In summary, Ledger’s own marketing initially led their customers to believe that the private keys could never leave the devices. Now they tell us it can and how foolish of the customer to think this was not always possible. But now that trust is broken, please trust them when they say that they would never extract your private keys.
He says that even when open sourcing the firmware update, you would have to trust that that code is the actual code being implemented into the firmware.
ledger is now fffked, govt can easily ask them to update the firmware again to bypass auth required for seed phrase If something can be upgraded to pull seed phrase after verification, it can also be upgraded to pull seed without verification
This is true of any hardware wallet that requires and update. Even air gapped devices can have malicious code injected. Now you have to trust the qr code is legit and not a beacon.
@@shadowreaper999 the hacking surface its paramount complicated with air gaped device, just to star QR codes can transmit a limited data, while an malicious beacon may be used a.e. to froze the RNG which will expose the private keys thru signature attacks, its possible on closed source devices, there are enough airgaped wallets with reproducible opensource both on signing device as on client /hot wallet.
You know we’re in a bear market when a company is willing to risk ruining their reputation for $8/month. They should have made a new device to offer this horrible feature.
@@pomp4401 You sound like someone who did not pay for a Ledger wallet. Their customers are not happy with this, and I think their greed is going to cost them their company. Trust in crypto is everything and they just lost their trust of their customers.
Yeah, if the only thing he's hearing from the community disgust is that 'PEOPLE REALLY CARE ABOUT LEDGER', then he has lost the plot. I care about my keys and money. I now no-longer trust that Ledger is being run by sane people. This is a huge mis-step.
@@coffeemaddanthis is it right here. You said exactly what we’re all thinking. I came to this video wanting to give Ledger a chance but so far I’m not hearing anything that absolutely resolves the potential of a back door. Even if it’s not his strict definition of a backdoor. If the ledger devices can be made to send out the keys/seed one way then there’s no reason to assume it can’t be made to send out the keys another way. The fact that they won’t come straight to this point and recognize the fundamental point of issue doesn’t inspire confidence.
but they can't opensource it to everyone and show how they were upgrading firmwares all this time. this will expose their upgrade codebase and hackers will create similar firmwares to update old ledger wallets to get seed without verification
>"A firmware update cannot extract the private keys from the Secure Element" >Ledge pushes update to extract the private keys from the Secure Element >"Private keys cannot be extracted without user interaction" >.....
Open sourcing the code will change only a part of the problem. As he said, ST Microelectronics chip inside isn’t OS, like the screen. These companies can put back doors in their components. All this bad buzz is stupid, it’s like if people just discovered that you need to do a trade off between security/trust and features. If you only want to store some btc, generate your private key and keep it on a paper. But if you want to do more you will need to do concessions on security and trust.
@@overman2306 - The idea of seed words belonging to me only - appealed to me. Ledger has moved the goalposts. Trust is the commodity that Ledger has sacrificed. Perhaps an interview with Trezor may be worth following up on. Your comment merits thought -especially with AGI entering the global stage.
@@overman2306 The thing that keeps most companies in check is called a "class action lawsuit." Ledger is DEFINITELY gonna face one, and it's gonna be big.
"bad business decision" I'm amazed to see people did still not get the point. The lack of security always existed. This is the real and only topic on Ledger that shoud exist from now. SECURE ELEMENT WAS ALWAYS SUBJECT TO HACK like ANY OTHER SOFTWARE IN THE WORLD !
So, basically, it's all about trust. Do I trust Binance more when I leave my crypto on their platform or do I trust Ledger more to not put a backdoor in the device so the government can snoop around. I guess it was always like that, but I didn't want to linger on that thought.
With all due respect to Ledger CTO Charles Guillemet who took the time out to do this damage control interview, if the issue is communication, why on earth wouldn't Ledger have the Chief Product Officer and the Chief Marketing Officer on this interview as the main guests with CTO Charles attending as a third wheel soley to clarify technical questions? Another comms blunder.
exactly because of his CTO title. so he can clearly educate the masses. like he said its all hardware wallets....but the bots are just gonna gloss over that and not do any research
I'll add that why in the world would bankless ONLY have on the CEO of Ledger, and not a few well-regarded IT secuity and crypto secuity specialists who have been openly cricital of this move that Ledger has made? I'll reserve final judgement until I watch this episode, but it certainly looks like damage control and spin on the part of the Ledger CEO, and it also appears to be paid shilling/PR on the part of Bankless, who are probably trying to burnish their reputation as crypto isiders/big players.
