An unexpected backup system suggestion

[apogio]

What is there to not trust about a hardware wallet whose schemata, PCB designs and firmware are all publicly available and open source? That would be equivalent to a software wallet being open source in terms of checking the code.

It does require you to go out and learn a few things about circuit board design, but isn't that the case with learning a new programming language as well? In my opinion, it is worth going out to learn about those things since a special-purpose hardware wallet is more secure than even a secure software running on a generic computer.

Yeah I don't even doubt that. I totally agree. Here is the discussion we had in the forum last year: https://bitcointalk.org/index.php?topic=5432665.0
I am just pointing out for newer members or members who may have missed it. It's a good reading.

[1714678851]

1714678851

[1714678851]

1714678851

[1714678851]

1714678851

[1714678851]

1714678851

[ranochigo]

The aim of a deterministic keys wallet is easy backup and recovery while still maintaining good security. Address re-use should by default be minimized. I don't want to deal with when to use new keys and manage change. I expect the wallet to do this for me properly.

Legacy wallets that used a key pool of unrelated random private keys had their particular issues. Only file backup was possible. Restore of an older version of a wallet could lead to loss of funds if the key pool missmatched from latest to restored version. Usage of signing devices like hardware wallets or air-gapped setups aren't easy if not impossible with a key pool of random private keys.

FWIW, hierarchical deterministic wallets like Bitcoin Core requires a new backup given a password change. Certain activities to the wallet will result in a refresh of the HD seed and thereby requiring a new backup. Mnemonics are designed to make it easier for people to write them down and read them.

What is there to not trust about a hardware wallet whose schemata, PCB designs and firmware are all publicly available and open source? That would be equivalent to a software wallet being open source in terms of checking the code.

It does require you to go out and learn a few things about circuit board design, but isn't that the case with learning a new programming language as well? In my opinion, it is worth going out to learn about those things since a special-purpose hardware wallet is more secure than even a secure software running on a generic computer.

Not saying that I agree with him but there are merits to this arguments. It's not a matter of inspecting the entire PCB with your naked eye or reading the codes. There's no way of knowing what exactly each chip is for and the entire design and layout of PCB, because certain components are designed to be a blackbox for security. In fact, it would be difficult to tell if your firmware is indeed flashed to the one that you've uploaded to the device.

Ok, yeah, Luke is a controversial figure, having stated that he doesn't trust hardware devices etc, but in my opinion, it's a good example of the "don't reinvent the wheel" narrative.

I think the issue is less about reinventing the wheel and more about knowing what you're doing and guarding against potential attack vectors. If you thoroughly understand and guard against what's potentially a threat, then I don't see how it would be bad since majority of them are a direct result of human error. Not trusting BIP39 is okay, or using GPG to encrypt every single WIF private key is fine too, but it's just a less efficient way and one that doesn't make much sense given the alternatives that we have.

[NotATether]

What is there to not trust about a hardware wallet whose schemata, PCB designs and firmware are all publicly available and open source? That would be equivalent to a software wallet being open source in terms of checking the code.

It does require you to go out and learn a few things about circuit board design, but isn't that the case with learning a new programming language as well? In my opinion, it is worth going out to learn about those things since a special-purpose hardware wallet is more secure than even a secure software running on a generic computer.

Not saying that I agree with him but there are merits to this arguments. It's not a matter of inspecting the entire PCB with your naked eye or reading the codes. There's no way of knowing what exactly each chip is for and the entire design and layout of PCB, because certain components are designed to be a blackbox for security. In fact, it would be difficult to tell if your firmware is indeed flashed to the one that you've uploaded to the device.

I'm quite ignorant about hardware wallet design so pardon me, but can you give me some examples of some components that are completely proprietary? I'm guessing whatever HSM (hardware security module) is used in there firstly. But then again, if a module could be demonstrated to be provably secure - at least against modern-day attacks - what exactly is the point of not making all the parts deterministic like a software wallet?

Just like how I would be uncomfortable using a closed source wallet like Coinomi, similarly I would not be comfortable using a hardware device to store my life savings unless I know exactly how it works.

[ranochigo]

I'm quite ignorant about hardware wallet design so pardon me, but can you give me some examples of some components that are completely proprietary? I'm guessing whatever HSM (hardware security module) is used in there firstly. But then again, if a module could be demonstrated to be provably secure - at least against modern-day attacks - what exactly is the point of not making all the parts deterministic like a software wallet?

HSM is probably one of the most notable one, but I think MCUs are generally not as guarded though I wouldn't doubt if they aren't willing to release schematics on these. These are deterministic (similar design and components are on every device), but given the obscure nature of it, you wouldn't know if any backdoors are already in the chip if you have zero access to the internals.

