Don't trust. Verify!

What can be done to improve the general users' awareness of security issues?

The average Bitcoin user is quick to spread memes like "verify all the things" or "don't trust. Verify!" but then goes on and uses custodial services to store his bitcoins or doesn't care that nobody does verify the software they use, as long as it's open source.

Probably people think that somebody else in the community is doing the verification and indeed, bitcoin core is highly scrutinized and the binaries are independently verified by many more than one person, yet the majority of wallets deployed are not bitcoin core or desktop wallets in general, where verifiability is more common. The majority is mobile apps.

My field of expertise is Android and there, the situation is really grim:

  • Coinbase - a custodial service - has more than 10 million downloads. Another 3 million downloads are spread out over other custodial "wallets"
  • Luno, Coinomi and Coins.ph all claim to not be custodial but they are closed source - having a million downloads each! (Yes, Coinomi is closed source!). Another 1.5 million downloads can be found across other closed source "non custodial" wallets.
  • "Blockchain Wallet" by blockchain.com has 5 million downloads and while they claim to be open source, their builds cannot be independently verified. There is another 3 million downloads across other wallets in that category.
  • Only 2 million downloads are shared between verifiable wallets on Android.

"Being your own bank" is not the only viable option but ...

  • Custodial services are of course the least verifiable. They are subject to

    • hacks
    • "hacks" (inside jobs)
    • regulatory oversight (read: sorry, without further KYC you can't have your bitcoins back)
    • fractional reserve (the bitcoins you "own" don't exist)
    • lack of control (those fork coin "airdrops" we won't do and by the way, "Bitcoin wood" is the real bitcoin.)
    • legal action (what happens to "your" money stored at Coinbase if Billbase sues Coinbase out of existence?)

    If you are fine with all the above, your choice of custodial service might still be better than all the rest but it sure requires a lot of trust!

  • Closed source wallets might do the right thing but if "Don't trust. Verify!" means anything to you, stay clear of those. They could at their sole discretion decide to need your coins with the next update and there would be no way for you to know it is happening until they emptied all their users' wallets at once. Under distress this might happen despite the best morals and intentions. In a sense this might be worse than institutional custodial services with a good cold storage system where a release manager catching a virus wouldn't put all customer funds at risk.

  • Not verifiable open source wallets right now are kind of "under observation". Most of them did not even have an issue in their GitHub repositories about verifiability but WalletScrutiny made sure they now do. Check any of the non-verifiable wallets for a link in the header: "We discuss the issue with verification with the provider here." to see how they respond and chime in on the discussion so they know you care!

  • Verifiable open source wallets might still be evil. Just because they are verifiable, doesn't mean anybody does verify them. WalletScrutiny took a snapshot of when the build was verifiably matching the public source code but the code might still leak the keys to the servers or otherwise put your money at risk. Also the next update might do harm. For verifiability to matter, somebody would have to actually verify the code is doing no harm. But that only makes sense if the code matches the released app. This is why WalletScrutiny is starting there and will care about actual code review later.



Submitted January 16, 2020 at 08:02AM by giszmo https://ift.tt/2st4mrH
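What "the build matches the public source code" means in practice, as an added example that is not part of the original post and not WalletScrutiny's own tooling: the released APK and an APK rebuilt from source are compared entry by entry, leaving out only the v1 signing files under META-INF/, which a rebuilder cannot reproduce without the provider's key. The function names, the exclusion list and the sample archives are assumptions made for this sketch.

```python
import hashlib
import io
import zipfile

# Assumption: only v1 (JAR) signing artefacts are allowed to differ.
SIGNING_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF")

def is_signing_entry(name):
    upper = name.upper()
    return upper.startswith("META-INF/") and (
        upper.endswith(SIGNING_SUFFIXES) or upper == "META-INF/MANIFEST.MF")

def entry_digests(apk):
    """SHA-256 of every non-signing entry; apk is a path or raw bytes."""
    src = io.BytesIO(apk) if isinstance(apk, bytes) else apk
    with zipfile.ZipFile(src) as z:
        return {i.filename: hashlib.sha256(z.read(i)).hexdigest()
                for i in z.infolist()
                if not i.is_dir() and not is_signing_entry(i.filename)}

def compare_apks(released, rebuilt):
    """Report entries that are missing, extra, or different in content."""
    a, b = entry_digests(released), entry_digests(rebuilt)
    return {
        "only_in_release": sorted(a.keys() - b.keys()),
        "only_in_rebuild": sorted(b.keys() - a.keys()),
        "content_differs": sorted(n for n in a.keys() & b.keys() if a[n] != b[n]),
    }

def is_reproducible(diff):
    return not any(diff.values())

def make_apk(files):
    """Build a constructed in-memory archive standing in for an APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in files.items():
            z.writestr(name, data)
    return buf.getvalue()

# Constructed sample data, not taken from any real wallet.
BASE = {"AndroidManifest.xml": b"<manifest/>",
        "classes.dex": b"wallet-code",
        "res/layout/main.xml": b"<layout/>"}
SIGNED = {"META-INF/CERT.RSA": b"provider-sig", "META-INF/CERT.SF": b"sf",
          "META-INF/MANIFEST.MF": b"mf"}
REBUILT = make_apk(BASE)
RELEASE_OK = make_apk({**BASE, **SIGNED})
RELEASE_BAD = make_apk({**BASE, **SIGNED, "classes.dex": b"wallet-code+extra"})

if __name__ == "__main__":
    print(compare_apks(RELEASE_OK, REBUILT))
    print(compare_apks(RELEASE_BAD, REBUILT))
```

APK Signature Scheme v2 and v3 signatures sit in a signing block outside the zip entries, so this entry-wise comparison skips them without extra handling. A clean result only shows that the binary matches the source; it says nothing about whether that source is safe, which is the point of the last bullet above.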
