[ESHOP launched] Trezor: Bitcoin hardware wallet

[SgtSpike]

I'm really not a big fan of paper backups. There are so many ways paper could be destroyed/lost, and there's no way to encrypt paper and send it safely to remote backup servers distributed all over the globe. Plus, if you consider an attacker gaining physical access to the device, you should consider him getting physical access to the paper backup too.

I'd strongly suggest an alternative: allow the user to type a passphrase during initialization. Use this passphrase to encrypt the seed and save only the encrypted copy outside the device via USB. Obviously, instruct the user to use a strong passphrase and to back up the file as much as he can.

I realize that I can scan the paper backup, encrypt it and do it myself. But then again, I would need a safe device just for this task...

Why not just type the paper backup into a .txt file, and encrypt that?

Honestly, asking people to type a passphrase and expecting them to make it complicated enough that it cannot be hacked in any reasonable number of years (at least until well past the time they die) as well as not forget it is just as impractical as a piece of paper.  Guess how they are going to remember their complex decades-future-proofed password? 

And that's even assuming they choose a password strong enough!  Anyone who doesn't would have a good chance of their coins being stolen from their "ultra secure" device, and sudden, that device gets a bad rap from it.

No, slush is making a very wise choice in only supporting paper/manual backups.  It puts all the blame unquestionably on the user if anything bad happens.  People put all kinds of valuables in safes and fire safes in their homes - why would this need be any different?  Write down the seed, put it in the safe, and it's there along with other things like jewelry, gold, and social security cards.  I would hope people aren't storing paper backups just any old place in their house...!

[2weiX]

I'm really not a big fan of paper backups. There are so many ways paper could be destroyed/lost, and there's no way to encrypt paper and send it safely to remote backup servers distributed all over the globe. Plus, if you consider an attacker gaining physical access to the device, you should consider him getting physical access to the paper backup too.

I'd strongly suggest an alternative: allow the user to type a passphrase during initialization. Use this passphrase to encrypt the seed and save only the encrypted copy outside the device via USB. Obviously, instruct the user to use a strong passphrase and to back up the file as much as he can.

I realize that I can scan the paper backup, encrypt it and do it myself. But then again, I would need a safe device just for this task...

Why not just type the paper backup into a .txt file, and encrypt that?

Honestly, asking people to type a passphrase and expecting them to make it complicated enough that it cannot be hacked in any reasonable number of years (at least until well past the time they die) as well as not forget it is just as impractical as a piece of paper.  Guess how they are going to remember their complex decades-future-proofed password? 

And that's even assuming they choose a password strong enough!  Anyone who doesn't would have a good chance of their coins being stolen from their "ultra secure" device, and sudden, that device gets a bad rap from it.

No, slush is making a very wise choice in only supporting paper/manual backups.  It puts all the blame unquestionably on the user if anything bad happens.  People put all kinds of valuables in safes and fire safes in their homes - why would this need be any different?  Write down the seed, put it in the safe, and it's there along with other things like jewelry, gold, and social security cards.  I would hope people aren't storing paper backups just any old place in their house...!

Dere ya go:

[caveden]

Why not just type the paper backup into a .txt file, and encrypt that?

Fine enough, as long as the passphrase is typed only in the secure device, which will be the one encrypting it. I shouldn't need another secure device only to backup. Actually, I wouldn't bother if the paper backup is already printed encrypted. This way I can safely scan the paper in a unsecured device and back it up.

Honestly, asking people to type a passphrase and expecting them to make it complicated enough that it cannot be hacked in any reasonable number of years (at least until well past the time they die) as well as not forget it is just as impractical as a piece of paper.  Guess how they are going to remember their complex decades-future-proofed password? 

And that's even assuming they choose a password strong enough!  Anyone who doesn't would have a good chance of their coins being stolen from their "ultra secure" device, and sudden, that device gets a bad rap from it.

A passphrase need not to be super complex, it only need to be long. The device could display a strength meter. And, again, this doesn't need to be the sole option, it could still have a printer.
Plus, I hardly think people would store the value for decades and never reopen the wallet in between. This is more like your "bank account", the place where you store your salary for instance. You take some money out with the same frequency you go to an ATM. People normally don't put their life savings in "money", it's usually in the form of financial assets. (it's true that if this device supports OT, perhaps one day people could actually have their life savings in it... but still, they would open the wallet once in a while)

No, slush is making a very wise choice in only supporting paper/manual backups. 

I respectfully disagree - unless the content printed is encrypted.

It puts all the blame unquestionably on the user if anything bad happens.

