It's unfortunate that you are avoiding the main issue. With the new firmware/feature, it's now possible for the seed to be extracted, which means physical Ledger devices are now a liability. Previously, the understanding was that if you lost your Ledger or it was stolen, NOBODY ever would be able to access the device's contents because the seed was stored on the Secure Chip and could NOT be extracted. Unfortunately, that is no longer the case. Your argument against open source software in crypto/hardware wallets is entirely bananas. Please refrain from spreading such nonsense. From a security standpoint the purpose of open source software is to allow third parties to READ the code and VERIFY that the software functions as claimed. Given that many users place their trust and finances in this code/hardware, it is crucial that the software can be audited by third parties, regardless of how few the auditors may be. The collaborative aspect of open source software has no bearing here. To use your example of Linux, probably less than 1% of the Linux users understand the code and way fewer are able to improve/make changes; that has no bearing on the open/closed aspect of the code. To quote another commenter: "This video was very disappointing. I wish Bitcoin didn't have so many influencers who care more about brands than security."
@xr1140 Yeah, you still haven’t convinced me that a security device should be open source. It’s an idiotic assumption. Ask anybody that really knows how security devices work and they will tell you that they are all closed source. One example is Andreas Antonopoulos who wrote the book on bitcoin. “All crypto hardware wallet devices require some level of trust on the part of the user”. Bitcoin Q&A: Can You Trust a Hardware Wallet to Generate Your Seed? ruclips.net/video/cONG2ZNjJ0c/видео.htmlsi=QmZYz4CmDjNABCw-&t=22 Open architecture crypto hardware devices like the Trezor One have failed miserably because they can be cracked and tampered with once an attacker has full access to the device. What’s really sad is that there are so many influencers out there saying that crypto hardware wallets should be open source. Do you want open source? Use an open source desktop based wallet. Do you want security? Use a crypto hardware wallet device. Enjoy your open source wallet. I prefer a secure device to protect my crypto.
@CryptoDad What security does closed-source offer over open-source? It seems you put all your trust in the developers (never heard of a disgruntled employee, huh?). Good for you but stop advising other ppl to do so just because. Again you are missing the point... the seed can be extracted! What Ledger promised was that nobody (including them) will be able to extract your seed from the secure chip. Now they developed the ability and at some point all the users will be forced to update the firmware (to preserve the compatibility with the Ledger Live software) and expose themselves to potential risk.
So this whole argument that now that the private key is extractable, the device is insecure, is ridiculous. The Ledger Recovery Service is optional and can only be initiated from the device by the authorized user. This is the same principle that allows the authorized user to sign transactions locally. To suggest that somehow an attacker could steal the device and access this functionality, is incorrect. They would have to crack into the device first in order to perform this. And that’s what the closed-source secure element chip prevents.
OK, so I’m a hardware wallet manufacturer and I’m going to take your advice and make my software and my architecture completely open source. We all know that the open source cycle works like this: code is posted on GitHub. It’s checked for vulnerabilities and backdoors. Vulnerabilities are discovered and they get patched. Sounds like a perfect world to me, except for the fact that many vulnerabilities are discovered and exploited before a patch can be applied. So basically we have a cycle here where our device is secure and then someone discovers a vulnerability and then it is suddenly not secure anymore until someone comes up with a patch. And we go through this cycle continuously. Secure, not secure; Secure, not secure. This is the model that you think I should follow for a secure hardware device to protect my crypto? Do you think anyone wants to buy a device that is secure sometimes and insecure other times? All you Open Source advocates for hardware devices really make me laugh. You’re suggesting that I should store my crypto in a device that is only secure some of the time? And to make matters worse, you come into my comments like you’re some kind of authority scolding me for promoting misinformation when you are actually the one that really doesn’t understand how a hardware wallet security device should work.
So do you think Chase Bank would want to make their atm card chips open source so criminals can crack into their devices and figure out how to make unlimited withdrawals? Do you think the US government would want to make the smart card technology in passports open source so state actors can hack into their passport protocols? Do you think Boeing wants to make their employee ID card chips open source so competing companies can crack into their security protocols and gain access to their facilities? Of course not. They want to protect their secrets. The secure element chips in crypto hardware devices protect your secrets (your private key). Don’t you want your secrets protected?
@CryptoDad I have found Ledger to be a reliable and secure option for me, and I have not experienced any issues with hacking or security breaches, as some users have reported. Despite exploring other cold wallet options, I continue to rely solely on Ledger due to its proven track record of security and performance. I want to emphasize that my statement is based on my personal experience and is not influenced by any affiliation or promotion with Ledger. Thank you and keep up the good work!
Totally agree I’ve owned ledger before they announced the subscription to back up your secret keys and I never went for that subscription and I have never had an issue with my wallet being drained.
So far, Ledger hasn't had any major security issues, but the past data breach makes me worry about whether the company might have more security problems in the future. Also, while no one has proven that Ledger Recover has a backdoor, no one has proven it doesn’t either, which makes me feel uneasy. But the biggest thing for me is that the Ledger Recover service goes against the whole idea of decentralization that crypto and Web3 stand for, which I just can’t get behind.
Yes, the "proof" or "no proof" argument can be applied to almost every cryptocurrency hardware wallet on the market. It can also be applied to the argument for or against the existence of God. It's basically a meaningless argument. There is no such thing as a completely open source wallet that employs a secure element chip. And most of the major crypto hardware wallets out there do employ secure element chips. And those wallets that focus completely on transparency and open architecture are vulnerable to tampering attacks. No one wants a wallet that is not tamper resistant. Therefore, there must always be a balance between transparency and security (secrecy). Unfortunately, the truth that no one wants to admit is that every hardware wallet out there that employs a secure element chip requires a certain level of trust on the part of the user. Now this does not really need to be blind trust, because secure element chips are rigorously tested & certified by 3rd parties. That is what the EAL 5+ and EAL 6+ certifications are all about. This is the same technology employed in ATM and credit cards and also passports and employee ID cards. Sure, we don't know all of the internal workings of these chips. That's because they are proprietary technology and every company that employs them has to sign an NDA with the chip manufacturer. This does not mean that they have back doors per se. It just means that security needs to remain secret to be effective. And your concern about previous data breaches is noted. But the data breach you're referring to was a breach of the ledger customer database which did not affect their internal security that protects the Ledger architecture and OS. I don't want to rest my argument entirely on whataboutism, but customer database breaches are a fact of life.
You hear about one almost every other month and they have occurred with some of the largest and most secure companies out there: Target 2013, Equifax 2017, Yahoo 2017, Microsoft 2019, LinkedIn 2021. The list goes on and on.
@CryptoDad Just as with messaging apps (WhatsApp etc.) and their BS claims about "end to end encryption, your messages are totally secure!", it's 100% rational to believe that, oh yes indeedy, there is a backdoor. The only parameter to calculate from that basis is the odds of anyone ever deciding to walk through it and ransack your shack. If the Ledger company big-boys get fat and wealthy from their gig the back door will most likely stay shut; if, however, their personal circumstances suffer a total melt-down, I'd trust that door remaining closed not one iota.
What people are really angry about is that Ledger pulled this seed extraction crap on people who had already bought their devices, believing the keys were secured on the device. What Ledger should have done is say that future devices would have this feature enabled, but all current devices would not. They really should have kept two different streams of devices. It's the backporting of this feature that has made people upset, and rightfully so.
