Bitcoin Forum
January 17, 2015, 02:14:21 AM *
  Show Posts
2121  Bitcoin / Project Development / Re: Trezor: Bitcoin hardware wallet on: July 28, 2014, 06:56:10 PM
Do you mean that the firmware can be replaced after the device was assembled?  If so, what is the procedure to do that?
The official procedure is rather nicely shown here: http://doc.satoshilabs.com/trezor-user/updatingfirmware.html
Hm... What if someone gets hold of your Trezor without your knowledge, installs malicious firmware that saves your passphrase, returns it to you, then steals it again after you have used it, and downloads the passphrase?  Or whatever?
your contortions are getting a little contrived ... and a bit funny too.
You don't build confidence on a system by having it examined only by people who want it to be declared safe.  ;)
until you stray into life of the universe type probabilities it makes sense to question ... after that you are being irrationally paranoid or simply trolling.
Are you acquainted with, say, the false fronts for ATM machines that steal card data? 
they're commonly known as "skimmers" in the trade ...
your "Or whatever?" seems to be the best summary of the thrust and quality of your arguments thus far.
(I thought that this thread was about Trezor, not about me.)

When validating a system one MUST be paranoid.  If there is a way to break it, no matter how "unlikely", that is the way that criminals will aim for.  You cannot expect them to be nice and only try those attacks that you have protected against.

There is nothing paranoid about fake or compromised Trezors being used to steal  passwords and PINs.

The fact that one can upload new firmware does increase the risks.  For one thing, a hacker or a rogue satoshilabs employee could get his malicious firmware signed, and then use it in many ways (besides the one I described).  I hope that you are paranoid enough to imagine some more.

Suppose that one day a client tries to use his Trezor, where he put all his BTC, and it shows "warning, firmware is unsigned, do you want to continue?" What is the probability that he will click "yes" (and then enter his passphrase when the device asks for it), rather than calling the Trezor hotline?


2122  Bitcoin / Project Development / Re: Trezor: Bitcoin hardware wallet on: July 28, 2014, 05:54:04 PM
Do you mean that the firmware can be replaced after the device was assembled?  If so, what is the procedure to do that?
The official procedure is rather nicely shown here: http://doc.satoshilabs.com/trezor-user/updatingfirmware.html
Hm... What if someone gets hold of your Trezor without your knowledge, installs malicious firmware that saves your passphrase, returns it to you, then steals it again after you have used it, and downloads the passphrase?  Or whatever?
your contortions are getting a little contrived ... and a bit funny too.
You don't build confidence on a system by having it examined only by people who want it to be declared safe.  ;)
until you stray into life of the universe type probabilities it makes sense to question ... after that you are being irrationally paranoid or simply trolling.
Are you acquainted with, say, the false fronts for ATM machines that steal card data? 
2123  Bitcoin / Project Development / Re: Trezor: Bitcoin hardware wallet on: July 28, 2014, 05:40:33 PM
Do you mean that the firmware can be replaced after the device was assembled?  If so, what is the procedure to do that?
The official procedure is rather nicely shown here: http://doc.satoshilabs.com/trezor-user/updatingfirmware.html
Hm... What if someone gets hold of your Trezor without your knowledge, installs malicious firmware that saves your passphrase, returns it to you, then steals it again after you have used it, and downloads the passphrase?  Or whatever?
your contortions are getting a little contrived ... and a bit funny too.
You don't build confidence on a system by having it examined only by people who want it to be declared safe.  ;)
2124  Economy / Securities / Re: [BitFunder] Moving Forward/Resolution Process on: July 28, 2014, 05:35:40 PM
What do you hope to achieve by letting the guy who lost/stole the coins work on mythical projects for months with zero progress?
It's possible that it takes time to reachieve the lost coins. So no need to be hasty. Though in return if suing really means bankruptcy without the chance to get the original coins back then yes... suing now would be the most stupid idea. And only because someone thinks he knows what happened and thinks ukyo is lying.
Is there ANY reason to believe that this 'Ukyo' is genuinely trying to return the "lost" coins? 
2125  Other / Off-topic / Re: Answer the question above with a question. on: July 28, 2014, 05:29:22 PM
LostDutchman, why are you always on the defense?
Why is challenging what are obviously attacks on my person, posts or character considered to be "defensive"?; Are you French?
Have you considered that you are wrong in your assertions and people actually like interacting with you??
Have you ever been as far as even considered go want to do look more like?
Is it wet that green ideas sleep furiously?
I'm sorry but what does that mean?
Have you tried googling 'green ideas sleep'?
Can anyone help and tell me where the letter 'g' is on the keyboard?
Stamped on top of some key, perhaps?
2126  Bitcoin / Project Development / Re: Trezor: Bitcoin hardware wallet on: July 28, 2014, 04:30:56 PM
Do you mean that the firmware can be replaced after the device was assembled?  If so, what is the procedure to do that?
The official procedure is rather nicely shown here: http://doc.satoshilabs.com/trezor-user/updatingfirmware.html
Hm... What if someone gets hold of your Trezor without your knowledge, installs malicious firmware that saves your passphrase, returns it to you, then steals it again after you have used it, and downloads the passphrase?  Or whatever?
2127  Economy / Service Discussion / Re: MtGox withdrawal delays [Gathering] on: July 28, 2014, 04:05:02 PM
New announcement: https://www.mtgox.com/img/pdf/20140728_announcement.pdf
Extended until 29th May 2015 for the claims filing, so it's going to take a looong time...
Anyways, how do you actually fill a claim ?

