Replying to zaytun

nostr:npub15c88nc8d44gsp4658dnfu5fahswzzu8gaxm5lkuwjud068swdqfspxssvx I listened to a #ungovernablemisfits episode recently where you commented on #coldcard vs #passport.

Your main critique was Coldcard not being FOSS. As an end user, I really don't see why this is such a big deal as long as the code is verifiable. I don't really care that nostr:npub1az9xj85cmxv8e9j9y80lvqp97crsqdu2fpu3srwthd99qfu9qsgstam8y8 wants to make sure people don't steal his codebase and profit from it. All I care about is my sleep at night, really.

As an example, iMessage is closed source obviously, so that's why I don't use it as a messaging service; I prefer Signal. On a Graphene phone, preferably. But say I was invited into Apple to verify the code and it turns out I can personally verify that it's end-to-end encrypted and has no backdoors, yada yada.

In that case, I might use it to send my mom a txt saying I'll be over for dinner. Even though it's fully closed source! All I care about is making sure only my mom can read that highly confidential message.

Taking the #FOSS argument away, would you say Coinkite has done an impressive job at thinking adversarially enough when creating the Coldcard? To an extent that it would be recommendable?

And second question: what would you say nostr:npub1az9xj85cmxv8e9j9y80lvqp97crsqdu2fpu3srwthd99qfu9qsgstam8y8's critique of Passport would be, if any, and what makes those points irrelevant enough to make you highly recommend Passport?

Looking forward to learning a bit here and maybe helping others who see this post in choosing good #multi-sig vendors.

As a final note, I could go for a Coldcard Q4, a Passport and a #seedsigner for a multi-sig setup.

Thoughts?

NVK will probably criticize the RPi; I hope you'll pitch in with knowledge on this to switch the SeedSigner out with something else, NVK, if you think it's unsafe.

I don't understand your question about whether I think CK did an impressive job thinking adversarially when creating CC. Are you asking if I think the device is secure?

For the second question, I don't know who you're tagging. It's just a random npub that doesn't come back with anything when I search.

Thoughts on those three devices in a multisig? Probably great, but never used the Q4, so I cannot speak from experience. Passport + SS are excellent.


Discussion

1. Yes, lol, "is it secure" is a simpler way to ask.

2. I tagged NVK, founder of Coinkite.

3. Thanks. Do you think NVK's critique of Broadcom chips on the Raspberry Pi has any merit, and is it a valid argument against SeedSigner?

and hey, thanks for taking time to reply. 🙏

1. Yes.

2. I've no idea on his thoughts. He has a 🐱 habit of blocking all his competitors so they can't call him out on his intellectual dishonesty. If I was a betting man, the criticism would likely involve the word 'cloner' at least once.

3. He has me blocked, so I've no idea what his critiques are, but I do know that Keith Mukai recently posted a Gist as rebuttal (of sorts). I haven't read it.

Just to add, the code on a CC is not truly verifiable without destroying the unit

2. No.

All chips have some sort of hardware boot ROM, from your CPU to a Raspberry Pi to the STM32s used in a lot of HWWs including CC.

The RPi boot ROM cannot be modified, and such an attack would need to target your Pi specifically, which is impossible, and then somehow figure out a way to detect SS code and add a backdoor.

3.*

Look how a typo got you two zaps. Thanks 😁

nostr:npub1az9xj85cmxv8e9j9y80lvqp97crsqdu2fpu3srwthd99qfu9qsgstam8y8 what do you think?

nostr:npub1az9xj85cmxv8e9j9y80lvqp97crsqdu2fpu3srwthd99qfu9qsgstam8y8 thanks for a generous zap, but more interested in your answer 😁