I have two big concerns about how Dark Skippy Attack could leak your BTC seed phrase. Since Cold Card is the best cold storage, I'm directing it mainly towards this device.
During the 2024 Nashville Shitcoin Conference, the largest vendor was selling ColdCard Qs out of the box. I'm pretty sure they sold a few units, and this would have made a perfect vessel for Dark Skippy. This didn’t surprise me, as almost none of the vendors knew of or used Nostr and were shilling garbage to get sats out of you.
My main concern in making this post is: if I can manage to hijack ColdCard's website and sign mal-firmware with your signing key, not only could I swap the firmware download file, but your PGP keys are on the same website. NVK (npub1az9…m8y8) , you've made it difficult but not impossible for an attacker to ruin the Cold Card brand by injecting Dark Skippy or a form of it into the mix. A really smart attacker would write a variation that allows them to gather enough seed phrases to either strike when they hit a BTC goal or mass dump wallets the moment Cold Card rings the bell of a security breach.
My proposal to fix this is the good old-fashioned Web of Trust. Make an MD5 or SHA1 hash of each new firmware update and share the hash on NOSTR, Twitter, Meta, and other large platforms. There's no possible way someone could compromise all these centralized giants and an NSEC based around posting firmware hashes at the same time, and then all users could easily validate your firmware without fear.
Also, NVK, please advise us/repost with the answer: If Dark Skippy is already installed on a Cold Card and we update the firmware, does that remove all the malware?
I'm well-studied, but I'm not an authority on cybersecurity, so I'm very open to discussion on why this is wrong, but I'm confident this is worth turning into an open discussion for all Bitcoiners to ponder their device's security.
For reference: https://coldcard.com/downloads/q1
Also, there are 25 commas worth of possible NSECs for considering Web of Trust distribution security.
dankswoops /
npub1yr…s77xh
2024-08-09 20:20:08
Author Public Key
npub1yrkexvt88h6cgd32gdcfm55auuz6rw6c70xj478gcz6lstz5czvs9s77xhPublished at
2024-08-09 20:20:08Event JSON
{
"id": "36858dfe4c6d846763aacbf33ffa7a806d94ddcc08863c7c0ab0d5495d4f4b5b",
"pubkey": "20ed9331673df584362a43709dd29de705a1bb58f3cd2af8e8c0b5f82c54c099",
"created_at": 1723234808,
"kind": 1,
"tags": [
[
"p",
"e88a691e98d9987c964521dff60025f60700378a4879180dcbbb4a5027850411",
"",
"mention"
]
],
"content": "I have two big concerns about how Dark Skippy Attack could leak your BTC seed phrase. Since Cold Card is the best cold storage, I'm directing it mainly towards this device.\n\nDuring the 2024 Nashville Shitcoin Conference, the largest vendor was selling ColdCard Qs out of the box. I'm pretty sure they sold a few units, and this would have made a perfect vessel for Dark Skippy. This didn’t surprise me, as almost none of the vendors knew of or used Nostr and were shilling garbage to get sats out of you.\n\nMy main concern in making this post is: if I can manage to hijack ColdCard's website and sign mal-firmware with your signing key, not only could I swap the firmware download file, but your PGP keys are on the same website. nostr:npub1az9xj85cmxv8e9j9y80lvqp97crsqdu2fpu3srwthd99qfu9qsgstam8y8 , you've made it difficult but not impossible for an attacker to ruin the Cold Card brand by injecting Dark Skippy or a form of it into the mix. A really smart attacker would write a variation that allows them to gather enough seed phrases to either strike when they hit a BTC goal or mass dump wallets the moment Cold Card rings the bell of a security breach.\n\nMy proposal to fix this is the good old-fashioned Web of Trust. Make an MD5 or SHA1 hash of each new firmware update and share the hash on NOSTR, Twitter, Meta, and other large platforms. There's no possible way someone could compromise all these centralized giants and an NSEC based around posting firmware hashes at the same time, and then all users could easily validate your firmware without fear. \n\nAlso, NVK, please advise us/repost with the answer: If Dark Skippy is already installed on a Cold Card and we update the firmware, does that remove all the malware?\n\nI'm well-studied, but I'm not an authority on cybersecurity, so I'm very open to discussion on why this is wrong, but I'm confident this is worth turning into an open discussion for all Bitcoiners to ponder their device's security.\n\n\nFor reference: https://coldcard.com/downloads/q1\nAlso, there are 25 commas worth of possible NSECs for considering Web of Trust distribution security.",
"sig": "d3469c20f84fc454e93603df56836784d2a56e7bdabc5e6da75068350cf470fe37c25c708084e6d792a0f0281181e8da16d72a778d3f13fa4b243d26f63d8762"
}