Coldcard Mk4 NFC Spec for developers

[dkbit98]

Me too, I think the first time I see this! The concept is not new though: when setting up multisig with multiple hardware wallets, it's often recommended to use different wallets with different secure elements, since this is usually the only component not open source, so the one point that requires some trust. The trust is reduced though if ordering from different vendors, different factories and different production locations.

I think that adding two closed source secure elements in hardware wallet is not very smart, or should I say it's stupid decision.
NVK and Coldcard developers are going full crazy mode, first they removed reference about using original Trezor code they forked, than they made up their own changed license and they fake call it ''open source'' that is actually not,
and now they are adding one more trust layer with additional secure element from different manufacturer  
It's worse than Ledger is doing and they are going in opposite direction of open source, plus addition of NFC is making their hardware wallet NOT air-gapped device anymore.
I would much rather use old laptop with Tails OS than Coldcard Mk4 at this point.
Deal with it NVK. it's the truth and everyone knows it.

The developers seem to be telling you that you should make a choice between the two methods of air-gapped communication. You either use NFC functionality or SD card, but not both at the same time because the usage of the latter will likely result in crippling the former. Honestly, I can't think of any other reason why they made that design choice.

They don't give you any choice if they enabled NFC by default.
I can also disable and remove wi-fi in my laptop but it's not because developers made that available, and 99% won't ever do that.
Point is that with NFC Coldcard is not airgapped anymore.
Open Source
Airgapped
Whats next? Maybe going full closed source...

[n0nce]

and now they are adding one more trust layer with additional secure element from different manufacturer 
It's worse than Ledger is doing and they are going in opposite direction of open source, plus addition of NFC is making their hardware wallet NOT air-gapped device anymore.

I'm not sure I'm following.. Wouldn't two (closed source or not) secure elements mean less trust? As in: if one has a backdoor, it only has access to half the seed instead of full seed. Also: if one is vulnerable & an exploit is developed, the other one remains secure & 'half seed' is still protected?
It definitely depends on the implementation; doing half-half might not even be that smart, I think there are cryptographic mechanisms which would be better suited to 'splitting' the seed.

Definitely still a big fan of Trezor without secure element myself, though. This way it's reproducible to build and a truly open source device. The known seed extraction attack admittedly needs quite a bit of advanced tools and knowledge.
Best would be an open-source secure element; I think Trezor is actually working on one, excited to see how it's going to turn out.

Point is that with NFC Coldcard is not airgapped anymore.
Open Source
Airgapped
Whats next? Maybe going full closed source...

You know what? I just checked their GitHub and website again and cannot find mention of exact license used. The GitHub has an empty license file, I mean it just contains:

Code:

COPYING-CC

While in March 2020 it contained GPLv3 license.

Code: (https://github.com/Coldcard/firmware/blob/a5a7f850cabdf0cd4f3988b97e7cf68806e84e0d/LICENSE)

(c) Copyright 2017-2020 by Coinkite Inc.

This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
in the file COPYING.  If not, see <http://www.gnu.org/licenses/>.

I find it very suspicious though that the builds are not reproducible (https://walletscrutiny.com/hardware/coldcardMk3/).

Regarding airgap, NFC is really a kind of grey line. Similarly to USB cables (maybe even easier) you can interact with the device with very little user intervention, which is marketed as a feature, but poses a large security risk.
Meanwhile, if you need to transfer a micro SD card manually, or scan QR codes with both devices it's hard to see a scenario where someone tricks another person to do that in a malicious way.

However, the definition of air-gap usually refers to something not being physically connected (with a cable), so in that case you could call NFC and even Bluetooth wallets (which we all know is a bad idea, right) 'air-gapped'. It's tricky and I think you will never find a common ground with NVK, but I say: let the market decide.

[dkbit98]

I'm not sure I'm following.. Wouldn't two (closed source or not) secure elements mean less trust? As in: if one has a backdoor, it only has access to half the seed instead of full seed. Also: if one is vulnerable & an exploit is developed, the other one remains secure & 'half seed' is still protected?
It definitely depends on the implementation; doing half-half might not even be that smart, I think there are cryptographic mechanisms which would be better suited to 'splitting' the seed.

