Coauthored by Lixin Liu and Patrick Kim

刘立新 和 帕特里克·金 合着

This article was written before the launch of our second-generation hardware wallets, which we are striving to make as open source as possible for the mass market. Our first-generation Cobo Vault Ultimate had a more specialized design targeted at institutional investors, who have an interest in using closed source hardware under service agreements with liability insurance. For our first generation, we believed the risks of opening the door to hackers outweighed the potential benefits of attracting developers to contribute to making our product more robust.

本文是在第二代硬件钱包发布之前撰写的，我们正在努力为大众市场提供尽可能开放的源代码。 我们的第一代Cobo Vault Ultimate具有针对机构投资者的更加专业化的设计，他们对根据责任保险与服务协议使用封闭源硬件感兴趣。 对于我们的第一代人来说，我们相信向黑客敞开大门的风险远胜于吸引开发人员为使我们的产品更强大做出贡献的潜在好处。

As passionate advocates of open source software, we have deep respect for pioneering developers who made their work available to the world, and it goes without saying that we in the cryptocurrency field owe much to the originators of blockchain technology. It is because Satoshi Nakamoto and other great trailblazers made their work open source that we are all able to share in the benefits brought by amazing innovations such as Linux, Bitcoin, and the booming cryptocurrency market.

作为开源软件的热情拥护者，我们对将其作品推向世界的开拓性开发人员深表敬意，不用说，我们在加密货币领域应归功于区块链技术的发起者。 这是因为中本聪(Satoshi Nakamoto)和其他伟大的开拓者将工作开源了，我们所有人都能分享Linux，比特币和蓬勃发展的加密货币市场等惊人创新所带来的收益。

However, when it comes to the question of whether making source code available is beneficial for the security of hardware wallets, we enter into a wholly new discussion. This article explains our reasons why we believe the nature of open source does not represent an upgrade for hardware wallets, but rather a significant security compromise.

但是，当涉及到使源代码可用对硬件钱包的安全性是否有利时，我们进入了一个全新的讨论。 本文解释了我们为什么认为开放源代码的本质并不代表硬件钱包的升级，而是重大的安全性折衷的原因。

了解上下文中的开源利益 (Understanding Open Source Benefits in Context)

In traditional fields of computing, supporters of open source have consistently emphasized one point — open source is safer because it enables the public to inspect source code and contribute to security by helping fix potential loopholes. Linus’s law (“given enough eyeballs, all bugs are shallow”) is clearly illustrated by the statistic that a zero-day attack on Safari, a closed source, takes an average 9 days to fix, while a zero-day attack on Firefox, an open source, on average only takes a single day to fix.

在传统的计算领域中，开放源代码的支持者一直强调一个观点-开源是更安全的，因为它使公众能够检查源代码并通过帮助修复潜在漏洞来为安全做出贡献。 统计数据清楚地说明了Linus的定律(“给了足够多的眼球，所有bug都是浅薄的”)，对Safari的零日攻击(封闭源)平均需要9天的修复时间，而对Firefox的零日攻击，一个开放源代码，平均只需要一天的时间就可以解决。

However, Linus’s law must be understood in context, namely that of traditional computing fields. When discussing the advantages of open source software in terms of hardware wallets, we must be mindful of the fact that the traditional computing development community is immense compared to that of hardware wallets.

但是，必须在上下文中理解Linus定律，即传统计算领域的定律。 在讨论开源软件在硬件钱包方面的优势时，我们必须注意一个事实，即与硬件钱包相比，传统的计算开发社区规模巨大。

GitHub, the world’s largest host of source code, indicates that there are only around 180 contributors to the open source code of the oldest hardware wallet brand, Trezor. This statistic stands in sharp contrast with the communities of other hardware products such as the Raspberry Pi, whose contributors to its open source firmware number around 9,500.

GitHub是全球最大的源代码托管者，它表明最古老的硬件钱包品牌Trezor的开源代码只有大约180个贡献者。 该统计数字与其他硬件产品(例如Raspberry Pi)的社区形成鲜明对比，Raspberry Pi为其开源固件数量大约为9,500做出了贡献。

No project, no matter how big, is entirely immune to the potential dangers of exposing its code. Take for example Linux Mint, which was hacked in 2016. Although that backdoor issue was fixed within a day, the rapid response time was in no small part due to the size of the Linux open source community.

无论项目多大，都无法完全避免暴露其代码的潜在危险。 以Linux Mint为例，它在2016年被黑客入侵 。 尽管该后门问题在一天内得到解决，但由于Linux开源社区的规模，快速响应时间在很大程度上不容小small。

In the context of our relatively small development community, we need to be especially wary of the fact that sharing source code is a double-edged sword. For hardware wallets, the unfortunate truth is that releasing source code makes it easier for hackers to detect loopholes and carry out attacks. Open source code can even open the door for cybercriminals to produce counterfeit hardware wallets capable of deceiving consumers — a security threat Trezor has already been the victim of.

