Fuck you ledger

[dkbit98]

The same is true for example Trezor and Trezor Suite.

It's not the same as Trezor, because Trezor Suite doesn't have apps, no big commercials ads, and you can enable Tor directly from application.
Trezor device is open source, while ledger is not, and Trezor doesn't have malicious option to export seed words like ledger, for ''protection'' with ledger recover.
Obviously this devices are totally on different levels.

I am seriously thinking of nominating ledger as one of the biggest fail of 2023.
For last few years I knew they are a bad company that makes junk products, but I didn't think they could fall so low.
First someone exposes their spy machine software app, and now someone else found a malicious file in their code that infected everything  

Easy solution for recent ledger (and all other hardware wallets) malicious code is to stop using shitcoins and daps.
Simple.

[o_e_l_e_o]

Your Ledger device and Ledger Live were not compromised.

Apart from the fact all Ledger devices are already compromised by their seed extraction "feature".

There is a potential risk to the funds stored in the #Ledger if they interact with #dApps using this compromised library.

There is a real risk to the funds stored in the #Ledger if they are connected to a computer, since we might extract your seed phrase. There. Fixed.

Obviously this devices are totally on different levels.

None of what you said changes the fact that if you sync your Trezor via Trezor's servers by using Trezor Suite, then of course they can harvest all your data. If you aren't using your own node, then you are using someone else's, and the owner of that node can see every address and transaction you are interested in.

[dkbit98]

None of what you said changes the fact that if you sync your Trezor via Trezor's servers by using Trezor Suite, then of course they can harvest all your data. If you aren't using your own node, then you are using someone else's, and the owner of that node can see every address and transaction you are interested in.

What does all my data means exactly?
And it's trivial to connect your own node with Trezor Suite via Electrum server to gain even more privacy.
Nothing in Trezor is going to track when you view a section of the screen, like it does with ledger live.
I even did a website comparison few years and ledger website was always full of ads and tracking, more than any other hw website.
Please do some research before doing comparisons like this and provide some proof.

PS
$484K  just drained from ledger:
https://cointelegraph.com/news/ledger-blockchain-hack-attacker-drained-484-k

LedgerConnect is the new Bitconnect!

[o_e_l_e_o]

And it's trivial to connect your own node with Trezor Suite via Electrum server to gain even more privacy.

And it's trivial to connect a Ledger device to Electrum or Sparrow via your own node and avoid Ledger Live entirely. But the default position for using both Ledger and Trezor devices is to depend on their respective servers, and therefore they can see all your addresses, balances, and transactions.

Nothing in Trezor is going to track when you view a section of the screen, like it does with ledger live.

From Trezor themselves:

When enabled, purely functional data about how the app is used will be collected and analyzed to find defects and inefficiencies. With explicit consent, both web and desktop applications may collect anonymous data such as user interactions with app functions, errors, hardware specifications and app response times.

This sounds very similar to what the linked user above is claiming about Ledger. And don't forget Trezor supported AOPP and are still supporting blockchain analysis via Wasabi, so they don't exactly have an amazing reputation when it comes to privacy.

Ledger are obviously a joke now, but that doesn't mean Trezor are automatically much better. If you want actual privacy from your hardware wallet, then you need a permanently airgapped device and your own node. Anything else can be surveilled.

[dkbit98]

And it's trivial to connect a Ledger device to Electrum or Sparrow via your own node and avoid Ledger Live entirely. But the default position for using both Ledger and Trezor devices is to depend on their respective servers, and therefore they can see all your addresses, balances, and transactions.

Not true, because you still need ledger live to update and start using their device.
Ledger will still track everything else you do like section of the screen movement, same as IP address, only addresses wont be sent back to ledger if you use your own node.
You still didnt provide a single proof for your claims, and I am waiting to see something substantial, not pure speculation.

This sounds very similar to what the linked user above is claiming about Ledger. And don't forget Trezor supported AOPP and are still supporting blockchain analysis via Wasabi, so they don't exactly have an amazing reputation when it comes to privacy.

I don't care about Wasabi at all, but you can use your own coordinator, there is no such option available anywhere for ledger.

Ledger are obviously a joke now, but that doesn't mean Trezor are automatically much better. If you want actual privacy from your hardware wallet, then you need a permanently airgapped device and your own node. Anything else can be surveilled.

Trezor is better in so many way, but let's just start from being open source.
And airgapped device and your own node doesn't mean you are safe, especially for 99% of the normies.

[o_e_l_e_o]

You still didnt provide a single proof for your claims, and I am waiting to see something substantial, not pure speculation.

I quoted the Trezor policy where they state they collect details about your hardware, which parts of the app you interact with, use, click on, etc., just like the claims about Ledger.

[dkbit98]

I quoted the Trezor policy where they state they collect details about your hardware, which parts of the app you interact with, use, click on, etc., just like the claims about Ledger.

