Topic: Buy passport or coldcard (Read 295 times)

Passport is better and more mature project than coldcard.
Both devices may share similar code base, but Passport is clearly more quality product and they are keeping it open source.

I think they fixed that issue now, but that is what happens when you have one guy acting as supreme leader and making all decisions in his small eco chamber.

Around that time frame we also had this[1] report where a user lost 1.7 bitcoin while using Coldcard (he eventually was blocked and the thread got locked in r/coldcard). Overall I always seem to bump into shady Coldcard stories, and since I do not know anyone with one, I can't really comment the device itself.

---

[1]https://old.reddit.com/r/coldcard/comments/17fy8cz/17_btc_drained_instantly_using_sparrow_to_cold/

Passport. The thing I don't like about Coldcard is that it is not open-source, whereas they've used Trezor's source code (which is open-source), along with a number of other open-source libraries. No one is allowed to use their code in other products, which provides less incentive for people to examine it. That's bad for the Bitcoin ecosystem.

Also, Coldcard allowed using a single dice result as entropy for a seed, which immediately resulted in loss of funds: https://www.reddit.com/r/coldcard/comments/17epqk8/040_bitcoin_taken_instantly_from_my_coldcard/.

That's correct. If you go to Coinkite's store, and scroll all the way to the bottom, you will see the Glow-in-the-Dark model all the way to the right. The product description explains that it looks white/transparent under normal light. The name tells you that it glows in the dark. The third version from the top is the regular blue-case Coldcard.

One of two things probably happened:
1. You ordered the wrong one.
2. They shipped the wrong one.

The colored versions do exist but there is also a ‘glow in the dark’ variant, which looks clear under normal light, but has some kind of coating to make it look blue under black light. They probably messed up your order and sent the wrong version, or you could’ve mistakenly added it to your cart without reading the description.

It would also help if you bought yourself a pair of special sunglasses that make everything around you look blue.
I am pretty sure they sent you the one with the usual transparent case by mistake or on purpose. You are right when you said that this is the model that appears in most of the YouTube videos, but I managed to find one featuring a pink Coldcard Mk4. I doubt the person in the video uses some special light effects to turn the device pink.

https://youtu.be/IJbog_k5XWE?t=932
You will see it at around 15:32 into the video.

That's hilarious and maybe NVK meant it to be that way, no? You can have your semi-transparent Coldcard appear in any color you want, just shine an appropriately colored light on it!

Sorry, couldn't resist, but the attitude of NVK's business is something special, indeed. I actually like some properties of those Coldcards and also some functions of them are nice to have. But I vote with my money wallet and rather choose not to support him or any such business attitude, thus won't buy a Coldcard, period!

When I bought my Mk4 model last year I ordered it with the blue color directly from Coinkite website but they sent me the plain white version. When I complained about it NVK told me that to see the blue color you have to buy a blacklight. I was like wtf are you kidding me nowhere does it say on Coinkite website that a blacklight is needed to see the color. I told him he was full of shit. I don't know why they would lie about something like this? It makes me wonder what else they could be lying about. NVK is a headcase.

I don't think it is even possible to buy a color version of any Coldcard even though several color choices are offered on their official website. I have never seen anyone on Youtube or anywhere else that actually has a Coldcard that isn't the plain white version. If you order one of the colors offered you will only get the white color. That is fraud.

I hope this is not too much of an off-topic digression. Possible supply-chain attacks and device hardware and software integrity have to be addressed with enough attention. The more Bitcoin's value rises, the more attractive are attacks. I totally agree with you: the less people are involved, the less opportunities to play foul'n'nasty. Anyway, a manufacturer can't or won't control every step up to their customers. They should minimize uncontrolled steps as much as possible or provide foolproof verification of device integrity. Of course, you have to trust this really works as intended. The better, if it were verifiable and trust minimized.

I bought my hardware wallet directly from the manufacturer and they took care themselves of shipping, that's what they say. The sender's address looked pretty innocent to me, packaging and address labels didn't really reveal any hints of the shipped product. That's how it should be and in this case partly also why I felt confident with my choice (BitBox02 from Shift Crypto). But the delivery service likely wouldn't catagorize them as single individuals due to shipping volume, though the sender's address very much looked like this. Anyway, here I have to hope no dedicated intermediates are in play at the parcel delivery service. I accepted this risk.

Technology is advancing. What was good and considered safe enough today, could be easily tricked tomorrow. We know that when a company decides to improve its security, it's usually after something really bad happened. I would rather not be on the end of that as a party who suffered from such an attack or vulnerability. So, the less people have physical access to my bitcoin toys, the better it is. At least for me personally.