It means that instead of you having to trust one secure element, now you have to trust two secure elements and I don0t think that is good.
My guess is they will use standard ATECC608A (or ATECC608B) like now, in addition with NXP secure element that is often used in in smart cards that use NFC feature.
So now you understand why they have two secure elements, it's only because of their NFC chip  

Definitely still a big fan of Trezor without secure element myself, though. This way it's reproducible to build and a truly open source device. The known seed extraction attack admittedly needs quite a bit of advanced tools and knowledge.
Best would be an open-source secure element; I think Trezor is actually working on one, excited to see how it's going to turn out.

Until Trezor release this, it's probably best to have old Thinkpad laptop with live linux OS and Electrum wallet.
Use dices to generate seed words, and this will your best hardware wallet.

I find it very suspicious though that the builds are not reproducible (https://walletscrutiny.com/hardware/coldcardMk3/).

That is why they made their own version of website and made is sort of reproducible, but it's still not open source
They should remove open source (and soon Air-gapped) claims from their website.

However, the definition of air-gap usually refers to something being physically connected (with a cable), so in that case you could call NFC and even Bluetooth wallets (which we all know is a bad idea, right) 'air-gapped'. It's tricky and I think you will never find a common ground with NVK, but I say: let the market decide.

It's not just physically, it's all connection with other devices, including wi-fi and bluetooth, NFC only has lower range than wi-fi
NFC = Near-field communication

Near-field communication (NFC) is a set of communication protocols that enables communication between two electronic devices over a distance of 4 cm (11⁄2 in) or less.

https://en.wikipedia.org/wiki/Near-field_communication

[n0nce]

I'm not sure I'm following.. Wouldn't two (closed source or not) secure elements mean less trust? As in: if one has a backdoor, it only has access to half the seed instead of full seed. Also: if one is vulnerable & an exploit is developed, the other one remains secure & 'half seed' is still protected?
It definitely depends on the implementation; doing half-half might not even be that smart, I think there are cryptographic mechanisms which would be better suited to 'splitting' the seed.

It means that instead of you having to trust one secure element, now you have to trust two secure elements and I don0t think that is good.

It depends on the implementation. If both elements have full access to the seed, then you have to trust twice, that's correct. If you do it right and split the seed or maybe have 2 different seeds that make a 2-out-of-2 multisig internally, it would be less trust than a single chip. Not sure how exactly they will implement though, for sure. For now, just marketing claims and no code as proof.

My guess is they will use standard ATECC608A (or ATECC608B) like now, in addition with NXP secure element that is often used in in smart cards that use NFC feature.
So now you understand why they have two secure elements, it's only because of their NFC chip 

Oh, that's interesting. The NFC chip has a built-in secure element... then let's see if it even works as suggested with something like 2-out-of-2 or if the second chip is maybe simply used for NFC functionality..

Until Trezor release this, it's probably best to have old Thinkpad laptop with live linux OS and Electrum wallet.
Use dices to generate seed words, and this will your best hardware wallet.

We talk about fully cold storage and paper wallets a lot here; it's possible and made a bit more user-friendly by the SeedSigner project. That's basically it: a linux computer, booted with live OS and without persistent storage, importing seed every time you want to sign a transaction. Just in a more practical package than 'old thinkpad'. But none of these are as practical.

However, the definition of air-gap usually refers to something being physically connected (with a cable), so in that case you could call NFC and even Bluetooth wallets (which we all know is a bad idea, right) 'air-gapped'. It's tricky and I think you will never find a common ground with NVK, but I say: let the market decide.

