Bitcoin Forum
June 19, 2024, 03:23:21 AM *
  Show Posts
2261  Bitcoin / Electrum / Re: static or mempool for withdrawal on: June 05, 2023, 07:07:22 PM
People worry unnecessarily if they don't see a quick confirmation. It's only a problem if you have a deadline or a payment window, during which the transaction must be confirmed. Be extra careful about those kinds of transactions. In cases where you are sending to yourself, there is no reason to be in a hurry or stress yourself if the transaction will be confirmed in 1 hour or 1 week. It's your money going from one of your wallets to another one. It will either confirm or be dropped and you can try again.
2262  Bitcoin / Hardware wallets / Re: Ledger Recovery - Send your (encrypted) recovery phrase to 3rd parties entities on: June 05, 2023, 06:51:38 PM
Theoretically, hackers can make a patch for Ledger Live to intercept the encrypted Seed, which is divided into 3 parts. Of course, without the decryption key stored on the Ledger, they can't do anything.
How can the encryption key be stored on your Ledger device, if you can recover your crypto on any other Ledger HW of your choosing? The other devices can't hold your encryption key. The original hardware device maybe, but it looks like Ledger gets a copy of it. How else do you explain recovering crypto on Ledger #2 if Ledger #1 that encrypted the shards is no longer working/in your possession? Either Ledger has the keys or the encryption key is also somehow shared among all custodians.

To name just a few of them like Passport (around $200), Keystone (around $100), and maybe even others that are cheaper and based on Trezor code but with secure element.
A secure element like in the Ledger or a similar chip that relies on whether or not the developers write the necessary code that makes code extraction possible? The one good thing in all this is that Ledger has proven that secure elements are not to be trusted and aren't safe. Not in a Ledger or any other hardware wallet.
2263  Economy / Gambling discussion / Re: What kind of rewards/bonuses do you prefer? on: June 05, 2023, 06:15:40 PM
It seems that we can only find RTP in slot games and I have never found RTP in games other than slots.
All casino games have payout percentages, house edge, or RTP rates. It's just a matter of how they call it and whether and where they make the data public. In fact, slot games are casino products with the worst odds of winning for the player. The average is between 95-97%. On the other hand, popular card game variants can go above 99%. That's one of the reasons why casino bonuses are tied to slot game wagering and not blackjack, for example.
2264  Bitcoin / Bitcoin Discussion / Re: Best open source hardware wallets for BTC? on: June 05, 2023, 06:06:56 PM
Ledger is sacrificing the privacy of all users with updates that no one really needs.
A clear vision and mission for open-source wallets will be a sign of how they will be in the future.
The privacy is the smaller of two big problems that Ledger is creating. The second one is the security. You are not only sharing your KYC data with some companies and organizations in the UK, USA, and France, you are sharing shards of your seed as well.   

As for the vulnerability of their devices, it can probably still be fixed with some further development.
That's the thing, it can't. Their hardware vulnerabilities are unfixable for the Model One and Model T.


The Ledger cannot be compromised if, after the update, you did not click "YES" when the question appeared there - "Whether to add a recovery function".
If you clicked NO, then the Ledger remains in the previous state. Without the possibility of remote recovery by other people.
In theory, it's you who has to agree with sharding and sharing your seed. In reality, no one knows. It's a matter of trust and this time it's too dangerous.

I understand the solution you are suggesting. But how and how can we assemble a hardware wallet for ourselves? How is it that an ordinary person like me, who knows nothing about hardware engineering or basic assembly techniques, can do it on my own?
Don't do it yourself if you are not comfortable with it. Building your own HW and signing devices is for the more advanced users. You can always opt for an airgapped solution if you have a spare desktop device somewhere. 
2265  Bitcoin / Hardware wallets / Re: Ledger Recovery - Send your (encrypted) recovery phrase to 3rd parties entities on: May 29, 2023, 12:43:32 PM
It would be really interesting to get the opinion of an expert in this field. I might send an email to Joe Grand to see what his thoughts on the matter are.

