Hard pass on Coinkite’s products.
It’s all advertising.. what software supports Tapsigner that was launched 3 years ago?
Q is a huge fail:
I have done an analysis.
It would cost about $5000 to perform a supply chain attack on a Coldcard at most, and that is the fixed cost. The per device cost is something like $25.
There are multiple vectors to conduct a supply chain attack on a Coldcard and there are no defenses possible against it.
The secure elements used have been proven over and over again to be vulnerable to 2-decade-old attacks.
I may publish a proof of concept once I have time to waste on this crap and I am done with nostr.land and a few other projects.
Disclosure: I am working on my own HWW product and may have some conflict of interest.
This uses a proper SE with customized firmware and a chip that has security certification.
I may be able to open source the SE software.
What better alternatives for Coldcard are there at this moment in your opinion?
There are none.
Passport I feel like is a gimmick that isn’t worth it.
Passport Prime even more so.
Jade Plus seems reasonable to some extent. Original Jade is trash.
BitBox has weak SEs.
Trezor is problematic in other ways.
Ledger is Ledger and anything that is not the Nano S should not be trusted.
Thanks! Didn't know about the weak SE on Bitbox. I reckoned the old Nano S with Sparrow Wallet (not ledger live obv) might actually be all right to continue to use (even though it doesn't get any further updates anymore) considering the Nano S doesn't have the 'seed recovery firmware'.
I'm curious about your HW project! :)
There are a lot more things that go into security than just your hardware wallet. It's just one component, and managing who has physical access to it and always using it in a private location with airgapping features go a long way imo. And that's just with a single sig wallet. Two wallets from different brands and a remote key from someone like Nunchuk is also an option.
People are good at scaring folks into thinking their hardware wallet is a single point of failure when it doesn't have to be. If you're losing your Bitcoin, it's probably not because of the wallet you chose. Unless it was a ledger, lol.
I haven't heard stories about people losing funds on Ledger though, only some defi breach last year.
Me too, actually. I just heard the news of the private key allegedly being accessible remotely or something. Maybe it was just FUD.
I had a ledger once and it bricked itself. So there's also that. I don't recommend them.
Where did you see or hear that news about private keys being accessible if I may ask?
I do know the Ledger Live software was data harvesting, which is a big issue.
The company doesn't seem to be trusted but until now, too much intertwined with shitcoins
Seems like it was two years back. I would hear news about how Ledger introduced some kind of recovery service for private keys. But looking into it now, they rolled it back and just recently came out with an offline recovery card of sorts.
https://crypto.news/ledger-delays-release-of-private-key-recovery-service/
Yeah that's right. That was the moment a lot of the more hardcore customers left (rightfully so I think). Ledger is clearly focusing on less tech savvy general population, which makes sense from their perspective (a lot of people actually like the opportunity for a recovery service). Still I don't think their hardware or firmware ever gave a hacker or another actor the opportunity to steal the seed phrase (besides obv risky behavior by wallet owners). The company has been in this space for quite a long time. Still I wouldn't buy from Ledger anymore.
i had one of these. only worked with nunchuk wallet.
the whole industry of security hardware devices is pretty piss poor. i have a couple of yubikeys but they are, quite frankly, trash. useful but most of the functionality i can't use, or it just isn't actually secure.
So a hard pass because of politics or because of product?