Topic: Thoughts about Passport hardware wallet - page 7. (Read 2279 times)

I had forgotten all about this wallet, and I thank you for bumping this thread--in particular for showing the image with the "I do not consent to the search of this device" sticker, which I had to look for on EFF's website.  I love that, though I don't know what legal weight, if any, it carries as a statement to LEOs.  I also wasn't aware of the existence of EFF or much about the Free Software Foundation but bookmarked both of their sites to look at later.

But yeah, for as ugly-looking a wallet as this one is (it looks uglier to me than the first time I posted in this thread), the price is just way too steep.  By a factor of around 3, I'd say.  If it was going for $100 or less and I needed a hardware wallet or a crypto collectible, I might consider it if I had the extra money.  But $299?  Hell no.

Passport hardware wallet by Foundation Devices is now one of the five hardware wallets (Trezor One, Trezor Model T, Bitbox02, KeyKey) that are reproducible when tested by WalletScrutiny.
Even Coldcard still isn't reproducible, and Passport code is based on Coldcard firmware but they created new repository and made some code changes (it would be interesting to compare two repositories).
Passport has been audited by Keylabs and there is bug bounty program if you find any bugs in their firmware or software

Latest Passport firmware version is  v1.0.6 and only thing that is stopping me to buy one of this nokia-like devices is price of $299 :/
https://github.com/Foundation-Devices/passport-firmware/releases



You can read full report and analysis in this link:
https://walletscrutiny.com/hardware/passport/

Shipping and customs would be expensive for me, but I would order one of this devices if I lived in United States or Canada, just for testing and comparing with other hardware wallets.
Passport is very similar with Colcard wallet, it uses their modified open source code and they have exact same secure element ATECC608A.
I even heard they gave away some free devices for testing and posting video reviews.

I also don't plan on buying one for $300, but I did see this video a couple weeks back: https://www.youtube.com/watch?v=G2zWGCCF8mo

It's a bit drawn out and could use some much better editing, but it gives you a good idea of how the device works. I quite like the validation process of scanning a QR code from their website with the device and then entering validation words, but I'm not sure how easy something like that would be to spoof or bypass. It has a boot counter, which is cool.

However, I really don't like that its standard back up is to a SD card, with the advice to store the decryption key for this back up in a password manager, all the while saying that writing down your seed phrase is only for "experienced users".

Bit of a necro bump here, but I was looking for another post and saw this one.
Checked the https://foundationdevices.com/ site and saw that they are shipping.
BUT they say ship in 7 - 10 days from order, so they might be 3D printing the cases as needed.

Anybody out there order one? As I said a few post up at $299 I am way to cheap to get one.

-Dave

On the price / quality thing. Yes...with a but or no...with a however.
It's a security device not thing to be displayed. It is probably going to be kept in a safe / locked cabinet / whatever. So is it better then just a cheap ugly piece of plastic?
So yeah the better quality materials have an advantage but it's still more then 2.5X the price.
Made in USA vs. Made is Canada it's all the same more or less. And I say this as an American. It's not like it's coming from the 3rd world.

As for the license, I wonder if you could argue that since the old one is still up there it's still valid.
Would probably be an interesting court case.

-Dave

That is their old license, and now they have new CC Commons Clause license:
https://github.com/Coldcard/firmware/blob/master/COPYING-CC

I agree price is higher, but they use more quality materials than ColdCard and everything is made in US.

As of now it looks like they have not changed their license on the github page: https://github.com/Coldcard/firmware/blob/master/LICENSE
Going with a bit of snark here but if Passport keeps their price @ $299. they probably will not have to worry because they are not going to sell that many.

It's big and expensive. Nice concept but I can't see them moving many at that price. $199 or $149 would be better.

Just my view.

-Dave

Passport wallet release sneak peak unboxing and testing video for their wallet:
https://youtu.be/_PacNqlz2Co?t=153

I am not sure how they are going to work with firmware updates in future, because Colcard wallet is not open source anymore and they switched to Commons license, so nobody can use their code anymore.

Some updates and images from Passport wallet.

Copper-plated interior frame:
https://twitter.com/FOUNDATIONdvcs/status/1319682611384639492

Forged from zinc-alloy:
https://twitter.com/FOUNDATIONdvcs/status/1316750097821114369

Video showing navigation menu:
https://twitter.com/FOUNDATIONdvcs/status/1317142594326040582

What the individual parts are actually worth is a meaningless metric really... Personally, I don't think iPhones and Galaxy S20's are worth USD$1000... and their internal components are definitely not worth that much... but the companies think that enough consumers think they are, and based on the retail sales volumes, enough consumers do think they are!

Is it a "scam"?... no, of course it isn't... Companies are free to charge whatever they like for their products, no one is forcing you to buy it. As long as it is a hardware wallet that delivers all the promised specs/features, then it's not a scam... arguably, it is "over-priced"... but it's not a scam

Having said that, I just don't see enough of a value proposition for this device to be worth $299... especially when you stack it up against competing devices like coldcard, trezor, ledger etc... which are less than half the price.