The buttons feed in to the MCU, not to the secure element. The MCU is where the firmware is installed.
According to the Ledger Developer Portal source you shared, the firmware is in the secure element chip, not the MCU.

Quote
Furthermore, the Secure Element is also split into two parts: the firmware which is under NDA and is therefore closed-source, and the SDK & application-loaded code which is open source friendly.
 

If Ledger can write firmware which says "Perform action x if confirmed by a button press", then I see no reason they can't write firmware which simply says "Perform action x".
Wouldn't the same be true for all other events, like broadcasting/sending transactions? Then we are back to trust where we have to "hope" they won't do it. Is Ledger the only company with such an architecture and how is it handled elsewhere?

Based on the info below, the MCU is instrumental for all actions, which makes sense because it's the brains of the whole product. The SE is the safety deposit box.

Quote
The MCU sends an Event (button press, ticker, USB transfer, …).
The SE responds with a list of zero or more Commands in response to the Event.
The SE sends a Status indicating that the Event is fully processed and waits for another Event.

If I understand it correctly, the MCU has to ask for the keys, and the SE has to confirm it. The question now is can the optional access by the user be circumvented with the correct code, where their cooperation isn't required? 
2266  Bitcoin / Hardware wallets / Re: Ledger Recovery - Send your (encrypted) recovery phrase to 3rd parties entities on: May 29, 2023, 09:42:50 AM
And to my knowledge the hardware buttons of a Ledger Nano are completely software controlled. The buttons are not directly wired to the Secure Element where most of Ledger's firmware magic happens. The MCU controls the display and the buttons and proxies user interactions to the Secure Element. It's the firmware that decides what to do when you press a Ledger button. As the firmware is a black box what exactly prevents Ledger to not need your button press? ... Exactly: nothing! It's their secret sauce code...
This is the exact point I've been making:

Given that a simple software update means the secret element can now export private keys, then a simple software update could make this feature mandatory, or could remove the need for any physical button presses, or could take everyone's private keys without their knowledge or consent. The whole point of the secure element is moot. The entire security of the device hinges on non malicious software.
I doubt Ledger would ever admit that they could remove that physical confirmation any time they want, but are you both 100% sure that's how it works? You have no code to back that up, the same way Ledger hasn't made any available to show that they can't. Can the user's confirmation really be worked around that easily, and if they have malicious intentions, why would they simply not do it instead of telling us that they will?
2267  Bitcoin / Hardware wallets / Re: Trezor hacked (again) on: May 29, 2023, 09:17:20 AM
There are no official sellers in Russia. Intermediary only, and buying for $220 will not guarantee buying an official wallet.
Trezor doesn't have an official reseller in Russia, you are right about that. But they have one in Belarus. Intersafe Trade Ltd (https://satoshi-shop.by).

There are also two in Ukraine:
Lwallet - https://lwallet.com.ua
BITWALLET LLC - https://trezor.io/bitwallet.com.ua

There is one in Georgia.
Ravestag LLC
https://ravestag.app/

I am sure you could order one from Belarus if you want to. The shops in Ukraine might not be willing to ship to Russia due to the ongoing war.
2268  Bitcoin / Hardware wallets / Re: Show off your hardware wallet on: May 29, 2023, 09:04:43 AM
<Snip>
It's interesting. Nevertheless, that's not a hardware wallet. We could refer to them as paper wallets in card format. A type of cold storage maybe, but not a hardware wallet. I would like this thread to be solely about hardware wallets, past and future. Preferably, devices that are still in use by Bitcointalk users.
2269  Bitcoin / Hardware wallets / Re: Ledger Recovery - Send your (encrypted) recovery phrase to 3rd parties entities on: May 28, 2023, 11:53:07 AM
Either it's a simple fabrication, or Ledger knows exactly how much someone has on their devices, which means that they log all the data from the device every time such a device is online.
It wouldn't be surprising that they did. After all, they want to know how much money their customers trust them with. I am not justifying the action, simply explaining what I believe is happening. If Electrum servers can find out loads of information about connected wallets, there is no reason not to think that Ledger's servers can't as well.

