User talk:Ryanc - Revision history

Liraz: typos

2017-01-25T13:55:29Z

typos

← Older revision		Revision as of 13:55, 25 January 2017
Line 131:		Line 131:

	* [[User:Liraz\|Liraz]] ([[User talk:Liraz\|talk]]) 23:45, 24 January 2017 (UTC)		* [[User:Liraz\|Liraz]] ([[User talk:Liraz\|talk]]) 23:45, 24 January 2017 (UTC)
	# I'd like to point out you are so fixated on only one branch of the attack tree that you're not seeing how your argument could apply equally well to the other branch that you dismiss a "tinfoil hat threat" despite massive real-world evidence to the contrary. I could rephrase your comment: "You are wrong. The consensus on endpoint security experts ~~are~~ that you are wrong, and your recommendations to just trust endpoint software is gross negligence that will end up hurting users. If you don't believe me go talk to another expert on endpoint security. Oh but it's fine for me if I setup a perfectly secure endpoint, so it's OK for everybody. Automatic wallet generation on untrusted ~~endpoint~~ are a trap for smart people who don't understand how effective endpoint comprimising techniques are at subverting the integrity of their system in endlessly creative ways". My argument isn't that "my" threat is more important that "your" threat. My argument is that both threats are substantial and that I don't think we should dismiss either of them. If there's a tradeoff to be made where mitigating one risk comes at the expense of mitigating another we need to find the right balance to make a wise choice. Seeing things in black and white, your camp vs my camp, as an argument to be won, that's an all too human but very dangerous an unproductive attitude for a security expert to take.		# I'd like to point out you are so fixated on only one branch of the attack tree that you're not seeing how your argument could apply equally well to the other branch that you dismiss as a "tinfoil hat threat" despite massive real-world evidence to the contrary. I could rephrase your comment: "You are wrong. The consensus of endpoint security experts is that you are wrong, and your recommendations to just trust endpoint software is gross negligence that will end up hurting users. If you don't believe me go talk to another expert on endpoint security. Oh but it's fine for me if I setup a perfectly secure endpoint, so it's OK for everybody. Automatic wallet generation on untrusted endpoints are a trap for smart people who don't understand how effective endpoint comprimising techniques are at subverting the integrity of their system in endlessly creative ways". My argument isn't that "my" threat is more important that "your" threat. My argument is that both threats are substantial and that I don't think we should dismiss either of them. If there's a tradeoff to be made where mitigating one risk comes at the expense of mitigating another we need to find the right balance to make a wise choice. Seeing things in black and white, your camp vs my camp, as an argument to be won, that's an all too human but very dangerous an unproductive attitude for a security expert to take.
	# Trustworthy is a probability not a binary value. Convenience is also a matter of degree. There's an inescapable trade-off. You can say: As an expert, I recommend you hold up to $100 in your pocket, up to $10000 in a steel vault and the rest in stocks or whatever. You'd be right to criticize my position if I was being simple minded to the point of absurdity. If I somehow miscommunicated that impression, I wouldn't blame you for feeling like there's no point in talking to this idiot.		# Trustworthy is a probability not a binary value. Convenience is also a matter of degree. There's an inescapable trade-off. You can say: As an expert, I recommend you hold up to $100 in your pocket, up to $10000 in a steel vault and the rest in stocks or whatever. You'd be right to criticize my position if I was being simple minded to the point of absurdity. If I somehow miscommunicated that impression, I wouldn't blame you for feeling like there's no point in talking to this idiot.
	# For the record, Hardware CSPRNGs are no more trustworthy, if anything I trust them even less because they're such high value targets. That's why I limit their use to relatively small sums. Great for day-to-day use though. Very convenient. But I'm anticipating to wake up one day and learn a whole bunch of wallets got their funds swept and we eventually trace that back to weak/weakened wallet creation. I hope I'll be proven wrong but in the meantime, like you, I'm trying to help users minimize their exposure.		# For the record, Hardware CSPRNGs are no more trustworthy, if anything I trust them even less because they're such high value targets. That's why I limit their use to relatively small sums. Great for day-to-day use though. Very convenient. But I'm anticipating to wake up one day and learn a whole bunch of wallets got their funds swept and we eventually trace that back to weak/weakened wallet creation. I hope I'll be proven wrong but in the meantime, like you, I'm trying to help users minimize their exposure.

