
/biz/ - Business & Finance



File: 223 KB, 1723x2047, 133767702_1530736973777049_3126720030505898776_n.jpg
No.25316345

Hello /biz/, I'd like you to please help me find the weakest link in my planned crypto safeguards

>MetaMask
>Accessed by hardware wallet (Trezor/Ledger)
>Hardware wallet stored in a secret compartment
>Seed phrases engraved on metal, memorized, stored in different secret compartments

What are the possible attack vectors and how could I improve this setup?
Also, I'm leaning towards the Trezor because it's open source and they're at least competent enough to secure a customer database. Let me know what you think.
Thanks a lot and happy New Year

>> No.25316351

god i wish i was her

>> No.25316408

>>25316351
what's stopping you

>> No.25316484

>>25316351
you want to be a pornstar with daddy issues and poor self image?

>> No.25316669
File: 54 KB, 639x639, 1609265803714.jpg

blease resbond

>> No.25316774

>>25316669
Ok

>> No.25316824

>>25316669
You just attract coomers with pictures like these. I've already not read your initial post and I'm reverse image searching the pics.

>> No.25316843

Imagine that underwear slicing a log in half as it shoots out.

>> No.25316847

>>25316669
the left one has a cute face, would fug

>> No.25316918

>>25316824
>>25316843
>>25316847
when you're finished coooming BLEASE read my OP and i would be grateful for your advice <3

>> No.25317087

>>25316345
>>25316345
>What are the possible attack vectors and how could I improve this setup?

I agree, go with Trezor over Ledger, because Ledger Corp. are fucking idiots.

Possible attack vectors:

1) Someone finding your seed backup
2) Ransom/torture

Solution to both: Use a passphrase to your seed, a 13th/25th word that you store separately from your main seed, equally redundant. Make it *non* memorable, so you can't be tortured for it. Store it somewhere where, if someone forces you to go there, you can alert someone, like a bank clerk.

3) Man-in-the-middle attack between you and your computer-screen

By verifying the receiving address on the HWW, this is mitigated greatly. Still, there remain a few attack vectors. Make sure that the transaction you sign does exactly what you mean. Let's say you have 1 STC (=shitcoin, idk what you're going to use it for) and you want to send 0.3 STC to Alice. So you get the address from Alice by... e-mail? On the web? If you have malware on your computer, how do you know that that truly is Alice's address? Ask her out-of-band. Like personally call her up, or use a second device running a different operating system on a different network. If you verified it's Alice's address, make sure the transaction your HWW is going to sign is actually 0.3 STC to Alice and ONLY that: not 0.3 STC to Alice, verified on the HWW display, plus 0.7 STC to Eve that you don't see (Eve is evil and infected your computer).

HWWs are great, but I think a cheap, maybe used PC with a fresh install of whatever flavor of Linux you want is a good addition for using the HWW.
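Added example, not the anon's own code: the check the HWW display is doing for you, written out in Python for a legacy (pre-segwit) Bitcoin transaction, because that is the serialisation where one signature can cover more outputs than the one you meant to pay. build_tx(), the ALICE_SPK/EVE_SPK scriptPubKeys and DEMO_TX are constructed for the demo; the amounts are the 0.3/0.7 split from the post in satoshi. list_outputs() walks every output and unexpected_outputs() flags anything that is not in your intended set, which is the check to run on a second machine before the HWW signs. Segwit serialisation (a 0x00 marker after the version) is rejected rather than misparsed.

```python
import struct

# Constructed P2PKH scriptPubKeys standing in for Alice's and Eve's addresses.
ALICE_SPK = b"\x76\xa9\x14" + b"\x11" * 20 + b"\x88\xac"
EVE_SPK = b"\x76\xa9\x14" + b"\x22" * 20 + b"\x88\xac"


def _varint(n):
    """Bitcoin CompactSize encoding."""
    if n < 0xFD:
        return bytes([n])
    if n <= 0xFFFF:
        return b"\xfd" + struct.pack("<H", n)
    if n <= 0xFFFFFFFF:
        return b"\xfe" + struct.pack("<I", n)
    return b"\xff" + struct.pack("<Q", n)


def _read_varint(raw, pos):
    first = raw[pos]
    if first < 0xFD:
        return first, pos + 1
    if first == 0xFD:
        return struct.unpack_from("<H", raw, pos + 1)[0], pos + 3
    if first == 0xFE:
        return struct.unpack_from("<I", raw, pos + 1)[0], pos + 5
    return struct.unpack_from("<Q", raw, pos + 1)[0], pos + 9


def build_tx(inputs, outputs, version=1, locktime=0):
    """Serialise a legacy transaction (demo helper, constructed here).

    inputs:  [(prev_txid_32_bytes, vout, script_sig)]
    outputs: [(value_in_satoshi, script_pubkey)]
    """
    raw = struct.pack("<i", version) + _varint(len(inputs))
    for txid, vout, script_sig in inputs:
        raw += txid + struct.pack("<I", vout)
        raw += _varint(len(script_sig)) + script_sig + b"\xff\xff\xff\xff"
    raw += _varint(len(outputs))
    for value, spk in outputs:
        raw += struct.pack("<q", value) + _varint(len(spk)) + spk
    return raw + struct.pack("<I", locktime)


def list_outputs(raw):
    """Return every (value_in_satoshi, script_pubkey) of a legacy transaction."""
    if raw[4] == 0x00:
        raise ValueError("segwit serialisation not handled by this demo parser")
    pos = 4
    n_in, pos = _read_varint(raw, pos)
    for _ in range(n_in):
        pos += 32 + 4                      # previous txid and output index
        script_len, pos = _read_varint(raw, pos)
        pos += script_len + 4              # scriptSig and sequence
    n_out, pos = _read_varint(raw, pos)
    outputs = []
    for _ in range(n_out):
        value = struct.unpack_from("<q", raw, pos)[0]
        pos += 8
        script_len, pos = _read_varint(raw, pos)
        outputs.append((value, raw[pos:pos + script_len]))
        pos += script_len
    return outputs


def unexpected_outputs(raw, intended):
    """Outputs that are not exactly what you meant to pay.

    intended: {script_pubkey: value_in_satoshi}. Anything else, including the
    right address with the wrong amount, is returned for a human to look at.
    """
    return [(v, spk) for v, spk in list_outputs(raw) if intended.get(spk) != v]


# Constructed transaction: the 0.3 STC to Alice you verified, plus 0.7 STC to Eve.
DEMO_TX = build_tx(
    [(b"\x00" * 32, 0, b"")],
    [(30_000_000, ALICE_SPK), (70_000_000, EVE_SPK)],
)
```

Your own change output must be in `intended` too, otherwise it is reported as well; that is the right default, since the wallet software choosing the change script is exactly the thing you are not trusting here.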

>> No.25317121
File: 106 KB, 530x487, 1609292052654.png

>>25316345
FEETA!

>> No.25317501
File: 2.79 MB, 640x1138, 1603921696333.webm

>>25317087
Fantastic, thank you anon.

Yes, one concern I've had is a keylogger or malware on my laptop which would install a "fake MetaMask" or somehow switch the recipient address as I'm making a transaction. I guess the way to prevent this is to simply triple check the recipient address. I don't know how crafty a fake MetaMask would be though or if I'd fall for it.

Does the Trezor support adding a passphrase to the seed? And surely it should be a memorable word, otherwise you've added just another risk factor (of losing the passphrase)? If it's a memorable word then you'd be safe in the case of somebody discovering the seed backup because they wouldn't know your simple passphrase nor could they brute force it (shouldn't be a dictionary word)

>> No.25317631

>>25317501
>Does the Trezor support adding a passphrase to the seed?

Yes, but get the Model T with the touchscreen display, so you can type the passphrase in on the HWW itself.

If you add a non-memorable passphrase, you have to back it up just like the seed. The point of making it non-memorable is twofold: A) Harder to brute-force (like 10-15 alphanumeric characters) B) resistant to torture. You can't give up something you don't know.

But yes, you would have to back it up like the seed. It's equally important.

>> No.25317659

>porn
Not going to help.
Dont post porn. The pros hate it.

>> No.25317666

>>25317501
Jesus Christ those tits. Sauce?

>> No.25317698

How do you use Metamask with a hardware wallet? Do you have to transfer from HWW to Metamask when you want to trade or can you trade right from the HWW?

>> No.25317727

>>25317087
>Solution to both: Use a passphrase to your seed, a 13th/25th word that you store separately from your main seed, equally redundant. Make it *non* memorable, so you can't be tortured for it. Store it somewhere, where if someone forces you to go there, you can alarm someone, like a bank-clerk.
this is not recommended. someone can still bruteforce their way in if they are just missing 1 word

>> No.25317758

>>25316351
Same

>> No.25317763

>>25317698
Metamask is then just a front-end to the HWW. Instead of reaching into its own memory to get the keys to sign the transactions, it just makes the transactions and hands them over to the HWW, which then signs them and hands them back to Metamask. Really, every HWW interface works that way. The trezor.io web interface, Ledger Live, Electrum, Wasabi, Specter,...

>> No.25317783

>>25317666
random bint on tiktok

>>25317631
Thanks a lot anon.

>>25317698
From what I know, the hardware wallet is not storing your coins. It's simply a physical authenticator. So you can use metamask as normal but you use the HWW to verify transactions meaning hacking software on your computer can't harm you.

>> No.25317815

>>25317727
"Word" doesn't mean "a human word in a dictionary". It means any string of characters. So "McdL5hVHSP3r1YLTGh" is a word in that sense. A whole 12 word seed is equally a word in that context. Or 700 space characters.

>> No.25317821

>>25317727
If it's a dictionary word they can, but if it's a made up word with lots of characters and numbers also then surely not?

>> No.25317867

>>25316345
Hardware wallets are a scam, build your own one.
all you need is a USB thumbdrive and tails OS on it.

its 100 times safer than trusting hardware wallet companies and other 3rd parties.

>>25317659
>The pros hate it.
the Pros practice Post Nut Clarity

>> No.25317872

>>25317501
come on bro why did you cut the tiktok post it

>> No.25317911

>>25317815
>>25317821
i don't understand. how would you do this under a bip39 passphrase where you get 24 dictionary words for example?

>> No.25317931

>>25316345
That's a man

>> No.25317966

>>25317872
you think I trawl tiktok to make coomer webms buddy?

>>25317867
everybody says this, but what you don't understand is that for somebody who doesn't have the technological understanding to do this confidently, it simply increases the risk of fucking up and losing keys and crypto. It's more likely that I will make a mistake and fuck everything up than that a hardware wallet company tries an exit scam.

>> No.25318001

PAPER WALLET FAGGOTS

ONLY

>> No.25318102

>>25317911
You get 23 words, chosen at random out of 2048 (the last is a checksum). That's an entropy of 253 bits. i.e. the chance of someone guessing YOUR 24 words is 1 over 1.4*10^76. Impossible in our universe, even with a perfect computer running on the energy of a supernova.

These 24 words are then put into a one-way hash-function, over and over again to artificially increase the computing demand of going from the words to the actual keys.

If you append something to the 24 words before you put it through the one-way hash function, the result is of course different. So you get different keys. Even if you add only one byte (i.e. one character, let's say an "a") to the 24 words, you arrive at different keys after the hashing is done. And because the hashing doesn't care which bytes are fed into it, you can add whatever you want as the 25th "word". In a sense, you always add a 25th word, but the default is that the word is empty.

>> No.25318160

>>25317966
> somebody who doesn't have the technological understanding
then go sit down and learn how to do it retarded brainlet faggot.

>> No.25318188

>>25318160
no i'm not a virgin

>> No.25318196

>>25317121
based footfag

>> No.25318222

>>25317966
>a hardware wallet company trying to do a exit scam.
It's not just the whole company exit scamming and moving to the Bahamas. They could just have shit-tier security (for example see Ledger), a single rogue employee who manages to subtly break the key generation in a way that no one notices (not that hard to do really), a hacker who gains access to their systems without them noticing for a while, extortion, government interference, secret service interference, they probably have not vetted each and every dependency they use so someone could take it over, etcetera etcetera. You really think nobody considers this sort of stuff when it's literally 100s of millions of dollars you could steal possibly without any repercussions?
>be employee
>contribute anonymously to some open-source project used by the company
>introduce some subtle bug
>decide, as an employee, to use that project as a dependency
>at this point you even have plausible deniability because they don't know it was you who introduced the vuln in the external project
>wait a few years until you think there's enough crypto stored on the compromised wallets
>by this time you don't even work there anymore

>> No.25318267

Woah, is that a butt? Of a girl? I think I’m gonna, think I’m gonna, think I’m gonna, oh no, oh no, oh no, ohnono, this is bad, it’s gonna happen, happening now.......now wait, oh yikes, it’s here

>> No.25318273

>>25318188
but you are poor and thats even worse than being a virgin.
mentally and financially poverty.

>> No.25318274

>>25318222
But if it's a Trezor then the code is open source and can be freely audited no?

>> No.25318307

>>25317666

> 666
> Jesus Christ

What does it mean?

>> No.25318321
File: 298 KB, 1080x2400, Screenshot_20201230-114622_Robinhood.jpg

>crypto bullshit

lol kid

>> No.25318331

>>25318274
Already answered that in the previous thread
>>25296668
>Even if it's open source you can't verify that the firmware actually running on the thing is the same one that you have the source of
>There could be an additional mechanism somewhere on the chip that applies a patch on the firmware even if you'd install it from source

>> No.25318517

>>25317087
You seem to be knowledgeable, maybe you can help me as well.
This summer I got hacked for 50 ETH (MetaMask and a trojan on a Windows machine).
Now I've ordered a Trezor and want to do it right.
For small transactions I have Trust wallet on iOS and I install metamask every now and then to do transactions and then uninstall it again.

How do I get the best of both worlds, as in security from the hw wallet combined with the handiness of metamask for defi stuff?

Also do I literally invent my own 12 words and write them onto the trezor and throw away the seed that comes with it? How does that work with a 13th word to increase security? Thanks in advance

>> No.25318546

>>25318321
>$448k (+164%) total return

So you invested $250k+ ?

>> No.25318652

>>25318517
there's literally an option in metamask to access your hw wallet IIRC

>> No.25318696

>>25316345
COOOFFFEEEEEE

>> No.25318705

>>25316345
I love coffee!

>> No.25318718

>>25318331
Is the firmware not audited? Surely every patch is scrutinized

>> No.25318719

>>25318517
I would go with a read-only system to be as secure as possible. That means a Live Linux USB and reinstalling MetaMask every time.

The HWW generates the seed, usually 12 or 24 words. If you want to create a 13th/25th word as passphrase offline, you can use dice.

Make a 6x6 matrix, fill it up with symbols (a-z, 0-9 for example) and then roll the dice. 2, 3 gives you the 2nd column, 3rd row; ah, an "m" or whatever. Do that 15 times and you have a very strong passphrase for your 13th/25th word.
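Added example, not the anon's own code: the dice grid above in Python. The grid layout (a-z then 0-9, filled row by row) and the column-then-row convention are assumptions for the demo. simulate_rolls() uses the OS CSPRNG only so the code runs without dice; real rolls are what you would feed passphrase_from_rolls(), and the result should never touch a networked machine. entropy_bits() gives the number to compare against a brute-force budget: 15 picks from 36 symbols is about 77.5 bits, provided the dice are fair and every cell of the grid is used.

```python
import math
import secrets

# Constructed 6x6 grid of 36 symbols (a-z, 0-9), as the post suggests.
# One die gives the column (1..6), a second die gives the row (1..6).
SYMBOLS = "abcdefghijklmnopqrstuvwxyz0123456789"
GRID = [list(SYMBOLS[r * 6:(r + 1) * 6]) for r in range(6)]


def symbol_for_roll(column, row):
    """Map one pair of dice (column, row), each 1..6, to a grid cell."""
    if not (1 <= column <= 6 and 1 <= row <= 6):
        raise ValueError("dice values must be 1..6")
    return GRID[row - 1][column - 1]


def passphrase_from_rolls(rolls):
    """rolls: sequence of (column, row) pairs read off real dice."""
    return "".join(symbol_for_roll(c, r) for c, r in rolls)


def entropy_bits(length, alphabet_size=len(SYMBOLS)):
    """Entropy of `length` independent uniform picks from the alphabet."""
    return length * math.log2(alphabet_size)


def simulate_rolls(count):
    """Stand-in for physical dice so the demo runs; uses the OS CSPRNG."""
    return [(secrets.randbelow(6) + 1, secrets.randbelow(6) + 1) for _ in range(count)]


if __name__ == "__main__":
    rolls = simulate_rolls(15)
    print(passphrase_from_rolls(rolls), round(entropy_bits(15), 1), "bits")
```

With the post's convention, the roll 2,3 lands on the 3rd row, 2nd column, which in this layout is "n"; whatever grid you draw, write the convention on the same sheet as the grid so you can repeat it when you need to regenerate nothing but can at least audit how the passphrase was made.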

>> No.25318726 [DELETED] 
File: 2.76 MB, 1907x1430, jeremy .png

>>25316345
Stupid whore

>> No.25318747

>>25316345
use shamir secret sharing for your passphrase
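Added example, not the poster's code: a minimal Shamir split of a passphrase into 3 shares of which any 2 rebuild it, done byte by byte over GF(2^8) with the AES polynomial. This is not SLIP-39 and has none of its checksums or wordlist; threshold, share count and the sample passphrase are demo inputs. Two caveats to keep: each share must be stored together with its x index, and plain Shamir has no integrity check, so a corrupted or mis-indexed share reconstructs silently to garbage. Test reconstruction from every allowed subset before you rely on the shares.

```python
import secrets


def _gf_mul(a, b):
    """Multiply in GF(2^8) with the reducing polynomial x^8 + x^4 + x^3 + x + 1."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return result


def _gf_inv(a):
    """Multiplicative inverse by search; the field has only 255 non-zero elements."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^8)")
    return next(x for x in range(1, 256) if _gf_mul(a, x) == 1)


def _eval_poly(coeffs, x):
    """Horner evaluation over GF(2^8); coeffs[0] is the secret byte."""
    acc = 0
    for c in reversed(coeffs):
        acc = _gf_mul(acc, x) ^ c
    return acc


def split_secret(secret, threshold, shares):
    """Return `shares` tuples (x, share_bytes); any `threshold` of them rebuild `secret`."""
    if not 1 < threshold <= shares <= 255:
        raise ValueError("need 1 < threshold <= shares <= 255")
    out = [(x, bytearray()) for x in range(1, shares + 1)]
    for s in secret:
        # A fresh random polynomial of degree threshold-1 per byte, constant term = the byte.
        coeffs = [s] + list(secrets.token_bytes(threshold - 1))
        for x, buf in out:
            buf.append(_eval_poly(coeffs, x))
    return [(x, bytes(buf)) for x, buf in out]


def recover_secret(shares):
    """Lagrange-interpolate every byte at x = 0 from (x, share_bytes) tuples."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    length = len(shares[0][1])
    secret = bytearray()
    for i in range(length):
        value = 0
        for j, (xj, yj) in enumerate(shares):
            num, den = 1, 1
            for k, (xk, _) in enumerate(shares):
                if k != j:
                    num = _gf_mul(num, xk)         # product of (0 - x_k) = x_k in char 2
                    den = _gf_mul(den, xk ^ xj)    # product of (x_j - x_k)
            value ^= _gf_mul(yj[i], _gf_mul(num, _gf_inv(den)))
        secret.append(value)
    return bytes(secret)


if __name__ == "__main__":
    parts = split_secret(b"demo passphrase", 2, 3)   # constructed sample
    print(recover_secret(parts[:2]) == b"demo passphrase")
```

Each share on its own is a uniformly random byte string, so a single metal plate with one share tells a burglar nothing; the attacker needs `threshold` plates, which is the property the post is after.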

>> No.25318757

>>25316351
"her"

>> No.25318815

>>25318102
ty

>> No.25318865
File: 1.63 MB, 854x480, sniff sniff sniff.webm

>>25316345
imagine the smell

>> No.25318872

>>25316843
That would be crazy hahaha imagine you catch that sliced turd and put in on a sandwich to eat with gusto hahahaha

>> No.25318954

>>25318718
Ok dude go ahead and buy a hardware wallet and put 100k on it I don't actually care.

>> No.25318964

>>25316669
Sauce ?

>> No.25319006

Weak ass thot posting. Garbage tier

>> No.25319025

Is there an absolutely sure-shot way to tell if a trezor hasn't been tampered with?

>> No.25319062

>>25316669
>>25316345
>>25317501
Why are U.S. white women like this?

>> No.25319083
File: 43 KB, 243x598, 1591419233278.jpg

>>25318331
>>25318718

Ken Thompson pointed out in a 1984 lecture that it would be trivial to add malicious code to a program via its compiler, even while having all its code (and even its compiler's code) available, audited, and without a hint of maliciousness.

Interesting read if you're a nerd like me: https://www.win.tue.nl/~aeb/linux/hh/thompson/trust.html

>> No.25319131

>>25318719
But how does this work? The 12 words are my seed words and I need a password on top of that? To decrypt the 12 words or what? Like, I'm literally a software engineer but confused about the setup since I've only used 12 words so far.

>> No.25319207
File: 616 KB, 720x720, 134394227_1644772659027827_3424406571559930139_n.png

>>25319025
I'd like to know this too. You must buy it from Trezor, based in based Czech Republic. How would you know that a worker didn't tamper with the device during manufacture? I don't know.

>>25319083
If this is the case then how is there even a market for hardware wallets? Why do exchanges as well as so many reputable crypto personalities use them and recommend them? If an employee could sneak a bit of code in like an HIV virus then what's the use of it all?

>> No.25319238

>>25319006
Next time I'll post food

>>25319062
Decline of Christianity, rise of social media

>> No.25319405

>>25319207
>If this is the case then how is there even a market for hardware wallets?
there's a sucker born every minute, anon
>Why do exchanges as well as so many reputable crypto personalities use them and recommend them?
cuz they're suckers who fell for the hw wallet marketing or perhaps they are simply paid shills
>If an employee could sneak a bit of code in like a HIV virus then what's the use of it all?
siphon money off suckers

>> No.25319418

>>25316345
why has no one mentioned paper wallet?

>> No.25319432

>>25319131
No, the 13th word doesn't encrypt the 12 words. It is appended and the whole string is then hashed. And from that hash the keys are derived.
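Added example, not from the anons in >>25318102 or >>25319432: the derivation step they describe, in Python, exactly as BIP39 specifies it. The words (NFKD-normalised, single-spaced) are the PBKDF2-HMAC-SHA512 password, the salt is the string "mnemonic" followed by the passphrase, 2048 rounds, 64-byte output. The passphrase is salt, not a key that decrypts anything: every value, including the empty string, yields a valid-looking wallet, which is why a typo in it shows you an empty wallet rather than an error. DEMO_MNEMONIC is the published all-zero-entropy test vector and must never hold funds; hamming_distance() is a demo helper to show that a one-character passphrase flips about half of the 512 output bits.

```python
import hashlib
import unicodedata


def bip39_seed(mnemonic, passphrase=""):
    """BIP39 mnemonic (+ optional passphrase) -> 64-byte seed.

    Both inputs are NFKD-normalised; the mnemonic becomes the PBKDF2 password
    and "mnemonic" + passphrase becomes the salt. 2048 rounds of HMAC-SHA512.
    Word validity against the wordlist and the checksum are NOT checked here.
    """
    words = unicodedata.normalize("NFKD", " ".join(mnemonic.split()))
    salt = "mnemonic" + unicodedata.normalize("NFKD", passphrase)
    return hashlib.pbkdf2_hmac(
        "sha512", words.encode("utf-8"), salt.encode("utf-8"), 2048, dklen=64
    )


def hamming_distance(a, b):
    """Number of differing bits between two equal-length byte strings (demo helper)."""
    if len(a) != len(b):
        raise ValueError("lengths differ")
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


# Published BIP39 test vector (all-zero entropy). Constructed for the demo; never use it.
DEMO_MNEMONIC = " ".join(["abandon"] * 11 + ["about"])


if __name__ == "__main__":
    base = bip39_seed(DEMO_MNEMONIC)
    with_a = bip39_seed(DEMO_MNEMONIC, "a")
    print(base.hex()[:16], with_a.hex()[:16], hamming_distance(base, with_a), "bits differ")
```

The same 24 words with passphrase "TREZOR" give the seed starting c55257c360c07c72 from the BIP39 reference vectors, which is a quick way to check any implementation you are about to trust; the case-sensitivity line in the test is the "wrong passphrase, empty wallet" failure mode.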

>> No.25319453

>>25319207
It's the same chance of someone fucking with metamask or desktop wallets' code, but with hw wallets you get to make transactions without connecting your key to a computer (your private key never leaves Trezor, only the signed transactions).

>> No.25319470

>>25319131
You can just read
https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki
if you want to know how it works exactly. Not much to it, really.

>> No.25319548

>>25319418
One person mentioned it here and multiple in his previous thread but OP is just waiting until there's a bunch of replies confirming his preconceived ideas and then he's gonna ignore all the other advice and do what he's already decided to do anyway

>> No.25319604

>>25319207
>If this is the case then how is there even a market for hardware wallets?

It provides the illusion of security, and people don't really understand how computers work.

>> No.25319646

>>25319405
Nigger, the day that Trezor or Ledger customers have their funds stolen by a company entity is the day I quit crypto forever and open a degiro account

>>25319418
>>25319548
I know paper wallets exist but how do I trade shitcoins with a paper wallet?

>> No.25319710

>>25317931
you will never be a woman

>> No.25319810

>>25316351
>>25316484
literally who

>> No.25319864

>>25319810
reverse search and you'll get "Eliza Eves" (not her real name)
she's an American tourist I banged almost two years ago. she does porn now.

>> No.25320035

>>25317501
Is everything alright with the gentleman in that webm? He doesn't look like he's doing well.

>> No.25320188

>>25316345
If people know you have BTC you risk torture. Have a small amount, say 1.4 BTC, in a separate store so you can give it up, keeping the rest safe. The human condition is the weak link.

>> No.25320208

>>25318274
>>25318331
So just run it all on a Raspberry Pi. The Trezor firmware is open-source, you can compile it yourself to run on a Pi, and you can build your very own hardware wallet out of it.

Or just use dice rolls to generate your own keys and save them in a textfile, then encrypt that.

>>25318517
>for defi stuff?
>>25319646
>trade shitcoins
>>25319646
Just throw your Bitcoin paper wallet in a giant fire. That way you don't have to go through the anguish of wondering how you got scammed out of all your money.

>> No.25320248

>>25320208
I wouldn't trust the prng on a rpi desu

>> No.25320274

>>25320188
they can eat a bullet

>> No.25320314

>>25319646
you dont trade shitcoins from your paper wallet vault you absolute retard

>> No.25320482

>>25320314
So paper wallets can't store shitcoins?

>> No.25320517

>>25320482
You nigger, just transfer some eth to your Metamask account and trade using that, dont use paper wallet as a daily trading thing.

>> No.25320662
File: 409 KB, 1536x2010, 1587130327081.jpg

>>25320517
I see. So the paper wallet will store my big sums of BTC and ETH, and I'll put some shitcoin pocket money on MetaMask and it'll be exposed to keyloggers and hackers still but at least I won't lose my entire net worth?

If it's so simple, and paper wallets are so much safer, then why doesn't everybody just do it this way? Every time I make these threads I have more questions than I originally had, but it's a good thing.

>> No.25320853
File: 205 KB, 1080x1145, 1602283314597.jpg

>>25316345

>> No.25320937

>>25320853
>oversized
thanks for the bump gook

>> No.25321049

>>25317501
I need a name

>> No.25321145
File: 1.35 MB, 2730x4096, 1607312463909.jpg

>>25320662
I am an infosec consultant and have some experience in high security embedded systems.
Despite the recent high-profile fuckup I would still choose a Ledger Nano X over a Trezor in regards to the amount of protection that it offers from physical attacks, even though it's not open source/open hardware.
It uses a dual architecture to isolate trusted and untrusted domains: a general purpose MCU and a highly secure (EAL4+ certified iirc) secure enclave to handle the crypto material and operations (key generation, signing etc).
Things like being hardened to side-channel attacks like power analysis, glitching, timing/power attacks etc are very advanced attack vectors that require a nation state or a highly skilled adversary anyway, but still.

>> No.25321240
File: 1.07 MB, 1125x1390, 1565762663081.jpg

>>25320937
also consider the Passport from Foundation Devices (airgapped, BTC only) and
what I consider to be the most resilient and hardened (although stationary and not portable) hw wallet of them all, the Lattice by grid+

>> No.25321284 [DELETED] 

>>25317501
Source

>> No.25321293

>>25316669
Why is her face so shiny?

>> No.25321415

>>25321145
Thanks for the response
Does the leak not make you skeptical of Ledger's security? Even if their nation-state level security would be true, it's a bit redundant no?

>> No.25321628

>>25321415
no because they are two very distinct areas of expertise. Shipping a secure and audited embedded system using off-the-shelf components is hard and has nothing to do with being able to properly secure your web properties and e-commerce. We don't even know if it was outsourced or what. I mean, seeing the industry they operate in, it's still reckless and incredibly stupid to get owned like that, but eh, shit happens.
Do not trust the absolute brainlets in this bread saying you're better off making your own hw wallet or going with trezor, they don't know shit.

>> No.25321704

>>25318546
Exactly. But it paid off, I invested a slightly smaller amount. But I'm still making gains

>> No.25321811

>>25316345
also the setup you describe is already very safe imho. The only obvious step further you could take (but I freely admit this is reaching high levels of tinfoil hat tier paranoia) would be to use a multisig, well audited wallet and have the controlling keys split between both Ledgers and Trezors. As long as the multisig is well done with a low attack surface you negate the risk of getting owned if one of the devices is compromised, because of the M of N key scheme
/thread

>> No.25321831

>>25321628
Have you looked at the ngrave zero? It's out next year I was thinking of upgrading to that maybe. Its totally offline and just has a camera to scan qr codes and a screen to give qr codes. Looks pretty cool

>> No.25321886

to all brainlets in here
GET A FUCKING HARDWARE WALLET
it does not matter ledger and trezor both are fine and if you don't trust the source of the device just generate your own seed in a secure way

if you store your crypto on a live machine you will get hacked eventually
if you try shenanigans with airgapped offline ubuntu systems and do not know exactly what you are doing you will fuck up and lose your crypto

>> No.25321904

>>25316345
You're secure. It takes specialized knowledge to crack a Trezor. Physical security or bragging about it would be your only security weakness

>> No.25321955

>>25317666
>>25317872
>>25321049

Ashley Matheson or

peepeepoopoogangnamstyle

>> No.25321956

>>25321831
yes I did, very vague info and it seems like vaporware for now. Lofty claims, and it has not withstood the test of time of being investigated by pentesters and the infosec community at large. My nose says it's a scam or they're misrepresenting its capabilities and their expertise in the industry, but I'd love to be proven wrong as more competition is always good.

>> No.25322031

>>25321704
Nigger you could put $250K on bitcoin/eth in coinbase or binance and you would have $700k
Stocks are cool and all but I'm tryna get a bugatti my nig

>>25321628
I see, thank you. Yeah I read some anons on here defending Ledger saying that these sort of leaks are commonplace (?) and when they happen it helps improve vulnerabilities.
Also your multisig idea is great but a 2-of-2 is unsafe (one is compromised and gg) and a 2-of-3 needs a third signature, what would you use for the third sig?
Of course the multisig is pretty tinfoil tier, a hassle and expensive, and I suppose a single sig with a Ledger would be adequate

>> No.25322116

>>25321831
Looks cool but apparently it's manufactured in China so that alone for me is a NOPE
Also new companies take a while to establish their reputation as safe and reliable so I wouldn't want to be a guinea pig. Perhaps in a few years Ledger or Trezor will switch to the QR method.

>> No.25322130
File: 817 KB, 546x546, 1580960427832.png

>>25316345
>>MetaMask
Keylogger, man-in-the-middle, shoulder surfing, trojan insertion, unknown zero-day, to obtain password

>Accessed by hardware wallet (Trezor/Ledger)
location vulnerability, armed robbery, confiscation, brute forcing, LOSS or damage

>Hardware wallet stored in a secret compartment
Metal detection, forensic investigation techniques, interrogation. By multiplying the locations a key is stored, you multiply risk vectors. Discovery risk. Confiscation risk.

>Seed phrases engraved on metal, memorized, stored in different secret compartments
Metal is a solid only at standard pressures and temperatures. It turns to liquid or vapor at high temperatures, for instance in a structure fire. Depending on the composition, it is liable to chemical attack, oxidation, etc. By separating into several components, you've increased the risk pool.

Memory is only a semi-reliable mechanism for data storage. It is stored in a perishable container. It is reliant on chemical and electrical properties. It is stored in a superstructure which is a mass of grey-white goo, floating in a fluid compartment encased in a thin calcium and carbon based shell. It frequently travels at velocities of an automobile. Deceleration of 1G can induce hematoma, internal bleeding and loss of control structures. In the absence of oxygen for approximately 5 minutes, individual components become irreversibly damaged. There are known flaws in the structure and integrity of the brain, but also unknown flaws. Many processes can progress to make individual data retrieval difficult or impossible. Some weaknesses cannot be determined without autopsy (spontaneous aneurysm).

>> No.25322186
File: 42 KB, 720x702, 1608677594187.jpg

>>25316408
yea-eaaah, you go girl.


>>25316345
i have the L. this gud?

>> No.25322205
File: 478 KB, 2049x1356, 1597278992575.jpg

>>25322130
Based
so I'll just store on binance
thank you everybody

>> No.25322246
File: 83 KB, 227x247, comfyxrphell.png

>>25322130
>>25322205


mhh yea we fukkd.
>HOTSTORAGE IT IS

>> No.25322274
File: 80 KB, 513x720, 134060292_225936622373122_5319385562786784089_n.jpg

>>25321956
>>25321886
What do you make of the arguments made that the firmware on hardware wallets could be compromised by a rogue entity and it would be undetected by an audit?
As spoken about here >>25318331, >>25319083

>> No.25322456
File: 29 KB, 450x300, fizkes180900226.jpg

Heres my scheme

> hardware wallet
Off brand, bought with crypto (Not trezor/ledger)

Approximate:
>1/3 of stack in my own keys
>1/3 in exchange custody cold storage
>1/3 securitized
>other amounts stored in other blockchains (wrapped)

By far the biggest problem is the keys >I< control. A hardware wallet is hackable, discoverable, subject to loss and destruction, and the risk is multiplied because you usually have the password or the keys or the seed separate. So for that, the risk is mitigated by having it in a fireproof box in a secret location which is a facility guarded by surveillance & thick walls: a bank vault, safety deposit box.

Thats still not enough. You need a chain of custody that ties those funds to your will. For that you need to partner with an attorney that can hold separate, sealed credentials in the event of your death to access and disburse those funds according to your wishes.

And finally you keep your mouth shut. You shouldn't talk about your personal finances with anyone anyway, because it is a social faux pas, and mentioning bitcoin is prima facie discussing your personal finances with people. People who are financial advisors, or promoters, or retailers have special risks which, by talking about your own assets, you are taking on for yourself for absolutely no upside for yourself.

>> No.25322493

>>25322274
So what could a modified firmware do?

a) Rigged seed generation algorithm. Generate your own seed, and you are safe
b) Show bogus data on the display and instead sign wrong transactions. You'd know after the first transaction. Just test your device with a small sum first.

I can't think of anything else. Sure, someone could modify not only the firmware but the whole device to expose your seed via an integrated 5G modem to a hacker. I don't know; Ledger has some utility to verify your hardware to make sure it's genuine, otherwise you'd be pretty fucked. Just buy a genuine device from the manufacturer.

>> No.25322973

>>25322456
Thanks for your response.
Why don't you use a ledger or trezor?
What would be the use of a hardware wallet kept in a safety deposit box? It would be good for simple storage but not for trading coins I guess. Unless you mean keeping the seeds in the bank vault, which would be a near perfect solution.

>And finally you keep your mouth shut
True. Too late for myself as there's at least six-seven friends who know that I'm into crypto because I was a bit euphoric about my gains and wanted a "crypto buddy". Chances of anything happening to me are remote but not zero.

>> No.25323192

>>25322493
the b) option except it could happen at a pre-determined time so it would be unexpected?

>> No.25323306

>>25321955
>peepeepoopoogangnamstyle
based?

>> No.25323621

>>25323192
imaginable, you'd have to also tamper with the node/wallet software to make sure it broadcasts the unexpected tx though

>> No.25324319

>>25322456
>>25322973
bleez resbond sir,,,,,, im ready to end this thread

>> No.25324386

>>25322973
>Why don't you use a ledger or trezor?
Just turned out that way. The most popular options are going to be the ones most studied as a target of hacks if you think about it. At the time I purchased I had a couple conditions: I wanted to pay crypto, and I wanted the transaction to remain in my country.

>What would be the use of a hardware wallet kept in a safety deposit box?
If I wanted to trade, I have an exchange account. The safety deposit box is a secure location.

>Unless you mean keeping the seeds in the bank vault, which would be a near perfect solution.
Perfection is impossible, but you can get closer. Bank vaults are time-tested.

Other risks:
Political - nationalization of banks, asset seizures
Geological/atmospheric - Earthquakes, fires, floods, EMP

EMP- Electromagnetic pulse from military or a high energy ion ejection event from the Sun, so keeping hardware in an effective faraday cage is advisable. This is achievable with a couple layers of aluminium foil with felt in between. The other physical risk is cosmic rays. I'm not sure if the same techniques block those.

The ultimate long term solution for seed storage might be pottery. They are still digging that shit up after 50,000 years. For that you can make an impression of your seed into the soft clay and fire it to 4000 degrees. The resulting mineral crystal is harder than concentrated metal to disintegration and chemical weathering.

>> No.25324401

>>25317501
Literally Tik tok Queen of /biz/
When porn
Thx

>> No.25324750

>>25324386
So you trade on an exchange, which is of course exposing you to malware? It's just a risk you accept?

>> No.25324888

>>25316345
HOLY FUCK.

GIVE ME THE SOURCE

>> No.25324932

>>25324750
How am I exposed to malware trading on an exchange? I'm exposed to malware using a computer. Thats another set of risks anyone using a computer should be aware of

>> No.25325007

>>25324932
That's what I meant. Do you have any general precautions when using a computer to prevent malware infections? It's something I never really considered because I never pirate or download things.

>> No.25325593

>>25325007
If you don't download things, you don't execute code, you should be okay- but you can never assume you are 100% safe. Trading itself involves lots of inputs, moving stuff around, and so forth, which makes it far less secure than not doing any of that stuff (hodling).

The device is a major security problem for a lot of reasons. For those reasons the device should be encrypted. SAFU Exchanges keep cold storage wallets on air-gapped PCs. They have an internal chain of custody, with someone monitoring things.

The more diversification you can apply the harder it is for a hacker to have "all the pieces" to effectively steal something. For example, having your 2FA on the same device. Or using the authenticating device for other purposes (downloading things). Or all your btc in one wallet or address. All of these are variations of concentration risk.

Make the trail hard to follow. Make the pieces hard to put together. Combine these things and criminals will spend their time going after far easier targets, where these things are easier to access.

>> No.25325785

>>25316345
>memorized

This could be your undoing. What if you get really drunk one day and start boasting about being able to remember 24 seed words?

You're engraving them on metal and storing them (hopefully) in different locations (i.e. off-site) so why also memorise? I wouldn't want to know mine.