Pages:
Author

Topic: Ledger Recovery - Send your (encrypted) recovery phrase to 3rd parties entities - page 8. (Read 5399 times)

legendary
Activity: 3304
Merit: 8633
icarus-cards.eu
Nicolas Bacca cio and co-founder of Ledger, will leave the company following the recent recover scandal. he follows former ceo and co-founder Eric Larchevêque, who stepped down in 2019.
ceo Pascal Gauthier blamed an 'unintentional communication mistake' for the Recover melee, but also stressed the importance of key recovery for users who feel overwhelmed by key management.

https://en.thebigwhale.io/article-en/EXCLUSIVE-Nicolas-Bacca-leaves-Ledger
https://cryptomode.com/co-founder-nicolas-bacca-to-exit-ledger-amidst-recover-feature-controversy/
full member
Activity: 1750
Merit: 186
Haven't updated ledger live in a while.  Still using version 2.57 and current version is now 2.66. 


Am using a nano ledger s plus.


Any issue doing the ledger live update directly from the ledger live app on the top right though?  Reason is because it's been a long time since I did an update so would it not work and it require me to do update directly from ledger site?  Also, does the ledger live update do the ledger recovery?  Do you need to not allow it or what happens here?
legendary
Activity: 1792
Merit: 1296
Crypto Casino and Sportsbook
I feel the answer is becoming repeated. I already answered it many times but anyway here it is again. It's completely possible to hire an embedded programmer and change the functionality of any device. Leger is close source, you as an end user can not verify anything if anyone do any trick.

It would be interesting if the Betnomi scammers were able to find some experienced blackhat willing to do that for them, but in reality I can't consider that possibility to be an accurate one unless they've spent too long organizing and shipping the hardware wallets from the giveaway (so unfortunately I think it might be credible... in any case just throw it out and don't trust hardware wallets from giveaways).
I would prefer not to trust any device not purchased from an official manufacturer at all. Even if the betnomi had not done an exit scam, I would have thought 10 times before using such a wallet to store major cryptocurrencies. Why create unnecessary risks for yourself? I admit the possibility that on hardware wallets received at various raffles and other contests (that is, not purchased directly from the manufacturer) you can store only a small amount of money, which is not a pity to lose.

I don’t know about throwing out betnomi's ledger, but you definitely shouldn’t trust 100%. You can 100% trust only those devices that were purchased directly by you directly from the manufacturer, preferably without intermediary stores.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
I feel the answer is becoming repeated. I already answered it many times but anyway here it is again. It's completely possible to hire an embedded programmer and change the functionality of any device. Leger is close source, you as an end user can not verify anything if anyone do any trick.

It would be interesting if the Betnomi scammers were able to find some experienced blackhat willing to do that for them, but in reality I can't consider that possibility to be an accurate one unless they've spent too long organizing and shipping the hardware wallets from the giveaway (so unfortunately I think it might be credible... in any case just throw it out and don't trust hardware wallets from giveaways).
legendary
Activity: 2800
Merit: 2736
Farewell LEO: o_e_l_e_o
It took some time to get it, but it finally came last week.
I had no time to post about it because I spent the whole month traveling, but here goes:



Thanks Betnomi! ❤️️
Too late, they are long gone LOL
The story of Betnomi.com (Exit Scam) : This is something fresh for you to study.

By the way, don't cry later if the ledger wallet steal your crypto, who knows may be Betnomi created a backdoor in that device and when you will store something they will steal it. Are you not aware of Ledger recent update 😉?

The question to all of your is, do you think that ledgers can be modified by them so they can acces and steal al your coins?
I feel the answer is becoming repeated. I already answered it many times but anyway here it is again. It's completely possible to hire an embedded programmer and change the functionality of any device. Leger is close source, you as an end user can not verify anything if anyone do any trick.
legendary
Activity: 1148
Merit: 3117
Did you maybe link to the wrong sources? Your sources [3] and [4] are exactly the same. Source [5] refers to the old and discontinued Ledger Blue.
I totally did, thank you for alerting me (I've edited my previous post). Regarding the linked [5] source, Ledger has placed within that folder recover's scripts (within the last month). I don't know why they particularly chose to place them in their discontinued product however.
legendary
Activity: 2730
Merit: 7065
Yes i think in the same way, with the exit scam they surely make good money and this hardware wallets and others promotions they do were only a hook to gain the trust of the community.
The thing is, Betnomi can't know how much crypto the winners of those hardware wallet have. Thus, it could prove unprofitable and a waste of time to acquire such devices with the hope that it might be worth it in the future. Regular people won't know how to modify such hardware wallets and make them malicious. So the only option for most fraudsters is to purchase such fake devices from someone that knows. It's an investment, regardless of how much it initially costs.

