[HN Gopher] Ledger Stax - Hardware wallet with eInk display for ...
___________________________________________________________________
Ledger Stax - Hardware wallet with eInk display for digital assets
Author : capableweb
Score : 88 points
Date : 2022-12-06 18:03 UTC (4 hours ago)
(HTM) web link (shop.ledger.com)
(TXT) w3m dump (shop.ledger.com)
| [deleted]
| nothasan wrote:
| Off-topic but what do you think they used here to render the UI?
| Qt?
| popol12 wrote:
| Home-made framework like the previous devices, I'd say. The UI
| is running directly in the secure element (~1.5MB flash, ~50kb
| ram) so it's very memory constrained.
| the__alchemist wrote:
| The correct play is writing to the display buffer directly
| using a thin wrapper that has fonts, drawing primitives etc. I
| hope they don't have a GPOS and Qt on this.
| throwup wrote:
| Sure it looks slick, but I worry about making these kinds of
| devices more complicated than they need to be. Especially if it
| has a battery inside. More complexity = more points of failure.
| [deleted]
| psychphysic wrote:
| Makes sense, they've been emailing me 4 times per week. Clearly
| to get rid of old stock.
|
| Didn't even have the decency to delete my email from their spam
| list after hackers got my name, address, phone number and that I
| have a ledger.
|
| No matter how much I unsubscribe from their mailing list.
| skazazes wrote:
| It's my experience that having had any crypto-adjacent accounts
| associated with my main email over the last decade has caused
| the single largest increase in email spam of anything I have
| ever done. I used to engage in the industry (in the mid to late
| 2010s when most trading was done through centralized
| exchanges) and it seems a few of the old platforms have
| leaked/lost/sold their email databases. I get ~2-3 emails daily
| now that I assume are all scams saying various things along the
| lines of "You have n free XYZ token waiting to be collected!"
| and "Ensure you update your ledger for the latest security
| patches! Here is a link to it! Please ignore that it's not to an
| official ledger domain!"
|
| A lot of the spam seems to be either proxied through insecure
| WordPress comment plugins or simply signing my email up for
| accounts on random websites and somehow injecting their
| phishing attempts into the account confirmation emails. They
| come from all sorts of domains, most of which have nothing to
| do with crypto, and nearly all of the messages are embedded in
| some sort of broken HTML email body.
|
| Although I no longer follow or have much interest in the
| industry, I am hesitant to outright blacklist crypto terms. Has
| anyone come up with a good solution to combating crypto email
| spam?
| hanniabu wrote:
| > Has anyone come up with a good solution to combating crypto
| email spam?
|
| Yeah, stop using centralized services
| skazazes wrote:
| Most of these accounts existed before DEFI was a twinkle in
| Vitalik's eye.
|
| That being said if I could go back in time and avoid making
| them, I think I still would....
| hbosch wrote:
| Instructions unclear. I've decentralized my email, and now
| the spam is worse.
| influxmoment wrote:
| Yep there are better wallets
|
| Passport is my recommended bitcoin wallet
| [deleted]
| efitz wrote:
| I trust hardware wallets inversely to the amount of software they
| have on them.
|
| This one looks really cool and I like the features but I will
| never buy one because too many features and too much
| connectivity.
| ferminaut wrote:
| I bought a wallet from Ledger once. Ledger then got hacked & now
| I get texts weekly with different crypto scams targeted at me.
| Never again.
| georgyo wrote:
| I also bought one and never will again.
|
| The USB port and the left button had a short somewhere.
| Every time you plugged it in, it would rapidly trigger the left
| button.
|
| Two months of support for them and they kept making me jump
| through hoops, including uploading a YouTube video of the
| problem. And still the best they can say is "It's the USB-C
| cable, use a different one." I tried 8 cables, including the
| one that shipped with it, and 4 different computers. Same
| failure every time.
|
| I had to file a claim with my payment processor because they
| would not refund me either. Another month and I finally got
| refunded.
|
| Never ever again.
| olalonde wrote:
| You can buy one through Amazon.
| kube-system wrote:
| I get Ledger phishing all the time and I've never been a
| customer of theirs.
| drexlspivey wrote:
| A way to avoid this is to use your own domain for email and
| sign up with a unique email for every site
| MivLives wrote:
| That doesn't work with phone numbers.
| CrackpotGonzo wrote:
| This form factor would be awesome for mini external hard drives!
| zephraph wrote:
| I have no need for this device but it's definitely pretty. I love
| the wrap around e-ink. It looks kind of like an e-ink book cover.
| Cool project, gorgeous design. Would love to see more design
| iteration in different categories like this.
| Ninjinka wrote:
| I have no need for another hardware wallet, but this is a
| beautiful device.
|
| Edit: Ah, Tony Fadell, makes sense.
| gojomo wrote:
| Beautiful, but tip for Ledger team: pics & video should include
| more common items for size reference.
|
| Even placing alongside some-generic-iPhoneish-smartphone isn't a
| great help, as those now vary in size so much.
|
| Here's a thought, given its use: show it alongside some of the
| world's most-recognized fiat monies, like the USD bill or
| quarter, or several EUR bills/coins.
| neilv wrote:
| Banana for scale.
| Etheryte wrote:
| I'm not sure I agree, I think the video's example of it's
| slightly smaller than a phone is more than enough. If I need
| more than that I can look at the specs which are also readily
| available further down the page.
| gojomo wrote:
| Slightly smaller than which of the dozens of phones of
| varying sizes that look like that phone, which only appears
| for ~1 sec, 5/6ths of the way through a video many visitors
| won't play?
|
| Numerical specs are a poor substitute for a visual-intuitive
| sense of something's size, versus common referents.
|
| My suggestion is only if Ledger wants their product to be
| easily understandable to the largest possible audience of
| buyers. If they're only interested in the smaller subset of
| people who spend extra time digging, & can interpret
| numerical dimensions well (perhaps with the aid of
| rulers/etc), then being more obscure about its size makes
| sense.
| hammock wrote:
| Size & Weight
|
| Credit card-sized.
|
| Dimensions: 85mm x 54mm x 6mm
|
| Weight: 45,2g
| SV_BubbleTime wrote:
| Really cool, but $279. That's about double what I would pay.
| woodruffw wrote:
| One of the rules of thumb for long-term key storage (especially
| secure hardware storage) is parsimony: you don't want _any_
| unnecessary hardware or software (both because it makes the
| storage less resilient, and because it introduces additional
| security concerns).
|
| Given that, I'm not sure I understand why you'd put an e-Ink
| display (much less a JPEG parser, presumably, given the NFT
| stuff) on what should really just be an HSM. That seems like
| asking for trouble.
|
| Edit: Not to mention Bluetooth and wireless charging, apparently.
| popol12 wrote:
| Sounds like you have never used hardware wallets, these are not
| just a yubikey with a button to push and a notification diode.
| Having a screen is essential to display information about the
| transactions you're going to sign. Recent blockchains and new
| bitcoin signing schemes tend to have big chunks of data that
| require screen estate to be validated by the signer, so the
| bigger the better. The nano S and nano X screen were a pain to
| use with their super small screens, this improvement is
| welcomed. About Bluetooth, well, that's simply a transport
| layer, like USB. Pretty convenient when you want to trigger a
| transaction from your phone. People don't necessarily use these
| devices with a cable and a laptop.
|
| I don't see a use for wireless charging. Maybe you can charge
| your wallet by placing it over your phone?
| pclmulqdq wrote:
| Bluetooth is a huge attack surface. Most Bluetooth stacks are
| something like 100k lines of C, written by electrical
| engineers. It's a nest of bugs and vulnerabilities.
|
| There's probably more code in the Bluetooth stack than the
| entire rest of the code on the device.
| leni536 wrote:
| Would putting the bluetooth stack on a dedicated IC be an
| adequate security measure?
| friend_and_foe wrote:
| Bluetooth is a _wireless_ technology, and including it
| necessitates an onboard power source, a battery. This changes
| the security model a lot, an attacker now only needs
| proximity to the device, not physical access.
| hdevalence wrote:
| No, the attacker still needs physical access to the device,
| because signing requires on-device approval.
|
| The security model already assumes that the entity
| requesting authorization is untrusted, so the security
| model is basically unchanged. An attacker who can forge BT
| packets to submit bad data for approval is not really
| different from an attacker who compromises the
| laptop/phone/etc to submit bad data for approval.
| maxbond wrote:
| > No, the attacker still needs physical access to the
| device, because signing requires on-device approval.
|
| You're assuming that the Bluetooth implementation does
| not introduce vulnerabilities that thwart this
| assumption; GP & GGGP are suggesting that you shouldn't
| _have_ to make this assumption in a hardware wallet (or
| hardware that requires this very high level of
| assurance), by not including it at all. The same goes
| for, say, an attacker who's able to swap your wireless
| charger for a malicious one, and potentially execute a
| power usage-based side channel if you access the device
| while it's charging, or who's able to extract some useful
| information from the RF noise produced by the monitor.
|
| The counterargument to this, in my mind, would be that
| you plan to use these features of the wallet regularly,
| and that they provide sufficient benefit to justify the
| risk (which you may argue is quite modest), and perhaps
| that you've implemented additional mitigations against
| them (like never using it while it's charging). Your
| argument about a monitor adding additional assurance in a
| sibling thread was quite good I thought, and a tack I
| didn't anticipate in this list originally.
| hdevalence wrote:
| Yes, but for this reason, the Bluetooth implementation is
| on physically separate, untrusted hardware that has no
| access to the buttons or screen other than by
| communication with the secure element (see [0] for the
| Nano X; I'm assuming the Stax will be basically similar).
|
| So this isn't really different from having a USB cable:
| in either case, some untrusted messages arrive at the
| secure element over some wires, and get processed there.
| The only difference is that the wires come from another
| chip on-device rather than from an external cable.
|
| [0]: https://www.ledger.com/ledger-nano-x-bluetooth-security-mode...
| hdevalence wrote:
| If your secure hardware doesn't have a display, how do you know
| what you're signing?
|
| You can't, so you're forced to trust that the software talking
| to the HSM isn't lying to you about what data it's asking to be
| signed, and at that point you're only marginally more secure
| than not using an HSM at all. (Sure, it's harder to steal the
| long-term key material, but if I compromise your software, I
| get a signing oracle, and that might be good enough.)
|
| This is actually something that the blockchain ecosystem gets
| right: every hardware wallet has a secure display of some kind,
| to avoid blind signing, because it's a context where security
| actually matters (unlike, e.g., "signing git commits with a
| yubikey", which nobody cares enough about to attack).
| woodruffw wrote:
| > If your secure hardware doesn't have a display, how do you
| know what you're signing?
|
| I might be missing what you mean, but with a normal security
| module I control the inputs and outputs: the device only
| signs what I tell it to sign, and I can test it for honesty
| by verifying that any signature(s) I get back are actually
| signatures over the inputs I put in. That still requires me
| to trust that my interface to the hardware is the only
| interface, but that's the point of the parsimony (no
| bluetooth to worry about!).
|
| HSMs have plenty of problems (and I've encountered a good
| share of them from designing trust ceremonies), but I don't
| think adding a screen addresses any of them. If I was an
| attacker, the pins on an e-ink display would probably be much
| easier to tamper with than the secure hardware itself.
| kiratp wrote:
| The only way to be sure that your HSM is about to sign what
| you told it to is if it shows you what was sent to it to
| sign. Otherwise you're trusting that something didn't MITM
| between your computer and the HSM (eg: driver) such that
| you see one thing but end up signing something else.
| bonestamp2 wrote:
| Not to mention, you already trust github if your code is
| there, and you can typically get that code back from the git
| history, so it's not usually a big risk to authenticate with
| a yubikey.
| schmuelio wrote:
| > unlike, e.g., "signing git commits with a yubikey", which
| nobody cares enough about to attack
|
| I'm not so sure about this one, there's plenty of damage you
| could do if you were a malicious actor who could send trusted
| commits to a git repo. Especially if said repo were for some
| important software (like Linux, wget, glibc, etc. I know
| they're not necessarily on public repos but we're assuming at
| least somewhat targeted attacks here).
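
The trade-off argued in this sub-thread (verifying the returned signature on the host versus approving on a device display), as an added example that is not part of any comment. A Lamport one-time signature stands in for the wallet's real scheme so the code runs on the standard library alone; `Device`, `tampering_driver` and the transaction strings are constructed for illustration, and the display is modelled as a user who rejects anything that differs from what they intended.

```python
import hashlib
import secrets

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def digest_bits(msg: bytes) -> list:
    """The 256 bits of SHA-256(msg), most significant bit first."""
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def keygen():
    """Lamport one-time key: 256 pairs of secrets, public key is their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk

def sign(sk, msg: bytes) -> list:
    """Reveal one secret per digest bit."""
    return [sk[i][bit] for i, bit in enumerate(digest_bits(msg))]

def verify(pk, msg: bytes, sig: list) -> bool:
    if len(sig) != 256:
        return False
    return all(H(s) == pk[i][bit]
               for i, (s, bit) in enumerate(zip(sig, digest_bits(msg))))

class Device:
    """Toy signer (hypothetical). Each instance signs once (one-time key)."""
    def __init__(self, has_display: bool):
        self.sk, self.pk = keygen()
        self.has_display = has_display

    def request_signature(self, payload: bytes, user_intended: bytes):
        # Assumption: with a display, the user reads the payload the device
        # actually received and refuses if it is not what they meant to sign.
        if self.has_display and payload != user_intended:
            return None
        # Without a display, the device signs whatever arrives on the wire.
        return sign(self.sk, payload)

def tampering_driver(payload: bytes) -> bytes:
    """Constructed stand-in for a compromised host or driver in the path."""
    return payload.replace(b"to=alice", b"to=mallory")

def run(has_display: bool) -> dict:
    dev = Device(has_display)
    intended = b"amount=1;to=alice"          # constructed sample transaction
    received = tampering_driver(intended)    # what reaches the device
    sig = dev.request_signature(received, intended)
    return {
        # Did key material produce a signature at all?
        "signature_released": sig is not None,
        # Host-side check: is the signature over what I asked for?
        "host_check_passes": sig is not None and verify(dev.pk, intended, sig),
        # Is it nevertheless a valid signature over the altered payload?
        "valid_for_tampered": sig is not None and verify(dev.pk, received, sig),
    }

if __name__ == "__main__":
    print("no display:", run(False))
    print("display:   ", run(True))
```

Without a display the host-side check fails and so reveals the substitution, but only after a valid signature over the altered payload already exists; with the display no signature is released.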
| josteink wrote:
| If I were into crypto, this might have been neat.
|
| But you know... if these guys think that crypto is a real
| currency and think you should use it for trade...
|
| Why do I have to pay for it using "real" money? They don't really
| seem to be fully invested in what they're selling.
| PretzelPirate wrote:
| You have multiple crypto payment options at check out.
| josteink wrote:
| Not any options other than local currency offered when I
| checked earlier, nor when I checked again now.
|
| A crypto-wallet vendor is literally blocking crypto payments,
| even when they (according to you) support it (for some
| users)?
|
| I mean come on. That's ridiculous?
| Kiro wrote:
| According to your other comment you haven't even seen the
| payment page. If you had you would indeed see that you can
| pay with crypto even from Norway. You're conflating payment
| options with the display price.
| ChrisClark wrote:
| You can pay for it with many types of crypto. Not sure why
| you'd say this without checking first.
| josteink wrote:
| > You can pay for it with many types of crypto. Not sure why
| you'd say this without checking first.
|
| I've added one to the cart and gone to checkout and literally
| gone all the way until I'm required to enter a shipping
| address and register an account.
|
| At no point yet have I been offered the option to pay in
| anything except local currency (NOK).
|
| If crypto payment is an option they are doing _everything
| they can_ to keep it secret.
| nihilius wrote:
| Right in the footer on the left side are all the payment
| options. https://i.imgur.com/RvBDaw2.png
| Kiro wrote:
| In what stores do you pay before you enter your shipping
| address? You haven't even gotten to the payment page yet so
| how can you say there is no such option?
| achow wrote:
| Wired's coverage on this.
|
| Tony Fadell Is Trying to Build the iPod of Crypto
|
| https://www.wired.com/story/tony-fadell-is-trying-to-build-t...
|
| _In his (Tony Fadell's) mind, the wallet should be about the
| size of a credit card and have a touchscreen. ...envisioned
| people owning several wallets, one for each category of digital
| collecting or banking. He liked the concept of stacking them on
| top of each other, like a cash bundle of $100 bills. He came up
| with the idea of having magnets to snap the units into a tidy
| stack. That feature provided the name for the device: Stax._
| egypturnash wrote:
| So don't keep this anywhere near your actual wallet unless you
| are 100% sure your life is 100% free of any need to ever swipe
| a magstrip from anything else that lives in your wallet, then?
| Awesome.
| [deleted]
| krono wrote:
| Maybe they can manage to not leak all their customer data for a
| third time!
| capableweb wrote:
| Not sure I missed some leak, but if you're referring to what I
| think you're referring to, it was a marketing newsletter email
| list that got leaked/hacked, not the customer shipping database
| or who owns a wallet. I for one don't see my email listed in
| the leak, I'm not subscribed to the newsletter but I do own a
| Ledger ordered directly from their website.
| krono wrote:
| Yes you missed two leaks, here are just some random articles
| about them:
|
| https://web.archive.org/web/20221030030843/https://cointeleg...
|
| https://web.archive.org/web/20220901153130/https://www.coind...
|
| https://old.reddit.com/r/ledgerwalletleak/comments/ki1nsz/re...
|
| https://old.reddit.com/r/CryptoCurrency/comments/rts1w2/got_...
|
| https://twitter.com/yeolddoc/status/1353139243548364805
| jmathai wrote:
| I have the ledger nano.
|
| Turns out that I don't have a compelling use case for it even
| though I own some crypto.
|
| If I wanted liquidity in my crypto (to transfer or buy stuff)
| then I would just store my keys in my password manager which I
| seem to trust with the rest of my assets (I get crypto
| transactions are non-reversible).
|
| If I do not want liquidity then I really am better off
| writing/engraving my keys on something and into a safe.
|
| A combination of these two make the most sense for me.
| olalonde wrote:
| The compelling use case is not having to store your private
| keys on your computer, even momentarily. Of course, if you
| don't deem that too risky, a hardware wallet will do nothing
| for you.
|
| That being said, I believe storing private keys on a general
| computing device is very foolish and you will likely find out
| the hard way. I wouldn't store any more in a hot wallet than
| the amount of cash I'd be comfortable walking around with in my
| pocket.
| bioemerl wrote:
| > I would just store my keys in my password manager
|
| The trouble here is the transfer of assets from the manager
| into your apps. Lots of opportunity for thefts or screw up.
| Imagine you use the clipboard and some random app happens to be
| scanning it.
| abdullahkhalids wrote:
| Modern password managers don't use the clipboard any more.
| They register a virtual keyboard and use it to type into
| the user/password box.
| bioemerl wrote:
| That requires a level of software support that, coming from
| the side of refusing to use non open source software, I
| simply haven't seen yet.
|
| Android does well, but my experience with Windows has
| remained copy paste
| jmathai wrote:
| Valid. I've accepted much larger risk by storing all of my
| other sensitive information in my password manager though.
| What crypto needs is a form of 2FA - turns out I don't care
| enough to have another factor that's only useful for crypto.
| capableweb wrote:
| Just as a FYI, Ledger also has a FIDO U2F application that
| I found useful for some things.
| capableweb wrote:
| I mostly use it for two purposes. 3rd factor for using my phone
| for cryptocurrency transactions and for a second validation
| that the address, amount and data is correct, on a second
| device that is (theoretically) impossible to compromise and
| show something else.
| ilaksh wrote:
| Looks really cool. Too bad you can't read HN on it though.
|
| Just kidding.
| rahen wrote:
| Previous submission (Wired):
| https://news.ycombinator.com/item?id=33884793
|
| The Stax is designed by Tony Fadell, creator of the iPod.
| friend_and_foe wrote:
| What in the fuck is this company doing? They're supposed to be
| marketing security oriented hardware, not hype and flash and
| accessories. Their app is full of all sorts of affiliate
| nonsense, they're bloating coin specific applications to
| deliberately make their original product obsolete, now they have
| a good idea, an e-ink display, and they're packaging it like
| this? Marketing it like this? They must be desperate for money.
| szastamasta wrote:
| I'm not really a crypto fan. But it's a really neat device. A
| cool tech that has a creative use of e-ink. Something I wouldn't
| mind keeping in my pocket.
| anonporridge wrote:
| The neat thing about crypto hardware wallets, is that they're
| essentially just private key storage and signing devices. Even
| if you never want to touch any cryptocurrency, the ubiquity of
| these devices could be a huge enabler for expanded use of end
| to end encryption like PGP or for simple second factor
| authentication like yubikeys.
|
| Of course, when you lock real money with it, the average person
| puts _much_ more energy into ensuring good passcodes and
| backups.
| dennyabraham wrote:
| Aside from their use with crypto, these are just nice looking
| pieces of hardware. Is there any word on whether you'll be able
| to run custom code on these?
| olalonde wrote:
| Yes it's possible: https://developers.ledger.com/
| brink wrote:
| I was thinking the same thing. Someone please make similar
| hardware as an open platform.
| bioemerl wrote:
| I really want one of these with random games and little fun apps
| instead of crypto. It looks like an awesome PDA.
| zoklet-enjoyer wrote:
| I just upgraded my Ledger. This is so much cooler but I can't
| justify buying it right now. I love e-ink and crypto
| SpaceManNabs wrote:
| I wish this website would make the case for what it offers beyond
| the Ledger Nano X as easily as they did previously. From what I
| can tell, I am just staying to my ledger nano x because I am not
| interested in NFTs yet (or ever if they never become useful
| beyond gaming).
| pclmulqdq wrote:
| I'm not sure they're even useful in gaming. The NFT games of
| 2020 have all collapsed, and there was huge backlash among
| gamers against normal games incorporating NFTs.
| bonestamp2 wrote:
| This looks neat, but even after reading their FAQ I don't
| understand the namesake feature -- why or when would I need more
| than one; and in that case, why is it a benefit that they snap
| together? I mean, is it just because it looks tidy/neat or is
| there a user story where this has additional value?
___________________________________________________________________
(page generated 2022-12-06 23:00 UTC)