It seems like crypto has created a whole lot of people who are now rich but don't know how to be rich. People with normal assets can't transfer ownership of those assets by clicking on a popup link downloaded from the Internet. They have teams of accountants, bankers, brokers, lawyers, who sure, slow things down, take a cut, require that they know who you are and what you're buying, but they also keep you from accidentally giving $68 million to criminals.
And those same financial services companies will end up managing these in the end game for crypto. This is just early adopter syndrome. Risk and reward, freedom and responsibility.
There are already Bitcoin ETFs and other stock-market tradable products in many jurisdictions (not US though). These are very straightforward for casual user, I don't see how it would be any more insecure than buying for example Gold ETF.
Bitcoin (let alone a Bitcoin ETF) doesn't scratch the surface of all of the financial services that can be implemented with Smart Contracts. I agree though that is certainly going to be a piece of the overall landscape. Beyond financial services are things like Smart Trusts.
The people have been always there, it is just that now they have the tools. I personally have no problem, bitcoin should be for adults who can manage their own risks. You can always opt out and not use it. This whole thing has been repeated since the early Bitcoin times ad infinitum and shouldn't be a surprise.
This issue has been fixed in Electrum a long time ago already. However the problem is that no one can prevent people from running older versions.
This kind of problems are to be expected in crypto in the future as well, so always stay cautious.
Once again: Crypto currency is about tearing down the old rules and institutions of banking and finding out one failure at a time why each rule and institution exists.
I understand that often, we think something new will solve all our problems, but it only changes how they look and the old solution ends up being good enough already.
However, isn't it kind of pessimistic to think that there's nothing new to learn from rebuilding existing institutions from the ground up based on new knowledge?
I'm by no mean a crypto apologist. I think it's important to discuss why those new ideas fail and what we can learn from them in the future rather than mock them for trying to reinvent the wheel.
> I understand that often, we think something new will solve all our problems
New things fix some old problems, but also introduce new ones that we hadn't before. The value of solving the old problems is greater than the total cost of the new problems, why we stay with new things even when they add problems to our lives.
However crypto has made lots of people millionaires and that kind of hippie stuff doesn't. It is not like reinventing old institutions, Bitcoin has features that central banking based systems are fundamentally unable to offer (such as limited supply).
On the other hand, there are likely some old rules / institutions that it turns out we don't need anymore. If we're lucky, crypto will end up being garbage collection for financial regulation.
Wow. The desktop application allowed random nodes to trigger popup alerts that could just say anything they wanted. It sounds like that was a super old version? It's a bit unclear which version of Electrum was the last to have that issue.
It's pretty crazy the number of people who bought Bitcoin/crypto at such an early stage (e.g spending >$1000 on something nearly worthless and very obscure) yet are very bad at the security of this. You would think the first step to recovering >$10M plus would involve a Google search or two.
Yeah I'm glad I'm not the only one who finds this a bit shocking, and their initial response doesn't really impress me that much. I don't expect a desktop app to be displaying random unverified messages to me in the same way my email or phone might, and especially so if it's not made that clear where the message is from. It's certainly true that this guy shouldn't have made this mistake anyway, but there are plenty of steps Electrum could do to make it clear whether a message should be trusted or not, and to their credit it does at least sound like they did make changes in this area in later versions. Of course, to clarify I have not actually tried this thing, I'm just basing that on their description of changes they made such as no longer displaying RTF and/or arbitrary messages.
What can they do about old versions? Yes clearly it is an exploit but patching only fixes it in new versions. If someone insists on using an old version with that bug, they are on their own.
I agree with that, I was just objecting a bit to the tone of the original comment. IMO it's a bit of a hard sell to me to say "we're sorry, there's nothing we can do" after listing a bunch of things they did to fix this in later versions. Rather than going on and on about how it's an unfixable problem, they could have just said they have made steps to address the issue in later versions but there isn't a way to fix existing versions.
> It's pretty crazy the number of people who bought Bitcoin/crypto at such an early stage (e.g spending >$1000 on something nearly worthless and very obscure) yet are very bad at the security of this. You would think the first step to recovering >$10M plus would involve a Google search or two.
