  @NVK has thoughts. 😅

For me personally, after talking to LOTS of bitcoiners who are deeply technical and very committed to open source AND still will only use a Coldcard, I'm never going to use anything else. 

Call it social heuristics if you want, but I guarantee that 99.9% of bitcoiners (me included) have no idea how complicated it is to keep keys properly secure. If "verifiable source" is the tradeoff required, so be it.  
 What? You can use Trezor to secure your keys that is proper open source. No tradeoff is needed in this regard. 
 It is written there already. Use Trezor, the real open source hw wallet. 
 With easily available tools you can extract keys from a Trezor One in minutes; this attack has been publicly demonstrated many times. https://m.youtube.com/watch?v=Y1OBIGslgGM 
 You can do the same with Coldcard, it's just not published because of NDAs. 
 "I" can't, can you? If yes then how?  
 So use passphrases and/or upgrade to a Safe 3 or 5. 
 Totally agreed with you! Keys segregation and “almost trusted” hardware are a very complicated topics! 
 Without the “a” logically 🤣 
 I think it is a dick move, which has nothing to do with security. 
 Well, this post of yours will likely start a flamewar, but I’m on the side of you with ColdCard, primarily because it’s Bitcoin-only. “Open Source” means a lot of things, and I think it shouldn’t be exclusive to the GPL3 purist language. But the Bitcoin-only focus of ColdCard means it won’t try catering to the real fraudsters, the cryptobros. Hence, better security, EVEN IF there’s some level of code obscurity with ColdCard.

Besides, ColdCard’s documentation is top notch in my book. 
 "Open source" has had a commonly accepted definition since at least the mid 90s when I started working with it. It's mostly non-developers (and NVK) that are confused about this.

There are plenty more FOSS licenses than GPL3, which is actually quite unpopular. MIT and Apache are the most used by far and provide users with maximum freedom. 
 The most secure way is to build a hw wallet by yourself by drawing schematics, doing layout, writing fw, and doing tons of debug; then you can sleep like a baby. But life is too short. It's impossible for 99.99 
 I don't care what wallet you use as long as it's a part of a multisig setup where other keys are stored on a different vendor's hw 😉 
 >"If "verifiable source" is the tradeoff required, so be it." 
How are you equating a company telling you, in order to have a secure device we will not be sharing the source code? 

Aren't you just accepting the "trust me bro" attitude, because the company told you it's more secure if they don't share the code?  
 Yeah, I'm not using a device with closed source to handle my money... none of the rest of my software except my IntelliJ-based IDE is closed source. 
 this comment misses the point entirely