S4 E8: Slush on Trezor Hardware Wallets and Security Innovation

Here are two reasons why Slush is a pioneer: his documented involvement in Bitcoin dates back to 2010 when he launched the world’s first BTC mining pool, and he also co-founded Satoshi Labs – that company that developed the first hardware wallet prototype in 2012 and brought Trezor to the masses just a year later.

He wears the badge of honor of having made Satoshi Nakamoto himself respond to his groundbreaking approach to mining, and the industrialization of BTC mining (which deems Satoshi’s “one-CPU-one-vote” idea obsolete) is also owed to his contributions.

In this episode, Slush talks about his sustained efforts to deliver greater Bitcoin security with Trezor. Throughout the interview, the Czech bitcoiner explains why he believes that physical security is an illusion, and makes the case for strong encryption software (passphrase, Shamir Backup) as an alternative to the hardware limitations.

Also, Slush expresses his opinions on Trezor’s main competitors by highlighting a positive part before presenting his criticism. The companies involved in this discussion include Ledger, Coldcard, BitBox, and KeepKey.

Listen to the episode on iTunes & Spotify!

If you’re privacy-cautious and haven’t signed up to iTunes or Spotify, then feel free to use this YouTube video.

Enjoyed the episode? Spread the knowledge!

Time Stamps:

4:03 – Introduction

5:00 – How did Slush come up with the idea of creating a hardware wallet?

6:30 – Meeting Satoshi Labs & Trezor Co-Founder Stick

8:50 – Why the Trezor was designed in line with the Bitcoin philosophy so you can build your own and verify its code

10:30 – Peter Todd and Lazy Ninja liked the Trezor the most

12:25 – Why should bitcoiners use a hardware wallet?

13:00 – Satoshi Labs advised Crypto Steel

14:00 – When you need to do cryptographic operations that are enabled by hardware wallets

15:39 – Why should newcomers buy Trezor hardware wallets?

21:15 – Hardware is broken and lagging behind software

27:10 – The pros of Ledger

27:40 – The issues of Ledger

28:37 – The pros and cons of KeepKey

29:25 – The Coldcard wallet design & why it’s selling snake oil 

30:40 – What can’t be verified about the Coldcard? 

33:23 – Is physical security a marketing trap?

35:56 – What’s to like about the BitBox?

37:30 – What are the tradeoffs of the Trezor?

38:23 – Shamir Backup

45:10 – SLIP doesn’t stand for Stephan Livera Podcast

46:48 – Software before hardware

48:01 – Why is the Trezor so expensive if it’s so basic?

48:55 – Other companies taking Trezor’s open source software to create cheaper hardware wallet clones

54:12 – Is there demand for the BTC-only firmware?

55:33 – Multisig on the Trezor

1:00:39 – Who should use a multisig setup?

1:02:30 – When should you get a hardware wallet?

1:09:10 – Local software application for Trezor

1:12:00 – Running your Trezor with Electrum or Wasabi 

1:13:05 – Does Trezor collect any user data?

1:16:30 – Trezor doesn’t know who you are

1:18:23 – What are Trezor’s future plans?

Special thanks to LXMI and Phemex for sponsoring this episode!


“LXMI is a European Cryptocurrency exchange whose name is inspired by Lakshmi, the Hindu Goddess of Wealth, Good Fortune and Prosperity. It’s one of the regulated and legal Cryptocurrency exchange.

On LXMI you can buy bitcoins with most fiat currencies and you can also do the trading for top Altcoins. 

They follow the “Not your keys not your bitcoins” philosophy with their integrated non-custodial wallet which helps you manage your own private keys. So if you’re into trading, then you don’t have to worry about having your Crypto frozen by whatever political decisions, since you’re empowered to hold and move your coins around whenever you wish. 

It’s great to have new players like LXMI that respect your financial sovereignty.

LXMI is launching in 2020 for more information please check out – www.LXMI.IO/

If you’re not trading, it’s recommended to move your coins to a hardware wallet or some other form of cold storage, and in this episode, you’re about to find why.

Please keep in mind that this is just an ad for a sponsor of this show. It’s not meant to serve as financial advice, and you’re responsible to do your own research before buying anything and act according to your own decisions. Embrace your financial sovereignty with agency and precaution.

Phemex Ad:

“Phemex is a Bitcoin exchange with derivative trading options which focuses on speed, robustness, and maximum uptime. Built by former Morgan Stanley executives, it manages o bring simple and accessible Bitcoin trading. In 2020, Phemex will also add S&P 500 stocks, stock indexes, FOREX, commodities, and more. 

Sign up today at phemex.com/bonus and receive a bonus of up to $72.

Please keep in mind that this is just an ad for a sponsor of this show. It’s not meant to serve as financial advice, and you’re responsible to do your own research before buying anything and act according to your own decisions. Embrace your financial sovereignty with agency and precaution.”

Full Transcript:

Vlad Costea (00:00:11):

Hi there and welcome to Season 4 Episode 8 of the Bitcoin Takeover Podcast. I am Vlad and it’s very hard for me to contain my excitement, but my guest today is Slush, who is responsible for creating the world’s first mining pool for Bitcoin back in 2010, and also he’s a co-founder of SatoshiLabs, which is responsible for developing the Trezor hardware wallet. And it is because of his efforts in this field that we nowadays have this whole industry of private key security and hardware wallets and all these feuds between companies and that all started from him and his ideas. So thank you very much for your efforts, sir. And welcome to the Bitcoin Takeover Podcast.