Liraz: /* What about salting? */ In opposition to black and white thinking

2017-01-25T13:51:56Z

What about salting?: In opposition to black and white thinking

← Older revision		Revision as of 13:51, 25 January 2017
Line 130:		Line 130:
	* [[User:RyanC\|RyanC]] You are wrong. The consensus on this from other experts is that you are wrong. Your recommendations will harm users. I've talked to several otherwise smart people who have lost painfully large sums of money to various deterministic wallet tools. Such tools are a trap for people who are smart, but don't quite understand how effective password cracking can be. Many people think they do, but there is a lot of bad advice about passwords and passphrases out there. I personally have used passphrases in the past for things like GPG keys that would have gotten me 0wned if I'd used them even in WarpWallet. I'm done arguing with you, it's clearly not productive. Please talk with some of the Bitcoin developers about this if you still don't believe me. Please also understand how incredibly frustrating it is to have seen firsthand how much damage tools like this can cause their typical users (a paper was published about this), and then have people say "oh, but it's fine if I use it perfectly, so it's okay for everyone". If you want to use it, I can't stop you, but recommending these tools to random newbies is gross negligence. I also want to point out that it's a bit absurd to recommend hardware wallets if you categorically don't trust CSPRNGs. Why are their CSPRNGs trustworthy and others not?		* [[User:RyanC\|RyanC]] You are wrong. The consensus on this from other experts is that you are wrong. Your recommendations will harm users. I've talked to several otherwise smart people who have lost painfully large sums of money to various deterministic wallet tools. Such tools are a trap for people who are smart, but don't quite understand how effective password cracking can be. Many people think they do, but there is a lot of bad advice about passwords and passphrases out there. I personally have used passphrases in the past for things like GPG keys that would have gotten me 0wned if I'd used them even in WarpWallet. I'm done arguing with you, it's clearly not productive. Please talk with some of the Bitcoin developers about this if you still don't believe me. Please also understand how incredibly frustrating it is to have seen firsthand how much damage tools like this can cause their typical users (a paper was published about this), and then have people say "oh, but it's fine if I use it perfectly, so it's okay for everyone". If you want to use it, I can't stop you, but recommending these tools to random newbies is gross negligence. I also want to point out that it's a bit absurd to recommend hardware wallets if you categorically don't trust CSPRNGs. Why are their CSPRNGs trustworthy and others not?

	* [[User:Liraz\|Liraz]] ([[User talk:Liraz\|talk]]) 23:45, 24 January 2017 (UTC)		* [[User:Liraz\|Liraz]] ([[User talk:Liraz\|talk]]) 23:45, 24 January 2017 (UTC)
			# I'd like to point out you are so fixated on only one branch of the attack tree that you're not seeing how your argument could apply equally well to the other branch that you dismiss a "tinfoil hat threat" despite massive real-world evidence to the contrary. I could rephrase your comment: "You are wrong. The consensus on endpoint security experts are that you are wrong, and your recommendations to just trust endpoint software is gross negligence that will end up hurting users. If you don't believe me go talk to another expert on endpoint security. Oh but it's fine for me if I setup a perfectly secure endpoint, so it's OK for everybody. Automatic wallet generation on untrusted endpoint are a trap for smart people who don't understand how effective endpoint comprimising techniques are at subverting the integrity of their system in endlessly creative ways". My argument isn't that "my" threat is more important that "your" threat. My argument is that both threats are substantial and that I don't think we should dismiss either of them. If there's a tradeoff to be made where mitigating one risk comes at the expense of mitigating another we need to find the right balance to make a wise choice. Seeing things in black and white, your camp vs my camp, as an argument to be won, that's an all too human but very dangerous an unproductive attitude for a security expert to take.
	# Trustworthy is a probability not a binary value. Convenience is also a matter of degree. There's an inescapable trade-off. You can say: As an expert, I recommend you hold up to $100 in your pocket, up to $10000 in a steel vault and the rest in stocks or whatever. You'd be right to criticize my position if I was being simple minded to the point of absurdity. If I somehow miscommunicated that impression, I wouldn't blame you for feeling like there's no point in talking to this idiot.		# Trustworthy is a probability not a binary value. Convenience is also a matter of degree. There's an inescapable trade-off. You can say: As an expert, I recommend you hold up to $100 in your pocket, up to $10000 in a steel vault and the rest in stocks or whatever. You'd be right to criticize my position if I was being simple minded to the point of absurdity. If I somehow miscommunicated that impression, I wouldn't blame you for feeling like there's no point in talking to this idiot.
	# For the record, Hardware CSPRNGs are no more trustworthy, if anything I trust them even less because they're such high value targets. That's why I limit their use to relatively small sums. Great for day-to-day use though. Very convenient. But I'm anticipating to wake up one day and learn a whole bunch of wallets got their funds swept and we eventually trace that back to weak/weakened wallet creation. I hope I'll be proven wrong but in the meantime, like you, I'm trying to help users minimize their exposure.		# For the record, Hardware CSPRNGs are no more trustworthy, if anything I trust them even less because they're such high value targets. That's why I limit their use to relatively small sums. Great for day-to-day use though. Very convenient. But I'm anticipating to wake up one day and learn a whole bunch of wallets got their funds swept and we eventually trace that back to weak/weakened wallet creation. I hope I'll be proven wrong but in the meantime, like you, I'm trying to help users minimize their exposure.