Edit : From one of their documents (https://www.mtgox.com/img/pdf/20140723_report_en.pdf)
Quote
1. Filing of proof of bankruptcy claims
With respect to filing of proofs of bankruptcy claims in this case, since extremely large number of creditors exist all over the world, I am considering to implement a reasonable and smooth method of filing. For such purposes, it is necessary
(i) to sufficiently confirm, with the cooperation of professionals, the details and method of use of data regarding the business of the bankrupt entity, which I preserved, and
(ii) to consider the situation of the investigation of the background behind the disappearance of BTC. Accordingly, it is expected to take a few months to determine the filing method. In light of this, although the deadline for filing the proof of claims of bankruptcy in these bankruptcy proceedings is set as November 28, 2014, I consider it is necessary and reasonable to postpone the date to reasonable timing.

2. Provision of information on WebSite
Since extremely large number of creditors exist all over the world in this case, I plan to disclose information, etc., necessary for creditors regarding this case on the WebSite (https://www.mtgox.com), which I manage as such as possible from time to time.
This text is written by Mark. It is surprising that he is allowed to have any voice about (or control of) the proceedings at all...
2128  Other / Off-topic / Re: Answer the question above with a question. on: July 28, 2014, 03:58:47 PM
LostDutchman, why are you always on the defense?
Why is challenging what are obviously attacks on my person, posts or character considered to be "defensive"?; Are you French?
Have you considered that you are wrong in your assertions and people actually like interacting with you??
Have you ever been as far as even considered go want to do look more like?
Is it wet that green ideas sleep furiously?
I'm sorry but what does that mean?
Have you tried googling 'green ideas sleep'?
2129  Other / Off-topic / Re: Answer the question above with a question. on: July 28, 2014, 02:31:56 PM
LostDutchman, why are you always on the defense?
Why is challenging what are obviously attacks on my person, posts or character considered to be "defensive"?; Are you French?
Have you considered that you are wrong in your assertions and people actually like interacting with you??
Have you ever been as far as even considered go want to do look more like?
Is it wet that green ideas sleep furiously?
2130  Alternate cryptocurrencies / Altcoin Discussion / Re: rpietila Altcoin Observer on: July 28, 2014, 02:30:39 PM
Personally, I do not see transaction fees as a problem. I believe that fees should be enforced in every single coin. No fees = bloating attack vector open = coin is DOA
Indeed, I got this suspicion that most of the traffic in the Bitcoin blockchain (~70'000 BTC/day currently) is "fake", namely coins being moved between addresses that belong to the same owner.   Could it be all generated by a single person, from a single laptop, moving 500 bitcoins (possibly in many different addresses) every 10 minutes or so?  Perhaps someone is trying to wash stolen coins, or torture-test some wallet software...
https://blockchain.info/charts/estimated-transaction-volume 

The number of new addresses used per day may be bloated for the same reason.  Since new addresses are free, why not...?
2131  Bitcoin / Project Development / Re: Trezor: Bitcoin hardware wallet on: July 28, 2014, 02:09:34 PM
I'm not sure whether you can verify the firmware running on the device, but you can always flash it with the latest firmware from the website or your own build. That said, there is still bootloader that might be hacked, but that would have to happen in production because it cannot be overwritten. That would be equivalent to having a fake one.
Wait, I am confused.  Do you mean that the firmware can be replaced after the device was assembled?  If so, what is the procedure to do that?