Yes, I totally agree it was a violation of one of the basic tenets of self custody to offer a seed backup feature to the cloud. It would have been great if they would have had two product tracks. As you mentioned, one with, and one without the recover feature. For whatever reason, they decided to integrate it going forward on all of their devices. In their defense, the Ledger recover seed exportation process can only be initiated locally by the user and is in fact totally optional.
These new people are repeating opinions they heard from qualified security experts in the field that have many valid concerns about Ledger security. If you learn about crypto security a bit more you also might understand what they're talking about.
Facts you cannot deny: Ledger for a long time promoted their products stating it would be "physically impossible" to extract the private key from their devices since their "secure element" chip was, again, designed in such a way that would make it unfeasible. By design. "Physically impossible". And then, some years later, they launch a "service" that does exactly that -- extracts the key from the device. The fact that they say you need to agree and give them permission to do so is irrelevant -- Ledger lied and should not be trusted ever again.
Aww you're upset that somebody lied to you. Sounds like you're still mad at your ex-girlfriend for sleeping with your best friend. Ledger is a company. They decided to add new functionality to their products. Get over it.
I am not trying to pick either side but I have heard this: "If it has the capability to upload a seed phrase then some people might not want it." And that is a valid point to tell people. Everything else is exaggeration.
Ohh, I can't argue with you there. If you're uncomfortable with some of the features of the device, then definitely find something else. I'm just trying to address the issue of people claiming that the device is able to do this without the user's intervention.
So I had a feeling when I posted this video that it was going to generate a lot of controversy, pushback, and counterpoints in the comment section. That's actually a good thing! I will point out that I don't have a degree in cryptography. I've just been using hardware wallets and putting out tutorial videos for several years. This does not make me a cryptography expert. But I believe that my experience does contribute to my educated opinion. However, I don't claim to be correct on every point. I just felt that I owed it to my viewers to put my opinions out there even though many of them could be wrong or picked apart by people smarter than me.
Like others here, I had set up my Ledger and left it alone for a while and then I came back and started hearing all this about Ledger but didn't really see the issue for the exact reasons mentioned here. And when researching other alternatives, they also have other issues, some even similar. Thanks for this reassurance and saving me a few bucks by not buying another wallet. You got a new subscriber!
Using a bunch of different wallets, and not keeping everything in one place, is the way to go. But I've never had any issues with the Ledger wallets. I did get an email compromised, years ago, in the data breach, but that is not anything to do with the wallets themselves.
Recover isn't the problem. Adding key extraction capability to Ledger hardware is the problem. Ledger Recover should have required separate hardware so their Nano hardware would stay truly "cold" and Recover hardware could have been "hot/semi-hot." People don't want to admit this, but Ledger hardware wallets aren't cold wallets anymore. I'm really surprised to see Crypto Dad, who I considered to be honest and trustworthy, suggest otherwise. He knows better. Hardware wallets should be able to share signatures, but never keys. Never keys. I'm also shocked that he suggested trusting Ledger until their hardware gets hacked. Ledger hardware has already been hacked, but their bounty program requires signing NDAs to keep those hacks private. I know Crypto Dad knows this as well. This video was very disappointing. I wish Bitcoin didn't have so many influencers who care more about brands than security.
I am with you Crypto Dad. While I may think it was a bone headed move by Ledger to offer the backup service I do not believe for a minute that their devices are any less secure than they were before. In fact they are my favorite hardware wallet and I own and use several of their Ledger Nano S Plus units. I don't like the Ledger Nano X only because it offers "bluetooth" connectivity which I consider a security risk. You can call me crazy if you like. But overall a good video. I totally agree with you. Kresp.
Thank you. I won't call you crazy for being security minded. In fact, you are in really good company. Andreas Antonopoulos is also leery of Bluetooth in hardware wallets. Recommended Video: Bitcoin Q&A: Are Hardware Wallets Secure Enough? Andreas M. Antonopoulos: ruclips.net/video/3zNVDIz6Snw/видео.html
Good to see another perspective and summary of the different dot points! I am keen to buy a new hardware wallet and tossing up between the Stax and whatever Trezor release mid June
We have also to take into consideration that the competitors of Ledger have vested interest to criticize and attack Ledger. Ledger is one of the leading user-friendly hardware wallets and all points Crypto Dad discussed on the video are honest and highly valid. There is no use being paranoid with Ledger and with the narratives by fanatic ancaps and owners of other hardware wallet companies.
Yes, I have often thought this myself, and though similar to ledger critics, I cannot prove this. I have often felt that a lot of the trolls on Reddit were paid by other wallet companies. Now I’m revealing my own paranoid fantasies.
You are my go-to on this topic. So this just happened. A family member's Ledger Live account just got drained. The seed phrases are in a vault. So what happened? Last transaction was in March, which was a deposit from a Coinbase account. Last week somebody made two deposits of several thousand dollars of XRP. Took the XLM that was there, switched it to XRP, and once they had everything nice and tidy they drained it all, and the entire transaction was in the span of less than five minutes. We are beside ourselves because all of it was locked in a vault. And we have no place to go to get help.
Thank you crypto dad. Seriously I was scared shitless because I set and forgot about my ledger and haven’t really been briefed on everything that has happened.
I believe the ledger wallet is safe. And when I need to find out and how to do stuff, I go to the Crypto Dad, and I've even told other people to do so. So don't listen to all the trolls.
How does the recovery service actually work from a technical standpoint? You sign up and give them a copy of your seed phrase? If you lose access to your wallet, how exactly do they recover it for you? Would love some clarity on that. Most don’t sign up specifically because that seemed like giving up one's seed phrase. Is there an after-the-fact way for them to recover it or do they get your seed phrase when you sign up?
I gave you links to their white papers that describe in excruciating detail how this service works. Just check the description of the video. But in a nutshell, when you sign up for the service, you upload your biometrics and those are stored in the cloud. The only way to initiate the restore process is by verifying your identity by using your biometrics. They check to make sure they match the ones you uploaded during the backup process.
Completely agree, using a Ledger as well. On one of the points you say no good hardware wallet is fully open source - what about Keystone? And what are the drawbacks with that wallet?
Can't send to exchange. I have tried copying the address and also typing in the correct address. When prompted to confirm the address on device the address is different than the exchange wallet. I lost one transaction before I realized what had happened. Can't transfer my crypto.
It's like saying you are driving for several years and never had an accident therefore you will never have one in the future based on past experience. Really? That's how it works?
No need to limit yourself to one device or one particular brand. It's probably obvious, but I own several crypto hardware devices. And I use them all in different circumstances.
My Ledger Nano X got hacked this weekend when my Nano X and the seedphrase were locked away. They won't do anything to get my money back. I'd be glad to talk to you about this so others won't get scammed. This video is ABSURD! THEY ARE COMPROMISED. DO NOT USE ANY LEDGER DEVICE PEOPLE!
I'm really sorry to hear that this happened to you. But most of these cases involve inadvertently revealing your seed phrase to a scammer or interacting with a malicious smart contract on a shady web site.
Tangem wallet is open source and it’s pretty robust. Regardless the perception that the Ledger wallet did not disclose that the capabilities that came out in the news months back when PayPal was making their move damaged the “good will” in the product. So don’t feel like you have to take responsibility for the perception that has emerged.
That’s all I’m saying. If the company had disclosed that the capability was there from the beginning, it wouldn’t have been an issue and customers could and would have a more informed choice in their purchase. So regardless if it is secure or not is irrelevant at this point because the “good will” is eroded. And I also pre-ordered the new Stax but I’ll never use it with this revelation. Caveat Emptor.
