Bitcoin Forum
November 01, 2024, 04:30:12 PM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: « 1 ... 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 [168] 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 ... 265 »
  Print  
Author Topic: [ESHOP launched] Trezor: Bitcoin hardware wallet  (Read 966156 times)
dnaleor
Legendary
*
Offline Offline

Activity: 1470
Merit: 1000


Want privacy? Use Monero!


View Profile
December 02, 2014, 09:00:31 PM
 #3341

Tonight, I was asisting someone with the setup of his Trezor through teamviewer.

I found out that I could NOT see the mouse moving when he chose his pin code !!

Very good programming  Cheesy

I doubt that's intentional.

No need to hide mouse moves anyway because the shuffling of the keyboard is only known to the device and to someone looking at its display at the time.


it happened multiple times
(2 times when setting the pin and one time when testing his first transaction)
Erdogan
Legendary
*
Offline Offline

Activity: 1512
Merit: 1005



View Profile
December 02, 2014, 09:05:07 PM
 #3342

What are the chances for a malware plugin to extract the private keys from the trezor while using it?
What are the chances for myTrezor.com if hacked to extract the private keys from the trezor while using it?

Can I setup my trezor without using myTrezor.com online wallet?

I don't get this:

"Tamas Blummer, CEO of Bits of Proof (BOP) adds: “I believe TREZOR users will appreciate the fact that their private keys are never transmitted from myTREZOR to the BOP Bitcoin Server. The transactions are signed purely in the TREZOR device. It is finally safe to use a web wallet, thanks to TREZOR and our BOP Bitcoin Server”."


Does this mean that myTREZOR.com have access to the private keys into the TREZOR device?

Is there a way to install the webwallet on a localhost webserver without the need to work on myTrezor.com if the website is down?

Thanks

No chance to steal the funds. The keys never leave the Trezor, only the signed transactions leave the Trezor. The crucial point is the Trezor's screen and its buttons. You see the transaction with the amount and the receiving address on the screen, and accept it with a button on the device. Smart programming from the Trezor's team makes it possible to enter pincode for the Trezor through the PC's keyboard, without revealing to the PC what the pin-code is. Also the seed can be reentered into the Trezor via the PC without revealing the seed to the PC, if there is a need to load the old seed into a backup trezor.

Some other information could leak out, your addresses and possibly your xpub keys, to the PC or to the mytrezor website.

LOBSTER
Hero Member
*****
Offline Offline

Activity: 560
Merit: 500


View Profile
December 02, 2014, 09:11:23 PM
 #3343

What are the chances for a malware plugin to extract the private keys from the trezor while using it?
What are the chances for myTrezor.com if hacked to extract the private keys from the trezor while using it?

Can I setup my trezor without using myTrezor.com online wallet?

I don't get this:

"Tamas Blummer, CEO of Bits of Proof (BOP) adds: “I believe TREZOR users will appreciate the fact that their private keys are never transmitted from myTREZOR to the BOP Bitcoin Server. The transactions are signed purely in the TREZOR device. It is finally safe to use a web wallet, thanks to TREZOR and our BOP Bitcoin Server”."


Does this mean that myTREZOR.com have access to the private keys into the TREZOR device?

Is there a way to install the webwallet on a localhost webserver without the need to work on myTrezor.com if the website is down?

Thanks

No chance to steal the funds. The keys never leave the Trezor, only the signed transactions leave the Trezor. The crucial point is the Trezor's screen and its buttons. You see the transaction with the amount and the receiving address on the screen, and accept it with a button on the device. Smart programming from the Trezor's team makes it possible to enter pincode for the Trezor through the PC's keyboard, without revealing to the PC what the pin-code is. Also the seed can be reentered into the Trezor via the PC without revealing the seed to the PC, if there is a need to load the old seed into a backup trezor.

Some other information could leak out, your addresses and possibly your xpub keys, to the PC or to the mytrezor website.



You should only recover it if it's connected to an offline computer (preferred Ubuntu).
qawzsx
Sr. Member
****
Offline Offline

Activity: 280
Merit: 250

NOT FUD! FACTS!


