Replying to Avatar +rapidlab309

Hard pass on Coinkite’s products.

It’s all advertising.. what software supports Tapsigner that was launched 3 years ago?

Q is a huge fail:

https://x.com/rapidlab309/status/1775372186196279539

Avatar
semisol 5mo ago

I have done an analysis.

It would cost about $5000 to perform a supply chain on a Coldcard at most, and that is the fixed cost. The per device cost is something like $25.

There are multiple vectors to conduct a supply chain attack on a Coldcard and there are no defenses possible against it.

The secure elements used have been proven over and over again to be vulnerable to 2-decade old attacks.

I may publish a proof of concept once I have time to waste on this crap and I am done with nostr.land and a few other projects.

Reply to this note

Please Login to reply.

Discussion

Avatar
semisol 5mo ago

Disclosure: I am working on my own HWW product and may have some conflict of interest.

This uses a proper SE with customized firmware and a chip that has security certification.

I may be able to open source the SE software.

Avatar
REUZ 5mo ago

What better alternatives for Coldcard are there at this moment in your opinion?

Avatar
semisol 5mo ago

There are none.

Passport I feel like is a gimmick that isn’t worth it.

Passport Prime even more so.

Jade Plus seems reasonable to some extent. Original Jade is trash.

BitBox has weak SEs.

Trezor is problematic in other ways.

Ledger is Ledger and anything that is not the Nano S should not be trusted

Avatar
REUZ 5mo ago

Thanks! Didnt know about the weak SE on Bitbox. I reckoned the old Nano S with Sparrow Wallet (not ledger live obv) might actually be allright to continue to use (even tho it doenst get any further updates anymore) considering the Nano S doesnt have the 'seed recovery firmware'.

Im curious to your HW project! :)

80
szarka 5mo ago

Ledger Live: The limited memory of your Nano S restricts access to the latest shitcoin features. Upgrade to a newer Ledger device.

Me: No, thank you.

Avatar
Jay 5mo ago

There are a lot more things that go into security than just your hardware wallet. It's just one component, and managing who has physical access to it and always using it in a private location with airgapping features go a long way imo. And that's just with a single sig wallet. Two wallets from different brands and a remote key from someone like Nunchuk is also an option.

People are good at scaring folks into thinking their hardware wallet is a single point of failure when it doesn't have to be. If you're losing your Bitcoin, it's probably not because of the wallet you chose. Unless it was a ledger, lol.

Avatar
REUZ 5mo ago

I haven't heard stories about people losing funds on Ledger tho , only some defi breach last year.

Avatar
Jay 5mo ago

Me too, actually. I just heard the news of the private key allegedly being accessible remotely or something. Maybe it was just FUD.

I had a ledger once and it bricked itself. So there's also that. I don't recommend them.

Avatar
REUZ 5mo ago

Where did you see or heard that news about private keys being accessible if I may ask?

I do know the Ledger Live software was data harvesting, which is a big issue.

The company doesnt seem to be trusted but until now, to much intertwined with shitcoins

Avatar
Jay 5mo ago

Seems like it was two years back. I would hear news about how Ledger introduced some kind of recovery service for private keys. But looking into it now, they rolled it back and just recently came out with an offline recovery card of sorts.

https://crypto.news/ledger-delays-release-of-private-key-recovery-service/

https://shop.ledger.com/pages/start-recovery-key

Avatar
REUZ 5mo ago

Yeah that's right. That was the moment a lot of the more hardcore customers left (rightfully so I think). Ledger is clearly focusing on less tech savvy general population, which makes sense from their perspective ( a lot of people actually like the opportunity for a recovery service). Still I dont think their hardware or firmware ever gave an hacker or another actor the opportunity to steal the seed phrase (besides obv risky behavior by wallet owners). The company has been in this space for quite a long time. Still I wouldn't buy from Ledger anymore