You shouldn't give people ideas like that.
I was just using an example to show why the logic of the poster was flawed. :-)
Topic: [ESHOP launched] Trezor: Bitcoin hardware wallet - page 236. (Read 966173 times)
I was just using an example to show why the logic of the poster was flawed. :-)
For buying things from a merchant, just plugging a trezor into your smartphone is probably good enough if you want that level of security.
Has any of the smartphone app devs commited to supporting trezor? I think it might be an especially good fit for BitcoinSpinner, because of the aim for simplicity.
Of course the phone needs to support USB OTG for that to work.
I think Mike was talking about an app that is based off the trezor code.
I'd rather have it work over NFC, that's a much better idea.
using the same logic as yours: what if i use NFC antenna and pour 500 V into it? it will create quite strong EMP field effectively destroying the device you put close to it :-)
You shouldn't give people ideas like that.
For buying things from a merchant, just plugging a trezor into your smartphone is probably good enough if you want that level of security.
Has any of the smartphone app devs commited to supporting trezor? I think it might be an especially good fit for BitcoinSpinner, because of the aim for simplicity.
Of course the phone needs to support USB OTG for that to work.
I'd rather have it work over NFC, that's a much better idea.
using the same logic as yours: what if i use NFC antenna and pour 500 V into it? it will create quite strong EMP field effectively destroying the device you put close to it :-)
If I buy a 100% bullet proof vest, I don't go to Compton holding a sign saying Ni**er to test it. Why? It may be bullet proof but what about rockets? flame throwers to cook you in it? Etc. You haven't thought of future attacks.
Use it at home and don't put it into an attack.
Use it at home and don't put it into an attack.
I see the Trezor as mostly useful like a Yubikey with thousands of keys stored. Social networks can use them to securely identify logins and also offer micro payments to play with farm animals.
*edit* maybe the next step for you guys is a hardware devise for merchants which they can use to protect them selves from devises that look like trezors but are actually not.
It would be a second computer, with a limited interface to the main/cash/online computer. This second computer does nothing than create a transaction, let the Trezor sign it, verifies the signature, and sends it to the main computer.
Sounds totally 'spy vs spy', and indeed makes sense! Could be a tablet phone/computer with USB-OTG, and a softwaresolution.
Throw NFC and a QR-receipt-printer at it for good measure.
I like!
Ente
bitpop: You are spreading FUD.
Ok, so now the merchant needs a second computer, with a secure interface to the main computer / cash register, with Internet access (since it needs to see the blockchain) and software developed for both the main computer and this computer. Yup, that will work ...
Also, you keep saying that the Trezor doesn't have to trust the computer - you keep forgetting that they have an electrical connection - what if a merchant decides to apply let's say 500V on the +5V line of the USB connector. Poof goes your 1 BTC (or 3 BTC) wallet (unless it has some sort of discharge protection - does it?). The same works in reverse, what if I make a Trezor lookalike with a supercapacitor that discharges over the USB port of whatever I plug it into. Poof goes the super-secure second computer / cash register.
I'd rather have it work over NFC, that's a much better idea.
*edit* maybe the next step for you guys is a hardware devise for merchants which they can use to protect them selves from devises that look like trezors but are actually not.
It would be a second computer, with a limited interface to the main/cash/online computer. This second computer does nothing than create a transaction, let the Trezor sign it, verifies the signature, and sends it to the main computer.
Sounds totally 'spy vs spy', and indeed makes sense! Could be a tablet phone/computer with USB-OTG, and a softwaresolution.
Throw NFC and a QR-receipt-printer at it for good measure.
I like!
Ente
bitpop: You are spreading FUD.
i was thinking that it would look like a usb cable punctuated with a small box with a small screen and that little box would be an application specific computer sort of like a trezor.
*edit* maybe the next step for you guys is a hardware devise for merchants which they can use to protect them selves from devises that look like trezors but are actually not.
It would be a second computer, with a limited interface to the main/cash/online computer. This second computer does nothing than create a transaction, let the Trezor sign it, verifies the signature, and sends it to the main computer.
Sounds totally 'spy vs spy', and indeed makes sense! Could be a tablet phone/computer with USB-OTG, and a softwaresolution.
Throw NFC and a QR-receipt-printer at it for good measure.
I like!
Ente
bitpop: You are spreading FUD.
For buying things from a merchant, just plugging a trezor into your smartphone is probably good enough if you want that level of security. You could keep your trezor in your bag or purse, and just move move money into the software-only wallet on your phone from time to time to keep things convenient.
grandma isnt going to do that. grandma might however plug it into a usb slot at the check out counter and press ok.
yep. i don't really see why people think that phone is required in that scenario :-) the point of trezor is that you don't have to trust the computer at all.
For buying things from a merchant, just plugging a trezor into your smartphone is probably good enough if you want that level of security. You could keep your trezor in your bag or purse, and just move move money into the software-only wallet on your phone from time to time to keep things convenient.
grandma isnt going to do that. grandma might however plug it into a usb slot at the check out counter and press ok.
For buying things from a merchant, just plugging a trezor into your smartphone is probably good enough if you want that level of security. You could keep your trezor in your bag or purse, and just move move money into the software-only wallet on your phone from time to time to keep things convenient.
