Bitcoin Forum
December 11, 2018, 06:18:12 AM *
Author Topic: Do you REALLY trust hardware wallets?  (Read 470 times)
gentlemand
Legendary
*
Offline Offline

Activity: 1848
Merit: 1332


Always remember - I love you


View Profile
March 06, 2018, 04:04:45 PM
 #1

So Ledger are releasing a soon to be mandatory update for the Nano S.

The reason is hinted at here - https://twitter.com/spudowiar/status/970977060134023168

I've read elsewhere that physical access is required for any issues so everyone should be fine.

However I can only imagine the amount of problems that pop up will increase as the amount of money lurking on hardware wallets accelerates. The incentives are just too enormous.

I'm nowhere near savvy enough to know whether something is coded well but I have faith in the creators and coders to do their best to stay on top of things, however there's no shortage of dodgy people with matching skills who'll go all out to beat them and it could be a finely balanced race.

Will you choose to keep the faith no matter what happens or regress to things like paper wallets if more weirdness emerges?

Xynerise
Sr. Member
****
Offline Offline

Activity: 280
Merit: 281

39twH4PSYgDSzU7sLnRoDfthR6gWYrrPoD


View Profile
March 06, 2018, 07:33:35 PM
 #2

You can check the source code of the hardware wallet applications for the Ledger, and inspect the firmware source code of the Trezor.
Also you are in possession of the hardware itself so you can break it down and tinker with it to your satisfaction to check if it's broken or not.
gentlemand
Legendary
*
Offline Offline

Activity: 1848
Merit: 1332


Always remember - I love you


View Profile
March 06, 2018, 07:38:37 PM
 #3

You can check the source code of the hardware wallet applications for the Ledger, and inspect the firmware source code of the Trezor.
Also you are in possession of the hardware itself so you can break it down and tinker with it to your satisfaction to check if it's broken or not.

It's a wonderful idea but most people, including myself, are clueless about this stuff.

And the thing that worries me a tad are all of the yet to be discovered issues waiting to be uncovered, not the existing integrity of their setups. Nothing is 100% and eternally foolproof. If there's some complexity it's likely there's something in there waiting to be exploited that hasn't been accounted for.

BitCryptex
Sr. Member
****
Offline Offline

Activity: 420
Merit: 385


Write @BitCryptex or quote my post to notify me


View Profile WWW
March 06, 2018, 07:44:45 PM
 #4

I have used Ledger Nano S for quite a long time but I decided to sell due to some technical problems and their Secure Element started to bother me. Security by obscurity is not necessarily the best idea. Even though I can't read most of TREZOR's firmware code, I trust people in the industry who had checked the code to see whether or not there are any backdoors or simple security holes.

And the thing that worries me a tad are all of the yet to be discovered issues waiting to be uncovered, not the existing integrity of their setups. Nothing is 100% and eternally foolproof. If there's some complexity it's likely there's something in there waiting to be exploited that hasn't been accounted for.

What do you think is better? Fewer chances for a critical vulnerability to exist and nobody can check the code to detect it, or being able to see the code and eventually discover the vulnerability after some time?

jossiel
Hero Member
*****
Online Online

Activity: 1008
Merit: 513



View Profile
March 06, 2018, 08:03:58 PM
 #5

Great! I've been looking for this type of thread as I've posted a thread about the update of firmware of nano s. ( Ledger Nano S firmware update 1.4.1 )

This guy gained a lot of attention and it made me paranoid after someone shared his tweet about nano s.

I'm also not savvy at all with these things but Ledger's CEO has spoken: https://www.reddit.com/r/ledgerwallet/comments/82fndi/psa_dont_panic_but_assume_the_device_is/dv9wnlb/ This helped me and I can sleep well tonight.

We'll see where this goes.

Will you choose to keep the faith no matter what happens or regress to things like paper wallets if more weirdness emerges?
If something went wrong and there will be reports that their funds are stolen after this update, I'll jump to paper wallet or back to desktop wallet.

ThePunisher49X
Member
**
Offline Offline

Activity: 343
Merit: 15


View Profile WWW
March 06, 2018, 08:28:09 PM
 #6

I have used Ledger Nano S for quite a long time but I decided to sell due to some technical problems and their Secure Element started to bother me. Security by obscurity is not necessarily the best idea. Even though I can't read most of TREZOR's firmware code, I trust people in the industry who had checked the code to see whether or not there are any backdoors or simple security holes.

And the thing that worries me a tad are all of the yet to be discovered issues waiting to be uncovered, not the existing integrity of their setups. Nothing is 100% and eternally foolproof. If there's some complexity it's likely there's something in there waiting to be exploited that hasn't been accounted for.

What do you think is better? Fewer chances for a critical vulnerability to exist and nobody can check the code to detect it, or being able to see the code and eventually discover the vulnerability after some time?
So you are essentially saying to put more trust into Trezor than this one from their issues with security audits in the past?
CryptoKr
Newbie
*
Offline Offline

Activity: 6
Merit: 0


View Profile WWW
March 07, 2018, 07:45:21 PM
 #7

Hi there,

I am quite new to this forum and crypto world. I have so far invested a smaller amount of money but would like to go a bit further. My big concern however is the security. After watching several videos on YouTube of guys telling how they lost their money I am a bit petrified. I am not a geek so I am not sure what to do in order to protect my funds.

Are you guys saying Trezor is the best?
gentlemand
Legendary
*
Offline Offline

Activity: 1848
Merit: 1332


Always remember - I love you


View Profile
March 07, 2018, 08:24:30 PM
 #8

Hi there,

I am quite new to this forum and crypto world. I have so far invested a smaller amount of money but would like to go a bit further. My big concern however is the security. After watching several videos on YouTube of guys telling how they lost their money I am a bit petrified. I am not a geek so I am not sure what to do in order to protect my funds.

Are you guys saying Trezor is the best?

I'm certainly not qualified to say which is the best. I prefer using the Trezor. It seems a lot more user friendly to me. Others may disagree. Much may depend on which coins you want to store. Ledger currently stores plenty more.

CryptoKr
Newbie
*
Offline Offline

Activity: 6
Merit: 0


View Profile WWW
March 07, 2018, 09:22:26 PM
 #9

Hi there,

I am quite new to this forum and crypto world. I have so far invested a smaller amount of money but would like to go a bit further. My big concern however is the security. After watching several videos on YouTube of guys telling how they lost their money I am a bit petrified. I am not a geek so I am not sure what to do in order to protect my funds.

Are you guys saying Trezor is the best?

I'm certainly not qualified to say which is the best. I prefer using the Trezor. It seems a lot more user friendly to me. Others may disagree. Much may depend on which coins you want to store. Ledger currently stores plenty more.

Thanks gentlemand,

I have just found this, which seems a brilliant idea and good solution:

https://bitcointalk.org/index.php?topic=3070336.0

but this is in the ICO stage now, so will have to wait for the product :(
RGBKey
Hero Member
*****
Offline Offline

Activity: 840
Merit: 628


rgbkey.github.io/pgp.txt


View Profile WWW
March 07, 2018, 09:27:10 PM
 #10

Hi there,

I am quite new to this forum and crypto world. I have so far invested a smaller amount of money but would like to go a bit further. My big concern however is the security. After watching several videos on YouTube of guys telling how they lost their money I am a bit petrified. I am not a geek so I am not sure what to do in order to protect my funds.

Are you guys saying Trezor is the best?

I'm certainly not qualified to say which is the best. I prefer using the Trezor. It seems a lot more user friendly to me. Others may disagree. Much may depend on which coins you want to store. Ledger currently stores plenty more.

Thanks gentlemand,

I have just found this, which seems a brilliant idea and good solution:

https://bitcointalk.org/index.php?topic=3070336.0

but this is in the ICO stage now, so will have to wait for the product :(


That looks like a terrible hardware wallet that is only in concept stage with many design flaws thought up only to find a bullshit reason to have an "ICO" and make money. I would not trust a cent with a "hardware wallet" that can connect to the internet and has a built-in GPS.

dillpicklechips
Hero Member
*****
Offline Offline

Activity: 896
Merit: 502



View Profile
March 08, 2018, 03:44:27 AM
 #11

Hi there,

I am quite new to this forum and crypto world. I have so far invested a smaller amount of money but would like to go a bit further. My big concern however is the security. After watching several videos on YouTube of guys telling how they lost their money I am a bit petrified. I am not a geek so I am not sure what to do in order to protect my funds.

Are you guys saying Trezor is the best?

I'm certainly not qualified to say which is the best. I prefer using the Trezor. It seems a lot more user friendly to me. Others may disagree. Much may depend on which coins you want to store. Ledger currently stores plenty more.

Thanks gentlemand,

I have just found this, which seems a brilliant idea and good solution:

https://bitcointalk.org/index.php?topic=3070336.0

but this is in the ICO stage now, so will have to wait for the product :(


That looks like a terrible hardware wallet that is only in concept stage with many design flaws thought up only to find a bullshit reason to have an "ICO" and make money. I would not trust a cent with a "hardware wallet" that can connect to the internet and has a built-in GPS.
Agree. I read a little bit in that thread. I see how LoyceV and DarkStar_ point out the flaws. I stopped reading since I think it is clear enough. Glad that we have these guys in the forum.

I also think that this is an ICO that wishes to gather a lot of money, launch it in an exchange. Until they dried it up, they will leave the project behind or if they really are serious then they are not knowledgeable enough to do this.

@CryptoKr You better rethink it, carefully.

CryptoKr
Newbie
*
Offline Offline

Activity: 6
Merit: 0


View Profile WWW
March 08, 2018, 09:28:34 AM
 #12

Hi there,

I am quite new to this forum and crypto world. I have so far invested a smaller amount of money but would like to go a bit further. My big concern however is the security. After watching several videos on YouTube of guys telling how they lost their money I am a bit petrified. I am not a geek so I am not sure what to do in order to protect my funds.

Are you guys saying Trezor is the best?

I'm certainly not qualified to say which is the best. I prefer using the Trezor. It seems a lot more user friendly to me. Others may disagree. Much may depend on which coins you want to store. Ledger currently stores plenty more.

Thanks gentlemand,

I have just found this, which seems a brilliant idea and good solution:

https://bitcointalk.org/index.php?topic=3070336.0

but this is in the ICO stage now, so will have to wait for the product :(


That looks like a terrible hardware wallet that is only in concept stage with many design flaws thought up only to find a bullshit reason to have an "ICO" and make money. I would not trust a cent with a "hardware wallet" that can connect to the internet and has a built-in GPS.
Agree. I read a little bit in that thread. I see how LoyceV and DarkStar_ point out the flaws. I stopped reading since I think it is clear enough. Glad that we have these guys in the forum.

I also think that this is an ICO that wishes to gather a lot of money, launch it in an exchange. Until they dried it up, they will leave the project behind or if they really are serious then they are not knowledgeable enough to do this.

@CryptoKr You better rethink it, carefully.

Thanks gentlemand again. The guys you have mentioned just attacked me in the other topic, so it is good to know that not everyone is like them. I will get Trezor for now and hope that something better will show up on the market soon.
Lucius
Legendary
*
Offline Offline

Activity: 1260
Merit: 1075


Fortis Fortuna Adiuvat


View Profile WWW
March 08, 2018, 10:53:33 AM
 #13

So Ledger are releasing a soon to be mandatory update for the Nano S.

The reason is hinted at here - https://twitter.com/spudowiar/status/970977060134023168

I've read elsewhere that physical access is required for any issues so everyone should be fine.

However I can only imagine the amount of problems that pop up will increase as the amount of money lurking on hardware wallets accelerates. The incentives are just too enormous.

I'm nowhere near savvy enough to know whether something is coded well but I have faith in the creators and coders to do their best to stay on top of things, however there's no shortage of dodgy people with matching skills who'll go all out to beat them and it could be a finely balanced race.

Will you choose to keep the faith no matter what happens or regress to things like paper wallets if more weirdness emerges?

As can be read in this tweet, spudowiar has discovered a potential issue in Ledger which may cause "compromised recovery seed generation or private key extraction". He claims this is a serious issue and that he will reveal full technical data on 20 March in order to give users time to update.

I think that he found something pretty serious, and proof is that Ledger released new firmware after that. So we need to wait till 20 March and hope to get full information about this safety problem.

When it comes to safety of my coins I can say I do not trust anyone or anything, nothing is 100% safe. But it is much easier to lose coins in online wallets/exchanges or even a desktop wallet, so the best way to keep them safe is a hardware wallet or, for long term holding, a paper wallet which must be made in a 100% safe environment and stored in an extra safe place.

HCP
Hero Member
*****
Offline Offline

Activity: 812
Merit: 989

<insert witty quote here>


View Profile
March 08, 2018, 11:37:12 PM
 #14

There seems to have been quite a lot of "back and forth" between Saleem (@spudowiar) and Ledger...

Ledger claiming he has blown everything out of proportion... Saleem claiming Ledger didn't take things seriously enough... Ledger claim that a very particular set of circumstances needed to have occurred for the vulnerability to be exploited (physical access BEFORE seed generation, custom MCU, malware on PC etc)... Saleem seems to indicate otherwise but offers no details due to "responsible disclosure".

I guess we wait until March 20th for the full technical details to be released. :-\

In the meantime, I guess the message is "update to firmware 1.4.1"

pooya87
Legendary
*
Offline Offline

Activity: 1484
Merit: 1278


Buy bitcoin they said... who listened?


View Profile
March 09, 2018, 04:17:16 AM
 #15

~ Nothing is 100% and eternally foolproof. ~

you said it yourself :P
nothing, and that means literally nothing is 100% foolproof. even bitcoin isn't. maybe some day people could find a way to reverse ECDSA and when you put your public key on the blockchain inside of your transaction they could figure out your private key in reverse. (it is not possible and the math says it won't happen but you know...).

so in the end it all comes down to risk management in my opinion.
this, for me, means how much i am willing to risk in that particular thing. for example how much money i am willing to invest in bitcoin. then how much of that bitcoin i am willing to put in my hot wallet, in my hardware wallet, in a paper wallet, in my exchange account for trading, in an altcoin, ...

Aura
Sr. Member
****
Offline Offline

Activity: 518
Merit: 266


View Profile
March 10, 2018, 06:35:08 PM
 #16

I don't really trust hardware wallets, that's why I don't own one. My main reason is the lack of open source; for example, Ledger wallet is only partially open-source. That means that there is still some code running on the hardware that you can't verify. Besides that, they are quite expensive compared to air-gapped machines that only require an old PC. I have more faith in a computer, without internet capability running a wallet compiled from source (Armory) than pre-configured hardware. Armory allows you to sign transactions on your air-gapped machine and manage your wallet on an online PC without sign access (watching-only).
RGBKey
Hero Member
*****
Offline Offline

Activity: 840
Merit: 628


rgbkey.github.io/pgp.txt


View Profile WWW
March 10, 2018, 07:41:20 PM
 #17

I don't really trust hardware wallets, that's why I don't own one. My main reason is the lack of open source; for example, Ledger wallet is only partially open-source. That means that there is still some code running on the hardware that you can't verify. Besides that, they are quite expensive compared to air-gapped machines that only require an old PC. I have more faith in a computer, without internet capability running a wallet compiled from source (Armory) than pre-configured hardware. Armory allows you to sign transactions on your air-gapped machine and manage your wallet on an online PC without sign access (watching-only).

Hardware wallets are somewhere between airgapped computers and encrypted wallet files. They certainly add a level of convenience, especially for all of the coins they support.

Also, a ledger nano s for example is much cheaper than any laptop/very cheap desktop you'd find, I don't think it's fair to assume that everybody would have an old computer lying around.

Coin-Keeper
Hero Member
*****
Offline Offline

Activity: 577
Merit: 502



View Profile
March 10, 2018, 07:52:18 PM
 #18

For me a "no brainer" while we all have a watch and wait attitude on hardware wallets, to make sure and use BIP extensions/passwords on all your hardware wallets.  Remember that NO hardware wallet can store passphrases so even if they "fall" in the future your coins would still be safe.  I still trust my Trezors but have always decided to use long and strong passphrases on all my wallets in addition.  Recommend you all do the same!

BTC: 1PYSBbuKM3kW19xe9TXJQfq64rPhd8XorF
Staked and Verified: https://bitcointalk.org/index.php?topic=996318.msg17102755#msg17102755
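
How a BIP39 passphrase like the one recommended in the post above enters key derivation, as an added example that is not part of the thread: the seed is computed from the recovery words plus the passphrase, so the words alone reproduce only the empty-passphrase wallet. The mnemonic is the public BIP39 test-vector phrase, the passphrase is a constructed sample, and `wallet_fingerprint` is a hypothetical helper name.

```python
import hashlib
import hmac
import unicodedata

# Constructed sample input: the all-zero-entropy phrase from the public BIP39
# test vectors. It is widely known and must never hold real funds.
MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
            "abandon abandon abandon abandon abandon about")
SAMPLE_PASSPHRASE = "correct horse battery staple 2018"  # constructed sample


def _nfkd(text):
    # BIP39 requires NFKD normalisation of both mnemonic and passphrase.
    return unicodedata.normalize("NFKD", text)


def bip39_seed(mnemonic, passphrase=""):
    """BIP39 seed: PBKDF2-HMAC-SHA512, 2048 rounds, salt "mnemonic" + passphrase."""
    password = _nfkd(mnemonic).encode("utf-8")
    salt = ("mnemonic" + _nfkd(passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, 2048, dklen=64)


def bip32_master(seed):
    """BIP32 master node: HMAC-SHA512 keyed with b"Bitcoin seed".

    Returns (master private key bytes, chain code). The range check BIP32
    requires on the key is omitted here for brevity.
    """
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def wallet_fingerprint(mnemonic, passphrase=""):
    """Hypothetical helper: short tag of the master key, for comparison only."""
    key, _chain = bip32_master(bip39_seed(mnemonic, passphrase))
    return hashlib.sha256(key).hexdigest()[:16]


if __name__ == "__main__":
    # What the recovery words alone lead to (empty passphrase).
    print("words only        :", wallet_fingerprint(MNEMONIC))
    # The wallet that actually holds the funds when a passphrase is used.
    print("words + passphrase:", wallet_fingerprint(MNEMONIC, SAMPLE_PASSPHRASE))
    # Any typo in the passphrase silently opens yet another, empty wallet:
    print("words + typo      :", wallet_fingerprint(MNEMONIC, SAMPLE_PASSPHRASE + "!"))
```

Because the stretching is only 2048 PBKDF2 rounds, the protection rests on the passphrase being long and hard to guess, and a forgotten passphrase cannot be recovered from the words.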
Aura
Sr. Member
****
Offline Offline

Activity: 518
Merit: 266


View Profile
March 11, 2018, 06:17:48 PM
 #19

I don't really trust hardware wallets, that's why I don't own one. My main reason is the lack of open source; for example, Ledger wallet is only partially open-source. That means that there is still some code running on the hardware that you can't verify. Besides that, they are quite expensive compared to air-gapped machines that only require an old PC. I have more faith in a computer, without internet capability running a wallet compiled from source (Armory) than pre-configured hardware. Armory allows you to sign transactions on your air-gapped machine and manage your wallet on an online PC without sign access (watching-only).
They certainly add a level of convenience, especially for all of the coins they support.
That is certainly a benefit for people who store altcoins. But for my personal situation not, as I only store Bitcoin and some Litecoin.

Also, a ledger nano s for example is much cheaper than any laptop/very cheap desktop you'd find, I don't think it's fair to assume that everybody would have an old computer lying around.
Even the old computers that schools have, will run an offline version of Armory. I bet you can get these for less than 10 bucks on a flea market or elsewhere. Also Armory has support for single board computers like the Raspberry Pi, that can be bought for $25. It's a hardware wallet with even better security and validity, but at a fraction of the cost.

Hardware wallets are somewhere between airgapped computers and encrypted wallet files.
It definitely is, but I don't trust it as much as a self-compiled software.


HCP
Hero Member
*****
Offline Offline

Activity: 812
Merit: 989

<insert witty quote here>


View Profile
March 11, 2018, 09:25:37 PM
 #20

... Armory+cheapo computer...

It's a hardware wallet with even better security and validity, but at a fraction of the cost.
Until you factor in the need for a (non-pruned) full node required for the online portion of your Armory setup and the space/bandwidth requirements that involves.

As opposed to plugging a HW wallet into your cheapo computer (or even your mobile phone with a $2 OTG cable).

There are pros/cons to both setups... but honestly, I believe HW wallets made air-gapped offline/online two computer setups pretty much obsolete.
