Topic: Foundation Passport Official Thread - page 14. (Read 6045 times)

legendary
Activity: 2212
Merit: 7064
June 06, 2023, 02:07:08 PM
Not a re-write, a completely new piece of software/firmware is necessary for the next device, will be very clear why when we announce it
Interesting news... when can we expect this new device to come out in public?

Looks like the cheapest reseller in EU is BitcoinBrabant which offers it for € 329,95 € 259,95, the fair price as to me (I have paid ~ €80 more at time of purchase). You should hurry up if your intention is serious as "Batch 2 is limited to 2400 units."
I think I saw better deals in one more seller from Europe that was giving nice discounts if paid with Bitcoin, but I can't find it right.
They are registered in forum and I think their shop is located in Poland, but last time I checked they offered other hardware wallets also, not just Passport.
It's a good idea to find coupons and discounts if you can.

EDIT: It's shopinbit.com, they have 3% discount but Passport is currently unavailable.

hero member
Activity: 714
Merit: 1298
June 06, 2023, 06:49:40 AM

However, as for the new device, it seems that it will be even better than the previous two, so the question arises, is it worth waiting for it to become available or buying the current version? I

Yeah, it is generally assumed that a new device will beat the old one, but one should always remember that a user needs not just the newest model but a battle-tested device. It takes some time to verify that a new model meets all the requirements you put on it. That said, it is a personal thing whether to wait for the new model or buy the current one, which is already tested by many users.

As to how many they sold already. Hard quantity is not publicly available but a few days ago they declared


 We sold 6wks worth of units in 36h, if that tells you anything, and the rush has barely slowed down even after going out of stock due to the craziness.

legendary
Activity: 3234
Merit: 5637
June 06, 2023, 05:30:57 AM
@RickDeckard, It just seemed to me that such a small number of units could be a problem in the future with regard to firmware updates, because the user base is very small and it is easy to abandon the product without making too much noise. However, the link you posted states that even the first version will continue to receive updates on a regular basis.

Quote
Additionally, though Passport Batch 2 will introduce numerous improvements, Passport Founder’s Edition will continue to receive regular firmware updates! We’re excited to keep improving your Passport experience as time goes by.

However, as for the new device, it seems that it will be even better than the previous two, so the question arises, is it worth waiting for it to become available or buying the current version? Is there somewhere an official counter of how many units have been sold so far, or how many are still available in total?
legendary
Activity: 1148
Merit: 3117
June 05, 2023, 04:38:36 PM
~snip~
You should hurry up if your intention is serious as "Batch 2 is limited to 2400 units."

Is there a special reason why they decided to produce only 2400 units? This does not seem logical to me from a business perspective, especially if the demand is increased, as is the case now. Although it seems to me that I read that some new device is being prepared, so that might be the reason.
I think the 2400 units mostly has to do with scaling their business. If you look at Founder's edition, they started out with 1000 devices which sold out in November of the same year[1]. In that same page you can read that the initial order for Passport Batch 2 was 2500 units. I vaguely remember that they planned to ship this new device in April, but I believe that clients only started receiving their orders around July-August, so if we assume that they got the units around August, it took them around ~9 months to end that round of supply.

Considering that they are still a young company and need to take the best decisions that they can regarding inventory management (stock in their warehouse is just money waiting to be sold), I suppose that they felt safer recreating the same number of devices that their last order was made of. I also assume that their manufacturing capacity played a role in this decision (since they not only depend on that but also on their suppliers...). Perhaps to get better pricing for their components they would have to invest a larger sum of money (economies of scale) and it wouldn't be beneficial to them as well.

Regarding the new device - you probably have read about it right here[2] in this thread.

[1]https://foundationdevices.com/2021/11/passport-founders-edition-is-sold-out/
[2]https://bitcointalksearch.org/topic/m.62326900
legendary
Activity: 3234
Merit: 5637
June 05, 2023, 10:17:44 AM
#99
~snip~
You should hurry up if your intention is serious as "Batch 2 is limited to 2400 units."

Is there a special reason why they decided to produce only 2400 units? This does not seem logical to me from a business perspective, especially if the demand is increased, as is the case now. Although it seems to me that I read that some new device is being prepared, so that might be the reason.
hero member
Activity: 714
Merit: 1298
June 05, 2023, 07:32:23 AM
#98
after the disaster of a very well known hardware wallet manufacturer i am now looking for a new hw-wallet...
play now with the idea to buy me the passport batch 2. but since the price is already in a very high category, i wanted to ask politely if there are perhaps also current vouchers that reduce the price a little - because the shipping to the eu is then certainly also in the double-digit dollar range

Looks like the cheapest reseller in EU is BitcoinBrabant which offers it for € 329,95 € 259,95, the fair price as to me (I have paid ~ €80 more at time of purchase). You should hurry up if your intention is serious as "Batch 2 is limited to 2400 units."
legendary
Activity: 3304
Merit: 8633
June 05, 2023, 03:44:07 AM
#97
after the disaster of a very well known hardware wallet manufacturer i am now looking for a new hw-wallet...
play now with the idea to buy me the passport batch 2. but since the price is already in a very high category, i wanted to ask politely if there are perhaps also current vouchers that reduce the price a little - because the shipping to the eu is then certainly also in the double-digit dollar range
hero member
Activity: 714
Merit: 1298
May 31, 2023, 08:25:13 AM
#96
Can someone confirm if this HW works in combination with Electrum with the help of QR codes or only as described on the official website with the help of a microSD card? https://docs.foundationdevices.com/connect/electrum

Passport/2 cannot be paired and communicate with Electrum via QR. (The limitation is due to Electrum itself.) This HW does it via json file. Just have checked it using my Passport 2.

But why bother yourself with Electrum?

Sparrow is much better in terms of privacy. It is capable of connecting to BitcoinCore and communicating with Passport via QR.

But if you prefer public Electrum servers Sparrow is capable to work with them as well.
legendary
Activity: 3234
Merit: 5637
May 31, 2023, 05:52:37 AM
#95
Can someone confirm if this HW works in combination with Electrum with the help of QR codes or only as described on the official website with the help of a microSD card? https://docs.foundationdevices.com/connect/electrum
hero member
Activity: 714
Merit: 1298
May 31, 2023, 12:56:29 AM
#94

Here is a quote from our CTO, Ken, on the question you raised here:

Quote
We read the Avalanche noise source through the ADC on channels 10 and 11 in `adc_read_noise_inputs()`. This function returns two 32-bit values. The ADC is started and stopped each time we read a random value.

https://github.com/Foundation-Devices/passport2/blob/6c6249e2c15f52c59db56b12b5f84213806a6533/ports/stm32/boards/Passport/adc.c#L151

This function is called by `noise_get_random_uint16()`, which XORs the two 32-bit values together and XORs the lower 16-bits of that value into the `uint16_t` result. This is repeated 4 times, shifting the result left 4 bits each time. This process is typically called “whitening” and it helps remove potential sources of bias. Note that there is a 1ms delay between each of the 4 rounds, which gives ample time for entropy creation.

https://github.com/Foundation-Devices/passport2/blob/6c6249e2c15f52c59db56b12b5f84213806a6533/ports/stm32/boards/Passport/noise.c#L39

For a 32-byte seed, we call `noise_get_random_bytes()` with a 32-byte buffer and just call `noise_get_random_uint16()` 16 times to fill the buffer.

We have run the random numbers through the NIST statistical tests to prove they are uniformly random.

Please let me know if you have any outstanding questions after that, happy to answer them/get them answered for you!


Thanks for response.

Could you show here the p-values (relevant to Passport's TRNG) for each test from NIST suite?

Alternatively, refer me to relevant Foundation's official source if any.
legendary
Activity: 1148
Merit: 3117
May 30, 2023, 03:23:44 PM
#93
Oh my, by far the craziest week in the history of the company! Not only did we have the biggest firmware and software releases yet planned (Envoy full mobile wallet and Passport v2.1.0 with Key Manager and much more), but the price drop perfectly coincided with Ledger's fiasco and made for a powerful duo. We sold 6wks worth of units in 36h, if that tells you anything, and the rush has barely slowed down even after going out of stock due to the craziness.

Fantastic to see people rushing to safety in truly open-source software and hardware and finally understanding the risks inherent with introducing trust back into the system with closed-source code.
That is incredible to hear, congratulations to the team over @Foundation. I wonder, do many clients sign up for the Concierge Setup? Or out of all your orders this service represents only a fraction of your income?
copper member
Activity: 96
Merit: 253
May 30, 2023, 02:28:24 PM
#92
Another re-write? Just now when you finally got passport2 running on FE.. Hopefully the gen 1 and 2 devices will continue to be supported.

Not a re-write, a completely new piece of software/firmware is necessary for the next device, will be very clear why when we announce it

And yes, absolutely will as both devices will be offered in tandem when it's released!

Do consider a more thorough audit though, as I mentioned, where they actually try to execute supposed security flaws. I believe this gives us consumers a better picture as to how realistic / possible certain attacks are. For security-conscious buyers, this is very helpful information that most manufacturers can't actually provide.

Absolutely, we're leaning towards an audit on the current code base now, will update when we have more firm details.
hero member
Activity: 882
Merit: 5834
not your keys, not your coins!
May 30, 2023, 01:30:32 PM
#91
As of now there are no plans to do another security audit on the current code-base, but we will absolutely be having an audit done on the next device we're working on now, as that will be a complete rewrite from the ground up. I will, however, prompt the Wallet Scrutiny guys again to try and get them to update their tests as our code is absolutely still reproducible so I'd love to have their tests inline with our current codebase/version.

I'll re-raise the idea of an audit on the current code-base internally, though, and report back here if that changes at all.
Another re-write? Just now when you finally got passport2 running on FE.. Hopefully the gen 1 and 2 devices will continue to be supported.

Do consider a more thorough audit though, as I mentioned, where they actually try to execute supposed security flaws. I believe this gives us consumers a better picture as to how realistic / possible certain attacks are. For security-conscious buyers, this is very helpful information that most manufacturers can't actually provide.
copper member
Activity: 96
Merit: 253
May 30, 2023, 07:16:59 AM
#90
@foundationdvcs, Passport uses Avalanche diode as a source for its TRNG.


In this regard, I'm curious to know if this diode is in continuous operation so that SEED is generated exclusively from entropy it provided or Avalanche's noise  is used to generate initial entropy that subsequently feeds BRNG with relevant SEED being generated?

Here is a quote from our CTO, Ken, on the question you raised here:

Will get back to you ASAP, just getting caught up on this thread after a crazy week for the company!
Could you also share with us how was this week for you? If I were to guess this surely has to be one of the best periods of Foundation ever since the creation of the company, or am I wrong saying this? The price reduction just in time to reap the burning house that was/is Ledger has had to be a wombo-combo for your company (and rightfully so).

Oh my, by far the craziest week in the history of the company! Not only did we have the biggest firmware and software releases yet planned (Envoy full mobile wallet and Passport v2.1.0 with Key Manager and much more), but the price drop perfectly coincided with Ledger's fiasco and made for a powerful duo. We sold 6wks worth of units in 36h, if that tells you anything, and the rush has barely slowed down even after going out of stock due to the craziness.

Fantastic to see people rushing to safety in truly open-source software and hardware and finally understanding the risks inherent with introducing trust back into the system with closed-source code.

Hey @foundationdvcs I just realized your last professional security audit was in [1] Q2 2021. Are there any plans for a fresh one any time soon? Maybe you could also try to get the WalletScrutiny guys to re-run their script which checks the latest firmware version for reproducibility.

I also believe that the audit you got was purely a software review and didn't actually attempt to execute the attacks they describe. That's especially evident from your response where you were able to refute many of the 'potential risks' that they had claimed existed.

Nevertheless, the audit also seems to only have covered the FE branch of the Passport firmware, and I know how much code changed from FE to Batch 2. So I do believe a new audit would be good, maybe this time from someone who also actually tries to exploit what he believes could be vulnerabilities.

[1] https://foundationdevices.com/security/

As of now there are no plans to do another security audit on the current code-base, but we will absolutely be having an audit done on the next device we're working on now, as that will be a complete rewrite from the ground up. I will, however, prompt the Wallet Scrutiny guys again to try and get them to update their tests as our code is absolutely still reproducible so I'd love to have their tests inline with our current codebase/version.

I'll re-raise the idea of an audit on the current code-base internally, though, and report back here if that changes at all.
hero member
Activity: 714
Merit: 1298
May 30, 2023, 01:58:14 AM
#89
Hey @foundationdvcs
and, for good measure, the reminder of my hard-nose question

~

resulted from the fact that

....Avalanche diode is not on SE.
hero member
Activity: 882
Merit: 5834
not your keys, not your coins!
May 29, 2023, 09:34:12 PM
#88
Hey @foundationdvcs I just realized your last professional security audit was in [1] Q2 2021. Are there any plans for a fresh one any time soon? Maybe you could also try to get the WalletScrutiny guys to re-run their script which checks the latest firmware version for reproducibility.

I also believe that the audit you got was purely a software review and didn't actually attempt to execute the attacks they describe. That's especially evident from your response where you were able to refute many of the 'potential risks' that they had claimed existed.

Nevertheless, the audit also seems to only have covered the FE branch of the Passport firmware, and I know how much code changed from FE to Batch 2. So I do believe a new audit would be good, maybe this time from someone who also actually tries to exploit what he believes could be vulnerabilities.

[1] https://foundationdevices.com/security/
legendary
Activity: 1148
Merit: 3117
May 24, 2023, 03:35:28 PM
#87
Will get back to you ASAP, just getting caught up on this thread after a crazy week for the company!
Could you also share with us how was this week for you? If I were to guess this surely has to be one of the best periods of Foundation ever since the creation of the company, or am I wrong saying this? The price reduction just in time to reap the burning house that was/is Ledger has had to be a wombo-combo for your company (and rightfully so).
copper member
Activity: 96
Merit: 253
May 24, 2023, 08:32:08 AM
#86
UPD. @foundationdvcs, please, don't be silent, waiting for your response.

Will get back to you ASAP, just getting caught up on this thread after a crazy week for the company!
hero member
Activity: 714
Merit: 1298
May 23, 2023, 02:10:22 PM
#85

I can't find a function that feeds this to a PRNG (pseudo RNG); the result just gets used by different functions that e.g. fill buffers with multiple random bytes (acquired by repeatedly calling noise_get_random_uint16).

But maybe @foundationdvcs can give a more definitive answer on that.


OK, then it seems Passport generates SEED's entropy solely from random physical process.

However, response from foundationdvc would be appreciated as their statement "TRNG on SE" is slightly misleading - Avalanche diode is not on SE.


I'm curious how you got the idea that they would feed the avalanche entropy into a PRNG..

Just my curiosity

They said TRNG on secure element, but Avalanche diode is not on SE.

At the same time

output from BRNG (that might be hardware based and implemented on SE) seeded by "white noise" would be very close to being truly random.

Some manufacturers call BRNG seeded by randomness from physical process as TRNG.



UPD. @foundationdvcs, please, don't be silent, waiting for your response.
hero member
Activity: 882
Merit: 5834
not your keys, not your coins!
May 23, 2023, 12:17:39 PM
#84
Well, OK, but the question remains whether they sample 256 bits of that randomness and produce relevant SEED from it or use those 256 bit from Avalanche to feed BRNG for subsequent SEED generation.

Latter means that some deterministic rule is applied to Avalanche's entropy to get random number for the final SEED.
I'm not sure about that; from what I can tell, the noise_get_random_uint16 function returns one byte by xor'ing the two analog outputs of the avalanche circuit, four times.

ret = adc_read_noise_inputs(&noise1, &noise2);
[...]
r ^= noise1 ^ noise2;

I can't find a function that feeds this to a PRNG (pseudo RNG); the result just gets used by different functions that e.g. fill buffers with multiple random bytes (acquired by repeatedly calling noise_get_random_uint16).

But maybe @foundationdvcs can give a more definitive answer on that.

I'm curious how you got the idea that they would feed the avalanche entropy into a PRNG..
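
The loop discussed in this thread (the CTO's description of `noise_get_random_uint16()` and the excerpt quoted in the post above), modelled together with the NIST SP 800-22 frequency (monobit) check on a 32-byte seed. This is an added example, not Foundation's firmware code: the `model_*`, `src_*` and `monobit_*` names, the shift-before-XOR order and the byte order of the fill are assumptions, and both noise sources are constructed inputs.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for adc_read_noise_inputs(): two 32-bit samples. */
typedef void (*noise_src_fn)(uint32_t *n1, uint32_t *n2);

/* Constructed input: a stuck ADC that returns the same pair every time. */
static void src_stuck(uint32_t *n1, uint32_t *n2) { *n1 = 0x0001u; *n2 = 0x0000u; }

/* Constructed input: xorshift32, used only to get varying sample values. */
static uint32_t xs_state = 0x12345678u;
static uint32_t xs_next(void) {
    xs_state ^= xs_state << 13; xs_state ^= xs_state >> 17; xs_state ^= xs_state << 5;
    return xs_state;
}
static void src_sim(uint32_t *n1, uint32_t *n2) { *n1 = xs_next(); *n2 = xs_next(); }

/* Four rounds: shift the result left 4 bits, then XOR in the low 16 bits of
   noise1 ^ noise2. Shifting before the XOR is an assumption. */
uint16_t model_random_uint16(noise_src_fn src) {
    uint16_t r = 0;
    for (int i = 0; i < 4; i++) {
        uint32_t n1 = 0, n2 = 0;
        r = (uint16_t)(r << 4);
        src(&n1, &n2);            /* the firmware also waits 1 ms per round */
        r ^= (uint16_t)((n1 ^ n2) & 0xFFFFu);
    }
    return r;
}

/* Two bytes per call (32-byte seed = 16 calls); low byte first is assumed. */
void model_random_bytes(noise_src_fn src, uint8_t *buf, size_t len) {
    for (size_t i = 0; i + 1 < len; i += 2) {
        uint16_t v = model_random_uint16(src);
        buf[i] = (uint8_t)(v & 0xFFu);
        buf[i + 1] = (uint8_t)(v >> 8);
    }
}

/* Frequency (monobit) statistic S: +1 per one bit, -1 per zero bit. */
long monobit_sum(const uint8_t *buf, size_t len) {
    long s = 0;
    for (size_t i = 0; i < len; i++)
        for (int b = 0; b < 8; b++)
            s += ((buf[i] >> b) & 1) ? 1 : -1;
    return s;
}

/* Pass when |S|/sqrt(n) < 2.5758, the same decision as p-value >= 0.01. */
int monobit_pass(const uint8_t *buf, size_t len) {
    double s = (double)monobit_sum(buf, len), n = 8.0 * (double)len;
    return s * s < 6.6349 * n;
}

int main(void) {
    uint8_t seed[32];
    model_random_bytes(src_stuck, seed, sizeof seed);
    printf("stuck: S=%ld pass=%d\n", monobit_sum(seed, 32), monobit_pass(seed, 32));
    model_random_bytes(src_sim, seed, sizeof seed);
    printf("simulated: S=%ld pass=%d\n", monobit_sum(seed, 32), monobit_pass(seed, 32));
    return 0;
}
```

With the stuck source every 16-bit output is 0x1111, so the seed fails the frequency check; the same functions can be pointed at bytes captured from a real device to answer the p-value question for this one test.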