Hardware wallets are generally tamperproof which means that it would be difficult to exactly inspect each and every component in the device. Let's say you know exactly which components are on the device, which isn't quite difficult (a quick visual scan will do, xray can be used if you really want to be sure), then I don't see how this still wouldn't require the user trusting the manufacturer.

[NotATether]

HSM is probably one of the most notable one, but I think MCUs are generally not as guarded though I wouldn't doubt if they aren't willing to release schematics on these. These are deterministic (similar design and components are on every device), but given the obscure nature of it, you wouldn't know if any backdoors are already in the chip if you have zero access to the internals.

What do you think it would take for a bunch of people or a consortium to come together to make a widely used open-source HSM specification?

I mean, I am aware of HSMs costing literally thousands of dollars to buy, the stand-alone devices at least. So there must be some sort of vested interest even for the corporations using these things to eliminate the costs, right?

Hardware wallets are generally tamperproof which means that it would be difficult to exactly inspect each and every component in the device. Let's say you know exactly which components are on the device, which isn't quite difficult (a quick visual scan will do, xray can be used if you really want to be sure), then I don't see how this still wouldn't require the user trusting the manufacturer.

You are right that it is quite infeasible to open a hardware wallet and inspect the parts one by one before you use it. Nobody does that with software wallets either. But if this is only done occasionally, by a few enthusiasts, as opposed to every time you get a new hardware wallet, it would decentralize a lot of that trust that people are putting on the manufacturer to not have a compromised supply chain.

[ranochigo]

What do you think it would take for a bunch of people or a consortium to come together to make a widely used open-source HSM specification?

I mean, I am aware of HSMs costing literally thousands of dollars to buy, the stand-alone devices at least. So there must be some sort of vested interest even for the corporations using these things to eliminate the costs, right?

Quite significant, I would expect. HSMs are very specialized chips and they are required to withstand various attacks from sidechannels, fault injections, tampering etc. Most of them are certified and hardware wallet manufacturers are generally more keen to use those that are available on the market, which is often proprietary and closed source as compared to open source ones, likely due to the track record and stuff.

They are obscure for a reason, which likely allows it to benefit from security from obscurity, which is especially important for devices which are required to be secure. You don't want people trying to probe around to see what makes it tick.

[NotATether]

What do you think it would take for a bunch of people or a consortium to come together to make a widely used open-source HSM specification?

I mean, I am aware of HSMs costing literally thousands of dollars to buy, the stand-alone devices at least. So there must be some sort of vested interest even for the corporations using these things to eliminate the costs, right?

Quite significant, I would expect. HSMs are very specialized chips and they are required to withstand various attacks from sidechannels, fault injections, tampering etc. Most of them are certified and hardware wallet manufacturers are generally more keen to use those that are available on the market, which is often proprietary and closed source as compared to open source ones, likely due to the track record and stuff.

They are obscure for a reason, which likely allows it to benefit from security from obscurity, which is especially important for devices which are required to be secure. You don't want people trying to probe around to see what makes it tick.

I dunno - the whole thing about security through obscurity is very fragile and it just takes one vulnerability to knock out the parts that you are using, whether it's by migrating to newer or different parts with a mitigation, or by a cyberattack in case you are not so lucky.

I feel like after seeing all these unpatchable hardware-level vulnerabilities such as Spectre and DMP (and to some extent the RowHammer family of exploits), we need to have more eyeballs looking at the design so that these kind of things are less likely to go unnoticed. Of course the examples I mention affecting CPUs that have no chance of getting open-sourced at all, but I really do think there's a chance for HSMs.

Just some food for thought.

[ranochigo]

I dunno - the whole thing about security through obscurity is very fragile and it just takes one vulnerability to knock out the parts that you are using, whether it's by migrating to newer or different parts with a mitigation, or by a cyberattack in case you are not so lucky.

I feel like after seeing all these unpatchable hardware-level vulnerabilities such as Spectre and DMP (and to some extent the RowHammer family of exploits), we need to have more eyeballs looking at the design so that these kind of things are less likely to go unnoticed. Of course the examples I mention affecting CPUs that have no chance of getting open-sourced at all, but I really do think there's a chance for HSMs.

Just some food for thought.

CPUs don't really benefit that much from the entire concept of security by obscurity but they are proprietary because of the significant R&D and stuff that is going into the chips. Asking them to open source their chips would be quite unreasonable from a business perspective and probably would never happen.

I've got no doubt that HSMs already have their inhouse red team to try to attack and crack their own chips and it is unlikely for an adversary, say a state sponsored attacker at worst to be able to understand the inner-workings thoroughly enough to break the HSM. My take is that security by obscurity works, and that open sourcing stuff doesn't exactly benefit manufacturers from a business perspective, considering the amount of money on R&D and certifications as well as the potential threats by doing so. We've had plenty of vulnerabilities from open source codes and notably some of the more serious ones were not disclosed and secretly used to develop their own exploits. I have no doubt that this could happen if given the chance.