View Profile
December 02, 2014, 09:12:10 PM
 #3344

What are the chances for a malware plugin to extract the private keys from the trezor while using it?
What are the chances for myTrezor.com if hacked to extract the private keys from the trezor while using it?

Can I setup my trezor without using myTrezor.com online wallet?

I don't get this:

"Tamas Blummer, CEO of Bits of Proof (BOP) adds: “I believe TREZOR users will appreciate the fact that their private keys are never transmitted from myTREZOR to the BOP Bitcoin Server. The transactions are signed purely in the TREZOR device. It is finally safe to use a web wallet, thanks to TREZOR and our BOP Bitcoin Server”."


Does this mean that myTREZOR.com have access to the private keys into the TREZOR device?

Is there a way to install the webwallet on a localhost webserver without the need to work on myTrezor.com if the website is down?

Thanks

No chance to steal the funds. The keys never leave the Trezor, only the signed transactions leave the Trezor. The crucial point is the Trezor's screen and its buttons. You see the transaction with the amount and the receiving address on the screen, and accept it with a button on the device. Smart programming from the Trezor's team makes it possible to enter pincode for the Trezor through the PC's keyboard, without revealing to the PC what the pin-code is. Also the seed can be reentered into the Trezor via the PC without revealing the seed to the PC, if there is a need to load the old seed into a backup trezor.

Some other information could leak out, your addresses and possibly your xpub keys, to the PC or to the mytrezor website.



You should only recover it if it's connected to an offline computer (preferred Ubuntu).

Well, since it's offline, OS should not matter that much Smiley
Mr. Spock
Newbie
*
Offline Offline

Activity: 9
Merit: 0


View Profile
December 02, 2014, 09:14:06 PM
 #3345

There are zero chances of anything other than a lot of time with an electron microscope to extract private keys from the device. IIRC.
Can someone estimate how many bitcoins your TREZOR must hold to be worth this immense effort?
chrisrico
Hero Member
*****
Offline Offline

Activity: 496
Merit: 500


View Profile
December 02, 2014, 09:15:54 PM
 #3346

You should only recover it if it's connected to an offline computer (preferred Ubuntu).

Note that the Trezor asks for the seed words in random order. There are 24! different combinations of the seed words, only one of which is valid. An attacker would still have to try on average half of the 620,448,401,733,239,439,360,000 possible combinations, which would take quite some time (by design). Using an offline computer for recovery is only necessary when you want to keep using the same seed. If you lost your Trezor, you should switch seeds anyway, and using an offline computer to move the funds is perfectly safe.
chrisrico
Hero Member
*****
Offline Offline

Activity: 496
Merit: 500


View Profile
December 02, 2014, 09:17:16 PM
 #3347

Can someone estimate how many bitcoins your TREZOR must hold to be worth this immense effort?

Yes, if the person has access to the Trezor, they can see the extended public keys and calculate the value held by the device. I'm not sure if this is true if a passphrase is used, since it is concatenated with the seed.
Erdogan
Legendary
*
Offline Offline

Activity: 1512
Merit: 1005



View Profile
December 02, 2014, 09:17:21 PM
 #3348

What are the chances for a malware plugin to extract the private keys from the trezor while using it?
What are the chances for myTrezor.com if hacked to extract the private keys from the trezor while using it?

Can I setup my trezor without using myTrezor.com online wallet?

I don't get this:

"Tamas Blummer, CEO of Bits of Proof (BOP) adds: “I believe TREZOR users will appreciate the fact that their private keys are never transmitted from myTREZOR to the BOP Bitcoin Server. The transactions are signed purely in the TREZOR device. It is finally safe to use a web wallet, thanks to TREZOR and our BOP Bitcoin Server”."


Does this mean that myTREZOR.com have access to the private keys into the TREZOR device?

Is there a way to install the webwallet on a localhost webserver without the need to work on myTrezor.com if the website is down?

