Tangem collecting user seedphrases?

[libert19]

I have tangem card and I did use seed phrase option, I imported my ledger seed into tangem, thinking it's safe, thankfully didn't message their support so I assume I must be safe? I mean my funds are still there.

I just came to know about this issue yesterday and ranted on their discord for about two hours. I was disappointed with vulnerability itself — how can you record seed? Even literal hot wallets don't do that, and with their communications.

I am done with them and moving to trezor. Reminder for me to stick with tried, tested and reputed HW providers.

[satscraper]

I have tangem card and I did use seed phrase option, I imported my ledger seed into tangem, thinking it's safe, thankfully didn't message their support so I assume I must be safe? I mean my funds are still there.

If you didn't communicate with their support during one week after your imported you SEED your stash should be safe ^{You may check this via Tangem mobile app.}  providing Ledger SEED did not leaked in a different way .
P.S. I wouldn't use old SEEDs generated by Ledger to initiate any new wallet.

[libert19]

I have tangem card and I did use seed phrase option, I imported my ledger seed into tangem, thinking it's safe, thankfully didn't message their support so I assume I must be safe? I mean my funds are still there.

If you didn't communicate with their support during one week after your imported you SEED your stash should be safe ^{You may check this via Tangem mobile app.}  providing Ledger SEED was not leaked in a different way .
P.S. I wouldn't use old SEEDs generated by Ledger to initiate any new wallet.

I checked tangem app, there is no in-app notification to me as they said you would get if you were affected.

Regarding importing seed, my old ledger display is impossible to work with so imported seed directly into tangem. But yes, now gonna create new one with trezor.

[DubemIfedigbo001]

Who let their programmer add code which log seed phrase or other sensitive data? Anyway, looking at their blog post[1] makes it clear Tangem company trying to downplay this security vulnerability. They use term "Potential Vulnerability" which is wrong since people can reproduce the security vulnerability.

[1] https://tangem.com/en/blog/post/tangem-resolves-log-issue/

What the actual fuck. That code was clearly not reviewed (or they don't have a proper process in place).

Going to repost something I have posted here and reddit and github and other places over time.

So more or less quoting myself.

There are countless open source apps out there run by millions and millions of people that have still had major security vulnerabilities in them for years. Open souure does not mean shit in terms of security. All it means that if people want to and have the ability to understnd it they can check what is going on. Most people don't since unless you fully understand every function and every step you can't be sure that the one section you didn't fully comprehend was the bad one.

Examples sshd and openssl 2 things that you know run on 90% of the servers on the internet: https://www.logpoint.com/en/blog/the-story-of-regresshion/

https://www.threatintelligence.com/blog/openssl-vulnerabilities

And lets not forget the Apache log4j screw up: https://www.cisa.gov/news-events/news/apache-log4j-vulnerability-guidance

I can go on with dozens of other examples if you want.


So the code could have been reviewed. But people missed it.

If 1000s of people reviewing the above projects over years and years missed some (after the fact) totally obvious issues like these then a smaller company missing something like this is GOING TO HAPPEN.

Or to put it another way.

OPEN SOURCE IS NOT MORE SECURE. OPEN SOURCE ALLOWS PEOPLE TO SEE WHAT IS HAPPENING. AND POSSIBLY FIND MISTAKES THAT OTHERS HAVE MADE. BUT UNLESS THE PEOPLE LOOKING AT IT SEE THE MISTAKE AND REPORT IT THEN IT'S NO BETTER THEN CLOSED SOURCE.

Ending rant.

-Dave

I can relate with the fact that it is possible that most open-source projects are weakly scrutinized if at all by anybody since the job on validating the security of those projects aren't easy and it may be without a reward and most experienced white-hat hackers would not be willing to do it for free and black-hat hackers would gladly do it to take advantage.

If there are mouth watering bounties attached to reviewing these security limitations  and every bug found has a big reward, it would go a long way to make the open-source pattern serve its full purpose as participants would want to take the prize. I feel those that offer good rewards would get most of their bugs identified on time before it causes a real trouble for their users.

