Tag: BitCoin

  • prevent or react

    At the beginning of this year, there was a very tragic event prominently present in all newspapers across Switzerland. The whole thing was so tragic, that I won’t add a link here. But there is one aspect, that kept me thinking for the last two weeks. Today’s blog post by Bruce Schneier triggered me to write about it. There was a family father who fed his family from selling smart phones on online auction sites without delivering anything. Apparently he did that for years. They couldn’t get hold of him because he moved house every couple of months. In contrast to places like Nigeria, I didn’t think this was even possible here in Switzerland.

    First of all, I don’t think that’s the profession he imagined for himself. Something must have gone terribly wrong long before. I think one has to be very desperate to become a professional cheater. Most measures our society has in place against such behaviour are reactive. Bad behaviour is punished, and the prospect of the punishment should keep the hesitant from misbehaving.

    In certain areas of commerce it’s easier. In a brick and mortar store, you get the goods and pay directly. If you take the goods and run out of the store, chances are somebody will follow or somebody will stop you. This kind of theft is also easier for the police to pursue. But there are other areas where you need to bring a certain trust. That’s for example if you order something online and pay upfront. If it is a big name store, you may know its reputation. If they wouldn’t deliver, you’d tell your friends. This in turn could influence the reputation of the shop. With sites like ebay that have more participants than any individual could keep track of, it doesn’t work as easily. That’s why they have reputation systems built in. There are certain ways how you could trick them. I have no idea how well that would work out, but the only way to prevent that would be to require for example a social security number instead of just an email address to register. Other countries issued electronic passports for a while which could be used for identification in such cases. Whether this is desired is another question.

    Ebay and ricardo do offer some sort of escrow service. But nobody seems to make use of it. Certainly not the victims of the above mentioned iphone scammer. Some may already know where I’m leading to. That’s an area where BitCoin can shine. With its built-in, easy (soon) to use multi-signature escrow system, certain types of fraud almost disappear overnight. If the system doesn’t allow cheating, there is no need for punishment after somebody was ripped off, or threats against such behaviour. So which is better, prevention or reaction paired with menace?

  • Paying online without a credit card

    I can still remember the times when travelling without a credit card could be really inconvenient. But since Maestro and Cirrus cards work around the globe, it’s fine without. The time where shopping on the internet without a credit card was inconvenient to impossible was not so long ago. In a recent post, I announced that I don’t plan to renew my credit card. So here are some hints on how to get by without. BitCoin is the tool of choice as it has so many advantages.

    On Christmas we usually play a game with the family of my wife. Everybody gets assigned a random person to make a gift. Beforehand we distribute our wish lists. My stuff is usually from online sites. The problem is, I’m the only one with a credit card in this circle. So what looks easy to me, might be difficult to order for the others. But the democratization of money, which BitCoin is about, is going to make online commerce a lot easier. Soon anybody with a computer or a phone will be allowed to participate.

    Businesses that directly accept BitCoin

    Even though there are thousands of businesses listed in the directories to accept BitCoin worldwide, only a few of them are in Switzerland. Most of them are in niche areas, selling goods that most people rarely need. And usually you search for goods rather than places where you can spend your money. Some of the American giants like dell, overstock, tigerdirect, newegg or adafruit deliver abroad at prohibitive costs, not at all, or only allow BitCoin payments for domestic clients. But sometimes you stumble across a site that accepts BitCoin by pure coincidence like for example nitrokey, spycoins or reelhouse.

    Movies

    Call me old school, but I don’t like subscriptions to watch movies. Yes NetFlix is a lot cheaper than the other options we have in Switzerland, but I just don’t like subscriptions that renew automatically, cost you when you don’t use it, and have notice periods when you want to terminate. Instead I want to select the movie I want to watch, and pay for it. Basta. Why is that so difficult? No wonder movies get pirated all the time. If it were so easy to pay for what you want, and the prices were reasonable, there would be no incentive to download movies from torrents or p2p. The music industry struggled for a while with the same problem. But nowadays you can download music at reasonable prices and it’s not even crippled with DRM anymore. When will the movie industry learn that making interesting offers is better than trying to break the internet? When I bought the movie “The rise and rise of BitCoin” on vimeo, I could pay with BitCoin and download the movie without DRM. The experience was so good, that I started exploring the video on demand section on vimeo. But when I wanted to buy the next movie, there was no BitCoin option, as with the previous one it ran through a voucher code. So I wanted to pay it with PayPal. But it kept failing and asking for a credit card. It just wouldn’t use my balance. It didn’t state it clearly, but somehow vimeo requested the address information associated with a credit card. Why that? Probably because of some area restriction which is almost as stupid as DRM itself. And this type of restriction clearly didn’t apply to the movie I was about to buy. Luckily somebody from “The flying Frenchies” told me that their video is also available from reelhouse. They natively support BitCoin. You can choose to rent and watch in the browser with flash, or buy and download DRM free. That’s exactly how it should be. I found my movie platform, and hope their selection will expand quickly.

    Amazon and buy by proxy with discount

    No, they still don’t accept BitCoin directly. But you can either buy gift cards from gyft.com or egifter.com, or even better let someone else place the order on your behalf and pay him in BitCoin. That is how purse.io and brawker work. Purse.io is exclusively geared towards amazon. You create a new wish list with amazon, configure your shipping address and populate it. Then you copy the URL of your wish list into purse and select your desired discount. People who want to buy your bitcoins make offers with differing discounts, usually in the range of 7%. You send your coins into escrow and select an offer. Once the goods are delivered, you release the coins from escrow and the buyer gets them. As it is geared towards amazon there are fewer variables, and thus it runs very smoothly. If your item is listed with amazon, but delivered by a 3rd party seller, purse might have problems processing. That’s when I tried brawker. Here you populate one or more edit fields with URLs containing direct links to the products you want. They can be on any site. That’s why you also see strange things listed. But the process is otherwise the same as with purse. One thing I noticed is that the escrow BitCoin address is actually a P2SH multisig address. But to release, I didn’t have to sign the transaction with my BitCoin refund address. Thus I don’t really know what this is about. Finally, I should mention snapcard and bitspend. They offered similar service where they executed the orders and charged in BitCoin. BitSpend closed long ago, and SnapCard changed their business model.

    Donations

    I used to do donations for Mozilla and SeaShepherd through SnapCard, but these days I do direct BitCoin donations only. And in fact many non profit organisations accept direct donations: Apache, Mozilla, LibreOffice, GnuPG (through the Wau Holland foundation), Electronic Frontier Foundation, digitale-nchhaltigkeit.ch, Wikipedia, Gliding Everest, Ebola fighters, Koptimism, BitCoinFoundation, to name just a few.

    Auctions

    There used to be an auction site that ran on BitCoin. It was called BitMit and was very cool. For some reason they closed a while ago. I don’t know of a good alternative at the moment, but there are better things to come. The most prominent being OpenBazaar. The great thing about it is that it’s not just another centralized service, but completely decentralized.

    Food

    In some areas you find lots of restaurants where you can pay with BitCoin. In Switzerland, I know only of Kafi Schoffel in Zürich. But this post is about the internet. You can order food for BitCoin on lieferservice.ch, which for sure has something in your area.

  • Fading out my credit card

    Once upon a time there was no internet. When you went to a restaurant, you had to pay in cash. If you had no cash with you, you might have been lucky if the owner knew you well enough to think you were credit worthy. But what if you were in another city? Then some clever people invented credit cards. What they essentially did was telling the store owner that the person whose name was on the card was trustworthy, and that the credit card company would vouch for that individual. Obviously, owning such a card was quite a privilege. The companies issuing these cards didn’t want to pay the bills for people who would not pay them back, so they looked closely who would get such a card. But sometimes it happened, that the people spent more than they could afford, or they ran off. It also happened that people bought goods with stolen cards. So they introduced the handwritten signature as a security measure. As the fraud became a regular occurrence, the credit card companies, rather than just fight it, started to accept it as an inevitable part of their business. They calculated like insurance companies, and figured out that they could effectively make more money if they lowered the bar to entry. The honest users would just pay the bill for the occasional crook through the higher fees.

    Then came the internet, and people wanted to buy stuff online. Because there was no appropriate payment mechanism, people just used what was available: credit cards. The combination of name, credit card number and expiration date was not sufficient against misuse. This information was on the front of the card, and every store owner where the card was used had the information. So they introduced a three digit number on the back of the card as a security measure. Criminals became cyber-criminals, and they liked this system very much. Now they could steal credit card numbers, and use them to buy stuff that somebody else would have to pay for. Credit card fraud became an even bigger issue. But the credit card companies don’t suffer from that as much as one would think. Customers can complain if something appears on their statement that they didn’t buy. The CC company then issues a chargeback, and demands the money back from the store. In essence, they charge fees for covering the risks, but don’t actually cover it themselves. For some retailers, those fraudulent chargebacks are a real issue.

    Then came the internet of money. It is called BitCoin. Just like the internet in 1994, a lot of people are confused, and don’t know what to do with it. Just like the internet liberated and democratized information, BitCoin does the same with finance. The internet didn’t just replace the fax machine, but opened a wealth of possibilities no one had even thought about. BitCoin already now offers a wealth of possibilities not imagined before. And the BitCoin 2.0 space shows even more applications for BlockChain technologies. But for the moment let’s focus on online payment. BitCoin doesn’t need any trusted third parties who could charge disproportionate fees, or could even steal or confiscate the wealth flowing through them. Transactions are final, so there are no fraudulent chargebacks. For scenarios where both parties don’t know each other and hence don’t necessarily trust each other, there’s an arbitration model already built in, in the form of MultiSig. The arbiter can be freely selected, unlike with PayPal, for example, which always favours the buyer.

    For me, the main difference between BitCoin and cash versus credit- and debit cards is this: Either I give the amount I determine, or I give the information to get from my account the amount they want. You surely saw people hand their open purse to the cashier in a store, so the cashier can take out enough money to pay for the goods. Most often these people are retarded, can not count or read the numbers. Why should we act as retards when we want to buy something online?

    Just this week, I read an article about a couple whose credit card was charged by a hotel with a $156 penalty for a bad review. Even if this is part of their terms, most people (myself included) perceive this as outright theft. Now guess what, with BitCoin they couldn’t steal from their customers at will.

    With all this in mind, and after reading about credit card breaches multiple times a week, I think the time is ripe for a change. For the last two years I have frequently asked if I can pay with BitCoin when I buy something online. That is mainly to build awareness, and voice against excuses such as from Amazon stating they didn’t see customer demand for BitCoin payments. I am ready to shift to the next gear. I want to get rid of my credit card in a year. But I won’t just cut it in half, and then regret it. Instead, I give my best to find and use alternatives, that at least involve BitCoin, if it is not direct. I don’t really like buying gift cards for myself, but I’m willing to go that route if I have to, at least temporarily.

    I received a new credit card last month, and my first passive step towards my goal was not to register it with every service where I used the old card. That includes Amazon, PayPal, SBB, SPOT, …

    The first order online after that was with dealextreme. I asked them about BitCoin payments before. In fact many people did, and I had the feeling they started warming up last year. But after the Chinese government crackdown, they said they couldn’t do it. They accept PayPal however, and since I no longer have my card registered, I wired the money to a PayPal account at a Swiss bank in advance. It’s certainly a hit in convenience, but it’s more secure still.

    Then I found out that Amazon doesn’t accept PayPal, but only credit cards. That’s strange, so far, I just assumed they would. So I will have to send some BitCoin to gyft.com or egifter.com when I want to order something from Amazon the next time. I don’t really like this, but well… Ah, there are also services like purse.io where you can submit your amazon wishlist and some BitCoin. Another user who wants to buy BitCoin can then order the items from Amazon and send it to you. This option looks better to me. I’ll try it for sure.

    I’m not a big fan of the security I see with PayPal either. On this blog I ranted about password based security many times. Unlike with the credit card, at least I can change the security element (the password in this case), if I suspect somebody could have sneaked it. Somewhere I thought I read something about two factor authentication with PayPal, but when I looked for it, I couldn’t find anything.

    Not everything in this post is historically researched. Rather I just tried to outline how the different systems work, and how they became how they are.

    Update:

    Here is another story worth reading.

  • MultiSig with HardwareWallets

    2014 is touted as the year of multi-signature for BitCoin. It is being integrated into some wallets and services. But not quite the way I expected.

    • Electrum has an implementation that assumes multiple hierarchical deterministic wallets distributed over different machines, that know the other’s master private keys. -> This should work well for corporate environments or other organizations.
    • GreenAddress has a cool, but for my taste too obscure solution. I would recommend it for new users. But for myself, I want to be fully in control.
    • OpenBazaar, although not fully functional yet, will integrate arbitration with multi-sig.
    • and I hear more announcements almost on a daily basis…

    When I first read into MultiSig, I understood it like I could combine any Bitcoin Addresses of my choosing to create a MultiSig address. If one of the involved addresses was in my wallet, it would automatically display the MultiSig address as well. And I could then partially sign a transaction with the GUI, and magically forward to the other signing parties. Turns out that is not quite how it works. To combine addresses of my choosing into a MultiSig address, I have to resort to the commandline. There are a couple of good tutorials on the net on how to do that, and also on how to spend. But it’s not like executing a few simple commands. It’s quite hardcore. There are wallets where you can add them as view only addresses, but I’m not aware of a wallet where you can partly sign a transaction in such a setting.

    MultiSig brings us escrow services and a load of similar stuff that was not even imaginable before the rise of BitCoin. MultiSig is also good if you want to implement a setting where at least two of your accountants need to sign transaction in a corporate environment. What this adds is security. You surely saw movies where a few generals had to use their physical keys to launch missiles. That’s done to add security. So that the terrorists would have to steal the keys from more than one general, before they could launch a missile. The same works for bank vaults. And the same idea is behind BitCoin MultiSig, only that it goes much further.

    MultiSig is just one facet of pay to script (P2SH). You can implement other rules than just MultiSig. I became only recently aware of that, when GreenAddress gave me a transaction that I could use to get my funds off the MultiSig wallet in case they went out of business. What that means, is that if too many parties lose their keys, funds on a MultiSig address are rendered inaccessible. As a measure against that, they created and signed a transaction with their key to transfer all funds, but with a time restriction. This transaction will only become valid after a certain configurable point in time. BitCoin has a stack based scripting language for expressing such rules. For my taste it’s very complicated at first sight, but it’s cool what you can do with it. That’s actually, where ethereum’s main focus is to improve. That’s all good and nice, but wasn’t it possible to program rules for a long time? Of course, but with BitCoin nobody can cheat, and you have to trust nobody. You cannot just change the system time on your computer, or buy a fake certificate to trick a system into using your timestamp server. BitCoin has a distributed consensus, that is very hard to come by.
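
    The time restriction on such a pre-signed recovery transaction can be checked before relying on it. The following is an added example, not code from the original post or from GreenAddress: it parses a legacy (pre-SegWit) raw transaction and applies the lock-time finality rule that Bitcoin nodes use. The function names are this example's own, and the sample transaction is constructed with dummy inputs.

```python
import struct

LOCKTIME_THRESHOLD = 500_000_000  # below: block height; at or above: Unix time
SEQUENCE_FINAL = 0xFFFFFFFF       # an input with this sequence opts out of lock time


def read_varint(buf, pos):
    """Decode Bitcoin's CompactSize integer; return (value, new_pos)."""
    first = buf[pos]
    if first < 0xFD:
        return first, pos + 1
    size = {0xFD: 2, 0xFE: 4, 0xFF: 8}[first]
    return int.from_bytes(buf[pos + 1:pos + 1 + size], "little"), pos + 1 + size


def parse_tx(raw):
    """Return (input_sequences, locktime) of a legacy-serialized transaction."""
    try:
        pos = 4                                   # skip the 4-byte version
        n_in, pos = read_varint(raw, pos)
        if n_in == 0:                             # 0x00 here is the SegWit marker
            raise ValueError("SegWit serialization is not handled here")
        sequences = []
        for _ in range(n_in):
            pos += 36                             # previous txid + output index
            script_len, pos = read_varint(raw, pos)
            pos += script_len                     # scriptSig (signatures live here)
            sequences.append(int.from_bytes(raw[pos:pos + 4], "little"))
            pos += 4
        n_out, pos = read_varint(raw, pos)
        for _ in range(n_out):
            pos += 8                              # amount in satoshi
            script_len, pos = read_varint(raw, pos)
            pos += script_len                     # scriptPubKey
    except IndexError:
        raise ValueError("truncated transaction") from None
    if pos + 4 != len(raw):
        raise ValueError("truncated transaction or trailing data")
    return sequences, int.from_bytes(raw[pos:], "little")


def lock_status(raw, next_height, block_time):
    """Apply the finality rule; return (spendable_now, reason).

    next_height is the height of the block that would include the transaction,
    block_time the Unix time nodes compare against.
    """
    sequences, locktime = parse_tx(raw)
    if locktime == 0:
        return True, "no lock time set"
    by_height = locktime < LOCKTIME_THRESHOLD
    if locktime < (next_height if by_height else block_time):
        return True, "lock time has passed"
    if all(seq == SEQUENCE_FINAL for seq in sequences):
        # The lock time is only enforced if at least one input is non-final.
        return True, "lock time ignored: every input sequence is final"
    unit = "block height" if by_height else "Unix time"
    return False, f"locked until {unit} {locktime}"


def build_sample_tx(sequences, locktime):
    """Serialize a constructed, unsigned transaction with dummy previous outputs."""
    tx = struct.pack("<I", 1) + bytes([len(sequences)])   # counts < 0xfd fit one byte
    for index, seq in enumerate(sequences):
        tx += bytes(32) + struct.pack("<I", index) + b"\x00" + struct.pack("<I", seq)
    script = bytes.fromhex("a914") + bytes(20) + b"\x87"  # P2SH template, zeroed hash
    tx += b"\x01" + struct.pack("<Q", 50_000) + bytes([len(script)]) + script
    return tx + struct.pack("<I", locktime)


if __name__ == "__main__":
    recovery = build_sample_tx([0], 330_000)              # constructed sample
    print(lock_status(recovery, next_height=320_000, block_time=1_400_000_000))
    print(lock_status(recovery, next_height=330_001, block_time=1_400_000_000))
    unenforced = build_sample_tx([SEQUENCE_FINAL], 330_000)
    print(lock_status(unenforced, next_height=320_000, block_time=1_400_000_000))
```

    The third case is the one worth checking for: a lock time paired with all-final input sequences restricts nothing, so the transaction is valid immediately.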

    So in essence, MultiSig is about increasing the security. This is mainly against malware that can infect your notebook and steal the files of your wallet software. There is also another cure against the same threat: HardwareWallets. I wrote about the Trezor and HW1 on my blog before. Now how about combining the two measures? That should raise the level of security up to a point equivalent to storing your gold and silver and diamonds inside a bunker in the Swiss mountains, and guard it with a Russian tank, driven by a rogue artificial intelligence. But I can tell you upfront: just like that rogue AI, it’s not going to be user friendly. While user friendliness and security are often opposing, this is an extreme case. After reading this, don’t be tempted to think BitCoin was difficult to use. BitCoin is wonderful and easy – for normal use.

    So let’s begin with the commandline fu. I won’t repeat every step from the gist from atweiden, but concentrate on the special parts:

    You don’t need to create any wallets. I assume, the hardware wallets are initialized and ready to use.

  • electrum server on a cubox

    I don’t even remember if there were alternative wallets available when I started with BitCoin. I used the reference implementation exclusively for a long time. Now there is a wide variety to choose from. They fall in three main categories: full node, light client and web wallets. They are nicely listed and explained at bitcoin.org

    full node

    Every hardcore bitcoin enthusiast should run at least one full node. That’s how the system was envisioned. It expresses the peer to peer nature. A full node maintains the complete history, and can verify transactions. It has lots of connections to other nodes, and helps propagate the transactions and blocks through the peer to peer network. The downside is that the size of the blockchain has grown so large as to make it impractical, especially for mobile devices.

    light client

    Most mobile wallets fall into this category, as well as my favorite: electrum. The main reasons why I prefer electrum are that it has been in the apt repository for a while, and it has good support for hardware wallets. Light clients communicate with servers that in addition to the blockchain of the full node also maintain an additional database. This is required to serve requests for addresses, that the full node doesn’t have in its wallet. The client is responsible for managing the keys, and thus signs the transactions locally before distributing them.

    web wallets

    This is mainly for new users that don’t know how to secure their private keys.

    electrum server

    The main downside of light clients compared to full nodes is that there is a layer between your light client and the peer to peer network. You depend on these servers to be available. The server you connect to, could connect your BitCoin addresses to your IP address. They theoretically could also selectively filter transactions. But what they have no way of doing, is steal from you. As I understand it, electrum talks to multiple servers not only to protect your privacy, but for various reasons. There are about 7’000 publicly reachable full nodes, but only about 20 electrum servers. To protect your privacy, you can run your own electrum server in your basement. That’s what I do, but it’s more to support the system than out of paranoia. There is a strong incentive to mine BitCoin, but the incentive for running a full node or an electrum server is not monetary. Still I think it is very important to have many of these around.

    I had a cubox small quad core arm box around that already ran a BitCoin full node and p2pool as well as some smaller stuff. It had some more capacity, but I didn’t know if it was enough to run electrum server. As it is not really apt-get installable, I didn’t want it on my main server. Electrum server uses a leveldb to keep track of all the information that it needs in addition to bitcoind. At the moment this database has about 11GB. Building it from scratch can take a long time, so they advise to download it from the foundry, and grow it from there. It didn’t work out initially, so I tried to build it from scratch. After computing for a week it slowed down too much at the blocks of mid 2012. So I downloaded from the foundry again, and this time it worked. For about two weeks I tested it in private. Then I had to enable IRC to make it public. You find the public servers in the #electrum IRC channel, they start with E_. My electrum server is probably one of the slower ones. The cubox is a cool device, but not a typical server. It has performance comparable to a smartphone. Sometimes it lags a few blocks, but in general it keeps up quite well. I can see hundreds of clients connect to it.

  • HW1 tiny BitCoin hardware wallet

    While the trezor is certainly a great device for securing BitCoins, I’m also interested in alternative hardware wallets. Even in my very first discussions about increasing the security of BitCoin we talked about SmartCard solutions. After all, that’s also how I secure my GPG keys. But a regular SmartCard alone only protects the keys. If the computer is malware infected, it could sign another transaction than the one you initiated, and thus spend all your coins at once. The trezor solves this problem nicely with displaying the transaction details on the screen, waiting for a button press to confirm. Then came the HW1, a tiny BitCoin hardware wallet, based on smartcard technology with some extras. Since it has no display nor buttons, I was ready to get somewhat reduced security compared to the trezor. But in fact they are also very clever, and it turns out the security is just as high at the cost of a bit of convenience. But as I understand it, that level is configurable. I just opted for the more secure option.

    So, if I want to spend some Coins from my HW1, I plug the dongle which is smaller than a regular key on my keychain into a USB port on my computer. Then I start up electrum, and send the coins. Now the HW1 has to sign the transaction. It asks me to remove the dongle and plug it into another computer, that is preferably not connected to the internet. If I don’t have too much funds on this wallet, I can also plug it into the same one again. A text editor should be opened beforehand, and it should have focus. The dongle then acts as a keyboard, typing the transaction details along with a TAN code to validate the transaction. Next I remove the HW1 again, and plug it into the former computer. I type the TAN code, HW1 signs the transaction, and electrum distributes it to the BitCoin network. That’s it: simple and secure.

    Just as electrum itself and trezor, the HW1 uses a deterministic hierarchical wallet. To be sure I can trust the device and the method in general, it was not enough for me to test that I can spend from it. I wanted to also be sure I keep my coins in case the device gets damaged or lost. That means I have to be able to restore it from a seed. The seed is generated when I first initialize the dongle. And like the TAN code it is printed out in HID keyboard mode. If you have it print it on a machine that could be compromised, there would be no point in using a hardware wallet in the first place. So have it print the seed to an air-gapped secure computer. If you already initialized your HW1, you can’t restore another seed onto it, unless you reset it first. I couldn’t find any documentation on how to reset it though. A developer told me to enter a wrong PIN three times to reset it. After that, don’t choose restore, but initialize. In the BTChip personalization manager that follows, you choose restore. I did this on a machine where I removed the harddisk, and booted from a fresh USB stick. Getting electrum usable with all the required plugins and libraries was the most work. Before typing in the seed, unplug the network cable and disable WiFi. After the seed was typed in, and the dongle restored, I issued “sudo dd if=/dev/random of=/dev/sda” and waited for the kernel to go belly up. That’s for making sure no sensitive information remained on the USB dongle. Don’t do this on your regular computer.

    In conclusion, I can say that:

    1. The security is just as high as with the trezor, if you let it type the TAN on a computer that is temporarily offline. But the convenience obviously suffers.
    2. If you only use it to store medium value funds, you can have it type on the same device, at reduced security. In that setting the convenience is about the same as with the trezor.
    3. Where the biggest difference lies for me, is restoring the device from a seed. Preparing a fully equipped air-gapped computer to securely restore the dongle from a seed proved to be quite some work. While with the trezor, you don’t need an additional computer. Luckily that’s a task that is required infrequently.

    While the experience with the trezor was smooth from the beginning, I tested a lot with the HW1 to gain confidence with it. I found some minor bugs. I had the computer freeze a couple of times. I saw lots of messages about dongles not found. I had to reconnect and start over many many times. Some things were not documented or not obvious. All these problems became lesser the more I tested it. I can only explain it that way that I grew a sense for the correct timings and steps required. In the meantime I use it without problems, but I have the feeling that it is not as robust as the trezor. It will work in the end, but you might have to try a few times before it does.

    I packaged the python library that is needed for the plugin for ubuntu. Once all parts and dependent libraries are out of beta, I will also try to get it into debian. On ubuntu, you can install it like this:

    sudo apt-add-repository ppa:richi-paraeasy/bitcoin
    sudo apt-get update
    sudo apt-get install python-btchip

    Ah yes, and there’s the price difference. A trezor costs $119 while a HW1 is just $20. At the moment they have a 2 for 1 offer, so go hurry.

  • What could go wrong when ordering pizza?

    For some months now it was possible to order pizza for BitCoin in our area. I wanted to give it a try since it was announced. But only last Thursday, I proposed to my coworkers to order pizza. And that I would pay with BitCoin. It was meant as a demonstration how cool the virtual currency is, and that it is actually useful in the real world. I was going to take pictures and blog about it. After all, a pizza deal was the first real use and most famous BitCoin transaction in history.

    So I placed the order with lieferservice.ch for pizza’s from Angolo, where we used to go for lunch before. The website was really cool, we could order extra ingredients on top of the regular pizza. Payment was a breeze, as always with BitCoin. It was 11:25 when I placed the order, and I picked 12:30 for the delivery. The email confirmation from lieferservice.ch followed immediately. But when we all grew more and more hungry, I tried to call Angolo at 12:45 to ask where our food was. Nobody answered the phone. I tried again, and again, and again. Nothing, not even an answering machine. After 13:00 we decided we would drive to Angolo with the confirmation email, and eat our pizza in the restaurant. When we arrived, it was closed for holiday.

    This is clearly not how this is supposed to work. The guy from lieferservice apologized, and told me their contractors are meant to tell them when they change opening hours. He couldn’t refund me in BitCoin, and asked for my IBAN instead. One of my colleagues was so pissed off, he said he wouldn’t go to Angolo ever again.

  • The Rise and Rise of BitCoin

    As part of the Zürich Film Festival last week, they presented “The Rise and Rise of Bitcoin“. I couldn’t make it to one of the screenings where the director and the main actor were present. The room was fully booked, which I noticed with delight. I didn’t learn too much from the film on the technical side, as I’ve been involved with the topic for some years. But it was interesting to get to know some of the famous players a bit better. The movie was not very technical, and that’s on purpose. It does a great job in explaining BitCoin to the average people, and maybe get them interested in the future of money.

    To test my knowledge in the area of BitCoin and crypto currencies in general, I recently took the test for “Certified BitCoin Professional“. While most of the questions are not that hard if you’ve been involved in BitCoin for some time, the time to answer is limited. You have to answer 75 questions in 20 minutes. So I forced myself into flow mode and gave the answers swiftly. After 16 minutes I hit submit on the last one, and was presented with “73 correct out of 75”. They won’t tell which ones were not correct, nor do they specify how many you need to get the certificate. Only the fee stops you from trying it over and over again. I’d be interested in your scores.

  • Trezor BitCoin HardwareWallet

    Today I received my Trezor BitCoin HardwareWallet. When I ordered it in June 2013, the expected delivery date was October. But as it happens all that often with BitCoin related hardware, the dates get pushed back. They offered a device with plastic case for XBT 1 and one with an alloy case for XBT 3. After the Bitcoin price skyrocketed end of last year, they stopped taking pre-orders. The devices we early backers received have a nice “First Edition” label at the back.

    The trezor is the first hardware wallet for BitCoin that is mass produced. It has a small screen, two buttons and a microUSB connector. So it is actually a lot more secure than if you just stored the private key on a SmartCard, as could be done with a HW1 or a YubiKey NEO if the software was finally released. You can see the balances on the different addresses in the client on the computer. When you want to send some coins, you see the receiving address and the amount on the small screen of the trezor. Once you confirm using two button presses, the trezor signs the transaction, and the client on the computer propagates it to the BitCoin network.

    Build quality and form factor look quite nice. It is actually a bit smaller than I expected, which is a good thing. Fifteen Swiss Francs in Coins would require about the same space. I guess it helps in that regard that it doesn’t require a battery, but is powered from USB.

    The first thing I did was setting it up with the browser plugin from https://mytrezor.com. It’s an easy process where you have to write down the seed which consists of 24 words. Then I sent a small amount back and forth. Only after seeing this succeed, I transferred bigger amounts to the addresses of the device.
    Then I wanted to test the electrum plugin that slush recently noted would be merged soon. I found it in a pull request on github. It didn’t work initially, but several people were quick to help. After all issues were sorted out, also sending with the trezor from electrum works fine.

    It wouldn’t be a security device if it worked without entering some kind of secret. Entering the secret on the computer would make it less secure, as some malicious software could record it. Entering it on the device with only two buttons would be cumbersome, as not that many people these days are fluent in Morse code. So, I was curious, how they solved that problem. The solution they came up with is actually quite nice. They display a 3×3 grid of buttons with question marks on the computer, while the trezor shows a 3×3 grid with digits 1 to 9 in random positions. That way, you enter your pin on the computer using a mouse or touch screen, using the positions found on the trezor screen. Even after playing with the trezor for only some hours, it’s evident that a lot of thought went into it.
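The scrambled PIN grid described above, as a small simulation added here for illustration; it is not Trezor firmware or its wire protocol, and all function names are hypothetical. It shows what the computer gets to see (grid positions only) and how much a recording of those positions narrows down the PIN.

```python
import math
import secrets

DIGITS = "123456789"

def new_layout():
    """Device side: place digits 1-9 at random on the 3x3 grid (row-major list)."""
    layout = list(DIGITS)
    secrets.SystemRandom().shuffle(layout)
    return layout

def host_clicks(pin, layout):
    """User side: click the grid positions where the device shows each PIN digit.
    The host only ever learns these positions (0-8), never the digits."""
    return [layout.index(d) for d in pin]

def device_decode(clicks, layout):
    """Device side: turn clicked positions back into digits using its own layout."""
    return "".join(layout[p] for p in clicks)

def consistent_pins(clicks):
    """How many PINs fit one recorded click sequence when the layout is unknown.
    Distinct positions must map to distinct digits, so repeats shrink the count."""
    return math.perm(len(DIGITS), len(set(clicks)))

if __name__ == "__main__":
    layout = new_layout()            # shown only on the device screen
    pin = "1379"                     # constructed sample PIN
    clicks = host_clicks(pin, layout)
    print("host sees positions:", clicks)
    print("device decodes:", device_decode(clicks, layout))
    # A recording replayed against the next, fresh layout almost always
    # decodes to a different PIN.
    print("replayed on new layout:", device_decode(clicks, new_layout()))
    print("PINs matching the recording:", consistent_pins(clicks))
    print("same for a PIN like 1111:", consistent_pins([4, 4, 4, 4]))
```

The recorded positions do reveal which PIN digits repeat, so a PIN with four different digits leaves 3024 candidates while a single repeated digit leaves only 9.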

    I wonder what will happen next in that space.
    I was not fully convinced by the HardBit. Indeed it turned out, somebody found out how to activate WiFi and Bluetooth of the repurposed SmartPhone. That makes it way less secure. The developers seem eager and friendly, but it might be just not the most secure platform to begin with.
    Recently I backed an interesting project called PRISMicide on Indiegogo, but with only 8% funding after half the time, it looks as if they won’t make it.
    The picture and description of the BitSave from ButterflyLabs look really slick. But they have a history of overpromising and delivering late.
    And finally, I’m sure SatoshiLabs, the creators of trezor, will work on a follow up device that is even smaller and communicates with SmartPhones.

  • sweet dreams

    For my last army service, I was ordered to Eschenbach SG near Rapperswil to help in an arsenal. It’s actually a long story, how it came to that. Compared to a regular service, it was very much relaxed. I could go home every night, which is quite nice, especially if you have a young family. So, every morning when I walked from the train station to the arsenal, I passed a carpenter which had a gorgeous beam bed on display. The beams had cracks, and looked really old, but perfectly restored. It didn’t have a price tag, so I assumed it was expensive. And I was not in need of a new bed anyway, so I just remembered it, for when I would need one. That was three and a half years ago.

    Our bed recently broke. No, it’s not because I grew so fat. People say, that the mattress and the slatted frame should be replaced after ten years. So it was almost in time. And now I remembered the bed frame from Eschenbach. They did not respond to my eMail, so I had a look around other stores and websites. I found out that these beam beds with cracks are trendy, and that they are mostly made of swamp oak. Finally I found what I was looking for at Möbel Riesen in Brunnen.

    They didn’t accept BitCoin directly, so I had to convert the funds first. At the time, the exchange rate on MtGox was a steady ten percent higher than with other exchanges. This was quite tempting, even though most people suspected liquidity problems behind the long delays since last summer. So I split the risk, and traded half through BitStamp, and the other half through MtGox. BitStamp was quick and reliable as always, while I still wait for the money from MtGox. Meanwhile MtGox filed for bankruptcy, and I might have to write that money off.

    The bed frame arrived earlier than expected, while we had some trouble getting the mattresses and slatted frames in time. So we had to sleep in a funny arrangement for a few days. But now finally, everything is in place. The beams are actually quite heavy, adding up to about 250kg.

    As I work in the development of the PointLine CAD, naturally, I was interested in a CAD drawing for the bed frame. The guy from Sprenger Möbel was very friendly, and sent me a jpg, telling me there are no CAD files, as he draws everything by hand.