RarityCheck VIBGYOR gilded #12 swept yesterday.

[krogothmanhattan]

Beyond the don't create your own cryptography if you're not a cryptographer as LoyceV said, why re-invent the wheel?

There are a bunch of really good options on how to do it in the previous few posts. They are known, they work, and people use them all the time.

Do you really want to find out some time in the future that since there were a lot less people seeing / using / auditing your code that a mistake you made someplace caused a problem.

-Dave

 I agree with Loyce and Dave here....Stick with what has worked for others for years. Tried and true software and hardware.
 
 We want you to get back on your feet....people might not be comfortable with new key generation software that has not been tried and tested thru the years.

  Wish you the best of luck in whatever you decide though.

Thank you for the feedback.

But issues are

1. We need to generate 30 char mini key
2. How can we be sure that hardware will be safe and not compromised
3. How slow is the ahrdware for generating 300+ keys?

  I think Mopar has answered your questions already...I do one key generation at a time with my mycelium so not sure that is what you are lookingfor as an answer. Also do not think a hardware wallet bought directly from the manufacturer like Trezor would be compromised. As long as its a legit hardware wallet from the maker you should be fine.

[raritycheck]

New keys generated

Please let us know which font for long keys is the most readable.

PRINTER: BROTHER HL-L2400DWE Mono Laser Printer

PAPER: Terraslate 5 Mil Waterproof Copy Paper


For key generation: vanitygen is used for key generation.

Scan of the paper with printed keys

LINK: https://rcpublicbucket.s3.amazonaws.com/NewKeysPrint.png

 

Note: Short keys are generated only to showcase how easy it will be to create readable short keys

[LoyceV]

Please let us know which font for long keys is the most readable.

I'd avoid any font where the characters touch each other.

[aoluain]

OCRB or Gothic I guess.

The obvious issues are going to be keeping the 1, i, I, J and a, e, c, o and 6, 8, 9, 3 and 4, 7, T
and H, K clear so they dont end up looking like each other.

I can see the "Long Key" being a problem

[LoyceV]

The obvious issues are going to be keeping the 1, i, I, J and a, e, c, o and 6, 8, 9, 3 and 4, 7, T

Base58 doesn't have l ^{(lower case L)}, I ^{(upper case i)}, 0 ^(zero) and O ^{(upper case o)}, so it's not a problem if you can't distinguish all of them.

[LoyceV]

why-not also include a piece of paper with each coin which has a full decode of every private key letter matched with a very clean alphabetic letter.

I'm not a collector myself, but doesn't that defeat the purpose of the coin? The point of a collectible is to have one physical coin that is the only way to access the Bitcoins. If there's a piece of paper, the coin can never be resold in a trustless manner.

[LoyceV]

- Include a sheet of paper with every coin, featuring an alphabetical and numeric list.
- The font used on this sheet matches the font used on the private keys.
- If a coin-holder has difficulty reading the private key, they can use this decoding sheet to help interpret the letters and numbers.

I thought you meant a separate piece of paper with the printed private key. This makes more sense, although it would be a lot better to avoid needing this altogether by using a proper font.

[markinaz]

Hi Loyce,

In this situation, some users struggled to read their private keys due to the font used on the coins. I propose including a decoding sheet with each coin sold.

Here’s the idea:

- Include a sheet of paper with every coin, featuring an alphabetical and numeric list.
- The font used on this sheet matches the font used on the private keys.
- If a coin-holder has difficulty reading the private key, they can use this decoding sheet to help interpret the letters and numbers.

This would minimize the need for users to seek help on forums or share pictures of their private keys for decoding.

I really like this idea, as I did have some difficulty with the original fonts.  Luckily I had 2 coins that were loaded and reviewing the other coins keys help me determine the first one.  I wholeheartedly agree this is a help, depending on the font.

[ChiBitCTy]

Aren’t there some lealana’s with shitty font and disappearing ink? But he rose above and people still buy his stuff even with about the shittiest customer service out there.

Either way - I hope RC learns and comes back better. Offer some DIY versions to take care of the people who want it.

He’s made some awesome coins. The enamel work is pretty damn good. Batman coin and these V series were very high quality work. Keys were lacking, obviously. Who here has been more affected than RC?

I dunno. I’ve been scammed and rug pulled - zero people stood up, owned their mistakes, refunded people out of their own pocket and yet the one person that does just continues to get shitted on.

We are all human. If you don’t want to trust his keys then don’t, but this is 1000% Better than Coldscam, 1hodlclub missing funding issues, lealanas missing addresses, and btc penny owing people product and loans.

You would think people would cut the guy a little slack or at least not publicly talk shit on someone that is holding themselves accountable and making amends as best they can.