Liraz: /* Another reply */ On second thought, 5 words should be the minimum, juuuust in case

2017-01-25T13:16:55Z

Another reply: On second thought, 5 words should be the minimum, juuuust in case

← Older revision		Revision as of 13:16, 25 January 2017
Line 89:		Line 89:

	* [[User:Liraz\|Liraz]] ([[User talk:Liraz\|talk]]) 17:20, 24 January 2017 (UTC)		* [[User:Liraz\|Liraz]] ([[User talk:Liraz\|talk]]) 17:20, 24 January 2017 (UTC)
	# I really like your idea, though I would implement it differently because I'm not much good at doing XOR in my head, and the more friction something involves the less likely I am to do it. I do agree that creating a user-verifiable key generation tool could blend the best of both manual and automatic entropy. That could be a good default and a real improvement to existing key generation techniques. I'm thinking there's a good way to implement that which would feature the best of what I like about Warpwallets and HD wallets. There would be two steps. First, we would have an entropy collection step that we can reproduce and verify in a deterministic way. For example our tool generates 4-8 mnemonic words (52 - 104 bits) from the CSPRNG and then prompts the user for N additional bits of entropy, using a tool like zxcvbn to measure the entropy. We don't need to XOR, we can just append the manually entropy to the computer entropy. From that we generate a new mnemonic 4-8 word code. The output is deterministic so we could have another mode that allows us to repeat and verify the result, for the "tinfoil" crowd. If it's malware at least it's deterministic malware. Different implementations in different languages running on different platforms could be compared for bonus tinfoil-hat points. Now that we have 52 - 104 bits of entropy, we can use the warpwallet algorithm WITH a mandatory salt to generate the final 12 word BIP39 key. I'd get more tinfoil points for suggesting we force users to seed the wallet with more than 4 words, even with a strong KDF and salt, but 4 truly random words should ~~actually~~ be enough for ~~someone~~ who isn't holding huge sums in their wallet, and we should balance the risk of theft from monster botnets with the much more banal and routine risk of misplacing/exposing your paper wallet and/or forgetting a long mnemonic. If a to-be-stretched-and-salted seed is just 4 words, users are much more likely to store it successfully in their heads, ALA XKCD. For more high risk wallets, 6-8 seed words would be more appropriate, so that could be a choice.		# I really like your idea, though I would implement it differently because I'm not much good at doing XOR in my head, and the more friction something involves the less likely I am to do it. I do agree that creating a user-verifiable key generation tool could blend the best of both manual and automatic entropy. That could be a good default and a real improvement to existing key generation techniques. I'm thinking there's a good way to implement that which would feature the best of what I like about Warpwallets and HD wallets. There would be two steps. First, we would have an entropy collection step that we can reproduce and verify in a deterministic way. For example our tool generates 5-8 mnemonic words (64 - 104 bits) from the CSPRNG and then prompts the user for N additional bits of entropy, using a tool like zxcvbn to measure the entropy. We don't need to XOR, we can just append the manually entropy to the computer entropy. From that we generate a new mnemonic 5-8 word code. The output is deterministic so we could have another mode that allows us to repeat and verify the result, for the "tinfoil" crowd. If it's malware at least it's deterministic malware. Different implementations in different languages running on different platforms could be compared for bonus tinfoil-hat points. Now that we have 64 - 104 bits of entropy, we can use the warpwallet algorithm WITH a mandatory salt to generate the final 12 word BIP39 key. I'd get more tinfoil points for suggesting we force users to seed the wallet with more than 5 words, even with a strong KDF and salt, but 5 truly random words should be enough for anyone who isn't holding huge sums in their wallet, and we should balance the risk of theft from monster botnets with the much more banal and routine risk of misplacing/exposing your paper wallet and/or forgetting a long mnemonic. If a to-be-stretched-and-salted seed is just 5 words, users are much more likely to store it successfully in their heads, ALA XKCD. For more high risk wallets, 6-8 seed words would be more appropriate, so that could be a choice. With 5 random words a 250,000,000 brainflayer botnet generating 100 guesses a second (10X faster than you're currently getting) would take 12 years to crack an '''unsalted''' Warpwallet. Salting the Warpwallet would banish cryptographic attacks to the realm of science fiction.
	# The above scheme wouldn't be idiot proof (I believe that's an impossible goal), but it would be more idiot proof than either letting a potentially unfaithful wallet/RNG generate keys for you or trusting the user to do enough die rolls. I also think that user stupidity is something we could a lot to mitigate with a good UX embedding educational elements and an interface that doesn't encourage the user to cheat themselves.		# The above scheme wouldn't be idiot proof (I believe that's an impossible goal), but it would be more idiot proof than either letting a potentially unfaithful wallet/RNG generate keys for you or trusting the user to do enough die rolls. I also think that user stupidity is something we could a lot to mitigate with a good UX embedding educational elements and an interface that doesn't encourage the user to cheat themselves.
	# If someone is rolling dice instead of letting the computer generate the seed for them, they're probably already quite a bit more informed regarding the risks		# If someone is rolling dice instead of letting the computer generate the seed for them, they're probably already quite a bit more informed regarding the risks

