Has Ledger at least explained how a former employee still had enough access to cause this latest debacle?
They have, but it doesn't make them look any better.
https://www.ledger.com/blog/a-letter-from-ledger-chairman-ceo-pascal-gauthier-regarding-ledger-connect-kit-exploit The most important parts about their security protocols:
- One person can't deploy any code without review by multiple other people. They didn't respect this procedure.
- They are talking about multi-signature access and what I assume is code deployment. Again, none of that happened this time. Unless it's a lie that only one person got phished/hacked and not multiple people.
- Finally, ex-employees have all access rights revoked. Obviously, not this time.
Ledger even lies on their packaging:
"WE ARE OPEN SOURCE"
That's written on the box for hardware wallets running closed source firmware. That's intentionally misleading, which means it's a lie.
Yeah, that's not correct. But I am pretty sure they were talking about the Ledger Developer Portal and everything concerning native and 3rd-party crypto apps (https://developers.ledger.com/). That part of their software should be open-source (the GitHub repo link is at the top right), but with the firmware being the opposite, one can't call the device open-source. I agree that it's misleading.