Slush (00:04:52):

Hello Vlad. Thank you for introducing me and for inviting me to your podcast.

Vlad Costea (00:04:59):

It’s an honor. So before I proceed with the questions that I sent you via email—and that was standard procedure for all of the guests this season—let me just ask you, how did you first come up with the idea of creating the hardware wallet?

Slush (00:05:19):

Yeah. When I started with Bitcoin in 2010 I spoke to many people who was also considering getting into the Bitcoin and analyze it. It’s harder and harder to explain—for them—how to do proper security setup because most of the people connect to Windows or they are not tech savvy at all. And I found out that the Bitcoin is not ready for mainstream because it’s too technical to do this properly. So I am thinking how to solve this issue and bring some solution—not necessarily the hardware—but some solution which could solve this and give these people easy way for managing the lifecycle of managing private keys—so-called Bitcoins. So we are thinking about this with Stick (@pavolrusnak), we met already in one Bitcoin meet-up here in Prague, and we are thinking that some hardware device like we know it now, but we really didn’t want to start hardware startup because it’s just too hard to do hardware properly. So we were waiting, if somebody else will come with something like this, and in 2011 there was I think the first conference in Prague. It was 2011 Bitcoin conference and there was some guy talking about the hardware Blackberry I think on Arduino or something like this. And we were like, Okay, so he’s going to do this—we are not interested anymore. And actually one year later we met again and we both realize that his project failed—he isn’t going to make this happen. So we were like, Okay, let’s do it. We took some points, like we decided to use HD like BIP32 wallets instead of importing separate private keys and so on, which was the best standard BIP in these days. And long story short, we are here with some product which created a whole industry.

Vlad Costea (00:08:24):

Yeah. And that’s very admirable. What’s interesting about the Trezor in itself is that it uses very common parts that you can outsource by yourself. If you find yourself in a country that cannot receive shipments from outside and you just want to create a hardware wallet for yourself, you can just build it from common parts that you find in electronic stores or various places where you find chips, right?

Slush (00:08:54):

When we were thinking about the Trezor design, we were considering all the options like general MCUs, secure elements, and so on. Our idea or our mission was to bring some solutions which are really in line with the Bitcoin philosophy, which is built on open source and auditable codebase. No gatekeepers. You know, Satoshi pulled himself out of the project, eventually. So this is our really strong thesis, really strong philosophical motives, and we wanted to be as close to these motives as possible. So we end up with the parts which are not bound with any secure element agreements and so on. And yes, you can buy your own parts and put your own Trezor together and audit all the code from our GitHub and then run it on your device and you are completely independent to us.

Vlad Costea (00:10:12):

Yeah, that’s really admirable. And before I move on and ask you the questions that I sent you—and there’s 10 of them—I just want to make a remark that’s based on my experience doing this Season 4 podcast that has been entirely about hardware wallets and cold storage. And I have spoken to Peter Todd and also LazyNinja, who is a guy who attacks hardware wallets, and they both said that if they were to choose just one hardware wallet to use then it would be Trezor because it’s the most transparent, it has been around for the longest time, and it has been the most tried and tested all these years.

Slush (00:10:57):

Yeah, that’s great to hear. I also know that Peter Todd is not using hardware wallets and it makes complete sense for a person like him because he knows so much about the security and about his threat model and about the programming and so on. Maybe he can secure himself even without consumer products like hardware wallets. I completely get it. And as I told just before, the aim is basically to pack all this knowledge, all this security into the device which can be used by people without all these skills. Still there is a long mission of educating the users how to do this properly. Like all the phishing techniques and so on. They are mostly nontechnical issues, they are why people have to understand how Bitcoin works. And they still need to know what’s the private key and what’s the recovery seed and that they shouldn’t write down the recovery seed into Messenger and send it to anybody. There’s still so many things to do, but at least there are hardware wallets which can make it much easier even for the masses, for everybody.

Vlad Costea (00:12:24):

Yeah. So this leads me to my next question, which is why should Bitcoiners use a hardware wallet and not resort to something like cold storage on a paper wallet or a steel plate or a brain wallet or something?

Slush (00:12:40):

Yeah. I think paper wallets and things like Coldcards are a great thing, but they don’t solve the whole lifecycle of the product or of the private key. Like, SatoshiLabs, or Trezor, assisted and gave feedback to CryptoSteel, how to design the steel backup for the recovery seed but still it’s just a device for preserving the recovery seed. But the lifecycle of the recovery seed is much more complex. At first you need to create the recovery seed in this safe place in [inaudible] that way the entropy is not broken. It’s actually a really hard thing and there are even issues with some Android phones and with some desktop computers which had broken hardware random number generator. So even this part may be tricky and even if you have a paper wallet or you created your CryptoSteel with that, at some point of time you will want to spend these Bitcoins.

New Speaker (00:14:10):

And this is also really tricky, because you can be safe all the time, but once you need to sign a transaction or even discover the UTXO from the blockchain which are yours, you need to do cryptographic operations and you are likely going to do them in your head. So the hardware wallet itself, complete lifecycle of private key and also the hardware wallet itself is designed in the way that it has as much a small an attack vector as possible. Like the codebase is open source, so it’s auditable. It’s actually pretty short. It’s really possible for a single researcher or a single guy to read through all the source code and verify that it does exactly what it should, which is quite popular. We have so many contributors and external security researchers doing this and helping us to make the code stronger and remove all potential doors for any attackers and so on. So the hardware, what makes all of this, are the users.