Liraz: /* What about salting? */ clear up ambiguity

2017-01-25T00:08:59Z

What about salting?: clear up ambiguity

← Older revision		Revision as of 00:08, 25 January 2017
Line 137:		Line 137:
	# We both agree that the threats are real and significant, we just place different weights on them. Before our correspondence it was my understanding that ROI for attacking '''salted''' warpwallets was so low that it would make the operation of a botnet most likely unprofitable. I don't think we disagree on that. I think we might disagree on the optimal set of trade-offs to factor into our recommendations to non-experts where protecting against one risk necessarily weakens protection against another. We agree that salts are essential and should be mandatory, key stretching adds security but isn't a silver bullet, humans are bad as sources of entropy, end-point security is really hard, blindly trusting RNGs is unwise, Warpwallet being a PITA to use and a privacy risk to use as your main wallet, and that your research is very important it and you're doing the Bitcoin community a huge service being an advocate against unsafe practices. That's a lot of common ground. Nice chatting with you Ryan (for me anyhow).		# We both agree that the threats are real and significant, we just place different weights on them. Before our correspondence it was my understanding that ROI for attacking '''salted''' warpwallets was so low that it would make the operation of a botnet most likely unprofitable. I don't think we disagree on that. I think we might disagree on the optimal set of trade-offs to factor into our recommendations to non-experts where protecting against one risk necessarily weakens protection against another. We agree that salts are essential and should be mandatory, key stretching adds security but isn't a silver bullet, humans are bad as sources of entropy, end-point security is really hard, blindly trusting RNGs is unwise, Warpwallet being a PITA to use and a privacy risk to use as your main wallet, and that your research is very important it and you're doing the Bitcoin community a huge service being an advocate against unsafe practices. That's a lot of common ground. Nice chatting with you Ryan (for me anyhow).

	** [[User:Liraz\|Liraz]] ([[User talk:Liraz\|talk]]) 17:49, 24 January 2017 (UTC) I mean, it boggles my mind how worried we are about losing ~~coints~~ to exotic risks such as Bitflayer botnets with millions of nodes, and meanwhile, the standard recommendation is to:		** [[User:Liraz\|Liraz]] ([[User talk:Liraz\|talk]]) 17:49, 24 January 2017 (UTC) I mean, it boggles my mind how worried we are about losing Warpwallets <s>coins</s> to exotic risks such as Bitflayer botnets with millions of nodes, and meanwhile, the standard recommendation is to:
	# Trust endpoints that can and have been compromised in endlessly creative ways		# Trust endpoints that can and have been compromised in endlessly creative ways
	# Get that endpoint to create a hard to remember seed for your wallet		# Get that endpoint to create a hard to remember seed for your wallet

Liraz: /* What about salting? */ BIP38 clarification

2017-01-25T00:01:10Z

What about salting?: BIP38 clarification

← Older revision		Revision as of 00:01, 25 January 2017
Line 145:		Line 145:

	* [[User:RyanC\|RyanC]] People run these botnets already! I gave a talk last summer, one of the bots robbed our bait wallet live on stage! This problem is solved trivially with BIP38 paper wallets. Risk of loss can be mitigated by making multiple copies and storing them in different locations. Requiring adversaries to steal your paper wallet and crack the passphrase is better than publishing what is effectively a hash of your passphrase and hoping for the best.		* [[User:RyanC\|RyanC]] People run these botnets already! I gave a talk last summer, one of the bots robbed our bait wallet live on stage! This problem is solved trivially with BIP38 paper wallets. Risk of loss can be mitigated by making multiple copies and storing them in different locations. Requiring adversaries to steal your paper wallet and crack the passphrase is better than publishing what is effectively a hash of your passphrase and hoping for the best.

			[[User:Liraz\|Liraz]] ([[User talk:Liraz\|talk]]) 00:01, 25 January 2017 (UTC) Clarified what I meant regarding botnets above. Regarding BIP38, like all automatic wallet generation procedures, the security of a BIP38 wallet depends on the security of the endpoint generating it, which is not a trivial problem for users to solve. We integrate a BIP38 paper wallet generation tool into BitKey. It's very useful, but I tell people if they don't trust us, our build process and/or their ability to independently verify the integrity of the software, they might want to use something else instead they don't have to trust. Trust-minimized solutions are better than solutions that require trust. I think that was the one of the key innovations Bitcoin/blockchain introduced: http://nakamotoinstitute.org/trusted-third-parties/

Liraz: OK, thanks anyway

2017-01-24T23:45:50Z

OK, thanks anyway

← Older revision		Revision as of 23:45, 24 January 2017
Line 129:		Line 129:

