Topic: Trezor hacked (again) (Read 1533 times)

jr. member
Activity: 59
Merit: 30
July 04, 2023, 02:23:22 AM
#99
Quote

@rohanagarwal7 You should also avoid over-shilling your hardware wallet in other people's threads which you have been doing lately. Depending on the situation and/or mod, if those posts were reported, they could be deleted. That isn't something you want to see. 

I will take care about this. Although, I might have posted in 1-2 threads only which were relevant and solving the problems that were being discussed in the post.
jr. member
Activity: 59
Merit: 30
July 04, 2023, 02:17:14 AM
#98
Quote

Open a discussion thread for your Cypherock Wallet where we can dissect it, if you haven't done already. I have taken a short look over your website and there's a lot of eye-candy and fancy claims but getting real hard details seems a bit difficult.

I have already quite some questions how your product would be superior as you claim it to be. I'm not yet at all convinced of your product because showing the usual marketing bullshit doesn't prove any superiority.

I hear your concerns.

Here is the thread we have already opened in the past - https://bitcointalksearch.org/topic/m.61451074

Here is the thread for the 2nd use case of the product - https://bitcointalksearch.org/topic/shamirs-secret-sharing-based-wallet-cypherock-x1-5457147

Here is the link to the technical docs which you might fancy more - https://cypherock.com/docs

Here is the link to the github - https://github.com/cypherock

Happy to answer any questions you might have

legendary
Activity: 2730
Merit: 7065
July 02, 2023, 06:56:24 AM
#97
This makes no sense, since ColdCard is not open source but the code is still public and verifiable. This means you can not use their code for free in your own product, however just like in an open source code you can verify that it is not malicious.

To me that is not the best but acceptable solution.
In terms of code verifiability, there is no difference between Coldcard's code and that of other open-source solutions. If you know how to do it, you can verify both, just like you said. Because of that, saying I don't trust them means very little. You don't have to trust them, verify it. But we all know that verifying isn't possible for the majority of us, so we are back on trusting this or that.

dkbit98 not trusting Coldcard is probably related to the way they acquired the code they now use in their wallets. It's based on open-source code that they modified, and are now preventing other brands from using it. There was even a time when they referred to their code as open-source, when it wasn't. It's verifiable but not open-source. Unethical approach by Coldcard on that front. Their CEO is also a controversial figure that some people don't like.
hero member
Activity: 1064
Merit: 645
Magic
July 02, 2023, 04:07:11 AM
#96
Coldcard sells its wallets with industrial grade SD cards
Coldcard is not open source, so I don't trust them very much, and they don't include industrial SD cards for free like Passport does, so you have to pay extra for them :rolleyes:


This makes no sense, since ColdCard is not open source but the code is still public and verifiable. This means you can not use their code for free in your own product, however just like in an open source code you can verify that it is not malicious.

To me that is not the best but acceptable solution.
legendary
Activity: 2730
Merit: 7065
July 02, 2023, 02:00:22 AM
#95
Open a discussion thread for your Cypherock Wallet where we can dissect it, if you haven't done already.
< This!

@rohanagarwal7 You should also avoid over-shilling your hardware wallet in other people's threads which you have been doing lately. Depending on the situation and/or mod, if those posts were reported, they could be deleted. That isn't something you want to see. 
hero member
Activity: 714
Merit: 1010
Crypto Swap Exchange
July 01, 2023, 09:11:37 AM
#94


Open a discussion thread for your Cypherock Wallet where we can dissect it, if you haven't done already. I have taken a short look over your website and there's a lot of eye-candy and fancy claims but getting real hard details seems a bit difficult.

I have already quite some questions how your product would be superior as you claim it to be. I'm not yet at all convinced of your product because showing the usual marketing bullshit doesn't prove any superiority.
jr. member
Activity: 59
Merit: 30
June 28, 2023, 03:37:00 PM
#93
Quote
While it's good to remind people now and then about these kinds of problems, the overall conclusion has not changed:
if the hardware wallet falls into the hands of unknown people, it's safer to assume it's going to get broken into/hacked, hence use the backup seed and move the coins away asap.

I would love to get your thoughts on Cypherock X1 wallet. We are building a new kind of hardware wallet where we never store the private keys in a single place permanently. We use Shamir's Secret Sharing to split the seed into 5 parts stored on 5 tamper-resistant hardware such that the keys do not have a single point of failure like you described.
legendary
Activity: 2730
Merit: 7065
June 28, 2023, 10:30:06 AM
#92
The Trezor Suite Lite is a new piece of software and different from the Trezor Suite client you have on your mac. The app you have is the standard software that works with Trezor hardware wallets. Trezor Suite Lite is a portfolio tracker, where you can import your master public keys on a phone app and keep track of your accounts that way. You can't generate or sign transactions with it, though. Since it holds master public keys, it gives you an option to generate new receiving addresses. It will probably develop into a fully working mobile app with time, which also includes signing capabilities.

Before installing a newer version of the Trezor Suite, ensure you verify the signatures.
legendary
Activity: 3962
Merit: 11519
Self-Custody is a right. Say no to"Non-custodial"
June 28, 2023, 07:13:12 AM
#91
It's gone now. Only the official Trezor Suite Lite is available on the App Store.
I did a quick check on Google's Play Store as well. There is only one Trezor Suite Lite available, and it's the official client you would find if you clicked on the link on Trezor's website.

The one that I have been running on my macOS is called "Trezor Suite".. and it is version 23.5.2 (23.5.2.28476) -  I update it from time to time when prompted by the App.. which does sometimes make me uncomfortable to be updating it upon prompt.... but I don't recall seeing (or using) a "Trezor Suite Lite" app from them, even though it does seem that they had changed their name - or was it just a change from the bridge extension that previously had run through Chrome OS over to the separate "Trezor Suite" App (which would have been around a year ago)?  There was a point in which you could use either the app or the Chrome extension, but it has probably been around a year since I had even tried to use anything other than the "Trezor Suite" app...
legendary
Activity: 2730
Merit: 7065
June 28, 2023, 03:08:40 AM
#90
It's gone now. Only the official Trezor Suite Lite is available on the App Store.
I did a quick check on Google's Play Store as well. There is only one Trezor Suite Lite available, and it's the official client you would find if you clicked on the link on Trezor's website.
legendary
Activity: 1974
Merit: 1681
Payment Gateway Allows Recurring Payments
June 21, 2023, 10:22:49 AM
#89
There's a Fake Trezor Wallet in the Apple App Store Draining Crypto
"A malicious Trezor app has appeared on the Apple App Store under the fake name "Trezor Wallet Suite."
Downloaded a Trezor app for your Apple iPhone lately? Better double check it.

A malicious Trezor app has appeared on the Apple App Store, potentially putting users at risk of losing their crypto. Under the fake name "Trezor Wallet Suite," the app was pointed out on Twitter yesterday as a false version of the hardware wallet provider’s software."
legendary
Activity: 2212
Merit: 7064
June 07, 2023, 05:08:31 PM
#88
Coldcard sells its wallets with industrial grade SD cards
Coldcard is not open source, so I don't trust them very much, and they don't include industrial SD cards for free like Passport does, so you have to pay extra for them :rolleyes:

Comparison with Audi is not appropriate here, since a person paid a lot of money for luxury, and not for reliability. If he had bought a basic Toyota, then he would have had no problems with repairs in the early years.
Excuse me but that is nonsense, I could easily replace the word Audi with any other modern car brand or equipment, new stuff is mostly junk full of electronics with intentional bugs.
This can be said for everything, check out the video testing modern vs old bricks and concrete:
https://www.youtube.com/watch?v=6_LgrbAsoME

Now let's get back on topic of Trezor hack.
full member
Activity: 354
Merit: 171
June 07, 2023, 02:54:44 AM
#87
Yeah they are, until they stop working like all new flash storage devices.
Most new stuff made today is trash and it stops working right after warranty expires, happened to me and people I know many times.
One guy purchased a brand new luxury Audi in 2021 (with Bitcoin), a year later the alternator died, and ever since he has been going in for service each month for electronic issues.
They are making most new electronic stuff shiny from the outside with intentional time-ticking error-bomb.

Coldcard sells its wallets with industrial grade SD cards:
https://store.coinkite.com/store/category/bundles
These wallets are considered one of the most reliable for storing bitcoins.
Comparison with Audi is not appropriate here, since a person paid a lot of money for luxury, and not for reliability. If he had bought a basic Toyota, then he would have had no problems with repairs in the early years.
legendary
Activity: 2212
Merit: 7064
June 06, 2023, 01:58:43 PM
#86
I don't expect something even in 2024. Until then it's vaporware.
It's far from vaporware if they already have new chips ready for testing and they officially said new devices should be released in the time I said.
They recently published information with chip photographs and they started doing internal testing for all people working in Trezor.
It's not like they are inventing wheel all over again, they are just open sourcing the chips from experienced chip manufacturer.

Looking at the steep price jump from Trezor Model One to Model T, I'm not particularly confident that a new Trezor device with secure element will be moderately priced. But we might see maybe some basic SE Model and something as fancy as the Model T, now with SE and maybe camera, too? There is competition in the HW market and that's good.
New-gen Trezor device won't be cheap, that's for sure, but I would be ok with price around $200 to $300.

Industrial SD cards are quite reliable. These cards use pSLC technology rather than the cheap QLC found in conventional cards. Such cards are significantly more expensive, but this can be quite commensurate with your bitcoin investment. In addition, you should not forget about backups by placing them on cards from different manufacturers.
Yeah they are, until they stop working like all new flash storage devices.
Most new stuff made today is trash and it stops working right after warranty expires, happened to me and people I know many times.
One guy purchased a brand new luxury Audi in 2021 (with Bitcoin), a year later the alternator died, and ever since he has been going in for service each month for electronic issues.
They are making most new electronic stuff shiny from the outside with intentional time-ticking error-bomb.
full member
Activity: 354
Merit: 171
June 04, 2023, 04:00:30 AM
#85

They are really small and indeed easy to lose and also not much space left to label them properly. You have to accommodate for that. And of course I wouldn't rely solely on flash storage. I've seen a few flash storage cards, sticks and drives die all of a sudden, I'd be crazy to rely only on such a backup alone. That would be a recipe for disaster and not good Bitcoin safety storage practice.

Industrial SD cards are quite reliable. These cards use pSLC technology rather than the cheap QLC found in conventional cards. Such cards are significantly more expensive, but this can be quite commensurate with your bitcoin investment. In addition, you should not forget about backups by placing them on cards from different manufacturers.
hero member
Activity: 714
Merit: 1010
Crypto Swap Exchange
June 03, 2023, 09:50:19 AM
#84
It would sound more interesting to me if they added secure element, but I guess we are going to have to wait until they release new Trezor gen device with that, probably in the end of 2023 or in 2024.

I have no idea, when the Tropic Square secure element (SE) will be declared as OK for delivery in real products. Yes, there are real silicon samples but I lost or never really had track of how far is serious testing of this SE. I'd wish we won't have to go through multiple flaws detected, hardware fixes needed cycles. ETA of a future Trezor R or however they want to call it is ... in the future, who knows when, I don't expect something even in 2024. Until then it's vaporware.

Looking at the steep price jump from Trezor Model One to Model T, I'm not particularly confident that a new Trezor device with secure element will be moderately priced. But we might see maybe some basic SE Model and something as fancy as the Model T, now with SE and maybe camera, too? There is competition in the HW market and that's good.


And it's very easy to lose it :D
I wouldn't count that as only backup option, flash storage can go stupid sometimes (happened to me with flash drives).

They are really small and indeed easy to lose and also not much space left to label them properly. You have to accommodate for that. And of course I wouldn't rely solely on flash storage. I've seen a few flash storage cards, sticks and drives die all of a sudden, I'd be crazy to rely only on such a backup alone. That would be a recipe for disaster and not good Bitcoin safety storage practice.
legendary
Activity: 2212
Merit: 7064
June 02, 2023, 02:52:49 PM
#83
True, I find Trezor One quite basic. It offers the bare minimum without bells and whistles. A Trezor T clone sounds like more fun to have.
It would sound more interesting to me if they added secure element, but I guess we are going to have to wait until they release new Trezor gen device with that, probably in the end of 2023 or in 2024.

SeedSigner DIY is definitely an interesting project especially for Multisig. What I didn't like very much, is to constantly have your seed on a QR code paper in use. Without a QR code it will be a constant pain to use.
That is downside only if you are using it daily, but for everything else this is much safer, especially if done as multisig setup.
I think this should be introduced to all hardware wallets as option, if they can verify that erasing everything really means that.

I find a small microSD card as used in a PiTrezor easier to hide and conceal. You can even easily switch wallets nearly instantly with multiple microSD cards.
And it's very easy to lose it :D
I wouldn't count that as only backup option, flash storage can go stupid sometimes (happened to me with flash drives).
hero member
Activity: 714
Merit: 1010
Crypto Swap Exchange
June 01, 2023, 03:03:43 PM
#82
I haven't used my PiTrezor for serious coin storage. I tested it more or less to some extent with Testnet coins and mainly with Electrum, not so much with the Trezor Suite. It's been some months ago, but I don't remember that the warning in Trezor Suite hindered further usage of the PiTrezor. AFAIR you can force to ignore the warning cause, there's an option for that in Trezor Suite and I hope Trezor didn't remove it in more recent versions.


Another problem I have with PiTrezor is that it can only be used to replace Trezor One, not Trezor model T, as far as I know.

True, I find Trezor One quite basic. It offers the bare minimum without bells and whistles. A Trezor T clone sounds like more fun to have.


For people using only Bitcoin I would prefer using RaspberryPi for making SeedSigner DIY device, or something similar that don't keep anything on device and it has camera.

SeedSigner DIY is definitely an interesting project especially for Multisig. What I didn't like very much, is to constantly have your seed on a QR code paper in use. Without a QR code it will be a constant pain to use.

I find a small microSD card as used in a PiTrezor easier to hide and conceal. You can even easily switch wallets nearly instantly with multiple microSD cards.
legendary
Activity: 2212
Merit: 7064
May 31, 2023, 06:01:49 AM
#81
I can use my DIY PiTrezor without problems with official Trezor Suite. Yes, Trezor Suite detects that the PiTrezor isn't genuine and shows a warning banner, but otherwise works perfectly fine with it.
Is there any way to bypass and skip that warning?
Another problem I have with PiTrezor is that it can only be used to replace Trezor One, not Trezor model T, as far as I know.
For people using only Bitcoin I would prefer using RaspberryPi for making SeedSigner DIY device, or something similar that don't keep anything on device and it has camera.
hero member
Activity: 714
Merit: 1010
Crypto Swap Exchange
May 30, 2023, 02:36:24 PM
#80
I can use my DIY PiTrezor without problems with official Trezor Suite. Yes, Trezor Suite detects that the PiTrezor isn't genuine and shows a warning banner, but otherwise works perfectly fine with it.
full member
Activity: 354
Merit: 171
May 30, 2023, 02:46:20 AM
#79
- Only a Trezor with a genuine Trezor-signed firmware can connect and communicate with the official Trezor Suite app. A fake firmware will be detected, and you won't be able to use the Trezor Suite.

Unfortunately no. You can compile your own firmware for Trezor.

Here is how to do it for Trezor One:
https://docs.trezor.io/trezor-firmware/legacy/index.html

For Trezor T:
https://docs.trezor.io/trezor-firmware/core/build/index.html

legendary
Activity: 2212
Merit: 7064
May 29, 2023, 01:28:20 PM
#78
In Russia, I can buy Trezor T for 80-100 dollars.
The wallet will be in its original packaging, but I can refuse the goods if I suspect fraud.
This device is unavailable at the moment on website you posted, but I wouldn't risk buying it because I am sure this is not original Trezor.
From the last reports of hacked modified Trezor T they said that it was packed and it looked exactly identical as original device, and only difference could be noticed when looking inside on the board.
One more difference was skipping the online check to confirm device is authentic.

With all the other mistakes they have made through the years, and all the other issues with their products, do you think their first shot at designing a secure element is going to be good? Companies that have been designing and building SE for years and years still have massive issues now and then. Their first product out of the gate is either going to be perfect or an unmitigated disaster.
Do you know any newly released thing will be good?
With that kind of thinking you shouldn't use or trust anything, but this should be open source and that means everyone will be able to contribute and improve it.
It's silly to compare this with any other closed source chips that exists much longer, and Trezor didn't fall from sky yesterday, they are the first ever hardware wallet, so they have some experience.

Trezor sales soar 900% amid Ledger’s seed recovery controversy
Trezor said a remote seed phrase extraction is impossible on its hardware wallets, adding that it would never be implemented.
Nice!
I am sure sales jumped a lot for all other hardware wallets like Passport, Keystone, etc, they posted something about all items sold.
They should all thank ledger marketing team for free promotion :D

legendary
Activity: 2730
Merit: 7065
May 29, 2023, 04:17:20 AM
#77
There are no official sellers in Russia. Intermediary only, and buying for $220 will not guarantee buying an official wallet.
Trezor doesn't have an official reseller in Russia, you are right about that. But they have one in Belarus. Intersafe Trade Ltd (https://satoshi-shop.by).

There are also two in Ukraine:
Lwallet - https://lwallet.com.ua
BITWALLET LLC - https://trezor.io/bitwallet.com.ua

There is one in Georgia.
Ravestag LLC
https://ravestag.app/

I am sure you could order one from Belarus if you want to. The shops in Ukraine might not be willing to ship to Russia due to the ongoing war.
legendary
Activity: 1974
Merit: 1681
Payment Gateway Allows Recurring Payments
May 28, 2023, 10:13:17 AM
#76
I seriously doubt that a device sold for $80-100 can be a genuine Trezor Model T. Unless someone stole them off a truck somewhere.
I wouldn't pay attention to things like packaging, holographic seals, or the content of the box. I think none of that is difficult to fake.

This is what you should be looking for.

- Trezors don't ship with pre-installed firmware. You have to install the firmware the first time you connect it to your computer. You get to choose between a multi-coin or bitcoin-only firmware. If your Trezor already has a firmware on it, it has already been used and/or is fake.
- You have to generate a seed on your own local machine. Never accept a seed that's already entered on your HW or filled out on the seed cards.
- Only a Trezor with a genuine Trezor-signed firmware can connect and communicate with the official Trezor Suite app. A fake firmware will be detected, and you won't be able to use the Trezor Suite.
- Never download Trezor Suite or the firmware from any website mentioned on any notes that are shipped together with your package. Any software must be downloaded and verified from the official website only (https://trezor.io/).  

I was looking for a more serious guide not to buy a modified wallet
Standard recommendations do not save you from a fake wallet
https://forum.trezor.io/t/how-to-verify-the-authenticity-of-trezor-model-t-hardware/4195/2

I was looking for something like this, but it is in Russian
https://slabber.io/posts/2538

We already have a business idea, buy 5 processors for Trezor for $ 115 and solder this cpu



Why don't you buy from an authorized reseller or directly from the manufacturer? I would choose the second option. For peace of mind. Moreover, they periodically have discounts.
There are no official sellers in Russia. Intermediary only, and buying for $220 will not guarantee buying an official wallet.
legendary
Activity: 1792
Merit: 1296
Playbet.io - Crypto Casino and Sportsbook
May 28, 2023, 09:05:30 AM
#75
In Russia, I can buy Trezor T for 80-100 dollars.
The wallet will be in its original packaging, but I can refuse the goods if I suspect fraud.
https://www.ozon.ru/product/apparatnyy-kriptokoshelek-trezor-model-t-holodnyy-koshelek-dlya-kriptovalyuty-913105391/
How can I check that this wallet has not been modified before selling? It's impossible to tell from the packaging and holograms.
What Trezor utilities can help me with this, so that I can be sure that this is an original wallet from Satoshi Labs?
The desire to save money always goes sideways.

Why don't you buy from an authorized reseller or directly from the manufacturer? I would choose the second option. For peace of mind. Moreover, they periodically have discounts.

The price of the device is lower than the cost of the official manufacturer should already be alarming. Especially if it's 2 times cheaper price.

Do you want to be sure that hardware wallet is from Satoshi Labs? Then order from them. What could be easier to be sure. Sorry for the banality.
legendary
Activity: 2002
Merit: 4743
May 28, 2023, 08:17:20 AM
#74
because according to the agreement with the bank, I am prohibited from trading.
You can always open an account with another bank which has a less draconian view of crypto, or trade with cash. Although as Pmalek rightly points out, any transfers to your bank account come from other individuals, not from Bisq.
The main liquidity in the pair: Monero/Bitcoin, there is no liquidity for other cryptocurrencies.
That's because almost all other cryptocurrencies are trash. I use Bisq mainly for fiat pairs.
The bank will see incomprehensible transfers from unknown people and may block the account and require an explanation of the transactions and their legality.
Bisq reminds me of Localbitcoins, or BitZlato. The first campaign closed on its own, and there is now a criminal case against BitZlato in the United States. BitZlato did not have a KYC, but used the services of a well-known AML provider.

When trading, it is sometimes necessary to receive cash or stablecoins. It is possible to send several thousand dollars to a bank account, but if you send several hundred thousand dollars to a bank account, your bank will have a lot of questions for you, and cash transactions for such amounts are not safe.
I trade through DAI and through other stablecoins, large trades are DAI.

A lot of your questions and concerns regarding various ways to trade (or transact) with others and not to be interrogated or traced in respect to your interactions seem to be legitimate, and surely not Trezor specific kinds of questions - and for sure, I would be interested in following/participating in forum threads related to such topics... even though even on the forum, sometimes we might not even want to be describing too many specifics regarding exactly what we are doing... and for sure, we live in a world that is complicated in terms of trying to attempt to preserve some of the privacies that we might have had in regards to face to face cash transactions in the past and in some ways, some of us may well be trying to apply those kinds of privacies in the digital space

---- and for sure a kind of dynamic that may well always be changing in terms of services that are available, government (and even financial institutional) encroachments and normies trying to exercise certain rights to privacy, autonomy, security and self-sovereignty - and not always knowing the extent to which they might be unwittingly giving up some of their rights, and I am surely not going to claim to know how to employ various technologies without getting trapped at various points.,. who wants to have their funds seized, locked up, frozen, hacked, rug pulled or otherwise removed from their abilities to be able to use them.. or even depleted for penalties, taxes or some other kinds of disputes regarding whether some middle man might say that they have claims against our funds (that we may well dispute).

For sure, not Trezor specific questions.. even though there is some overlap in ways that these kinds of topics can be discussed.
I don't want to digress, but P2P trading in my country will quickly result in a blocked bank account. Therefore, the crypto community needs a decentralized stablecoin.

___
When trading, it is sometimes necessary to receive cash or stablecoins. It is possible to send several thousand dollars to a bank account, but if you send several hundred thousand dollars to a bank account, your bank will have a lot of questions for you, and cash transactions for such amounts are not safe.
Well, if you are trying to conceal your fiat trades, I would suggest not sending such big amounts. They will, of course, sound all kinds of alarms because receiving hundreds of thousands of dollars is not an everyday (normal) transaction. The bank will ask questions and is surely obliged to report to the local taxing authorities.

Regarding Bisq and trading limitations, a new user can only trade up to 0.1 BTC. After your account is signed and you become a more senior user of Bisq, these limits increase. But when fiat is concerned, the trade limits are in many cases 0.25 BTC/trade. For some payment methods, you will see 0.5 or 1 BTC. 

If you look at the trading volumes of Bisq and Uniswap, you will understand what I am talking about. P2P should be avoided for large sums.

this service helps me to trade without registrations and restrictions
https://rango.exchange/

And my topic is about such services
https://bitcointalksearch.org/topic/cross-chain-bridge-aggregators-5389259

Trezor and ledger are perfectly compatible with these services.
legendary
Activity: 2730
Merit: 7065
May 28, 2023, 02:35:26 AM
#73
I seriously doubt that a device sold for $80-100 can be a genuine Trezor Model T. Unless someone stole them off a truck somewhere.
I wouldn't pay attention to things like packaging, holographic seals, or the content of the box. I think none of that is difficult to fake.

This is what you should be looking for.

- Trezors don't ship with pre-installed firmware. You have to install the firmware the first time you connect it to your computer. You get to choose between a multi-coin or bitcoin-only firmware. If your Trezor already has a firmware on it, it has already been used and/or is fake.
- You have to generate a seed on your own local machine. Never accept a seed that's already entered on your HW or filled out on the seed cards.
- Only a Trezor with a genuine Trezor-signed firmware can connect and communicate with the official Trezor Suite app. A fake firmware will be detected, and you won't be able to use the Trezor Suite.
- Never download Trezor Suite or the firmware from any website mentioned on any notes that are shipped together with your package. Any software must be downloaded and verified from the official website only (https://trezor.io/).  
legendary
Activity: 1974
Merit: 1681
Payment Gateway Allows Recurring Payments
May 27, 2023, 12:45:56 PM
#72
In Russia, I can buy Trezor T for 80-100 dollars.
The wallet will be in its original packaging, but I can refuse the goods if I suspect fraud.
https://www.ozon.ru/product/apparatnyy-kriptokoshelek-trezor-model-t-holodnyy-koshelek-dlya-kriptovalyuty-913105391/
How can I check that this wallet has not been modified before selling? It's impossible to tell from the packaging and holograms.
What Trezor utilities can help me with this, so that I can be sure that this is an original wallet from Satoshi Labs?
legendary
Activity: 2730
Merit: 7065
May 27, 2023, 11:12:33 AM
#71
When trading, it is sometimes necessary to receive cash or stablecoins. It is possible to send several thousand dollars to a bank account, but if you send several hundred thousand dollars to a bank account, your bank will have a lot of questions for you, and cash transactions for such amounts are not safe.
Well, if you are trying to conceal your fiat trades, I would suggest not sending such big amounts. They will, of course, sound all kinds of alarms because receiving hundreds of thousands of dollars is not an everyday (normal) transaction. The bank will ask questions and is surely obliged to report to the local taxing authorities.

Regarding Bisq and trading limitations, a new user can only trade up to 0.1 BTC. After your account is signed and you become a more senior user of Bisq, these limits increase. But when fiat is concerned, the trade limits are in many cases 0.25 BTC/trade. For some payment methods, you will see 0.5 or 1 BTC. 
legendary
Activity: 3962
Merit: 11519
Self-Custody is a right. Say no to"Non-custodial"
May 27, 2023, 10:53:47 AM
#70
because according to the agreement with the bank, I am prohibited from trading.
You can always open an account with another bank which has a less draconian view of crypto, or trade with cash. Although as Pmalek rightly points out, any transfers to your bank account come from other individuals, not from Bisq.
The main liquidity in the pair: Monero/Bitcoin, there is no liquidity for other cryptocurrencies.
That's because almost all other cryptocurrencies are trash. I use Bisq mainly for fiat pairs.
The bank will see incomprehensible transfers from unknown people and may block the account and require an explanation of the transactions and their legality.
Bisq reminds me of Localbitcoins, or BitZlato. The first campaign closed on its own, and there is now a criminal case against BitZlato in the United States. BitZlato did not have a KYC, but used the services of a well-known AML provider.

When trading, it is sometimes necessary to receive cash or stablecoins. It is possible to send several thousand dollars to a bank account, but if you send several hundred thousand dollars to a bank account, your bank will have a lot of questions for you, and cash transactions for such amounts are not safe.
I trade through DAI and through other stablecoins, large trades are DAI.

A lot of your questions and concerns regarding various ways to trade (or transact) with others and not to be interrogated or traced in respect to your interactions seem to be legitimate, and surely not Trezor specific kinds of questions - and for sure, I would be interested in following/participating in forum threads related to such topics... even though even on the forum, sometimes we might not even want to be describing too many specifics regarding exactly what we are doing... and for sure, we live in a world that is complicated in terms of trying to attempt to preserve some of the privacies that we might have had in regards to face to face cash transactions in the past and in some ways, some of us may well be trying to apply those kinds of privacies in the digital space

---- and for sure a kind of dynamic that may well always be changing in terms of services that are available, government (and even financial institutional) encroachments and normies trying to exercise certain rights to privacy, autonomy, security and self-sovereignty - and not always knowing the extent to which they might be unwittingly giving up some of their rights, and I am surely not going to claim to know how to employ various technologies without getting trapped at various points... who wants to have their funds seized, locked up, frozen, hacked, rug pulled or otherwise removed from their abilities to be able to use them.. or even depleted for penalties, taxes or some other kinds of disputes regarding whether some middle man might say that they have claims against our funds (that we may well dispute).

For sure, not Trezor specific questions.. even though there is some overlap in ways that these kinds of topics can be discussed.
legendary
Activity: 2002
Merit: 4743
May 27, 2023, 05:08:09 AM
#69
because according to the agreement with the bank, I am prohibited from trading.
You can always open an account with another bank which has a less draconian view of crypto, or trade with cash. Although as Pmalek rightly points out, any transfers to your bank account come from other individuals, not from Bisq.

The main liquidity in the pair: Monero/Bitcoin, there is no liquidity for other cryptocurrencies.
That's because almost all other cryptocurrencies are trash. I use Bisq mainly for fiat pairs.

The bank will see incomprehensible transfers from unknown people and may block the account and require an explanation of the transactions and their legality.
Bisq reminds me of Localbitcoins, or BitZlato. The first campaign closed on its own, and there is now a criminal case against BitZlato in the United States. BitZlato did not have a KYC, but used the services of a well-known AML provider.

When trading, it is sometimes necessary to receive cash or stablecoins. It is possible to send several thousand dollars to a bank account, but if you send several hundred thousand dollars to a bank account, your bank will have a lot of questions for you, and cash transactions for such amounts are not safe.
I trade through DAI and through other stablecoins, large trades are DAI.
legendary
Activity: 2268
Merit: 18775
May 27, 2023, 03:53:49 AM
#68
because according to the agreement with the bank, I am prohibited from trading.
You can always open an account with another bank which has a less draconian view of crypto, or trade with cash. Although as Pmalek rightly points out, any transfers to your bank account come from other individuals, not from Bisq.

The main liquidity in the pair: Monero/Bitcoin, there is no liquidity for other cryptocurrencies.
That's because almost all other cryptocurrencies are trash. I use Bisq mainly for fiat pairs.

Trezor sales soar 900% amid Ledger’s seed recovery controversy
Imagine getting rid of your Ledger because you are worried about a seed extraction vulnerability, and buying another hardware wallet with a proven seed extraction vulnerability which is also happily cooperating with government sponsored blockchain analysis.
legendary
Activity: 2730
Merit: 7065
May 27, 2023, 03:18:41 AM
#67
In addition, in the Trezor suite, when entering a passphrase, a clearly visible window pops up for entering it through a computer, and a link for entering a passphrase through the wallet itself is displayed below in barely noticeable text. From which we can conclude that their priority is not a secure way to enter a passphrase through the wallet itself, but through the application.
 
Naturally, they have access to passphrases entered through the application, while intercepting passphrases through the open source wallet itself would be problematic for them.
Why they do all this can only be guessed, but the conclusions are drawn not in their favor.
Everything about the Trezor is open-source. The native Trezor Suite, the firmware, the software on the device, etc. If such code exists, where are the security experts and code reviewers to point that out? If such code has been out there for years and no one has noticed it or no one wanted to notice it, what does that tell us about the importance of open-source? Open-source is a window, useful if people want to look through it with care and attention for detail. If everyone just walks by it blindly, you can as well pull the blinds down because you aren't using it.

Personally, I don't believe there is such a feature in Trezor. If there was, we could take our open-source recommendations, roll them up in a ball, bend down, and stick them where the sun doesn't shine. There is a saying in Germany that goes something along those lines.    

I love decentralized trading, so I immediately have a lot of questions about fiat transactions and P2P trading. Then my tax office will have a lot of questions for me if my bank does not block the account earlier, because according to the agreement with the bank, I am prohibited from trading.
Your bank and your tax office won't know where the money came from and how you earned it. It's not Bisq that pays you, so banks can't track or reject such transactions. You get paid by the people you trade with. If you buy from me using Bisq, I pay you from my account to yours. Your bank doesn't know you sold bitcoin to get those funds. You can tell them anything you want. They only see one individual transferring X to another individual.

We could be friends, family, colleagues, lovers, brothers... You could have sold me a bike, a sofa, a jacket, your NHL card collection... None of that is taxable.
legendary
Activity: 1974
Merit: 1681
Payment Gateway Allows Recurring Payments
May 26, 2023, 04:02:48 PM
#66
Trezor sales soar 900% amid Ledger’s seed recovery controversy
Trezor said a remote seed phrase extraction is impossible on its hardware wallets, adding that it would never be implemented.
https://cryptoslate.com/trezor-sales-soar-900-amid-ledgers-seed-recovery-controversy/

The Trezor T has already become a scarce commodity.
Tell me, does the ledger own all the recovery phrases for the wallet of its clients for a long time, or can it do this after the last firmware of the wallet?
Can the ledger software send company recovery phrases now?
legendary
Activity: 2002
Merit: 4743
May 26, 2023, 12:57:56 PM
#65
One company is passing off CID phrases to other companies, another wallet maker is partnering with Chainalysis albeit saying that "the coordinator simply refuses them". Companies are affected by regulators.
I wouldn't be surprised if they follow the metamask route and add "We reserve the right to withhold taxes where required."
Businesses simply cannot be trusted. Profits trump everything else, always.

It's been obvious for years that you cannot trust any centralized exchange, and that they will scam you, lock accounts, seize funds, gamble your coins, and go bankrupt. It should now be obvious to everyone that you cannot trust hardware wallet manufacturers either. From unfixable bugs, to support for government mandated KYC via AOPP, to directly funding blockchain analysis and spying on their users, to handing your seed phrases to third parties and making it vulnerable to government subpoenas.

The solution is run your own node, trade via Bisq, and as you point out use your own airgapped encrypted cold storage which does not rely on third parties being honest.

strong passphrase solves the hacking problem if hackers manage to get to your Seed.
It doesn't solve it, as the attacker will still have your seed phrase. It mitigates against your coins being stolen if and only if you use a long and random passphrase, but we also know that most people use incredibly weak passphrases.
I love decentralized trading, so I immediately have a lot of questions about fiat transactions and P2P trading. Then my tax office will have a lot of questions for me if my bank does not block the account earlier, because according to the agreement with the bank, I am prohibited from trading.
https://www.coingecko.com/en/exchanges/bisq
The main liquidity in the pair: Monero/Bitcoin, there is no liquidity for other cryptocurrencies.
full member
Activity: 354
Merit: 171
May 26, 2023, 10:27:07 AM
#64

Three years on, and nothing has changed. Their website still makes no mention of the vulnerability. Their new documentation and set up guides are still lacking in any and all information. Nowhere in their "First Steps" or "Trezor 101" are passphrases mentioned at all. If you head in the "Security" section to find a page on passphrases, you'll find it still makes no mention whatsoever of the vulnerability and makes frankly dangerous statements such as calling a passphrase "an extra word" and a graphic showing the passphrase "Martha". If your seed phrase is compromised by this attack, a passphrase of a single word will provide no protection whatsoever and will be bruteforced in a matter of minutes.

They've got their priorities straight though - long before you reach that (completely inadequate) page on passphrases, in the "Trezor Basics" section you get a nice page on how to dox yourself via their built-in KYC trading platform Invity, and a nice page on how to invite blockchain analysis companies to spy on you via their partnership with Wasabi.

In addition, in the Trezor suite, when entering a passphrase, a clearly visible window pops up for entering it through a computer, and a link for entering a passphrase through the wallet itself is displayed below in barely noticeable text. From which we can conclude that their priority is not a secure way to enter a passphrase through the wallet itself, but through the application.
Naturally, they have access to passphrases entered through the application, while intercepting passphrases through the open source wallet itself would be problematic for them.
Why they do all this can only be guessed, but the conclusions are drawn not in their favor.

legendary
Activity: 1792
Merit: 1296
Playbet.io - Crypto Casino and Sportsbook
May 26, 2023, 10:03:29 AM
#63
~snip

This is nothing new for all devices without secure element, but there are few ways people can protect against attacks like this:

1. Use multiple strong passphrases - this is easy and free solution available to anyone, and it makes hackers job much harder.
2. Use Multisig setup with your Trezor wallet - this makes it impossible for anyone to extract keys with this procedure.
3. Use Secret Shamir Sharing with passphrase - this should in theory work in similar way like Multisig setup.
4. Don't keep any of your keys inside wallet if you don't use it daily, only import when you need to send transaction and then reset it.
5. Use other open source hardware wallet with secure element.

Trezor is making their own secure element so new generation device will be much better, but knowing all this I was not recommending Trezor wallets for some time.
However, risk of this happening to regular people is very low, especially if you improve security like I mentioned.

~snip
6. Store your Trezor device in such a way that no one except you has access to it. In light of the latest news, this will reduce risks and save your nerves. I don't think that even if your hardware wallet ends up in the hands of attackers, this means that they will be able to access the contents of the wallet (they can't do it without special skills and knowledge). At the very least, they will have to spend some time on this, and another recommendation follows from this.

7. If the Trezor wallet is in the hands of attackers (you are 100% sure of this), then immediately transfer your crypto assets to another wallet (you do have backups, right?).

Maybe because Trezor has put all its resources into developing a new wallet (this firm is creating a new wallet) they don't try to patch old holes and improve the security of existing HW devices. In the sense that why try to improve old models if they can create a device that is initially superior in safety.

Like it or not, this doesn't justify their actions at all, because it jeopardizes the safety of the assets of their clients, who paid for it.

In fact, whatever it was, they have no excuse.
legendary
Activity: 2268
Merit: 18775
May 26, 2023, 07:45:53 AM
#62
For this hack yes, you need physical access and specialized hardware and specific knowledge, but part of the point of a hardware wallet is that it is supposed to be idiot proof and secure out of the box. Without putting in an extra password and everything else. The fact that they did not issue a more dire warning about their security vulnerabilities in the past just really puts them in my do not use file.
We discussed exactly this over three years ago when this vulnerability was first demonstrated: https://bitcointalksearch.org/topic/m.53803392

Three years on, and nothing has changed. Their website still makes no mention of the vulnerability. Their new documentation and set up guides are still lacking in any and all information. Nowhere in their "First Steps" or "Trezor 101" are passphrases mentioned at all. If you head in the "Security" section to find a page on passphrases, you'll find it still makes no mention whatsoever of the vulnerability and makes frankly dangerous statements such as calling a passphrase "an extra word" and a graphic showing the passphrase "Martha". If your seed phrase is compromised by this attack, a passphrase of a single word will provide no protection whatsoever and will be bruteforced in a matter of minutes.

They've got their priorities straight though - long before you reach that (completely inadequate) page on passphrases, in the "Trezor Basics" section you get a nice page on how to dox yourself via their built-in KYC trading platform Invity, and a nice page on how to invite blockchain analysis companies to spy on you via their partnership with Wasabi.
legendary
Activity: 3500
Merit: 6320
Crypto Swap Exchange
May 26, 2023, 06:29:19 AM
#61
...Trezor is making their own secure element so new generation device will be much better, but knowing all this I was not recommending Trezor wallets for some time....

With all the other mistakes they have made through the years, and all the other issues with their products, do you think their first shot at designing a secure element is going to be good? Companies that have been designing and building SE for years and years still have massive issues now and then. Their first product out of the gate is either going to be perfect or an unmitigated disaster.

For this hack yes, you need physical access and specialized hardware and specific knowledge, but part of the point of a hardware wallet is that it is supposed to be idiot proof and secure out of the box. Without putting in an extra password and everything else. The fact that they did not issue a more dire warning about their security vulnerabilities in the past just really puts them in my do not use file.

-Dave
legendary
Activity: 2268
Merit: 18775
May 26, 2023, 05:45:44 AM
#60
One company is passing off CID phrases to other companies, another wallet maker is partnering with Chainalysis albeit saying that "the coordinator simply refuses them". Companies are affected by regulators.
I wouldn't be surprised if they follow the metamask route and add "We reserve the right to withhold taxes where required."
Businesses simply cannot be trusted. Profits trump everything else, always.

It's been obvious for years that you cannot trust any centralized exchange, and that they will scam you, lock accounts, seize funds, gamble your coins, and go bankrupt. It should now be obvious to everyone that you cannot trust hardware wallet manufacturers either. From unfixable bugs, to support for government mandated KYC via AOPP, to directly funding blockchain analysis and spying on their users, to handing your seed phrases to third parties and making it vulnerable to government subpoenas.

The solution is run your own node, trade via Bisq, and as you point out use your own airgapped encrypted cold storage which does not rely on third parties being honest.

strong passphrase solves the hacking problem if hackers manage to get to your Seed.
It doesn't solve it, as the attacker will still have your seed phrase. It mitigates against your coins being stolen if and only if you use a long and random passphrase, but we also know that most people use incredibly weak passphrases.
full member
Activity: 354
Merit: 171
May 26, 2023, 03:58:44 AM
#59
strong passphrase solves the hacking problem if hackers manage to get to your Seed.
I am by no means justifying Trezor, but there are no ideal hardware wallets, and you have to adapt to those wallets that are on the market.

There is something else that worries me about Trezor. I was one of the first to order my Trezor T in 2018.
Then they sent it to me with a faulty USB cable, which upset me a little. A friend of mine also ordered a Trezor T two weeks ago and was also sent a wallet with a faulty cable.
It's been five years and Trezor hasn't been able to fix the problem with the USB cables. It's really a shame.
legendary
Activity: 2002
Merit: 4743
May 26, 2023, 01:40:55 AM
#58
-snip-
I agree that such a hack requires physical access and good technical knowledge, but it looks more secure than a ledger that online passes the SEED phrase to other companies when it should be protecting it. Other wallets have not yet been verified by specialists.
LOL, it seems that Ledger is now regressing and not updating features to make it more secure, but adding features to add new risks that will give Seed Phrase access to third-party companies easily. Is it worth defending such a wallet?
Trezor may have physical bugs but they can be fixed without giving access to third parties.


https://forum.trezor.io/t/trezor-wasabi-cooperation-with-chainalysis/12224
One company is passing off CID phrases to other companies, another wallet maker is partnering with Chainalysis albeit saying that "the coordinator simply refuses them". Companies are affected by regulators.
I wouldn't be surprised if they follow the metamask route and add "We reserve the right to withhold taxes where required."
https://consensys.net/terms-of-use/
We will have to use either paper wallets or make a secure PC for cryptocurrencies.
legendary
Activity: 2730
Merit: 7065
May 25, 2023, 01:50:16 PM
#57
Is it worth defending such a wallet?
Ledger? I didn't get the feeling that zasad@ was trying to defend Ledger in any way. Maybe I misunderstood what you wanted to say.
 
Trezor may have physical bugs but they can be fixed without giving access to third parties.
Actually, Trezor's seed and PIN extraction vulnerabilities can't be fixed and require a complete overhaul of their devices. No firmware upgrades will ever fix Trezor One and Trezor T. The security researchers in the video mentioned that as well.


Joe Grand has also provided feedback on Trezor to fix the bug, but he will definitely be looking for other hardware wallet model vulnerabilities.
My gut feeling tells me he is trying to break a hardware wallet with a secure element chip. The future will show if he is successful with it or not. He will obviously never release any information until he has gotten in touch with the responsible parties and given them time to fix the problems. This is all assuming that he was successful in recovering sensitive information. 
legendary
Activity: 2758
Merit: 1888
Rollbit.com | #1 Solana Casino
May 25, 2023, 11:22:14 AM
#56
-snip-
I agree that such a hack requires physical access and good technical knowledge, but it looks more secure than a ledger that online passes the SEED phrase to other companies when it should be protecting it. Other wallets have not yet been verified by specialists.
LOL, it seems that Ledger is now regressing and not updating features to make it more secure, but adding features to add new risks that will give Seed Phrase access to third-party companies easily. Is it worth defending such a wallet?
Trezor may have physical bugs but they can be fixed without giving access to third parties.

-snip-
What they didn't mention in the video is if the success rate depends on the firmware version of the Model T, or if it's equally easy/difficult to obtain the PIN and seed regardless of the firmware.
Maybe it won't explain in detail what the percentage of success is in the Firmware Model T version or some other crucial issues.
Some parts must be kept secret because this involves high-security issues.
Joe Grand has also provided feedback on Trezor to fix the bug, but he will definitely be looking for other hardware wallet model vulnerabilities.
legendary
Activity: 2730
Merit: 7065
May 25, 2023, 08:55:39 AM
#55
It's no secret that both Trezor hardware wallets are vulnerable to physical manipulation and it was confirmed with several hacking videos in the past. This is somewhat similar to Joe Grand's video, which involves taking the device apart and doing some soldering and pins connecting work to a custom board. The hack itself uses different software and hardware.

What they didn't mention in the video is if the success rate depends on the firmware version of the Model T, or if it's equally easy/difficult to obtain the PIN and seed regardless of the firmware.
legendary
Activity: 2002
Merit: 4743
May 25, 2023, 07:44:48 AM
#54
This article has a response from Trezor
https://www.theblock.co/post/232085/cybersecurity-firm-claims-it-hacked-private-key-from-a-trezor-t-hardware-wallet

I agree that such a hack requires physical access and good technical knowledge, but it looks more secure than a ledger that online passes the SEED phrase to other companies when it should be protecting it. Other wallets have not yet been verified by specialists.
legendary
Activity: 2212
Merit: 7064
May 24, 2023, 02:45:52 PM
#53
Another day and another hack, this time for Trezor model T hardware wallet, and it was done by Crypto Security Firm Unciphered.
First thing I will say is that it's very strange coincidence for this news to be released in same time when ledger messed up with their Recover disaster news, but whatever.
 
I am not surprised at all about this, we all know that Trezor devices don't have secure element and if it was possible to do this with Trezor One then it was going to happen to Trezor Model T as well.
Maybe this was sponsored by one French company, or Unciphered simply decided to use this opportunity for their own promotion.

Unciphered built a custom board, connected Trezor T to it and they had to wait a long time for extraction of PIN and mnemonic words, but they eventually did it.



This is nothing new for all devices without secure element, but there are few ways people can protect against attacks like this:

1. Use multiple strong passphrases - this is easy and free solution available to anyone, and it makes hackers job much harder.
2. Use Multisig setup with your Trezor wallet - this makes it impossible for anyone to extract keys with this procedure.
3. Use Secret Shamir Sharing with passphrase - this should in theory work in similar way like Multisig setup.
4. Don't keep any of your keys inside wallet if you don't use it daily, only import when you need to send transaction and then reset it.
5. Use other open source hardware wallet with secure element.

Trezor is making their own secure element so new generation device will be much better, but knowing all this I was not recommending Trezor wallets for some time.
However, risk of this happening to regular people is very low, especially if you improve security like I mentioned.

Hacking Trezor T video process:
https://www.youtube.com/watch?v=50eiA-75NMY

hero member
Activity: 714
Merit: 1010
Crypto Swap Exchange
May 18, 2023, 09:36:22 PM
#52


Oh boy, what a bs story to shill something.

1. Why would you have to "punch in" your 24 recovery words again into your Trezor. A Trezor usually doesn't forget the current setup wallet.
2. So, the unauthorized transactions wiped your wallet empty. Deng! And how exactly was magic A. W. able to recover all your coins once they were transferred to the thieves' address(es)? Since when are Bitcoin transactions reversible? Did I miss something?

Do you actually believe the bs bingo you wrote? Btw, you missed mentioning quantum computers, qbits, Elon and free energy, maybe black holes, too.
legendary
Activity: 2268
Merit: 18775
June 04, 2022, 07:49:47 AM
#51
But example you gave us before had multiple special characters and I wouldn't say this was balance between security and convenience
Well, it depends. Even a long and complex passphrase like the one witcher_sense posted I could enter in no more than 5 minutes. Sure, that's no use for a "daily spending" wallet, but if that's my cold storage wallet and I'm only accessing it once or twice a year, then that is a perfectly acceptable balance of security and convenience.

I don't think you can XOR the seed checksums together without corrupting it, because the checksum function is not commutative.
In addition to Cricktor's reply above, if you are already using Ian Coleman safely on an airgapped computer, then it is trivial to use it to also calculate the correct checksum for your resulting XORed entropy.
hero member
Activity: 714
Merit: 1010
Crypto Swap Exchange
June 03, 2022, 07:55:17 PM
#50
... Therefore I throw dice and XOR the dice seed with a seed from RPi's /dev/hwrnd. Good and safe enough for me.

I don't think you can XOR the seed checksums together without corrupting it, because the checksum function is not commutative.

Maybe Trezor is not using a checksum at the end of the 24 words and that's why it works well for you.
My terminology is:
seed = 128, 192 or 256 bits long big number (no checksum here, the bare random big integer) — this can be XORed without 'breaking' something
mnemonic seed = the 12, 18 or 24 words which encode the seed including a checksum and maybe other details, usually according to BIP-39, Electrum or Aezeed standard

Trezor is fully BIP-39 compliant, so its mnemonic seed words contain the defined checksum in the last word.
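The distinction drawn in the post above, as an added Python example (not code from any poster or from Trezor): XOR the two raw entropy values and then recompute the BIP-39 checksum, rather than XORing the encoded words. The entropy inputs are constructed samples, and word indices are shown instead of words because the 2048-word list is not embedded.

```python
import hashlib


def checksum_bits(entropy: bytes) -> int:
    """BIP-39 checksum: the first ENT/32 bits of SHA-256(entropy)."""
    if len(entropy) not in (16, 20, 24, 28, 32):
        raise ValueError("entropy must be 128 to 256 bits, in 32-bit steps")
    cs_len = len(entropy) * 8 // 32
    digest = hashlib.sha256(entropy).digest()
    return int.from_bytes(digest, "big") >> (256 - cs_len)


def to_word_indices(entropy: bytes) -> list:
    """Append the checksum to the entropy and split into 11-bit word indices."""
    cs_len = len(entropy) * 8 // 32
    bits = (int.from_bytes(entropy, "big") << cs_len) | checksum_bits(entropy)
    n_words = (len(entropy) * 8 + cs_len) // 11
    return [(bits >> (11 * (n_words - 1 - i))) & 0x7FF for i in range(n_words)]


def indices_are_valid(indices: list) -> bool:
    """Check that the trailing checksum bits match the entropy they follow."""
    if len(indices) not in (12, 15, 18, 21, 24):
        return False
    if any(not 0 <= idx < 2048 for idx in indices):
        return False
    total_bits = len(indices) * 11
    cs_len = total_bits // 33
    bits = 0
    for idx in indices:
        bits = (bits << 11) | idx
    entropy = (bits >> cs_len).to_bytes((total_bits - cs_len) // 8, "big")
    return (bits & ((1 << cs_len) - 1)) == checksum_bits(entropy)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("both entropy sources must have the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def combine_entropy(dice_entropy: bytes, hwrng_entropy: bytes) -> list:
    """Correct order: XOR the raw entropy first, then derive the checksum."""
    return to_word_indices(xor_bytes(dice_entropy, hwrng_entropy))


def xor_word_indices(a: list, b: list) -> list:
    """Naive approach: XOR two already-encoded mnemonics word by word."""
    return [x ^ y for x, y in zip(a, b)]


def sample_pair(i: int):
    # Constructed stand-ins for dice rolls and hardware RNG output.
    dice = hashlib.sha256(b"constructed-dice-%d" % i).digest()
    hwrng = hashlib.sha256(b"constructed-hwrng-%d" % i).digest()
    return dice, hwrng


def count_invalid_naive_xors(pairs: int = 64) -> int:
    """How many naive word-level XORs end up with a wrong checksum."""
    invalid = 0
    for i in range(pairs):
        dice, hwrng = sample_pair(i)
        naive = xor_word_indices(to_word_indices(dice), to_word_indices(hwrng))
        if not indices_are_valid(naive):
            invalid += 1
    return invalid


if __name__ == "__main__":
    dice, hwrng = sample_pair(0)
    good = combine_entropy(dice, hwrng)
    naive = xor_word_indices(to_word_indices(dice), to_word_indices(hwrng))
    print("recomputed checksum valid:", indices_are_valid(good))
    print("entropy words identical:  ", good[:-1] == naive[:-1])
    print("naive XOR checksum valid: ", indices_are_valid(naive))
    print("invalid naive results out of 64:", count_invalid_naive_xors())
```

For 24 words only the last word carries checksum bits, so the naive result differs from the correct one in that word alone.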
legendary
Activity: 2212
Merit: 7064
June 03, 2022, 08:55:36 AM
#49
I agree that I wouldn't feel confident in the quality of my wallet seed if I'd need to boost subpar entropy with a freaking complex passphrase. You have to type it from time to time, copy&paste in hot wallet space isn't the best idea for such precious secrets.
I can't even imagine typing all this ''strong long passphrase'' with special characters on hardware wallets like ledger or trezor model T, and you have to do this on devices only.
Since there are no wrong passphrases, a single mistake you make while typing would create new blank wallet with zero balance each time
This would be nominated as most frustrating hardware wallet for sure.

Agreed. There should always be a balance between security and convenience.
But example you gave us before had multiple special characters and I wouldn't say this was balance between security and convenience


legendary
Activity: 2464
Merit: 4419
🔐BitcoinMessage.Tools🔑
June 03, 2022, 12:45:36 AM
#48
I don't think this would work because these scammers also changed passphrase function that is not working correctly in these altered Trezor devices, so you would only have false sense of better security.
Obviously, you should never use a compromised wallet, even for testing purposes, for you don't know in advance how sophisticated hackers are at stealing information. My point was scammers are seemingly into social engineering, psychology, and behavioral psychotherapy, they were trying to outsmart advanced users who are aware of the benefits of adding additional randomness into the initial seed.

Not to mention that using very long passphrase (on normal trezor device) is a bad idea, because you would have to enter this long passphrase every time for each transaction you make
Agreed. There should always be a balance between security and convenience.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
June 02, 2022, 10:43:02 PM
#47
Well, I assembled a PiTrezor as hardware wallet and as long as I can't fully audit the firmware modification from original Trezor One to PiTrezor, I don't trust the PiTrezor to generate me a wallet seed. Therefore I throw dice and XOR the dice seed with a seed from RPi's /dev/hwrnd. Good and safe enough for me.

I don't think you can XOR the seed checksums together without corrupting it, because the checksum function is not commutative.

Maybe Trezor is not using a checksum at the end of the 24 words and that's why it works well for you.
hero member
Activity: 714
Merit: 1010
Crypto Swap Exchange
June 02, 2022, 07:25:52 PM
#46
Well, I assembled a PiTrezor as hardware wallet and as long as I can't fully audit the firmware modification from original Trezor One to PiTrezor, I don't trust the PiTrezor to generate me a wallet seed. Therefore I throw dice and XOR the dice seed with a seed from RPi's /dev/hwrnd. Good and safe enough for me.

I agree that I wouldn't feel confident in the quality of my wallet seed if I'd need to boost subpar entropy with a freaking complex passphrase. You have to type it from time to time, copy&paste in hot wallet space isn't the best idea for such precious secrets.
hero member
Activity: 924
Merit: 5950
not your keys, not your coins!
June 02, 2022, 07:08:50 PM
#45
I'm paranoid enough that I would check proper key derivation of my mnemonic seed passphrase protected wallet(s). On an air-gapped secure computer I check my mnemonic seed with passphrase in iancoleman script; compare derived addresses of hardware wallet with derived addresses in iancoleman script. A rigged device or software wallet that doesn't use my full passphrase wouldn't derive the same keys and addresses as seen in iancoleman script. So I would spot the issue before the wallet gets used.
That's a very good practice, and you're absolutely right that it would protect you against this 'fake passphrase' attack.
However it's still possible that the base seed is created from bad / known entropy; that's something your method wouldn't spot. Though it wouldn't impact the entropy of your passphrase.

In general, I believe people put too much trust in passphrases. Every so often, when something's brought up like a hardware wallet having a bad source of entropy or not having a secure element, I hear something like 'Oh, just slap a passphrase on it' as a universal solution for all problems. If you were to put all your trust on the passphrase and expect the same entropy as the seed phrase itself, it would need to be much longer than what most people normally choose and can reliably remember.
hero member
Activity: 714
Merit: 1010
Crypto Swap Exchange
June 02, 2022, 05:46:27 PM
#44
I'm paranoid enough that I would check proper key derivation of my mnemonic seed passphrase protected wallet(s). On an air-gapped secure computer I check my mnemonic seed with passphrase in iancoleman script; compare derived addresses of hardware wallet with derived addresses in iancoleman script. A rigged device or software wallet that doesn't use my full passphrase wouldn't derive the same keys and addresses as seen in iancoleman script. So I would spot the issue before the wallet gets used.
legendary
Activity: 2212
Merit: 7064
June 02, 2022, 04:00:25 PM
#43
Interestingly, predictable or predefined seed phrases could theoretically have been "strengthened" by users by adding very complex passphrases so that a hacker couldn't get access to funds. However, considering that the passphrase function had also been altered, compromised seed phrases with added passphrases remained vulnerable to attack.
I don't think this would work because these scammers also changed the passphrase function, which is not working correctly in these altered Trezor devices, so you would only have a false sense of better security.
Not to mention that using a very long passphrase (on a normal Trezor device) is a bad idea, because you would have to enter this long passphrase every time for each transaction you make.
legendary
Activity: 2464
Merit: 4419
🔐BitcoinMessage.Tools🔑
June 02, 2022, 10:23:48 AM
#42
Do you have a source for this information, by the way?

I made a post about this issue a month ago: you can find a link to a video (in Russian) in a post I quoted: https://bitcointalksearch.org/topic/m.59989300
hero member
Activity: 924
Merit: 5950
not your keys, not your coins!
June 02, 2022, 10:01:17 AM
#41
seed words generated by fake devices were predictable or predefined, passphrase function was also modified!

Interestingly, predictable or predefined seed phrases could theoretically have been "strengthened" by users by adding very complex passphrases so that a hacker couldn't get access to funds. However, considering that the passphrase function had also been altered, compromised seed phrases with added passphrases remained vulnerable to attack. The "alteration" consisted of the following: you insert a very long passphrase into your wallet (e.g. "nKa&8k2#49%7^N4w4YJanN"), but the malicious wallet takes into account only the very first symbol of the inserted passphrase, which is "n" in our case. Therefore, all addresses (private keys) were derived not from a combination of malicious seed+long passphrase (which is relatively safe) but from malicious seed+malicious passphrase ("n"). Needless to say that passphrases containing only one symbol are easily bruteforceable.
That's interesting! So they did this (instead e.g. of disregarding the passphrase) to prevent people from noticing that something odd is happening.
I wonder if anyone used multiple passphrases that started with the same character though; since that would have been noticed.

Do you have a source for this information, by the way?
legendary
Activity: 2464
Merit: 4419
🔐BitcoinMessage.Tools🔑
June 02, 2022, 08:37:09 AM
#40
seed words generated by fake devices were predictable or predefined, passphrase function was also modified!

Interestingly, predictable or predefined seed phrases could theoretically have been "strengthened" by users by adding very complex passphrases so that a hacker couldn't get access to funds. However, considering that the passphrase function had also been altered, compromised seed phrases with added passphrases remained vulnerable to attack. The "alteration" consisted of the following: you insert a very long passphrase into your wallet (e.g. "nKa&8k2#49%7^N4w4YJanN"), but the malicious wallet takes into account only the very first symbol of the inserted passphrase, which is "n" in our case. Therefore, all addresses (private keys) were derived not from a combination of malicious seed+long passphrase (which is relatively safe) but from malicious seed+malicious passphrase ("n"). Needless to say that passphrases containing only one symbol are easily bruteforceable.
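The address cross-check from post #44 and the first-symbol truncation described in the post above, as an added example that is not part of any post in this thread. It models both behaviours with the standard BIP39 seed derivation; `wallet_tag`, `honest_device`, `rigged_device`, `cross_check` and `truncation_probe` are hypothetical names, and the mnemonic is the public BIP39 test phrase used as constructed input.

```python
import hashlib
import hmac
import unicodedata

# Constructed sample input: the public BIP39 test mnemonic. Never use it for funds.
MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
            "abandon abandon abandon abandon abandon about")
# The example passphrase quoted in the post.
PASSPHRASE = "nKa&8k2#49%7^N4w4YJanN"


def bip39_seed(mnemonic: str, passphrase: str) -> bytes:
    """Reference BIP39 seed: PBKDF2-HMAC-SHA512, 2048 rounds,
    salt = "mnemonic" + passphrase, both inputs NFKD-normalised."""
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, 2048, dklen=64)


def wallet_tag(seed: bytes) -> str:
    """Short tag over the BIP32 master key material (HMAC-SHA512 keyed with
    "Bitcoin seed"). Assumption of this example: the tag stands in for the
    addresses a user would really compare, because deriving addresses needs
    secp256k1, which is left out to keep the block self-contained."""
    master = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return hashlib.sha256(master).hexdigest()[:16]


def honest_device(mnemonic: str, passphrase: str) -> str:
    """Model of a wallet that feeds the full passphrase into the derivation."""
    return wallet_tag(bip39_seed(mnemonic, passphrase))


def rigged_device(mnemonic: str, passphrase: str) -> str:
    """Model of the behaviour described in the post: only the first symbol
    of the passphrase reaches the derivation."""
    return wallet_tag(bip39_seed(mnemonic, passphrase[:1]))


def cross_check(device, mnemonic: str, passphrase: str) -> bool:
    """Post #44's check: recompute on an independent, offline reference and
    compare with what the device reports. True means the two agree."""
    expected = wallet_tag(bip39_seed(mnemonic, passphrase))
    return hmac.compare_digest(expected, device(mnemonic, passphrase))


def truncation_probe(device, mnemonic: str, passphrase: str) -> bool:
    """Device-only check: change everything after the first symbol and see
    whether the wallet changes. True means the tail is being ignored."""
    if len(passphrase) < 2:
        raise ValueError("probe needs a passphrase of at least two symbols")
    altered = passphrase[:1] + passphrase[1:][::-1] + "x"
    return hmac.compare_digest(device(mnemonic, passphrase),
                               device(mnemonic, altered))


if __name__ == "__main__":
    for name, device in (("honest", honest_device), ("rigged", rigged_device)):
        print(name,
              "| matches reference:", cross_check(device, MNEMONIC, PASSPHRASE),
              "| ignores passphrase tail:", truncation_probe(device, MNEMONIC, PASSPHRASE))
```

Neither check says anything about how the mnemonic itself was generated, so a predictable or predefined seed still passes both.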
legendary
Activity: 2968
Merit: 3406
Crypto Swap Exchange
May 23, 2022, 11:08:15 AM
#39
Scammers are probably using the current situation that Trezor is not shipping their devices to Russia and Ukraine at the moment.
~Snipped~
Trezor Model T was mostly affected by this, with some internal components having been replaced by malicious actors.
If the price of Model T continues to go up [like it has in the past couple of years due to chip shortages, inflation and etc...], I wouldn't be surprised to see a sudden rise of fake Trezor devices in other markets with no shipping problems and the scammers would probably use an excuse like, the device they're selling belongs to the last batch that they purchased at lower prices!

legendary
Activity: 2212
Merit: 7064
May 23, 2022, 08:39:16 AM
#38
Warning for everyone: new fake Trezor devices showed up recently in Russian marketplaces, and they should be considered malicious!
Scammers are probably using the current situation that Trezor is not shipping their devices to Russia and Ukraine at the moment.

A few days ago Trezor released an interesting blog article with recommendations for purchasing hardware wallets, with well-known things like detecting tampering, tamper-evident seals, firmware checks, device case inspection, packaging improvements, software improvements, hardware component bonding, etc.
One thing that got my attention was the part of the article that mentions that new fake and modified Trezor devices appeared recently and that they are mostly sold in Russian marketplaces.
These devices had a bootloader that was not released, the vendor was unofficial, and many devices sold on these marketplaces displayed a message when trying to sign a transaction:
Code:
-26: non-mandatory-script-verify-flag (Signature must be zero for failed CHECK(MULTI)SIG operation)

Firmware updates would show a success message, but the malicious firmware would remain on the device, some functions like Shamir backup were not functioning on these devices, seed words generated by fake devices were predictable or predefined, passphrase function was also modified!
Trezor Model T was mostly affected by this, with some internal components having been replaced by malicious actors.
https://blog.trezor.io/stay-safe-shopping-for-hardware-wallets-543f144e3d24
legendary
Activity: 2464
Merit: 4419
🔐BitcoinMessage.Tools🔑
February 18, 2022, 01:53:07 AM
#37
I didn't even check DIY solutions before buying one, I should... I don't like the changing address of Ledger, don't know if it's a rule for all hardware wallets but I don't really understand the goal.
If by changing address you mean you get a new receiving address every time you want to receive coins, this is called Change Address and it exists for privacy reasons.  If I had your address and you never generate new addresses, I would know that all your incoming and outgoing transactions are received and broadcasted by you.  If you have Change addresses, tracing coins to your identity is getting harder.  Add Coin Control to all of this and you will have significantly increased the privacy of your Bitcoins.

Also, Change Addresses exist on all wallets.  Even on Do It Yourself solutions you still have them.  This does not stop you from using a single address all the time though, but it is at the expense of your privacy.

-
Regards,
PrivacyG

That sounds a bit confusing. The receive address is the address you generate every time you want to receive a payment. Once payment is received, a wallet usually hides that address to protect your privacy and discourage you from reusing it. However, you can reuse it if you want: it is just not advisable but well doable. There is another type of address - change addresses - which more often than not are not visible to the user. These addresses are used to receive a so-called "change." A change is created in case the value of UTXOs you're sending is higher than the payment. The main peculiarity of an UTXO (unspent transaction output) is that it can only be sent in its entirety, that is, it is like a dollar bill that cannot be divided. For example, if your wallet has only one output of 5 btc and you send a payment of 1 btc, you will receive a change of 4 btc (minus transaction fees). A wallet usually generates change addresses automatically, but if you want, you can send a change back to the address you made a payment from. However, it is a bad practice since sending back to the same address exposes which output was a payment and which was a change.
legendary
Activity: 882
Merit: 1873
Crypto Swap Exchange
February 17, 2022, 04:29:16 PM
#36
I didn't even check DIY solutions before buying one, I should... I don't like the changing address of Ledger, don't know if it's a rule for all hardware wallets but I don't really understand the goal.
If by changing address you mean you get a new receiving address every time you want to receive coins, this is called Change Address and it exists for privacy reasons.  If I had your address and you never generate new addresses, I would know that all your incoming and outgoing transactions are received and broadcasted by you.  If you have Change addresses, tracing coins to your identity is getting harder.  Add Coin Control to all of this and you will have significantly increased the privacy of your Bitcoins.

Also, Change Addresses exist on all wallets.  Even on Do It Yourself solutions you still have them.  This does not stop you from using a single address all the time though, but it is at the expense of your privacy.

-
Regards,
PrivacyG
newbie
Activity: 21
Merit: 34
February 17, 2022, 03:35:48 PM
#35
I enjoyed watching this video!

Tension was real with the faulty ground.



That is why I think that having multiple solutions is the best thing you can do, own multiple hardware wallets, own DIY signers like SeedSigner or Krux, and own a laptop with sole purpose of being a secure cold storage.
I am so fed up with hardware wallets at the moment, that I'm pretty much exclusively using airgapped encrypted devices and paper wallets for my non-hot wallets. Adding in KYC linked debit cards, supporting KYC and AML requirements from privacy invading centralized exchanges, adding unnecessary features (and therefore vulnerabilities) such as games to the firmware, adding support (and therefore vulnerabilities) for hundreds of useless shitcoins, the list goes on. I don't want to spend money on yet another new hardware wallet for the company to announce in few weeks' time that they are now implementing *stupid feature* and I have yet another device that I don't want to store my coins on. At least with a DIY solution I know it will still work exactly as I want it to in 1, 5, 10 years' time.

Posting this video on Youtube now in 2022 is just a free marketing campaign for Kingpin more than anything else, but it sure hurt Trezor so they even had to comment on that video with an explanation.
Lol. People are dumb. They just read the headline about Trezor being hacked and start to panic. No one bothers to actually read the story to see this is a non-issue.

I didn't even check DIY solutions before buying one, I should... I don't like the changing address of Ledger, don't know if it's a rule for all hardware wallets but I don't really understand the goal.
hero member
Activity: 761
Merit: 606
February 08, 2022, 05:28:11 PM
#34
Old news for sure.

I have had my SEED encrypted on my Trezors for well over a year now.  I leave dummy SD's around for decoys.  That combined with very long passphrases is a virtual certainty that I can sleep well every night!  Most won't put in the time to learn how but SEED encryption on a Trezor is solid and the little SD can be kept in a separate location providing "two location" security of sorts.
legendary
Activity: 2730
Merit: 7065
February 06, 2022, 02:38:53 AM
#33
It's possible but he never mentioned exact days in his video and the vast majority of viewers are thinking that Trezor devices still have this flaw.
I am seeing people posting on Reddit and Twitter every day asking the same question, that could mean that something was intentionally done in this way.
It could also mean that the majority of people asking those questions don't have the mental capacity or willingness to watch a video and understand the content shown in it. Like the fact that Kingpin mentions that he found a vulnerable piece of code that allowed him to retrieve sensitive data from RAM in firmware version 1.6.0, and he also says that line of code was removed in newer versions making that attack scenario unrepeatable. That's just people being people and looking at things in a hasty way without any understanding of the material.   

Even I was not sure about dates when all this happened exactly, and at first I was thinking this is some fresh trezor bug...
Yes, and then you watched the video and you understood it. Those who are crying on Reddit didn't. That's no one's fault but their own. 
legendary
Activity: 2212
Merit: 7064
February 05, 2022, 06:15:17 PM
#32
You're probably right... If Ledger would've exerted the same amount of effort into improving all of those unreliable hardware wallets that they've been selling in the past year or so, they could've restored a portion of their damaged reputation but instead of doing that, they're trying to pull-down their competitors in an unethical way
I like what ledger Donjon team is doing, something similar is done by Kraken team in more neutral way, but so much energy is spent from ledger on saying how all other wallets are unsecure, except their product.
They have better marketing and they sold millions of devices, but I think that quantity doesn't always mean quality.

It's possible that the guy didn't know who to turn to for help. And that 3 months ago, he came across Kingpin and that other group in Switzerland that was mentioned in the video.
It's possible but he never mentioned exact days in his video and the vast majority of viewers are thinking that Trezor devices still have this flaw.
I am seeing people posting on Reddit and Twitter every day asking the same question, that could mean that something was intentionally done in this way.
Even I was not sure about dates when all this happened exactly, and at first I was thinking this is some fresh trezor bug...

Take a look at the comments under the video on Youtube. Kingpin pinned Trezor's reply in which they wrote that the vulnerability that was found was fixed in 2017. I don't think he would do that if he wanted to throw dirt on Trezor.
You don't have to tell me to look at the comments because I posted that image from trezor reply in my first post in this topic.
Why do you think Trezor had to do that?
Because they received huge amount of questions...that is why.
legendary
Activity: 2730
Merit: 7065
February 05, 2022, 04:11:00 AM
#31
I was thinking there is something suspicious with the way how this video was released and especially the timing (after years of waiting), so let me elaborate more on this.
Maybe this is just a coincidence, but Joe Grand (Kingpin) released his video on January 24 (over 2,2M views so far), and he even has dedicated website offspec.io registered in 2021.

On almost exact same day Ledger and their Donjon team started to release similar hacking videos on their channel that are also focused on this event of hacking Trezor device.
Aside from the two videos released by Ledger that shows their Donjon team attacking Trezor and ColdCard wallets, why do you think that Kingpin's video was released after years of waiting? I don't think there is anything in the video that could point to the fact that it was filmed years ago. Is there a specific scene that caught your eye and made you think that? 

It's possible that the guy didn't know who to turn to for help. And that 3 months ago, he came across Kingpin and that other group in Switzerland that was mentioned in the video.

Take a look at the comments under the video on Youtube. Kingpin pinned Trezor's reply in which they wrote that the vulnerability that was found was fixed in 2017. I don't think he would do that if he wanted to throw dirt on Trezor.
legendary
Activity: 2268
Merit: 18775
February 05, 2022, 03:45:46 AM
#30
For instance, there could be a community-made script that fetches the latest Foundation Passport source, removes the games and compiles it.
Even more risk then, since you are trusting the Passport developers not to introduce a vulnerability with their stupid games, and then trusting the community not to introduce a vulnerability with their code to remove said stupid games. And the community driven version won't be pen tested to the same degree as the native version.

It's such a pointless edition, I cannot understand why they implemented it in the first place. It makes them seem very amateurish.

For example, Shift Crypto offers a 'Bitcoin only' firmware that I believe can also be flashed to the 'Multi' edition (irreversibly).
True, but Shift Crypto also developed AOPP, so they are off the table as far as I'm concerned.
legendary
Activity: 2968
Merit: 3406
Crypto Swap Exchange
February 04, 2022, 01:09:35 PM
#29
but it sure looks like negative campaign against Trezor for something that was fixed years ago.
You're probably right... If Ledger would've exerted the same amount of effort into improving all of those unreliable hardware wallets that they've been selling in the past year or so, they could've restored a portion of their damaged reputation but instead of doing that, they're trying to pull-down their competitors in an unethical way [I do know Trezor isn't perfect by any means, but I've never seen them do such a thing]...

legendary
Activity: 2212
Merit: 7064
February 03, 2022, 10:56:37 AM
#28
I was thinking there is something suspicious with the way how this video was released and especially the timing (after years of waiting), so let me elaborate more on this.
Maybe this is just a coincidence, but Joe Grand (Kingpin) released his video on January 24 (over 2,2M views so far), and he even has dedicated website offspec.io registered in 2021.

On almost exact same day Ledger and their Donjon team started to release similar hacking videos on their channel that are also focused on this event of hacking Trezor device.
Side-channel attacks | Enter the Donjon video was released on January 21 just few days before Joe Grand video.
Coincidence or maybe Joe Grand is paid and working for ledger team, I don't know... but it sure looks like negative campaign against Trezor for something that was fixed years ago.

On January 31 Donjon released new short video for hacking old Coldcard wallet with Laser fault attacks.

PS
This is just my speculation and I am not accusing anyone for anything here.
legendary
Activity: 2730
Merit: 7065
February 02, 2022, 09:27:14 AM
#27
He is a smart guy and I will give him credit, but the correct way would be to mention the years when this happened, if not in the video then in the description.
I agree with you that he could have mentioned the years. But he does mention at 13:20 in the video that he was going through Trezor's source code and that he found an exploitable vulnerability in firmware version 1.6.0. He then says that line of code was removed in 1.6.1. In some way, he does acknowledge that this particular vulnerability is not there anymore if your firmware is up-to date. 

Most of the people are now thinking that Trezor is still affected by this old bug...
Well it is if you are still using an outdated firmware. And if you forgot your PIN, like the guy in the video, and you can't unlock your device to upgrade the firmware, you are stuck with the old and vulnerable one.
legendary
Activity: 2212
Merit: 7064
February 01, 2022, 11:00:00 AM
#26
Goddamn, this sneaky dude got me as well! It appeared to me that this happened recently - which would mean the firmware would have been seriously outdated - but I reckon it would have been possible: get a ton of coins, forget it for almost 10 years, find it again and need to look for a hacker since you forgot the PIN.
He is a smart guy and I will give him credit, but the correct way would be to mention the years when this happened, if not in the video then in the description.
Most of the people are now thinking that Trezor is still affected by this old bug, they are not doing any research and social media is full of this YouTube video.

They're not just cutting the antenna, they're removing the chip's power source, so it just can't turn on again.
Yeah I saw that link and procedure is fairly simple for anyone who did some soldering in his life.
No chip = No wi-fi/bt, and this could even make raspberry a bit faster also (version 2.0 is faster than v1.3 even with wifi/bt).

I love DIY and FOSS myself, and do believe it can be more secure in many cases, just due to more eyes looking at the code. It's also great that you can remove a feature and recompile without that, for instance. However this is not limited to DIY wallets, but it's also the case for any other open-source wallet.
Except for the Coldcard wallet, because if you fork their code and try to compile it yourself and change some things, you will get a lawsuit from NVK for license violation...
That means their website is lying and misleading people intentionally.
Ask NVK about this and you will get banned, but all his channels... pathetic.

Of course, also pressure on the manufacturers helps. For example, Shift Crypto offers a 'Bitcoin only' firmware that I believe can also be flashed to the 'Multi' edition (irreversibly).
You know that Keystone wallet also has this feature?
It's possible to install Bitcoin only firmware and after that it's impossible to switch back to multi-coin edition, so it's permanent and good for security.

I would not immediately update in this case, since the new firmware update may contain fresh critical bugs or vulnerabilities. This problem creates a danger only with physical access to the device. Online, Trezor is still safe, isn't it. Can wait a while, and then update the device.
Hello and wtf?!
I would... It's been more than 3 years since this bug in Trezor and it would be BIG mistake if you don't update now if you have old firmware like that.
hero member
Activity: 924
Merit: 5950
not your keys, not your coins!
February 01, 2022, 09:23:01 AM
#25
1) 'they just want to make money' - of course, that's what companies do. They have to pay their employees, their researchers and pay for security audits, for the whole infrastructure and much more. They need to make a profit to survive.
There's a big difference between selling devices to make money and selling out their principles of being in control of your own keys and coins.
That's true, indeed.

2) 'if they add feature X, I need a new wallet' / FOSS solutions keep working the same for years to come - Obviously, you can choose not to update if you don't like a feature. Further, many criticized features are only in the software suite on the host. Good wallets should support usage with Electrum or Sparrow, so by just not using the wallet's 'original' software, you completely avoid the issue.
Choosing not to update leaves you open to security vulnerabilities, and often you have to use the manufacturer's software to update, so there is no avoiding it. And there are plenty of features I can think of being pushed to hardware wallet firmware which I absolutely wouldn't want on my hardware wallet, such as support for various useless altcoins, games, ability to take screenshots, etc.
I guess then we have to make sure when buying new hardware wallets, that both the firmware and the software used for updating are open source, easy to read and modify. For instance, there could be a community-made script that fetches the latest Foundation Passport source, removes the games and compiles it.

Of course, also pressure on the manufacturers helps. For example, Shift Crypto offers a 'Bitcoin only' firmware that I believe can also be flashed to the 'Multi' edition (irreversibly).
legendary
Activity: 2268
Merit: 18775
February 01, 2022, 09:12:50 AM
#24
1) 'they just want to make money' - of course, that's what companies do. They have to pay their employees, their researchers and pay for security audits, for the whole infrastructure and much more. They need to make a profit to survive.
There's a big difference between selling devices to make money and selling out their principles of being in control of your own keys and coins.

2) 'if they add feature X, I need a new wallet' / FOSS solutions keep working the same for years to come - Obviously, you can choose not to update if you don't like a feature. Further, many criticized features are only in the software suite on the host. Good wallets should support usage with Electrum or Sparrow, so by just not using the wallet's 'original' software, you completely avoid the issue.
Choosing not to update leaves you open to security vulnerabilities, and often you have to use the manufacturer's software to update, so there is no avoiding it. And there are plenty of features I can think of being pushed to hardware wallet firmware which I absolutely wouldn't want on my hardware wallet, such as support for various useless altcoins, games, ability to take screenshots, etc.
legendary
Activity: 1792
Merit: 1296
Playbet.io - Crypto Casino and Sportsbook
February 01, 2022, 08:41:57 AM
#23
It might be a good idea to UPDATE your Trezor firmware now.
Latest version for Trezor One is 1.10.5.


I would not immediately update in this case, since the new firmware update may contain fresh critical bugs or vulnerabilities. This problem creates a danger only with physical access to the device. Online, Trezor is still safe, isn't it. Can wait a while, and then update the device.
hero member
Activity: 924
Merit: 5950
not your keys, not your coins!
January 31, 2022, 09:36:29 PM
#22
Wasn't the issue even fixed already, but possible due to outdated firmware? Like at the time of attack, he mentions about firmware v1.6.0 and that the attack wasn't gonna be possible in v1.6.1 etc., so he was exploiting the fact that the device was running old software in a way.
He was sort of doing this, but video was recorded somewhere in 2017 I think, and owner couldn't update the device even if he wanted to do it, because he didn't know the password.
Posting this video on Youtube now in 2022 is just a free marketing campaign for Kingpin more than anything else, but it sure hurt Trezor so they even had to comment on that video with an explanation.


Goddamn, this sneaky dude got me as well! It appeared to me that this happened recently - which would mean the firmware would have been seriously outdated - but I reckon it would have been possible: get a ton of coins, forget it for almost 10 years, find it again and need to look for a hacker since you forgot the PIN.

Makes me think: in a pinch, you could even just wipe a HW wallet that you have around (of which you have a seed backup handy) and load the stolen wallet's seed onto it. When you're done transferring the funds, reset it again and put in 'its' seed again.
Or just use SeedSigner/Krux that works exactly like that, but it's much easier to import seed words again (with QR codes) than it is on Trezor, Ledger and other hardware wallets.
You don't even need secure element or secret NDA's and permission with this.
Correct! On this topic, today I read this tweet by SeedSigner guys.
Periodic reminder for people having trouble sourcing a Raspberry Pi Zero 1.3, it is a relatively simple process to physically disable wireless communication for both the Pi Zero W and Pi Zero 2W. More information here:
Which leads to a GitHub made just about disabling the WiFi / BT combo chip.
https://github.com/DesobedienteTecnologico/rpi_disable_wifi_and_bt_by_hardware

They're not just cutting the antenna, they're removing the chip's power source, so it just can't turn on again.



Some extra thoughts since I saw this mentioned a few times:
1) 'they just want to make money' - of course, that's what companies do. They have to pay their employees, their researchers and pay for security audits, for the whole infrastructure and much more. They need to make a profit to survive.
2) 'if they add feature X, I need a new wallet' / FOSS solutions keep working the same for years to come - Obviously, you can choose not to update if you don't like a feature. Further, many criticized features are only in the software suite on the host. Good wallets should support usage with Electrum or Sparrow, so by just not using the wallet's 'original' software, you completely avoid the issue.
3) 'DIY is more secure' - I love DIY and FOSS myself, and do believe it can be more secure in many cases, just due to more eyes looking at the code. It's also great that you can remove a feature and recompile without that, for instance. However this is not limited to DIY wallets, but it's also the case for any other open-source wallet.
legendary
Activity: 2212
Merit: 7064
January 30, 2022, 07:38:19 AM
#21
I am so fed up with hardware wallets at the moment, that I'm pretty much exclusively using airgapped encrypted devices and paper wallets for my non-hot wallets.
I am not going to recommend anyone to use paper wallets that can create much bigger problems for general population than hardware wallets ever would.
But I agree with you that hardware wallets are a mess now and most of them are living in their closed ecosystem just trying to make some profit from this devices.
DIY might be the best option that is flexible and you will be able to adjust accordingly if something changes in future.
Whatever you choose, the best thing is to keep everything simple and not complicate too much.

You were probably referring to the PIN code, not a password. The guy in the video forgot his PIN. More precisely, his friend, the professional poker player who has a photographic memory, forgot a 5-digit PIN code
Pin code is the password in this case that only contain numbers, and it's tied to specific device.
I was not talking about passphrase that is something totally different from password or pin.
legendary
Activity: 2730
Merit: 7065
January 30, 2022, 03:59:59 AM
#20
He was sort of doing this, but video was recorded somewhere in 2017 I think, and owner couldn't update the device even if he wanted to do it, because he didn't know the password.
You were probably referring to the PIN code, not a password. The guy in the video forgot his PIN. More precisely, his friend, the professional poker player who has a photographic memory, forgot a 5-digit PIN code.

Posting this video on Youtube now in 2022 is just a free marketing campaign for Kingpin more than anything else...
I agree. He sounds like an interesting guy I would definitely want to talk to. Plus he seems willing to help people who find themselves in a similar situation. He said that at the end.

Not possible for regular humans, but I bet smart guys and hackers like Kingpin, with all their gadgets will find some way to do it again.
If he can make a Trezor glitch and go into debug mode, I am sure he could find a way to trick the device into accepting an older firmware.
legendary
Activity: 2268
Merit: 18775
January 30, 2022, 03:52:06 AM
#19
That is why I think that having multiple solutions is the best thing you can do, own multiple hardware wallets, own DIY signers like SeedSigner or Krux, and own a laptop with sole purpose of being a secure cold storage.
I am so fed up with hardware wallets at the moment, that I'm pretty much exclusively using airgapped encrypted devices and paper wallets for my non-hot wallets. Adding in KYC linked debit cards, supporting KYC and AML requirements from privacy invading centralized exchanges, adding unnecessary features (and therefore vulnerabilities) such as games to the firmware, adding support (and therefore vulnerabilities) for hundreds of useless shitcoins, the list goes on. I don't want to spend money on yet another new hardware wallet for the company to announce in few weeks' time that they are now implementing *stupid feature* and I have yet another device that I don't want to store my coins on. At least with a DIY solution I know it will still work exactly as I want it to in 1, 5, 10 years' time.

Posting this video on Youtube now in 2022 is just a free marketing campaign for Kingpin more than anything else, but it sure hurt Trezor so they even had to comment on that video with explanation.
Lol. People are dumb. They just read the headline about Trezor being hacked and start to panic. No one bothers to actually read the story to see this is a non-issue.
legendary
Activity: 2212
Merit: 7064
January 29, 2022, 07:14:11 PM
#18
I'd even go as far as saying that you may actually want to have both types for two very different, very specific applications. Cold storage = no S.E., daily driver = with S.E.? Just a thought.
With or without secure elements, it's definitely much safer to have hardware wallet with secure element, than using just regular smartphone for holding smaller amounts of coins you can spend.
After reading all the news that happened in last few days with hardware wallets, I am thinking that regulators will soon try to do something similar like in Switzerland.
That is why I think that having multiple solutions is the best thing you can do, own multiple hardware wallets, own DIY signers like Seedsigner or Krux, and own a laptop with sole purpose of being a secure cold storage.
Doing this you will most likely be able to survive with bitcoin post 2022  Wink

Wasn't the issue even fixed already, but possible due to outdated firmware? Like at the time of attack, he mentions about firmware v1.6.0 and that the attack wasn't gonna be possible in v1.6.1 etc., so he was exploiting the fact that the device was running old software in a way.
He was sort of doing this, but video was recorded somewhere in 2017 I think, and owner couldn't update the device even if he wanted to do it, because he didn't know the password.
Posting this video on Youtube now in 2022 is just a free marketing campaign for Kingpin more than anything else, but it sure hurt Trezor so they even had to comment on that video with explanation.



Makes me think: in a pinch, you could even just wipe a HW wallet that you have around (of which you have a seed backup handy) and load the stolen wallet's seed onto it. When you're done transferring the funds, reset it again and put in 'its' seed again.
Or just use Seedsigner/Krux that works exactly like that, but it's much easier to import seed words again (with QR codes) than it is on Trezor, Ledger and other hardware wallets.
You don't even need secure element or secret NDA's and permission with this.

Not possible. Once you've upgraded to any version beyond version 1.6.0, it is not possible to downgrade back to 1.6.0. See the table here: https://wiki.trezor.io/Firmware_downgrade
Not possible for regular humans, but I bet smart guys and hackers like Kingpin, with all their gadgets will find some way to do it again. Wink
legendary
Activity: 2730
Merit: 7065
January 29, 2022, 11:53:12 AM
#17
You can downgrade it without knowing the PIN? That would mean any security mechanisms implemented through firmware upgrades would be pointless, since an attacker could just downgrade to an older version and exploit the vulnerabilities that were fixed through upgrades; I can't imagine that's possible.
Good point! I forgot about the PIN. I don't own a Trezor device but when you install new firmware updates on Ledger, it does ask you to enter your current PIN. I am sure it wouldn't work on Trezor either. To get the firmware installation files, you would have to connect to the Suite or the wallet.trezor interface. With an unlocked device, that would surely not work. 

If you can downgrade, you will be able to attack like in the video. The update doesn't 'remove' the data permanently from insecure storage or something like that; v1.6.0 copies the secure data into RAM at boot, it will do that no matter if it was updated and downgraded again.
As o_e_l_e_o pointed out, it's not possible to downgrade the firmware if you have anything newer than 1.6.1.
hero member
Activity: 924
Merit: 5950
not your keys, not your coins!
January 29, 2022, 07:54:32 AM
#16
The vulnerability existed in the 1.6.0 firmware version of Trezor One’s firmware. With ver. 1.6.1, they fixed it. If someone was facing an issue like a lost PIN but had a newer firmware version, I wonder if it would work if he downgraded to version 1.6.0 and had Kingpin work on the device to extract the seed like he did for the guy in the video? I know that it is possible to downgrade to an older Trezor firmware, but would the data still be extractable from the chip, that’s the question.
You can downgrade it without knowing the PIN? That would mean any security mechanisms implemented through firmware upgrades would be pointless, since an attacker could just downgrade to an older version and exploit the vulnerabilities that were fixed through upgrades; I can't imagine that's possible.
If you can downgrade, you will be able to attack like in the video. The update doesn't 'remove' the data permanently from insecure storage or something like that; v1.6.0 copies the secure data into RAM at boot, it will do that no matter if it was updated and downgraded again.

It also seems like a pretty standard attack / setup (still great, no question!): voltage glitch, automatic reboot and getting serial console, then read RAM. I suspect after this was shown, many will try to replicate it. So maybe update your wallets. Cheesy



Wasn't the issue even fixed already, but possible due to outdated firmware?
Correct. See above:
As far as I can tell, this particular vulnerability was patched in firmware version 1.6.1 which came out in March 2018, 4 years ago.
Okay, so since this is the case, he will not get any bounty from Trezor, obviously and also not listed on the webpage, most probably. Since he used a known, fixed vulnerability. It was still a cool feat that took him a while to perfect, but you typically only get listed and paid if it's something new. @PX-Z
legendary
Activity: 2268
Merit: 18775
January 29, 2022, 07:53:06 AM
#15
Wasn't the issue even fixed already, but possible due to outdated firmware?
Correct. See above:
As far as I can tell, this particular vulnerability was patched in firmware version 1.6.1 which came out in March 2018, 4 years ago.

That's not bad either but it's different from what I mentioned in my previous post. I was talking about having a 2nd device, fully functional and set up to be used if your primary device goes missing or malfunctions.
If you are storing enough funds to want them on a hardware wallet, then you should have a secure means of recovering that wallet and a secure place to send the coins in the event your hardware wallet is stolen. Having a second hardware device is a possibility, which you can initialize, back up a seed phrase, and note down a receiving address in advance, and then wipe and use to restore your compromised seed phrase. Using a similar set up but with an airgapped device is also a possibility. If you can't do either of those, then it would be worthwhile using your current hardware device to generate a new wallet, either via a brand new seed phrase or an additional strong passphrase on top of your existing seed phrase, and having a receiving address noted down and ready to go. Then, in a pinch, you could sweep everything to that receiving address via a software wallet, accepting of course the increased risk by using a hot software wallet.

If someone was facing an issue like a lost PIN but had a newer firmware version, I wonder if it would work if he downgraded to version 1.6.0 and had Kingpin work on the device to extract the seed like he did for the guy in the video? I know that it is possible to downgrade to an older Trezor firmware, but would the data still be extractable from the chip, that’s the question.
Not possible. Once you've upgraded to any version beyond version 1.6.0, it is not possible to downgrade back to 1.6.0. See the table here: https://wiki.trezor.io/Firmware_downgrade
legendary
Activity: 2730
Merit: 7065
January 29, 2022, 02:26:48 AM
#14
I love that line. Going to be using it a lot.
Sure, enjoy it. Grin

As for the cost of hardware wallets on the secondhand market, leaving one around might not be the worst idea.
If it goes missing you can check your real one to make sure it's safe. But at that point, you know your security has issues because someone got in and got to your hardware wallet. Even if it's not your real one. Someone out there can no longer be trusted.
Are you talking about leaving one somewhere as a trap to be grabbed in case a thief breaks in to your home? That's not bad either but it's different from what I mentioned in my previous post. I was talking about having a 2nd device, fully functional and set up to be used if your primary device goes missing or malfunctions.

Makes me think: in a pinch, you could even just wipe a HW wallet that you have around (of which you have a seed backup handy) and load the stolen wallet's seed onto it.
Sure, that would work. But again, you still need a second hardware wallet for this.


Comments about the Trezor attack.

The vulnerability existed in the 1.6.0 firmware version of Trezor One’s firmware. With ver. 1.6.1, they fixed it. If someone was facing an issue like a lost PIN but had a newer firmware version, I wonder if it would work if he downgraded to version 1.6.0 and had Kingpin work on the device to extract the seed like he did for the guy in the video? I know that it is possible to downgrade to an older Trezor firmware, but would the data still be extractable from the chip, that’s the question.

It's funny how they scrambled the seed words at the end of the video. Like it still contains any crypto.  
hero member
Activity: 924
Merit: 5950
not your keys, not your coins!
January 28, 2022, 07:19:17 PM
#13
It's worth noting this Trezor model is one of the few wallets which has no dedicated secure element.
Yeah, this is the last days of hardware wallets without secure elements, or maybe not.
To be completely honest, I'd say: it depends. If you trust your ability to keep the device mostly safe and the bigger risk for you is a backdoor in the secure element (also circumstantial: potential of bad actors, legality of BTC in your home country, ...) - then an open source device without such closed element would be beneficial.
On the other hand, if you need to bring your wallet into insecure places like shared offices or something and there is a risk of an 'evil maid' attack, and a comparatively lower risk of backdoors or flaws in the secure element, then this solution is for you.

I'd even go as far as saying that you may actually want to have both types for two very different, very specific applications. Cold storage = no S.E., daily driver = with S.E.? Just a thought.

Bonus task, try to find Kingpin in this image (click to enlarge) Smiley

Easy, third one. Grin

I wonder if he get bounty bug reward from trezor considering this is a great find. I see their bounty bug page [1] but seems still outdated https://trezor.io/security/
He was certainly paid by the guy who hired him for this job, and it's possible that Trezor compensated him related with this flaw.
All this happened several months ago and Trezor was well aware of this problem and fixed it right away.
Wasn't the issue even fixed already, but possible due to outdated firmware? Like at the time of attack, he mentions about firmware v1.6.0 and that the attack wasn't gonna be possible in v1.6.1 etc., so he was exploiting the fact that the device was running old software in a way.

It appears that in addition to the pin, he hacked the seed phrases as well [blurred part].
I guess once you have the PIN, you will have the full access to everything including seed words, but this was the case before fix was applied in firmware.
To me it sounded like the PIN and seed were both loaded into RAM at boot, which is also shown in the video where he reads out the RAM to the host machine, then just performs strings. Therefore, he's not using the PIN to retrieve the seed (as you're describing).



It's a good idea to even have such a wallet safely generated and prepared in case something like that happens one day. It will be quicker to just recover an already existing wallet than creating one from scratch and writing down its seed words when you don't know who might be playing around with your lost HW. Imagine being 10 minutes late because you had to make sure your seed is correct and doing all the other steps and verifications according to your personal needs.
Makes me think: in a pinch, you could even just wipe a HW wallet that you have around (of which you have a seed backup handy) and load the stolen wallet's seed onto it. When you're done transferring the funds, reset it again and put in 'its' seed again.
Probably quicker than starting downloading Tails and more secure than importing seed into Electrum.
Note that not all hardware wallets  have this feature.
legendary
Activity: 2968
Merit: 3406
Crypto Swap Exchange
January 28, 2022, 04:57:23 PM
#12
I have a question, why is the PIN code sufficient?
It wasn't... The hacker in question "retrieved the seed phrases" as well.

In other words, if a password of sufficient length is inserted, will the hacker easily gain access to the device?
If you were referring to using a passphrase, then even in such cases, hackers can't access it [it's not stored on the hardware wallet].
legendary
Activity: 3500
Merit: 6320
Crypto Swap Exchange
January 28, 2022, 03:02:33 PM
#11
I look at it the same way as I look at oxygen tanks. They will help me breathe and survive under water for a specific amount of time. After that, I will drown if I don't get to the surface in time. As soon as you notice that your hardware wallet is missing, take your recovery seed out from its hiding and transfer your coins somewhere else as soon as you get the opportunity to do it.
I love that line. Going to be using it a lot.
It's also the reason why, if you have a lot of BTC / crypto, you really should be using more than 1 wallet.

As for the cost of hardware wallets on the secondhand market, leaving one around might not be the worst idea.

If it goes missing you can check your real one to make sure it's safe. But at that point, you know your security has issues because someone got in and got to your hardware wallet. Even if it's not your real one. Someone out there can no longer be trusted.

-Dave
legendary
Activity: 2730
Merit: 7065
January 27, 2022, 09:04:17 AM
#10
It seems that physical access to the device will mean that the password will be hacked and therefore your coins will be lost.
I look at it the same way as I look at oxygen tanks. They will help me breathe and survive under water for a specific amount of time. After that, I will drown if I don't get to the surface in time. As soon as you notice that your hardware wallet is missing, take your recovery seed out from its hiding and transfer your coins somewhere else as soon as you get the opportunity to do it.

This has always been my approach. If I was to lose any device with bitcoin on it - hardware wallet, mobile wallet, encrypted cold storage, whatever - then I would be moving the coins to new wallets as soon as possible. A hardware wallet will buy you time to do this, but it shouldn't be seen as permanently infallible.
+1.
It's a good idea to even have such a wallet safely generated and prepared in case something like that happens one day. It will be quicker to just recover an already existing wallet than creating one from scratch and writing down its seed words when you don't know who might be playing around with your lost HW. Imagine being 10 minutes late because you had to make sure your seed is correct and doing all the other steps and verifications according to your personal needs.
legendary
Activity: 2212
Merit: 7064
January 26, 2022, 11:51:57 AM
#9
It's worth noting this Trezor model is one of the few wallets which has no dedicated secure element.
Yeah, this is the last days of hardware wallets without secure elements, or maybe not.
It's possible to use something that Seedsigner or Krux DIY with non-persistent storage that would delete everything after you shut down power from wallet.
Until I see first opensource secure element, I will not trust any other secure elements and signed NDA's.

Bonus task, try to find Kingpin in this image (click to enlarge) Smiley


I wonder if he get bounty bug reward from trezor considering this is a great find. I see their bounty bug page [1] but seems still outdated https://trezor.io/security/
He was certainly paid by the guy who hired him for this job, and it's possible that Trezor compensated him related with this flaw.
All this happened several months ago and Trezor was well aware of this problem and fixed it right away.
I think that Saleem Rashid fixed this issue and he is on top of the bounty list on ledger website with 60.000 points.

It appears that in addition to the pin, he hacked the seed phrases as well [blurred part].
I guess once you have the PIN, you will have the full access to everything including seed words, but this was the case before fix was applied in firmware.
It turned out good for owner of that specific Trezor and I am hearing that many people are now contacting Kingpin with same issues of lost PIN.


legendary
Activity: 1792
Merit: 1296
Playbet.io - Crypto Casino and Sportsbook
January 26, 2022, 11:34:35 AM
#8
Undoubtedly, this event will catch up with fear, but let's look at it from a different angle. The discovery of this vulnerability will push manufacturers to change and the security system of their devices will be improved. So it turns out that a negative event leads to positive changes.

In the future, similar events will happen more than once and you should not panic because of this. What is created by a person can always be hacked by another person. It's just a question of skills and resources.

It is also a great reminder that there are no perfect protection systems and therefore, you need to take this into account and be prepared. "Don't put all your eggs in one basket".


legendary
Activity: 2268
Merit: 18775
January 26, 2022, 06:25:09 AM
#7
I see this as a non-issue compared to what we already know, to be honest.

As far as I can tell, this particular vulnerability was patched in firmware version 1.6.1 which came out in March 2018, 4 years ago. And as we've known for a long time, regardless of what is happening here, seed extraction is still a possibility with Trezor devices for other reasons. Everyone with a Trezor device should be using a long and complex passphrase (or ideally, several different ones), which mitigates the risk of both vulnerabilities.

And as always, the likelihood of your coins being stolen by such a method is minuscule compared to your coins being stolen by user mistake, phishing, etc.

It seems that physical access to the device will mean that the password will be hacked and therefore your coins will be lost.
This has always been my approach. If I was to lose any device with bitcoin on it - hardware wallet, mobile wallet, encrypted cold storage, whatever - then I would be moving the coins to new wallets as soon as possible. A hardware wallet will buy you time to do this, but it shouldn't be seen as permanently infallible.
legendary
Activity: 2758
Merit: 4074
January 26, 2022, 06:02:13 AM
#6
It seems that physical access to the device will mean that the password will be hacked and therefore your coins will be lost.

I have a question, why is the PIN code sufficient? In other words, if a password of sufficient length is inserted, will the hacker easily gain access to the device?

Overall, with the cheap device price, generating seeds, keeping seeds/addresses, and destroying hardware wallet device would be especially convenient for those who hold millions of dollars and don't intend to use them periodically.
legendary
Activity: 2968
Merit: 3406
Crypto Swap Exchange
January 26, 2022, 05:53:38 AM
#5
hacker who hacked and broke Trezor hardware wallet PIN code with wallet worth around $2 million!
It appears that in addition to the pin, he hacked the seed phrases as well [blurred part].

- Always make multiple backups for your wallet
I can't stress this enough... I'd like to add that, it's worth creating those periodically [I'm really great at hiding stuff at home or in other places but that also means, I tend to lose or rather forget where I hid/placed some of them]!

hence use the backup seed and move the coins away asap.
You have a point, but in this case, that information "wasn't available".

As a Trezor user, I'm having mixed feelings in regards to the following parts:

  • But a core issue with the chip that allows fault injection still exists and can only be fixed by the chip maker — which the maker has declined to do — or by using a more secure chip. Rusnak says his team explored the latter, but more secure chips generally require vendors to sign an NDA, something his team opposes. Trezor uses open-source software for transparency, and when Rusnak’s team discovered a flaw in one secure chip they considered using, the chip maker invoked the NDA to prevent them from talking about it.
legendary
Activity: 1554
Merit: 880
Wallet transaction notifier @txnNotifierBot
January 25, 2022, 08:46:25 PM
#4
Wow! Just wow. A huge kudos to this man, imagine if it was held by a malicious actor who never shared this with Trezor.

I wonder if he get bounty bug reward from trezor considering this is a great find. I see their bounty bug page [1] but seems still outdated

[1] https://trezor.io/security/
hero member
Activity: 924
Merit: 5950
not your keys, not your coins!
January 25, 2022, 04:34:53 PM
#3
It's worth noting this Trezor model is one of the few wallets which has no dedicated secure element.

Also I had no idea kingpin was doing YouTube videos, that's amazing! Definitely a legend.
legendary
Activity: 3668
Merit: 6382
Looking for campaign manager? Contact icopress!
January 25, 2022, 03:54:50 PM
#2
Conclusion:

While it's good to remind people now and then about these kinds of problems, the overall conclusion has not changed:
if the hardware wallet falls into the hands of unknown people, it's safer to assume it's going to get broken into/hacked, hence use the backup seed and move the coins away asap.
legendary
Activity: 2212
Merit: 7064
January 25, 2022, 03:48:50 PM
#1
The Verge released an interesting article about an electrical engineer and hacker who hacked and broke a Trezor hardware wallet PIN code, with the wallet worth around $2 million!
This was all done by Joe Grand, and the Trezor device was owned by Dan Reich, who purchased some coins for $50k back in 2018 and then withdrew them from an exchange to the Trezor wallet.
The price of the coins crashed (some of us remember that time) and Dan forgot all about the PIN code he used on his Trezor, and his friend lost the paper backup with this information.

Joe Grand, better known by his old hacker handle “Kingpin” was a part of L0pht hacker collective that testified to the US Senate back in 1998.
He already helped Mark Frauenfelder recover his coins from Trezor after he forgot his PIN in 2017, so Dan Reich contacted him and asked him for help.
Trezor did some changes and improvements after this, but this was not enough as Grand managed to do it again, and you can watch the procedure below in his YouTube channel.

Problem is not only for Trezor but for most hardware wallets and devices that use STM32 microcontrollers and most wallets are using them.
They are used in billions of devices around the world, not only in hardware wallets and it's scary when you think about it, even without flaws some agencies could add backdoor for spying inside these chips.

Trezor already fixed the issue in latest firmware versions and wallets no longer copy or move the key and PIN into RAM but in protected part of flash that is not affected by firmware upgrades.

Make sure to watch the video below, it does look a bit scripted but it is interesting to watch and fun time to spend 30 minutes.

Conclusion:
- Always make multiple backups for your wallet
- Use Trezor ONLY with passphrase, but back that up also.

Joe Grand video: How I hacked a hardware crypto wallet and recovered $2 million
https://www.youtube.com/watch?v=dT9y-KQbqi4


Full Article: https://www.theverge.com/2022/1/24/22898712/crypto-hardware-wallet-hacking-lost-bitcoin-ethereum-nft

Quote
Hi, we just want to add that the vulnerability was already fixed, and all new devices are shipped with a fixed bootloader.
Thanks to @saleemrash1d for his security audit. Learn more about our Security approach and responsible disclosure program here
https://twitter.com/Trezor/status/1485736962262810626

It might be a good idea to UPDATE your Trezor firmware now.
Latest version for Trezor One is 1.10.5.



NOTE:
This bug happened a few years ago in 2017 and Trezor firmware was updated shortly after that.
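
The thread describes firmware 1.6.0 copying the PIN and seed into RAM at boot, and the opening post says later firmware no longer does so. The following is an added host-side model of that difference, not Trezor firmware code and not part of any post; the simulated RAM array, the function names and the sample secrets are all assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RAM_SIZE 1024

/* Constructed sample secrets standing in for flash contents; not real wallet data. */
static const char FLASH_PIN[]  = "48213";
static const char FLASH_SEED[] = "constructed sample seed words for demo only";

/* Simulated SRAM: everything a RAM dump would capture. */
static uint8_t ram[RAM_SIZE];

/* Wipe through a volatile pointer so the compiler cannot drop it as a dead store. */
static void secure_wipe(void *p, size_t n) {
    volatile uint8_t *v = (volatile uint8_t *)p;
    while (n--) *v++ = 0;
}

/* Stand-in for dumping RAM and searching the dump for a known secret. */
int ram_contains(const char *needle) {
    size_t n = strlen(needle);
    if (n == 0 || n > RAM_SIZE) return 0;
    for (size_t i = 0; i + n <= RAM_SIZE; i++)
        if (memcmp(ram + i, needle, n) == 0) return 1;
    return 0;
}

/* Pattern the thread attributes to 1.6.0: secrets are copied into RAM at
   boot, before any PIN has been entered. */
void boot_legacy(void) {
    secure_wipe(ram, RAM_SIZE);
    memcpy(ram, FLASH_PIN, sizeof FLASH_PIN);
    memcpy(ram + 64, FLASH_SEED, sizeof FLASH_SEED);
}

/* Hardened boot in this model: nothing secret leaves flash at start-up. */
void boot_hardened(void) {
    secure_wipe(ram, RAM_SIZE);
}

/* Comparison whose running time does not depend on where the inputs differ. */
static int ct_equal(const char *a, const char *b, size_t n) {
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* The seed enters RAM only after a correct PIN, in a scratch area that is
   wiped before returning. Returns a toy checksum (stand-in for signing),
   or -1 on a wrong PIN. */
int use_seed_hardened(const char *pin) {
    size_t plen = strlen(pin);
    if (plen != sizeof FLASH_PIN - 1 || !ct_equal(pin, FLASH_PIN, plen))
        return -1;
    uint8_t *scratch = ram + 128;
    memcpy(scratch, FLASH_SEED, sizeof FLASH_SEED);
    int sum = 0;
    for (size_t i = 0; i < sizeof FLASH_SEED - 1; i++)
        sum = (sum + scratch[i]) & 0xffff;
    secure_wipe(scratch, sizeof FLASH_SEED);
    return sum;
}

int main(void) {
    boot_legacy();
    printf("legacy boot, seed in RAM:   %d\n", ram_contains(FLASH_SEED));
    boot_hardened();
    printf("hardened boot, seed in RAM: %d\n", ram_contains(FLASH_SEED));
    int r = use_seed_hardened("48213");
    printf("unlock result: %d\n", r);
    printf("seed in RAM after use:      %d\n", ram_contains(FLASH_SEED));
    return 0;
}
```
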