If you want the user to be fully responsible of his security, why even bother with this project? We should help them, and I honestly believe an encrypted backup on the cloud is safer than a piece of paper.

People put all kinds of valuables in safes and fire safes in their homes - why would this need be any different? 

I only know one person who has a safe at home - and that's because he's a gun owner, legally required to keep his gun in a safe. I actually have never seen a home with a safe. But anyway, that's just me. It's possible to please everyone here.

[slush]

I'm really not a big fan of paper backups. There are so many ways paper could be destroyed/lost, and there's no way to encrypt paper and send it safely to remote backup servers distributed all over the globe. Plus, if you consider an attacker gaining physical access to the device, you should consider him getting physical access to the paper backup too.

For average user, keeping piece of paper in secret is much easier than to store piece of digital information for long enough time (for years). Don't forget that most of users don't do backups and if so, they do it in wrong way.

Actually Bitcoins are usually the only case why people must care about security of their computers. Except of bitcoins, users stores on their computers mostly photos from their holiday, which are uploaded on Facebook anyway, so data loss isn't so big issue there.

In the opposite of digital information, people are used to store physical things safely as all of them are doing so for some important documents or money. Purpose of this project is to make Bitcoin as much physical as possible, so people don't need to change their habits.

I'd strongly suggest an alternative: allow the user to type a passphrase during initialization. Use this passphrase to encrypt the seed and save only the encrypted copy outside the device via USB. Obviously, instruct the user to use a strong passphrase and to back up the file as much as he can.

This device won't have a physical keyboard. It is expensive and makes the design much bigger. Without physical keyboard, it is impossible to type password safely without the computer, which makes encrypted backup to that computer impossible.

I realize that I can scan the paper backup, encrypt it and do it myself. But then again, I would need a safe device just for this task...

Maybe you would be surprised, but you're not an average user ;-). For most people, writing down few words to the piece of paper, putting it to the safe will be the best solution.

The only potential protection I can think of against $5 wrench attacks is plausible deniability (hidden volumes) - and even that will not protect you if the attacker knows how much money you've got.

We considered multi-wallet support like this and it would be possible, but it goes against of our motto - make it now and make it easy. All of these ideas are making the device more complicated even for usage (wallet won't be recognized automatically when plugged into computer). However I might consider this in the future for "advanced" product version.

[slush]

I respectfully disagree - unless the content printed is encrypted.

We're targeting to average users, for common usage. But security freaks are free to boot live distro from trusted source, write down the seed to text file, encrypt that and do with it whatever they want. Actually if you know what you're doing, you'll make encrypted backup of the seed in less than 10 minutes.

However, as I said, it is almost impossible to encrypt the seed while initializing the device on untrusted machine, so encrypting seed during this process would be false promise.

[caveden]

I respectfully disagree - unless the content printed is encrypted.

We're targeting to average users, for common usage. But security freaks ...

IMHO, an impossible to re-flash hardware is much more "security freakishness" than password-protected files...

And, why making an impossible to re-flash or read keys hardware if the whole wallet will likely be stored unencrypted on paper in the same physical building than the device? Somebody with physical access to the device will likely have physical access to the paper backup.

Finally, if you don't consider encrypting the keys in the device, then you're not considering plausible deniability. Somebody willing to physically steal the device is much more likely to simply physically force the user to give him the money ($5 wrench attack). If you don't have multiple encrypted volumes, and you're not some sort of Rambo capable of counter-attack in meatspace, then you lose.

are free to boot live distro from trusted source, write down the seed to text file, encrypt that and do with it whatever they want. Actually if you know what you're doing, you'll make encrypted backup of the seed in less than 10 minutes.

I know. I just think it'd be nice if everybody could easily have the option of having the same level of safety and security as well, including people who don't know what the heck a "live distro" is.

However, as I said, it is almost impossible to encrypt the seed while initializing the device on untrusted machine, so encrypting seed during this process would be false promise.

Pardon my ignorance, but why does it need to be initialized on an unsecured machine?


PS; Please don't take what I say here as bashing criticism. Even if this device is not "physically safe/secure" at all, it would still be awesome as a protection against hackers, which are the real danger most bitcoin users face today - and will remain the sole sensible danger for years. So, just want to make sure you understand I fully support your initiative either way. I'd just like it more if it had these encryption features, that's all.


EDIT: Sorry, I had not seen the previous message:

For average user, keeping piece of paper in secret is much easier than to store piece of digital information for long enough time (for years). Don't forget that most of users don't do backups and if so, they do it in wrong way.