@@billf8217 that would have made for an interesting episode and I do challenge them to do so. However. I recommend the optional feature of self education to be an it people or crypto security specialist.
Screw em'. They could´ve created a new wallet with this possibility. Instead they snuck it in and lied about it. I hope this will be the end of them. Thanks for the podcast!
@@andrewmcmurray8081 I can steal your wallet upgrade it with some malicious firmware which now allows me to get seed phrase without verification, If old wallets are upgradable then nothing is secure
@@peterpan8374 How can you be so sure everyone has it? Either way, Ledger is lying, making excuses and being arrogant. Not a very good way of gaining trust. So why should anyone trust them? They're just a fractional reserve bank now as far as I'm concerned.
Charles did not address one important option that is on the table. Ledger can choose to keep existing devices working the way the first diagram shows. Absolutely minimal firmware updates. Only to fix vulnerabilities. Thus allowing it to become more secure over time. Ledger can choose to sell a separate device with sharded keys and plenty of OS updates for users who are ok with that level of security. Of course the big difference in this case is that high frequency updates with new features deteriorates the chances to make the device more secure over time. New features come with new bugs. I really rather use a mobile or browser wallet for testing fancy new features. Like most other ledger users, I trusted it to only sign messages for ETH and BTC. Nothing else. Now ledger is moving one step closer to be as in/secure as any other mobile wallet. Losing me as a core user. Modern mobile and desktop CPUs come with Secure Enclaves (Intel SGX, arm trust zone) which is probably more secure than the new Ledger posture because they allow separating at hardware level private key storage and signatures from OS and Apps.
So true. In fact, who would buy a ledger now? This news is going the speed of light and everyone will be hearing, Don't get a Ledger. That's what I'm saying. I bought, me, my son and my two daughters Ledgers last year. Now we need an alternative. Which one?
Good video, he seems a bit trustful and makes good points, yet it seems like he is trying to hide the fact that he is being forced to implement this feature.. would been good to ask the community and via different polls figure out a way to make everyone happy.. not just implementing a window of stress into ledger holders.. cuz if you don’t upgrade you are vulnerable and if you do you could at the end become vulnerable and we had no choice or say.
I have not heard a single argument that put my mind at ease. Ledger got their emergency marketing gig but "nothing changed" and, in fact, the backdoor was always there.
the only way they can get your 24 word seed phrase is if your give it to them via ledger recovery? they cannot just hav a software update to manually extract seed phrases without the person giving them.
@@overman2306 there still is no physical way for anyone to get your words unless the user gives it up to them? to be clear , people are made at ledger for offering ledger recovery and giving them your keys to shard. there not worried about you loosing your keys any other way? only thru subscribing and giving them your keys. they can’t hack your keys off ur device. need to physical get from user?
The French guy keeps saying secret. I think he is referring to private keys. Then at one point I think he referred to hardware wallet as a software wallet. They really should employ someone who has better English literacy 😅
For sure. He fumbled his way through the whole thing. It was like listening to my Sicilian Aunt speak English. It's ok if it's about fun and pasta but not about crypto self custody! Geez!
Should have asked outright whether they have been approached by the French government, or other entities, asking questions that we would not approve of.
Ledger clearly states right in their app that their devices are certified by national cyber security agencies. How else are you gonna get SE chips that require NDAs. But if that freaks you out. Wait until you find out who's funding the development of some of the biggest blockchains. It's not THE government. It's WHO from the government.
What absolute ignorance of the market or the trade-offs, risk models etc.etc. Also the ignorance to promote his new feature instead of addressing the issues first. Insanity
This is absolutely a cash grab, recurring revenue justification. If they created a new product offering this (for those that want the feature/are comfortable with it), no problem. However, this was not supposed to be possible...hence the public outrage. *though at least they admitted to everything I have left this comment more times than I care to remember on Bankless episodes, but it is never more true than today (seeing as how Ledger is a company Bankless promoted): You guys have to stop with the ads, shilling, promotions, and sponsorships. Given your standing and influence (and the carnage that has occurred/could occur), there is no way you should be promoting anyone...no matter how much you like them/no matter how much you think you know what is going on behind the curtain. *see Cobie and Ledger and their FTX association *see Bankless and their Ledger association Before you counter with "that's how we pay the bills", there are better ways to go about this: >see Kevin Rose and the Modern Finance podcast (pre Moonbirds money) >see Demetri Kofinas and the Hidden Forces podcast ...both are very successful and ad/sponsor free
PrIvate keys are SAFU, trust me no human force or law could convince our brave key backup providers to bring your keys... (how this guy even got a degree🤡?)