Vlad Costea (00:15:38):

All right. So let’s say that I just got into Bitcoin because I saw the price increase and I think that this is the future of money or something. And I want to buy a hardware wallet to secure the $500 of Bitcoin that I just bought. And why should that device be a Trezor and what makes it special compared to the competition? Because if you go on Twitter right now, it gets very confusing for newcomers.

Slush (00:16:05):

Yeah. I think it’s pretty easy, but even for me, it took me quite a long time to realize—how to say this in an easy way? For me the main difference between Trezor and basically any other hardware wallet is the parts which we are using. And actually, using secure elements—I will answer this later—is so tempting, because you can just buy some chip which manufacturers tell you is secure. You put it into your hardware and tell to your customers, Okay, we use secure elements so our solution is secure. So you can rely on it with your security. And that’s basically what people want when they are finding out the proper solution. But there’s so many things in the middle of lines and it’s necessary to understand better how all the chip industry works.

New Speaker (00:17:29):

And what I want to say, all the difference is called NDA. NDA means nondisclosure agreement. And this is some sort of contract in between the chip manufacturer and the company using these chips in their product. And the main difference is that Trezor doesn’t use any parts which use any NDA-covered chips. You can have full data sheets. You can buy these chips freely and also the most important part, you are not, you are not to bound with the manufacturer in any way that you can’t tell about what you know about the security of the given chip.

New Speaker (00:18:29):

So when I explain this from another side, if I build, if a solution with an NDA-protected chip, close agreements with the manufacture which prohibits me to talking even if I realize that there are some particular issues with the chip, talking about this publicly to the parties which do not sign this NDA, this is a huge failure for this industry. Like, so far and we use this many times, when some researchers reveal there’s some issue with the Trezor, we are free to talk about this on our blog and we do, we did this many times. It’s all about the incentives of us as the manufacturers because as we don’t know any venture capitalists and nothing like this behind the Trezor. Our customers are, we want to make a product which is absolutely in line with the interest of our customers so it’s a very difficult question, if we can tell them how they should improve their security. But if you sign the NDA and you get to know about something, you are on the opposite side, you must comply with the manufacturer. And this is something which we don’t want to do.

Vlad Costea (00:20:40):

Yeah, that’s definitely a plus for the Trezor because everything transparent and you can even build one yourself and it’s very easy to audit and to tell if there is a security issue and it’s also faster to fix issues if you find them.

Slush (00:21:01):

Yeah. There’s so many details or answers to this, like we started to work on Trezor with the understanding that the hardware itself, like any hardware, is broken. The industry works in general in a non-transparent way. The hardware industry is like 20 or maybe 30 years behind the software industry with all the open source companies and all the open standards, which we see in the software industry. This is nothing what you can follow in the hardware industry itself, it’s all banged together with intellectual properties, all with the contracts. It has, so it’s very non-transparent itself and we just refuse to bind ourself into all this industry which we don’t simply agree with. So we actually know, once you understand that the chip itself is broken and we never promised any physical security of this particular chip because even the manufacturer never promised this, we built the threat model around the Trezor in the way that if you care about the physical security, if you can solve it and do not rely on the promises of the vendor, or the other hardware wallets, basically saying, We use secure elements and you can rely on some level to this security promise, but they don’t give you any advice.

New Speaker (00:23:19):

They don’t give you any tool how to evaluate this promise. So me as a user, when I’m modeling my threat model, I really don’t know if I can rely on the secure element for $1,000, $100,000, $1 million? I really didn’t know how to evaluate it. So if I care about the physical security and I see that I can’t audit the chip, when nobody can audit the chip, I had to have some other solution to protect myself from possible insecurities or possible backdoors in the chip. And this answer to all these questions since the beginning, since we designed the Trezor, was passphrase. And what is changing is our understanding about the chip security. Like 10 years ago, there were no specific ways how to read out some chips and they are here now. So this changed, but the original philosophy is still staying strong because with the passphrase you actually can calculate the attack cost of your device because you can calculate the price of the brute forcing the passphrase itself. You cannot do this with secure elements, and it’s just about your trust into all this supply chain to what level you believe all of their marketing claims. And in the extreme philosophical case, you are in Bitcoin, which is strongly anti-government, and these cypherpunk concepts which happened to be a reality. And then you are buying the device which is certified by a government agency that it’s secure? That’s my concern. So I don’t want the trust, I want to verify and secure elements, or all the chips, not only the secure elements, all the chips are, from my perspective, broken by design. You can’t verify this. So let’s build the security with this in mind and provide a solution which don’t promise what you can’t prove, basically.

Vlad Costea (00:26:22):

Yeah, that’s definitely an interesting point of view. This leads me to my next quasi-question because it’s a series of questions and all the guests from hardware wallet manufacturers have been asked to say something nice and something terrible about their competition. So do you have any preference regards to the company with which we should start?

Slush (00:26:48):

Well, I usually don’t speak about the competition unless they speak about me and I have to somehow defend my objectives and my sense. So I don’t know where to start basically.

Vlad Costea (00:27:09):

Let’s start with Ledger because they were the first ones that came after Trezor.

Slush (00:27:13):

Yeah. So I think their approach is great for the masses, they have a perfect product designed for masses. There’s everything as it should be when you are buying into the product. From this perspective, it’s okay. The bad stuff is that philosophically I don’t think it’s aligned with Bitcoin. And that’s the point. This is a point which everybody has to answer by himself: why I am here, and if I am here for trusting somebody else. You see, it’s my point. As I said, with all these NDA secure elements, I simply don’t get that the Ledger is using “Don’t trust, Verify” motto together with using NDA secure element chips audited by government agency. I would rather see any way than this.