在我们的开发社区相对较小的情况下，我们尤其要警惕共享源代码是一把双刃剑。 对于硬件钱包而言，不幸的事实是，发布源代码使黑客更容易检测到漏洞并进行攻击。 开源代码甚至可以为网络犯罪分子敞开大门，以生产能够欺骗消费者的假冒硬件钱包-Trezor已经成为安全威胁。

演示地址

零日攻击的风险增加 (Heightened Risk From Zero-Day Attacks)

An aspect of security hardware wallet owners need to be keenly aware of is zero-day attacks. In zero-day attacks, the period of time between when a previously unknown vulnerability is exposed or announced and when it is fixed presents a perfect window of opportunity for a hacker to carry out an attack. Because vulnerabilities in hardware wallets are often resolved through firmware upgrades, it usually takes a while after official security patches have been released for users to actually install them and fix the issue. With some users who, after having set up their hardware wallet, don’t open it for months or even years, exposure to zero-day attacks is dramatically increased. Perhaps counterintuitively for those experienced with open source software development, a black box, or device with a closed source code, is more secure than a white box with an open source code.

安全硬件钱包所有者需要敏锐地意识到零日攻击 。 在零日攻击中，从暴露或宣布先前未知的漏洞到修复漏洞之间的时间段为黑客提供了进行攻击的绝佳机会。 由于通常通过固件升级来解决硬件钱包中的漏洞，因此通常需要一段时间才能发布正式的安全补丁，以便用户实际安装它们并解决问题。 对于某些在设置了硬件钱包后数月甚至数年都无法打开的用户，遭受零日攻击的风险急剧增加。 对于具有开放源代码软件开发经验的人来说，也许有悖常理，黑匣子或具有封闭源代码的设备比具有开放源代码的白箱更安全。

心理上的舒适还是实际的收益？ (Psychological Comfort or Actual Benefit?)

While it is tempting to fall back on our knowledge and appreciation of Bitcoin as a prime example of the security offered by open source code, to assume that all blockchain projects should follow suit and become open source is a logical leap. The security Bitcoin enjoys from its open source development community is a direct result of the scale of its community involvement. Whether it is source code or mining functions, the Bitcoin community has gotten involved in maintaining and protecting the project, with larger numbers of involvement correlating to more secure functionality. However, because there are comparatively so few developers currently involved in hardware wallet security, we can make no assumptions about the benefits of sharing source code carrying over to this space.

虽然倾向于依靠我们对比特币的了解和欣赏作为开放源代码提供的安全性的主要示例，但假设所有区块链项目都应效仿并成为开放源代码是一个合理的飞跃。 比特币从其开源开发社区享有的安全性是其社区参与规模的直接结果。 不管是源代码还是挖掘功能，比特币社区都已参与维护和保护项目，更多的参与与更安全的功能相关。 但是，由于目前涉及硬件钱包安全性的开发人员相对较少，因此我们无法假设共享源代码到此空间的好处。

Apart from vastly increasing the number of reviewers inspecting code, another benefit of open source development in traditional computing fields is enabling anyone to download, install, burn, debug, or even remove certain aspects of the source code themselves.

除了大量增加检查代码的审阅者之外，传统计算领域中开放源代码开发的另一个好处是，任何人都可以自己下载，安装，刻录，调试甚至删除源代码的某些方面。

The security that comes with this level of autonomy is reliant on a foundation of specific technologies. However, even with a solid technological base, there is always the potential for security measures to be outdone. Those in computing fields will be familiar with how the Ken Thompson Hack (KTH) created a backdoor in the C compiler than can conceivably monitor or place controls on any software program in the world. You would have to write your own compiler using binary code or use tools compiled before KTH was installed in order to overcome this security compromise. KTH demonstrates that any system compiled from a source code is always going to be vulnerable to attack.

这种自治级别带来的安全性取决于特定技术的基础。 但是，即使拥有坚实的技术基础，安全措施也总是有可能被淘汰。 计算领域的技术人员会熟悉Ken Thompson Hack(KTH)如何在C编译器中创建后门，而不是可以想象地监视或放置对世界上任何软件程序的控制。 您必须使用二进制代码编写自己的编译器，或者使用在安装KTH之前已编译的工具，才能克服此安全漏洞。 KTH证明，从源代码编译的任何系统始终容易受到攻击。

What OGs like Ken Thompson teach us is that unless you are able to write your own compiler (which excludes all but a very small minority of developers), you’re going to have to put your trust in a third-party. In-depth issues such as having to write your own compiler aside, the majority of hardware wallet users won’t even get their feet wet burning or debugging source code. For this cohort of users, knowing their hardware wallet is open source is more of a psychological comfort than a condition that actually amounts to a measurable improvement in their wallet’s security.

