I am a co-founder of a security company. We did a nice trick showing how to hack airgapped systems on our roadshow. It was an airgapped dam using an industrial controller that is used in dams.
Airgap is placebo security. When you scan the qr code, it's data transfer over well known interface. It might be electrically isolated, but it's not the electrons, but the bits that are used for hacking.
I agree that it's not a silver bullet. But it's a transparent data layer -- that is, you can scan that QR code with another device that is not involves in transacting to see exactly what data it contains. Likewise, you can examine what is on an SD card. Whether you do or not is what will determine your security -- but you get that choice.
When there is a wire connecting devices, it is EXTREMELY difficult for an end user to verify what is or is not going over that wire.
SD card can be quite intelligent in what it shows to who. It's not very different to USB, it can even have a microchip. That's not even an airgap.
A well audited open source cable interface is quite ok. If you rely on user verifying there's no exploit, you've already lost. Security comes from no bugs, auditability of code and hardware, not from user doing bit by bit checks of every tx. They can, but the same way they can check every line of firmware. They won't. But others can check every line of firmware. Others can't check your every qr code (psbt).
Good to know about SD cards.
The problem of audits is knowing who to trust with the audits. And trusting anyone at all runs contrary to the don't trust, verify ethos.
If we trust the cable, what else gets trusted? Should we dispense with a screen, like Bitkey did?
I do want my airgapped system audited, to have the second set of eyes on it. But there's always the question of: who audits the auditor?
The matter of checking QR codes, and the difficulty of doing it manually, does make me wonder if there's room for a device that, also offline, can be used to take translate the QR to de-serialized format to make checking the full psbt an easier process. Probably a niche use case, especially given laziness and quickness to trust, but it could be useful for the truly paranoid.
As for the assumption that 'they can, but they won't' -- this is precisely the sort of presumption I see as common and take issue with. Some people will cut corners either way, but we should be letting them know explicitly they are doing so, rather than operating with rhetoric suggesting that they are using best practices when in actuality there is trust they are extending unwittingly. IF you are not going to verify everything, AND are willing to trust an auditor, it sounds like you're suggesting that you can achieve a better security model without an airgap than if you aren't going to verify everything and use an airgap. No complaint from me there, but those conditions should always be explicit. Users can choose to consent to risk taking, but when suggested to take risks they're not aware of, well, I have a hard time distinguishing that from being intentionally misled. I don't want to quite call it scamming, but it's adjacent especially when there is financial gain from selling these products that require the trust model.
Giving users the responsibility to make any kind of security decision is not a good deal. They should have the ability, but it won't help them much. I know maybe ten people who can do it well (there are maybe 1000-10000 that I don't know). Hiring them to audit everything is much better than relying on a common hodler to audit transactions.
That's why many hw wallet manufacturers contract several independent auditors. You don't need to check the auditors, you just need a few independent ones.
And then you can solve this systematically. If it's really a lot of money, a 3-of-5 multisig with different hw wallets is better than relying on placebo security.
Airgap is a marketing term.
It's interesting that they don't push multisig more in all honesty as a solution to some of the risks, as it would actually push more sales, rather than simply minimizing the corners being cut.
Retail does not need it. They sell to retail. Retail is poor. Any hw wallet is probably ok.
Yea, that's the attitude these marketers appear to take. Which is why I'll happily warn people away from them at every chance.
No really. Multisig is a total overkill for most. It's more probably they lose money if they fuck up the multisig setup than whatever hack with literally any HW wallet they would use.
Multisig is very simple
Until you lose the unlock script.
Which isn't itself inherently sensitive information and is therefore far easier to back up than your xpriv or mnemonic phrase.
It's easy to mess up with inadequate education, sure. As is anything about handling Bitcoin.
Designing custody around what the biggest retards in society will do ensures that you end up with a retarded custody model.
Nope. Retarded people need simple.
I can use whatever design I want.
That's the beauty of bitcoin. You don't design anything for everyone. Everyone can use whatever design they want.
I'm saying this is a non existent problem. Basically any hw wallet will serve 80% of users and the 20% should not design their custody based on podcast ads anyway and will invest time to do it right, because it matters.
What I don't agree with is pushing normies into some hardcore multisig or airgap when a simple Trezor will do a much better job for them. They would for sure not audit transaction psbts, even if there was a tool for it. Whatever is currently out there is good enough.
Being up front about trade offs isn't pushing.
Honestly if not for the lack of screen I'd recommend Bitkey to most novices for the model they have, AND share the drawbacks of it. And share the security model of the Coldcard plus third party multisig, and the fumble risks.
The whole space could use less marketing and more education.
Only reason I'd say Coldcard rather than say, Krux is the convenience factor too. Long term hodling where coins go in but not out much is probably better off on the DIY approach anyway. Spend the saved cash on more sats.
And beyond all that, better if retarded people get less retarded than finding ways to keep them retarded.
People shouldn't learn whatever you consider important. A farmer saving in BTC should not waste time learning to audit psbts, it will literally give them zero value. They should use whatever open source hw wallet, ideally one that will keep stablecoins as well (no coldcard, it also isn't FOSS). He makes steaks and milk and people who are interested and good in computer security make wallets.
No reason for a farmer to make DIY wallets either.
I see this tendency often that people should learn whatever someone considers important. The beauty of Bitcoin is you can go as deep as you want. If people get self custody and non KYC, they're already much better off than most people and that's good enough. Now go make the 🥩.
The farmer's an amusing example given how not specialized they get. They're tractor mechanics, experts on meteorology, botanical wizzes, learned on the life cycle of pests from insects to birds, and successful traders on the futures markets.
They're the last people I'd worry about not being up to a little bit of handling their money to regain sovereignty.
And again, I'm not opposed to there being easier methods that cut corners. I'm opposed to them being positioned as not having any compromises in design. Marketing.
Especially considering that multisig set ups offer solutions to a variety of issues!!!
It’s crazy, wonder where people learn the “create the problem to sell the solution” concept… maybe the government idk
It is wild how little emphasis gets placed on Liana on that point. All but idiot proof multisig which significantly reduces wrenchability when set up thoughtfully.
Side note, even with inflation, there are still $5 wrenches, even big enough to beat keys out of someone with: https://www.harborfreight.com/10-inch-steel-pipe-wrench-39642.html