That has happened in 2019, do they still suffer from the same problem?
Yes, because it's an unfixable hardware defect that can't be ironed out with software patches. It was always there and will always be there for the models One and T in their current forms. 

Btw they removed the support of AOPP but yeah, what you say about them is true.
They removed support following the negative comments surrounding it, but didn't mind signaling support for it.

It's interesting to know what you think about Coldcard or do you think that no hardware wallet is trustable and airgapped encrypted devices are the only last and one devices to use.
ColdCard is an airgapped wallet. You can work with PSBTs and import/export them with the help of an SD card for example. The device is not open-source but has public and verifiable code. It's better than standard USB-connected hardware wallets.
2270  Bitcoin / Electrum / Re: How to speed up btc transfers on: May 28, 2023, 08:24:09 AM
Isn't that the same thing? Having an adjustable fee even within a ranging system of 1,2,5,10...300 sat/vbyte. What other customisation can one need than that.
Full fee customization means that I can pick any number I want, not the ones the software specifies. If it goes 1, 2, 5..., where is the 3 and 4? Not only that, but maybe I would like to pay 5.5 sat/vByte and not 5 or 6. Electrum mobile doesn't allow me to do that. It's not that important if you are sending a transaction and paying 70 or 70.5 sat/vByte. But back when the fees were low, there was a big difference between 1 and 2 sat/vByte. Even a 1.5 sat/vByte is 50% more expensive than a transaction paying only 1 sat/vByte. On Electrum's desktop version, I could pay 1.1 sat/vByte and have priority over anyone paying only 1 sat, but still save money compared to what I would have spent if I paid 2 sat/vByte.

Consolidating inputs can also help to lower the fees. It is always a good idea to regularly consolidate our inputs unless it is a cold wallet. CMIIW.
Consolidating is OK when the network conditions allow it. It gets quite expensive in situations like what we have witnessed with the Ordinals.
2271  Economy / Gambling discussion / Re: What kind of rewards/bonuses do you prefer? on: May 28, 2023, 07:41:35 AM
I like bonuses that aren't tied to unreachable wagering requirements of 40x and more when we are talking about casino games. There seems to be too much focus on bonus offers for slot games (I know why). Still, I would prefer a nice push for live dealer games and offerings with high RTPs.
Because I am a fan of sports betting and not casino games, I like free bets, bet boosters, and cashback on the whole turnover, not just the lost bets.   
2272  Bitcoin / Hardware wallets / Re: Trezor hacked (again) on: May 28, 2023, 07:35:26 AM
<Snip>
I seriously doubt that a device sold for $80-100 can be a genuine Trezor Model T. Unless someone stole them off a truck somewhere.
I wouldn't pay attention to things like packaging, holographic seals, or the content of the box. I think none of that is difficult to fake.

This is what you should be looking for.

- Trezors don't ship with pre-installed firmware. You have to install the firmware the first time you connect it to your computer. You get to choose between a multi-coin or bitcoin-only firmware. If your Trezor already has a firmware on it, it has already been used and/or is fake.
- You have to generate a seed on your own local machine. Never accept a seed that's already entered on your HW or filled out on the seed cards.
- Only a Trezor with a genuine Trezor-signed firmware can connect and communicate with the official Trezor Suite app. A fake firmware will be detected, and you won't be able to use the Trezor Suite.
- Never download Trezor Suite or the firmware from any website mentioned on any notes that are shipped together with your package. Any software must be downloaded and verified from the official website only (https://trezor.io/).  
2273  Bitcoin / Hardware wallets / Re: Ledger Recovery - Send your (encrypted) recovery phrase to 3rd parties entities on: May 28, 2023, 07:22:05 AM
What amazes me is the fact that Ledger is totally silent when faced with the fact[1][2][3] - or flaw - that is being able to restore your encrypted shards on any device. Do they consider their clients that ignorant regarding how seed phrases work?
But that's the whole point of the service. The ability for mothers and grandmothers to recover their coins on any device even if they lose their seed and misplace the original hardware wallet. Their claim that the decryption key is stored on your Nano's secure element makes no sense. How can the key be in device A and I still have everything I need to recover my coins on devices B and C? Together with their partners, they store all the essentials for successful recovery.

