-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On Mon, Jan 16, 2017 at 04:39:04PM -0500, [email protected] wrote: > On 01/16/2017 07:45 AM, Franz wrote: > > > On Mon, Jan 16, 2017 at 4:08 AM, [email protected] <[email protected]> wrote: > > > > > On 01/16/2017 12:37 AM, Franz wrote: > > > > > > On Sat, Jan 14, 2017 at 10:39 PM, Marek Marczykowski-Górecki < > > > > [email protected]> wrote: > > > > > > > > -----BEGIN PGP SIGNED MESSAGE----- > > > > > Hash: SHA256 > > > > > > > > > > On Sat, Jan 14, 2017 at 09:17:32PM +0100, Maksymilian Skica wrote: > > > > > > > > > > > Hi, > > > > > > > > > > > > Does anyone actually make Qubes OS working with some bitcoin > > > > > > hardware > > > > > > wallet? I want to buy one now and my first requirement is that it > > > > > > will > > > > > > work with Qubes. > > > > > > > > > > > Yes, it should work using qvm-usb. At least Trezor do work. > > > > > > > > > > > > > > > Also assigning to a Trezor-VM the USB controller of a USB expresscard > > > > dedicated to Trezor, it works perfectly. > > > > > > > > Best > > > > Fran > > > > > > > > - -- > > > > > Best Regards, > > > > > Marek Marczykowski-Górecki > > > > > Invisible Things Lab > > > > > A: Because it messes up the order in which people normally read text. > > > > > Q: Why is top-posting such a bad thing? > > > > > -----BEGIN PGP SIGNATURE----- > > > > > Version: GnuPG v2 > > > > > > > > > > iQEcBAEBCAAGBQJYetLfAAoJENuP0xzK19csHIMH/ihx8tx2LUGlVgvUSptwa52h > > > > > Oor7Y/zeaDbeZzDsFCXwca2XVtfhm+idkqehmk6VamYeVRAeVg9iBYGlLWG4sC8M > > > > > hBsIiz4ZOWBqWokBSRFO72PZDqbwkz6E2cCuWXFanRkPrWfTNFGruf3OjYN52fCC > > > > > gCLpLWgsAMVEQH4OunrQJSDkBgcIfEobtDwFqxckdGVen/pos+C0sI0DBO8WVQiK > > > > > y3rw7MRp5X0brRycbVJ531TRsFVK+nZCcFdO4x/aSQDaXIQlm+RfxR6VQQzIjC+c > > > > > qP3vxy1IbNOGQYPmhQTVIU0BHysT6cJBt58GdUEiLz3u7RYCjMuQvjXPYnfE+P8= > > > > > =8Z0H > > > > > -----END PGP SIGNATURE----- > > > > > > > > > > -- > > > > > You received this message because you are subscribed to the Google > > > > > Groups > > > > > "qubes-users" group. > > > > > To unsubscribe from this group and stop receiving emails from it, > > > > > send an > > > > > email to [email protected]. > > > > > To post to this group, send email to [email protected]. > > > > > To view this discussion on the web visit https://groups.google.com/d/ > > > > > msgid/qubes-users/20170115013942.GB3974%40mail-itl. > > > > > For more options, visit https://groups.google.com/d/optout. > > > > > > > > > > Am I the only one who thinks it is a horrible idea to use a closed > > > source hardware device designed by a bunch of kids and probably made in > > > china to manage lots of money? > > > > > > Hardware crypto sucks because it can't be verified without a team of PhD's > > > and millions of dollars in equipment. > > > > > Well, every way has its own problems. We have seen that even using a cold > > VM with Qubes may fail because of a Xen bug, so the most reasonable with > > money is to share the risk among different and independent routes, so if > > one fails you'll not loose everything. So Trezor may well be one of them. > > > > That said, isn't this https://github.com/trezor/ some indication that we > > may trust Trezor a little bit? > > Best > > Fran > > > That repo doesn't have the source for the device, nor the > compilation/flashing instructions (tivo'ized!) and the firmware and hardware > isn't open source either.
I think you've missed the second repo on this page: https://github.com/trezor/trezor-mcu and here: http://doc.satoshilabs.com/trezor-tech/hardware.html Just out of curiosity - I've compiled it (very simple instructions) and the resulted binary have exactly the same hash as the binary firmware downloadable from their website. > It also needs a web-app and a browser plugin on chrome of all things to > properly function. Or a simple python tool (https://github.com/trezor/python-trezor). Or electrum wallet (also open source). And probably many more have support for it. > It hasn't been audited by an outside firm for security I don't know any, but as none of your other asserts are true, I will assume the same here. > and it uses the > insecure USB bus which can easily be fucked around with. Yes, USB is quite complex, especially on the host side. On the device side there is also some complexity, but much less. Especially when you implement only serial-like link (disguised as HID device). Actually in case of Trezor, I'd be more concerned about adding too much functionality (gpg, ssh-agent, u2f and more...). > If you have that much money in bitcoin maybe you should simply buy and carry > around a novena or an old coreboot compatible small laptop, you could have > them talk to eachother via rs-232 serial which is very safe much safer than > black box crypto. Of course you can do whatever you like. Some consider hardware wallets secure enough, some do not. But lets use facts when taking such decision. - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQEcBAEBCAAGBQJYfUtWAAoJENuP0xzK19cs7EsH/1iEeEppkVsRJRV1Q2Hs54BP S2ed5UKM+Vj1sug7FFAG42q8kWhIljB9AguueObVuew0qf63QqGidB0xzO9urRYi Oye6N9w3grNZ10MEJc3gsDpm7sZwNJEIh9ZL/xrd/OiYY0CFbTelhQ0yawSVwoO7 BEIw02Ui3cIFV82da4vv9vxFGcSb4f0UcQEROUuo2CXSu8uHZh408W6L3v+YhmKI prTYBGLQjBfjrJVAdnmqycaCAFS2/diSAcesTnEz4kIeYcJHhPE13r9Q/ntyvY9j 9Zuc9/qA24Z3h3L16YHd4Z8bHoNj//8q4u+w51udZiyHe5tb/GpK8g957fd16NA= =0WJy -----END PGP SIGNATURE----- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20170116223814.GH5268%40mail-itl. For more options, visit https://groups.google.com/d/optout.