[Meuserna]

If you didn't communicate with their support during one week after your imported you SEED your stash should be safe

How do you PROVE it?

I'll never understand why people put their Bitcoin at risk by using closed source wallets, especially when there are outstanding fully open source alternatives.

[Forsyth Jones]

Tangem... I've never heard of this wallet. This serves as an example to show that it's not enough to be a hardware wallet, it needs to be open source too to avoid such discrepancies as this. It seems like an amateur mistake, it's so absurd that even hot wallets are more secure than this type of HW.

P.S. I wouldn't use old SEEDs generated by Ledger to initiate any new wallet.

The seed is not a problem if I can use passphrases. 

[DaveF]

Tangem... I've never heard of this wallet. This serves as an example to show that it's not enough to be a hardware wallet, it needs to be open source too to avoid such discrepancies as this. It seems like an amateur mistake, it's so absurd that even hot wallets are more secure than this type of HW.

P.S. I wouldn't use old SEEDs generated by Ledger to initiate any new wallet.

The seed is not a problem if I can use passphrases. 

But, and this point has been made the software that had the issue IS OPEN SOURCE.
The card itself is closed source, but the software that runs it (and that had the issue) it's right here: https://github.com/tangem

But open source is soooo much better:   https://www.splunk.com/en_us/blog/security/my-cups-runneth-over-with-cves.html

-Dave

[The Sceptical Chymist]

But open source is soooo much better:   https://www.splunk.com/en_us/blog/security/my-cups-runneth-over-with-cves.html

I missed this thread initially, saw it got necrobumped (sort of) for some reason and also saw your previous post about open-source software still being vulnerable to being exploited despite the fact that the code is out there for all to review.

Can you just clarify something here?  Are you arguing that open-source software isn't better than closed-source because oversights have been made?  That runs contrary to everything I've ever read here and also to my own *tech ignorant* opinion, and I guess I'd ask if you agree or disagree that, all things being equal, it would be better to use a HW wallet or its software that has open-source code than using a competing alternative that has closed-source code.  Even if you don't know that the open-source code has been extensively reviewed (or reviewed at all), I just can't see how any HW wallet that doesn't divulge its code is any better in light of the argument you made.

I ask this question respectfully.

Also, I have a Tangem wallet around here somewhere that I bought as a collectible thingee.  Never used it, never wanted to, and whatever their state is now there's no way in hell I'm ever going to.

[DaveF]

But open source is soooo much better:   https://www.splunk.com/en_us/blog/security/my-cups-runneth-over-with-cves.html

I missed this thread initially, saw it got necrobumped (sort of) for some reason and also saw your previous post about open-source software still being vulnerable to being exploited despite the fact that the code is out there for all to review.
 
Can you just clarify something here?  Are you arguing that open-source software isn't better than closed-source because oversights have been made?  That runs contrary to everything I've ever read here and also to my own *tech ignorant* opinion, and I guess I'd ask if you agree or disagree that, all things being equal, it would be better to use a HW wallet or its software that has open-source code than using a competing alternative that has closed-source code.  Even if you don't know that the open-source code has been extensively reviewed (or reviewed at all), I just can't see how any HW wallet that doesn't divulge its code is any better in light of the argument you made.

I ask this question respectfully.

Also, I have a Tangem wallet around here somewhere that I bought as a collectible thingee.  Never used it, never wanted to, and whatever their state is now there's no way in hell I'm ever going to.

No, what I am saying is that people have the mentality of open source being "more secure" and that closed source is "less secure"
But, as has been shown both have glaring gaping holes in them at times.

Open source means others can see what is going on.
That's all. And let me point out that code with 10's of thousands of eyes on it FOR DECADES can have GAPING SECURITY HOLES FOR DECADES

https://en.wikipedia.org/wiki/Shellshock_(software_bug)

September 1989 to September 2014

So, yes in terms of wallets open source is PROBABLY better.
But, as I pointed in another thread

...I can open source a wallet that automatically sends everything from everyone's wallet into mine once a year.  Could even put comments in the code as to what it does. People are going to still install / use it if I promote it enough because too many people don't read the code.