It's not just physically, it's all connection with other devices, including wi-fi and bluetooth, NFC only has lower range than wi-fi
NFC = Near-field communication

Near-field communication (NFC) is a set of communication protocols that enables communication between two electronic devices over a distance of 4 cm (11⁄2 in) or less.

https://en.wikipedia.org/wiki/Near-field_communication

I mean, 'manually plugging in a microSD card' can also be seen as a kind of protocol that enables communication between devices. But due to the need of heavy user interaction (except the virus attack explained earlier), you need to physically steal the microSD and replace it without user noticing for example, to make them sign a bad PSBT. Even harder with QR codes since a QR code on the screen is less easy to extract / modify than a file on an external storage medium.

But I get what you're saying. Especially since you can wormhole NFC. You can also increase the range simply using high-power antennas; it's just radio-waves, not much unlike WiFi, Bluetooth or 4G and 5G networks after all.

[dkbit98]

Oh, that's interesting. The NFC chip has a built-in secure element... then let's see if it even works as suggested with something like 2-out-of-2 or if the second chip is maybe simply used for NFC functionality..

Exactly.
Two secure elements is just a side effect, and not by design of NKV or smart coldcard developers, and I am sure about this.
I recently revised the list of secure elements used in hardware wallets, and you can see that most wallets use same STM32 chips (this is security risk), but some of them use NXP chips and it's mostly with NFC cards format (Satochip/Satodime, CoolWallet, KeyPal, Opolo, D'CENT).

We talk about fully cold storage and paper wallets a lot here; it's possible and made a bit more user-friendly by the SeedSigner project.

I like the idea of Seedsigner, but you know that cost of purchasing and assembling it now is around $80, and for that money you can buy used old but still good Thinkpad laptop.
That is if you managed to buy it anywhere, I looked all over the internet and Raspberry Pi Zero is mostly out of stock.
Seedsigner is also loading and starting very slow... no wonder when it has linux os in that small device

[n0nce]

Oh, that's interesting. The NFC chip has a built-in secure element... then let's see if it even works as suggested with something like 2-out-of-2 or if the second chip is maybe simply used for NFC functionality..

Exactly.
Two secure elements is just a side effect, and not by design of NKV or smart coldcard developers, and I am sure about this.
I recently revised the list of secure elements used in hardware wallets, and you can see that most wallets use same STM32 chips (this is security risk), but some of them use NXP chips and it's mostly with NFC cards format (Satochip/Satodime, CoolWallet, KeyPal, Opolo, D'CENT).

Wait, STM32 are the microcontrollers, not the secure element chips. But from your list, it seems some are like combo-chips, especially the NXP ones. I don't think an STM32 has a built-in security chip or similar. But it does seem likely that MK4 will use NXP chip for NFC, which as a side effect has a builtin second secure element.

We talk about fully cold storage and paper wallets a lot here; it's possible and made a bit more user-friendly by the SeedSigner project.

I like the idea of Seedsigner, but you know that cost of purchasing and assembling it now is around $80, and for that money you can buy used old but still good Thinkpad laptop.
That is if you managed to buy it anywhere, I looked all over the internet and Raspberry Pi Zero is mostly out of stock.
Seedsigner is also loading and starting very slow... no wonder when it has linux os in that small device

I saw the kits go for pretty high prices, yes! But that's with profit. When I first looked into it, sourcing materials myself would have been more like 50 bucks. If you go for budget though, sure, there are many options. I'm generally a friend of reusing old hardware rather than throwing it away (as seen in my $50 full node guide). It's just less convenient really.

[witcher_sense]

Great discussion, guys! I learned a lot, and also I am very disappointed in Coldcard. It seems to me that Coldcard devices are becoming more and more unsuitable for securing large amounts of money. Closed-source secure elements, non-reproducibility of builds, adding more layers of trust, decreasing the air-gapness of devices and increasing the attack surface due to implementing questionable features, and also controversial marketing are the reasons I wouldn't switch from my Trezor to a Coldcard device. They are now more oriented towards people who wish to make everyday small transactions with their mobile phones rather than those who care about the security of their holdings. That is not to say that there is something wrong with using mobile wallets in combination with hardware wallets, but if I were to choose, I would consider fully open-source and more cheap devices.

