diff --git a/.wordlist.txt b/.wordlist.txt index 67d6fa1..45ec079 100644 --- a/.wordlist.txt +++ b/.wordlist.txt @@ -1,5 +1,7 @@ AML Analytics +Andreas +Antonopolous AWG Altcoin BIP diff --git a/README.md b/README.md index 355a414..f3bba94 100644 --- a/README.md +++ b/README.md @@ -4,7 +4,7 @@ For regular users, just visit to see GitHub Pages --- -For advanced users, you can host this locally with [jekyll](https://jekyllrb.com/) (setup instructions [here](https://jekyllrb.com/docs/installation/ubuntu/)): +For advanced users, you can host this locally with [jekyll](https://jekyllrb.com/) (setup instructions: [Ubuntu](https://jekyllrb.com/docs/installation/ubuntu/); [macOS](https://jekyllrb.com/docs/installation/macos/)): ```bash $ bundle exec jekyll serve ``` diff --git a/_includes/breadcrumbs.html b/_includes/breadcrumbs.html index 402ee25..94a4d9c 100644 --- a/_includes/breadcrumbs.html +++ b/_includes/breadcrumbs.html @@ -4,45 +4,48 @@ {% endcomment %} {% assign crumbs = page.url | remove:'/index.html' | split: '/' %} -Home -{% for crumb in crumbs offset: 1 %} - {% if forloop.last %} - {% if crumb == "advanced" %} - << - Advanced - {% elsif crumb contains "-advanced" %} - << - - {% assign words = crumb | split: "-advanced" | first | replace:'-',' ' | remove:'.html' | split: ' ' %} - {% for word in words %} - {{ word | capitalize }} - {% endfor %} - - << - Advanced - {% else %} - << - {{ page.title }} - {% endif %} - {% else %} - << - {% if crumb == "known-issues" %} - Known Issues - {% elsif crumb == "hosted" %} - Hosted - {% elsif crumb == "hardware" %} - Hardware - {% elsif crumb == "software" %} - Software - {% elsif crumb == "protocols" %} - Protocols - {% else %} - - {% assign words = crumb | replace:'-',' ' | remove:'.html' | split: ' ' %} - {% for word in words %} - {{ word | capitalize }} - {% endfor %} - - {% endif %} - {% endif %} -{% endfor %} + \ No newline at end of file diff --git a/_includes/next_steps.md b/_includes/next_steps.md index f728072..f9cd610 100644 --- a/_includes/next_steps.md +++ b/_includes/next_steps.md @@ -1,13 +1,29 @@ {% unless page.url contains "advanced" or page.no_advanced_link == true %} -## Advanced Configuration -Click -[here]({% if page.url contains "index" %}advanced{% else %}{{ page.url | split: '.' | first }}-advanced{% endif %}) -for advanced details on how to improve your security at this step. + +
+ + +
+

Advanced Considerations

+

+ Comfortable with the concepts in this step? +

+

+ Read the + advanced considerations + that can potentially improve your security here. +

+
+ + + {% endunless %} {% if include.next_url and include.next_name %} + --- -\>\> + +» Next Section: [{{ include.next_name }}]({{ include.next_url }}) {% comment %}TODO: pull-right somehow? {% endcomment %} {% endif %} diff --git a/_layouts/default.html b/_layouts/default.html index 27fd42e..5a0bb2d 100644 --- a/_layouts/default.html +++ b/_layouts/default.html @@ -61,12 +61,16 @@

{% if page.url contains "known-issues/" %}Known Issues:{% endif %} {{page.title}} - {% if page.url == "advanced" or page.url contains "-advanced" %} - Advanced{% endif %} + {% if page.url == "advanced" or page.url contains "-advanced" %} » Advanced Considerations{% endif %}

+
- {{ content }} -

{% comment %}FIXME{% endcomment %} +
+ {{ content }} +
+ +


{% comment %}FIXME{% endcomment %} diff --git a/_pages/backup-wallet/public-keys.md b/_pages/backup-wallet/public-keys.md index 9b74ebf..17d6629 100644 --- a/_pages/backup-wallet/public-keys.md +++ b/_pages/backup-wallet/public-keys.md @@ -12,7 +12,7 @@ Make many copies and store in many locations. We recommend you keep a copy of *all* public keys (and related metadata) with *each* seed. #### Save on Your Computer -TODO: add instructions on how to save this with Specter-Desktop. +On Specter-Desktop, select your multisig wallet (e.g. `Redundant Multisig`) > `Settings` > `Export` > `Save Backup PDF` #### Save Online Save this data