[ESHOP launched] Trezor: Bitcoin hardware wallet

[BurtW]

Can i ask you what you think about that cheaper product: https://buy.hardwarewallet.com/hw1shop/#shop

I will get one, test it, and report back.

[1713506650]

1713506650

[1713506650]

1713506650

[1713506650]

1713506650

[btchip]

Can i ask you what you think about that cheaper product: https://buy.hardwarewallet.com/hw1shop/#shop

1) no screen to verify transactions. If the PC fed it incorrect payment info it would sign it - whereas a trezor requires you to confirm the address and amount shown on its screen and click the OK button

Right. If the PC is compromised (which is the only justification to have a hardware wallet), the security of that thing is zero.  Expect sad histories soon...

Please check http://www.reddit.com/r/Bitcoin/comments/2ge6eo/new_usb_hardware_wallet_available_to_buy/ckiojig - also a better place for BTChip questions is here - http://bitcointalk.org/index.php?topic=134999.0

and for a short unbiaised answer comparing Trezor and BTChip : buy both  

[BurtW]

Can i ask you what you think about that cheaper product: https://buy.hardwarewallet.com/hw1shop/#shop

I will get one, test it, and report back.

Ordered.

1) Turns out to not be that much cheaper given the lack of a screen, which I think is a great feature. 
2) I am in the US and they suggested registered mail so I did that - it would have been cheaper with regular mail.

Trezor:  $119 worldwide shipping included
HW-1:   $39 after adding registered shipping *


* Normally this is the cost of one device with registered shipping however they are currently running a special so I got two devices for this price.

I will check them out when I get them and report back here.

[keithers]

Is the metal model still available for purchase?

As is answered twice per page no, and it probably never will be.

I wish they would put them up for sale for a higher price.   I would pay 2x the regular price for a metal one, just because I like the way it looks. 

Early supporters of the project payed 3x the regular price for them. I'd rather not see them on sale like that. That'd be a shot in the back of early supporters.

Yeah you are right. I would still pay 3x for it though...

Buy plastic one and pay somebody to do the case for you. slush mentioned it's mostly manual work anyway and plastic is almost for free...

I already have a plastic one.  I am looking to buy another one as a backup, in case I have issues with the one that I already have.   To be honest, I don't plug it into the computer all that often (I just use it as a watch only wallet), so I hope it just works for a long time.

I always like to have a backup of everything just in case.   I don't want to have an issue and then have to order one and wait...

[LivTru]

I need help getting my wallet working again.

I am having a software bug on multiple windows machines with different browsers (Chrome and Firefox). I have cleared cache and re-downloaded the plugin.

When going to the mytrezor website after having linked the trezor hardware device, java script is locking up when trying to numerate transactions.

I am able to run debug in Firefox and it is pointing to line 7 in the eac5c812.libs.js.

I have tried support@bitcointrezor.com but their bouncing my emails for some reason.

Anyone having issues?

[molecular]

Can i ask you what you think about that cheaper product: https://buy.hardwarewallet.com/hw1shop/#shop
I was buyed Trezor and i'm very happy,but today i saw that decision and i think that this will reflect to your sales becouse of the price.Do ypu think that Trezor is more secured than that piece hardware?Please answer,becouse i try to advertise your product,but peoples look the price on the first time.
Thank you.
If you think that this is not for your thread -just delete it.

it seems to achieve the same thing, but i see a few shortcomings:
1) no screen to verify transactions. If the PC fed it incorrect payment info it would sign it - whereas a trezor requires you to confirm the address and amount shown on its screen and click the OK button
2) I dont see any PIN protection for payments
3) I dont see any password capabilities, or the capability to run multiple totally seperate wallets on it like the trezor can (using a different pw for each)

I have one of these and tested it extensively with electrum.

1.) It has no screen but offers a "hardened mode" which requires you to plug it into another computer (or the same one). It will emulate a keyboard and tell you the transaction info and a one-time PIN which you'll have to enter after re-plugging again into the main computer with the wallet. It's way less elegant than trezor in this regard, but this protects against malware sneaking in attackers address.

