[ESHOP launched] Trezor: Bitcoin hardware wallet - page 142.

klondike_bar

legendary

Activity: 2128

Merit: 1005

ASIC Wannabe

So you can expose unencrypted wallet.dat on USB key connected to online computer, because the key don't have network and will not send the wallet to the host ?

I know offline devices won't expose keys, for connected devices, I can't tell.

Let me be clear, I think trezor is nice, convenient and more secure than past hot wallets, but clearly not as secure as offline devices or paper (I only consider online threats there)

the trezor does not have a wallet.dat that is exposed - and applying a password further removes the issue. Its more secure than printing paper wallets or creating a USB key

novusordo

sr. member

Activity: 800

Merit: 250

Quote from: ?? on ??

Quote from: stick on August 20, 2014, 03:05:14 PM

Quote from: ?? on ??

Trezor ils not really offline, if you look carefully, you will see a cable Wink

offline != cableless

Wifi is without a cable and is online.
Trezor has a cable and is offline.

I Never said offline = cable less

But you have an USB cable, plugged to a computer, connected to internet...
With data going in and out of Trezor, from and to internet and you say it's offline ? Really ?

I don't think so.

Taking into consideration that the Trezor exposes no keys to the host computer and has no networking capabilities, I do think so.

BurtW

legendary

Activity: 2646

Merit: 1137

All paid signature campaigns should be banned.

Quote from: gweedo on August 20, 2014, 03:10:43 PM

The device is probably worth more than 3 bitcoins and for sure in a couple of years I could probably get a good price for it.

Sounds like you have a plan.

molecular

donator

Activity: 2772

Merit: 1019

Quote from: tynt on August 20, 2014, 01:45:23 PM

mytrezor website is unusable. It freezes and few moments later browser tells me that trezor plugin is not responding. I can't even click on the "Support" link. Both firefox and chrome act the same way. Both trezor plugged in and plugged out.

I've had this problem, too. Can't click support link unless the plugin is working (which can't because my chrome is too new). The popup telling me to dl the plugin is modal and blocking everything else it seems. Can't be closed either.

gweedo

legendary

Activity: 1498

Merit: 1000

Quote from: klokan on August 20, 2014, 10:37:04 AM

Quote from: gweedo on August 20, 2014, 09:50:09 AM

Well they need to say that on their website and they don't so I expect 3 BTC which is what I paid. Do you have a law degree?

I don't have a law degree, but I was recently reimbursed by my Swiss employer for my expenses abroad. They paid me Swiss Francs with the rate on the day of the expense. I'm pretty sure it is legal and I'm also pretty sure you are getting Czech Crowns if you ever get a refund. Does your lawyer has a Czech law degree?

That said, I'm still willing to pay you 330USD for the device.

My lawyer has an International Business & Economic Law degree, so I think he knows a little more than you.

$330 is insulting for my device, not only is the device rare as well as it is limited, and first edition. The device is probably worth more than 3 bitcoins and for sure in a couple of years I could probably get a good price for it.

stick

sr. member

Activity: 441

Merit: 268

Quote from: ?? on ??

Trezor ils not really offline, if you look carefully, you will see a cable Wink

offline != cableless

Wifi is without a cable and is online.
Trezor has a cable and is offline.

shadallion

full member

Activity: 304

Merit: 102

Quote from: chrisrico on August 20, 2014, 01:46:05 PM

Quote from: ?? on ??

Yes and no

You can use a new stick on a fresh offline computer

Or simply plug nothing, forge and sign transaction on offline computer, convert signed transaction to qr code.

Flash it and broadcast it with online computer.

I won't bother doing this with little money (that's why I own a trezor), but if you move a big amount it can be worth the pain.

Even if you move a USB stick from online and offline computer, exploit is possible but you will be harder to target than if you connect to trezor related website.

If you have to have an offline computer in order to safely spend a paper wallet, why not have *just* an offline computer. Then, why not make it a single purpose computer that does nothing but securely store keys and sign data? That's what the Trezor is.

Boom, nailed it

stick

sr. member

Activity: 441

Merit: 268

Quote from: tynt on August 20, 2014, 01:45:23 PM

mytrezor website is unusable. It freezes and few moments later browser tells me that trezor plugin is not responding. I can't even click on the "Support" link. Both firefox and chrome act the same way. Both trezor plugged in and plugged out.

write a support ticket to [email protected]

chrisrico

hero member

Activity: 496

Merit: 500

Quote from: ?? on ??

