#asknostr #askstr Addresses, UTXOs, balances, and even screenshots are not a security risk so long as a wallet's seed phrase is secure/air gapped. Is this correct?
Doesn't have to be air gapped. The word "secure" is very subjective. There are air gapped hardware wallets with proprietary components. Don't get cucked. I'd rather have a wired open source hardware wallet that can be audited.
…and for this reason I only recommend the Jade and Coldcard wallets.
Coldcard is not open source. Jade is.
I went to their website coinkite.com and it does not say “open source.” In 2020 or 2021 I don’t know if it said open source then, but they did publish a manual on how to build your own Coldcard with firmware and hardware or something similar. (So at one point they didn’t mind giving out everything.) I hope this is correct, but I heard someone say that the “Passport wallet” took that Coldcard DIY manual and copied it, then started selling their own wallet. So maybe Coinkite took steps to protect people from knowing how to break the Coldcard (which I respect and support). If any of this is incorrect please forgive me. It’s only hearsay. In this video I have attached, NVK says just after 7:50 that the Coldcard “source code fully open verifiable.” Which signals that the code is open for anyone to view, check, and verify, but there might be something that is private and not shared. I would hope this is the secure element that holds your keys, codes, PINs and access parameters. Since I “air gap” and don’t plug the Coldcard into a computer, there is no reason to not trust the secure element for my purposes. (Plus no one is calling them out like they are Pascal the Ledger CEO.) This video was made just after Ledger had their tweet debacle that made a lot of people ditch Ledger because they were changing: 1. Not open nor verifiable code. 2. They made an update that could send your private keys over the internet if you approved the send. (Not something I am willing to compromise on. No way no how! Not worth the risk.) I think this is a must-watch video from beginning to end. https://youtu.be/M3VjQUcyZSY?si=VX20qG7FtGTaHS6_
Yes, all of these are not a security risk, except the wallet seed phrase. I would also add the “private key, secret key, or Xprv.” They all define the same thing. I want to explain more but it will be a longer post.
What is Xprv?
Xprv = extended private key. Our hardware wallets use that abbreviation instead of spelling it out. Xprv, extended private key, private key, secret key, etc. are ways to say the same thing.
OK, it doesn’t feel like a complete answer without context. You can go to the website “mempool.space” and click on any transaction that has ever been sent on the Bitcoin blockchain. It will give you the date and time of the transaction, the transaction ID number, the amount of satoshis that were sent, the to address, the from address, the UTXO and if there is still a balance there, where the change went to, etc. So all of this info is public knowledge. What we need to keep private are the private keys and the wallet seed phrase. Think of the private keys as a long string of numbers and/or characters that is in a computer-readable format. Humans can read it, but it is so many digits that it would be too easy to make a mistake when reading it and/or transposing it. In contrast, your wallet seed phrase is human readable and shorter in length. Think of it as common words that we use daily. Private keys and wallet seed phrase have the same function, just different names and methods to access the same information.
Thanks for the zap @Lucid ! Much appreciated.
So only private keys need to really be hidden for sure