Make it for 10 bucks like you said you can.  

I learned math in school so I can count.
Coldcard wallet, as original product is also not so cheap like Trezor or Ledger.
Old calculator style is also not modern and attractive, and it's current price for Coldcard™ Mk3 is $119.97
Is that also a scam?  

It's easy to say imagination price for any product including Passport, but real facts are different.


I would not buy it even if they drop the price, but my prediction is that price can only rise, as presale prices are often lower then regular price.

Ye.. that's a scam.
This device isn't even close to being worth 100$. That's a rip-off.




Not really.
It is more like: We have well known brands having flag ship smartphones for 500$, then a new brand no one knows brings out a new smartphone with the same specs and an outdated appearance, demanding 2000$.
That's an absolutely exorbitant price.

Making it worse is that most of the OS is coming from ColdCard and so is a large amount of the hardware design. Yes, they still have to do a lot of work / tweaks but they already know what and how things work, they just have to tweak it to what they want.

Hoping the price drops before release.

-Dave

Research, development... production costs of making what will no doubt be a limited run of essentially bespoke devices (even if they are built using "open" hardware).

There is always a fairly significant amount of time, effort and money spent on bringing a product to market... My guess is that they're just trying to recover these costs. Sadly, in a market that has two well established leaders which are already at significantly lower price points, it is going to be difficult for them to sell many units.

Imagine if Apple/Samsung were selling $500 flagship smartphones... and Google/OnePlus showed up with a $1000 smartphone... because that's pretty much what the Passport folks are attempting to do here

That's... a deal breaker.  Especially considering this is supposed to be open hardware that you can build yourself, then what justifies the big price tag?

Nice find. They hide it deep in FAQ page.
I would never pay this much for any hardware wallet, especially something new like Passport,
but maybe other smarter members will take a challenge and make it 10 times cheaper, and I may buy from them,
but they probably never held soldering iron in their hands.

FAQ says it will be $299

https://foundationdevices.com/faqs/?v=7516fd43adaa

I'm guessing the microSD card can be taken out and replaced, although I don't see a practical reason for doing that unless the entire hardware wallet state is stored on it. It could also be that the whole wallet OS is stored on it too, no details about that were given by the website however. They say the hardware is open but what really defines open hardware? An open hardware device sounds like skilled people will be able to reverse engineer the software running it, for the software must also be open for some open hardware to run on it, because by reason software that is proprietary and closed to the vendors making the hardware wallet can't be ran on open hardware.

All that sounds needlessly abstract and there has to be a standard to measure open hardware by. At least to me, someone showcasing open hardware feels like end users can build their own device with similar components from scratch, or at least having the ability to replace every single part inside (like software). No obscure screws or gluing that is not available in retail markets.

What I'm trying to say is, I don't think open hardware is inherently safer than conventional hardware, if someone can figure out all the signals sent to pins that make the device do different internal functions. Specifically, someone could build an SD card that sends a different encrypted private key belonging to a hacker when a read for that private key file is queued by the OS, and that's doable since the SD card ultimately handles reading and writing data.

It wouldn't be able to silently replace the private key file at write time with its own (stealing private keys) because the encryption happens in the memory module not in the SD card, so some attack vectors are thwarted but only as long as you can't control the piece of hardware that's responsible for the operation you want to tamper with. Now if someone also replaced the memory in open hardware with a malicious one that retains the private keys unencrypted when the device is trying to encrypt them to save to disk, then stealing the private key becomes possible, just take out the SD card and connect it somewhere else to copy the private key.

And that's just one of several attack vectors that open up by controlling a second component. So eventually, again assuming "open hardware" means people can build a lookalike or replace parts inside, the more components you can replace, the more parts of the device you control which means more security holes pop up, and thinking about security holes in the sense of real holes in a wall, if you keep drilling holes in the wall the whole wall will be gone, and if you have control of replacing over all hardware parts, the entire security system collapses.

Same thing applies to the camera, or any other hardware part for that matter, if someone can replace the camera with one that's programmed to change all QR codes into a set of predefined QR codes corresponding to hacker addresses and transactions.

Without going off topic I'll also mention that both an open CPU architecture, ARM cortex, and closed ones, Intel and AMD, were all vulnerable to a hardware flaw called Spectre that controls hardware how I described it above. And nobody even had to replace hardware parts for the flaw to get in, it was accidentally included in the hardware design. So both "open hardware" and closed hardware are both vulnerable to design errors.

---

The Passport doesn't feel like open hardware at all, because all we can see right now are a list of parts inside and some specifications. Every device has those.

Make it for $10 bucks, maybe you get rich.
We can also make a bet and see who will predict correct price for this device.

Trezor is also cheap to make, but they sell it for higher value because they want to make profit and not charity.


Nope.