You will need to show proof of better key printing tho, plus outline your process or subcontract it out I don’t know but I’m not gonna kick a guy that’s down and trying to do the right thing

A FULL refund is the only legitimate way to make things right. Simply refunding load value is not legitimately “making good” on their mistakes.

I continue to see a pattern of questionable statements and back-tracking.  Imploring people to not peel their coins (I’ve been around this hobby nearly a decade and never seen any maker say this and stress this like they are.  

They state they had a team work on things, I asked who the team was, where they are located and general info on them and it was met with crickets until Mopar pressed them on this again, where they stated their is no team, it’s just them.

I’m not so sure most really know how to look for the red flags in this space, or how to spot certain patterns.  Then again most haven’t been scam busting /exposing poor practices for a decade either (doesn’t make me cool or special, just someone who found the hobby pretty early on as a long time coin collector and bitcoin advocate. cares a lot and has too much time on their hands).

What is up with the Lealana? Never heard of an issue. I know when I bought he sent me a list and I funded the coins.
Did something change?


-Dave

Refused to address it - https://asktom.cf/index.php?topic=2011139.0

This is not all.

More meets the eye than I can discuss at the moment with certain projects.  I will share anything and everything I can as soon as I can.

[raritycheck]

Aren’t there some lealana’s with shitty font and disappearing ink? But he rose above and people still buy his stuff even with about the shittiest customer service out there.

Either way - I hope RC learns and comes back better. Offer some DIY versions to take care of the people who want it.

He’s made some awesome coins. The enamel work is pretty damn good. Batman coin and these V series were very high quality work. Keys were lacking, obviously. Who here has been more affected than RC?

I dunno. I’ve been scammed and rug pulled - zero people stood up, owned their mistakes, refunded people out of their own pocket and yet the one person that does just continues to get shitted on.

We are all human. If you don’t want to trust his keys then don’t, but this is 1000% Better than Coldscam, 1hodlclub missing funding issues, lealanas missing addresses, and btc penny owing people product and loans.

You would think people would cut the guy a little slack or at least not publicly talk shit on someone that is holding themselves accountable and making amends as best they can.

You will need to show proof of better key printing tho, plus outline your process or subcontract it out I don’t know but I’m not gonna kick a guy that’s down and trying to do the right thing

A FULL refund is the only legitimate way to make things right. Simply refunding load value is not legitimately “making good” on their mistakes.

I continue to see a pattern of questionable statements and back-tracking.  Imploring people to not peel their coins (I’ve been around this hobby nearly a decade and never seen any maker say this and stress this like they are.  

They state they had a team work on things, I asked who the team was, where they are located and general info on them and it was met with crickets until Mopar pressed them on this again, where they stated their is no team, it’s just them.

I’m not so sure most really know how to look for the red flags in this space, or how to spot certain patterns.  Then again most haven’t been scam busting /exposing poor practices for a decade either (doesn’t make me cool or special, just someone who found the hobby pretty early on as a long time coin collector and bitcoin advocate. cares a lot and has too much time on their hands).
 

Thank you for the suggestions ChiBitCTy. We understand how full refund would be better for some, we are happy to take coins back and refund as needed. Also some of the collectors prefer to keep the coins in their collection and have asked us to reload, in which case the full refund is not necessary at all.

We apologise for previously asking people not to peel their coins without enough information. We all knew it’s best to peel the compromised VIBGYOR coins - all of them most probably. We were advising collectors not to peel the other series however. This was just advice, and of course everyone is free to decide what to do.

At the time we were too busy replying to refunds that we just didn't have the time. We sometimes hire different people for different tasks pictures, certs. But for key generation, there has been only one person involved for every single series.

If you have one of our collectibles, please don't hesitate to reach out directly, we will refund with the original sale price. And we will do as much as possible.

[raritycheck]

Thank you all for the feedback on printing. Of course we can include a sheet if needed, but as the first priority now we will do more testing to try to find the best font for this paper size. The paper and printer quality already look much better, we just need to find the right font. Will keep you updated.

We appreciate the continued support from everyone in this community, it really means a lot!

[raritycheck]

Hey  guys

One thing we want to re-iterate that we did not sell VIBGYOR coins with compromised private keys i.e. the process we followed was not insecure.

Just like bitaddress.org, there is another site and turns out that site is easy to be RNG attacked (it uses weak entropy generation). Not only our keys were impacted but around 2.5 BTC of other people BTC was also impacted.

So, even with air-gap PC, this happened.

We have received new stickers for VIBGYOR coins and we will update the the announcement thread with new stickers.

[seavodin]

All right, now i'm thoroughly confused.

