Cyph3rp9nk on Nostr: On the subject of hardware wallets, I think you have some misconceptions. Let's go by ...
On the subject of hardware wallets, I think you have some misconceptions. Let's go point by point. Trezor is already open source, both the software and the hardware, in both models. As the hardware is open source, a method was found to extract the seed, but the seed is still encrypted. What is the problem? That as the seed was encrypted in the old days by a maximum 9-digit PIN, it is very easy to break that encryption by brute force. To mitigate this attack, as already discussed, it is enough to use a passphrase, but more was done. Subsequently the PIN length was increased in both models to 50 digits, and in the case of the Trezor T, sd-protect was added, which expands the PIN protection to 256 bits, which cannot be hacked by brute force even if you extract the seed; the only protection is to hide the SD in another place than the Trezor. All this, I say, may be a pain for some, but it is the price to pay for your security not to depend on a third party. What I would have done is, instead of using a PIN, use a startup passphrase, forcing you to use the BIP39 and kill two birds with one stone. Is it safe that your disk encryption depends on TPM when we all know that TPM is a backdoor? TPM is analogous to secure elements, no more, no less. An example: in LUKS for Linux you can use either a passphrase or TPM to unlock the encrypted device. Clearly TPM is for clumsy or lazy users; you gain in user experience, but all your security, if you are Snowden, goes to shit. Maybe on a PC we don't care if we are a normal user, but when we talk about money... I would never recommend hardware wallets with a secure element, and I think Trezor is also criticized in a very unfair way when it is the model to follow. Any technology that involves encryption has to be open; otherwise we are falling into the model of TPM or WhatsApp.
You can criticize that they support shitcoins and many other things, but their security model has a reason and there is no need to reinvent the wheel. In fact, I am critical of Tropic because the solution already exists, although I understand that they do it for usability.
Published at 2023-01-07 00:28:18