BurtW
All paid signature campaigns should be banned.
August 02, 2014, 05:59:44 PM
If you lose your device, do you need a new trezor to recover the coins or is there a tool to do so?
The Android app Wallet32 works great. I have tested it with 12, 18 and 24 words. I still have not gotten around to testing it with a password yet but that is also supposed to work. I:
- Created a wallet on Trezor
- Put some BTC in the wallet
- Pretended to lose it
- Entered the words into Wallet32
- All my BTC and transactions magically appeared on my phone and I could spend them from there
Of course then I created a new wallet on the Trezor. If I get time I plan to test it with passwords also.

Our family was terrorized by Homeland Security. Read all about it here: http://www.jmwagner.com/ and http://www.burtw.com/ Any donations to help us recover from the $300,000 in legal fees and forced donations to the Federal Asset Forfeiture slush fund are greatly appreciated!

Hawkix
August 02, 2014, 06:02:30 PM
Any plans to produce Trezor with different color of plastic, namely BLACK one?

slush (OP)
August 02, 2014, 06:26:46 PM
Any plans to produce Trezor with different color of plastic, namely BLACK one?
Yes, we do plan various colors including black. However it will take some time, for now we're focused on seamless distribution of Trezors and on adding express shipping. Unfortunately there're still places around the world where national posts barely work so DHL or similar are the only choice...

P_Shep
This is not OK.
August 02, 2014, 07:03:43 PM
Love that you can plug it in any computer and use it without having to log in to anything

slush (OP)
August 02, 2014, 07:38:19 PM
Love that you can plug it in any computer and use it without having to log in to anything
We're working on a Trezor-backed web password manager with the same feature. You'll be able to reach all of your passwords on any computer (with Trezor connected, of course), without the need to type any "master password" as is common in standard password managers (like Keepass). You'll just choose which password you want to unlock at the time, so you'll be able to log into any website on a friend's computer without the risk of revealing internet banking credentials or other high profile passwords...
Edit: A password manager is of course needed for sites which do not offer challenge-response authentication, but I believe that some day at least bitcoin-related sites will implement password-less login into their site like GreenAddress already did: https://twitter.com/GreenAddress/status/479939415088062464

dillpicklechips
August 02, 2014, 07:41:40 PM
Love that you can plug it in any computer and use it without having to log in to anything
We're working on a Trezor-backed web password manager with the same feature. You'll be able to reach all of your passwords on any computer (with Trezor connected, of course), without the need to type any "master password" as is common in standard password managers (like Keepass). You'll just choose which password you want to unlock at the time, so you'll be able to log into any website on a friend's computer without the risk of revealing internet banking credentials or other high profile passwords...
Very cool, I'd love details on how it would work!!!!!

TwinWinNerD
CEO Bitpanda.com
August 02, 2014, 07:41:55 PM
Is there customs fee when shipping to Austria?

slush (OP)
August 02, 2014, 07:45:38 PM
Is there customs fee when shipping to Austria?
No, both Austria and Czech Republic are in Schengen area.

TwinWinNerD
CEO Bitpanda.com
August 02, 2014, 08:02:39 PM
Is there customs fee when shipping to Austria?
No, both Austria and Czech Republic are in Schengen area.
Oh, I missed that you are shipping from CZ. I somehow thought this was US/else. Good!

Anon136
August 02, 2014, 08:12:03 PM
Love that you can plug it in any computer and use it without having to log in to anything
We're working on a Trezor-backed web password manager with the same feature. You'll be able to reach all of your passwords on any computer (with Trezor connected, of course), without the need to type any "master password" as is common in standard password managers (like Keepass). You'll just choose which password you want to unlock at the time, so you'll be able to log into any website on a friend's computer without the risk of revealing internet banking credentials or other high profile passwords...
Edit: A password manager is of course needed for sites which do not offer challenge-response authentication, but I believe that some day at least bitcoin-related sites will implement password-less login into their site like GreenAddress already did: https://twitter.com/GreenAddress/status/479939415088062464
You guys are so amazing! How far do you suppose one could take this thing? Do you suppose it will be possible to leverage this technology up to the point of creating a completely secure computing environment? Basically so processes could only be run with a trezor signature. Maybe I'm just crazy but is it possible to create a situation where even a hardware backdoor on your computer system would have limited to no functionality so long as there were no back-doors in the OS or other software? Of course this all assumes that there is no back door in the trezor, but the hardware there could be simple enough to audit while it may not be practical to do so with a modern computer. Again maybe I'm crazy. I'm not a computer scientist. Just an enthusiast who is fascinated with this technology.

Rep Thread: https://bitcointalk.org/index.php?topic=381041
If one can not confer upon another a right which he does not himself first possess, by what means does the state derive the right to engage in behaviors from which the public is prohibited?

slush (OP)
August 02, 2014, 08:16:45 PM
So nice, if the feature is good, I can like this even more than wallet function. Can you give us more information on how it will work technically with some details? (How are passwords stored, where are they decrypted, what is transmitted to website and host computer...)
The specification is to be released, but generally Trezor currently has the capability of AES and ECIES, an asymmetric cipher based on elliptic curves, and a feature for encrypting/decrypting key-value structures. Combining this with the hierarchical structure of private keys generated from the Recovery seed, there's an unlimited count of cipher keys (AES) or private/public keypairs for ECIES which can be used to protect user data. Each password is basically a key-value pair, where 'key' is some identity (username, site) and value is the encrypted password for such login. The computer stores a blob of these keypairs (it can be a local file or a cloud-stored file on dropbox, google drive or anything else). The password manager (a website like mytrezor) just renders a list of stored keys (services and logins). If you click the key, the value is sent to Trezor, it asks you if you really want to reveal such credentials to the connected computer and if so, the manager unmasks your password just for this particular site. The encryption will be protected in the same way as sending a bitcoin transaction, so PIN and (optional) passphrase.
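The flow described in the post above, as an added example that is not part of the original post and is not Trezor code: the host keeps only labels and ciphertext, and the device derives a key per entry and decrypts only after confirmation. The `ToyDevice` class, the label-based key derivation and the HMAC-based cipher (a standard-library placeholder for the AES the post mentions) are assumptions, since the specification was not yet released.

```python
import hashlib
import hmac
import os


class ToyDevice:
    """Stand-in for the hardware token: the seed never leaves this object."""
    def __init__(self, seed, confirm):
        self._seed = seed
        self._confirm = confirm  # models the on-device confirm button

    def _entry_keys(self, label):
        # Per-entry keys from seed + label (assumed scheme, stands in for an HD-tree branch).
        okm = hmac.new(self._seed, b"pwmgr/" + label.encode(), hashlib.sha512).digest()
        return okm[:32], okm[32:]

    @staticmethod
    def _keystream(key, nonce, n):
        # HMAC-SHA256 in counter mode: stdlib placeholder for the AES the post names.
        out, ctr = b"", 0
        while len(out) < n:
            out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
            ctr += 1
        return out[:n]

    def encrypt(self, label, secret):
        enc_key, mac_key = self._entry_keys(label)
        nonce = os.urandom(16)
        ct = bytes(a ^ b for a, b in zip(secret, self._keystream(enc_key, nonce, len(secret))))
        return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

    def decrypt(self, label, blob):
        if not self._confirm(label):  # user sees the label and must approve
            raise PermissionError("declined on device")
        enc_key, mac_key = self._entry_keys(label)
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("ciphertext was not produced for this entry")
        return bytes(a ^ b for a, b in zip(ct, self._keystream(enc_key, nonce, len(ct))))


def demo():
    approved = []
    dev = ToyDevice(b"constructed-demo-seed", lambda label: approved.append(label) or True)
    # Host-side store (constructed data): labels in clear, values only as ciphertext.
    store = {"forum": dev.encrypt("forum", b"hunter2"), "bank": dev.encrypt("bank", b"s3cret-bank")}
    revealed = dev.decrypt("forum", store["forum"])
    try:  # a tampered store presents the bank ciphertext under the forum label
        dev.decrypt("forum", store["bank"])
        swapped = "accepted"
    except ValueError:
        swapped = "rejected"
    return revealed, swapped, approved
```

Because each entry's key depends on its label, the label the user approves on the device is bound to the ciphertext that gets decrypted.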

slush (OP)
August 02, 2014, 08:24:57 PM
How far do you suppose one could take this thing?
In near future (except improving Trezor for bitcoin signing usage like BIP70 and multisig) we plan to turn Trezor into an identity management token, something similar to the failed myIDkey. Contrary to the megalomaniacal vision of myIDkey, we want to start with low hanging fruit and improve stuff as time goes. There's already a proof of concept for harddisk encryption protected by Trezor: https://github.com/trezor/python-trezor/blob/master/tools/encfs_aes_getpass.py This works only on Linux, but the concept can be implemented on any OS. There are plenty of possibilities how to integrate Trezor with all stuff directly, like PEM modules on Unix (ssh), Windows login, website authentication, email encryption and signatures etc. It's a really wide scope. Let's see how much interest in Trezor there'll be in the Bitcoin community first :-).

molecular
August 02, 2014, 08:31:10 PM
How far do you suppose one could take this thing?
In near future (except improving Trezor for bitcoin signing usage like BIP70 and multisig) we plan to turn Trezor into an identity management token, something similar to the failed myIDkey. Contrary to the megalomaniacal vision of myIDkey, we want to start with low hanging fruit and improve stuff as time goes. There's already a proof of concept for harddisk encryption protected by Trezor: https://github.com/trezor/python-trezor/blob/master/tools/encfs_aes_getpass.py This works only on Linux, but the concept can be implemented on any OS. There are plenty of possibilities how to integrate Trezor with all stuff directly, like PEM modules on Unix (ssh), Windows login, website authentication, email encryption and signatures etc. It's a really wide scope. Let's see how much interest in Trezor there'll be in the Bitcoin community first :-).
this is so cool! you're making the world a safer place ;-)

PGP key molecular F9B70769 fingerprint 9CDD C0D3 20F8 279F 6BE0 3F39 FC49 2362 F9B7 0769

Anon136
August 02, 2014, 08:33:35 PM
How far do you suppose one could take this thing?
In near future (except improving Trezor for bitcoin signing usage like BIP70 and multisig) we plan to turn Trezor into an identity management token, something similar to the failed myIDkey. Contrary to the megalomaniacal vision of myIDkey, we want to start with low hanging fruit and improve stuff as time goes. There's already a proof of concept for harddisk encryption protected by Trezor: https://github.com/trezor/python-trezor/blob/master/tools/encfs_aes_getpass.py This works only on Linux, but the concept can be implemented on any OS. There are plenty of possibilities how to integrate Trezor with all stuff directly, like PEM modules on Unix (ssh), Windows login, website authentication, email encryption and signatures etc. It's a really wide scope. Let's see how much interest in Trezor there'll be in the Bitcoin community first :-).
This is so much bigger than bitcoin. It's awesome though that you have bitcoin as a means to get your foot in the door. That will allow you to succeed where myIDkey failed. Technology like this could totally neutralize the surveillance state. You guys are going to change the world.

slush (OP)
August 02, 2014, 08:38:26 PM
Actually I started to worry about passwords and password management since the pool became a real business. Then I realized how weak all those tools for managing passwords are, from a security perspective.
Unfortunately even today, most users don't care about their passwords at all. I see this also on the pool, which has hundreds of thousands of accounts; lots and lots of mailboxes get hacked every day. (Fortunately the pool provides 2FA as well as wallet locking, but those are just workarounds for the fact that all password-based internet infrastructure is extremely weak.)
I really hope that if people have Trezor in their hands already, they'll start using its password management capability, if it is convenient enough...

TwinWinNerD
CEO Bitpanda.com
August 02, 2014, 08:41:45 PM
Actually I started to worry about passwords and password management since the pool became a real business. Then I realized how weak all those tools for managing passwords are, from a security perspective.
Unfortunately even today, most users don't care about their passwords at all. I see this also on the pool, which has hundreds of thousands of accounts; lots and lots of mailboxes get hacked every day. (Fortunately the pool provides 2FA as well as wallet locking, but those are just workarounds for the fact that all password-based internet infrastructure is extremely weak.)
I really hope that if people have Trezor in their hands already, they'll start using its password management capability, if it is convenient enough...
A bit offtopic, but wouldn't you say that Keepass 2 with all features enabled is good enough for the average private person? (Not talking about multi-million USD/BTC net-worth individuals)

Anon136
August 02, 2014, 08:51:22 PM
Actually I started to worry about passwords and password management since the pool became a real business. Then I realized how weak all those tools for managing passwords are, from a security perspective.
Unfortunately even today, most users don't care about their passwords at all. I see this also on the pool, which has hundreds of thousands of accounts; lots and lots of mailboxes get hacked every day. (Fortunately the pool provides 2FA as well as wallet locking, but those are just workarounds for the fact that all password-based internet infrastructure is extremely weak.)
I really hope that if people have Trezor in their hands already, they'll start using its password management capability, if it is convenient enough...
They don't care because security is hard. If you make it easy enough then they will. If you can make it even easier than actually typing in a password then they certainly will. It seems possible to make it easier than typing in a password, there is a certain amount of effort required in doing this. On the trezor all you have to do is press confirm right? You guys have done amazing work so far. At this point I have a great deal of confidence in your team. I really think you guys have a shot at fundamentally changing the way that people think about IT security.

slush (OP)
August 02, 2014, 08:52:31 PM
If I understand well, that would mean we should use the same seed for bitcoin and password, modified by a different passphrase to separate curves to not mix things. That would be better than my actual password policy.
No need for a separate curve. Thanks to BIP32, the room of possible keys from a single space is really huge. Of course passwords will use a different branch than private keys for bitcoin; for this reason we introduced BIP43/BIP44.
I have read that if we leak a single bip32 private key, all other keys can be disclosed. (I don't understand exactly how but it seems to be possible)
This is true, but traversing works only on the same level of the HD tree branch. However, Trezor never leaks private keys to the computer. It only uses internal private keys to actually encrypt/decrypt values provided by the computer. So this attack vector is not possible in Trezor. This is anyway a real attack vector for software which uses HD wallets but offers importing/exporting private keys. There you must be sure you don't leak the master public key AND a single private key. Again, this is not a valid case with Trezor.
I assume (but maybe I'm wrong) that if a compromised computer can have my encrypted password (blob in password manager), plus the decrypted password (sent by Trezor), it's possible to compute the private key
No, this is not possible.

molecular
August 02, 2014, 08:53:21 PM
I really hope that if people will have Trezor in their hands already, they'll start using its password management capability, if it will be convenient enough...
If convenient enough, I will definitely use it. EDIT: I love how Bitcoin (as a side-effect so to say) improves general security practices and raises awareness.

slush (OP)
August 02, 2014, 08:56:06 PM
On the trezor all you have to do is press confirm right?
Yes. Plus entering PIN for the first time since you connect Trezor to the computer (it remembers PIN authorization during power up cycle).
You guys have done amazing work so far. At this point I have a great deal of confidence in your team. I really think you guys have a shot at fundamentally changing the way that people think about IT security.
Thank you, we're doing our best. Maybe it's because we actually enjoy what we do as well :-). Not to say, this would not be possible without Trezor crowdfunding and I'm really glad that we did not disappoint all of those supporters :-).