dnaleor
December 02, 2014, 09:00:31 PM
>> Tonight, I was assisting someone with the setup of his Trezor through TeamViewer. I found out that I could NOT see the mouse moving when he chose his pin code !! Very good programming
> I doubt that's intentional. No need to hide mouse moves anyway because the shuffling of the keyboard is only known to the device and to someone looking at its display at the time.

It happened multiple times (2 times when setting the pin and one time when testing his first transaction)

Erdogan
December 02, 2014, 09:05:07 PM
> What are the chances for a malware plugin to extract the private keys from the trezor while using it? What are the chances for myTrezor.com if hacked to extract the private keys from the trezor while using it?
> Can I setup my trezor without using myTrezor.com online wallet?
> I don't get this:
> "Tamas Blummer, CEO of Bits of Proof (BOP) adds: “I believe TREZOR users will appreciate the fact that their private keys are never transmitted from myTREZOR to the BOP Bitcoin Server. The transactions are signed purely in the TREZOR device. It is finally safe to use a web wallet, thanks to TREZOR and our BOP Bitcoin Server”."
> Does this mean that myTREZOR.com have access to the private keys into the TREZOR device?
> Is there a way to install the webwallet on a localhost webserver without the need to work on myTrezor.com if the website is down?
> Thanks

No chance to steal the funds. The keys never leave the Trezor, only the signed transactions leave the Trezor. The crucial point is the Trezor's screen and its buttons. You see the transaction with the amount and the receiving address on the screen, and accept it with a button on the device. Smart programming from the Trezor's team makes it possible to enter pincode for the Trezor through the PC's keyboard, without revealing to the PC what the pin-code is. Also the seed can be reentered into the Trezor via the PC without revealing the seed to the PC, if there is a need to load the old seed into a backup trezor. Some other information could leak out, your addresses and possibly your xpub keys, to the PC or to the mytrezor website.
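The PIN entry described in the two posts above (a keypad layout that only the device displays, with the PC relaying clicked positions) can be sketched as follows. This is an added example, not part of the original posts and not Trezor firmware; the 3x3 grid with digits 1-9, the `Device` class and the helper names are assumptions made for illustration.

```python
import math
import secrets

DIGITS = "123456789"  # assumed 3x3 grid, cells numbered 1-9 left to right


class Device:
    """Stand-in for the wallet: only it knows the PIN and the shuffled layout."""

    def __init__(self, pin):
        self._pin = pin
        self._layout = None

    def prompt(self, layout=None):
        """Start a PIN prompt; the layout goes to the device display only."""
        if layout is None:
            cells = list(DIGITS)
            secrets.SystemRandom().shuffle(cells)
            layout = "".join(cells)
        self._layout = layout  # layout[i] is the digit drawn in cell i+1
        return layout  # returned so the simulated user can "read the display"

    def submit(self, positions):
        """Map clicked cells back to digits; each layout is valid once."""
        layout, self._layout = self._layout, None
        if layout is None or not positions:
            return False
        if any(p not in DIGITS for p in positions):  # host input is untrusted
            return False
        entered = "".join(layout[int(p) - 1] for p in positions)
        return secrets.compare_digest(entered, self._pin)


def clicks_for(pin, layout):
    """What the user does: find each PIN digit on the display, click that cell."""
    return "".join(str(layout.index(d) + 1) for d in pin)


def candidate_pin_count(positions):
    """PINs an observer of the clicks alone cannot rule out.

    The clicks reveal the PIN length and which entries repeat, so the count
    is the number of ways to put distinct digits on the distinct cells.
    """
    return math.perm(len(DIGITS), len(set(positions)))


if __name__ == "__main__":
    device = Device("2589")  # constructed sample PIN
    shown = device.prompt()
    sent = clicks_for("2589", shown)  # the only thing the PC handles
    print("PC sees", sent, "->", candidate_pin_count(sent), "possible PINs")
    print("accepted:", device.submit(sent))
    device.prompt()  # new prompt, new shuffle
    print("replayed clicks accepted:", device.submit(sent))
```

The PC-side record of the clicks narrows a four-digit PIN with no repeats only to 3024 candidates, and the same clicks are checked against a fresh layout on the next prompt.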

LOBSTER
December 02, 2014, 09:11:23 PM
> No chance to steal the funds. The keys never leave the Trezor, only the signed transactions leave the Trezor. The crucial point is the Trezor's screen and its buttons. You see the transaction with the amount and the receiving address on the screen, and accept it with a button on the device. Smart programming from the Trezor's team makes it possible to enter pincode for the Trezor through the PC's keyboard, without revealing to the PC what the pin-code is. Also the seed can be reentered into the Trezor via the PC without revealing the seed to the PC, if there is a need to load the old seed into a backup trezor. Some other information could leak out, your addresses and possibly your xpub keys, to the PC or to the mytrezor website.

You should only recover it if it's connected to an offline computer (preferred Ubuntu).

qawzsx
December 02, 2014, 09:12:10 PM
>> No chance to steal the funds. The keys never leave the Trezor, only the signed transactions leave the Trezor. The crucial point is the Trezor's screen and its buttons. You see the transaction with the amount and the receiving address on the screen, and accept it with a button on the device. Smart programming from the Trezor's team makes it possible to enter pincode for the Trezor through the PC's keyboard, without revealing to the PC what the pin-code is. Also the seed can be reentered into the Trezor via the PC without revealing the seed to the PC, if there is a need to load the old seed into a backup trezor. Some other information could leak out, your addresses and possibly your xpub keys, to the PC or to the mytrezor website.
> You should only recover it if it's connected to an offline computer (preferred Ubuntu).

Well, since it's offline, OS should not matter that much

Mr. Spock
December 02, 2014, 09:14:06 PM
> There are zero chances of anything other than a lot of time with an electron microscope to extract private keys from the device. IIRC.

Can someone estimate how many bitcoins your TREZOR must hold to be worth this immense effort?

chrisrico
December 02, 2014, 09:15:54 PM
> You should only recover it if it's connected to an offline computer (preferred Ubuntu).

Note that the Trezor asks for the seed words in random order. There are 24! different combinations of the seed words, only one of which is valid. An attacker would still have to try on average half of the 620,448,401,733,239,439,360,000 possible combinations, which would take quite some time (by design). Using an offline computer for recovery is only necessary when you want to keep using the same seed. If you lost your Trezor, you should switch seeds anyway, and using an offline computer to move the funds is perfectly safe.
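The shuffled recovery described in the post above can be simulated to see what the PC ends up holding and how large the ordering search space is. This is an added example, not part of the original post; the function names and the placeholder words are constructed for illustration, and it goes slightly beyond the post by also handling a backup in which a word repeats.

```python
import math
import secrets
from collections import Counter


def shuffled_recovery(mnemonic, order=None):
    """Simulate recovery where the device picks the order of the prompts.

    The device display says which word number it wants; the user types that
    word on the PC. Returns (words as reassembled on the device, words in
    the order the PC saw them).
    """
    n = len(mnemonic)
    if order is None:
        order = list(range(n))
        secrets.SystemRandom().shuffle(order)
    slots = [None] * n  # device memory, indexed by true position
    host_log = []       # everything the PC can record
    for pos in order:
        word = mnemonic[pos]  # user looks up word number pos+1 on the backup
        host_log.append(word)
        slots[pos] = word
    return slots, host_log


def orderings(host_log):
    """Distinct word sequences the logged words could form."""
    total = math.factorial(len(host_log))
    for count in Counter(host_log).values():
        total //= math.factorial(count)  # a repeated word shrinks the space
    return total


def average_guesses(host_log):
    """Half the orderings, the average cited in the post."""
    return orderings(host_log) // 2


if __name__ == "__main__":
    # Constructed placeholder words, not a real wallet backup.
    backup = [f"word{i:02d}" for i in range(1, 25)]
    on_device, seen_by_pc = shuffled_recovery(backup)
    print("device rebuilt the backup:", on_device == backup)
    print("orderings left to the PC:", f"{orderings(seen_by_pc):,}")
```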

chrisrico
December 02, 2014, 09:17:16 PM
> Can someone estimate how many bitcoins your TREZOR must hold to be worth this immense effort?

Yes, if the person has access to the Trezor, they can see the extended public keys and calculate the value held by the device. I'm not sure if this is true if a passphrase is used, since it is concatenated with the seed.

Erdogan
December 02, 2014, 09:17:21 PM
>> No chance to steal the funds. The keys never leave the Trezor, only the signed transactions leave the Trezor. The crucial point is the Trezor's screen and its buttons. You see the transaction with the amount and the receiving address on the screen, and accept it with a button on the device. Smart programming from the Trezor's team makes it possible to enter pincode for the Trezor through the PC's keyboard, without revealing to the PC what the pin-code is. Also the seed can be reentered into the Trezor via the PC without revealing the seed to the PC, if there is a need to load the old seed into a backup trezor. Some other information could leak out, your addresses and possibly your xpub keys, to the PC or to the mytrezor website.
> You should only recover it if it's connected to an offline computer (preferred Ubuntu).

Well, the Trezor system protects the seed during recovery, so no, that should not be necessary. You could look for hidden cameras in the room, or hide yourself and the PC under a blanket, if you want more security.

LOBSTER
December 02, 2014, 09:28:36 PM
>>> No chance to steal the funds. The keys never leave the Trezor, only the signed transactions leave the Trezor. The crucial point is the Trezor's screen and its buttons. You see the transaction with the amount and the receiving address on the screen, and accept it with a button on the device. Smart programming from the Trezor's team makes it possible to enter pincode for the Trezor through the PC's keyboard, without revealing to the PC what the pin-code is. Also the seed can be reentered into the Trezor via the PC without revealing the seed to the PC, if there is a need to load the old seed into a backup trezor. Some other information could leak out, your addresses and possibly your xpub keys, to the PC or to the mytrezor website.
>> You should only recover it if it's connected to an offline computer (preferred Ubuntu).
> Well, the Trezor system protects the seed during recovery, so no, that should not be necessary. You could look for hidden cameras in the room, or hide yourself and the PC under a blanket, if you want more security.

Just chillin in my dark cellar Maybe it's too excessive...

JorgeStolfi
December 03, 2014, 01:02:43 AM
>> There are zero chances of anything other than a lot of time with an electron microscope to extract private keys from the device. IIRC.
> Can someone estimate how many bitcoins your TREZOR must hold to be worth this immense effort?

If the thief were to buy the necessary equipment, I would guess that it would cost at least tens of thousands of dollars, perhaps hundreds of thousands. (For starters, he would have to drill open the processor chip's enclosure without damaging the chip itself. That would require a good microscope, a super-steady drill, micromanipulators...) Therefore, that attack would be profitable only if the expected payoff was in the thousands of BTC. However, the thief may be able to "borrow" the equipment from some physics or microelectronics research lab. In that case, the thief may be willing to attack smaller targets.
Academic interest in bitcoin only. Not owner, not trader, very skeptical of its longterm success.

kkurtmann
December 03, 2014, 04:04:38 AM
> No chance to steal the funds. The keys never leave the Trezor, only the signed transactions leave the Trezor. The crucial point is the Trezor's screen and its buttons. You see the transaction with the amount and the receiving address on the screen, and accept it with a button on the device. Smart programming from the Trezor's team makes it possible to enter pincode for the Trezor through the PC's mouse, without revealing to the PC what the pin-code is. Also the seed can be reentered into the Trezor via the PC without revealing the seed to the PC, if there is a need to load the old seed into a backup trezor. Some other information could leak out, your addresses and possibly your xpub keys, to the PC or to the mytrezor website.

FTFY

kkurtmann
December 03, 2014, 05:37:06 AM
>> There are zero chances of anything other than a lot of time with an electron microscope to extract private keys from the device. IIRC.
> I don't know about the electron microscope specifically, but surely one can do it with suitable scientific equipment. Not with something that you buy at Radio Shack, though.

Surely the suitable scientific equipment you are referring to, is the Electron Microscope, and nothing less.

Mickeyb
December 03, 2014, 07:46:42 AM
>>> No chance to steal the funds. The keys never leave the Trezor, only the signed transactions leave the Trezor. The crucial point is the Trezor's screen and its buttons. You see the transaction with the amount and the receiving address on the screen, and accept it with a button on the device. Smart programming from the Trezor's team makes it possible to enter pincode for the Trezor through the PC's keyboard, without revealing to the PC what the pin-code is. Also the seed can be reentered into the Trezor via the PC without revealing the seed to the PC, if there is a need to load the old seed into a backup trezor. Some other information could leak out, your addresses and possibly your xpub keys, to the PC or to the mytrezor website.
>> You should only recover it if it's connected to an offline computer (preferred Ubuntu).
> Well, the Trezor system protects the seed during recovery, so no, that should not be necessary. You could look for hidden cameras in the room, or hide yourself and the PC under a blanket, if you want more security.

Ha ha a good one!!

Mickeyb
December 03, 2014, 07:52:15 AM
This is freaking awesome!! I will be sharing this!! On a more serious note, you can do as suggested or simply use Trezor!!

Erdogan
December 03, 2014, 09:48:25 AM
>>>> No chance to steal the funds. The keys never leave the Trezor, only the signed transactions leave the Trezor. The crucial point is the Trezor's screen and its buttons. You see the transaction with the amount and the receiving address on the screen, and accept it with a button on the device. Smart programming from the Trezor's team makes it possible to enter pincode for the Trezor through the PC's keyboard, without revealing to the PC what the pin-code is. Also the seed can be reentered into the Trezor via the PC without revealing the seed to the PC, if there is a need to load the old seed into a backup trezor. Some other information could leak out, your addresses and possibly your xpub keys, to the PC or to the mytrezor website.
>>> You should only recover it if it's connected to an offline computer (preferred Ubuntu).
>> Well, the Trezor system protects the seed during recovery, so no, that should not be necessary. You could look for hidden cameras in the room, or hide yourself and the PC under a blanket, if you want more security.
> Ha ha a good one!!

Yep, the Trezor is that good. It was not a joke anyway, ask Snowden about it.

JorgeStolfi
December 03, 2014, 10:06:11 AM
>>> There are zero chances of anything other than a lot of time with an electron microscope to extract private keys from the device. IIRC.
>> I don't know about the electron microscope specifically, but surely one can do it with suitable scientific equipment. Not with something that you buy at Radio Shack, though.
> Surely the suitable scientific equipment you are referring to, is the Electron Microscope, and nothing less.

I suppose you are right, for the readout. I was thinking of the first step, exposing the chip.

LOBSTER
December 03, 2014, 05:09:55 PM
That's great. Will ask my questions there