Just read about the NPM supply chain attack on Bitcoin wallets, and unfortunately, I have the bulk of my coins in a Trezor One (whose accompanying suite uses JavaScript).
I assume so long as my Trezor One is not connected to the internet, it is safe? But, is the company (Trezor) likely to upgrade its suite and firmware to solve the problem? Or is it wise to ditch my Trezor and move on to a different cold wallet (and what would your recommendation be)?
If you use it with Sparrow and not with their shitty software you are ok.
IMHO all hardware wallets are just useless fancy toys. You better make your own: https://darth-coin.github.io/wallets/tails-hodl-cold-wallet-en.html
reply
Hey, I was going through this.
You know what? I have a HODL wallet (Trezor), a cache (on-chain Blockstream Green, which I also use to swap in to Lightning) and a Spending wallet (Lightning, Blockstream Green).
Does it make sense?
reply
yes 👍
reply
This method IT IS NOT for those very new to this technology and are not so techy. For those I recommend to just buy a hardware wallet and forget about this method.
Your own post says it.
reply
yes, "for those non-techy", that means they have less neurons...
reply
You are really entertaining, LoL
reply
sometimes you have to tell the truth in a funny way so people will get it more easily
reply
I went to your post on the DIY wallet. As someone who is familiar with multiple Debian-based distros on Raspberry Pis (and other edge devices), I think I can grasp the concept, and pull it off if I give it a bit more thought and time.
It is an interesting learning experience, but does not seem like the best of ideas to me. It is great as a general purpose clean computer that I can plug in somewhere, but precisely for that reason, I would not use it as my Bitcoin wallet.
A wallet is meant to hold the master private key, and sign transactions, that is it. Beyond that, any other functionality (for general computing or running other apps) is just an attack surface. That is why good wallet manufacturers limit the functionality at a chip level, and do not allow any general computing task on the same hardware.
So yeah, the DIY stack must start from hardware level, if you are so inclined.
reply
Here is another example of how I keep the keys to a wallet.
This procedure is based on steganography.
Totally offline and chip to "control" the access. There's no way that somebody else could compromise my wallet. And to manage that wallet (only as watch-only and deposits) I use its xpub key in any other wallet app as I described in another guide.
reply