Ninjastic
PostEdited versionsQuotes to this post
Post
Topic
Board Hardware wallets
Merits 36 from 3 users
Re: Ledger Recovery - Send your (encrypted) recovery phrase to 3rd parties entities
by
Meuserna
on 26/11/2024, 08:44:09 UTC
⭐ Merited by LoyceV (24) ,vapourminer (10) ,dkbit98 (2)
Quote from: satscraper on Today at 07:36:25 AM
They say...[/sup]

And there's the problem.  Ledger's word has no value.

First of all, Ledger has lied to their users so many times about so many things.  They said keys never leave Ledger devices while they were writing a key extraction API for their firmware and uploading it to users devices.  That's like your wife saying she'd never cheat on you while setting up dates on Tinder.  Ledger says they've never been hacked while paying bounties with nondisclosure agreements so people who hacked them can't say so.  They literally printed "We Are Open Source" on the boxes for hardware wallets that run closed source firmware.  They are liars.

Second: Their firmware is closed source, so they can say whatever they want, knowing no one can prove they're lying.  They might as well say their firmware cures cancer, since there's no way to prove it doesn't.  There's no way to prove they don't already have access to every Ledger user's seed whether or not the user signed up for their scammy Recover service since their API gives them access to every user's seed.  Now they're saying they'll add an option to turn it off?  There's no way to prove that off toggle will actually do anything.  Their firmware is closed source, which means they can't even prove it's safe.

The only provably safe use for a Ledger device is to use it as a decoy wallet with a B.S. seed.

I was a long time Ledger user.  The day their key extraction firmware got outed, I remember looking at my Ledger, thinking "How do I prove they can't access my seed the moment I turn this thing on?  How can I know for sure they haven't already accessed my seed?"  Ledger Recover had to have been in the works for at least a year or two before it was announced, considering how complicated the project was (the code, the legal contracts with multiple companies lawyers, etc.  Ledger Recover was not a small project).  Surely, Ledger's firmware already had chunks of the key extraction API by the beginning of 2023.  How can anyone prove any of it is safe?  You can't.

There's an old saying that's popular in Bitcoin:  "Don't trust.  Verify."

Closed source can't be verified.

Closed source code can't be trusted.