Bitcoin Forum
Topic: [ESHOP launched] Trezor: Bitcoin hardware wallet
Valzador
August 20, 2014, 08:09:46 AM
 #2441

Yay I got my Trezor today!!!  Wink Wink

It's sort of scary knowing that your recovery seed holds all your bitcoins.
stick
August 20, 2014, 08:49:27 AM
 #2442

but how will the client get the correct hash to compare to, and how will he compute the hash of the downloaded copy, on an untrusted machine (which is the assumption that justifies using a Trezor)?

We'd like to have each firmware release (and its hash) signed by an independent set of people. Quite a few people already contacted us wanting to do that, but we are not yet there. The building and signing process is documented here: https://github.com/trezor/trezor-mcu -- but we need to prepare the place where people will upload their signatures so we can show them in the Firmware Update dialog.

myTREZOR and TREZOR already show a hash of uploaded firmware, this signing process is just to justify the hash legitimacy and to prove that the provided firmware was indeed built from the provided source code.
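
The check described in the post above (a firmware hash vouched for by independent builders of a deterministic build), sketched as an added example that is not part of the thread and is not Trezor's code. It assumes each attestation's signature has already been verified and that the script runs on a machine the user trusts; the builder names, the `builder sha256hex` line format and the quorum-with-no-dissent policy are hypothetical.

```python
import hashlib
from collections import defaultdict

QUORUM = 3  # assumed policy, echoing the thread's "3 of 5" discussion


def firmware_fingerprint(image: bytes) -> str:
    """SHA-256 of the firmware image as lowercase hex."""
    return hashlib.sha256(image).hexdigest()


def parse_attestations(text: str) -> dict:
    """Parse 'builder sha256hex' lines into builder -> set of claimed digests."""
    claims = defaultdict(set)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"malformed attestation line: {line!r}")
        builder, digest = parts[0], parts[1].lower()
        if len(digest) != 64 or set(digest) - set("0123456789abcdef"):
            raise ValueError(f"not a SHA-256 hex digest: {digest!r}")
        claims[builder].add(digest)
    return dict(claims)


def check_release(image: bytes, attestations: str, quorum: int = QUORUM) -> dict:
    """Compare a downloaded image with digests from independent builders."""
    actual = firmware_fingerprint(image)
    claims = parse_attestations(attestations)
    # One vote per builder; a builder who published two different digests
    # for the same release gets no vote at all.
    matching = sorted(b for b, d in claims.items() if d == {actual})
    equivocating = sorted(b for b, d in claims.items() if len(d) > 1)
    dissenting = sorted(b for b, d in claims.items()
                        if len(d) == 1 and d != {actual})
    return {
        "digest": actual,
        "matching": matching,
        "dissenting": dissenting,
        "equivocating": equivocating,
        # Assumed policy: a quorum must agree AND nobody may disagree, since
        # one honest builder reporting a different digest is the alarm.
        "accept": len(matching) >= quorum and not dissenting and not equivocating,
    }


# Constructed sample data: stand-in byte strings, not real firmware.
GOOD = b"constructed firmware image built from the published source"
TAMPERED = GOOD + b" plus code that is not in the repository"
BUILDERS = ["alice", "bob", "carol", "dave", "erin"]  # hypothetical builders
ATTESTATIONS = "\n".join(f"{b} {firmware_fingerprint(GOOD)}" for b in BUILDERS)

if __name__ == "__main__":
    for name, image in (("good", GOOD), ("tampered", TAMPERED)):
        result = check_release(image, ATTESTATIONS)
        print(name, result["accept"], result["matching"], result["dissenting"])
```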

JorgeStolfi
August 20, 2014, 09:22:05 AM
 #2443

A malicious manufacturer can distribute firmware that, instead of using truly random seeds,  chooses seeds from a very small set.

This would be visible in the firmware source. [ ... ] With deterministic build, everybody can check the firmware. That does not mean that everybody HAS to. If 3 of 5 decided to sign something malicious, then the rest of the guys would be whistle-blowing and everybody would know. [ ... ] I was talking about proving that there is a backdoor. As I argued above, if there is one, you should be able to find it in the open-source code. It should be easy to prove.

There is a firmware source posted on github.  There is a firmware binary in each client's Trezor.  Note the indefinite articles.  Can you see the problem now?

Come on guys, this vulnerability is not my entry for the Nobel Prize, it is an absolutely trivial and well-known observation.  If someone can get a malicious version of the firmware signed, he can easily trick many clients into installing it.

Hackers can even trick many users into installing an unsigned malicious version of the firmware and re-entering the recovery seeds.  Do I have to spell out the details?

As for it being single-purpose hence simple, I have seen several posts here requesting all sorts of features and support for things other than bitcoin.  I bet that the full source will soon have hundreds of thousands of lines of code.  (The Brazilian electronic voting machine, which does not even connect to the internet, has over a million lines of C/C++ source code, not counting the operating system.)

Trezor now has 16500 lines of code in *.c files and another 7000 in *.h files. This is a total for bootloader, firmware and I might have included some testing and GUI code as well, that is not on the device so it is even less. And this includes many features discussed here that are not yet released. I don't see it getting to 100000 any time soon. Provided that some code is imported from other open source libraries, the Trezor code itself is even smaller.

We will see in a couple of years.   Judging by the mood of this thread, the Trezor will soon be storing your gaming site passwords, your calorie counts, your dog's gym workout schedule, ...

(The Brazilian voting machine software was very small at the beginning, too.)

Meanwhile, how long do you think it would take for one person to review 20'000 lines of code and make sure that it has no weaknesses (like a broken random number generator, or a line somewhere that sticks the private key into the signed transaction that is sent out to the infected computer)?

I asked earlier whether the hardware has some sort of memory protection that would prevent one function from accessing data areas of an unrelated function, but got no answer.  If it doesn't, the dog workout code will have access to the bitcoin private keys; therefore that code, and every modification to it, must be verified with the same care that is spent on the bitcoin code proper.  Worse still if the firmware can modify itself.

Academic interest in bitcoin only. Not owner, not trader, very skeptical of its longterm success.
btchip
CTO, Ledger
August 20, 2014, 09:34:31 AM
 #2444

Yup, clearly, a connected device will never reach paper wallet security

until you want to spend it  Kiss

(that should be a new meme ...)

klokan
August 20, 2014, 09:40:51 AM
 #2445

A malicious manufacturer can distribute firmware that, instead of using truly random seeds,  chooses seeds from a very small set.

This would be visible in the firmware source. [ ... ] With deterministic build, everybody can check the firmware. That does not mean that everybody HAS to. If 3 of 5 decided to sign something malicious, then the rest of the guys would be whistle-blowing and everybody would know. [ ... ] I was talking about proving that there is a backdoor. As I argued above, if there is one, you should be able to find it in the open-source code. It should be easy to prove.

There is a firmware source posted on github.  There is a firmware binary in each client's Trezor.  Note the indefinite articles.  Can you see the problem now?

Come on guys, this vulnerability is not my entry for the Nobel Prize, it is an absolutely trivial and well-known observation.  If someone can get a malicious version of the firmware signed, he can easily trick many clients into installing it.

Hackers can even trick many users into installing an unsigned malicious version of the firmware and re-entering the recovery seeds.  Do I have to spell out the details?

As for it being single-purpose hence simple, I have seen several posts here requesting all sorts of features and support for things other than bitcoin.  I bet that the full source will soon have hundreds of thousands of lines of code.  (The Brazilian electronic voting machine, which does not even connect to the internet, has over a million lines of C/C++ source code, not counting the operating system.)

Trezor now has 16500 lines of code in *.c files and another 7000 in *.h files. This is a total for bootloader, firmware and I might have included some testing and GUI code as well, that is not on the device so it is even less. And this includes many features discussed here that are not yet released. I don't see it getting to 100000 any time soon. Provided that some code is imported from other open source libraries, the Trezor code itself is even smaller.

We will see in a couple of years.   Judging by the mood of this thread, the Trezor will soon be storing your gaming site passwords, your calorie counts, your dog's gym workout schedule, ...

(The Brazilian voting machine software was very small at the beginning, too.)

Meanwhile, how long do you think it would take for one person to review 20'000 lines of code and make sure that it has no weaknesses (like a broken random number generator, or a line somewhere that sticks the private key into the signed transaction that is sent out to the infected computer)?

I asked earlier whether the hardware has some sort of memory protection that would prevent one function from accessing data areas of an unrelated function, but got no answer.  If it doesn't, the dog workout code will have access to the bitcoin private keys; therefore that code, and every modification to it, must be verified with the same care that is spent on the bitcoin code proper.  Worse still if the firmware can modify itself.

I'm not saying malicious firmware cannot be signed. I'm saying it cannot be signed without people knowing. And installing the unsigned one is of course possible as well, but that cannot be done without the user knowing it. If the user is warned and decides to install it anyway then it is his problem. I did not say it is impossible though.

The Trezor may store your game passwords and other passwords, provided they are derived from the same seed. In fact it can do it already with its 20000 lines of code. You are exaggerating with the other "use cases". It's not going to happen.

20000 lines of code can be verified in a month or two for backdoors. To fully understand all of it, it takes more time. The point is, it's possible for a single person and people did it.
JorgeStolfi
August 20, 2014, 09:54:50 AM
 #2446

Yup, clearly, a connected device will never reach paper wallet security
If the computer is not secure (the premise of Trezor), the Trezor has some risks, but the paper wallet is not safe at all.

JorgeStolfi
August 20, 2014, 10:07:45 AM
 #2447

I'm not saying malicious firmware cannot be signed. I'm saying it cannot be signed without people knowing.

Just to give one example, three of the 5 key holders at Trezor conspire and sign a malicious version of the firmware that is given to a hacker.  The hacker unleashes a virus with a malicious plug-in or standalone MyTrezor bridge, that instructs clients to download and install the "latest version" of the firmware, which is of course the malicious version above. 

You are exaggerating with the other "use cases". It's not going to happen.

Well, I hope that manufacturers can resist that temptation.

20000 lines of code can be verified in a month or two for backdoors. To fully understand all of it, it takes more time. The point is, it's possible for a single person and people did it.

You mean, someone already checked it, and did not see the backdoor?  Wink

stick
August 20, 2014, 10:11:31 AM
 #2448

And why would a paper wallet created with respect of best practices be not safe?

Paper wallet IS safe. But spending it is not. (If you are using "sweep private key" and not an offline signing which is very cumbersome).

dnaleor
August 20, 2014, 12:16:44 PM
 #2449

And why would a paper wallet created with respect of best practices be not safe?

Paper wallet IS safe. But spending it is not. (If you are using "sweep private key" and not an offline signing which is very cumbersome).

Indeed. Yesterday I've sent my large stash offline with Armory to my Trezor. Took a lot of time on my raspberry, but I couldn't take the risk of just sweeping the keys at blockchain.info

I only use the Trezor now (and a few mBTC on MyCelium). I've imported the old keys from my QT in a blockchain.info wallet (you never know if you receive a donation from some old image/post/...)
klokan
August 20, 2014, 12:41:13 PM
 #2450

I'm not saying malicious firmware cannot be signed. I'm saying it cannot be signed without people knowing.

Just to give one example, three of the 5 key holders at Trezor conspire and sign a malicious version of the firmware that is given to a hacker.  The hacker unleashes a virus with a malicious plug-in or standalone MyTrezor bridge, that instructs clients to download and install the "latest version" of the firmware, which is of course the malicious version above. 

You are exaggerating with the other "use cases". It's not going to happen.

Well, I hope that manufacturers can resist that temptation.

20000 lines of code can be verified in a month or two for backdoors. To fully understand all of it, it takes more time. The point is, it's possible for a single person and people did it.

You mean, someone already checked it, and did not see the backdoor?  Wink

Yes, IF they were malicious, they can sign a non-git version of the firmware that can have money stealing interface. If such a firmware would be flashed onto the device on a hacked computer (by the hacked computer) then your BTC would be stolen. You would still need to confirm that you want this firmware flashed on the device. Also, you would now have a signed malicious firmware and you could sue them with it, because it's digitally signed with their signatures. They would probably get away with it, claiming all their keys were stolen. But the company would go bankrupt.

But again, this kind of attack is not specific to this company. If five bank employees agree to forge a withdrawal from your bank account, how would you protect against such an inside-job attack?
gweedo
August 20, 2014, 02:50:09 PM
 #2451

I would like to return my trezor and get a refund of my 3 BTCs how can I do this? Obviously they aren't going to fix the mytrezor web wallet and I want my money back.

Edit: Talked to my lawyer about this, and he said there should be no reason that a refund should be an issue. I would also like to use escrow to make sure they don't stiff me.

The guy who paid 10000BTC for the pizza back in the day would like to refund as well.  If that guy would be refunded, he would probably get 10USD back (provided he will return the pizza). BTC is a deflationary currency and the refunds don't work with those. Your lawyer should learn some basic rules of economy.

You can still get refunded though, because there are people willing to pay the amount of money you paid for this one. BTC was worth 80-120USD during the preorder period. I would pay you 330USD for it myself.

Well they need to say that on their website and they don't so I expect 3 BTC which is what I paid. Do you have a law degree?


Don't kid yourself gweedo, you are an asshole

How am I that? Because I expect something to work in a reasonable time? Because I paid money for it to work in reasonable time? By the way it still doesn't work so when should I expect it to work, and not be considered that? I can't wait until you other people have an issue with trezor and then you will be in my position. When you are I will sit back and just laugh at you guys.
klokan
August 20, 2014, 03:37:04 PM
Last edit: August 20, 2014, 05:46:16 PM by klokan
 #2452


Well they need to say that on their website and they don't so I expect 3 BTC which is what I paid. Do you have a law degree?


I don't have a law degree, but I was recently reimbursed by my Swiss employer for my expenses abroad. They paid me Swiss Francs with the rate on the day of the expense. I'm pretty sure it is legal and I'm also pretty sure you are getting Czech Crowns if you ever get a refund. Does your lawyer have a Czech law degree?

That said, I'm still willing to pay you 330USD for the device.
thewayshegoes
August 20, 2014, 04:10:47 PM
 #2453

Yup, clearly, a connected device will never reach paper wallet security

until you want to spend it  Kiss

(that should be a new meme ...)


Create a transaction offline, sign offline, broadcast

Over  Wink

But in real life, I have used your solution to sweep a private key  Wink

Even with offline transactions though, you have to move a USB stick between offline and online computers, creating a possible vulnerability, correct?
RedDiamond
August 20, 2014, 04:47:48 PM
Last edit: August 20, 2014, 05:04:33 PM by RedDiamond
 #2454

Yup, clearly, a connected device will never reach paper wallet security

until you want to spend it  Kiss

(that should be a new meme ...)


Create a transaction offline, sign offline, broadcast

Over  Wink

But in real life, I have used your solution to sweep a private key  Wink

Even with offline transactions though, you have to move a USB stick between offline and online computers, creating a possible vulnerability, correct?

Correct. A malware can change the firmware of the stick in such a way that it does nasty things when connected to another computer. For a more detailed technical explanation please see https://srlabs.de/badusb/
bitpop
August 20, 2014, 05:47:49 PM
 #2455

Yup, clearly, a connected device will never reach paper wallet security

until you want to spend it  Kiss

(that should be a new meme ...)


Create a transaction offline, sign offline, broadcast

Over  Wink

But in real life, I have used your solution to sweep a private key  Wink

Even with offline transactions though, you have to move a USB stick between offline and online computers, creating a possible vulnerability, correct?

Correct. A malware can change the firmware of the stick in such a way that it does nasty things when connected to another computer. For a more detailed technical explanation please see https://srlabs.de/badusb/


No they must be signed. Those usb disks accept any firmware

tynt
August 20, 2014, 06:45:23 PM
 #2456

mytrezor website is unusable. It freezes and a few moments later the browser tells me that the trezor plugin is not responding. I can't even click on the "Support" link. Both firefox and chrome act the same way. Both trezor plugged in and plugged out.

5830 mining for life
chrisrico
August 20, 2014, 06:46:05 PM
 #2457

Yes and no

You can use a new stick on a fresh offline computer

Or simply plug nothing, forge and sign transaction on offline computer, convert signed transaction to qr code.

Flash it and broadcast it with online computer.

I won't bother doing this with little money (that's why I own a trezor), but if you move a big amount it can be worth the pain.

Even if you move a USB stick from online and offline computer, exploit is possible but you will be harder to target than if you connect to trezor related website.

If you have to have an offline computer in order to safely spend a paper wallet, why not have *just* an offline computer. Then, why not make it a single purpose computer that does nothing but securely store keys and sign data? That's what the Trezor is.
stick
August 20, 2014, 07:34:22 PM
 #2458

mytrezor website is unusable. It freezes and a few moments later the browser tells me that the trezor plugin is not responding. I can't even click on the "Support" link. Both firefox and chrome act the same way. Both trezor plugged in and plugged out.

write a support ticket to support@bitcointrezor.com

shadallion
August 20, 2014, 07:55:08 PM
 #2459

Yes and no

You can use a new stick on a fresh offline computer

Or simply plug nothing, forge and sign transaction on offline computer, convert signed transaction to qr code.

Flash it and broadcast it with online computer.

I won't bother doing this with little money (that's why I own a trezor), but if you move a big amount it can be worth the pain.

Even if you move a USB stick from online and offline computer, exploit is possible but you will be harder to target than if you connect to trezor related website.

If you have to have an offline computer in order to safely spend a paper wallet, why not have *just* an offline computer. Then, why not make it a single purpose computer that does nothing but securely store keys and sign data? That's what the Trezor is.

Boom, nailed it
stick
August 20, 2014, 08:05:14 PM
 #2460

Trezor is not really offline, if you look carefully, you will see a cable Wink

offline != cableless

Wifi is without a cable and is online.
Trezor has a cable and is offline.
