
Topic: Ledger hardware wallet offering custody for seed backups (Read 344 times)

legendary
Activity: 2030
Merit: 1401
Disobey.
I made a post about this in the HW wallet section right after Ledger made this announcement, and since then I've learned a lot more about what kind of clusterfuck this really is and how dangerous Ledger products are for people who value not only their privacy but security.  Needless to say, I'm no longer going to put up even a feeble defense for any of their actions as I used to do. 

They fucked all of their current customers who likely didn't buy the device they thought they did, i.e., one from which the private keys couldn't be extracted without the owner's consent.  Now that they've disclosed that it can be done, I think they've also fucked themselves as a company--but time will tell.  One thing is for sure: I'm going to be following this drama very closely.

My personal suspicion is that Ledger is being pressured by government agencies to implement this service, or at least to announce that key exfiltration is possible so as to circumvent whatever illegal surveillance law they'd be violating if they got Ledger to seize users' funds for whatever reason.  I didn't come up with that theory, of course, but I believe it fully.
Tbh, I would be surprised if this actually damages their company in the long run.
Just think about what happens to trust towards CEXes after another big one goes down: Short dent, people look for alternatives (DEXes, storing their corns locally etc.) and after a while the majority is back using CEXes.
So yeah, for some period of time it will leave a mark, then a new generation of hardware-wallet-users comes along and everything is back to usual business.
I hope I am wrong, but not too optimistic.

That being said, regarding the real reason why Ledger does this shit... Maybe government pressure, maybe some inside folks are already working for the government, maybe some CEO is best-buddy with an intelligence-exec... who knows.

What I personally hope to see are many more open-source hardware wallet solutions, where some of them manage to become the new industry standards.
legendary
Activity: 1652
Merit: 2177
My personal suspicion is that Ledger is being pressured by government agencies to implement this service, or at least to announce that key exfiltration is possible so as to circumvent whatever illegal surveillance law they'd be violating if they got Ledger to seize users' funds for whatever reason.  I didn't come up with that theory, of course, but I believe it fully.

Have also started considering this, especially after they acknowledged that the seed phrase could be subpoenaed. At first I thought it was simply a new revenue stream, as $10 p/m for say thousands of users is a reasonable income, better than say $60 / $140 irregularly per device I imagine. It's a consistent revenue stream at least, probably more profitable than bear market purchases if I had to guess.

But if US government suddenly decided that it's no longer legal to offer physical wallets without the ability to access seed phrases, then Ledger would likely be the first target to comply. We'll know soon enough if other hardware providers such as Trezor follow suit, otherwise this theory is unlikely to be true, and instead just remains a strange decision by Ledger for "on-boarding" more users (who are scared of self-custody).
legendary
Activity: 3332
Merit: 6809
I made a post about this in the HW wallet section right after Ledger made this announcement, and since then I've learned a lot more about what kind of clusterfuck this really is and how dangerous Ledger products are for people who value not only their privacy but security.  Needless to say, I'm no longer going to put up even a feeble defense for any of their actions as I used to do. 

They fucked all of their current customers who likely didn't buy the device they thought they did, i.e., one from which the private keys couldn't be extracted without the owner's consent.  Now that they've disclosed that it can be done, I think they've also fucked themselves as a company--but time will tell.  One thing is for sure: I'm going to be following this drama very closely.

My personal suspicion is that Ledger is being pressured by government agencies to implement this service, or at least to announce that key exfiltration is possible so as to circumvent whatever illegal surveillance law they'd be violating if they got Ledger to seize users' funds for whatever reason.  I didn't come up with that theory, of course, but I believe it fully.
member
Activity: 184
Merit: 18
If it's true, you should take extra precautions with your Bitcoin wallets because your Bitcoin will now only be protected by the honesty of the wallet you're using. And it would unquestionably demonstrate that many alleged hacks in the past when Bitcoins were taken may not have actually been stolen but rather were the result of wallet fraud.

