Topic: Square is considering making a hardware wallet for Bitcoin - page 5. (Read 3812 times)

The context is:
The government not giving you privacy = bad
The other company not giving you privacy = bad
My company not giving you privacy so we can sell your data = good

See it's simple. 

Makes you wonder how far you would have to keep businesses separate to have the hardware part of the wallet with one, the software part of the wallet with another and any other apps / features with another so you could sell the HW portion as 100% not involved with the others so people who REALLY wanted as much privacy as they can get could then deal with the other aspects only if they wanted to.

I mean, I know you can do it. But at what point can you really legally say hardware business "A" has nothing to do with software business "B".

-Dave

Shit happens!

Still uncomfortable to hear something like this from a somewhat popular figure.
I'm not sure about the whole context, but somehow CoinDebit was able to offer a no-KYC debit card.
And Mallers did speak out in favor of privacy as one of the reasons why he's so involved with Lightning. Now he turns around and shits on it? Again: context may be necessary.

I confused the Jacks. My bad. 

That's from Jack Mallers, though. And I thought he's not involved with Square / Block, but instead Strike. I don't get how it relates to this thread.

Your picture there made me go and check out the Foundation site again to learn about version 2 of the Passport. I've got to say, it looks great. The physical design looks much better than the original, the color screen looks great, and they've fixed the battery issue. Couple all that with them getting rid of the bloat in the software, and if I was in the market for a hardware wallet then I'd probably be picking a Passport. I've got a couple of other questions, but I'll take them over to the thread you linked to stop derailing this one any further.

A quick glance over most hardware wallets to someone unfamiliar with hardware wallets and they would pass as a USB drive, a key fob, or maybe some kind of smart watch or other device. It's the targeted searches you need to be worried about.

"If you want privacy, don't use my fucking app". - Straight from the source: https://open.spotify.com/episode/2kaFrG64SP7EzcCA0EEJEB - at 08:28.

If you don't have Spotify: https://nitter.net/GadSaad/status/1567149412043919360

Regarding 'putting the hardware wallet at risk', I guess something like multiplexing the (already as simple / dumb as possible) I/O and interfacing it by two completely separate PCBs, would probably be needed.
One PCB (half) with all the existing hardware wallet circuitry and another one with typical feature phone hardware.

Triple-A's have already been replaced by Nokia (yes, Nokia actually used or still uses them) Li-Ion rechargeable batteries.



That's a good point. There are lots of good methods, like bringing an encrypted a file, highlighting (seed) words in a book, etc.
You can also append an encrypted wallet file to the end of a JPEG, so if they go open it, it opens normally. Possibilities are endless and have all sorts of up- and downsides.

I can see how in a less critical scenario, where they just quickly glance over the stuff you carry, even the current-gen Passports pass as phones without questions.

It is not necessary to disguise hardware wallet as a phone. Although the idea of ​​making the HW look and function like a full-fledged phone seems like a good idea to me. It would be better than just HW. Not necessarily for crossing the border, but for everyday storage and use in the immediate vicinity. Let's say for everyday tasks. The more ordinary the HW device looks, the calmer the soul. In fact, there is a wide field for creativity and can mask HW under any device. For example, an audio player that is fully functional. In this case, the risk of being identified due to the lack of a network and data transmission is eliminated.

Now that's an interesting idea. It would be difficult to pull off in such a way to either A) not be almost immediately obvious on closer inspection or B) not compromise the integrity of the hardware wallet. For example, a "phone" without any network or data connection whatsoever is highly suspect, but as soon as you add in any kind of network receiver then you put the hardware wallet at risk. A Passport device would certainly be the device to try this on, since it already looks very similar to old Nokia phones, but at the same time there is no phone in existence which runs on 2x AAA batteries.

If I was crossing a border with a lot of bitcoin and was highly suspicious that I would be stopped and searched, then I think some method which includes plausible deniability is better. If such a device was inspected and discovered to be a hidden hardware wallet, then there is no way you can deny that. If you have a seed phrase encoded/hidden in pages of academic notes (for example), then you can easily just pass them off as notes.