So that is your ''proof'' that Trezor is the same as ledger?  
There is a nice little button that shows up when you open Trezor Suite, than you click No/Reject.
Than you can go in settings, enable Tor, make sure Usage data is disabled, and you are done.
Add your own node, and than you can use os firewall to see what data is Trezor sending.
Everything is open source, so I am waiting for someone to find some similar tracking codes that can't be removed like with ledger.

[o_e_l_e_o]

There is a nice little button that shows up when you open Trezor Suite, than you click No/Reject.

And there is an option of not opting in to Ledger's seed phrase extraction, which we rightly mock as being meaningless.

A yes/no button or "user opt out" means nothing. The ability exists for Trezor to surveil you just the same as Ledger do.

[dkbit98]

A yes/no button or "user opt out" means nothing. The ability exists for Trezor to surveil you just the same as Ledger do.

The ability exist to track you in your airgapped laptop, it has much wider attack surface, and you have confirmed spyware in your bios.
You are bringing more harm than good telling people that all hardware wallets are the same, when in reality you have no idea what you are talking about.

[o_e_l_e_o]

The ability exist to track you in your airgapped laptop, it has much wider attack surface, and you have confirmed spyware in your bios.

And how exactly does that spyware phone home from a permanently airgapped device?

You are bringing more harm than good telling people that all hardware wallets are the same

I never said anything close to that, but if you think you have any privacy while syncing your device via servers owned and operated by the hardware device manufacturer then you are mistaken.

[safar1980]

A LETTER FROM LEDGER CHAIRMAN & CEO PASCAL GAUTHIER REGARDING LEDGER CONNECT KIT EXPLOIT
Things to know:

– December 14th, 2023, Ledger experienced an exploit on Ledger Connect Kit, a Javascript library to connect Web sites to wallets.

– The industry collaborated with Ledger to neutralize the exploit and try to freeze stolen funds very quickly – the exploit was effectively running for less than two hours.

– This exploit is currently being investigated, Ledger has filed complaints and will help affected individuals try to recover funds.

– This exploit did not and does not affect the integrity of Ledger hardware or Ledger Live.

– The exploit was limited to third party DApps which use the Ledger Connect Kit.

[Sledge0001]

IMHO Ledger has failed terribly and their communications team should be and have been clearer and less technical in their responses to concerns of what is / was their average user.

There are ongoing concerns for many are still out there myself included.

For me a few major topics like:
1. Does the newest firmware pull your private key data without consent? We all know its now capable of this due to their backup offering non-sense.
2. Re-confirm that the end users involved in this latest hack physically had to allow /confirm the transfers on their hardware wallet. Again in plain English.
3. How did an Ex-Employee (or is it just an Ex-Employee now after the hack) retain rights to push code into their GitHub without a secondary signer?
4. Is Ledger going to make the victims of this hack whole? In my mind they need to come up with a gameplan ASAP on how to do this for every coin that was lost.
5. Why haven't they gone fully open source? I get being proprietary but at this point trust is lost as this is now strike 2...

Only time will tell how this pans out but for now I would avoid Ledger until they truly come clean.

[Meuserna]

IMHO Ledger has failed terribly and their communications team should be and have been clearer and less technical in their responses to concerns of what is / was their average user.

The issue isn't clarity.  The issue is that they lie.

1. Does the newest firmware pull your private key data without consent? We all know its now capable of this due to their backup offering non-sense.

If they say it doesn't, how can you believe them?  They lie.  And even if their firmware doesn't extract your seed without your consent, the fact that THAT capability is now part of their firmware means Ledger hardware is now a honeypot for hackers.  And, oh by the way, Ledger's code was hacked this past week due to a screwup by a former Ledger employee.

2. Re-confirm that the end users involved in this latest hack physically had to allow /confirm the transfers on their hardware wallet. Again in plain English.

Even if they do...  they lie, so how can you trust anything they say?

3. How did an Ex-Employee (or is it just an Ex-Employee now after the hack) retain rights to push code into their GitHub without a secondary signer?

Again, once they started lying to their users, their word became worthless.

4. Is Ledger going to make the victims of this hack whole? In my mind they need to come up with a gameplan ASAP on how to do this for every coin that was lost.

Guaranteed, the answer is no.  Ledger's lawyers protect them, not their users.

5. Why haven't they gone fully open source? I get being proprietary but at this point trust is lost as this is now strike 2...

Ledger can't go fully open source due to the closed-source chips they use in their hardware.  That's why the value of their word matters so much.  And their word is worthless.

Ledger's word is worthless.

[m2017]

1. Does the newest firmware pull your private key data without consent? We all know its now capable of this due to their backup offering non-sense.

What idiot company would publicly admit this?

4. Is Ledger going to make the victims of this hack whole? In my mind they need to come up with a gameplan ASAP on how to do this for every coin that was lost.