Thanks

No chance to steal the funds. The keys never leave the Trezor, only the signed transactions leave the Trezor. The crucial point is the Trezor's screen and its buttons. You see the transaction with the amount and the receiving address on the screen, and accept it with a button on the device. Smart programming from the Trezor's team makes it possible to enter pincode for the Trezor through the PC's keyboard, without revealing to the PC what the pin-code is. Also the seed can be reentered into the Trezor via the PC without revealing the seed to the PC, if there is a need to load the old seed into a backup trezor.

Some other information could leak out, your addresses and possibly your xpub keys, to the PC or to the mytrezor website.



You should only recover it if it's connected to an offline computer (preferred Ubuntu).

Well, the Trezor system protects the seed during recovery, so no, that should not be nezessary.

You could look for hidden cameras in the room, or hide yourself and the PC under a blanket, if you want more security.
LOBSTER
Hero Member
*****
Offline Offline

Activity: 560
Merit: 500


View Profile
December 02, 2014, 09:28:36 PM
 #3349

What are the chances for a malware plugin to extract the private keys from the trezor while using it?
What are the chances for myTrezor.com if hacked to extract the private keys from the trezor while using it?

Can I setup my trezor without using myTrezor.com online wallet?

I don't get this:

"Tamas Blummer, CEO of Bits of Proof (BOP) adds: “I believe TREZOR users will appreciate the fact that their private keys are never transmitted from myTREZOR to the BOP Bitcoin Server. The transactions are signed purely in the TREZOR device. It is finally safe to use a web wallet, thanks to TREZOR and our BOP Bitcoin Server”."


Does this mean that myTREZOR.com have access to the private keys into the TREZOR device?

Is there a way to install the webwallet on a localhost webserver without the need to work on myTrezor.com if the website is down?

Thanks

No chance to steal the funds. The keys never leave the Trezor, only the signed transactions leave the Trezor. The crucial point is the Trezor's screen and its buttons. You see the transaction with the amount and the receiving address on the screen, and accept it with a button on the device. Smart programming from the Trezor's team makes it possible to enter pincode for the Trezor through the PC's keyboard, without revealing to the PC what the pin-code is. Also the seed can be reentered into the Trezor via the PC without revealing the seed to the PC, if there is a need to load the old seed into a backup trezor.

Some other information could leak out, your addresses and possibly your xpub keys, to the PC or to the mytrezor website.



You should only recover it if it's connected to an offline computer (preferred Ubuntu).

Well, the Trezor system protects the seed during recovery, so no, that should not be nezessary.

You could look for hidden cameras in the room, or hide yourself and the PC under a blanket, if you want more security.


Just chillin in my dark cellar Cheesy Maybe it's too excessive...
AussieHash
Hero Member
*****
Offline Offline

Activity: 692
Merit: 500



View Profile
December 02, 2014, 09:54:21 PM
 #3350

Just chillin in my dark cellar Cheesy Maybe it's too excessive...

I hope you remembered step 6
 http://www.reddit.com/r/Bitcoin/comments/1e4b9s/the_only_truly_secure_way_to_use_bitcoin_from_a/
JorgeStolfi
Hero Member
*****
Offline Offline

Activity: 910
Merit: 1003



View Profile
December 03, 2014, 01:02:43 AM
 #3351

There are zero chances of anything other than a lot of time with an electron microscope to extract private keys from the device. IIRC.
Can someone estimate how many bitcoins your TREZOR must hold to be worth this immense effort?

If the thief were to buy the necessary equipment, I would guess that it would cost at least tens of thousands of dollars, perhaps hundreds of thousands. (For starters, he would have to drill open the processor chip's enclosure without damaging the chip itself. That would require a good microscope, a super-steady drill, micromanipulators...)  Therefore, that attack would be profitable only if the expected payoff was in the thousands of BTC.

However, the thief may be able to "borrow" the equipment from some physics or microelectronics research lab.  In that case, the thief may be willing to attack smaller targets.

