Apparently ledger pushed an update yesterday that adds a “feature” that encrypts and uploads your seed to third parties? lmao.
https://www.reddit.com/r/ledgerwallet/comments/13itm7u/is_there_a_backdoor_yes_or_no/
🤦🏼‍♂️
looks very serious.... Always remember to keep SAFU
You mean to tell me they worked on this for who knows how long without considering the PR backlash it would cause? Asking for gov ID when they can’t stop their clients from getting doxxed, just to make cold wallets hot and charge an outrageous monthly fee?
This article clears it up big time. Already noticed trust wallet also has a way you can back up to Google drive. They are trying to make adoption easier which I applaud them for. Not everyone is as smart and tech savvy as all of us. They are trying to get over that hurdle.
Um did we read the same article? It's a $10 KYC subscription service that sends your private key over the internet to other companies... this isn't about increasing adoption. It's compromising users' security to increase profits.
It's encrypted and sharded to 3 different companies. It's not the best way. I don't recommend it. But it will appeal to some people, possibly older generation. Which helps adoption. It also will backup up to 50,000 euro if lost. I recommend to store on pen and paper. But we are not all responsible or tech savvy.
Doesn't matter if it's encrypted and "sharded". This opens up the private key to middleman attacks and backdoor exploits, not to mention that this information could be forced to be revealed by a court order or government overreach. It's insanely irresponsible.
Every comment I made, I said it's not recommended or safe. But it's all some people can handle/want/trust. And it's not mandatory. If you lose a bank card, you can show ID to the bank and get it back. People want the same thing in crypto, especially old generation. I will always use pen and paper. But I'm also open for other routes to get people onboarded.
Nah we should not be recommending or supporting this for anybody. If they can't handle their own recovery phrase, then they should use a multi-sig solution service like unchained, where each party holds a private key in a device that doesn't have a potential backdoor like ledger. That's safe and easy for anyone to do.
As I have said multiple times, I am not recommending it. But it may be the option for some people. Not a smart option. But an option. Which allows for more onboarding.
"The device sends encrypted shards of your seed to different companies if you decide to use the service. You can of course still choose to backup it yourself."
Well, that's at least good to know it's not enabled by default for everyone. That said, knowing that your Ledger now has the capability for your seed phrase to leave your device is damning.
If you use Ledger, it's time to switch to something else such as Coldcard, Passport, or Jade.
Unchained uses Trezor … is there any reason to believe that will change? #[4]
Trezor is fine to use too.
Trezor at its core is a shitcoin wallet. Sure, it’s open source and has so far been a much better run business than ledger. But any wallet which supports hundreds of shitcoins has bad incentives built in and worse security by nature due to increased complexity. Get a Bitcoin only hardware wallet and use Bitcoin only companies.
Maybe better at hiding stuff 🤔
I noticed trust wallet has it you can back up a seed to Google drive now. I feel a lot of hot wallets and cold storage device companies are going to start doing similar things. I'm not for it. But eventually I do see this similar service everywhere. Will be interesting to see how it plays out.
storing your seed words in the cloud is bad. is it easier, sure, but that doesn't mean it's a good idea.
I never said it's a great idea, I would never do it, and never recommend it to anyone. But there are people that are not tech savvy as us. Another point also is. How do we really know Trezor and other cold storage device companies aren't going to follow suit. 🤔
they could, but i believe any bitcoin-only company would be less likely to follow suit. and if one does, you move your funds to another wallet.
What if you’re only using this backup in a multisig, so the other keys remain private? How is that different than Casa?
Also read it is for ledger nano x. But not the other models.
I just purchased a COLDCARD™ Mk4 Colour: Purple ! Thanks #[4] 🤙🏼💜🫂
As funny as this is, it also creates more distrust for people needing to cold storage their Bitcoin. Who can you really trust?
Wtf?
a huge step backwards for Ledger
Not understanding what the author of that reddit article is trying to say 🤔
Not your keys, not your Bitcoin.