	* [[User:RyanC\|RyanC]] You are wrong. The consensus on this from other experts is that you are wrong. Your recommendations will harm users. I've talked to several otherwise smart people who have lost painfully large sums of money to various deterministic wallet tools. Such tools are a trap for people who are smart, but don't quite understand how effective password cracking can be. Many people think they do, but there is a lot of bad advice about passwords and passphrases out there. I personally have used passphrases in the past for things like GPG keys that would have gotten me 0wned if I'd used them even in WarpWallet. I'm done arguing with you, it's clearly not productive. Please talk with some of the Bitcoin developers about this if you still don't believe me. Please also understand how incredibly frustrating it is to have seen firsthand how much damage tools like this can cause their typical users (a paper was published about this), and then have people say "oh, but it's fine if I use it perfectly, so it's okay for everyone". If you want to use it, I can't stop you, but recommending these tools to random newbies is gross negligence. I also want to point out that it's a bit absurd to recommend hardware wallets if you categorically don't trust CSPRNGs. Why are their CSPRNGs trustworthy and others not?		* [[User:RyanC\|RyanC]] You are wrong. The consensus on this from other experts is that you are wrong. Your recommendations will harm users. I've talked to several otherwise smart people who have lost painfully large sums of money to various deterministic wallet tools. Such tools are a trap for people who are smart, but don't quite understand how effective password cracking can be. Many people think they do, but there is a lot of bad advice about passwords and passphrases out there. I personally have used passphrases in the past for things like GPG keys that would have gotten me 0wned if I'd used them even in WarpWallet. I'm done arguing with you, it's clearly not productive. Please talk with some of the Bitcoin developers about this if you still don't believe me. Please also understand how incredibly frustrating it is to have seen firsthand how much damage tools like this can cause their typical users (a paper was published about this), and then have people say "oh, but it's fine if I use it perfectly, so it's okay for everyone". If you want to use it, I can't stop you, but recommending these tools to random newbies is gross negligence. I also want to point out that it's a bit absurd to recommend hardware wallets if you categorically don't trust CSPRNGs. Why are their CSPRNGs trustworthy and others not?

			* [[User:Liraz\|Liraz]] ([[User talk:Liraz\|talk]]) 23:45, 24 January 2017 (UTC)
			# Trustworthy is a probability not a binary value. Convenience is also a matter of degree. There's an inescapable trade-off. You can say: As an expert, I recommend you hold up to $100 in your pocket, up to $10000 in a steel vault and the rest in stocks or whatever. You'd be right to criticize my position if I was being simple minded to the point of absurdity. If I somehow miscommunicated that impression, I wouldn't blame you for feeling like there's no point in talking to this idiot.
			# For the record, Hardware CSPRNGs are no more trustworthy, if anything I trust them even less because they're such high value targets. That's why I limit their use to relatively small sums. Great for day-to-day use though. Very convenient. But I'm anticipating to wake up one day and learn a whole bunch of wallets got their funds swept and we eventually trace that back to weak/weakened wallet creation. I hope I'll be proven wrong but in the meantime, like you, I'm trying to help users minimize their exposure.
			# Before I sign off and stop troubling you with unwanted discussion, I just wanted to express my appreciation for the time you've taken to explain your position, the efforts to protect users and also that you went public with your research and didn't use it to run another botnet. You're a philanthropist. I've been benefiting from your advice and have been spreading it to anyone foolish enough to consider using SHA256 brainwallets. I've even done experiments with leaving various amounts of funds in SHA256 brainwallets just to see what would happen and have seen them grabbed with my own eyes. I never meant to downplay your research or imply that brainwallet stealing botnets don't exist. They obviously do and it's important to take that risk into account. If there's a gap in our understanding I think it's due each of us spending more time researching different classes of threats. I used to work with the military and spent a good chunk of my life researching sophisticated malware. Endpoint security risks looms ever large in my mind. I guess that makes me atypically skeptical of claims of system integrity. I imagine for you the risk of users choosing bad passwords/passphrases, having cracked so many of them seems to deserve more of an emphasis.
			# Sorry you feel the discussion was unproductive. If I've rubbed you the wrong way I apologize. FWIW, I found it productive.You've also convinced me that Warpwallet makes it too easy to avoid salting and the default should be changed. I'll try to get a patch through. I'll also be updating my recommendations on the resources I control to stress that the salt is mandatory and that using Warpwallet is unsafe without it.
			# We both agree that the threats are real and significant, we just place different weights on them. Before our correspondence it was my understanding that ROI for attacking '''salted''' warpwallets was so low that it would make the operation of a botnet most likely unprofitable. I don't think we disagree on that. I think we might disagree on the optimal set of trade-offs to factor into our recommendations to non-experts where protecting against one risk necessarily weakens protection against another. We agree that salts are essential and should be mandatory, key stretching adds security but isn't a silver bullet, humans are bad as sources of entropy, end-point security is really hard, blindly trusting RNGs is unwise, Warpwallet being a PITA to use and a privacy risk to use as your main wallet, and that your research is very important it and you're doing the Bitcoin community a huge service being an advocate against unsafe practices. That's a lot of common ground. Nice chatting with you Ryan (for me anyhow).

