pull down to refresh

This screenshot was making the rounds on X yesterday:

source

And of course, nvk has something to say about it (or his llm does):

A Clean Phone Is Still a Computer: Why Bitcoin (and crypto) Needs a Hardware WalletA Clean Phone Is Still a Computer: Why Bitcoin (and crypto) Needs a Hardware Wallet

A dedicated phone can be a good hot wallet. It is not a substitute for a good hardware signer protecting long-term Bitcoin savings.

It should be noted at this point that nvk makes his bread by selling "hardware signers for protecting long-term Bitcoin savings." I'll save you the effort so you can skip the 2000 extra words here and get to nvk's main points. Hardware signers are better, he says, because:

1. It keeps the private key inside a dedicated signing device. The phone or desktop can be the coordinator: it tracks balances, chooses UTXOs, and builds a PSBT. The signer receives the transaction, signs internally, and returns a signature. The seed never needs to enter the coordinator’s RAM, filesystem, clipboard, backup service, or crash logs.

2. It independently explains what is being signed. A proper on-device screen derives the destination, amount, change, and fee from the raw transaction. COLDCARD’s verification model explicitly treats the host, coordinator, and network as untrusted. If clipboard malware changes the destination, the hardware screen shows the attacker’s address, not the coordinator’s reassuring fiction.

That only works if you read the screen. Blindly clicking “confirm” turns expensive hardware into a decorative USB key.

3. It narrows the attack surface. A well-designed signer does not need email, push notifications, a browser, social apps, cellular protocols, photo editing, cloud synchronization, advertising frameworks, or thousands of general OS services. Minimal firmware can still contain bugs, but fewer features and restricted interfaces leave fewer places to hide them.

4. It can resist physical attacks deliberately. Secure elements, multi-chip secret splitting, PIN attempt controls, tamper evidence, and purpose-built boot chains raise the cost of stealing a seed from a captured device. Consumer phones prioritize performance, battery life, cameras, connectivity, and app compatibility. Hardware signers can prioritize one narrow secret.

Before looking at these points, let's acknowledge that nvk skips the glaring risk of bitcoin/crypto specific hardware: it's an obvious target -- whether from compromising employees or customer databases or supply chain or the delivery mechanism or the device itself, attackers know exactly where to target. This is not the case with generic devices.

Now to his points:

  1. I don't know what signing model nvk is imagining, but any mobile wallet that supports psbts can achieve this. It would be a less than good idea to keep a seed on a device and then load them all onto the coordinating device at the time of signing, but I don't think that anyone was proposing that. Hardware signers are not the only devices that can work this way.
  2. This i s a good point. Trusting the coordinator is a problem. However, if you use something like Core or Knots as a coordinator on a laptop to create a psbt and then import it into a different provider's software on a mobile device (eg Blue Wallet or Nunchuk) you can achieve the same result of not trusting your coordinating device. I imagine hardware signer's make this easier, but it's not that hard to achieve without one.
  3. I will also grant nvk this point. Keep it simple stupid seems like a really strong way to approach bitcoin signing devices. Smart phones are not simple. By definition any generic device has a wider attack surface than a task specific device like a hardware signer. This is the trade-off I think we should be talking about: am I safer if I try to hide in the huge anonymity set of generic devices or am I safer if I use a highly armored, very simple but very obvious bitcoin signing device?
  4. While a bitcoin/crypto specific signing device may be better able to resist physical attacks, it is much more likely to get you attacked physically. If I buy an old iphone on ebay, it is unlikley that I'm getting added to a wrench attacker's list. But I'd say it's 50-50 odds you get on a list if you buy a hardware signer (do not ship such a device to any address where you physical are). It's worth discussing the merits of this trade-off.

Finally, nvk ends by shitting on SeedSigner again. I really wish he would cut this crap. ColdCard is a cool device, I'm happy that it is available to Bitcoiners. SeedSigner is also cool and I think Bitcoiners are better off having both options. Nvk's whining about SeedSigner is a weak look. He should stop.

What are your thoughts? How do you think about the trade-offs between bitcoin specific hardware devices and generic devices for signing operations?What are your thoughts? How do you think about the trade-offs between bitcoin specific hardware devices and generic devices for signing operations?

125 sats \ 8 replies \ @optimism 22h
any mobile wallet that supports psbts can achieve this.

You missed the point about loading the key into RAM. For example, the Titan M2 on Pixel 8+ are supporting P-256 (secp256r1) but not Bitcoin's Koblitz variant (...k1). So you may generate a key and wrap it, but you'd still have to unwrap it to RAM to use it for an unsupported curve. So no, they cannot achieve it. If your OS is compromised, so is your key.

reply

But if yo use the device only in a non-internet connected manner (ie, keep it in a cabin in the woods), you might still be able to avoid a problem here. The psbt either gets signed or it doesn't. A different device can verify the signature. You just need the phone to import, sign, and export (which I suppose I would do via a usb c cable?

I see your point, though. I don't think I would use a mobile device with a key for a cold storage quorum, but I like that thinking about a mobile phone as a signing device puts me in the mindset of "my device is compromised, how do I proceed?" while the mindset of a hardware signer is: "I need to keep my device from being compromised" -- I much prefer the former.

reply
125 sats \ 6 replies \ @optimism 22h
non-internet connected

Meaning you don't get fixes for exploits?

keep it in a cabin in the woods

Isn't that security through obscurity? [1]

I like that thinking about a mobile phone as a signing device puts me in the mindset of "my device is compromised, how do I proceed?" while the mindset of a hardware signer is: "I need to keep my device from being compromised" -- I much prefer the former.

