We have added that feature a few updates ago. Have you updated your BitBoxApp?
What is the one feature that a hardware wallet must have?
Simplicity is the key to security. Thrilled to share
nostr:npub1cj8znuztfqkvq89pl8hceph0svvvqk0qay6nydgk9uyq7fhpfsgsqwrz4u's amazing feedback on the BitBox02 from nostr:npub1ryruj25km6k23qct2vl7p96wprl63e5uu5wc65ex3luu62mvy7hsw9yjc6 recent appearance on his podcast! 🎙️ 🎧
Watch our thoughts on why simplicity matters (full video in the comments)
A novel way to securely send large amounts of Bitcoin to an exchange without triple checking bitcoin addresses?
With the BitBox02, you can now use payment requests to ensure your transactions are secure and untampered.

Let’s take a look at how this works:
💡 Reminder: Computers and smartphones are vulnerable to malware. The BitBox02 isolates critical Bitcoin operations, ensuring security even if your host device is compromised.

🔑 If you shouldn’t trust the host device, how can you be sure that the deposit address from an exchange is legitimate?

If your computer is compromised, attackers can easily replace the exchange deposit address that is displayed in your browser with one that is controlled by an attacker!

📱 Verifying the deposit address on a second device can help, but is rarely an option on exchanges and cumbersome to use - especially when you don’t have a second device available.

🔐 Introducing payment requests: Exchanges sign your deposit address with their private key, and the BitBox02 verifies this signature against a public key that is stored within its firmware.
This guarantees that you are sending Bitcoin to an address controlled by the exchange.

If the signature for the address does not match the stored public key for the exchange, the BitBox02 rejects the payment request.

This verification happens in the background. All the user has to do is to make sure the BitBox02 displays the correct exchange or service name on its transaction confirmation screen. No need to even check the bitcoin address! ✨

🏦 Verifying banking details: The exchange or service can also choose to include data in the payment request, such as banking details, which will be displayed on the BitBox02 verification screen!
Our first partner to introduce this feature is Pocket Bitcoin. Users will soon be able to sell Bitcoin securely from within the BitBoxApp!
We hope to see many other services introduce this security feature in the future (Kraken? Swan?)!
🔄 In summary: the BitBox02’s payment request feature eliminates address spoofing and enhances the user experience, making Bitcoin transactions both easier and safer.
Learn more about this on our blog post: https://bitbox.swiss/blog/using-payment-requests-to-securely-send-bitcoin-to-an-exchange/
We love our Swiss mountains cold, just like our bitcoin wallets! ❄️ (We started September with a new cover image! 👇)

nostr:npub1tg779rlap8t4qm8lpgn89k7mr7pkxpaulupp0nq5faywr8h28llsj3cxmt
I like your idea to send btc to exchanges without the need to trust the device. Can you use a similar feature also for consolidating coins? Receiving in the same wallet you send from without the need to trust the phone?
We have added that feature a few updates ago.
If you send to an address that is controlled by the same BitBox02 (and in the same account) the BitBox display will indicate that you are sending to yourself.
People on Nostr know the difference.

