[HN Gopher] Ledger Stax - Hardware wallet with eInk display for ... ___________________________________________________________________ Ledger Stax - Hardware wallet with eInk display for digital assets Author : capableweb Score : 88 points Date : 2022-12-06 18:03 UTC (4 hours ago) (HTM) web link (shop.ledger.com) (TXT) w3m dump (shop.ledger.com) | [deleted] | nothasan wrote: | Off-topic but what do you think they used here to render the UI. | Qt? | popol12 wrote: | home made framework like the previous devices, I'd say. The UI | is running directly in the secure element (~1.5MB flash, ~50kb | ram) so it's very memory constrained. | the__alchemist wrote: | The correct play is writing to the display buffer directly | using a thin wrapper that has fonts, drawing primitives etc. I | hope they don't have a GPOS and Qt on this. | throwup wrote: | Sure it looks slick, but I worry about making these kinds of | devices more complicated than they need to be. Especially if it | has a battery inside. More complexity = more points of failure. | [deleted] | psychphysic wrote: | Makes sense, they've been emailing me 4 times per week. Clearly | to get rid of old stock. | | Didn't even have the decency to delete my email from their spam | list after hackers got my name address, phone number and that I | have a ledger. | | No matter how much I unsubscribe from their mailing list. | skazazes wrote: | It's my experience that having had any crypto-adjacent accounts | associated with my main email over the last decade has caused | the single largest increase in email spam of anything I have | ever done. I used to engage in the industry (in the mid to late | 2010's when most trading was done through centralized | exchanges) and it seems a few of the old platforms have | leaked/lost/sold their email databases. I get ~2-3 emails daily | now that I assume are all scams saying various things along the | lines of "You have n free XYZ token waiting to be collected!" | and "Ensure you update your ledger for the latest security | patches! Here is a link to it! Please ignore that its not to an | official ledger domain!" | | A lot of the spam seems to be either proxied through insecure | wordpress comment plugins or simply signing my email up for | accounts on random websites and somehow injecting their | phishing attempts into the account confirmation emails. They | come from all sorts of domains, most of which having nothing to | do with crytpo, and nearly all of the messages are embedded in | some sort of broken HTML email body. | | Although I no longer follow or have much interest in the | industry, I am hesitant to outright blacklist crypto terms. Has | anyone come up with a good solution to combating crypto email | spam? | hanniabu wrote: | > Has anyone come up with a good solution to combating crypto | email spam? | | Yeah, stop using centralized services | skazazes wrote: | Most of these accounts existed before DEFI was a twinkle in | Vitalik's eye. | | That being said if I could go back in time and avoid making | them, I think I still would.... | hbosch wrote: | Instructions unclear. I've decentralized my email, and now | the spam is worse. | influxmoment wrote: | Yep there are better wallets | | Passport is my recommended bitcoin wallet | [deleted] | efitz wrote: | I trust hardware wallets inversely to the amount of software they | have on them. | | This one looks really cool and I like the features but I will | never buy one because too many features and too much | connectivity. | ferminaut wrote: | I bought a wallet from Ledger once. Ledger then got hacked & now | I get texts weekly with different crypto scams targeted at me. | Never again. | georgyo wrote: | I also bought one and never will again. | | The USB port and the left button had a short somewhere. | Everytime you plugged it in, it would rapidly trigger the left | button. | | Two months of support for them and they kept making my jump | through hoops, including uploading a YouTube video of the | problem. And still the best the can say is "It's the USB-C | cable, use a different one." I tried 8 cables, including the | one that shipped with it, and 4 different computers. Same | failure every time. | | I had to file a claim with my payment processor because they | would not refund me either. Another month I and finally got | refunded. | | Never ever again. | olalonde wrote: | You can buy one through Amazon. | kube-system wrote: | I get Ledger phishing all the time and I've never been a | customer of theirs. | drexlspivey wrote: | A way to avoid this is to use your own domain for email and | signup with a unique email for every site | MivLives wrote: | That doesn't work with phone numbers. | CrackpotGonzo wrote: | This form factor would be awesome for mini external hard drives! | zephraph wrote: | I have no need for this device but it's definitely pretty. I love | the wrap around e-ink. It looks kind of like an e-ink book cover. | Cool project, gorgeous design. Would love to see more design | iteration in different categories like this. | Ninjinka wrote: | I have no need for another hardware wallet, but this is a | beautiful device. | | Edit: Ah, Tony Fadell, makes sense. | gojomo wrote: | Beautiful, but tip for Ledger team: pics & video should include | more common items for size reference. | | Even placing alongside some-generic-iPhoneish-smartphone isn't a | great help, as those now vary in size so much. | | Here's a thought, given its use: show it alongside some of the | world's most-recognized fiat monies, like the USD bill or | quarter, or several EUR bills/coins. | neilv wrote: | Banana for scale. | Etheryte wrote: | I'm not sure I agree, I think the video's example