Vlad Costea (00:28:37):

Okay. Well, what about to KeepKey because it’s kind of a clone of the Trezor and that doesn’t have a secure element, but at the same time it’s owned by Shapeshift and I think nowadays it doesn’t even have a proprietary software of itself and you connect directly to their platform and you KYC and I gave away some details but can you say something nice and something bad about KeepKey?

Slush (00:29:02):

Honestly, I don’t think that KeepKey is a serious player or a legit player in the field anymore as they are [INAUDIBLE] development on the fundamental development for years. So I don’t consider this as a serious player.

Vlad Costea (00:29:21):

Okay, well let’s move on. What about the Coldcard?

Slush (00:29:27):

Yeah, the BitBox and the Coldcard use basically say, physical, like the same design, security design. And I think this design is quite good, but it’s still selling the snake oil. When you check the Coldcard homepage they are promising the security that they can’t prove it, period. So a Coldcard with the form factor is a great story for geeks. I think they have many interesting features which are available for advanced users and so on. So I think there’s space for this and a BitBox is much more mainstream. I think they are in this way. So, so far, so good. I still have a issue that they are promising what they can’t prove.

Vlad Costea (00:30:37):

Okay, that’s interesting because when I was at Bitcoin Magazine, I wrote an article about Coldcard open sourcing their designs so that you can build your own from parts. So I guess they took some inspiration from Trezor from this point of view and they want to look more transparent. But what is it about the Coldcard that you cannot verify?

Slush (00:30:59):

Yeah, there’s the secure element chip which is used for physical storage, storage of the seed, and basically this chip is free for sale. And the short data sheet is public but still for getting the full data sheet, which has some useful information for integrators, you still need to sign NDA. And this is all about the same. Also they are claiming that it has this chip, this secure element, and it has some specific parameters that they can’t out of this, it’s still a blackbox, and this is an important part. I admit that even if the chip is [INAUDIBLE] then the security is as strong as a Trezor. Like if you consider the secret element [INAUDIBLE], then the physical security falls back to the Trezor. The difference there is a huge difference because we admit that this is a possibility, that the hardware is hacked. So we build the user experience around this and we had the passphrase support and we speak about this quite openly. Now if you are considering physical threat as an issue for you, you should use the passphrase. On the other side Coldcard is not saying this, and they are relying on the security of this chip. And so this can create false sense of security, which is really, which may be turned to be provable.

Vlad Costea (00:33:22):

Okay. So I got to ask you, because I also saw some tweets about this from you and you think that this part about physical security is just marketing crap because I remember somebody from Ledger once said that their devices are so safe that you can buy them from eBay and are going to work. But it doesn’t really work like that

Slush (00:33:44):

Yeah. Oh, well nobody really knows if it is safe. That’s the point. And yeah, I feel like I’m repeating myself. I hope I was clear what’s my attitude and in recent days I read it. Okay, you should stop talking about secure elements [INAUDIBLE] because you are really like 7 years with the product, the Walkman, behind others, which already has secure elements. This is complete misunderstanding of our concept. Like I have Trezor with secure elements on my table. We have R&D in this area. But we still don’t think any of these solutions is strong enough to really deliver this product and say to people: you can trust this. So even if we will deliver some solution with secure elements, we’ll be talking about the passphrase, educating about physical threats in the secure element. And in the end I think it’s pointless to add secure elements at this stage of the chip industry because if you add this into the hardware design and don’t promote it as a, as a solution for physical security, why even bother to put it into the Trezor. Yeah, I mean we really made our homework, we are in the in the business for many years and we made our homework and a lack of secure elements in the Trezor is not the result of our inability. It was our decision.

Vlad Costea (00:35:53):

Right. Let me just get back to the BitBox because I feel like you left them behind a bit and you just put them in the same basket as Coldcard. And when I had Jonas Schnelli and also ??????, they spoke very nicely of Trezor. So I feel like you should at least, even though you’re going to be critical, just say something specific about what you think about BitBox

Slush (00:36:19):

I think that BitBox is doing it well, like I think they are recognized players on the market and that they were so far very cooperative so this is what I like. I like the product. Yup.

Vlad Costea (00:36:39):

But you don’t like the secure elements just like the Coldcard?

Slush (00:36:43):

Yeah, of course the story is, it’s still the same. I understand why they put it there. I understand that it’s easy marketing to just check. Secure element: Yeah, yes we have. You are safe. But that’s the point of the [INAUDIBLE] Unless you can audit it, not necessarily you, but unless anybody can audit it and unless anybody can calculate the attack into this stuff, I don’t think the secure element is [INAUDIBLE].

Vlad Costea (00:37:22):

Okay. Let’s move on and talk about something that people usually point out when they talk about hardware wallets and this is trade-offs. And do you think that the Trezor in its design has any kind of trade-offs?

Slush (00:37:37):

Of course. I would like to have impenetrable hardware because it will give you much better user experience and your user experiences is something we take really seriously. And of course the passphrase itself is making the experience much worse. But yeah, we know the reality. So I think we will need to live with passphrase for many years unless something magically changed in the hardware industry. And this is a downside of our design. Yeah.

Vlad Costea (00:38:23):

What about Shamir backup? I remembered that was a very big improvements when it first came out and it was a massive discussion that was started in the community and I think, up to this point, Trezor is still the only company that has that implemented.

