591 times)
TheBitfi (OP)
April 16, 2019, 02:12:12 AM
 #41

Hi Bob123,

The definition of a troll is: “a person who makes a deliberately offensive or provocative online post.”

When we have taken the time to patiently answer every comment & question.

1) Please advise what logical argument are we not understanding or ignoring?

2) So your logic is, that a wallet that contains no private keys and therefore cannot be seized even by the NSA is one of the worst possible ideas in crypto?

If that’s your logic then ok.

Thanks,

Bitfi Team


o_e_l_e_o, please..  don't feed the troll.

The majority of this community knows what 'kind of wallet' the bitfi wallet is.
Only newbies without much information and people who want to find other vulnerabilities are going to buy a bitfi wallet.

Here is not the right place to inform newbies about why this wallet is one of the worst possible ideas to be used for crypto.


They are obviously not capable of understanding (or ignoring) each logic argument.
They will never admit that their wallet is broken by design (and additionally implemented badly). It is just a waste of time.
bob123
April 16, 2019, 06:12:46 AM
 #42

I see no reason in debating with you. All you do is try to make your wallet look good, no matter what we say.

The real question is whether you are REALLY believing that shit you are saying, or whether you just want your wallet to look good.


1) Please advise what logical argument are we not understanding or ignoring?

You do not understand that the whole concept of the bitfi wallet is trash.



2) So your logic is, that a wallet that contains no private keys and therefore cannot be seized even by the NSA is one of the worst possible ideas in crypto?

The 'key' to your BTC has to be stored somewhere.
It is better to store them on a device, than in your own head (= brainwallet).

Brainwallets are bad. This is a fact.
There is 0 sense in using a bitfi wallet if you are going to store coins on a brain wallet. Might as well use free software instead.

Quite funny that people still were able to extract private keys from a bitfi
They can't extract private keys from a 'software brain wallet'...

So YOUR brain wallet is even worse than a standard brain wallet. Congratulations.


This was my last post in this thread. You are obviously just making provocative online posts. Call it trolling or not.

pfuschi77
July 10, 2019, 02:37:05 PM
 #43

Oh boy I worked my way through this thread and I don't know what to think of all the posters attacking Bitfi with such a passion and wonder what their real drive is.
Come to the point guys.

As far as I understood there was NOBODY that did empty the delivered wallet, is that fact or not? Don't come with the "but I got root-access sh..." that was clearly not the part of the deal.
If somebody found out that the device RAM was readable then he should just do the transaction and get the 250k.

So we have hackers who clearly can't read bounty rules because they were only able to do sh... after modifying the device and then trace the RAM, but still the stored coins could not be extracted right?

On the other hand we have a company who did lean a bit too much out of the window, not knowing that the device RAM did store their private keys for some time.
I guess they did fix that with a firmware update for the first generation and from the get-go with the second generation.

To me, both claims are some kind of wrong, but in the end, Bitfi was more right, their claim could not be broken.
The product needed some more "optimization" as we learned and they delivered on that.

What else should be answered:
Who found the weakness first?
Hacker of the bounty? Then this person might "deserve" a reward for saving Bitfi's ass, this could have ended in a big scandal many years later.
It simply would be a nice gesture of Bitfi, with the help of the bounty they were able to optimize their product.

Fix was implemented, has anybody since then come out proving they are able to move coins out???
Was someone able to root-hack, modify device and trace the RAM again???

Is the device still rootable?
The device is branded with a unique ID great, but how can I be 100% sure the firmware was not modified?
Is there some kind of an online check today where we can see and be sure that the device was not modified on the way or anytime later?
In the past hackers did modify with root-access and the Bitfi Dashboard didn't even detect that. Is it even possible to protect yourself from that or is this technically not possible? Would be bad if not, the integrity of the device is super important.

All in all I would say this is a great alternative on the market. I'm using both trezor and ledger at the moment and as far as I know, using the trezor with extra 25th phrase is as secure as you can get. I'm not scared about losing my funds on them. So I'm not in a hurry to buy a Bitfi but in the next few months I think I will buy one.

o_e_l_e_o
July 10, 2019, 04:46:18 PM
 #44

The real drive is we don't want newbies who don't know any better to be ripped off by buying a glorified brain wallet and end up losing all their hard earned bitcoin.

The only reason the bounty wasn't awarded is because Bitfi kept changing the goal posts and then cancelling it altogether so they didn't have to pay out. The conditions were met several times by different people. They managed to extract the seed in plain text from the device, meaning all coins can be instantly stolen. Bitfi's claim was their wallet was "unhackable". I'm pretty sure extracting the seed counts as being hacked.