This is very true and there should be a topic dedicated to this. An investigation into this.
How many people inside the Ledger company knew that the seed phrase never really was a secret to the owner? I wonder.
The people who developed this technology must be perfectly capable of stealing from account holders and making it look like a hack.
member
Activity: 184
Merit: 18
Feel free to tell me if this is stupid. But within a decade I believe that any hardware wallet will need to be replaced. Because the device is somehow damaged or because government regulation does not allow people to continue with the original device (updates needed in order to trade..) And when that replacement happens, I don't think there will be any legal way to store crypto without government knowing exactly what we own.

And that was the whole point of BTC. I believe in the technology even though I am not tech savvy.
I believe in it because after its launch in 2009, no government found out who Satoshi Nakamoto is and nobody could stop the technology.

But they can stop the wallets by regulating their developers.
And they can attack the exchanges with harsh regulation and KYC.

Before the Ledger situation I was convinced to invest a significant portion of my savings into BTC as a hedge against inflation, a safe haven.
After the Ledger situation, I no longer believe there is a safe haven. Who knows which backdoors their competitors have left open without the public knowing.



jr. member
Activity: 56
Merit: 26
Oh, but is this surprising? They’ve been hacked, they were spending large amount of money to place their products in rap music videos, then they f-ed up so many other times and now this. Ledger is just a joke man, they’ve created the perfect device for shitcoins and this is the only thing they’re good at.

It wouldn’t surprise me at all if it was already possible to extract the seed even without the update. They’re a very suspicious company to me and they don’t deserve the recognition they’re getting. Fortunately we aren’t as dumb as they think but unfortunately people’ll continue buying their products due to how many shitcoins they support..
legendary
Activity: 2030
Merit: 1401
Disobey.
https://www.youtube.com/watch?v=9scIevuymZM

Andreas Antonopoulos is live just now discussing the ledger f-up.

So far his stance is pretty clear and I am happy to see there is spotlight on all the potential problems a closed-source centralized company such as Ledger poses.
Especially after they have been caught lying about fundamental features of their security-chip on their hardware wallets.
full member
Activity: 602
Merit: 129
We initially believed that Bitcoin offered total privacy and anonymity, but later learned that what we believed to be untraceable was actually traceable. I've always questioned whether wallets could honestly claim they did not know your seed phrase when it comes to the seed phrase issue. Even though this is the first I've heard of it, Ledger was giving me headaches before I even read this because of the ordinal consideration. If it's true, you should take extra precautions with your Bitcoin wallets because your Bitcoin will now only be protected by the honesty of the wallet you're using. And it would unquestionably demonstrate that many alleged hacks in the past when Bitcoins were taken may not have actually been stolen but rather were the result of wallet fraud.



legendary
Activity: 2030
Merit: 1401
Disobey.
Ledger has a nice track-record of fuck-ups, imho. First they just stopped support for their older hardware wallets. Such as Ledger HW (1) and Ledger Nano (1).
Then they managed to leak their customer database including email, clear name, address etc.

Now openly admitting to lying in regards of the possibility for private-key extraction from their security chip seems like the logical next step. Disgusting but not surprising.
https://www.binance.com/en/feed/post/539103

Quote
"The original tweet from Ledger customer service stated, “Technically speaking, it is and always has been possible to write firmware that facilitates key extraction. You have always trusted Ledger not to deploy such firmware whether you knew it or not.”
And:
Quote
"Critics shared an alleged Ledger post from November that stated, “A firmware update cannot extract the private keys from the Secure Element,” implying that the company contradicted itself."
legendary
Activity: 3738
Merit: 1708
Someone asked on Reddit what would happen if some government sent a subpoena to Ledger and asked for a seed of a user, and they basically stated that they would have to provide it to the government. They are basically digging themselves in a larger and larger hole and don’t think they will survive as a company after this incident.

