Topic: Fuck you ledger (Read 1022 times)

legendary
Activity: 2730
Merit: 7065
Farewell, Leo. You will be missed!
December 22, 2023, 05:29:17 AM
#87
Ledger can't go fully open source due to the closed-source chips they use in their hardware.  That's why the value of their word matters so much.  And their word is worthless.
Everyone uses closed-source chips in their hardware wallets. That includes open-source wallets like Trezor and Foundation Passport or the source-verifiable Coldcard. What they can do is open-source their firmware. That's the issue and biggest part of their ecosystem that is closed-source. Ledger Live, their native, and 3rd-party crypto apps are open-source. That's how they found that tracking code that is posted all over the place.

If Ledger has never compensated for any user losses in any way before, then why would they do it now?
Because their employee or ex-employee and their code started the shitshow that created the problems and the exploit.

From what I've heard, any HW wallet with a secure element has the potential for the manufacturer to exfiltrate the private keys--if I'm wrong about that, please educate me.
You are not wrong. That's what Ledger's Recover fiasco proved. The companies can, in theory, write code to extract your keys if they wanted to. Ledger did it. The question now is who, if, and when will do it next.

And Ledger's code was hacked just last week, which is how a hacker stole users' coins from their Ledger hardware wallets without needing to steal their physical devices.
I think the second part is too simple of an explanation. Coins were drained from both Ledger hardware wallets and software/web wallets that used the vulnerable Ledger Connect Kit. For the drainer to work, the user needed to approve and sign the transaction. It should never have happened, but it is still a combination of user error and Ledger failing miserably to secure their code and procedures internally. In some way, you can compare the signing of the malicious transactions to sending your coins to the wrong address or the old Electrum phishing scam that required a user mistake for it to work. Those who noticed the fake Wallet Connect pop-up and didn't sign the blind transaction weren't affected. Sadly, many still were.
legendary
Activity: 2268
Merit: 18509
December 22, 2023, 03:26:58 AM
#86
But they're not dirty companies.
Then we disagree. Funding blockchain analysis and lying about being open source are not honest and trustworthy actions in my book. And again, I'm not comparing these things to the far worse things Ledger have done, but they are more than enough to mean you shouldn't be using their devices either.
member
Activity: 99
Merit: 153
December 22, 2023, 03:17:36 AM
#85
let's not pretend these other devices are all without flaw. Trezor devices have a seed extraction vulnerability

That vulnerability requires the thief to have possession of your physical device along with some very sophisticated equipment in order to hack it, and the hack doesn't affect newer Trezors.

Ledger's key extraction firmware works over the internet, which means a thief doesn't need to steal your physical device.

And Ledger's code was hacked just last week, which is how a hacker stole users' coins from their Ledger hardware wallets without needing to steal their physical devices.

It's ridiculous to compare those two things.

The Trezor hack was a proof of concept by white hat hackers who alerted Trezor.

The Ledger hack was proof of incompetence which allowed thieves to steal $600,000 in users' coins.

That being said, I'm not saying Trezor, ColdCard, Keystone, etc, are perfect.  I choose not to use them.  But they're not dirty companies.  Ledger has proven themselves to be dishonest and incompetent.  They lie to their users (even their packaging contains a lie right on the box), they leaked their customer database, giving customers names and home addresses to hackers!  And their code has been hacked, allowing thieves to steal $600,000 from users of Ledger hardware.


I am by no means a Ledger fanboy, but it is a simple statement of fact that any other company could try and do the same thing.

Yes, they could.  BUT LEDGER DID.

Ledger is dirty.


This is why I said above I would only ever use open source and permanently airgapped devices.

I do the same thing.

Airgapped.  Stateless.  Open source.  Nothing less, for me.
legendary
Activity: 2268
Merit: 18509
December 22, 2023, 02:58:50 AM
#84
The people at Trezor didn't do those things.  The people at ColdCard didn't do those things.  The people at Keystone didn't do those things.  The people at LEDGER did.
Ledger are obviously the bottom of the barrel when it comes to hardware wallets, but let's not pretend these other devices are all without flaw. Trezor devices have a seed extraction vulnerability and Trezor cooperates with blockchain analysis. ColdCard and Keystone lie about being open source. Nowhere near as bad as what Ledger have done, but enough to not make me want to use any of their products either.

Ledger fanboys are desperately trying to defend Ledger by saying any company could do the same thing.  BUT THEY HAVEN'T.  Only Ledger did.
I am by no means a Ledger fanboy, but it is a simple statement of fact that any other company could try and do the same thing. There is no inherent property in their devices (if they aren't airgapped) stopping them from doing so - only the trust you have in that company and its developers.

This is why I said above I would only ever use open source and permanently airgapped devices. Open source so you know what code is running on your device, and airgapped so that even if the developers wanted to try to extract your seed phrase as Ledger have done then they wouldn't be able to anyway. I would definitely +1 for SeedSigner (and can't wait for this fork to be fully developed: https://monerosigner.com/). Entirely open source so you know exactly what code is running on your device at all times, and even if there was malicious code on there to try and extract your seed phrase, it couldn't achieve anything anyway because it is permanently airgapped. This is what you want from a hardware wallet.
member
Activity: 99
Merit: 153
December 22, 2023, 12:42:01 AM
#83
I try not to be foolish, but again I'm one of those who don't fully understand what goes on under the hood, if you know what I'm saying.  From what I've heard, any HW wallet with a secure element has the potential for the manufacturer to exfiltrate the private keys--if I'm wrong about that, please educate me.

Any car can crash.  But there's a difference between that and a company building software into their cars that forces them to aim for oncoming traffic.

Surely, you understand the difference.

Ledger is the ONLY company to build key extraction into their firmware.  Ledger fanboys are desperately trying to defend Ledger by saying any company could do the same thing.  BUT THEY HAVEN'T.  Only Ledger did.  Ledger fanboys want you to blame every hardware wallet company for what Ledger did.

Have you ever been on a date with a woman whose last boyfriend cheated on her, so she chooses to treat every man like a cheater?  That's crap, right?

Don't hold Ledger's evil and ineptness against other companies who have done nothing wrong, and who go out of their way to keep their users safe.

That being said, I'm a big believer in fully open source projects like SeedSigner and Krux.  Krux with BlueWallet or Sparrow is a fantastic combo.
Never heard of Krux, but those last two are SW wallets that can be used with HW wallets--am I right about that or not?  If so, and let's say you're using Sparrow with a Ledger, they can still steal/exfiltrate/whatever your private keys regardless, right?

Wrong.

I mentioned SeedSigner and Krux as two hardware wallets I like.  I use Krux with BlueWallet.

When you use an app like BlueWallet or Sparrow with a hardware wallet, you import your main PUBLIC key.  It's usually a zpub (for older wallets, it'll be an xpub).

A zpub "public key" gives the app all of your addresses, but it doesn't contain any of the keys for those addresses.  This creates what's known as a "watch only wallet," which means it can show you everything, but it can't spend or move anything since it doesn't have any of the private keys.

So, when you try to spend Bitcoin in a watch only wallet, you have to get a signature from your hardware wallet, because the hardware wallet has the private keys.  And the cool thing is, when your hardware wallet creates the signature to authorize the transaction, it does this without ever revealing the private keys to the app.  Even better: the signature is only valid for that one transaction, which means a hacker can't steal it and do anything with it.  That's how hardware wallets keep you safe.

The entire point of a hardware wallet is to provide signatures without ever exposing your keys.  Only Ledger built a backdoor into their wallets.

Not trusting any hardware wallet because Ledger is a sack of trash is like saying "Well, I got food poisoning from that Taco truck.  I guess I can't eat food anymore."  Ledger is a bad company.  Don't trust Ledger.  But don't hold Ledger's malpractice against good companies.  That's just foolish.
legendary
Activity: 3234
Merit: 6706
Proudly Cycling Merits for Foxpup
December 21, 2023, 11:32:03 PM
#82
Ledger's lies turned me off of all HW wallets for the time being
Don't blame all hardware wallets for one company's evils and ineptness.  That's just foolish.  The issue isn't even the companies that make the wallets.  The issue is the trustworthiness of the people at those companies.
I try not to be foolish, but again I'm one of those who don't fully understand what goes on under the hood, if you know what I'm saying.  From what I've heard, any HW wallet with a secure element has the potential for the manufacturer to exfiltrate the private keys--if I'm wrong about that, please educate me.  And all of them have some kind of security element in them as a matter of course, too, right?

Also, given what I've said about my knowledge of the internal workings of these devices, nobody ought to follow my lead anywhere.  I've just found that for what little crypto I have I don't need a HW wallet to manage it, and I'm not comfortable with the level of uncertainty I have about them.

That being said, I'm a big believer in fully open source projects like SeedSigner and Krux.  Krux with BlueWallet or Sparrow is a fantastic combo.
Never heard of Krux, but those last two are SW wallets that can be used with HW wallets--am I right about that or not?  If so, and let's say you're using Sparrow with a Ledger, they can still steal/exfiltrate/whatever your private keys regardless, right?  If I've understood everything correctly, you don't have to be using Ledger Live in order for that to happen (again, correct me if I'm wrong, please).
member
Activity: 99
Merit: 153
December 21, 2023, 05:20:20 PM
#81
Ledger's lies turned me off of all HW wallets for the time being

Don't blame all hardware wallets for one company's evils and ineptness.  That's just foolish.  The issue isn't even the companies that make the wallets.  The issue is the trustworthiness of the people at those companies.

The people at Ledger have proven again and again that they cannot be trusted.  It's the people at Ledger who lied to their customers and their users.  It's the people at Ledger who wrote and added key extraction APIs to the firmware for their devices.  It's the people at Ledger who failed to implement or follow safety procedures, a failure which led to their database getting hacked (customer names, email addresses and home addresses were leaked) and it's a failure which led to their code getting hacked (they blame a former employee for cryin' out loud!).  It's the people at Ledger who failed, lied, and proved they cannot be trusted.

The people at Trezor didn't do those things.  The people at ColdCard didn't do those things.  The people at Keystone didn't do those things.  The people at LEDGER did.

Don't blame all hardware wallets for Ledger's evils and ineptness.

That being said, I'm a big believer in fully open source projects like SeedSigner and Krux.  Krux with BlueWallet or Sparrow is a fantastic combo.
legendary
Activity: 1344
Merit: 6415
Farewell, Leo
December 21, 2023, 04:20:59 PM
#80
The crazy thing is that I know both of you have extensive knowledge of hardware wallets, and if you're both arguing about something so fundamental, can you imagine how confused people like me--who don't have the technical knowledge to evaluate these claims on their own--are, and how jaded some of us are now that it seems like most if not all HW wallets can theoretically extract a user's private keys?
I get your concern, let me break the situation down for you.

Humans make mistakes, like really often. It applies everywhere, including software engineering and designing. If software is exploited in an Internet-connected device, the attacker can steal your keys. Being airgapped grants you this invaluable property that even if things get really fucked up, it is physically incapable of sending anything anywhere.

Trezor is not airgapped. Even if we assume they are coding with the best intentions, there's this chance of an attacker exploiting their software and taking advantage of the fact that the device can communicate with the Internet. And we know they don't have the best intentions when it comes to privacy as they're cooperating with Wasabi (references on why that's a red flag can be found on dozens of topics in this board) and had enforced a dystopian Address Ownership Proof Protocol in the past.

Nobody claimed Trezor is insecure. What is being said is that Trezor has the ability to surveil you, and is definitely less trustworthy than an airgapped device.
legendary
Activity: 2268
Merit: 18509
December 21, 2023, 03:58:39 PM
#79
Ledger's lies turned me off of all HW wallets for the time being, even if that might be an extreme response.  I'm waiting for the dust to settle and the experts here to either confirm or disprove these suspicions/fears/whatnot.
I have also said for a while now that I have largely moved away from all hardware wallets and back in favor of self made airgapped cold storage. I sleep easy knowing that my wallet software isn't spying on me, and that there is zero possibility of some company pushing an update to any of my airgapped devices which means my seed phrase can be extracted, or my wallets will start cooperating with blockchain analysis, or so I can start linking my KYC to my wallets' addresses, or some other such nonsense.

The only hardware wallet I would ever consider using again is one which is both open source and permanently airgapped.
legendary
Activity: 3234
Merit: 6706
Proudly Cycling Merits for Foxpup
December 21, 2023, 03:41:52 PM
#78
A yes/no button or "user opt out" means nothing. The ability exists for Trezor to surveil you just the same as Ledger do.
The ability exists to track you in your airgapped laptop, it has a much wider attack surface, and you have confirmed spyware in your BIOS.
You are bringing more harm than good telling people that all hardware wallets are the same, when in reality you have no idea what you are talking about.
The crazy thing is that I know both of you have extensive knowledge of hardware wallets, and if you're both arguing about something so fundamental, can you imagine how confused people like me--who don't have the technical knowledge to evaluate these claims on their own--are, and how jaded some of us are now that it seems like most if not all HW wallets can theoretically extract a user's private keys?

Ledger's lies turned me off of all HW wallets for the time being, even if that might be an extreme response.  I'm waiting for the dust to settle and the experts here to either confirm or disprove these suspicions/fears/whatnot.  And I really wonder what the state of Ledger's business is at the moment.
legendary
Activity: 3220
Merit: 5630
Blackjack.fun-Free Raffle-Join&Win $50🎲
December 21, 2023, 12:45:42 PM
#77
~snip~
Ledger will make sure victims affected will be made whole, and are committing to work with the DApp ecosystem to allow Clear Signing, and no longer allow Blind Signing with Ledger devices by June 2024.


This is something new (unexpected), but considering all the bad things associated with this company, few will try to improve their reputation by playing the game "the bad ones, the good ones". I hope that there is no catch in everything, let's say some kind of KYC for all those who want a refund, or maybe a mandatory Recovery service lasting at least 1 year.
legendary
Activity: 1708
Merit: 1615
#SWGT CERTIK Audited
December 21, 2023, 05:09:25 AM
#76
Ledger announced the amount of damage from a recent hack
We are 100% focused on following up to last week’s security incident, making sure incidents like this are prevented in the future, and that the ecosystem remains safe.

We are aware of approximately $600k in assets impacted, stolen from users blind signing on EVM DApps.

Ledger will make sure victims affected will be made whole, and are committing to work with the DApp ecosystem to allow Clear Signing, and no longer allow Blind Signing with Ledger devices by June 2024.
legendary
Activity: 2212
Merit: 7064
Cashback 15%
December 20, 2023, 07:03:24 AM
#75
Again, once they started lying to their users, their word became worthless.
But if you apply the same principle to politics, then there wouldn't be any governments as we know them today... so how can we survive without them and without roads?

Ledger can't go fully open source due to the closed-source chips they use in their hardware.  That's why the value of their word matters so much.  And their word is worthless.
They can if they want.
Just release new models with different secure elements, don't use the same NDAs as with current models, and release code that is at least source-viewable.
It's either that or they will stop existing soon if they continue at the same tempo... that is my prediction from a crypto gipsy fortune teller.

legendary
Activity: 1792
Merit: 1296
keep walking, Johnnie
December 18, 2023, 09:48:16 AM
#74
1. Does the newest firmware pull your private key data without consent? We all know it's now capable of this due to their backup offering nonsense.
What idiot company would publicly admit this?

4. Is Ledger going to make the victims of this hack whole? In my mind they need to come up with a gameplan ASAP on how to do this for every coin that was lost.
If Ledger has never compensated for any user losses in any way before, then why would they do it now?

It’s time to put on the boxes with Ledger wallets the inscription “Dangerous for use, because it poses a direct threat to your cryptoassets. All your further use of this device is at your own peril and risk”.

5. Why haven't they gone fully open source? I get being proprietary but at this point trust is lost as this is now strike 2...
2 strike? You seem to have lost count.

Only time will tell how this pans out but for now I would avoid Ledger until they truly come clean.
Looks like it's time to replace it permanently.
member
Activity: 99
Merit: 153
December 18, 2023, 02:33:34 AM
#73
IMHO Ledger has failed terribly and their communications team should be and have been clearer and less technical in their responses to concerns of what is / was their average user.

The issue isn't clarity.  The issue is that they lie.

1. Does the newest firmware pull your private key data without consent? We all know it's now capable of this due to their backup offering nonsense.

If they say it doesn't, how can you believe them?  They lie.  And even if their firmware doesn't extract your seed without your consent, the fact that THAT capability is now part of their firmware means Ledger hardware is now a honeypot for hackers.  And, oh by the way, Ledger's code was hacked this past week due to a screwup by a former Ledger employee.

2. Re-confirm that the end users involved in this latest hack physically had to allow /confirm the transfers on their hardware wallet. Again in plain English.

Even if they do...  they lie, so how can you trust anything they say?

3. How did an Ex-Employee (or is it just an Ex-Employee now after the hack) retain rights to push code into their GitHub without a secondary signer?

Again, once they started lying to their users, their word became worthless.

4. Is Ledger going to make the victims of this hack whole? In my mind they need to come up with a gameplan ASAP on how to do this for every coin that was lost.

Guaranteed, the answer is no.  Ledger's lawyers protect them, not their users.

5. Why haven't they gone fully open source? I get being proprietary but at this point trust is lost as this is now strike 2...

Ledger can't go fully open source due to the closed-source chips they use in their hardware.  That's why the value of their word matters so much.  And their word is worthless.

Ledger's word is worthless.
full member
Activity: 562
Merit: 139
December 17, 2023, 01:58:20 PM
#72
IMHO Ledger has failed terribly and their communications team should be and have been clearer and less technical in their responses to concerns of what is / was their average user.

There are ongoing concerns for many that are still out there, myself included.

For me a few major topics like:
1. Does the newest firmware pull your private key data without consent? We all know it's now capable of this due to their backup offering nonsense.
2. Re-confirm that the end users involved in this latest hack physically had to allow /confirm the transfers on their hardware wallet. Again in plain English.
3. How did an Ex-Employee (or is it just an Ex-Employee now after the hack) retain rights to push code into their GitHub without a secondary signer?
4. Is Ledger going to make the victims of this hack whole? In my mind they need to come up with a gameplan ASAP on how to do this for every coin that was lost.
5. Why haven't they gone fully open source? I get being proprietary but at this point trust is lost as this is now strike 2...

Only time will tell how this pans out but for now I would avoid Ledger until they truly come clean.

legendary
Activity: 1708
Merit: 1615
#SWGT CERTIK Audited
December 17, 2023, 08:07:15 AM
#71
A LETTER FROM LEDGER CHAIRMAN & CEO PASCAL GAUTHIER REGARDING LEDGER CONNECT KIT EXPLOIT
Things to know:

– December 14th, 2023, Ledger experienced an exploit on Ledger Connect Kit, a Javascript library to connect Web sites to wallets.

– The industry collaborated with Ledger to neutralize the exploit and try to freeze stolen funds very quickly – the exploit was effectively running for less than two hours.

– This exploit is currently being investigated, Ledger has filed complaints and will help affected individuals try to recover funds.

– This exploit did not and does not affect the integrity of Ledger hardware or Ledger Live.

– The exploit was limited to third party DApps which use the Ledger Connect Kit.
legendary
Activity: 2268
Merit: 18509
December 15, 2023, 08:34:00 AM
#70
The ability exists to track you in your airgapped laptop, it has a much wider attack surface, and you have confirmed spyware in your BIOS.
And how exactly does that spyware phone home from a permanently airgapped device?

You are bringing more harm than good telling people that all hardware wallets are the same
I never said anything close to that, but if you think you have any privacy while syncing your device via servers owned and operated by the hardware device manufacturer then you are mistaken.
legendary
Activity: 2212
Merit: 7064
Cashback 15%
December 15, 2023, 07:12:36 AM
#69
A yes/no button or "user opt out" means nothing. The ability exists for Trezor to surveil you just the same as Ledger do.
The ability exists to track you in your airgapped laptop, it has a much wider attack surface, and you have confirmed spyware in your BIOS.
You are bringing more harm than good telling people that all hardware wallets are the same, when in reality you have no idea what you are talking about.
legendary
Activity: 2268
Merit: 18509
December 15, 2023, 06:33:14 AM
#68
There is a nice little button that shows up when you open Trezor Suite, then you click No/Reject.
And there is an option of not opting in to Ledger's seed phrase extraction, which we rightly mock as being meaningless.

A yes/no button or "user opt out" means nothing. The ability exists for Trezor to surveil you just the same as Ledger do.
legendary
Activity: 2212
Merit: 7064
Cashback 15%
December 15, 2023, 05:47:14 AM
#67
I quoted the Trezor policy where they state they collect details about your hardware, which parts of the app you interact with, use, click on, etc., just like the claims about Ledger.
So that is your ''proof'' that Trezor is the same as ledger?
There is a nice little button that shows up when you open Trezor Suite, then you click No/Reject.
Then you can go in settings, enable Tor, make sure Usage data is disabled, and you are done.
Add your own node, and then you can use the OS firewall to see what data Trezor is sending.
Everything is open source, so I am waiting for someone to find some similar tracking codes that can't be removed like with ledger.
legendary
Activity: 2268
Merit: 18509
December 15, 2023, 05:38:57 AM
#66
You still didn't provide a single proof for your claims, and I am waiting to see something substantial, not pure speculation.
I quoted the Trezor policy where they state they collect details about your hardware, which parts of the app you interact with, use, click on, etc., just like the claims about Ledger.
legendary
Activity: 2212
Merit: 7064
Cashback 15%
December 15, 2023, 05:25:28 AM
#65
And it's trivial to connect a Ledger device to Electrum or Sparrow via your own node and avoid Ledger Live entirely. But the default position for using both Ledger and Trezor devices is to depend on their respective servers, and therefore they can see all your addresses, balances, and transactions.
Not true, because you still need ledger live to update and start using their device.
Ledger will still track everything else you do like section of the screen movement, same as IP address, only addresses won't be sent back to ledger if you use your own node.
You still didn't provide a single proof for your claims, and I am waiting to see something substantial, not pure speculation.

This sounds very similar to what the linked user above is claiming about Ledger. And don't forget Trezor supported AOPP and are still supporting blockchain analysis via Wasabi, so they don't exactly have an amazing reputation when it comes to privacy.
I don't care about Wasabi at all, but you can use your own coordinator, there is no such option available anywhere for ledger.

Ledger are obviously a joke now, but that doesn't mean Trezor are automatically much better. If you want actual privacy from your hardware wallet, then you need a permanently airgapped device and your own node. Anything else can be surveilled.
Trezor is better in so many ways, but let's just start from being open source.
And an airgapped device and your own node doesn't mean you are safe, especially for 99% of the normies.
legendary
Activity: 2268
Merit: 18509
December 15, 2023, 05:16:19 AM
#64
And it's trivial to connect your own node with Trezor Suite via Electrum server to gain even more privacy.
And it's trivial to connect a Ledger device to Electrum or Sparrow via your own node and avoid Ledger Live entirely. But the default position for using both Ledger and Trezor devices is to depend on their respective servers, and therefore they can see all your addresses, balances, and transactions.

Nothing in Trezor is going to track when you view a section of the screen, like it does with ledger live.
From Trezor themselves:

When enabled, purely functional data about how the app is used will be collected and analyzed to find defects and inefficiencies. With explicit consent, both web and desktop applications may collect anonymous data such as user interactions with app functions, errors, hardware specifications and app response times.
This sounds very similar to what the linked user above is claiming about Ledger. And don't forget Trezor supported AOPP and are still supporting blockchain analysis via Wasabi, so they don't exactly have an amazing reputation when it comes to privacy.

Ledger are obviously a joke now, but that doesn't mean Trezor are automatically much better. If you want actual privacy from your hardware wallet, then you need a permanently airgapped device and your own node. Anything else can be surveilled.
legendary
Activity: 2212
Merit: 7064
Cashback 15%
December 14, 2023, 11:57:43 AM
#63
None of what you said changes the fact that if you sync your Trezor via Trezor's servers by using Trezor Suite, then of course they can harvest all your data. If you aren't using your own node, then you are using someone else's, and the owner of that node can see every address and transaction you are interested in.
What does all my data mean exactly?
And it's trivial to connect your own node with Trezor Suite via Electrum server to gain even more privacy.
Nothing in Trezor is going to track when you view a section of the screen, like it does with ledger live.
I even did a website comparison a few years ago and the ledger website was always full of ads and tracking, more than any other hw website.
Please do some research before doing comparisons like this and provide some proof.

PS
$484K just drained from ledger:
https://cointelegraph.com/news/ledger-blockchain-hack-attacker-drained-484-k

LedgerConnect is the new Bitconnect!



legendary
Activity: 2268
Merit: 18509
December 14, 2023, 11:13:06 AM
#62
Your Ledger device and Ledger Live were not compromised.
Apart from the fact all Ledger devices are already compromised by their seed extraction "feature".

There is a potential risk to the funds stored in the #Ledger if they interact with #dApps using this compromised library.
There is a real risk to the funds stored in the #Ledger if they are connected to a computer, since we might extract your seed phrase. There. Fixed.

Obviously these devices are totally on different levels.
None of what you said changes the fact that if you sync your Trezor via Trezor's servers by using Trezor Suite, then of course they can harvest all your data. If you aren't using your own node, then you are using someone else's, and the owner of that node can see every address and transaction you are interested in.
legendary
Activity: 2212
Merit: 7064
Cashback 15%
December 14, 2023, 10:20:28 AM
#61
The same is true for example Trezor and Trezor Suite.
It's not the same as Trezor, because Trezor Suite doesn't have apps, no big commercial ads, and you can enable Tor directly from the application.
Trezor device is open source, while ledger is not, and Trezor doesn't have a malicious option to export seed words like ledger, for ''protection'' with ledger recover.
Obviously these devices are totally on different levels.

I am seriously thinking of nominating ledger as one of the biggest fails of 2023.
For the last few years I knew they are a bad company that makes junk products, but I didn't think they could fall so low.
First someone exposes their spy machine software app, and now someone else found a malicious file in their code that infected everything.

Easy solution for recent ledger (and all other hardware wallets) malicious code is to stop using shitcoins and dapps.
Simple.
legendary
Activity: 1708
Merit: 1615
#SWGT CERTIK Audited
December 14, 2023, 10:14:14 AM
#60
Let's break this down for Ledger users!

Risk of Funds: There is a potential risk to the funds stored in the #Ledger if they interact with #dApps using this compromised library.

Avoid dApp Interactions: Ledger owners should avoid connecting their Ledger to any dApps until it is confirmed to be safe, as this could trigger the drainer script and lead to loss of funds.

Need for Vigilance: Owners should monitor official channels from Ledger for updates and instructions on how to proceed.

Update and Verification: It may be necessary to update the Ledger firmware or software once a fix is available, ensuring it's downloaded from the official Ledger website.

Security Measures: Users should also consider changing passwords and checking for any unauthorized transactions.
legendary
Activity: 1792
Merit: 1296
keep walking, Johnnie
December 14, 2023, 10:09:55 AM
#59
This is clearly spelled out in their Privacy Policy, which everyone has read, right? Right!?
Of course, every crazy person user doesn't read this.

This really shouldn't be news to anyone who owns a Ledger device. The same is true for any hardware wallet which you use through that company's centralized servers.
Of course, this is shocking news for Ledger device owners. Firstly, no one reads the user agreement that you talk about above, and secondly, not everyone is able to read the Ledger Live software code.


In order to show your balances, it must query your addresses somewhere. If it isn't using your own node, then it is using someone else's node, and that node runner (in this case Ledger) will know exactly what you are querying, and therefore will know all your addresses, balances, and transactions. The same is true for example Trezor and Trezor Suite.
Has anyone released an article with their shocking revelation yet?
 

If you want to avoid this then use a permanently airgapped hardware wallet, and use it with non-proprietary open source software such as Electrum or Sparrow pointed exclusively at your own node.
Let it be just that way.
legendary
Activity: 1708
Merit: 1615
#SWGT CERTIK Audited
December 14, 2023, 09:46:04 AM
#58
Ledger software hack news on Twitter:
"We have identified and removed a malicious version of the Ledger Connect Kit.
A genuine version is being pushed to replace the malicious file now. Do not interact with any dApps for the moment. We will keep you informed as the situation evolves.

Your Ledger device and Ledger Live were not compromised."
legendary
Activity: 2268
Merit: 18509
December 14, 2023, 02:06:17 AM
#57
-snip-
This really shouldn't be news to anyone who owns a Ledger device. The same is true for any hardware wallet which you use through that company's centralized servers.

In order to show your balances, it must query your addresses somewhere. If it isn't using your own node, then it is using someone else's node, and that node runner (in this case Ledger) will know exactly what you are querying, and therefore will know all your addresses, balances, and transactions. The same is true for example Trezor and Trezor Suite.

This is clearly spelled out in their Privacy Policy, which everyone has read, right? Right!?

Use of Ledger Live

Device session identifier, IP address*, clicks, actions (e.g. launching the application, use of transactional functionalities, pages viewed), properties (e.g. type, version, language and region recorded for your operating system), currency, time stamp, amount and status of transactions, transaction identifier, identifier used by our partners to identify you (when you use their services)

If you want to avoid this then use a permanently airgapped hardware wallet, and use it with non-proprietary open source software such as Electrum or Sparrow pointed exclusively at your own node.
newbie
Activity: 210
Merit: 0
December 13, 2023, 06:43:15 PM
#56
I think that collecting information looks like an anonymous cryptocurrency wallet is bad. Unfortunately, this is how every product works these days((
legendary
Activity: 3122
Merit: 7618
Cashback 15%
December 11, 2023, 03:31:28 PM
#55
This tweet[1] reports that as soon as you access the Ledger Live app, this app retrieves data about assets you hold in your hardware wallet. It also sends a ton of other information about your computer and device.


[1] https://nitter.net/rektbuildr/status/1732541519284900198

Ledger Live App Allegedly Collecting Vast User Data
https://bitcoinnews.com/ledger-live-app-accused-of-collecting-user-data/

Ledger Live data collection is more than a little concerning
https://crypto.bi/forum/threads/ledger-live-data-collection-is-more-than-a-little-concerning.5/
legendary
Activity: 3220
Merit: 5630
Blackjack.fun-Free Raffle-Join&Win $50🎲
November 14, 2023, 05:30:11 AM
#54
@m2017, My version is a bit newer (above 2.50), so maybe that's why it still works, but yours is obviously too old and can't be synchronized, considering that Ledger made some significant changes on its end and that old version no longer works. However, as far as I know, it is possible to manually install older versions of LL, and that could be a way to get a functional LL even without installing the latest version.

https://www.ledger.com/ledger-live/lld-signatures
legendary
Activity: 1792
Merit: 1296
keep walking, Johnnie
November 13, 2023, 12:46:55 PM
#53
@m2017, what exact version of LL do you have?
I wrote about this above. I don't remember the exact version, something like 2.40 or close. An earlier version than 2.42. That's for sure.
(some version like 2.40 or so)

I also have a very old version and I don't have a problem with synchronization (so far), so maybe you should check that maybe your antivirus or firewall doesn't block internet access to LL.
I also wrote about this. The Internet is fine. Since the time when this version of LL was installed, practically nothing has changed in this OS. This is a backup / spare PC that I use very rarely. That is why LL remained in the form in which it was installed.

It also occurs to me that Ledger may be blocking users gradually so as not to cause panic, and considering their dirty tactics, that would not be a surprise at all.
What if this is the same gradual blocking / restriction of users that you are talking about? I assume that there are not so many users with old versions of LL left. Few people were likely to notice these changes (from a big user base).

I wouldn't bring this up for discussion unless it all seemed suspicious to me. This is somehow strange.
legendary
Activity: 3220
Merit: 5630
Blackjack.fun-Free Raffle-Join&Win $50🎲
November 13, 2023, 12:00:53 PM
#52
@m2017, what exact version of LL do you have? I also have a very old version and I don't have a problem with synchronization (so far), so maybe you should check that maybe your antivirus or firewall doesn't block internet access to LL. It also occurs to me that Ledger may be blocking users gradually so as not to cause panic, and considering their dirty tactics, that would not be a surprise at all.
legendary
Activity: 1792
Merit: 1296
keep walking, Johnnie
November 13, 2023, 10:29:00 AM
#51

I wanted to check the Ledger Live that was preinstalled a long time ago (some version like 2.40 or so), but when synchronizing it gives an error. Refresh doesn't change anything. The Internet works stably and all other applications that require an Internet connection work as before. Now old versions of Ledger Live can't sync with Ledger servers? Has Ledger really decided to force all users to update Ledger Live? If this is not an isolated case, then congratulations on another surprise from Ledger. Now everyone will be in their complete power without the right to refuse their services, such as the recovery function and other trash.

Tell the title of this topic now or it will be too late.

I also didn't use Ledger Live for a long time because of the shift to multisig (to Passport2 + Sparrow) for securing my stash. After reading your complaint I have downloaded the newest version (which is 2.71) from the official site and successfully updated my old version. Perhaps this could be a suitable option for you as well.
I'm sure there won't be any problems with the update. As you can see in the picture, version 2.42 is available for update, I’m sure all subsequent versions are included. The problem is that in my opinion, it looks like Ledger is forcing its users to update, even if they don't want to do so. Let's imagine I am a user who is quite happy with version 2.40 and doesn't want to update to later versions due to lack of trust in this company due to their new built-in functions in Ledger Live. But the unpleasant thing is that Ledger infringes on such users by not allowing them to use older versions of LL. Look again at the picture above - it simply gives an error that doesn't even allow you to access LL and the contents inside the wallet. This is simply called discrimination.

The option to update to the latest version is suitable only for idiots very trusting clients of Ledger. Perhaps earlier versions didn't yet have unnecessary functions (which is not a fact), but in later versions this is 100% present. This could still be used as the last loophole, which Ledger seems to have completely covered by introducing a synchronization error. I assume that this was done deliberately, which once again casts a shadow on the reputation of this company.

My conclusions may seem paranoid, but I have said more than once that in the case of any finance (and not just crypto assets), no paranoia is unnecessary. Especially when you use devices from manufacturers who have f@cked up more than once, tarnished their reputation and introduced very dubious services.
hero member
Activity: 714
Merit: 1298
Cashback 15%
November 13, 2023, 07:57:21 AM
#50

I wanted to check the Ledger Live that was preinstalled a long time ago (some version like 2.40 or so), but when synchronizing it gives an error. Refresh doesn't change anything. The Internet works stably and all other applications that require an Internet connection work as before. Now old versions of Ledger Live can't sync with Ledger servers? Has Ledger really decided to force all users to update Ledger Live? If this is not an isolated case, then congratulations on another surprise from Ledger. Now everyone will be in their complete power without the right to refuse their services, such as the recovery function and other trash.

Tell the title of this topic now or it will be too late.

I also didn't use Ledger Live for a long time because of the shift to multisig (to Passport2 + Sparrow) for securing my stash. After reading your complaint I have downloaded the newest version (which is 2.71) from the official site and successfully updated my old version. Perhaps this could be a suitable option for you as well.
legendary
Activity: 2268
Merit: 18509
November 13, 2023, 07:23:31 AM
#49
-snip-
Yeah, good plan.

Another option for any altcoins which don't have their own wallet software which can interact with your Ledger device while bypassing Ledger Live would be any wallet which can run on an airgapped device. You can import your seed phrase to the airgapped wallet (having moved all your bitcoin already!) and use that to sign a transaction which moves your altcoins.

Yet another option would be to export and import individual private keys, but I suspect the vast majority of altcoins don't have wallets which would support this.
legendary
Activity: 1260
Merit: 1954
November 12, 2023, 07:04:00 PM
#48
Seems like it: https://support.ledger.com/hc/en-us/articles/360012207759-Solve-a-synchronization-error. The first step to solving a sync error is to "update Ledger Live".

For anyone with their coins still on a Ledger who obviously don't want to do this, then you can bypass Ledger Live entirely and simply interact with your Ledger device via either Electrum or Sparrow. Once you've got it connected up, use this set up to transfer all your coins to a better hardware wallet or cold storage solution.

That's exactly the way I went - at least for the time being. Some of the coins were still stored there. However I also had a few altcoins, which I mainly managed or stored in Ledger Live.
Call me paranoid, but first I transferred my bitcoins via Electrum. Only after the step was completed, I updated Ledger Live and then also the firmware and various apps. This was necessary to be able to sign some transactions without running into an error. (only for certain coins/tokens)

Don't think about how you have allowed yourself to be limited by a 3rd party for years...
legendary
Activity: 2212
Merit: 7064
Cashback 15%
November 12, 2023, 06:50:10 PM
#47
I don't know whether that is true or not but I came across the mention that Ledger wallets are assembled by Flextronics. This means that Ledger company doesn't have the facilities to produce hardware and relies on a 3rd party which in turn may appear as the other potential "hidden" and weak section in the trust chain.
No, from my research Ledger devices are produced in China, maybe by this Flextronics, and then they are assembled in France.
I am not defending Ledger in any way, but there is a difference between assembling and producing.
But there is a chance they changed something in the last few months to reduce expenses.

legendary
Activity: 2268
Merit: 18509
November 12, 2023, 02:45:36 PM
#46
Seems like it: https://support.ledger.com/hc/en-us/articles/360012207759-Solve-a-synchronization-error. The first step to solving a sync error is to "update Ledger Live".

For anyone with their coins still on a Ledger who obviously don't want to do this, then you can bypass Ledger Live entirely and simply interact with your Ledger device via either Electrum or Sparrow. Once you've got it connected up, use this set up to transfer all your coins to a better hardware wallet or cold storage solution.
legendary
Activity: 1792
Merit: 1296
keep walking, Johnnie
November 12, 2023, 10:44:12 AM
#45

I wanted to check the Ledger Live that was preinstalled a long time ago (some version like 2.40 or so), but when synchronizing it gives an error. Refresh doesn't change anything. The Internet works stably and all other applications that require an Internet connection work as before. Now old versions of Ledger Live can't sync with Ledger servers? Has Ledger really decided to force all users to update Ledger Live? If this is not an isolated case, then congratulations on another surprise from Ledger. Now everyone will be in their complete power without the right to refuse their services, such as the recovery function and other trash.

Tell the title of this topic now or it will be too late.
hero member
Activity: 714
Merit: 1298
Cashback 15%
November 12, 2023, 05:59:02 AM
#44

In fact, no hardware wallet manufacturer can be trusted 100%.

It is not necessary to boycott Ledger or Trezor. You just need to be aware of the existing risks and take this into account when storing your crypto assets on these devices. The realization that one day, your money may not be on these hardware wallets. Who even came up with the idea that they (and others) can be blindly trusted?


I don't know whether that is true or not but I came across the mention that Ledger wallets are assembled by Flextronics. This means that Ledger company doesn't have the facilities to produce hardware and relies on a 3rd party which in turn may appear as the other potential "hidden" and weak section in the trust chain.

Thus, the best approach for keeping a bitcoin stash safe is to use a multisig wallet with HW cosigners from different manufacturers.

legendary
Activity: 1792
Merit: 1296
keep walking, Johnnie
November 11, 2023, 09:35:34 AM
#43
So whoever wants to keep their crypto now should boycott Ledger as well as Trezor.
I do get the hate for Ledger but I do not understand why there is some hate here for Trezor too. Other than their Seed extraction vulnerability and the possibility of pushing a malicious version of firmware or Trezor Suite. Is there anything I might have missed?

AFAIK, there is no security threat in the Trezor models but their censorship became questionable when their coinjoin partnership with Wasabi leaked users' addresses and they tried to hide it by censoring users on Reddit and other platforms, showing that they can't be trusted either.

Also, their hardware malfunctions have become issues, like LCD screens failing on multiple devices, and the lack of support from the team makes them untrustworthy with my Bitcoin.

Related Threads

Coinjoin on Trezor Suite
Trezor problem!
In fact, no hardware wallet manufacturer can be trusted 100%. If the partnership with Wasabi was known, then there may be partnerships unknown (secret) to the general public. For example, with the government (this is not necessarily the case). It is unlikely that any of the manufacturers will advertise this, to put it mildly. After all, every hardware wallet manufacturer has a country of jurisdiction, in other words, production workshops, warehouses, work offices, and the like. That is, leverage can always be found to persuade a HW device manufacturer to partner, which means there should always be doubts about the reliability of any of the manufacturers.

It is not necessary to boycott Ledger or Trezor. You just need to be aware of the existing risks and take this into account when storing your crypto assets on these devices. The realization that one day, your money may not be on these hardware wallets. Who even came up with the idea that they (and others) can be blindly trusted?

Maybe the hatred towards Trezor arises because it is the largest competitor (one of the industry leaders) of Ledger. That is, when a company expands very strongly, it ceases to be customer-oriented, switching to money-oriented. And when the main goal is money, then you can expect anything from the manufacturer (being their client).
hero member
Activity: 2296
Merit: 755
Bitcoin = Financial freedom
November 11, 2023, 04:25:49 AM
#42
So whoever wants to keep their crypto now should boycott Ledger as well as Trezor.
I do get the hate for Ledger but I do not understand why there is some hate here for Trezor too. Other than their Seed extraction vulnerability and the possibility of pushing a malicious version of firmware or Trezor Suite. Is there anything I might have missed?

AFAIK, there is no security threat in the Trezor models but their censorship became questionable when their coinjoin partnership with Wasabi leaked users' addresses and they tried to hide it by censoring users on Reddit and other platforms, showing that they can't be trusted either.

Also, their hardware malfunctions have become issues, like LCD screens failing on multiple devices, and the lack of support from the team makes them untrustworthy with my Bitcoin.

Related Threads

Coinjoin on Trezor Suite
Trezor problem!
legendary
Activity: 2268
Merit: 18509
November 10, 2023, 04:57:43 AM
#41
Other than their Seed extraction vulnerability and the possibility of pushing a malicious version of firmware or Trezor Suite. Is there anything I might have missed?
They work with Wasabi, meaning they are pro-censorship, they fund blockchain analysis, and they support government blacklists. They were also a big supporter of AOPP, which was a protocol designed to make you KYC your own addresses to centralized exchanges before being allowed to withdraw. They only pulled their implementation of it after huge community backlash. The argument against these facts is always "Well, you don't have to use these 'features' if you don't want to", but it shows their underlying morals and ethos are very much not what they once were. I don't want my hardware wallet designed by people who are so pro-surveillance.

I also take more issues with their approach to the seed extraction vulnerability rather than the seed extraction vulnerability itself. I explain why here: https://bitcointalksearch.org/topic/m.53803392
hero member
Activity: 756
Merit: 1723
Crypto Swap Exchange
November 09, 2023, 11:45:13 PM
#40
I am wondering how long this will take before somebody files a lawsuit against Ledger for lying to their customers about the Secure Element and how it was impossible to breach their top notch security.

Will agree with the others here who say the best option is an airgapped computer. While Ledger, Trezor and other Hardware Wallet producers can dispatch a malicious firmware, Bitcoin Core will not get an official malicious version. If it does get one then we will get a non malicious version right the next minute.

So whoever wants to keep their crypto now should boycott Ledger as well as Trezor.
I do get the hate for Ledger but I do not understand why there is some hate here for Trezor too. Other than their Seed extraction vulnerability and the possibility of pushing a malicious version of firmware or Trezor Suite. Is there anything I might have missed?

God. It is so depressing to look at how things were years ago versus now. We are looking at everybody we used to love jumping on the wagon of Surveillance and lack of Privacy when years ago it was all the love in the world for these people.
member
Activity: 99
Merit: 153
November 09, 2023, 05:02:36 PM
#39
40 characters minimum is overkill, IMHO.

Owning Bitcoin means being your own bank.  Only you can decide how important your security is to you.

I'm a firm believer in using a 24 word seed, written on paper and backed up on metal, secured in 2 locations only I have access to, plus an 8 word passphrase also secured twice.

EDITED to add: My view is that I need to secure my Bitcoin as if Bitcoin's price is $1 million, because someday it will be.  The way to make sure I still have coins when that day comes is to have that level of security now.  And since it's so easy to do, I do it.
hero member
Activity: 714
Merit: 1298
Cashback 15%
November 09, 2023, 04:35:36 AM
#38
BTW, what advantages do you see in Krux when comparing it, let's say, with Jade?

Krux makes it ridiculously easy to use passphrases.  And when I say "passphrases," I mean strong passphrases.  My passphrases are 40 characters minimum, always using words and spaces with punctuation where appropriate.  


40 characters minimum is overkill, IMHO. A passphrase is exclusively for saving your stash in case your SEED comes to the notice of someone else. The length of the passphrase will be irrelevant if the user puts the SEED away safely.

However, everyone is free to use a passphrase of any length (ranging from zero to n) which is comfortable for him, thus I don't think that Jade compares poorly to Krux in the passphrase regard.

What else?
member
Activity: 99
Merit: 153
November 08, 2023, 04:53:41 PM
#37
BTW, what advantages do you see in Krux when comparing it, let's say, with Jade?

Krux makes it ridiculously easy to use passphrases.  And when I say "passphrases," I mean strong passphrases.  My passphrases are 40 characters minimum, always using words and spaces with punctuation where appropriate.  I have three passphrases for my seed.  The first is for work.  The second is for personal savings.  The third is for testing.  Krux makes it so easy to use strong passphrases.

I've never found any other hardware wallet that makes entering and using strong passphrases so quick and easy.  You don't have to type them on the device or in a companion app.  You CAN, but you don't have to.  Instead, you can save your passphrase as a QR code to scan.

Here's how quick and easy it is to use Krux:

Turn on the device.
1: I scan the QR code with my seed.
2: My seed's QR is encrypted, so I scan the QR with the decryption password.
3: Scan the QR code with my passphrase.
Done.

Three quick scans.

I love that the device is airgapped and saves none of my info.  When I shut down, my seed & passphrase are erased.  And since the device isn't crypto related (it's a Maix Amigo), it doesn't call attention to itself as a Bitcoin thing.  The UI is really great, and it's a breeze to use on that large touchscreen.

Wallets that make using passphrases inconvenient are one of my major complaints.  So many wallets force you to type the passphrase every time, which encourages people to use terrible passphrases that are short and easy to crack, or worse, they make it so inconvenient that people don't use passphrases at all.  Or even worse than that, they make the process confusing and complicated.  Ugh.  No wonder so few people understand what passphrases are and how to use them properly.  Krux makes it easy.
hero member
Activity: 714
Merit: 1298
Cashback 15%
November 08, 2023, 08:22:15 AM
#36

I'm a huge fan of a project called Krux,

Little did bitcoiners know which is the fully creditable wallet; they would buy it.

You like Krux, I'm fond of Passport, the others prefer something else, but all of us have in common our attitude to Ledger, which has gained a reputation for being a company which pissed off customers.

BTW, what advantages do you see in Krux when comparing it, let's say, with Jade?
member
Activity: 99
Merit: 153
November 07, 2023, 08:28:26 PM
#35
I had been using Ledger for a few years. But due to their FUCKING system, I am going to move to another hardware wallet. Right now, I am searching and comparing the best wallets. I am afraid lately to store a larger amount in the ledger. Even though the community wants open-source software, they still don't care. Rather, they launched a seed recovery service, which is the worst thing in crypto.

Good for you!  Ledger is a terrible company and their hardware cannot be trusted anymore.  I stopped using mine the day they announced their key extraction firmware.  I didn't move my coins right away though.  I did what you're doing.  I started searching for my next hardware wallet.

In my opinion, there is no such thing as the best hardware wallet.  Which one is the best will come down to your own wants, needs and abilities.  For example, Trezor is great for somebody who wants easy to use hardware with a user friendly companion app.  ColdCard is great for somebody who wants top notch security and is willing to deal with a device that isn't as user friendly.  SeedSigner is a great choice for somebody who is willing to do some DIY and doesn't want to be tied to a company that could go rogue or turn evil, like Ledger did.  SeedSigner is totally open source software that runs on off the shelf parts (a Raspberry Pi Zero).

I'm a huge fan of a project called Krux, which is fully open source.  Here's my review with lots of images.  Krux is like a deluxe SeedSigner that runs on off the shelf hardware.  You can buy a Maix Amigo for less than $60 and install Krux on it.  The Amigo is awesome because it has a camera and a large touchscreen, which makes using it REALLY easy, but even better, it means the device clearly shows you everything, including full addresses, etc, so confirming things is easy.  Krux is particularly good for anyone who uses singlesig with a passphrase, or multisig.  Krux is airgapped, but even better, Krux can save encrypted QR codes, so even if somebody were to find your QR code they wouldn't be able to read it (or even know what it is, other than a QR code).  Seriously, the folks working on Krux are doing amazing things in my opinion, and they're doing all of this while keeping Krux incredibly easy to use with a simple but intuitive UI.  Like I said, I'm a huge fan.

Here's a picture of an Amigo next to an old iPhone 4, for comparison.  To be clear, it doesn't run on an iPhone.  I'm just using an iPhone in this image next to an Amigo so you can see the size of the device:



And here's a pic of the Krux startup screen.  Super-simple and intuitive:



For me, Krux on a Maix Amigo with Sparrow or BlueWallet are a killer combo.
legendary
Activity: 2226
Merit: 2169
Need PR/CMC & CG? TG @The_Cryptovator
November 07, 2023, 05:43:47 PM
#34
I had been using Ledger for a few years. But due to their FUCKING system, I am going to move to another hardware wallet. Right now, I am searching and comparing the best wallets. I am afraid lately to store a larger amount in the ledger. Even though the community wants open-source software, they still don't care. Rather, they launched a seed recovery service, which is the worst thing in crypto.
legendary
Activity: 2730
Merit: 7065
Farewell, Leo. You will be missed!
October 27, 2023, 11:57:14 AM
#33
Also, the approach you've adopted, like partial signing online and then signing offline and broadcasting it, is something I wasn't aware of.
That's a mistake. It isn't partial offline signing. It's a normal (full) signature on an offline machine which is later exported as a file or QR code to be broadcasted on a device with internet connection. If the signing keys are exclusive to the offline wallet and we aren't discussing a multi-sig wallet, the whole signing process takes place offline.

Access to the private keys MUST be granted in order to sign anything.
Yes, of course. No one is questioning that. But the narrative was that the keys can never leave, aka be exported from the secure element. And turned out to be false.

Exactly. And people that didn't know better believed it. The rest knew that what this really meant was with an asterisk attached: "*so long as no firmware commands it".
I don't know about that. I don't remember seeing a discussion with people who knew key extraction was possible before Ledger told us it is. Not on Bitcointalk at least. If such a thread exists, someone please point me to it. 
newbie
Activity: 0
Merit: 0
October 26, 2023, 03:55:15 PM
#32
Just in the spirit of clarity here, I think while it's important to note that although Ledger's communication has been terrible and their marketing repeated this notion - the belief that a secure element could never reveal private keys in any form regardless of what firmware was thrown at it was and has always been incorrect.

But it's what Ledger had been telling us since day one:

Exactly. And people that didn't know better believed it. The rest knew that what this really meant was with an asterisk attached: "*so long as no firmware commands it". I don't fault people for taking it verbatim, most users had no reason to question the wording or dig any deeper. But the truth is there was never anything so magical about Ledger hardware which prevented firmware from extracting the seed. So prior to Recover - all you had to do was trust that Ledger wasn't going to maliciously backdoor their firmware to swipe your seed. This is less ideal than an open source or source verifiable hardware wallet - but still within the scope of what many people are willing to tolerate.

When Ledger announced recover, they did 2 things:
1. They alerted people who thought otherwise that this was even possible to begin with. So that was a scare to many but not to others.
2. They alerted people who already knew this would be technically possible (but insane to implement) that they were actually going to do such a thing. This is the bigger red flag. Not that it was possible, but that they were actually building something like this into future firmware.

My main point here is what Ledger is now doing is using this fact (which is now more common knowledge than it was prior to the Recover announcement) to liken trusting their Recover service to trusting any other hardware wallet. "You have to trust any hardware wallet so what's the big deal if we have Recover firmware?" as if trusting Recover is the same as trusting any SE. Levels of trust are not all equal but Ledger is gaslighting people into thinking the recover mechanism requires the same level of trust as any hardware wallet and that's so false. They're using this false equivalence trickery to calm the waters and it seems to be working, sadly.  
legendary
Activity: 1344
Merit: 6415
Farewell, Leo
October 26, 2023, 03:41:55 PM
#31
A hardware wallet doesn't (shouldn't) need to connect to any manufacturer servers in order to work.
Exactly, and it should be completely open-source. It might even work completely airgapped, but if the firmware used is closed-source, then you can't know if the company can access your funds. Flawed RNG or malicious code inside cryptographic libraries can grant them total access, and you can't prove anything.

I don't know Ledger, but I know they were never open-source to begin with. We should trust nobody who claims to be in favor of privacy and security without complete software transparency. Period.
member
Activity: 99
Merit: 153
October 26, 2023, 03:29:55 PM
#30
Just in the spirit of clarity here, I think while it's important to note that although Ledger's communication has been terrible and their marketing repeated this notion - the belief that a secure element could never reveal private keys in any form regardless of what firmware was thrown at it was and has always been incorrect.

But it's what Ledger had been telling us since day one:

Quote
"Your keys are always stored on your device and never leave it"

btchip, Ledger Co-Founder

Quote
"Hi - your private keys **never** leave the Secure Element chip, which has never been hacked. The Secure Element is 3rd party certified, and is the same technology as used in passports and credit cards.  A firmware update cannot extract the private keys from the Secure Element."

@Ledger on Twitter

Quote
"Private data, such as your private keys will be protected and never leave the device due to the combination of BOLOS and the Secure Element."

Quote
"The secret keys or seed are never exposed to the BLE stack and never, ever leave the Secure Element."

Quote
"While Ledger is using a dual chip system with an MCU as well, the important part is that your private keys remain inside the Secure Element."

Quote
"This means that, beyond keeping your private key offline and away from hackers, the Ledger device itself is also completely impenetrable from external threats"

Lies, lies, lies.

Ledger Lies.
newbie
Activity: 0
Merit: 0
October 26, 2023, 01:50:34 PM
#29
Ledger has revealed something we initially thought was impossible because that's what we were told. And that's the way secure element chips function.

Just in the spirit of clarity here, I think while it's important to note that although Ledger's communication has been terrible and their marketing repeated this notion - the belief that a secure element could never reveal private keys in any form regardless of what firmware was thrown at it was and has always been incorrect. This was known long before Recover was ever announced. It's how hardware wallets work. Access to the private keys MUST be granted in order to sign anything. The concept of a HW wallet that can both sign a Tx and have ZERO access to the privkeys ever is possible in theory but not in practice as this would mean you would never realistically be able to update the wallet ever. No bugs could be patched etc. It's not practical. Forgive my inability to explain the technical details of this as I'll leave that to people smarter than me but this is how it was explained to me.

So the fact that your wallet can spit out your keys if the firmware allows it is NOT what the problem here is and I think it's very important to understand this in order to combat the gaslighting coming from Ledger. Coldcard will reveal your keys in plain text on the device as well as export them in encrypted form via SD card for a backup if you like. This in no way makes the secure elements or the wallet less secure, those are simply features of the device that are baked into the firmware. (You can always lock down the seed if you like to remove this feature of course but all of it is locked behind a pincode anyways) The crucial differences here are 1) you know exactly what the device is doing and 2) the keys if revealed are only being shown to you and you alone, they're not being sent anywhere. You can either see them on the device or you can export them encrypted on an SD. And 3) you were never led to believe this was impossible with fancy marketing that led you into a false sense of what the hardware was actually capable of. Ledger was deliberately misleading in their marketing at times even stating that "Not even a firmware update could extract your keys" when this was blatantly false. So when people who didn't know better learned that this was actually technically possible they lost it - but they lost it for the wrong reasons! The REAL reason this should worry people is that the process of extracting keys involves so much 3rd party trust and involves those keys being sent through your computer over the internet. That is what should frighten people, not that a SE can spit out a seed if it's told to.


copper member
Activity: 1526
Merit: 2890
October 26, 2023, 01:01:27 PM
#28
I'm really concerned about the last changes of Ledger and their narratives about how they can get your private key. In addition, they always update software because of their shitcoins. I finally moved my fund from Ledger wallet to a software cold wallet and learned how to deal with a cold wallet and transfer transactions: partial signing online and then signing offline and broadcasting it 😏, and learned some coin control and am going to learn some privacy coinjoin. It works so great. Why didn't they tell us about cold wallets from the beginning instead of wasting our money on a fucking signing device? Really, I enjoyed the experiment, and fuck you Ledger 🖕, and I want to thank you Gus because you helped me so much.

Impressed... and I 100% agree with you, although I've never used Ledger. However, I've always been skeptical about hardware wallets, especially when they announced changes and narratives regarding private key security.

It's better to be vigilant when it comes to the safety of our online assets.

It's good to hear that you've switched to an offline software wallet. We should too. Also, the approach you've adopted, like partial signing online and then signing offline and broadcasting it, is something I wasn't aware of.

I think I need to explore these concepts too, especially this privacy coinjoin, as it adds an extra layer of privacy to your transactions. It's an excellent way to take control of your online privacy in this crypto world.

I've always believed that offline software wallets are not only secure but also cost-effective. If managed correctly, cold wallets can offer the same level of security, or maybe sometimes even surpass hardware wallets.

Well, thanks for sharing your experience.
legendary
Activity: 2730
Merit: 7065
Farewell, Leo. You will be missed!
October 26, 2023, 12:44:45 PM
#27
The key issue here is that even if at this point you do need a physical button press to confirm/deny a Tx or seed sharding, there is nothing inherent in the architecture of Ledger's hardware that restricts the device to operating this way forever. The required button presses are a firmware update away from not being needed at all. Which means that change could be made with or without your knowledge. "We promise we won't" Back to trust me bro.
There are two possibilities here, both rely on trust. You can either have trust that the old firmware still makes physical button presses mandatory to the process, and that the option to bypass button presses doesn't exist in the old firmware versions. Or you can trust Ledger that their new code changes will never allow for the possibility to bypass button presses. The third option I didn't mention is completely abandoning Ledger HWs. 

Sorry, but I'm quite confused as I never owned a Ledger. Isn't it a hardware wallet? Doesn't that mean it cannot connect to any network except the computer that you'll plug it into?
Ledger has revealed something we initially thought was impossible because that's what we were told. And that's the way secure element chips function. In earlier years it was said that no sensitive data can even leave the chips. We know now that it isn't true. It can if the software tells it to.
newbie
Activity: 0
Merit: 0
October 26, 2023, 12:09:34 PM
#26
Ledger keeps repeating that "all hardware wallets require trust" and people get lost in this because while on one hand it's true to some degree, not every wallet requires as much trust as one that's closed source which also has the ability via firmware to split and send seeds through your USB/Bluetooth connection, through your PC and then stored elsewhere.
Compare Ledger - closed source, connects to an internet enabled device, has the ability to send your seed phrase across the internet - to something like a Passport - open source, completely airgapped, communicates with QR codes - and the difference is stark. The difference in the amount of trust required, and the amount of independent verification which is possible, is astronomical.

It's like saying "all software wallets require trust" when comparing something like airgapped open source Sparrow wallet, to hot closed source Trust wallet. There is simply no comparison, and anyone claiming they are in any way similar is either naive or malicious.


This is it right here. And the communication from Ledger so far has been particularly gaslighty, whereas they're trying to (and successfully have done so if you read the Reddit threads) make people equate the level of trust needed to feel safe with Ledger Recover with trusting any other hardware wallet to simply generate and store your seed. It's gaslighting and obfuscation. Trying to make people seem paranoid for questioning this since "every wallet needs trust bro what's the big deal?!"

Doesn't that mean it cannot connect to any network except the computer that you'll plug it into? Doesn't that mean that the only manner to expose your private keys is by establishing a connection with their servers once you plug it into your PC and by sending your private keys to their server?

A hardware wallet doesn't (shouldn't) need to connect to any manufacturer servers in order to work. You can use a Ledger with Electrum as well just as easily. You need to use Ledger's software in order to get coin-specific apps onto the device as well as firmware updates but once that's done there's no need to ever touch their software again until it's time to update firmware.

The problem(s) here is that:

1. Their firmware is closed source so nobody has any way of knowing what the firmware is doing.

2. They've introduced a recovery service which places on your device code that makes it possible to extract your seed, shard it and have it sent through your computer to other custodial servers. This is being sold as a feature but is fraught with danger and is an absolutely horrid idea for dozens of reasons that have already been covered.

3. For all we know the actual code that enables this ability could've been rolled into previous firmware versions either as a placeholder or as a test. So it may technically already be there and there's literally no way of knowing because it's closed source. Saying "I just won't update then" isn't enough to be sure.

4. The idea that firmware can allow the secure element to reveal the seed really is a non-issue and is being used to obfuscate the issue by Ledger when they say "any hardware wallet can technically spit the seed out if firmware tells it to" - yes but they're not sending your keys through your PC which may or may not be malware infected, outward across the internet to 3rd parties which you now have to trust. However this did highlight the deep misunderstanding many people had about how hardware wallets actually work - this was due in part to most people being uneducated on the technicalities and also Ledger's fault for constantly using the wording that your seed could never leave the device. Now it's "oh well of course they can you should've known that but only if our firmware allows it which now it does"

5. Another point that has been stated to death but needs to be repeated is that the idea of "if you don't opt in what's the problem?!" is misleading because there is nothing permanent in the hardware that stops the need for a button press to allow key extraction from being removed in a firmware update. So technically - Ledger could force you into this through a firmware update and extract your keys without you doing a single thing. The ability is there. Even if today you had to press buttons to allow the recovery service there's nothing that prevents them from removing that requirement in the future. Or perhaps it's already removed and the button press is just theatre to make you think it's necessary. You can't know because they're closed source. "Trust me bro!".
legendary
Activity: 1260
Merit: 1954
October 26, 2023, 08:35:12 AM
#25
Sorry, but I'm quite confused as I never owned a Ledger. Isn't it a hardware wallet? Doesn't that mean it cannot connect to any network except the computer that you'll plug it into? Doesn't that mean that the only manner to expose your private keys is by establishing a connection with their servers once you plug it into your PC and by sending your private keys to their server?

Does it require downloading closed-source Ledger software as well for it to work? Sounds pretty fucked up situation.

Nah you are right. It's a hardware wallet which integrates with their software Ledger Live. All firmware updates are handled over Ledger Live. And since it's closed-source no one knew that there is or was a "backdoor" to extract the mnemonic phrase of your device.
Yesterday they launched their service called Ledger Recovery which caused the drama. The thread about it was already mentioned here but I recommend reading it: Ledger Recovery - Send your (encrypted) recovery phrase to 3rd parties entities
legendary
Activity: 1344
Merit: 6415
Farewell, Leo
October 26, 2023, 08:19:17 AM
#24
Sorry, but I'm quite confused as I never owned a Ledger. Isn't it a hardware wallet? Doesn't that mean it cannot connect to any network except the computer that you'll plug it into? Doesn't that mean that the only manner to expose your private keys is by establishing a connection with their servers once you plug it into your PC and by sending your private keys to their server?

Does it require downloading closed-source Ledger software as well for it to work? Sounds pretty fucked up situation.
member
Activity: 99
Merit: 153
October 26, 2023, 05:43:08 AM
#23
Why don't they just open-source their firmware, at least with a restrictive license if they are not comfortable with the unlimited freedoms of MIT or GPL or similar? That is the quickest way to dispel any fears that there is a backdoor in Ledger source code. But of course, they won't do that, so it's best to avoid any kind of wallet - hardware or software - where its operation cannot be independently verified.

Perhaps there are things in the firmware they don't want anyone to know.  They've been talking about making their code open source, but they're also lying about what "open source" actually means.  In other words, they want to use the phrase Open Source while keeping some of their code closed...  which just raises more questions about what they're hiding.

Ledger is dirty.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
October 26, 2023, 03:58:34 AM
#22
Anybody who says you have to use the buttons to confirm actions is assuming that to be true.  Since Ledger's code is closed, no one but Ledger knows for sure what their code actually does.  Even Ledger admitted they can't prove their code doesn't have any backdoors.  They lied, saying "...because you can't disprove a negative," but that's nonsense.  Ledger can't prove their code doesn't have backdoors because Ledger's code isn't open.

Why don't they just open-source their firmware, at least with a restrictive license if they are not comfortable with the unlimited freedoms of MIT or GPL or similar? That is the quickest way to dispel any fears that there is a backdoor in Ledger source code. But of course, they won't do that, so it's best to avoid any kind of wallet - hardware or software - where its operation cannot be independently verified.
legendary
Activity: 2268
Merit: 18509
October 26, 2023, 03:26:14 AM
#21
Ledger keeps repeating that "all hardware wallets require trust" and people get lost in this because while on one hand it's true to some degree, not every wallet requires as much trust as one that's closed source which also has the ability via firmware to split and send seeds through your USB/Bluetooth connection, through your PC and then stored elsewhere.
Compare Ledger - closed source, connects to an internet enabled device, has the ability to send your seed phrase across the internet - to something like a Passport - open source, completely airgapped, communicates with QR codes - and the difference is stark. The difference in the amount of trust required, and the amount of independent verification which is possible, is astronomical.

It's like saying "all software wallets require trust" when comparing something like airgapped open source Sparrow wallet, to hot closed source Trust wallet. There is simply no comparison, and anyone claiming they are in any way similar is either naive or malicious.

"Oh but the shards are encrypted!" This only sounds good until you realize that Ledger themselves say that any device can restore the shards. So the encryption keys are either specific to Ledger hardware (meaning anybody with a Ledger has them) or they're stored at Ledger headquarters (meaning they have them and you have to hope they aren't leaked the way all those addresses and emails were). Any way you slice this it's frightening.
The key is common to all Ledger devices, and therefore the encryption is utterly useless: https://bitcointalksearch.org/topic/m.62453002
newbie
Activity: 0
Merit: 0
October 25, 2023, 04:12:32 PM
#20

Anybody who says you have to use the buttons to confirm actions is assuming that to be true. 

The key issue here is that even if at this point you do need a physical button press to confirm/deny a Tx or seed sharding, there is nothing inherent in the architecture of Ledger's hardware that restricts the device to operating this way forever. The required button presses are a firmware update away from not being needed at all. Which means that change could be made with or without your knowledge. "We promise we won't" Back to trust me bro.

Ledger keeps repeating that "all hardware wallets require trust" and people get lost in this because while on one hand it's true to some degree, not every wallet requires as much trust as one that's closed source which also has the ability via firmware to split and send seeds through your USB/Bluetooth connection, through your PC and then stored elsewhere.

"Oh but the shards are encrypted!" This only sounds good until you realize that Ledger themselves say that any device can restore the shards. So the encryption keys are either specific to Ledger hardware (meaning anybody with a Ledger has them) or they're stored at Ledger headquarters (meaning they have them and you have to hope they aren't leaked the way all those addresses and emails were). Any way you slice this it's frightening.
member
Activity: 99
Merit: 153
October 25, 2023, 03:58:58 PM
#19
If you're referring to the firmware update that allowed the Recover "option" to work, it doesn't matter if you sign up for it or not; Ledger admitted they can pinch your private keys out of the secure element at any time, which they had previously said wasn't possible

YES.

Anybody who says you have to use the buttons to confirm actions is assuming that to be true.  Since Ledger's code is closed, no one but Ledger knows for sure what their code actually does.  Even Ledger admitted they can't prove their code doesn't have any backdoors.  They lied, saying "...because you can't disprove a negative," but that's nonsense.  Ledger can't prove their code doesn't have backdoors because Ledger's code isn't open.

Anyone who tells you Ledger's code is safe is making assumptions about their code, and that's very dangerous.
newbie
Activity: 0
Merit: 0
October 25, 2023, 03:39:09 PM
#18
First off, one aspect of this entire thing that seems to barely ever be discussed which bothers me far more than the concept of a recover feature is the fact that Ledger seems to be quite comfortable attending WEF retreats and rubbing elbows with the same people who want us to own nothing and be happy. I don't feel safe leaving my keys in the hands of a "trust me bro" CEO who attends WEF conferences and refuses to fully open source firmware that's capable of extracting keys from their devices via USB cable through a PC and over the internet.

Secondly, they keep beating the drum about how these shards are encrypted, but if anybody can restore their keys on a brand new Ledger then clearly the encryption keys to these shards reside somewhere within Ledger. Where? Who has them? If any device can restore with 2/3 shards then that means it only takes collusion from 2 of these companies that store the shards to have access to every single key out there.

Thirdly, the idea of "just don't use it" may not be that simple as I recall seeing somewhere (I think within the other large thread on this topic) that the claim that you always have to physically press the buttons on a ledger to initiate an operation like sharding and sending your keys via recovery service is actually false, as the device can be updated via firmware to drop this necessity with ease. Somebody (sorry I can't remember who or where) posted evidence that proves the physical button press is not technically required for such an action to be engaged. If anybody knows the technicalities of this or can prove it true or false please reply with such info.

Edit: I think it was this post I'm referencing.


In theory, unless you update to the newest firmware that unlocks seed-share and approve it physically by pressing the buttons on your Nano, the feature won't work.
Which is completely irrelevant. Given that a simple software update means the secret element can now export private keys, then a simple software update could make this feature mandatory, or could remove the need for any physical button presses, or could take everyone's private keys without their knowledge or consent. The whole point of the secure element is moot. The entire security of the device hinges on non malicious software.

It's probably worth pointing out that this is also the case for Trezor devices, which everyone on Reddit seems to be keen to move to. If Trezor implement malicious software, then the same thing will happen. The only hardware wallet I would even think about touching right now is a Passport - permanently airgapped and completely open source - but as I said before, airgapped, encrypted, cold storage on an old laptop or similar is far preferable.



So really the fact that it's technically possible for Ledger to do this - that isn't the real issue (although their communication and prior marketing was abysmal) - any HW wallet can technically access the priv key if firmware demands it. The real issue is that there are a million things that haven't been answered on a technical level in the excruciating detail necessary for anyone to be able to feel good about this.

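The 2-of-3 point raised in posts #21 and #18 (any two shard holders colluding can rebuild the seed, while encryption under a key every Ledger device shares adds nothing against the people who hold that key) is easiest to see with a worked threshold split. The block below is an added illustration written for this thread, not Ledger's code and not a reproduction of the Recover protocol: it assumes a textbook Shamir split over the prime field GF(P), a constructed 32-byte stand-in for the seed, and three hypothetical custodians named A, B and C. It also shows the flip side, that one share on its own is consistent with every possible seed, which is why the threshold, not the encryption, decides who you are trusting. The functions work for any k-of-n, not only 2-of-3.

```python
"""Added illustration for the thread (not Ledger's code): a k-of-n Shamir
split over GF(P), used to show who can rebuild a secret from a 2-of-3 split.

Assumptions, all constructed for this example: the field prime P below, a
32-byte stand-in seed, and three hypothetical custodians A, B and C.
"""
import secrets
from itertools import combinations

# secp256k1's base-field prime, chosen only because it is a well-known
# 256-bit prime; any prime larger than the secret would do.
P = 2**256 - 2**32 - 977


def _eval_poly(coeffs, x):
    """Evaluate coeffs[0] + coeffs[1]*x + ... + coeffs[k]*x^k (mod P) by Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret: bytes, threshold: int, shares: int):
    """Shamir split: the secret is the constant term of a random polynomial of
    degree threshold-1; share i is the point (i, f(i)). Any `threshold` shares
    determine the polynomial, hence the secret."""
    s = int.from_bytes(secret, "big")
    if s >= P:
        raise ValueError("secret does not fit in the field")
    coeffs = [s] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def combine_shares(shares, length: int = 32) -> bytes:
    """Lagrange interpolation at x=0 recovers f(0) from `threshold` distinct points."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret.to_bytes(length, "big")


def recovering_coalitions(custodians: dict, secret: bytes, threshold: int):
    """Names of every group of `threshold` custodians whose shares rebuild `secret`.
    For a 2-of-3 split that is every pair: two colluding custodians suffice."""
    hits = []
    for group in combinations(sorted(custodians), threshold):
        pts = [custodians[name] for name in group]
        if combine_shares(pts, len(secret)) == secret:
            hits.append(group)
    return hits


def forge_companion(share, claimed_secret: bytes, x2: int):
    """For a 2-of-n split, a single share is consistent with *every* secret:
    given one share and any claimed secret, build a second point at x2 so that
    the pair interpolates to the claimed secret. One custodian alone learns nothing."""
    x1, y1 = share
    f = int.from_bytes(claimed_secret, "big")
    slope = (y1 - f) * pow(x1, -1, P) % P  # line through (0, f) and (x1, y1)
    return (x2, (f + slope * x2) % P)


if __name__ == "__main__":
    seed = bytes(range(32))  # constructed stand-in, not a real seed
    shares = split_secret(seed, 2, 3)
    custodians = {"A": shares[0], "B": shares[1], "C": shares[2]}  # hypothetical custodians
    print("coalitions that rebuild the seed:", recovering_coalitions(custodians, seed, 2))
    fake = b"\xab" * 32
    companion = forge_companion(custodians["A"], fake, 2)
    print("A's share alone also fits a different seed:",
          combine_shares([custodians["A"], companion]) == fake)
```

The custodian loop is the part to look at: with threshold 2 it prints all three pairs, so the trust boundary is "no two of these parties cooperate", and no encryption layer whose key every device carries changes that. `forge_companion` is the mirror image: whoever holds exactly one share cannot distinguish the real seed from any other, which is the property the threshold is supposed to provide.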
legendary
Activity: 2730
Merit: 7065
Farewell, Leo. You will be missed!
October 23, 2023, 12:40:22 PM
#17
I finally moved my fund from Ledger wallet to a software cold wallet and learned how to deal with a cold wallet and transfer transactions: partial signing online and then signing offline and broadcasting it
Yeah, this doesn't sound right. Could you tell us a bit more about how you created your offline wallet, and what you did with the OS before you generated your keys on it? To make sure you are doing it properly, how are you signing those transactions?

why they don't tell us about cold wallet from begining instead of wasting our money on a fucking signing device
Is this a serious question? Do you expect a company that relies on the sale of hardware wallets to tell you not to use hardware wallets because you can get the job done with airgapped cold wallets? Even the marketing geniuses at Ledger wouldn't do that.

If you're referring to the firmware update that allowed the Recover "option" to work, it doesn't matter if you sign up for it or not; Ledger admitted they can pinch your private keys out of the secure element at any time, which they had previously said wasn't possible (and someone please correct me if I've got any of that wrong, but what I wrote is my understanding of what Ledger did and how it works).
They also claim that keys can't leave the SE enclosure without your permission, meaning physical confirmation on your hardware wallet with the button presses. I have no idea if that is true or not, and even if it is, there is no publicly verifiable code for them to back up their words. And finally, even if there is, I wouldn't know how to read it and can only hope that those who know take the time to study it properly. Basically, it's a carousel of fuckery.

If I am not wrong, Ledger claims, "Here at Ledger we strongly believe in open source. It's one of our core values, a great philosophy that advocates openness, and verifiability. Open source allows developers and security experts to review the code and ensure it is secure and not malicious. Open source means you don't need to trust" [1]
Ledger Live is open-source and the crypto applications you install on your wallet are open-source. Some of them are created by third-party developers, some by Ledger in-house. The firmware and hardware aren't open source. You have no way of knowing what the software on your hardware wallet does.

Yeah....take a look at the links Findingnemo provided.  This was but I do believe I read a post by a member whose knowledge I respect saying that in theory private keys could be extracted from any device with a secure element.
Using that same analogy, it would then be even easier to extract keys that aren't protected by a secure element chip. One example is Trezor's unfixable seed extraction vulnerability.

Ledger is not open source and it wasn't possible to know it was a lie that your seed phrase cannot leave the secure element, that was until they launched the Ledger recovery service, then their lies were exposed as well as many other flaws in the Ledger hardware wallet.
They exposed themselves. All everyone had to do was listen.
legendary
Activity: 1792
Merit: 1296
keep walking, Johnnie
October 23, 2023, 12:02:55 PM
#16
My logical question is, how is that? Answer is, Ledger is a liar.
This is easily explained - their marketing department doesn't know what the engineering (development) department does. The marketing department wanted to present this information as an innovation and as a cool feature for users, but it turned out that this contradicts the very concept of device security and previous public statements by past employees of the marketing department. In general, this "paradox" is a demonstration that Ledger simply screwed up.

Actually, Ledger thinks that they didn't make a mistake by implementing Ledger Recover. They think that the positive side of Ledger Recover will outweigh the negative sides and it's only a matter of time to see the success of this implementation.
Any company sets itself up for failure the moment it thinks it knows what its customers want. Completely forgetting to ask them about it.


Absolute no-go and another reason why you should never trust Ledger anymore. They make one fatal mistake after another, proving that nothing beats open source!
There is nothing more valuable than the trust of your clients and customers. It is necessary to satisfy their needs, and not pursue their hidden mercantile interests.
legendary
Activity: 3220
Merit: 5630
Blackjack.fun-Free Raffle-Join&Win $50🎲
October 23, 2023, 09:41:21 AM
#15
~snip~
Actually, Ledger thinks that they didn't make a mistake by implementing Ledger Recover. They think that the positive side of Ledger Recover will outweigh the negative sides and it's only a matter of time to see the success of this implementation.

For some average user who can hardly understand the risks of such a feature, perhaps such a feature is even positive in the sense that they will feel safer if they lose their device or backup. There should be no doubt that it will be a salvation for some users, but the whole thing should not have been done in such a way as to cast doubt on the company's reputation (or what is left of it).

If they already wanted to do that, they could offer a firmware that would enable such an option and one that would not have such an option, or even better, a completely new device. What they managed to do is that I now feel safer having my private keys in Electrum than in their HW.
hero member
Activity: 840
Merit: 756
Watch Bitcoin Documentary - https://t.ly/v0Nim
October 23, 2023, 06:26:43 AM
#14
Recipe for disaster. Now I'm reading they can access private keys? Is that confirmed? Hopefully not. Otherwise, it is officially the worst piece of Bitcoin hardware you can get.

There was a big drama because of that a few months ago. That is the big disadvantage of closed-source projects like Ledger.

They always said that there was no way to get the keys. So users could not do more than believe all that. Then in May they introduced a new feature: Ledger Recover.
The feature allows you to share the seed phrase with a cloud provider by storing a backup there. This is all optional but raises many questions, so sensitive data like the mnemonic phrase can be extracted from the Ledger - so you have been lied to by Ledger for years.
Ledger uses a Secure Element chip. This is the chip that is used in passports and credit cards. Ledger uses the Secure Element chip to generate and store your private keys. In the past, Ledger has said that your private keys never leave the Secure Element chip, which means it's almost impossible to extract private keys from your wallet. Then they appeared with the Ledger Recover news and this is the moment when everyone understood that Ledger has been lying about its claims that keys never leave the secure chip.
If you read the Ledger Recover FAQ, you'll find a paradox:
Claim 1 - No access to your private key was made to enable Ledger Recover to work.
Claim 2 - Ledger's Operating System allows access to the private key stored within the Secure Element, but only after you manually approve and confirm it.

My logical question is, how is that? Answer is, Ledger is a liar.

Absolute no-go and another reason why you should never trust Ledger anymore. They make one fatal mistake after another, proving that nothing beats open source!
Actually, Ledger thinks that they didn't make a mistake by implementing Ledger Recover. They think that the positive side of Ledger Recover will outweigh the negative sides and it's only a matter of time to see the success of this implementation.
legendary
Activity: 1260
Merit: 1954
October 22, 2023, 04:17:53 PM
#13
Nobody should be using Ledger to begin with.

- Closed-source.
- Their email database was leaked in the past, and phishing emails were sent across the globe.
- They support centralized shitcoins.
/sign.

Recipe for disaster. Now I'm reading they can access private keys? Is that confirmed? Hopefully not. Otherwise, it is officially the worst piece of Bitcoin hardware you can get.

There was a big drama because of that a few months ago. That is the big disadvantage of closed-source projects like Ledger.

They always said that there was no way to get the keys. So users could not do more than believe all that. Then in May they introduced a new feature: Ledger Recover.
The feature allows you to share the seed phrase with a cloud provider by storing a backup there. This is all optional but raises many questions, so sensitive data like the mnemonic phrase can be extracted from the Ledger - so you have been lied to by Ledger for years.

Absolute no-go and another reason why you should never trust Ledger anymore. They make one fatal mistake after another, proving that nothing beats open source!


legendary
Activity: 1344
Merit: 6415
Farewell, Leo
October 22, 2023, 10:45:40 AM
#12
Nobody should be using Ledger to begin with.

- Closed-source.
- Their email database was leaked in the past, and phishing emails were sent across the globe.
- They support centralized shitcoins.

Recipe for disaster. Now I'm reading they can access private keys? Is that confirmed? Hopefully not. Otherwise, it is officially the worst piece of Bitcoin hardware you can get.
hero member
Activity: 826
Merit: 1010
Only BTC
October 12, 2023, 05:32:07 PM
#11
If they are open source, can't developers verify that the Ledger has a chance to steal users' private keys? Did nobody try it? Now, I am curious about it. Do you remember the recent hack of Atomic Wallet, where thousands of users reported that their wallet was hacked and they did not use any phishing? If users did not use phishing, how was their wallet hacked? These wallets are not non-custodial anymore.
Ledger is not open source, and it wasn't possible to know it was a lie that your seed phrase cannot leave the secure element. That was until they launched the Ledger recovery service; then their lies were exposed, as well as many other flaws in the Ledger hardware wallet. Self-custodial doesn't automatically mean safe; you also have to make sure the wallet is open source and the code has been widely reviewed. Ledger isn't a recommended hardware wallet, and if you have their device, you should switch to other good alternatives.
legendary
Activity: 2702
Merit: 2645
Farewell LEO: o_e_l_e_o
October 12, 2023, 09:38:14 AM
#10
I'm really concerned about the last changes of Ledger and their narratives about how they can get your private key. In addition, they always update the software because of their shitcoins. I finally moved my funds from the Ledger wallet to a software cold wallet and learned how to deal with a cold wallet and transfer transactions: partial signing online and then signing offline and broadcasting it 😏. I also learned some coin control and am going to learn some privacy CoinJoin; it works so great. Why don't they tell us about cold wallets from the beginning instead of wasting our money on a fucking signing device? Really, I enjoyed the experiment, and fuck you Ledger 🖕. And I want to thank you Gus because you helped me so much.
I think instead of giving a fuck, you should say thank you Ledger LOL. If they were not offering this revolutionary key recovery feature then you would not want to find an alternative and try to learn all these new skills.
legendary
Activity: 3234
Merit: 6706
Proudly Cycling Merits for Foxpup
October 11, 2023, 06:34:40 AM
#9
If you simply install Electrum on an internet connected device
Ah, thank you!  You all know I just drive the bitcoin automobile without knowing how most things work under the hood, so I can't say I'd know how to do what you described--but it doesn't sound like something I couldn't easily learn, and I appreciate that explanation. 

Did they admit that? If so, how can this be seen as a secured wallet?
Yeah....take a look at the links Findingnemo provided.  This was pretty big news, and I know it caused me to not trust Ledger anymore and left me questioning whether it's worth it to use any HW wallet.  Part of that could be my ignorance of what's under the hood of these devices, but I do believe I read a post by a member whose knowledge I respect saying that in theory private keys could be extracted from any device with a secure element.  It's just not worth it for me (even though I don't exactly have a large amount of crypto to lose).  In any case, most of my bubbling bile was caused by Ledger's treachery.  They are truly scumbags and are likely in bed with multiple government agencies--you could almost call it a governmental gangbang, but I'm just speculating.
legendary
Activity: 2268
Merit: 18509
October 11, 2023, 06:10:40 AM
#8
learned how to deal with a cold wallet and transfer transactions: partial signing online and then signing offline and broadcasting it
I assume this is simply a translation error. Your transaction should not be "partially signed" online. Indeed, transactions can only be partially signed if you are using a multi-sig set up. With a standard single-sig cold wallet, the only thing that happens on your online machine is you create an unsigned transaction. That unsigned transaction is moved to your cold device to be signed, and then moved back again to be broadcast.

I've been wondering myself why hardware wallets are necessary, and the impression I get is that simply using Electrum leaves you vulnerable to getting hacked, which wouldn't be possible when using a HW wallet (or at least much harder if you're paying attention when doing transactions).
If you simply install Electrum on an internet connected device and use it as a hot wallet, then yes, it will not be as secure as a (good) hardware wallet. But you can also use Electrum as a cold wallet. What this means is that Electrum is installed on a computer which is permanently disconnected (airgapped) from the internet, meaning the device can never download malware and never be attacked via the internet since it is never connected to the internet. This airgapped computer stores your private keys, and your private keys never leave this airgapped computer so are never at risk of being exposed to the internet. You create unsigned transactions on your usual internet connected computer, move the unsigned transaction via a USB drive or QR code to your airgapped computer to be signed with your private keys, and then move the signed transaction back to your usual computer to be broadcast to the network.
hero member
Activity: 2296
Merit: 755
Bitcoin = Financial freedom
October 11, 2023, 05:34:11 AM
#7
Did they admit that? If so, how can this be seen as a secured wallet? If I am not wrong, Ledger claims, "Here at Ledger we strongly believe in open source. It's one of our core values, a great philosophy that advocates openness, and verifiability. Open source allows developers and security experts to review the code and ensure it is secure and not malicious. Open source means you don't need to trust" [1]

If they are open source, can't developers verify that the Ledger has a chance to steal users' private keys? Did nobody try it? Now, I am curious about it. Do you remember the recent hack of Atomic Wallet, where thousands of users reported that their wallet was hacked and they did not use any phishing? If users did not use phishing, how was their wallet hacked? These wallets are not non-custodial anymore.

It's proven that Ledger Live has the ability to extract the recovery seeds from the hardware wallet. Also, they admitted that they share the details with a third party, which isn't right when you expect complete security for your crypto assets.

Discussion: Ledger Recovery Service.

Also, they lied about their status being open source: Ledger Open Source Fakery?!

So whoever wants to keep their crypto now should boycott Ledger as well as Trezor.
hero member
Activity: 462
Merit: 767
#SWGT CERTIK Audited
October 11, 2023, 04:56:39 AM
#6
Many have a bad impression of Ledger since the last changes. But it's not mandatory anyway.
If you're referring to the firmware update that allowed the Recover "option" to work, it doesn't matter if you sign up for it or not; Ledger admitted they can pinch your private keys out of the secure element at any time, which they had previously said wasn't possible (and someone please correct me if I've got any of that wrong, but what I wrote is my understanding of what Ledger did and how it works).

Did they admit that? If so, how can this be seen as a secured wallet? If I am not wrong, Ledger claims, "Here at Ledger we strongly believe in open source. It's one of our core values, a great philosophy that advocates openness, and verifiability. Open source allows developers and security experts to review the code and ensure it is secure and not malicious. Open source means you don't need to trust" [1]

If they are open source, can't developers verify that the Ledger has a chance to steal users' private keys? Did nobody try it? Now, I am curious about it. Do you remember the recent hack of Atomic Wallet, where thousands of users reported that their wallet was hacked and they did not use any phishing? If users did not use phishing, how was their wallet hacked? These wallets are not non-custodial anymore.
hero member
Activity: 2296
Merit: 755
Bitcoin = Financial freedom
October 11, 2023, 04:33:43 AM
#5
Yes, it's Electrum. I learned a lot of stuff here and about cold wallets, really very cool.

I hope you know how to make a cold wallet, aka an air-gapped wallet, using Electrum on a completely offline device, so that you never ever have to come online from the device where the seeds are stored, which makes it invulnerable to potential attacks.

I wrote how to do it, so take a look at it and see if you did everything right.


Download the latest version of Electrum from https://electrum.org/#download and then verify the signatures before installing it.

[GUIDE] How to Safely Download and Verify Electrum

Then copy the downloaded file to your air-gapped device and install it. Then restore your wallet with your seed ("Standard Wallet -> I already have a seed").

Then go to "Wallet -> Info" and get your "Master Public Key".

After this, go to your device which is connected to the internet and create the "watch-only" wallet ("Standard Wallet -> Use a Master Key").

By this method, the device holding the seed will never be connected to the internet, so you don't need to worry about your seed being exposed to malware or anything.


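The watch-only/cold-signing split described in this post and in #8 (build unsigned online, sign on the air-gapped machine, broadcast online), as an added example that is not part of the thread and not Electrum's own code. It drives the real Electrum CLI commands (`payto --unsigned`, `signtransaction`, `deserialize`, `broadcast`, `--offline`), and it adds the check a practitioner wants before broadcasting: decode the signed transaction and refuse to send it if any output is not the intended payment or a known change address. The wallet paths, the change-address set (what `electrum listaddresses --change` lists on the watch-only wallet) and the `outputs[].address` / `value_sats` shape of the `deserialize` JSON are assumptions.

```python
import json
import subprocess

# Hypothetical wallet file paths; adjust to your own setup (assumption).
WATCH_ONLY = "~/.electrum/wallets/watch_only"  # online PC: holds only the master public key
COLD = "~/.electrum/wallets/cold"              # air-gapped PC: the only wallet that holds the seed


def electrum(args, wallet, offline=False):
    """Run one Electrum CLI command and return its stdout as text.
    Online commands (payto, broadcast) need the daemon running and the wallet
    loaded: `electrum daemon -d` then `electrum -w <wallet> load_wallet`."""
    cmd = ["electrum", "-w", wallet] + (["--offline"] if offline else []) + args
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout.strip()


def build_unsigned(dest, amount_btc):
    """ONLINE machine: the watch-only wallet selects coins and builds an unsigned tx."""
    return electrum(["payto", dest, str(amount_btc), "--unsigned"], WATCH_ONLY)


def sign_offline(unsigned_tx):
    """AIR-GAPPED machine: the only step that touches private keys.
    The hex string is carried across the gap by USB drive or QR code."""
    return electrum(["signtransaction", unsigned_tx], COLD, offline=True)


def verify_outputs(tx_json, expected, change_addrs):
    """True only if every output is either an intended payment (address -> sats)
    or goes to one of your own known change addresses, and no payment is missing.
    Assumes Electrum's deserialize JSON: outputs[].address and outputs[].value_sats."""
    seen = {}
    for out in tx_json["outputs"]:
        addr, sats = out["address"], out["value_sats"]
        if addr in expected and expected[addr] == sats:
            seen[addr] = sats
        elif addr not in change_addrs:
            return False  # output that is neither the payment nor our change
    return seen == expected


def broadcast_checked(signed_tx, expected, change_addrs):
    """ONLINE machine: decode what the cold wallet signed and refuse to broadcast
    anything that differs from the payment you intended to make."""
    tx = json.loads(electrum(["deserialize", signed_tx], WATCH_ONLY))
    if not verify_outputs(tx, expected, change_addrs):
        raise SystemExit("signed tx outputs differ from the intended payment; not broadcasting")
    return electrum(["broadcast", signed_tx], WATCH_ONLY)  # returns the txid
```

Run `build_unsigned` and `broadcast_checked` on the online machine and `sign_offline` on the air-gapped one; `verify_outputs` is pure and can be tested without Electrum installed.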
legendary
Activity: 3234
Merit: 6706
Proudly Cycling Merits for Foxpup
October 11, 2023, 04:19:11 AM
#4
Many have a bad impression of Ledger since the last changes. But it's not mandatory anyway.
If you're referring to the firmware update that allowed the Recover "option" to work, it doesn't matter if you sign up for it or not; Ledger admitted they can pinch your private keys out of the secure element at any time, which they had previously said wasn't possible (and someone please correct me if I've got any of that wrong, but what I wrote is my understanding of what Ledger did and how it works).

OP, good for you for dumping Ledger.  I am curious as to what you did exactly with Electrum, because I don't understand based on what you wrote.  I've been wondering myself why hardware wallets are necessary, and the impression I get is that simply using Electrum leaves you vulnerable to getting hacked, which wouldn't be possible when using a HW wallet (or at least much harder if you're paying attention when doing transactions).  If you could elaborate, I'd appreciate it.  If not, I still like to hear "fuck Ledger" as many times as I can.  I'm rooting for them to swirl down the toilet and go bust, because they're just plain dishonest.
newbie
Activity: 24
Merit: 24
October 11, 2023, 03:59:59 AM
#3
Yes, it's Electrum. I learned a lot of stuff here and about cold wallets, really very cool.

I'm really concerned about the last changes of Ledger and their narratives about how they can get your private key. In addition, they always update the software because of their shitcoins. I finally moved my funds from the Ledger wallet to a software cold wallet and learned how to deal with a cold wallet and transfer transactions: partial signing online and then signing offline and broadcasting it 😏. I also learned some coin control and am going to learn some privacy CoinJoin; it works so great. Why don't they tell us about cold wallets from the beginning instead of wasting our money on a fucking signing device? Really, I enjoyed the experiment, and fuck you Ledger 🖕. And I want to thank you Gus because you helped me so much.

Nice to know that you have learned many things about cold wallets. But I am unsure if you are talking about Electrum or not, or how Electrum is related to your post, because you have created this thread in the Electrum wallet section. Many have a bad impression of Ledger since the last changes. But it's not mandatory anyway. Still, it questions the legitimacy of their honesty and how concerned they are about users' security. I don't know if they think it's a smart move from them or a dumb move from them. I don't know many things about wallets yet. But since I learned about Electrum, I have been using it and I am satisfied with it. I had a plan to buy a hardware wallet, but unfortunately, I am unable to buy from my location, and they do not deliver to my country either.
hero member
Activity: 462
Merit: 767
#SWGT CERTIK Audited
October 11, 2023, 03:10:05 AM
#2
I'm really concerned about the last changes of Ledger and their narratives about how they can get your private key. In addition, they always update the software because of their shitcoins. I finally moved my funds from the Ledger wallet to a software cold wallet and learned how to deal with a cold wallet and transfer transactions: partial signing online and then signing offline and broadcasting it 😏. I also learned some coin control and am going to learn some privacy CoinJoin; it works so great. Why don't they tell us about cold wallets from the beginning instead of wasting our money on a fucking signing device? Really, I enjoyed the experiment, and fuck you Ledger 🖕. And I want to thank you Gus because you helped me so much.

Nice to know that you have learned many things about cold wallets. But I am unsure if you are talking about Electrum or not, or how Electrum is related to your post, because you have created this thread in the Electrum wallet section. Many have a bad impression of Ledger since the last changes. But it's not mandatory anyway. Still, it questions the legitimacy of their honesty and how concerned they are about users' security. I don't know if they think it's a smart move from them or a dumb move from them. I don't know many things about wallets yet. But since I learned about Electrum, I have been using it and I am satisfied with it. I had a plan to buy a hardware wallet, but unfortunately, I am unable to buy from my location, and they do not deliver to my country either.
newbie
Activity: 24
Merit: 24
October 10, 2023, 08:03:18 PM
#1
I'm really concerned about the last changes of Ledger and their narratives about how they can get your private key. In addition, they always update the software because of their shitcoins. I finally moved my funds from the Ledger wallet to a software cold wallet and learned how to deal with a cold wallet and transfer transactions: partial signing online and then signing offline and broadcasting it 😏. I also learned some coin control and am going to learn some privacy CoinJoin; it works so great. Why don't they tell us about cold wallets from the beginning instead of wasting our money on a fucking signing device? Really, I enjoyed the experiment, and fuck you Ledger 🖕. And I want to thank you Gus because you helped me so much.