Yes and no

You can use a new stick on a fresh offline computer

Or simply plug nothing, forge and sign transaction on offline computer, convert signed transaction to qr code.

Flash it and broadcast it with online computer.

I won't bother doing this with little money (that's why I own a trezor), but if you move a big amount it can be worth the pain.

Even if you move a USB stick from online and offline computer, exploit is possible but you will be harder to target than if you connect to trezor related website.

If you have to have an offline computer in order to safely spend a paper wallet, why not have *just* an offline computer. Then, why not make it a single purpose computer that does nothing but securely store keys and sign data? That's what the Trezor is.

tynt

member

Activity: 61

Merit: 10

mytrezor website is unusable. It freezes and few moments later browser tells me that trezor plugin is not responding. I can't even click on the "Support" link. Both firefox and chrome act the same way. Both trezor plugged in and plugged out.

bitpop

legendary

Activity: 2912

Merit: 1060

Quote from: RedDiamond on August 20, 2014, 11:47:48 AM

Quote from: thewayshegoes on August 20, 2014, 11:10:47 AM

Quote from: ?? on ??

Quote from: btchip on August 20, 2014, 04:34:31 AM

Quote from: ?? on ??

Yup, clearly, a connected device will never reach paper wallet security

until you want to spend it Kiss

(that should be a new meme ...)

Create a transaction offline, sign offline, broadcast

Over Wink

But in real life, I have used your solution to sweep a private key Wink

Even with offline transactions though, you have to move a USB stick between offline and online computers, creating a possible vulnerability, correct?

Correct. A malware can change the firmware of the stick in such way that it do nasty things when connected to another computer. For more detailed technical explanation please see https://srlabs.de/badusb/

No they must be signed. Those usb disks accept any firmware

RedDiamond

sr. member

Activity: 294

Merit: 250

Quote from: thewayshegoes on August 20, 2014, 11:10:47 AM

Quote from: ?? on ??

Quote from: btchip on August 20, 2014, 04:34:31 AM

Quote from: ?? on ??

Yup, clearly, a connected device will never reach paper wallet security

until you want to spend it Kiss

(that should be a new meme ...)

Create a transaction offline, sign offline, broadcast

Over Wink

But in real life, I have used your solution to sweep a private key Wink

Even with offline transactions though, you have to move a USB stick between offline and online computers, creating a possible vulnerability, correct?

Correct. A malware can change the firmware of the stick in such way that it do nasty things when connected to another computer. For more detailed technical explanation please see https://srlabs.de/badusb/

thewayshegoes

newbie

Activity: 44

Merit: 0

Quote from: ?? on ??

Quote from: btchip on August 20, 2014, 04:34:31 AM

Quote from: ?? on ??

Yup, clearly, a connected device will never reach paper wallet security

until you want to spend it Kiss

(that should be a new meme ...)

Create a transaction offline, sign offline, broadcast

Over Wink

But in real life, I have used your solution to sweep a private key Wink

Even with offline transactions though, you have to move a USB stick between offline and online computers, creating a possible vulnerability, correct?

klokan

full member

Activity: 120

Merit: 100

Quote from: gweedo on August 20, 2014, 09:50:09 AM

Well they need to say that on their website and they don't so I expect 3 BTC which is what I paid. Do you have a law degree?

I don't have a law degree, but I was recently reimbursed by my Swiss employer for my expenses abroad. They paid me Swiss Francs with the rate on the day of the expense. I'm pretty sure it is legal and I'm also pretty sure you are getting Czech Crowns if you ever get a refund. Does your lawyer has a Czech law degree?

That said, I'm still willing to pay you 330USD for the device.

gweedo

legendary

Activity: 1498

Merit: 1000

Quote from: klokan on August 20, 2014, 01:50:32 AM

Quote from: gweedo on August 19, 2014, 08:09:31 PM

I would like to return my trezor and get a refund of my 3 BTCs how can I do this? Obviously they aren't going to fix the mytrezor web wallet and I want my money back.

Edit: Talked to my lawyer about this, and he said there should be no reason that a refund should be an issue. I would also like to use escrow to make sure they don't stiff me.

The guy who paid 10000BTC for the pizza back in the day would like to refund as well. If that guy would be refunded, he would probably get 10USD back (provided he will return the pizza). BTC is deflation currency and the refunds don't work with those. Your lawyer should learn some basic rules of economy.

You can still get refunded though, because there are people willing to pay the amount of money you paid for this one. BTC was worth 80-120USD during the preorder period. I would pay you 330USD for it myself.