[DaveF]

I like the idea of Seedsigner, but you know that cost of purchasing and assembling it now is around $80, and for that money you can buy used old but still good Thinkpad laptop.
That is if you managed to buy it anywhere, I looked all over the internet and Raspberry Pi Zero is mostly out of stock.
Seedsigner is also loading and starting very slow... no wonder when it has linux os in that small device

Sadly I think the $5 zero is not coming back soon. I see the W and the 2W at a lot of places but no longer the original zero.
Could just be that a lot of retailers are looking at the small amount they can make on it and just not ordering.

Not sure where you got the $80 price
But is you can find it, the PI is $5 but lets say you get the $15 2W
The GPIO pins are $2
The camera is $10
The LCD is $12
So $40 and it is good to go.

But....
The case becomes the problem, If you can find an original zero you can get the 3D printed case from them for $35 or you can just print your own or find someone to print it for you for a lot less: https://github.com/SeedSigner/seedsigner/tree/main/enclosures/open_pill

Back to the coldcard, I think more and more we are seeing tons of things being added to HW wallets more for marketing and to justify price.
Not saying it's good. Just that it is.

-Dave

[n0nce]

I like the idea of Seedsigner, but you know that cost of purchasing and assembling it now is around $80, and for that money you can buy used old but still good Thinkpad laptop.
That is if you managed to buy it anywhere, I looked all over the internet and Raspberry Pi Zero is mostly out of stock.
Seedsigner is also loading and starting very slow... no wonder when it has linux os in that small device

Sadly I think the $5 zero is not coming back soon. I see the W and the 2W at a lot of places but no longer the original zero.
Could just be that a lot of retailers are looking at the small amount they can make on it and just not ordering.

Interestingly, official Raspberry seller says it's discontinued:
https://thepihut.com/products/raspberry-pi-zero-1-3-with-pre-soldered-header-no-wifi-or-bluetooth
However, the SeedSigner guys seem to be able to get their hands on a lot of 1.3's, so maybe they order in bulk directly from Raspberry.

Not sure where you got the $80 price

From here: https://btc-hardware-solutions.square.site/product/orange_pill_kit/

The case becomes the problem, If you can find an original zero you can get the 3D printed case from them for $35 or you can just print your own or find someone to print it for you for a lot less: https://github.com/SeedSigner/seedsigner/tree/main/enclosures/open_pill

$35 is a lot for this. Material cost on the 3D printer (FDM) is in the low single-digits.

Back to the coldcard, I think more and more we are seeing tons of things being added to HW wallets more for marketing and to justify price.
Not saying it's good. Just that it is.

To be honest, I see more variety in the interfaces, for example SatoChip with smart card chip and interface, we see Bluetooth for a few years being around and lately NFC. A few years back, the only option was really USB and to this date many still only have USB.

It's necessary to have a variety on the market, because some people may be fine with a less secure but more practical device, while others want only one interface. The choice there differs again. Some will prefer a device with only microSD, some want only USB or some would prefer only QR codes.
In general, it would be preferable that devices aren't a 'jack of all trades, master of none'. Hence, I tend to agree that it's best to have a device with only one means of communication for higher security (alone by shrinking the codebase).

[dkbit98]

Great discussion, guys! I learned a lot, and also I am very disappointed in Coldcard. It seems to me that Coldcard devices are becoming more and more unsuitable for securing large amounts of money. Closed-source secure elements, non-reproducibility of builds, adding more layers of trust, decreasing the air-gapness of devices and increasing the attack surface due to implementing questionable features, and also controversial marketing are the reasons I wouldn't switch from my Trezor to a Coldcard device. They are now more oriented towards people who wish to make everyday small transactions with their mobile phones rather than those who care about the security of their holdings. That is not to say that there is something wrong with using mobile wallets in combination with hardware wallets, but if I were to choose, I would consider fully open-source and more cheap devices.