Why is everyone telling that Tangem is open source? Only the Tangem app is open source (like Ledger Live), but the firmware of the card is completely proprietary. Ledger has additionally to Ledger Live also the apps running on their wallets on Github as well as parts of their BOLOS firmware (esp. the parts regarding Ledger Recover). Only Trezor, Bitbox, Keystone, OneKey and some Bitcoin only wallets have also full open source firmware. SafePal has open sourced the firmware of their X1 wallet, but only parts of their app.
Well, you made the best Ledger instruction video I could find online. 100%. We are living in a world where a lot of people speak without thinking or having any knowledge. Those sad people want a stage for their ego. So keep up the good work, Cryptodad.
Love the level headed video, that being said you are asking everyone to take Ledger's word for a lot here. After the customer data hack, seed extraction proposed patch, and constant social media fumbling, Ledger has lost all "Just trust me bro" points. There is 0 reason to have anything to do with this company because they have shown time and time again you cannot trust them. "prove it" - Nah that's Ledger's job not mine, and they have already failed multiple times.
Yes, your argument is impeccable. I appreciate you contributing to the discussion. And I totally respect your position. I'm not trying to sway you one way or the other. But for some of the people that might be reading these comments, I did want to bring up a few points. Yes, Ledger is expecting a level of trust in their product. But so is every other hardware wallet device manufacturer that uses a secure element chip. The only part of Ledger's code that is not open source is the OS space that interacts directly with the secure element chip. Everything else is open source. github.com/LedgerHQ/ledger-live github.com/LedgerHQ/wallet-api github.com/LedgerHQ/ledger-secure-sdk developers.ledger.com/docs/device-app github.com/LedgerHQ/ledger-secure-os github.com/LedgerHQ/ledger-secure-os/blob/main/dashboard/src/dashboard_recover.c And the reason that this is closed source, is because they have signed an NDA with the secure element chip manufacturer. But even this closed source code undergoes rigorous 3rd party testing. So ledger is really not asking you to trust them completely. The same holds true with every other crypto hardware wallet. They all use secure element chips to prevent tampering. Now there are a few outliers like Bitkey and Cypherrock, BlockStream Jade. But they use a completely different scheme that relies on multi-device authentication. But the major players like Trezor, Tangem, Ledger, and yes, even Ellipal, and Keystone 3 Pro. All employ secure element chips. There seems to be this dichotomy of opinion that goes something like this: 1. Ledger bad! Because their code is closed source and they want us to trust them. 2. Everyone else good, because their code is completely transparent and open source. This is a way over-simplified argument. As I mentioned, these other companies employ secure element chips, which are, by design, secret and designed to prevent tampering. I've also seen a lot of people and I'm not accusing you of this opinion.
But it's something like this: My packaging is stretched in a weird way. I'm worried my device has been tampered with. What should I do? Return it? But I also want my device to be completely open source and transparent. In other words, I'm worried about tampering, but I want my device to be completely open source and transparent. Well, unfortunately, you can't have both. The secure element chip is what makes the device tamper proof. That's why Trezor has started adding them to their newer models. (Trezor Safe 3 & Trezor Safe 5) They want to avoid this debacle: blog.kraken.com/product/security/kraken-identifies-critical-flaw-in-trezor-hardware-wallets What made this hack possible was the open source architecture of the Trezor devices. A secure element chip prevents this kind of local tampering hack. So open-source (opensource.org/) is great for giant software projects like Debian Linux. But the concept doesn't really apply to a security device that needs to be both secure and tamper proof. And don't get me started with the prevalence of customer database hacks. You read about a new one almost every month of the year. I've said enough. And I know it doesn't excuse ledger when I say that it happens to other companies. But people seem to single out Ledger acting like they're the only ones that have ever had their customer database hacked. Remember Target 2013? Remember Equifax 2017? Remember Microsoft 2019? And the 2020 ledger database hack involved their public-facing e-commerce website. This was not their internal code base that runs the Ledger device. The integrity of the Ledger device was not affected.
Do you have any experience with the Ledger Live app install for Linux installation? Is it safe to use or would this app expose the hardware wallet? Assuming the Linux OS and firmware is kept up to date?
I have never used ledger live on a Linux machine. But really, the device is in charge of security. Ledger live is just the public interface. I'm sure it's just as safe to use as the Windows or Mac version of ledger live.
Yeah, I'm sure that's what they're referring to. But through all of my research, and spending time reading all of their white papers, the service appears to be totally dependent on user intervention. www.ledger.com/blog/part-1-genesis-of-ledger-recover-self-custody-without-compromise (there are 6 in total... a totally bland and boring read) In other words, it cannot be initiated remotely or locally without the end user (the person who knows the pin), authorizing the service on their device by using the buttons. And it does not appear that this creates any way for Ledger, the company, to serendipitously extract your private key without your knowledge or intervention. I think this is what people are calling the back door. I feel it is nonexistent. but DYOR
Ledger has the longest record of being unhackable and no one losing their coins aside from personal mistakes... so yeah I'm still using it... I'd rather use something that has been battle tested instead of newer wallets that have only been around less than 5 years
I still use Ledger, anyone that thinks online services for keys won't become the standard is delusional. Products that provide monthly charges and give a business constant profits is the normal. Ledger is just the first cab off the rank, others will follow. As for the open source argument, Tangem for example has the phone app and it's open source, the code on the card itself isn’t. Nothing preventing them keeping something in that that collects your keys without knowledge, we have to trust the 3rd party testing of the devices. It’s easy to argue either side, the majority of YouTubers are being paid to sell something other than Ledger when they create a video against it, don't kid yourselves thinking otherwise. I'm more annoyed at Ledger for how they handled the email and data breach on customers. My email account became a dumping ground for crypto thieves trying to trick me, I get a load every day, they didn’t give a shit. VERY annoyed at that more than the other issues being raised around the YouTubeverse
Yes, I totally agree with you. The customer database leak was a major fumble on their part. And you're a savvy person that is being annoyed by all of the spam and phishing emails. I can only imagine how bitter the people are that were actually taken in by some of these scams and had their wallets drained.
It depends on the situation. But conceivably they could do it within the hour. If you still have access to your crypto, I would immediately transfer it somewhere else. You want to get all of the crypto out of that device that you've exposed. After that you can wipe it and set it up as new. Then you can move your crypto back in.
I still think that if some judge comes along and orders the executives at Ledger to produce the private keys of various customers, they will comply. And the motive of the judge would be surveillance.... or seizure of funds pursuant to a legal process.... rather than simple theft.
According to part four of their white paper series, this would be impossible, since the key is encrypted, even Ledger doesn't have access to it (in unencrypted format). The only way to perform a restore is by the user verifying their identity. I understand your concern, and this is a very common concern when talking about the ledger recovery service. Here is a link to the white paper where they discuss the restore process and how it can only be initiated by the user: www.ledger.com/blog/part-4-genesis-of-ledger-recover-controlling-access-to-the-backup-identity-verification
@CryptoDad I wouldn’t just go by what they have on paper, and I would listen to the very own words of the CEO who said that if a judge ordered it by court, on behalf of the government?? Then Ledger would give up the private keys of said customers, that in itself is a red flag. They’ve already proven that they’re not honest, so when they’re actually honest? People tend to overlook what’s being said, even Canadian government already asking people to register their ledger, and I’m wondering for what? Naaa I don’t trust none of that idc how long they been around listen to the source themselves tell you they will and can do it.