Again I respectfully disagree. Most young people at least would likely find it easier to store things on their google accounts than to physically store paper in an organized and safe manner. But anyway, that's now pointless, since...

This device won't have a physical keyboard. It is expensive and makes the design much bigger.

If that's the case, then yeah, there's no way to encrypt things on the device.

Even small keybords like those in some cellphones are that expensive? I'm really ignorant on this.

We considered multi-wallet support like this and it would be possible, but it goes against of our motto - make it now and make it easy. All of these ideas are making the device more complicated even for usage (wallet won't be recognized automatically when plugged into computer). However I might consider this in the future for "advanced" product version.

If it's cheap enough, different people could have their different devices anyway. It's definitely not a showstopper not to be multiuser.

[slush]

IMHO, an impossible to re-flash hardware is much more "security freakishness" than password-protected files...

Actually this solves (at least partially) the problem with wallet distribution. With easy option for reflashing the device, wallet distributor would modify the firmware and make there some backdoor quite easily... ...although the real attack would be still pretty difficult, as user would need to have also compromised machine which will misuse that modified token.

And, why making an impossible to re-flash or read keys hardware if the whole wallet will likely be stored unencrypted on paper in the same physical building than the device? Somebody with physical access to the device will likely have physical access to the paper backup.

Both digital wallet and paper backup have different purpose. Having paper backup is the easiest way for disaster recovery for *all* people. More skilled people can choose how they store the "paper backup", if they store it just in envelope into their safe or if they underline these words in their favourite book in their home library, put it into encrypted file to Google docs, memorize it or so. Actually forcing people to do electronic backup is the limitation for many people. Having the easy possibility to export seed directly from the device and not over (potentially hacked) computer is bulletproof and far simplest to understand for everybody.

Finally, if you don't consider encrypting the keys in the device, then you're not considering plausible deniability. Somebody willing to physically steal the device is much more likely to simply physically force the user to give him the money ($5 wrench attack). If you don't have multiple encrypted volumes, and you're not some sort of Rambo capable of counter-attack in meatspace, then you lose.

We're targeting to common users, not mafia.

I know. I just think it'd be nice if everybody could easily have the option of having the same level of safety and security as well, including people who don't know what the heck a "live distro" is.

As I said, displaying the seed on the device during the initialization is the most easier and flexible solution. Do whatever you want and whatever fits your needs with it. Actually "paper backup" or "mnemonic seed" is considered as the most safe way of storing bitcoins, so I'm a bit surprised that you're trying to said that it's not safe enough :-).

Pardon my ignorance, but why does it need to be initialized on an unsecured machine?

This is chicken and egg problem. If you already have secure machine, why do you need to export already encrypted backup to it? If this computer is not *so* secured, how you can put passphrase over it?

PS; Please don't take what I say here as bashing criticism. Even if this device is not "physically safe/secure" at all, it would still be awesome as a protection against hackers, which are the real danger most bitcoin users face today

At this date, there have been many of successful hacker attacks (I personally lost 3100 BTC during that one), but not a single known issue of $5 wreck attack against bitcoin wallet owner. Let's do solve real issues and don't try to solve something what's not the real problem.

Again I respectfully disagree. Most young people at least would likely find it easier to store things on their google accounts than to physically store paper in an organized and safe manner.

You cannot expect that other people are like you. No, young people don't backup more often than old people. I bet the exact oposite, from what I see around me.

Even small keybords like those in some cellphones are that expensive? I'm really ignorant on this.

This goes completely against the initial idea, to have simple, small and cheap device. And there's no major improvement while having physical keyboard on the device. Use it for encrypting the initial backup won't justify it...

[caveden]

We're targeting to common users, not mafia.

haha, well.. if one day bitcoin becomes as widely known as gold, you could certainly expect burglars to attempt to force people to give their bitcoins.
But yeah, there's quite some time until that happens.

Pardon my ignorance, but why does it need to be initialized on an unsecured machine?

This is chicken and egg problem. If you already have secure machine, why do you need to export already encrypted backup to it? If this computer is not *so* secured, how you can put passphrase over it?

Never mind, I hadn't yet read that it will not have a keyboard when I first wrote that.

At this date, there have been many of successful hacker attacks (I personally lost 3100 BTC during that one), but not a single known issue of $5 wreck attack against bitcoin wallet owner. Let's do solve real issues and don't try to solve something what's not the real problem.

Definitely. One step at a time.

[molecular]

slush, stick: I think you got it exactly right

[Mushroomized]

slush, stick: I think you got it exactly right

After reading this, I just thought of the name Popsicle

1) its slush (ice) on a stick
2) its a tiny device that connects to USB sticks
3) you get the cold storage connotation from the name

[allten]

Would have been nice if you made a post a few weeks ago.