2.) The devices requires the user to enter a PIN. If entered wrongly 3 times, device will delete wallet info.

3.) Correct. No "plausible deniability" possible like with trezor. You have one wallet and that only has one account (with unlimited number of addresses, though). I think it's bip32 limited to 1 account.

For the price it offers quite good security. It's a little more cumbersome to use securely than the trezor because of the lacking display (you need a second computer). Also: the tech is closed-source (smart card), so you have to have some additional trust there. All in all a good low cost alternative, though, I would say.

sorry for OT, thanks btchip for linking the thread above.

[klondike_bar]

Can i ask you what you think about that cheaper product: https://buy.hardwarewallet.com/hw1shop/#shop
I was buyed Trezor and i'm very happy,but today i saw that decision and i think that this will reflect to your sales becouse of the price.Do ypu think that Trezor is more secured than that piece hardware?Please answer,becouse i try to advertise your product,but peoples look the price on the first time.
Thank you.
If you think that this is not for your thread -just delete it.

it seems to achieve the same thing, but i see a few shortcomings:
1) no screen to verify transactions. If the PC fed it incorrect payment info it would sign it - whereas a trezor requires you to confirm the address and amount shown on its screen and click the OK button
2) I dont see any PIN protection for payments
3) I dont see any password capabilities, or the capability to run multiple totally seperate wallets on it like the trezor can (using a different pw for each)

I have one of these and tested it extensively with electrum.

1.) It has no screen but offers a "hardened mode" which requires you to plug it into another computer (or the same one). It will emulate a keyboard and tell you the transaction info and a one-time PIN which you'll have to enter after re-plugging again into the main computer with the wallet. It's way less elegant than trezor in this regard, but this protects against malware sneaking in attackers address.

2.) The devices requires the user to enter a PIN. If entered wrongly 3 times, device will delete wallet info.

3.) Correct. No "plausible deniability" possible like with trezor. You have one wallet and that only has one account (with unlimited number of addresses, though). I think it's bip32 limited to 1 account.

For the price it offers quite good security. It's a little more cumbersome to use securely than the trezor because of the lacking display (you need a second computer). Also: the tech is closed-source (smart card), so you have to have some additional trust there. All in all a good low cost alternative, though, I would say.

sorry for OT, thanks btchip for linking the thread above.

1) thats insane. If i want to send a transaction with the same security as a trezor I need to purchase a second computer , then boot it up everytime i want to send a transaction. no thanks.
2) again, this seems like a silly method. trezor's exponentially-increasing time to retry your pin combo is a much better idea. how can you back up and restore your wallet info on these things?

the closed-source hardware is the cherry on top - that device needs some serious improvement and is currently nowhere near the ease and reliability of a trezor

[JorgeStolfi]

1.) It has no screen but offers a "hardened mode" which requires you to plug it into another computer (or the same one). It will emulate a keyboard and tell you the transaction info and a one-time PIN which you'll have to enter after re-plugging again into the main computer with the wallet. It's way less elegant than trezor in this regard, but this protects against malware sneaking in attackers address.

If you plug into the same computer, which is compromised, the malware could intercept the keyboard signals coming from the device and replace the transaction details shown to the user, while retaining the PIN.  Or is there a protection against that?

Hardware wallets are supposed to be most useful when one is traveling and must use a computer provided by the local shop, hotel, guide, cybercafe, etc..  In those scenarios, there is the possiility that the PC has malicious hardware as well as malicious software, that the devce will be stolen after the use, and that there are hidden cameras watching over the user's shoulder.   One should make sure that they are safe in that scenario.

2.) The devices requires the user to enter a PIN. If entered wrongly 3 times, device will delete wallet info.

I understand that it is a fixed PIN that must be entered in "non-hardened mode", or before starting the "hardened mode" procedure; correct?  In that case, if malware on the computer captures that PIN, and the device is stolen some time later, would that captured PIN enable the thief to use the device?

