Topic: Ledger Recovery - Send your (encrypted) recovery phrase to 3rd parties entities - page 6. (Read 4819 times)

full member
Activity: 1750
Merit: 186
Haven't updated Ledger Live in a while. Still using version 2.57, and the current version is now 2.66.

Am using a Ledger Nano S Plus.

Any issue doing the Ledger Live update directly from the Ledger Live app in the top right, though? The reason I ask is that it's been a long time since I did an update, so would it not work and require me to do the update directly from the Ledger site? Also, does the Ledger Live update do the Ledger Recovery? Do you need to not allow it, or what happens here?
legendary
Activity: 1792
Merit: 1296
Crypto Casino and Sportsbook
I feel the answer is becoming repetitive. I have already answered it many times, but anyway, here it is again. It's completely possible to hire an embedded programmer and change the functionality of any device. Ledger is closed source; you as an end user cannot verify anything if anyone does any trick.

It would be interesting if the Betnomi scammers were able to find some experienced blackhat willing to do that for them, but in reality I can't consider that possibility to be an accurate one unless they've spent too long organizing and shipping the hardware wallets from the giveaway (so unfortunately I think it might be credible... in any case just throw it out and don't trust hardware wallets from giveaways).
I would prefer not to trust any device not purchased from the official manufacturer at all. Even if Betnomi had not done an exit scam, I would have thought 10 times before using such a wallet to store major cryptocurrencies. Why create unnecessary risks for yourself? I admit the possibility that on hardware wallets received at various raffles and other contests (that is, not purchased directly from the manufacturer) you can store only a small amount of money, which is not a pity to lose.

I don't know about throwing out Betnomi's Ledger, but you definitely shouldn't trust it 100%. You can 100% trust only those devices that were purchased by you directly from the manufacturer, preferably without intermediary stores.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
I feel the answer is becoming repetitive. I have already answered it many times, but anyway, here it is again. It's completely possible to hire an embedded programmer and change the functionality of any device. Ledger is closed source; you as an end user cannot verify anything if anyone does any trick.

It would be interesting if the Betnomi scammers were able to find some experienced blackhat willing to do that for them, but in reality I can't consider that possibility to be an accurate one unless they've spent too long organizing and shipping the hardware wallets from the giveaway (so unfortunately I think it might be credible... in any case just throw it out and don't trust hardware wallets from giveaways).
legendary
Activity: 2800
Merit: 2736
Farewell LEO: o_e_l_e_o
It took some time to get it, but it finally came last week.
I had no time to post about it because I spent the whole month traveling, but here goes:

Thanks Betnomi! ❤️️
Too late, they are long gone LOL
The story of Betnomi.com (Exit Scam): This is something fresh for you to study.

By the way, don't cry later if the Ledger wallet steals your crypto; who knows, maybe Betnomi created a backdoor in that device, and when you store something they will steal it. Are you not aware of Ledger's recent update 😉?

The question to all of you is, do you think that Ledgers can be modified by them so they can access and steal all your coins?
I feel the answer is becoming repetitive. I have already answered it many times, but anyway, here it is again. It's completely possible to hire an embedded programmer and change the functionality of any device. Ledger is closed source; you as an end user cannot verify anything if anyone does any trick.
legendary
Activity: 1148
Merit: 3117
Did you maybe link to the wrong sources? Your sources [3] and [4] are exactly the same. Source [5] refers to the old and discontinued Ledger Blue.
I totally did, thank you for alerting me (I've edited my previous post). Regarding the linked [5] source, Ledger has placed Recover's scripts within that folder (within the last month). I don't know why they particularly chose to place them in their discontinued product, however.
legendary
Activity: 2730
Merit: 7065
Yes, I think the same way; with the exit scam they surely made good money, and these hardware wallets and other promotions they did were only a hook to gain the trust of the community.
The thing is, Betnomi can't know how much crypto the winners of those hardware wallets have. Thus, it could prove unprofitable and a waste of time to acquire such devices with the hope that it might be worth it in the future. Regular people won't know how to modify such hardware wallets and make them malicious. So the only option for most fraudsters is to purchase such fake devices from someone that knows. It's an investment, regardless of how much it initially costs.