Well they need to say that on their website and they don't so I expect 3 BTC which is what I paid. Do you have a law degree?

Quote from: AussieHash on August 20, 2014, 01:19:40 AM

Don't kid yourself gweedo, you are an asshole

How am I am that? Because I expect something to work in a reasonable time? Because I paid money for it to work in reasonable time? By the way it still doesn't work so when should I expect it to work, and not be considered that? I can't wait until you other people have an issue with trezor and then you will be in my position. When you are I will sit back and just laugh at you guys.

klokan

full member

Activity: 120

Merit: 100

Quote from: JorgeStolfi on August 20, 2014, 05:07:45 AM

Quote from: klokan on August 20, 2014, 04:40:51 AM

I'm not saying malicious firmware cannot be signed. I'm saying it cannot be signed without people knowing.

Just to give one example, three of the 5 key holders at Trezor conspire and sign a malicious version of the firmware that is given to a hacker. The hacker unleashes a virus with a malicious plug-in or standalone MyTrezor bridge, that instructs clients to download and install the "latest version" of the firmware, which is of course the malicious version above.

Quote from: klokan on August 20, 2014, 04:40:51 AM

You are exaggerating with the other "use cases". It's not going to happen.

Well, I hope that manufacturers can resist that temptation.

Quote from: klokan on August 20, 2014, 04:40:51 AM

20000 lines of code can be verified in a month or two for backdoors. To fully understand all of it, it takes more time. The point is, it's possible for a single person and people did it.

You mean, someone already checked it, and did not see the backdoor? Wink

Yes, IF they were malicious, they can sign non-git version of the firmware that can have money stealing interface. If such a firmware would be flashed onto the device on a hacked computer (by the hacked computer) then your BTC would be stolen. You would still need to confirm that you want this firmware flashed on the device. Also, you would now have a signed malicious firmware and you could sue them with it, because its digitally signed with their signatures. They would probably get away with it, claiming all their keys were stolen. But the company would go bancrupt.

But again, this kind of attack is not specific to this company. If five bank employees agree to forge a withdrawal from your bank account, how would you protect against such inside-job attack?

dnaleor

legendary

Activity: 1470

Merit: 1000

Want privacy? Use Monero!

Quote from: stick on August 20, 2014, 05:11:31 AM

Quote from: ?? on ??

And why would a paper wallet created with respect of best practices be not safe ?

Paper wallet IS safe. But spending it is not. (If you are using "sweep private key" and not an offline signing which is very cumbersome).

Indeed. Yesterday I've send my large stash offline with armoury to my Trezor. Took a lot of time on my raspberry, but I couldn't take the risk of just sweeping the keys at blockchain.info

I only use the Trezor now (and a few mBTC on MyCelium). I've imported the old keys from my QT in a blockchain.info wallet (you never now if you receive a donation from some old image/post/...)

stick

sr. member

Activity: 441

Merit: 268

Quote from: ?? on ??

And why would a paper wallet created with respect of best practices be not safe ?

Paper wallet IS safe. But spending it is not. (If you are using "sweep private key" and not an offline signing which is very cumbersome).

JorgeStolfi

hero member

Activity: 910

Merit: 1003

Quote from: klokan on August 20, 2014, 04:40:51 AM

I'm not saying malicious firmware cannot be signed. I'm saying it cannot be signed without people knowing.

Just to give one example, three of the 5 key holders at Trezor conspire and sign a malicious version of the firmware that is given to a hacker. The hacker unleashes a virus with a malicious plug-in or standalone MyTrezor bridge, that instructs clients to download and install the "latest version" of the firmware, which is of course the malicious version above.

Quote from: klokan on August 20, 2014, 04:40:51 AM

You are exaggerating with the other "use cases". It's not going to happen.

Well, I hope that manufacturers can resist that temptation.

Quote from: klokan on August 20, 2014, 04:40:51 AM

20000 lines of code can be verified in a month or two for backdoors. To fully understand all of it, it takes more time. The point is, it's possible for a single person and people did it.

You mean, someone already checked it, and did not see the backdoor? Wink

JorgeStolfi

hero member

Activity: 910

Merit: 1003

Quote from: ?? on ??

Yup, clearly, a connected device will never reach paper wallet security

If the computer is not secure (the premise of Trezor), the Trezor has some risks, but the paper wallet is not safe at all.

Topic: [ESHOP launched] Trezor: Bitcoin hardware wallet - page 142. (Read 966173 times)