They really should have at least hired some PR instead of having all these amateur responses all over social media. And they definitely shouldn’t have started this recovery program. Most people wouldn’t be ok with it given how easy it is to get your funds stolen.
legendary
Activity: 2520
Merit: 1721
The same viewpoint! How could we truly trust a company that's suffered a breach before? It's just fair warning for users to be careful, because what Ledger has technically done, is they backdoored their devices. Plus I will say it again like a broken record, "How can we really verify that their ability to backdoor isn't already there"?

But you're also right. Everyone is making the issue bigger than what it is. Anyone who doesn't like Ledger's update should buy a Trezor.
Even users have lost trust in Ledger. Wallet hardware does not really protect when Phrase can be extracted from the device and this is like a wide backdoor that can be an easy gap for hackers to take advantage of.

They even used the help of a third party, Coincover, to do identity verification so that they could easily restore Phrase using their own identity.

This is also an issue of privacy, users have to give up their personal data to use recover.
No more Ledger Non-Custodial, no more Ledger for the best wallet Security.
We no longer have full control, and now starting to leave Ledger and move to Trezor is the right choice.
legendary
Activity: 2898
Merit: 1823
People are making a huge deal about something that is not nearly as big as it is being sold to the misinformed. This added recovery feature comes as a subscription option and you have to pay for that, so not a lot of people are going to opt-in for that extra feature.

We know Ledger were hacked a few years ago.... and a lot of people's information was stolen.. then criminals used that data to launch targeted Phishing attacks on those clients.... so why will people trust them now?


The same viewpoint! How could we truly trust a company that's suffered a breach before? It's just fair warning for users to be careful, because what Ledger has technically done, is they backdoored their devices. Plus I will say it again like a broken record, "How can we really verify that their ability to backdoor isn't already there"?

But you're also right. Everyone is making the issue bigger than what it is. Anyone who doesn't like Ledger's update should buy a Trezor.
hero member
Activity: 854
Merit: 1031
Only BTC
At the moment it only affects those who have a ledger nano x and you also have to opt into it.

If you do not have a nano x and don't opt into it then I would worry too much about it for now.
Ledger is no longer a recommended hardware wallet only because this option is available, it doesn't matter if you have to opt into it or not, the option is terribly flawed, and a bad option that should not be available, because people with bad operational security may opt into it and lose their funds in the future. E.g., there are software wallets like Coinbase Wallet that give their users the option to back up seed phrase to cloud, and that is one of the many reasons why this wallet isn't recommended.
hero member
Activity: 1120
Merit: 741
What if crypto gets banned or makes huge lawsuit for LEDGER and government intercepts these companies assets and gets all the assets. Gold was confiscated too, who knows what happens in future.
Those of us who act as asset owners who store in hardware wallets only need to store seed phrases as securely as possible. What is it for, to ensure that one day we can recover assets to another hardware wallet.
Isn't it that Bitcoin asset owners who store in Ledger can still ignore the Recover feature.

Also what if btc you own is from some illegal activity? FBI or other agency will come and Ledger will have to cooperate, like all companies have to cooperate with law enforcement. Will be bye bye your holdings and will be tied to your identity.

I think move away as quick as possible and never look back to it.
IMO, thinking as fast as possible can sometimes be useful and sometimes not. But the over-concern about Bitcoin because of this problem in my opinion needs to slow down a bit to be able to compartmentalize the problem.
member
Activity: 614
Merit: 25
At the moment it only affects those who have a ledger nano x and you also have to opt into it.

If you do not have a nano x and don't opt into it then I would worry too much about it for now.



How do you know that? Because Ledger said so?

Well yes that is what they say it is exclusively for nano x.

It is not good news for anyone holding a ledger but I wouldn't stress about it too much just yet.

newbie
Activity: 5
Merit: 0
At the moment it only affects those who have a ledger nano x and you also have to opt into it.

If you do not have a nano x and don't opt into it then I would worry too much about it for now.



How do you know that? Because Ledger said so?
member
Activity: 614
Merit: 25
At the moment it only affects those who have a ledger nano x and you also have to opt into it.

