Nostr Archives
semisol · 147d ago
I have lost all trust in almost everything in the Bitcoin/Nostr space in terms of security. From hardware wallets including the most popular Bitcoin-only ones, to wallet services, to Nostr apps, to LN wallet software… AI slop will only make this worse. This entire ecosystem is built like a house of cards.

Replies (34)

The Fishcake (nostr.build) · 147d ago
House of 💩
semisol · 147d ago
All HWWs that I have come across are turds.
vinney...axkl · 147d ago
steel plates, bombproof safes, landmines, walls
semisol · 147d ago
This problem existed before AI slop.
semisol · 147d ago
3 “do not enter” signs are about as effective as 1 “do not enter” sign. That makes sense when you have good security (3 locks are harder than 1), but if they are flawed in mostly the same ways and are basically a paper tiger then it doesn’t matter.
semisol · 147d ago
Coldcard is not a solid HWW at all. I work on secure element design, and several other people who also do agree. Don’t use an exchange. SeedSigner so far is the best approach, though it needs more code auditing.
semisol · 147d ago
The entire ecosystem is not slop, but a majority is, and especially the ones that push marketing hard. What they can’t do with skills they try to do with deception, whether it be false marketing or gold-coating a turd.
mIX · 146d ago
Are there any good write-ups on what the concerns are?
BITKARROT · 147d ago
Slop definitely existed before AI slop. The problem is now everyone is using AI slop, with or without engineering backgrounds. I really, seriously am done trying to clean up AI slop. It's like getting a dog to drive: it can push a button to go forward and get from A->B, sorta. But do you really trust it? I can't wait until someone really hits a wall and crashes hard. Then maybe people will wake up.
semisol · 147d ago
Tipping point: I reported several security vulnerabilities to LNbits and they took months to fix and ignored it. Alby did not follow basic security practices. Many HWWs are weak as shit. Nostr apps keep leaking nsecs every few months. The reference Cashu mint is poorly designed and, in one case when I operated it, duplicated funds.
semisol · 147d ago
Well, it has already contaminated a monetary system, so who knows what’s next. Software development should require a license of competency because it can and will create significant harms, from economic losses to disruption of critical infrastructure.
semisol · 147d ago
The SeedSigner model intentionally puts firmware verification responsibility on the user. Of course anyone can create a malicious firmware, for any signing device.
semisol · 147d ago
Some clients were designed without XSS protection. I believe Coracle sent nsecs to an analytics provider for a while by accident. And a lot of other stuff.
The Fishcake (nostr.build) · 147d ago
Unfortunately that’s true for many, and don’t get me started about random web extensions that store your nsec in plaintext in browser storage.
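As an added check, not code from this thread or from any of the projects named in it: a small scanner that audits a browser storage snapshot for plaintext nsec keys of the kind the comment above describes. It implements bech32 (BIP-173) decoding with checksum verification so that only real `nsec1...` strings carrying a 32-byte payload are reported, not every substring that happens to start with `nsec1`. The storage snapshot and the key bytes are constructed sample data, not a real key.

```javascript
// Added example (not from the thread or any Nostr project): scan a browser
// storage snapshot for Nostr secret keys stored in plaintext as bech32
// "nsec1..." strings. Bech32 is implemented here (BIP-173) so hits are
// checksum-verified, not just regex matches.

const CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l";
const GEN = [0x3b6a57b2, 0x26508e6d, 0x1ea119fa, 0x3d4233dd, 0x2a1462b3];

// BIP-173 checksum polynomial over 5-bit values.
function polymod(values) {
  let chk = 1;
  for (const v of values) {
    const b = chk >> 25;
    chk = ((chk & 0x1ffffff) << 5) ^ v;
    for (let i = 0; i < 5; i++) if ((b >> i) & 1) chk ^= GEN[i];
  }
  return chk;
}

// Human-readable part expanded as the spec requires before checksumming.
function hrpExpand(hrp) {
  const out = [];
  for (const c of hrp) out.push(c.charCodeAt(0) >> 5);
  out.push(0);
  for (const c of hrp) out.push(c.charCodeAt(0) & 31);
  return out;
}

// Regroup bits: 8->5 with padding when encoding, 5->8 without when decoding.
// Returns null on out-of-range input or non-zero padding bits.
function convertBits(data, from, to, pad) {
  let acc = 0, bits = 0;
  const out = [];
  const maxv = (1 << to) - 1;
  for (const v of data) {
    if (v < 0 || v >> from) return null;
    acc = ((acc << from) | v) & 0xffff; // at most from+to-1 live bits
    bits += from;
    while (bits >= to) {
      bits -= to;
      out.push((acc >> bits) & maxv);
    }
  }
  if (pad) {
    if (bits) out.push((acc << (to - bits)) & maxv);
  } else if (bits >= from || ((acc << (to - bits)) & maxv)) {
    return null;
  }
  return out;
}

function bech32Encode(hrp, bytes) {
  const data = convertBits(bytes, 8, 5, true);
  const pm = polymod(hrpExpand(hrp).concat(data, [0, 0, 0, 0, 0, 0])) ^ 1;
  const checksum = [];
  for (let i = 0; i < 6; i++) checksum.push((pm >> (5 * (5 - i))) & 31);
  return hrp + "1" + data.concat(checksum).map((d) => CHARSET[d]).join("");
}

// Returns { hrp, bytes } or null when the string is not valid bech32.
function bech32Decode(str) {
  if (str.length > 90) return null;
  if (str !== str.toLowerCase() && str !== str.toUpperCase()) return null; // no mixed case
  const s = str.toLowerCase();
  const pos = s.lastIndexOf("1");
  if (pos < 1 || pos + 7 > s.length) return null;
  const hrp = s.slice(0, pos);
  const data = [];
  for (const c of s.slice(pos + 1)) {
    const d = CHARSET.indexOf(c);
    if (d === -1) return null;
    data.push(d);
  }
  if (polymod(hrpExpand(hrp).concat(data)) !== 1) return null;
  const bytes = convertBits(data.slice(0, -6), 5, 8, false);
  return bytes ? { hrp, bytes } : null;
}

// Walk every string value in a storage snapshot (e.g. { ...localStorage })
// and report bech32-valid nsec strings carrying a 32-byte payload.
function findPlaintextNsecs(storage) {
  const hits = [];
  // 52 data chars + 6 checksum chars; the bech32 alphabet has no 1, b, i, o.
  const candidate = /nsec1[02-9ac-hj-np-z]{58}/gi;
  for (const [key, value] of Object.entries(storage)) {
    if (typeof value !== "string") continue;
    for (const m of value.matchAll(candidate)) {
      const dec = bech32Decode(m[0]);
      if (dec && dec.hrp === "nsec" && dec.bytes.length === 32) {
        hits.push({ key, nsec: m[0] });
      }
    }
  }
  return hits;
}

// Constructed sample data: a deterministic 32-byte value standing in for a
// secret key (not a real key) and a snapshot of what a careless extension
// might write to storage.
const SAMPLE_KEY = Array.from({ length: 32 }, (_, i) => (i * 7 + 3) & 0xff);
const SAMPLE_NSEC = bech32Encode("nsec", SAMPLE_KEY);
const SAMPLE_STORAGE = {
  theme: "dark",
  relays: JSON.stringify(["wss://relay.example"]),
  account: JSON.stringify({ name: "alice", nsec: SAMPLE_NSEC }), // plaintext key
  npub: bech32Encode("npub", SAMPLE_KEY), // public-key HRP, not reported
};

console.log(findPlaintextNsecs(SAMPLE_STORAGE)); // one hit, under key "account"
```

In a browser you would pass `{ ...localStorage }` for a web client, or the object returned by `chrome.storage.local.get(null)` for an extension. Any hit means the key sits on disk unencrypted and is readable by any code running in that storage's context, which is exactly the failure the comment above complains about; the fix is to keep the key encrypted under a user-supplied passphrase, or better, to never hold the raw key in the page at all and delegate signing to a separate signer.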
The Fishcake (nostr.build) · 147d ago
I get 404
The Fishcake (nostr.build) · 147d ago
I am making a highly secure extension addition for the Nostr Build Shack now, should hit public test release this weekend. https://testflight.apple.com/join/qgkAMPgU Nostr Build Shack
The Fishcake (nostr.build) · 147d ago
Fair game, but it’ll be tough
The Fishcake (nostr.build) · 147d ago
Similar but not cross-compatible (can be in the future)
The Fishcake (nostr.build) · 147d ago
🤣
Ava · 147d ago
Thanks, Love. I'm in. I know Semisol, and I'm with them on this one. Skills matter. AI's a great assistant, but a terrible master.
vinney...axkl · 147d ago
I stumbled around and eventually landed on and read this post: https://www.vaughnnugent.com/blog/d9ab8a46cfa8d6bd59cf048… 👍👍
The Fishcake (nostr.build) · 147d ago
Interesting write-up
vinney...axkl · 147d ago
you're thinking of @97c70a44…ad98e322
semisol · 147d ago
That also is a good option. Smart card as SE works pretty well.
vinney...axkl · 147d ago
I totally agree with you.
Final · 146d ago
Many people in the space are far too confident about their competency in cyber security. I've worked in it full time for years, I involve myself in lab training, and I am still sure I know very little. Cryptocurrencies being associated with hackers in pop culture is mostly to blame for this. Using a couple of apps and a HWW gets people in over their heads. Growing anti-intellectualism by influencers (grifters offering to teach you better than a degree or an industry vet), unvetted GenAI content and a purity-test mindset harm the movement. People are too confident to go against what every major company security team says. Working in technology doesn't immediately qualify someone as cyber security aware, never mind an expert. People always make basic mistakes. Cryptocurrency companies and people get pwned all the time.
A · 146d ago
2017 culture with the ICOs was so much worse than it is today. 2013 was where it was at.
semisol · 146d ago
Weak secure elements, bad architecture, UX is suboptimal, the designers of the architecture don’t know much about proper security, and, not related, but the company behind it has done a lot of shady shit.
semisol · 146d ago
📝 a391e587…
semisol · 136d ago
That is just the surface. The SEs they have used are in general insecure, lack any security certifications, and the Coldcards are vulnerable to many supply chain attacks that I have not published yet. Modern attacks with the same method you mentioned, btw, would cost at most $2K with a DIY setup.
semisol · 136d ago
Kind of. The developers of Coldcard do not have the security experience required to properly maintain a secure codebase.
semisol · 136d ago
Well, an easy example would be NVK squatting domains relating to SeedSigner and lying about it, while also sending a takedown request to @b5127a08…8635c422's FOSS blockclock competitor.
vinney...axkl · 147d ago
Agreed. Though if I'm being perfectly honest, the approach of "everything is insecure, so I should build my own tools; they'll be more secure!" can be an anti-pattern in the wrong hands. I don't know enough about @036533ca…cbaabf58 or his work to say, but it's a very minor alarm bell. Sometimes the whole ecosystem is improved more by talented and motivated individuals contributing to existing projects that need help in the areas those individuals identify as weak points.
The Fishcake (nostr.build) · 147d ago
I tried to find clean and compliant libs for Swift, just to end up writing my own on top of the standard libsecp256k1 instead of gluing together all the slop.