
Topic: Ledger Recovery - Send your (encrypted) recovery phrase to 3rd parties entities - page 6. (Read 4624 times)

legendary
Activity: 2730
Merit: 7065
Farewell, Leo. You will be missed!
Yes, I think in the same way, with the exit scam they surely make good money and these hardware wallets and other promotions they do were only a hook to gain the trust of the community.
The thing is, Betnomi can't know how much crypto the winners of those hardware wallet have. Thus, it could prove unprofitable and a waste of time to acquire such devices with the hope that it might be worth it in the future. Regular people won't know how to modify such hardware wallets and make them malicious. So the only option for most fraudsters is to purchase such fake devices from someone that knows. It's an investment, regardless of how much it initially costs.

It would be in a scammer's interest to target people they know own enough crypto with such modified HWs. Then it might be worth the invested money and time. But sending out blindly, not so much.
sr. member
Activity: 462
Merit: 263
CONTEST ORGANIZER
Thanks for your answers guys, I made the question to maybe help the one who has the Betnomi Ledger in his hand and prevent them from being at high risk. But as far as I understand, based on your answers, it can be "safe".

Yes, I think in the same way, with the exit scam they surely make good money and these hardware wallets and other promotions they do were only a hook to gain the trust of the community.
legendary
Activity: 1792
Merit: 1296
keep walking, Johnnie
And in the future, this "improvement" of theirs will automatically send the contents of users' wallets to wherever they want in Ledger?
Despite their recent history, they can still turn things around and advertise this upcoming Recover feature as something extraordinary and worth using for newbies. We will see how that goes. Going down the road that you proposed is sure death to Ledger and I don't think they are that stupid.
The path that the ledger has chosen with all these recovery functions and storage of private keys (parts) with third-party companies, automatic ledger live app, release of devices that have not been fully tested and have physical flaws and defects, with leaks of their customers' data (still, they weren't able to prevent this) without any compensation can hardly be called reasonable. This company has too many actions that can only be called stupid (or maybe just negligence, greed and irresponsibility?).

The question to all of you is, do you think that Ledgers can be modified by them so they can access and steal all your coins?
Fake Ledger devices do exist, and we even had cases where individuals whose data got leaked had such devices shipped to them to their home addresses. But everything about those HWs was fake. If you opened them up, they had different hardware components compared to the examples Ledger has on its website. They also instructed the users to download and install fake Ledger Live software and not the official versions. Fake firmware was also part of the game.

- A genuine Ledger HW looks as shown on the pictures above.
- Only a genuine Ledger HW works and can connect to the official Ledger Live software.
- Only a genuine Ledger HW can connect to Ledger servers and install official apps or firmware from the LL App Manager.

If Betnomi modified their Ledger devices, you should notice that the things I mentioned above won't work.  
And I also dreamed of winning one of these devices in the raffle of betnomi. As a memento. After their exit scam, this little thing became really memorable. For their former clients.

In theory, it is possible that the HW devices sent by the betnomi may be modified. But in practice, they would hardly bother (although who knows). I think that the betnomi has already made good money with their exit scam that they don’t need to take extra actions with devices, and this would require bothering with modification (mind, of each hardware wallet). As far as I understand, there were not so many such devices (for raffles), which means that it was not so much possible to earn in such a fraudulent way (compared to an exit scam gambling platform). That is, the ratio of time / resource costs with possible profitability is incommensurable.
legendary
Activity: 2730
Merit: 7065
Farewell, Leo. You will be missed!
Did you maybe link to the wrong sources? Your sources [3] and [4] are exactly the same. Source [5] refers to the old and discontinued Ledger Blue.

And in the future, this "improvement" of theirs will automatically send the contents of users' wallets to wherever they want in Ledger?
Despite their recent history, they can still turn things around and advertise this upcoming Recover feature as something extraordinary and worth using for newbies. We will see how that goes. Going down the road that you proposed is sure death to Ledger and I don't think they are that stupid.

The question to all of you is, do you think that Ledgers can be modified by them so they can access and steal all your coins?
Fake Ledger devices do exist, and we even had cases where individuals whose data got leaked had such devices shipped to them to their home addresses. But everything about those HWs was fake. If you opened them up, they had different hardware components compared to the examples Ledger has on its website. They also instructed the users to download and install fake Ledger Live software and not the official versions. Fake firmware was also part of the game.