3 times is too few...
1. I forget that I changed the PIN, and I enter the old one.  Rejected.
2. I assume that I mis-typed the PIN, and I enter again the old one, carefully.  Rejected.
Now I have only one chance to remember that I changed the PIN and enter it correctly.  As time goes on, there may well be a half a dozen cases of erased wallets for every 1000 devices sold.

[instagibbs]

http://www.reddit.com/r/Bitcoin/comments/2hxc4p/trezors_bootloader_is_closed_source_please_open/ 

Any responses by the Trezor team out there?

[btchip]

1) thats insane. If i want to send a transaction with the same security as a trezor I need to purchase a second computer , then boot it up everytime i want to send a transaction. no thanks.

works with everything supporting a HID keyboard - so phone, TV box, whatever.

2) again, this seems like a silly method. trezor's exponentially-increasing time to retry your pin combo is a much better idea. how can you back up and restore your wallet info on these things?

you can back up the seed when your start using the device.

the closed-source hardware is the cherry on top - that device needs some serious improvement and is currently nowhere near the ease and reliability of a trezor

please continue discussing BTChip on the proper thread : http://bitcointalk.org/index.php?topic=134999.0

If you plug into the same computer, which is compromised, the malware could intercept the keyboard signals coming from the device and replace the transaction details shown to the user, while retaining the PIN.  Or is there a protection against that?

How could there even be a protection against that ? It just raises the malware complexity from an application malware to a full OS compromise.

Hardware wallets are supposed to be most useful when one is traveling and must use a computer provided by the local shop, hotel, guide, cybercafe, etc..  In those scenarios, there is the possiility that the PC has malicious hardware as well as malicious software, that the devce will be stolen after the use, and that there are hidden cameras watching over the user's shoulder.   One should make sure that they are safe in that scenario.

then just use the next computer sitting nearby to view the second factor. Works well in a cybercafe and a hotel.

I understand that it is a fixed PIN that must be entered in "non-hardened mode", or before starting the "hardened mode" procedure; correct?  In that case, if malware on the computer captures that PIN, and the device is stolen some time later, would that captured PIN enable the thief to use the device?

yes, the PIN is not an anti malware protection, it's an anti theft protection.

3 times is too few...

seems to work ok for the banking card industry.

also please continue discussing BTChip on the proper thread : http://bitcointalk.org/index.php?topic=134999.0

[keithers]

1.) It has no screen but offers a "hardened mode" which requires you to plug it into another computer (or the same one). It will emulate a keyboard and tell you the transaction info and a one-time PIN which you'll have to enter after re-plugging again into the main computer with the wallet. It's way less elegant than trezor in this regard, but this protects against malware sneaking in attackers address.

If you plug into the same computer, which is compromised, the malware could intercept the keyboard signals coming from the device and replace the transaction details shown to the user, while retaining the PIN.  Or is there a protection against that?

Hardware wallets are supposed to be most useful when one is traveling and must use a computer provided by the local shop, hotel, guide, cybercafe, etc..  In those scenarios, there is the possiility that the PC has malicious hardware as well as malicious software, that the devce will be stolen after the use, and that there are hidden cameras watching over the user's shoulder.   One should make sure that they are safe in that scenario.

2.) The devices requires the user to enter a PIN. If entered wrongly 3 times, device will delete wallet info.

I understand that it is a fixed PIN that must be entered in "non-hardened mode", or before starting the "hardened mode" procedure; correct?  In that case, if malware on the computer captures that PIN, and the device is stolen some time later, would that captured PIN enable the thief to use the device?

3 times is too few...
1. I forget that I changed the PIN, and I enter the old one.  Rejected.
2. I assume that I mis-typed the PIN, and I enter again the old one, carefully.  Rejected.
Now I have only one chance to remember that I changed the PIN and enter it correctly.  As time goes on, there may well be a half a dozen cases of erased wallets for every 1000 devices sold.

In the scenario above, how would we go about using our trezor abroad, when we are required to install a browser plug in to use the wallet?   Many public computers do not allow you to install anything on the computer...