Hey CryptoDad, love your content! Just my opinion of course. I don't think it's the fact that it's not safe. It's the fact that the whole concept of having self custody is that no one is aware of your private key and seed phrase. The fact that Ledger created a Paid Service to split your seed phrase is the concern. I get it, it's a great product for CORPS or maybe the forgetful however, for the norm of people in crypto that know about self custody, I don't think people want ANYONE to ever have access to their key. It's like your bank account. The bank has access. Crypto private keys give you the control that people want. It's just not something that self custodians would opt in for .. I would assume anyways .. if they did, just keep it on an exchange, it's a similar risk (of loss). Just my opinion - I don't like it. I'm not happy it was enforced on all of their product lines. HOWEVER, THEIR PRODUCTS ARE SOME OF THE BEST IN THE INDUSTRY thats what upsets me most. Lol.
Yeah, great overview. I agree with that also; crypto should be private and personal. However, the government wants to stick their nose in and have us declare every trade and transfer on our taxes. So since technically they know everything we’re doing, why worry about a back up company. Ha ha. But I think I also mentioned this is a natural progression for self custody towards mainstream adoption. It’s funny how Ledger and Trezor are both coming at this issue. Trezor just announced their new product line along with a new backup protocol that streamlines the seed phrase word list to make the words more unique and less ambiguous. They’ve also come up with a multi share backup that addresses the single point of failure when managing seed phrases. So both of these companies are addressing the issue that humans tend to screw up self custody. Interesting times!
@CryptoDad The Government always stick their noses in... There is no such thing as freedom anymore, it’s sad really. There’s pros and cons to that, however it still doesn’t mean Ledger should take the option away - what I mean when I say that is, if I want to be able to have control of my keys and not allow anyone access even if I will go to prison for it, at least I have that option if that makes sense? Ledger isn’t doing this because of taxes, they’re allowing people to remove their control of their assets and this is what people in the crypto space don’t want. I believe Ledger is doing it firstly to generate more revenue as a company, and secondly, maybe for marketing to new people in crypto. If this recover stuff is ever enforced, our freedom of choice has been stripped away. As humans we want to be able to make a choice even though majority of us will make the right choices, it’s about having the option to make a bad choice lol. Anyways I don’t know if there is any back door or whatever, it’s just most upsetting that they did this whilst my Stax was purchased in 2022 and if I wanted a refund when they announced this, they would only give crappy FIAT and not my Ethereum back. Hahaha - I rant a bit in my Stax unboxing lol - I laugh but I’m in pain inside lool. Regarding the taxes, the government do know everything and that’s fine, as a law abiding citizen we will pay our taxes and get a good accountant hopefully to minimise tax legally. Better yet go to a tax free country if you want to pay no tax. Interesting that you say that regarding Trezor - do you mean the Shamir Backup? Or have they come out with something like ledger recover?? That would be insane if they did. Can’t find that anywhere on google lol. But if you mean the Shamir Backup (SLIP39), that is the best form of seed phrase generation in my opinion. It’s not only the Trezor that does that by the way, the Keystone also does this.
I own a keystone (well 2 actually) and it’s one of the best HODLing wallets I’ve got, I say this whilst I own an Ngrave. In the future once I obtain a larger subscriber count on my RUclips channel, maybe we can do a collaboration or something regarding BIP39/SLIP39 lol. I’ll send you a message via email in the future sometime if that’s ok.
So in your opinion, Ledger is safe, even if the seed storage companies get a subpoena and are forced to deliver the keys? Wouldn't this defeat the purpose of a "cold wallet"?
Well, strictly speaking, if you're not using the ledger recover service, then you don't need to worry about anyone stealing your key or subpoena-ing it. It is entirely optional. And although many claim that the existence of the service opens up ledger's ability to extract your private key without your knowledge and consent, I believe this is a paranoid fantasy. Now if you ARE using the Ledger Recovery Service, part 4 of the white paper shows that the only way to perform the restore is through user verification using biometrics. Otherwise the key remains encrypted. (In other words, it would be useless for law enforcement to subpoena Ledger, Coincover or Escrow Tech. Even if they fit two shards together, the key would still be encrypted.) www.ledger.com/blog/part-4-genesis-of-ledger-recover-controlling-access-to-the-backup-identity-verification
@@CryptoDad The "paranoid fantasy" could be avoided if they really go Open Source. Maybe this is the key that would settle things: looking at the code and making sure that the use of the recovery service is a personal decision. But I think they have been "Opensourcing" for 3 years and nothing has happened.
I agree with your contention. But I don't believe "open source" is possible or applicable when we're talking about hardware wallet devices. So call me a heretic, because everyone is following the "open source is best" religion out there. But if a wallet employs a secure element chip, it is by definition not fully open source even if all of their software and firmware is open source and posted on Github. There are a lot of other hardware wallet companies that are throwing that term around, so they sound good. But most of these companies employ secure element chips in their devices. So there is an element of secrecy when using the device. I see no problem with this. I believe it is standard security practice to employ a secret design to avoid tampering. This is how most security devices work, such as atm card chips, credit card chips and smart employee ID cards. You want the design to be secret to avoid people from tampering. There is a company called Blockstream Jade that has what I consider to be one of the closest things to a fully open source wallet/device. Here is their article where they talk about the fact using closed source secure element chips is not fully open source and their solution: help.blockstream.com/hc/en-us/articles/13745404122265-Does-Blockstream-Jade-have-a-secure-element Basically, this article gives tacit approval to my opinion that a secure element chip is not open source by design. I'm not sure how applicable this technique is to mainstream hardware wallet devices. But it may be a promising direction. I don't know that this technique is ready for mainstream adoption or all the other hardware wallet companies would be rushing to adopt it. As it stands, I think the secure element chip is the go-to security mechanism for most hardware devices. And the Blockstream jade wallet is BTC only. So it's not very practical for managing multiple cryptos. Back to the point of our conversation. 
People are worried about some kind of back door built into ledger because they are not following their open source religion. My contention is third party testing is enough to satisfy me that the device does what it says it does.
Thanks crypto that I appreciate it. I haven't been on my ledger in a long time because I was afraid there might be some kind of compromise somewhere in the system. I could have been staking ethereum for the last year, but I was scared to and didn't have the time to really research it, so I just left it alone.🎉
I've had an issue with ledger. I hadn't updated the software on my nano since 2017; it was stuck in a box and I forgot about it. Then a few months ago I got it out, tried to update and could not. Got the app for the phone, managed to get the unit updated, but no way of downloading or seeing the dogecoin in my wallet even after downloading the doge app. I re-entered my seed and still nothing in the wallet. I know it did exist as I have a photo of the amount in the wallet way back in 2017, and can see the purchases on the exchange I used. Any ideas why the nano won't show the amount either on the unit or the app on the phone? Would purchasing a new up to date unit help? All the other crypto still exist on the wallet, just not the dogecoin purchased.
Honestly just off the top of my head, I'd try to swap it for something and see if something like uniswap or w.e can see any amount of doge in your wallet (tied to that address).
You might wanna check out this video. It has some pointers on syncing up your device to your phone or computer. Perhaps using some of these techniques you might be able to re-gain access to the account. Barring that you may have written down your seed phrase incorrectly originally and now it does not give you access to the original crypto. However, if your seed phrase that you used is valid, the chances of it being incorrect are pretty small. So I think maybe you should try these troubleshooting tricks: How to Recover Your Lost Crypto Using the Ledger Device vs Using Ledger Live ruclips.net/video/tcspePxhkhk/видео.html
@@CryptoDad Yes, it is the correct seed as all the other crypto exist in the wallet when used, thanks for your help. I think purchasing the stax may be the way forward. I find the original ledger nano 2 button nauseating to use.
