Bitcoin Forum

Trezor's new update requires users to confirm their password on the device screen after entering it.  I downloaded the new bitcoin-only firmware and its slick!

Paste from Trezor's site:

We have just launched our latest firmware updates for the Trezor Model T (firmware 2.3.3) and the Trezor Model One (firmware version 1.9.3). These updates are not mandatory but it is still recommended that you update your device, as the latest updates contain a security improvement related to how you use your passphrase. Read on for more information about this and other enhancements.

Passphrase

For both Trezor device models, we have improved the passphrase feature to take advantage of Trezor’s on-device confirmation. This offsets a previously known issue, reducing the chance of a host substituting a different
passphrase.

In such a hypothetical scenario, malware could direct you to a wallet obscured by a passphrase that you don’t actually know, and lock your funds there until you pay a ransom.

Now instead, you will be prompted by a warning on your Trezor screen that your passphrase will be shown, so you can make sure no-one is looking over your shoulder before you display it. Afterward, you will be able to check your passphrase on the screen of the device.

End of Paste

It seems like Trezor is bringing out one hotfix after another.
To me, it seems like the device is broken itself, but kept together with patches.

I mean.. it works.. but it's not how it is supposed to be. A new generation device is needed IMO.

It's like anything... OSes, applications, even hardware... people keep poking at them, sooner or later, someone will find a "hole"... At least Trezor are actively working to fix issues as they are notified. I hope they are also actively working on finding the issues themselves, rather than relying on "responsible disclosure"...

But I get what you're saying... that lucky coin and some waterproof paper are starting to look better and better again ;)

Are such easy solutions considered final solutions to the problem or do they have a long-term plan for such problems? Many times they resort to the easy solution.
Also, I think that there have been a lot of updates recently, the many updates are good, but they give a negative indication that the system is incomplete and it is possible to find many loopholes.

It is better for them to wait and launch a new generation or integrated updates, especially as the confidence index continues to decline.

I see all the attention with numerous updates as a good thing.  In my world "open source" tools are the way to go in the long run.  Examining this last update as an example.  This "attack" was a theory only, never even noticed/tried in the wild, not ever against any hardware wallet.  When you hear about this and don't think it through, it appears that the Trezor device is being bombarded.  That is GOOD because millions of the best coders hammering away on every little aspect of the device is FAR FAR better than a closed source device where users simply have to trust the maker of the device.  Those too have the best coders hammering away on them but that may just be for nefarious reasons, we will never know.  If a hole is found (trust me there are holes) the white hat community may never learn of it until its wayyyyyyy too late and coins go missing from many wallets.  None of the recent updates had any impact on me or on my operations with coins.  I cannot state more strongly how OPPOSED to closed source I will forever be.

That goes both ways brother. There are people working on correcting the code and bugs to make it better, while others are working on solutions to empty our wallets. If/when a major vulnerability is found it's all down to luck: Will that vulnerability be found by a hacker or someone with good intentions?

That is both a pro and a con of open-source software. I agree, of course, that open-source is much better than closed-source, but it still a point worth remembering.