
Topic: Which hardware wallets are open source? (Read 494 times)

legendary
Activity: 2730
Merit: 7065
September 27, 2022, 02:27:38 AM
#29
What gives anyone the right to 'take software and redistribute it (maybe with some changes)' without 'giving back' as in: allowing others to also take this modified version of the software - either to improve the original codebase or to make another product out of it?
Everything and nothing. It sounds more like a question of morality and doing the right thing rather than are you allowed to do it. If something is public and free, then that's exactly what it should be so everyone can use it. I understand that's not the case with MIT licenses, I am just saying. A morally corrupted individual will take someone's free work, wrap it up differently, and sell it as their own.       

I do personally believe that Coinkite removed easily identifiable references of using the Trezor library because of that, compared to Foundation Devices who are clear about it:
...
There are still some references in code comments, though...
https://github.com/Coldcard/firmware/search?q=trezor
Morally corrupted or morally deficient could be some of the ways I would describe such actions.
hero member
Activity: 924
Merit: 5943
not your keys, not your coins!
September 26, 2022, 02:20:38 PM
#28
You're not wrong, but e.g. their license would not permit them to copy a bug fix from a similar wallet, which is under MIT, due to this clause.
That's again political bullshit that doesn't have to be there. I understand why it is done that way. You have put restraints on your software that doesn't allow anyone to change it or redistribute it, and as a punishment, you aren't allowed to use anything we release either. Politics.
Don't know if that's your definition of politics, sure.
I think it's good that corporations can't just take FOSS code that people developed for free or made available free of charge and go sell it to customers for big money.
Keep in mind the 2 definitions of free: free as in freedom (free to use FOSS software, modify etc.) and free as in zero-cost (no licensing fees required).
Just like we value 'free' as in 'freedom' in Bitcoin in general; I believe that FOSS should really be the standard in this space.

What gives anyone the right to 'take software and redistribute it (maybe with some changes)' without 'giving back' as in: allowing others to also take this modified version of the software - either to improve the original codebase or to make another product out of it?

I didn't know that. So if I have a piece of software, it needs to be released under an MIT license for me to use any code from any other MIT licensed software?
Correct; that's pretty much the whole gist of the MIT license.

But wasn't ColdCard forked from Trezor's source code, which is also released under an MIT license?
I believe it just uses Trezor's crypto library, which is tried and tested, just like most other hardware wallet vendors. Because, well, it's tried and tested. But that requires the new product to be MIT, as well. Trezor just can't be bothered suing the Coinkite dev team, I guess, but they could easily do that, yes.
I do personally believe that Coinkite removed easily identifiable references of using the Trezor library because of that, compared to Foundation Devices who are clear about it:

  • trezor-firmware Contains a copy of the Trezor source code in order to use Trezor's crypto library. We will likely make this into a git submodule soon to make it even easier to keep the library up to date.

There are still some references in code comments, though...
https://github.com/Coldcard/firmware/search?q=trezor
legendary
Activity: 2730
Merit: 7065
September 26, 2022, 01:58:19 PM
#27
You're not wrong, but e.g. their license would not permit them to copy a bug fix from a similar wallet, which is under MIT, due to this clause.
That's again political bullshit that doesn't have to be there. I understand why it is done that way. You have put restraints on your software that doesn't allow anyone to change it or redistribute it, and as a punishment, you aren't allowed to use anything we release either. Politics.
 
I didn't know that. So if I have a piece of software, it needs to be released under an MIT license for me to use any code from any other MIT licensed software? But wasn't ColdCard forked from Trezor's source code, which is also released under an MIT license?

Not having an MIT (or similar) license also doesn't permit users to fork the code to add features, fix bugs or continue supporting it after official vendor support ends.
Sadly, that's all true.
legendary
Activity: 1106
Merit: 1372
September 26, 2022, 12:48:24 PM
#26
It's really shocking that I'm just knowing that hardware wallets are of two types just like every other PC and mobile wallets, my thought was every hardware wallets are fully open source until a day ago thanks to this forum still but now which hardware wallet is open source?

Which of them? You would have to name the two types of hardware wallets which you have known, for others that do not know would come to know it from you. The senior men have given you links and some of the open source wallets. If you like to read articles, you can read this to learn more [BTCDirect] and also use Google to do more research and read more on it.

The following are some of the open source cryptocurrency wallets. Copay, MyEtherWallet, mSIGNA, Electrum is one of the best for now. You can read more on https://opensource.com/article/18/7/crypto-wallets; they are all well explained there. Since you have not gotten enough experience on wallets, please be careful when using open source wallets.
hero member
Activity: 924
Merit: 5943
not your keys, not your coins!
September 26, 2022, 10:04:20 AM
#25
But allowing/not allowing you to use the source code, making something out of it yourself, and redistributing it, doesn't affect your use of the hardware wallet and its software. Again, assuming you can verify that everything is as it should be.
You're not wrong, but e.g. their license would not permit them to copy a bug fix from a similar wallet, which is under MIT, due to this clause.
Especially looking at something like the Trezor crypto library, which is shared by a lot of hardware wallets and that is / needs to be updated from time to time, I can see how this may cause security issues.
However, mk1 to mk3 are not reproducible by WalletScrutiny as of today (09/25/2022)!
I think this is the case with many other wallets listed on WalletScrutiny right now, maybe they need more time to update and test latest released wallet versions.
WalletScrutiny doesn't have a big team of people, so we can't expect them to be up to date all the time, but I think they accept help from volunteers.
True; we can donate though, so they can take a bit more time out of their day to do this free service and update wallets more frequently.
legendary
Activity: 2212
Merit: 7064
September 26, 2022, 09:49:57 AM
#24
However, mk1 to mk3 are not reproducible by WalletScrutiny as of today (09/25/2022)!
I think this is the case with many other wallets listed on WalletScrutiny right now, maybe they need more time to update and test latest released wallet versions.
WalletScrutiny doesn't have a big team of people, so we can't expect them to be up to date all the time, but I think they accept help from volunteers.
There is also an option of using an alternative to WalletScrutiny, called BitcoinBinary, but note that this website is owned by ColdCard ;)
https://bitcoinbinary.org/
legendary
Activity: 2730
Merit: 7065
September 26, 2022, 02:53:15 AM
#23
Do keep in mind that if ColdCard were reproducible, there may be a point considering it (even though the non-open source license is like, super fishy and anti-Bitcoin and everything).
However, mk1 to mk3 are not reproducible by WalletScrutiny as of today (09/25/2022)!
I was talking about the Mk4 only. Wallet Scrutiny has still not finalized their review for this device and it's tagged as Under Development right now. I am curious what the final verdict will be like once they do.

This means whatever compiled firmware binary you are installing to your device, may be compiled from entirely different source code!
I can't state this enough: open-source code is nothing without verifiable builds. Do not trust - verify.
No arguments there. We agree on the importance of the verifiability of the code. If you want to verify the builds and there is a way to do that, that's what I would focus on. That's where you will see if you are using the real thing or not.

The choice to allow/disallow the redistribution of the code through an open-source license is politics. It doesn't affect the security and verifiability of the hardware wallet (assuming you can build the code from its source). That's why I feel like it's important to distinguish the two. People can consider that to be the wrong approach and I don't disagree. But allowing/not allowing you to use the source code, making something out of it yourself, and redistributing it, doesn't affect your use of the hardware wallet and its software. Again, assuming you can verify that everything is as it should be.
hero member
Activity: 924
Merit: 5943
not your keys, not your coins!
September 25, 2022, 03:03:41 PM
#22
ColdCard is a good example of a trusted wallet that does not use open source licensing for its firmware. The software is still transparent, allowing for the community to review it. However, ColdCard's firmware licensing prohibits redistribution of the software (or firmware, in this case.) This is designed to protect Coinkite's intellectual property, while allowing for the community to verify it is safe to use.
I remember there was some talk about this back when the Mk4 was released and many users were against such a way of licensing. Even though ColdCards don't qualify to be called open-source, those who want to review it and understand the code can do so. That should be the main focus point if you don't want to use closed-source software. Other peculiarities and licensing characteristics that restrict the redistribution of the software shouldn't be something the end-user needs to care about.
Do keep in mind that if ColdCard were reproducible, there may be a point considering it (even though the non-open source license is like, super fishy and anti-Bitcoin and everything).
However, mk1 to mk3 are not reproducible by WalletScrutiny as of today (09/25/2022)!

https://walletscrutiny.com/hardware/coinkite.coldcard.mk1/
https://walletscrutiny.com/hardware/coinkite.coldcard.mk2/
https://walletscrutiny.com/hardware/coldcardMk3/

This means whatever compiled firmware binary you are installing to your device, may be compiled from entirely different source code!
I can't state this enough: open-source code is nothing without verifiable builds. Do not trust - verify.
WalletScrutiny does verify and find that ColdCard builds are not created from the latest version of the source code CoinKite provides.

Also, do be aware that checksums don't give you a hint about how much has been changed, just that something changed. It can range from a single variable change in the source code to giving you fully NSA-backdoored binaries.
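The point above about checksums, as an added example that is not part of any post and is not WalletScrutiny's own procedure: when a locally built image and the released binary hash differently, a byte-range comparison shows how much differs and where. The image layout (a body followed by a 64-byte vendor signature that a local build cannot reproduce) and all byte strings are constructed assumptions for illustration.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def diff_ranges(a: bytes, b: bytes, merge_gap: int = 8) -> list:
    """Half-open (start, end) offsets where a and b differ over their common
    length. Runs separated by at most merge_gap equal bytes are merged."""
    ranges, start, last = [], None, -1
    for i in range(min(len(a), len(b))):
        if a[i] != b[i]:
            if start is None:
                start = i
            last = i
        elif start is not None and i - last > merge_gap:
            ranges.append((start, last + 1))
            start = None
    if start is not None:
        ranges.append((start, last + 1))
    return ranges


def compare_builds(local: bytes, released: bytes, ignore=()) -> dict:
    """Compare a local build with the released binary.

    ignore: (start, end) regions that are expected to differ, such as a
    vendor signature (hypothetical layout, supplied by the caller)."""
    ranges = diff_ranges(local, released)
    unexplained = [
        (s, e) for s, e in ranges
        if not any(r_start <= s and e <= r_end for r_start, r_end in ignore)
    ]
    if local == released:
        verdict = "reproducible"
    elif len(local) == len(released) and not unexplained:
        verdict = "reproducible except ignored regions"
    else:
        verdict = "not reproducible"
    return {
        "local_sha256": sha256_hex(local),
        "released_sha256": sha256_hex(released),
        "size_delta": len(released) - len(local),
        "diff_ranges": ranges,
        "unexplained": unexplained,
        "verdict": verdict,
    }


# Constructed sample images (not real firmware).
BODY = bytes(range(256)) * 4                 # 1024-byte "code" section
SIG_REGION = (len(BODY), len(BODY) + 64)     # assumed trailing signature slot
LOCAL = BODY + bytes(64)                     # local build: signature left empty
RELEASED = BODY + bytes([0xA5]) * 64         # vendor release: signature filled in
_t = bytearray(RELEASED)
_t[300] ^= 0x01                              # one flipped bit inside the code
TAMPERED = bytes(_t)

if __name__ == "__main__":
    for name, image in (("released", RELEASED), ("tampered", TAMPERED)):
        report = compare_builds(LOCAL, image, ignore=[SIG_REGION])
        print(name, report["released_sha256"][:16], report["verdict"],
              report["unexplained"])
```

Both sample images fail a plain checksum comparison against the local build; only the range report separates the expected signature difference from the changed byte in the code section.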
legendary
Activity: 2730
Merit: 7065
September 25, 2022, 10:48:20 AM
#21
ColdCard is a good example of a trusted wallet that does not use open source licensing for its firmware. The software is still transparent, allowing for the community to review it. However, ColdCard's firmware licensing prohibits redistribution of the software (or firmware, in this case.) This is designed to protect Coinkite's intellectual property, while allowing for the community to verify it is safe to use.
I remember there was some talk about this back when the Mk4 was released and many users were against such a way of licensing. Even though ColdCards don't qualify to be called open-source, those who want to review it and understand the code can do so. That should be the main focus point if you don't want to use closed-source software. Other peculiarities and licensing characteristics that restrict the redistribution of the software shouldn't be something the end-user needs to care about.
copper member
Activity: 2338
Merit: 4543
September 23, 2022, 12:21:36 PM
#20
It's really shocking that I'm just knowing that hardware wallets are of two types just like every other PC and mobile wallets, my thought was every hardware wallets are fully open source until a day ago thanks to this forum still but now which hardware wallet is open source?

I, myself had some confusion about this until a few months ago when I was doing some research about Coinkite's ColdCard hardware wallet.  The thing to keep in mind is that the term "open source" specifically applies to the licensing of an application.  There are several licensing structures that qualify as "open source" but one of the most common is the MIT License.  Essentially, open source licensing is very permissive, i.e. one can copy the software, change it, redistribute it, even profit from it without fear of legal repercussions.

ColdCard is a good example of a trusted wallet that does not use open source licensing for its firmware. The software is still transparent, allowing for the community to review it. However, ColdCard's firmware licensing prohibits redistribution of the software (or firmware, in this case.) This is designed to protect Coinkite's intellectual property, while allowing for the community to verify it is safe to use.

Ledger is another example; their firmware is not open source, and as far as I know, it's not available for review. Ledger uses a secure element, and I assume they are concerned that if they disclose the firmware that someone could use it for malicious purposes. However, Ledger Live, the desktop application, is open source and adheres to the MIT License.

Personally, I'm partial to open source hardware wallets and I also recommend the Trezor, which I own and use regularly.  I do also own and use a ColdCard.  The important thing is to know what you're dealing with and assess your own comfort level with the device you choose.
hero member
Activity: 686
Merit: 403
September 23, 2022, 10:38:20 AM
#19
Look like targeted ads :D


What do you mean by targeted ads?
full member
Activity: 310
Merit: 151
Hardware and open source software solutions.
Look like a targeted ads :D

legendary
Activity: 2730
Merit: 7065
March 26, 2022, 03:59:51 AM
#17
They have shipping facility for the world but there is policy differentiation depending on the country you want to order for the bitbox02

Quote
The majority of our orders are shipped 'Duties & Taxes Paid (DDP)', which means we pay your country's import taxes & duties for you.

If DDP isn't available for your destination country, the order will be shipped DDU which means you will have to pay any applicable import duties & taxes to your local authorities.

During checkout, on the page where you choose your shipping method, our webshop will show you if DDP is available for your destination country.

Check here for your country: shipping policy for Bitbox02
The shipping information section isn't exactly helpful. Judging by the information they provided, they pay for the duties and taxes if the HW is shipped to the European Union, United States, and the rest of the world. One might think it's all DDP. You have to pay close attention to what it says during checkout so you don't get a surprise call from a customs officer.

Their shipping fees aren't expensive. Depending on where you are in the EU, the standard fees are €4-9.   
legendary
Activity: 1974
Merit: 2124
March 22, 2022, 07:20:50 AM
#16
Where I live, the BitBox02 is available on Amazon through the official store of the producer.
I am not sure this is the case worldwide.
They have shipping facility for the world but there is policy differentiation depending on the country you want to order for the bitbox02

Quote
The majority of our orders are shipped 'Duties & Taxes Paid (DDP)', which means we pay your country's import taxes & duties for you.

If DDP isn't available for your destination country, the order will be shipped DDU which means you will have to pay any applicable import duties & taxes to your local authorities.

During checkout, on the page where you choose your shipping method, our webshop will show you if DDP is available for your destination country.

Check here for your country: shipping policy for Bitbox02

You can have the bitcoin edition or multi edition supporting ETH, litecoin and ERC-20 tokens at the price of €119 if you have no tax duties to be paid for.

The additional combo bundle of protection like steelwallets and backup cards can also be of use in case you need to store your seed phrases but there are much better options to backup them safely. So do the full research for you first of all.
legendary
Activity: 1512
Merit: 4795
March 22, 2022, 02:00:30 AM
#15
Can one purchase this hardware wallet on Amazon store or Newegg? Also can you drop me the official link to this wallet website thank you.
BitBox02 official website: https://shiftcrypto.ch/bitbox02/. You can also buy directly from the official website.
legendary
Activity: 2380
Merit: 17063
Fully fledged Merit Cycler - Golden Feather 22-23
March 21, 2022, 02:11:32 PM
#14
Where I live, the BitBox02 is available on Amazon through the official store of the producer.
I am not sure this is the case worldwide.

The link is literally on my previous post.

hero member
Activity: 686
Merit: 403
March 21, 2022, 01:04:05 PM
#13
Bitbox02 by ShiftCrypto is open source:
/cut/

Yes, the Bitbox hardware wallet is already on the [ LIST] Open Source Hardware Wallets compiled by dkbit98. According to their official website, the BitBox02 firmware was audited by Census Labs along with consulting done by multiple third-party security firms.

Can one purchase this hardware wallet on Amazon store or Newegg? Also can you drop me the official link to this wallet website thank you.
full member
Activity: 1008
Merit: 139
March 18, 2022, 06:18:19 AM
#12
Bitbox02 by ShiftCrypto is open source:
/cut/

Yes, the Bitbox hardware wallet is already on the [ LIST] Open Source Hardware Wallets compiled by dkbit98. According to their official website, the BitBox02 firmware was audited by Census Labs along with consulting done by multiple third-party security firms.
legendary
Activity: 2380
Merit: 17063
Fully fledged Merit Cycler - Golden Feather 22-23
March 17, 2022, 05:26:12 PM
#11
Bitbox02 by ShiftCrypto is open source:

https://shiftcrypto.ch/bitbox02/security-features/

Quote
Open-source
Hide nothing by open sourcing everything, including the firmware on the BitBox02, the BitBoxApp, and x rays of the hardware, schematics.

Link to GitHub Repository:
https://github.com/digitalbitbox/

legendary
Activity: 2744
Merit: 4065
March 17, 2022, 06:14:47 AM
#10
It's really shocking that I'm just knowing that hardware wallets are of two types just like every other PC and mobile wallets, my thought was every hardware wallets are fully open source until a day ago thanks to this forum still but now which hardware wallet is open source?
The fact that the wallet is fully open source will not benefit you as a newbie coder, but rather the number of people who have reviewed it and whether you trust their feedback or not, otherwise you will need to do it yourself.

So make sure that the wallet uses the same source code, look for people who review those codes or choose someone you trust otherwise, being an open or closed wallet is one thing for you.

If you don't want to bother your head, follow the tips above, but knowing more things won't hurt you.
legendary
Activity: 2730
Merit: 7065
March 17, 2022, 04:09:51 AM
#9
Is open source software synonymous with security and reliability?
No. It's synonymous with transparency and verifiability. Open-source software can still be malicious, badly written, and full of bugs. It just comes down to when those issues will be discovered, reported, and/or fixed. 

Why is there such 100% trust in the open source?
Only because you can check what you are running and what the software does. In reality, most people don't check the code, but they like that others can.

Could it be that Trezor or other HW brand puts one piece of software on public display, but installs a completely different one on their devices? Is it possible to implement it in such a way that it can't be verified?
You could have the users install one piece of software but make something else public. But if you compared those two codebases and tried to reproduce it, you wouldn't be able to do that. Therefore, it's not the same software. If you are really unlucky, you could install a malicious update and face the consequences before the issues are found and corrected. But the advantage of open-source over closed-source is that experts can find those problems by looking at the code. With closed-source, there is nothing to look for because it's not made public. 
hero member
Activity: 686
Merit: 403
March 16, 2022, 09:49:58 AM
#8
It's really shocking that I'm just knowing that hardware wallets are of two types just like every other PC and mobile wallets, my thought was every hardware wallets are fully open source until a day ago thanks to this forum still but now which hardware wallet is open source?

I believe Trezor hardware wallet is 100% open source and highly secure, with a similar level of security to hardware wallets such as the Ledger Nano S and other commercial devices. The Trezor Wallet has also been around for years and already has an excellent reputation.

For a complete list, you can check out the post that OmegaStarScream has already recommended:
[ LIST ] Open Source Hardware Wallets

Do open source devices give you the feeling that your funds will be safe? Is open source software synonymous with security and reliability? Why is there such 100% trust in the open source?

Could it be that Trezor or other HW brand puts one piece of software on public display, but installs a completely different one on their devices? Is it possible to implement it in such a way that it can't be verified?
It all comes down to one thing though, whichever crypto wallet you decide to use you need to store your recovery phrase in a safe location yourself, no wallet can keep it safe for you not even a hardware wallet.
legendary
Activity: 2968
Merit: 3406
March 14, 2022, 01:16:55 PM
#7
two types just like every other PC and mobile wallets,
Technically, there are also custodial and non-custodial variations... Depending on how you use/keep your funds with certain apps [in HW], the former could also apply to your HW [e.g. staking]!

I believe Trezor hardware wallet is 100% open source and highly secure, with a similar level of security to hardware wallets such as the Ledger Nano S
It's worth noting that both Trezor models don't have "secure elements" while Ledger models aren't "fully" open-source.

Could it be that Trezor or other HW brand puts one piece of software on public display, but installs a completely different one on their devices? Is it possible to implement it in such a way that it can't be verified?
In addition to @witcher_sense's comment, we have multiple sources that check if they're reproducible or not [SS of the HW section]:
Note: It doesn't mean they're 100% safe, but it's a good start!

legendary
Activity: 2464
Merit: 4419
🔐BitcoinMessage.Tools🔑
March 14, 2022, 03:44:18 AM
#6
Do open source devices give you the feeling that your funds will be safe? Is open source software synonymous with security and reliability? Why is there such 100% trust in the open source?

Could it be that Trezor or other HW brand puts one piece of software on public display, but installs a completely different one on their devices? Is it possible to implement it in such a way that it can't be verified?
Being open-source by itself doesn't guarantee perfect security or safety of your funds. Moreover, when it comes to less popular hardware wallets, where code is not well-reviewed and tested, the chances that there are vulnerabilities sitting somewhere are very high. So, it is not recommended to use hardware wallets no one knows about even if open-source is their selling point. Also, there is no such thing as "100% trust in the open-source" unless you're not capable of verifying and testing everything yourself. Then the only option you would have is to trust someone else. Skilled programmers don't trust, they test and verify. Trezor can potentially publish for download the malicious versions of their software, but they can't do that without publishing the source code for this software. A skilled programmer can build software from published source code and compare it to what has been presented for download by Trezor. If it doesn't match the source, then Trezor went closed-source or malicious and therefore cannot be trusted anymore.
legendary
Activity: 1792
Merit: 1296
March 14, 2022, 03:04:20 AM
#5
It's really shocking that I'm just knowing that hardware wallets are of two types just like every other PC and mobile wallets, my thought was every hardware wallets are fully open source until a day ago thanks to this forum still but now which hardware wallet is open source?

I believe Trezor hardware wallet is 100% open source and highly secure, with a similar level of security to hardware wallets such as the Ledger Nano S and other commercial devices. The Trezor Wallet has also been around for years and already has an excellent reputation.

For a complete list, you can check out the post that OmegaStarScream has already recommended:
[ LIST ] Open Source Hardware Wallets

Do open source devices give you the feeling that your funds will be safe? Is open source software synonymous with security and reliability? Why is there such 100% trust in the open source?

Could it be that Trezor or other HW brand puts one piece of software on public display, but installs a completely different one on their devices? Is it possible to implement it in such a way that it can't be verified?
legendary
Activity: 1512
Merit: 4795
March 13, 2022, 02:12:58 PM
#4
OmegaStarScream has already provided a link which would be highly helpful.

I believe Trezor hardware wallet is 100% open source and highly secure, with a similar level of security to hardware wallets such as the Ledger Nano S and other commercial devices. The Trezor Wallet has also been around for years and already has an excellent reputation.
Trezor is completely open source but people should be careful of a physical attack that can be used to reveal the seed phrase of Trezor wallet, so people should protect their Trezor wallet from even offline attackers which is very necessary. Using passphrase can be very helpful because different keys and addresses will be generated entirely if passphrase is used while generating keys and addresses. The passphrase is not stored on Trezor, it will only be known to owner, backup the seed phrase and the passphrase differently in different locations.

But for wallet recovery, both seed phrase and passphrase are needed, if the seed phrase or the passphrase is lost, then the coin is lost.
full member
Activity: 1008
Merit: 139
March 13, 2022, 01:19:06 PM
#3
It's really shocking that I'm just knowing that hardware wallets are of two types just like every other PC and mobile wallets, my thought was every hardware wallets are fully open source until a day ago thanks to this forum still but now which hardware wallet is open source?

I believe Trezor hardware wallet is 100% open source and highly secure, with a similar level of security to hardware wallets such as the Ledger Nano S and other commercial devices. The Trezor Wallet has also been around for years and already has an excellent reputation.

For a complete list, you can check out the post that OmegaStarScream has already recommended:
[ LIST ] Open Source Hardware Wallets
staff
Activity: 3500
Merit: 6152
March 13, 2022, 12:18:15 PM
#2
Here's a list made by dkbit: https://bitcointalksearch.org/topic/list-open-source-hardware-wallets-5288971

If you're looking to buy one, then I would recommend you go with Trezor. It's the most reputable one.
hero member
Activity: 686
Merit: 403
March 13, 2022, 12:08:14 PM
#1
It's really shocking that I'm just knowing that hardware wallets are of two types just like every other PC and mobile wallets, my thought was every hardware wallets are fully open source until a day ago thanks to this forum still but now which hardware wallet is open source?