Re: NEWS FLASH! Hardware wallets still aren't secure, and they never will be.
⭐ Merited by ETFbitcoin (1)
My opinion is that you sound very arrogant, and are unwilling to admit that you are wrong, or that you can even learn something. This is a very dangerious way to handle the security of your coin.
I'm not turning my wifi off on windows 10 and hoping for the best. I'm using an air-gapped system.Your private keys will be in your RAM, and may be on your HDD, depending on your specific method of generating your private keys.
Even if you are using an air-gapped computer, someone with physical access to the computer may be able to obtain any remnants of your private key that remain. This is the same threat model as what is being described with HW wallets, however a HW wallet is easier to secure/hide than a computer.
Again, sounds like you don't understand what an air-gapped system is. Also, who the hell is generating private keys in a public park where a stranger can take a picture of their screen? Wtf? Go in the corner of your house if you're really paranoid (which of course I am).I am comparing the threat model of a paper wallet to that of a HW wallet.
If you take a paper wallet out of your safe to spend some of your coin, someone could take a picture of your paper wallet to compromise the seed, minus your passphrase. If you are using a HW wallet, an attacker taking a picture of your HW wallet would provide nothing to the attacker. The attacker would need physical access to the HW wallet for an extended period of time to compromise the seed in a similar way.
How did said attacker guess my BIP38 passphrase so quickly? They must have seen when I typed it out at the public park I generated my keys at I guess.
Again, I am comparing the threat model of a HW wallet to that of a paper wallet. See my above response.
When using a paper wallet:
Please tell me what part of the computer these "portions of private keys" remain on. <>- You must use a(n) (offline) computer to generate the private key to a paper wallet, and the portions of the private key may remain on the computer long after the fact.
I'm not turning my wifi off on windows 10 and hoping for the best. I'm using an air-gapped system.
Even if you are using an air-gapped computer, someone with physical access to the computer may be able to obtain any remnants of your private key that remain. This is the same threat model as what is being described with HW wallets, however a HW wallet is easier to secure/hide than a computer.
- You must transfer the private key of your paper wallet onto a(n) (offline) computer to spend any of your coin, risking the private key remains on your computer long after the fact, and risking that someone will take a picture of your private key/paper wallet. Neither of these are a risk with a HW wallet
Again, sounds like you don't understand what an air-gapped system is. Also, who the hell is generating private keys in a public park where a stranger can take a picture of their screen? Wtf? Go in the corner of your house if you're really paranoid (which of course I am).
If you take a paper wallet out of your safe to spend some of your coin, someone could take a picture of your paper wallet to compromise the seed, minus your passphrase. If you are using a HW wallet, an attacker taking a picture of your HW wallet would provide nothing to the attacker. The attacker would need physical access to the HW wallet for an extended period of time to compromise the seed in a similar way.
- An attacker may be able to compromise your paper wallet by being in possession of it temporarily for only a few seconds via taking a picture of your paper wallet. For a HW wallet to be compromised, the attacker must be in continuous possession of your HW wallet for a longer time, and must be in proximity of special electronic equipment. An attacker could stumble across a paper wallet, and compromise it without your knowledge, while a HW wallet being compromised without your knowledge would require a more targeted attack.
How did said attacker guess my BIP38 passphrase so quickly? They must have seen when I typed it out at the public park I generated my keys at I guess.
Again, user error is not a vulnerability.
I am going to disagree with this statement. If a process is so complex that the average user is going to make a mistake, this is a vulnerability. [/list]