😲
Before everyone loses their shit, how is this different than you _voluntarily_ just storing your seedphrase in cloud storage or using the backup only in multisig in lieu of Casa/unchained?
I guess it’s more of a honeypot than the other options but let’s not pretend there are no legitimate use cases for 3rd party key storage.
It helps adoption. Not everyone is as tech savvy as we are. This solves this. Same with wallets storing it on a cloud server. Definitely not the safest route. But some people only know how to keep on exchange which is even more sketch. I was against this till I read more. Pays to not assume.
With this update it's now possible for your private key to leave the device, whether you opt-in or not. The firmware is also closed source... this is beyond stupid for a hardware device.
You are correct. I think the concern with this one though is the idea that Ledger can retrieve your seed phrase with a firmware update. It isn't clear to me though that this is what Ledger is offering or capable of doing. I think folks are speculating some from the Q&A. This planned service from Ledger may be a thing where you provide your seed phrase in some manner voluntarily, maybe upon the seed phrase creation phase of setting up a device. I have heard it involves encrypted shards and multiple custodians. I am going to wait for more information.
nostr:npub1h8nk2346qezka5cpm8jjh3yl5j88pf4ly2ptu7s6uu55wcfqy0wq36rpev is bitbox02 still good?
Still love my Bitbox and haven't heard any negative news. I've been all about the tapsigners more recently though (for mobile) and have both bitbox and coldcard in my cold storage. Also still use the Trezor and will recommend it, but it's not my first pick because of the enormous amounts of shitcoinery.
Basically I go for bitcoin only at the top of my hierarchy and go down. Other hardware wallets I like are the Keystone, I'm interested but have spent too little time with the Passport, and the Jade.
Well thanks Ledger. I now have all my coin in a hot wallet while I wait for my passport to arrive because that feels safer than whatever the fuck you are doing over there. Might be overreacting, but better safe than sorry.
As if everyone’s data leaking wasn’t enough?
How has anyone trusted ledger after that?
I have one sitting in my drawer as a reminder about how that company treats people. I would never use a ledger.
What do u use? I’m using one jade, one Trezor.
So glad I stopped using their products and deleted all their software. I should’ve known when they were pushing alts and staking that they weren’t reliable. Bitcoin only + open source is the way to go.
Lol
but we can opt-out... right 😟
That’s what happens when you give carte blanche to a bunch of PMs that don’t get the ethos of Bitcoin
Omfg who decides those things?
I was using Trezor, but lost it while I was on a boat last summer 🥲
I read it’s optional, isn’t it?
Get one of these. I use #BitBox02, not using anything else 😉
And it's #Bitcoin only 👍


Ask me or nostr:npub17tx8y8cfk05fypwm80m67qxl0vat7vxaup2l50qzatuwwcvqn6tsvgkah7 for info or a promo code
That doesn't sound possible, technically. I don't think you can get the secret out of a secure element, but I'm not an expert here.
Time for people to get a cold card
Simply speechless. Why would they think this is a good idea. Also the secure element doesn't seem secure if this is possible.
How? Like how can it simply export private key using just software?
The concern here seems overblown. You have to opt into this service.
The fact it exists at all is the issue
Do you not feel the same about the existence of Trezor’s chain analysis ties and Terms of Service? Once leashed by the state, there are no take backs, only more demands, a tighter collar, until everyone with integrity has left the company and users are captured.
I guess I can see that. According to Ledger they don’t have access to it unless you give them access. Sounds like trust is the issue which I know many don’t have in Ledger.
Private keys are meant to be air gapped or at least never leaving a device, especially not sent to the internet - no matter what alleged encryption or security is used.
Imagine to get access you need an email and password. They know your email. Now your password. You effectively transformed your secure private key into a short password brain wallet or low time brute force puzzle.
Ledger is not something I’d recommend to anyone, even if it’s fairly mature and nice enough general UX.