It would be in a scammer's interest to target people they know own enough crypto with such modified HWs. Then it might be worth the invested money and time. But sending out blindly, not so much.
sr. member
Activity: 616
Merit: 314
CONTEST ORGANIZER
Thanks for your answers, guys. I asked the question to maybe help the ones who have the Betnomi Ledger in their hands and prevent them from being at high risk. But as far as I understand, based on your answers, it can be "safe".

Yes, I think the same way; with the exit scam they surely made good money, and these hardware wallets and other promotions they did were only a hook to gain the trust of the community.
legendary
Activity: 1792
Merit: 1296
Crypto Casino and Sportsbook
And in the future, this "improvement" of theirs will automatically send the contents of users' wallets to wherever they want in Ledger?
Despite their recent history, they can still turn things around and advertise this upcoming Recover feature as something extraordinary and worth using for newbies. We will see how that goes. Going down the road that you proposed is sure death to Ledger, and I don't think they are that stupid.
The path that Ledger has chosen, with all these recovery functions and storage of private key (parts) with third-party companies, automatic Ledger Live app updates, the release of devices that have not been fully tested and have physical flaws and defects, and leaks of their customers' data (which they still were not able to prevent) without any compensation, can hardly be called reasonable. This company has too many actions that can only be called stupid (or maybe just negligence, greed and irresponsibility?).

The question to all of you is, do you think that Ledgers can be modified by them so they can access and steal all your coins?
Fake Ledger devices do exist, and we even had cases where individuals whose data got leaked had such devices shipped to them to their home addresses. But everything about those HWs was fake. If you opened them up, they had different hardware components compared to the examples Ledger has on its website. They also instructed the users to download and install fake Ledger Live software and not the official versions. Fake firmware was also part of the game.

- A genuine Ledger HW looks as shown on the pictures above.
- Only a genuine Ledger HW works and can connect to the official Ledger Live software.
- Only a genuine Ledger HW can connect to Ledger servers and install official apps or firmware from the LL App Manager.

If Betnomi modified their Ledger devices, you should notice that the things I mentioned above won't work.
And I also dreamed of winning one of these devices in the Betnomi raffle :) As a memento. After their exit scam, this little thing became really memorable. For their former clients.

In theory, it is possible that the HW devices sent by Betnomi may be modified. But in practice, they would hardly bother (although who knows). I think that Betnomi has already made good money with their exit scam and doesn't need to take extra actions with devices, and this would require bothering with modification (mind, of each hardware wallet). As far as I understand, there were not so many such devices (for raffles), which means that it was not possible to earn so much in such a fraudulent way (compared to an exit scam gambling platform). That is, the ratio of time/resource costs to possible profitability is incommensurable.
legendary
Activity: 2730
Merit: 7065
Did you maybe link to the wrong sources? Your sources [3] and [4] are exactly the same. Source [5] refers to the old and discontinued Ledger Blue.

And in the future, this "improvement" of theirs will automatically send the contents of users' wallets to wherever they want in Ledger?
Despite their recent history, they can still turn things around and advertise this upcoming Recover feature as something extraordinary and worth using for newbies. We will see how that goes. Going down the road that you proposed is sure death to Ledger, and I don't think they are that stupid.

The question to all of you is, do you think that Ledgers can be modified by them so they can access and steal all your coins?
Fake Ledger devices do exist, and we even had cases where individuals whose data got leaked had such devices shipped to them to their home addresses. But everything about those HWs was fake. If you opened them up, they had different hardware components compared to the examples Ledger has on its website. They also instructed the users to download and install fake Ledger Live software and not the official versions. Fake firmware was also part of the game.

- A genuine Ledger HW looks as shown on the pictures above.
- Only a genuine Ledger HW works and can connect to the official Ledger Live software.
- Only a genuine Ledger HW can connect to Ledger servers and install official apps or firmware from the LL App Manager.

If Betnomi modified their Ledger devices, you should notice that the things I mentioned above won't work.
sr. member
Activity: 616
Merit: 314
CONTEST ORGANIZER
I just saw this because you already bumped the thread. It's something related, but for all of you who are not around the gambling threads, we have here a very rare exit scam made by Betnomi.

The thing is they sent some Ledgers to some users in some predictions made by them.

It took some time to get it, but it finally came last week.
I had no time to post about it because I spent the whole month traveling, but here goes:

Thanks Betnomi! ❤️️
Too late, they are long gone LOL
The story of Betnomi.com (Exit Scam): This is something fresh for you to study.