to various cloud providers (Dropbox, Google Drive, iCloud) or backup services (Mozy, Carbonite, Backblaze, etc.) that you may already use. diff --git a/_pages/emergency-recovery/advanced.md b/_pages/emergency-recovery/advanced.md index bad49bc..99fda7c 100644 --- a/_pages/emergency-recovery/advanced.md +++ b/_pages/emergency-recovery/advanced.md @@ -18,5 +18,3 @@ Tails strongly recommended. #### Verify Validity of Electrum Software You can read instructions on how to do this [here](https://www.reddit.com/r/Bitcoin/comments/aa3l6n/how_to_check_if_your_electrum_wallet_is_legit/). - -{% include next_steps.md %} diff --git a/_pages/known-issues/hardware/coldcard.md b/_pages/known-issues/hardware/coldcard.md index 7c0f17e..9ce424d 100644 --- a/_pages/known-issues/hardware/coldcard.md +++ b/_pages/known-issues/hardware/coldcard.md @@ -2,19 +2,10 @@ title: Coldcard --- -#### Verifying a Receiving Address Breaks Airgap -[Coldcard doesn't currently support address exploration with an airgap](https://github.com/Coldcard/firmware/pull/25). -In order to verify a receive address on a coldcard you must significantly weaken your airgap and plug the Coldcard into your laptop via USB port! - -We expect they'll release this feature in the future, but the recommendation for now is to use Cobo Vault as the primary device when it comes to [verifying receive addresses](/verify-receive-address/). -Advanced users can pursue [various mitigation strategies](/verify-receive-address/coldcard-advanced). - #### SD Card "Airgap" While better than a USB port, SD cards are not a perfect airgap. [Stuxnet](https://en.wikipedia.org/wiki/Stuxnet) proved that the NSA was capable of jumping a USB-drive airgap to harm the Iranian nuclear reactor program. -{% include hw/wired_airgap.md %}Coldcard requires a USB connection only to perform address verification (see above for related issues). - #### Small Screen This makes it hard to manually verify addresses / public key info, and impossible to display QR codes (to minimize using the SD card). @@ -32,9 +23,6 @@ That said, Coldcard firmware is fully open so users can compile it themselves if This hardware wallet was launched by forking some of Trezor's open-source code. That said, it is very actively maintained and has many new features since then (some that Trezor has not been updated to support). -{% include hw/udev.md %} -Fixing the airgap on receive address verification would eliminate this issue altogether. - {% include hw/python.md %} {% include hw/encouragement.md %} diff --git a/_pages/known-issues/hosted/unchained.md b/_pages/known-issues/hosted/unchained.md index 92134cf..1f986c0 100644 --- a/_pages/known-issues/hosted/unchained.md +++ b/_pages/known-issues/hosted/unchained.md @@ -16,7 +16,7 @@ As Trezor is stateless, these steps will only confirm that `1` of your keys is p [`3-of-5` would be better](/quorum-advanced), especially when using a hosted service that already: * Abstracts away a lot of multisig's complexity -* Holds 1 (or more) of your seeds +* Holds `1` (or more) of your seeds {% include hosted/benefits.md %} Some noteworthy benefits of using Unchained: diff --git a/_pages/known-issues/verify-receive-address.md b/_pages/known-issues/verify-receive-address.md index 3592de0..49e119d 100644 --- a/_pages/known-issues/verify-receive-address.md +++ b/_pages/known-issues/verify-receive-address.md @@ -3,32 +3,43 @@ title: Verifying a Receive Address --- ## Confirm You Control the Wallet -Because multisig schemes require `m-of-n` signatures, you must verify a new receive address on `m-of-n` trusted devices before receiving funds. +Because multisig schemes require `m-of-n` signatures, you must verify a new receive address on **at least** `m` trusted devices before receiving funds. Otherwise, you could fall prey to a clever attack. -#### Example Attack +## Example Attack -Let's say you have a `2-of-3` multisig (with seeds A, B, and C), and your host computer is