A decent hardware wallet should allow the user to verify that it's firmware is genuine and the device hasn't been tampered with. Only properly signed firmware should be allowed to be loaded or the device should clearly indicate if you load debug firmware or own builds.
Yes, I know, tampered devices could pretend to be genuine, but there are solutions for that as far as I remember vaguely.

Case design should make tampering not easy, though this is likely hard to achieve.

I'm not totally up-to-date with Coldcard (not interested in this device as I don't want to support how NVK runs his business) and Foundation Passport and what their security model implements to mitigate risks of tampering. Clearly any fancy packaging seals are no suitable line of defense against tampering as they are easy to replicate for dedicated fakers.

It depends how the company sends the package and if you have an option to choose between regular post and some type of express delivery. The cheapest post deliveries might not be delivered to your home in cases where you are required to pay import tax and customs duties. You might just receive a letter with instructions where to pick up your shipment and how much you owe.

That protects you from the possibility of suffering from data leaks, as seen with Ledger and Trezor. But it introduces slightly greater risks that someone manipulated the devices physically.

I personally have nothing against official resellers, so although it is always better to buy directly from the manufacturer, in this particular case it is much easier and faster to buy from an official reseller. Those resellers have already paid the customs duty and all the costs, and that's another plus because it's better if they did it in a foreign country than for your customs to do it - the less people know that you're buying such a device, the better, right?

As for receiving the package, in my case, everything is delivered to the doorstep, and all costs are paid to the delivery person (cash/card), although previously it was necessary to receive appropriate notification from the customs administration and then take a picture and send all the information so that they could issue a delivery authorization with an invoice for tax payment.

Considering everything, the best option is to have a physical store that sells HW and where you can simply pay with cash.

The price is a big factor when you buy anything. Especially when you are just starting out, investing around $100 or €250 is very different. One should never cheap out on security, but there are always good alternatives. I am not a fan of buying from resellers and particularly not from non-official shops. If I were to order the Passport from the US, I would be looking at an expensive shipping fee + import tax and custom duties when it arrives in the EU. On top of that, I will probably have to go and pick it up at a post office somewhere because they will want the fees paid before I get my hands on it. It all depends on what they use for shipping.

My first choice would be Passport because it is one of the HW that inspires the most confidence at the moment because of everything they do and the way they do it. However, there are people who will never consider buying such a device for the reason that it only supports Bitcoin, and on top of that, it costs a minimum of $200 for those in the US, and a minimum of EUR 250 for those of us in Europe.

For many, the price comes first, then the appearance, and only at the end the technical details.

I recommend Foundation Passport over a Coldcard. I don't have this device myself, I use a BitBox02, but would get one if I had to buy a hardware wallet.

Even if a Passport were inferior to a Coldcard, it isn't, I'd rather choose it because Foundation Devices as company does a great job with their products. The firmware is open-source, the hardware is open-source, you get the plans and schematics all published. That's true open-source spirit and something that customers should support. Show your appreciation to such a policy.

And no, I'm not paid to sing their song...

I couldn't find any warranty information on Jade's website either. I did find this Jade review from January 2024, and there is a section that discusses the warranty.

The reviewer said they spoke to the Blockstream team who told them that if the Jade has any issues within the first year that can't be solved remotely or with a software update, you'll get a replacement device or a refund. They cover the return shipping within the US. For orders from outside the States, the buyer covers the shipping fees.

Similar to a very recent reply of mine in another thread regarding a similar subject[1], even if NVK doesn't offer warranty on their devices, I saw that they have some resellers that have their operations in EU countries (Portugal, Germany,Netherlands)[2] and since they are in the EU, they are obliged to provide warranty for any product for 2 years[3]. I suppose this may be different in the US, but even so I can't say that I like the fact that a company openly denies warranty to their product...

---

[1]https://bitcointalksearch.org/topic/m.63870617
[2]https://coinkite.com/resellers
[3]https://www.eccnet.eu/consumer-rights/what-are-my-consumer-rights/shopping-rights/guarantees-and-warranties

Yeah, and if you complain to NVK about anything he will just block you everywhere 
As far as I know only Coldcard and Blockstream Jade are not offering any warranty at all for their hardware wallets, that is a big minus for both of them.
It's not like other hardware wallets are offering very long warranty, but having one or two year warranty means peace of mind.
Than also consider how long they have firmware update support, Coldcard is not doing good with that also with many discontinued devices.

Both Passport and the Coldcard are bitcoin-only wallets and offline signers.

To me, they both have an appeal. The Passport looks like an old Nokia phone, the Coldcard looks like a big calculator.

A new user should definitely read and watch all the official tutorials before they start using a Coldcard. There are also many reviews and how-to-use videos on YouTube for everything you need.

That's really messed up. I didn't know that. That's the first popular HW brand I hear that offers no warranty for their physical devices.