	** [[User:Liraz\|Liraz]] ([[User talk:Liraz\|talk]]) 17:49, 24 January 2017 (UTC) I mean, it boggles my mind how worried we are about losing coints to exotic risks such as Bitflayer botnets with millions of nodes, and meanwhile, the standard recommendation is to:		** [[User:Liraz\|Liraz]] ([[User talk:Liraz\|talk]]) 17:49, 24 January 2017 (UTC) I mean, it boggles my mind how worried we are about losing coints to exotic risks such as Bitflayer botnets with millions of nodes, and meanwhile, the standard recommendation is to:

Ryanc: mic drop

2017-01-24T18:15:01Z

*mic drop*

← Older revision		Revision as of 18:15, 24 January 2017
Line 127:		Line 127:

	* [[User:Liraz\|Liraz]] ([[User talk:Liraz\|talk]]) 17:34, 24 January 2017 (UTC) For sure, it isn't a good tool to use for your main wallet. That was not my recommendation. Neither is a paper wallet. For my main day-to-day wallet I use (and recommend) a hardware wallet. Partially spending Warpwallet isn't as convenient or efficient, but it's not that much different in that respect from other cold storage transactions. In practice, it takes a few seconds of additional work relative to a standard cold storage transaction. I've documented that workflow on bitkey.io if you're interested. My point is that even in it's current form it's a useful way to place funds in cold storage. The concept of a Brainwallet is actually a pretty good one in my opinion. Encouraging people to backup their wallets in paper (which most wallets do) opens a whole other can of worms. I find it hard to believe we would be doing that if we had a decent easy to remember alternative that wasn't pitifully insecure.		* [[User:Liraz\|Liraz]] ([[User talk:Liraz\|talk]]) 17:34, 24 January 2017 (UTC) For sure, it isn't a good tool to use for your main wallet. That was not my recommendation. Neither is a paper wallet. For my main day-to-day wallet I use (and recommend) a hardware wallet. Partially spending Warpwallet isn't as convenient or efficient, but it's not that much different in that respect from other cold storage transactions. In practice, it takes a few seconds of additional work relative to a standard cold storage transaction. I've documented that workflow on bitkey.io if you're interested. My point is that even in it's current form it's a useful way to place funds in cold storage. The concept of a Brainwallet is actually a pretty good one in my opinion. Encouraging people to backup their wallets in paper (which most wallets do) opens a whole other can of worms. I find it hard to believe we would be doing that if we had a decent easy to remember alternative that wasn't pitifully insecure.

			* [[User:RyanC\|RyanC]] You are wrong. The consensus on this from other experts is that you are wrong. Your recommendations will harm users. I've talked to several otherwise smart people who have lost painfully large sums of money to various deterministic wallet tools. Such tools are a trap for people who are smart, but don't quite understand how effective password cracking can be. Many people think they do, but there is a lot of bad advice about passwords and passphrases out there. I personally have used passphrases in the past for things like GPG keys that would have gotten me 0wned if I'd used them even in WarpWallet. I'm done arguing with you, it's clearly not productive. Please talk with some of the Bitcoin developers about this if you still don't believe me. Please also understand how incredibly frustrating it is to have seen firsthand how much damage tools like this can cause their typical users (a paper was published about this), and then have people say "oh, but it's fine if I use it perfectly, so it's okay for everyone". If you want to use it, I can't stop you, but recommending these tools to random newbies is gross negligence. I also want to point out that it's a bit absurd to recommend hardware wallets if you categorically don't trust CSPRNGs. Why are their CSPRNGs trustworthy and others not?

	** [[User:Liraz\|Liraz]] ([[User talk:Liraz\|talk]]) 17:49, 24 January 2017 (UTC) I mean, it boggles my mind how worried we are about losing coints to exotic risks such as Bitflayer botnets with millions of nodes, and meanwhile, the standard recommendation is to:		** [[User:Liraz\|Liraz]] ([[User talk:Liraz\|talk]]) 17:49, 24 January 2017 (UTC) I mean, it boggles my mind how worried we are about losing coints to exotic risks such as Bitflayer botnets with millions of nodes, and meanwhile, the standard recommendation is to:
Line 134:		Line 136:

	If worst comes to worse and the government, or criminals or whatever are looking for your coins, they'll ransack your house and bank vaults, find that piece of paper and all of our sophisticated crypto goes up in smoke. I think the future will look back to us and laugh: secrets are meant to be remembered, not written down!		If worst comes to worse and the government, or criminals or whatever are looking for your coins, they'll ransack your house and bank vaults, find that piece of paper and all of our sophisticated crypto goes up in smoke. I think the future will look back to us and laugh: secrets are meant to be remembered, not written down!

