Bitcoin Forum
February 09, 2023, 04:05:01 AM *
Author Topic: Open source wallet and closed source wallet discussion  (Read 515 times)
Tamedbeast (OP)
September 26, 2022, 05:26:06 PM
 #1

We all appreciate open source wallets, they are the best around but have we ever thought that being closed source is security? If Binance Trust wallet could be a closed source maybe they did this because they don't want malicious people to find out how they run things which could make their wallet become a target?

If you can't see how things are running (coding) wouldn't that make it harder to attack such code or network?

open source says > see this is how we run things, we are transparent and we have nothing to hide

Closed source says > we don't want you to see how we run the codes, you can target us or something
OmegaStarScream
September 26, 2022, 05:31:05 PM
Last edit: September 26, 2022, 05:42:12 PM by OmegaStarScream
Merited by hugeblack (4), pooya87 (2), ETFbitcoin (1), Pmalek (1), dkbit98 (1)
 #2

We all appreciate open source wallets, they are the best around but have we ever thought that being closed source is security?

There should be nothing (serious) to target if everything is stored on the user's device locally. If I remember correctly, they were afraid people would create similar copies of the wallet (same design) and add malicious code to it... which by the way, is something that scammers still do.

dkbit98
September 26, 2022, 06:01:58 PM
Merited by hugeblack (4), pooya87 (2), ETFbitcoin (1)
 #3

There should be nothing (serious) to target if everything is stored on the user's device locally. If I remember correctly, they were afraid people would create similar copies of the wallet (same design) and add malicious code to it... which by the way, is something that scammers still do.
Exactly, and they could even turn out to be very shady like the SafePal hardware wallet, which is closed source, but they still used a bunch of open source code and they breached the original license they used.
Both of these wallets (SafePal and Trust Wallet) are supported by the Binance exchange, so you can understand why I don't trust both of them with their lame excuses.
I am sure they didn't build anything from scratch; they cloned and forked other code, made a few changes and then made it closed source so they could hide all the bugs in the code from the public.

DireWolfM14
September 26, 2022, 06:04:26 PM
Merited by hugeblack (4), Pmalek (1)
 #4

If you can't see how things are running (coding) wouldn't that make it harder to attack such code or network?

It might make things harder on scammers, but if they're determined enough that's just a small obstacle.  Many malicious wallets aren't even that sophisticated, and in large part they don't need to be.  In some cases they only need to look like the original, and obviously the code is going to differ somewhat for the scam to occur.

On the other hand, of course, is the trust issue:  How do we know that a rogue employee doesn't embed some malicious code into Binance's wallet?  Without being open-source, verifiable, and reproducible by the general public, something like that may take months before it's caught.

Open source is especially critical in the crypto world, where we are expected to operate without the need to trust anyone.

BlackHatCoiner
September 26, 2022, 07:30:14 PM
Merited by hugeblack (4), pooya87 (2), ETFbitcoin (2), Pmalek (1)
 #5

That's a fallacy.

Closed-source software is nowhere close to better than reputable open-source software in terms of security. Being open-source doesn't mean more vulnerable than closed-source. Most attacks, from dynamic, which work as a black box (push inputs, observe outputs), to static, which use pattern matches against binaries, require no source code. Even if source code is necessary for an attacker, they can use disassemblers to reverse engineer the part of the source code they want.

All in all, even if the entire source code is required, and the attacker can't reverse engineer the entire thing, revealing the source code, if reputable, can attract more defenders than attackers. If the software is not open-source, there can't be defenders. Only the centralized entity of developers that are responsible for it.

So, if somebody ever tells you this:
we don't want you to see how we run the codes, you can target us or something

You should respond to them that if they rely on closed-sourceness for their security, they are benighted. And that's before we even mention that I'm not indulged to trust a random developer's coding skills and intentions.

vv181
September 26, 2022, 08:24:59 PM
 #6

A closed-source wallet does more harm than good on many levels. Being a free and open source wallet invites those who can comprehend the code and the ones who are interested in the wallet itself to collectively monitor how the codebase behaves. It gives them more eyes, rather than a fixed number of people that work on the closed source wallet, which is solely controlled by a centralized entity. It gives complete freedom to the users, without which it does not make sense if the underlying system (Bitcoin) itself is free and open-sourced.

And I bet a closed source wallet adds an unnecessary burden of a closed system where it is also designed with surveillance/tracking in mind. How can we be sure that the wallet key generation process is secure? That what we do within the application isn't being tracked identifiably? Or simply, we just don't want the generated address being "processed", as Trust Wallet does[1].

If we take an example of the recent aftermath of closed source Slope Wallet hacks, it is not so conceivable. It seems closed source wallets add their own unnecessary complexities and even the true root causes of the vulnerability can't be conclusively identified, after conducting an audit with 2 security firms.

