Jett and I discuss 1 year anniversary, Kim Dotcom failing to deliver K.im, Tesla accepting #Doge, surviving a bear market
Price: 1mBCH. Free in a week.
Contrary to popular belief, Trezor no longer has the oft-mentioned seed extraction vulnerability, which was discovered by Ledger and confirmed by Kraken. SatoshiLabs fixed it in mid 2021 (June for Model T in firmware version 2.4.0 and May for Model One in firmware version 1.10.0).
The seed phrase is encrypted before stored in Trezor. The encryption algorithm used is ChaCha20, which is known to be secure. Data encrypted with ChaCha20 is uncrackable if done right. ChaCha20, or any other secure encryption algorithm for that matter, can be breakable if the encryption key is too weak. It needs 128 bits of entropy to be absolutely unbreakable. With a weak key, decryption may be successfully performed in a bruteforce manner.
Trezor uses the PIN as the encryption key. Before mid 2021, the PIN was up to 9 digits. There is less than 30 bits of entropy in a 9-digit PIN. Because of the low entropy, the extracted encrypted data could be easily decrypted with bruteforce and the seed could be extracted.
For a PIN to be absolutely secure, namely it has 128 or more bits of entropy, it needs at least 39 digits. Trezor's firmwares released in mid 2021 increased the upper limit of the PIN length to 50. A randomly generated PIN of 39 or more digits can guarantee absolute security of the seed even if an adversary gains the physical access to the device and successfully performs the data extraction trick. The seed can no longer be extracted.
 |
Jerry Brito: Included in the America COMPETES Act just introduced in the House, and which will very likely pass in some form, is a provision that would be disastrous not just for bitcoin but for privacy and due process generally. The so-called "special measures" provision would essentially give the Treasury Secretary unchecked and unilateral power to ban exchanges and other financial institutions from engaging in cryptocurrency transactions. How would it do this? Bank Secrecy Act §5318A allows the Secretary to identify a "primary money laundering concern" and take "special measures" to (1) require financial institutions to report information on the concern, and/or (2) prohibit FIs from maintaining accounts related to the concern. "Special measures" authority is vast power that the Secretary of the Treasury has today, so in the current statute there are checks on that power. First, the law requires that Treasury engage in a public rulemaking before instituting a prohibition. Second, the secretary can impose a surveillance special measure through a simple order, but its duration is limited to 120 days and must be accompanied by a public rulemaking. While not full due process, these limitations at least alert the public and gives the public some opportunity to comment on a special measure's merit or constitutionality. The new provision would do three things: -Add "certain transmittal of funds" to the list of things that can be banned by the Secretary -Eliminate all public notice and comment requirements -Eliminate the 120-day limitation for measures imposed without regulation If adopted into law, this provision would be disaster not just for crypto but for privacy and democratic public process related to *all* types of financial transactions. It empowers the Secretary to prohibit any (or indeed all) cryptocurrency transactions (or any other kind of transaction) without any process, rulemaking, or limitation on the duration of the prohibition. This provision was first introduced as an amendment to the national Defense Authorization Act last year After alerting folks in the House and Senate of that amendment's unintended consequences, it was removed from the final bill that passed. Unfortunately it's back verbatim without any improvements. It still strips out *all* administrative process and duration limitations on the Secretary’s power to condition or prohibit transactions at financial institutions associated with primary money laundering concerns. It's time to call your member of Congress and ask that they take action to make sure that notice and comment and duration limitations are not removed from 31 U.S.C. § 5318A as the America COMPETES Act would do. [link] [comments] |
![[link]](https://i.redd.it/x0ce1i5x78e81.jpg){kind=link}
![[link]](https://i.redd.it/v7es0ejpq9e81.jpg){kind=link}
![[link]](https://i.redd.it/jshlw4doo2e81.jpg){kind=link}