It would be in a scammer's interest to target people they know own enough crypto with such modified HWs. Then it might be worth the invested money and time. But sending out blindly, not so much.
sr. member
Activity: 616
Merit: 314
CONTEST ORGANIZER
Thanks for your answer guys, i amde the question to maybe help he one who have the Betnomi Ledger in his hand and prevent them to being in high risk. But as far as i understand based on yours answers it can be "safe".

Yes i think in the same way, with the exit scam they surely make good money and this hardware wallets and others promotions they do were only a hook to gain the trust of the community.
legendary
Activity: 1792
Merit: 1296
Crypto Casino and Sportsbook
And in the future, this "improvement" of theirs will automatically send the contents of users wallets to wherever they want in ledger?
Despite their recent history, they can still turn things around and advertise this upcoming Recover feature as something extraordinary and worth using for newbies. We will see how that goes. Going down the road that you proposed is sure death to Ledger and I don't think they are that stupid.
The path that the ledger has chosen with all these recovery functions and storage of private keys (parts) with third-party companies, automatic ledger live app, release of devices that have not been fully tested and have physical flaws and defects, with leaks of their customers' data (still, they don't were able to prevent this) without any compensation can hardly be called reasonable. This company has too many actions that can only be called stupid (or maybe just negligence, greed and irresponsibility?).

The question to all of your is, do you think that ledgers can be modified by them so they can acces and steal al your coins?
Fake Ledger devices do exist, and we even had cases where individuals whose data got leaked had such devices shipped to them to their home addresses. But everything about those HWs was fake. If you opened them up, they had different hardware components compared to the examples Ledger has on its website. They also instructed the users to download and install fake Ledger Live software and not the official versions. Fake firmware was also part of the game.

- A genuine Ledger HW looks as shown on the pictures above.
- Only a genuine Ledger HW works and can connect to the official Ledger Live software.
- Only a genuine Ledger HW can connect to Ledger servers and install official apps or firmware from the LL App Manager.

If Betnomi modified their Ledger devices, you should notice that the things I mentioned above won't work.  
And I also dreamed of winning one of these devices in the raffle of betnomi Smiley As a memento. After their exit scam, this little thing became really memorable. For their former clients.

In theory, it is possible that the HW devices sent by the betnomi may be modified. But in practice, they would hardly bother (although who knows). I think that the betnomi has already made good money with their exit scam that they don’t need to take extra actions with devices, and this would require bothering with modification (mind, of each hardware wallet). As far as I understand, there were not so many such devices (for raffles), which means that it was not so much possible to earn in such a fraudulent way (compared to an exit scam gambling platform). That is, the ratio of time / resource costs with possible profitability is incommensurable.
legendary
Activity: 2730
Merit: 7065
Did you maybe link to the wrong sources? Your sources [3] and [4] are exactly the same. Source [5] refers to the old and discontinued Ledger Blue.

And in the future, this "improvement" of theirs will automatically send the contents of users wallets to wherever they want in ledger?
Despite their recent history, they can still turn things around and advertise this upcoming Recover feature as something extraordinary and worth using for newbies. We will see how that goes. Going down the road that you proposed is sure death to Ledger and I don't think they are that stupid.

The question to all of your is, do you think that ledgers can be modified by them so they can acces and steal al your coins?
Fake Ledger devices do exist, and we even had cases where individuals whose data got leaked had such devices shipped to them to their home addresses. But everything about those HWs was fake. If you opened them up, they had different hardware components compared to the examples Ledger has on its website. They also instructed the users to download and install fake Ledger Live software and not the official versions. Fake firmware was also part of the game.

