Author Topic: RarityCheck VIBGYOR gilded #12 swept yesterday.  (Read 4070 times)
raritycheck
August 26, 2024, 06:45:29 PM
 #301

Thank you all for the feedback on printing. Of course we can include a sheet if needed, but as the first priority now we will do more testing to try to find the best font for this paper size. The paper and printer quality already look much better, we just need to find the right font. Will keep you updated.

We appreciate the continued support from everyone in this community, it really means a lot!

raritycheck
August 28, 2024, 10:55:07 PM
 #302

Hey guys

One thing we want to re-iterate is that we did not sell VIBGYOR coins with compromised private keys, i.e. the process we followed was not insecure.

Just like bitaddress.org, there is another site, and it turns out that site is easy to RNG-attack (it uses weak entropy generation). Not only were our keys impacted, but around 2.5 BTC of other people's BTC was also impacted.

So, even with an air-gapped PC, this happened.

We have received new stickers for VIBGYOR coins and we will update the announcement thread with new stickers.



seavodin
August 29, 2024, 01:17:32 AM
 #303

All right, now I'm thoroughly confused.

Quote
One thing we want to re-iterate is that we did not sell VIBGYOR coins with compromised private keys, i.e. the process we followed was not insecure.

This isn't something you're re-iterating, because you never iterated it.
You're now saying something completely different than you did originally.

If I understand you correctly, you're now claiming:
- you did not use walletgenerator.net (although you don't say what you did use)
- that you used an air gapped PC
- that you didn't do anything insecurely, it was just weak entropy generation (and it would have to be catastrophically weak to be guessable)

raritycheck
August 29, 2024, 06:37:23 AM
Last edit: August 29, 2024, 06:49:51 AM by raritycheck
 #304

Apologies. Yes, the site was walletgenerator. (We didn’t want to name it in the last post so people don’t use it, i.e. don’t give it more publicity.)
Of course, we have always used an airgapped laptop/printer that we wipe after.
Yes, that site has weak entropy generation.

Also, we want to mention that some people have given us feedback saying we have claimed to be incompetent. Rest assured that the only incompetency we showed was in choosing the wrong key-generator (walletgenerator) for VIBGYOR coin. Of course the whole system of keygen was end to end secure.

LoyceV
August 29, 2024, 08:25:49 AM
 #305

Quote
Of course the whole system of keygen was end to end secure.
.... said no one ever after getting his private keys compromised.

raritycheck
August 29, 2024, 03:36:33 PM
 #306

Quote
Quote
Of course the whole system of keygen was end to end secure.
.... said no one ever after getting his private keys compromised.

It's true. The only reason keys were compromised is because the key-generator itself is compromised (we weren't aware of that).
But the process of key generation was secure as we never connected any of the devices to the internet.

Let's say someone brute forces (say with some quantum computer) 52 char key combinations and lands on your wallet and drains your wallet.
Who is at fault? Did you follow an insecure process or is it because the generator you used wasn't strong enough?

LoyceV
August 29, 2024, 03:40:45 PM
 #307

Quote
The only reason keys were compromised is because the key-generator itself is compromised (we weren't aware of that).
But the process of key generation was secure as we never connected any of the devices to the internet.
It's a "weakest link" thing: all it takes is one fuckup and all other components of your security become irrelevant.

Quote
Let's say someone brute forces (say with some quantum computer) 52 char key combinations and lands on your wallet and drains your wallet.
Who is at fault? Did you follow an insecure process or is it because the generator you used wasn't strong enough?
Are you seriously comparing using well-known compromised malware for key generation to something that's generally considered as being completely impossible?

raritycheck
August 29, 2024, 03:58:47 PM
 #308

Quote
It's a "weakest link" thing: all it takes is one fuckup and all other components of your security become irrelevant.
You are correct. It does take one fuckup.
But what if (hypothetically) you bought the printer and it turns out the printer has a SIM in it that sends every single print job via cellular n/w to a server.
You trusted the printer, but the printer itself is at fault. Whose fault is it?

Quote
Are you seriously comparing using well-known compromised malware for key generation to something that's generally considered as being completely impossible?
You are correct, it is impossible. Just creating a hypothetical scenario. Who will be at fault?
Of course it is impossible, but if it does happen, or say someone randomly writes a key and it happens to be your wallet, who is at fault?

Let's consider another example: we know many other creators in forums use bitaddress.org. If tomorrow it turns out there was some vulnerability with that site,
and all keys are compromised, who is at fault?

Point is, to our knowledge, we followed all the steps securely.
And in fact for vigilante we did use bitaddress.org, it's just that for VIBGYOR v1 coins we were trying a different generator and this happened. If only we could go back in time and not use walletgenerator.

LoyceV
August 29, 2024, 04:40:02 PM
 #309

Quote
But what if (hypothetically) you bought the printer and it turns out the printer has a SIM in it that sends every single print job via cellular n/w to a server.
Don't buy printers on the black market. Get a signal jammer. Build a Faraday cage.

Quote
Of course it is impossible, but if it does happen, or say someone randomly writes a key and it happens to be your wallet, who is at fault?
Arguing about impossible scenarios is pointless. If a randomly generated private key wouldn't be safe, there would be no Bitcoin.

Quote
Point is to our knowledge, we followed all the steps securely.
My point is a simple Google search would have been enough to know it's compromised.

raritycheck
August 29, 2024, 04:47:39 PM
 #310

Quote
Quote
But what if (hypothetically) you bought the printer and it turns out the printer has a SIM in it that sends every single print job via cellular n/w to a server.
Don't buy printers on the black market. Get a signal jammer. Build a Faraday cage.
You are correct 'Build a Faraday cage' will solve the problem. But no one normally builds a Faraday cage. Right? So who will be at fault?

Quote
Quote
Of course it is impossible, but if it does happen, or say someone randomly writes a key and it happens to be your wallet, who is at fault?
Arguing about impossible scenarios is pointless. If a randomly generated private key wouldn't be safe, there would be no Bitcoin.
Right. Apologies if you felt we are arguing, just trying to make the point that no matter how secure one thinks their process is, it is possible that a mistake is made.

Quote
Quote
Point is to our knowledge, we followed all the steps securely.
My point is a simple Google search would have been enough to know it's compromised.
Yes. Correct. That is the mistake. Mistake is trusting the generator. But to us the whole process end to end was secure.

 

polymerbit
August 29, 2024, 07:34:09 PM
Last edit: August 29, 2024, 07:50:09 PM by polymerbit
 #311

A solicitor could argue that under UK law you've displayed negligence.

This generator was known to be compromised, which you failed to disclose to your customers.

Simply put, this has opened you up to potential litigation. Regardless of the fact that you refunded the loaded amounts.

Without an Ltd., this liability is practically unlimited to you personally.

---

Both other key makers, and clients may have a claim against you and your project now.

You really should not be making keys if the results suggest you have no idea what you are doing.

seavodin
August 29, 2024, 08:01:24 PM
Last edit: August 29, 2024, 08:13:24 PM by seavodin
 #312

Raghavsood previously reported that the system you used to generate keys was connected to a network (the internet in this case).
This was information he received from your team:

Quote
Based on a discussion I had with the team separately earlier today, they opened the website on the computer, before removing the internet connection and generating the keys.

And yet you state:

Quote
Of course, we have always used an airgapped laptop/printer that we wipe after.

An air gapped system, by definition, should never be connected to an external network.
If you hadn't connected it to the internet, more than likely you wouldn't have used the walletgenerator website directly.
You would have downloaded the source code from GitHub (which isn't malicious), loaded it onto a flash drive, then transferred it to the air gapped system.

It seems like you might have a different definition of what an air gapped system is?
It does not protect from all threats, but it limits the possible attack vectors when the system has never had direct contact with external networks.
It also means that all data transfers to and from the system are very intentional and should be scrutinized.


Edit:
I see here that you mention that the system was never connected to the internet:

Quote
It's true. The only reason keys were compromised is because the key-generator itself is compromised (we weren't aware of that).
But the process of key generation was secure as we never connected any of the devices to the internet.

But in earlier posts (and from raghavsood), you stated that it was:

Quote
Hi Raghav

We know you are trying to help and we will answer your questions.
But please note that most of the team are software engineers in their day job and the only mistake in this whole process is that we truly blindly trusted a compromised software.

We think the wallet generator either has a back door or someone has done an RNG attack

How we created the keys was: we connected the computer via lab cable to the internet to download the client side site from walletgenerator and then disconnected the cable
No hardware (printer) was connected to wifi.

All hardware is wiped (windows uninstalled and hard disk wiped) after usage.

About dates, that is the main reason why we took some time. After I reached home after my day job I started looking at my personal device to check historically when was the first time I was researching on key gen software and looking at all sales threads and when exactly it could be that we created the keys.
But unfortunately as we have no back up of any kind it is impossible to tell exactly. But we feel it might be between July and November 2022.

raritycheck
August 29, 2024, 10:33:31 PM
 #313

Quote
A solicitor could argue that under UK law you've displayed negligence.

This generator was known to be compromised, which you failed to disclose to your customers.

Simply put, this has opened you up to potential litigation. Regardless of the fact that you refunded the loaded amounts.

We didn’t know it was compromised until the whole thing happened.
If we knew we wouldn’t even sell the coins and contact the customers immediately (which we did as soon as we got to know)





polymerbit
August 29, 2024, 11:20:32 PM
 #314

You're focusing on the wrong thing here. There's still a duty of due care. This is other people's money you ended up affecting.

Your conduct is the issue. I find it particularly abhorrent that you tried to get your project into the gallery in Sicily.

This can be argued to be predatory. You have a project on your hands that you tried to PR wash to people who may not be aware of your multiple failures.

The damage you did is inexcusable. People are already wary of key makers, and for good reason. You proved them right.




raritycheck
August 30, 2024, 05:20:46 AM
Last edit: August 30, 2024, 06:26:20 AM by raritycheck
 #315

Quote
You're focusing on the wrong thing here. There's still a duty of due care. This is other people's money you ended up affecting.

Your conduct is the issue. I find it particularly abhorrent that you tried to get your project into the gallery in Sicily.

This can be argued to be predatory. You have a project on your hands that you tried to PR wash to people who may not be aware of your multiple failures.

The damage you did is inexcusable. People are already wary of key makers, and for good reason. You proved them right.


What gallery in Sicily?
Edit: Are you talking about the bitbolo post (above this post on main thread)
That was a post in collectibles.
We thought it’s a crypto-only coin related event and we wanted to bring the new hole coin v2.
And meet fellow makers and discuss. And generally since the whole situation been feeling very low and chat to people. So asked bibollo about more details of the event.
We don’t want to PR wash (no idea what that means). But we messaged now to bibollo about this post.
But we really wanted to bring the new v2 coins and show to fellow makers.

Of course, in general we don’t want to hide, we want people to know that this can happen.
Also we want to ensure that this doesn’t happen again. We want to in general make the whole thing safer.
Hence created the mini-key generator with better entropy and asking for feedback.
And hence we are continuing this discussion to make people aware.
And also updated on the site https://crypto.raritycheck.com/vibgyor that these coins are compromised.

Edit2:
Inevitably, new makers will come in this space and we are also getting messages from other makers about what we find in our research.

About ‘multiple failures’. That’s not factually correct. In this post itself there are multiple accusations against multiple creators of bad printed key. Then the whole Yogg thing that happened last year. (Mind you in that we actually donated everyone impacted). We think buyers should know that there is a risk.

One thing interesting about this whole situation for VIBGYOR coins is that even now if you look at the list of coins
https://crypto.raritycheck.com/vibgyor
Not all coins are actually redeemed and some of the redeemed coins are manually redeemed by buyers.
How could that be?

Anyways, all we are hoping is that going forward what happened with us doesn’t happen with others
And we can help some trust back into the hobby.

Edits
October 21, 2024, 08:03:08 PM
Last edit: October 22, 2024, 01:45:43 AM by Edits
 #316

Vouched, mine are gone.

Such is the world of physicals and trusting people within a system designed for us to not need trust.

Oh well.

You know what, we can all get burned. These were 0.001 coins so does it really matter?
The hardest burn is their reputation. I had high hopes for them as their coins were fantastic.
Make shit right, refund the stolen BTC and learn the lesson to create your own keys.

I'm not sure if I will buy RC coins again, but that's where we are.
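
Added example (not part of the thread, and not the code of walletgenerator, bitaddress.org or RarityCheck): one way to act on the "create your own keys" advice above, so that the random source is the operating system's CSPRNG rather than a third-party page, with the result encoded in the 52-character compressed WIF form that the "52 char key" in the thread is assumed to mean. It uses only the Python standard library; the function names and the dice-roll string are illustrative assumptions.

```python
import hashlib
import secrets

# secp256k1 group order: a valid private key is an integer in [1, N-1].
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def _checksum(payload: bytes) -> bytes:
    # Base58Check checksum: first 4 bytes of double SHA-256.
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def generate_private_key(extra_entropy: bytes = b"") -> int:
    """Draw 32 bytes from the OS CSPRNG, mix in optional operator-supplied
    entropy (e.g. dice rolls) with SHA-256, and retry if out of range."""
    while True:
        seed = secrets.token_bytes(32) + extra_entropy
        k = int.from_bytes(hashlib.sha256(seed).digest(), "big")
        if 1 <= k < N:
            return k


def to_wif(k: int) -> str:
    """Encode as mainnet compressed WIF: 0x80 || key || 0x01 || checksum."""
    if not 1 <= k < N:
        raise ValueError("private key out of range")
    data = b"\x80" + k.to_bytes(32, "big") + b"\x01"
    num = int.from_bytes(data + _checksum(data), "big")
    out = ""
    while num:
        num, rem = divmod(num, 58)
        out = B58[rem] + out
    return out  # first byte is 0x80, so there are no leading zeros to pad


def from_wif(wif: str) -> int:
    """Decode a compressed WIF string, rejecting typos and wrong formats."""
    num = 0
    for ch in wif:
        num = num * 58 + B58.index(ch)  # ValueError on a non-Base58 character
    if (num.bit_length() + 7) // 8 != 38:
        raise ValueError("not a 38-byte compressed WIF payload")
    raw = num.to_bytes(38, "big")
    data, check = raw[:-4], raw[-4:]
    if _checksum(data) != check or data[0] != 0x80 or data[-1] != 0x01:
        raise ValueError("bad checksum or version/compression byte")
    return int.from_bytes(data[1:33], "big")


def generate_batch(count: int, extra_entropy: bytes = b"") -> list:
    """Generate WIF keys for a batch of coins; a repeated key means the
    random source is broken, so the whole batch is rejected."""
    keys = [generate_private_key(extra_entropy) for _ in range(count)]
    if len(set(keys)) != count:
        raise RuntimeError("duplicate key in batch: entropy source is broken")
    return [to_wif(k) for k in keys]
```

The duplicate check only catches a grossly broken source; it does not prove the keys are unpredictable, which is why the key material comes from `secrets` rather than from any generator whose entropy cannot be inspected.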