of it's | slightly smaller than a phone is more than enough. If I need | more than that I can look at the specs which are also readily | available further down the page. | gojomo wrote: | Slightly smaller than which of the dozens of phones of | varying sizes that look like that phone, which only appears | for ~1 sec, 5/6ths of the way through a video many visitors | won't play? | | Numerical specs are a poor substitute for a visual-intuitive | sense of something's size, versus common referents. | | My suggestion is only if Ledger wants their product to be | easily understandable to the largest possible audience of | buyers. If they're only interested in the smaller subset of | people for spend extra time digging, & can interpret | numerical dimensions well (perhaps with the aid of | rulers/etc), then being more obscure about its size makes | sense. | hammock wrote: | Size & Weight | | Credit card-sized. | | Dimensions: 85mm x 54mm x 6mm | | Weight: 45,2g | SV_BubbleTime wrote: | Really cool, but $279. That's about double what I would pay. | woodruffw wrote: | One of the rules of thumb for long-term key storage (especially | secure hardware storage) is parsimony: you don't want _any_ | unnecessary hardware or software (both because it makes the | storage less resilient, and because it introduces additional | security concerns). | | Given that, I'm not sure I understand why you'd put an e-Ink | display (much less a JPEG parser, presumably, given the NFT | stuff) on what should really just be an HSM. That seems like | asking for trouble. | | Edit: Not to mention Bluetooth and wireless charging, apparently. | popol12 wrote: | Sounds like you have never used hardware wallets, these are not | just a yubikey with a button to push and a notification diode. | Having a screen is essential to display information about the | transactions you're going to sign . Recent blockchains and new | bitcoin signing schemes tend to have big chunks of data that | require screen estate to be validated by the signer, so the | bigger the better. The nano S and nano X screen were a pain to | use with their super small screens, this improvement is | welcomed. About Bluetooth, well, that's simply a transport | layer, like USB. Pretty convenient when you want to trigger a | transaction from your phone. People don't necessarily use these | devices with a cable and a laptop. | | I don't see a use for wireless charging. Maybe you can charge | your wallet by placing it over your phone ? | pclmulqdq wrote: | Bluetooth is a huge attack surface. Most Bluetooth stacks are | something like 100k lines of C, written by electrical | engineers. It's a nest of bugs and vulnerabilities. | | There's probably more code in the Bluetooth stack than the | entire rest of the code on the device. | leni536 wrote: | Would putting the bluetooth stack on a dedicated IC be an | adequate securiry measure? | friend_and_foe wrote: | Bluetooth is a _wireless_ technology, and including it | necessitates an onboard power source, a battery. This changes | the security model a lot, an attacker now only needs | proximity to the device, not physical access. | hdevalence wrote: | No, the attacker still needs physical access to the device, | because signing requires on-device approval. | | The security model already assumes that the entity | requesting authorization is untrusted, so the security | model is basically unchanged. An attacker who can forge BT | packets to submit bad data for approval is not really | different from an attacker who compromises the | laptop/phone/etc to submit bad data for approval. | maxbond wrote: | > No, the attacker still needs physical access to the | device, because signing requires on-device approval. | | You're assuming that the Bluetooth implementation does | not introduce vulnerabilities that thwart this | assumption; GP & GGGP are suggesting that you shouldn't | _have_ to make this assumption in a hardware wallet (or | hardware that requires this very high level of | assurance), by not including it at all. The same goes | for, say, an attacker who 's able to swap your wireless | charger for a malicious one, and potentially execute a | power usage-based side channel if you access the device | while it's charging, or who's able to extract some useful | information from the RF noise produced by the monitor. | | The counterargument to this, in my mind, would be that | you plan to use these features of the wallet regularly, | and that they provide sufficient benefit to justify the | risk (which you may argue is quite modest), and perhaps | that you've implemented additional mitigations against | them (like never using it while it's charging). Your | argument about a monitor adding additional assurance in a | sibling thread was quite good I thought, and a tact I | didn't anticipate in this list originally. | hdevalence wrote: | Yes, but for this reason, the Bluetooth implementation is | on physically separate, untrusted hardware that has no | access to the buttons or screen other than by | communication with the secure element (see [0] for the | Nano X; I'm assuming the Stax will be basically similar). | | So this isn't really different from having a USB cable: | in either case, some untrusted messages arrive at the | secure element over some wires, and get processed there. | The only difference is that the wires come from another | chip on-device rather than from an external cable. | | [0]: https://www.ledger.com/ledger-nano-x-bluetooth- | security-mode... | hdevalence wrote: | If your secure hardware doesn't have a display, how do you know | what you're signing? | | You can't, so you're forced to trust that the software talking | to the HSM isn't