So, keeping corn on an exchange is better?

I don't think so.

What's your ideal solution?

Cold card is a solid HWW.

Discussion

Coldcard is not a solid HWW at all. I work on secure element design, and several other people who also do agree.

Don’t use an exchange. SeedSigner so far is the best approach though it needs more code auditing.

The entire ecosystem is not slop but a majority is, and especially the ones that push marketing hard. What they can’t do with skills they try to do with deception whether it be false marketing or gold-coating a turd.

Seedsigner only

What do you think about Specter DIY?

That also is a good option. Smart card as SE works pretty well.

Are there any good write ups on what the concerns are?

Yes. Do a quick search. It's well documented.

What's the issue though? Need to know - I was attracted by the PSBT signing.

Weak secure elements, bad architecture, UX is suboptimal, the designers of the architecture don't know much about proper security, and, not related, but the company behind it has done a lot of shady shit.

Thanks, I'll look into it further.

Is this statement about Coinkite? If so, can you point me to the shady shit they've done?

Well, an easy example would be NVK squatting domains relating to SeedSigner and lying about it, while also sending a takedown request to nostr:npub1k5f85zx0xdskyayqpfpc0zq6n7vwqjuuxugkayk72fgynp34cs3qfcvqg2's FOSS blockclock competitor.

Oh yeah, thanks for the reminders. Damn, the list is longer than I remembered.

Disagree on the “solid HWW”

UX is difficult. Their security isn't secure. And the company in general has a shady past. Sets off entirely too many alarms for me.

What's insecure and what have they done in the past? (I'm not trying to defend them, I want to know.)

Same question here. Lots of generalities being thrown out, but no specifics (no names, no examples, etc.).

It's all pretty public stuff. A quick search will find it. The shady bits are him forking the Trezor code, then locking it back down against the open source license. Then he took legal action against Foundation for forking CC before he changed the license type.

Seems kinda shitty to do, but does it make it insecure?

That's a whole other thing. It's been researched and documented. It has to do with their secure element. You can find it and make a decision on whether it affects your personal threat model.

You mean the stuff about a year ago where someone had managed to extract the secret with some crazy apparatus when having physical access? (Can't remember if it was an X-ray laser or what it was - an expensive thing anyway.)

That is just the surface. The SEs they have used are in general insecure, lack any security certifications, and the Coldcards are vulnerable to many supply chain attacks that I have not published yet.

Modern attacks with the same method you mentioned btw would cost at most $2K with a DIY setup.

Kind of. The developers of Coldcard do not have the security experience required to properly maintain a secure codebase.

Thanks for the response and this information. I did a quick search on CC and secure elements, testing, analysis, insecure, etc., but I'm only getting their links and other promo crap...