And that's the problem.

You can put out an open source hardware wallet with bad code that links to a software wallet with bad code and people will still buy and use it. Because open source is "better"

But, if you make a closed source one that is 100% secure, people automatically think it's bad.

It's not black and white, it's one big mess of grey. And people have to get used to living in the grey.

Because if bash, a piece of software that was on just about all *nix systems forever had a vulnerability that was there for 25 years, how well do you think any piece of crypto wallet software run by a much smaller segment of the population is going to be reviewed for vulnerabilities?

-Dave

[satscraper]

~

You're generally right about the vulnerabilities that might be present in both open-source and closed-source software. However, there is still a difference between the two. Closed-source code may contain both intentional and unintentional backdoors while open-source code is less likely to include intentional backdoors, simply because developers know that their presence is likely to be discovered by the community, ^{sooner or later}.

[DaveF]

~

You're generally right about the vulnerabilities that might be  present in both open-source and closed-source software. However, there is still a  difference between the two. Closed-source code may contain both intentional and unintentional backdoors while open-source code is less likely to include intentional backdoors, simply because developers know that their presence is   likely to be discovered  by the community, ^{sooner or later}.

I think it's a bit of terminology.
Open source should be considered SAFER since you (or someone) can check to see what is happening. If you (or someone) understands the code.
This would prevent the send all coins to Dave issue.

But, you can't really say it's more *secure*.

A bit pedantic on my part but when dealing with customers I have to point things like this out.

In the end discussing it here probably does not matter as much, but when talking to non tech people it's probably better to make the distinction between safer and secure.

-Dave




 

[Cricktor]

I think it's important that people understand the consequences properly. I'm with you that open-source doesn't automatically mean, it's more secure. But it's likely a better starting point than closed-source.

But with open-source AND reproducible builds you know exactly what source code yielded the executable. In my opinion only when these two conditions are met, you can then audit the source code and check how things are actually done and executed.

Not having reproducible builds means, I can't be sure what's in the executable. Is something missing or has something been added? It's possible that the open-source code doesn't show all the truth. Not being reproducible is probably less worse than closed-source, but in my opinion not very much, because it would be difficult to prove that the executable doesn't contain something that's not in the open-source code.

Of course, you need to have people who are capable of a code audit and who do it or have done it, unless you can do it yourself which is likely rarely the case either by lack of skills or lack of time or both.

[DaveF]

I think it's important that people understand the consequences properly. I'm with you that open-source doesn't automatically mean, it's more secure. But it's likely a better starting point than closed-source.

But with open-source AND reproducible builds you know exactly what source code yielded the executable. In my opinion only when these two conditions are met, you can then audit the source code and check how things are actually done and executed.

Not having reproducible builds means, I can't be sure what's in the executable. Is something missing or has something been added? It's possible that the open-source code doesn't show all the truth. Not being reproducible is probably less worse than closed-source, but in my opinion not very much, because it would be difficult to prove that the executable doesn't contain something that's not in the open-source code.

Of course, you need to have people who are capable of a code audit and who do it or have done it, unless you can do it yourself which is likely rarely the case either by lack of skills or lack of time or both.

The problem with relying on reproducible  is that there have been several discussions over the years where people have built / compiled from source but it was deemed not reproducible because they were using a totally different generation of software to build it.

What I would like to see too is better / more detailed instructions in the wallets github, or wherever in terms of build instructions too.

Even tell us the compiler version and os and everything else that was used to make the build.

But all you usually get is clone git and type make run and that is if you are lucky.

-Dave

[Cricktor]

Hm, I don't do such reproducability checks myself, would maybe only do it for the firmware build of my hardware wallet or so, occasionally.

I sort of assumed that the required exact build stack is part of the build instructions, maybe in the form of a Docker container build where you specify exactly the environment what's used to build from the sources. Because, how would reproducability otherwise work. You must be able to produce an exact bit-copy of the executable that's usually offered for download, too.

But all you usually get is clone git and type make run and that is if you are lucky.

Yeah, been there, seen that, too.