[1] https://trustwallet.com/privacy-policy


sheenshane
September 26, 2022, 11:26:50 PM
 #7

open source says > see this is how we run things, we are transparent and we have nothing to hide
This is how decentralization works with open-source coding: you can even follow the developer's progress, which means the code itself can be checked by anyone who wants to know the progress.  So there is more advantage to an open-source than a closed-source wallet.  The reliability, security, and decentralization were open-source.

However, closed-source reduces the increase of imitator wallets or exchanges, but this isn't a problem if you know how to verify the legitimate one.

pooya87
September 27, 2022, 04:06:47 AM
 #8

If you can't see how things are running (coding) wouldn't that make it harder to attack such code or network?
The answer is pretty simple: the most popular projects are open source and they are very secure. From Linux to Bitcoin Core and Electrum. Everyone sees "how things are run" and they are still secure.

In some cases they only need to look like the original, and obviously the code is going to differ somewhat for the scam to occur.
They actually don't need to look like the original at all. All they need is the name.
Think about their target victims. They are either people who have never used the software before, so they already don't know what it looks like. Or they are people who want to upgrade to a newer version, in which case all the malicious software has to do is to tell them "it's a new version where UI was changed!".

Besides it is trivial to look at the UI and create something that looks similar.

mindrust
September 27, 2022, 04:22:03 AM
 #9

We all appreciate open source wallets, they are the best around but have we ever thought that being closed source is security? If Binance Trust wallet could be a closed source maybe they did this because they don't want malicious people to find out how they run things which could make their wallet become a target?

If you can't see how things are running (coding) wouldn't that make it harder to attack such code or network?

open source says > see this is how we run things, we are transparent and we have nothing to hide

Closed source says > we don't want you to see how we run the codes, you can target us or something

You can get scammed by either of them if you are not careful with what you are doing. However, open source will act like a safety belt in most situations, preventing the dev from doing silly stuff. With the closed source wallets, you simply have no idea what is going on behind the scenes and this is China we are talking about. They will collect and use every piece of information about you. They may not steal your funds directly but they will find a way to make up for it.

Pmalek
September 27, 2022, 08:26:06 AM
Merited by pooya87 (2)
 #10

If Binance Trust wallet could be a closed source maybe they did this because they don't want malicious people to find out how they run things which could make their wallet become a target?
It's possible, but it's guesswork. That could be the reason why the wallets are closed-source or because there is something there they don't want you to know about.

Closed-source is saying trust me it's good. I promise.
Open-source is saying take a look and make up your own mind. Don't trust me just because I am telling you it's good.

If you can't see how things are running (coding) wouldn't that make it harder to attack such code or network?
Yes, but the coin has two sides. You mentioned one. The other is if someone is a security expert who understands coding, they could tell the developers what to improve based on what they see in the codebase. If there is nothing to see, no one can make corrections. And attacks could still happen with or without a public codebase.     

Closed source says > we don't want you to see how we run the codes, you can target us or something
Again, it's guesswork. It can also say we don't want you to see our code because we are targeting you.

The answer is pretty simple: the most popular projects are open source and they are very secure. From Linux to Bitcoin Core and Electrum. Everyone sees "how things are run" and they are still secure.
Open-source does not mean secure by default. Although after years of testing, improving, and probably being thoroughly put under the microscope by those with bad motives, it's pretty safe to say that the brands you mentioned are all secure. But we have also seen some open-source Ethereum smart contracts being breached and hacked for reasons that could be bad code, exit scams, lack of knowledge of how to secure them properly, etc. It's very important who looks at the code and tags it as verified. If I am not wrong, some hacks occurred even though the projects were called audited and secure.

ETFbitcoin
September 27, 2022, 10:02:58 AM
 #11

but have we ever thought that being closed source is security?

Also called security through obscurity. But personally I'd rather have more transparency than a small security gain through obscurity.

If Binance Trust wallet could be a closed source maybe they did this because they don't want malicious people to find out how they run things which could make their wallet become a target?

Both open and closed source software could be targeted if they're popular enough.

n0nce
September 27, 2022, 10:01:51 PM
 #12

If you can't see how things are running (coding) wouldn't that make it harder to attack such code or network?
That's wrong. We still see it; we need to get a binary of some sort to run after all, right?
Hackers can look at either the binary directly or its disassembly; it's possible to fuzz test a binary and do all sorts of static and dynamic program analysis.

