Why Greg Maxwell thinks #bitcoin hardware wallets are a bad idea (even for noobs).
Greg is a legend who, among many other heroic accomplishments, discovered covert
ASIC boost - arguably the worst security flaw ever found with bitcoin.
...
“I don't think very highly of hardware wallets. They're opaque, largely unauditable. Most are crapped up with sketchy altcoin support that forces them into objectively less secure cryptographic code and makes them harder to review.”
...
“They're an extremely attractive target for supply chain attacks. An old laptop that never goes on-line is a lot better IMO, except where space/portability are a concern...”
...
“and can also be less expensive (you may already own one, or a linux compatible laptop can be obtained surplus extremely inexpensively: I have a tall stack of thinkpads that I bought for ~$10 each, that I use as essentially disposable offline computers)”
...
(Skipping some comments not directly criticisms of hardware wallets)
Next we see a typical talking point for selling hardware wallets from another Redditor:
“unless you consider yourself a true Bitcoin wizard you will be better off with a Bitcoin-only hardware wallet.”
...
Greg
"I wrote a paragraph expressing that kind of sentiment, saying that as a casual user who otherwise runs windows and isn't going to do those advanced things that the HW wallet might still be better. But I scrapped it because I couldn't bring myself to do it in good faith:"
...
"The badness of the supply chain vulnerability is so severe that I just cannot recommend a hardware wallet except for casual low/moderate value use where it doesn't really matter what security properties you use."
...
"For the moment the situation isn't quite dire because the thieves are busy with low hanging fruit, and haven't started e.g. flooding ebay/amazon with nearly indistinguishable backdoored clones. Yet."
...
"(or maybe they have, and Jan 1st, everyone with one is going to have their funds taken all at the same time. :( )."
...
(someone says there are bitcoin only hww and Greg replies)
"I'm not sure that this is really true. For example, coldcard is marketed this way- but its software uses trezor-crypto, so it's still obfuscated up by altcoin support and still uses crypto code that isn't even constant time much less hardened otherwise against sidechannels."
...
"The fact that they don't support altcoins means they're more likely to improve in the future than others... but even without the altcoin security distraction supply chain security is just exceptionally hard..."
...
"and a cryptocurrency-only device is always going to be an exceptionally hot target.
At the moment I think the best option at the intersection of security and usability may be a linux laptop/desktop that never runs any software other than your wallet."
...
"This doesn't require being a super-security wizard, as an airgapped setup does, ....
Of course, it's also a question of how much value you're securing. Both this solution and hardware wallets have the problem of being too expensive to be justified for tiny values."
...
(another redditor rolls out the same tripe about hww reducing user errors)
Greg:
"It's more common for people to forget their passphrases or fail to backup their wallets than to lose them to theft, by a wide margin."
...
"The attacker stuffs a piece of paper in the box to give the user a pre-selected wallet seed. This attack doesn't sound especially frightening because it's easily thwarted, but the reason more sophisticated attacks aren't happening is because the piece of paper is so effective."
(more tripe about it being hard to set up without a hww)
Greg:
"A stock OS install, of e.g. Fedora, has absolutely nothing else that talks on the network. If you don't launch a web browser or similar it's extremely unlikely to get compromised."
...
(someone says Greg Maxwell can't possibly claim Linux is more auditable because it is so big compared to hww)
Greg:
"I can and I do. You have to also factor in the number of reviewers, ease of review, and targetedness of the attack."
...
"So for example: Standard hardware wallets leak secret material via timing sidechannels pretty much universally (there are a couple that probably don't, but most do), even though it is not hard to avoid this. Why? Because there is essentially no effective review."
...
"The software running on these devices ends up being created by one or two person teams, and copy and pasted all over the place."
...
(tripe about a secure chip being awesome in hww)
Greg Maxwell:
"'Secure chip' also means you cannot confirm what the device is actually running."
...
"You can build all you want, and compare that this matches the firmware signed by the maker but you have no idea if that is what is actually running on the device, only that the device claims that it's running that."
...
"Moreover, under your theory that all linux kernels are vulnerable to network attacks even on locked down machines, the HW wallets still end up compromised: because the vulnerable hosts can be used to compromise the HW firmware, or cause the user to purchase a compromised/device."
(end of Greg Maxwell's epic takedown of every single selling point for hardware wallets)
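Added example, not part of the thread and not code from trezor-crypto or any wallet: what "isn't even constant time" means in the quotes above, modeled by counting group operations. Modular exponentiation stands in for elliptic-curve scalar multiplication, and the names `leaky_pow`, `ladder_pow` and the modulus `P` are constructed for illustration.

```python
# Model only: Python big integers are not constant-time, so this shows the
# *sequence* of operations, which is what a timing side channel observes.
P = 2**127 - 1  # constructed prime modulus for the toy group

def leaky_pow(base, secret, bits=128):
    """Square-and-multiply: the extra multiply runs only for 1-bits."""
    acc, ops = 1, 0
    for i in reversed(range(bits)):
        acc = acc * acc % P
        ops += 1
        if (secret >> i) & 1:           # secret-dependent branch
            acc = acc * base % P
            ops += 1
    return acc, ops                     # ops = bits + popcount(secret)

def cswap(a, b, bit):
    """Swap a and b when bit == 1, using masking instead of a branch."""
    t = -bit & (a ^ b)
    return a ^ t, b ^ t

def ladder_pow(base, secret, bits=128):
    """Montgomery ladder: one multiply and one square per bit, always."""
    r0, r1, ops = 1, base % P, 0
    for i in reversed(range(bits)):
        bit = (secret >> i) & 1
        r0, r1 = cswap(r0, r1, bit)
        r1 = r0 * r1 % P                # same two operations for every bit
        r0 = r0 * r0 % P
        ops += 2
        r0, r1 = cswap(r0, r1, bit)
    return r0, ops                      # ops = 2 * bits, independent of secret

if __name__ == "__main__":
    for secret in (1, 2**128 - 1):      # constructed low/high Hamming weight
        print(leaky_pow(3, secret)[1], ladder_pow(3, secret)[1])
```

The leaky version's operation count reveals the Hamming weight of the secret, while the ladder's count is fixed by the bit length alone.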