I have trust issues with hardware wallets. (And so should you.) \ stacker news ~bitcoin

I have trust issues with hardware wallets. (And so should you.)

4040 sats \ 44 comments \ @The_Daniel 8 Dec 2023 bitcoin

When choosing a hardware wallet (signing device) for your cold storage, it’s really important to find one from a manufacturer that has proven to be trustworthy, and the same goes for the software and the marketing team. You don’t want a setup that collects analytics on your activity, or one that stores your personal information on an insecure database that creates a very attractive honeypot.

The first one I ever used was called a KeepKey, launched in early 2015 by a company led by CEO Darin Stanchfield and CTO (this is his actual name, I shit you not) Ken Hodler. It was a slick-looking device about the size of an Apple TV remote that connected to your computer using a browser extension to view balances and broadcast transactions.

On Christmas Day in 2016, Darin was sim-swapped and hackers compromised his email account, as well as the company’s social media account, and its marketing database, exposing customer data.

In 2017, KeepKey was acquired by ShapeShift, an exchange run by Erik Voorhees, an early pioneer in bitcoin who has since pivoted to shitcoins. Within a short time, they began pushing new updates to KeepKey to turn it into a full “crypto” wallet, and replaced the original browser extension with a new website (that also doubled as an exchange) to manage the device.

By that point, I absolutely knew it was time to move on, and I opted for a new bitcoin-only device. Much to my surprise, when I first attempted to migrate from KeepKey to the new setup, I got an error saying that the transaction could not be broadcasted. I tried in a different browser, and on a different computer, with no luck. Before going into a panic, I sent an email to ShapeShift support. I got the following autoresponse from them:

“I’d like to apologize for the delay in response. As a crypto enthusiast, you must have noticed what a crazy time it has been in our industry! We’ve seen an all-time high in demand, and with it, needs for extra support.” 🤮

A few days later, a reply came, saying that there were “known issues” with the platform that affected certain legacy wallets (i.e., pre-acquisition) and that I should use the device directly with Electrum. I did some research, and after a few more days, was finally successful in getting off of this platform. It was a hair-raising moment that made me realize that even self custody has the potential to get rugged, even if you thought you were making the most informed decisions you could at the time.

Be careful out there!

view all related items

32 sats \ 11 replies \ @DarthCoin 8 Dec 2023

I used a Trezor and a Ledger, long time ago.... for testing mostly. Once I saw that are useless for me, I gave them as a gift to a noob.

I never went to use ANY hardware wallet anymore. I have better ways.

For me... waste your money on them... more sats for me.

190 sats \ 1 reply \ @The_Daniel OP 8 Dec 2023

It's part of the evolution of a bitcoiner.

22 sats \ 0 replies \ @DarthCoin 8 Dec 2023

True

43 sats \ 6 replies \ @aoeu 8 Dec 2023

I wish Trezor had not gone the shitcoin route, but overall feel they are a valuable group to have. Their open source libraries are what is behind a lot of other hardware wallets like Coldcard and Passport. Not sure if Seedsigner uses anything from them. Regardless, I still see value in Trezor, Seedsigner, Passport, and other bitcoin-only hardware wallets as part of a multisig setup to reduce dependency on any one vendor or component.

I haven't gone fully down the paper wallet route.

Stay away from Ledger though!

11 sats \ 5 replies \ @DarthCoin 8 Dec 2023

If you read my guides (no joke or bullshit) you will find out that life is much easier without any hardware wallet.

People are throwing money on them for nothing. But I am totally fine with people buying expensive plastic shit, thinking that are giving them "security".... is like wearing a fucking mask in your car.

MORE SATS FOR ME SUCKERS!

10 sats \ 3 replies \ @Nuttall 8 Dec 2023

I'm going to read All that you have to offer. Right now I'm in two large projects but your next.