Right; got you. I guess then it's especially good to see that instead of adding more such 'bloat' in batch 2, they reduced it by removing that gimmicky game menu altogether, instead. Seems like they took the right direction.

Of course! Even though just adding Snake is far from it, I had thought about a full-on 'alibi mode' that makes it look and function like an actual mobile phone (e.g. for border controls and whatnot). That could have actually been a useful feature for some users, however I do prefer simplifying the device to its essentials, instead.

Maybe not, but with pretty much every vulnerability to affect a hardware wallet, the developers and users didn't know it was possible, otherwise the vulnerability wouldn't exist. The fact remains that including any extraneous code, even if we all think it is safe, still poses a security risk. And even if it was 100% safe, I still disagree on principle. If they are willing to include this completely pointless code for no good reason, then what other meaningless "features" will they include in the future? This is the amateurish approach I was referring to. If you are creating and manufacturing a device which will be responsible for securing and protecting large amounts of money, then I expect you to take that seriously. Programming snake on to that device is not taking it seriously.

We criticize other hardware wallets for adding unnecessary features, like support for shitcoins, or a flashlight, or a fingerprint scanner. I don't see this as being any different.

Glad to hear it. Maybe I'll take another look at their devices.

Are you referring to the Passport's hidden game menu?
I understand that and brought it up myself in my review, but it's on a whole different level than adding support for one more coin.
The codebase for those games is relatively tiny, and has no access to the secure element / any interaction with the Bitcoin-related stuff whatsoever. I don't see an obvious way to mount a meaningful exploit from a bug in one of those games; the attack surface there doesn't seem very promising.

But of course, it's unnecessary and just the idea of adding 'bloat' of any kind is already wrong in the first place.
Gladly, batch 2 doesn't have games:
https://github.com/Foundation-Devices/passport-firmware/search?q=snake
https://github.com/Foundation-Devices/passport2/search?q=snake

Amateurish approach to security in general or just related to that hidden game menu?
Because general security-wise, everything seems very thought through and openly explained.
https://github.com/Foundation-Devices/passport-firmware/blob/main/SECURITY/SECURITY.md

I especially love that the open-source hardware can actually be verified for integrity through different means; if it wasn't, the benefit of open-source hardware would be somewhat limited for most users, especially when talking about security, supply chains and various types of hardware attack vectors.

That may be so, but the fact remains that it was designed by a blockchain analysis company to help promote government regulations. If random members of the community can see the inherent problems with that, then Trezor (and all the other wallets which initially signaled support) should have known better too.

But they still have a bunch of completely unnecessary code on their device. The entire point of wanting bitcoin only firmware is to minimize the attack surface. Throwing in a bunch of unnecessary code (for games, no less!) completely defeats that purpose, not to mention shows a very amateurish approach to security, and is one I simply cannot get behind, which is a shame because I do like the look of the Passport device otherwise.

Yeah. I own both Ledger and Trezor devices, although I haven't used either of them for serious amounts of coins in a long time now. More than happy with my various cold, airgapped, and paper wallets.

I would be careful with block/square in near future, because based on their history they have plan to sell this hardware wallets in big packages to various companies and bussiness, not so much directly to individuals.
Than this companies would offer Block wallets to people who work for them or their partners, along with other Point of Sale devices they offer.

I think Ledger is mostly targeting shitcoiners
All updates on their ledger live application is mostly altcoin related, adding and updating bunch of worthless tokens all the time.

I would say that Passport and Trezor are still on top, especially with upcoming Trezor device with new secure element and bitcoin only firmware.
Good alternative option is to step away from all manufacturers and make your own DIY devices with rapsberry pi zero and similar devices (seedsigner and krux).
I am saying anything is perfect, and there are always pros and cons for everything you choose.

To be fair, I personally believe the AOPP thing was 'easier to miss' - compared to integrating KYC - as it was disguised as 'well it's just simplifying message signing for users' (something that's always been possible and enforced by some exchanges).
So, a bunch of wallets I like and still use till today, just went with it and added AOPP support. Fortunately, they realized their mistake when the community pointed it out and reverted it in days, if not hours.