If Ledger has never compensated for any user losses in any way before, then why would they do it now?

It’s time to put on the boxes with Ledger wallets the inscription “Dangerous for use, because it poses a direct threat to your cryptoassets. All your further use of this device is at your own peril and risk”.

5. Why haven't they gone fully open source? I get being proprietary but at this point trust is lost as this is now strike 2...

2 strike? You seem to have lost count.

Only time will tell how this pans out but for now I would avoid Ledger until they truly come clean.

Looks like it's time to replace it to permanently.

[dkbit98]

Again, once they started lying to their users, their word became worthless.

But if you apply the same principle to politics, than there wouldn't be any governments as we know them today... so how can we survive without them and without roads  

Ledger can't go fully open source due to the closed-source chips they use in their hardware.  That's why the value of their word matters so much.  And their word is worthless.

They can if they want.
Just release new models with different secure elements, don't use same NDAs like with current models, and release code at least source viewable.
It's either that or they will stop existing soon if they continue with the same tempo... that is my prediction ^{from crypto gipsy fortune teller}.

[safar1980]

Ledger announced the amount of damage from a recent hack
We are 100% focused on following up to last week’s security incident, making sure incidents like this are prevented in the future, and that the ecosystem remains safe.

We are aware of approximately $600k in assets impacted, stolen from users blind signing on EVM DApps.

Ledger will make sure victims affected will be made whole, and are committing to work with the DApp ecosystem to allow Clear Signing, and no longer allow Blind Signing with Ledger devices by June 2024.

[Lucius]

~snip~
Ledger will make sure victims affected will be made whole, and are committing to work with the DApp ecosystem to allow Clear Signing, and no longer allow Blind Signing with Ledger devices by June 2024.

This is something new (unexpected), but considering all the bad things associated with this company, few will try to improve their reputation by playing the game "the bad ones, the good ones". I hope that there is no catch in everything, let's say some kind of KYC for all those who want a refund, or maybe a mandatory Recovery service lasting at least 1 year

[The Sceptical Chymist]

A yes/no button or "user opt out" means nothing. The ability exists for Trezor to surveil you just the same as Ledger do.

The ability exist to track you in your airgapped laptop, it has much wider attack surface, and you have confirmed spyware in your bios.
You are bringing more harm than good telling people that all hardware wallets are the same, when in reality you have no idea what you are talking about.

The crazy thing is that I know both of you have extensive knowledge of hardware wallets, and if you're both arguing about something so fundamental, can you imagine how confused people like me--who don't have the technical knowledge to evaluate these claim on their own--are, and how jaded some of us are now that it seems like most if not all HW wallets can theoretically extract a user's private keys?

Ledger's lies turned me off of all HW wallets for the time being, even if that might be an extreme response.  I'm waiting for the dust to settle and the experts here to either confirm or disprove these suspicions/fears/whatnot.  And I really wonder what the state of Ledger's business is at the moment.

[o_e_l_e_o]

Ledger's lies turned me off of all HW wallets for the time being, even if that might be an extreme response.  I'm waiting for the dust to settle and the experts here to either confirm or disprove these suspicions/fears/whatnot.

I have also said for a while now that I have largely moved away from all hardware wallets and back in favor of self made airgapped cold storage. I sleep easy knowing that my wallet software isn't spying on me, and that there is zero possibility of some company pushing an update to any of my airgapped devices which means my seed phrase can be extracted, or my wallets will start cooperating with blockchain analysis, or so I can start linking my KYC to my wallets' addresses, or some other such nonsense.

The only hardware wallet I would ever consider using again is one which is both open source and permanently airgapped.

[BlackHatCoiner]

The crazy thing is that I know both of you have extensive knowledge of hardware wallets, and if you're both arguing about something so fundamental, can you imagine how confused people like me--who don't have the technical knowledge to evaluate these claim on their own--are, and how jaded some of us are now that it seems like most if not all HW wallets can theoretically extract a user's private keys?

I get your concern, let me break the situation down for you.

Humans make mistakes, like really often. It applies everywhere, including software engineering and designing. If a software is exploited in an Internet connected device, the attacker can steal your keys. Being airgapped grants you this invaluable property that even if things get really fucked up, it is physically incapable of sending anything anywhere.

Trezor is not airgapped. Even if we assume they are coding with the best intentions, there's this chance of an attacker exploiting their software and taking advantage of the fact that the device can communicate with the Internet. And we know they don't have the best intentions when it comes to privacy as they're cooperating with Wasabi (references on why that's a red flag can be found on dozens of topics in this board) and had enforced a dystopian Address Ownership Proof Protocol in the past.

Nobody claimed Trezor is insecure. What is being said is that Trezor has the ability to surveil you, and is definitely less trustworthy than an airgapped device.