you think Trezor is a safe way for bitcoin !

[dbgirl]

For cold storage, a stainless steel wallet is pretty safe.

https://www.indiegogo.com/projects/cryptosteel-the-ultimate-cold-storage-wallet#/

http://themerkle.com/wp-content/uploads/2015/03/crypto-steel-1.jpg

http://res.cloudinary.com/indiegogo-media-prod-cld/image/upload/c_limit,w_620/v1431881959/i0d3x8onbr7ozrz5wjaz.jpg

[1714144363]

1714144363

[1714144363]

1714144363

[1714144363]

1714144363

[1714144363]

1714144363

[1714144363]

1714144363

[1714144363]

1714144363

[dbgirl]

A Panduit MEHT187 could also be used for embossing stainless steel tape.
http://www.panduit.com/heiler/ProductBulletins/SA-SSCB25%20%28Permanent%20id%20solutions%20harsh%20environ.%29%20WEB%2012-3-10.pdf

but it's expensive.
http://www.grainger.com/product/PANDUIT-Handheld-Embossing-Tool-30PR57

[John (John K.)]

If you're willing to spend some time reading code, I highly suggest going to https://github.com/trezor/ to see the sources of the firmware and examples of writing your own webwallet using the trezor. https://github.com/trezor/webwallet shows a working example of a webwallet, and you can clearly see that at no point the wallet sees the private key/pin etc at all.

maybe trezor v2. will have the 'webwallet' on the device next time. that way it can auto run on offline computers without the need of web extensions or communicating to trezor server.

then your free to push the TX to any miner/network user you choose.

i think those believing trezor is infallible have never thought of a hacker tweaking the web extension to do man in the middle attacks..

The trezor basically only generates the tx (by signing it a-la how any bitcoin client works) and the webwallet pushes it. The trezor is basically the 'offline computer' factor in a secure wallet setup. The only 'sensitive' (where anyone with that public key would be able to see your future transactions, but not spend any of your bitcoins) date would be the public key which is transmitted to the 'webwallet' in order to show you the transactions made by the addresses. MiTM attacks are handled by the fact that the actual addresses are shown on the screen before the device signs it, so when the address is different from the one you're planning to send to, you'll know there's something fishy up there. The TX itself is not a valuable information as at worst the attacker can only refuse to broadcast it. Having the tx itself is not beneficial in any way as the hash would be invalid if any changes were made - as in where a PGP signed message cannot be modified without invalidating the signature itself.

Electrum, Multibit and a few others are amongst examples of independent softwares utilizing the fact that you're basically free to push the TX to any miner/network user that you choose. You can run it on any offline computer by utilizing the command line/API that comes with it obviously.

Full disclosure: I recently bought a trezor after using Armory on an offline netbook for a few years (when I escrowed a lot). I've studied the source code and understood how it actually works  before plunking down the cash for it, and I'm currently writing some tools for it.

[Kakmakr]

Do not store large amounts of coins in hardware wallets - Problem solved
The distribution of your total coins should be something like 20% hardware wallet / 80% cold storage
If you go this route, you would effectively manage the risk and prevent huge losses when something might happen.
You never know if some disgruntled employee are in possession of private keys or are aware of some back door and when they might empty your wallet. Take back the control and store most of your coins in cold storage. ^hmf^

[bitbaby]

For cold storage, a stainless steel wallet is pretty safe.

https://www.indiegogo.com/projects/cryptosteel-the-ultimate-cold-storage-wallet#/

CMIIW but don't you have to manually enter your keys in it and if you mess up you might end up losing a lot of coins, I don't think I can trust myself to manually jot in the keys, I'd rather print them directly and then try to keep the paper wallet safe. Or just use the electrum offline with the mnemonic back up, no need for a fancy, expensive device when you can do it for free.

[maku]

I don't like trezor- too many moving parts (led screen) I always feel it could break. I much prefer ledger. Much simpler. Fewer worries. Ledger also costs a lot less. I'm not sure why trezor is so popular, I guess people think more money = better product... Worked out pretty good for Mac (which is garbage, but expensive therefore amaze balls)

My thoughts exactly. I feel like hardware wallets in general are overkill for people who are paranoid about their coins. Same measure of security can be achieved perfectly without it.
I would sleep much better knowing that my coins are stored on paper wallet that on this piece of hardware.

[Soros Shorts]

its just a memor storage device, all transactions need to go through to trezor servers..

It behaves more like a smart card than a dumb memory device. The difference is that the private keys stored inside are protected with a PIN and cannot be retrieved through the USB interface. All sensitive crytographic computing is done on the TREZOR and not the browser. However, it just uses an ARM Cortex processor so unlike a typical smart card the keys are probably not protected from advanced electronic tampering or snooping were the device to fall into unfriendly hands.