I think that Coldcard created some weird eco chamber and they started with all this crazy decision making, but some people may like this idk, but they are looking more and more like ledger every day.
Thing is that more I learn about hardware wallets in general, less I have trust in them, and I more thinking of going back using air-gapped laptop.
There is still place for using hardware wallets but you really need to think good about security, and look inside all of this devices... I mean they all use same microchips and ''secure'' elements.

Sadly I think the $5 zero is not coming back soon. I see the W and the 2W at a lot of places but no longer the original zero.
Could just be that a lot of retailers are looking at the small amount they can make on it and just not ordering.

That is probably true, and if it is than I would like to have Raspberry Pi Zeor 2 without wi-fi connection, I see some people are removing in manually on hardware level.

Not sure where you got the $80 price

I did simple math, all those prices you wrote are just in theory, in real life Pi zero was recently around $20 and I can find it now locally for more than $30 , same as Rpi 2 W (that is also out of stock in many places).
Some dedicated stores stocked up and they are selling all parts for around $80, and they can even send you pre-assembled version:

- https://www.gobrrr.me/produkt-kategorie/kits/
- https://btc-hardware-solutions.square.site/product/orange_pill_kit/6?cs=true&cst=custom
- https://diynodes.com/product/preassembled-seedsigner-in-open-pill-case/

And yes I know that case be printed locally with .STL files

Interestingly, official Raspberry seller says it's discontinued

That is only for version with pre soldered header, and official Rasberry website didn't say anything about this.
Like I said, I canstill find them in local shops with 6 or 7 times higher price.

[n0nce]

Thing is that more I learn about hardware wallets in general, less I have trust in them, and I more thinking of going back using air-gapped laptop.
There is still place for using hardware wallets but you really need to think good about security, and look inside all of this devices... I mean they all use same microchips and ''secure'' elements.

You're meant not to trust them! You're meant to verify..
That's why for me and my loved ones personally, I consider only open-source (hardware + software) wallets with reproducible builds. That's like the #1 requirement. But not the only one.
Since I don't have the time to go through the whole code of every new wallet, I am delighted when trusted and verified codebase is used (in true open-source spirit) just as Foundation did it and improved upon.

Interestingly, official Raspberry seller says it's discontinued

That is only for version with pre soldered header, and official Rasberry website didn't say anything about this.
Like I said, I canstill find them in local shops with 6 or 7 times higher price.

I don't think that's allowed in 'official stores'. What you're seeing are extortionist prices from scalpers (can even be private people on eBay) that similarly to the GPU market, scoop up everything from the official stores and then resell anywhere.
This happens any time a product is highly sought after and production can't keep up.

[dkbit98]

I don't think that's allowed in 'official stores'. What you're seeing are extortionist prices from scalpers (can even be private people on eBay) that similarly to the GPU market, scoop up everything from the official stores and then resell anywhere.
This happens any time a product is highly sought after and production can't keep up.

Well of course it's not official stores but nobody can prevent them to make their own prices as they like, same thing I saw in official resellers, very much different prices from one store to another.

Back on Coldcard topic,I have to say that I am amazed by crazy behavior of NKV coldcard developer, he is blocking and banning people all over, ranting against Foundation Passport and all other hardware wallets.
He is spending way to much time on twitter, and he is still making fake claims on their website that coldcard is open source (I will write big report about that in future).

He is now claiming that Foundation violated their license that is not open source (he indirectly admitted)
https://twitter.com/nvk/status/1486063736247001090

Foundation replied later:
https://twitter.com/FOUNDATIONdvcs/status/1486085925885161480

Here is Vlad Costea saying that he submitted a pull request to Coldcard's repo to suggest them to change the product's description from "Open Source" to "Source Available".
The PR was taken down in 5 minutes.
If you read connected tweets you will see why Coldcard is not open source, and why you will get sued if you use their code.
https://twitter.com/TheVladCostea/status/1486135832641744898?s=20


https://commonsclause.com/


https://coldcard.com/

All in all I would stay away from coldcard mambo jumbo wallet and their egoistic freak NVK.
I am thinking of tagging NVK for making repeated fake claims on their website and everywhere online.
It's decision tactics used only by scammers.