infected with malware (we always assume this to be true and it's the reason for using hardware wallets in the first place). -Unfortunately for you, one of your hardware wallets is compromised/fake. -Here is how you could be tricked into using an address you don't actually control to receive funds: +Let's say you have a `2-of-3` multisig (with seeds A, B, and C), and your host computer is infected with malware. +Remember that we always assume your host computer running Specter-Desktop is infected with malware as this is the problem hardware wallets exist to solve. + +#### Simple Attack +Unfortunately for you, `1` of your hardware wallets is also compromised/fake. +When you use Specter-Desktop to lookup one of your bitcoin addresses (to receive funds on) a clever attacker could replace it with one that they control. +Here is how the attack work: 1. Specter-Desktop on your host computer (assumed to be malware infected) displays a `2-of-3` receiving address, where *none* of your hardware wallets are actually part of the multisig scheme. -1. You pull out hardware wallet A (also malware infected!) and it (falsely) confirms the same receive address on its trusted display. -1. You then deposit funds to this address, and are confused when they magically vanish :( +1. You pull out hardware wallet A (also malware infected) and it falsely confirms the same receive address on its trusted display. +1. You then deposit funds to this address **without checking on any other hardware wallet displays**. +1. You discover that the bitcoin you thought was sent to you was sent to your attacker :( -A similar attack is possible where < `m` of our keys are part of the multisig, but your attacker still controls at least `m` keys and can steal your funds as soon as they arrive. -For example, you might verify a `3-of-5` address on the trusted display of 2 hardware wallets, but your attacker could still control the other 3 keys and rob you remotely. +#### Complex Attack +A similar attack is possible where < `m` of your seeds are part of the multisig wallet, but your attacker controls `>= m` seeds. +If your hardware wallets are stateless (like Trezor), then this attack is possible even if none of your hardware wallets are compromised! -Smart hardware wallets implement a defense against this where they register all extended public key information when the wallet is setup, which can make this attack **much** harder to pull off. +1. Specter-Desktop on your host computer (assumed to be malware infected) displays a `2-of-3` receiving address, where only `1` of your hardware wallets are actually part of the multisig scheme. +1. You pull out hardware wallet A and it falsely confirms the same receive address on its trusted display, as it really is `1` hardware wallet (seed A) in your `2-of-3` (which also includes B and C). +1. You then deposit funds to this address **without checking on any other hardware wallet displays** (B and C). +1. You discover that the bitcoin you thought was sent to you was sent to your attacker, as they control B and C (which is `2-of-3` of the seeds needed to spend your bitcoin without your permission). -#### How Bad Is This +#### Defense +Smart hardware wallets implement a defense against this where they register all extended public key information when the wallet is setup, which can make this attack **much** harder to pull off. +If you're willing to trust one of those hardware wallets exclusively (potentially creating a single point of failure), you can choose to accept the result on your hardware wallet's trusted display. -The bullet-proof solution is to verify your receive addresses on a quorum of trusted displays. +If you have a large-value transaction, you should always confirm the address on *at least* `m` trusted displays. +If you have a very large-value transaction, you may want to confirm the address on *all* `n` trusted displays. Not only does this eliminate the risk, but it serves