The Coldcard has a secure element chip so although all of its software is open source, there is an element of secrecy inherent in using the device since the secure element chip is closed source. As far as Blockstream Jade goes, it claims to have a virtual secure element that is in effect open source. help.blockstream.com/hc/en-us/articles/13745404122265-Does-Blockstream-Jade-have-a-secure-element So it may be the closest thing to a completely transparent hardware wallet. But personally, and this is just my opinion (although I pretend that it's fact), I don't believe that any wallet is completely transparent and any hardware wallet requires some level of trust on the part of the user. This is not a deal breaker for me. It's just a fact of life. Many people believe that they MUST be using a wallet that is fully open source and transparent and many believe that they are but I think they are mistaken in most cases (the Blockstream Jade device appears to be a welcome exception). However, both the Coldcard and the Blockstream Jade are Bitcoin only so if you want to manage other cryptocurrencies then you're going to have to make an informed decision on using a crypto hardware wallet that supports other cryptos besides Bitcoin.
@@CryptoDad What about AirGap Wallet? The one you install a vault app on an off-line cellphone or tablet and the wallet app on your daily phone. It is air gapped meaning transactions are authorized through QR codes.
What do you think about the software updates? I have not updated my software for some time now. Should I continue as of update the OS? I am probably at minimum 5 updates behind. I don't want nothing weird to happen so I am hesitant.
You’re gonna hesitate yourself right out of your crypto. Updates are there for a reason. They are to improve security, add new features & fix bugs. They’re there for your own benefit. Avoiding updates is not a viable strategy. It’s best practice to keep your device and software up-to-date. Pretty soon the device will become unusable if you stop doing updates. And then you will need to purchase a new device and do a restore. You can avoid this scenario by keeping your device up-to-date. If you’re worried, I would run the recovery check app on your device to verify that your recovery phrase is valid. Once you have done this, you should have no qualms about running updates on your device.
Well, the short answer would be other crypto hardware wallet companies hiring trolls to discredit Ledger. But on a deeper level, after the FTX collapse, people were rushing into self custody. I think this made the powers-that-be nervous. And so suddenly the top crypto hardware self custody company was being attacked as unsafe. I know that sounds like a paranoid conspiracy, but that might be one motivation for discrediting Ledger.
Could Ledger push a software update requiring KYC to access every self-hosted crypto account created with the device? If so, is there a way to workaround it?
Ledger nano x for several years without anything being compromised. I know no one personally who's been affected. Please just protect your keys and do not connect a cold wallet to any dApp or anything for that matter.
Thank you Crypto Dad, I really appreciate this video and all the hard work you are doing for the crypto community. You are truly a super hero and only want people to do well using crypto. Thank You 🇨🇦
It seems that you don't completely understand what exactly the backlash against ledger was about... The whole point of the backlash against ledger was their recovery service. You didn't mention that at all in this video. Obviously if they ever took advantage of this system they would be ruined as a company but the fact that they put it into the firmware ruined a lot of people's trust in ledger.
I mentioned to another commenter that this particular video was going to be an aside in a longer video discussing the ledger recover service. It basically took on a life of its own, and so I decided to simply post it as a standalone video. I plan on doing another video on the pros and cons of ledger recover. But although I personally would never use ledger recover, I think they took great care to create a system where exporting the private key was possible but still completely optional for the end users that don't want to use their service
I don’t like the Ledger customer database hack several years ago and I don’t like the new Ledger Recover functionality. I recommend everybody to search for other RUclips videos about the new Ledger Recover functionality and safety concerns. Really amazing that Crypto Dad does not even mention this.
I plan on doing a separate video about whether to use ledger recover, or not. I wanted to try and keep this video separate. In fact, the points I made in this video were going to be my lead up to my discussion about the pros and cons of ledger recover. But then the subject matter took on a life of its own. I personally would never use ledger recover, but I understand why they decided to offer it. I’m planning on doing another balanced coverage of whether or not someone should use ledger recover.
Thank you for the informative video! I've noticed that whenever the topic of crypto wallets comes up on Reddit, many users strongly advise against using Ledger. This fear-mongering seems to be quite prevalent on the platform. It's disheartening to see this kind of negativity. Could you, CryptoDad, shed some light on why Ledger receives so much criticism on Reddit and address some of the concerns raised by these users?
Well, in this video I basically covered the claims, but the elephant in the room is the ledger recover service. This is where the whole controversy started. Ledger is offering a service that allows an end user to export their private key for cloud storage. I thought that most people would criticize the security of the process. But as it turns out, the criticism became more fundamental of ledger as a company. They were accusing Ledger of using the service to compromise the device. Or they felt that the only way to implement this service put regular users at risk. Basically, the Ledger recover service is optional. But that hasn't made anyone feel any better about the fact that Ledger is allowing their device to export the private key externally.
Ledger, a leading provider of cryptocurrency hardware wallets, experienced a significant data breach in July 2020. As a trusted name in the cryptocurrency security space, the breach was particularly concerning due to the sensitive nature of Ledger's business and the potential implications for its users' financial security.
The data breach had nothing to do with the hardware, though, and its hardware has never been breached, unlike Trezor that has had a hardware breach (yes, it was patched by firmware). The data breach was names and addresses and emails, etc. Still extremely lousy by ledger, and they sat on the situation before telling people, which also was not good.
Yes, you are correct. It is cause for concern. And I know it doesn't really make it any better to say that large data breaches are happening on a regular basis with even bigger companies that should be keeping your data safe like Equinox and Target. In Ledger's defense, their customer database was being managed by a 3rd party. And that was completely separate from their internal security mechanisms for guarding the ledger internal code and the security protocols they have in place for software and firmware rollouts.
There is only one question to ask for any of these types of devices > Can the company/3rd party see or access your seed phrase under ANY CIRCUMSTANCE? Any device that can is a BIG NO.
Well, since you put "any circumstance" in caps, you've basically turned it into a theoretical question. I don't think any crypto hardware wallet can claim it is impossible to see (or access) the seed phrase in "any circumstance". As I mentioned, this is a risk game. You're just trying to minimize your risk. There's no way to totally eliminate it.
That's a great idea, it's been a while since I've done an engrave video. I'm assuming you've already seen my setup. ruclips.net/video/KspVwt-zGz8/видео.html and cash out: ruclips.net/video/KrBS-EnzVjM/видео.html
Facts you cannot deny: Ledger for a long time promoted their products stating it would be "physically impossible" to extract the private key from their devices since their "secure element" chip was, again, designed in such a way that would make it unfeasible. By design. "Physically impossible". And then, some years later, they launch a "service" that does exactly that --extracts the key from the device. The fact that they say you need to agree and give them permission to do so is irrelevant --Ledger lied and should not be trusted ever again.
They saw a need. So many of their customers were calling them because they had lost access to their crypto because they lost their seed phrases or written them down incorrectly. (Because people are human). So they endured years of people screaming and crying to their tech support, demanding their crypto back. They had to tell them "There's nothing we can do" because, you know, self custody. So they decided to figure out a way that they could offer a service that would allow a customer to back up their private key for cloud storage. So sure, it's antithetical to crypto enthusiasts because it violates the basic principle of self custody. But Ledger is not the guardian of crypto policy. They're a company that makes a hardware device. They decided to add a new feature to their device called the Ledger recovery service. It's completely optional. How was that lying? They just added a new functionality to their device that it wasn't there before. Because they saw a market opportunity.