20 sats \ 2 replies \ @DarthCoin 8 Dec 2023

start here (I am making your life even easier): https://darthcoin.substack.com/p/bitcoin-be-your-own-bank-think-like

0 sats \ 1 reply \ @Nuttall 8 Dec 2023

Subscribed.

10 sats \ 0 replies \ @DarthCoin 8 Dec 2023

no need to "subscribe" man... it's all free just read them. I do not do this for followers or money. I just want people to use bitcoin and learn more about

0 sats \ 0 replies \ @aoeu 9 Dec 2023

Do you consider Seedsigner in the same category?

0 sats \ 1 reply \ @vindard 9 Dec 2023

Thoughts on how even Luke Dashjr managed to mess up a non-standard cold storage setup and be hacked?

50 sats \ 0 replies \ @DarthCoin 9 Dec 2023

I found quite strange that story. I incline to think it was just another "boating accident" method.

100 sats \ 2 replies \ @inverselarp 8 Dec 2023

You really should not “leave” your keys in the wallet. Generate seed, write it down, wipe. Recover whenever you need to do tx, do the tx, wipe. For the hodl stash it definitelly should not be this easy tho but the wipe step is always mandatory.

50 sats \ 1 reply \ @knorozov 8 Dec 2023

This is the most important function of a hw device, generate a secure seed offline. Why would you leave it on there?

0 sats \ 0 replies \ @inverselarp 8 Dec 2023

Exactly. Daily tipping, small cash in mobile wallet. Mid-size stash for trading / few months of expenses in single sig offline wallet with easy recovery but always wipe. Hodl stash always multisig or whatever treasure hunt scheme.

142 sats \ 3 replies \ @Zepasta 8 Dec 2023

deleted by author

49 sats \ 2 replies \ @Zepasta 8 Dec 2023

deleted by author

6 sats \ 1 reply \ @The_Daniel OP 8 Dec 2023

Very good suggestion, it's something I didn't want to approach until I had done enough research but now it seems like the best time.

21 sats \ 0 replies \ @Zepasta 8 Dec 2023

deleted by author

73 sats \ 1 reply \ @deletedd 8 Dec 2023

deleted by author

51 sats \ 0 replies \ @Zepasta 8 Dec 2023

deleted by author

9 sats \ 6 replies \ @nullcount 8 Dec 2023

Mfers would rather spend hundreds of thousands of sats on an artisan calculator than use TailsOS on a USB or a spare phone from the phone drawer.

31 sats \ 0 replies \ @anon 8 Dec 2023

Hundreds of thousands of sats is nothing when you're trying to secure tens of billions of sats.

19 sats \ 2 replies \ @The_Daniel OP 8 Dec 2023

You're not wrong, but DIY is scary for newcomers. Now I'm building nodes and consider myself experienced enough to do this stuff on my own.

24 sats \ 1 reply \ @nullcount 8 Dec 2023

Its only scary because hardware wallet manufacturers spread fear to sell more ewaste

You'll never hear an influencer read an ad for a DIY solution. That's not because the DIY route is difficult. Its because they won't get paid to shill DIY.

10 sats \ 0 replies \ @Zepasta 8 Dec 2023

deleted by author

0 sats \ 1 reply \ @badabing 8 Dec 2023

What about the "airgap" ?

0 sats \ 0 replies \ @nullcount 8 Dec 2023

Mfers actually think you need to spend hundreds of thousands of sats to airgap

TailsOS starts in offline mode by default and has electrum preinstalled.

https://electrum.readthedocs.io/en/latest/coldstorage.html

Install grapheneOS on an old android and never connect it to WiFi. Sideload Samourai wallet and shuffle PSBTs over USB. .

