Ninjastic
PostEdited versionsQuotes to this post
Post
Topic
Board Speculation
Merits 1 from 1 user
Re: Wall Observer BTC/USD - Bitcoin price movement tracking & discussion
by
Gachapin
on 28/12/2024, 05:25:17 UTC
⭐ Merited by JayJuanGee (1)
Quote from: JayJuanGee on Today at 03:17:56 AM
Quote from: Gachapin on Today at 02:30:05 AM
Quote from: JayJuanGee on December 27, 2024, 07:23:10 PM
Quote from: Gachapin on December 27, 2024, 07:27:30 AM
Quote from: JayJuanGee on December 27, 2024, 12:33:06 AM
Quote from: Gachapin on December 25, 2024, 10:22:16 AM
Quote from: JayJuanGee on December 24, 2024, 07:32:40 PM
....At the same time, I would suggest that you are wrong in regards to your description of the vulnerability being ameliorated by having a stronger pin number, which I believe hardly does shit if someone has  physical access to the device with a non-secure element.  
....
no no JJG .... The PIN is used to encrypt the seed on your device. A strong (long) PIN cannot be cracked via brute force, so it's not possible to decrypt your seed when someone gets hold of your device.
That's why Trezor enabled PINs with 50 digit length (maybe longer), when they fixed the vulnerability of physical access a few years ago.  

Means, if your PIN is long enough (has enough entropy) nobody can get the seed out of your device.
No (un)secure element needed !
I recall that the security breach of having physical access to the Trezor was from several years ago, and I thought that the ONLY remedies was avoiding physical access to the Trezor and/or having a passphrase, as is stated in this Kraken Blog article.  The Article describes brute forcing the pin too, yet I cannot recall the pin being less vulnerable based on length and complication, even though what you say makes sense if they have to brute-force the pin, too.

Until I see something more clear, I will have to take what you are saying about the creation of a more robust pin (as the solution to the problem) with a grain of salt.
haha no need to trust me.... that the PIN protects your Trezor against physical attacks by encrypting the seed is written in the adtual article you posted yourself...  

Quote
We then crack the encrypted seed, which is protected by a 1-9 digit PIN, but is trivial to brute force.
https://blog.kraken.com/product/security/kraken-identifies-critical-flaw-in-trezor-hardware-wallets

Again, that's why Trezor upped the possible PIN length to 50 digits (166 Bits), so there is no possibility to brute force anymore.
If that 2020 article is proclaiming that changing the pin number protects you from attack, then why did they not list such protection in their suggestions? Here's what the article says:

Maybe there is a newer article going into such details that describe how making a more sophisticated pin code helps?  or prevents hack-ability, as you seem to want to proclaim.
...because at that time the Trezor didn't offer the possibility of a longer PIN yet  Roll Eyes

c'mon JJG it can't be that hard to understand!

You think I am playing with you? 

I am not.  I am giving my own understanding of the matter, and I don't claim to be a technical genius, yet I have been pointing out some technical pieces to support the assertions that I have been making...and to show my understanding of the matter.  I doubt that what I have been saying is outside of the sphere of what some other guys might think about various Trezor weaknesses, and/or vulnerabilities.  And, by the way, I find Trezor's usability to be quite friendly and easy.

From my understanding, frequently Trezor is still being criticized because of its physical access vulnerability, and sure that could merely be competitors who are making those kinds of proclamations, yet Trezor does not seem to be countering those claims.

If the longer pin were to be removing such physical access vulnerabilities (or greatly diminishing such vulnerabilities) then I would have had thought that there would be some kind of a counter-marketing campaign coming out of Trezor's camp and/or one of their supporting camps rather than their seeming to want to cave in and to move over towards providing secure elements in their newer products, which yeah so far many of us recognize that the secure element is not completely open sourced, so the Trezor with the secure element remains problematic.

No, I absolutely don't think you are playing me!  I just thought the issue must be quite easy to understand for an AI  Cheesy

Joke aside, I thought with the quote of the article it should be obvious, as everything is in that short sentence. But maybe I'm just a bit too used to the topic as I once researched the shit out of it, after they changed the PIN length.

Indeed, Trezor really lacked an adequate counter-campaign. I remember some article(s) on the PIN (don't make me search...).
But Trezor surely fell short of educating their users. At least they should have more on their website...

I guess since they went the SE route it's not so important for them anymore..