What security? Securing PHP against SQL injection and include? Do you know about various buffer overflows and how to exploit them? Do you know about how are ROP chains used to defeat DEP and partial ASLR?
We are talking about third party hardware here, one that has to accept various inputs through a USB. It opens such a vast attack surface you probably can't imagine it.
So lets ask the developers, are they planning to do complete ASLR on their little device? If not no one should trust it at all. Although no one will probably bother exploiting it if it will have a small user base.

It does, I was referring to when you just run a client and then encrypt your wallet in fancy ways. Most of that is useless.



And you think endorse equals use? I doubt those smart people would care to entrust private keys to a new device. Not to mention they are selling it for so much they all probably got a piece of the pie.

But then it's intended for people who know nothing of security. Google "security theater" maybe it will help you realize why you wasted your money.

They changed it to a pin? Shows only 2 buttons in their video.
And it's easy to say those problems were mentioned before, a source would help.

It's called social engineering, if you carefully listen for multiple transactions where the user has to sign each one it would be easy to interject your own and have a large fraction of users fall for it. Likewise if it lets you sign multiple transactions at once on that puny screen you just insert your own.

Why would people want a device like that? Get an old PC, airgap it, store wallet on it. Sign stuff and propagate signed messages from any online PC. Anything else is asking for malware to steal it, no encryption would help you since the computer at some point has to know your private key to sign a transaction - the moment it knows it malware can get it.

And the funny thing is if you are cheap you don't need a second PC even, put an encrypted *nix OS onto a USB with networking disabled, sign transaction, copy onto another usb without any encryption the signed transaction and propagate it from your insecure windows.

The more I think about the concept of this device the more it seems to be intended for idiots. All theater, no actual security.

You claim your device provides security, could you explain how does it provide security comparable to an airgapped computer?
What if malware intercepts wallet sign request and give out a forged request to the device when you legitimately ask it to sign something? The person with the device will have to read the small screen each time to be sure he isn't about to sign away all his bitcoins. How many will do so, especially if the malware is careful and does it only after it detects mass manual transactions when a user is less likely to pay attention for example?

You failed to respond to my earlier post, I wonder why.

It doesn't necessarily relate to only bitcoins but it does partially.


Region: Canada

What can be done in regards to key disclosure? How can you refuse to give the government the decryption key or data and not face contempt charges?

My current approach is to write down an impossible to remember string of numbers with other sparse characters (a-zA-Z!@#$%^&* etc) randomly in between to make bruteforce impossible (big charset) and copying easy. This is not the password, only a salt which means if it's compromised nothing really happens in on by itself.
If I am compromised I have the means to destroy that piece of paper easily and completely making any recovery of that particular drive impossible.

But this precaution is useless if it won't be believed by the judge etc...


Any advice on how to create a legally proof way of not giving decrypted data?

What happens if a miner or miners working on the current block get one transaction and x time later get another transaction which is a double-spend of the first while the block is not yet completed? Do they discard both transactions? Or what?

And what happens if the double spend transaction comes a block later? 2 blocks? 3 blocks? etc...    - I assume in those instances the latter double-spend transaction is simply discarded?


Then what happens if one transaction gets into 1 block by miner A. The double spend transaction gets into 1 block by miner B. If the time difference is not large it's hard to believe either would surrender to the other and both will try to continue their block chain for the time being to try and earn extra 25 BTC.

Just some thoughts I have. The probability of this obviously decreases with every block radically especially because un-involved miners will just go the faster block so the stack is loaded against miner B after just 1 extra block (his chances become nill and he has to go with the herd).

This adds an additional attack surface. And if they make it open source like they claim finding a vulnerability in it might not be difficult, just takes an overflow somewhere.
Hard to implement ASLR well on a device so simple, afaik no one even bothers.

But this would only apply to a compromised system and many tricks are possible with such a system, such as moitoring wallet process memory and getting the private keys or downright making it send all your bitcoins to someone else.

If it comes down to it I'm sure someone will try to make the client give forged requests to the device when you legitimately ask it to sign something and I wonder how many people will read the small screen before hitting the accept button, not many I bet.

This device is security theater. Use an offline old laptop to sign everything. Nothing beats an airgap computer. This device interacts with an online computer directly... really bad theater.

Thank you but I am looking for a C/Cpp implementation, I do not like java dependency and the bot need be able to run without a potential JVM bottleneck. It will be performing a lot of cryptography and many instances may have to be run.

Thank you but I forgot to mention I do not want to rely on any static source(s).

I want to bootstrap into the p2p network and pull the info out of there.

I also don't want to store the whole blockchain in the process but only the last N blocks. Also the possibility of offline time is possible so it should be able to somehow query only the last N blocks even if the last block it has is N+x (x>0) away.

Sorry I wasn't clearer, I was in a bit of a hurry.

My goal is to create a bot that would listen to the bitcoin network for a list of specific transactions associated with specific bitcoin addresses.

To achieve this I figured it would be best to query the network for the latest blocks, verify them and look for the transactions there.

Does anyone know how I could best do this? A high level description would do.

And I assume libbitcoin is the best cpp lib out there?

Bitcoin is used as a go-between currency mostly. Though there are probably a few investors who dabble in playing this market.

Best bet is: (buy bitcoin - use multiple mixers - pay for service) or (receive bitcoin - use multiple mixers - withdraw)

It's pretty good for this purpose because of irreversible transactions.
It does raise a problem though, early adopters have too much wealth if they all start withdrawing cash the boat will instantly sink.

Perhaps someone will decide to do the right thing and recreate bitcoin to be more useful, no early adopter bias and no deflationary model to reward hoarding. That would be far more useful for what bitcoin is currently used for (go-between currency).