[Mickeyb]

If you're willing to spend some time reading code, I highly suggest going to https://github.com/trezor/ to see the sources of the firmware and examples of writing your own webwallet using the trezor. https://github.com/trezor/webwallet shows a working example of a webwallet, and you can clearly see that at no point the wallet sees the private key/pin etc at all.

maybe trezor v2. will have the 'webwallet' on the device next time. that way it can auto run on offline computers without the need of web extensions or communicating to trezor server.

then your free to push the TX to any miner/network user you choose.

i think those believing trezor is infallible have never thought of a hacker tweaking the web extension to do man in the middle attacks..

The trezor basically only generates the tx (by signing it a-la how any bitcoin client works) and the webwallet pushes it. The trezor is basically the 'offline computer' factor in a secure wallet setup. The only 'sensitive' (where anyone with that public key would be able to see your future transactions, but not spend any of your bitcoins) date would be the public key which is transmitted to the 'webwallet' in order to show you the transactions made by the addresses. MiTM attacks are handled by the fact that the actual addresses are shown on the screen before the device signs it, so when the address is different from the one you're planning to send to, you'll know there's something fishy up there. The TX itself is not a valuable information as at worst the attacker can only refuse to broadcast it. Having the tx itself is not beneficial in any way as the hash would be invalid if any changes were made - as in where a PGP signed message cannot be modified without invalidating the signature itself.

Electrum, Multibit and a few others are amongst examples of independent softwares utilizing the fact that you're basically free to push the TX to any miner/network user that you choose. You can run it on any offline computer by utilizing the command line/API that comes with it obviously.

Full disclosure: I recently bought a trezor after using Armory on an offline netbook for a few years (when I escrowed a lot). I've studied the source code and understood how it actually works  before plunking down the cash for it, and I'm currently writing some tools for it.

Thanks for explaining in depth! I didn't want to quote franky1 posts above (I don't agree with his explanations) as you have already explained everything and with the knowledge that I would never be able to explain with.

In lamest terms, when I was buying a Trezor and did a research and decided to put my savings on it, I understood that this device is the safest way out there to store my bitcoins and that even if Trezor company ceases to exist I will be able to recover my coins and also that it's not that easy to insert a malicious code in it. To some extent you still have to trust them as you trust Electrum developers out there with every new release for example!

[tinadrake]

A wallet that uses audio to send the private key.

http://thesoundkey.com/
https://www.indiegogo.com/projects/the-sound-key-encrypt-digitally-sign-in-safety#/

[Blue_Tiger73]

No. I don't think that it is safe to put your Bitcoin into any company. Believe in yourself and make the Bitcoin yourself. Those big companies can always go bankrupt at any time or just decide to shut down their company and run away with your coins.

[Corvet]

No. I don't think that it is safe to put your Bitcoin into any company. Believe in yourself and make the Bitcoin yourself. Those big companies can always go bankrupt at any time or just decide to shut down their company and run away with your coins.

what is the best way then for 50 btc + , most of people saying paper wallet some saying no ...

[BitcoinNewsMagazine]

No. I don't think that it is safe to put your Bitcoin into any company. Believe in yourself and make the Bitcoin yourself. Those big companies can always go bankrupt at any time or just decide to shut down their company and run away with your coins.

what is the best way then for 50 btc + , most of people saying paper wallet some saying no ...

Paper wallets are OK just inconvenient. Forget 50 bitcoin minimum, you need cold storage if you own any bitcoin in my opinion. It is too easy for malware to steal bitcoin from a password protected local bitcoin wallet. It happens all the time.

Cold storage means you have sole possession of the private keys of your bitcoin addresses and the keys are always kept safe offline. You can do it with Armory or Electrum using two computers or just buy a hardware wallet like Trezor or Ledger. I have used all of the current options. Armory and Electrum are no more secure than Trezor or Ledger. The only advantage is privacy, since Armory uses a full node.

Anyone can afford Ledger. Trezor is more expensive at $100 but I think it is worth it for the screen. You also have to use a Ledger Starter to initialize your Ledger as the seed is shown on your computer screen, possibly can be stolen by a keylogger. Trezor does not have that limitation.

[Corvet]

about paper wallet ! do you think that the website you use for generating the wallets can't get your money ? for exemple : if you use a website that generate wallets papper then i got the privat key and public key and put 40 btc on it , i think there is someway for the website who offer the generator to get your privat key , maybe if they save the keys which generated and later the owner of site will check the wallets which generated and see if there is money on them then he will use the privat key and get ur money since he have the privat key and public key becasue you used his website for generrating , correct me if am wrong !