@@CryptoDad it's lying because at first they said they cannot get the keys, and now they say it is possible. See how that's a lie? First they said it is impossible, and now it is possible.
@@manowatis1557 they made it possible by modifying the device. How is that so difficult to understand? Have you ever seen a phone that had an upgrade? Have you ever seen a computer that had an upgrade? Have you ever seen a refrigerator that added an ice dispenser? Come on. You’re telling me you think this product should’ve just stayed exactly the same for 50 years without ever being modified to appeal to a broader market?
And by the way, they still can’t get your keys. That’s ridiculous. Only the user can export the keys. You’re listening to too many rumors about the service.
@@CryptoDad That's really a lame excuse --they claimed for years that the "hardware" was built in such a way that it was "physically impossible" to get the seeds out, i.e. a simple software change/update wouldn't do the trick because there was a physical, material gap that could not be bridged by software... that is what they said, it was there in their ad material, there are videos of their people saying it. It's like Samsung stating their TVs can't listen to you because there are no microphones built-in to the sets, and 3 years later you find out the microphones were there since the beginning. Samsung can claim they never activated the microphones so they could listen to you, but they lied about the hardware. Ledger lied.
Come on Dad…The video is pretty much beside the point. The real claim against ledger is that consumers were initially made to believe that the private key could never leave the device. And then subsequently ledger introduced the “opt-in” recovery feature that basically shows the private key CAN leave the device. That’s what this video should be about…
I agree that's one of the main objections people have to this service. But that just really boils down to a trust issue. Sort of a "he said, she said" thing. Now I know a lot of people are going to dig up statements by ledger saying that the private key never leaves the device. But technically, it always has had that ability. In other words, when you're setting up the device, it exports the keys from the device to your eyes so that you can write down the seed phrase. So this idea that the hardware device was some sort of hermetically sealed key storage is not really accurate. The ledger Recover service is just another way that the end user can locally manage their private key. Even though they can now export it for cloud storage, it can only be authorized locally by using the buttons. And yes, they decided to modify the functionality of the device to allow the end user to optionally export the private key. There's no argument about that. But it sounds like Ledger just decided to modify their product. I totally get it, it crosses the line between a device that manages the private key locally to some sort of hybrid device that has backup functionality. But the world is changing and self custody is changing.
@@CryptoDad All of that is good if they didn’t market the device with the “feature” your key will never leave the device. They changed a promise that they made and I would have never bought the device if that was transparent from the beginning. I also think that your analogy is not the best as displaying the seed phrase is not the same as exporting it.
@@CryptoDad No one needs to prove Ledger management's terrible move and stupidity. Everyone can see it. It's all Ledger management's fault. They created the whole thing.
Indeed, I have dealt with a few people that have received similar calls. It's really sad that these scammers manipulate people by using fear and greed. I'm glad you were able to withstand the attempt.
With Ledger Recover, Ledger hardware is over. The ONLY value proposition was that our keys are safe. That value proposition is gone. Ledger have lost their minds.
I am curious what wallet is used by whales??? (For the few who don't know, a whale is someone who is usually rich and has a massive holding of cryptos.) If a whale trusts a certain wallet maybe we can look into that wallet. Ex. what wallet does Elon Musk use???
They said it is impossible to extract keys with an update and it turned out to be false. They keep customer data, not sure why, and when they get hacked, the hackers know your address. They are not open source, which in the crypto space is criminal. People who have a lot of wealth in crypto simply ain't taking the risk of using ledger. If you have not much wealth and like to gamble on altcoins then I'm sure you will be fine.
Thanks for sharing. A lot of opinions out there about this. And yes, ledger described the functionality of their device as the "private key never leaving during use". So ledger decided to improve their product to meet customer needs, so they added the cloud backup functionality. Some people call this lying, some people call it just improving their product. But it's really just an opinion one way or the other. I wouldn't call closed-sourced criminality. That's a bit extreme. Ledger's code base is proprietary, just like Microsoft, Apple and almost every other software company out there. It was a design choice early on in the life of their product. Open source is not a silver bullet. It also has its own vulnerabilities. Not everything in the crypto space is black and white. There are essentially three main risks that come with using open-source software from a security perspective: Open-source software development is decentralized. This means that there is essentially no authority that is ensuring the safety of any given fork of the software. Crypto wallets inherently access sensitive information, and vulnerabilities discovered in the source code can be exploited by attackers before a patch is released. Electronic chips that allow the firmware to be open-source generally lack security measures that can be used to secure data stored on them.
Ledger has a system to know your seed key. I don't know nothing about technology, neither need to know about it. I prefer a cold wallet that doesn't have this option.
I think I made it pretty clear in the video that ledger does not have a system to access your seed key. I know that all of those white papers are quite a bit of reading, and it took me several hours to get through it. But nowhere in there does it mention that Ledger has access to your seed key.
From a cybersecurity perspective, you can't trust closed-source software, especially from a company with a history of breaches. It's common sense. No one using backdoors for their own benefit will announce them.
Ah yes, the old "we wouldn't know they are doing it because they're doing it in secret" argument. Which incidentally does not require a shred of proof.
Ledger devices are practically secure as long as you do not let others know your C-phrase nor save it in any electronic devices linked to internet or via Bluetooth etc. Ledger recovery is just an option that if you are careful enough you will never use. Hard wallet actually has its own headache: 1. If you keep it to yourself, what if you die or forget? 2. If you tell the one you trust, what if they change their mind, or forget, or big mouth to others? 3. You can tell your lawyer but what if he or she is bad? 4. You can bury it but what if no one could find it? So ironically this anti-trust fortune requires some trust to continue its legacy😂
Yes, there are a lot of tricky issues related to dealing with hardware wallets. One of the biggest is making sure that your loved ones will have access to your crypto if something happens to you. There are some services out there and there are a few things you could try like giving your estate lawyer a sealed envelope with instructions and not letting him know that it involves crypto. But there are really no clear solutions.
It's discouraging that someone like you who had been objective and helpful, turns emotional and biased because you like the product. This is one of the most important issues in crypto and you're calling concerned users trolls?? Very strange.
I’m sorry you’re discouraged that I have an opinion. It does upset me that people bash ledger based on evidence free suspicions. Most of them are just parroting opinions they have heard elsewhere. It’s been almost a year since ledger announced their recovery service, and although there was an initial outcry, most rational people have concluded that this is not a serious security issue for the ledger device. Ledger has released a lot of information and articles about what this service is and isn’t. Although personally, I would not use the ledger recovery service, I can totally understand the need for it and why they are now offering it. The important thing to remember is that it is entirely initiated locally by the user. And also, that it is entirely optional. If you’re a crypto purist, you don’t have to use it. If you are a new user that would like a little extra backup and peace of mind, it is something to consider.
It's unfortunate that you are avoiding the main issue. With the new firmware/feature, it's now possible for the seed to be extracted, which means physical Ledger devices are now a liability. Previously, the understanding was that if you lost your Ledger or it was stolen, NOBODY ever would be able to access the device's contents because the seed was stored on the Secure Chip and could NOT be extracted. Unfortunately, that is no longer the case.
Your argument against open source software in crypto/hardware wallets is entirely bananas. Please refrain from spreading such nonsense. From a security standpoint the purpose of open source software is to allow third parties to READ the code and VERIFY that the software functions as claimed. Given that many users place their trust and finances in this code/hardware, it is crucial that the software can be audited by third parties, regardless of how few the auditors may be. The collaborative aspect of open source software has no bearing in here. To use your example of Linux, probably less than 1% of the Linux users understand the code and way fewer are able to improve/make changes, that has no bearing on the open/closed aspect of the code.
