Topic: Fuck you ledger - page 2. (Read 1115 times)

And how exactly does that spyware phone home from a permanently airgapped device?

I never said anything close to that, but if you think you have any privacy while syncing your device via servers owned and operated by the hardware device manufacturer then you are mistaken.

The ability exist to track you in your airgapped laptop, it has much wider attack surface, and you have confirmed spyware in your bios.
You are bringing more harm than good telling people that all hardware wallets are the same, when in reality you have no idea what you are talking about.

And there is an option of not opting in to Ledger's seed phrase extraction, which we rightly mock as being meaningless.

A yes/no button or "user opt out" means nothing. The ability exists for Trezor to surveil you just the same as Ledger do.

So that is your ''proof'' that Trezor is the same as ledger?  
There is a nice little button that shows up when you open Trezor Suite, than you click No/Reject.
Than you can go in settings, enable Tor, make sure Usage data is disabled, and you are done.
Add your own node, and than you can use os firewall to see what data is Trezor sending.
Everything is open source, so I am waiting for someone to find some similar tracking codes that can't be removed like with ledger.

I quoted the Trezor policy where they state they collect details about your hardware, which parts of the app you interact with, use, click on, etc., just like the claims about Ledger.

Not true, because you still need ledger live to update and start using their device.
Ledger will still track everything else you do like section of the screen movement, same as IP address, only addresses wont be sent back to ledger if you use your own node.
You still didnt provide a single proof for your claims, and I am waiting to see something substantial, not pure speculation.

I don't care about Wasabi at all, but you can use your own coordinator, there is no such option available anywhere for ledger.

Trezor is better in so many way, but let's just start from being open source.
And airgapped device and your own node doesn't mean you are safe, especially for 99% of the normies.

And it's trivial to connect a Ledger device to Electrum or Sparrow via your own node and avoid Ledger Live entirely. But the default position for using both Ledger and Trezor devices is to depend on their respective servers, and therefore they can see all your addresses, balances, and transactions.

From Trezor themselves:

This sounds very similar to what the linked user above is claiming about Ledger. And don't forget Trezor supported AOPP and are still supporting blockchain analysis via Wasabi, so they don't exactly have an amazing reputation when it comes to privacy.

Ledger are obviously a joke now, but that doesn't mean Trezor are automatically much better. If you want actual privacy from your hardware wallet, then you need a permanently airgapped device and your own node. Anything else can be surveilled.

What does all my data means exactly?
And it's trivial to connect your own node with Trezor Suite via Electrum server to gain even more privacy.
Nothing in Trezor is going to track when you view a section of the screen, like it does with ledger live.
I even did a website comparison few years and ledger website was always full of ads and tracking, more than any other hw website.
Please do some research before doing comparisons like this and provide some proof.

PS
$484K  just drained from ledger:
https://cointelegraph.com/news/ledger-blockchain-hack-attacker-drained-484-k

LedgerConnect is the new Bitconnect!

Apart from the fact all Ledger devices are already compromised by their seed extraction "feature".

There is a real risk to the funds stored in the #Ledger if they are connected to a computer, since we might extract your seed phrase. There. Fixed.

None of what you said changes the fact that if you sync your Trezor via Trezor's servers by using Trezor Suite, then of course they can harvest all your data. If you aren't using your own node, then you are using someone else's, and the owner of that node can see every address and transaction you are interested in.

It's not the same as Trezor, because Trezor Suite doesn't have apps, no big commercials ads, and you can enable Tor directly from application.
Trezor device is open source, while ledger is not, and Trezor doesn't have malicious option to export seed words like ledger, for ''protection'' with ledger recover.
Obviously this devices are totally on different levels.

I am seriously thinking of nominating ledger as one of the biggest fail of 2023.
For last few years I knew they are a bad company that makes junk products, but I didn't think they could fall so low.
First someone exposes their spy machine software app, and now someone else found a malicious file in their code that infected everything  

Easy solution for recent ledger (and all other hardware wallets) malicious code is to stop using shitcoins and daps.
Simple.

Lets break this down for Ledger users!

Risk of Funds: There is a potential risk to the funds stored in the #Ledger if they interact with #dApps using this compromised library.

Avoid dApp Interactions: Ledger owners should avoid connecting their Ledger to any dApps until it is confirmed to be safe, as this could trigger the drainer script and lead to loss of funds.

Need for Vigilance: Owners should monitor official channels from Ledger for updates and instructions on how to proceed.