By the way, don't cry later if the Ledger wallet steals your crypto; who knows, maybe Betnomi created a backdoor in that device, and when you store something they will steal it. Are you not aware of Ledger's recent update 😉?

The question to all of you is, do you think that Ledgers can be modified by them so they can access and steal all your coins?
legendary
Activity: 1792
Merit: 1296
Crypto Casino and Sportsbook
~snip
Perhaps this information is not important enough to create a new topic, as you claim, but it is still a very important detail for ledger users.

I think in the future they will make it so that the old versions of ledger live will not work and their users will have no choice but to install the latest versions of this application, which, as you noticed, will already have an automatic update function built in.

And in the future, this "improvement" of theirs will automatically send the contents of users' wallets to wherever they want in Ledger?

It feels like the ledger live - ledger hardware wallet ecosystem is gradually becoming totally centralized.
legendary
Activity: 1148
Merit: 3117
(...)
My current Ledger Live version is a few months old, so I checked the release notes of the versions that the company released after the one I currently have installed. I wanted to see if there is anything there that would warrant an update. Turns out that the brainiacs behind Ledger made a change starting with version 2.64.1. They call it an improvement. This "improvement" of theirs automatically downloads (and surely installs) new versions of Ledger Live in the background without asking the user or requiring that the user does it.
(...)
Can't say that I'm surprised, as we've talked about these moves in the past - Ledger would silently start implementing procedures that would make the users inevitably update to newer software (either their Ledger Live app or their firmware).

On similar news, Ledger has also recently advanced in their "open source" roadmap[1] - starting from August 7th[2] - they have open sourced their dashboard, which supposedly plays a key role in their "recover" feature. They also shared some tools that allow one to implement their own shard backup provider. Here[3] is the specific repository within the Ledger GitHub page, along with documentation[4] and scripts[5]. We all know that this "open source" is very limited, but suffice to say that it will surely trick some users out there into thinking that Ledger went "open source"...

Is anyone able to find the "open source" of their dashboard?

EDIT: Corrected some links. Thank you @Pmalek

[1] https://github.com/LedgerHQ/recover-whitepaper
[2] https://support.ledger.com/hc/en-us/articles/360014980580-Ledger-Nano-X-firmware-release-notes
[3] https://github.com/LedgerHQ/blue-loader-python
[4] https://github.com/LedgerHQ/blue-loader-python/blob/master/README.md
[5] https://github.com/LedgerHQ/blue-loader-python/tree/master/ledgerblue
legendary
Activity: 2730
Merit: 7065
This isn't related to the Ledger Recover feature but also isn't significant enough for me to create a new thread about it. So I will just post it here.

My current Ledger Live version is a few months old, so I checked the release notes of the versions that the company released after the one I currently have installed. I wanted to see if there is anything there that would warrant an update. Turns out that the brainiacs behind Ledger made a change starting with version 2.64.1. They call it an improvement. This "improvement" of theirs automatically downloads (and surely installs) new versions of Ledger Live in the background without asking the user or requiring that the user does it.

So, if you prefer verifying the signatures of your downloads before installing them, the nice folks of Ledger have now made that impossible. You will first get the new update and after that revert back to an older version or do what you want with it. Maybe in the future they can install our firmware updates automatically as well, without us knowing.

Quote:
When the latest version of the Ledger Live desktop app is available, it will now be automatically downloaded, same as the current experience on your Ledger Live mobile app, so the update will not interrupt you while using the app. You can revert to the previous setting by using older versions of the Ledger Live desktop app.
https://support.ledger.com/hc/en-us/articles/360020773319-What-s-new-in-Ledger-Live-?docs=true
legendary
Activity: 2730
Merit: 7065
Why would I bother when I can't do anything with it?

That's the point I'm making - not that I can't review the code, only that far fewer people will bother to do so since they can't use that code themselves.
That's totally subjective, I think. In that case, the problem is in the people not wanting to do it, and not the license that hinders you. If you want to, you have what you need to fork the code and use it in your own software. But do it privately and for your own benefit without making anything public. Who is going to stop you?
legendary
Activity: 2268
Merit: 18711
Why exactly can't you analyze every line of it if it pleases you?
Why would I bother when I can't do anything with it?

That's the point I'm making - not that I can't review the code, only that far fewer people will bother to do so since they can't use that code themselves.
legendary
Activity: 2730
Merit: 7065
But it is equally fine for people like me to point out that doing so means fewer eyes on the code therefore less security...
...Coinkite locking down their code so it cannot be used by anyone else.
I think these two parts of your post mean totally different things. Please tell me how you or anyone else can't scrutinize the Coldcard code and find issues with it if they exist?
Yes, you can't use the code in your own software, sell it, release it with such code, etc. Why exactly can't you analyze every line of it if it pleases you?
legendary
Activity: 2268
Merit: 18711
If they're building on other GPL software, they have to keep the same license for their own software:
According to their changelog, they first applied MIT-CC on everything that wasn't under GPL, and then worked to remove all GPL code so everything could be under MIT-CC.

If nvK wants to protect his intellectual property by protecting unique snippets, I don't see a problem with it as long as it's available to the public for scrutiny.
It is of course fine if he wants to do that. But it is equally fine for people like me to point out that doing so means fewer eyes on the code therefore less security, as well as pointing out it is bad for the space in general. Bitcoin is about freedom. If I'm buying a hardware wallet, I'm picking a company which aligns with that ethos, not Trezor paying blockchain analysis to spy on you, and not Coinkite locking down their code so it cannot be used by anyone else.
legendary
Activity: 2730
Merit: 7065
I'm no expert on the code, the licensing, or where the code originated, but having included features like (for example,) Bip85 (deterministic seed phrases that are backed up by the primary seed, which is a pretty slick feature,) could justify changing the licensing due to those features.  If nvK wants to protect his intellectual property by protecting unique snippets, I don't see a problem with it as long as it's available to the public for scrutiny.
I understand the reasoning of both camps. Those who say it's unethical to use open-source code to inspire you to build your own software, only to prevent others from doing the same and using your code in their products, are right. It is. But if his product is superior in any way, or he thinks it is, I understand why he would want to protect it. Business is cold, emotionless, and sometimes doesn't know logic and reasoning. If someone feels there is a breach of licensing agreements, sue him. Can it even be done?
copper member
Activity: 2338
Merit: 4543
Join the world-leading crypto sportsbook NOW!
Coldcard also built on many open source libraries (not just Trezor's) when they designed their product. For them to start whining about people building up their open source library is just pure hypocrisy.
Are they even allowed to change from GPL to MIT license?
If they're building on other GPL software, they have to keep the same license for their own software:
GNU General Public License (GPL): The GPL is one of the most well-known open source licenses. It is considered a restrictive license, as it requires that any changes made to the code must be released under the same GPL license, and any software that uses the code must also be released under the same GPL license. Additionally, if a user distributes the software, they must also provide the source code and any changes they made to it.

I think that's true, but the ColdCard offers more features than any other hardware wallet I've used.  I'm no expert on the code, the licensing, or where the code originated, but having included features like (for example,) Bip85 (deterministic seed phrases that are backed up by the primary seed, which is a pretty slick feature,) could justify changing the licensing due to those features.  If nvK wants to protect his intellectual property by protecting unique snippets, I don't see a problem with it as long as it's available to the public for scrutiny.
legendary
Activity: 2730
Merit: 7065
It is hypocritical and dishonest at best, and dangerous at worst. If no one is allowed to build on your code or use your code for anything, then you are going to have far fewer people looking at it, examining it, testing it, using it. As you say, few people can actually interrogate the code themselves, and most users rely on independent developers or power users examining the code of open source projects on their behalf. If you aren't actually allowed to do anything with the code, then there is far less incentive to spend your time going through it.
No one can prevent you from looking at the code and testing it for security vulnerabilities. It's public, go ahead. But you can't use it as a base to build your own software. Whether the code is open-source or not, if someone finds bugs or vulnerabilities in it, you can only do one thing. You open an issue about it on GitHub and inform the team. It's the devs who need to patch it up, change it, or get rid of the faulty code. You might say, the software is open-source, I can do it myself. In that case we are going back to the verifiability dilemma. The most important thing is that the necessary code is public so you can go through it and change it according to your needs. In the case of the Coldcard, it's equally public as Trezor or Passport. nvK doesn't know what is running on your local machine. ;)