Though $1000 is a money typical let's say IT employee can easily spend and lose without having major issues. The issue with some early BTC adopters is that it was like buying a lottery ticket, most probably assumed that they would be likely losing the money, therefore they didn't invest in security and careful planning. Many people working for FAANG for example don't have to work that long to make $1000, so it is quite natural not to spend several hours of r&d on $1000 investment.
The lack of security at the time of purchase isn't really the issue... it's the lack of security & best practices at the time of recovery that is the issue. Anyone getting >=10,000x returns on crypto basically had to have either forgotten or temporarily lost their crypto because 99.99% of people would sell after getting 1000x gains.
I think the main issue in this vulnerability was only fixed in early 2019 so it is super recent compared to the value & state of cryptocurrenty. Even I would expect any crypt wallet software from 2018 to be secure because crypto was no longer a niche interest at that point. Sure regular security & bug fixes are a norm for modern software but having such an egregious issue as recent as late 2018 is unacceptable.
It would be interesting to interview people like this and publish their stories. What happens to someone in between spending $1000 USD on something nearly worthless and very obscure and having a wallet worth $10M USD?
i.e. perhaps a trend is people are so terrified of anyone finding out about it that they avoid Google etc and do everything in secret.
There have been plenty of news articles about these people. For example in Scandinavia top tax payers are published yearly, there have been some crypto investors who have made it to the top of the list, and have given out interviews.
Reading some of these it is not that much different to someone winning in the lottery or getting some making million-level exit from IT business.
You can overdo the security too though. I'd have a house right now if I had kept my wallet passphrase on a computer instead of in a notebook that I lost.
Looks like this guy installed an old and vulnerable version.
Electrum has a history of severe security bugs. If you want to store crypto safely, I recommend a Trezor hardware wallet. If you want crypto exposure in your portfolio without the technical/security headaches, I recommend Grayscale's investment products. GBTC, for example, is backed by Bitcoin and you can buy it through any investment account.
I don't understand the point - are you suggesting that he earlier on leaked the fact that he had lots of crypto and faked losing it to no longer be a target? If so he seems to be posting from a throwaway account which defeats the purpose.
perhaps he can provably point to it in the future if the government comes knocking. mainly i am remembering the guy in the uk that made a big show of looking for his old hard drive in a landfill, my immediate suspicion was that it was a ruse.
So how do we prevent this? Not everyone can cryptographically verify software updates, like I can't expect my mom to do that, and that is assuming you can reliably determine which key to use for verification in the first place, and that you trust whoever owns that key, and that this signer properly checked all commits or trusts the people that did.
Perhaps a start would be not to keep more than, say, a fifth of your cryptocurrency in a single place if you have many millions' worth?
I’m far, far from an expert, but it seems to me that the unforgiving “software is the law, nothing can be reversed” nature of crypto means that all sorts of vulnerabilities and/or mistakes can instantly lead to you losing all your money. It feels inherent to the system - the core reasons behind these weaknesses are also the core strengths of crypto. You can patch individual vulnerabilities, and try not to make mistakes, but it seems it’ll always be the case that if all your money gets stolen, nothing can really be done.
This is correct, and why the average end consumer will never actually use Bitcoin for anything.
It may have some utility as an asset class but the crypto fan boys seem to ignore that it is largely incompatible with our current financial and legal system.
I’ll happily agree with anyone that Bitcoin is an interesting and novel invention but I fail to see how it does anything useful for me other than as a speculative investment.
Now that crypto markets are a parody of wildcat banks in the 1800s I won’t even touch it with a 10 foot pole.
In early 2017 I bought breakfast every day on my way to work in Oxford with cryptocurrencies. A bacon and avocado sandwich, and a large latte. It was pretty cool to buy these items with currencies I had mined myself, or bought by trading minded coins for other currencies. I checked the other day and each of those breakfasts would be around £200 today had I saved them but I don't regret the nerdy enjoyment of paying in that way :)
Edit: I found it amusing when the cafe closed a year later presumably because both owners retired after selling at the peak in early 2018.
Yeah I don’t think the convenience is what is holding it back. It’s pretty easy to pay for something with BTC. I think it’s more to do with how there is limited coin supply, no dispute or consumer protection, and then the issue of taxes.
