An Honest Discussion about Security in Bitcoin
Alright plebs, listen up. The amount of emotionally charged mud slinging surrounding Bitcoin security really boils my blood. I want to start an honest conversation about what personal security models in Bitcoin should look like and share some of my personal thoughts regarding how not every security model is a perfect fit for every participant.
First and foremost, I understand that specialty Bitcoin hardware is the most friction-less path to getting your Bitcoin keys off an exchange. I started my Bitcoin journey in late 2017 and my very first Bitcoin wallet was a Trezor (bonus points, I thought at the time, was that it also supported all of my favorite shitcoins).
I do think this is where a lot of noobs go wrong, however, and fortunately I got lucky in this regard and only ever lost my Bitcoin in sanctioned scams (like cloud mining and shitcoins).
A recent twitter post created some controversy in Bitcoin discussion. The user in question, attempted to move some of his bitcoin from Coinbase (don’t ever use Coinbase by the way, use River) to his trezor. Almost immediately after the funds were confirmed into his trezor, they were swept to another address.
Now a number of factors could be at play here in regards to this user’s lost funds. It could have been a supply chain attack that compromised his device (probably unlikely as long as he purchased his device from the primary vendor). It could have been malware on his PC that prompted him to share his seed phrase (most likely). It could have been malware on his PC that man in the middle attacked his withdrawl (very unlikely since the funds first moved to keys he mistakenly believed only he controlled). His physical trezor OR his seed phrase could have been physically compromised without his knowledge (somewhat unlikely but we cannot rule it out entirely).
As for what actually happened to his funds, its almost entirely irrelevant. Security is a game of cat and mouse. The objective is to not lose ANY of your Bitcoins, and to do that, you must constantly strive to stay at least a step or two ahead of would be fraudsters.
Frankly, I think this could’ve happened to me at some point when I first got started in Bitcoin. Had a screen popped up on my computer asking me to confirm my seed phrase, I may have very likely typed it into the prompt, proceeding none the wiser. Months or years later, finding my funds mysteriously disappearing and having no idea as to why. Fortunately, this never happened to me.
When we think about security, it should be from first principles. Our primary focus when attempting to safely secure our Bitcoin from the sticky fingers of would be thieves, is to minimize our attack surface wherever possible.
If you don’t take the steps to properly minimize your attack surface, you may actually be doing yourself a disservice by moving your Bitcoin off of an exchange preemptively. Consider Gary Leland’s friend from the twitter post above…would he have been better off leaving his Bitcoin with Coinbase as opposed to transferring them to his compromise Trezor? I think just about all of us could agree that he would at least now be more likely to still have access to his Bitcoin if he had.
The point is, he had not taken the proper steps to ensure that his attack surface was atleast if not more, narrow than the potential attack surfaces of keeping his Bitcoin on the exchange. We can argue all day long about how, as a Bitcoiner, he should’ve known to never enter his seed phrase into his computer, but the fact is he didn’t. And now his funds are lost, likely forever.
An expensive lesson.
Where we go wrong here, however, is in our postmortem discussions on how to mitigate these types of problems, not just for ourselves but for newcomers as well. We want newcomers to get into Bitcoin, and we want them to do it safely. The more they invest in their understanding of Bitcoin and proper security protocol up front, the less likely they are to have a bad experience and leave with a bad taste in their mouth. We want to be able to onboard new hodlers into what is fast becoming the future of global money.
So where do we start?
We cannot turn noobs into security experts overnight. We cannot turn sheep into adversarial thinkers with a blog post or a youtube video. We can, however, improve the advice which we give to newcomers which sets them on a path of risk mitigation.
While there is no one size fits all security model, and frankly, varying degrees of risk are going to be acceptable for different people, our core assumptions should be as follows:
-If the value of our Bitcoin holdings exceeds $1,000, we should be ready to spend potentially at least that much securing it. Perhaps if you just got into Bitcoin and you aren’t sure if its for you this won’t hold entirely true, but chances are if you’re at least this deep you should begin thinking about security more (and be a bit more willing to pony up for proper security).
Many Bitcoiners will tell you that the first and most important step to securing your Bitcoin is to immediately get it off of an exchange. But let’s not so quickly forget the painful lesson Buffbill’s learned. Had he left his Bitcoin on the exchange (which was around $50k when he lost it, he would likely still have access to it now.
You don’t think twice about buying insurance for your home or your car (thanks government)…well there is no insurance for lost Bitcoin (at least not yet). Consider proper security, and the costs associated with it, the closest thing you can get for now.
-Generic hardware is a better choice than specialty Bitcoin hardware.
Look I get it. I will never convince everyone that running your full nodes and storing your keys on generic laptops is outright better than specialty bitcoin hardware. Proprietary devices are shiny, in most cases they have excellent UX, and they just make using Bitcoin easier. Maybe if that gap can be closed by open source software (solutions like Yeti Cold) the conversation will become less difficult, but the fact of the matter is that generic hardware will almost always present a far narrower attack surface than specialty hardware. And I’m not the only one saying this. JW Weatherman is not the only one saying this…Greg Maxwell, Giaccomo Zucco, Peter Todd just to name a few.
It will always be far more difficult and far more expensive to compromise generic purpose hardware at the supply chain level than specialty hardware being sold to prospective Bitcoin hodlers.
-You should have a Bitcoin only device. Period.
Whether you decide to go the route of running Bitcoin core on a couple old laptops with a solution like Yeti Cold or if you just ordered a trezor because it sounds easier, you are not taking the proper steps to minimize your attack surface unless you also invest in a single purpose laptop on which you conduct your Bitcoin activities. It can be either a repurposed computer you have laying around the house, a refurbished purchase, or even a new lower end computer. It really doesn’t matter.
But it should be wiped clean, and you should install linux. Once you’ve done that you ONLY EVER use that computer for Bitcoin related activities. You don’t check your email, you don’t browse porn hub, you don’t watch youtube videos. Bitcoin. Only.
And never connect it to a public wifi network. It just isn’t worth the risk. Ideally you have it connected via LAN if its a warm device or a node and needs to be online.
I’m not telling you that if you plug your shiny new trezor into your daily driver computer that you’re going to lose your Bitcoin (I’ve done it many times in the past and its been totally fine). I’m telling you that if you do, you’re not taking the proper steps to minimize your attack surface.
-If you do decide you must buy specialty Bitcoin hardware ONLY buy it directly from the vendor.
This is a tricky one that I catch noobs doing quite often. They finally decided to get into Bitcoin, they checked out a youtube video on how to store it safely, and now they’re off to amazon to purchase a brand new keep key.
Just. Don’t. Your risk of receiving a compromised device goes up astronomically the more steps you add to the supply chain.
-Not your node, not your decentralized ledger.
One of my biggest problems with something like a Trezor out of the box, is that it connects to Trezor’s servers to get all of the necessary block data that tell you when you received your Bitcoin, how much you got, and verifies its authenticity.
This is not Bitcoin. At best, it’s Bitcoin-lite…or Bitcoin according to Satoshi Labs (the company that makes the Trezor). It’s becoming increasingly easy to solve this problem with specialty bitcoin hardware like nodl and software like specter…or using a cold card on wasabi and pointing it to your own node so your blockdata is homegrown…but again, generic hardware is better here.
If you have a dedicated node on a generic device (like an old laptop) you’re already halfway to an ideal set up anyway.
-Bitcoin Core is there for a reason. Use it.
Bitcoin core, at this point, is likely one of the most secure and heavily reviewed pieces of software in existence. It has staying power. In some ways (but not totally) Bitcoin Core is Bitcoin.
One of my personal issues with proprietary Bitcoin hardware is they almost all use BIP 39 Mnemonic seed words and many have unique derivation paths. On the surface, this probably isn’t a big deal. It may never be a problem for anybody. But if Trezor ever goes out of business and you (for whatever reason) don’t know the derivation path used to store your Bitcoin…you’re going to be in a world of hurt.
There was a reason that BIP 39 was never implemented in Core, and while the seed phrases are easy to use and extremely convenient…they are NOT standardized in the protocol.
So what we can draw from all of this? Well if were being honest in our discussion about security (which is all I want to do here) taking the steps to properly minimize our attack surface looks much more akin to something like Yeti Cold than popular security solutions proposed by accepted best practices.
I have my opinions on this, and I’ll say that I believe proprietary hardware is likely one of the best ways to monetize an audience of Bitcoiners (that and maybe conferences). There just isn’t a ton of money to be made in giving solutions away for free, or pointing people towards refurbished generic hardware. Someone once said something about incentives and action *shrug*.
Yeti isn’t there to make money. And frankly, many of the criticisms I’ve seen about it are limp wristed at best. It’s not supposed to be a complex piece of code. It’s a python wrapper that relies on Bitcoin core to do the heavy lifting. The wrapper is designed to improve the UX flow to a Bitcoin security protocol that minimizes attack surface.
But don’t take my word for it, go review the repo for yourself.
Security discussions shouldn’t be about egos or personality cults, at the end of the day this is about safely securing our Bitcoin above all else. So if you have intelligent push back on how the steps I’ve outlined above DO NOT properly minimize attack surface, or some ways in which I’ve missed, please share them so we can keep the conversation productive.