2132  Economy / Speculation / Re: Wall Observer BTC/USD - Bitcoin price movement tracking & discussion on: July 28, 2014, 02:06:05 PM
There is no real reason to go down other than people's expectations not happening.
That is almost certainly true -- but whose expectations? 

Some say that it was the "next bubble" predicted by exponential extrapolation, which did not happen when predicted, and instead the price broke out through the bottom of some channel that was supposed to contain it.

However, that explanation is not very convincing because the interval between bubbles has been quite variable, so no one should have expected the "next bubble" to happen in a particular month.   As for the channel breakout, that could be easily "fixed"  by redrawing the channel.

I still prefer my "Chinese" explanation.  Namely, the price went up in late May because some Chinese traders got advance info about the "offshore" branches of Huobi and OKCoin, and stocked on bitcoins expecting the price to shoot up when they opened.  The price is now dropping because the "offshore" exchanges finally opened, those traders were disappointed, and they are unloading their coins back on the Mainland exchanges.
2133  Bitcoin / Project Development / Re: Trezor: Bitcoin hardware wallet on: July 28, 2014, 12:05:07 PM
If there are hidden cameras everywhere, all hardware is NSA hacked and user is not looking at the screen before sending all his money to thief, then the user probably cannot do safe transaction with credit card either. [ ... ] So what can be done that would in your opinion make this safer than your credit card? If I have hacked computer, then thief can steal my money from my bank account. If I have cameras in my apartment, then he might steal from me as well. I have received my computer, credit cards and bank details by post and if NSA or government wanted they can block and empty my bank account whenever they wanted.

As I wrote, using a Trezor is surely safer than entering or storing keys in your PC or laptop, and you may even dare to use it on a random cybercafe computer (which you should never entrust with your keys).

However, users must be aware that the risk of theft is still not negligible, and they must still be very careful when using the Trezor -- even more than when using credit cards or home banking.

Consider the entire process of stealing money from your account or credit card, including what the thief needs to do to get the cash in hand once he has stolen the PIN or passwords, and what you can do once you discover the theft.  Bitcoin makes the theft much simpler and safer for the thief, and he can effectively collect bitcoins stolen from thousands of wallets on the same day, without even being logged in at the time.  Bitcoin thefts have proven to be nearly impossible to solve; the stolen coins cannot be blocked or seized, and are easily laundered with little risk.

For those reasons, and more, bitcoin is extremely attractive to professional cybercriminals.  It is no wonder that there are already more bitcoin thefts than credit card thefts, in proportion to the total e-payments.  

Quote
I think that it is important to talk about these risks and educate users. But if there is nothing what can be done, then engaging in such discussion is useless.

Of course it is very important to discuss these issues.  I don't know the details of the hardware & software, but I am sure that its safety can be improved in many ways.

For example, it is still not clear to me whether there is any practical way to check that the firmware that is loaded in a particular Trezor device is the official one.  (This is the fundamental fatal flaw of every all-digital voting machine design, and there is still no known solution for it.)
2134  Economy / Speculation / Re: Wall Observer BTC/USD - Bitcoin price movement tracking & discussion on: July 28, 2014, 11:28:17 AM
woah look at that million dollar buy wall on stamp
I'm more interested in the $3m buywall on Huobi @ 3400
woah that is even bigger than the one on bitstamp
But Huobi's traders like to play the catch-my-wall-if-you-can game, more than other traders it seems...
2135  Bitcoin / Project Development / Re: Trezor: Bitcoin hardware wallet on: July 28, 2014, 03:45:03 AM
If you use your Trezor anywhere outside your home,  whatever you do to unlock it (passwords, PIN, voiceprints, secret handshakes...) can be recorded and used by someone who later steals the device.
PIN - can't be logged, please search for the Trezor PIN matrix.

By "recording" I do not mean just keylogging, but (e.g.) placing a hidden hi-res camera in the right spot.

Quote
passphrase - best practice  when you need to use a public computer, just have a small spending amount without a passphrase
One may have to use a public computer for relatively large sums, e.g. pay a hotel bill or run a business remotely while on vacation in a remote place.

Quote
security researchers that tested Trezor were a bit disappointed that they couldn't trick Trezor with  buffer overflow
I did not mean buffer overflow explicitly (no programmer should make that mistake any more) but some other subtle bug that can be exploited to breach the security.