If you do not have a nano x and don't opt into it then I would worry too much about it for now.

hero member
Activity: 854
Merit: 1031
Only BTC
- Prison sentences for known holders of BTC. There are many varieties to this. For example my EU citizens now have to declare BTC holdings on their tax declaration forms. Not declaring this could have prison sentence as a consequence in the future. Or confiscation of other assets
I don't live in the EU and I don't know about their tax laws, but I know governments cannot sanction, confiscate assets or require information from users who trade on decentralized platforms and use self custody wallets. Centralized exchanges and services are data farms, and the government can require any information from them or from their users or confiscate assets kept in them.
- Taking down exchanges (lawsuits against Binance and Coinbase now happening)
Governments don't have to "track" centralized exchanges, they comply with them, the charges you read against Binance and a few others are because of how shady they are and how they want to make profit at all cost.
- Attacking hardware wallet companies. We all thought this was impossible. Now we witness that it is not.
I don't think the issue with Ledger has anything to do with the government attacking them, this was their decision because they want to make money or because they have forgotten the basic operational security of BTC assets, both Ledger and Trezor are now bad recommendations, there are better alternatives, or just set up your own air-gapped or cold storage wallet.
newbie
Activity: 5
Merit: 0
The thing is, it's not open source and nobody knows if getting the customer seed will be available from the firmware update when it comes out or our seeds are already in ledger company possession for years.
I don't think people who will keep using ledger are smart people.
What if crypto gets banned or makes huge lawsuit for LEDGER and government intercepts these companies assets and gets all the assets. Gold was confiscated too, who knows what happens in future.
Also what if btc you own is from some illegal activity? FBI or other agency will come and Ledger will have to cooperate, like all companies have to cooperate with law enforcement. Will be bye bye your holdings and will be tied to your identity.

I think move away as quick as possible and never look back to it.
hero member
Activity: 854
Merit: 772
The more I think about this announcement, the more shocked I get. This literally means that Ledger, its partner companies and governments will know the identity of hardware wallet owners and in case there is a need, they can seize funds of any of their users.
This move can change the situation for whole crypto market, I'm happy that critics come from every corner towards Ledger, wonder if there is a statement about this from Trezor and other companies in near future.

Every Ledger owner should immediately change their hardware wallet or find a different way to store their coins. I genuinely believe that there is a high chance that planned or accidental data breach may happen and everyone will lose their coins, nothing to say about compromising of your identity.

I'm finally confident to say that when it comes to bitcoin wallet creation, I prefer to stick with my very old computer than with any modern hardware.

What will be the assurance that the change to another hardware wallet won't make same announcement later?
I think this is a more penetrative means by government to get to the root of identifying every individual portfolio and wallets.
One thing that never fails to beat my imagination is that new wallets would be created by genius minds who have come to embrace the anonymity that crypto currency has offered.
Unless, no one is made an example of by the hardware wallet's new policy, then persons would opt for means to prevent their seed from being backed up by the wallet, as a prerequisite for limited storage of their coins.
At least it's a better idea to move from them as soon as possible, what other options do you have? Stay with them? Ledger has said that it's designed in a way that it's impossible for the seed phrase to leave device but as you see, it doesn't work like that.
You'll never be 100% sure whom to trust but when something becomes clear, you should act accordingly.
Btw this Ledger accident can become a good opportunity for others to start a bitcoin hardware wallet business and increase the competitiveness and this is a perfect time for someone to come up with better security and with more proofs.



Am I the only one who feels a little confused? They say that they backup your seeds but at the same time they say that they don't backup your seeds

https://twitter.com/Ledger_Support/status/1658824402694283267?cxt=HHwWhoC9tayAqoUuAAAA


Quote
If you choose to pay for a subscription of Ledger Recover, you will need to consent on your Ledger authorizing the duplication, encryption, sharding of your SRP.
Quote
Ledger acts as backup provider for only one encrypted fragment, and a single fragment doesn't allow the SRP to be recovered.

Ledger cannot access any user’s SRPs, nor will it be able to do so at any point in the future.