If I have to pay for breakfast I’d rather use a credit card app on my phone that has a dispute process and gives me a % cash back.
In Canada those breakfasts would technically be taxable capital gains, which means calculating the adjusted cost basis based on mining input costs and then half of that taxable gain is added to your annual income.
There is just no real incentive to use crypto unless you’re buying something questionable on the internet.
What has really helped me to relax with my crypto holdings was reading couple of cancer stories. Basically as how nature is, cancer can come any time and take anyones life away. Just treat Bitcoin as the nature, but a less severe version as you won't die if you lose your crypto.
That said, crypto loss is very preventable. Lots of people have put lots of effort to make holding bitcoin/crypto more secure.
People in invest in crypto because the gains have been ridiculously good. However some people have lost their money because of bad security or scams. You can mentally it like, you invest $1000, plan to exist when the value hits 10x and have 5% probability of losing it all, you can calculate the expected value and decide if the risk is for you.
Better analogy would be "it is not worth living because you might die"
> Not everyone can cryptographically verify software updates
In this case don't use cryptocurrencies, or at least don't hold your own coins and delegate that to a third-party (keep them in an exchange, etc).
Keeping your coins in a self-hosted wallet is like handling millions in physical cash or precious metals. You can do it, but it requires responsibility and precautions, which is why in the real world it's typically delegated to financial institutions (as in you keep that cash in the bank) and they themselves use precautions such as moving physical cash in armored trucks.
With this kind of amount, you need to take the appropriate precautions and have (or build) a digital "armored truck" and definitely not keep them on an online machine. Use a hardware wallet at the very least, or "build your own" hardware wallet by using an air-gapped machine with no direct access to the internet.
> Keeping your coins in a self-hosted wallet is like handling millions in physical cash or precious metals.
Definitely not. I'm sure that for someone who has middle-level skills at basic IT and basic understanding of cryptocurrencies, safe storage and handling of cryptocurrencies is 10x safer than handling the same amount of physical cash or gold at home. Considering also that you want to use your assets.
If I were routinely transfering tens of thousands worth of cash from my home to somewhere to spend it would surely catch some attention, I would guess. With crypto I can just use it from safety of my own home at online shops and similar.
Custodial services is one area where the BTC community is sorely lacking.
Typically you can safely work with an independent financial advisor as your money is stored with a custodian like fidelity. Fidelity is on the hook to make basic tax reports, account statements, and provide security for your funds. Obviously a part of that security is controlling transfers and not dealing with dubious business partners.
I can’t point to any vault where my money is stored, but I can reasonably bet that fidelity has enough safeguards that it won’t vanish. I wish there were more such custodians for btc assets providing “cold wallets”. BTC makes audits and other activities to verify nothings gone odd with the custodian for your and everyone else’s accounts without requiring privileged access to the ledger.
Paying .05% for the price large of not having your btc vanish is a bargain.
There are lots of custodians with different storage models. If you have account at some reputable service, good password and 2FA set up (non-mobile) then I think accidents are always super ultra-rare or basically nonexistant. Of course you also have to just HODL and for example not send your crypto to some scammer (that ofc isn't a problem that a custodian will solve anyway).
Have to note that when there are millions or maybe hundred of millions of people with crypto wallets, there will be also some amount of "false positives" reporting lost BTC, for example people who have sent their BTC to wrong address drunk or high, and then afterwards think that its the platforms fault.
I think the UX of crypto is its biggest failing. People don't need to know how SWIFT works to send a transaction and they shouldn't need to understand cryptography to use cryptocurrencies. Hopefully companies focus on solving these issues so anyone can open an account and use crypto just like cash but with a few of the extra advantages you get from crypto.
Except where reversing transactions is how the fraud is conducted. Such as Ebay buyers pretending they didn't receive their goods. Or scams in the form of "I'll send you some money then you forward it to my friend" but the sender uses a way that's reversible for a longer period than the victim and reverses it in the window of difference between them.
You don't. People want full control, with 0 oversight. Such incidents are going to be not uncommon. In all the solutions you've provided, they all require the user to do something other than click a random popup on outdated software. The issue is a people problem, not a tech problem.
