Technically, Coinbase is correct! Not your keys, not your coins!

[zaybxc]

Well store has a Identification number for the specific ledger, Ledger has a identification reference for the ledger, and ledger live pulls in data from the end users device including the identification reference.

Yes, but it doesn't mean they know your personal info; you might also have asked a friend to buy the device. It's long time I don't use ledger live, using the device through metamask.
Trezor stores your info in anonymized form after 3 months from the purchase and delete it when the warranty expires.

 

[0xDEADBEEF]

Neither GrapheneOS nor CalyxOS can be considered nor are secure - not just because they have integrated Google application ecosystem, which is entirely different topic.

Could you elaborate on this?

 

[mraleph]

Could you elaborate on this?

GrapheneOS and its predecessor CopperheadOS are AOSP derivatives.

CalyxOS is a fork of LineageOS.

Our further comments are impartial even though we have a business involved with tailor made closed source secure O/S and application ecosystem development.

We are not going to discuss security of AOSP and it's derivatives vs iOS vs Ubuntu touch and similar.

Security is a result of preferences - a choices and decisions. Regarding O/S development, we must differ original contributions vs simple changes of present code and rebranding those.

GrapheneOS advertizes certain features as comparative advantages

https://grapheneos.org/features
We'll offer an analysis for a glimpse.

The password maximum lenght is an arbitrary value in AOSP source code with default

MAX_PASSWORD_LENGTH = 16

The number 16 can be changed to any other value, up to the maximum value for a 32-bit signed integer which is 2.147.483.647.

The default number of user profiles is 4 in AOSP, where GrapheneOS simply changes that arbitrary value in "default.xml" and "config.xml" in source code with 32.

The encryption is an AOSP default, FBE (file based encryption) with identical cryptographic primitives.

Regarding sandboxing, there is no difference between AOSP, LineageOS or other derivates compared to GrapheneOS. By installing Google application ecosystem on GrapheneOS in advertized sandboxed manner, the end user defeats the purpose of his original intent to use supposedly O/S that offers security and privacy.

By changing Google's services and servers for location, the end user simply switches one dependancy for another.

As we test every competitor's product on forensic platforms both our in-house and commercial ones such as Cellebrite, we know from which vendors and commercial or open source O/S platforms is possible to perform (forensic) data acquisition.

Quite unfortunately, it is possible to compromise GrapheneOS, CalyxOS and LineageOS platform with spyware and perform separate data extraction. We assume that specific set of both vendor and user preferences downgrades effective security.

We'll offer selected resources regarding security, privacy and anonymity in time to come.

 

[0xDEADBEEF]

GrapheneOS and its predecessor CopperheadOS are AOSP derivatives.

CalyxOS is a fork of LineageOS.

Our further comments are impartial even though we have a business involved with tailor made closed source secure O/S and application ecosystem development.

We are not going to discuss security of AOSP and it's derivatives vs iOS vs Ubuntu touch and similar.

Security is a result of preferences - a choices and decisions. Regarding O/S development, we must differ original contributions vs simple changes of present code and rebranding those.

GrapheneOS advertizes certain features as comparative advantages

https://grapheneos.org/features
We'll offer an analysis for a glimpse.

The password maximum lenght is an arbitrary value in AOSP source code with default

MAX_PASSWORD_LENGTH = 16

The number 16 can be changed to any other value, up to the maximum value for a 32-bit signed integer which is 2.147.483.647.

The default number of user profiles is 4 in AOSP, where GrapheneOS simply changes that arbitrary value in "default.xml" and "config.xml" in source code with 32.

The encryption is an AOSP default, FBE (file based encryption) with identical cryptographic primitives.

Regarding sandboxing, there is no difference between AOSP, LineageOS or other derivates compared to GrapheneOS. By installing Google application ecosystem on GrapheneOS in advertized sandboxed manner, the end user defeats the purpose of his original intent to use supposedly O/S that offers security and privacy.

By changing Google's services and servers for location, the end user simply switches one dependancy for another.

As we test every competitor's product on forensic platforms both our in-house and commercial ones such as Cellebrite, we know from which vendors and commercial or open source O/S platforms is possible to perform (forensic) data acquisition.

Quite unfortunately, it is possible to compromise GrapheneOS, CalyxOS and LineageOS platform with spyware and perform separate data extraction. We assume that specific set of both vendor and user preferences downgrades effective security.

We'll offer selected resources regarding security, privacy and anonymity in time to come.

Interesting take. Is there any information you can share now about how your solution differs in terms of hardware and software?

 

[mraleph]

Interesting take. Is there any information you can share now about how your solution differs in terms of hardware and software?

If we maintain the presence on the OCT, we'll provide appropriate channel for information and offer a discount and free-of-charge use for certain class of members. We believe that there is a genuine need for usable but safe solutions that are in line with current and anticipated regulatory density. Those solution became costly, but we can't go against the tides and winds in the ocean.

 

[diatessaron]

Someone has already advised not to use your name and address when buying Ledger/Trezor...
Who is going to guarantee you that there won't be data leaks from crypto friendly banks/EMIs and nobody will know your wallet's address and see the balance in it?
Or that maybe your accountant "sells" your crypto-company's wallet address?
Are you sure your name won't show up on a deanonymizing tools like Arkham intelligence?

Blockchain is still missing privacy, there will be solutions for that, but for the moment every wealthy crypto guy might be at risk of being kidnapped.

How old is the bank you're using and when was the last time there was a leak? Your hypothetical scenarios are just that, hypothetical. Can you be less paranoid please? If the accountant you're dealing with needs to sell your information then try hiring someone who doesn't sell themselves through Craigs List (?). And yes, I am sure my name does not show up on any tool, including those of Arkham Intelligence, there's a limit to how intelligent intelligence can be.

 

[zaybxc]

How old is the bank you're using and when was the last time there was a leak? Your hypothetical scenarios are just that, hypothetical. Can you be less paranoid please? If the accountant you're dealing with needs to sell your information then try hiring someone who doesn't sell themselves through Craigs List (?). And yes, I am sure my name does not show up on any tool, including those of Arkham Intelligence, there's a limit to how intelligent intelligence can be.

There's nothing paranoid in checking points of failure... a crypto holder is actually sleeping with his money under the mattress.

 

[incognitbro]

Who is going to guarantee you that nobody will know your wallet's address and see the balance in it?
Or that maybe your accountant "sells" your crypto-company's wallet address?
Are you sure your name won't show up on a deanonymizing tools like Arkham intelligence?

This is just you exposing that you don't understand crypto, theres no "accountant" lurking in your self hosted wallet.
You can easily bypass arkham/chanalysis by converting to monero on a DEX before exchanging to a new wallet, so on and so forth.

 

[zaybxc]

theres no "accountant" lurking in your self hosted wallet

Sleep with one eye opened if you are sure that someone knows your millionaire self hosted wallet's address and where you live (maybe the accountant is a good guy, but what about the random IT consultants who maintain his databases containing your info? Just to make an example).
https://www.bbc.com/news/articles/cw5w5zyg979o

You can easily bypass arkham/chanalysis by converting to monero on a DEX before exchanging to a new wallet, so on and so forth.

And how are you going to explain to the crypto-bank about the first deposit on your newly created wallet when you need to cash out?
I see Monero as a source of troubles.

Not interested in anonymity but privacy: two different concepts.
The average Joe knows I have a bank account but he can't see what's in it; but Joe can see what's in my crypto-wallet once he knows the address.

 

[incognitbro]

Sleep with one eye opened if you are sure that someone knows your millionaire self hosted wallet's address and where you live (maybe the accountant is a good guy, but what about the random IT consultants who maintain his databases containing your info? Just to make an example).
https://www.bbc.com/news/articles/cw5w5zyg979o

And how are you going to explain to the crypto-bank about the first deposit on your newly created wallet when you need to cash out?
I see Monero as a source of troubles.

Not interested in anonymity but privacy: two different concepts.
The average Joe knows I have a bank account but he can't see what's in it; but Joe can see what's in my crypto-wallet once he knows the address.

I do not get your made up scenario, is it that your own accountant would go behind your back and sell your info? Because thats the only guy that would realistically have that info, the wallet providers themselves do not and your keys are generated locally. Then I don't see what your concern is and its not really a problem with crypto itself, he could just as well leak your other investments.

If you save your prior wallets you will have a clear trail to show as SOF, you can always provide your viewkey to show that you just did those self transfers. That way you achieve what I think your definition of privacy is, a setup where the only one to really know the full story is the government.

 

[JohnLocke]

The thread started with an illustration of what has been said many times here. Not your keys, not your coins! And that's indeed true as long as you rely on a wallet provider like Coinbase, Kraken, etc. They can freeze your wallet in a matter of seconds if they feel like it or are asked to do so.

 

[jafo]

The thread started with an illustration of what has been said many times here. Not your keys, not your coins! And that's indeed true as long as you rely on a wallet provider like Coinbase, Kraken, etc. They can freeze your wallet in a matter of seconds if they feel like it or are asked to do so.

Exactly! 100% this!

PS. All of a sudden, we're getting newly formed users who are acting like Agent Provocateurs

Based on my past personal experience being the IT guy for almost two decades with "the real criminals who wear badges," this is EXACTLY their Modus Operandi! Be careful who you interact with! If they tell you to STOP being paranoid and drop your guard, they want you to get knocked out, lose the fight, and lose your purse! (Boxing euphemism)

Caveat Emptor!

 

[incognitbro]

Exactly! 100% this!

PS. All of a sudden, we're getting newly formed users who are acting like Agent Provocateurs

Based on my past personal experience being the IT guy for almost two decades with "the real criminals who wear badges," this is EXACTLY their Modus Operandi! Be careful who you interact with! If they tell you to STOP being paranoid and drop your guard, they want you to get knocked out, lose the fight, and lose your purse! (Boxing euphemism)

Caveat Emptor!

What did I say that can be interpreted as entrapment? Nothing I've said is illegal to do

 

[zaybxc]

I do not get your made up scenario, is it that your own accountant would go behind your back and sell your info? Because thats the only guy that would realistically have that info

I don't mean accountants are bad guys, but they might have weak IT security policies and no knowledge at all of crypto and blockchain: that might be a problem, because the client manages the crypto himself.

Then I don't see what your concern is and its not really a problem with crypto itself, he could just as well leak your other investments.

No, nobody is going to break into your house in the middle of the night if, for example, they know you have 1 million on your bank account, because the bank doesn't permit you to move all of your money at will.
On the contrary, the blockchain is permissionless: you have the keys, don't ask for permission to anybody and have no limits on the crypto you want to move.

If you save your prior wallets you will have a clear trail to show as SOF, you can always provide your viewkey to show that you just did those self transfers. That way you achieve what I think your definition of privacy is, a setup where the only one to really know the full story is the government.

Ok, I see.

 

[jafo]

I am convinced everybody should peruse Jameson Lopp's security wisdom:

Known Physical Bitcoin Attacks. A list of known attacks against Bitcoin / crypto asset owning entities that occurred in *meatspace*. NOTE: this list is not comprehensive; many attacks are not publicly reported.

 

[incognitbro]

I don't mean accountants are bad guys, but they might have weak IT security policies and no knowledge at all of crypto and blockchain: that might be a problem, because the client manages the crypto himself.


No, nobody is going to break into your house in the middle of the night if, for example, they know you have 1 million on your bank account, because the bank doesn't permit you to move all of your money at will.
On the contrary, the blockchain is permissionless: you have the keys, don't ask for permission to anybody and have no limits on the crypto you want to move.


Ok, I see.

I'm not denying that accountants, bank managers, people working at the tax office can go rogue or get compromised, I just don't agree that its cryptos fault.

Rich people have gotten extorted/kidnapped since before blockchains were a thing, but criminals being able to see what you got in realtime is of course a downside hence why I recommend obfuscation.

 

[zaybxc]

I'm not denying that accountants, bank managers, people working at the tax office can go rogue or get compromised, I just don't agree that its cryptos fault.

Rich people have gotten extorted/kidnapped since before blockchains were a thing, but criminals being able to see what you got in realtime is of course a downside hence why I recommend obfuscation.

I get your point, but with crypto it's actually like keeping your money under the mattress and accountants, bankers etc. know it...
Give a look to the link @jafo provided in his last post

 

[incognitbro]

I get your point, but with crypto it's actually like keeping your money under the mattress and accountants, bankers etc. know it...
Give a look to the link @jafo provided in his last post

And I get your theory now somewhat too, but I'm certain that most if not all told the wrong people that they're rich (hell some even do it on social media) or had a public crypto company and so on, atleast thats what I've seen. I guess you can file your own taxes or become a resident somewhere with no CGT to avoid the scenario you're thinking of but I wouldn't worry about it too much.

 

[diatessaron]

https://twitter.com/x/status/1789016046608740531

 

[JohnLocke]

I am convinced everybody should peruse Jameson Lopp's security wisdom:

Known Physical Bitcoin Attacks. A list of known attacks against Bitcoin / crypto asset owning entities that occurred in *meatspace*. NOTE: this list is not comprehensive; many attacks are not publicly reported.

Really good reading and people should have a look at it.