Bitcoin Forum
Topic: [NOW AVAILABLE] BTChip / Ledger HW1 : Bitcoin Hardware Wallet in a USB smartcard
btchip (OP)
CTO, Ledger
September 22, 2014, 03:58:26 PM
 #161

I only know that it'll happen shortly. Talking about weeks now, I won't say 2 for obvious reasons  Grin

ruins
September 24, 2014, 06:19:57 AM
 #162

Kick ass! Read half of your post and had to comment  Smiley

(goes back reading...)

same here, a bit complicated.
(goes back reading...)
btchip (OP)
September 24, 2014, 08:42:17 AM
 #163

Kick ass! Read half of your post and had to comment  Smiley

(goes back reading...)

same here, a bit complicated.
(goes back reading...)

good luck, don't forget that everything past the first part of the first post is a bit outdated. Also, videos are coming really soon now Smiley

webbrowser
September 30, 2014, 03:36:04 PM
 #164

I've received my btchip too!

Yeah, a bit complicated.  Need more reading.
btchip (OP)
September 30, 2014, 03:44:32 PM
 #165

I've received my btchip too!

Yeah, a bit complicated.  Need more reading.

we have new videos that might be helpful re GreenAddress setup @ https://hardwarewallet.com/software.html

JorgeStolfi
October 01, 2014, 08:17:13 PM
 #166

[ Reposting some comments from the Trezor thread, somewhat edited ]

1.) [ The BTCchip]  has no screen but offers a "hardened mode" which requires you to plug it into another computer (or the same one). It will emulate a keyboard and tell you the transaction info and a one-time PIN which you'll have to enter after re-plugging again into the main computer with the wallet. It's way less elegant than trezor in this regard, but this protects against malware sneaking in attackers address.
If you plug it into the same computer, which is compromised, the malware could intercept the keyboard signals coming from the device and replace the transaction details shown to the user, while retaining the PIN.  Or is there a protection against that?
How could there even be a protection against that ? It just raises the malware complexity from an application malware to a full OS compromise.

If you are using someone else's computer, it may easily have a hacked OS.  Ditto if the malware was installed in your computer by someone hacking into it with root access. 

The Trezor seems to protect against that risk, since the transaction details are displayed on the Trezor's screen and confirmed there.

(Neither device will protect against the user copying or scanning the wrong payment address from merchant's homepage that was hacked --- at the server, by IP/URL spoofing, or by a compromised browser.  For that, the user must be careful to get the address from a secure source that cannot be easily hacked.)

Hardware wallets are supposed to be most useful when one is traveling and must use a computer provided by the local shop, hotel, guide, cybercafe, etc.  In those scenarios, there is the possibility that the PC has malicious hardware as well as malicious software, that the device will be stolen after the use, and that there are hidden cameras watching over the user's shoulder.   One should make sure that they are safe in that scenario.
Then just use the next computer sitting nearby to view the second factor. Works well in a cybercafe and a hotel.

I am not clear yet on how BTCchip works, but if one computer in such a place is compromised, there is a high chance that all of them are.  Especially if (a) the computer was compromised specifically to steal bitcoins from BTCchips (which is the assumption), or (b) the hacker may be an employee of the place.

2.) The device requires the user to enter a PIN. If entered wrongly 3 times, device will delete wallet info.
I understand that it is a fixed PIN that must be entered in "non-hardened mode", or before starting the "hardened mode" procedure; correct?  In that case, if malware on the computer captures that PIN, and the device is stolen some time later, would that captured PIN enable the thief to use the device?
yes, the PIN is not an anti malware protection, it's an anti theft protection.

If a chip-enabled credit/debit card gets stolen, the owner should worry that the PIN was captured visually (by a camera or person looking over his shoulder) or by a physically hacked CC reader at some store.

If a BTCchip gets stolen, the owner should worry that the PIN may have been captured visually as he typed it on the computer's keyboard, OR by a keylogger in the computer.   The latter is much more likely to occur than a hacked CC reader.

If a Trezor gets stolen, the owner should worry only if there is a chance that the PIN scramble matrix was captured visually from the Trezor screen.  Malware alone cannot capture the Trezor PIN.

General comment:

Stealing bitcoins by hacking may become a big issue, if it is not already.  Hardware wallets like Trezor and BTCchip surely improve the security, but substantial risk will remain.  Malicious hackers will be strongly motivated to use all their ingenuity to overcome the device's protections. 

Bitcoin theft seems more tempting than credit/debit card theft, for several reasons.  For one thing, bitcoin transactions are instantaneous (even though confirmation may take 10 minutes on average) and final.  Even if the victim uses Trezor or BTCchip, if the device is stolen after the thief got the PIN, the coins will probably be gone before the user gets the chance to move them, and they cannot be recovered (unless the thief is caught and convinced to return them).   In comparison, when someone's credit/debit card is stolen, the owner can call the company to cancel it, and there is a good chance that it will be canceled before the thief has a chance to get value out of the card.  Moreover, the bitcoin network provides no anti-theft barriers: no one will call the victim to confirm a transaction that moves a million BTC from his account to someone else's account. 

Even if the probability of success of some hacking attack mode is 0.1% or less, the per-target cost of such an attack is small, thousands of computers can be hacked automatically, and the payoff from one successful attempt may be quite substantial.  See that Australian guy who was recently hacked out of 750 BTC, almost 300'000 USD. Note that the malware may be programmed to act only if the wallet has a large enough sum. 

I do not expect that the manufacturers of hardware wallets will go out of their way to warn users of these remaining risks.   The bitcoin media and the community should do that.  However, manufacturers should put clear disclaimers in their warranties and ads, so that they are not blamed if bitcoins are stolen from clients.

Academic interest in bitcoin only. Not owner, not trader, very skeptical of its longterm success.
btchip (OP)
October 01, 2014, 10:01:57 PM
 #167

[ Reposting some comments from the Trezor thread, somewhat edited ]

thanks !

If you are using someone else's computer, it may easily have a hacked OS.  Ditto if the malware was installed in your computer by someone hacking into it with root access.  

The Trezor seems to protect against that risk, since the transaction details are displayed on the Trezor's screen and confirmed there.

similar thing here with the keyboard second factor

(Neither device will protect against the user copying or scanning the wrong payment address from merchant's homepage that was hacked --- at the server, by IP/URL spoofing, or by a compromised browser.  For that, the user must be careful to get the address from a secure source that cannot be easily hacked.)

End (server)-to-end (device) BIP 70 will protect against that in the future, providing the trusted CA list is sane - not going to be implementing it in the current device though.

I am not clear yet on how BTCchip works, but if one computer in such a place is compromised, there is a high chance that all of them are.  Especially if (a) the computer was compromised specifically to steal bitcoins from BTCchips (which is the assumption), or (b) the hacker may be an employee of the place.

Computers would have to be all infected and act together in order to exploit both the main client and the client displaying the second factor - highly unlikely in my opinion.

If a chip-enabled credit/debit card gets stolen, the owner should worry that the PIN was captured visually (by a camera or person looking over his shoulder) or by a physically hacked CC reader at some store.

If a BTCchip gets stolen, the owner should worry that the PIN may have been captured visually as he typed it on the computer's keyboard, OR by a keylogger in the computer.   The latter is much more likely to occur than a hacked CC reader.

If a Trezor gets stolen, the owner should worry only if there is a chance that the PIN scramble matrix was captured visually from the Trezor screen.  Malware alone cannot capture the Trezor PIN.

A thief getting access to both the chip and the PIN is not a realistic threat in my opinion as well.

General comment:

Stealing bitcoins by hacking may become a big issue, if it is not already.  Hardware wallets like Trezor and BTCchip surely improve the security, but substantial risk will remain.  Malicious hackers will be strongly motivated to use all their ingenuity to overcome the device's protections.  

sure, security is about balancing risks / convenience / protection / cost, as always.

Bitcoin theft seems more tempting than credit/debit card theft, for several reasons.  For one thing, bitcoin transactions are instantaneous (even though confirmation may take 10 minutes on average) and final.  Even if the victim uses Trezor or BTCchip, if the device is stolen after the thief got the PIN, the coins will probably be gone before the user gets the chance to move them, and they cannot be recovered (unless the thief is caught and convinced to return them).   In comparison, when someone's credit/debit card is stolen, the owner can call the company to cancel it, and there is a good chance that it will be canceled before the thief has a chance to get value out of the card.  Moreover, the bitcoin network provides no anti-theft barriers: no one will call the victim to confirm a transaction that moves a million BTC from his account to someone else's account.  

Even if the probability of success of some hacking attack mode is 0.1% or less, the per-target cost of such an attack is small, thousands of computers can be hacked automatically, and the payoff from one successful attempt may be quite substantial.  See that Australian guy who was recently hacked out of 750 BTC, almost 300'000 USD. Note that the malware may be programmed to act only if the wallet has a large enough sum.  

I have a different opinion about that - credit/debit card theft today comes mostly from exploitation of different security levels (copy the magnetic track of a chip card, clone it and use it in a country not using chip cards), or identity theft (order a real fake card from stolen credentials). Recovering from such thefts which cannot be identified easily before they happen takes quite a long time (talking about months here).

With Bitcoin everyone plays on the same security level (which is already a nice improvement), and you can already have a second factor confirmation in multisignature wallets (GreenAddress is a good example - confirming each transaction using SMS to a feature phone is quite nice, even without a hardware wallet)

I do not expect that the manufacturers of hardware wallets will go out of their way to warn users of these remaining risks.

I believe that the threat matrix should be clearly provided so that people can know what they're buying

The bitcoin media and the community should do that.

I'd actually feel better if an independent security audit group was formed to specifically do that. That would keep the signal to noise ratio higher.

However, manufacturers should put clear disclaimers in their warranties and ads, so that they are not blamed if bitcoins are stolen from clients.

Quote from: our terms and conditions that nobody reads anyway
No warranty claim can be placed for an amount greater than the price paid in Euros for the product –
the Buyer acknowledges that while the best care has been applied to design a product suitable to
store crypto currency assets securely, no warranty is made by the Seller that the product is free from
software or hardware defects that could cause a loss of a part or the full assets stored on the
products. The Buyer is advised to keep a safe backup of each asset stored in the product.

good enough ?

Muhammed Zakir
October 06, 2014, 07:58:32 AM
 #168

Still haven't received my BTCChip. Sad Any idea WHY? Were there any technical issues with the service you used to ship? OR will I receive it soon? I had hoped that it would, but now it is approximately 1 month and my hope has gone. I have no complaints about this company. Take that 0.05 BTC as my donation. Grin Smiley Best Of Luck!

  ~~MZ~~

btchip (OP)
October 06, 2014, 08:01:46 AM
 #169

Still haven't received my BTCChip. Sad Any idea WHY? Were there any technical issues with the service you used to ship? OR will I receive it soon? I had hoped that it would, but now it is approximately 1 month and my hope has gone. I have no complaints about this company. Take that 0.05 BTC as my donation. Grin Smiley Best Of Luck!

  ~~MZ~~

yeah, I'm afraid it looks like I'm beta testing the post office delivery to non European / US countries. I'll resend it tomorrow using a different service, sorry for the delay.

Muhammed Zakir
October 06, 2014, 08:54:06 AM
 #170

Still haven't received my BTCChip. Sad Any idea WHY? Were there any technical issues with the service you used to ship? OR will I receive it soon? I had hoped that it would, but now it is approximately 1 month and my hope has gone. I have no complaints about this company. Take that 0.05 BTC as my donation. Grin Smiley Best Of Luck!

  ~~MZ~~

yeah, I'm afraid it looks like I'm beta testing the post office delivery to non European / US countries. I'll resend it tomorrow using a different service, sorry for the delay.


So haven't you sent it? According to your earlier post, it was shipped, so if you ship again and somehow both arrive, then won't you lose some money? Would I need to pay again if both arrive? Huh Smiley

  ~~MZ~~

btchip (OP)
October 06, 2014, 09:24:59 AM
 #171

yes I already shipped it. Of course you'll only pay once, I won't charge you for supporting my trial & error scheme Smiley

btchip (OP)
October 27, 2014, 08:05:19 AM
 #172

Firmware version 1.4.11 is now available, with quite impressive speed optimizations - upgrade now @ https://firmwareupdate.hardwarewallet.com

AussieHash
October 27, 2014, 09:19:35 AM
 #173

Are we supposed to have received email confirmation for a completed order ? I made payment 7 days ago, and never received email confirmation. I made payment with electrum immediately, before the countdown timer expired. The browser screen never updated to say payment confirmed.

I don't have a screenshot of that browser window, I don't have a transaction ID and you use some strange BitID without the manual login option so I cannot BitID login from my address to check the order.
btchip (OP)
October 27, 2014, 09:27:05 AM
 #174

Are we supposed to have received email confirmation for a completed order ?

No

I made payment 7 days ago, and never received email confirmation. I made payment with electrum immediately, before the countdown timer expired. The browser screen never updated to say payment confirmed.

This happens sometimes. The best thing to do is to let me know immediately - but no order is lost.

I don't have a screenshot of that browser window, I don't have a transaction ID and you use some strange BitID without the manual login option so I cannot BitID login from my address to check the order.

That wouldn't help if you didn't register it anyway, so you can PM me your payment address,  and I can tell you your order reference.

AussieHash
October 27, 2014, 01:53:17 PM
Last edit: November 05, 2014, 04:51:51 AM by AussieHash
 #175

Thanks for the quick reply to my PM, I see it has been posted.

Edit : Order arrived safely today, thank you very much  Cheesy
Edit 2 : works perfectly with greenaddress and with Trezor 2.0beta (requiring a wipe when switching from one to the other)
Edit 3 : using /python-trezor/mnemonic_check.py to generate a 24 word mnemonic, then loading it on Trezor (./cmdtr.py load_device) and btchip (electrum 2.0 beta).  Both devices generate the same HD address tree.
Edit 4 : Make sure you are running Chrome 38 or above for Greenaddress.
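
Edit 3 in the post above reports that a Trezor and a btchip loaded with the same 24-word mnemonic produce the same HD address tree. The following added example (not code from the thread or from either vendor) shows why, assuming both wallets follow BIP39 and BIP32; the account path m/44'/0'/0' is an illustrative assumption and the mnemonic is the public BIP39 test vector.

```python
import hashlib
import hmac
import unicodedata

# Order of the secp256k1 group, used for BIP32 private-key arithmetic.
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
HARDENED = 0x80000000


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39: PBKDF2-HMAC-SHA512, 2048 rounds, salt = "mnemonic" + passphrase."""
    words = unicodedata.normalize("NFKD", " ".join(mnemonic.split()))
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac("sha512", words.encode(), salt.encode(), 2048, 64)


def bip32_master(seed: bytes):
    """BIP32: master (private key, chain code) = HMAC-SHA512("Bitcoin seed", seed)."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    key = int.from_bytes(digest[:32], "big")
    if key == 0 or key >= N:
        raise ValueError("invalid master key, seed must be rejected")
    return digest[:32], digest[32:]


def ckd_hardened(key: bytes, chain: bytes, index: int):
    """Hardened child derivation; it needs only the parent private key."""
    data = b"\x00" + key + (index | HARDENED).to_bytes(4, "big")
    digest = hmac.new(chain, data, hashlib.sha512).digest()
    tweak = int.from_bytes(digest[:32], "big")
    child = (tweak + int.from_bytes(key, "big")) % N
    if tweak >= N or child == 0:
        raise ValueError("invalid child, skip to the next index")
    return child.to_bytes(32, "big"), digest[32:]


def derive_account(mnemonic: str, passphrase: str = "", path=(44, 0, 0)):
    """Walk a fully hardened path (assumed here: m/44'/0'/0') from the mnemonic."""
    key, chain = bip32_master(bip39_seed(mnemonic, passphrase))
    for index in path:
        key, chain = ckd_hardened(key, chain, index)
    return key, chain


if __name__ == "__main__":
    # Public BIP39 test-vector mnemonic (constructed input); never use it for funds.
    words = "abandon " * 11 + "about"
    first_device = derive_account(words)    # what one wallet computes
    second_device = derive_account(words)   # what the other wallet computes
    print("same account key:", first_device == second_device)
    # A different BIP39 passphrase yields an unrelated tree from the same words.
    print("passphrase changes tree:", derive_account(words, "TREZOR") != first_device)
```

Every step is a deterministic function of the mnemonic and passphrase, so the written-down word list is equivalent to the private keys and needs the same protection as the device itself.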
jackbox
November 04, 2014, 01:43:42 PM
 #176

Can I use HW1 on multiple computers and devices using the same wallet balances, etc? Or can it only be used on one computer or device at a time?

btchip (OP)
November 04, 2014, 10:33:24 PM
 #177

Can I use HW1 on multiple computers and devices using the same wallet balances, etc?

yes. It only holds the private keys and the associated balances are synchronized by the host computer.

Tafelpoot
November 13, 2014, 12:38:29 PM
 #178

Is the following correct?
- you can write a seed towards the btchip
- you cannot read a seed from the btchip.
- signing the tx is done on the chip.

Thanks in advance
btchip (OP)
November 13, 2014, 01:40:11 PM
 #179

Is the following correct?
- you can write a seed towards the btchip
- you cannot read a seed from the btchip.
- signing the tx is done on the chip.

Thanks in advance

yes exactly

jackbox
November 13, 2014, 02:36:07 PM
 #180

When I put the key into a USB port on my Windows 8.1 machine I hear the computer beep but I cannot find the device in device manager and it is not on the list for the hardware ejector. Is it listed somewhere and possible to eject? Or is it just okay to remove it without being able to stop it first?