I'm a few weeks away from having an actual PCB!
Do you have anyone working on a PCB?
Might as well group our efforts. Like you, it is meant to be open source.
We are all on the same team.

[Mushroomized]

Would have been nice if you made a post a few weeks ago.

I'm a few weeks away from having an actual PCB!
Do you have anyone working on a PCB?
Might as well group our efforts. Like you, it is meant to be open source.
We are all on the same team.

This is the kind of attitude that really is great to see. 

[eldentyrell]

I'll buy quite a few if you sell a version in which the reprogramming fuse has not been blown out.  I need a device like this for GPG signing and other non-Bitcoin cryptography.

Feel free to charge more for the reprogrammable version and emblazon it with a "firmware not certified by manufacturer"; I'm sure those of us who want this don't mind.

[slush]

I'll buy quite a few if you sell a version in which the reprogramming fuse has not been blown out.  I need a device like this for GPG signing and other non-Bitcoin cryptography.
Feel free to charge more for the reprogrammable version and emblazon it with a "firmware not certified by manufacturer"; I'm sure those of us who want this don't mind.

I understand that the hardware itself may be very useful for other applications as well. So for now I see this quite possible. However, as you said, the casing should be modified somehow, so it won't look like official product.

[molecular]

I'll buy quite a few if you sell a version in which the reprogramming fuse has not been blown out.  I need a device like this for GPG signing and other non-Bitcoin cryptography.
Feel free to charge more for the reprogrammable version and emblazon it with a "firmware not certified by manufacturer"; I'm sure those of us who want this don't mind.

I understand that the hardware itself may be very useful for other applications as well. So for now I see this quite possible. However, as you said, the casing should be modified somehow, so it won't look like official product.

How can we be sure that some reseller isn't slipping us a modified version and what could he potentially do with that approach?

[Ente]

Great project!
It doesn't matter much if it'll be ellet, bitcoincard or 'popsicle', but we surely can use a tiny, secure, easy [cheap? choose three out of four] Bitcoin wallet for the average user! At least as an alternative to smartphone wallets, which I won't fully trust ever.

I had similar plans, for a Bitcoin "vault". It was more aimed at companies, for automatic tx signing. With focus on hardware security (IDS, heartbeat, key purging etc). Heavy use of PKI. With a custom ruleset for automatic signing, manual approval and selfdestruction.
I didn't work on it lately, the current state is a concept on paper.

Interested in a "corporate version"? I bet a lot of the hardware and software could be used for both!

Ente

[slush]

How can we be sure that some reseller isn't slipping us a modified version and what could he potentially do with that approach?

Yes, this may be possible issue. Malicious distributor can buy few devices, make alternative PCB, use modified firmware and pack it with "official" casings. There's just a small chance that customers will notice the difference. Buying the device from trusted distributor would be better choice than ordering it from random guy on Silk Road.

Technically this is not a big problem as device itself cannot communicate with the world on its own. So as far as user will connect that hacked stick into official release of Bitcoin wallet (Electrum, Multibit), the chance of a theft is minimal (as far as official clients will cross check signed transaction if it has not been modified by the stick itself).

By the way, there has been successful hacks with modified USB mouses (given to company employees as a gift). Mouse acting as mass device with autorun file and 90% of Windows users are screwed. This is a problem of "universal serial bus", unfortunately using USB is the only reasonable choice if we target to common users.

That's also the reason why we're building Raspberry Pi shield for hardcore geeks; it is much easier to recompile everything from sources to be sure there isn't any malicious code.

[slush]

I had similar plans, for a Bitcoin "vault". It was more aimed at companies, for automatic tx signing. With focus on hardware security (IDS, heartbeat, key purging etc). Heavy use of PKI. With a custom ruleset for automatic signing, manual approval and selfdestruction.
Interested in a "corporate version"? I bet a lot of the hardware and software could be used for both!

I've been thinking about such boxes after I've been hacked on Linode. It may be standard computer with minimal linux distro and custom software with extremely limited interface to the rest of the world and with possibility to define own rulesets will make attacks much harder. At this stage we're working on standard wallet which hopefully fit needs of the most users, but later we can think about other related projects as well...

[CIYAM]

Is it still the case that if you hold down the shift key whilst plugging in a USB that no autorun stuff will occur (in Windows)?

[molecular]

Is it still the case that if you hold down the shift key whilst plugging in a USB that no autorun stuff will occur (in Windows)?

I'm not a windows user, but can't one just turn this off completely?