HCP
Legendary
Offline
Activity: 2086
Merit: 4361
<insert witty quote here>
August 20, 2021, 01:33:07 AM Last edit: November 14, 2023, 11:45:59 PM by HCP

> Just found out it comes with an interesting [probably not for everyone out there, but it brings back good old memories] "secret" menu.

How did I know it was going to be "Snake" before I even clicked on the link? Probably because the device looks like an old Nokia phone. And honestly... I'm kinda proud of myself for NOT having a collection like Jameson... I've been soooo restrained with hardware wallets. I've had shopping carts all loaded up and got to checkout and was like "No! I don't need another one" hahaha.

o_e_l_e_o
In memoriam
Legendary
Offline
Activity: 2268
Merit: 18748
August 20, 2021, 08:53:29 AM

But why? Every extra piece of code has the potential to cause a bug or present a vulnerability. Why add in gimmicks like a snake game which no one is ever going to use?

SFR10
Legendary
Offline
Activity: 3192
Merit: 3529
Crypto Swap Exchange
August 21, 2021, 02:26:53 PM

> I think this could be free Bitcoin whitepaper by Satoshi Nakamoto looking like a passport

You were right [it's a nice touch]... Found a podcast [by their CEO - Zach Herbert] that confirms what's actually the surprise gift: ( I hope Faketoshi won't sue them for this ).

Yeah, I saw that hidden famous retro game that every old Nokia user knows.

> Why add in gimmicks like a snake game which no one is ever going to use?

There might be more [link], but not sure how reliable it is.

DaveF
Legendary
Offline
Activity: 3668
Merit: 6673
Crypto Swap Exchange
August 21, 2021, 07:48:09 PM

> But why? Every extra piece of code has the potential to cause a bug or present a vulnerability. Why add in gimmicks like a snake game which no one is ever going to use?

To justify the price tag? Something to do while waiting for your transaction to confirm? It really is an old Nokia under it all? Seriously, in something like this if the code is not needed, you don't put it in. The last thing you want in something that is supposed to be all about security, is stuff that is not related to security. Yes, it's cool, but so not needed.

-Dave

o_e_l_e_o
In memoriam
Legendary
Offline
Activity: 2268
Merit: 18748
August 21, 2021, 08:00:07 PM Merited by SFR10 (1), ABCbits (1)

> There might be more [link], but not sure how reliable it is.

That guy says he worked on the project for a while. Don't see what his motivation would be to make something like that up. On further examination, there is indeed an entire page on their GitHub which codes for this Tetris game: https://github.com/Foundation-Devices/passport-firmware/blob/b26d45bdeb240a7f631037b71c149f57f1d8c5fc/ports/stm32/boards/Passport/modules/stacking_sats.py

> Seriously, in something like this if the code is not needed, you don't put it in. The last thing you want in something that is supposed to be all about security, is stuff that is not related to security.

It also screams of unprofessionalism to me. You want people to store thousands or even millions of dollars worth of cryptocurrency on your device, but then you say "Lol, we made it play Snake and Tetris! Next update we'll add Frogger too!" Get that bloatware off the device, get the code down to the minimum required to function to minimize any attack surface, and focus on developing your security features instead of implementing stupid games. What other stupid "hidden features" have they included?

dkbit98 (OP)
Legendary
Offline
Activity: 2422
Merit: 7590
August 22, 2021, 11:56:42 AM

Idea was probably to hide the fact that you are using a hardware wallet, and I actually like the idea of hiding a hardware wallet as a fake game console or phone device, but maybe they should add two alternative versions of the firmware, one clean and the other with games included.

> What other stupid "hidden features" have they included?

I know one more hardware wallet called ledger that is adding a bunch of shit features with fake dex swap exchanges, supporting a bunch of altcoins, they had multiple leaks, they've proven their unprofessionalism to everyone, and people still buy that junk.

> It also screams of unprofessionalism to me. You want people to store thousands or even millions of dollars worth of cryptocurrency on your device, but then you say "Lol, we made it play Snake and Tetris!"

I think you know very well that coins are not actually stored on that device, only keys are.

o_e_l_e_o
In memoriam
Legendary
Offline
Activity: 2268
Merit: 18748
August 22, 2021, 12:43:15 PM

> Idea was probably to hide the fact that you are using hardware wallet, and I actually like the idea of hiding hardware wallet with fake game console or phone device, but maybe they should add two alternative version of firmware, one clean and other with games included.

If the device looked like a Nintendo Switch or a modern phone, then that idea might have some merit. But the device looks nothing like either of them, and says "Foundation" across the back, so any attacker can discover what it really is with 5 seconds and a Google search.

> I know one more hardware wallet called ledger that are adding bunch of shit features with fake dex swap exchanges, supporting bunch of altcoins

Don't know why you are bringing Ledger into this, but none of that is in any Ledger firmware. Don't want to use any altcoins? Then don't install those apps. Don't want to use their exchange service? Then don't use Ledger Live. None of that presents an attack surface to their hardware wallets. Hiding "features" on the device is a bad start. Hiding completely pointless features like Tetris on the device is just plain stupid.

> I think you know very well that coins are not actually stored on that device, only keys are.

My point is the same.

dkbit98 (OP)
Legendary
Offline
Activity: 2422
Merit: 7590
August 22, 2021, 12:46:59 PM

> If the device looked like a Nintendo Switch or a modern phone, then that idea might have some merit. But the device looks nothing like either of them, and says "Foundation" across the back, so any attacker can discover what it really is with 5 seconds and a Google search.

I am still using an old style phone and it's working perfectly fine, it looks similar to the Passport wallet.

> Don't know why you are bringing Ledger into this, but none of that is in any Ledger firmware. Don't want to use any altcoins? Then don't install those apps. Don't want to use their exchange service? Then don't use Ledger Live. None of that presents an attack surface to their hardware wallets.

Do you know what exactly is hidden in ledger firmware? Could be a backdoor or hidden spyware. You don't know because it is closed source, and I mentioned it as a prime example of unprofessionalism in hardware wallets (1 million leaked customer records).

o_e_l_e_o
In memoriam
Legendary
Offline
Activity: 2268
Merit: 18748
August 22, 2021, 01:49:08 PM

> I am still using old style phone and it's working perfectly fine, looks similar with Passport wallet.

Similar, sure, but different enough to arouse suspicion. No phone from that era had a camera, and no phone is powered by 2x AAA batteries. It might pass a cursory glance, but a 5 second inspection will reveal to any thief the device is not a phone.

> You don't know because it is closed source, and I mentioned it as a prime example of unprofessionalism in hardware wallets (1 million leaked customer data).

And I never said otherwise. I've made my feelings regarding Ledger and their database leak well known, but their mistakes don't give other hardware wallet companies a free pass to do what they like. The fact remains that including completely unnecessary code on a hardware wallet device poses unnecessary security risks.

HCP
Legendary
Offline
Activity: 2086
Merit: 4361
<insert witty quote here>
August 22, 2021, 11:46:50 PM

I concur... you cannot argue the fact that adding unnecessary code means that you are adding unnecessary risk. Sure, hide snake in your graphical calculator or the control panel on your fridge or something... but a device that is meant to be a security device should really include only the bare minimum required to perform the desired tasks. I don't see how hidden games enable one to manage their crypto holdings securely.

dkbit98 (OP)
Legendary
Offline
Activity: 2422
Merit: 7590
August 23, 2021, 08:49:34 AM

> I don't see how hidden games enable one to manage their crypto holdings securely

Nobody said that games make crypto holdings more secure, but adding support for a bunch of altcoins in a hardware wallet is much worse, especially if you are not using them, because they need to be constantly updated. All hardware wallets that are not providing Bitcoin-only firmware are way less secure than having the Passport wallet with games, and as far as I know only ColdCard, Trezor, Keystone and Bitbox02 have BTC-only firmware available. I remember an example of hackers being able to steal your Bitcoin from a ledger wallet because of a flaw with some of their forked altcoin apps, an app isolation bypass: https://monokh.com/posts/ledger-app-isolation-bypass

Pmalek
Legendary
Offline
Activity: 2954
Merit: 7565
Playgram - The Telegram Casino
August 23, 2021, 09:15:25 AM

I remember this issue and it was much more severe than what Ledger was ready to admit. However, if you scroll down on that report you shared to the section that describes the "Attack methods", you will see some examples of how that vulnerability could have been used in practice. They say:

> You are invited to try out a new service with testnet coins, that actually sweeps real Bitcoin out of your wallet.

Invited by whom? You shouldn't trust and use dubious services and websites whether it's about crypto or anything else, or accept invites and click on links from people you don't know. Unless you fiddle around with such things, you would have been safe from the attack.

> You swap low value coins on an untrusted exchange. The exchange can read your Bitcoin balances and given a good enough opportunity will take the exit. You wouldn't have applied the same level of care with altcoins.

I am not sure what exactly is meant with this. Maybe it's about connecting your Ledger hardware to a DEX. This is in my opinion the most dangerous attack method, if you had to connect to an unpopular exchange for whatever reason and they had ways to steal your bitcoin.

> You could be targeted with a patched version of Ledger Live that sends Bitcoin instead of altcoins. Then prompted to do a P2P trade with altcoins.

Whoever is involved in crypto should know by now where and how to download the official software, what phishing is, and how to check the authenticity of what they just downloaded. That's now possible to do with Ledger Live as well. Don't fall for fake apps and your bitcoins will stay safe.

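The linked app-isolation post and the attack methods Pmalek quotes above turn on one mechanism: a forked "Bitcoin-like" app on a multi-app signer is handed a derivation path for a coin it was never meant to sign for. The thread does not describe Ledger's actual fix, so what follows is an added example of my own, not Ledger's or Foundation's code, showing the kind of check that closes that class of bug: before signing, the app verifies that the SLIP-44 coin_type level of the requested BIP32 path is on that app's allowlist. The three coin_type values are real SLIP-44 registry entries; the app names and the app-to-coin mapping are assumptions made for the example.

```python
"""Per-app derivation-path policy (added illustration, not vendor code)."""
import re

HARDENED = 0x80000000

# SLIP-44 registered coin_type values.
BITCOIN, TESTNET, LITECOIN = 0, 1, 2

# Which coin_types each app may touch. App names and this mapping are an
# assumption for this example; a real signer ships the policy with each app.
APP_POLICY = {
    "Bitcoin": {BITCOIN},
    "Bitcoin Test": {TESTNET},
    "Litecoin": {LITECOIN},
}

# Purposes whose second level is coin_type (BIP44, BIP49, BIP84, BIP86).
PURPOSES_WITH_COIN_TYPE = {44, 49, 84, 86}

_PATH_RE = re.compile(r"^m(?:/\d+'?)*$")


class PathPolicyError(ValueError):
    """Raised when a path is malformed or not allowed for the requesting app."""


def parse_path(path: str) -> list[int]:
    """Turn "m/84'/0'/0'/0/0" into raw BIP32 child indices (hardened bit set)."""
    if not _PATH_RE.match(path):
        raise PathPolicyError(f"malformed path: {path!r}")
    indices = []
    for part in path.split("/")[1:]:
        hardened = part.endswith("'")
        value = int(part.rstrip("'"))
        if value >= HARDENED:
            raise PathPolicyError(f"index out of range: {part}")
        indices.append(value | HARDENED if hardened else value)
    return indices


def naive_check_path(app: str, path: str) -> list[int]:
    """The isolation gap: any well-formed path is accepted for any app."""
    return parse_path(path)


def check_path(app: str, path: str) -> list[int]:
    """Accept the path only if its coin_type level is in the app's allowlist."""
    indices = parse_path(path)
    allowed = APP_POLICY.get(app)
    if allowed is None:
        raise PathPolicyError(f"unknown app: {app!r}")
    if len(indices) < 2:
        raise PathPolicyError("path has no coin_type level")
    purpose, coin_type = indices[0], indices[1]
    if not purpose & HARDENED or (purpose ^ HARDENED) not in PURPOSES_WITH_COIN_TYPE:
        raise PathPolicyError(f"unsupported purpose in {path!r}")
    if not coin_type & HARDENED:
        raise PathPolicyError("coin_type must be hardened")
    if (coin_type ^ HARDENED) not in allowed:
        raise PathPolicyError(f"{app} may not sign for coin_type {coin_type ^ HARDENED}")
    return indices


def authorizes(app: str, path: str, checker=check_path) -> bool:
    """The guard a sign request hits: True if `checker` lets `app` use `path`."""
    try:
        checker(app, path)
        return True
    except PathPolicyError:
        return False


if __name__ == "__main__":
    # A testnet app is handed a real-bitcoin path by a malicious host.
    btc_path = "m/84'/0'/0'/0/0"
    print("naive  :", authorizes("Bitcoin Test", btc_path, naive_check_path))  # True
    print("checked:", authorizes("Bitcoin Test", btc_path))                    # False
```

The point of the `naive_check_path` variant is that it parses perfectly and still signs for anything; syntactic validation is not isolation. Note also that the check refuses an unhardened coin_type and unknown purposes rather than guessing, since a path the policy cannot classify is exactly the one an attacker would pick.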
dkbit98 (OP)
Legendary
Offline
Activity: 2422
Merit: 7590
August 23, 2021, 11:17:30 AM

> Most of those features are part of Ledger Live, not part of the hardware wallet.

It's directly connected with the firmware of the ledger device, there are even some shitcoins not supported by the ledger live app and you can still use them with ledger. Do you use your smartphone that can store a bunch of games, applications, maybe crypto wallets, google or iPhone tracking with other stuff, and do you also consider it unprofessional?

> supporting altcoin is quite different from adding video game.

Yes, it's much more risky and dangerous supporting a bunch of shitcoins than adding some game. Please tell me one scenario where someone will use this game to steal your coins or keys, when we know that Passport (like Coldcard) has no cables and it's never connected with your computer or internet in any way.

o_e_l_e_o
In memoriam
Legendary
Offline
Activity: 2268
Merit: 18748
August 23, 2021, 07:06:18 PM

> Just wait until someone run DOOM on it

Reminds me of when I got a Game Boy emulator running on my 1st or maybe 2nd generation (I can't really remember) iPod back in the day.

> All hardware wallets that are not proving Bitcoin only firmware are way less secure than having Passport wallet with games

The Passport device has not been extensively pen tested like Ledger or Trezor devices have been, so there is no way as of yet of knowing if that is true.

> Do you use your smartphone that can store bunch of games, applications, maybe crypto wallets, google or iPhone tracking with other stuff, and do you also consider it unprofessional?

Because that is what a smartphone is meant to do. The whole point of a smartphone is to be multi-purpose and do near enough anything you want it to do. The whole point of a hardware wallet is to do one thing and one thing only.

> Please tell me one scenario were someone will use this game to steal your coins or keys, when we know that Passport (like Coldcard) have no cables and it's never connected with your computer or internet in any way.

Who knows? The device hasn't been tested yet. Airgapped cold storage is never connected with the internet in any way, and yet it is not invulnerable to attacks.

HCP
Legendary
Offline
Activity: 2086
Merit: 4361
<insert witty quote here>
August 23, 2021, 11:29:06 PM

> Yes, it's much more risky and dangerous supporting bunch of shitcoins than adding some game.

It's fine if you want to use Bitcoin only... I can understand that, as I'm not a huge fan of altcoins either. Unfortunately, they're not going to go away... the values on coinmarketcap make that plainly obvious. The top 90+ coins all have marketcaps over $1 Billion dollars. People are going to want to use these coins. So, as a commercial operator, your choices are:

1. Offer support (and hopefully put dev resources into making them secure as opposed to coding up unnecessary games) and potentially gain a customer.

or

2. Don't offer support and potentially lose a customer to your competitor.

Also, I suspect that the vast majority of altcoins supported are actually just ERC20 tokens anyway.

> Please tell me one scenario were someone will use this game to steal your coins or keys, when we know that Passport (like Coldcard) have no cables and it's never connected with your computer or internet in any way.

It's entirely plausible that a glitch in the game code (such as entering a specific key combo or achieving a high enough score to cause an overflow etc) could result in an attacker achieving something equivalent to "root" access on the device. Is this actually possible... who knows? The point is, that adding "fun" hidden easter eggs like this is not necessary... the dev effort would be much better spent ensuring that the "necessary" code is secure.

dkbit98 (OP)
Legendary
Offline
Activity: 2422
Merit: 7590
August 24, 2021, 07:25:57 AM

> The whole point of a hardware wallet is to do one thing and one thing only.

No, they are not meant to be used only for one thing, just like airgapped computers are not meant only for one thing. You can use many hardware wallets as password managers or similar, like a yubikey device, for signing on websites in a more secure way.

> Is this actually possible... who knows? The point is, that adding "fun" hidden easter eggs like this, is not necessary... the dev effort would be much better spent ensuring that the "necessary" code is secure.

They are using well tested, mostly Coldcard open source code that is audited, and I think they have a bounty reward program for hacking them and finding bugs, so everyone is welcome to do it. Go for it.

o_e_l_e_o
In memoriam
Legendary
Offline
Activity: 2268
Merit: 18748
August 24, 2021, 07:46:55 AM

> the dev effort would be much better spent ensuring that the "necessary" code is secure.

Might also help to get the price down a bit if they weren't paying devs to code, test, and implement games.

> You can use many hardware wallets as password managers or similar like yubikey device for signing on websites in more secure way.

Which falls under their one purpose of securely storing and allowing you to safely interact with private keys, passwords, or codes. Not for playing games. I don't disagree that adding altcoin support is risky too. Every new piece of code you put on the device poses a security risk. But altcoin code at least serves a purpose (even if it is a purpose I don't care for), and even better if it is entirely optional to install it in the first place. Pre-installed games are risky bloatware.

dkbit98 (OP)
Legendary
Offline
Activity: 2422
Merit: 7590
August 24, 2021, 08:00:25 AM

> Which falls under their one purpose of securely storing and allowing you to safely interact with private keys, passwords, or codes. Not for playing games.

That is not exactly one purpose, mixing private keys with a password manager and logging on to websites, and airgapped computers are by your definition even less secure because they all have games and other ''bloatware'' installed, and a smartphone is even less secure so you should never use it again. Anyone can find many more bugs in an airgapped linux OS full of all kinds of software, yet people use it all the time with Electrum wallet, and they can play a game if they want. Hardware wallets are just mini computers, not some miracle devices with one strict use case.

o_e_l_e_o
In memoriam
Legendary
Offline
Activity: 2268
Merit: 18748
August 24, 2021, 08:26:47 AM

> and airgapped computers are by your definition even less secure because they all have games and other ''bloatware'' installed

If you choose an OS which is filled with bloatware and start installing games on your airgapped computer, then yes, it is much less secure.

> and smartphone is even less secure so you should never use it again.

Yes, smartphones are far less secure, which is why they are classed as hot wallets. A smartphone is a poor benchmark for comparing a hardware wallet to, though.

> Hardware wallets are just mini computers not some miracle devices with one strict use case.

If you want a wallet which can play games, store arbitrary data, display pictures, whatever, then that's absolutely your choice. There are plenty of devices on the market to choose from. But you can't possibly argue that putting games on a hardware wallet is a good use of time nor that doing so is 100% risk free.

DaveF
Legendary
Offline
Activity: 3668
Merit: 6673
Crypto Swap Exchange
August 24, 2021, 11:05:21 PM

> ... Anyone can find much more bugs in airgapped linux OS full of all kinds of software, yet people use it all the time with Electrum wallet, and they can play a game if the want. Hardware wallets are just mini computers not some miracle devices with one strict use case.

However, even if the security portion of the discussion is removed, it's still an issue because every time you install something / add something there is another chance for something to go wrong. There may be no security issues with the snake game. But what about an edge case where if you play for longer than 'x' time or have some stupid high score, then there is a memory storage issue that can cause data corruption?

-Dave

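HCP's "high enough score to cause an overflow" and Dave's "stupid high score ... data corruption" describe the same defect class: a value the game lets grow without bound is persisted into storage sized for a smaller value, and whatever sits next to that slot pays for it. The example below is a constructed illustration of my own and is not Passport firmware; it is written in Python because the game module linked earlier in the thread is MicroPython. The record layout (magic, version, a u16 score slot, then a flags byte whose bit 0 I am calling "PIN required at boot") is an assumption made for the example. The naive writer encodes the score in however many bytes it needs and slice-assigns it into the slot; in Python that resizes the record and shifts the flags byte, which is the scripting-language analogue of the out-of-bounds write the same code would do on a microcontroller in C. The checked writer range-checks against the slot width and writes in place, so the record length can never change.

```python
"""Fixed-layout settings record vs an unbounded game counter (constructed example)."""
import struct

# Layout, an assumption for this example (little-endian):
#   offset 0  magic   2 bytes  b"PS"
#   offset 2  version 1 byte
#   offset 3  score   2 bytes  u16   <- the game's high score
#   offset 5  flags   1 byte   bit 0 = PIN required at boot
RECORD_FMT = "<2sBHB"
RECORD_LEN = struct.calcsize(RECORD_FMT)   # 6
MAGIC = b"PS"
SCORE_OFF = 3
FLAGS_OFF = 5
SCORE_MAX = 0xFFFF
FLAG_PIN_REQUIRED = 0x01


def new_record(pin_required: bool = True) -> bytearray:
    """A freshly provisioned settings record with score 0."""
    flags = FLAG_PIN_REQUIRED if pin_required else 0
    return bytearray(struct.pack(RECORD_FMT, MAGIC, 1, 0, flags))


def read_score(record: bytes) -> int:
    return struct.unpack_from("<H", record, SCORE_OFF)[0]


def pin_required(record: bytes) -> bool:
    """What a boot path would consult: whatever byte now sits at FLAGS_OFF."""
    return bool(record[FLAGS_OFF] & FLAG_PIN_REQUIRED)


def record_is_sane(record: bytes) -> bool:
    """Cheap integrity check a loader should run before trusting the record."""
    return len(record) == RECORD_LEN and record[:2] == MAGIC


def save_score_naive(record: bytearray, score: int) -> None:
    """The edge case: encode the score in as many bytes as it needs and drop it
    into the slot. Slice assignment changes the bytearray's length when the
    sizes differ, so a score above 0xFFFF (three bytes) pushes the flags byte
    one position right and the score's third byte lands where flags used to be;
    a score below 256 (one byte) shrinks the record instead."""
    nbytes = max(1, (score.bit_length() + 7) // 8)
    record[SCORE_OFF:SCORE_OFF + 2] = score.to_bytes(nbytes, "little")


def save_score_checked(record: bytearray, score: int) -> None:
    """Range-check against the slot width and write in place with pack_into,
    which cannot change the record length. Clamping to SCORE_MAX would also
    be defensible; raising keeps the failure visible during testing."""
    if not 0 <= score <= SCORE_MAX:
        raise ValueError(f"score {score} does not fit a u16 slot")
    struct.pack_into("<H", record, SCORE_OFF, score)


def play_and_save(score: int, saver) -> bytearray:
    """Simulate a game ending at `score` on a device whose PIN is required."""
    record = new_record(pin_required=True)
    saver(record, score)
    return record


def checked_accepts(score: int) -> bool:
    """True if the hardened writer would persist `score`."""
    try:
        play_and_save(score, save_score_checked)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    bad = play_and_save(0x020000, save_score_naive)     # 131072 points
    print(len(bad), read_score(bad), pin_required(bad))  # 7 0 False
    print(checked_accepts(0x020000))                     # False
```

With the naive writer a score of 131072 leaves the record one byte too long, the score slot reading 0, and the "PIN required" flag reading as cleared, because the byte at offset 5 is now the score's high byte (0x02) rather than the original flags byte. Nothing crashed, which is the uncomfortable part: the device would simply boot without asking for the PIN. The `record_is_sane` length check is what turns that silent corruption into a refusal to load.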