One thing we want to re-iterate that we did not sell VIBGYOR coins with compromised private keys i.e. the process we followed was not insecure.

This isn't something you're re-iterating, because you never iterated it.
You're now saying something completely different than you did originally.

If I understand you correctly, you're now claiming:
- you did not use walletgenerator.net (although you dont say what you did use)
- that you used an air gapped PC
- that you didnt do anything insecurely, it was just weak entropy generation (and it would have to be catastrophically weak to be guessable)

[raritycheck]

Apologies. Yes the site was walletgenrator. ( we didn’t want to name it in last post so people don’t use it i.e. don’t give more publicity.)
Ofcourse, We always have used airgapped laptop/printer that we wipe after.
Yes, that site has weak entropy generation.

Also, we want to mention that some people have given us feedback saying we have claimed to be incompetent. Rest assured that the only incompetency we showed was in choosing the wrong key-generator(walletgenerator) for VIBGYOR coin. Of course the whole system of keygen was end to end secure.

[LoyceV]

Of course the whole system of keygen was end to end secure.

.... said no one ever after getting his private keys compromised.

[raritycheck]

Of course the whole system of keygen was end to end secure.

.... said no one ever after getting his private keys compromised.

It's true. The only reason keys were compromised because the key-generator itself is compromised(we weren't aware of that).
But the process of key generation was secure as we never connected any of the devices to internet.

Let's say someone brute forces(say with some quantum computer) 52 char key combinations and lands on your wallet and drains your wallet.
Who is at fault? Did you follow an insecure process or is it because the generator you used wasn't strong enough?

[LoyceV]

The only reason keys were compromised because the key-generator itself is compromised(we weren't aware of that).
But the process of key generation was secure as we never connected any of the devices to internet.

It's a "weakest link" thing: all it takes is one fuckup and all other components of your security become irrelevant.

Let's say someone brute forces(say with some quantum computer) 52 char key combinations and lands on your wallet and drains your wallet.
Who is at fault? Did you follow an insecure process or is it because the generator you used wasn't strong enough?

Are you seriously comparing using well-known compromised malware for key generation to something that's generally considered as being completely impossible?

[raritycheck]

It's a "weakest link" thing: all it takes is one fuckup and all other components of your security become irrelevant.

You are correct. It does take one fuckup.
But what if (hypothetically) you bought the printer and turns out printer has a sim in it that sends every single print job via cellular n/w to server.
You trusted the printer but printer itself is at fault whose fault it is?

Are you seriously comparing using well-known compromised malware for key generation to something that's generally considered as being completely impossible?

You are correct it is impossible. Just creating a hypothetical scenario. who will be at fault?
Of course it is impossible but if it does happen Or say someone randomly writes a key and it happens to be your wallet.  Who is at fault?

Let's consider another example, we know many other creators in forums use bitaddress.org, if tomorrow turns out there was some vulnerability with that site,
and all keys are compromised, who is it at fault?

Point is to our knowledge, we followed all the steps securely.
And in fact for vigilante we did use  bitaddress.org, it's just that for VIBGYOR v1 coins we were trying a different generator and this happened. If only we could go back in time and not use walletgenerator.

[LoyceV]

But what if (hypothetically) you bought the printer and turns out printer has a sim in it that sends every single print job via cellular n/w to server.

Don't buy printers on the black market. Get a signal jammer. Build a Faraday cage.

Of course it is impossible but if it does happen Or say someone randomly writes a key and it happens to be your wallet.  Who is at fault?

Arguing about impossible scenarios is pointless. If a randomly generated private key wouldn't be safe, there would be no Bitcoin.

Point is to our knowledge, we followed all the steps securely.

My point is a simple Google search would have been enough to know it's compromised.

[raritycheck]

But what if (hypothetically) you bought the printer and turns out printer has a sim in it that sends every single print job via cellular n/w to server.

Don't buy printers on the black market. Get a signal jammer. Build a Faraday cage.

You are correct 'Build a Faraday cage' will solve the problem. But no one normally builds a Faraday cage. Right? So who will be at fault?

Of course it is impossible but if it does happen Or say someone randomly writes a key and it happens to be your wallet.  Who is at fault?

Arguing about impossible scenarios is pointless. If a randomly generated private key wouldn't be safe, there would be no Bitcoin.

Right. Apologies if you felt we are arguing, just trying to make the point that no matter how secure one thinks their process is, it is possible that a mistake is made.

Point is to our knowledge, we followed all the steps securely.

My point is a simple Google search would have been enough to know it's compromised.

Yes. Correct. That is the mistake. Mistake is trusting the generator. But to us the whole process end to end was secure.