[Perlover]

Wishes are quite obvious. But we have a limited workforce :-/ So there are two options basically:
* either we sell enough TREZORs so we can fund more developers
* or someone from the community picks up

May be third option:
* Trezor's team opens a bitcoin address for crowdfunding.

I would to send some money for this ;-)

[instagibbs]

Guys let's move the btchip discussion to their thread please.

Far off-topic.

[Perlover]

Hi,

In last time i regulary got from somebody one satoshi (0.00000001 BTC) if i use new address for input bitcoin
I think it's new spam (addresses from bitcoins have a comment at blockchain.info) in bitcoin.
Example of same address (who sends) is:
https://blockchain.info/en/address/16JLbXYe5xmxGNX8hiqooyTUJnhitNNqTh

But problem is that the Trezor doesn't use like these small inputs (0.00000001 BTC) for outputs of new transaction.
I got 2x same 0.00000001 BTC in two other addresses of one BIP44 account in the Trezor. After this i tried to move all money from account but i cannot move all moneys. The maximum allowed sum by myTREZOR.com for money moving from account was "full balance - 2 * 0.00000001" BTC. When i did a payment from account i saw addresses in account where were addresses with one satoshie. It's annoying and can cause problems with people not understanding - "why i cannot use all money?".

Can the Trezor use all inputs for outgoing transactions? I think there (myTREZOR.com) is minimum for transaction inputs.

[cbeast]

To segue the conversation from the btchip, I do like the form factor and cheapness. I could see using them for signing multisig transactions. I would only trust the Trezor for transmitting the transaction to the blockchain. Maybe they could sell a set of the smaller USB chips with a multisig enabled Trezor.

[stick]

Can the Trezor use all inputs for outgoing transactions? I think there (myTREZOR.com) is minimum for transaction inputs.

It's not worth using them. It creates a bigger transaction and you'll end up paying more in the end (because the transaction fee will be higher).

[BurtW]

Hi,

In last time i regulary got from somebody one satoshi (0.00000001 BTC) if i use new address for input bitcoin
I think it's new spam (addresses from bitcoins have a comment at blockchain.info) in bitcoin.
Example of same address (who sends) is:
https://blockchain.info/en/address/16JLbXYe5xmxGNX8hiqooyTUJnhitNNqTh

But problem is that the Trezor doesn't use like these small inputs (0.00000001 BTC) for outputs of new transaction.
I got 2x same 0.00000001 BTC in two other addresses of one BIP44 account in the Trezor. After this i tried to move all money from account but i cannot move all moneys. The maximum allowed sum by myTREZOR.com for money moving from account was "full balance - 2 * 0.00000001" BTC. When i did a payment from account i saw addresses in account where were addresses with one satoshie. It's annoying and can cause problems with people not understanding - "why i cannot use all money?".

Can the Trezor use all inputs for outgoing transactions? I think there (myTREZOR.com) is minimum for transaction inputs.

You should be able to send the entire balance of your Trezor off to another wallet and it should pick up all the small inputs as long as the total you are sending is larger and you pay the fee.  I had a very small amount stuck once so I added 1 BTC to the wallet then sent the entire balance of the wallet (the one BTC I added plus the dust) out to another wallet and was able to "clean up" the entire wallet.  At that point I reinitialized the whole Trezor and started over.

Can the Trezor use all inputs for outgoing transactions? I think there (myTREZOR.com) is minimum for transaction inputs.

It's not worth using them. It creates a bigger transaction and you'll end up paying more in the end (because the transaction fee will be higher).

I know it was silly to pay more than the value of the dust in order to clean it up, but that is what I did.  Probably some sort of weird character flaw.

[JorgeStolfi]

please continue discussing BTChip on the proper thread : http://bitcointalk.org/index.php?topic=134999.0

That thread is moderated by the manufacturer.  Nothing against BTCchip specifically, but product criticisms are often deleted in such threads.  Inasmuch as criticisms of BTCchip are indirect endorsements of Trezor, its seems safer to post them here. 