I good start would be to write security critical software right the first time and not require frequent updates if at all. Every time an update happens it imposes a time cost and security risk on users. No other engineering discipline has the concept of updates to an in use product. When Toyota sells you a car if it has a "bug" in a control arm that results in it breaking and you losing control on the highway there is no software update. There is an NHTSA investigation and a recall.
Bitcoin and others are just numbers. As such they are not backed by anything material. They have no intrinsic worth. You can't touch them or hold them. When the electricity stops they don't exist.
Your choice as to whether you entrust your assets to a scheme like that. I prefer something solid like real physical assets that I can hold or touch and that doesn't rely on a source of energy for its existence.
I wish it would be easier to use Bitcoin Core with multisig hardware wallets, as it's much more thorowly reviewed as other wallets. Partially signed transactions were a huge step forward, but there's still a lot to go to get rid of other software for managing large amounts of Bitcoins.
If I recall correctly the issue was something like electrum permitted any full bitcoin node to broadcast any message and a nefarious node (since anybody can run a node anonymously) broadcast a message to users to update their electrum client to a trojan client. Just goes to show that "security" is amatuerish in much of the bitcoin community. Bitcoin may be cryptographically secure but how people use it often is not.
On top of all this around the same time I was trying to access some small amount of bitcoin in an older electrum wallet. It was no longer supported so I would have been forced to upgrade while there was this trojan variant going around.
Any way what the lesson should be is when writing security critical software do it right the first time, don't force users to upgrade frequently, don't allow messages from anybody to be broadcast to users, don't break existing secure installations forcing users to upgrade unnecessarily. Keep it simple and secure. KISS.
What is interesting or unusual about this GitHub issues link? Someone had coin stolen and they’re complaining about it. What makes this worth being on the front page?
This does happen. Then they're tracked down and prosecuted and the money returned - sometimes. But the regular banks also put a bit more effort into authentication. And amounts over certain figures attract more scrutiny.
Two specific design decisions of crypto - irreversibility and pseudonymity - make this much harder for crypto.
I guess this is my disconnect or naïveté, but I thought the whole point of crypto is that it’s fairly traceable - obviously, there’s no decentralized way to address fraud, but couldn’t we have a decentralized report system that can warn people before sending tokens to known malicious actors?
"Often" word is used because it also covers the case of small transactions. As transactions get bigger, systems get slower. I have had personal phone calls from bank to ensure I wanted to send big sum of money.
Depends on the bank, account type, and the destination for the funds.
My bank requires in-person to send a wire transfer, meaning in person identification at a bank branch with photo ID and PIN.
You can only transfer money on the app within your own accounts or to payees that are in the system (e.g your utility company, insurance company, etc.) or by using interac e-transfers with a limit of ~$1500.
Even if you’re trying to pay your taxes to the Canada Revenue Agency the bill payment system has a limit that I have hit. You can bet that a review process is triggered when that happens as well.
Any deposit of >$10000 from a wire transfer usually triggers a phone call as well where someone will politely ask you if you were expecting the transfer.
As an example, someone once had to write me a check for $10,000. The bank transferred the amount incrementally to give the originator time to object. The first day it transferred $100, then $200, $500, $1000, $3000 and so on until the full amount had been paid.
This page has further examples that appear to vary for ACH transactions (one of the more common means for app/website transfers), indicating that for would-be thieves it would be a guessing game, and the limits are generally pretty low: https://www.mybanktracker.com/news/ach-transfer-limits
I don't know why people keep saying this. They're often not. There was a case in my country of someone receiving a pile of money by mistake and he withdrew or transferred it quickly and fled the country. I also know someone overseas whose dad lost his life savings through a phishing scam that asked for his password and 2FA token via text message. The bank could only tell them where the money went (multiple accounts in other banks) but not get it back. Elder abuse often happens by the abuser using the victim's bank card and PIN to buy groceries/etc. then also taking money for themselves. The banks blame the victim who broke the rules by giving away their PIN and the abuser says it was a genuine payment for services or rent or whatever.
If your bank's app has a vulnerability that you lose money through, they bank will probably compensate you out of their own pocket even if they can't reverse the transaction.
