Topic: Coinkite ColdCard Mk4 Review (Read 461 times)

copper member
Activity: 2338
Merit: 4543
June 22, 2023, 01:40:46 PM
#29
For those of you still using the older ColdCards (mk2 and mk3) there's a new firmware update that fixes a bug that appeared when signing transactions. 

https://coldcard.com/docs/upgrade

Quote
Mk3: Version 4.1.8 - Jun 19, 2023
Bugfix: "Validating..." screen would be shown twice in some cases. Improves signing performance.
Bugfix: Reproducible builds corrected.
legendary
Activity: 2212
Merit: 7064
December 14, 2022, 11:06:49 AM
#28
You seem very angry, just don't use CC.
There is no reason for me to be angry for exposing the constant lies of a hypocritical, egoistic guy who thinks he invented the wheel all over again ;)
I sure won't use CC, thank you for your smart suggestion, and I see you know very well how to rename repos and do git trickery cloning :D :D
nvK
sr. member
Activity: 381
Merit: 259
December 14, 2022, 11:02:46 AM
#27
I've further talked to him and he understood that CC was not a clone, which he thought it was at that time.

You seem very angry, just don't use CC.
legendary
Activity: 2212
Merit: 7064
December 14, 2022, 11:00:20 AM
#26
There was no Trezor "cloning"; you may be unaware that we also contributed to mod-crypto. That was the only lib shared with Trezor, and many shared that lib a few years back. It is the norm in any industry to share the same crypto libs; we have since moved to libsecp256k1, maintained by Core.
I am really sick of hearing you bitch all the time, but since you want to go down this road I promise to dig deep and release everything about this.
First, I am posting one of Coldcard's tweets from 2018, when you released the firmware as open source... but you used Trezor GPLv3 code that you didn't acknowledge.
It's ok to say that I don't know what I am saying (because I am just an amateur), but you claim that Trezor main dev PavolRusnak is lying.

https://nitter.privacydev.net/coldcardwallet/status/1022097582649008128
nvK
sr. member
Activity: 381
Merit: 259
December 14, 2022, 10:42:17 AM
#25
That wouldn't be possible; there are thousands of contributors, and all would have to agree. CC is largely single source (us), and the very few external contributors had no objection.
You cloned and used parts of the original Trezor open source code, and that is ok because they are the first original hardware wallet, and now you are bitching that someone else used and changed your open source code.
I found that extremely egoistic and hypocritical, but you can do whatever you want, it's your product.
Passport released everything including hardware as open source, and they used totally different hardware than Coldcard, so you are obviously going in totally different directions.
Good luck to both of you.

There was no Trezor "cloning"; you may be unaware that we also contributed to mod-crypto. That was the only lib shared with Trezor, and many shared that lib a few years back. It is the norm in any industry to share the same crypto libs; we have since moved to libsecp256k1, maintained by Core.
legendary
Activity: 2212
Merit: 7064
December 14, 2022, 10:34:53 AM
#24
That wouldn't be possible; there are thousands of contributors, and all would have to agree. CC is largely single source (us), and the very few external contributors had no objection.
You cloned and used parts of the original Trezor open source code, and that is ok because they are the first original hardware wallet, and now you are bitching that someone else used and changed your open source code.
I found that extremely egoistic and hypocritical, but you can do whatever you want, it's your product.
Passport released everything including hardware as open source, and they used totally different hardware than Coldcard, so you are obviously going in totally different directions.
Good luck to both of you.
nvK
sr. member
Activity: 381
Merit: 259
December 14, 2022, 09:44:28 AM
#23

Quote
Would you care to elaborate about that cloned product?
I heard rumors about a wallet that I really like, so looked into that, compared code bases and didn't find them to be identical or similar at all.
Also lots of changes and features that ColdCard doesn't even have, so that can't be it. I'm intrigued to see who actually made a CC clone.

Lots of git trickery to confuse the diffs, removal of comments, etc... heck, their ad image is all the code we wrote :D

Anyways, waste of time. Good luck to them.
hero member
Activity: 910
Merit: 5935
December 13, 2022, 06:31:37 PM
#22
The intention is Commercial Limitation, i.e. cloning the whole code base and starting a competing product, as was done [emphasis mine].
Would you care to elaborate about that cloned product?
I heard rumors about a wallet that I really like, so looked into that, compared code bases and didn't find them to be identical or similar at all.
Also lots of changes and features that ColdCard doesn't even have, so that can't be it. I'm intrigued to see who actually made a CC clone.

Quote
Imagine if Bitcoin developers started changing the BTC open source code to CC after the first shitcoin forks showed up (rolls eyes)
That wouldn't be possible; there are thousands of contributors, and all would have to agree. CC is largely single source (us), and the very few external contributors had no objection.
When altcoins started popping up, there were no thousands of contributors yet, though.
nvK
sr. member
Activity: 381
Merit: 259
December 13, 2022, 04:40:07 PM
#21
Quote
Imagine if Bitcoin developers started changing the BTC open source code to CC after the first shitcoin forks showed up (rolls eyes)

That wouldn't be possible; there are thousands of contributors, and all would have to agree. CC is largely single source (us), and the very few external contributors had no objection.

The cloners were very careful with their github tricks, but regardless think what you want.

Quote
Someone could correct me if I am wrong, but I think that you also didn't release your Seed XOR (version of Shamir Secret Sharing) as open source, just showing how wrong your thinking is.
But hey, do whatever you think is best for your product, if you are selling better than ever like you say, you have nothing to complain about.

We have a ton of FOSS work done, funded and contributed, under many different licenses.

Regarding SeedXOR, XOR is a standard computer operation, not much to license or not license. Within 2 minutes I was able to find implementations on GitHub: https://github.com/Marcaday/SeedXOR (did not review or recommend)

All the instructions for you to implement are here https://raw.githubusercontent.com/Coldcard/firmware/master/docs/seed-xor.md

You and I are free to choose our licenses for our project.
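The post above describes Seed XOR as a plain XOR of seeds, with the procedure in seed-xor.md. The C below is an added example and not Coinkite's code or the post's: it models the n-of-n split and recombination on the 32 bytes of entropy behind a 24-word seed, using a fixed-seed xorshift generator as a stand-in for the device's random source so the run is reproducible, and it leaves out the BIP-39 step of turning each part back into words with a recomputed checksum word. The round-trip check also confirms the property that matters for a backup scheme: all n parts give the secret back, any n-1 of them do not.

```c
/* Seed XOR on raw seed entropy. Added illustration only; not Coinkite's code.
 * Assumptions: 32-byte entropy, a deterministic xorshift64 in place of a
 * CSPRNG, and no BIP-39 word/checksum encoding of the parts. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ENTROPY_LEN 32   /* 256 bits: the entropy behind a 24-word seed */
#define MAX_PARTS   8

static uint64_t rng_state = 0x9E3779B97F4A7C15ull;  /* fixed seed: reproducible demo */

/* xorshift64: NOT a CSPRNG, a stand-in so the example is deterministic. */
static uint8_t rnd_byte(void)
{
    rng_state ^= rng_state << 13;
    rng_state ^= rng_state >> 7;
    rng_state ^= rng_state << 17;
    return (uint8_t)rng_state;
}

/* Split secret into n parts: n-1 are random, the last is secret XOR the rest,
 * so the XOR of all n parts is the secret. Returns 0 on success, -1 if n is
 * outside 2..MAX_PARTS. */
int seed_xor_split(const uint8_t secret[ENTROPY_LEN],
                   uint8_t parts[][ENTROPY_LEN], size_t n)
{
    if (n < 2 || n > MAX_PARTS)
        return -1;
    for (size_t i = 0; i < ENTROPY_LEN; i++) {
        uint8_t acc = secret[i];
        for (size_t p = 0; p + 1 < n; p++) {
            parts[p][i] = rnd_byte();
            acc ^= parts[p][i];
        }
        parts[n - 1][i] = acc;
    }
    return 0;
}

/* Recombine: XOR all n parts byte by byte. Order does not matter. */
void seed_xor_combine(uint8_t parts[][ENTROPY_LEN], size_t n,
                      uint8_t out[ENTROPY_LEN])
{
    memset(out, 0, ENTROPY_LEN);
    for (size_t p = 0; p < n; p++)
        for (size_t i = 0; i < ENTROPY_LEN; i++)
            out[i] ^= parts[p][i];
}

/* Split a constructed secret into n parts; return 1 only if all n parts
 * reproduce it and every n-1 subset does not. */
int seed_xor_roundtrip(size_t n)
{
    uint8_t secret[ENTROPY_LEN], parts[MAX_PARTS][ENTROPY_LEN], out[ENTROPY_LEN];
    for (size_t i = 0; i < ENTROPY_LEN; i++)
        secret[i] = (uint8_t)(0xA5 ^ i);              /* constructed sample entropy */
    if (seed_xor_split(secret, parts, n) != 0)
        return 0;
    seed_xor_combine(parts, n, out);
    if (memcmp(out, secret, ENTROPY_LEN) != 0)
        return 0;
    /* Drop each part in turn: the remaining n-1 must not yield the secret. */
    for (size_t skip = 0; skip < n; skip++) {
        uint8_t rest[MAX_PARTS][ENTROPY_LEN];
        size_t k = 0;
        for (size_t p = 0; p < n; p++)
            if (p != skip)
                memcpy(rest[k++], parts[p], ENTROPY_LEN);
        seed_xor_combine(rest, n - 1, out);
        if (memcmp(out, secret, ENTROPY_LEN) == 0)
            return 0;
    }
    return 1;
}

int main(void)
{
    for (size_t n = 2; n <= 4; n++)
        printf("%zu-part Seed XOR round trip: %s\n", n,
               seed_xor_roundtrip(n) ? "ok" : "FAILED");
    return 0;
}
```

The security argument is the same one the post hints at: because n-1 parts are uniformly random and the last is derived from them, any n-1 parts are statistically independent of the secret, so a single lost or stolen part reveals nothing; the price is that losing any one part loses the seed, which is the difference from a threshold scheme.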
legendary
Activity: 2212
Merit: 7064
December 13, 2022, 04:20:36 PM
#20
We found a balance with MIT+CC: you can indeed fork it, change it, sell it; the intention is Commercial Limitation, i.e. cloning the whole code base and starting a competing product, as was done. Funnily enough, little of the hard stuff we built that was cloned has changed on the fork.
Imagine if Bitcoin developers started changing the BTC open source code to CC after the first shitcoin forks showed up (rolls eyes)
Lame excuse from you, nvK, and I don't agree with you that nothing or little was changed in the Passport wallet, but it's not very hard to compare two GitHub repositories to see the difference, so I don't have to trust your words.
Someone could correct me if I am wrong, but I think that you also didn't release your Seed XOR (version of Shamir Secret Sharing) as open source, just showing how wrong your thinking is.
But hey, do whatever you think is best for your product, if you are selling better than ever like you say, you have nothing to complain about.
nvK
sr. member
Activity: 381
Merit: 259
December 13, 2022, 08:44:08 AM
#19


Quote
I don't presume to speak for Nvk, but I doubt he would get bent out of shape over forking for personal use or in an attempt to improve the code; i.e. add features or enhance security.  Sure, there's no financial incentive to do so, but that doesn't stop people from donating their time for open-source projects that also don't offer incentives.  I'm not a coder, but if someone were to fork the firmware to include support for XMR, I'd be all over that.  Grin

We found a balance with MIT+CC: you can indeed fork it, change it, sell it; the intention is Commercial Limitation, i.e. cloning the whole code base and starting a competing product, as was done. Funnily enough, little of the hard stuff we built that was cloned has changed on the fork.


Quote
I've been reading up on Commons Clause licensing, and it seems many knowledgeable folks are predicting its days are numbered. I still don't know how it differs from Creative Commons, but one article suggested that'll be the preferred licensing in the near future for developers that want to be transparent but restrict the competition from monetizing their work.

If that came to be (which I don't), we would seek a different license or write a new one with strong user rights and creators protections against fiat maxis.
copper member
Activity: 2338
Merit: 4543
August 04, 2022, 01:38:09 PM
#18
Let's fork the damn thing and see what happens.
I remember someone was saying last year that NVK and his legal team have lawsuits ready for anyone that tries to fork Coldcard again, so good luck with that.

I don't presume to speak for Nvk, but I doubt he would get bent out of shape over forking for personal use or in an attempt to improve the code, i.e. add features or enhance security. Sure, there's no financial incentive to do so, but that doesn't stop people from donating their time to open-source projects that also don't offer incentives. I'm not a coder, but if someone were to fork the firmware to include support for XMR, I'd be all over that. :D


For Coldcard it's not Creative Commons, it's the Commons Clause license; there is a difference, and I don't see anything good about that, except the ego of a single developer being blown up.

I've been reading up on Commons Clause licensing, and it seems many knowledgeable folks are predicting its days are numbered. I still don't know how it differs from Creative Commons, but one article suggested that'll be the preferred licensing in the near future for developers that want to be transparent but restrict the competition from monetizing their work.
legendary
Activity: 2212
Merit: 7064
August 02, 2022, 05:05:15 PM
#17
Yes you can, I can, DireWolfM14 can, anyone can fork it, clone it and do just about whatever you want with it.
You just can't do it for commercial reasons.
Let's fork the damn thing and see what happens.
I remember someone was saying last year that NVK and his legal team have lawsuits ready for anyone that tries to fork Coldcard again, so good luck with that.
The Commons Clause license does not allow selling the software, but you wouldn't do that anyway; you would just sell a device that uses this software, the same as I could sell you a smartphone that uses the open source vanilla Android OS.
Funny thing, they didn't mind forking the Trezor wallet when they first started making ColdCard :D

Side note, over the last 6 months or so I am really starting to see a greater use for the CreativeCommons license.
For Coldcard it's not Creative Commons, it's the Commons Clause license; there is a difference, and I don't see anything good about that, except the ego of a single developer being blown up.
legendary
Activity: 3500
Merit: 6320
July 30, 2022, 06:18:05 AM
#16
I am a bitcoin maximalist and the ColdCard is a Bitcoin Only hardware wallet, but I do wish they would integrate support for Monero's official wallet.
You will never have this for the ColdCard wallet now, after they changed their source code license so you can only view it and not fork it.

Yes you can, I can, DireWolfM14 can, anyone can fork it, clone it and do just about whatever you want with it.
You just can't do it for commercial reasons.

With that being said, it still goes back to what I mentioned earlier this week.

-->This is not just about Coldcard, but all hardware wallets. Keep adding bloat and stuff will go wrong.<--

Every time you add a coin, a feature, anything, it's one more point of failure and vulnerability.
Adding XMR fine, do it yourself. Want to add another feature go ahead. But don't have it in there out of the box (plastic bag)
I still plan on getting a mk4 if my mk3 ever gives me any issues, no real point in replacing something that works.

It's only 4MB of memory, but that's plenty for PSBT or wallet files.  And, it's a whole 10% of the HUGE hard drive I bought back in 1989.

The 1st web server my company put together had a massive 4GB drive back in 1998. Now I have an order of magnitude more RAM just on the caching controller that the drives are hooked up to.

-Dave

Side note, over the last 6 months or so I am really starting to see a greater use for the CreativeCommons license. Dealing with some things, I have seen some pretty good pieces of open source software being run on shit, substandard hardware. And because this piece of shit CNC machine is running (not the real name) UltraMill 4 software, then UltraMill CNC machines must all suck. To the extent that the UltraMill company is actually changing its name and all the new machines are running closed source, dongle-locked code.
Not saying that this is the case here, but I am starting to see why it's needed now and then.
copper member
Activity: 2338
Merit: 4543
July 29, 2022, 06:50:25 PM
#15
I am starting to think they could have made all this fuss and fix just to promote this new Virtual Disk feature, because they are very excited about this.

The VirtDisk is actually a pretty cool feature.  It automates signing PSBTs to some extent, i.e. as soon as you save a PSBT onto the VirtDisk the ColdCard automatically recognizes it and asks if you want to sign the transaction.  With the VirtDisk feature enabled you don't need a mSD card at all.  The other neat thing about it is that it's volatile memory, so once you log off the ColdCard or disconnect it from power the memory is purged.  It's only 4MB of memory, but that's plenty for PSBT or wallet files.  And, it's a whole 10% of the HUGE hard drive I bought back in 1989.
legendary
Activity: 2212
Merit: 7064
July 29, 2022, 02:56:00 PM
#14
@DireWolfM14 and everyone else who owns a ColdCard mk4 hardware wallet should update ASAP to the latest firmware version 5.0.6, which should fix the recent Virtual Disk bug.
They explain more about this fix in their new blog article released today, but I am starting to think they could have made all this fuss and fix just to promote this new Virtual Disk feature, because they are very excited about this.

Quote
While optimizing performance, we noticed a math bug in the way disk size was calculated. A value was 8196 which should have been 8192. The result is four blocks (512 bytes each) past the end of the “virtual” disk were accessible. Due to the design of our hardware, this is an isolated area in a memory chip called the PSRAM. The extra 2k bytes of accessible memory wrap around to the bottom of the PSRAM, where we store the PSBT during the signing process. No other part of the address map is exposed by this bug.

We were not able to find a means to exploit this bug. The 2k of memory already is available for read/write over the USB port. We allow uploads (and downloads) of PSBT into exactly that area.

Further into the audit, we examined the related subsystems for other issues. We found a few, very-limited logic bugs in the Micropython and ST Microsystems open-source code that is related to disk emulation. Our conclusion was those were of no impact, but important to improve the overall hardening in this release. In our experience this class of bugs could lead to vulnerabilities, and should be fixed.

We are still very excited about the Virtual Disk as a means for people using the device without computers (phone-first world). As you know, we are paranoid and user-first, so any USB feature should always be disabled by default. And air-gap hardware wallet operation—as we pioneered—is still king.

Although this was an internal discovery, we still like to practice Responsible Disclosure.
https://blog.coinkite.com/5.0.6-released/
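The release note quoted in the post above says the disk size came out as 8196 blocks instead of 8192, so four 512-byte blocks past the end of the 4MB virtual disk were reachable and wrapped to the bottom of the PSRAM where the PSBT is staged. The C below is an added model of that bug and is not Coinkite's firmware: it takes the 512-byte block size and the 8196/8192 figures from the note, and assumes a PSRAM of exactly 4 MiB whose addresses wrap at the end, with the PSBT staged at offset 0 (both assumptions, chosen so the numbers in the note line up). It shows the off-by-four count exposing staged PSBT bytes through an ordinary host block read, the corrected count refusing the same read, and a defence-in-depth check that bounds reads by the real backing store rather than by the advertised count.

```c
/* Model of a USB mass-storage "virtual disk" backed by PSRAM.
 * Added illustration only; not Coinkite's code. Numbers 512, 8192 and 8196
 * come from the 5.0.6 release note; the 4 MiB chip size, the address wrap and
 * the PSBT living at offset 0 are assumptions of this model. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define BLOCK_SIZE   512u
#define PSRAM_SIZE   (4u * 1024u * 1024u)   /* assumed: chip is exactly 4 MiB */
#define GOOD_BLOCKS  8192u                  /* 8192 * 512 = 4 MiB, the intended size */
#define BAD_BLOCKS   8196u                  /* the miscalculated value before the fix */
#define PSBT_MARKER  "PSBT-STAGED-HERE"     /* constructed stand-in for PSBT bytes */

static uint8_t psram[PSRAM_SIZE];

/* Byte offset a read of `block` lands on, emulating address wrap-around past
 * the end of the chip. Returns -1 when the block is outside the advertised disk. */
long block_to_offset(uint32_t block, uint32_t block_count)
{
    if (block >= block_count)
        return -1;
    return (long)(((uint64_t)block * BLOCK_SIZE) % PSRAM_SIZE);
}

/* How many advertised blocks alias memory below the disk start. */
uint32_t aliased_blocks(uint32_t block_count)
{
    uint32_t real = PSRAM_SIZE / BLOCK_SIZE;
    return block_count > real ? block_count - real : 0;
}

/* Pre-fix behaviour: the only bound is the (wrong) advertised block count. */
int vd_read_block(uint8_t *dst, uint32_t block, uint32_t block_count)
{
    long off = block_to_offset(block, block_count);
    if (off < 0)
        return -1;                          /* rejected: beyond the disk */
    memcpy(dst, psram + off, BLOCK_SIZE);
    return 0;
}

/* Defence in depth: also bound the read by the real backing store, so a
 * miscalculated block_count cannot reach past it even before it is corrected. */
int vd_read_block_hardened(uint8_t *dst, uint32_t block, uint32_t block_count)
{
    uint64_t end = (uint64_t)block * BLOCK_SIZE + BLOCK_SIZE;
    if (block >= block_count || end > sizeof psram)
        return -1;
    memcpy(dst, psram + (size_t)block * BLOCK_SIZE, BLOCK_SIZE);
    return 0;
}

/* Stage the marker at the bottom of PSRAM and ask for block 8192 (the first
 * block past a 4 MiB disk). Returns 1 if the host read returns the marker. */
int psbt_leaks_via_block(uint32_t block_count)
{
    uint8_t buf[BLOCK_SIZE];
    memset(psram, 0, sizeof psram);
    memcpy(psram, PSBT_MARKER, sizeof PSBT_MARKER);
    if (vd_read_block(buf, GOOD_BLOCKS, block_count) != 0)
        return 0;                           /* read refused, nothing leaks */
    return memcmp(buf, PSBT_MARKER, sizeof PSBT_MARKER) == 0;
}

/* Return code of the hardened read for the same request. */
int hardened_read_status(uint32_t block, uint32_t block_count)
{
    uint8_t buf[BLOCK_SIZE];
    return vd_read_block_hardened(buf, block, block_count);
}

int main(void)
{
    printf("8196-block disk: block 8192 -> offset %ld, %u aliased blocks, leak=%d, hardened=%d\n",
           block_to_offset(8192, BAD_BLOCKS), aliased_blocks(BAD_BLOCKS),
           psbt_leaks_via_block(BAD_BLOCKS), hardened_read_status(8192, BAD_BLOCKS));
    printf("8192-block disk: block 8192 -> offset %ld, %u aliased blocks, leak=%d, hardened=%d\n",
           block_to_offset(8192, GOOD_BLOCKS), aliased_blocks(GOOD_BLOCKS),
           psbt_leaks_via_block(GOOD_BLOCKS), hardened_read_status(8192, GOOD_BLOCKS));
    return 0;
}
```

The point worth taking from the model is that the bounds check itself was fine; it was fed a wrong constant, which is why a second check derived from the size of the actual buffer (sizeof psram here) is cheap insurance against the same class of mistake. It also makes concrete the note's "could not find a means to exploit" remark: in this model the only bytes reachable past the disk are the same 2k the host may already write a PSBT into over USB.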
legendary
Activity: 2212
Merit: 7064
July 20, 2022, 11:24:14 AM
#13
It still means it's open-source then.
Coldcard firmware is NOT open source, because there is a clear definition of what Open Source software is, and Commons Clause is NOT Open Source.
Speaking about the hardware parts of the device, they have two secure elements that are closed source I believe, but most hardware wallets have similar licenses for their secure elements.
To be fair, ATECC608B is probably the most open secure element so far, and it is part of Coldcard Mk4 along with Maxim DS28C36B.

Note that Coldcard just released new firmware v5.0.5 with some bug fixes and improvements, so you might want to update your device, DireWolfM14:

Quote
- BIP85 derived passwords+NFC
- Sign txn w/ missing foreign UTXOs
- Easier QRs scan in bright light
- Fix:Multisig registration order does NOT matter
- Add:importing multisig f/ descriptor
- Add:Addr explorer shows "change"
...
https://coldcard.com/docs/upgrade
legendary
Activity: 2730
Merit: 7065
July 20, 2022, 08:35:16 AM
#12
It's hard for me to comment on that. I am not a software developer, so I can't imagine what it means creating and releasing a software or piece of code without making any profit from it. Making it a proprietary piece of software would mean that it does not fulfill all the conditions to be called open-source, but I was only referring to the publicly or not publicly available code. I think it's morally wrong to take an already open-source codebase, change it, perfect it, and then make it proprietary and call it your own. It can't be your own if someone else already laid the foundations. If ColdCard did that, then it's a pretty shitty thing to do. But that's just an opinion not based on any knowledge of what it takes to create a piece of software. 
legendary
Activity: 2870
Merit: 7490
July 20, 2022, 08:02:18 AM
#11
Oh, I get it. So the code is publicly available and you can inspect and verify it if you want. But you are not allowed to use their code for your own software needs and forks. That's OK. It still means it's open-source then. It's an unorthodox way to go about things, but that's their decision.

The license used by the Mk4 firmware ("Commons Clause") is quite controversial. A few people/groups say it's harmful for the open source ecosystem [1-2]. The creator also agrees it's not really open source [3]. I'm not a fan of this license either, since AFAIK it's quite restrictive in practice.

[1] https://drewdevault.com/2018/08/22/Commons-clause-will-destroy-open-source.html
[2] https://www.gnu.org/licenses/license-list.html#comclause
[3] https://commonsclause.com/
legendary
Activity: 2730
Merit: 7065
July 20, 2022, 04:38:40 AM
#10
Oh, I get it. So the code is publicly available and you can inspect and verify it if you want. But you are not allowed to use their code for your own software needs and forks. That's OK. It still means it's open-source then. It's an unorthodox way to go about things, but that's their decision.

WalletScrutiny has tagged all other ColdCard Mks as unreproducible, but the Mk4 has not been reviewed yet. I am looking forward to what they have to say.