as a redundant check when making a deposit. While perhaps a little counter-intuitive, this is an excellent safety feature as redundant verification applies to single-key signature users as well. -Verification in single-key schemes adds new issues due to the inherent single point of failure in single-key signature schemes; -you now have your seed floating around in multiple places for verification, and suffering a breach in any one of these is enough to lose all your funds! +Verification in single-key schemes adds new issues due to the inherent single point of failure in single-key signature schemes; you now have your seed floating around in multiple places for verification, and suffering a breach in any one of these is enough to lose all your funds! #### Potential Mitigation This guide spells out a [less secure approach](/verify-receive-address/advanced) that is available for users who choose to sacrifice some convenience for security. diff --git a/_pages/send-bitcoin/advanced.md b/_pages/send-bitcoin/advanced.md index 56c51b0..a3888dd 100644 --- a/_pages/send-bitcoin/advanced.md +++ b/_pages/send-bitcoin/advanced.md @@ -10,9 +10,15 @@ Fortunately, your wallet software will abstract this away for you. [TODO]: add link with more details explaining this. #### Sign on Coldcard via SD Card -SD Card is a better airgap. - -TODO: add instructions +SD Card is a better airgap, and preferable over signing through USB. + +1. On the previous page, at Step 9, choose "Sign with SD Card file" instead of choosing "Sign with USB" +2. Click Save transaction, and save to your SD card +3. Eject the SD card from computer, and load into Coldcard +4. Click "Ready to sign" on Coldcard and confirm transaction details +5. Coldcard will save the signed transaction back to the SD card, but with the `-part` suffix at the end of the filename +6. Back in Specter, click "Load transaction from file", and choose the file on the SD card with the `part` suffix +7. Broadcast #### Inspect Signed Transactions Before Broadcasting diff --git a/_pages/setup-wallets/coldcard-advanced.md b/_pages/setup-wallets/coldcard-advanced.md index 45afd57..39c33a5 100644 --- a/_pages/setup-wallets/coldcard-advanced.md +++ b/_pages/setup-wallets/coldcard-advanced.md @@ -22,18 +22,7 @@ Note that the whole benefit of this option (vs the previous one) is that you act ## Improve Coldcard Airgap #### Power Source -Instead of connecting the Coldcard to your laptop for power: - -* Use a portable battery pack (best) -* Use a wall outlet -* Use a [charge-only (no-data) USB cable](https://www.amazon.com/PortaPow-Specialised-3-3ft-20AWG-Charge/dp/B00RQ5AZ6Q) -* Use a [USB condom](https://www.amazon.com/PortaPow-3rd-Gen-Data-Blocker/dp/B00QRRZ2QM) on a regular USB cable - -#### Use A Dedicated Device for Address Exploration -[Coldcard doesn't currently support address exploration with an airgap](https://github.com/Coldcard/firmware/pull/25). -In order to verify a receive address on a coldcard you must significantly weaken your airgap and plug the Coldcard into your laptop via USB port. - -For more mitigations see [Coldcard Advanced Address Verification](/verify-receive-address/coldcard-advanced). +If the only available power source is a computer or a [possibly compromised charging port](https://en.wikipedia.org/wiki/Juice_jacking), using a [charge-only (no-data) USB cable](https://www.amazon.com/PortaPow-Specialised-3-3ft-20AWG-Charge/dp/B00RQ5AZ6Q) or a [USB condom](https://www.amazon.com/PortaPow-3rd-Gen-Data-Blocker/dp/B00QRRZ2QM) on a regular USB cable can help mitigate the risk of weakening the airgap. #### SD Card Interactivity Each time an SD card is taken from your computer to your Coldcard it can theoretically introduce malware onto the Coldcard (a failure where the malware is said to have "jumped your airgap"). diff --git a/_pages/setup-wallets/coldcard.md b/_pages/setup-wallets/coldcard.md index e89f428..2274186 100644 --- a/_pages/setup-wallets/coldcard.md +++ b/_pages/setup-wallets/coldcard.md @@ -2,26 +2,30 @@ title: Setup Coldcard --- +We recommend powering your Coldcard using a portable battery pack (best) or a wall outlet, instead of a computer, because we want to maintain as much of an "airgap" as possible. + +Communication between your computer and Coldcard should only happen by manually transferring data over a microSD card. + ## Update Your Firmware -Follow the steps on Coldcard's website: +Follow the steps on Coldcard's website: ## Setup Wallet -Follow the steps on Coldcard's website: +Follow the steps on Coldcard's website: [TODO]: add more instructions for generating seed, setting PIN, etc ## Export Public Key Info to Computer via MicroSD -1. Insert a microSD into Coldcard and then select: `Settings` > `Multisig Wallets` > `Export XPUB`. +1. Insert a microSD into Coldcard and then select: `Settings` > `Multisig Wallets` > `Export XPUB`. ![](/assets/img/setup-coldcard-export-pubkey.jpg){:width="70%" class="border_image"} -1. Remove the microSD card from your Coldcard and put it in your computer's card reader. +1. Remove the microSD card from your Coldcard and put it in your computer's card reader. -1. On Specter-Desktop: Click `+ Add new device` > `Choose files` and select the exported file from the SD card: +1. On Specter-Desktop: Click `+ Add new device` > `Choose files` and select the exported file from the SD card: ![](/assets/img/setup-coldcard-specter-scan.jpg){:width="70%" class="border_image"} -1. Give your device a name (e.g. `Coldcard`) and click `Continue`. +1. Give your device a name (e.g. `Coldcard`) and click `Continue`. ![](/assets/img/setup-coldcard-specter-scanned.jpg){:width="70%" class="border_image"} diff --git a/_pages/setup-wallets/coordinate-multisig-advanced.md b/_pages/setup-wallets/coordinate-multisig-advanced.md index c2b3e64..c90c6e7 100644 --- a/_pages/setup-wallets/coordinate-multisig-advanced.md +++ b/_pages/setup-wallets/coordinate-multisig-advanced.md @@ -13,7 +13,7 @@ You can verify this when [setting up your Cobo](../setup-wallets/cobo), or go to On your Coldcard, go to: `Settings` > `Multisig Wallets` > `Your Wallet Name` > `View Details`: ![](/assets/img/coordinate-multisig-view-policy-coldcard.jpeg){:width="35%" class="border_image"} -Because Coldcard uses `xpub...` while Specter-Desktop/Cobo use the newer `Zpub...` standard, the easiest way to do this in practice is to [verify a single receive address on the Coldcard](../verify-receive-address/coldcard). +Newer Coldcard firmware will display the same `Zpub...` standard that Specter-Desktop/Cobo use. However, older Coldcard firmware only shows `xpub...`, so an alternative is to [verify a single receive address on the Coldcard](../verify-receive-address/coldcard). Expert users may be able to convert between `xpub` and `Zpub` with a tool like [Jameson Lopp's XPub Converter](https://jlopp.github.io/xpub-converter/) to verify extended public keys. RTFM for more info: diff --git a/_pages/verify-receive-address/coldcard-advanced.md b/_pages/verify-receive-address/coldcard-advanced.md index 03fb057..bd090b4 100644 --- a/_pages/verify-receive-address/coldcard-advanced.md +++ b/_pages/verify-receive-address/coldcard-advanced.md @@ -2,18 +2,6 @@ title: Verify Receive Address on Coldcard --- -## Warning -[Coldcard doesn't currently support address exploration with an airgap](https://github.com/Coldcard/firmware/pull/25). -In order to verify a receive address on a Coldcard you must significantly weaken your airgap and plug the Coldcard into your computer via a USB port. - -#### Option A: Offline Address Verification -See [receive address verification advanced section](advanced#redundant_address_verification). -This step doesn't actually use your Coldcard to derive the address, it just uses the extended public key information from your Coldcard. - - -#### Option B: Eternally Quarantine A Dedicated Computer -Similar to