Academic interest in bitcoin only. Not owner, not trader, very skeptical of its longterm success.
AussieHash
Hero Member
*****
Offline Offline

Activity: 692
Merit: 500



View Profile
December 03, 2014, 01:32:48 AM
Last edit: December 03, 2014, 01:54:02 AM by AussieHash
 #3352

The hardware attack has been discussed by stick and slush
http://www.reddit.com/r/Bitcoin/comments/2cj620/trezor_is_an_isolated_environment_for_offline/cjg04wz

As well as addressed in their FAQ
http://doc.satoshilabs.com/trezor-faq/threats.html

Btchip references in the "physical security" popup a 30c3 presentation on extracting private data from FPGAs
https://hardwarewallet.com

Your attacker needs to have the skill of chipworks
http://www.chipworks.com/en/technical-competitive-analysis/resources/blog/inside-the-a7/

There were others who tried to deroof Apple CPUs which looked more like Apple Maps satellite imagery (blurry)
Edit : I can't find the old links now, but there were far less skillful CPU dissections than these at the time.
http://www.eetimes.com/document.asp?doc_id=1256680
kkurtmann
Sr. Member
****
Offline Offline

Activity: 475
Merit: 250



View Profile WWW
December 03, 2014, 04:04:38 AM
 #3353

What are the chances for a malware plugin to extract the private keys from the trezor while using it?
What are the chances for myTrezor.com if hacked to extract the private keys from the trezor while using it?

Can I setup my trezor without using myTrezor.com online wallet?

I don't get this:

"Tamas Blummer, CEO of Bits of Proof (BOP) adds: “I believe TREZOR users will appreciate the fact that their private keys are never transmitted from myTREZOR to the BOP Bitcoin Server. The transactions are signed purely in the TREZOR device. It is finally safe to use a web wallet, thanks to TREZOR and our BOP Bitcoin Server”."


Does this mean that myTREZOR.com have access to the private keys into the TREZOR device?

Is there a way to install the webwallet on a localhost webserver without the need to work on myTrezor.com if the website is down?

Thanks

No chance to steal the funds. The keys never leave the Trezor, only the signed transactions leave the Trezor. The crucial point is the Trezor's screen and its buttons. You see the transaction with the amount and the receiving address on the screen, and accept it with a button on the device. Smart programming from the Trezor's team makes it possible to enter pincode for the Trezor through the PC's mouse, without revealing to the PC what the pin-code is. Also the seed can be reentered into the Trezor via the PC without revealing the seed to the PC, if there is a need to load the old seed into a backup trezor.

Some other information could leak out, your addresses and possibly your xpub keys, to the PC or to the mytrezor website.



FTFY

https://www.buytrezor.com?a=55c37b866c11   well sir, I like it!
kkurtmann
Sr. Member
****
Offline Offline

Activity: 475
Merit: 250



View Profile WWW
December 03, 2014, 05:37:06 AM
 #3354

There are zero chances of anything other than a lot of time with an electron microscope to extract private keys from the device. IIRC.

I don't know about the electron microscope specifically, but surely one can do it with suitable scientific equipment. Not with something that you but at Radio Shack, though.

Surely the suitable scientific equipment you are referring to, is the Electron Microscope, and nothing less.

https://www.buytrezor.com?a=55c37b866c11   well sir, I like it!
Mickeyb
Hero Member
*****
Offline Offline

Activity: 798
Merit: 1000

Move On !!!!!!


View Profile
December 03, 2014, 07:46:42 AM
 #3355

What are the chances for a malware plugin to extract the private keys from the trezor while using it?
What are the chances for myTrezor.com if hacked to extract the private keys from the trezor while using it?

Can I setup my trezor without using myTrezor.com online wallet?

I don't get this:

"Tamas Blummer, CEO of Bits of Proof (BOP) adds: “I believe TREZOR users will appreciate the fact that their private keys are never transmitted from myTREZOR to the BOP Bitcoin Server. The transactions are signed purely in the TREZOR device. It is finally safe to use a web wallet, thanks to TREZOR and our BOP Bitcoin Server”."


Does this mean that myTREZOR.com have access to the private keys into the TREZOR device?

Is there a way to install the webwallet on a localhost webserver without the need to work on myTrezor.com if the website is down?