I should also note that Ledger Nano S will eventually[4] receive this "awesome" feature, per reply on their Reddit page.
No, not the Ledger Nano S. They aren't selling this model anymore and will eventually drop support for it. The Ledger Nano S Plus will have support for Ledger Recover. So far they haven't mentioned anything about the Ledger Stax.
2274  Bitcoin / Hardware wallets / Re: Show off your hardware wallet on: May 28, 2023, 07:07:28 AM
<Snip>
The pictures say that coinfriend was an exchange that had its own mining farm. They allowed you to purchase crypto and top up a crypto debit card directly. There is no mention of that hardware device, though. Looks like a USB-type of device. Does it even have a screen or buttons? What's the thing called?

The two sites in the pictures aren't live any longer. Wayback Machine has no archives of coinfriend.eu. bitcoinwalletcards.com has been archived several times. Under the hardware wallet section on one archive, I found two entries. One is called CardwalletBTC – Android App for Bitcoin Hardware Wallet Card and the other Bitcoin Hardware Wallet Card for Android App CardwalletBTC.

It seems like the same thing, just called differently. The product descriptions talk about a card and an app you can use at ATMs or to make online transactions. Doesn't help to figure out what that thing is.
2275  Bitcoin / Hardware wallets / Re: Ledger Recovery - Send your (encrypted) recovery phrase to 3rd parties entities on: May 27, 2023, 04:32:42 PM
Not in that particular reddit discussion, but that topic is partially covered in the Ledger Recover FAQs. I say partially because they don't go into details how the recovery is supposed to work if the original device is lost. Check the answer to the question "What if I lose my Ledger device that is associated with my Ledger Recover subscription?" o_e_l_e_o is surely on the right track here.
2276  Bitcoin / Hardware wallets / Re: GameBoy Hardware Wallet! on: May 27, 2023, 04:21:21 PM
In addition to what @Pmalek said, they are planning to also distribute it in their "GitHub repo", so with the necessary tools you can flash it by yourself.
If you have the necessary hardware, yes. As their GitHub page mentions, you'll need a flashing device for the job. No idea how much those cost and which ones are compatible. You also need a cartridge. Again, I am not sure if it needs to be an empty cartridge (where would you get one for Gameboy in 2023) or if you can use one you already own with a game on it.

It would surely be cheaper to buy the finished product if you stand there without the necessary tools to do the flashing yourself.
2277  Bitcoin / Hardware wallets / Re: Trezor hacked (again) on: May 27, 2023, 04:12:33 PM
When trading, it is sometimes necessary to receive cash or stablecoins. It is possible to send several thousand dollars to a bank account, but if you send several hundred thousand dollars to a bank account, your bank will have a lot of questions for you, and cash transactions for such amounts are not safe.
Well, if you are trying to conceal your fiat trades, I would suggest not sending such big amounts. They will, of course, sound all kinds of alarms because receiving hundreds of thousands of dollars is not an everyday (normal) transaction. The bank will ask questions and is surely obliged to report to the local taxing authorities.

Regarding Bisq and trading limitations, a new user can only trade up to 0.1 BTC. After your account is signed and you become a more senior user of Bisq, these limits increase. But when fiat is concerned, the trade limits are in many cases 0.25 BTC/trade. For some payment methods, you will see 0.5 or 1 BTC. 
2278  Bitcoin / Hardware wallets / Re: Show off your hardware wallet on: May 27, 2023, 03:53:43 PM
Since the Nano X is no longer with you, I will add only the Trezor One to your name in the table.