- A genuine Ledger HW looks as shown on the pictures above.
- Only a genuine Ledger HW works and can connect to the official Ledger Live software.
- Only a genuine Ledger HW can connect to Ledger servers and install official apps or firmware from the LL App Manager.

If Betnomi modified their Ledger devices, you should notice that the things I mentioned above won't work. 
sr. member
Activity: 616
Merit: 314
CONTEST ORGANIZER
I just see this because you already bump the thread, its something related but for all of you, that are not nearby gambling threads, we ahve here, a very rare exit scam made by Betnomi.

THe thing is they send some ledger to some users in some predictions made by them.

It took some time to get it, but it finally came last week.
I had no time to post about it because I spent the whole month traveling, but here goes:



Thanks Betnomi! ❤️️
Too late, they are long gone LOL
The story of Betnomi.com (Exit Scam) : This is something fresh for you to study.

By the way, don't cry later if the ledger wallet steal your crypto, who knows may be Betnomi created a backdoor in that device and when you will store something they will steal it. Are you not aware of Ledger recent update 😉?

The question to all of your is, do you think that ledgers can be modified by them so they can acces and steal al your coins?
legendary
Activity: 1792
Merit: 1296
Crypto Casino and Sportsbook
~snip
Perhaps this information is not important enough to create a new topic, as you claim, but it is still a very important detail for ledger users.

I think in the future they will make it so that the old versions of ledger live will not work and their users will have no choice but to install the latest versions of this application, which, as you noticed, will already have an automatic update function built in.

And in the future, this "improvement" of theirs will automatically send the contents of users wallets to wherever they want in ledger?

It feels like the ledger live - ledger hardware wallet ecosystem is gradually becoming totally centralized.
legendary
Activity: 1148
Merit: 3117
(...)
My current Ledger Live version is a few months old, so I checked the release notes of the versions that the company released after the one I currently have installed. I wanted to see if there is anything there that would warrant an update. Turns out that the brainiacs behind Ledger made a change starting with version 2.64.1. They call it an improvement. This "improvement" of theirs automatically downloads (and surely installs) new versions of Ledger Live in the background without asking the user or requiring that the user does it.
(...)
Can't say that I'm surprised as we've talked about this moves in the past - Ledger would silently start implementing procedures that would make the users inevitably update to newer software updates (either their Ledger Live app or their Firmware).

On similar news, Ledger has also recently advanced in their "open source" roadmap[1] - starting from August 7th[2] - they have open sourced their dashboard which supposedly plays a key role in their "recover" feature.They also shared some tools that allow to implement our own shard backup provider. Here[3] is the specific repository within Ledger GitHub page, along with documentation[4] and scripts[5]. We all know that this "open source" is very limited, but suffice to say that will surely trick some users out there thinking that Ledger went "open source"...

Is anyone able to find the "open source" of their dashboard?

EDIT: Corrected some links. Thank you @Pmalek

[1]https://github.com/LedgerHQ/recover-whitepaper
[2]https://support.ledger.com/hc/en-us/articles/360014980580-Ledger-Nano-X-firmware-release-notes
[3]https://github.com/LedgerHQ/blue-loader-python
[4]https://github.com/LedgerHQ/blue-loader-python/blob/master/README.md
[5]https://github.com/LedgerHQ/blue-loader-python/tree/master/ledgerblue
legendary
Activity: 2730
Merit: 7065
This isn't related to the Ledger Recover feature but also isn't significant enough for me to create a new thread about it. So I will just post it here.

My current Ledger Live version is a few months old, so I checked the release notes of the versions that the company released after the one I currently have installed. I wanted to see if there is anything there that would warrant an update. Turns out that the brainiacs behind Ledger made a change starting with version 2.64.1. They call it an improvement. This "improvement" of theirs automatically downloads (and surely installs) new versions of Ledger Live in the background without asking the user or requiring that the user does it.

So, if you prefer verifying the signatures of your downloads before installing them, the nice folks of Ledger have now made that impossible. You will first get the new update and after that revert back to an older version or do what you want with it. Maybe in the future they can install our firmware updates automatically as well, without us knowing.

