
Case – Insanely Secure Hardware Bitcoin Wallet - simas
http://techcrunch.com/2015/05/04/case-is-an-insanely-secure-hardware-bitcoin-wallet
======
Nursie
>> The benefit of our device over traditional web wallets is security. Our
devices are embedded. Everything that we wrote lives on the firmware. You
don’t have to trust any app.

Errrr.... 'embedded' does not mean secure. While you may not have the full
software stack of, say, Android or iOS, that doesn't make it secure by
default. There's a network interface, some sort of processor, a variety of
input devices etc.

I would hope that before making claims like "malware/virus proof" they would
get both the hardware and software audited, as credit-card terminals generally
have to be.

------
tinco
Sell me a $100 set of cards, one that's fancy like this, but makes its own
bitcoin transactions, no cooperation with a service provider like Case, and
one less fancy one that just holds bitcoin private keys. You put the less
fancy one in a safe at your bank, and you use the fancy one for your daily
business. If you ever lose the fancy one, simply buy a new one, and load it up
with the backup you keep at the bank.

------
al2o3cr
"You can trust us, sure we do two-signature transactions and hold two of the
keys, but it's TOTES LEGIT GUIZE"

Other fun thought: if Case goes under, your BTC are now unusable. Good thing
hardware startups never fail...

------
CHY872
Doesn't sound particularly secure. Problems include that third key in offline
storage, which sounds vulnerable to social engineering.

~~~
drdeca
Well, the third key is only useful if one has one of the other two.

Though there is the possibility that an adversary could get access to the
third key and the key that they store for being tied to the biometrics?

But I think that that is probably sometimes a lower risk than the risk of
"oops, I lost/forgot my bitcoin key" if one is using single signature?
(depending on the person, and their adversaries)

~~~
Mtinie
I'd prefer the option to generate that third key locally and skip storing it
on their servers.

~~~
lawry
Agreed, this is what some of the new startups that make something "secure" so
often overlook. They put UX (if you can call it that), over real
security. It's still possible to deliver a great user experience and backup
solutions without compromising security, it's just not easy.

Companies that do succeed at this however should all receive an award for it,
or at least be listed somewhere, because it's a really hard problem to solve
at times.

I think in certain aspects Apple got this sort of stuff right with the iPhone,
but I'm not sure about that, at least I hope iOS is as restrictive as it is
for a reason.

------
Everhusk
Great presentation. Explaining the value proposition of bitcoin in simple
terms is definitely not an easy thing to do.. and I think she nailed it right
there.

------
kleer001
At least Case is open sourcing their software.

I'll stick with my Trezor thank you. Cheaper, smaller.

~~~
rpcope1
Hopefully Case isn't vulnerable the same way:
[http://johoe.mooo.com/trezor-power-analysis/](http://johoe.mooo.com/trezor-power-analysis/)

~~~
jasonisalive
FYI that vulnerability was fixed already by the time he wrote that post. He
brought it to Trezor's attention, helped update the firmware, and published
the article after the update was pushed.

------
moe
Since fingerprint scanners are very easily fooled I hope an additional
pin-code is required to transfer non-trivial amounts.

------
nnx
"Transactions are only signed by the server if the fingerprint scan matches
your biometric data."

Does this mean biometric data is stored on Case's servers?

------
beachstartup
I would be concerned about a custom ic that simply connects to the closest
wifi on a given 0-day and uploads everyone's btc.

~~~
Gys
I think security in combination with money can only be about preventing a
third party having access to your money.

The banks or any device you give your money to in the first place, you have to
trust.

Otherwise keeping all money with yourself is the only alternative. A sock
below the mattress or buried in the garden.

Don't forget to draw a coded (!) treasure map ;-)

~~~
Nursie
While I appreciate that this is true - this is exactly what a lot of bitcoin
people want - total control over their money without having to place trust in
intermediaries or authorities.

~~~
Gys
I do not know much about bitcoins, but it seems online third-party solutions
like Coinbase, Case, Trezor, Ledger Wallet are needed for possession and
trading?

So I may conclude bitcoin is not the ultimate answer to distrust and/or
independency?

~~~
Nursie
For trading them into 'real' currency you would usually use an exchange, yes.
Coinbase (IIRC) simplifies things for merchants by accepting bitcoin and
giving them the currency they want.

But for pure bitcoin transactions, no, you can run all the stuff yourself,
maintain your own wallet and transact with anyone you like, all without
needing anything other than functional bitcoin client software. You need to
trust the bitcoin network as a whole, but not any individual authorities.

I'm really not a fan of BTC, personally, but I have looked into it quite a
lot...