the previous step, you can setup an eternally quarantined watch-only machine, but use it to connect to your Coldcard to verify the receive addresses on your Coldcard's display. -Eternally quarantining the machine reduces the risk that it becomes malware infected, to reduce the risk of plugging it into your Coldcard. - +TODO: Consider whether it's worth weakening the airgap and/or taking other measures to verify full (rather than redacted) receive addresses {% include next_steps.md next_url="/backup-wallet" next_name="Backup Wallet" %} diff --git a/_pages/verify-receive-address/coldcard.md b/_pages/verify-receive-address/coldcard.md index d4b0948..acdd507 100644 --- a/_pages/verify-receive-address/coldcard.md +++ b/_pages/verify-receive-address/coldcard.md @@ -1,18 +1,17 @@ --- -title: Verify Receive Address on Coldcard +title: Verify Receive Address on Coldcard --- -## Warning -[Coldcard doesn't currently support address exploration with an airgap](https://github.com/Coldcard/firmware/pull/25). -In order to verify a receive address on a Coldcard you must significantly weaken your airgap and plug the Coldcard into your laptop via a USB port. -We hope that Coldcard will add functionality similar to Cobo Vault soon. -See [advanced section](coldcard-advanced) for mitigations. +As of [Firmware Version 3.2.2](https://coldcardwallet.com/docs/upgrade) (January 14th, 2021) Coldcard's Address Explorer supports multisig, so you can verify (partially redacted) receive addresses while maintaining an airgap! -## Verify via USB -1. On Specter-Desktop: `Your Wallet` > `Receive` > `Display address on device`: -![](/assets/img/verify-receive-address-specter-desktop-coldcard.png){:width="70%" class="border_image"} +1. From the main screen, select `Address Explorer` +![](/assets/img/verify-receive-address-coldcard-1.jpg){:width="35%" class="border_image"} -1. Verify address on your Coldcard: -![](/assets/img/verify-receive-address-coldcard.jpeg){:width="35%" class="border_image"} +1. Scroll to the bottom of the warning message, then press the indicated number to continue + +1. Scroll to the bottom of the options and select the name of your multisig wallet (`btcguide.github.io` in the example): +![](/assets/img/verify-receive-address-coldcard-2.jpg){:width="35%" class="border_image"} + +1. Scroll down to verify the (partially redacted) receive address(es) {% include next_steps.md next_url="/backup-wallet" next_name="Backup Wallet" %} diff --git a/_pages/verify-receive-address/index.md b/_pages/verify-receive-address/index.md index f22089c..5f88547 100644 --- a/_pages/verify-receive-address/index.md +++ b/_pages/verify-receive-address/index.md @@ -6,7 +6,7 @@ It is **essential** to be sure you control a bitcoin address before you use it t **In order to securely receive funds, you must verify a given receive address on at least a quorum (`m` in `m-of-n`) of your trusted displays.** In the default case, this means you would check on **both** your Cobo Vault **and** your Coldcard. -This is both annoying -- the two devices should be kept in different physical locations -- and, in the case of Coldcard, mildly frustrating as [they don't currently support address exploration with an airgap](/known-issues/hardware/coldcard#verifying-a-receiving-address-breaks-airgap). +Unfortunately, this step can be inconvenient, as the two devices should be kept in different physical locations. Once you have verified your address on a quorum of devices, it is safe to give that address out to a payee. Advanced users can mitigate some of these issues by following [these steps](/verify-receive-address/advanced). diff --git a/_pages/why-multisig.md b/_pages/why-multisig.md index 301425b..23666db 100644 --- a/_pages/why-multisig.md +++ b/_pages/why-multisig.md @@ -2,17 +2,20 @@ title: Why Multisig? --- -["Your keys, your bitcoin. Not your keys, not your bitcoin."](https://www.youtube.com/watch?v=vt-zXEsJ61U) -While this is