lying to you about what data it's asking to be | signed, and at that point you're only marginally more secure | than not using an HSM at all. (Sure, it's harder to steal the | long-term key material, but if I compromise your software, I | get a signing oracle, and that might be good enough.) | | This is actually something that the blockchain ecosystem gets | right: every hardware wallet has a secure display of some kind, | to avoid blind signing, because it's a context where security | actually matters (unlike, e.g., "signing git commits with a | yubikey", which nobody cares enough about to attack). | woodruffw wrote: | > If your secure hardware doesn't have a display, how do you | know what you're signing? | | I might be missing what you mean, but with a normal security | module I control the inputs and outputs: the device only | signs what I tell it to sign, and I can test it for honesty | by verifying that any signature(s) I get back are actually | signatures over the inputs I put in. That still requires me | to trust that my interface to the hardware is the only | interface, but that's the point of the parsimony (no | bluetooth to worry about!). | | HSMs have plenty of problems (and I've encountered a good | share of them from designing trust ceremonies), but I don't | think adding a screen addresses any of them. If I was an | attacker, the pins on an e-ink display would probably be much | easier to tamper with than the secure hardware itself. | kiratp wrote: | The only way to be sure that your HSM is about to sign what | you told it to is if it shows you what was sent to it to | sign. Otherwise you're trusting that something didn't MITM | between your computer and the HSM (eg: driver) such that | you see one thing but end up signing something else. | bonestamp2 wrote: | Not to mention, you already trust github if your code is | there, and you can typically get that code back from the git | history, so it's not usually a big risk to authenticate with | a yubikey. | schmuelio wrote: | > unlike, e.g., "signing git commits with a yubikey", which | nobody cares enough about to attack | | I'm not so sure about this one, there's plenty of damage you | could do if you were a malicious actor who could send trusted | commits to a git repo. Especially if said repo were for some | important software (like Linux, wget, glibc, etc. I know | they're not necessarily on public repos but we're assuming at | least somewhat targeted attacks here). | josteink wrote: | If I were into crypto, this might have been neat. | | But you know... if these guys thinks that crypto is a real | currency and think you should use it for trade... | | Why do I have to pay for it using "real" money? They don't really | seem to be fully invested in what they're selling. | PretzelPirate wrote: | You have multiple crypto payment options at check out. | josteink wrote: | Not any options other than local currency offered when I | checked earlier, nor when I checked again now. | | A crypto-wallet vendor is literally blocking crypto payments, | even when they (according to you) support it (for some | users)? | | I mean come on. That's ridiculous? | Kiro wrote: | According to your other comment you haven't even seen the | payment page. If you had you would indeed see that you can | pay with crypto even from Norway. You're conflating payment | options with the display price. | ChrisClark wrote: | You can pay for it with many types of crypto. Not sure why | you'd say this without checking first. | josteink wrote: | > You can pay for it with many types of crypto. Not sure why | you'd say this without checking first. | | I've added one to the cart and gone to checkout and literally | gone all the way until I'm required to enter a shipping | address and register an account. | | At no point yet have I been offered the option to pay in | anything except local currency (NOK). | | If crypto payment is an option they are doing _everything | they can_ to keep it secret. | nihilius wrote: | Right in the footer on the left side are all the payment | options. https://i.imgur.com/RvBDaw2.png | Kiro wrote: | In what stores do you pay before you enter your shipping | address? You haven't even gotten to the payment page yet so | how can you say there is no such option? | achow wrote: | Wired's coverage on this. | | Tony Fadell Is Trying to Build the iPod of Crypto | | https://www.wired.com/story/tony-fadell-is-trying-to-build-t... | | _In his (Tony Fadell 's) mind, the wallet should be about the | size of a credit card and have a touchscreen. ...envisioned | people owning several wallets, one for each category of digital | collecting or banking. He liked the concept of stacking them on | top of each other, like a cash bundle of $100 bills. He came up | with the idea of having magnets to snap the units into a tidy | stack. That feature provided the name for the device: Stax._ | egypturnash wrote: | So don't keep this anywhere near your actual wallet unless you | are 100% sure your life is 100% free of any need to ever swipe | a magstrip from anything else that lives in your wallet, then? | Awesome. | [deleted] | krono wrote: | Maybe they can manage to not leak all their customer data for a | third time! | capableweb wrote: | Not sure I missed some leak, but if you're referring to what I | think you're referring to, it was a marketing newsletter email | list that got leaked/hacked, not the customer shipping database | or who owns a wallet. I for one doesn't see my email listed in | the leak, I'm not subscribed to the newsletter but I do own a | Ledger ordered directly from their website. | krono wrote: | Yes you missed two leaks, here are just some random articles | about