@@JoseAngelAcostaEngineering I was going to change the quote to SAFU. 🤣 You listen to him talk about his grandmother and trust. It's almost like he needs to read the white paper. Actually, a lot of people need to, eliminating third party intermediaries.
If it was always possible to extract the private key can someone please explain how anyone can know for sure that everyone’s devices have not already had their keys copied to a database of private keys? Other than just having to trust a company that has already misrepresented the security of their products.
Ledger really messed up. instead of doing a firmware update and making all ledger devices compatible with this feature, why not make separate device with the recover feature inbuilt and sell it to customers who are interested in this feature. just saying!!
Some wallets are completely air-gapped using a built in camera to read QR codes or NFC tap to verify transactions. I doubt that a key could be easily extracted using these methods. I think I will look for something where I no longer need to trust the vendor.
His French accent makes it very difficult to be certain what he’s saying about a very critically important subject. In fact at times he was slurring his words, going too fast and even put his hand near his lips a number of times. At 11:42 he seems to be saying the seed phrase is in three chards and someone would need at least two to “combine the secret.” What? He was fumbling the words at this point and he must have misspoke. He said you need at least two of the chards to “combine the secret.” I’m sure he meant to say you need all three chards to enable completing the seed phrase. I sure hope so! This was terrible. Perhaps an interpreter should have been used or an authorized spokesman of the company that can speak clearly to an English speaking audience. My serious concerns persist.
What I learned: Ledger uses a 3rd party chip provider called Secure Element which prevents Ledger from open sourcing their OS. Therefore we not only need to trust the Ledger company but also the Secure Element company.
In fact, unless you build the entire technology stack yourself (something impossible for one person to do), you have to rely on people and contracts. After all, the stack is huge: operating system, compilers, libraries, utilities, encryption algorithms and so on.
What Ledger did was unfair to the crypto OG's! If Ledger wants to appeal to the grandmas in crypto, that's a business decision that's totally fine. It's a standard way of losing the OG customers while growing the business. In fact every successful company eventually does that. I just don't understand why the crypto OG's need to get f**ked in diaz when they've been just minding their own business. IMHO it would've been better for everyone if Ledger spun up a brand new company so that we know what's what. And then you get all the grandmas! Isn't this better?
To me this is obviously tied to the government. They want a way to know who holds what, and a way to sieze it if they want to. Governments cant stand the fact that they cant take wealth from people, BTC is a nightmare for authorities. Edit : "it's difficult to prove the absence of a back door." He's fully admitting to having a backdoor for government access if it came to that.
A much simpler explanation is that they're trying to make money. A Ledger device is a one time purchase and a very infrequent repurchase. It's not a smartphone. It's not a carton of eggs. A subscription service would help them grow and not go out of business.
@@Ivelin it's both imo. Of course they want to grow the business, in fact that's the only objective. Cooperation with government is just securing their opportunity to continue growing. Trust is evolved with the company that I naively thought wasn't a factor (they can access your key if they wanted). Have we not learned how trusting company's, banks, and governments can go horribly wrong? How many lessons do we need (celcius, Voyager, blockfi, banks failures, austerity measures in Greece a decade ago where banks/governments froze and stole citizens money, etc), the list is endless. Bitcoin was made to solve counter party risk! We just want our keys to our hardware wallets, us alone.
@@acpjr growing a business is fine, but the process of growing has made many of us aware (myself included) that we don't solely own our keys, and if we don't have sole control of our keys, it's not really safe.
@@andrewmcmurray8081 You say that you are now aware that you "don't solely own your keys". Oh really? Are you saying that you have discovered that the Ledger company now has a *copy* of your keys? Surely don't actually think that...