			* [[User:RyanC\|RyanC]] People run these botnets already! I gave a talk last summer, one of the bots robbed our bait wallet live on stage! This problem is solved trivially with BIP38 paper wallets. Risk of loss can be mitigated by making multiple copies and storing them in different locations. Requiring adversaries to steal your paper wallet and crack the passphrase is better than publishing what is effectively a hash of your passphrase and hoping for the best.

Liraz: /* What about salting? */

2017-01-24T17:50:09Z

What about salting?

← Older revision		Revision as of 17:50, 24 January 2017
Line 128:		Line 128:
	* [[User:Liraz\|Liraz]] ([[User talk:Liraz\|talk]]) 17:34, 24 January 2017 (UTC) For sure, it isn't a good tool to use for your main wallet. That was not my recommendation. Neither is a paper wallet. For my main day-to-day wallet I use (and recommend) a hardware wallet. Partially spending Warpwallet isn't as convenient or efficient, but it's not that much different in that respect from other cold storage transactions. In practice, it takes a few seconds of additional work relative to a standard cold storage transaction. I've documented that workflow on bitkey.io if you're interested. My point is that even in it's current form it's a useful way to place funds in cold storage. The concept of a Brainwallet is actually a pretty good one in my opinion. Encouraging people to backup their wallets in paper (which most wallets do) opens a whole other can of worms. I find it hard to believe we would be doing that if we had a decent easy to remember alternative that wasn't pitifully insecure.		* [[User:Liraz\|Liraz]] ([[User talk:Liraz\|talk]]) 17:34, 24 January 2017 (UTC) For sure, it isn't a good tool to use for your main wallet. That was not my recommendation. Neither is a paper wallet. For my main day-to-day wallet I use (and recommend) a hardware wallet. Partially spending Warpwallet isn't as convenient or efficient, but it's not that much different in that respect from other cold storage transactions. In practice, it takes a few seconds of additional work relative to a standard cold storage transaction. I've documented that workflow on bitkey.io if you're interested. My point is that even in it's current form it's a useful way to place funds in cold storage. The concept of a Brainwallet is actually a pretty good one in my opinion. Encouraging people to backup their wallets in paper (which most wallets do) opens a whole other can of worms. I find it hard to believe we would be doing that if we had a decent easy to remember alternative that wasn't pitifully insecure.

	** [[User:Liraz\|Liraz]] ([[User talk:Liraz\|talk]]) 17:49, 24 January 2017 (UTC) I mean, it boggles my mind how worried we are about losing coints to exotic risks such as Bitflayer botnets with millions of nodes, and meanwhile, the standard recommendation is to:		** [[User:Liraz\|Liraz]] ([[User talk:Liraz\|talk]]) 17:49, 24 January 2017 (UTC) I mean, it boggles my mind how worried we are about losing coints to exotic risks such as Bitflayer botnets with millions of nodes, and meanwhile, the standard recommendation is to:
	# Trust endpoints that can and have been compromised in endlessly creative ways		# Trust endpoints that can and have been compromised in endlessly creative ways
	# Get that endpoint to create a hard to remember seed for your wallet		# Get that endpoint to create a hard to remember seed for your wallet
Line 134:		Line 134:

	If worst comes to worse and the government, or criminals or whatever are looking for your coins, they'll ransack your house and bank vaults, find that piece of paper and all of our sophisticated crypto goes up in smoke. I think the future will look back to us and laugh: secrets are meant to be remembered, not written down!		If worst comes to worse and the government, or criminals or whatever are looking for your coins, they'll ransack your house and bank vaults, find that piece of paper and all of our sophisticated crypto goes up in smoke. I think the future will look back to us and laugh: secrets are meant to be remembered, not written down!


	~~# Write it down to~~
	~~these terribly untrustworthy end-points to computer~~

Liraz: /* What about salting? */

2017-01-24T17:49:05Z

What about salting?

← Older revision		Revision as of 17:49, 24 January 2017
Line 126:		Line 126:
	Even aside from the entropy issue, WarpWallet isn't a good tool. It generates uncompressed addresses and keys which are more expensive to use. It has no built-in scheme for multiple addresses. Partially spending a WarpWallet requires tedious manual transaction work of the sort that people can and do screw up.		Even aside from the entropy issue, WarpWallet isn't a good tool. It generates uncompressed addresses and keys which are more expensive to use. It has no built-in scheme for multiple addresses. Partially spending a WarpWallet requires tedious manual transaction work of the sort that people can and do screw up.