Slush (00:38:42):

Yeah, this is a really good point. I think that current situation of hardware wallets, it’s stuck on the discussion about the secure element itself. If a full secure element certified by foreign government agency is the best solution or if the physical storage is the best solution or if the general MCU is the best solution. Generally I think this is very minor. This Shamir has a small place in the overall threat model. And I understand this is a topic because it’s quite easy to communicate to users. That some hardware wallet has something better than others. So it’s easy to talk about this, but I think that overall threat model is much more complicated. And what’s not discussed enough in my opinion, is the lifecycle of the recovery seed itself. Like why do you talk all the time about the secure elements when the hardware wallet print out or generates for you, the recovery seed, which you have in your pocket and it’s not covered by secure element, you’re not covered by the passphrase. It’s just a piece of the paper which holds all your millions in Bitcoin.

New Speaker (00:40:17):

So I think the security of recovery seed is a second part of the story of hardware wallets. You know, hardware wallets, or Trezor, solves the biggest issue of these things, like moving the private keys from ordinary environment to the secure hardware with limited attack vector, with auditable code with all this research on the on the hardware possible and so on. But it’s not the end of the story. You still have to put private keys somewhere because the hardware itself, like the standard consumer electronics is really unreliable and you can’t count on the faith that it will survive like 10 or 20 years. It’s clearly possible that in 10 years if you turn on your hardware wallet, it will be just blank, it won’t boot up. So we move the private keys from the online world to the really limited hardware and yeah, we are discussing all the security issues with the chips and so on.

New Speaker (00:41:46):

But the next part of the story is to solve what to do with the recovery part itself because that’s the most vulnerable in the whole story. And our answer to this complex topic is the Shamir backup, because until now, until we release the Shamir backup, users were really creative about what would do with the recovery seeds. Somebody just doesn’t care, which is probably not great, but somebody even, and that’s the worst when the user thinks that he is a power user and he’s going to create some custom security setup, which I never recommend, they like shuffled the words in the, in the order they want to remember. And when they forgot the pattern, how they shuffled the words they are screwed or they will try to split the recovery seed into two or three parts, hiding the parts on different places. But they usually don’t understand that it may be possible to calculate like those last few words.

New Speaker (00:43:14):

So we introduced the Shamir backup to improve the situation and give another tool to the users how to manage the recovery seed. And basically it allows a cryptographic soundwave to split the recovery seed into more chunks, more shares, in the way you can customize how many shares you need to recover and how many shares is in total. So it allows [INAUDIBLE] and it also allow geographic backups. Like you can split your seed and have all your share in other city or even country. And even if somebody’s steal a small portion of small portion that is defined [inaudible], they can’t go or anything from this share which can help them brute force the rest of the shares. So I think this is really important. I explained it. Other wallets will somehow implement this or some similar [INAUDIBLE] in the future. I know that there are some [INAUDIBLE] working on support of SLIP39 into their solutions and I think it makes complete sense. And for that reason we make it, again, for the open source because we really want to encourage the industry to [INAUDIBLE] the standard because we believes it’s another important step in the development and evolution of the [INAUDIBLE] security.

Vlad Costea (00:45:11):

Yeah. And for the people who are not aware of slip doesn’t stand for Stefan Livera Podcast. It’s actually Satoshi Lab’s improvement proposal. I feel like sometimes you get lost in explanations and maybe that the average user will not be aware that there is a huge development laboratory that you have with SatoshiLabs and you’re trying to constantly find new ways to improve security for hardware wallets.

Slush (00:45:42):

Yeah, we are spending quite a lot of time, uh, researching all these standards. Like we back in days we created BIP39, which is now used by absolute majority of all the wallets. It’s like a widely used standard, and also standards for derivation paths for Bitcoin or altcoins [INAUDIBLE] and so on. So this is where we really want to move the industry forward and actually we are living from selling the hardware, but if we see the hardware itself just as a piece of the much bigger picture and we are spending a lot of time thinking through all the cycle, how to improve all the industry and we just don’t want to insist on fighting over the details in the hardware itself.

Vlad Costea (00:46:48):

Yeah. Because you have said it from the beginning, when you first started with the Trezor, you’re actually thinking in terms of software and you were reluctant into getting into hardware because it’s complicated.

Slush (00:47:00):

Yes. In this big picture, it makes sense to make a limited hardware, as cheap hardware, with no special inside, because it will make work. Basically Trezor is a reference diagram of the microchip—MCU with two buttons—and the display—there’s no magic in it. All the magic is the software and the security design in this software, which cover all the attack vectors, including the physical attack vectors. There is no magic soup in the Trezor.

Vlad Costea (00:48:01):

Yeah, and some people will look at the Trezor and they will say, Okay, so if it has this cheap microcontroller unit and it just has buttons on the screen, then why does it cost €120 or something for the Model T? The answer is that they pay for customer support and development and research and all that stuff, right?

Slush (00:48:22):

Yeah, exactly. The other one cost I think $49. So it’s not $100 anymore, but people underestimate the effort in R&D which we put into the software part. I always say that SatoshiLabs is software company. The hardware for us is just a tool. It just needs to do the thing. But all the magic is in software, which is for everybody.

Speaker 6 (00:48:55):

And also the software is fully open source. So other companies just take your research software and create new products for cheaper prices.