16:34 nah brah…ALL of your PAST CUSTOMERS cared about the SECURITY and INTEGRITY of private keys That your “grandma” could not handle private keys is irrelevant…Warren Buffett himself thinks that ALL OF CRYPTO is garbage… Ledger made a HUGE mistake and the SOONER IT FIXES IT the better the chance that it remains relevant…
BTW. Who asked for this service... I did not see or hear a soul on social media, traditional media, or on any public forums talking about how bad they wish they had this option. This is a. trojan horse. They should cancel this effective immediately, and if they dont then we know there are bad actors involved. I think we know where it goes from here.
the big problem is that you KYC with ledger and they have your seed. Now the problem became that if someone can trick Ledger in to a false KYC they have your seed without even touching your device.
Not even that, consider that the bankers own the politicians, well all it needs now is for the bankers to make crypto illegal in your country for whatever reason (like if truckers are using it) and boom, whichever company is holding the “encrypted shards” now by law (even though it’s a false law) has to give up that data, and their customers Identity, and faces losing their business.
No! That CTO need to get it into his head! The people don't care about Ledger! They care about their Crypto! And if he does anything to jeopardize them, they will move to another brand! I bloody hope realise the difference!
Dude, I can't recommend Ledger. When I received my device it comes with a hardware/design defect. Thanks to a youtube tutorial I fix it by opening the device with a lot of risk of damage it. Nevertheless, I forget about that defect because after that all was fine until now. How can I trust a company with a costumer data breach, devices with silly hardware design fails and stupid updates like this one. I'm very angry. I feel scammed by this company. I don't have money to buy another cold wallet soon and all this fiasco makes me lost confidence in holding BTC and other assets.
Ledger makes the best advertisement for Trezor. No matter what Ledger says if some force pushes them like the government no matter where keys are stored they will give them. I personally just now order a Trezor wallet
You probably need to level up your knowledge, my bro. The Trezor has been hacked on multiple occasions, including by the security teams of Kraken and Ledger.
Listening. Not buying it. Don't trust it. Just the idea that they opened up the possibility that someone else would get my keys makes them untrustworthy. I DO NOT TRUST THEM. If they wanted to create this quasi custody service, the should have created a a UNIQUE device with AND separate unique firmware. This is a HUGE betrayal. You can NEVER trust a liar for anything. Especially your keys.
What if ledger had a bad employee write code in another update that allowed the seed to leave without having to physically click the prompt to accept.. these devices need to be safe against the creators of the device and im seriously doubting ledger is now
Proposal: Move private funds to smart contract multi-sig wallet protected by private keys from 3 different hardware wallets of three different vendors. And then Government and Ledger need to hack Ethereum to get your funds or to make some massive coordinated action involving all 3 vendors....
I'm afraid if that's what it takes, crypto is never getting off the launching pad. Ledger self-custody is onerous enough, now with this "new development" we add true fear and uncertainty. I might as well have Fidelity or JP Morgan store my keys, they flawlessly custody billions of dollars of stocks for customers for the last hundred years. If we're going to give up actual trustless self-custody then might as well let the pros do who really know how to. That's where this is going. If we can't legit self-custody then the whole ball of yarn is going to unravel.
Moving to Coldcard. Been a Ledger user since 2018. I figured they would shore up their security after the user data breach a couple years ago but instead they decided to make a quick buck instead. I have zero trust in these clowns.
Thanks for the interview, it was very informative. Maybe Charles from Ledger doesn't realize that we got the idea that they had an updateable device that was nevertheless unable to export secrets from Ledger itself. I hope his exasperation about having to educate everyone about what a hardware wallet is extends to the Ledger marketing team and not just the "OGs" who believed them.
Everything is the same except now your device is ready for a `ledger_backup_phase` authorization telling it to share your key with 3 (spoofed) recipients.
@@mughat they can’t “extract” your 24 word seed phrase without you giving it to them via ledger recovery. not even thru firmware. the words are generated random when u make wallet. only way they get ur words is thru giving it to them
@@mughat your missing the point. unless YOU give YOUR 24 words by typing them into ledger recovery service, LEDGER cannot get your key words.. it’s up TO YOU whether they get them
That was a bullshit answer as to why Ledger can’t open source the code! There are many open sourced hardware wallet solutions. That said, hardware wallets are a joke that border on a scam anyway. Smart contract wallets ftw!!!
