1841 | Bitcoin / Project Development / Re: [ESHOP launched] Trezor: Bitcoin hardware wallet | on: August 21, 2014, 01:48:11 AM
My lawyer has an International Business & Economic Law degree, so I think he knows a little more than you.
$330 is insulting for my device: not only is the device rare, it is also limited and a first edition. The device is probably worth more than 3 bitcoins, and for sure in a couple of years I could probably get a good price for it.
The refund is usually what you paid, not what you dream that the device is worth. If you paid in BTC, the amount to be refunded is the (amount of BTC you paid) x (BTC price at the time you paid). Besides, if the Trezor is worth more than $330, then you should pay the difference to satoshilabs. That said, a company that sets prices and does its accounting in BTC knows nothing about marketing and even less about accounting.

1842 | Economy / Speculation / Re: SecondMarket Bitcoin Investment Trust Observer | on: August 20, 2014, 05:08:07 PM
Of course FINCEN will issue an advisory warning against Bitcoin. Anything the government cannot control they will advise against, it's fairly simple.
Well, maybe, but there is also the little matter that bitcoin is a highly uncertain investment that has attracted an army of scammers and thieves. FINCEN's mission includes warning people about those risks. I didn't see anything wrong with that report.

1843 | Economy / Speculation / Re: SecondMarket Bitcoin Investment Trust Observer | on: August 20, 2014, 05:01:55 PM
Jorge, I've followed your posts on several different topics here. Curious on your thoughts on the stock market in general? Not if it's going up or down, just overall thoughts? For example, do you have your retirement savings in a well balanced portfolio, stocks, bonds, real assets, alternative assets etc?
I am not a sophisticated investor, never gave a thought to the stock market. My savings are in some investment fund offered by my bank. If I save enough, I may put it in real estate. I do not believe in the apocalyptic scenarios that some paint, they are obviously used to market alternative investments like gold or bitcoin, and funds thereof. There will be crises, of course, but I am sure that stocks and the dollar will suffer less than bitcoin. People will continue to work, buy things, and pay taxes. The companies that make those things will continue doing so, and the governments will continue to function.

1845 | Bitcoin / Project Development / Re: [ESHOP launched] Trezor: Bitcoin hardware wallet | on: August 20, 2014, 10:07:45 AM
I'm not saying malicious firmware cannot be signed. I'm saying it cannot be signed without people knowing.
Just to give one example, three of the 5 key holders at Trezor conspire and sign a malicious version of the firmware that is given to a hacker. The hacker unleashes a virus with a malicious plug-in or standalone MyTrezor bridge, that instructs clients to download and install the "latest version" of the firmware, which is of course the malicious version above.
You are exaggerating with the other "use cases". It's not going to happen.
Well, I hope that manufacturers can resist that temptation.
20000 lines of code can be verified in a month or two for backdoors. To fully understand all of it, it takes more time. The point is, it's possible for a single person and people did it.
You mean, someone already checked it, and did not see the backdoor?

1847 | Other / Off-topic / Re: Answer the question above with a question. | on: August 20, 2014, 09:41:21 AM
Why can't the History of Dance dude not do the Can-Can?
Are we actually talking about "History of dance dude", or just a can-can dancer? The History of Dance dude can do the can-can, did you mean the History of Dunce daddy? Why are proper nouns supposed to be capitalized, and are there many languages where there is no lowercase? You mean like the scripts of Chinese, Japanese, Arabic, Hebrew, and of most languages in India?

1848 | Bitcoin / Project Development / Re: [ESHOP launched] Trezor: Bitcoin hardware wallet | on: August 20, 2014, 09:22:05 AM
A malicious manufacturer can distribute firmware that, instead of using truly random seeds, chooses seeds from a very small set.
This would be visible in the firmware source. [ ... ] With deterministic build, everybody can check the firmware. That does not mean that everybody HAS to. If 3 of 5 decided to sign something malicious, then the rest of the guys would be whistle-blowing and everybody would know. [ ... ] I was talking about proving that there is a backdoor. As I argued above, if there is one, you should be able to find it in the open-source code. It should be easy to prove.
There is a firmware source posted on github. There is a firmware binary in each client's Trezor. Note the indefinite articles. Can you see the problem now? Come on guys, this vulnerability is not my entry for the Nobel Prize, it is an absolutely trivial and well-known observation. If someone can get a malicious version of the firmware signed, he can easily trick many clients into installing it. Hackers can even trick many users into installing an unsigned malicious version of the firmware and re-entering the recovery seeds. Do I have to spell out the details? As for it being single-purpose hence simple, I have seen several posts here requesting all sorts of features and support for things other than bitcoin. I bet that the full source will soon have hundreds of thousands of lines of code. (The Brazilian electronic voting machine, which does not even connect to the internet, has over a million lines of C/C++ source code, not counting the operating system.)
Trezor now has 16500 lines of code in *.c files and another 7000 in *.h files. This is a total for bootloader, firmware and I might have included some testing and GUI code as well, that is not on the device so it is even less. And this includes many features discussed here that are not yet released. I don't see it getting to 100000 any time soon. Provided that some code is imported from other open source libraries, the Trezor code itself is even smaller.
We will see in a couple of years. Judging by the mood of this thread, the Trezor will soon be storing your gaming site passwords, your calorie counts, your dog's gym workout schedule, ... (The Brazilian voting machine software was very small at the beginning, too.) Meanwhile, how long do you think it would take for one person to review 20'000 lines of code and make sure that it has no weaknesses (like a broken random number generator, or a line somewhere that sticks the private key into the signed transaction that is sent out to the infected computer)? I asked earlier whether the hardware has some sort of memory protection that would prevent one function from accessing data areas of an unrelated function, but got no answer. If it doesn't, the dog workout code will have access to the bitcoin private keys; therefore that code, and every modification to it, must be verified with the same care that is spent on the bitcoin code proper. Worse still if the firmware can modify itself.

1849 | Other / Off-topic / Re: Answer the question above with a question. | on: August 20, 2014, 08:26:26 AM
Why can't the History of Dance dude not do the Can-Can?
Are we actually talking about "History of dance dude", or just a can-can dancer? The History of Dance dude can do the can-can, did you mean the History of Dunce daddy?

1850 | Economy / Speculation / Re: Wall Observer BTC/USD - Bitcoin price movement tracking & discussion | on: August 20, 2014, 04:18:38 AM
GABI wants a run up starting 9/1.
At the end of September, they want to be able to tell potential investors that their fund had a 30% return in 30 days. Would put us back at 630 or so.
If they had $30mm or so to play around with, it would be easy. And even if they lost 10% of that $30mm, they make it back by charging their investors.
Not saying it's what is happening, but if you want to know a potential reason why price and value have diverged...
I don't think that potential GABI clients would be impressed by a 30% run-up following a 30% nearly vertical drop. But maybe there are enough such suckers out there. By the way, has there been any professional review of bitcoin funds (SMBIT, PBP, and the new ones) in financial media -- apart from paid "adnews"?

1852 | Economy / Speculation / Re: SecondMarket Bitcoin Investment Trust Observer | on: August 20, 2014, 03:39:26 AM
Isn't this a good time for a massive buy from SecondMarket?
The price is still falling, they will buy at a better situation.
Well, SMBIT should buy BTC only when someone buys fund shares from them. And they should sell BTC when, and only when, some client liquidates his shares (sells them back to SecondMarket). -- 10 shares = 1 BTC. So the question is, why aren't people buying more SMBIT shares? Well, the value of 1 share (which is 1/10 of bitcoin's market price, by definition) fell ~25% over the past month, and is again near the lowest it has been since November. Clients who buy fund shares now will be chained to them for six months. What will happen to the BTC price (and hence to the value of their investment) in those six months? Add to that the FINCEN advisory ... And then there is the matter that the BTC price is being determined by thousands of amateur day-traders in China. Would you trust your savings to them? I wonder if prospective clients are aware of this.

1854 | Economy / Speculation / Re: Wall Observer BTC/USD - Bitcoin price movement tracking & discussion | on: August 20, 2014, 02:08:56 AM
I demand respect and adoration from every bull in this thread. A brief statement about how awesome I am will suffice for now.
I am only half bull, half bear, and half indifferent, but nevertheless admit my admiration for your awesomeness.
You've got to be kidding me. Half bull, half bear, half indifferent.. 150% a bitcoiner! Jorge O_o you didn't?!?
Sorry to disappoint, but I didn't.

1856 | Economy / Speculation / Re: Bitcoin will plummet to $10 by first half of 2014 | on: August 20, 2014, 12:47:50 AM
Quick question. Are 400 and 10 the same number?
Nope. I don't even know why this thread hasn't been locked and committed to forum history. It's not relevant anymore.
Suppose that the price drops to $15 next Monday. Will you still laugh at that "totally wrong" prediction?

1857 | Bitcoin / Project Development / Re: [ESHOP launched] Trezor: Bitcoin hardware wallet | on: August 20, 2014, 12:17:39 AM
"requires you the manufacturer to actually have access to the private keys" This statement is dead wrong.
Indeed, and that is why I never wrote that. A malicious manufacturer can distribute firmware that, instead of using truly random seeds, chooses seeds from a very small set. Then the manufacturer can generate the private keys for all those seeds and find the one that matches the client's blockchain address. This attack can be performed by the manufacturers, or by any individual or gang who can get hold of 3 of the 5 firmware signing keys. Or by someone who can plant the weakness in the firmware before it gets signed. Or by anyone who can replace the Trezor by a counterfeit one during shipment to the client. Or any shop that sells Trezors to walk-in clients. I can think of a few other variants on this attack. Surely criminals can think of dozens more.
Without physical access to the hardware, there is only a single way the manufacturer could get your keys: a backdoor. There is a catch though. If your bitcoins are stolen by malware or a hacker, then you are just screwed. If your btc is stolen by an open software, open hardware backdoored device, then you can sue somebody. [ ... ] Their liability for money stealing backdoors [ is ] fraud and you can sue it everywhere in the world.
If the manufacturers do steal your coins, in order to accuse them of deliberate theft you will have to prove, first, that the source address of the fatal transaction was under your control at the time, and that the destination address was not. Perhaps you can do that with witnesses, or internet access logs, but it seems quite hard. (But, ok, that is a problem of bitcoin itself, not of Trezor.) Then you have to prove that you did not leak the recovery key words inadvertently. And then you have to prove that the destination address is under their control.
I assume their liability for a software bug is at the zero level.
On the contrary, a client who loses the coins that he kept in a Trezor may be able to sue the manufacturers for misleading advertising, even if they are innocent and the theft did not involve them directly. (I haven't seen the Trezor warranty; I hope that they got the help of some smart lawyers, and thoroughly protected themselves from that risk.) Of course the client would still face the problem of proving that the theft really occurred, as above.
Also, your statement that checking the software is not viable in practice is wrong. They use deterministic build so everybody can check that the software is what it is supposed to be. Also, the software is single purpose, thus small, thus verifiable for backdoors.
As for checking the software, see my previous reply to another post. As for it being single-purpose hence simple, I have seen several posts here requesting all sorts of features and support for things other than bitcoin. I bet that the full source will soon have hundreds of thousands of lines of code. (The Brazilian electronic voting machine, which does not even connect to the internet, has over a million lines of C/C++ source code, not counting the operating system.)

1858 | Bitcoin / Project Development / Re: [ESHOP launched] Trezor: Bitcoin hardware wallet | on: August 19, 2014, 11:41:49 PM
Checking the hardware is viable only with sophisticated lab equipment. To check the software, someone would have to carefully check the source code (at every release) for malicious backdoors or weaknesses, and then the client would have to check that the compiled firmware that he is loading, duly signed by the manufacturer, matches that source code. Obviously neither is viable in practice, except after the fact.
The hardware can be checked by feeding it known inputs and checking that the output matches what's expected.
It is easier to find the private key of a bitcoin address by trial and error than to check all possible inputs of such a device. (Translation, just to avoid misunderstandings: it is totally inviable.)
Their build process is deterministic, so you can in fact check that the signed binary matches the open source code. It is also not true that every individual has to check the code every time there is a release, it can be done on an ongoing basis by a community of semi-trusted individuals.
Each client will have to download and install a copy of the firmware at every update, so each client would have to check that his copy matches the copy that the community has verified by compiling the source code. That can be done by comparing the hashes of the firmware only; but how will the client get the correct hash to compare to, and how will he compute the hash of the downloaded copy, on an untrusted machine (which is the assumption that justifies using a Trezor)?
You're really reaching, aren't you? What's your angle here exactly?
I am merely pointing out a fact that should be obvious to anyone who really tries to evaluate the security of the system. Just because something is "bitcoin" it does not mean that it is perfect. While trusting a Trezor is certainly better than trusting a random PC or smartphone, clients still must trust the manufacturers (their honesty, and their zeal in keeping intruders off the manufacturing and shipping process).
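The verification chain argued over in this post (a hash of the reproducible build that independent builders can attest, plus signatures from 3 of the 5 manufacturer key holders mentioned earlier in the thread), written out as an added Go example that is not from the thread or from the Trezor project. The ed25519 signatures, the `Sig` layout and the `VerifyUpdate`/`Demo` names are assumptions for illustration; the check only means something when it runs on a machine the client trusts, which is the objection the post raises.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Sig is one key holder's ed25519 signature over the SHA-256 of the image.
type Sig struct {
	Holder int // index into the list of known holder public keys
	Sig    []byte
}

// VerifyUpdate is the check a client would run on a trusted machine before
// installing: the image must hash to the value independent builders got from the
// reproducible build, and at least `threshold` distinct known holders must have
// signed that hash (unknown keys and repeat signatures do not count).
func VerifyUpdate(image []byte, buildHash [32]byte, holders []ed25519.PublicKey, sigs []Sig, threshold int) (bool, string) {
	h := sha256.Sum256(image)
	if h != buildHash {
		return false, "image hash does not match the reproducible build"
	}
	seen := map[int]bool{} // set of holders with a valid signature
	for _, s := range sigs {
		if s.Holder >= 0 && s.Holder < len(holders) && ed25519.Verify(holders[s.Holder], h[:], s.Sig) {
			seen[s.Holder] = true
		}
	}
	if len(seen) < threshold {
		return false, fmt.Sprintf("only %d of %d required signers", len(seen), threshold)
	}
	return true, "ok"
}

// Demo: five constructed key holders, a reproducible build of a constructed image, three cases.
func Demo() (threeOK, twoOK, tamperedOK bool) {
	pubs := make([]ed25519.PublicKey, 5)
	privs := make([]ed25519.PrivateKey, 5)
	for i := range pubs {
		var err error
		if pubs[i], privs[i], err = ed25519.GenerateKey(rand.Reader); err != nil {
			panic(err)
		}
	}
	image := []byte("constructed firmware image v1.0") // stand-in for a real binary
	buildHash := sha256.Sum256(image)                   // what the builders publish
	sign := func(i int) Sig { return Sig{i, ed25519.Sign(privs[i], buildHash[:])} }
	threeOK, _ = VerifyUpdate(image, buildHash, pubs, []Sig{sign(0), sign(2), sign(4)}, 3)
	twoOK, _ = VerifyUpdate(image, buildHash, pubs, []Sig{sign(1), sign(3), sign(3)}, 3) // holder 3 twice
	tampered := append([]byte{}, image...)
	tampered[len(tampered)-1] ^= 1 // one flipped bit: signatures unchanged, hash differs
	tamperedOK, _ = VerifyUpdate(tampered, buildHash, pubs, []Sig{sign(0), sign(1), sign(2)}, 3)
	return
}
```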

1859 | Bitcoin / Project Development / Re: [ESHOP launched] Trezor: Bitcoin hardware wallet | on: August 19, 2014, 09:38:42 PM
Is this just as secure as a paper wallet? I should imagine it isn't because it requires you the manufacturer to actually have access to the private keys?
The keys are generated using entropy from the trezor plus entropy from the computer you plug into. There's no way for the manufacturer to know your keys.
Well, if the manufacturer of a hardware wanted to get the client's keys, they could do it very easily. If you use a special-purpose hardware to store your keys, you have to trust the manufacturer. I see no way around it.
The hardware can be checked and the software is open source.
Checking the hardware is viable only with sophisticated lab equipment. To check the software, someone would have to carefully check the source code (at every release) for malicious backdoors or weaknesses, and then the client would have to check that the compiled firmware that he is loading, duly signed by the manufacturer, matches that source code. Obviously neither is viable in practice, except after the fact.

1860 | Economy / Speculation / Re: Wall Observer BTC/USD - Bitcoin price movement tracking & discussion | on: August 19, 2014, 09:23:44 PM
HELLO!!!! At one minute, you seem to be defending Coinbase's business practices as ordinary and regular, and then you put these little digs of corruption to suggest that all businesses have corruption.. WTF? Businesses are composed of individuals, and some individuals are corrupt, but NOT everyone is corrupt. GET a grip!!
I did not say either of those things. I did not accuse or defend Coinbase about anything, just pointed out what would obviously be their interest and need. I did not say that middlemen taking a slice of the profit is corruption. Obviously, if they did not do that, there would be no middlemen. And of course they try to take as much profit as they can, like everybody else.
Pretty sure this entire thread is just Adam talking to himself with alt accounts.
I swear by God, by God, by God, creator of heaven and of Earth, and by His manifestations visible and invisible, and by my Prophet Mohammed Al-Mustafa who taught and confirmed and showed the Faith that we Moors and Suleimans believe, and by the Quran in which it is written in Arabic the Faith that we have, and by the Psalter of David and by the Gospels of Jesus Christ and by the hundred and twenty four Prophets of God of which Adam was the first, and by the soul of the blessed my Father, and by the life of my children, and by my head, and by the sword that I carry that JayJuanGee is not a sockpuppet account that I created for the sole purpose of inflating the count of posts about my person.