How else do you think jailbreaks and Windows exploits are created?

pooya87
September 28, 2022, 03:41:21 AM
 #13

But we have also seen some open-source Ethereum smart contracts being breached and hacked for reasons that could be bad code, exit scams, lack of knowledge of how to secure them properly, etc. It's very important who looks at the code and tags it as verified. If I am not wrong, some hacks occurred even though the projects were called audited and secure.
Well, because Ethereum was open source we knew from day one that the protocol is very buggy and has a lot of room for hacks like the ones you mentioned. The fact that nobody listened is their own fault, so we can't really mention those breaches in this context since they were already expected.

The audits were also mostly fake, basically they created a business of auditing smart contracts and in the end they ended up getting paid (or bribed) to publish fake results.

hugeblack
September 30, 2022, 07:13:24 AM
Merited by OmegaStarScream (2)
 #14

I have no problem with closed source wallets if the developers pledge to compensate any coin that is stolen if there is a problem with the code, otherwise the security of the central platforms is considered higher than the closed source wallets.

The same applies to the open source wallet. If you have not reviewed every line or trust someone who has reviewed each line, there will be no difference between it and the closed source wallet.

The only essential difference is that in the open source wallet, bugs can be identified and fixed without anyone losing their money, but this rarely happens in closed source wallets.

pooya87
September 30, 2022, 08:03:22 AM
Merited by OmegaStarScream (2)
 #15

I have no problem with closed source wallets if the developers pledge to compensate any coin that is stolen if there is a problem with the code, otherwise the security of the central platforms is considered higher than the closed source wallets.
The "promise" alone is not enough; having a way of enforcing that promise is what matters. Otherwise, there have been many centralized exchanges (that people used as wallets) that promised their users that their funds are safe and yet when they scammed people or got hacked, they never compensated the users for their losses. Nobody could make them answer for it either.

dkbit98
September 30, 2022, 10:25:46 AM
Merited by pooya87 (4), hugeblack (4)
 #16

Well, because Ethereum was open source we knew from day one that the protocol is very buggy and has a lot of room for hacks like the ones you mentioned. The fact that nobody listened is their own fault, so we can't really mention those breaches in this context since they were already expected.
And they keep advertising some fake decentralization now that they fully switched to the Proof-of-stake model, and on top of everything they are not a censorship-resistant blockchain.
Ethereum is now mostly controlled by a few individuals, corporations and exchanges, with 25% of their blocks being OFAC compliant, as everyone can see on the website mevwatch.info.
This number is constantly growing, and it doesn't really matter anymore if they have wallets and everything else open source, when they have protocol level censorship.

Let's learn some lesson from this shitshow fiasco, and let's not allow something similar to happen with Bitcoin.

I have no problem with closed source wallets if the developers pledge to compensate any coin that is stolen if there is a problem with the code, otherwise the security of the central platforms is considered higher than the closed source wallets.
Nobody in their right mind would do that, and closed source is sadly pretty much the norm in the normie world.

ETFbitcoin
September 30, 2022, 11:38:17 AM
 #17

I have no problem with closed source wallets if the developers pledge to compensate any coin that is stolen if there is a problem with the code, otherwise the security of the central platforms is considered higher than the closed source wallets.

Even if they make such a pledge, I wonder if they'll try to deny compensating stolen coins due to either user mistake or there being no proof they were stolen due to buggy code.

The same applies to the open source wallet. If you have not reviewed every line or trust someone who has reviewed each line, there will be no difference between it and the closed source wallet.

But IMO trusting that someone else has already performed a review or audit is still better than trusting a closed source application. If the application is popular enough, it's more likely someone will find and report the bug/security vulnerability.

n0nce
September 30, 2022, 05:23:43 PM
 #18

I have no problem with closed source wallets if the developers pledge to compensate any coin that is stolen if there is a problem with the code, otherwise the security of the central platforms is considered higher than the closed source wallets.
Is there such a wallet? That promises to compensate lost coins? I've never heard of something like that.
Even if it does, for one, it's not good enough as pooya87 said, and also how do you enforce it?

OmegaStarScream
September 30, 2022, 05:52:55 PM
 #19

Is there such a wallet? That promises to compensate lost coins? I've never heard of something like that.
-snip-

Noncustodial wallets? Not as far as I know. It wouldn't make sense if they would do that anyway. For exchanges, I believe there are a couple of them.

n0nce
September 30, 2022, 07:12:10 PM
Merited by xandry (2)
 #20

Is there such a wallet? That promises to compensate lost coins? I've never heard of something like that.
-snip-
Noncustodial wallets? Not as far as I know. It wouldn't make sense if they would do that anyway. For exchanges, I believe there are a couple of them.
Yeah, he mentioned 'closed-source wallets'; I suspect he meant closed-source, but non-custodial wallets. Something like Ledger hardware wallet, Trust Wallet or Coinomi.

Exchanges probably just have to comply with deposit insurance laws.
https://en.wikipedia.org/wiki/Deposit_insurance