They tell you that Nostr is just a bad copy of Twitter. 🥲 What do you reply?
It looks nice around here. Who is a must-follow account on Nostr?
"If we take care to build good stuff in an honest, transparent way–and this is also why open source is so incredibly important–then we can build a new financial system that actually scales without compromising on the core values"
Thank you nostr:npub1cj8znuztfqkvq89pl8hceph0svvvqk0qay6nydgk9uyq7fhpfsgsqwrz4u for hosting nostr:npub1ryruj25km6k23qct2vl7p96wprl63e5uu5wc65ex3luu62mvy7hsw9yjc6! ❤️
Watch the full video here 👇
RUNNING EVENTS IS EXHAUSTING, EXPENSIVE, AND OFTEN THANKLESS.
BIG PROPS TO THE RIGA CREW FOR PUTTING TOGETHER AN INCREDIBLE WEEK. 🫡
nostr:npub1y67n93njx27lzmg9ua37ce7csvq4awvl6ynfqffzfssvdn7mq9vqlhq62h nostr:npub1zu5tdnq7w63fgmsfz85te7e6zeg7y2lt8q8r9jp5zcg68jfy73jqraqtgz nostr:npub1797h37mc98f6363m5nysxd0t2swuz7nxq4z83saw77em3czld6xqvuar68 nostr:npub155m2k8ml8sqn8w4dhh689vdv0t2twa8dgvkpnzfggxf4wfughjsq2cdcvg
👏
Primal!
This weekend was a split scene for us: some at the Baltic Honeybadger in Riga, and others at Börsentag Zurich. Our goal in Zurich? To show how Bitcoin is the Trojan horse ready to shake up traditional finance.
The mood was upbeat as we introduced the traditional finance world to Bitcoin. Conversations were eye-opening, and the interest was genuine.
This weekend confirmed it: Bitcoin is here to revolutionize finance. Let’s keep pushing forward, showing the power of Bitcoin to transform the financial landscape. 💪

"Bitcoin doesn't have intrinsic value."
Bitcoin:
#August21 #BitcoinInfinityDay #infinityday

Meet nostr:npub1d9ul75ee7ja8j2n93p0whs67dc8g625fhljk2k60329lnrnmkjvsfpyh73, the dynamic host of the 'Robin Seyr: Daily Bitcoin Podcast'!
🎙️ Every day, he brings fresh insights from different Bitcoiners, driving conversations about Bitcoin's role in reshaping our financial system.
search on YouTube --> @RobinSeyr

It's not that vacations are getting pricier; it's that fiat currency keeps devaluing. 📉💸
In 2014, $1,000 equaled 2 BTC. By 2024, the same vacation costs 0.02 BTC. While dollar prices rose 20% (same vacation today is 1,200$), Bitcoin’s value soared, costing vastly fewer BTC.
#bitcoin

It works with Sparrow as well, as it's part of our HWI integration!
Today we disclose Dark Skippy - a powerful new method for a malicious signing device to leak secret keys.
With a modified signing function, a device can efficiently and covertly exfiltrate a master secret seed by embedding it within transaction signatures.
https://darkskippy.com/demo.mp4
If an attacker manages to corrupt a signing device, Dark Skippy can deliberately use weak & low entropy secret nonces to embed chunks of the seed words into transaction signatures.
It takes just two input signatures to leak a 12 word seedphrase onto the Bitcoin blockchain.
The attacker can watch on-chain until they spot an affected transaction, unblind and invert the low entropy nonces using an algorithm like Pollard's Kangaroo algorithm to learn the master secret seed.
Then the attacker can wait and steal the funds whenever they decide best.
Despite this attack vector not being new, we believe that Dark Skippy is now the best-in-class attack for malicious signing devices.
- The attack is impractical to detect
- Requires no additional communication channels
- Effective on stateless devices
- Exfils master secret
Beyond ensuring your device firmware is genuine and honest (opensource), mitigations include anti-exfil signing protocols and we present some new ideas for additions to PSBT specifications to disrupt this attack.
We encourage mitigation discussion and implementation exploration.
This attack highlights the importance of verifying and securing your device's firmware, and the danger of sharing stateless signing devices with other people.
We will be publicly releasing our code later this year.
Authors: nostr:npub1xh897wvhn93tda0zws94mdyc7eagc8qm0798clp7x48zh6kjwazq29gst6 (follow him so he gets onto nostr), Robin Linus, and myself.
If you have any concerns or questions we recommend checking out the FAQ page on our website:
Great work demonstrating this attack!
The BitBox02 was actually the first wallet to fix this:
https://bitbox.swiss/blog/anti-klepto-explained-protection-against-leaking-private-keys/

