Casa, a company that provides multisig key security systems, has received strong criticism because its new wallet, Casa Keymaster, does not have verifiable open source code. It was also questioned whether the company retains control over the keys of all the Bitcoin wallets it provides to its users.
In an analysis recently published on WalletScrutiny.com, several reasons were listed for considering the Casa Keymaster app an unreliable service. The core of the argument is that the configuration of the multisig wallets cannot be openly verified, which carries risks the site does not advise accepting, even though the product is advertised as giving the end user full control of the wallet.
The site's moderator and author of the post, Leo Wandersleb, pointed out that it is not possible to verify whether the wallet really is multisig, because the software is neither open source nor public. The verdict of the criticism rests mainly on that last point.
"Internally the company could be doing everything right, but as long as we can't verify it, there is nothing to protect the user from suffering a scam (...) If the provider is criminally inclined, it has probably already collected the wallets' backups and is ready to empty them at the press of a button."
Leo Wandersleb, Wallet Scrutiny
Based on comments that Jameson Lopp, Casa's chief technology officer, made in episode 182 of Stephan Livera's podcast, Wandersleb points out that Casa could be controlling the majority of the keys of its clients' wallets, since it openly holds one of the signing keys it claims to have. This could be achieved by escaping proper scrutiny of whether the user actually controls the remaining keys of the wallet through the app.
Casa could publish its code openly without giving up its licensing terms. Source: blog.keys.casa
The researcher further points out that when a customer orders hardware wallets from Casa, the company insists on shipping them itself directly to the buyer, which exposes them to supply-chain attacks that could compromise the devices' security before they reach their new owner (the purchaser).
Because no link allowing the software to be verified can be found on Google Play or GitHub, and in light of the plans offered to its customers, Wandersleb indicates that the risk is enormous.
Lopp, for his part, argued on the podcast that they had not found a way for Google Play and the Apple App Store to validate the authenticity of their software, since these stores accept apps on the basis of the developers' cryptographic signature but neither verify nor display the underlying code.
In exclusive comments to Breaking News, Wandersleb assured that compatibility with Google Play would not be a problem if the company published its source code for public download, along with instructions to build and run it.
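The gap Lopp and Wandersleb are arguing about can be made concrete. A store's signature check proves who uploaded a package, not what is in it; what would make the code verifiable is rebuilding the app from published source and comparing the result against the package the store distributes, ignoring only the entries the developer's signing step adds. The following script is an added example written for this article, not WalletScrutiny's or Casa's tooling; the package contents, the entry names and the "store" and "local build" archives are all constructed in memory so it runs offline, and it models only the v1 (JAR-style) signature layout.

```python
"""Reproducible-build check for an Android package (added example).

Models the check the article alludes to: every code and resource entry
in the store-distributed APK must match the APK rebuilt locally from the
published source. Only the signature entries under META-INF/, which the
developer adds at signing time, are excluded from the comparison.
All sample data below is constructed; it is not Casa Keymaster's content.
"""
import hashlib
import io
import zipfile

# Entries a signer adds; they legitimately differ between a store APK and
# an unsigned local build, so they are excluded from the comparison.
SIGNATURE_PREFIX = "META-INF/"


def build_apk(entries, signed):
    """Construct a minimal APK-like zip; 'signed' adds v1 signature files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in sorted(entries):
            zf.writestr(name, entries[name])
        if signed:
            zf.writestr("META-INF/MANIFEST.MF", b"<per-file digests>")
            zf.writestr("META-INF/CERT.SF", b"<signature file>")
            zf.writestr("META-INF/CERT.RSA", b"<developer certificate and signature>")
    return buf.getvalue()


def content_digests(apk):
    """Map each non-signature entry of an APK to the SHA-256 of its bytes."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.filename.startswith(SIGNATURE_PREFIX):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def diff_apks(store_apk, built_apk):
    """List every entry that is missing on one side or differs in content."""
    store = content_digests(store_apk)
    built = content_digests(built_apk)
    findings = []
    for name in sorted(set(store) | set(built)):
        if name not in built:
            findings.append("only in store APK: " + name)
        elif name not in store:
            findings.append("only in local build: " + name)
        elif store[name] != built[name]:
            findings.append("differs: " + name)
    return findings


def is_reproducible(store_apk, built_apk):
    """True when the store APK and the local build agree on every entry."""
    return not diff_apks(store_apk, built_apk)


# Constructed sample data (hypothetical wallet app, not real contents).
PUBLISHED_SOURCE_BUILD = {
    "AndroidManifest.xml": b"<manifest package='example.wallet'/>",
    "classes.dex": b"dex\n035\x00compiled wallet code",
    "res/values/strings.xml": b"<resources/>",
}
# A store package that a developer built from the published source and signed.
STORE_APK = build_apk(PUBLISHED_SOURCE_BUILD, signed=True)
# The verifier's own unsigned build of that same source.
LOCAL_BUILD = build_apk(PUBLISHED_SOURCE_BUILD, signed=False)
# A validly signed package whose contents do not match the published source.
DIVERGENT_APK = build_apk(
    {**PUBLISHED_SOURCE_BUILD,
     "classes.dex": b"dex\n035\x00different code",
     "assets/extra.bin": b"not present in the published source"},
    signed=True,
)

if __name__ == "__main__":
    print("store matches source build:", is_reproducible(STORE_APK, LOCAL_BUILD))
    for finding in diff_apks(DIVERGENT_APK, LOCAL_BUILD):
        print("  ", finding)
```

The point of the example is that `DIVERGENT_APK` would pass any store's signature check just as `STORE_APK` does, because both carry a valid developer signature; only the comparison against an independent build from source tells them apart. Real packages signed with APK Signature Scheme v2 or later also carry a signing block outside the zip entries, and practitioners typically run the comparison with a tool such as diffoscope rather than a hand-written script, but the principle is the same: without published, buildable source there is nothing to compare the shipped binary against.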
"They (Casa) suggest that their business would not work if they published the code; that is false because of the differences between open source code and public code," he said when asked whether the reluctance to open the code was due to problems or reservations about the license, explaining the difference between the two concepts.
"Public code: anyone can read the code and run it, but if the license prohibits it, you cannot use it for anything else. You can't compete with the supplier of the code, nor even take a small part of it to use in an app that would compete.
Open source: as I learned recently, the UN considers 'open source' a technical term that means what used to be called 'FLOSS' (Free/Libre and Open Source Software). The UN considers software 'open source' only if it is licensed under an OSI (Open Source Initiative) approved license."
Leo Wandersleb, WalletScrutiny
Yesterday Wandersleb invited the Casa team via Twitter to respond to his observations on the security of this wallet, without having received an answer so far.
Last May, Wandersleb discussed on the On Consensus podcast of Breaking News several crucial aspects of the security of Bitcoin and other cryptocurrency wallets, emphasizing the importance of open source and the user's role in verifying it.