The key though is to not use it as received but do a reset.
You can't prove the device wasn't tampered with. Eventually, scammers are going to start adding a chip inside used devices with code to give the scammer the coins. Flashing firmware isn't going to be enough of a way to truly prove the device is safe. I'll say it again: anyone who cares more about saving a few dollars by buying a used device rather than guaranteeing the security of their Bitcoin by buying a new one... they shouldn't be buying Bitcoin in the first place. They're not ready. And they're certainly not ready for self custody. I say this as a huge advocate for Bitcoin and self custody. Self custody isn't hard, but it needs to be done right. Anybody who thinks they can cut corners shouldn't be buying Bitcoin. They should buy an ETF instead.
|
|
|
With all due respect, anyone who cares more about saving a few dollars by buying a used device rather than guaranteeing the security of their Bitcoin by buying a new one... they shouldn't be buying Bitcoin in the first place. They're not ready. And they're certainly not ready for self custody. I say this as a huge advocate for Bitcoin and self custody.
Self custody isn't hard, but it needs to be done right. Buying a used hardware wallet is proof that somebody isn't serious about the responsibility that comes with doing self custody.
|
|
|
Seedsigner alone is not created for daily transactions
What gave you that idea? SeedSigner is fantastic for daily transactions. Pair it up with Sparrow Wallet for desktop or BlueWallet for mobile. I find it quicker and easier than using something clunky like a Ledger Nano or even a Trezor (though I am a fan of Trezor, overall).
|
|
|
There's a huge difference though. With other wallets, you don't need your paper backup every time you use your wallet. With SeedSigner, you need your seed QR every time. With other wallets, you can (and should!) keep your paper backup somewhere secure that only you have access to. With SeedSigner, you have to keep your seed QR where you can access it every time you use your wallet.
But doesn't Seedsigner support the BIP39 passphrase? In other words, even if you have to import the wallet via SeedQR, using a passphrase would reduce this risk. Because the attacker needs extra information to extract the wallet.
SeedSigner does support using a passphrase, but it makes entering a passphrase cumbersome because you have to do it character by character using a joystick to pick each character. This clunky way of entering passphrases encourages the use of very weak passphrases which can easily be cracked. This fork solves that problem too. This fork includes passphrase QR, which makes using very strong passphrases easy.
The seedQR is imported on the device, not on the user's computer, right?
Right. The seed QR code can be made by hand using a grid on paper (it's easier to do than it sounds), but I use a thermal printer camera to take a pic of my encrypted seed QRs. The thermal printer camera is actually a child's toy, but it's perfect for this use because it has no wifi, no bluetooth, and no way to connect it to a computer. It's totally airgapped. So, my encrypted seed QR is saved on paper. If somebody finds my encrypted seed QR, no worries. It's uncrackable. Here's an example of an encrypted seed QR I made for showing how easy this stuff is to use. Got a SeedSigner or Krux? Load it: Here's the key to decrypt it: hidden pass word inside With Krux or this SeedSigner fork, you can even make a QR for your passphrase. So, to load your seed, scan the encrypted seed QR and scan the decryption key. Then scan the passphrase QR to load your passphrase. Easy.
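The BIP39 passphrase discussed in the post above, as an added example that is not part of the original thread: mnemonic and passphrase are fed through PBKDF2-HMAC-SHA512 with 2048 rounds, so every passphrase (including a mistyped one) opens a different, valid wallet, and the protection it adds is bounded by the passphrase's own entropy. The mnemonic and expected seed are the public BIP39 test vector; the function names are illustrative.

```python
import hashlib
import math
import unicodedata

# Public BIP39 test-vector mnemonic (all-zero entropy). Never use it for funds.
TEST_MNEMONIC = "abandon " * 11 + "about"

# Seed published in the BIP39 test vectors for that mnemonic + passphrase "TREZOR".
TREZOR_VECTOR_SEED = (
    "c55257c360c07c72029aebc1b53c05ed0362ada38ead3e3e9efa3708e5349553"
    "1f09a6987599d18264c1e1c92f2cf141630c7a3c4ab7c81b2f001698e7463b04"
)


def _nfkd(text: str) -> str:
    # BIP39 requires NFKD normalisation of both mnemonic and passphrase,
    # so visually identical strings always derive the same wallet.
    return unicodedata.normalize("NFKD", text)


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Derive the 64-byte BIP39 seed from a mnemonic and optional passphrase."""
    words = _nfkd(" ".join(mnemonic.split()))
    salt = _nfkd("mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac(
        "sha512", words.encode("utf-8"), salt.encode("utf-8"), 2048, dklen=64
    )


def passphrase_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a passphrase picked uniformly at random.

    Human-chosen passphrases carry less than this upper bound.
    """
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    # Same mnemonic, three passphrases: three unrelated seeds, no error raised.
    for pw in ("", "TREZOR", "TREZOr"):
        print(repr(pw).ljust(10), bip39_seed(TEST_MNEMONIC, pw).hex()[:16], "...")

    # Joystick-friendly short passphrase vs. a long one loaded from a QR code
    # (constructed sizes: 4 lowercase letters vs. 20 printable ASCII symbols).
    print("4 lowercase letters:  %.1f bits" % passphrase_bits(4, 26))
    print("20 printable symbols: %.1f bits" % passphrase_bits(20, 94))
```

Because a wrong passphrase produces no error, check the derived wallet's fingerprint or first receive address against a known value after loading.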
|
|
|
I would like to see promotional discount offering for SeedSigner extension kit, let's say down to €50 would be acceptable. I don't recommend the standard SeedSigner because it requires scanning an unencrypted QR to load your seed. Anyone who finds your QR can steal your coins.
Same goes for any other backup that someone finds, and in most cases those are just seed words written on paper. There's a huge difference though. With other wallets, you don't need your paper backup every time you use your wallet. With SeedSigner, you need your seed QR every time. With other wallets, you can (and should!) keep your paper backup somewhere secure that only you have access to. With SeedSigner, you have to keep your seed QR where you can access it every time you use your wallet. I would recommend this fork rather than standard SeedSigner.
100%. I don't recommend the standard SeedSigner. It requires unencrypted seed QR codes to load the seed every time the user uses it. Loading the seed every time is good. The device is stateless. But using unencrypted seed QRs is a huge security risk. Because the user needs to keep an unencrypted version of their seed QR on hand every time they want to use their wallet, it means they need to keep that QR somewhere easily accessible, because they need it every time. Anyone who finds that QR can steal the user's wallet. That's dangerous. This fork solves that. This fork adds the ability to use encrypted seed QR codes or encrypted smart cards. I'm using this fork and it's awesome. I'm a huge fan of this fork and also Krux. Here's the YouTube channel for the main dev for this SeedSigner fork. Very highly recommended. https://www.youtube.com/@CryptoGuide
|
|
|
Needing to use a VPN because Ledger can't be trusted is the real threat.
Wrong. Firstly, that is not a threat at all. You are just bypassing some restrictions by using a different IP. Secondly, if you can't trust Ledger's software or hardware then using a VPN will not help you with anything.
I didn't say using a VPN is a threat. I said needing to use one. In other words, if Ledger's code is so unsafe that one needs to use a VPN because of it, that's proof Ledger's code shouldn't be used in the first place. Ledger's code is poison.
|
|
|
When anyone purchases Ledger crap they can't use it until they connect it with the Ledger Live app, and it's impossible to bypass this step with other apps. You also can't update the device without Ledger Live, and nobody knows how exactly they are going to add more restrictions.
I understand what you mean, but those who need to activate their devices or update relevant apps to continue using them are still free to use a VPN to avoid any potential blocks by Ledger. The same applies to those who wish to send transactions to sanctioned addresses, all they need to do is choose the right VPN server.
A jumpscare is not the real threat. Needing to use a VPN because Ledger can't be trusted is the real threat.
|
|
|
That's CryptoGuide's SeedSigner fork. It is phenomenal. I don't recommend the standard SeedSigner because it requires scanning an unencrypted QR to load your seed. Anyone who finds your QR can steal your coins. CryptoGuide's SeedSigner fork solves this by adding the ability to encrypt your seed QR, just like Krux's encrypted QRs. In fact, CryptoGuide's SeedSigner fork can read Krux encrypted seed QRs. If you have a SeedSigner, I highly recommend CryptoGuide's SeedSigner fork. It's awesome. And, of course, it's fully open source. CryptoGuide has been adding lots of great features to his SeedSigner fork.
|
|
|
It may sound like an old method, but I find it unique and effective.
I don't understand what is the point of creating this kind of backup when you can't even read the seed words and recover yourself
Sorry for having to say this, but using real acid, lemon juice or any kind of liquid for this is stupid. This has nothing to do with hardware wallets whatsoever.
THIS. Get a small safe and some simple home automation sensors. Aqara stuff is cheap and works well. Use a pair of sensors on your safe. If the safe gets opened, you get an instant text alert on all your devices. If the safe gets moved, you get an instant text alert on all your devices. Add a tiny camera and you can have a picture texted to you too. And the cost for this kind of home automation setup is less than $100 if you DIY. Home automation is useful for all kinds of things. Nobody but you will know part of your setup is for protecting your seed phrase (and whatever else you keep in the safe).
|
|
|
I'm going to have to go back and read about the details of this debacle, but is there anything preventing other HW wallet manufacturers from doing something similar?
If their code is closed source, they can do what Ledger did and worse. Then again, we don't know if Ledger's code contains capabilities that are even worse. That's the problem with closed source code. Bitcoin is fully open source. Your wallet should be too.
|
|
|
Bitcoin is neutral when it comes to transactions. Bitcoin doesn't ask for your name, check your documentation, or check whether your name is registered with OFAC before making a transaction. However, Ledger is going against Satoshi Nakamoto's principles. He created Bitcoin to be neutral.
Furthermore, it seems that the restriction imposed only applies to Ledger Live, but what guarantees me that in the future, some government will pressure Ledger to censor users or even seize funds from users who interact with sanctioned addresses or those with a high AML score? Who knows, maybe this is the real purpose of ledger recover?
Can you understand how dangerous this is?
Let's talk about that. Here are some quotes on the subject, taken from a YouTube video interview with Ledger CEO Pascal Gauthier:
Rodolfo Novak: "Isn't it an issue now that you have the KYC plus the Bitcoin, together? Right, because just losing the KYC... it's a problem, it sucks, right? But you don't lose the Bitcoin. Now, (because of Ledger Recover) you have the KYC plus the coins."
Pascal Gauthier: "...so?" SOURCE
"So?" makes it very clear that Ledger either doesn't understand how dangerous this is, or Ledger doesn't care. Ledger's CEO even said, if you care about your privacy, don't use Ledger Recover:
"If, for you, your privacy is of the utmost importance, please do not use that product, for sure." SOURCE
...but here's what he didn't say: The code required for key extraction from Ledger devices is part of Ledger's firmware. It's baked in. And the firmware is closed source, so there's no way to prove it can't be accessed remotely by Ledger, their partner companies, or hackers. Can't prove it? Can't trust it. One of Ledger's founders even said:
"There's no backdoor and I obviously can't prove it" SOURCE
He can't prove it because their code is closed source. Trezor, ColdCard, Jade, Seedsigner, and Krux can all prove what their code does, because every line of their code is published and verifiable. Ledger can't because theirs isn't. It gets worse though. Ledger Recover involves other companies. What happens if those companies are asked by a government to give access to your keys? Here's what Ledger's CEO says:
"These companies are not slaves to Ledger. We just have commercial agreement." -- Ledger CEO Pascal Gauthier SOURCE
"Great, so now the Department Of Justice calls you and says "We are charging so and so with X, Y and Z. Get two of your vendors to send us the Bitcoin keys." -- Harry Sudock SOURCE
The more you think about it, the more you'll realize that Ledger's key extraction scheme is poison.
And since Recover is baked into their closed source firmware, it means Ledger's firmware is poison. Here's a question I have yet to see anybody ask: What if a government asks Ledger to use Recover to extract the keys of a Ledger user who doesn't subscribe to Recover? The capability is on their Ledger device whether they subscribe to Recover or not.
"I said government could get access to the backups of a user, as it's only a matter of law and is about one user" -- murzika, Ledger Co-Founder, Former CEO, and Former Chairman SOURCE
"If you are referring to Ledger Recover, a joint government task force could access a user's recovery backup. I mean it's just a question of law, two shards could be subpoenaed even if they are each in a different jurisdiction." -- murzika, Ledger Co-Founder, Former CEO, and Former Chairman SOURCE
...but, again, I need to point out that the capability is built into the firmware regardless of whether or not the user subscribes to Recover. I see no reason why a government can't force access to a user's device, since remote access to the device is baked into Ledger's firmware. This goes back to what you said:
Can you understand how dangerous this is?
Absolutely. Ledger's closed source code is very dangerous. Most people haven't even begun to think through the implications of having remote access to the user's keys baked into the firmware on the hardware wallet.
|
|
|
Maybe in the next 1 or two years, they will come up with another thing again. Or maybe they will come up with it within months.
They will end up with no customers in that period of time, in two years or so, if they continue with practices that contradict the core principles of cryptocurrency.
I wish you were right, but there are faaaaaaar more crypto-bros than there are educated Bitcoin holders. Crypto-bros only care about moonz and gainz. They care far more about trendy gadgets than they care about security. They don't even understand the basics. Ledger realized those guys were easy targets sometime around 2020 and they started aggressively marketing to them. Interestingly, that's when Ledger's marketing color scheme went from white to black. Ironic, eh? No, not at all. Ledger went to the dark side. The most low-information Bitcoiners use hot wallets. The next-lowest-information Bitcoiners use Ledger (and Tangem). As proof of what I mean, go on any Ledger forum. You'll find idiots who praise Ledger for being closed source. Yikes. Bitcoin ownership hasn't gone mainstream yet, so Ledger will have no shortage of low-information people to market their trash to.
|
|
|
Ledger is poison. Using closed source code to secure your Bitcoin is making a deal with the devil. It's dangerous. Bitcoin is open source. Your wallet should be too. We were warned about all of this long ago:
"If you are a Recover user and have your shard into safeguarded by third parties, then yes, a government could subpoena them and get access to your funds."
"Using Recover gives you an easy recovery option and mitigates backup loss, but your assets could get frozen by the government" SOURCE
Note: Even if you don't use Recover, the code required to enable key extraction is on your Ledger device. Don't be surprised if Ledger announces compliance for government access to that API. Ledger is poison.
|
|
|
I got caught by Tangem’s marketing, lol, and their seedless solution
I think "seedless" is reckless. A seed is your backup. Let's say your hardware wallet gets destroyed somehow. No worries. Buy a new one and enter your seed phrase to restore your wallet on the new device. Many years ago, I had a hard drive failure. It took me a long time to rescue my data. Ever since then, I've had a backup hard drive that powers on in the middle of the night to back everything up. And I have a Time Machine backup too. It's just smart to have backups. Your seed phrase is your Bitcoin wallet backup. Remember: Your coins aren't in your wallet. They're on the blockchain. Your wallet is the collection of your addresses and keys (and other seed-generated data). That's why a seed phrase is so important. If anything goes wrong, no worries. You can get it all back by using your seed phrase (and passphrase, if you use one). That's why your seed phrase is so versatile. If anything goes wrong, you don't even need to buy the same kind of wallet. Any wallet that uses seed phrases will generate your exact same wallet. It's such a brilliant system. I see Tangem promoting seedless wallets, and I think they're insane. That's like saying "Get where you're going faster in our brakeless cars! Genius, right?" YIKES! OK, maybe it's not quite that bad, but still... I'd never use a wallet that isn't 100% open source and uses seed phrases. If you're going to do self custody, your backups are the most important thing you'll have. I know, I know... Tangem does their own card-backup scheme. There have already been cases where people lost their cards. A seed phrase is a much better form of backup.
|
|
|
You can't prove the Ledger Nano doesn't have any of the code that gives Ledger and their partner companies (and potential hackers) the ability to access your seed.
I know some would respond by saying "But it's not compatible with Ledger Recover" as if that means it doesn't still have any of the code even if it doesn't use that code.
I wouldn't use a Ledger even if I got one free. Not even if they paid me to use the thing. Short term, it's probably... fine. Long term? Are you kidding???
The only provably safe use for a Ledger device is as a decoy wallet.
Never trust your coins to closed source code. That defeats the entire purpose of Bitcoin.
|
|
|
I say this with all due respect.
I think Bitcoin has too many gadget guys and not enough people who care about Bitcoin security or even fully understand how to secure their Bitcoin in the first place.
Cool gadget? No thanks. I don't even need something built tough. I'll never use a hardware wallet in public. Never. That's how you set yourself up to get robbed.
My hardware wallet is ugly and cheap, and it's also the most secure option available at any price.
I use Krux running on a Max Amigo, but you can get the same level of security with SeedSigner if you use the CryptoGuide fork (Airgapped. Stateless. Encrypted seed QR). More attractive options exist for both Krux and SeedSigner, but I don't even care. Better than best in class security. That's what matters.
A phone needs to be tough, because it gets taken everywhere and used constantly on the go. If you're using Bitcoin everywhere on the go with a hardware wallet? That's crazy. Put a little Bitcoin on a hot wallet for your general on the go stuff. You wouldn't put your entire nest egg in cash in your leather wallet, right? Why would you do that with your day to day spending Bitcoin wallet?
|
|
|
~snip~ Regarding the number of respondents here, I see it this way. On one side of the scale there are a limited number of people who oppose this idea for various reasons. On the other side there are hundreds if not thousands who have lost their funds due to lost SEED before upgrading. I'm sure developers are already aware of many such cases and I trust they are wise enough to decide whether preventive measures are necessary.
Is there any point in trying to save people from themselves? People who are serious about what they do will never lose something as important as their seed backup (under normal circumstances), but those who are sloppy and irresponsible will mess up sooner or later.
This. Teaching is the answer. We all need to become better teachers, because none of the companies selling hardware wallets do a great job of that. Some barely even try. Too many people don't understand the basics. Even people in a forum like this! That's why they don't understand how to protect themselves against disaster. And, yeah, some people are just lazy. I'm always shocked by how many Bitcoiners don't realize seed words represent numbers (used as entropy) for the math that generates their wallet. The moment I understood that, I understood the importance of backing up my seed words offline, in human readable form. I say "in human readable form," because I also have an encrypted seed QR made using my hardware wallet (Krux), but I would never rely on an encrypted backup as my only backup. It's essential to have a human readable backup as the ultimate backup. I do think hardware wallets should warn users before doing a firmware update to make sure they have a backup of their seed phrase, just in case. But no amount of nagging is going to make lazy people less lazy. And nagging doesn't teach those who don't understand. In the end, teaching is the answer. The more we help people understand how this stuff works, the more they'll be able to stay safe. We all have to become better teachers. Myself included.
|
|
|
still not hacked
How do you know this? There have been complaints from users claiming that their funds disappeared without any apparent reason from addresses controlled by Ledger devices. It's a fact confirmed through their online backup service that Ledger's code allows for seed phrase extraction. Of course Ledger officials deny under oath any connection between these incidents and their closed code, but the question remains, at least for me, whether we should trust what they are saying.
Adding to what you said: Ledger also pays bounties to hackers while making them sign nondisclosure agreements in exchange for the funds. Bounties are a common practice, not just for Ledger. But Ledger forces nondisclosure agreements and then lies, saying they've never been hacked. For example:
In this post, I’m going to discuss a vulnerability I discovered in Ledger hardware wallets. The vulnerability arose due to Ledger’s use of a custom architecture to work around many of the limitations of their Secure Element. An attacker can exploit this vulnerability to compromise the device before the user receives it, or to steal private keys from the device physically or, in some scenarios, remotely. I chose to publish this report in lieu of receiving a bounty from Ledger, mainly because Eric Larchevêque, Ledger’s CEO, made some comments on Reddit which were fraught with technical inaccuracy. As a result of this I became concerned that this vulnerability would not be properly explained to customers. --Saleem Rashid https://saleemrashid.com/2018/03/20/breaking-ledger-security-model
Some things never change. Ledger can't be trusted.
|
|
|
It's open source! ...except for the part that isn't, which means you can add that lie to the long list of Ledger lies.
Any closed source code means the code isn't open source, because the code contains code that isn't published and thus cannot be verified to be safe.
|
|
|
I don't have the skills or technical expertise to audit code myself but I can check around to see what the experts are saying, what multiple sources are reporting.
That, right there. That's exactly it. The code for this stuff is beyond my abilities, so I stick to hardware wallets that are open source and whose code is used by experts I trust. It's even better if their code is added to or improved by experts I trust.
|
|
|
|