I can't really say for sure; there's no perfect device. But most focused, probably Foundation Passport, yes.

First criterion would be Bitcoin-only (at very least the option to get a Bitcoin-only firmware); that already eliminates a lot of hardware wallets.
My list after that criterion would be:

• Foundation Passport
• Trezor Model One & Model T
• Keystone Pro
• BitBox02 Bitcoin-only
• Coinkite ColdCard

Then, Bitcoin for me is synonymous with open-source and verifiability - hardware and software. This removes a few again, leaving us with the following (to the best of my knowledge).

• Foundation Passport
• Trezor Model One & Model T
• BitBox02 Bitcoin-only

It's worth keeping in mind that only the first of these 3 has no option for altcoins whatsoever (you fund altcoin support development by buying a device that can support alts).

I know I really sound like a Passport shill in threads, but I encourage anyone to read my honest, unsponsored review in which I point out all of its flaws and issues and I think I'm vocal enough about them. It's just that for me, as of now, it's the only device that ticks all the 'essential' boxes, even though it does have its flaws.

It is optional. The option is not to buy this custodial, impossible to properly back up, product and to buy a real hardware wallet or use an airgapped computer instead.

I do think dkbit98 has a point here. Even the two biggest "classic" hardware wallet manufacturers - Ledger and Trezor - have made a bunch of questionable decisions recently, such as Ledger integrating a KYC dedit card in to Ledger Live, and Trezor implementing AOPP before having to 180 and remove it after community backlash. It's quite clear that neither company is solely focused on a "commitment to Bitcoin ideals".

Which hardware wallet manufacturer would people say is the most focused in this regard? Passport?

The problem with making it optional is that it lacks the basic features required to use it standalone, that I listed above.

Honestly, I don't see this happening. I've yet to encounter anyone who likes the idea of such a device and Bitcoiners in general seem to get more educated and more cypherpunk - thus committed and usually able to handle their seeds themselves - by the day.
At most, a company like Ledger that is targeting non-Bitcoiners (watch their music video advertisements, NFT and Altcoin focus), may start rolling out something similar.

But fortunately, there are enough competent companies that I'm confident won't lose their focus on sovereignty and commitment to the Bitcoin ideals.

This is not their own invention by any means, I think that Blockstream (and maybe some other manufacturer) is using very similar strategy with their Jade hardware wallet for years.
I have nothing against people who want to use this babysitter approach, but make it optional and give people a choice to not use it if they want to take the risk.
Problem with this approach is that it could happen something similar like with iPhones, they remove chargers from box and next year everyone removes charger from packaging.
In scenario with Block hardware wallet taking big market share, other brands (like ledger) could easily follow to make similar change.

That's all well and good, but their idea of having a 2-out-of-3 multisig that can be restored through their servers after losing 2 user keys is privacy-infringing at best and insecure & unreliable / not resilient at worst.
I sincerely hope they strip that and make it just a hardware wallet with (obviously) the option of doing plain old, regular multisig. Offering users the option to give them one of the 3 keys, would still be possible.
But a few things are just needed for any good hardware wallet (non-exhaustive, just stuff that this current device is missing in its current form):

• Seed phrase backup / export
• Restorability without aid of external server
• Possible to use without external server
• Screen to verify transaction details

Block (ex Square) developers decided to reveal more information about their upcoming hardware wallet device, and this time they talked more about processors.
They first considered making their own open source ASIC processor but that would prolong release date, and have other complications along the road.
This is why they decided to choose one of three models, Secure Element (SE), System on Chip (SoC), and Microcontroller (MCU).
Final choice was Silicon Labs EFR32MG24 secure MCU  that is based on the ARM Cortex-M33 architecture, and they plan to release firmware and hardware design open source as much is possible.

Looking at their release design we can see device with usb-c connection, Li-Po battery, fingerprint sensor, nfc coil and rgb led.
In heart of everything is Silicon Labs EFR32MG24:


https://wallet.build/processing-our-processor-choice/
https://www.silabs.com/wireless/zigbee/efr32mg24-series-2-socs