0 sats \ 1 reply \ @fiatdenier 9 Dec 2023

When did you do this And what did you do to migrate? Do you mean sweep it to another wallet? I have a keepkey also 👀

0 sats \ 0 replies \ @The_Daniel OP 9 Dec 2023

There is a guide here showing how to connect the device using Electrum. https://shapeshift.zendesk.com/hc/en-us/articles/360060952191-Electrum-Integration-with-KeepKey

0 sats \ 0 replies \ @Krv 9 Dec 2023

Ideal: Hodl amounts:

Seed generated randomly with dice, using SeedSigner or Coldcard offline to generate it from your dice. Add a passphrase.
Generate an xpub/ypub/zpub from these, which you can use to add funds in a way that doesn't expose the secrets.
Store the secrets (seed and passphrase) in a secure place using engravings in metal (maybe washers attached to a screw, or plates).

Spendings / amounts you can't stand to lose

any hardware wallets are fine for that purpose
lower risk having the seeds still on the device
can still use passphrases and other security methods
Lightning wallets are for excellent even lesser amounts

0 sats \ 0 replies \ @034b483ee7 9 Dec 2023

Here is how I roll my own cold storage solution. https://yakihonne.com/article/naddr1qqxnzdesxqungdp5xcurwwp4qgsrpwvez6skqp8z8jfuausdqmu9ja8fqsl73z7pklz9qrut8nrw8lsrqsqqqa280024y8

0 sats \ 3 replies \ @CruncherDefi 8 Dec 2023

I share similar sentiment. If hardware wallet contains private key behind some pin number, its always security-by-obscurity.

Obviously it's VERY OBSCURE (like you need research team and some ultra precise laser slicing machine to break it), but still security-by-obscurity. Everything that exists as a physical object in physical reality is breakable somehow.

I lean towards SeedSigner.

0 sats \ 2 replies \ @elysia 8 Dec 2023

How does seedsigner help with that besides privacy and diy?

0 sats \ 1 reply \ @CruncherDefi 11 Dec 2023

Seedsigner is ONLY for signing. It doesn't store seed on-device. If you turn it off memory gets wiped.

It ofc means that storing/securing seed is a separated responsibility in SeedSigner setups. So it's part of a tradeoff here.

I'd say it's suitable for ultra-cold-storage setups where you transfer out funds very rarely. Because it's poor UX to provide seed everytime you make transaction.

0 sats \ 0 replies \ @elysia 11 Dec 2023

Thanks didn’t know memory got wiped after. That’s great.

0 sats \ 0 replies \ @justBrian 8 Dec 2023

An old phone...something with good security like a pixel can be used offline with blue wallet to make a cold storage wallet. Bonus too that it doesnt look like anything special 🤙

0 sats \ 0 replies \ @jakoyoh629 8 Dec 2023

You didn't have the keys on paper ?

0 sats \ 5 replies \ @nerd2ninja 8 Dec 2023

Do you need help? We got a lot of do it yourself guides out there and that practice (even if you don't ultimately use it after setting it up) will help you understand self-custody in a way that you can't be rug pulled (no reliance on customer support, no reliance on company software updates, and full understanding of how to take care of yourself)

0 sats \ 4 replies \ @The_Daniel OP 8 Dec 2023

No, I’m good now. Thanks! But please do link your guides so others can benefit from them.

41 sats \ 3 replies \ @nerd2ninja 8 Dec 2023

https://github.com/nerd2ninja/bitcoin-sop/blob/main/Funds_Management/Stages_of_storage.md

Also, sparrow actually shows you what all the parts of a Bitcoin wallet are (derivation path, xpub, script type, seed phrase) when you create wallets with it.

Also, I need to add this to the repo. We have wallets with bad entropy from time to time: https://armantheparman.com/dicev1/

21 sats \ 2 replies \ @NoStranger 8 Dec 2023

The instructions on GitHub for hardware wallets is fun to read.

The guide goes like: "How to assemble SeedSigner", while any other is: "How to rip off component X from device Y'. 🤣

30 sats \ 1 reply \ @nerd2ninja 8 Dec 2023

Signing device companies keep putting wireless on their devices what else is there to say XD

0 sats \ 0 replies \ @NoStranger 8 Dec 2023

They might be better off making custodial services instead of deceiving people, it would be clear what their true objective is...