To quote another commenter "This video was very disappointing. I wish Bitcoin didn't have so many influencers who care more about brands than security."
@xr1140 yeah
Yeah, you still haven’t convinced me that a security device should be open source. It’s an idiotic assumption. Ask anybody that really knows how security devices work and they will tell you that they are all closed source. One example is Andreas Antonopoulos who wrote the book on bitcoin. “ All crypto hardware wallet devices require some level of trust on the part of the user”.
Bitcoin Q&A: Can You Trust a Hardware Wallet to Generate Your Seed?
ruclips.net/video/cONG2ZNjJ0c/видео.htmlsi=QmZYz4CmDjNABCw-&t=22
Open architecture crypto hardware devices like the Trezor One have failed miserably because they can be cracked and tampered with once an attacker has full access to the device. What’s really sad is that there are so many influencers out there saying that crypto hardware wallets should be open source. Do you want open source? use an open source desktop based wallet. Do you want security? use a crypto hardware wallet device. Enjoy your open source wallet. I prefer a secure device to protect my crypto.
@@CryptoDad What security does closed-source offer over open-source? It seems you put all your trust in the developers (never heard of a disgruntled employee, huh?). Good for you but stop advising other ppl to do so just because.
Again you are missing the point... the seed can be extracted! What Ledger promised was that nobody (including them) will be able to extract your seed from the secure chip. Now they developed the ability and at some point all the users will be forced to update the firmware (to preserve the compatibility with the Ledger Live software) and expose themselves to potential risk.
So this whole argument that now that the private key is extractable, the device is insecure, is ridiculous. The Ledger Recovery Service is optional and can only be initiated from the device by the authorized user. This is the same principle that allows the authorized user to sign transactions locally. To suggest that somehow an attacker could steal the device and access this functionality, is incorrect. They would have to crack into the device first in order to perform this. And that’s what the closed-source secure element chip prevents.
OK, so I’m a hardware wallet manufacturer and I’m going to take your advice and make my software and my architecture completely open source. We all know that the open source cycle works like this: code is posted on Github, It’s checked for vulnerabilities and backdoors. Vulnerabilities are discovered and they get patched. Sounds like a perfect world to me, except for the fact that many vulnerabilities are discovered and exploited before a patch can be applied. So basically we have a cycle here where our device is secure and then someone discovers a vulnerability and then it is suddenly not secure anymore until someone comes up with a patch. And we go through this cycle continuously. Secure, not secure; Secure, not secure. This is the model that you think I should follow for a secure hardware device to protect my crypto? Do you think anyone wants to buy a device that is secure sometimes and insecure other times? All you Open Source advocates for hardware devices really make me laugh. You’re suggesting that I should store my crypto in a device that is only secure some of the time? And to make matters worse, you come into my comments like you’re some kind of authority scolding me for promoting misinformation when you are actually the one that really doesn’t understand how a hardware wallet security device should work.
So do you think Chase Bank would want to make their atm card chips open source so criminals can crack into their devices and figure out how to make unlimited withdrawals? Do you think the US government would want to make the smart card technology in passports open source so state actors can hack into their passport protocols? Do you think Boeing wants to make their employee ID card chips open source so competing companies can crack into their security protocols and gain access to their facilities? Of course not. They want to protect their secrets. The secure element chips in crypto hardware devices protect your secrets (your private key). Don’t you want your secrets protected?
Ledger is #1 safe in my opinion. I been using for years! Thank you for your hard work .
I appreciate that. I forgot to mention that I've been using ledger devices since 2017 and have never had any issues either.
@@CryptoDad I have found Ledger to be a reliable and secure option for me, and I have not experienced any issues with hacking or security breaches, as some users have reported. Despite exploring other cold wallet options, I continue to rely solely on Ledger due to its proven track record of security and performance. I want to emphasize that my statement is based on my personal experience and is not influenced by any affiliation or promotion with Ledger. Thank you and keep up the good work!
Totally agree I’ve owned ledger before they announced the subscription to back up your secret keys and I never went for that subscription and I have never had an issue with my wallet being drained.
Yet.
So far, Ledger hasn't had any major security issues, but the past data breach makes me worry about whether the company might have more security problems in the future. Also, while no one has proven that Ledger Recover has a backdoor, no one has proven it doesn’t either, which makes me feel uneasy. But the biggest thing for me is that the Ledger Recover service goes against the whole idea of decentralization that crypto and Web3 stand for, which I just can’t get behind.
Yes, the "proof" or "no proof" argument can be applied to almost every cryptocurrency hardware wallet on the market. It can also be applied to the argument for or against the existence of God. It's basically a meaningless argument. There is no such thing as a completely open source wallet that employs a secure element chip. And most of the major crypto hardware wallets out there do employ secure element chips. And those wallets that focus completely on transparency and open architecture are vulnerable to tampering attacks. No one wants a wallet that is not tamper resistant. Therefore, there must always be a balance between transparency and security (secrecy). Unfortunately, the truth that no one wants to admit is that every hardware wallet out there that employs a secure element chip requires a certain level of trust on the part of the user. Now this does not really need to be blind trust, because secure element chips are rigorously tested & certified by 3rd parties. That is what the EAL 5+ and EAL 6+ certifications are all about. This is the same technology employed in ATM and credit cards and also passports and employee ID cards. Sure, we don't know all of the internal workings of these chips. That's because they are proprietary technology and every company that employs them has to sign an NDA with the chip manufacturer. This does not mean that they have back doors per se. It just means that security needs to remain secret to be effective.
And your concern about previous data breaches is noted. But the data breach you're referring to was a breach of the ledger customer database which did not affect their internal security that protects the Ledger architecture and OS. I don't want to rest my argument entirely on whataboutism, but customer database breaches are a fact of life. You hear about one almost every other month and they have occurred with some of the most large and secure companies out there: Target 2013, Equifax 2017, Yahoo 2017, Microsoft 2019 LinkedIn 2021. The list goes on and on.
@@CryptoDad Just as with messaging apps (Whatsapp etc) and their BS claims about "end to end encryption, your messages are totally secure!", it's 100% rational to believe that, oh yes indeedy, there is a backdoor. The only parameter to calculate from that basis is the odds of anyone ever deciding to walk through it and ransack your shack. If the Ledger company big-boys get fat and wealthy from their gig the back door will most likely stay shut; if, however, their personal circumstances suffer a total melt-down, I'd trust that door remaining closed not one iota.
What people are really angry about is that Ledger pulled this seed extraction crap on people who had already bought their devices, believing the keys were secured on the device.
What Ledger should have done is say that future devices would have this feature enabled, but all current devices would not.
They really should have kept two different streams of devices.
It's the back porting of this feature that has made people upset, and rightfully so.
Yes, I totally agree it was a violation of one of the basic tenets of self custody to offer a seed backup feature to the cloud. It would have been great if they would have had two product tracks. As you mentioned, one with, and one without the recover feature. For whatever reason, they decided to integrate it going forward on all of their devices. In their defense, the Ledger recover seed exportation process can only be initiated locally by the user and is in fact totally optional.
@CryptoDad So they say.
These things happen when there are new people coming to the space with no knowledge who don't want to learn.
Yes. One of the issues I have with this, is that a lot of newcomers are being scared away by people pushing this narrative.
@CryptoDad mostly Trezor fanboys and employees of other hardware wallets. Heavy is the head that wears the crown.
