Leo Wandersleb has been working on cryptocurrency wallets for several years. As a developer, you know the weak points any application can end up with, and even more so when it needs to interact with other applications online. Cryptocurrency wallets meet all of these criteria, with the addition that they manage crypto-assets, which makes them particularly attractive to thieves and hackers. Leo gave us a tour of the most obvious vulnerabilities in wallet security in general, and of some (well-known) ones in specific wallets. His crusade for the build of any wallet to be verifiable by third parties, and thereby secured against attacks and errors, requires the participation of all users, and for that it is necessary to raise awareness. For more episodes, or early access before the regular publication, sign up on Apple Podcasts, Anchor, Breaker, Google Podcasts, Overcast, Pocket Casts, RadioPublic, Spotify, Stitcher, ivoox or RSS feeds.
What makes a wallet safe?
The role of GitHub in security.
The advantages of Android security.
A tour of the Wallet Scrutiny home page.
About the handling of the 12 words.
Wallets that are not BTC.
Apps that are not wallets.
Trezor and Ledger and their security priorities.
The business models of wallets.
The methodology of Wallet Scrutiny.
A call to action: write to the developers and ask that the code can be verified.
Episode notes
A preview of what you’ll find in this episode:
Elena: Leo, what makes a wallet safe?
Leo: Well, if you want to be your own bank, which is one of the achievements of Bitcoin, you have to keep your private keys safe. That is why it is super important not to spread those keys to any server, to any other app on the computer, for example when doing a swap, and to make sure of a lot of things. An application typically has hundreds of thousands of lines of code, programmed by many developers, and any of them could try to make the application unsafe, make the application send the keys to a hacker's server, etc. So, for security, there is a huge attack surface that you have to secure, and to have it secure, you need to check all of these possible attack vectors.
Elena: Well, you have just set off all the paranoia in the world. How so? I know absolutely nothing about programming, I trust the non-custodial wallets that the market tells me about, or friends, or guys who know how to code, I say, "look, this one works, this is good," and I hold my private keys and keep them on a piece of paper and don't show them even to my children. That is as far as my security goes. But if you ask me to check the code, that is where I am lost. What do I do?
Leo: Right. Clearly no one can review all the code of a wallet. So, if I had to review all the code of a wallet, well, the wallet that has been paying me for four years to do just that, I know it completely. So, I have been part of the Mycelium team for four years, and for three years and something I have been in charge of publishing the new versions. So, I approve the source code, I approve the compile, and I get an application that I upload to the Play Store, and there it is published. And as I am the one who compiles the application, I take on the responsibility of reviewing what it is that I am compiling, so I review all the changes that come into the new versions.
These changes are thousands of lines of code, and as I am not a robot, I cannot be 100% sure that none of my colleagues is doing something evil. Maybe one of them makes a change that later steals the money of all the users of the wallet. What I want to explain is that it would be impossible for a single person to review all the source code of a wallet, but I think it could be possible for a security expert in cryptography to review the cryptography aspect of a wallet, for a network security expert to investigate that aspect of it, and this way you can have many experts working together to analyze many wallets. That is what you can do to make a wallet safe. And that is why the wallet needs to be transparent about what it is doing.
Elena: That means the code has to be visible, it has to be open source.
Leo: Uh-huh. Open source is a term that many consider to be enough, but another problem is that if the wallet provider shares their source code, and if I compile this code, then I get an application that looks the same as the provider's application, but that is not exactly the same application. Maybe the version that that person compiles is going to send all the keys of all the users to the server once the first of May comes around. And my version does not. And as most people don't compile their own version of the application, perhaps by compiling it I am on the safe side, but the one who uses the Play Store version is not safe, because they are using a modification of the open source code.
Elena: So how does a person like me, who is not technical, stay minimally safe? What do I do?
Leo: A person who does not know how to check the code, that is 99.9% of people.
Elena: Yes, thank you. Handling code is a superpower. I say it and I say it again. To me that is a superpower.
Leo: It is something that nobody can do with 100% accuracy in security, and it is always a collaboration between many.
So, to say that everyone is reviewing their own code is completely stupid, to think that that could work. But what can work is that someone verifies that the source code corresponds to the application that is in the Play Store. So, if I could decompile the application that is in the Play Store and get out the same source code that is in the public repository on GitHub, I would know that that application on Google Play is truly made from the source code that is public. But you can't do that. What you can do is reproduce the build. So, if I take the source code on a computer other than the provider's, and on this other computer I compile it and get an application that is equal, bit by bit, to the one I can download from Google Play, then I know that what is on Google Play is based on the source code that is public on GitHub. And if I can establish this link, then it has value for all the users of this Google Play version that a security researcher analyzed the source code on GitHub.
Elena: Ok. So we have an important step. If compiling the code that is in the app store...
Joseph: Play Store, for example.
Elena: Exactly. It has to be equal to the one on GitHub. That, then, we could say is a security step. What else?
Leo: This is the only step that Wallet Scrutiny focuses on. Because there are many wallets that are open source, but they don't know how to reproduce the build of their own application.
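The check Leo describes, comparing a locally compiled APK bit for bit against the one downloaded from Google Play, as an added example that is not part of the episode and is not Wallet Scrutiny's or Mycelium's own tooling. It assumes the local build has already been produced from the public source, and that Linux coreutils and unzip are available. The only files it deliberately ignores are the publisher's signature block under META-INF, because a third party does not hold the signing key and can never reproduce those; everything else must match. The function names, the constructed demo tree and the file layout are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not Wallet Scrutiny's or Mycelium's own tooling): check whether
# an APK compiled from the public source matches the one downloaded from
# Google Play, bit for bit, ignoring only the publisher's signature block.
# Assumes Linux coreutils (sha256sum, find, sort, cmp, diff) and unzip.
set -eu

# Unpack an APK (a ZIP file) into a directory.
unpack_apk() {
  apk="$1"; dest="$2"
  mkdir -p "$dest"
  unzip -q -o "$apk" -d "$dest"
}

# Print "<sha256>  ./path" for every file under an unpacked APK, sorted by
# path. The signature block (META-INF/*.RSA|*.DSA|*.EC, *.SF, MANIFEST.MF)
# is skipped: a third party does not hold the signing key, so those files
# can never be reproduced. Nothing else is excused.
hash_tree() {
  root="$1"
  (
    cd "$root"
    find . -type f | LC_ALL=C sort | while IFS= read -r f; do
      case "$f" in
        ./META-INF/*.RSA|./META-INF/*.DSA|./META-INF/*.EC|./META-INF/*.SF|./META-INF/MANIFEST.MF)
          continue ;;
      esac
      sha256sum "$f"
    done
  )
}

# Compare two unpacked APK trees. Returns 0 when every non-signature file is
# identical (the build is reproducible) and 1 otherwise, printing the entries
# that differ so a reviewer knows which files to decompile and inspect.
compare_trees() {
  store="$1"; rebuilt="$2"
  a=$(mktemp); b=$(mktemp)
  hash_tree "$store" > "$a"
  hash_tree "$rebuilt" > "$b"
  if cmp -s "$a" "$b"; then
    rm -f "$a" "$b"
    echo "REPRODUCIBLE: all non-signature files match"
    return 0
  fi
  echo "NOT REPRODUCIBLE: differing entries (< store, > rebuilt):"
  diff "$a" "$b" | grep '^[<>]' || true
  rm -f "$a" "$b"
  return 1
}

# Constructed demo data (not a real wallet): a minimal unpacked-APK layout
# whose signature files always differ, as they would between Google's copy
# and a rebuild, and whose classes.dex payload is whatever the caller passes.
make_demo_tree() {
  root="$1"; dex_payload="$2"
  mkdir -p "$root/META-INF" "$root/res"
  printf '%s' "$dex_payload" > "$root/classes.dex"
  printf 'manifest' > "$root/AndroidManifest.xml"
  printf 'icon' > "$root/res/icon.png"
  printf 'sig-%s' "$root" > "$root/META-INF/CERT.RSA"
  printf 'sf-%s' "$root" > "$root/META-INF/CERT.SF"
  printf 'mf-%s' "$root" > "$root/META-INF/MANIFEST.MF"
}

# Usage: sh verify_build.sh <play-store.apk> <locally-built.apk>
if [ "$#" -eq 2 ]; then
  work=$(mktemp -d)
  unpack_apk "$1" "$work/store"
  unpack_apk "$2" "$work/rebuilt"
  status=0
  compare_trees "$work/store" "$work/rebuilt" || status=$?
  rm -rf "$work"
  exit "$status"
fi
```

In practice the local build is made in a pinned container (fixed SDK, NDK and Gradle versions), because tool versions and embedded timestamps are what most often break reproducibility, and a differing entry is then examined file by file, for example with diffoscope, rather than waved away. A mismatch in classes.dex is exactly the case Leo warns about: the app on Google Play would not be the code anyone reviewed on GitHub.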