Topic: It is NOT secure to use hardware wallets (and it never was) - page 6. (Read 2133 times)

I agree with all of your points, and I personally own a ledger nano device but I also think that the Ledger team understated how vulnerable the device can be, especially once it is in the physical possession of someone else. I will probably continue to use it, as I think it's still got a very good security to usability ratio, but I think that it might have been advertised a bit as something it probably is not.

The important things to note from this entire episode are:

1. The recently exposed vulnerabilities in Ledger and Trezor have been patched - Update your devices!
2. NO wallet can be proven to be 100% secure and NO wallet should be treated as such
3. Despite our best efforts, there will always be a certain level of "trust" involved somewhere in the chain (hardware and/or software level)

As with a lot of things in life, it comes down to risk management and how much risk is "acceptable" in your specific situation - "Minimise the risk"™ 

I have also met with an opinion that you should use a computer which has never been connected to the Internet. I have no idea why would it be important beside potential malware being downloaded earlier. Your solution is definitely safe and recommended by many people but still, it isn't really convenient and portable. I guess it's the best choice for people who were thinking of using hardware wallets as their main "purse". I will personally stick to them since I send my coins often in many different places.

I wasn't too comfortable with the hardware being "out of my control" during shipping etc., so I used other hardware wallet solution - simple, cheap/free and extremely safe:

Everyone has old unused laptops laying around. I took two laptops. On both I formatted hard drives and did clean reinstall of the system. 1 of these laptops will never be connected online, network adapters are disabled. On the other laptop, go straight to download section of electrum wallet. Download wallet and verify the authenticity. Take clean USB stick, format it and put downloaded electrum wallet there. Take the usb stick and insert it into the first laptop (the one without internet connection). Create wallet. This laptop will NEVER go online. If you are totally paranoid you can destroy the USB stick

The laptop with the internet active is used for Electrum - watch only wallet. This type of wallet has no access to your private keys, yet you can see your balances and iniciate transactions (these have to be confirmed via confirm file, created on the laptop with the original wallet).

This process should be reasonably safe.

And here I am thinking that using a ledger ware is the best safe place to store my bitcoin as sometimes I travel a lot. I have been meaning to buy one since it's easily portable but seeing that article, I am quite confused.
I am always skeptical of storing my bitcoin in my laptops cause most times, I change laptops alot and I fear selling my used laptop to to stranger might leave a trace of my wallet.dat.  So is there any portable means of storing bitcoin that is not paper wallet?

I know about Intel's ME, but I was just asking OP whether he is mentioning it or what?

As of Intel's ME, there are solutions to  neutralize or disable it people even suggest not to use Intel processors made since 2008 and AMDs since 2013.

But I think it is not just about foolish architectures like this and even a system built around an 'innocent' 80386 cpu is susceptible not because of its bios or any other hardware potential backdoor but for a more inherent characteristic of our contemporary technological paradigm that allows machines to be dominated by attackers without disclosure.

By 'attackers' I don't just refer to crackers or state agents I am mentioning the owners, legitimate owners as well!
Imagine some black hat cracker who goes to the market buys a laptop, installs some evil software on it, plugs it to the internet and participates maliciously in some public protocol, trying to take advantage of its security holes while it is pretending to be a fair player, it is a hijacked laptop in my terminology!

Our current state in computing technology, gives unlimited access to the owner (and the army of crackers, hardware manufacturers, state organisations, ...) to install whatever s/he wants without disclosure.

This way people have access to 'things' that can be 'anything' and pretend to be 'something' else! This is totally a mess which security experts, cryptographers, ... are trying to cover it up, both desperately and inefficiently.

Hardware wallets might be not a best choice for cold storage, but they are still a good choice if you want to access your bitcoins on many different computers which might be compromised. I used to encrypt my Electrum seed using VeraCrypt but I was too scared of keyloggers and other malware. Right now I don't have to worry about it since my TREZOR has a touchscreen to input everything on the device. It is still possible that this model might get hacked anytime soon, time will show us.

There's more to a computer than just the OS. A lot of firmware such as processor microcode are closed source. So it doesn't matter whether the OS you use is open source; if the firmware for your hardware and the hardware itself is closed source, then you are at risk of that closed source being malicious or containing something that can be exploited. One example of this is the Intel Management Engine which could allow someone to remotely access and control your computer and there's no way to disable it because it is baked into the hardware and firmware, both of which are also closed source.

I'm not objecting just confused: Is it about firmware, BIOS, fucking NVIDIA device drivers or what? We have Linux and Free BSD, don't we? Is it impossible to have Core's wallet running on top of a clean installed Linux?

I'm seriously interested in your term 'closed source computer', actually it is my main research topic for the last couple of years, I'm just wondering how deep is your interpretation of this concept and whether you have developed any idea as an alternative?

 

As much as I hate McAfee, you can't argue with what he said: As long as there is technology in our daily lives, there will be hackers there, waiting on the sidelines, to break inside it. [Paraphrase]

As long as companies like Ledger and Trezor work quickly to patch any security vulnerabilities, we should be fine.

That's too extreme. In most cases, use Bitkey https://bitkey.io/.

It would take someone familiar with Linux to use it, but all the information needed on how to make a bootable USB, use, and configure it are available online. There is no excuse for a newbie Bitcoiner not to learn.

Nothing is perfect. With the recent Ledger vulnerability the devs response and transparency was good. The security might not be perfect, but it will improve overtime.

All Digital assets are unsecure in some way or another. Blockchain can't be hacked but cryptocurrency can be stolen from wallets, exchange etc. If you have large asset then don't store all of it in one medium like wallet, exchange etc.

Then he's an innocent babe and wrong, or a liar.

On second thought maybe he's qualified his statements some kind of way, but that's really beside the point.

What happens if you buy "A Ledger" on eBay is that you get something that might look like a Ledger, and it might act like a Ledger, but it might actually be something very different.

There was a con recently on eBay concerning Trezor IIRC which involved "last minute instructions" included with the package shipped to the gullible mark. Several people lost their funds on that.

Pretty impressive for a 15 year old kid to find an exploit like this.

This kid was briliant 

In the end it comes down to ease of use and convenience and also flexibility. You do not want to install Bitcoin Core on every

computer, wherever you go. It is quite handy to have a secure hardware wallet in your pocket, when you move around a lot.

I can quickly pop in my hardware wallet at a friends house {non-bitcoiner} and have access to my coins to do a transaction

or to show him/her how it works. It is more secure than online wallets and more convenient than paper wallets. 

I also agree that it is not safe to use hardware wallets. Several methods of protection are needed, combined protection against new threats that hackers from all over the world come up with.