Topic: Anyone use a COLDCARD hardware wallet? (Read 492 times)

legendary
Activity: 2254
Merit: 2852
#SWGT CERTIK Audited
January 03, 2024, 11:11:56 AM
#46
Sorry if this is off topic, but will any MicroSD card work in the coldcard. I'm trying to insert one into the coldcard but it doesn't clip in. Thanks in advance.
Any should work in. Try to about-turn it to opposite side
Ok, thank you. I'll try again. I didn't want to push too hard in case I break something. I'll try again.

Maybe the following video from Bitcoin Magazine can help you find out how to install a Micro SD Card on a ColdCard:
Bitcoin Magazine Video Walkthrough: Coldcard Micro SD Card Backups, Wallet Recovery And More

 
Image source: https://www.youtube.com/watch?v=i-FEoX_gymA&t=29s
newbie
Activity: 9
Merit: 7
December 15, 2023, 08:32:24 AM
#45
Sorry if this is off topic, but will any MicroSD card work in the coldcard. I'm trying to insert one into the coldcard but it doesn't clip in. Thanks in advance.

Any should work in. Try to about-turn it to opposite side

Ok, thank you. I'll try again. I didn't want to push too hard in case I break something. I'll try again.
hero member
Activity: 714
Merit: 1298
Cashback 15%
December 15, 2023, 07:30:10 AM
#44
Sorry if this is off topic, but will any MicroSD card work in the coldcard. I'm trying to insert one into the coldcard but it doesn't clip in. Thanks in advance.

Any should work in. Try to about-turn it to opposite side
newbie
Activity: 9
Merit: 7
December 15, 2023, 06:36:46 AM
#43
Sorry if this is off topic, but will any MicroSD card work in the coldcard. I'm trying to insert one into the coldcard but it doesn't clip in. Thanks in advance.
legendary
Activity: 3458
Merit: 6231
Crypto Swap Exchange
November 01, 2023, 11:17:06 AM
#42
And this is it right there. There are known flaws, fine I don't expect a Mk4 for free to replace my Mk2. Just give me something.
It would be super cool if Passport would somehow add option of loading their source code on older coldcard devices, that would piss off NVK very much
In reality, you can use mk2 and similar old devices only as collectible items, use them for spare parts, or just recycle.

The same limitations that exist with the coldcard firmware would exist on the Passport firmware or the DaveF & dkbit98 firmware.
But yes, I have them somewhere and sooner or later will remember to bring them to the e-waste recycling place.

It is what it is, they don't care about old users and just want to sell new HW at full price, that's fine it's their business they can do what they want. I just don't have to give them anymore of my BTC

-Dave
legendary
Activity: 2212
Merit: 7064
Cashback 15%
October 31, 2023, 03:51:12 PM
#41
And this is it right there. There are known flaws, fine I don't expect a Mk4 for free to replace my Mk2. Just give me something.
It would be super cool if Passport would somehow add option of loading their source code on older coldcard devices, that would piss off NVK very much
In reality, you can use mk2 and similar old devices only as collectible items, use them for spare parts, or just recycle.

That doesn't mean it isn't worthwhile pursuing. The average person does not care about privacy - that does not mean we should abandon privacy tools. Hell, the average person does not care about bitcoin, and is happy just to live in their little mass surveillance bubble, using their government controlled currency which can be censored or seized at any time.
Oh, I thought we should only care about things we are presented by government, media tv programing, or influencers on social media



 
legendary
Activity: 2268
Merit: 18509
October 30, 2023, 02:44:29 PM
#40
If we agree that the average Joe won't bother using an open-source wallet, when all the ads and Google searches point them towards a closed-sourced one, I don't see them doing any research about who the original creators of the code were. A very small number of people will care about that information.
That doesn't mean it isn't worthwhile pursuing. The average person does not care about privacy - that does not mean we should abandon privacy tools. Hell, the average person does not care about bitcoin, and is happy just to live in their little mass surveillance bubble, using their government controlled currency which can be censored or seized at any time.

And again, there are plenty of examples of thriving open source projects throughout the bitcoin ecosystem as well as throughout tech in general. The assertion that if you make an open source product it will immediately be cloned and you will be put out of business is demonstrably false.
legendary
Activity: 2730
Merit: 7065
Farewell, Leo. You will be missed!
October 30, 2023, 12:57:56 PM
#39
Do you want to buy a wallet from the people who developed and wrote the code themselves, or from the people who copied it verbatim?
The amount of people who care about the open vs closed-source dilemma outside of this forum and similar online gatherings is surely not that big. Some people I have traded face-to-face with use Binance exchange as a wallet and Trust Wallet. There is nothing I can do to change their mind. Only a negative experience can make them approach this differently. If we agree that the average Joe won't bother using an open-source wallet, when all the ads and Google searches point them towards a closed-sourced one, I don't see them doing any research about who the original creators of the code were. A very small number of people will care about that information.   
legendary
Activity: 4102
Merit: 7765
'The right to privacy matters'
October 30, 2023, 11:12:13 AM
#38
You develop, get copied, develop, get copied, copied copied, what's the point?
Because it drives development.

There are many reasons why Apple, Microsoft, Alphabet, Nestle, Mars, Pfizer and other big corporations stay in their niche and don't interrupt in small businesses.
Exactly. So there is far more nuance to it than your initial claim that someone rich can just clone your product and drive you out of business. If that was the case then Trezor wouldn't exist, Passport wouldn't exist, BitBox wouldn't exist. All the best pieces of software for using bitcoin - Electrum, Sparrow, Bisq, Robosats, etc. - are open source, and are yet to be cloned and driven out by a rich competitor. The same is true for bitcoin itself.

hmm I supposed apple could clone trezor and have a bug built in crashing all of btc.
Whatever bugs an individual hardware wallet has is irrelevant to bitcoin as a whole. There is no way for a single wallet to crash the network.

If apple made a wallet on the iPhone and a hardware wallet that appeared to be far better than any other wallet. How many btc do you think would sit in it?

10,000 btc
100,000 btc
1,000,000 btc

maybe btc could survive 1,000,000 being stolen from wallets all over the world.

My point is if a wallet can't be cloned or made popular ie closed source it would have added security over a clone able open source. If the actor or developer was honest and did a good job building it.

So some closed source should be floating around along with some open source. The key is that no one hardware wallet model Trezor or passport or what ever  should have 3 or 4 million of all the coins there are.
legendary
Activity: 2268
Merit: 18509
October 30, 2023, 02:06:39 AM
#37
You develop, get copied, develop, get copied, copied copied, what's the point?
Because it drives development.

There are many reasons why Apple, Microsoft, Alphabet, Nestle, Mars, Pfizer and other big corporations stay in their niche and don't interrupt in small businesses.
Exactly. So there is far more nuance to it than your initial claim that someone rich can just clone your product and drive you out of business. If that was the case then Trezor wouldn't exist, Passport wouldn't exist, BitBox wouldn't exist. All the best pieces of software for using bitcoin - Electrum, Sparrow, Bisq, Robosats, etc. - are open source, and are yet to be cloned and driven out by a rich competitor. The same is true for bitcoin itself.

hmm I supposed apple could clone trezor and have a bug built in crashing all of btc.
Whatever bugs an individual hardware wallet has is irrelevant to bitcoin as a whole. There is no way for a single wallet to crash the network.
legendary
Activity: 4102
Merit: 7765
'The right to privacy matters'
October 29, 2023, 09:16:25 PM
#36
If company's work will be easily copied and sold better with high budget marketing, then one will rarely bother to create such a good product.
Alternatively, if their code can be used by competitors then it incentivizes them to continue to develop and improve.
You develop, get copied, develop, get copied, copied copied, what's the point? Especially if your gained advantage is quickly regained by others.

Then I, a rich guy, hired some developers, copied your code and with way bigger marketing budget, released a product built on your code and somehow because of our bigger budget, we managed to become more popular than you and finally took you over.
Then why have we not seen Microsoft Trezor or Apple Passport? These wallets are open source and anyone can clone them. It's not as simple as that. Do you want to buy a wallet from the people who developed and wrote the code themselves, or from the people who copied it verbatim?
Why doesn't Apple or Microsoft clone them? That's a damn good question. The answer is, these big companies aren't interested in that. But I have a counter question, why doesn't Apple buy a restaurant that's near to your house? Apple is a company that can buy every restaurant located in your city. Yes, I know I speculate but if we keep in mind their value, they'll be able to do that. Then, they can start collecting profit from those restaurants and buy more restaurants in other cities and over time they can conquer the earth, right? But that doesn't happen. There are many reasons why Apple, Microsoft, Alphabet, Nestle, Mars, Pfizer and other big corporations stay in their niche and don't interrupt in small businesses.

hmm I supposed apple could clone trezor and have a bug built in crashing all of btc.

They could work in conjunction with microsoft. That would be quite a shitstorm.

and they would not be able to do it to a cold card correct?
hero member
Activity: 840
Merit: 756
Watch Bitcoin Documentary - https://t.ly/v0Nim
October 29, 2023, 02:37:50 PM
#35
If company's work will be easily copied and sold better with high budget marketing, then one will rarely bother to create such a good product.
Alternatively, if their code can be used by competitors then it incentivizes them to continue to develop and improve.
You develop, get copied, develop, get copied, copied copied, what's the point? Especially if your gained advantage is quickly regained by others.

Then I, a rich guy, hired some developers, copied your code and with way bigger marketing budget, released a product built on your code and somehow because of our bigger budget, we managed to become more popular than you and finally took you over.
Then why have we not seen Microsoft Trezor or Apple Passport? These wallets are open source and anyone can clone them. It's not as simple as that. Do you want to buy a wallet from the people who developed and wrote the code themselves, or from the people who copied it verbatim?
Why doesn't Apple or Microsoft clone them? That's a damn good question. The answer is, these big companies aren't interested in that. But I have a counter question, why doesn't Apple buy a restaurant that's near to your house? Apple is a company that can buy every restaurant located in your city. Yes, I know I speculate but if we keep in mind their value, they'll be able to do that. Then, they can start collecting profit from those restaurants and buy more restaurants in other cities and over time they can conquer the earth, right? But that doesn't happen. There are many reasons why Apple, Microsoft, Alphabet, Nestle, Mars, Pfizer and other big corporations stay in their niche and don't interrupt in small businesses.
legendary
Activity: 2268
Merit: 18509
October 29, 2023, 02:09:15 PM
#34
If company's work will be easily copied and sold better with high budget marketing, then one will rarely bother to create such a good product.
Alternatively, if their code can be used by competitors then it incentivizes them to continue to develop and improve.

Then I, a rich guy, hired some developers, copied your code and with way bigger marketing budget, released a product built on your code and somehow because of our bigger budget, we managed to become more popular than you and finally took you over.
Then why have we not seen Microsoft Trezor or Apple Passport? These wallets are open source and anyone can clone them. It's not as simple as that. Do you want to buy a wallet from the people who developed and wrote the code themselves, or from the people who copied it verbatim?

I can understand the arguments for source verifiable, but I will still argue that open source is better for the product and for the wider ecosystem, especially when your source verifiable project was built using other people's open source code.
legendary
Activity: 4102
Merit: 7765
'The right to privacy matters'
October 29, 2023, 02:08:15 PM
#33
We discussed this before, and my point remains the same: Coldcard used a huge variety of open source libraries and code when they built their device. To turn around and prevent people doing the same for their code is hypocrisy.
Yes, we discussed it before and I remember it very well, I read all of your posted sources too.
Yes, they used but Coldcard is not a Trezor's copy/paste while Passport is CC's copy/paste. Passport is the reason why CC is not open-source.

If you are worried about someone building on top of your code and making a better product, the solution is to improve your own product, not stifle development and innovation, which is bad for everyone.
You put endless work to improve your product, then Passport copy/pastes it and both of you are on the same level. The difference is, you do the work and they gain the benefits. We can compare CC and Passport to Nikola Tesla and Thomas Edison.

Where would bitcoin be now if Satoshi had released bitcoin under a "source verifiable" license but prevented other people from developing on top of it?
Bitcoin is not the first cryptocurrency but somehow it became massively popular and none copy/pasted altcoins or even improved altcoins took it over and it's a little strange for me. Bitcoin users usually say that what they love about bitcoin is its decentralized nature and anonymity (it's not) and then my question is, why choose Bitcoin when you have Monero?
By the way Satoshi has mined lots of bitcoins for himself, so, what he has to worry about?


My point is that the fact that ColdCard is a source verifiable doesn't make it any bad, I would use this wallet at any time because it's superior compared to other mainstream wallets.
Will Coldcard improve its product if they gain financial profit? Sure. Is the source open and can anyone read it and verify? Yes, that's what's important for me, as a wallet owner. Do you want to learn more about bitcoin hardware wallet softwares? You can read every single line of their source code anytime you wish, so, you can learn from them and come up with your product if it's better and not totally based on their source code.

I am not going to tolerate anyone saying Passport is a "copy-paste"; at this point it is a ridiculous statement. As we've said many times before, we ported parts of the codebase to a fresh MicroPython repo.

It is impossible for Passport to be a copy-paste because it's completely different hardware with different hardware features. We have an entire GUI as well. Take 5 minutes to do a diff between our repos and you will quickly see that it's a load of nonsense. It's blatant slander by NVK and team.

You cannot seriously try to compare Coldcard to Nikola Tesla when they simply started a MicroPython project, pulled in Trezor's crypto libraries, added a secure element, and wrote some PSBT code. Everyone is building on top of everyone else; that is how open source is supposed to work.

I came to this thread at a good time.

I have Trezor 1
I have Trezor T

I was looking at your passport and I was interested in using it.

Why should I use it?

Is Trezor to Coldcard to passport simply an evolution of wallet technologies?

Are you accessible in general via pm?

I would like to see how your gear works as compared to my trezors.
hero member
Activity: 840
Merit: 756
Watch Bitcoin Documentary - https://t.ly/v0Nim
October 29, 2023, 12:26:55 PM
#32
Why would they waste their time going through the GitHub of a "source verifiable" project knowing they can't do anything with that code, when they could spend their time going through the GitHub of an "open source" project knowing they can use that code for anything they like?

"Source accessible" or "source verifiable" simply means fewer people will be looking at the code than they would if it were open source. And for the ordinary wallet user, this is what matters.
ColdCard has a good security, right? And if company profits from their product, they'll have a motivation to improve their product or others will sink them. If company's work will be easily copied and sold better with high budget marketing, then one will rarely bother to create such a good product. Also, I want to emphasize that Coldcard's wallet source code, that is publicly available for everyone to view. Yes, you can't copy their code and build a new product on top of that but if developer wants to know what's happening behind the scenes, to learn what makes ColdCard such a secure wallet, any developer can view its code and do whatever they want in their computer. It's a great opportunity to learn and enlighten yourself. I genuinely believe, such a publicly available code will help and inspire others to create a better product than ColdCard is.


Let's say you are a developer and I am a rich guy. You spent days and night to create a very secure bitcoin wallet, yes, you built it on others work but still you created a new and advanced code. You created a hardware wallet built on your code and started manufacturing and releasing of them. Then I, a rich guy, hired some developers, copied your code and with way bigger marketing budget, released a product built on your code and somehow because of our bigger budget, we managed to become more popular than you and finally took you over. I think this is a very logic scenario. That's why I am more tolerant in this case.
legendary
Activity: 3458
Merit: 6231
Crypto Swap Exchange
October 29, 2023, 12:05:57 PM
#31
The old ones work BUT there have been some issues found that have not been fixed.
The biggest problem would be if there is a flaw with the security of the seed phrases and if they were created with faulty and insufficient entropy. But I don't think that's the case. I think the old Mks use a Secure Element that can be manipulated to reveal secrets if the attacker has them in their possession. But since it's an airgapped device, you aren't affected by anything happening on the internet. Someone correct me if I am wrong.

But, and I know this makes me look cheap, if you bought a Mk1 and a Mk2 and a Mk3 give me some kind of loyalty discount.
It doesn't make you look cheap, and in your shoes, I would expect the same thing. Loyalty should be rewarded to a certain degree. Their main developer is active on Bitcointalk. PM him and ask if you don't have issues with privacy.

1) Yes they needed to have access and IIRC there was another issue where you could get access as an attacker.
2) Did ping out when the 4th gen came out never heard back.

I like their products, and coinkite even did me a solid when an opendime I had died:
https://bitcointalksearch.org/topic/m.56370760

But for some reason, they seem to just be pushing the 'buy a new one' with the coldcards.

-Dave
legendary
Activity: 2730
Merit: 7065
Farewell, Leo. You will be missed!
October 28, 2023, 08:32:15 AM
#30
The old ones work BUT there have been some issues found that have not been fixed.
The biggest problem would be if there is a flaw with the security of the seed phrases and if they were created with faulty and insufficient entropy. But I don't think that's the case. I think the old Mks use a Secure Element that can be manipulated to reveal secrets if the attacker has them in their possession. But since it's an airgapped device, you aren't affected by anything happening on the internet. Someone correct me if I am wrong.

But, and I know this makes me look cheap, if you bought a Mk1 and a Mk2 and a Mk3 give me some kind of loyalty discount.
It doesn't make you look cheap, and in your shoes, I would expect the same thing. Loyalty should be rewarded to a certain degree. Their main developer is active on Bitcointalk. PM him and ask if you don't have issues with privacy.
legendary
Activity: 3458
Merit: 6231
Crypto Swap Exchange
October 28, 2023, 08:09:30 AM
#29
Is reproducible does not mean it is open source or the site is not correct about it.
Reproducibility is one segment of open-source code. It's one of the conditions to be considered open-source, but not the only one. In an open-source world, you would be able to take any such code, modify it, better it, change it, put it in your product, and sell that product. If someone finds what you did useful, they could take your code and do the same, or just copy it in its entirety with no or minor changes. Coldcard doesn't allow anyone to use their codebase in the products they will later sell. But the funny part is that they built their own hardware wallets on open-source code written by others.

I use a ColdCard but am thinking of moving to something else.
They seem to be dropping support for older HW and I really don't like the attitude of 'just buy a new one'
How many updates are really needed in an airgapped wallet like the Coldcard? It only supports Bitcoin and is a simple signing device of transactions that are later exported and broadcasted elsewhere. Are your devices not working as they should for some reason that would warrant a fix in the form of an update?

The old ones work BUT there have been some issues found that have not been fixed. And there have been some things added that could be added to the Mk 1/2 that just have not been. How long till they do the same with the 3. I understand the fact that you can't fix old HW bugs and that the older hardware can't run the newer code.

But, and I know this makes me look cheap, if you bought a Mk1 and a Mk2 and a Mk3 give me some kind of loyalty discount. I know they remove all client info after X days, but there are ways to get around this if you really care enough.

I know a lot of other makers do the same, and that means they will not get my money either.
On the other side keystone spun off from the parent company and still managed to give old users of someone else's wallet a HEFTY discount on their items.

...Sure, some of them are discontinued because of big security flaws, that is much better than ledger creating graveyard for fashion purposes....

And this is it right there. There are known flaws, fine I don't expect a Mk4 for free to replace my Mk2. Just give me something.

-Dave
legendary
Activity: 2730
Merit: 7065
Farewell, Leo. You will be missed!
October 28, 2023, 08:07:06 AM
#28
I don't like the stupid trend of changing hardware wallet devices every year like smartphones
But that's what this shitty world we live in has turned into, and it will only keep getting worse. Companies whose profit is generated from selling you hardware will keep coming up with newer and "better" devices while doing everything in their power to make you abandon the old ones. Plus, there are now subscription packages for every little thing, in-app purchases, no ad premium packages, and other nonsense.
legendary
Activity: 2212
Merit: 7064
Cashback 15%
October 28, 2023, 03:58:55 AM
#27
I use a ColdCard but am thinking of moving to something else.
They seem to be dropping support for older HW and I really don't like the attitude of 'just buy a new one'
The Mk1 and Mk2 are no longer getting updates and the Mk3 is barely getting any.
Thank you for posting your honest opinion and feedback about these devices.
Coldcard is slowly but steadily going the route of ledger with creating graveyard of old hardware wallets that are not supported anymore.
Sure, some of them are discontinued because of big security flaws, that is much better than ledger creating graveyard for fashion purposes.
Meanwhile, first ever hardware wallet Trezor One is still kicking, working and receiving updates... that is simply amazing.
I don't like the stupid trend of changing hardware wallet devices every year like smartphones
legendary
Activity: 2730
Merit: 7065
Farewell, Leo. You will be missed!
October 28, 2023, 02:52:43 AM
#26
Is reproducible does not mean it is open source or the site is not correct about it.
Reproducibility is one segment of open-source code. It's one of the conditions to be considered open-source, but not the only one. In an open-source world, you would be able to take any such code, modify it, better it, change it, put it in your product, and sell that product. If someone finds what you did useful, they could take your code and do the same, or just copy it in its entirety with no or minor changes. Coldcard doesn't allow anyone to use their codebase in the products they will later sell. But the funny part is that they built their own hardware wallets on open-source code written by others.

I use a ColdCard but am thinking of moving to something else.
They seem to be dropping support for older HW and I really don't like the attitude of 'just buy a new one'
How many updates are really needed in an airgapped wallet like the Coldcard? It only supports Bitcoin and is a simple signing device of transactions that are later exported and broadcasted elsewhere. Are your devices not working as they should for some reason that would warrant a fix in the form of an update?
legendary
Activity: 3458
Merit: 6231
Crypto Swap Exchange
October 27, 2023, 02:46:48 PM
#25
I use a ColdCard but am thinking of moving to something else.
They seem to be dropping support for older HW and I really don't like the attitude of 'just buy a new one'
The Mk1 and Mk2 are no longer getting updates and the Mk3 is barely getting any.

So I had a 1 and then a 2 and now a 3. Sorry, you are not getting my money for a 4 or anything else. When it dies I'll move to something else.
Not saying that it would be better, but not even giving a you bought a bunch over the years here is a nice deal on a new one discount, just irks me.

-Dave
newbie
Activity: 0
Merit: 0
October 27, 2023, 11:13:50 AM
#24
Yes. It is source verifiable. It is not open source.
I was thinking Coldcard is open source but it is not. I check this site that says their source code is reproducible: https://walletscrutiny.com/hardware/coldcardMk4/

Is reproducible does not mean it is open source or the site is not correct about it.

Reproducible is far far better than closed source but not quite as optimal as fully open source. Fully open source incentivizes a larger pool of actors to scrutinize the code and build/fix/improve it as needed. Nothing is stopping anybody from examining and playing around with a source verifiable code, but without the financial incentive to use and build upon the code there won't be as many people spending their time.
legendary
Activity: 2268
Merit: 18509
October 27, 2023, 07:44:50 AM
#23
You don’t need a lot of  skilled wallet users, just a few is enough  to make the presence of  any bugs  available to community.
Even Bitcoin Core has flaws and vulnerabilities which are identified, or even on occasion not identified before they were exploited, despite significantly more pairs of eyes on its code than on the code of an individual wallet. Despite how technically competent an individual reviewer is, more reviewers will always be safer. And you will get more reviewers if your code is open source and those reviewers have an incentive to spend their time examining your code.

-snip-
I don't disagree with any of that, but their code is still not open source and to call it such is simply incorrect.

Is reproducible does not mean it is open source or the site is not correct about it.
Read my previous replies in this thread. The source code is reproducible but it is not open source.

legendary
Activity: 2856
Merit: 7410
Crypto Swap Exchange
October 27, 2023, 05:42:56 AM
#22
--snip--

Very reasonable that they forbid to sell purely  their  code, but they allow to use it in any other commercial product and sell  those products based on their software. Again, according to the   definition of  MIT-licence the software which is liable to it  is open source. I have never encountered the contradictions to this coming  from reputable sources.

FOSS and open source are two different things.

While others already clarify why CC isn't open source, I'd like to mention "Free" in FOSS actually refer to freedom or liberty, not money.
hero member
Activity: 868
Merit: 1094
October 27, 2023, 03:03:21 AM
#21
Yes. It is source verifiable. It is not open source.
I was thinking Coldcard is open source but it is not. I check this site that says their source code is reproducible: https://walletscrutiny.com/hardware/coldcardMk4/

Is reproducible does not mean it is open source or the site is not correct about it.
legendary
Activity: 2730
Merit: 7065
Farewell, Leo. You will be missed!
October 26, 2023, 02:09:04 PM
#20
A few thoughts. Firstly, no objections to anything in your post. But, Coldcard's license doesn't stop anyone from sharing their ideas or suggesting modifications to Coinkite. What they can't do is create their own products based on that code and sell it. This is a douchebag move by their team, I have no doubt about that. If you don't want to have anything to do with Coinkite or their developers, that's fine. But you could work on the code if you wanted to. And the end-user who is not interested in building and selling software, but verifying it and checking the code, can do that.
hero member
Activity: 714
Merit: 1298
Cashback 15%
October 26, 2023, 01:54:25 PM
#19
Consider the perspective of an ordinary wallet user whose sole concern is the availability of  code for scrutiny and verification.
An ordinary wallet user does not have the requisite knowledge or ability to review the code themselves, and thus they rely on the community doing it for them and publicly flagging up any bugs,

Do you think that ordinary wallet user like, let's say n0nce, requires outside  help to  review the code himself?

Do you think that he will not flag bugs (if any)  in the code  and be silent on his finding?

You don’t need a lot of  skilled wallet users, just a few is enough  to make the presence of  any bugs  available to community.

means that none of these projects, companies, developers, etc., will bother looking at the code,

rather, they will scrutinize the code with alacrity to blow the trumpet of found bugs.
legendary
Activity: 2268
Merit: 18509
October 26, 2023, 01:36:17 PM
#18
Consider the perspective of an ordinary wallet user whose sole concern is the availability of  code for scrutiny and verification.
An ordinary wallet user does not have the requisite knowledge or ability to review the code themselves, and thus they rely on the community doing it for them and publicly flagging up any bugs, vulnerabilities, suspicious or malicious code. And code which is not open source and therefore prevents other projects, companies, developers, etc., from using that code in their products means that none of these projects, companies, developers, etc., will bother looking at the code, probing the limits of the code, building on top of the code, and so forth. Why would they waste their time going through the GitHub of a "source verifiable" project knowing they can't do anything with that code, when they could spend their time going through the GitHub of an "open source" project knowing they can use that code for anything they like?

"Source accessible" or "source verifiable" simply means fewer people will be looking at the code than they would if it were open source. And for the ordinary wallet user, this is what matters.
hero member
Activity: 714
Merit: 1298
Cashback 15%
October 26, 2023, 12:40:59 PM
#17
Is the source open and can anyone read it and verify? Yes, that's what's important for me, as a wallet owner. Do you want to learn more about bitcoin hardware wallet softwares? You can read every single line of their source code anytime you wish, so, you can learn from them and come up with your product if it's better and not totally based on their source code.

Supporting this point. Consider the perspective of an ordinary wallet user whose sole concern is the availability of code for scrutiny and verification. To such a user, referring to the Commons Clause attached to the MIT license accompanied CC product appears to be nothing more than sheer casuistry. From their standpoint, all they seek is open access to the code, making the presence of the Commons Clause seem irrelevant.

newbie
Activity: 0
Merit: 0
October 26, 2023, 12:25:23 PM
#16
Coldcard is an absolute beast of a wallet, definitely one of the best out there but you really need to know what you're doing with it. It's not for beginners - or rather it's not for beginners who don't want to take things slow and patiently and learn. It doesn't hold your hand like Ledger or Trezor and it has so many options and features that if you don't understand what you're doing and just press buttons you can really fuck yourself up.

There was somebody in a Reddit thread the other day that opted not to use Coldcard's TRNG (default option) and instead selected to generate their own entropy via dice rolls. When doing so you must use at least 99 dice rolls to generate sufficient entropy - but this person used ONE roll, and because of this, the entropy was at an absolute minimum which will generate one of only 6 possible seeds which are obviously monitored by bots hoping to catch such a mistake and his funds were swept.

Coldcard does have warnings throughout this process but you still need to be aware of what you're doing. Most people just mash the "ok" button at every prompt and read nothing. There's also another option to let the TRNG generate the seed and then "mix in" dice rolls. So 3 different ways to generate a seed with it and you need to understand each one. Compare this to Ledger where the entire setup process is completely braindead and simple.
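The dice-roll arithmetic from the post above, as an added example that is not part of the thread and not Coldcard's own code. It assumes fair six-sided dice and, as an assumption about the device, that the seed is the SHA-256 digest of the rolls written as ASCII digits; all function names are hypothetical.

```python
import hashlib
import itertools
import math

BITS_PER_ROLL = math.log2(6)  # a fair six-sided die yields about 2.585 bits
MIN_ROLLS = 99                # minimum roll count quoted in the post above


def entropy_bits(n_rolls: int) -> float:
    """Upper bound on the entropy collected from n fair dice rolls."""
    return n_rolls * BITS_PER_ROLL


def rolls_needed(target_bits: float) -> int:
    """Smallest number of rolls whose entropy reaches target_bits."""
    return math.ceil(target_bits / BITS_PER_ROLL)


def distinct_seeds(n_rolls: int) -> int:
    """Count the distinct seeds reachable from n_rolls dice rolls.

    Assumption: seed = SHA-256(ASCII digits of the rolls). Hashing spreads
    the inputs over 256 bits but cannot add entropy, so the count can never
    exceed 6**n_rolls. Only practical for small n_rolls.
    """
    if not 1 <= n_rolls <= 6:
        raise ValueError("enumeration is only meant for 1..6 rolls")
    seen = {
        hashlib.sha256("".join(seq).encode("ascii")).digest()
        for seq in itertools.product("123456", repeat=n_rolls)
    }
    return len(seen)


def assess(rolls: str) -> dict:
    """Validate a roll string and report how much entropy it can carry."""
    if not rolls or any(c not in "123456" for c in rolls):
        raise ValueError("rolls must be a non-empty string of digits 1-6")
    n = len(rolls)
    return {
        "rolls": n,
        "bits": round(entropy_bits(n), 2),
        "search_space": 6 ** n,       # every seed an observer has to consider
        "sufficient": n >= MIN_ROLLS,
    }


if __name__ == "__main__":
    # Constructed sample inputs: a single roll versus a full 99-roll sequence.
    for sample in ("4", "123456" * 16 + "123"):
        print(assess(sample))
    print("distinct seeds from 1 roll:", distinct_seeds(1))
    print("rolls needed for 128 bits:", rolls_needed(128))
```

A single roll carries about 2.58 bits and maps to one of six digests, while 99 rolls carry about 255.9 bits, which is why the roll count is the only thing that matters in this mode.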
legendary
Activity: 2268
Merit: 18509
October 26, 2023, 11:43:13 AM
#15
I just want to explain that ColdCard's source is available for anyone to use and verify
Yes. It is source verifiable. It is not open source.

Both of them are not open source but there is a huge difference.
Then you can explain that difference, but calling Coldcard open source when it's not is simply incorrect.

Ledger also claimed that they were moving to open source, and then created a new license for their code called "Source Code Accessibility License" which is also not open source. "Open source doesn’t just mean access to the source code."

In a business where you work days and nights to write a code and there is a danger that rich businessman will copy and paste your code and sell a clone but dive you because of money and better marketing, I think it's okay to protect yourself from this danger.
And yet, this is exactly what Coldcard did to Trezor code: https://nitter.cz/PavolRusnak/status/1022107617328619520#m. Why is it OK for Coldcard to use other people's code, but it's not OK for other people to use Coldcard's code?
legendary
Activity: 2212
Merit: 7064
Cashback 15%
October 26, 2023, 11:41:33 AM
#14
* Takes open source to the next level: The open source code can be viewed, verified and compiled directly from the device itself.
They took the code to lower levels.
I don't know how many times I have to repeat this, but Coldcard firmware is NOT open source!
They changed the code to Commons Clause, that can be verified, and they only change this on their website after big complaints from community members.
Coldcard basically false advertised their product as open source for some time, and I have proofs for that.
I am not saying they have a bad product, but their owner NVK looks like an ego freak.

Here are Before and After photos:



Quote
Is this “Open Source”?
No.
https://commonsclause.com/

End of story.
hero member
Activity: 840
Merit: 756
Watch Bitcoin Documentary - https://t.ly/v0Nim
October 26, 2023, 11:10:01 AM
#13
I am not going to tolerate anyone saying Passport is a "copy-paste"; at this point it is a ridiculous statement. As we've said many times before, we ported parts of the codebase to a fresh MicroPython repo.

It is impossible for Passport to be a copy-paste because it's completely different hardware with different hardware features. We have an entire GUI as well. Take 5 minutes to do a diff between our repos and you will quickly see that it's a load of nonsense. It's blatant slander by NVK and team.

You cannot seriously try to compare Coldcard to Nikola Tesla when they simply started a MicroPython project, pulled in Trezor's crypto libraries, added a secure element, and wrote some PSBT code. Everyone is building on top of everyone else; that is how open source is supposed to work.
Wow, glad to see you here, I didn't know if you were on this forum.
By the way, I have mentioned that your GUI is different from Coldcard and I don't say your hardware is copy/paste. You improved GUI side of ColdCard and made your wallet easier to use, what I said above was only about code. Your wallet has camera also, it's good, no one says it's bad. I often recommend your wallet and CC to people.

I just want to explain that ColdCard's source is available for anyone to use and verify, that's all that matters for users. When people simply say ColdCard isn't open source, it looks like ColdCard and Ledger are comparable in terms of status of their code. Both of them are not open source but there is a huge difference. Ledger is closed-source, no one can check what code their Ledger runs but ColdCard is not open source in a sense that they don't allow competitors to simply copy their work, on the other hand, anyone can see and verify the code. This doesn't make them bad and doesn't ruin their reputation. In a business where you work days and nights to write a code and there is a danger that rich businessman will copy and paste your code and sell a clone but dive you because of money and better marketing, I think it's okay to protect yourself from this danger.


member
Activity: 58
Merit: 104
October 26, 2023, 10:35:09 AM
#12
We discussed this before, and my point remains the same: Coldcard used a huge variety of open source libraries and code when they built their device. To turn around and prevent people doing the same for their code is hypocrisy.
Yes, we discussed it before and I remember it very well, I read all of your posted sources too.
Yes, they used but Coldcard is not a Trezor's copy/paste while Passport is CC's copy/paste. Passport is the reason why CC is not open-source.

If you are worried about someone building on top of your code and making a better product, the solution is to improve your own product, not stifle development and innovation, which is bad for everyone.
You put endless work to improve your product, then Passport copy/pastes it and both of you are on the same level. The difference is, you do the work and they gain the benefits. We can compare CC and Passport to Nikola Tesla and Thomas Edison.

Where would bitcoin be now if Satoshi had released bitcoin under a "source verifiable" license but prevented other people from developing on top of it?
Bitcoin is not the first cryptocurrency but somehow it became massively popular and none copy/pasted altcoins or even improved altcoins took it over and it's a little strange for me. Bitcoin users usually say that what they love about bitcoin is its decentralized nature and anonymity (it's not) and then my question is, why choose Bitcoin when you have Monero?
By the way Satoshi has mined lots of bitcoins for himself, so, what he has to worry about?


My point is that the fact that ColdCard is a source verifiable doesn't make it any bad, I would use this wallet at any time because it's superior compared to other mainstream wallets.
Will Coldcard improve its product if they gain financial profit? Sure. Is the source open and can anyone read it and verify? Yes, that's what's important for me, as a wallet owner. Do you want to learn more about bitcoin hardware wallet softwares? You can read every single line of their source code anytime you wish, so, you can learn from them and come up with your product if it's better and not totally based on their source code.

I am not going to tolerate anyone saying Passport is a "copy-paste"; at this point it is a ridiculous statement. As we've said many times before, we ported parts of the codebase to a fresh MicroPython repo.

It is impossible for Passport to be a copy-paste because it's completely different hardware with different hardware features. We have an entire GUI as well. Take 5 minutes to do a diff between our repos and you will quickly see that it's a load of nonsense. It's blatant slander by NVK and team.

You cannot seriously try to compare Coldcard to Nikola Tesla when they simply started a MicroPython project, pulled in Trezor's crypto libraries, added a secure element, and wrote some PSBT code. Everyone is building on top of everyone else; that is how open source is supposed to work.
hero member
Activity: 840
Merit: 756
Watch Bitcoin Documentary - https://t.ly/v0Nim
October 26, 2023, 08:57:07 AM
#11
We discussed this before, and my point remains the same: Coldcard used a huge variety of open source libraries and code when they built their device. To turn around and prevent people doing the same for their code is hypocrisy.
Yes, we discussed it before and I remember it very well, I read all of your posted sources too.
Yes, they used but Coldcard is not a Trezor's copy/paste while Passport is CC's copy/paste. Passport is the reason why CC is not open-source.

If you are worried about someone building on top of your code and making a better product, the solution is to improve your own product, not stifle development and innovation, which is bad for everyone.
You put endless work to improve your product, then Passport copy/pastes it and both of you are on the same level. The difference is, you do the work and they gain the benefits. We can compare CC and Passport to Nikola Tesla and Thomas Edison.

Where would bitcoin be now if Satoshi had released bitcoin under a "source verifiable" license but prevented other people from developing on top of it?
Bitcoin is not the first cryptocurrency but somehow it became massively popular and none copy/pasted altcoins or even improved altcoins took it over and it's a little strange for me. Bitcoin users usually say that what they love about bitcoin is its decentralized nature and anonymity (it's not) and then my question is, why choose Bitcoin when you have Monero?
By the way Satoshi has mined lots of bitcoins for himself, so, what he has to worry about?


My point is that the fact that ColdCard is a source verifiable doesn't make it any bad, I would use this wallet at any time because it's superior compared to other mainstream wallets.
Will Coldcard improve its product if they gain financial profit? Sure. Is the source open and can anyone read it and verify? Yes, that's what's important for me, as a wallet owner. Do you want to learn more about bitcoin hardware wallet softwares? You can read every single line of their source code anytime you wish, so, you can learn from them and come up with your product if it's better and not totally based on their source code.
legendary
Activity: 2268
Merit: 18509
October 26, 2023, 08:27:06 AM
#10
Very reasonable that they forbid to sell purely their code, but they allow to use it in any other commercial product and sell those products based on their software.
No, they don't. A quote from their license, with emphasis added:

Again, according to the definition of MIT-licence the software which is liable to it is open source. I have never encountered the contradictions to this coming from reputable sources.
How about the source of the people who wrote the Commons Clause license Coldcard use in the first place:

Code clearly states: MIT licence.
MIT with Commons Clause attached, which makes it not open source.
hero member
Activity: 714
Merit: 1298
Cashback 15%
October 26, 2023, 08:19:16 AM
#9
* Takes open source to the next level: The open source code can be viewed, verified and compiled directly from the device itself.
This is not correct. Coldcard is not open source, but rather, it is "source verifiable".

You can see their license here: https://github.com/Coldcard/firmware/blob/master/COPYING-CC


License: MIT

--snip--

CC 1.0 forbid to sell the software which makes it NOT open source.

Very reasonable that they forbid to sell purely their code, but they allow to use it in any other commercial product and sell those products based on their software. Again, according to the definition of MIT-licence the software which is liable to it is open source. I have never encountered the contradictions to this coming from reputable sources.

FOSS and open source are two different things.

Even the Coldcard website doesn't claim they are open source - they are source verifiable.

Code clearly states: MIT licence.
legendary
Activity: 2268
Merit: 18509
October 26, 2023, 07:59:43 AM
#8
It's true that they copied others and use their work but Coldcard still came up with more unique product that no one has created before.
We discussed this before, and my point remains the same: Coldcard used a huge variety of open source libraries and code when they built their device. To turn around and prevent people doing the same for their code is hypocrisy.

When ColdCard left their code open-source, The Passport Foundation copied them, improved some UI details if I am not wrong and become a Coldcard's competitor. This means loss of customers, loss of sales and all these because someone copied your code and put it in a new design.
If you are worried about someone building on top of your code and making a better product, the solution is to improve your own product, not stifle development and innovation, which is bad for everyone.

Where would bitcoin be now if Satoshi had released bitcoin under a "source verifiable" license but prevented other people from developing on top of it?

Being under MIT licence it's open source.
It categorically isn't. They add the "Commons Clause" license, meaning they are not open source. Even the Coldcard website doesn't claim they are open source - they are source verifiable.
hero member
Activity: 714
Merit: 1298
Cashback 15%
October 26, 2023, 07:50:59 AM
#7
* Takes open source to the next level: The open source code can be viewed, verified and compiled directly from the device itself.
This is not correct. Coldcard is not open source, but rather, it is "source verifiable".

You can see their license here: https://github.com/Coldcard/firmware/blob/master/COPYING-CC


License: MIT


Code that is not actually open source is bad for the product and bad for the ecosystem. If no one is actually allowed to use their code in other products, then you are going to have far fewer sets of eyes on the code since there is far less incentive for people to spend their time examining it.

Being under MIT licence ColdCard code is allowed to be used virtually with no restriction. According to fossa.com MIT-licence-code can be used in any software, including commercial one, can be modified and redistributed. Two miserable restrictions: "you can’t hold the code author(s) legally liable for any reason. You also can’t delete the copyright notice and original license from your version of the code".

What is your problem with MIT licence?

Coldcard is not open source.

I have the opposite view. Being under MIT licence it's open source.
hero member
Activity: 840
Merit: 756
Watch Bitcoin Documentary - https://t.ly/v0Nim
October 26, 2023, 07:00:57 AM
#6
* Takes open source to the next level: The open source code can be viewed, verified and compiled directly from the device itself.
This is not correct. Coldcard is not open source, but rather, it is "source verifiable".

You can see their license here: https://github.com/Coldcard/firmware/blob/master/COPYING-CC
You can understand why this distinction is important here: https://nitter.cz/sethforprivacy/status/1651039483419058177

Code that is not actually open source is bad for the product and bad for the ecosystem. If no one is actually allowed to use their code in other products, then you are going to have far fewer sets of eyes on the code since there is far less incentive for people to spend their time examining it. Open source code encourages competition which furthers development, which ultimately is good for bitcoin.

I'm getting fed up of various projects claiming to be open source when they aren't, or claiming their not-open-source license is just as good as open source when it isn't. Open source has a very specific meaning and is very important to the ecosystem. Coldcard is not open source.
When coldcard was created, they came up with an unmatched security, right? It's true that they copied others and use their work but Coldcard still came up with more unique product that no one has created before. At the same time, we have to keep in mind that bitcoin hardware wallet is a business. When ColdCard left their code open-source, The Passport Foundation copied them, improved some UI details if I am not wrong and become a Coldcard's competitor. This means loss of customers, loss of sales and all these because someone copied your code and put it in a new design.
Let's say ColdCard left their code open-source and there comes someone with ten times more money for marketing, manufacturing and so on. They take ColdCard's open-source wallet, create a new hardware wallet, spend ten times more in marketing than coldcard and will build a great business on ColdCard's work.

I don't see anything wrong with Verifiable Source Code. It's a business, I think it will even demotivate people to start a business if their work might be copied super easily. I don't think anyone shares the belief of Nikola Tesla in a modern capitalism where you are nothing without money.
legendary
Activity: 2268
Merit: 18509
October 26, 2023, 05:59:54 AM
#5
* Takes open source to the next level: The open source code can be viewed, verified and compiled directly from the device itself.
This is not correct. Coldcard is not open source, but rather, it is "source verifiable".

You can see their license here: https://github.com/Coldcard/firmware/blob/master/COPYING-CC
You can understand why this distinction is important here: https://nitter.cz/sethforprivacy/status/1651039483419058177

Code that is not actually open source is bad for the product and bad for the ecosystem. If no one is actually allowed to use their code in other products, then you are going to have far fewer sets of eyes on the code since there is far less incentive for people to spend their time examining it. Open source code encourages competition which furthers development, which ultimately is good for bitcoin.

I'm getting fed up of various projects claiming to be open source when they aren't, or claiming their not-open-source license is just as good as open source when it isn't. Open source has a very specific meaning and is very important to the ecosystem. Coldcard is not open source.
member
Activity: 248
Merit: 36
NO SHITCOIN INSIDE
October 26, 2023, 01:10:31 AM
#4
The coming ColdCard Q1 is equipped with camera which will secure communication with software wallets via optical channel. Thus I would wait for Q1 model.


Never heard of the Q model before. The secure camera for QR codes is the best new feature. I guess that's what the Q refers to.

Sounds interesting but has no release date. The company says they hope to put it out Quarter 1 2024.

hero member
Activity: 714
Merit: 1298
Cashback 15%
October 25, 2023, 07:59:18 AM
#3
Not to take anything away from the latest available ColdCard model, i.e. MK4, I should mention that it lacks camera. That is why I have acquired Passport 2 which allows to be paired with software wallets via QR code. The coming ColdCard Q1 is equipped with camera which will secure communication with software wallets via optical channel. Thus I would wait for Q1 model.
hero member
Activity: 840
Merit: 756
Watch Bitcoin Documentary - https://t.ly/v0Nim
October 25, 2023, 03:54:06 AM
#2
I always thought the Coldcard was a great hardware wallet
Coldcard is definitely a great hardware wallet, their hardware's security is a gamechanger in bitcoin wallets. Coldcard and The Passport Foundation are both great wallets. TPF is built on Coldcard's code.

And unlike Trezor the Coldcard is bitcoin-only so no shitcoins supported. It also seems to be built like a tank.
I will be getting one next time they have their 20% off Black Friday sale.  Grin
There is nothing wrong with supporting altcoins. Personally, I will be more than glad to purchase a wallet that offers as much security as ColdCard and also offers altcoins. But still, I like that they only focus on Bitcoin, their message is clear.

By the way, main difference between Trezor and Coldcard is that Coldcard is a superior wallet when it comes to security and features, overall, it is an ideal wallet, both, CC and Passport are great choices! 
member
Activity: 248
Merit: 36
NO SHITCOIN INSIDE
October 25, 2023, 02:44:16 AM
#1
I always thought the Coldcard was a great hardware wallet, but never knew the head-spinning amount of security features it has on it, because I never looked at it before in much detail.

It blows away every other hardware wallet in terms of sheer amount of features, almost too many to list.
Many of them appear to be unique to the Coldcard, and doesn't cost much for what you are getting.
The Trezor Model T doesn't have a fraction of the features but cost $60 more.

And unlike Trezor the Coldcard is bitcoin-only so no shitcoins supported. It also seems to be built like a tank.
I will be getting one next time they have their 20% off Black Friday sale.  Grin

https://coldcard.com/


Some of the features:

* Supports Bitcoin only.

* Dual Secure Element chips

* Takes open source to the next level: The open source code can be viewed, verified and compiled directly from the device itself.
  
* True Air-gap - Only signing device (hardware wallet) with option to avoid ever being connected to a computer, for its full life cycle: from seed generation, to transaction signing. Uses PSBT (BIP174) natively.

* MicroSD Back-up - allows truly offline signing by transferring unsigned/signed transactions via sneakernet

* NFC tap for all data types, PSBT, address, etc.

* USB virtual disk mode

* Extensive duress PIN features

* AirGap SneakerNET - maximum security when transferring data between devices

* BIP39 passphrase supports multiple hidden wallets

* Anti-phishing words

* Genuine vs. Caution lights

* Clear see thru case design so you can see if wallet has been physically tampered

* Dice roll and provable bitcoin seed generation



