Topic: @theymos - Time to update the current Ledger situaion @ Important Announcements? (Read 641 times)

legendary
Activity: 2394
Merit: 1216
The revolution will be digital
I didn't look into this deeply, but my understanding is that it's opt-in. Do we know that people using Ledger are being put at significant additional risk just by upgrading their firmware, if they don't opt into any backup stuff?

Ledger compromised again. Embarrassed

https://twitter.com/Ledger/status/1735291427100455293
legendary
Activity: 1162
Merit: 2025
Leading Crypto Sports Betting & Casino Platform
I am in favor of this proposal brought onto the table by OP. Not only because it is a measure by Ledger that goes against everything Bitcoin and decentralization stand for, but also because of the magnitude and size of Ledger as a provider of hardware wallets.

This is not a small independent provider which had this nefarious idea, Ledger is allegedly the biggest maker of those "security devices".

The more people we can make aware of the oxymoron they try to push down our throats, the better. And Important Announcements should help enough. Such sad days for enthusiasts of HW.  Sad
hero member
Activity: 1456
Merit: 940
🇺🇦 Glory to Ukraine!
I found a great post on Reddit that effectively summarizes the current state of affairs regarding the Ledger devices. All the points mentioned in the post appear to be factually correct, as far as I can tell:

Q: Am I dumb to stay with ledger?

A: YES.

This isn't just about typical pros and cons of this wallet or that wallet.

Ledger told us our keys never leave the secure element of our hardware wallets. They assured us no firmware update would enable our keys to be extracted from our hardware wallets.

Here's the promise they made, again and again, for years.

Quote
Hi - your private keys never leave the Secure Element chip, which has never been hacked. The Secure Element is 3rd party certified, and is the same technology as used in passports and credit cards. A firmware update cannot extract the private keys from the Secure Element.
SOURCE: @Ledger 8:12 AM · Nov 15, 2022

Now, they admit that was a lie:

Quote
yes a firmware update can extract the seed
SOURCE: u/murzika, Ledger Co-Founder, Former CEO, and Former Chairman

And because their firmware isn't fully open, we have no way of knowing if there's a backdoor to enable key extraction even if we don't opt in to their new key extraction service:

Quote
There's no backdoor and I obviously can't prove it
SOURCE: u/btchip, Ledger owner & co-founder

And it's not like we can trust their security.

Quote
Ledger wallet users face mounting home invasion and other scareware threats as hacker dumps private customer information online.
SOURCE: Cointelegraph, December 24th, 2020

What's the worst that could happen, aside from a hacker getting access to your keys due to another Ledger security breach?

Quote
If you are a Recover user and have your shards safeguarded by third parties, then yes, a government could subpoena them and get access to your funds. Using Recover gives you an easy recovery option and mitigates backup loss, but your assets could get frozen by the government
SOURCE: u/murzika, Ledger Co-Founder, Former CEO, and Former Chairman

Your assets could get frozen by the government. He said it.

Quote
As I said above, if you are referring to Ledger Recover, I said government could get access to the backups of a user, as it's only a matter of law and is about one user
SOURCE: u/murzika, Ledger Co-Founder, Former CEO, and Former Chairman

The government could get access to the backups of a user. He said it.

Quote
If you are referring to Ledger Recover, a joint government task force could access a user's recovery backup. I mean it's just a question of law, two shards could be subpoenaed even if they are each in a different jurisdiction.
SOURCE: u/murzika, Ledger Co-Founder, Former CEO, and Former Chairman

So, to answer your question: Are you dumb to just stick with ledger through this whole mess?

YES.

Source: https://www.reddit.com/r/ledgerwallet/comments/13m77q2/comment/jkucji0/
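The "two shards could be subpoenaed" point in the quoted post is just threshold secret sharing: in a 2-of-3 split, any two custodians together reconstruct the seed, while one custodian alone learns nothing about it. The Python below is an added illustration written for this thread, not code from Ledger or from the post's author; it is textbook Shamir sharing over a prime field and assumes nothing about Ledger's real encryption or sharding format, using constructed sample values and placeholder custodian names.

```python
import secrets
from itertools import combinations

# Field prime for the arithmetic. This is the secp256k1 base-field prime,
# chosen only because it is a well-known 256-bit prime larger than any
# 256-bit seed entropy value; the scheme itself has nothing to do with the curve.
P = 2**256 - 2**32 - 977


def split_secret(secret, threshold, shares, rng=secrets.randbelow):
    """Shamir split: evaluate a random degree-(threshold-1) polynomial f
    with f(0) = secret at x = 1..shares. Returns [(x, f(x)), ...]."""
    if not (0 <= secret < P and 1 <= threshold <= shares < P):
        raise ValueError("bad parameters")
    coeffs = [secret] + [rng(P) for _ in range(threshold - 1)]

    def f(x):
        return sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P

    return [(x, f(x)) for x in range(1, shares + 1)]


def recover_secret(points):
    """Lagrange interpolation at x = 0 over GF(P). Needs at least `threshold`
    distinct points; with fewer, the result is simply wrong, not an error."""
    total = 0
    for xi, yi in points:
        num, den = 1, 1
        for xj, _ in points:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def fabricate_partner(share, claimed_secret, other_x):
    """For a 2-of-3 split, a single share (x1, y1) is consistent with EVERY
    secret s': the line through (0, s') and (x1, y1) is unique, so a second
    point on it can always be produced. Returns that second point. This is
    why one custodian (or one subpoena) learns nothing, but two suffice."""
    x1, y1 = share
    slope = (y1 - claimed_secret) * pow(x1, P - 2, P) % P
    return (other_x, (claimed_secret + slope * other_x) % P)


# Constructed example values: 256 bits of entropy standing in for the secret a
# device would back up (not a real seed), and placeholder custodian names.
SEED_ENTROPY = int.from_bytes(bytes(range(32)), "big")
CUSTODIANS = ["custodian-A", "custodian-B", "custodian-C"]


def demo():
    shares = split_secret(SEED_ENTROPY, threshold=2, shares=3)
    held = dict(zip(CUSTODIANS, shares))
    # Any two custodians together reconstruct the secret.
    for a, b in combinations(CUSTODIANS, 2):
        assert recover_secret([held[a], held[b]]) == SEED_ENTROPY
    # One custodian alone learns nothing: its share fits any candidate secret.
    lone = held["custodian-A"]
    bogus = 0xDEADBEEF
    partner = fabricate_partner(lone, bogus, other_x=2)
    assert recover_secret([lone, partner]) == bogus
    return shares


if __name__ == "__main__":
    demo()
    print("2-of-3 recovery works; a single share is uninformative")
```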
legendary
Activity: 3234
Merit: 5637
Blackjack.fun-Free Raffle-Join&Win $50🎲
~snip~

Bitcointalk has no direct connection with Electrum either, but a warning to all users was still issued when a vulnerability was discovered that proved fatal for many. Although this is not an identical situation, people should be warned about the potential risk that comes with using hardware wallets given the new information that has come to light recently.
legendary
Activity: 1722
Merit: 2213
Ultimately bitcointalk has no relationship, partnership or otherwise with Ledger. Therefore there is no reason for this to be an important announcement from bitcointalk, even if it is indeed an important announcement for Bitcoiners. The only announcements that are important for the forum directly are those related to it, such as Bitcoin Core updates (as this remains the official forum) or otherwise forum-based news.
legendary
Activity: 2212
Merit: 7064
Can we ever trust what people from Ledger say anymore?
Only a few months ago, they claimed something completely different.
I never trusted them after many fiascos they had, leaking customer information multiple times, low quality check of their devices, battery issues, short support for older devices, closed source, etc...
That being said, we should be very careful with all other hardware wallet manufacturers; they can turn on users and make deals with the devil in the same way as Ledger.
A big red flag should be when manufacturers start to collect millions and billions of dollars from different companies.

I hadn't seen this before, and it makes me wonder: if Bob got his hands on Alice's Ledger, would it be possible to upgrade the firmware and upload it online? I always thought the whole point of a hardware wallet is to make it impossible for private keys to touch the internet, but now it's starting to look like an expensive hot wallet.
This is what ledger claimed before, but now they are changing tune with different ''song''.
They turned impossibility into new feature  Roll Eyes

It strikes me as very unlikely that anything related to this is going to cause widespread losses anytime soon, so I don't think that an Important Announcement is necessary.
Probably, but many people could still lose privacy, and mystery sharding encryption was never verified by anyone.

I edited Ledger out of my "do not keep your money in online accounts" post. I still want to recommend some hardware wallet which is fairly easy-to-use, so I left Trezor in, even if it may not be perfect.
I think currently the best open source wallet could be Passport by Foundation.
It is a 100% Bitcoin-only device with open source code and a reasonable price compared to the Trezor Model T.
No shitcoins listed there (unless someone makes community project support), and it's a quality device assembled in the US.
legendary
Activity: 2800
Merit: 2736
Farewell LEO: o_e_l_e_o
I edited Ledger out of my "do not keep your money in online accounts" post. I still want to recommend some hardware wallet which is fairly easy-to-use, so I left Trezor in, even if it may not be perfect.
It was the right move. We don't need anything that could create controversy.

I'm not as bothered by the whole idea of an opt-in centralized recovery thing as a lot of people seem to be, but this quote in particular is pretty damning because it shows that Ledger was/is either incompetent or lying.

Unfortunately, they are both, there is no need to doubt that because their actions speak for themselves. Although it seems to me that there is something else, and that is the possibility that both companies that have positioned themselves as leading manufacturers of hardware devices suddenly make very strange decisions, possibly under someone's pressure. The US is waging its own battle against "cryptocurrencies", and it seems that the EU is not sitting idly by on this issue either.
I guessed it when I first discovered the discussion.

Let me guess, it's those who are printing notes and doing everything from the taxpayers' money.
US, EU, Middle East, Australia, East Africa are all the same. If the EU was sitting idly, then how would we have seen ChipMixer go down?
hero member
Activity: 882
Merit: 792
Watch Bitcoin Documentary - https://t.ly/v0Nim
I'm not as bothered by the whole idea of an opt-in centralized recovery thing as a lot of people seem to be, but this quote in particular is pretty damning because it shows that Ledger was/is either incompetent or lying.

Unfortunately, they are both, there is no need to doubt that because their actions speak for themselves. Although it seems to me that there is something else, and that is the possibility that both companies that have positioned themselves as leading manufacturers of hardware devices suddenly make very strange decisions, possibly under someone's pressure. The US is waging its own battle against "cryptocurrencies", and it seems that the EU is not sitting idly by on this issue either.
EU is doing worse than any union or country alone, next direction is North Korea, see this Chat Control by the EU.

You know, a fortress can only be destroyed from the inside; this has been a strategy, a long-term strategy. Hardware wallets are giant wooden horses, Trojan Horses!
legendary
Activity: 3234
Merit: 5637
Blackjack.fun-Free Raffle-Join&Win $50🎲
I'm not as bothered by the whole idea of an opt-in centralized recovery thing as a lot of people seem to be, but this quote in particular is pretty damning because it shows that Ledger was/is either incompetent or lying.

Unfortunately, they are both, there is no need to doubt that because their actions speak for themselves. Although it seems to me that there is something else, and that is the possibility that both companies that have positioned themselves as leading manufacturers of hardware devices suddenly make very strange decisions, possibly under someone's pressure. The US is waging its own battle against "cryptocurrencies", and it seems that the EU is not sitting idly by on this issue either.
administrator
Activity: 5222
Merit: 13032
It strikes me as very unlikely that anything related to this is going to cause widespread losses anytime soon, so I don't think that an Important Announcement is necessary.

Tweet by Ledger from 6 months ago:

Hi - your private keys never leave the Secure Element chip, which has never been hacked. The Secure Element is 3rd party certified, and is the same technology as used in passports and credit cards. A firmware update cannot extract the private keys from the Secure Element.

I'm not as bothered by the whole idea of an opt-in centralized recovery thing as a lot of people seem to be, but this quote in particular is pretty damning because it shows that Ledger was/is either incompetent or lying.

I edited Ledger out of my "do not keep your money in online accounts" post. I still want to recommend some hardware wallet which is fairly easy-to-use, so I left Trezor in, even if it may not be perfect.
legendary
Activity: 2268
Merit: 18748
I think we all know about the Wasabi debacle, but my goodness, Trezor is surveilling stuff too?
They have partnered with Wasabi and implemented Wasabi's permissioned and censored coinjoins directly in to Trezor suite.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
Why no important announcement about Trezor/Wasabi's government sanctioned surveillance and censorship?

I think we all know about the Wasabi debacle, but my goodness, Trezor is surveilling stuff too?
legendary
Activity: 2268
Merit: 18748
I'm not going to rehash my statements from the main thread about this, as I've been pretty clear over there what a complete disaster this is and how Ledger have obviously been blatantly lying in the past. In my opinion no one should ever touch another Ledger device again.

However, why are we singling out this even for an important announcement? Why no important announcement about Trezor's unfixable seed extraction vulnerability? Why no important announcement about Trezor/Wasabi's government sanctioned surveillance and censorship? Why no important announcement about Coinomi sending seed phrases to Google servers? What about Block's hardware wallet which is specifically built on this exact idea of sending your seed phrase to a bunch of third parties? And if people are so concerned about the fact your private keys can be extracted from the secure element in Ledger wallets, then what about all the hardware wallets which don't even have a secure element in the first place? They are just as risky.

There are a plethora of critical vulnerabilities and horrible business decisions out there that we don't have announcements about. Why do we need an announcement about this one specifically?
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
I didn't look into this deeply, but my understanding is that it's opt-in. Do we know that people using Ledger are being put at significant additional risk just by upgrading their firmware, if they don't opt into any backup stuff?

A rogue insider might publish a signed malicious firmware and Ledger Live app that simply extracts the seeds from the Secure Chip and sends them to their private server.

Quote
An even safer option, which you should definitely consider if you have a lot of crypto assets, is to use a hardware wallet such as Trezor or Ledger.

I'm starting to regret having this published in the latest bulletin and would rather have the bolded part deleted entirely.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
I didn't look into this deeply, but my understanding is that it's opt-in. Do we know that people using Ledger are being put at significant additional risk just by upgrading their firmware, if they don't opt into any backup stuff?
I hadn't seen this before, and it makes me wonder: if Bob got his hands on Alice's Ledger, would it be possible to upgrade the firmware and upload it online? I always thought the whole point of a hardware wallet is to make it impossible for private keys to touch the internet, but now it's starting to look like an expensive hot wallet.
legendary
Activity: 1596
Merit: 1288
Wait what? Isn't a hardware wallet a self-custody one? I never used one, but if a third party has any control over the funds or their safety, people should dump them into the trashcan. KYC for a bitcoin wallet? Seems they are moving towards the Eth foundation mindset.

There are many who think of bitcoin as an investment and are afraid even to keep the seeds; they think it is a big risk, and therefore the idea of having a third party that enables you to get your money back will be attractive to many of these beginners.
It seems that most of the buyers of this HW are from these people; unfortunately, the market is what moves these companies and not what you want.

KYC for bitcoin wallet? Seems they are moving towards Eth foundation mindset.

Ledger Recovery will contain a form of identity verification
legendary
Activity: 3472
Merit: 3507
Crypto Swap Exchange
They are also forcing firmware update that includes this ''feature'' so you can't escape this if you are using ledger nano X (for now).

This is what ledger co-founder aka reddit moderator btchip said:

Can we ever trust what people from Ledger say anymore?
Only a few months ago, they claimed something completely different.

Tweet by Ledger from 6 months ago:

Hi - your private keys never leave the Secure Element chip, which has never been hacked. The Secure Element is 3rd party certified, and is the same technology as used in passports and credit cards. A firmware update cannot extract the private keys from the Secure Element.
copper member
Activity: 1330
Merit: 899
🖤😏
Wait what? Isn't a hardware wallet a self-custody one? I never used one, but if a third party has any control over the funds or their safety, people should dump them into the trashcan. KYC for a bitcoin wallet? Seems they are moving towards the Eth foundation mindset.

Never ever vouch for third party service providers, especially if they are involved with wallets!
legendary
Activity: 2800
Merit: 2736
Farewell LEO: o_e_l_e_o
~snip~
Maybe someone can link us the topic. Sorry, I am not good at searching forum stuff.

The link to the board is in the OP, and the topic you are referring to is at the very top -> Reminder: do not keep your money in online accounts
Thanks Lucius.

Quote
[...] if you have a lot of crypto assets, is to use a hardware wallet such as Trezor or Ledger.
https://bitcointalksearch.org/topic/reminder-do-not-keep-your-money-in-online-accounts-5421039
I would suggest theymos edit the Ledger part. We don't want anything that is highly skeptical to trust. Not after what is happening right now surrounding the update from these scammers. I feel like they betrayed us all. We have no idea what they have in that closed source code. They can not be trusted anymore.
legendary
Activity: 2212
Merit: 7064
I guess, it would be worthwhile to give an update in Important Announcements and link it below the forum menu as Important Announcement for Ledger Users.
I don't think we need to have any ann in forum for that, everyone already knows what happened with ledger, and I was spreading truth about ledger for years  Cheesy

I didn't look into this deeply, but my understanding is that it's opt-in. Do we know that people using Ledger are being put at significant additional risk just by upgrading their firmware, if they don't opt into any backup stuff?
Nobody knows what the heck is going on in that closed source black box, and they publicly admitted that encrypted shards will be sent to different companies (read partners) but people can choose to opt out.
Problem is that we don't know how all this crap works, since everything is closed sourced, so we have to trust their hidden encryption, and people will have to perform some kind of KYC and send personal documents.
They are also forcing firmware update that includes this ''feature'' so you can't escape this if you are using ledger nano X (for now).

This is what ledger co-founder aka reddit moderator btchip said:


legendary
Activity: 3234
Merit: 5637
Blackjack.fun-Free Raffle-Join&Win $50🎲
~snip~
Maybe someone can link us the topic. Sorry, I am not good at searching forum stuff.

The link to the board is in the OP, and the topic you are referring to is at the very top -> Reminder: do not keep your money in online accounts
I didn't look into this deeply, but my understanding is that it's opt-in. Do we know that people using Ledger are being put at significant additional risk just by upgrading their firmware, if they don't opt into any backup stuff?

Ledger claims that it is exactly so, but my opinion (as well as many others') is that this company can no longer be trusted, because what they do is the complete opposite of what every hardware wallet represents: that the seed can never leave the device in such a way that it can be sent electronically, regardless of whether it is by voluntary consent or through the possibility that someone inside the company or some hacker can use it.

The risk definitely exists, even for those who decide to use this service, because regardless of the way to protect such sensitive information (seed), it is just an additional risk that is also paid $9.99 per month, and requires KYC. We can only guess what the possible implications are for those who will use the new firmware without this option, but I think that people should be warned about what is happening.
administrator
Activity: 5222
Merit: 13032
I didn't look into this deeply, but my understanding is that it's opt-in. Do we know that people using Ledger are being put at significant additional risk just by upgrading their firmware, if they don't opt into any backup stuff?
legendary
Activity: 1372
Merit: 2017
I tend to agree with OP on this one, given how popular Ledger wallets are and how big this story is.

For me it was more important the Ledger Database Leak, twice at least, and I don't see anything in that section although there is a thread about the MtGox database leak. At the end of the day this is a voluntary thing.
legendary
Activity: 2800
Merit: 2736
Farewell LEO: o_e_l_e_o
@theymos In the above situation, I guess, it would be worthwhile to give an update in Important Announcements and link it below the forum menu as Important Announcement for Ledger Users.
If I am not wrong there is a topic for Newbie created by theymos where he recommended Ledger to have for better security of the funds. I think that post or topic need an update too.

Maybe someone can link us the topic. Sorry, I am not good at searching forum stuff.
legendary
Activity: 3528
Merit: 7005
Top Crypto Casino
I tend to agree with OP on this one, given how popular Ledger wallets are and how big this story is.  There might be people who aren't members of the forum doing google searches about this unholy debacle and who might find their way here for some good discussion about it--and guaranteed it'll be better than Reddit.

There have been a lot of important things that have happened in the world of bitcoin that don't warrant mention in the important announcements section, but man....I seriously think this ought to be one of them.  This whole situation is fucked, and I really should have listened to dkbit98 a long time ago.
legendary
Activity: 1596
Merit: 1288
@theymos In the above situation, I guess, it would be worthwhile to give an update in Important Announcements and link it below the forum menu as Important Announcement for Ledger Users.

I think that board is like other boards except only donors/VIP/Staff can post, and it is not a bug/backdoor related to the open source Bitcoin wallet in the first place.
And if we go back to the number of views, it is the lowest compared to any other board. Only 4004 views for the last topic.
Posting there will not increase the awareness campaign for all.
legendary
Activity: 1372
Merit: 2017
What would be the important announcement then? That Ledger is a shitty company that has not only been so careless that it has let its customers' data be stolen several times but is also going to implement a program that goes against the principles of bitcoin and what a HW should be?

It's a topic worthy of debate but they're not going to send anyone's seeds if they don't pay, at least in theory.

This is a paid feature so it's not sending your seed phrase anywhere unless you pay $9.99 per month for it (which is a dumb subscription).

Seeing that the last thread in Important Announcements was: Reminder: do not keep your money in online accounts and that the previous ones were 4 years before that, I don't see the issue as important, but maybe theymos does.
legendary
Activity: 2394
Merit: 1216
The revolution will be digital