Bitcoin Forum

Bitcoin => Hardware wallets => Topic started by: mjc on August 01, 2014, 07:15:20 PM



Title: Trezor Security Seal
Post by: mjc on August 01, 2014, 07:15:20 PM
I just received my Trezor in the mail. To their credit they beat BFL by about 30-60 days in length of delay (slightly shorter than BFL).  That's not really what I'm wanting to write about.

I noticed that the box has a security seal on it, with a warning to not open unless the sticker is intact.  So it must be a problem if someone else has opened the box and reviewed the contents, tampered with the device, or whatever.  

So I noticed that the bottom of the box doesn't have a seal on it.  So if someone opened the bottom and looked at the device, it is OK?  Maybe there is something magical about the top of the box versus the bottom.

Look I realize this is just oversight and I'm having a little fun at their expense.  But, we have been asked to trust this team with the following:
- Their ability to deliver (they did but 10 months late)
- Originally we were told it would interface with existing wallets, but in the end it only interfaces with their online wallet.
- That it has not been tampered with, and to that end they put a hologram sticker on the box, only on one end.
- That this thing will keep our Bitcoins safe

Anyone want to buy an unopened Trezor?


Title: Re: Trezor Security Seal
Post by: franky1 on August 01, 2014, 07:34:10 PM
from the videos i seen there is only one security seal which is only at one end, so i would deem it safe.

it's glued together anyways. and if there was a seal that had been removed it would have left a VOID partial sticker there.


Title: Re: Trezor Security Seal
Post by: mjc on August 01, 2014, 07:42:02 PM
from the videos i seen there is only one security seal which is only at one end, so i would deem it safe.


Is that sarcasm?  That's like saying the front door of my house is locked, has video cameras and a security guard.  The back door is shut (but not guarded or locked).  So it's safe.

Glue on a box is easy to bypass.  Hair dryer or steam should work.  Then apply a little back, re-shrink-wrap it.



Title: Re: Trezor Security Seal
Post by: franky1 on August 01, 2014, 07:47:07 PM
all i mean was for the OP to not expect there to have been a second seal.. and to not fear that it HAD been compromised by there not being a seal... again there is only supposed to be one seal (nothing is missing) so it does not mean for sure that it has been compromised. though i agree, i think it's stupid to only seal one end..


Title: Re: Trezor Security Seal
Post by: mjc on August 01, 2014, 07:55:03 PM
That was my point.  It was stupid to only put one seal on it.  It was an oversight and not well thought out.   As a software developer / designer and now Pen Tester, I'm concerned when I see a series of oversights.  It usually means there are flaws in the software.  Just my personal observation from hundreds of application reviews.

Is this why other wallets cannot, will not or chose not to integrate?  All speculation.  

You will see this one on eBay shortly.  Or if anyone here wants let me know.  I'm sure my sales pitch is doing the price wonders.


Title: Re: Trezor Security Seal
Post by: crazy_rabbit on August 01, 2014, 08:25:57 PM
That was my point.  It was stupid to only put one seal on it.  It was an oversight and not well thought out.   As a software developer / designer and now Pen Tester, I'm concerned when I see a series of oversights.  It usually means there are flaws in the software.  Just my personal observation from hundreds of application reviews.

Is this why other wallets cannot, will not or chose not to integrate?  All speculation.   

You will see this one on eBay shortly.  Or if anyone here wants let me know.  I'm sure my sales pitch is doing the price wonders.

As a person who is developing a coldstorage device (www.aeternum.in have a look it's the most beautiful bitcoin device ever!) I have to say that holograms aren't really any sort of security, at least a hologram of this level. Any holographic printer will print them up for you that look 'good enough' for cheap. If you're paranoid about the sticker- think about this: any attacker could have just torn the box open, reprinted a new one and glued you back together an entirely remade case. You would be none the wiser. Remember the CIA/NSA actually intercepts your new computer while being shipped to remanufacture it with spy chips inside.

That said, the glue on the box is nasty strong and it's hard to open without ripping it up. So just hope for an attacker clever enough to roll their own firmware yet not so smart as to go to a print shop centerum and have them just print up a new box and order a hologram online. :-)


Title: Re: Trezor Security Seal
Post by: franky1 on August 01, 2014, 08:35:46 PM
I have to say that holograms aren't really any sort of security,

my theory and i think what mjc is saying is that although the seal is not much security. but the lack of smarts to seal both ends for 'authenticity' or the 'perception' of security's sake, is a lapse of judgement or laziness, which can lead many to wonder what other lapses of judgement they may have had.

for instance having a web browser plugin, i see possible flaws. having the trezor USB linked to the computer, i can see flaws. the communications between the two i can see flaws.

so a well made trojan "could" (i said could meaning not impossible just improbable, but still could happen) .. could exploit one of the flaws.


Title: Re: Trezor Security Seal
Post by: mjc on August 01, 2014, 08:38:06 PM
When they are ready, do you know what the price will be?

As a pen tester I find I look at everything, looking for the vulnerabilities.  I guess what I need to do is open it up and explore a little bit.  Let's see what we can find.  :-)


Title: Re: Trezor Security Seal
Post by: mjc on August 01, 2014, 08:39:12 PM
I have to say that holograms aren't really any sort of security,

my theory and i think what mjc is saying is that although the seal is not much security. but the lack of smarts to seal both ends for 'authenticity' or the 'perception' of security's sake, is a lapse of judgement or laziness, which can lead many to wonder what other lapses of judgement they may have had.

for instance having a web browser plugin, i see possible flaws. having the trezor USB linked to the computer, i can see flaws. the communications between the two i can see flaws.

so a well made trojan "could" (i said could meaning not impossible just improbable, but still could happen) .. could exploit one of the flaws.


Right on my friend.  You nailed it and then you expanded on it. 


Title: Re: Trezor Security Seal
Post by: keithers on August 01, 2014, 10:42:09 PM
That was my point.  It was stupid to only put one seal on it.  It was an oversight and not well thought out.   As a software developer / designer and now Pen Tester, I'm concerned when I see a series of oversights.  It usually means there are flaws in the software.  Just my personal observation from hundreds of application reviews.

Is this why other wallets cannot, will not or chose not to integrate?  All speculation.  

You will see this one on eBay shortly.  Or if anyone here wants let me know.  I'm sure my sales pitch is doing the price wonders.

I agree...that makes it seem sketchy.   It would have been better for peace of mind for the one to not have been there at all, because then you probably wouldn't have even been thinking about that...


Title: Re: Trezor Security Seal
Post by: mjc on August 02, 2014, 01:44:46 AM
Here's the real deal.  I don't care that much.  I certainly am not worried that mine was tampered with, that was never a concern.  The thought of the NSA interfering is hogwash; they have already backdoored AES, why do they need to do anything more? <grin/>

However, anyone buying one online from someone that states still sealed, is putting their BTC at risk.  If there was no security seal then I would be warning people to not buy them from someone other than Trezor.

I like the idea of a hardware wallet, but I'm underimpressed with the execution.  I'm less impressed with the fact that I have to use their site.  This means I have to recall a user name and password in order to use it anywhere else.  That renders it useless for someone who maintains a list of complex passwords.  So paying 1 BTC even at $130 is more costly than simply using MFA. 

They over-promised and under-delivered.






Title: Re: Trezor Security Seal
Post by: phillipsjk on August 02, 2014, 05:37:14 AM
I like the idea of a hardware wallet, but I'm underimpressed with the execution.  I'm less impressed with the fact that I have to use their site. This means I have to recall a user name and password in order to use it anywhere else.  That renders it useless for someone who maintains a list of complex passwords.  So paying 1 BTC even at $130 is more costly than simply using MFA. 
Bold mine.

If you are relying on a third-party website, why not just have a blockchain.info wallet?

Unless I misunderstood the comment.

Actually, blockchain.info may be superior, in that you don't need the website if you find a wallet that will still import their keys.



Title: Re: Trezor Security Seal
Post by: cor on August 03, 2014, 12:02:53 PM
So I noticed that the bottom of the box doesn't have a seal on it.  So if someone opened the bottom and looked at the device, it is OK?  Maybe there is something magical about the top of the box versus the bottom.

Hi, I'm from the TREZOR Team.


the original plan was to have a box that would only have one side opening (the bottom some x-crossed-over system that closes when folded). But the results were not good for the small size so our producer came up with THAT glue that forces you to practically destroy the box in order to access its contents. we've had the holograms produced, the printing of boxes with that text was running so we decided to use them anyway, at least as a "genuine Trezor" sticker. I hope you're not that much bothered by it.
also, the plastic cases are molded together with ultrasound technology. if someone wanted to open and replace internals and put together - impossible without noticing. we could go more into other scenarios but they have been largely discussed in the TREZOR forum


Look I realize this is just oversight and I'm having a little fun at their expense.  But, we have been asked to trust this team with the following:
- Their ability to deliver (they did but 10 months late)
- Originally we were told it would interface with existing wallets, but in the end it only interfaces with their online wallet.
- That it has not been tampered with, and to that end they put a hologram sticker on the box, only on one end.
- That this thing will keep our Bitcoins safe

- Their ability to deliver (they did but 10 months late)


that's true. but this was not caused by our greed, wanting to screw people or our laziness. we've had issues with our first supplier + our developers did a HUGE stack of work on top of the original plans. Work that is PUBLIC, OPENSOURCE, that the entire (and not only) bitcoin world will profit from.

We are working on making bitcoin secure for everybody. BFL collected money, mined on other people's hw and then shipped it when it was not profitable for the client anymore. Can you see ANY similarity between the two except for the delay?

- Originally we were told it would interface with existing wallets, but in the end it only interfaces with their online wallet.


copypasted from somewhere else:

What wallets support Trezor?
myTREZOR (our login-free web wallet)
Electrum (currently there's Electrum fork, but devs confirmed that they'll accept it to Electrum's mainline).
Multibit HD confirmed their work, they already have some integration done.
Armory devs confirmed their work on Trezor integration
GreenAddress.it has already some integration done (see https://twitter.com/GreenAddress/status/479939415088062464)
Wallet32 Android app confirmed their work on Trezor integration
Blockchain.info raised their interest in Trezor as well, although we're in early stage there.


- That it has not been tampered with, and to that end they put a hologram sticker on the box, only on one end.

the security of TREZOR does not rely on a sticker, as explained above
 + http://doc.satoshilabs.com/trezor-user/basicsecurtyphilosophy.html
 + http://doc.satoshilabs.com/trezor-user/advanced_settings.html
 + http://doc.satoshilabs.com/trezor-tech/cryptography.html

 


Title: Re: Trezor Security Seal
Post by: cor on August 03, 2014, 12:10:11 PM
I like the idea of a hardware wallet, but I'm underimpressed with the execution.  I'm less impressed with the fact that I have to use their site.  This means I have to recall a user name and password in order to use it anywhere else.  That renders it useless for someone who maintains a list of complex passwords.  So paying 1 BTC even at $130 is more costly than simply using MFA. 

They over-promised and under-delivered.


myTREZOR requires no usernames and passwords.

as said here http://satoshilabs.com/news/2014-01-20-mytrezor-web-wallet-coming-soon/

No registration and logins
No registration means that there is no profile to be hacked, no passwords to be stolen. No sensitive information are stored on MyTREZOR servers. All authentication is done exclusively by your TREZOR device.




Title: Re: Trezor Security Seal
Post by: cor on August 03, 2014, 06:32:34 PM
- That it has not been tampered with, and to that end they put a hologram sticker on the box, only on one end.

the security of TREZOR does not rely on a sticker, as explained above
 + http://doc.satoshilabs.com/trezor-user/basicsecurtyphilosophy.html
 + http://doc.satoshilabs.com/trezor-user/advanced_settings.html
 + http://doc.satoshilabs.com/trezor-tech/cryptography.html

I've followed the links but I still don't understand how a trezor is still secure when it has been intercepted on its way to the unknowing owner.

OK, someone might upload a changed firmware.. but Trezor will show a warning (every time you run it) that there is an unofficial firmware. You should flash one that is signed by SatoshiLabs. we have a strict procedure of signing the firmware.
the bootloader is locked.

another scenario is that someone would send you a perfect copy of trezor. well then it is advised to buy from the official place and mind details like our hologram and if you have any doubt then contact our support. we have ways to see if your device is genuine. edit: without privacy intrusion of course

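As an added illustration of the check cor describes (this is example code written for this thread, not SatoshiLabs' bootloader or firmware): a vendor public key pinned in a locked bootloader decides at every boot whether the flashed image is official, and anything else keeps producing the warning until a vendor-signed image is flashed back. Ed25519, the `FirmwareImage` layout, the key names and the messages are assumptions for the example, not the device's real scheme.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// FirmwareImage is a constructed layout for this example: the body plus the
// vendor's signature over its SHA-256 digest (not the device's real format).
type FirmwareImage struct {
	Body      []byte
	Signature []byte
}

// Bootloader carries the vendor public key pinned at manufacture. "Locked"
// means whoever flashes firmware cannot replace this key alongside the image.
type Bootloader struct {
	VendorKey ed25519.PublicKey
}

// Sign is the vendor's release step; the private key never leaves the vendor.
func Sign(priv ed25519.PrivateKey, body []byte) FirmwareImage {
	digest := sha256.Sum256(body)
	return FirmwareImage{Body: body, Signature: ed25519.Sign(priv, digest[:])}
}

// IsOfficial reports whether the image verifies under the pinned vendor key.
func (b Bootloader) IsOfficial(img FirmwareImage) bool {
	digest := sha256.Sum256(img.Body)
	return ed25519.Verify(b.VendorKey, digest[:], img.Signature)
}

// Boot runs on every power-on, so a replaced firmware keeps warning until a
// vendor-signed image is flashed back. Returns the verdict and the message shown.
func (b Bootloader) Boot(img FirmwareImage) (bool, string) {
	if b.IsOfficial(img) {
		return true, "firmware signature OK"
	}
	return false, "WARNING: unofficial firmware, reflash a vendor-signed image"
}

func main() {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	bl := Bootloader{VendorKey: vendorPub}

	official := Sign(vendorPriv, []byte("constructed official firmware v1"))
	fmt.Println(bl.Boot(official))

	// Body modified after signing: the digest changes, so the signature fails.
	patched := FirmwareImage{Body: append([]byte("X"), official.Body[1:]...), Signature: official.Signature}
	fmt.Println(bl.Boot(patched))

	// Image signed by a key that is not the pinned vendor key: also rejected.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println(bl.Boot(Sign(otherPriv, official.Body)))
}
```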

Title: Re: Trezor Security Seal
Post by: BurtW on August 03, 2014, 06:42:31 PM
Anyone want to buy an unopened Trezor?
I will.  I already have five of them but I am planning on giving them away as Christmas presents.  How much?


Title: Re: Trezor Security Seal
Post by: waldox on August 03, 2014, 07:50:41 PM
almost bought a Trezor for 1 btc, when bitcoins were around $100
I'm glad I didn't
Trezors are going for .2 btc now from their site


Title: Re: Trezor Security Seal
Post by: BurtW on August 03, 2014, 11:59:01 PM
almost bought a Trezor for 1 btc, when bitcoins were around $100
I'm glad I didn't
Trezors are going for .2 btc now from their site
0.2 x $587 = $117.4
It is interesting you are glad to pay more for it.


Title: Re: Trezor Security Seal
Post by: Riniaiokl on August 04, 2014, 09:13:17 AM
Here's an interesting presentation of a working Trezor at Security Session http://imgur.com/ZCMkgk1


Title: Re: Trezor Security Seal
Post by: Este Nuno on August 04, 2014, 09:16:50 AM
Haha, I don't blame the Trezor people for being a bit offended when being compared to BFL. :P

I think that was a bit of a low blow, no?

I think it looks like an excellent product. Something I would love to have when the cost of production comes down and it's mass produced cheaply.


Title: Re: Trezor Security Seal
Post by: mjc on August 07, 2014, 01:06:31 AM
They were exactly like BFL in so much as after missing their published delivery date they refused to give refunds.  They claimed in emails that we invested in them not purchased so they didn't have to abide by US law for US customers.  Yet the process of ordering was clear it was an order, the emails sent confirming stated order and before they took down the order site my order was listed as an order.

I received no dividends, I could not sell my investment.  Basically in their eyes I just gave them money to allow them to work.  I'm not sure they would do the same for the rest of us.


Title: Re: Trezor Security Seal
Post by: keithers on August 07, 2014, 03:04:22 AM
I just purchased one a few days back, so I obviously don't have it yet.   I will report back on what I think about it.   I definitely think there will be a lot of competitors for these coming out in the future...


Title: Re: Trezor Security Seal
Post by: mjc on August 07, 2014, 05:37:17 PM
I look forward to your review.  I have not opened mine yet.  Still trying to determine if I want to.  I may just leave it in the box; if Trezor proves to be a valuable and trusted piece of Bitcoin then maybe holding a First Edition new in box will be valuable.  The fact that I paid for it a year and a half ago, and was berated by the staff for daring to ask for a refund after they were 6 months late and could provide no real date for delivery, I simply do not want to partake, nor do I trust them.  Call it a gut feeling based on the context of my interaction with them.


Title: Re: Trezor Security Seal
Post by: keithers on August 07, 2014, 05:43:12 PM
I look forward to your review.  I have not opened mine yet.  Still trying to determine if I want to.  I may just leave it in the box; if Trezor proves to be a valuable and trusted piece of Bitcoin then maybe holding a First Edition new in box will be valuable.  The fact that I paid for it a year and a half ago, and was berated by the staff for daring to ask for a refund after they were 6 months late and could provide no real date for delivery, I simply do not want to partake, nor do I trust them.  Call it a gut feeling based on the context of my interaction with them.

I hear ya on that for sure.   It is super frustrating when you order something that you are looking forward to, and then it gets super delayed.   Believe it or not, I ordered custom knives for my partner at my company (for Xmas last year), and the damn thing has yet to arrive.   I keep getting the run-around from the company about production delays, etc.   It's almost a joke at this point because it could be used for an Xmas present the following year.

I will let you know what I think after I receive it.   If I were you, if you want to use one...maybe just purchase another, and keep the first edition in the box (unopened).


Title: Re: Trezor Security Seal
Post by: mjc on August 11, 2014, 01:39:03 AM
Good point.   I may have to wait and see.   

The way this was run (specifically the attitude of the team towards its customer [excuse me the investor] base) I don't have much faith.  My gut tells me in a year there will be no place to use the Trezor, or the adoption will be dead to some other device.  I hope I'm wrong, we need something.


Are you going to the party?  They are throwing a party, but it's in Prague.  It's a customer appreciation party.  Seems more like a Trezor team party, come celebrate [the Trezor team's] greatness.  If it was a customer party maybe they'd consider something that customers could actually participate in.