them: | | https://web.archive.org/web/20221030030843/https://cointeleg. | .. | | https://web.archive.org/web/20220901153130/https://www.coind. | .. | | https://old.reddit.com/r/ledgerwalletleak/comments/ki1nsz/re. | .. | | https://old.reddit.com/r/CryptoCurrency/comments/rts1w2/got_. | .. | | https://twitter.com/yeolddoc/status/1353139243548364805 | jmathai wrote: | I have the ledger nano. | | Turns out that I don't have a compelling use case for it even | though I own some crypto. | | If I wanted liquidity in my crypto (to transfer or buy stuff) | then I would just store my keys in my password manager which I | seem to trust with the rest of my assets (I get crypto | transactions are non-reversible). | | If I do not want liquidity then I really am better off | writing/engraving my keys on something and into a safe. | | A combination of these two make the most sense for me. | olalonde wrote: | The compelling use case is not having to store your private | keys on your computer, even momentarily. Of course, if you | don't deem that too risky, a hardware wallet will do nothing | for you. | | That being said, I believe storing private keys on a general | computing device is very foolish and you will likely find out | the hard way. I wouldn't store any more in a hot wallet than | the amount of cash I'd be comfortable walking around with in my | pocket. | bioemerl wrote: | > I would just store my keys in my password manager | | The trouble here is the transfer of assets from the manager | into your apps. Lots of opportunity for thefts or screw up. | Imagine you use the clipboard and some random app happens to be | scanning it. | abdullahkhalids wrote: | Modern password managers don't use the clipboard any more. | They register a virtual keyboard and use it it to type into | the user/password box. | bioemerl wrote: | That requires a level of software support that, coming from | the side of refusing to use non open source software, I | simply haven't seen yet. | | Android does well, but my experience with Windows has | remained copy paste | jmathai wrote: | Valid. I've accepted much larger risk by storing all of my | other sensitive information in my password manager though. | What crypto needs is a form of 2FA - turns out I don't care | enough to have another factor that's only useful for crypto. | capableweb wrote: | Just as a FYI, Ledger also has a FIDO U2F application that | I found useful for some things. | capableweb wrote: | I mostly use it for two purposes. 3rd factor for using my phone | for cryptocurrency transactions and for a second validation of | that the address, amount and data is correct, on a second | device that is (theoretically) impossible to compromise and | show something else. | ilaksh wrote: | Looks really cool. Too bad you can't read HN on it though. | | Just kidding. | rahen wrote: | Previous submission (Wired): | https://news.ycombinator.com/item?id=33884793 | | The Stax is designed by Tony Fadell, creator of the iPod. | friend_and_foe wrote: | What in the fuck is this company doing? They're supposed to be | marketing security oriented hardware, not hype and flash and | accessories. Their app is full of all sorts of affiliate | nonsense, they're bloating coin specific applications to | deliberately make their original product obsolete, now they have | a good idea, an e-ink display, and they're packaging it like | this? Marketing it like this? They must be desperate for money. | szastamasta wrote: | I'm not really a crypto fan. But it's a really neat device. A | cool tech that has a creative use of e-ink. Something I wouldn't | mind keeping in my pocket. | anonporridge wrote: | The neat thing about crypto hardware wallets, is that they're | essentially just private key storage and signing devices. Even | if you never want to touch any cryptocurrency, the ubiquity of | these devices could be a huge enabler for expanded use of end | to end encryption like PGP or for simple second factor | authentication like yubikeys. | | Of course, when you lock real money with it, the average person | puts _much_ more energy into ensuring good passcodes and | backups. | dennyabraham wrote: | Aside from their use with crypto, these are just nice looking | pieces of hardware. Is there any word on whether you'll be able | to run custom code on these? | olalonde wrote: | Yes it's possible: https://developers.ledger.com/ | brink wrote: | I was thinking the same thing. Someone please make similar | hardware as an open platform. | bioemerl wrote: | I really want one of these with random games and little fun apps | instead of crypto. It looks like an awesome PDA. | zoklet-enjoyer wrote: | I just upgraded my Ledger. This is so much cooler but I can't | justify buying it right now. I love e-ink and crypto | SpaceManNabs wrote: | I wish this website would make the case for what it offers beyond | the Ledger Nano X as easily as they did previously. From what I | can tell, I am just staying to my ledger nano x because I am not | interested in NFTs yet (or ever if they never become useful | beyond gaming). | pclmulqdq wrote: | I'm not sure they're even useful in gaming. The NFT games of | 2020 have all collapsed, and there was huge backlash among | gamers against normal games incorporating NFTs. | bonestamp2 wrote: | This looks neat, but even after reading their FAQ I don't | understand the namesake feature -- why or when would I need more | than one; and in that case, why is it a benefit that they snap | together? I mean, is it just because it looks tidy/neat or is | there a user story where this has additional value? ___________________________________________________________________ (page generated 2022-12-06 23:00 UTC)