you could DM instead 🤷🏽‍♂️😂

Security convo matrix is roughly 1. publicly discuss risk, private clarification 2. publicly discuss risk, public clarification 3. privately discuss risk, private clarification 4. privately discuss risk, public clarification The problem with 1.) is that even if those risks can be fully dispelled as nothings, if that clarification is done in private, everyone else is still freaked out and might think they're in danger. Therefore since the RHR criticism was so public, so should be the clarification, thus 2.). 3.) and 4.) aren't relevant here, but for completion: 3.) is fine if there was never any real risk (e.g. someone asking, "Hey, can X happen?" "No, it can't because blah." "Ah, okay, cool"). No harm, no foul. But not great if there is a real risk and it's quietly fixed and never publicly disclosed. 4.) is pretty common: "We get this question a lot so let's discuss this concern...". Or it's a real risk that's fixed and then publicly disclosed.

What he said about seedsigner security ? A bitcoiner told me he will never use a seedsigner because it doesn't have any secure element and you have to trust raspberry or the reseller. For what i've understand seedsigner doesn't need a secure element because they doesn't store private keys + when the key is created or load in the device, he's never connected to internet.

The specific thing I'm referencing / responding to is included in the writeup linked in the original post. As for what you said, you're correct: there's no attempt to store any secrets in a SeedSigner so it's irrelevant that there's no secure element. The device is never connected to the internet (there is no wifi or bluetooth hardware onboard) and, ideally, it's only ever powered via a usb battery. So no physical connection ever to any internet-connected device.

The GitHub link was very informative. Seems to me it clarifies the pros and cons in no uncertain terms Look forward to the response from Odell. Wether he modifies his opinion or remains steadfast Thanks for your work in the space mate. It’s appreciated

@Guy Swann when read?

1) Wholesale Replacement If the total amount being secured by all users of the device is significant *to the attacker* wholesale replacement is a real risk. This doesn’t require a malicious party within the intended sharing group, just for someone to make an undetected substitution while the device is not in use. 2) Shared Access “done right” Shared access “done right” requires the device to be kept secure at all times, requires each user to verify software signatures and have access to a computer to reflash their SD prior to each use. If the amount being secured is small a mobile wallet sufficient IMO. For larger amounts the users should use their own devices.

This is a well-written response to what I think is a pathetic controversy. Frankly, it seems to be mostly driven by investors and company owners feeling threatened by SeedSigner. Of course, I haven't seen every interaction between those involved, so my impression could be wrong. I don't really see the threat, as SeedSigner is a somewhat niche device that I don't recommend for MOST people I talk to about Bitcoin. I use them and have built them for others for educational purposes. I've had nothing but wonderful interactions with the SeedSigner project leader, but I'm sure he has communicated negatively with someone. So have I. Of course SeedSigner could reduce its current attack surface, but that's true of all devices and software I know of. Everything has some tradeoff. Ultimately, I think security models and related products will improve to the point that average people simply don't have to worry about stuff like this. In the meantime, I'd prefer that we all work together to mitigate risks and educate newcomers without exposing them to stuff like this. I feel better about this approach than when I participate in drama or see it happening. @npub17tyk...3mgl

Thank you very much for the detailed explanations. The fact that the Pi Zero has no exchangeable firmware / BIOS was new and informative for me.

Thanks for your explanation. I learnt new stuff and now i Love my seedsigner even more.

Thanks for your explanation. Now I Love my seedsigner even more.

Updated to add more detail around the risks at each layer of our Linux-based stack and crucial differences in how retail hwws work. See the notes at the end for ongoing summary of edits.

Thought experiment: All of the devices have a zero-day from the factory. We won't learn about them until it's too late; nobody will/can prove or disprove it. * Stay updated on current attacks. Get comfortable remaining at a heightened alert-level; everyone wants your bag. * Don't keep all of your eggs in the same basket(s). * Don't trust, verify. But also, maybe remember that more of us are good actors than bad ones, we are making individuals and the collective stronger. We ARE on the same team.

Multivendor multisig ftw. Build a SeedSigner. Buy a Coldcard. Pick whatever other hwws you want in the mix. Then level up to multiple multisigs (within reason). Maybe consider a modest slice in a collaborative multisig (ala Unchained). Eliminate single points of failure! But balance against creating so much complexity that you f it all up.

Great write-up, Keith! Especially appreciate the distinction between EEPROM and ROM here.

Really good explanation of the Seedsigner risk model. View quoted note →

Great article, Keith. I think your link to adafruit is malformed; it appears to be a relative link, missing the https:// protocol, so it comes up as a 404 in GitHub.

Thanks for letting me know!

ODELL is a programmer? He should understand this as a specialist? If so, why does he speak not as a specialist, but as a child? There are only 2 options. 1. You do not know what he knows. He understands engineering and programming better. 2. He talks nonsense because he carries out someone's order to discredit npub17tyke9lkgxd98ruyeul6wt3pj3s9uxzgp9hxu5tsenjmweue6sqq4y3mgl.

I read your post on github, very interesting and educational.