How exactly is writing down 24 words on paper and storing it in a safe place too complex? It literally is using centuries old tried, true, and universally understood technology (pen and paper) to secure your crypto.
@@beardbandwidth8821 Backing up with paper or metal is not the same as transacting. Nobody is expecting grandma to manually process transactions between cold storage and view only wallets. But the core principle of self custody, keeping your seed / keys secure, is not complex while Guillemet is falsely claiming that it is.
@@6400ab no of course not. Self custody in that respect is easy. However believe it or not some people actually use crypto daily and don't just hold for financial gain. If the purpose of crypto is peer to peer cash then we need secure ways to do so. Not to mention when you do need to transact you have an attack vector by imputing your seed phrase. Not a problem for the techno wise. But we can't expect normal people to come onboard if they need to have a separate airgapped PC to transact. The more complicated it is for the general user, the more likely they will just stick to a cex or in the upcoming years banks.
@@beardbandwidth8821 dude. Again, I wasn't talking about transacting. Why are you belaboring that point so much? I know crypto is used daily. It's a separate issue to the security of the private keys which is what this whole ledger mess is about.
if they do compromise everyones keys through a hidden worm in the updates, then they need to be sued as they are potentially costing users hundreds of millions of dollars.
Whoever at Ledger made this decision should be FIRED GARBAGE. They F’d EVERY SINGLE CUSTOMER they ever had in the past. Why not leave THAT CIRCUS IDEA for another company to do? Absolutely utterly stupid…
I love Charles but do have push back on what he said at end. To parapharse, 'some of OG, hardcore users aren't using the [BTC] features'. I really disagree. Ask Trezor how many users ARE using Tor, RBF and detailed coin control? And, even Electrx node support. I'd bet alot. I assume he was specifically talking about miniscript and Taproot, esp for multisig. Those features would be used more if software wallets implemented them. Ledger Live is a software wallet, of sorts, a really doesn't utilize those features.
They are giving it a good go, all things considered. But Ledger is a sponsor, so Bankless is compromised regarding this issue and cannot be 100% objective. End of story. Next up: Exclusive interview with Sam Bankless Fried, of former Bankless sponsor FTX.
As soon as they admitted they have a back door, i moved everything to Tangem.. Our Government does not have jurisdiction over a manufacture in Sweden Not only is the device clearly not as secure as we have been falsely allowed to believe, but we can't trust the manufacturer to be honest about their products either... Anyone wants to buy a pair of Like New Nano x , i will be happy to sell you the two i just Wiped and Reset.....
I don't believe people will use this, I think this is a desperate attempt to make more and continuously money. People who want this service are more than fine with simply going to RobinHood and buying BTC there...
To me, Ledger should keep the current model as is, as purchased and as understood. I do see merit in a "different" offering that will provide more acceptance from the less technical. One can always go with a paper wallet if total security is desired.
This dude has to show me where I can deny the install of the new firmware on the Nano X... I don't want that Recover thing.... You simply can't deny the firmware, there is no button to deny it!! They want you to install it its as simple as that.
Not a good idea to sell "Self custody" wallets with a back door built in to them. once your ever so secure 3 part division of the seed phrase falls in on itself, Laywer will sue you. You guys shouldve stayed in you parameters.
If my mother can dare to enter into crypto and she know how to buy some then setting up seed phase is a piece of cake too. Your selling point is stupid
Look at this sucker saying all customers have to trust ledger and trezor and other manufacturers…. Yeah yeah at least other manufacturers have their code open sourced so auditors can audit what they include in each firmware update …
Ledger has always been out of touch. I remember like 6 years ago they had a firmware update that would erase the seed from a person’s device without warning. Granted, people should know they need to have access to their seed when doing updates and be prepared for such an event but to not warn the user? They later added a warning and fixed the problem but the lack of foresight by Ledger is hilariously bad.
Ive worked as a software test engineer for ages. Estimated 13% of bugs fall through the net. This is according to IEEE standards. I personally will NOT be opting into this upgrade. If they ever force me to accept this new functionality I will move my assets to my trezor
Everyone tought that Secure Element was something like a ROM with functions to encrypt and decrypt but you would never access to the private key (RAM).
You could only write in the RAM when setting or resetting the private key, but could only be read by the ROM for the functions of encrypting and decrypting. Meaning you would never expose the key but still could use it to encrypt and decrypt. At least this is how i see it...