Slush (00:49:05):

This was a topic few years ago when KeepKey started when all the Chinese clones started—that’s interesting—I didn’t know, but my colleague told me two days ago that they made research and there’s around 40 clones of Trezor, like some international vendor doing hardware wallet based on the Trezor scheme and so on. I didn’t know this. I suppose this is part of the open source and all the standards and all the code and all the electronics—which is open source—and back in years we were worried about this a bit—if we can do sustainable business on fully open source everything. And I think the conclusion is that, yes, because in the security industry you probably don’t want to save 10 bucks on the knock-off hardware, like clone of the hardware, when you are going to put thousands and more dollars of Bitcoin into the device. So we were a bit afraid of this, but it turned out that the people care about this.

New Speaker (00:50:33):

They listen about the possible security issues which comes with buying cheap clones and in the end I think this was a winning strategy. I really believe in open source. Contrary to what @BTChip from Ledger told you that he doesn’t think that open source solves all the issues, I think the opposite. Let me explain. We have so many people watching our hands and doing the security research and even breaking the Trezor and they are all the white hat hackers which are then reporting issues to the product and if you check our security page, there’s a lot of reports which we responded to with some fixes in the software. I believe that this is the result of the open source, because without this, with any obstacles in this, dissuaded hackers won’t do this.

New Speaker (00:51:56):

The activity of the researchers is a indicator of the living community, and we were asking a few of them why they spend so many time on the Trezor—and actually not on the competition—and answer was quite interesting for us because to really innovate the chip, or hold the solution which includes the NDA chip, they would need to sign the NDA with the manufacturer, which means that if they will find out something they wouldn’t be able to tell it publicly which won’t give them the social credit which is usually why they are into the research in the first place. For me this was eye-opening moment and I realize that, Okay this is interesting. Most likely the Trezor is most attacked hardware wallet on the market, just because we are basically transparent and it attracts the researchers to do the job.

Vlad Costea (00:53:25):

Yeah, and also LazyNinja—who was the only hacker that I was able to get on the show—also said that he did spend some time on the Trezor, but it takes a lot of time to find some kind of vulnerability because there are too many people doing this and there are lots of eyes on the software and on the device itself and that’s why possibly it’s the most secure of all hardware wallets.

Slush (00:53:54):

In my opinion, this proves the open source actually works because if it attracts white hat hackers which are then reinforcing the product, it makes the whole industry much stronger and much better.

Vlad Costea (00:54:12):

Now there is one marketing point from which sometimes Coldcard attacks you for example, because you support lots of altcoins and you add them to the software implementation. And you also have a Trezor Model T that is Bitcoin-only and I have to ask: is there demand for that, is it sold just as well as the other models?

Slush (00:54:36):

The BTC-only software? To my knowledge, it’s supported also for Trezor One and Trezor Model T. We are Bitcoiners in heart so this was a natural thing to do when there was a request from our users. And I completely agree with this, but if you are asking me about the sales numbers, I don’t think it’s measurable or it made any impact. I believe this is important for this small portion of the user base, but it’s not like mainstream requested feature.

Vlad Costea (00:55:26):

Yeah, sometimes people can be mean on Twitter. And that’s why I raised this specifically. So I saw a presentation last year with Stick (@pavolrusnak), who is the co-founder of SatoshiLabs and I think he was in Malta—Tone Vay’s conference. And he showed how you can set up a Multisig where the Trezor and the Electrum software and that was so fast and so simple, but at the same time there are people who criticize the security model and say that the average user should not do that, and Multisig is only for people who require it and not just something that individuals who don’t hold too many Bitcoins should pursue. So what is your stance on Multisig?

Slush (00:56:15):

Multisig it’s great tool for the multi-user funds. Like if you’re a company, you need to hold some Bitcoins, then it’s great for have co-signers which are different parties, different people, and it’s perfectly fit for this purpose. I think that many people who are using Multisig in the way that they are the only co-signer and they have only multiple devices and so on, I think it’s a bit overkill, and all this is about usability, and so in the increasing complexity of the setup it’s so easy to shoot yourself in the foot with the Multisig. I don’t think it’s necessary for the single user to use Multisig because I saw this from the perspective: if you are user and you want to use these accounts daily then you have proper [INAUDIBLE] backup, distribution of these units.

New Speaker (00:57:43):

Plus, of course you still need to care about the backup because I would never rely with my Bitcoins which have private keys stored on the devices, because I understand how bad these devices are in remembering any data, like flash memory can fail at any time. So it’s much more complex and downgrades the user experience because if you use this daily, you need to use multiple devices and do this ceremony all the time you are going to send Bitcoins. And on other side, if you are HODLer like longtime HODLer, you don’t need Multisig either because in this case you probably don’t want to even have the seed loaded in the hardware wallet. What I would recommend for a longtime HODLer is to do the Shamir setup or even Super Shamir setup, which is even more complicated like you can have Shamir out of the Shamir shares itself. So you can have really crazy stuffs here which are really for many advanced users only.

New Speaker (00:59:09):

But this isn’t the point. Let’s go back to the story. If you want to HODL Bitcoins, then just generate the Shamir backup, store the seeds properly with the CryptoSteel, taking on the safe place, or give it as a social backup for people you really trust—two people which actually didn’t even know each other or something like this—and then you can wipe the hardware wallet, which will be completely empty and you don’t need to care about all the firmware updates and all the hacks—all these things which we were talking all the time in this podcast—anymore, because you have the metal backup which can survive centuries and software security is not in your threat model anymore. So this is all about not making the setup complex but actually about limiting the attack surface to the state that not only do you don’t have Multisig setup but you don’t even need the hardware wallet at all. And I think this is much, much better solution.