certainly true, managing your own keys is **really** hard. +> "Your keys, your bitcoin. Not your keys, not your bitcoin." +-- [Andreas Antonopolous](https://www.youtube.com/watch?v=vt-zXEsJ61U) + + +This is true, but managing your own keys is **really** hard. The math behind the bitcoin protocol is bulletproof, but being your own bank requires you to be near perfect in your execution. When it comes to cryptography, you are only as strong as your weakest link. For traditional single-key signature schemes, the only thing between your bitcoin and an attacker is a single mistake! Learn more about some of these risks by listening to [SLP Episode 97 with Michael Flaxman](https://stephanlivera.com/episode/97/). -The central principle of the guide is to avoid having any single point of failure. +The central goal of this guide is to help you implement a security scheme with no single points of failure. To accomplish this, you will setup your own multisig wallet using multiple hardware wallets from multiple different vendors. -The goal of this guide is to achieve a basic multisig setup: `2-of-3`signatures from different hardware wallets made by different manufacturers. +The goal of this guide is to achieve a basic multisig setup: `2-of-3` signatures from different hardware wallets made by different manufacturers. In order to compromise your multisig setup an attacker must break multiple redundant systems, which, due to [the additive power of multisig](https://twitter.com/mflaxman/status/1146813775380647937), is _incredibly challenging_. Therefore, your level of caution/paranoia/effort (vs a traditional single-key scheme) can be much lower and still achieve much higher security. @@ -22,7 +25,7 @@ This could include things like: * An exploitable software/firmware bug on your hardware wallet * A pwned (or fake) hardware wallet -* An unscrupulous trusted third party (lawyer/accountant/custodian/etc) with access to a key for recovery +* An unscrupulous trusted third party (lawyer/accountant/custodian/etc.) with access to a key for recovery * A lost/stolen hardware wallet / seed * An upstream supply-channel attack * A forgotten PIN / passphrase @@ -32,13 +35,12 @@ This could include things like: * Malware on your computer * A rogue bank employee snooping in your safe deposit box * An eager heir -* Etc **While this setup is far more secure than a traditional single-key signature scheme (which has little/no fault tolerance), be mindful that the wrong combination of 2+ major mistakes could be enough to lose all of your bitcoin!** Switching to fault-tolerant multisig is the most important thing you can do to improve your security. A lot of people stick with a bad setup -- trusted custody or a single-key setup -- for fear of change. -Don't make ["perfect" the enemy of "good"](https://en.wikipedia.org/wiki/Perfect_is_the_enemy_of_good); upgrade to multisig today for a solid foundation and continue to learn and iterate over time! +Don't let ["perfect" be the enemy of "good"](https://en.wikipedia.org/wiki/Perfect_is_the_enemy_of_good); upgrade to multisig today for a solid foundation and continue to learn and iterate over time! We support users being as paranoid as they want to be, but think that with proper multisig it is overkill for all but the largest HODLers. At each step, there are recommendations for how you can harden your security, and you alone must decide how much time/money you want to spend on hardening your security. diff --git a/assets/img/verify-receive-address-coldcard-1.jpg b/assets/img/verify-receive-address-coldcard-1.jpg new file mode 100644 index 0000000..52c04b0 Binary files /dev/null and b/assets/img/verify-receive-address-coldcard-1.jpg differ diff --git a/assets/img/verify-receive-address-coldcard-2.jpg b/assets/img/verify-receive-address-coldcard-2.jpg new file mode 100644 index 0000000..b75acfd Binary files /dev/null and b/assets/img/verify-receive-address-coldcard-2.jpg differ