[ESHOP launched] Trezor: Bitcoin hardware wallet

[guitarplinker]

Is MyTrezor down for anyone else right now? I can't seem to load up the site right now. :/

[gweedo]

Is MyTrezor down for anyone else right now? I can't seem to load up the site right now. :/

Confirmed, cloudfare says it is down.

[windpath]

Is MyTrezor down for anyone else right now? I can't seem to load up the site right now. :/

Confirmed, cloudfare says it is down.

Working fine for me...

[guitarplinker]

Yeah, it seems to be back up for me as well now.

[Italone100]

Error!
Failed to send transaction: Encountered invalid prevhash.

why?

[rammy2k2]

Error!
Failed to send transaction: Encountered invalid prevhash.

why?

keep us updated on this one, i just got my trezor too

[nelisky]

Error!
Failed to send transaction: Encountered invalid prevhash.

why?

I'm trying to send a Litecoin transaction using python-trezor and I'm getting the exact same error. Looking at the trezor-mcu code I find that it is sent here: https://github.com/trezor/trezor-mcu/blob/master/firmware/signing.c#L349 but I didn't debug it to understand what is going on. Could be a byte order thing or I just didn't put the right prev_hash to start with, not sure.

For reference I'm sending the only output of this tx: https://bchain.info/LTC/tx/3635c6b4ddb52a669a5db11e1a599d9149f18e803c178653c05d9e804afa4f57

So I do a TxInputType(address_n=client.expand_path(path to LS7CBRe81UbZJLjMG5p7gLB3DbgV2rNZ5q), prev_hash=binascii.unhexlify('3635c6b4ddb52a669a5db11e1a599d9149f18e803c178653c05d9e804afa4f57'), prev_index=0) which I guess is what I'm supposed to provide, but in my obvious diagonal reading of both python-trezor and trezor-mcu, it looks like the comparison is being make with the txhash of the first input of that transaction (though I may be completely off-base here, I'll have to compile trezor-mcu myself to add some debugging if no help comes my way)

Any clues or pointers?

EDIT: I finally found the problem I was having and it goes down to a bug in python-trezor's tx_api.insight_url. Well, maybe it doesn't reflect on every OS the same way but doing Decimal(value_as_float) is very dangerous and error prone in python, so I'll be getting a pull request ready.

[cypherdoc]

Does myTrezor.com  identify the specific unit that connects to it thus deanonymizing the owner that it was shipped to?

Also, I've not heard of any hacking incidents to date of the Trezor. Anyone else? 

[cypherdoc]

Also, I've not heard of any hacking incidents to date of the Trezor. Anyone else? 

Some exploits have been found and patched

even better.  the power of open source.

[cor]

Does myTrezor.com  identify the specific unit that connects to it thus deanonymizing the owner that it was shipped to?

Also, I've not heard of any hacking incidents to date of the Trezor. Anyone else? 

No, there is nothing in the device neither the code that we could use to link a specific person with a device.

[2112]

No, there is nothing in the device neither the code that we could use to link a specific person with a device.

I easily believe that there's nothing in your code that would be designed for tracking. But do I think that NXP doesn't leave something traceable in the device itself? Do they document every bit of the JTAG state? Is there any open, published source that would confirm that their SoC devices aren't traceable?

[cor]

No, there is nothing in the device neither the code that we could use to link a specific person with a device.

I easily believe that there's nothing in your code that would be designed for tracking. But do I think that NXP doesn't leave something traceable in the device itself? Do they document every bit of the JTAG state? Is there any open, published source that would confirm that their SoC devices aren't traceable?

The devices are produced and packed in batches. Even if there was some unique code embeded on the hardware,  we would need to have a unique number on the package associated with it. there is no such code on the package of Trezor.

[cor]

No, there is nothing in the device neither the code that we could use to link a specific person with a device.

I easily believe that there's nothing in your code that would be designed for tracking. But do I think that NXP doesn't leave something traceable in the device itself? Do they document every bit of the JTAG state? Is there any open, published source that would confirm that their SoC devices aren't traceable?

The devices are produced and packed in batches. Even if there was some unique code embeded on the hardware,  we would need to have a unique number on the package associated with it. there is no such code on the package of Trezor.

just to add there is a small QR code on the internals that identifies the production batch so we know which components and processes were used to produce it. For RMA processing.

[2112]

The devices are produced and packed in batches. Even if there was some unique code embeded on the hardware,  we would need to have a unique number on the package associated with it. there is no such code on the package of Trezor.

I trust you and I'm not claiming that you are trying to track the users of Trezor. (Plural "you", meaning "your company and associates", not "you personally"). I'm more interested on the possibility of correlation attacks done by somebody else on the users of Trezors, especially those users willing to connect the Trezor to a non-trusted and not-verified computer.

I'll repeat my question:

Is there any publicly available information or speculation about the SoC chips you use that would either exclude or confirm the presence of undocumented storage? IIRC the devices you use support "USB on-the-go" which is a fairly complex protocol. Do you even heard any substantiated rumors about the undocumented features of your chips. I've worked with some much older SoC chips where it turned out that OTPROM and ROM memory was in reality just EEPROM protected against write by convoluted trickery in the software drivers (can't recall the exact manufacturer at this time, later acquired by Rainbow Technologies).

[Italone100]

please process my ticket for invalid prev hash

[BitcoinIsLiberty]

Does myTrezor.com  identify the specific unit that connects to it thus deanonymizing the owner that it was shipped to?

Also, I've not heard of any hacking incidents to date of the Trezor. Anyone else? 

No, there is nothing in the device neither the code that we could use to link a specific person with a device.

Is the public key protected by PIN or confirmation preventing rogue websites from stealing it? Having your public key leaked would link all your transactions for the life of the seed.

[World]

Do you store device_ID and shipping info somewhere?

In TechCrunch podcast was little conversation about Trezor at 00:04:38
http://techcrunch.com/2015/03/05/this-week-on-the-techcrunch-bitcoin-podcast-do-you-even-invest/

[jackbox]

Do you store device_ID and shipping info somewhere?

In TechCrunch podcast was little conversation about Trezor at 00:04:38
http://techcrunch.com/2015/03/05/this-week-on-the-techcrunch-bitcoin-podcast-do-you-even-invest/

They already answered this. If there is an device id (such as cpu serial number) they do not store it anywhere. The Trezors are shipped blind. They put them in the box and glue them like fantatics and there is nothing on the box to indicate which Trezor is inside except a sticker denoting the color of the unit's plastic case. The cannot track you by any Trezor they sent you as they do not know who got sent which device. They only now how many physical units they have shipped to you.

[lyth0s]

So I tried the Trezor with the Electrum 2.0 wallet today and it worked like a charm. Glad to see another wallet service that has implemented the Trezor successfully. I'd like to see if you guys could make any progress with getting Mycelium or Wallet32 to implement it next

[molecular]

So I tried the Trezor with the Electrum 2.0 wallet today and it worked like a charm. Glad to see another wallet service that has implemented the Trezor successfully. I'd like to see if you guys could make any progress with getting Mycelium or Wallet32 to implement it next

you should probably ask mycelium and wallet32 devs.