Vlad Costea (01:00:36):

Okay. So at the end of the day, who should use a Multisig? Like should somebody who owns $500 of Bitcoin set up a Multisig or is it for companies that have multiple parties?

Slush (01:00:49):

Yeah, it’s mostly for companies for use-cases where more users need to co-sign the specific transactions, and I don’t see such a big use-case for single individuals. Of course, there’s so many projects that will co-sign or keep some of your shares for you and ultimately they will co-sign or they will authorize you and so on. But it actually makes the threat model much more complicated and much more foggy than doing this on your own because when you create your wallet with some other party, even if it’s an established player in the field, still they have to know about your—you wrote something, maybe they need to know stuff, so they know you most likely and they know how much money you had, which may or may be not a problem for a threat model—depends on how rich you are and how paranoid are you. But I just want to say that every time you add the Multisig into your setup, it solves some kind of issues, but in my opinion it adds much bigger complexity than the normal user can really evaluate and evaluate the risk.

Vlad Costea (01:02:44):

Now here’s an interesting question that usually pops out, especially when it comes to newbies who get into the space because nowadays it seems like hardware wallets and nodes in a box and all these products are kind of part of the lifestyle of a Bitcoiner, and if you want to be a true community member you have to get one of these, and sometimes you see these small groups of people—I think one is established with Casa and one is established with Coldcard and you see them on Twitter all the time. And when is the point when you should be considering buying a hardware wallet? Let’s say that you have your coins on Coinbase and you’re thinking about getting a Trezor, but is there a specific amount or a specific moment when you learn more about Bitcoin, when you should get a hardware wallet?

Slush (01:03:40):

I understand that most of the people get into the Bitcoin in the way that they buy something on the exchange and it lies there for some time. And many of people ends there, like the journey ends here for them because they have Bitcoin and they speculate on this or whatever. I think it requires some kind of personality to really want to dig more into what the Bitcoin is. And at this point—when the curiosity starts to appear—then the hardware wallets, the Trezor, is here for them. It’s really convenient and mainstream to just buy Bitcoin on the exchange and leave it there, but you know, Not your keys, not your Bitcoins. So I don’t consider these people Bitcoiners really, they just have another bank account which is denominated in Bitcoin.

New Speaker (01:04:55):

And as I said, I’m quite a cypherpunk. I like cypherpunk philosophy and I build everything around this. I think the Bitcoin is changing for the 10 years since I’m in the project. I think it’s becoming more obvious that the privacy is an issue. I honestly don’t think that this was always like this. Like of course there were all the time people paranoid about their privacy, but I didn’t think it was mainstream in the terms of the Bitcoin a few years ago—the mainstream concern. Because the Bitcoin was so small. Even for governments, for everybody. So people didn’t feel threat from this side. Now governments and states are recognizing Bitcoin more and more and it’s getting more probably that there will be some actions like, “Now all the government stuff, IRS and all the American agencies and so on—are we going after the Bitcoiners to tax everything properly and so on?” And I think it makes much more sense to think about the privacy and I think the Bitcoin mainstream is going to realize this more than before. So for this I think it’s also bigger challenge for the Trezor because so far we have been solely on the security part. The security and privacy are two completely different things. Like you can be secure. You can have the private keys but your xPubs may be completely public and you are still secure, from some perspective. Of course you are not secure from the social attack vector and so on, but let’s consider that definite possibility. And to be honest, years ago we are focused mainly on bringing the security to the Bitcoin mainstream user.

New Speaker (01:07:40):

So we built the wallet as a web application because it was the easiest way of on-boarding the users because they are used to use a web browser and so on. But as the industry is changing—and we see this—we are developing for one year intensive for last one year we are working complete new solution for the application—frontend—for the Trezor which will sit on the user computer or mobile phone, and eventually use local or remote users on a Bitcoin node. So I think this is the next part of the mission, of self-sovereignty of the user. So far the users can’t buy Trezor from the security perspective—like everything was open source and it was all auditable, but still the user was open to use Electrum or now Wasabi and so on. But still it was not the main application, like main user experience from the Trezor, and now we are working on a solution that this will come out of the box with the Trezor. So we want to give first person experience with software for every user.

Speaker 6 (01:09:24):

Speaking of this, when I wrote that long three-part review of hardware wallets in November for Bitcoin Magazine, I was not able to find a software application that is installed locally and does not that browser extension that is usually the most popular way of interacting with your Trezor device. And I was unaware of the software that you released in 2016. I don’t know why I didn’t find it, but I also know that right now you are working on another piece of software that gets installed on your computer and it’s supposed to provide more financial privacy.

Slush (01:10:02):

I think you are talking about the [INAUDIBLE], which we maybe started in 2016. I’m not sure on which part of the software you are pointing to?

Vlad Costea (01:10:17):

So the client that you were using to interact with your Trezor and it was something that you would install on your computer and you would generate the addresses and keep your transaction history on your hard drive. Just like a full node.

Slush (01:10:31):

Yeah. Definitely is, we have our backends fully open source, even backends for other coins and Bitcoin, all the altcoins which Trezor supports are fully open source and you can download and install on your computer so you can—even now—be completely independent to SatoshiLabs, which to be honest is quite different story than with, for example—Ledger—has these backends closed source. So if you have some coin there which doesn’t have alternative clients, which just support for the hardware wallet, you can be easily locked out of your money once the Ledger shut down their backends, but Trezor has all this completely open source. But on the other hand, I have to admit that it’s not for normal users. Like you need some little skills to start this and sync it with the network and so on. So our focus is to do this in a way which is suitable for every Trezor user to actually install on the computer with backend of his choice to be completely independent of anybody else.