像Ken Thompson这样的OG教给我们的是，除非您能够编写自己的编译器(不包括极少数开发人员，否则就不包括其他所有开发人员)，您将必须信任第三方。 诸如不得不撇开自己的编译器之类的深入问题，大多数硬件钱包用户甚至都不会费力燃烧或调试源代码。 对于这一类用户来说，知道他们的硬件钱包是开源的，与其说是实际可改善其钱包安全性的状况，不如说是心理上的安慰。

QR码签名输出的“可审核性” (The “Auditability” of QR Code Signature Outputs)

In traditional fields of computing, it helps to think of the security brought by open source software as enabling a kind of “audit” on the source code. While the same is not yet true of cold storage cryptocurrency security, what can instead be substituted as a reliable source of “audit” for hardware wallets?

在传统的计算领域，它有助于将开源软件带来的安全性视为对源代码的一种“审核”。 尽管对于冷库加密货币安全性还不是一样，但是可以替代什么作为硬件钱包“可靠”的可靠来源？

Fortunately, signed transaction outputs are not nearly as complicated as the outputs of other types of software. If making source code available is not the most secure option of providing ways to audit hardware wallets, we can instead consider scrutinizing their transaction signing outputs.

幸运的是，已签名的交易输出并不比其他类型的软件输出复杂。 如果提供源代码不是提供审计硬件钱包的方法的最安全选择，我们可以考虑仔细检查其交易签名输出。

People purchase hardware wallets because they know the most secure way to store their private keys is to take them offline into cold storage. All hardware wallet services need a means of communicating between offline storage and online terminals. While the cold end (offline storage) is responsible for storing private keys and signing transactions, a hot end (online terminals) is needed to obtain data from the blockchain, construct transactions for the cold storage end to sign, and broadcast signed transactions to the blockchain.

人们购买硬件钱包是因为他们知道存储私钥最安全的方法是将其离线放入冷存储器。 所有硬件钱包服务都需要一种在离线存储和在线终端之间进行通信的方式。 冷端(离线存储)负责存储私钥和签署交易，而热端(在线终端)则需要从区块链获取数据，构造用于冷存储端进行签名的交易，并将签名的交易广播到区块链

In transmitting signature outputs, the majority of cold storage hardware uses data cables, Bluetooth, or even NFC. Because of the opacity of their data transmission, these methods make signature outputs extremely difficult to audit. An overlooked means of cold storage hardware communication is the QR code, a “what you see is what you get” solution. We believe the QR code is the ideal means of data transmission between cold ends and hot ends because data output by QR codes is transparent. This enables users to easily ensure each unsigned transaction that is transmitted to the cold storage device is valid, as well as ensure signature outputs from the cold end do not reveal private keys or sensitive information in any way.

在传输签名输出时，大多数冷存储硬件都使用数据线，蓝牙甚至NFC。 由于其数据传输的不透明性，这些方法使签名输出极难审核。 冷库硬件通信的一种被忽视的方法是QR码，这是一种“所见即所得”的解决方案。 我们认为QR码是在冷端和热端之间进行数据传输的理想方式，因为QR码输出的数据是透明的。 这使用户可以轻松地确保传输到冷存储设备的每个未签名交易都是有效的，并确保来自冷端的签名输出不会以任何方式泄露私钥或敏感信息。

Our article on Cobo Vault inputs and outputs offers detailed instructions on how QR code signature transmissions can be “audited.”

我们有关Cobo Vault输入和输出的文章提供了有关如何“审核” QR码签名传输的详细说明。

Cobo Vault的安全元素是开源的 (Cobo Vault’s Secure Element IS Open Source)

While Cobo Vault believes that open source does not have much meaning for enhancing the security of hardware wallets, we have still released the firmware code for the Cobo Vault’s Secure Element. In doing so, we enable our users to see that random numbers are generated by a true random number generator (TRNG) and not by a pseudorandom number generator (PRNG). For a detailed explanation of the importance of random numbers, refer to our article on difference between true random numbers and pseudorandom numbers.

尽管Cobo Vault认为开放源代码对于增强硬件钱包的安全性没有多大意义，但我们仍然发布了Cobo Vault安全元素的固件代码 。 这样，我们使用户能够看到随机数是由真正的随机数生成器(TRNG)生成的，而不是由伪随机数生成器(PRNG)生成的。 有关随机数重要性的详细说明，请参阅有关真正随机数和伪随机数之间差异的文章 。