Coauthored by Lixin Liu and Patrick Kim
This article was written before the launch of our second-generation hardware wallets, which we are striving to make as open source as possible for the mass market. Our first-generation Cobo Vault Ultimate had a more specialized design targeted at institutional investors, who have an interest in using closed source hardware under service agreements with liability insurance. For our first generation, we believed the risks of opening the door to hackers outweighed the potential benefits of attracting developers to contribute to making our product more robust.
As passionate advocates of open source software, we have deep respect for pioneering developers who made their work available to the world, and it goes without saying that we in the cryptocurrency field owe much to the originators of blockchain technology. It is because Satoshi Nakamoto and other great trailblazers made their work open source that we are all able to share in the benefits brought by amazing innovations such as Linux, Bitcoin, and the booming cryptocurrency market.
However, when it comes to the question of whether making source code available is beneficial for the security of hardware wallets, we enter into a wholly new discussion. This article explains our reasons why we believe the nature of open source does not represent an upgrade for hardware wallets, but rather a significant security compromise.
In traditional fields of computing, supporters of open source have consistently emphasized one point — open source is safer because it enables the public to inspect source code and contribute to security by helping fix potential loopholes. Linus’s law is clearly illustrated by the statistic that a zero-day attack on Safari, which is closed source, takes an average of 9 days to fix, while a zero-day attack on Firefox, which is open source, takes on average only a single day to fix.
However, Linus’s law must be understood in context, namely that of traditional computing fields. When discussing the advantages of open source software in terms of hardware wallets, we must be mindful of the fact that the traditional computing development community is immense compared to that of hardware wallets.
GitHub, the world’s largest host of source code, indicates that there are only around 180 contributors to the open source code of the oldest hardware wallet brand, Trezor. This statistic stands in sharp contrast with the communities of other hardware products such as the Raspberry Pi, whose contributors to its open source firmware number around 9,500.
No project, no matter how big, is entirely immune to the potential dangers of exposing its code. Take for example Linux Mint, which was hacked in 2016. Although that backdoor issue was fixed within a day, the rapid response time was in no small part due to the size of the Linux open source community.
In the context of our relatively small development community, we need to be especially wary of the fact that sharing source code is a double-edged sword. For hardware wallets, the unfortunate truth is that releasing source code makes it easier for hackers to detect loopholes and carry out attacks. Open source code can even open the door for cybercriminals to produce counterfeit hardware wallets capable of deceiving consumers — a security threat Trezor has already been the victim of.
An aspect of security that hardware wallet owners need to be keenly aware of is zero-day attacks. In zero-day attacks, the period of time between when a previously unknown vulnerability is exposed or announced and when it is fixed presents a perfect window of opportunity for a hacker to carry out an attack. Because vulnerabilities in hardware wallets are often resolved through firmware upgrades, it usually takes a while after official security patches have been released for users to actually install them and fix the issue. With some users who, after having set up their hardware wallet, don’t open it for months or even years, exposure to zero-day attacks is dramatically increased. Perhaps counterintuitively for those experienced with open source software development, a black box, or device with closed source code, is more secure than a white box with open source code.
While it is tempting to fall back on our knowledge and appreciation of Bitcoin as a prime example of the security offered by open source code, to assume that all blockchain projects should follow suit and become open source is a logical leap. The security Bitcoin enjoys from its open source development community is a direct result of the scale of its community involvement. Whether it is source code or mining functions, the Bitcoin community has gotten involved in maintaining and protecting the project, with larger numbers of involvement correlating to more secure functionality. However, because there are comparatively so few developers currently involved in hardware wallet security, we can make no assumptions about the benefits of sharing source code carrying over to this space.
Apart from vastly increasing the number of reviewers inspecting code, another benefit of open source development in traditional computing fields is enabling anyone to download, install, burn, debug, or even remove certain aspects of the source code themselves.
The security that comes with this level of autonomy is reliant on a foundation of specific technologies. However, even with a solid technological base, there is always the potential for security measures to be outdone. Those in computing fields will be familiar with how the Ken Thompson Hack (KTH) created a backdoor in the C compiler that can conceivably monitor or place controls on any software program in the world. You would have to write your own compiler using binary code or use tools compiled before KTH was installed in order to overcome this security compromise. KTH demonstrates that any system compiled from source code is always going to be vulnerable to attack.
What OGs like Ken Thompson teach us is that unless you are able to write your own compiler, you’re going to have to put your trust in a third party. In-depth issues such as having to write your own compiler aside, the majority of hardware wallet users won’t even get their feet wet burning or debugging source code. For this cohort of users, knowing their hardware wallet is open source is more of a psychological comfort than a condition that actually amounts to a measurable improvement in their wallet’s security.
In traditional fields of computing, it helps to think of the security brought by open source software as enabling a kind of “audit” on the source code. While the same is not yet true of cold storage cryptocurrency security, what can instead be substituted as a reliable source of “audit” for hardware wallets?
Fortunately, signed transaction outputs are not nearly as complicated as the outputs of other types of software. If making source code available is not the most secure option of providing ways to audit hardware wallets, we can instead consider scrutinizing their transaction signing outputs.
People purchase hardware wallets because they know the most secure way to store their private keys is to take them offline into cold storage. All hardware wallet services need a means of communicating between offline storage and online terminals. While the cold end is responsible for storing private keys and signing transactions, a hot end is needed to obtain data from the blockchain, construct transactions for the cold storage end to sign, and broadcast signed transactions to the blockchain.
In transmitting signature outputs, the majority of cold storage hardware uses data cables, Bluetooth, or even NFC. Because of the opacity of their data transmission, these methods make signature outputs extremely difficult to audit. An overlooked means of cold storage hardware communication is the QR code, a “what you see is what you get” solution. We believe the QR code is the ideal means of data transmission between cold ends and hot ends because data output by QR codes is transparent. This enables users to easily ensure each unsigned transaction that is transmitted to the cold storage device is valid, as well as ensure signature outputs from the cold end do not reveal private keys or sensitive information in any way.
Our article on Cobo Vault inputs and outputs offers detailed instructions on how QR code signature transmissions can be “audited.”
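The kind of hot-end check that readable QR output makes possible, as an added example that is not Cobo Vault's code: it accepts a signed payload only if it names the transaction that was sent and carries exactly one strictly DER-encoded secp256k1 signature, with no extra fields or trailing bytes. The JSON layout with `txid` and `sig` fields is a hypothetical format assumed for illustration, not the device's actual QR encoding.

```python
import json

# secp256k1 group order: valid r and s lie in [1, N-1].
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
ALLOWED_KEYS = {"txid", "sig"}  # hypothetical schema, not Cobo Vault's format

def read_der_int(buf, pos):
    """Read one minimally encoded positive DER INTEGER; return (value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != 0x02:
        raise ValueError("expected INTEGER tag")
    n = buf[pos + 1]
    body = buf[pos + 2:pos + 2 + n]
    if n == 0 or n > 33 or len(body) != n:
        raise ValueError("bad INTEGER length")
    if body[0] & 0x80:
        raise ValueError("negative INTEGER")
    if n > 1 and body[0] == 0 and not body[1] & 0x80:
        raise ValueError("padded INTEGER")
    return int.from_bytes(body, "big"), pos + 2 + n

def parse_strict_der(sig):
    """Return (r, s) only if sig is exactly SEQUENCE { INTEGER r, INTEGER s }."""
    if len(sig) < 8 or sig[0] != 0x30 or sig[1] != len(sig) - 2:
        raise ValueError("bad SEQUENCE header or trailing bytes")
    r, pos = read_der_int(sig, 2)
    s, pos = read_der_int(sig, pos)
    if pos != len(sig):
        raise ValueError("bytes left over after s")
    return r, s

def audit_payload(qr_text, expected_txid):
    """Return a list of findings; an empty list means nothing unexpected was seen."""
    try:
        msg = json.loads(qr_text)
        extra = set(msg) - ALLOWED_KEYS
        txid = msg["txid"]
        r, s = parse_strict_der(bytes.fromhex(msg["sig"]))
    except (ValueError, KeyError, TypeError) as exc:
        return [f"malformed payload: {exc!r}"]
    findings = [f"unexpected field: {k}" for k in sorted(extra)]
    if txid != expected_txid:
        findings.append("txid differs from the transaction that was sent")
    if not (1 <= r < N and 1 <= s <= N // 2):
        findings.append("r or s out of range (or high-S)")
    return findings

TXID = "ab" * 32  # constructed sample values, not real transaction data
GOOD_SIG = "30440220" + "11" * 32 + "0220" + "22" * 32
print(audit_payload(json.dumps({"txid": TXID, "sig": GOOD_SIG}), TXID))
```

These checks cover framing and encoding only; they say nothing about how the device chose the signature nonce.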
While Cobo Vault believes that open source does not have much meaning for enhancing the security of hardware wallets, we have still released the firmware code for the Cobo Vault’s Secure Element. In doing so, we enable our users to see that random numbers are generated by a true random number generator and not by a pseudorandom number generator. For a detailed explanation of the importance of random numbers, refer to our article on the difference between true random numbers and pseudorandom numbers.