[n0nce]

Back on Coldcard topic,I have to say that I am amazed by crazy behavior of NKV coldcard developer, he is blocking and banning people all over, ranting against Foundation Passport and all other hardware wallets.
He is spending way to much time on twitter, and he is still making fake claims on their website that coldcard is open source (I will write big report about that in future).

He is now claiming that Foundation violated their license that is not open source (he indirectly admitted)
https://twitter.com/nvk/status/1486063736247001090

Dang, even deleted it! Fortunately, someone archived it. Maybe someone could create a NVK archive.org bot for the future.. Should be a few lines of code in Python.

All in all I would stay away from coldcard mambo jumbo wallet and their egoistic freak NVK.
I am thinking of tagging NVK for making repeated fake claims on their website and everywhere online.
It's decision tactics used only by scammers.

I find it just a bit sad. Coinkite started to build a pretty good reputation from what I was seeing, also with very popular OpenDime and everything; and then we see them starting to fight with other companies over FOSS codebase. This shows they haven't understood anything about open source. Open source is not about grabbing free code, then changing the license to disallow anyone to benefit from your changes. Instead, it's more about working together on one codebase to make it as good as possible.

I would have really liked to see them actually collaborate. While making two pretty different devices they could have basically doubled the size of the software team. By working on the same codebase, there was a chance to maybe create the next-gen 'state-of-the-art' go-to Bitcoin hardware wallet firmware that then others could also use and also help improve.

[dkbit98]

I find it just a bit sad. Coinkite started to build a pretty good reputation from what I was seeing, also with very popular OpenDime and everything; and then we see them starting to fight with other companies over FOSS codebase.

Finally I see some changes today on ColdCard wallet website after they confirmed they are NOT open source anymore, but they switched to Commons Clause Verifiable Source Code.
Maybe they cracked in last few days after Luke Dashjr said that verifiable source does not mean that code is open source at all, but we already knew that.
You can clearly see on their website how they made changes, but maybe they are preparing some public apology because they lied everyone for months.

Latest screenshot from Coldcard website:


https://coldcard.com/
(archive)

You can check older version of their website in my previous post of this topic above, and there is also saved archived version from yesterday.

I would conclude and say that this was a good decision from NVK, and even if it's not open source it is better than being closed source enigma like Safepal or Ledger.
However, reputation is lost with this changes and lies so I won't recommend Coldcard devices to anyone, not only because of this childish behavior but because they are adding NFC chips in their new devices.
Maybe they will have to remove True Air-Gap statement as well soon.

[witcher_sense]

Just to clarify, the Commons Clause license means you can freely access, modify and distribute modified and original software on which this license applies, but you cannot sell it or use this software for commercial purposes. If you are using licensed software, you must include a copyright notice, retain the original copyright and also include the "NOTICE" text file which usually contains some attribution notes. Interestingly, on the page describing what the Commons Clause license is, it is said that "when the Commons Clause is applied to an existing open-source project, it only affects code moving forward -- meaning no existing users are immediately affected. Licenses applied to previous versions are not revoked, so the Clause will only apply to future releases." Does it mean I can take previous versions of ColdCard source code, fork or modify them and then sell to whoever I want?

[DaveF]

Just to clarify, the Commons Clause license means you can freely access, modify and distribute modified and original software on which this license applies, but you cannot sell it or use this software for commercial purposes. If you are using licensed software, you must include a copyright notice, retain the original copyright and also include the "NOTICE" text file which usually contains some attribution notes. Interestingly, on the page describing what the Commons Clause license is, it is said that "when the Commons Clause is applied to an existing open-source project, it only affects code moving forward -- meaning no existing users are immediately affected. Licenses applied to previous versions are not revoked, so the Clause will only apply to future releases." Does it mean I can take previous versions of ColdCard source code, fork or modify them and then sell to whoever I want?

Yes. But it's a fine line to walk.
You take their old code and produce something.

