The guide seems reasonable, and nice to see some work being put into this.
Here is my method for secure cold storage:
1) Start with clean, offline computer, with wireless capability disabled
There is no clean pc if the BIOS and CPU firmware is closed source.
The wireless should be detached physically, disabling it in the BIOS is not good enough, a sophisticated malware that is embedded in the CPU can easily send out keys through the wireless port covertly, wtihout the host OS noticing it. It would be totally passive, no way to detect it.
Can't comment on the crypto & key generation part, that is not my area, but it seems flawed to manually mess around with the key.
Yes, absolutely better to physically remove wireless capabilities. Older computers are better for this purpose, with Pentium-era laptops being a more than sufficient. As far as open BIOS and CPU... you have to ask yourself on an isolated machine, what is the 'sophisticated malware' embedded in the BIOS or CPU capable of doing? Exhilarating keys... perhaps, but being aware of the higher level software to the extent of being able to compromise different applications (which most likely didn't even exist at the time the supposed malware was written) in an identical fashion, which in this example would have to mean making the multiples instances give the same incorrect address derivation, I don't think is a plausible vector.
But yes, a modern machine where the wireless capabilities cannot be disabled, that is certainly riskier. One solution is to go somewhere with no surrounding wireless signals, like a cabin in the woods.
6) I archive private keys as appropriate, via encrypted thumb drives and paper backups which I cut (with scissors) into fragments and distributed.
7) The addresses I isolate and make available to online machines.
The nice part about this method is, between modifying the private keys by hand, and cross referencing address generation among different pieces of software, the opportunity for malicious software to compromise funds is severely limited.
A thumb drive can easily have a malware in the MBR sector that can just save your secret key there and wait for the PC to connect to the internet and send it out covertly.
There were actual cases of this happening at some corporation, some corporate secrets leaked this way from a secure offline computer, look it up in the news.
Yeah, my post didn't address a procedure for spending from the secure private keys. You are right that contaminated drives are a risk.
For big balances, I would manually type an archived key into a clean, offline computer that had wallet software capable of generating an offline-transaction. Compare the transaction to one generated by different software. Copy onto a fresh thumb drive, and bring over to an online computer to broadcast the transaction.
For the truly paranoid, use multiple clean intermediary computers, with different operating systems. Copy the transaction onto the intermediary computer, and then copy it onto a clean thumb drive. The more hops, the less likely the private key is secretly getting dragged along with the signed tx.
