by scotty79 1111 days ago
It's a great place but when you need to cash out you need a fresh Linux system with fresh wallet software connected to the internet only when you make the transaction. Not an app for your phone. Everybody will have a malicious keylogger on their phone eventually if they install apps and sometimes even if they don't.
3 comments

> a fresh linux system with fresh wallet software connected to the internet only when you make the transaction

Wow, what a practical way to be able to store and use money!

It is rather safe and practical, for storing assets. It’s called a cold wallet.

If you want “practical” and unsafe, then store all your crypto in hot wallets like Atomic, that sure ended up well.

> Everybody will have malicious keylogger on their phone eventually

Are there actually any keyloggers for iOS and Android? Unlike on desktop OSes, there isn’t even an API for that, so you’d need an actual OS exploit.

> fresh linux system with fresh wallet software

And how do you make sure that that doesn’t come with a keylogger (in a world where a significant number of people were to actually do that)?

> you’d need an actual OS exploit

Not necessarily, for instance third-party keyboards like Grammarly are keyloggers by their very nature. They grab your input, process it, and give output in terms of grammar corrections. And a rogue app update can absolutely do the same.

> And how do you make sure that that doesn’t come with a keylogger

The same way you verify anything is what you want and stays that way, MD5/SHA256 hashes and airgaps.

It's possible to disable third-party keyboards for sensitive data entry, at least on iOS. Not sure if the same is possible on Android – worst case, a wallet could just provide its own keyboard/passphrase entry method.

> The same way you verify anything is what you want and stays that way, MD5/SHA256 hashes and airgaps.

How do you determine a given hash to be trustworthy? And how do you know you can trust your `sha256sum` implementation?

You're always trusting someone. Any security analysis pretending otherwise is worthless.

Of course you also need a clean version of Linux and all software compiled with a clean compiler.

Thankfully we can be reasonably sure that some compilers at least predate cryptocurrency.