They make an update to the code to do something / fix something.
You want to do / fix the same thing, but the way they did it was the best way and through your testing you came up with the same code to do it.

Can you prove that you did not take their code from ColcCardfile.py and just copy it to witcher_sensefile.py to fix an issue but developed it on your own?
Might me a rabbit hole you don't want to go down.

-Dave

[dkbit98]

Does it mean I can take previous versions of ColdCard source code, fork or modify them and then sell to whoever I want?

You can fork latest open source version released by coldcard, but why would you want to sell something that is free already, and nobody would buy that shit anyway.
Forking their new common clause license you could get sued by one and only developer they have, but you could just use Passport wallet code by Foundation that continued using open source code.
For me coldcard is now dead and stuck in the mud, and Passport moved on in right direction.

[witcher_sense]

You can fork latest open source version released by coldcard, but why would you want to sell something that is free already, and nobody would buy that shit anyway.
Forking their new common clause license you could get sued by one and only developer they have, but you could just use Passport wallet code by Foundation that continued using open source code.
For me coldcard is now dead and stuck in the mud, and Passport moved on in right direction.

Of course, I wouldn't try to sell something that is available for free because it'd be rather a scammy behavior than a good business strategy, but... I could, for example, improve the original non-licensed source code, add the features Coldcard wallets lack, or remove features that annoy people and make them think Coldcard is no longer a good choice. Maybe I would fix some bugs and patch different vulnerabilities, I'd make it more air-gapped or more friendly to bitcoin and open source principles. I don't know... If I made my version of source code that attractive, Coldcard developers could take it (because it is FOSS), commercialize it, sell it as their own.

Bitcoin Magazine has obtained "exclusive access" to the details of the new version of ColdCard hardware wallet, and made a small review, which can be found here: https://bitcoinmagazine.com/business/inside-the-new-coldcard-mk4

Frankly speaking, I learned nothing new from the details they provided, except for this part:

An attacker would need to fully compromise the two secure elements and the main microcontroller (MCU) before being able to extract seed words from the COLDCARD Mk4 as the device now distributes the encryption key among the three components. Additionally, even if all three components are compromised, the device’s PIN code would still be required.

Sounds kinda cool.

[n0nce]

If I made my version of source code that attractive, Coldcard developers could take it (because it is FOSS), commercialize it, sell it as their own.

That's not entirely correct. They would have to keep your license and also reference to your source. They would be allowed to sell it, but that's normal.
For instance, they started with a Trezor codebase and then sold their own modified version of it; similarly, Foundation sell devices running modified Coldcard software. That's all fine.

If Coldcard were to understand open source properly, they would look into working together with Foundation, sharing bug fixes and improvements amongst each other; that's how open source usually works - everyone benefits. Unfortunately, Coldcard doesn't want anything to do with this. It's their decision, but it's not very logical, to be honest.

An attacker would need to fully compromise the two secure elements and the main microcontroller (MCU) before being able to extract seed words from the COLDCARD Mk4 as the device now distributes the encryption key among the three components. Additionally, even if all three components are compromised, the device’s PIN code would still be required.

Sounds kinda cool.

Interesting; when we first heard about this '2 secure elements' idea, there were two options: they are storing the secret key material twice (hence 'halving' security - have to trust 2 manufacturers) or they are splitting it; in this case you could say the security is 'doubled', because both manufacturers would need to be malicious and build backdoors into their secure chips.
Now, it does sound cool to hear they went for the second method, but I'm interested to see if that's true (through code) and how the two pieces are combined. Lots of implementations are possible for this; some could be extremely insecure (such as loading both keys into memory and combining them) - potentially less secure than a single secure element that doesn't need to combine its key material with another one.

It's also worth remembering that the code means nothing if something else is running on the device. Last I checked, the firmware builds that Coldcard offers to flash to your devices, don't match the source code they publish. In that case, it's easily possible that the wallet is less secure than what the code makes you believe.

[hZti]

Are there any news regarding the security concerns of the software, now that the MK4 is released?