- A genuine Ledger HW looks as shown on the pictures above.
- Only a genuine Ledger HW works and can connect to the official Ledger Live software.
- Only a genuine Ledger HW can connect to Ledger servers and install official apps or firmware from the LL App Manager.

If Betnomi modified their Ledger devices, you should notice that the things I mentioned above won't work. 
sr. member
Activity: 462
Merit: 263
CONTEST ORGANIZER
I just see this because you already bumped the thread, it's something related but for all of you that are not nearby gambling threads, we have here a very rare exit scam made by Betnomi.

The thing is they sent some Ledgers to some users in some predictions made by them.

It took some time to get it, but it finally came last week.
I had no time to post about it because I spent the whole month traveling, but here goes:



Thanks Betnomi! ❤️️
Too late, they are long gone LOL
The story of Betnomi.com (Exit Scam) : This is something fresh for you to study.

By the way, don't cry later if the ledger wallet steal your crypto, who knows may be Betnomi created a backdoor in that device and when you will store something they will steal it. Are you not aware of Ledger recent update 😉?

The question to all of you is, do you think that Ledgers can be modified by them so they can access and steal all your coins?
legendary
Activity: 1792
Merit: 1296
keep walking, Johnnie
~snip
Perhaps this information is not important enough to create a new topic, as you claim, but it is still a very important detail for ledger users.

I think in the future they will make it so that the old versions of ledger live will not work and their users will have no choice but to install the latest versions of this application, which, as you noticed, will already have an automatic update function built in.

And in the future, this "improvement" of theirs will automatically send the contents of users' wallets to wherever they want in Ledger?

It feels like the ledger live - ledger hardware wallet ecosystem is gradually becoming totally centralized.
legendary
Activity: 1008
Merit: 3001
(...)
My current Ledger Live version is a few months old, so I checked the release notes of the versions that the company released after the one I currently have installed. I wanted to see if there is anything there that would warrant an update. Turns out that the brainiacs behind Ledger made a change starting with version 2.64.1. They call it an improvement. This "improvement" of theirs automatically downloads (and surely installs) new versions of Ledger Live in the background without asking the user or requiring that the user does it.
(...)
Can't say that I'm surprised as we've talked about these moves in the past - Ledger would silently start implementing procedures that would make the users inevitably update to newer software updates (either their Ledger Live app or their Firmware).

On similar news, Ledger has also recently advanced in their "open source" roadmap[1] - starting from August 7th[2] - they have open sourced their dashboard which supposedly plays a key role in their "recover" feature. They also shared some tools that allow to implement our own shard backup provider. Here[3] is the specific repository within Ledger GitHub page, along with documentation[4] and scripts[5]. We all know that this "open source" is very limited, but suffice to say that will surely trick some users out there thinking that Ledger went "open source"...

Is anyone able to find the "open source" of their dashboard?

EDIT: Corrected some links. Thank you @Pmalek

[1] https://github.com/LedgerHQ/recover-whitepaper
[2] https://support.ledger.com/hc/en-us/articles/360014980580-Ledger-Nano-X-firmware-release-notes
[3] https://github.com/LedgerHQ/blue-loader-python
[4] https://github.com/LedgerHQ/blue-loader-python/blob/master/README.md
[5] https://github.com/LedgerHQ/blue-loader-python/tree/master/ledgerblue
legendary
Activity: 2730
Merit: 7065
Farewell, Leo. You will be missed!
This isn't related to the Ledger Recover feature but also isn't significant enough for me to create a new thread about it. So I will just post it here.

My current Ledger Live version is a few months old, so I checked the release notes of the versions that the company released after the one I currently have installed. I wanted to see if there is anything there that would warrant an update. Turns out that the brainiacs behind Ledger made a change starting with version 2.64.1. They call it an improvement. This "improvement" of theirs automatically downloads (and surely installs) new versions of Ledger Live in the background without asking the user or requiring that the user does it.

So, if you prefer verifying the signatures of your downloads before installing them, the nice folks of Ledger have now made that impossible. You will first get the new update and after that revert back to an older version or do what you want with it. Maybe in the future they can install our firmware updates automatically as well, without us knowing.