[apogio]

I think the issue is less about reinventing the wheel and more about knowing what you're doing and guarding against potential attack vectors. If you thoroughly understand and guard against what's potentially a threat, then I don't see how it would be bad since majority of them are a direct result of human error. Not trusting BIP39 is okay, or using GPG to encrypt every single WIF private key is fine too, but it's just a less efficient way and one that doesn't make much sense given the alternatives that we have.

The main issue is that it's very difficult to use the keys if you need to.
Theoretically, if you have X key-pairs, you need to have X separate files.
So, if you needed to decrypt one private key and spend from it, the other ones wouldn't be decrypted.

I don't think it comes too handy though. Imagine that you need to:
1. plug in the external HDD.
2. transfer the encrypted file to your machine.
3. gpg decrypt the file. (if your GPG keys aren't on the machine, then it requires more steps).
4. open the file in a notepad and copy the WIF.
5. open electrum or sparrow and sweep the private key to a wallet.

I dislike this approach.

[Pmalek]

The reasoning was that he didn't feel safe storing a seed phrase ( in any storage medium ) without it being encrypted.
He was anxious that whatever location he chose, the possibility of someone finding the words would lead to a complete loss of funds, whereas the system he chose gives him the ability to add an extra layer of security.
He also said he doesn't want to use multisig or passphrase, because this is what I suggested as a measure of extra protection.

All that isn't an argument against BIP39 seeds. His paranoia level is at a point where he believes his coins will be lost because someone out there will find them and empty his wallets. To be honest, I don't think it's healthy.

Finally, he uses these encrypted keys as paper wallets.

To me, something that is digitally backed up and saved on a computer isn't a paper wallet, regardless if it's encrypted or not. The keys (better yet, seeds) are supposed to be on a physical medium.

When we are on the subject of paranoia, why is he only afraid of someone finding his physical backups? Why not be afraid of someone very knowledgeable getting physical access to your computer? Sure, they would have to break all the encryption, but still. Or even worse, why wouldn't that someone tie him up and torture him until he gives them what they want? At that point, it doesn't really matter what you used for your backups.

[Forsyth Jones]

Regarding the components of hardware wallets being obscure, such as the HSM and the Secure Element available in HW such as Ledger, it's difficult to trust completely, since these parts have an NDA agreement that these manufacturers that sell HW are obliged to comply with. i.e at the moment we don't have open source SE, but according to Trezor, this will be possible in the future as they are working on it.

I don't fully trust HW, but I know that at the moment they are the best options for beginners who don't understand anything about air-gapped storing coins safely.

I think this deserves a topic just for these hardware wallet dilemmas (if we don't have one), so I'll return to the subject of this thread.

All that isn't an argument against BIP39 seeds. His paranoia level is at a point where he believes his coins will be lost because someone out there will find them and empty his wallets. To be honest, I don't think it's healthy.

Agree, worrying too much about one thing and ignoring another is not a good thing, as it opens the door to online vulnerabilities.

When we are on the subject of paranoia, why is he only afraid of someone finding his physical backups? Why not be afraid of someone very knowledgeable getting physical access to your computer? Sure, they would have to break all the encryption, but still. Or even worse, why wouldn't that someone tie him up and torture him until he gives them what they want? At that point, it doesn't really matter what you used for your backups.

One of the best ways to protect your coins is really not to tell anyone that you have bitcoin, at least not unnecessarily, you can take every precaution to protect your wallets and backups, but not take care of privacy and go around telling friends that have bitcoin and making a lot of profit from is a decoy for physical attacks such as the wrench scam. Of course, most people you talk to with Bitcoin won't do this, but I feel uncomfortable when close family members ask me how much Bitcoin I have or tell others that I have it, as if I own a large amount, rather than to discuss the fundamentals and potential of bitcoin as a tool to improve our lives as well as protection against inflation and privacy against crooks and governments.

Whenever they start asking personal questions, I tend to deviate from the subject, as one of my mistakes was having said too much in an attempt to show what bitcoin is and how it works.

[apogio]

Or even worse, why wouldn't that someone tie him up and torture him until he gives them what they want? At that point, it doesn't really matter what you used for your backups.

One of the best ways to protect your coins is really not to tell anyone that you have bitcoin, at least not unnecessarily

Guys, I completely agree with these comments.
Jameson Lopp has a great resource on github where he keeps a list of all the physical bitcoin attacks. Just read it and you will notice that there have been many "torture / threat" stories. This is a huge threat that people seem to ignore.