	* [[User:Liraz\|Liraz]] ([[User talk:Liraz\|talk]]) 17:34, 24 January 2017 (UTC) For sure, it isn't a good tool to use for your main wallet. That was not my recommendation. Neither is a paper wallet. For my main day-to-day wallet I use (and recommend) a hardware wallet. Partially spending Warpwallet isn't as convenient or efficient, but it's not that much different in that respect from other cold storage transactions. In practice, it takes a few seconds of additional work relative to a standard cold storage transaction. I've documented that workflow on bitkey.io if you're interested. My point is that even in it's current form it's a useful way to place funds in cold storage. The concept of a Brainwallet is actually a pretty good one in my opinion. Encouraging people to backup their wallets in paper (which most wallets do) opens a whole other can of worms. I find it hard to believe we would be doing that if we had a decent easy to remember alternative that wasn't pitifully insecure.		* [[User:Liraz\|Liraz]] ([[User talk:Liraz\|talk]]) 17:34, 24 January 2017 (UTC) For sure, it isn't a good tool to use for your main wallet. That was not my recommendation. Neither is a paper wallet. For my main day-to-day wallet I use (and recommend) a hardware wallet. Partially spending Warpwallet isn't as convenient or efficient, but it's not that much different in that respect from other cold storage transactions. In practice, it takes a few seconds of additional work relative to a standard cold storage transaction. I've documented that workflow on bitkey.io if you're interested. My point is that even in it's current form it's a useful way to place funds in cold storage. The concept of a Brainwallet is actually a pretty good one in my opinion. Encouraging people to backup their wallets in paper (which most wallets do) opens a whole other can of worms. I find it hard to believe we would be doing that if we had a decent easy to remember alternative that wasn't pitifully insecure.

			** [[User:Liraz\|Liraz]] ([[User talk:Liraz\|talk]]) 17:49, 24 January 2017 (UTC) I mean, it boggles my mind how worried we are about losing coints to exotic risks such as Bitflayer botnets with millions of nodes, and meanwhile, the standard recommendation is to:
			# Trust endpoints that can and have been compromised in endlessly creative ways
			# Get that endpoint to create a hard to remember seed for your wallet
			# Write down the seed on a piece of paper(!), that can be lost, stolen, burned, or water-logged

			If worst comes to worse and the government, or criminals or whatever are looking for your coins, they'll ransack your house and bank vaults, find that piece of paper and all of our sophisticated crypto goes up in smoke. I think the future will look back to us and laugh: secrets are meant to be remembered, not written down!


			# Write it down to
			these terribly untrustworthy end-points to computer

Liraz: /* What about salting? */

2017-01-24T17:35:02Z

What about salting?

← Older revision		Revision as of 17:35, 24 January 2017
Line 125:		Line 125:

	Even aside from the entropy issue, WarpWallet isn't a good tool. It generates uncompressed addresses and keys which are more expensive to use. It has no built-in scheme for multiple addresses. Partially spending a WarpWallet requires tedious manual transaction work of the sort that people can and do screw up.		Even aside from the entropy issue, WarpWallet isn't a good tool. It generates uncompressed addresses and keys which are more expensive to use. It has no built-in scheme for multiple addresses. Partially spending a WarpWallet requires tedious manual transaction work of the sort that people can and do screw up.
	[[User:Liraz\|Liraz]] ([[User talk:Liraz\|talk]]) 17:34, 24 January 2017 (UTC) For sure, it isn't a good tool to use for your main wallet. That was not my recommendation. Neither is a paper wallet. For my main day-to-day wallet I use (and recommend) a hardware wallet. Partially spending Warpwallet isn't as convenient or efficient, but it's not that much different in that respect from other cold storage transactions. In practice, it takes a few seconds of additional work relative to a standard cold storage transaction. I've documented that workflow on bitkey.io if you're interested. My point is that even in it's current form it's a useful way to place funds in cold storage. The concept of a Brainwallet is actually a pretty good one in my opinion. Encouraging people to backup their wallets in paper (which most wallets do) opens a whole other can of worms. I find it hard to believe we would be doing that if we had a decent easy to remember alternative that wasn't pitifully insecure.
			* [[User:Liraz\|Liraz]] ([[User talk:Liraz\|talk]]) 17:34, 24 January 2017 (UTC) For sure, it isn't a good tool to use for your main wallet. That was not my recommendation. Neither is a paper wallet. For my main day-to-day wallet I use (and recommend) a hardware wallet. Partially spending Warpwallet isn't as convenient or efficient, but it's not that much different in that respect from other cold storage transactions. In practice, it takes a few seconds of additional work relative to a standard cold storage transaction. I've documented that workflow on bitkey.io if you're interested. My point is that even in it's current form it's a useful way to place funds in cold storage. The concept of a Brainwallet is actually a pretty good one in my opinion. Encouraging people to backup their wallets in paper (which most wallets do) opens a whole other can of worms. I find it hard to believe we would be doing that if we had a decent easy to remember alternative that wasn't pitifully insecure.

User talk:Ryanc - Revision history

Liraz: typos

Liraz: /* What about salting? */ In opposition to black and white thinking

Liraz: /* Another reply */ On second thought, 5 words should be the minimum, juuuust in case

Liraz: /* What about salting? */ clear up ambiguity

Liraz: /* What about salting? */ BIP38 clarification

Liraz: OK, thanks anyway

Ryanc: *mic drop*

Liraz: /* What about salting? */

Liraz: /* What about salting? */

Liraz: /* What about salting? */

Ryanc: mic drop