Quote
When the latest version of the Ledger Live desktop app is available, it will now be automatically downloaded, same as the current experience on your Ledger Live mobile app, so the update will not interrupt you while using the app. You can revert to the previous setting by using older versions of the Ledger Live desktop app.
https://support.ledger.com/hc/en-us/articles/360020773319-What-s-new-in-Ledger-Live-?docs=true
legendary
Activity: 2730
Merit: 7065
Farewell, Leo. You will be missed!
Why would I bother when I can't do anything with it?

That's the point I'm making - not that I can't review the code, only that far fewer people will bother to do so since they can't use that code themselves.
That's totally subjective I think. In that case, the problem is in the people not wanting to do it, and not the license that hinders you. If you want to, you have what you need to fork the code and use it on your own software. But do it privately and for your own benefit without making anything public. Who is going to stop you? 
legendary
Activity: 2268
Merit: 18509
Why exactly can't you analyze every line of it if it pleases you?
Why would I bother when I can't do anything with it?

That's the point I'm making - not that I can't review the code, only that far fewer people will bother to do so since they can't use that code themselves.
legendary
Activity: 2730
Merit: 7065
Farewell, Leo. You will be missed!
But it is equally fine for people like me to point out that doing so means fewer eyes on the code therefore less security...
...Coinkite locking down their code so it cannot be used by anyone else.
I think these two parts of your post mean totally different things. Please tell me how you or anyone else can't scrutinize the Coldcard code and find issues with it if they exist?
Yes, you can't use the code in your own software, sell it, release it with such code, etc. Why exactly can't you analyze every line of it if it pleases you?
legendary
Activity: 2268
Merit: 18509
If they're building on other GPL software, they have to keep the same license for their own software:
According to their changelog, they first applied MIT-CC on everything that wasn't under GPL, and then worked to remove all GPL code so everything could be under MIT-CC.

If nvK wants to protect his intellectual property by protecting unique snippets, I don't see a problem with it as long as it's available to the public for scrutiny.
It is of course fine if he wants to do that. But it is equally fine for people like me to point out that doing so means fewer eyes on the code therefore less security, as well as pointing out it is bad for the space in general. Bitcoin is about freedom. If I'm buying a hardware wallet, I'm picking a company which aligns with that ethos, not Trezor paying blockchain analysis to spy on you, and not Coinkite locking down their code so it cannot be used by anyone else.
legendary
Activity: 2730
Merit: 7065
Farewell, Leo. You will be missed!
I'm no expert on the code, the licensing, or where the code originated, but having included features like (for example,) Bip85 (deterministic seed phrases that are backed up by the primary seed, which is a pretty slick feature,) could justify changing the licensing due to those features.  If nvK wants to protect his intellectual property by protecting unique snippets, I don't see a problem with it as long as it's available to the public for scrutiny.
I understand the reasoning of both camps. Those who say it's unethical to use open-source code to inspire you to build your own software, only to prevent others from doing the same and using your code in their products are right. It is. But if his product is superior in any way, or he thinks it is, I understand why he would want to protect it. Business is cold, emotionless, and sometimes doesn't know logic and reasoning. If someone feels there is a breach of licensing agreements, sue him. Can it even be done?
copper member
Activity: 2184
Merit: 4238
Join the world-leading crypto sportsbook NOW!
Coldcard also built on many open source libraries (not just Trezor's) when they designed their product. For them to start whining about people building up their open source library is just pure hypocrisy.
Are they even allowed to change from GPL to MIT license?
If they're building on other GPL software, they have to keep the same license for their own software:
GNU General Public License (GPL): The GPL is one of the most well-known open source licenses. It is considered a restrictive license, as it requires that any changes made to the code must be released under the same GPL license, and any software that uses the code must also be released under the same GPL license. Additionally, if a user distributes the software, they must also provide the source code and any changes they made to it.

I think that's true, but the ColdCard offers more features than any other hardware wallet I've used.  I'm no expert on the code, the licensing, or where the code originated, but having included features like (for example,) Bip85 (deterministic seed phrases that are backed up by the primary seed, which is a pretty slick feature,) could justify changing the licensing due to those features.  If nvK wants to protect his intellectual property by protecting unique snippets, I don't see a problem with it as long as it's available to the public for scrutiny.
legendary
Activity: 2730
Merit: 7065
Farewell, Leo. You will be missed!
It is hypocritical and dishonest at best, and dangerous at worst. If no one is allowed to build on your code or use your code for anything, then you are going to have far fewer people looking at it, examining it, testing it, using it. As you say, few people can actually interrogate the code themselves, and most users rely on independent developers or power users examining the code of open source projects on their behalf. If you aren't actually allowed to do anything with the code, then there is far less incentive to spend your time going through it.
No one can prevent you from looking at the code and testing it for security vulnerabilities. It's public, go ahead. But you can't use it as a base to build your own software. Whether the code is open-source or not and someone finds bugs or vulnerabilities in it, you can only do one thing. You open an issue about it on GitHub and inform the team. It's the devs who need to patch it up, change it, or get rid of the faulty code. You might say, the software is open-source, I can do it myself. In that case we are going back to the verifiability dilemma. The most important thing is that the necessary code is public so you can go through it and change it according to your needs. In case of the Coldcard, it's equally public as Trezor or Passport. nvK doesn't know what is running on your local machine.
hero member
Activity: 714
Merit: 1010
Crypto Swap Exchange
Are they even allowed to change from GPL to MIT license?

I have been asking this myself almost all the time when the drama with nvK and his policies came up. I didn't want to follow it closely, therefore I don't know much about the details of licenses of the source code nvK's company used when they built ColdCard firmware.

In my opinion it's a shitshow and an embarrassingly bad one, too. You simply can't argue that you have heavily modified the original code and made your version much much better. It still originates from some license and you have to follow that. It defies the purpose of open-source if you change the license at your personal ego will.

But frankly I lack the knowledge of all the shitshow's details as I don't want to devote time of my life to it.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
Coldcard also built on many open source libraries (not just Trezor's) when they designed their product. For them to start whining about people building up their open source library is just pure hypocrisy.
Are they even allowed to change from GPL to MIT license?
If they're building on other GPL software, they have to keep the same license for their own software:
GNU General Public License (GPL): The GPL is one of the most well-known open source licenses. It is considered a restrictive license, as it requires that any changes made to the code must be released under the same GPL license, and any software that uses the code must also be released under the same GPL license. Additionally, if a user distributes the software, they must also provide the source code and any changes they made to it.
legendary
Activity: 2268
Merit: 18509
I called it politics in the past, and I am not interested in it.
It is hypocritical and dishonest at best, and dangerous at worst. If no one is allowed to build on your code or use your code for anything, then you are going to have far fewer people looking at it, examining it, testing it, using it. As you say, few people can actually interrogate the code themselves, and most users rely on independent developers or power users examining the code of open source projects on their behalf. If you aren't actually allowed to do anything with the code, then there is far less incentive to spend your time going through it.
legendary
Activity: 2730
Merit: 7065
Farewell, Leo. You will be missed!
The code is verifiable, not open source.
I think that's what matters the most, well, at least for me.
If I was looking exclusively for open-source products, I wouldn't let Coldcard's change of license stop me from purchasing their hardware wallet. I called it politics in the past, and I am not interested in it. I certainly don't agree with their development team building on freely available code only to make it unavailable to others once they considered it a finished product. A bitch move! But when people preach the importance of open-source, it's mostly about being able to verify that everything functions as advertised. Even that's something that most people can't do, let alone build upon the code.    
hero member
Activity: 854
Merit: 772
Watch Bitcoin Documentary - https://t.ly/v0Nim
The fact is, Coldcard is the true creator of the most secure firmware model.
Coldcard also built on many open source libraries (not just Trezor's) when they designed their product. For them to start whining about people building up their open source library is just pure hypocrisy.
That's right, they took advantage of someone else's work, then built a better one but now they don't want others to take advantage of their work. Definitely, that's not an ethical way to act.

The code is verifiable, not open source.
I think that's what matters the most, well, at least for me.
By the way, I am slightly out of smerits, so can't reward you but I want to say that you truly are one of the best users on this forum. Thank you for all the effort you put on this forum!

I'm really considering creating an account for Twitter (since I'm not able to use nitter[2] ever since Twitter blocked people from browsing unless they are signed in[3]) just to be able to follow the discussion regarding Ledger in that particular social network and see how people continue to react to the deployment of Ledger Roadmap...
That's the reason why I have never looked at Pinterest but I have a Twitter account.
Idk if I am late there but you can view Twitter tweets without registration if you see them through google cache.