Vlad Costea (01:11:57):

So what do you think about people who run their Trezor through Electrum or through Wasabi or some other third party wallet?

Slush (01:12:07):

I’m completely fine with this as no solution fits all. Actually I’m big fan of both Electrum and Wasabi, because Electrum was a huge inspiration for us when we started with Trezor, we learned so many things, how wallets work inside. So I love both products and so I have no problem with people using Trezor with other clients. But on the other hand, I think the user experience is not so great. Of course normal Linux user or power user can do this, but it’s not the user experience which we would like to see when you invest $100 for your security setup.

Vlad Costea (01:13:05):

Now I’m going to have to ask you about privacy and the growing market for user data, because the companies like Chainalysis getting bigger and even though they laid off some employees they get contracts with governments and the IRS and the United States. And when you use a Trezor by default with the browser plugin that you have to install, does Trezor collect any kind of data regarding to your IP address, e-mail address, stuff like that, metadata about your transactions? Can Trezor see how many Bitcoins are owned by the users and stuff like that?

Slush (01:13:51):

The important thing on the Trezor design is that we can’t distinguish devices each to other when we are shipping them. Like there’s no technical way how we can join the order with the specific device when you connect it to the computer. So at no specific time we knew your real identity even if you buy the device from us. I don’t think—and I think I already explained part of this—is if a typical user is connecting the device to our web application, which is using our backends, which are open source but still they are run by us, so technically we may know balances of the users, [INAUDIBLE] of the users and so on, but on the other side, we don’t do this—it’s our social contact—I think that we have this even on our somewhere, but we don’t do this, it’s not here for us [INAUDIBLE] your metadata, but it’s for the people to have the easy onboarding experience. But we are, as I said already, we are actively working on the solution where you don’t want me to connect the Trezor to our servers at any point of time. So this is to prove that we are quite serious in this and so we don’t want to be the gatekeepers and we don’t want to know anything about you.

Vlad Costea (01:15:47):

That’s fair. Because when I look at the KeepKey right now it costs about $20 and it was $200 like 3 years ago or something, and their business model is to sell in large numbers but you also have to KYC with them. So you sign up with your data when you order and they probably find a way to sell that data. I’m just assuming here, I don’t know if they do that but there is probably a market for that kind of data that they’re collecting and it’s reassuring to know that Trezor cannot associate the order number or the device production number with the user. It’s reassuring to know that Trezor doesn’t know who bought what device. You cannot associate a serial number for one device with the user who ordered it.

Slush (01:16:48):

Exactly. This is the [INAUDIBLE] part, like you can check the software that it’s not really relaying any serial number or anything over the protocol so we can’t link the specific device with your order. Actually, there is generated some ID which is in the protocol because in the application you need to identify with it, you need when you connect it for quick [INAUDIBLE] details but this ID is generated again every time you generate the wallet. So it’s generated once you connect it the first time into your computer. So we cannot know this prior the shipment. So this is the part we can prove because it’s baked in the open source software, another part which we can’t prove— yet—is that we don’t collect any financial data from our Bitcoins. It’s just our promise. I’m quite open about this, but we are working on this to solve so we can be able to tell that you can verify it’s yours.

Speaker 6 (01:18:09):

All right. So Mr. Slush, We have been speaking for nearly 2 hours and I am just going to ask you one last question and that’s it. And it’s also very general. So what is Trezor planning for the hardware wallet market in the future and what should we expect in the coming months or years?

Slush (01:18:31):

It’s quite a wide question and I will try to summarize. I think that I already said this during the interview. The remaining remaining topic is the usability of the products and the usability of the whole concept, so it will be more available for bigger parts of the Bitcoiners because it’s our mission to secure as much people as possible. So the usability part is still a remaining issue which we don’t think it’s solved yet. Another big topic which we are working on is the privacy and self-sovereignty, which comes out-of-the-box. So no crazy setups with some Linux boxes and so on because we think this can be, this can go out of the box with Trezor itself. And the last part is that, we didn’t hang up with the hardware security. As we spent the first half of the interview talking about the hardware, I think currently there is no better solution, which can be provable better than Trezor on the market from the chip perspective. And still we are not satisfied with the current situation. We are working on some specific projects which could make this better because we think that Bitcoin deserves more transparency on all layers of the software and hardware stack. And I think I will be talking about this on Bitcoin 2020 in March, so if you are an interest this part, you should follow all my speech.

Vlad Costea (01:20:43):

Yes. And even if you’re not able to come to San Francisco—and I will not be able to come to San Francisco because it’s very expensive—you can still watch that on livestream I think.

Slush (01:20:55):

Yeah. It will be definitely on YouTube eventually. So no need to go to San Francisco. It will be public available.

Vlad Costea (01:21:08):

So thank you very much. Mr Slush. I don’t have any more questions for you at this time.

Slush (01:21:15):

Thank you, Vlad, for the space in your podcast and thank you for your interest.

Vlad Costea (01:21:23):

Yeah. You can’t have a discussion about hardware wallets without including Trezor.

Slush (01:21:41):

Of course. You can’t, and we are here to stay for some time still.

Vlad Costea

I'm here for the freedom, censorship-resistance, and unconfiscatability. What about you?

So, what do you think?

Follow Me