
Topic: Trezor Security Seal (Read 2528 times)

mjc
hero member
Activity: 588
Merit: 500
Available on Kindle
August 10, 2014, 08:39:03 PM
#25
Good point.   I may have to wait and see.   

The way this was run (specifically the attitude of the team towards its customer [excuse me the investor] base) I don't have much faith.  My gut tells me in a year there will be no place to use the Trezor, or the adoption will be dead to some other device.  I hope I'm wrong, we need something.


Are you going to the party?  They are throwing a party, but it's in Prague.  It's a customer appreciation party.  Seems more like a Trezor team party, come celebrate [the Trezor team] greatness.  If it was a customer party maybe they'd consider something that customers could actually participate in. 
legendary
Activity: 1456
Merit: 1001
This is the land of wolves now & you're not a wolf
August 07, 2014, 12:43:12 PM
#24
I look forward to your review.  I have not opened mine yet.  Still trying to determine if I want to.  I may just leave it in the box; if Trezor proves to be a valuable and trusted piece of Bitcoin then maybe holding a First Edition new in box will be valuable.  The fact that I paid for it a year and a half ago, and was berated by the staff for daring to ask for a refund after they were 6 months late and could provide no real date for delivery, I simply do not want to partake, nor do I trust them.  Call it a gut feeling based on the context of my interaction with them.

I hear ya on that for sure.   It is super frustrating when you order something that you are looking forward to, and then it gets super delayed.   Believe it or not, I ordered custom knives for my partner at my company (for Xmas last year), and the damn thing has yet to arrive.   I keep getting the run-around from the company about production delays, etc.   It's almost a joke at this point because it could be used for an Xmas present the following year.

I will let you know what I think after I receive it.   If I were you, if you want to use one...maybe just purchase another, and keep the first edition in the box (unopened).
mjc
hero member
Activity: 588
Merit: 500
Available on Kindle
August 07, 2014, 12:37:17 PM
#23
I look forward to your review.  I have not opened mine yet.  Still trying to determine if I want to.  I may just leave it in the box; if Trezor proves to be a valuable and trusted piece of Bitcoin then maybe holding a First Edition new in box will be valuable.  The fact that I paid for it a year and a half ago, and was berated by the staff for daring to ask for a refund after they were 6 months late and could provide no real date for delivery, I simply do not want to partake, nor do I trust them.  Call it a gut feeling based on the context of my interaction with them.
legendary
Activity: 1456
Merit: 1001
This is the land of wolves now & you're not a wolf
August 06, 2014, 10:04:22 PM
#22
I just purchased one a few days back, so I obviously don't have it yet.   I will report back on what I think about it.   I definitely think there will be a lot of competitors for these coming out in the future...
mjc
hero member
Activity: 588
Merit: 500
Available on Kindle
August 06, 2014, 08:06:31 PM
#21
They were exactly like BFL in so much as after missing their published delivery date they refused to give refunds.  They claimed in emails that we invested in them not purchased so they didn't have to abide by US law for US customers.  Yet the process of ordering was clear it was an order, the emails sent confirming stated order and before they took down the order site my order was listed as an order.

I received no dividends, I could not sell my investment.  Basically in their eyes I just gave them money to allow them to work.  I'm not sure they would do the same for the rest of us.
legendary
Activity: 826
Merit: 1002
amarha
August 04, 2014, 04:16:50 AM
#20
Haha, I don't blame the Trezor people for being a bit offended when being compared to BFL.

I think that was a bit of a low blow, no?

I think it looks like an excellent product. Something I would love to have when the cost of production comes down and it's mass produced cheaply.
newbie
Activity: 48
Merit: 0
August 04, 2014, 04:13:17 AM
#19
Here's an interesting presentation of a working Trezor at Security Session http://imgur.com/ZCMkgk1
legendary
Activity: 2646
Merit: 1137
All paid signature campaigns should be banned.
August 03, 2014, 06:59:01 PM
#18
almost bought a Trezor for 1 btc, when bitcoins were around $100
I'm glad I didn't
Trezors are going for .2 btc now from their site
0.2 x $587 = $117.4
It is interesting you are glad to pay more for it.
sr. member
Activity: 252
Merit: 250
August 03, 2014, 02:50:41 PM
#17
almost bought a Trezor for 1 btc, when bitcoins were around $100
I'm glad I didn't
Trezors are going for .2 btc now from their site
legendary
Activity: 2646
Merit: 1137
All paid signature campaigns should be banned.
August 03, 2014, 01:42:31 PM
#16
Anyone want to buy an unopened Trezor?
I will.  I already have five of them but I am planning on giving them away as Christmas presents.  How much?
cor
full member
Activity: 121
Merit: 100
August 03, 2014, 01:32:34 PM
#15
- That it has not been tampered with, and to that end they put a hologram sticker on the box, only on one end.

the security of TREZOR does not rely on a sticker, as explained above
 + http://doc.satoshilabs.com/trezor-user/basicsecurtyphilosophy.html
 + http://doc.satoshilabs.com/trezor-user/advanced_settings.html
 + http://doc.satoshilabs.com/trezor-tech/cryptography.html

I've followed the links but I still don't understand how a trezor is still secure when it has been intercepted on its way to the unknowing owner.

OK, someone might upload a changed firmware, but Trezor will show a warning (every time you run it) that there is an unofficial firmware. You should flash one that is signed by SatoshiLabs. We have a strict procedure for signing the firmware.
the bootloader is locked.

another scenario is that someone would send you a perfect copy of trezor. well then it is advised to buy from the official place and mind details like our hologram and if you have any doubt then contact our support. we have ways to see if your device is genuine. edit: without privacy intrusion of course
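An added example, not code from this post or from SatoshiLabs, of the kind of check the reply above describes: a bootloader keeps a pinned vendor public key and classifies any firmware image whose signature does not verify under it as unofficial, which is what drives the warning on every boot. It uses textbook ECDSA over secp256k1 implemented inline so it runs offline. The image layout (a `FWIM` magic, a length field, one 64-byte signature, then the payload), the nonce derivation, the key values and the function names are assumptions made for this example; the real Trezor image format and its multi-signature scheme are not reproduced here.

```python
"""Bootloader-style firmware signature check (added example, not Trezor code).

The device pins a vendor public key; an image is 'official' only if its
signature verifies under that key. Image layout, nonce derivation and keys
are assumptions for this example, not the real Trezor format.
"""
import hashlib
import struct

# secp256k1 domain parameters (public constants).
_P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
_G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
      0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def _add(p, q):
    """Affine point addition; None is the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2:
        if (y1 + y2) % _P == 0:
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, _P) % _P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, _P) % _P
    x3 = (lam * lam - x1 - x2) % _P
    return (x3, (lam * (x1 - x3) - y1) % _P)


def _mul(k, p):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    r = None
    while k:
        if k & 1:
            r = _add(r, p)
        p = _add(p, p)
        k >>= 1
    return r


def pubkey(priv):
    """Public point for a private scalar (1 < priv < _N)."""
    return _mul(priv, _G)


def sign(priv, digest):
    """ECDSA-sign a 32-byte digest. Nonce is derived from key and digest
    (an assumption standing in for RFC 6979) so signatures are repeatable."""
    z = int.from_bytes(digest, "big") % _N
    k = int.from_bytes(hashlib.sha256(priv.to_bytes(32, "big") + digest).digest(), "big") % _N or 1
    r = _mul(k, _G)[0] % _N
    s = pow(k, -1, _N) * (z + r * priv) % _N
    return r.to_bytes(32, "big") + s.to_bytes(32, "big")


def verify(pub, digest, sig):
    """Standard ECDSA verification of a 64-byte r||s signature."""
    r, s = int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:], "big")
    if not (0 < r < _N and 0 < s < _N):
        return False
    z = int.from_bytes(digest, "big") % _N
    w = pow(s, -1, _N)
    pt = _add(_mul(z * w % _N, _G), _mul(r * w % _N, pub))
    return pt is not None and pt[0] % _N == r


MAGIC = b"FWIM"  # assumed image magic for this example


def build_image(payload, priv=None):
    """Image = magic | u32 payload length | 64-byte sig (zeros if unsigned) | payload."""
    sig = sign(priv, hashlib.sha256(payload).digest()) if priv is not None else b"\0" * 64
    return MAGIC + struct.pack(">I", len(payload)) + sig + payload


def check_firmware(image, vendor_pub):
    """Return 'official', 'unofficial' or 'corrupt': the decision a bootloader
    makes before choosing whether to warn the user on every boot."""
    if len(image) < 72 or image[:4] != MAGIC:
        return "corrupt"
    (length,) = struct.unpack(">I", image[4:8])
    sig, payload = image[8:72], image[72:]
    if len(payload) != length:
        return "corrupt"
    digest = hashlib.sha256(payload).digest()
    return "official" if verify(vendor_pub, digest, sig) else "unofficial"


if __name__ == "__main__":
    vendor, attacker = 0xC0FFEE, 0xBADF00D  # constructed demo keys
    fw = b"constructed firmware payload"
    print(check_firmware(build_image(fw, vendor), pubkey(vendor)))    # official
    print(check_firmware(build_image(fw, attacker), pubkey(vendor)))  # unofficial
    print(check_firmware(build_image(fw), pubkey(vendor)))            # unofficial
```

The point the example makes is the one the reply makes: an attacker who intercepts the device can re-sign with their own key, but the pinned key on the device does not change, so their image verifies as nothing better than unofficial. What the example cannot show is the other half of the argument, the locked bootloader: if the check itself can be replaced, the pinned key goes with it, which is why the question on the next line of the thread (a perfect physical copy) is a different threat from a reflashed one.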
cor
full member
Activity: 121
Merit: 100
August 03, 2014, 07:10:11 AM
#14
I like the idea of a hardware wallet, but I'm underimpressed with the execution.  I'm less impressed with the fact that I have to use their site.  This means I have to recall a user name and password in order to use it anywhere else.  That renders it useless for someone who maintains a list of complex passwords.  So paying 1 BTC even at $130 is more costly than simply using MFA. 

They over-promised and under-delivered.


myTREZOR requires no usernames and passwords.

as said here http://satoshilabs.com/news/2014-01-20-mytrezor-web-wallet-coming-soon/

No registration and logins
No registration means that there is no profile to be hacked, no passwords to be stolen. No sensitive information is stored on MyTREZOR servers. All authentication is done exclusively by your TREZOR device.


cor
full member
Activity: 121
Merit: 100
August 03, 2014, 07:02:53 AM
#13
So I noticed that the bottom of the box doesn't have a seal on it.  So if someone opened the bottom and looked at the device, it is OK?  Maybe there is something magical about the top of the box versus the bottom.

Hi, I'm from the TREZOR Team.


the original plan was to have a box that would only have one side opening (the bottom some x-crossed-over system that closes when folded). But the results were not good for the small size, so our producer came up with THAT glue that forces you to practically destroy the box in order to access its contents. We had already had the holograms produced and the printing of boxes with that text was running, so we decided to use them anyway, at least as a "genuine Trezor" sticker. I hope you're not that much bothered by it.
also, the plastic cases are molded together with ultrasound technology. if someone wanted to open and replace internals  and put together - impossible without noticing. we could go more into other scenarios but they have been largely discussed in the TREZOR forum


Look I realize this is just oversight and I'm having a little fun at their expense.  But, we have been asked to trust this team with the following:
- Their ability to deliver (they did but 10 months late)
- Originally we were told it would interface with existing wallets, but in the end it only interfaces with their online wallet.
- That it has not been tampered with, and to that end they put a hologram sticker on the box, only on one end.
- That this thing will keep our Bitcoins safe

- Their ability to deliver (they did but 10 months late)


that's true. but this was not caused by our greed, wanting to screw people or our laziness. we've had issues with our first supplier + our developers did a HUGE stack of work on top of the original plans. Work that is PUBLIC, OPENSOURCE, that the entire (and not only) bitcoin world will profit from.

We are working on making bitcoin secure for everybody. BFL collected money, mined on other people's hw and then shipped it when it was not profitable for the client anymore. Can you see ANY similarity between the two except for the delay?

- Originally we were told it would interface with existing wallets, but in the end it only interfaces with their online wallet.


copypasted from somewhere else:

What wallets support Trezor?
myTREZOR (our login-free web wallet)
Electrum (currently there's Electrum fork, but devs confirmed that they'll accept it to Electrum's mainline).
Multibit HD confirmed their work, they already have some integration done.
Armory devs confirmed their work on Trezor integration
GreenAddress.it has already some integration done (see https://twitter.com/GreenAddress/status/479939415088062464)
Wallet32 Android app confirmed their work on Trezor integration
Blockchain.info raised their interest in Trezor as well, although we're in early stage there.


- That it has not been tampered with, and to that end they put a hologram sticker on the box, only on one end.

the security of TREZOR does not rely on a sticker, as explained above
 + http://doc.satoshilabs.com/trezor-user/basicsecurtyphilosophy.html
 + http://doc.satoshilabs.com/trezor-user/advanced_settings.html
 + http://doc.satoshilabs.com/trezor-tech/cryptography.html

 
legendary
Activity: 1008
Merit: 1001
Let the chips fall where they may.
August 02, 2014, 12:37:14 AM
#12
I like the idea of a hardware wallet, but I'm underimpressed with the execution.  I'm less impressed with the fact that I have to use their site. This means I have to recall a user name and password in order to use it anywhere else.  That renders it useless for someone who maintains a list of complex passwords.  So paying 1 BTC even at $130 is more costly than simply using MFA. 
Bold mine.

If you are relying on a third-party website, why not just have a blockchain.info wallet?

Unless I misunderstood the comment.

Actually, blockchain.info may be superior, in that you don't need the website if you find a wallet that will still import their keys.

mjc
hero member
Activity: 588
Merit: 500
Available on Kindle
August 01, 2014, 08:44:46 PM
#11
Here's the real deal.  I don't care that much.  I certainly am not worried that mine was tampered with, that was never a concern.  The thought of the NSA interfering is hogwash, they have already backdoored AES, why do they need to do anything more.

However, anyone buying one online from someone that states still sealed, is putting their BTC at risk.  If there was no security seal then I would be warning people to not buy them from someone other than Trezor.

I like the idea of a hardware wallet, but I'm underimpressed with the execution.  I'm less impressed with the fact that I have to use their site.  This means I have to recall a user name and password in order to use it anywhere else.  That renders it useless for someone who maintains a list of complex passwords.  So paying 1 BTC even at $130 is more costly than simply using MFA. 

They over-promised and under-delivered.




legendary
Activity: 1456
Merit: 1001
This is the land of wolves now & you're not a wolf
August 01, 2014, 05:42:09 PM
#10
That was my point.  It was stupid to only put one seal on it.  It was an oversight and not well thought out.   As a software developer / designer and now Pen Tester, I'm concerned when I see a series of oversights.  It usually means there are flaws in the software.  Just my personal observation from hundreds of application reviews.

Is this why other wallets cannot, will not or chose not to integrate?  All speculation.  

You will see this one on eBay shortly.  Or if anyone here wants let me know.  I'm sure my sales pitch is doing the price wonders.

I agree...that makes it seem sketchy.   It would have been better for peace of mind for the one to not have been there at all, because then you probably wouldn't have even been thinking about that...
mjc
hero member
Activity: 588
Merit: 500
Available on Kindle
August 01, 2014, 03:39:12 PM
#9
I have to say that holograms aren't really any sort of security,

my theory and i think what mjc is saying is that although the seal is not much security. but the lack of smarts to seal both ends for 'authenticity' or the 'perception' of security's sake, is a lapse of judgement or laziness, which can lead many to wonder what other lapses of judgement they may have had.

for instance having a web browser plugin, i see possible flaws. having the trezor USB linked to the computer, i can see flaws. the communications between the two i can see flaws.

so a well made trojan "could" (i said could meaning not impossible just improbable, but still could happen) .. could exploit one of the flaws.


Right on my friend.  You nailed it and then you expanded on it. 
mjc
hero member
Activity: 588
Merit: 500
Available on Kindle
August 01, 2014, 03:38:06 PM
#8
When they are ready, do you know what the price will be?

As a pen tester I find I look at everything, looking for the vulnerabilities.  I guess what I need to do is open it up and explore a little bit.  Lets see what we can find.  :-)
legendary
Activity: 4424
Merit: 4794
August 01, 2014, 03:35:46 PM
#7
I have to say that holograms aren't really any sort of security,

my theory and i think what mjc is saying is that although the seal is not much security. but the lack of smarts to seal both ends for 'authenticity' or the 'perception' of security's sake, is a lapse of judgement or laziness, which can lead many to wonder what other lapses of judgement they may have had.

for instance having a web browser plugin, i see possible flaws. having the trezor USB linked to the computer, i can see flaws. the communications between the two i can see flaws.

so a well made trojan "could" (i said could meaning not impossible just improbable, but still could happen) .. could exploit one of the flaws.
legendary
Activity: 1204
Merit: 1002
RUM AND CARROTS: A PIRATE LIFE FOR ME
August 01, 2014, 03:25:57 PM
#6
That was my point.  It was stupid to only put one seal on it.  It was an oversight and not well thought out.   As a software developer / designer and now Pen Tester, I'm concerned when I see a series of oversights.  It usually means there are flaws in the software.  Just my personal observation from hundreds of application reviews.

Is this why other wallets cannot, will not or chose not to integrate?  All speculation.   

You will see this one on eBay shortly.  Or if anyone here wants let me know.  I'm sure my sales pitch is doing the price wonders.

As a person who is developing a cold storage device (www.aeternum.in have a look it's the most beautiful bitcoin device ever!) I have to say that holograms aren't really any sort of security, at least a hologram of this level. Any holographic printer will print them up for you that look 'good enough' for cheap. If you're paranoid about the sticker- think about this: any attacker could have just torn the box open, reprinted a new one and glued you back together an entirely remade case. You would be none the wiser. Remember the CIA/NSA actually intercepts your new computer while being shipped to remanufacture it with spy chips inside.

That said, the glue on the box is nasty strong and it's hard to open without ripping it up. So just hope for an attacker clever enough to roll their own firmware yet not so smart as to go to a print shop centerum and have them just print up a new box and order a hologram online. :-)