Board: Hardware wallets
Re: Tangem collecting user seedphrases?
by DaveF on 14/04/2025, 03:14:00 UTC
Merits: 1 from 1 user (merited by satscraper)

I missed this thread initially, saw it got necrobumped (sort of) for some reason and also saw your previous post about open-source software still being vulnerable to being exploited despite the fact that the code is out there for all to review.
 
Can you just clarify something here?  Are you arguing that open-source software isn't better than closed-source because oversights have been made?  That runs contrary to everything I've ever read here and also to my own *tech-ignorant* opinion, and I guess I'd ask if you agree or disagree that, all things being equal, it would be better to use a HW wallet or its software that has open-source code than to use a competing alternative that has closed-source code.  Even if you don't know that the open-source code has been extensively reviewed (or reviewed at all), I just can't see how any HW wallet that doesn't divulge its code is any better in light of the argument you made.

I ask this question respectfully.

Also, I have a Tangem wallet around here somewhere that I bought as a collectible thingy.  Never used it, never wanted to, and whatever their state is now there's no way in hell I'm ever going to.


No, what I am saying is that people have the mentality of open source being "more secure" and closed source being "less secure".
But, as has been shown, both have glaring, gaping holes in them at times.

Open source means others can see what is going on.
That's all. And let me point out that code with tens of thousands of eyes on it FOR DECADES can have GAPING SECURITY HOLES FOR DECADES:

https://en.wikipedia.org/wiki/Shellshock_(software_bug)

September 1989 to September 2014

So, yes, in terms of wallets open source is PROBABLY better.
But, as I pointed out in another thread:


...I can open source a wallet that automatically sends everything from everyone's wallet into mine once a year.  Could even put comments in the code as to what it does. People are going to still install / use it if I promote it enough because too many people don't read the code.

And that's the problem.

You can put out an open source hardware wallet with bad code that links to a software wallet with bad code, and people will still buy and use it, because open source is "better".

But, if you make a closed source one that is 100% secure, people automatically think it's bad.

It's not black and white, it's one big mess of grey. And people have to get used to living in the grey.

Because if bash, a piece of software that was on just about all *nix systems forever, had a vulnerability that was there for 25 years, how well do you think any piece of crypto wallet software, run by a much smaller segment of the population, is going to be reviewed for vulnerabilities?

-Dave
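The Shellshock bug that the post above points to is a good illustration of why "the code is public" is not the same as "the code has been reviewed": the public probe for the original bug, CVE-2014-6271, is a one-liner that anyone could have run against their own bash for 25 years. The script below is an added example, not part of DaveF's post or of any wallet project. It wraps that well-known probe in a function and classifies the result; it assumes `bash` is on `PATH` (override with `BASH_BIN`), and the marker string `shellshock_marker` is a constructed value chosen for this example.

```shell
#!/bin/sh
# Added example: probe a bash binary for the original Shellshock bug (CVE-2014-6271).
# A vulnerable bash, when importing an environment variable whose value begins with
# "() {", parses the function body and then keeps executing whatever follows the
# closing brace. A patched bash ignores the trailing command (and warns on stderr).

BASH_BIN="${BASH_BIN:-bash}"   # assumption: bash is on PATH; set BASH_BIN=/path/to/bash to test another build

# classify_probe_output: given the stdout captured from the probe, report
# "vulnerable" if the injected marker was executed and "patched" otherwise.
classify_probe_output() {
    case "$1" in
        *shellshock_marker*) echo "vulnerable" ;;
        *)                   echo "patched" ;;
    esac
}

# run_shellshock_probe: run the public CVE-2014-6271 test string against $BASH_BIN.
# Prints "vulnerable", "patched", or "no-bash" if the binary cannot be found.
run_shellshock_probe() {
    command -v "$BASH_BIN" >/dev/null 2>&1 || { echo "no-bash"; return 0; }
    # The variable name is irrelevant; only the value matters. "echo probe_done" is
    # the legitimate command, "echo shellshock_marker" is the smuggled one.
    out=$(env x='() { :;}; echo shellshock_marker' "$BASH_BIN" -c 'echo probe_done' 2>/dev/null)
    classify_probe_output "$out"
}

run_shellshock_probe
```

A modern bash prints `patched`; only a 2014-era or older build prints `vulnerable`. The point of the probe being this short is the post's point: a trivially testable flaw sat in the most widely installed shell on Unix systems for decades, so the number of eyes on a codebase says little about how many of them were actually looking.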