Imagine the Nazis with their Enigma machine, and the cryptographer tells you, look, you have to trust this black box that is inside, it was given to me by a third party and I don't know how it works, I have to trust its specifications, our encryption security depends on it.

In cryptography you cannot depend on the trust of a third party, otherwise what is the point of cryptography?

You can spin it as much as you want to try to sell your crappy product, but no security agency would trust these security schemes. In fact, these security schemes are used to attack the enemy through backdoors (bugs); you have many examples like TPM, Intel ME, PSP, Dual_EC_DRBG, Apple T2, Google Titan, Qualcomm TrustZone, etc. Do you think that your cheap chip (secure element) of your hardware wallet protects you?


Discussion

I've been into modifying video game consoles since the PS1 days. If you think hardware is actually secure I've got a bridge to sell ya 😅

Where have I said that the hardware is safe? I am precisely saying the opposite....

I'm agreeing with you 🤙

Sorry, I misunderstood your comment 😂

I used Jade for years. It’s still my main HW. I recently became a fan of Keystone for their Bitcoin only air gapped solution. But they claim that they use 3 secure elements. Is this a bad thing?

Roger that. It is possible to have a secure setup without a HW but this requires having some technical skills. Ultimately though we are all putting our trust into mobile and desktop devices.

Yea exactly. What is the most secure setup in your estimation nostr:npub1lnms53w04qt742qnhxag5d6awy7nz6055flnmjkr6jg39hm86dlq7arrnt

If one is going full anal on security, the device would never have access to the internet.

The next step up/down would be the device has a dedicated mission and is only brought online to perform a single task and then powered off again.

For the 24/7 devices, all sensitive data needs to be encrypted and stored locally and accessed on an on-demand basis.

So the first one is doing PSBT on a dedicated machine using Ubuntu or some other distro? This is where you’d keep most of your bitcoin?

The second is the same as above but you don’t have to use PSBT.

But can’t hardware wallets be used in place of a dedicated machine? And don’t machines themselves even offline have certain attack vectors and vulnerabilities? (Though highly unlikely)

For the 3rd what’s your assessment of startOS? Thanks.

Sorry I forgot for this bit:

‘And don’t machines themselves even offline have certain attack vectors and vulnerabilities? (Though highly unlikely)’ you already spoke to in your earlier comment above, to which I was responding.

I'd recommend using a Linux distro but really any OS would work though. In my way of thinking the HODL wallet should always be offline with very few exceptions.

For me if I can minimize my dependency on hardware devices, that is where I want to be.

There isn't a 100% risk-free method that I'm aware of. It's a game of reducing exposure.

I've not used startOS or similar software-in-a-box solutions. By using them you are trusting they covered all the bases in terms of securing the device.

What’s the difference in putting your trust in an offline device and a HW wallet, that’s technically not online either, right? Or, you don’t need the device you connect it to to be online when you do the business or use a camera on the device to do a PSBT?

A HW wallet is just protecting your seed phrase. I have many things that need protecting that are not seed phrases. I like one solution to rule them all.