Even forgetting how horribly insecure their device is, even forgetting it had been hacked wide open multiple times, even forgetting the seed is extractable, even forgetting you can gain root access and install custom firmware; even forgetting all that, at the end of the day, it's still a brain wallet. Brain wallets are even worse than web wallets on the scale of "good security".

Buy one if you want, but realise that your funds are at constant risk of being stolen, and there is literally nothing it does that cannot be achieved more securely and for free with some freely available and open source software.
pfuschi77
July 10, 2019, 06:50:15 PM
 #45

The real drive is we don't want newbies who don't know any better to be ripped off by buying a glorified brain wallet and end up losing all their hard earned bitcoin.

The only reason the bounty wasn't awarded is because Bitfi kept changing the goal posts and then cancelling it altogether so they didn't have to pay out. The conditions were met several times by different people. They managed to extract the seed in plain text from the device, meaning all coins can be instantly stolen. Bitfi's claim was their wallet was "unhackable". I'm pretty sure extracting the seed counts as being hacked.

Even forgetting how horribly insecure their device is, even forgetting it had been hacked wide open multiple times, even forgetting the seed is extractable, even forgetting you can gain root access and install custom firmware; even forgetting all that, at the end of the day, it's still a brain wallet. Brain wallets are even worse than web wallets on the scale of "good security".

Buy one if you want, but realise that your funds are at constant risk of being stolen, and there is literally nothing it does that cannot be achieved more securely and for free with some freely available and open source software.

I'm not sure if I agree with you 100%, you're focusing too much on the bounty IMO.

The hackers were able to hack into the firmware, modify the whole device and only then do a transaction and trace the seed out of the RAM as long as it was there, using a security hole in the device.
Am I wrong with that? They did not get into anything that already was on the device, didn't do a withdrawal of the original transferred coins.
To me this is totally fine with the bounty rules. If they said, buy a new one, load it up with your coins yourself and try to hack it, that would be a different story, then they would have lost the bounty.

Is it OK to not reward the bounty hackers with something after their experts didn't find that RAM problem themselves and actually produced the first Bitfi? Or did they find out themselves???
I think rewards should get paid out if it can be proven. There was something paid so don't know for what and if that front is cleared or not, lost overview with that.

So as I said before, we have 2 parties who are not 100% right or wrong. Doesn't Bitfi have the right to correct themselves even if they had a big mouth?

- I'm with you that a security device at first should not be hackable that easily and get root-access on top of that -- is this fixed? I don't think so, is it feasible at all? I don't know!
- Nothing in the device should store anything from a past transaction -- that was fixed, can anybody prove it is not so? That would solve the most important big problem IMO
- The Dashboard did not detect that the device was modified -- is a fix feasible? I don't know, but this is a problem every device has and SURELY I WANT THEM ALL TO FIX THAT.

If your device can't be 100% secured from a root-hack, your software/portal/dashboard, whatever !!! HAS TO DETECT THAT AND WARN YOU THAT THE DEVICE WAS COMPROMISED !!!
I don't care how they do it but without that, the safety of our funds is at risk. You know how I shit myself when Komodo had their problem with the Agama Wallet? I'm sick of all that nonsense.
If I can't be 100% sure that my device is 100% as the manufacturer produced it how secure can I feel then?
jerry0
July 11, 2019, 12:00:11 AM
 #46

Is this wallet better or worse than nano ledger s?  Is there a reason why anyone would use any wallet besides trezor or nano ledger?
bob123
July 11, 2019, 07:56:01 AM
 #47

Is this wallet better or worse than nano ledger s?  Is there a reason why anyone would use any wallet besides trezor or nano ledger?


Read the thread.

Short summary:
  • It is just a brainwallet, and we all know how bad brainwallets are..
  • It had tons of vulnerabilities (no clue about the current state, but wouldn't expect it to be better now)
  • The company is doing shady stuff
  • It is just a brainwallet.

I think you can answer the question, whether it is better or worse than a regular hardware wallet, yourself.


P.s. Even a webwallet is more secure than this crap.

pfuschi77
July 12, 2019, 10:17:29 AM
 #48

Is this wallet better or worse than nano ledger s?  Is there a reason why anyone would use any wallet besides trezor or nano ledger?

Vertbase and Digibyte are happy with the security Bitfi has TODAY, so I guess I will buy one, split my coins over trezor, ledger and bitfi.