All HWWs that I have come across are turds.
Multiple turds make it more difficult so im told.
3 βdo not enterβ signs are about as effective as 1 βdo not enterβ sign.
That makes sense when you have good security (3 locks are harder than 1) but if they are flawed in mostly the same ways and are basically a paper tiger then it doesnβt matter.
So, keeping corn on an exchange is better?
I dont think so.
What's your ideal solution?
Cold card is a solid HWW.
Coldcard is not a solid HWW at all. I work on secure element design and several other people that also do agree.
Donβt use an exchange. SeedSigner so far is the best approach though it needs more code auditing.
The entire ecosystem is not slop but a majority is, and especially the ones that push marketing hard. What they canβt do with skills they try to do with deception whether it be false marketing or gold-coating a turd.
Omg π¨
steel plates, bombproof safes, landmines, walls
What do you think anout Specter DIY?
That also is a good option. Smart card as SE works pretty well.
Are there any good write ups on what the concerns are?
what's the issue though? need to know - was attracted by the PSBT signing
weak secure elements, bad architecture, UX is suboptimal, the designers of the architecture donβt know much about proper security, and not related but the company behind it has done a lot of shady shit.
Disagree on the βsolid HWWβ
Ux is difficult. Their Security isnβt secure. And the company is general has a shady past. Sets off entirely too many alarms for me
Yes. Do a quick search. Itβs well documented
Thanks Iβll look into further
What's insecure and what have they done in the past? (I'm not trying to defend them, I want to know.)
This statement about Coinkite? If so, can you point me to the shady shit they've done?
Same question here. Lots of generalities being being thrown out, but no specifics (no names, no examples, etc.)
Itβs all pretty public stuff. Quick search will find it. The shady bits is him forking the trezor code the locking it back down against the open source license. Then took legal action against Foundation for forking CC before he changed the license type.
Seems kinda shitty to do, but does it make it insecure?
Thatβs a whole other thing. Itβs bee researched and documented. It has to do with their secure element. You can find it and make a decision if it affects your personal threat model.
You mean the stuff about a year ago that someone had managed to extract the secret with some crazy apparatus when having physical access? (can't remember if it was X-ray laser or what it was - expensive thing anyway)
That is just the surface. The SEs they have used are in general insecure, lack any security certifications, and the Coldcards are vulnerable to many supply chain attacks that I have not published yet.
Modern attacks with the same method you mentioned btw would cost at most $2K with a DIY setup.
Kind of. The developers of Coldcard do not do not have the security experience required to properly maintain a secure codebase.
well, an easy example would be NVK squatting domains relating to SeedSigner and lying about it, while also sending a takedown request to
@Djuri's FOSS blockclock competitor
Oh yeah thanks for the reminders damn the list is longer than I remembered
Thanks for the response and this information. I did a quick search on CC and secure elements, testing, analysis, insecure, etc. but only getting their links and other promo crap...