Thanks

No chance to steal the funds. The keys never leave the Trezor, only the signed transactions leave the Trezor. The crucial point is the Trezor's screen and its buttons. You see the transaction with the amount and the receiving address on the screen, and accept it with a button on the device. Smart programming from the Trezor's team makes it possible to enter pincode for the Trezor through the PC's keyboard, without revealing to the PC what the pin-code is. Also the seed can be reentered into the Trezor via the PC without revealing the seed to the PC, if there is a need to load the old seed into a backup trezor.

Some other information could leak out, your addresses and possibly your xpub keys, to the PC or to the mytrezor website.



You should only recover it if it's connected to an offline computer (preferred Ubuntu).

Well, the Trezor system protects the seed during recovery, so no, that should not be nezessary.

You could look for hidden cameras in the room, or hide yourself and the PC under a blanket, if you want more security.


Ha ha a good one!!  Smiley
Mickeyb
Hero Member
*****
Offline Offline

Activity: 798
Merit: 1000

Move On !!!!!!


View Profile
December 03, 2014, 07:52:15 AM
 #3356


This is freaking awesome!! I will be sharing this!! Smiley

On a more serious note, you can do as suggested or simply use Trezor!! Smiley
Erdogan
Legendary
*
Offline Offline

Activity: 1512
Merit: 1005



View Profile
December 03, 2014, 09:48:25 AM
 #3357

What are the chances for a malware plugin to extract the private keys from the trezor while using it?
What are the chances for myTrezor.com if hacked to extract the private keys from the trezor while using it?

Can I setup my trezor without using myTrezor.com online wallet?

I don't get this:

"Tamas Blummer, CEO of Bits of Proof (BOP) adds: “I believe TREZOR users will appreciate the fact that their private keys are never transmitted from myTREZOR to the BOP Bitcoin Server. The transactions are signed purely in the TREZOR device. It is finally safe to use a web wallet, thanks to TREZOR and our BOP Bitcoin Server”."


Does this mean that myTREZOR.com have access to the private keys into the TREZOR device?

Is there a way to install the webwallet on a localhost webserver without the need to work on myTrezor.com if the website is down?

Thanks

No chance to steal the funds. The keys never leave the Trezor, only the signed transactions leave the Trezor. The crucial point is the Trezor's screen and its buttons. You see the transaction with the amount and the receiving address on the screen, and accept it with a button on the device. Smart programming from the Trezor's team makes it possible to enter pincode for the Trezor through the PC's keyboard, without revealing to the PC what the pin-code is. Also the seed can be reentered into the Trezor via the PC without revealing the seed to the PC, if there is a need to load the old seed into a backup trezor.

Some other information could leak out, your addresses and possibly your xpub keys, to the PC or to the mytrezor website.



You should only recover it if it's connected to an offline computer (preferred Ubuntu).

Well, the Trezor system protects the seed during recovery, so no, that should not be nezessary.

You could look for hidden cameras in the room, or hide yourself and the PC under a blanket, if you want more security.


Ha ha a good one!!  Smiley

Yep, the Trezor is that good.

It was not a joke anyway, ask Snowden about it.
JorgeStolfi
Hero Member
*****
Offline Offline

Activity: 910
Merit: 1003



View Profile
December 03, 2014, 10:06:11 AM
 #3358

There are zero chances of anything other than a lot of time with an electron microscope to extract private keys from the device. IIRC.

I don't know about the electron microscope specifically, but surely one can do it with suitable scientific equipment. Not with something that you but at Radio Shack, though.

Surely the suitable scientific equipment you are referring to, is the Electron Microscope, and nothing less.

I suppose you are right, for the readout.  I was thinking of the first step, exposing the chip.

Academic interest in bitcoin only. Not owner, not trader, very skeptical of its longterm success.
cor
Full Member
***
Offline Offline

Activity: 121
Merit: 100



View Profile WWW
December 03, 2014, 05:02:26 PM
 #3359

new link to our AMA: http://bit.ly/1FMZYO2

LOBSTER
Hero Member
*****
Offline Offline

Activity: 560
Merit: 500


View Profile
December 03, 2014, 05:09:55 PM
 #3360

new link to our AMA: http://bit.ly/1FMZYO2

That's great. Will ask my questions there Wink
Pages: « 1 ... 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 [168] 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 ... 265 »
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!