There is absolutely no reason why TREZOR can not be used at merchant (and his from costumer-side untrusted terminal).
thanks for clearing that up. this is REALLY big. just plug it into the usb hub at the merchants and click ok. now people with 0 computer literacy will be able to participate in the bitcoin economy.
maybe though the merchant would have to be worried that your trezor wasn't really a trezor and was actually designed to infect their system with malware?
*edit* maybe the next step for you guys is a hardware devise for merchants which they can use to protect them selves from devises that look like trezors but are actually not.
Ok well I've already bought one. I don't intend using it like that and I'm sure it's safe. I just don't think it's good to get comfortable sharing usb devices. As said earlier, you can quickly infect your computer or the merchant with a fake device.
Even if this device is bullet proof which I don't think anything can be when you have physically possession, I can quickly infect a merchant using a fake usb device and a 0 day.
It will be hacked
http://www.securitydirectornews.com/commercial-and-enterprise/researchers-hack-popular-smartcard-used-access-control
http://m.slashdot.org/story/131116
Tpm had been too and that's identical to this. But they need physical access and you're giving it to them. Without physical access, you're safe.
Buy one! I did! Just use it responsibly! The network is a condom, be safe. There's no reason to be transferring keys.
Even if this device is bullet proof which I don't think anything can be when you have physically possession, I can quickly infect a merchant using a fake usb device and a 0 day.
It will be hacked
http://www.securitydirectornews.com/commercial-and-enterprise/researchers-hack-popular-smartcard-used-access-control
http://m.slashdot.org/story/131116
Tpm had been too and that's identical to this. But they need physical access and you're giving it to them. Without physical access, you're safe.
Buy one! I did! Just use it responsibly! The network is a condom, be safe. There's no reason to be transferring keys.
If we could rely upon our personal computers not having malicious software, then the Trezor would be pointless. If the Trezor cannot protect against malicious software running on your (or a merchant's computer), then it is also pointless. If a merchant could target the Trezor, then so could malicious software running on your own computer.
I'll give you that a merchant probably won't let people plug random USB devices into their computer system. So, nobody will probably have the opportunity to use the Trezor in this way, but if it is unsafe for the user to do so, then it is unsafe to plug it in to your (potentially infected) personal computer.
Ok well I've already bought one. I don't intend using it like that and I'm sure it's safe. I just don't think it's good to get comfortable sharing usb devices. As said earlier, you can quickly infect your computer or the merchant with a fake device.
Even if this device is bullet proof which I don't think anything can be when you have physically possession, I can quickly infect a merchant using a fake usb device and a 0 day.
It will be hacked
http://www.securitydirectornews.com/commercial-and-enterprise/researchers-hack-popular-smartcard-used-access-control
http://m.slashdot.org/story/131116
Tpm had been too and that's identical to this. But they need physical access and you're giving it to them. Without physical access, you're safe.
Buy one! I did! Just use it responsibly! The network is a condom, be safe. There's no reason to be transferring keys.
Even if this device is bullet proof which I don't think anything can be when you have physically possession, I can quickly infect a merchant using a fake usb device and a 0 day.
It will be hacked
http://www.securitydirectornews.com/commercial-and-enterprise/researchers-hack-popular-smartcard-used-access-control
http://m.slashdot.org/story/131116
Tpm had been too and that's identical to this. But they need physical access and you're giving it to them. Without physical access, you're safe.
Buy one! I did! Just use it responsibly! The network is a condom, be safe. There's no reason to be transferring keys.
There is absolutely no reason why TREZOR can not be used at merchant (and his from costumer-side untrusted terminal).
Those accusing bitpop of being malicious:
He's not. He is simply informing you all with perfectly accurate information. Hardware wallets are the next step in securing our coins, but they are certainly not bulletproof and (as with anything) should still be treated with care and without negligence.
He's not. He is simply informing you all with perfectly accurate information. Hardware wallets are the next step in securing our coins, but they are certainly not bulletproof and (as with anything) should still be treated with care and without negligence.
Stop trying to get customers and merchants hacked.
you could use it at a merchant with no worries
What he's saying is that the device could be attacked - obviously not by design, it's designed to not allow the private key to be read by issuing commands to the Trezor. But depending on the chip they've chosen, physical possession of the Trezor by an attacker would allow him to run other types of attacks (power analysis, etc.) to extract the private keys from the memory.
I don't really expect any merchant to allow you to just randomly walk in and plug a device (_any_ device) into an USB port on their computer. Especially one that implements the HID protocol (presents itself as a keyboard). See http://hakshop.myshopify.com/products/usb-rubber-ducky for an example of what I mean.
As far as I understand, the Trezor is meant to keep your private keys secure in case your computer is infected with malware. It's not something you would use at a merchant.
I don't really expect any merchant to allow you to just randomly walk in and plug a device (_any_ device) into an USB port on their computer. Especially one that implements the HID protocol (presents itself as a keyboard). See http://hakshop.myshopify.com/products/usb-rubber-ducky for an example of what I mean.
As far as I understand, the Trezor is meant to keep your private keys secure in case your computer is infected with malware. It's not something you would use at a merchant.
you could use it at a merchant with no worries
This isn't even advertised to MOVE private keys, they are supposed to stay. You can give a hint about your seed that way. I'm not spreading fud. Either you don't understand what this device is or you want to hack people.
Jump to: