[ESHOP launched] Trezor: Bitcoin hardware wallet

[jago25_98]

hmm...
a great device.

Even better would be the standalone;

same thing with a display that can show QRcodes, a camera and a micro usb port switchable to charge only (no data) mode.

Question folks - which Android app can do offline transactions using QRcodes and a camera?

[felente]

...
Even better would be the standalone
...

yup. but the price would be too high for now i think.
as a second or third stage(generation) - would be very welcome

[caveden]

Trezor uses two-factor authentication - something you have (trezor) and something you know (PIN). If an attacker has physical access to your Trezor and he also controls your computer, you're screwed.

Not wanting to be negative or anything - Trezor is definitely a great improvement on security since our greatest worry right now are malwares - but we should note that its currently configuration makes it vulnerable to the "evil (and tech-savvy) maid attack".
Somebody tech-savvy enough with physical access to your place (a maid, a boyfriend/girlfriend, a roommate etc) could deliberately infect your computer while you're not around to get the PIN. Even a hardware key-logger would suffice. Once with the PIN, s/he only needs to steal the device.

I don't think that's a major risk, in the sense that it won't happen frequently, but it's worth noting anyway. Some people can't afford to fully trust those they share their living space with. Think college students for ex., particularly computer science college students who happen to share their room with people who were just put there by the residency administration. They barely know each other...

[molecular]

hmm...
a great device.

Even better would be the standalone;

same thing with a display that can show QRcodes, a camera and a micro usb port switchable to charge only (no data) mode.

Question folks - which Android app can do offline transactions using QRcodes and a camera?

I guess you could do it with mycelium (successor of bitcoinspinner)

EDIT: wait, what exactly do you mean?

[Mike Hearn]

caveden, it's small enough (physically) to fit on a keyring I guess. So such a person would just carry it with them.

[caveden]

caveden, it's small enough (physically) to fit on a keyring I guess. So such a person would just carry it with them.

Yes, that's reasonable. You can also lock it somewhere etc. I just wonder if concerned people will know about it and take necessary precautions.

[Binford 6100]

http://www.bitcointrezor.com/news/raspberry-pi-shield-developers

no need comment
btw who else is going to ohm2013?

[Anon136]

Trezor uses two-factor authentication - something you have (trezor) and something you know (PIN). If an attacker has physical access to your Trezor and he also controls your computer, you're screwed.

Not wanting to be negative or anything - Trezor is definitely a great improvement on security since our greatest worry right now are malwares - but we should note that its currently configuration makes it vulnerable to the "evil (and tech-savvy) maid attack".
Somebody tech-savvy enough with physical access to your place (a maid, a boyfriend/girlfriend, a roommate etc) could deliberately infect your computer while you're not around to get the PIN. Even a hardware key-logger would suffice. Once with the PIN, s/he only needs to steal the device.

I don't think that's a major risk, in the sense that it won't happen frequently, but it's worth noting anyway. Some people can't afford to fully trust those they share their living space with. Think college students for ex., particularly computer science college students who happen to share their room with people who were just put there by the residency administration. They barely know each other...

Just boot your os from a disk when ever you use your trezor

[neoranga]

hmm...
a great device.

Even better would be the standalone;

same thing with a display that can show QRcodes, a camera and a micro usb port switchable to charge only (no data) mode.

Question folks - which Android app can do offline transactions using QRcodes and a camera?

If by offline transactions with QR codes you meant this below, it has not been implemented yet, neither with QR codes neither with NFC.
https://bitcointalk.org/index.php?topic=230010.msg2424481

[caveden]

Just boot your os from a disk when ever you use your trezor

Encrypted disks (LUKS, Truecrypt...) are also good, but you're still vulnerable to hardware key-loggers.
I think the best is not to let the device accessible as Mike suggests. Either carry it always with you or lock it somewhere.

[drazvan]

hmm...
a great device.

Even better would be the standalone;

same thing with a display that can show QRcodes, a camera and a micro usb port switchable to charge only (no data) mode.

Question folks - which Android app can do offline transactions using QRcodes and a camera?

You mean like this: https://bitcointalk.org/index.php?topic=210371.0 ?

[molecular]

hmm...
a great device.

Even better would be the standalone;

same thing with a display that can show QRcodes, a camera and a micro usb port switchable to charge only (no data) mode.

Question folks - which Android app can do offline transactions using QRcodes and a camera?

You mean like this: https://bitcointalk.org/index.php?topic=210371.0 ?

that's pretty cool.

[AngelSky]

I love the idea and the fact you moved your ass to make something happen Btw, I know it's hard to make a good commercial video but we can see you're reading I think you don't need to make an Apple-like-commercial-things, just try to be yourself!

Good product, will follow and buy.

Wish you the best,
Patrick

[P_Shep]

I was thinking the other day... it's too small to have a whole keyboard in order to type in a pass-phrase etc., but what about tapping in a pass-beat?
When you set it up, you tap in a rhythm, a few time probably to get a good average, then when it come to singing the Tx, you tap out the rhythm again.

[WinTame2012]

I was thinking the other day... it's too small to have a whole keyboard in order to type in a pass-phrase etc., but what about tapping in a pass-beat?
When you set it up, you tap in a rhythm, a few time probably to get a good average, then when it come to singing the Tx, you tap out the rhythm again.

It's even easier to build in a cross-arrows like that founds on the gamepads
  ^
<  >
  v

and then tap a sequence like a good ol' Mortal Kombat fatality combo: >>^>v<<> and voila! You've authenticated TX on the Trezor device. No key-logger fears anymore.

[P_Shep]

It's even easier to build in a cross-arrows like that founds on the gamepads
  ^
<  >
  v

and then tap a sequence like a good ol' Mortal Kombat fatality combo: >>^>v<<> and voila! You've authenticated TX on the Trezor device. No key-logger fears anymore.

I thought about that, but I think I could more consistantly hum a tune, or tap out a beat, than I could remember a set of directions. Plus it uses less buttons. Plus it doesn't depend on the positions of the buttons, should they change or differ between hardware (you know how you muscle memory your PIN)... go compare a phone layout, to a calculator layout

[stick]

Sorry to disappoint you, but the button layout will not change. At least not in the first batch. :-)

[P_Shep]

At least not in the first batch. :-)

Exactly.

[Delver]

Somebody tech-savvy enough with physical access to your place (a maid, a boyfriend/girlfriend, a roommate etc) could deliberately infect your computer while you're not around to get the PIN. Even a hardware key-logger would suffice. Once with the PIN, s/he only needs to steal the device.

This is exactly what I am worried about. I recognize the fact that some people prefer comfort when entering their PIN as opposed to an additional security precaution, but wouldn't it be beneficial to allow both methods of PIN input - on the device and/or the computer keyboard? The button layout of the Trezor makes it clumsy to punch in the PIN, but far from impossible. Many of us would sleep easier knowing our security could not have been compromised because of an infected computer. At the same time, those who prefer the comfort of their keyboards can simply not utilize this feature and enter the PIN as it was originally planned by the developers. It's really just a matter of modifying the software and I urge the developers to at least consider it.

[jackjack]

Somebody tech-savvy enough with physical access to your place (a maid, a boyfriend/girlfriend, a roommate etc) could deliberately infect your computer while you're not around to get the PIN. Even a hardware key-logger would suffice. Once with the PIN, s/he only needs to steal the device.

This is exactly what I am worried about. I recognize the fact that some people prefer comfort when entering their PIN as opposed to an additional security precaution, but wouldn't it be beneficial to allow both methods of PIN input - on the device and/or the computer keyboard? The button layout of the Trezor makes it clumsy to punch in the PIN, but far from impossible. Many of us would sleep easier knowing our security could not have been compromised because of an infected computer. At the same time, those who prefer the comfort of their keyboards can simply not utilize this feature and enter the PIN as it was originally planned by the developers. It's really just a matter of modifying the software and I urge the developers to at least consider it.

But the PIN is one-time