[saturn643]

about paper wallet ! do you think that the website you use for generating the wallets can't get your money ? for exemple : if you use a website that generate wallets papper then i got the privat key and public key and put 40 btc on it , i think there is someway for the website who offer the generator to get your privat key , maybe if they save the keys which generated and later the owner of site will check the wallets which generated and see if there is money on them then he will use the privat key and get ur money since he have the privat key and public key becasue you used his website for generrating , correct me if am wrong !

Many wallets allow you to generate paper wallets locally. Also, most websites which let you generate paper wallets are open source. The idea is that you download the code for the website. Then you take that code and go to an offline computer and generate the address there. That way there is no way that the owners of the website could ever know the private keys and the private keys are never exposed to the internet.

[franky1]

In lamest terms, when I was buying a Trezor and did a research and decided to put my savings on it, I understood that this device is the safest way out there to store my bitcoins and that even if Trezor company ceases to exist I will be able to recover my coins and also that it's not that easy to insert a malicious code in it. To some extent you still have to trust them as you trust Electrum developers out there with every new release for example!

1. is trazor ceases.. yea you can recover coins.. but not because of any function of the plastic gadget. not because of code stored on the gadget.. but because of writing on paper..
again if trezor website ceases.. the HARDWARE WALLET is useless... which is the point.. the device is not infallible..

2. ignoring the paper seed as the backup.. lets keep on the subject of the HARDWARE WALLET and its function.. firstly i see 3 weaknesses.
a) i can create a website that say's
"sorry there seems to be an error, please type in your seed"
b) i could create a browser extension that says
"invalid device installed. please reset device and then type in your seed"
c) even if the data is encrypted.. i can clone said data, and then on my own computer with my own cloned trezor. can simply try the pin number 9999 times until im then using your 'account'.

the funny thing is that trezor is safer than storing on coinbase, safer than storing on electrum.. but its not infallible. and anyone who thinks it's the 100% solution needs to take a step back and give honest advice that its not perfect..

the other part i laugh about.. is when people see the paper seed backup as a feature specific to trezor.. seriously..
for long term storage where you are not spending.. paper is best.. as then you wont get phished.. and paper doesnt need a battery

[saturn643]

In lamest terms, when I was buying a Trezor and did a research and decided to put my savings on it, I understood that this device is the safest way out there to store my bitcoins and that even if Trezor company ceases to exist I will be able to recover my coins and also that it's not that easy to insert a malicious code in it. To some extent you still have to trust them as you trust Electrum developers out there with every new release for example!

1. is trazor ceases.. yea you can recover coins.. but not because of any function of the plastic gadget. not because of code stored on the gadget.. but because of writing on paper..
again if trezor website ceases.. the HARDWARE WALLET is useless... which is the point.. the device is not infallible..

It is not, where are you getting that information. The PIN is stored on the device itself. It would be stupid to store it on Trezor's servers. Again, why do you keep saying that it won't work? Trezor keeps the important data on the device itself, not someone else's servers.

[John (John K.)]

In lamest terms, when I was buying a Trezor and did a research and decided to put my savings on it, I understood that this device is the safest way out there to store my bitcoins and that even if Trezor company ceases to exist I will be able to recover my coins and also that it's not that easy to insert a malicious code in it. To some extent you still have to trust them as you trust Electrum developers out there with every new release for example!

1. is trazor ceases.. yea you can recover coins.. but not because of any function of the plastic gadget. not because of code stored on the gadget.. but because of writing on paper..
again if trezor website ceases.. the HARDWARE WALLET is useless... which is the point.. the device is not infallible..

2. ignoring the paper seed as the backup.. lets keep on the subject of the HARDWARE WALLET and its function.. firstly i see 3 weaknesses.
a) i can create a website that say's
"sorry there seems to be an error, please type in your seed"
b) i could create a browser extension that says
"invalid device installed. please reset device and then type in your seed"
c) even if the data is encrypted.. i can clone said data, and then on my own computer with my own cloned trezor. can simply try the pin number 9999 times until im then using your 'account'.

the funny thing is that trezor is safer than storing on coinbase, safer than storing on electrum.. but its not infallible. and anyone who thinks it's the 100% solution needs to take a step back and give honest advice that its not perfect..

the other part i laugh about.. is when people see the paper seed backup as a feature specific to trezor.. seriously..
for long term storage where you are not spending.. paper is best.. as then you wont get phished.. and paper doesnt need a battery

OK, seeing that I'm still not sleepy enough yet...

