A thread of 10 reasons I like @COLDCARDwallet

#10: Tamper evident - Packaging has unique # that you confirm on device. Clear case to see if components have been modified. LED lights confirm flash memory is unaltered.
#9: Time management - Set a delayed start after your PIN is entered, e.g., user must wait 24 hours after correct PIN is entered before access is granted. You can also set it to shut down after a certain idle time like 1 hour.
#8: Secure PIN - PINs can be 12 digits, split into prefix & suffix. The secure element key & prefix create anti-phishing words using HMAC/SHA256 function where the 22 bit HMAC result is converted into two BIP39 English words.
#7: Auxiliary PINs - You can create a decoy wallet that is accessed with a special duress PIN. You can also create a PIN that, when entered, destroys the ColdCard within 50ms. Functionality appears the same to user regardless of PIN used. There are no special warnings.
#6: Custom Seeds - You can literally roll dice to generate your mnemonic seed phrase. At 2.585 bits per roll, minimum 99 rolls required for 256 bit security.
#5: BIP 174 Support - You can create multi-sig wallets 100% air-gapped by using multiple ColdCards & passing a microSD card between them for the xPUBs. You can also sign a PSBT file on MicroSD, load it into BitcoinCore, & broadcast it from your own node w/o connecting your wallet
#4: BIP 39 Support - Your mnemonic seed is only 24 of 2048 English words. Add a 25th word (passphrase) up to 100 characters in length. Derives your xPRV with an HMAC/SHA512 function for BIP 32 HD wallet address generation.
#3: 100% Air-Gapped - You never have to connect your ColdCard to a computer. You can power it with a wall charger or battery pack and still generate wallet addresses, sign transactions, & update firmware. All offline and with MicroSD card use.
#2: Multiple Address Support - Your ColdCard can generate BIP 43, BIP 44 non-SegWit, BIP 49 SegWit, & BIP 84 Bech32 wallet addresses. You can export 250 addresses at a time in CSV format .txt files onto your MicroSD card. Plus it generates QR codes!
#1: Open Source - You can download the latest firmware .dfu file, verify it with GPG key & sha256 hash, load it on MicroSD card, & don't trust, verify. You can also step through all the code on github.
Bonus: The ATECC608A Chip - Your xPRV is stored here. It has a secure boot feature & was designed to resist advanced aggressive attacks such as: Fault Injection, Timing Analysis, Side Channel Analysis, & Probing. Can store up to 16 keys. Independently bricks itself after 13 tries
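An added example (not part of the original thread and not Coldcard firmware code) for #8 and #6: both turn hash output into 11-bit indices into the 2048-word BIP39 list. Assumptions: the dice rolls are hashed as an ASCII string with SHA-256 to produce the 256-bit entropy, the anti-phishing words use the leading 22 bits of the HMAC, and the device key and rolls below are constructed samples.

```python
import hashlib
import hmac

def to_word_indices(value: int, nbits: int) -> list:
    """Split an nbits-wide integer into 11-bit BIP39 wordlist indices (0..2047)."""
    if nbits % 11:
        raise ValueError("bit length must be a multiple of 11")
    return [(value >> shift) & 0x7FF for shift in range(nbits - 11, -1, -11)]

def dice_to_indices(rolls: str, min_rolls: int = 99) -> list:
    """Dice rolls -> 256-bit entropy -> 24 word indices, BIP39 checksum included."""
    if len(rolls) < min_rolls or set(rolls) - set("123456"):
        raise ValueError("need at least %d rolls, each a digit 1-6" % min_rolls)
    # Assumption: entropy is SHA-256 over the ASCII roll string.
    entropy = hashlib.sha256(rolls.encode("ascii")).digest()
    # BIP39 checksum for 256 bits of entropy: first 8 bits of SHA-256(entropy).
    checksum = hashlib.sha256(entropy).digest()[0]
    return to_word_indices((int.from_bytes(entropy, "big") << 8) | checksum, 264)

def antiphishing_indices(device_key: bytes, pin_prefix: str) -> list:
    """HMAC-SHA256(device key, PIN prefix) -> 22 bits -> two word indices."""
    mac = hmac.new(device_key, pin_prefix.encode("ascii"), hashlib.sha256).digest()
    # Assumption: the 22 bits are the leading bits of the HMAC output.
    top22 = int.from_bytes(mac, "big") >> (256 - 22)
    return to_word_indices(top22, 22)

# Constructed sample inputs, not real secrets.
ROLLS = "123456" * 17          # 102 rolls; real rolls must come from a physical die
DEVICE_KEY = bytes(range(32))  # stands in for the per-device secret in the secure element

if __name__ == "__main__":
    print("seed word indices:", dice_to_indices(ROLLS))
    # The words depend on both the device key and the prefix, so a cloned or
    # swapped device cannot show the expected pair for your prefix.
    print("prefix 1234:", antiphishing_indices(DEVICE_KEY, "1234"))
    print("prefix 1235:", antiphishing_indices(DEVICE_KEY, "1235"))
```

Each index selects one line of the standard BIP39 English wordlist, which is omitted here for length.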
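An added example (not from the original thread or from Coldcard's code) for #4: how BIP 39 stretches the mnemonic plus passphrase into a seed, and how BIP 32 turns that seed into the master private key and chain code behind the xPRV. The mnemonic is the public 12-word BIP 39 test vector, the passphrases are constructed, and the 100-character limit is the one stated in the thread.

```python
import hashlib
import hmac
import unicodedata

# Order of the secp256k1 group; a valid private key is in 1..N-1.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

def _nfkd(text: str) -> bytes:
    return unicodedata.normalize("NFKD", text).encode("utf-8")

def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP 39: PBKDF2-HMAC-SHA512, 2048 rounds, salt = "mnemonic" + passphrase."""
    if len(passphrase) > 100:  # limit quoted in the thread
        raise ValueError("passphrase longer than 100 characters")
    salt = b"mnemonic" + _nfkd(passphrase)
    return hashlib.pbkdf2_hmac("sha512", _nfkd(mnemonic), salt, 2048, 64)

def bip32_master(seed: bytes) -> tuple:
    """BIP 32: HMAC-SHA512 keyed with "Bitcoin seed" -> (private key, chain code)."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    key, chain_code = digest[:32], digest[32:]
    if not 0 < int.from_bytes(key, "big") < SECP256K1_N:
        raise ValueError("invalid master key, use a different seed")
    return key, chain_code

# Public BIP 39 test-vector mnemonic. Never use it for real funds.
MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
            "abandon abandon abandon abandon abandon about")

if __name__ == "__main__":
    # Same words, different passphrase: an unrelated wallet each time.
    for passphrase in ("", "TREZOR", "TREZOr"):
        key, chain_code = bip32_master(bip39_seed(MNEMONIC, passphrase))
        print(repr(passphrase), key.hex()[:16], chain_code.hex()[:16])
```

Every passphrase, including a mistyped one, yields a valid wallet, so there is no "wrong passphrase" error to catch a typo.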