"It is easy to write correct software, you just have to remove all its bugs. And it is easy to remove all bugs, you just have to remove the last one."  ;)
 
Quote
Perhaps the designers left a secret backdoor
it's opensource, everybody can check and believe me they are doing that..
But there is no easy way to make sure that the software that they are checking is what is stored in the device, is there?

Quote
1. check the integrity of the package before you use the device
A criminal who sets out to physically hack a rich man's Trezor during delivery will surely be able to provide a neatly sealed package that will fool him.

Quote
2. only buy it from official/trusted shops 3. the casing cannot be opened without damaging it so replacing internals won't be easy
Most devices will be bought via internet and delivered by UPS or the like.  International purchases will be particularly risky since the packages may sit for weeks at customs and be opened by them.

The Trezor's exterior is quite simple, so it seems relatively easy to make a fake one that looks and feels like the original.  The copy can be swapped for the original, without the owner noticing, and can be designed to steal the PIN and/or passphrase and transmit it to the thief, e.g. by bluetooth. (This attack would be similar to the "chupa-cabra" that thieves attach to ATMs to steal card data and PINs).
2136  Economy / Speculation / Re: Wall Observer BTC/USD - Bitcoin price movement tracking & discussion on: July 28, 2014, 03:06:10 AM
Hm? Dump started on BFX
It seems to have started around 2:00 UTC on Huobi and OKCoin, and at about 2:12 on Bitfinex.  At 2:12 the Chinese exchanges were already halfway through it.

I cannot prove that the late May pump and the recent dumps have Chinese causes, but at least there are some relevant events and vaguely possible explanations in that bucket, but none in the "Western thing" bucket.


2137  Other / Off-topic / Re: Answer the question above with a question. on: July 28, 2014, 02:55:35 AM
Wait... the matrix isn't real?
Isn't the blockchain the embryo of the Matrix, where every human being will eventually have no other choice but to be perpetually plugged in, and to it surrender all its worth?
2138  Bitcoin / Hardware / Re: New Official AMT Thread on: July 28, 2014, 02:47:52 AM
Not publicly providing tracking numbers is a good idea that isn't information any company should release, but the excuse of not providing it directly to each client because of "potential trouble makers" seems somewhat bizarre to say the least.
Indeed the UPS tracking number should be sent privately to the client as soon as the package is shipped.  There is no excuse for not doing so.

I intended to suggest that they publish only

  "order #, model, quantity, date order received, date(s) product(s) shipped/refunded"

for all orders, so that each client can verify not only his status but also how it stands in relation to the other clients.

In normal circumstances a company would not publish such data, but given the persistent (and, I would think, justified) suspicions that this company is being quite unfair in the scheduling of shipments/refunds, publishing that information would do more good than harm, IMHO.

Bitcoin-related businesses in general are risky because they are not regulated, and, being private companies rather than public, they are not required to submit to independent audit every quarter.  One way to reduce that risk and increase customer confidence is to be more transparent than a normal corporation would.
2139  Economy / Speculation / Re: Wall Observer BTC/USD - Bitcoin price movement tracking & discussion on: July 28, 2014, 02:27:15 AM
Why is this sudden dump?
Apparently it started in China, several minutes before Bitstamp/Bitfinex.

The bitcoin press should be trying to understand and report on the situation in China.  Are the Huobi and OKCoin.CN clients migrating to the new offshore sites BitVC and OKCoin.COM?  Is BitVC going to trade in USD too, or only in CNY? (Or is that CNH?) Is OKCoin.COM going to be competitive to Bitstamp etc?  And so on...

Reporting on bitcoin without looking at China is like reporting on casinos without considering Las Vegas...
2140  Economy / Speculation / Re: Wall Observer BTC/USD - Bitcoin price movement tracking & discussion on: July 28, 2014, 02:17:48 AM
[ ANOTHER CHARITABLE CONTRIBUTION TO THE PAGE COUNT ]

I am thinking of starting a Wall Observer Backed Investment Thread (WOBIT).

Each post on the WOBIT thread will be guaranteed to be a quote of 1/10 of the text of some post in this thread.  Posts to WOBIT will be illiquid; authors will not be able to delete them for the first six months, and cannot be re-quoted by other users  except by special authorization of the WOBIT managing moderator.

Only accredited posters will be allowed at first, but there are plans for Q4/2014 to create an exchange where WOBIT posts can be openly traded for ChartBuddy plots or dinosaur images.