I think that that thought is deceptive. You still need to keep your device from being compromised. Even more so than with a proper for-purpose hardware signer, because how do you even know that your device isn't compromised when you kept it in a cabin in the woods, while you're not at said cabin in the woods?

  1. See NIST 800-123, pdf page 15: "System security should not depend on the secrecy of the implementation or its components."

reply

This is helpful. And I hope I don't tax your patience too much with my ignorance.

don't get fixes or exploits?

If it's truly not connected to the internet, this seems like less of a concern. It just needs to be able to sign and import/export. I'm sure there are fixes to elaborate side channel attacks, but I don't see those as a problem for this threat model (if someone gets access to the device, game is over).

security through obscurity

It may be, but I think most normie Bitcoin security comes down to this: you have a seed/private key. Keeping this on a device alone is dangerous (devices do break), so you have a physical backup of some kind. This backup is likely finders keepers -- meaning, the only way to keep it safe is to keep it hidden.

I could encrypt my key, but then I've just transferred my security to the encryption password.

I could split the key up into shares or something, and this may be better, but if I'm going to do that, I'd rather do a multisig because then there never is a single key that can spend them all (however temporarily).

In the case of multisig, I gain security from having keys in different places and using different devices (also hopefully some redundancy from a threshold wallet), but each key itself is mostly secure because I hide it.

Yes I can lock it away in a safe or something, but that's like encrypting it -- I transfer the security to the key for the lock. Perhaps it makes sense to say that in that case attackers must compromise two pieces of information (key to lock/encryption and location of actual key to bitcoin) but this feels like the same as multisig: i'm spreading out the pieces, but each piece is ultimatley secured by being hidden.

I am willing to believe that all of this collapses in the face of a highly resourced and motivated state attacker, but if my threat model is thieves and petty state officials, I think security through obscurity may suffice.

How do you see this?

reply
125 sats \ 4 replies \ @optimism 21h
If it's truly not connected to the internet, this seems like less of a concern

Okay, so I have 2 offline devices that I never update:

Device 1: Commodity device, OTA updates with frequent release process, has a massive attack surface, now static because we never connect it.
Device 2: For-purpose device, air-gapped driven updates with less frequent release process, with small attack surface, also static because we forgot to install firmware updates.

I'd take device 2 over device 1. (and then update it, haha) Even the shitcoin hardware wallets have far less critical exploits than iPhone/iOS or Pixel/Android.

I can lock it away in a safe or something, but that's like encrypting it

Digital encrypted secrets can be copied and captured with little trace and decrypted elsewhere and later. Physical things like a safe are more obvious when compromised but easier to break. They're not equivalent at all. Treat them as additive.

if my threat model is thieves and petty state officials, I think security through obscurity may suffice.

There are current threats that come from opportunity. All it takes is the wrong data breach and you go from low to high threat, and often you'll not be alerted timely. Don't model your security on subjective, perceived threats only. The bulk should be defined by what's at risk: you don't secure 500k sats with a 300k sats hardware wallet, but you don't hold the keys to your retirement fund on an offline old iPhone in a cabin either.

How do you see this?

I think that it's all about process in the end because the #1 cause is loss. Coldcard does provide a great base for this, given that you have something at stake (whatever the replacement cost of your cold stored sats are for you, measured in years.)

reply

I had to look back at my post, because I do have a distaste for nvk, but the only thing close to an ad hominem in there is that I say he should stop shitting on seed signer (i believe I called it "whining" as well -- in another comment, I suggested that he felt Coinkite was challenged by Seedsigner, but again, I don't think that's an ad hominem).

In the land of bitcoin, the overwhelming message I hear is that "good bitcoiners use hardware signers." I think it's okay to point out that there are flaws in that approach -- just as it is helpful that you are pointing out the flaws in my approach.

I also think that my other criticisms of his article are fair. He doesn't acknowledge the supply chain, evil employee, honeypot, and man in the middle risks of hardware signers. I have tried to point out risks in Bitkey and other hardware signers as well in other posts.

reply
71 sats \ 2 replies \ @k00b 19h
PS: I think crapping on nvk is popular on SN, because of emotional reasons.

I've seen you say this a few times. Do you know where you got that impression?

People crap on many people here (as they do elsewhere), but it sounds like stackers may have a special hate-boner for NVK. The best I can recall is the thread where he was talking trash about SN and folks talked trash back.

reply

my buddy claims to have been defrauded by nvk. I tell him to take his licks and move on.

reply
205 sats \ 0 replies \ @optimism 18h

I do think that it started since the trash talking. Since then, I felt that there's a lot of negative sentiment towards the personality, and that that reflects on how what gets said, even when not only perfectly valid, but standard, gets pulled into doubt. The danger in it is that good security practices can get replaced with mediocre ones - like anti-education. It doesn't help that nvk isn't a broadly liked or easy to interact with figure, of course, but I feel we must take care to separate the merit of the message with the likability of the messenger.

Maybe I am confirming my own bias and I am seeing sentiment that isn't there, though? Always possible. I'll take some time this weekend to go over it and re-assess.

reply
104 sats \ 1 reply \ @DarrelXero 22h

I know he has a boner for SeedSigner. Any insight into what that's about? I guess since it is based on a raspi board he considers it a computer and not a secure device?

reply

I don't know too much of the history. It feels like nvk wants to be the cypherpunk solution for bitcoiners and things like seedsigner challenge that. We could ask him, but I've got the impression he doesn't much care for SN.

reply