If you plug into the same computer, which is compromised, the malware could intercept the keyboard signals coming from the device and replace the transaction details shown to the user, while retaining the PIN.  Or is there a protection against that?

How could there even be a protection against that ? It just raises the malware complexity from an application malware to a full OS compromise.

If you are using someone else's computer, a hacked OS is no big deal.  Ditto if the malware was installed in your computer by someone hacking into it with root access. 

The Trezor seems to protect against that risk, since the transaction details are displayed on the Trezor's screen and confirmed there.

(Neither device will protect against the user copying or scanning the wrong payment address from merchant's homepage that was hacked --- at the server, by IP/URL spoofing, or by a compromised browser.  For that, the user must be careful to get the address from a secure source that cannot be easily hacked.)

Hardware wallets are supposed to be most useful when one is traveling and must use a computer provided by the local shop, hotel, guide, cybercafe, etc..  In those scenarios, there is the possiility that the PC has malicious hardware as well as malicious software, that the devce will be stolen after the use, and that there are hidden cameras watching over the user's shoulder.   One should make sure that they are safe in that scenario.

Then just use the next computer sitting nearby to view the second factor. Works well in a cybercafe and a hotel.

I am not clear yet on how BTCchip works, but if one computer in such a place is compromised, there is a high chance that all of them are.  Especially if (a) the computer was compromised specifically to steal bitcoins from BTCchips (which is the assumption), or (b) the hacker may be an employee of the place.

I understand that it is a fixed PIN that must be entered in "non-hardened mode", or before starting the "hardened mode" procedure; correct?  In that case, if malware on the computer captures that PIN, and the device is stolen some time later, would that captured PIN enable the thief to use the device?

yes, the PIN is not an anti malware protection, it's an anti theft protection.

If someone suspects the theft of his a chip-enabled credit/debit card, he may worry that the PIN was captured visually (by a camera or someone looking over his shoulder) or by a doctored handheld terminal.

If that happens to a Trezor user, he should worry only if there is a chance that the PIN was captured visually from the Trezor screen. 

If that happens to a BTCchip user, he should worry that the PIN may have been captured visually from the computer's keyboard, OR by a keylogger in the computer.

However, the credit/debit card user can call the company to cancel it, and there is a good chance that it will be canceled before the thief has a chance to get value out of the card.    With both the Trezor and the BTCchip, if the device is stolen after the thief got the PIN, the coins will probably be gone before the user gets the chance to move them.

Stealing bitcoins by hacking may become a big issue, if it is not already.  Even if if the probability of success of some hacking attack mode is 0.1% or less, the per-target cost of such an attack is small, thousands of computers can be hacked automatically, and the payoff from one successful attemp may be quite substantial.  See that Australian guy who was recently hacked out of 750 BTC, almost 300'000 USD. Note that the malware may be programmed to act only if the wallet has a large enough sum. 

Hardware wallets surely improve the security, but substantial risk will remain.  Malicious hackers will be strongly motivated to use all their ingenuity to overcome the device's protections. 

[btchip]

please continue discussing BTChip on the proper thread : http://bitcointalk.org/index.php?topic=134999.0

That thread is moderated by the manufacturer.  Nothing against BTCchip specifically, but product criticisms are often deleted in such threads.  Inasmuch as criticisms of BTCchip are indirect endorsements of Trezor, its seems safer to post them here. 

It's not moderated, and your conclusion is wrong. Repost in that thread, I don't bite 

I'll just address the generic part of the post

Hardware wallets surely improve the security, but substantial risk will remain.  Malicious hackers will be strongly motivated to use all their ingenuity to overcome the device's protections. 

your main concern seems to be the non-reversability of a bitcoin transaction, nothing related to hardware wallets.

[DoomDumas]

Wow.. Gratz mr Palatinus...  im proud of your acheivement..  first one to create a pool.. and first really reliable and commercialized hardware wallet...

Thank you very much for all those years of hardwork and for keeping the good work until the end and further more     you're my best..

Have a nice life Slush