Update and Verification: It may be necessary to update the Ledger firmware or software once a fix is available, ensuring it's downloaded from the official Ledger website.

Security Measures: Users should also consider changing passwords and checking for any unauthorized transactions.

Of course, every crazy person user doesn't read this.

Of course, this is shocking news for Ledger device owners. Firstly, no one reads the user agreement that you talk about above, and secondly, not everyone is able to read the Ledger Live software code.

Has anyone released an article with their shocking revelation yet?
 
Let it be just that way.

Ledger software hack news in twitter :  
"We have identified and removed a malicious version of the Ledger Connect Kit.
A genuine version is being pushed to replace the malicious file now. Do not interact with any dApps for the moment. We will keep you informed as the situation evolves.

Your Ledger device and Ledger Live were not compromised."

This really shouldn't be news to anyone who owns a Ledger device. The same is true for any hardware wallet which you use through that company's centralized servers.

In order to show your balances, it must query your addresses somewhere. If it isn't using your own node, then it is using someone else's node, and that node runner (in this case Ledger) will know exactly what you are querying, and therefore will know all your addresses, balances, and transactions. The same is true for example Trezor and Trezor Suite.

This is clearly spelled out in their Privacy Policy, which everyone has read, right? Right!?


If you want to avoid this then use a permanently airgapped hardware wallet, and use it with non-proprietary open source software such as Electrum or Sparrow pointed exclusively at your own node.

I think that collecting information looks like an anonymous cryptocurrency wallet is bad. Unfortunately, this is how every product works these days((

this tweet^[1] reports that as soon as you access the Ledger live app, this app retrieves data about assets you hold in your hardware wallet. it also sends a ton of other information about your computer and device.


[1] https://nitter.net/rektbuildr/status/1732541519284900198

https://bitcoinnews.com/ledger-live-app-accused-of-collecting-user-data/

https://crypto.bi/forum/threads/ledger-live-data-collection-is-more-than-a-little-concerning.5/

@m2017, My version is a bit newer (above 2.50), so maybe that's why it still works, but yours is obviously too old and can't be synchronized, considering that Ledger made some significant changes on its end and that old version no longer works. However, as far as I know, it is possible to manually install older versions of LL, and that could be a way to get a functional LL even without installing the latest version.

https://www.ledger.com/ledger-live/lld-signatures

I wrote about this above. I don’t remember the exact version, some of 2.40 or close. An earlier version than 2.42. That's for sure.

I also wrote about this. The Internet is fine. Since the time when this version of LL was installed, practically nothing has changed in this OS. This is a backup / spare PC that I use very rarely. That is why LL remained in the form in which it was installed.

What if this is the same gradually blocking / restriction of users that you are talking about? I assume that there are not so many users with old versions of LL left. Few people were likely to notice these changes (from a big user base).

I wouldn't bring this up for discussion unless it all seemed suspicious to me. This is somehow strange.

@m2017, what exact version of LL do you have? I also have a very old version and I don't have a problem with synchronization (so far), so maybe you should check that maybe your antivirus or firewall doesn't block internet access to LL. It also occurs to me that Ledger may be blocking users gradually so as not to cause panic, and considering their dirty tactics, that would not be a surprise at all.

I'm sure there won't be any problems with the update. As you can see in the picture, version 2.42 is available for update, I’m sure all subsequent versions are included. The problem is that in my opinion, it looks like Ledger is forcing its users to update, even if they don't want to do so. Let's imagine I am a user who is quite happy with version 2.40 and doesn't want to update to later versions due to lack of trust in this company due to their new built-in functions in Ledger Live. But the unpleasant thing is that Ledger infringes on such users by not allowing them to use older versions of LL. Look again at the picture above - it simply gives an error that doesn't even allow you to access LL and the contents inside the wallet. This is simply called discrimination.

The option to update to the latest version is suitable only for idiots very trusting clients of Ledger. Perhaps earlier versions didn't yet have unnecessary functions (which is not a fact), but in later versions this is 100% present. This could still be used as the last loophole, which Ledger seems to have completely covered by introducing a synchronization error. I assume that this was done deliberately, which once again casts a shadow on the reputation of this company.

My conclusions may seem paranoid, but I have said more than once that in the case of any finance (and not just crypto assets), no paranoia is unnecessary. Especially when you use devices from manufacturers who have been f@ck uped more than once, tarnished their reputation and introduced very dubious services.