1. is trazor ceases.. yea you can recover coins.. but not because of any function of the plastic gadget. not because of code stored on the gadget.. but because of writing on paper..
again

Yes, that's correct. Nothing is infallible, not even a steel card that holds my current seed, not even Fort Knox. Always keep multiple secure paper/metal/etching/<insert permanent storage here> backups, and check on them often. ALWAYS. I used to even keep the Armory seed for my escrow wallet with my lawyer, with instructions to distribute them accordingly should anything happen to me and my next of kin.

if trezor website ceases.. the HARDWARE WALLET is useless... which is the point.. the device is not infallible..

I'm not going to repeat myself, but trezor is not dependent on the website or anything proprietary. Already I've been using the trezor with other open source software out there. I've not really used the site except to try it out. Please read my former posts. *facepalm*

2. ignoring the paper seed as the backup.. lets keep on the subject of the HARDWARE WALLET and its function..

Awesome - we have another agreement here.

a) i can create a website that say's
"sorry there seems to be an error, please type in your seed"

If anyone falls for that, it would be the equivalent of someone making a site that says 'Secure Bitcoin Storage with 10000% Interest rate - Send to this address!' and someone actually falling for it. There are multiple warnings that state that your seed is basically your bitcoins, and should you leak it it's your own fault for doing that.

b) i could create a browser extension that says
"invalid device installed. please reset device and then type in your seed"

See a) for the equivalent - would you download anything that's closed source and new? Any reputable software that works with bitcoin is open source - anything that's closed should be taken with a grain of salt and be avoided in secure environments. Also, in an actual situation where someone uses a hijacked system, and is gullible enough to trust the software to type in his seed (and the software succeeds in resetting the trezor), the trezor actually requests the seeds at a randomized order, and all 24 seeds have to be in a specific order to actually compute the private keys needed. The order is only shown on the trezor, and the software would have no idea of the order of the key requested. Unless I'm much wrong (it's 4am and I just had my nightcap after all) , there's exactly 24 permutate 24 possible combinations here, which gives me 620448401733239439360000 probabilities using a random webpage calculator. That's no small number to bruteforce and to check for the coins, right.  

c) even if the data is encrypted.. i can clone said data, and then on my own computer with my own cloned trezor. can simply try the pin number 9999 times until im then using your 'account'.

How would you propose 'cloning said data'? The bootloader fuse is blown, and therefore the security logic part of the firmware is rendered unflashable. If said attacker tries to load a malicious firmware on it in order to clone the seed, there would be an invalid signature shown, and the seed is removed if the user decides to load it anyway.
one particular source: http://bitcoin.stackexchange.com/questions/32544/how-can-trezor-update-firmware-but-never-receive-malware

the funny thing is that trezor is safer than storing on coinbase, safer than storing on electrum.. but its not infallible. and anyone who thinks it's the 100% solution needs to take a step back and give honest advice that its not perfect..

Yep, I still agree with you that it's infallible - but similar hardware wallets like this is the best bet of a hot/semi hot wallet at the moment. And no, there's no 100% solution as of now. Nothing is perfect and nothing is 100%.

he other part i laugh about.. is when people see the paper seed backup as a feature specific to trezor.. seriously..
for long term storage where you are not spending.. paper is best.. as then you wont get phished.. and paper doesnt need a battery

Agreed. Just make sure you have adequate security practices (new airgapped pristine operating system installed, fully random RNG's using casino dices etc) and you're willing to go through all of this if you're planning use your cold wallet often.

[Fityan]

I think it safe,depending how secure your password and how often you check you wallet

[anonymousx]

Technically Trezor is safe, with the huge number of possible addresses, it signs the transactions almost offline and than pass to the computer, on it's internal open source chip and software, you can modify the software to fit your needs, you can even build your own with raspberry pie, but it wont take long until someone figure out away to sniff it out through the USB port with a malware, so never trust anything no matter how impossible it seems, I heard it's isolated inside so private keys are in a different unreachable part, but still to trust them or not that's your personal choice, the entropy is a different story, how you generated your keys is very important, weak ECDSA can result in weak signing of hashes, if only two transactions are signed with same output "first half of the signature is the same" than all you need is to figure out the rest of the key which can be easily brute forced given that the public key is already known as the output, so using Trezor with a key generated from the word hello world of course can be hacked.

http://conference.hitb.org/hitbsecconf2014kul/materials/D1T1%20-%20Filippo%20Valsorda%20-%20Exploiting%20ECDSA%20Failures%20in%20the%20Bitcoin%20Blockchain.pdf

So don't have fake feeling of security using Trezor if your key is being exploited online, once you send few transactions you are exposed, blockchain might have the necessary info to sweep your wallet even if your Trezor is offline at your wallet.

[bearex]

Everything is possible. Thats why the more Bitcoins you have, the less people you want between you and them, hence the paper wallet is the best solution.