This is a temporary solution, but there are various doubts here.
How can we trust them that these messes with seeds were not implemented earlier, do we have any reliable info about it?
No, we don't. All we know is that they decided to tell us about the feature for the latest Nano X firmware upgrade, and that such information was never announced before.

What can also be a concern, earlier they showed some very bad tendencies when it comes to the firmware update. I remember a case where at some point it was no longer possible to update the firmware from a certain version. Can we count on them that they will be more considerate in the future?
The newest Nano X firmware is 2.2.1, and that should be the one that introduces the code for Ledger Recover. If you don't want that code on your device, don't upgrade the firmware and keep using the one you have now. The same applies to any further firmware upgrades. You can no longer upgrade your Nano X ever. Each future update will install that code.

You'll have to make do with the firmware version you have now, and hope it will remain functional for as long as possible.
You won't benefit from any future bug/vulnerability fixes, improvements, or new features either.


Why useless toy. I suppose if you already have this device, then you can continue to use it. But with reservations, like keeping only small amounts for the same small expenses. Of course, any long-term crypto hold is out of the question.
Even Andreas said he would continue to use his Ledger in the latest video where he discusses Ledger Recover with Jameson Lopp. I think he said he uses it for "operational costs". 
2279  Bitcoin / Hardware wallets / Re: Ledger Recovery - Send your (encrypted) recovery phrase to 3rd parties entities on: May 27, 2023, 09:10:30 AM
Despite all the risks, I wouldn't say having your seed phrase sharded to three companies is higher risk than simply having Ledger "look after it" for you.
I wasn't asking about the seed and storing the seed this time. I meant who stores the KYC data (the IDs and selfies). Your link confirms that Onfido is their partner for that which answers my question.   

They do claim the seed can only be decrypted with the same Ledger that created it, but I imagine with any Ledger there would be a simple workaround for this, such as spoofing the device's log number in order for the encrypted shard to think it's the same one.
I have heard the opposite. You don't need the original device you used for Ledger Recover and seed sharding. Since the shards are connected to your identity (the ID and selfie you provide), the hardware wallet device is of secondary importance here. 
2280  Bitcoin / Hardware wallets / Re: Trezor hacked (again) on: May 27, 2023, 08:18:41 AM
In addition, in the Trezor suite, when entering a passphrase, a clearly visible window pops up for entering it through a computer, and a link for entering a passphrase through the wallet itself is displayed below in barely noticeable text. From which we can conclude that their priority is not a secure way to enter a passphrase through the wallet itself, but through the application.
 
Naturally, they have access to passphrases entered through the application, while intercepting passphrases through the open source wallet itself would be problematic for them.
Why they do all this can only be guessed, but the conclusions are drawn not in their favor.
Everything about the Trezor is open-source. The native Trezor Suite, the firmware, the software on the device, etc. If such code exists, where are the security experts and code reviewers to point that out? If such code has been out there for years and no one has noticed it or no one wanted to notice it, what does that tell us about the importance of open-source? Open-source is a window, useful if people want to look through it with care and attention for detail. If everyone just walks by it blindly, you can as well pull the blinds down because you aren't using it.

Personally, I don't believe there is such a feature in Trezor. If there was, we could take our open-source recommendations, roll them up in a ball, bend down, and stick them where the sun doesn't shine. There is a saying in Germany that goes something along those lines.    

I love decentralized trading, so I immediately have a lot of questions about fiat transactions and P2P trading. Then my tax office will have a lot of questions for me if my bank does not block the account earlier, because according to the agreement with the bank, I am prohibited from trading.
Your bank and your tax office won't know where the money came from and how you earned it. It's not Bisq that pays you, so banks can't track or reject such transactions. You get paid by the people you trade with. If you buy from me using Bisq, I pay you from my account to yours. Your bank doesn't know you sold bitcoin to get those funds. You can tell them anything you want. They only see one individual transferring X to another individual.

We could be friends, family, colleagues, lovers, brothers... You could have sold me a bike, a sofa, a jacket, your NHL card collection... None of that is taxable.