Quote
When the latest version of the Ledger Live desktop app is available, it will now be automatically downloaded, same as the current experience on your Ledger Live mobile app, so the update will not interrupt you while using the app. You can revert to the previous setting by using older versions of the Ledger Live desktop app.
https://support.ledger.com/hc/en-us/articles/360020773319-What-s-new-in-Ledger-Live-?docs=true
legendary
Activity: 2730
Merit: 7065
Why would I bother when I can't do anything with it?

That's the point I'm making - not that I can't review the code, only that far fewer people will bother to do so since they can't use that code themselves.
That's totally subjective I think. In that case, the problem is in the people not wanting to do it, and not the license that hinders you. If you want to, you have what you need to fork the code and use it on your own software. But do it privately and for your own benefit without making anything public. Who is going to stop you? 
legendary
Activity: 2268
Merit: 18748
Why exactly can't you analyze every line of it if it pleases you?
Why would I bother when I can't do anything with it?

That's the point I'm making - not that I can't review the code, only that far fewer people will bother to do so since they can't use that code themselves.
legendary
Activity: 2730
Merit: 7065
But it is equally fine for people like me to point out that doing so means fewer eyes on the code therefore less security...
...Coinkite locking down their code so it cannot be used by anyone else.
I think these two parts of your post mean totally different things. Please tell me how you or anyone else can't scrutinize the Coldcard code and find issues with it if they exist?
Yes, you can't use the code in your own software, sell it, releases it with such code, etc. Why exactly can't you analyze every line of it if it pleases you?
legendary
Activity: 2268
Merit: 18748
If they're building on other GPL software, they have to keep the same license for their own software:
According to their changelog, they first applied MIT-CC on everything that wasn't under GPL, and then worked to remove all GPL code so everything could be under MIT-CC.

If nvK wants to protect his intellectual property by protecting unique snippets, I don't see a problem with it as long as it's available to the public for scrutiny.
It is of course fine if he wants to do that. But it is equally fine for people like me to point out that doing so means fewer eyes on the code therefore less security, as well as pointing out it is bad for the space in general. Bitcoin is about freedom. If I'm buying a hardware wallet, I'm picking a company which aligns with that ethos, not Trezor paying blockchain analysis to spy on you, and not Coinkite locking down their code so it cannot be used by anyone else.
legendary
Activity: 2730
Merit: 7065
I'm no expert on the code, the licensing, or where the code originated, but having included features like (for example,) Bip85 (deterministic seed phrases that are backed up by the primary seed, which is a pretty slick feature,) could justify changing the licensing due to those features.  If nvK wants to protect his intellectual property by protecting unique snippets, I don't see a problem with it as long as it's available to the public for scrutiny.
I understand the reasoning of both camps. Those who say it's unethical to use open-source code to inspire you to build your own software, only to prevent others from doing the same and using your code in their products are right. It is. But if his product is superior in any ways, or he thinks it is, I understand why he would want to protect it. Business is cold, emotionless, and sometimes doesn't know logic and reasoning. If someone feels there is a breach of licensing agreements, sue him. Can it even be done?   
copper member
Activity: 2338
Merit: 4543
Join the world-leading crypto sportsbook NOW!
Coldcard also built on many open source libraries (not just Trezor's) when they designed their product. For them to start whining about people building up their open source library is just pure hypocrisy.
Are they even allowed to change from GPL to MIT license?
If they're building on other GPL software, they have to keep the same license for their own software:
GNU General Public License (GPL): The GPL is one of the most well-known open source licenses. It is considered a restrictive license, as it requires that any changes made to the code must be released under the same GPL license, and any software that uses the code must also be released under the same GPL license. Additionally, if a user distributes the software, they must also provide the source code and any changes they made to it.

I think that's true, but the ColdCard offers more features than any other hardware wallet I've used.  I'm no expert on the code, the licensing, or where the code originated, but having included features like (for example,) Bip85 (deterministic seed phrases that are backed up by the primary seed, which is a pretty slick feature,) could justify changing the licensing due to those features.  If nvK wants to protect his intellectual property by protecting unique snippets, I don't see a problem with it as long as it's available to the public for scrutiny.
Pages:
Jump to: