Thanks.

The problem with Ledger is that keys can be extracted from the device, so that's a (very expensive) testnet-only device. Maybe I should spend some time on Coldcard.

I've not personally used a Ledger, but Salvatore seems to keep them on the cutting edge.

The larger question of using a purpose-specific signing device is very interesting to me. I still feel a little that it is a bigger target than the safety it provides. I know lots of people use them with no problem, but I still get nervous about the idea of a device that has no other purpose than to sign bitcoin transactions -- how are they not massive honey pots?

I guess the solution is multi-vendor multisig.

reply
how are they not massive honey pots?

In the case of Ledger... they are. This was a whole scandal a few years back and it made me regret using that (and telling others to use it).

It all comes down to the secure element being sufficiently hard to extract data from (and arguably since any Ledger app can extract a key, that isn't "hard", it's trustmebro). Hardware security buys you time to move funds; that's really all it does.

reply