These new people are repeating opinions they heard from qualified security experts in the field that have many valid concerns about Ledger security. If you learn about crypto security a bit more you also might understand what they're talking about.
Facts you cannot deny: Ledger for a long time promoted their products stating it would be "physically impossible" to extract the private key from their devices since their "secure element" chip was, again, designed in such a way that would make it unfeasible. By design. "Physically impossible". And then, some years later, they launch a "service" that does exactly that -- extracts the key from the device. The fact that they say you need to agree and give them permission to do so is irrelevant -- Ledger lied and should not be trusted ever again.
Aww you're upset that somebody lied to you. Sounds like you're still mad at your ex-girlfriend for sleeping with your best friend. Ledger is a company. They decided to add new functionality to their products. Get over it.
Been using Ledger for 3 years now & so far so good. Came back to this video to reassure myself lol.
ha me too!
What's the point of buying a Ledger hardware wallet if I must trust the company? How is it different to trusting an exchange?
Hey Dad, thanks for the conversation concerning Ledger. I appreciate you taking time to explain these concerns.👍👍👍.
I am not trying to pick either side but I have heard this:
"If it has the capability to upload a seed phrase then some people might not want it."
And that is a valid point to tell people. Everything else is exaggeration.
Ohh, I can't argue with you there. If you're uncomfortable with some of the features of the device, then definitely find something else. I'm just trying to address the issue of people claiming that the device is able to do this without the user's intervention.
Yes, this ^. The attack surface is greater. Also, if you are BTC only, then multi coin support increases it further.
Great video! Very concise & thorough explanation. Thank you.
Have used the Ledger the last 7 years. In my opinion it is the best on the market. Thank you Crypto dad 👍
I have been using the ledger for a long time. That is my first wallet. Thanks for waiting for your new upcoming.
So I had a feeling when I posted this video that it was going to generate a lot of controversy, pushback, and counterpoints in the comment section. That's actually a good thing! I will point out that I don't have a degree in cryptography. I've just been using hardware wallets and putting out tutorial videos for several years. This does not make me a cryptography expert. But I believe that my experience does contribute to my educated opinion. However, I don't claim to be correct on every point. I just felt that I owed it to my viewers to put my opinions out there even though many of them could be wrong or picked apart by people smarter than me.
CryptoDad, you did a good job! Thx!
In terms of educating people, CryptoDad is objective and honest. Thanks CryptoDad.
thank you CryptoDad boomer! we have featured your video in recent boomer on base article :) cheers
Like others here, I had set up my Ledger and left it alone for a while, and then I came back and started hearing all this about Ledger but didn't really see the issue, for the exact reasons mentioned here. And when researching other alternatives, they also have other issues, some even similar.
Thanks for this reassurance and saving me a few bucks by not buying another wallet.
You got a new subscriber!
Thanks for the vote of confidence. I’m glad what I said was able to help you.
It's easy to get conned by all the FUD. It's good to see you took an objective approach to tackle this. Great video.
Much appreciated!
Thanks for the info and taking the time to address this issue regarding Ledger
Another good think piece Rex! Wish more people in Michigan got in on hardware wallets.
Please talk about BISQ, that would be great 🙂
Using a bunch of different wallets, and not keeping everything in one place, is the way to go. But I've never had any issues with the Ledger wallets. I did get an email compromised, years ago, in the data breach, but that is not anything to do with the wallets themselves.
Sounds like a well measured approach. Thank you for taking the time to comment.
The Recovery service should've never been. And the personal info hack was terrible.
Could have been in the software years ago and you did not even know it. A Ledger is 1000 times more secure than a hot wallet.
Both very concerning. I’m still paying the consequences of the email hack!!! I like Crypto Dad but I’ve abandoned Ledger.
Recover isn't the problem. Adding key extraction capability to Ledger hardware is the problem. Ledger Recover should have required separate hardware so their Nano hardware would stay truly "cold" and Recover hardware could have been "hot/semi-hot." People don't want to admit this, but Ledger hardware wallets aren't cold wallets anymore. I'm really surprised to see Crypto Dad, who I considered to be honest and trustworthy, suggest otherwise. He knows better. Hardware wallets should be able to share signatures, but never keys. Never keys.
I'm also shocked that he suggested trusting Ledger until their hardware gets hacked. Ledger hardware has already been hacked, but their bounty program requires signing NDAs to keep those hacks private. I know Crypto Dad knows this as well.
This video was very disappointing. I wish Bitcoin didn't have so many influencers who care more about brands than security.
@asteriskesque How do you know that it was not there from the beginning?
@onepunchvegan866 You're right, and you're proving the point that closed-source code can't be trusted, because you can't verify what's in it.
I am with you Crypto Dad. While I may think it was a bone headed move by Ledger to offer the backup service I do not believe for a minute that their devices are any less secure than they were before. In fact they are my favorite hardware wallet and I own and use several of their Ledger Nano S Plus units. I don't like the Ledger Nano X only because it offers "bluetooth" connectivity which I consider a security risk. You can call me crazy if you like. But overall a good video. I totally agree with you. Kresp.
Thank you. I won't call you crazy for being security minded. In fact, you are in really good company. Andreas Antonopoulos is also leery of Bluetooth in hardware wallets. Recommended Video: Bitcoin Q&A: Are Hardware Wallets Secure Enough?
Andreas M. Antonopoulos: ruclips.net/video/3zNVDIz6Snw/видео.html
Thank you, Thank you, Thank you !!! I was a little concerned and was thinking I should replace my Ledger Nano ! You just saved me some money !!!
Good to see another perspective and summary of the different dot points! I am keen to buy a new hardware wallet and tossing up between the Stax and whatever Trezor release mid June
I’m surprised you didn’t mention the recovery service as that seems to be the root cause of the mistrust
The trolls are getting worse in my opinion. Sorry you have to go through this BS! Ledger still solid in my opinion.
We also have to take into consideration that the competitors of Ledger have a vested interest to criticize and attack Ledger. Ledger is one of the leading user-friendly hardware wallets and all points Crypto Dad discussed in the video are honest and highly valid. There is no use being paranoid with Ledger and with the narratives by fanatic ancaps and owners of other hardware wallet companies.
Yes, I have often thought this myself, and though similar to ledger critics, I cannot prove this. I have often felt that a lot of the trolls on Reddit were paid by other wallet companies. Now I’m revealing my own paranoid fantasies.
Make a video on update 2.2.4 please.
You are my go to on this topic. So this just happened. A family member's Ledger Live account just got drained. The seed phrases are in a vault. So what happened? Last transaction was in March, which was a deposit from a Coinbase account. Last week somebody made two deposits of several thousand dollars of XRP. Took the XLM that was there, switched it to XRP, and when they had everything nice and tidy they drained it all, and the entire transaction was in the span of less than five minutes. We are beside ourselves because all of it was locked in a vault. And we have no place to go to get help.
Thank you crypto dad. Seriously I was scared shitless because I set and forgot about my ledger and haven’t really been briefed on everything that has happened.
I saw some videos and was scared like never before. Your video made me calm down haha
I love my Ledger and will continue to use it
I Appreciate you. Keep doing what you're doing. Thanks again
I appreciate that
Nothing wrong with my ledger thank you very much !
I believe the ledger wallet is safe. And when I need to find out and how to do stuff, I go to the Crypto Dad, and I've even told other people to do so. So don't listen to all the trolls.
Thanks!
Are you able to do a video about Ledger Enterprise?
I've been wondering this as well.
Watching from Mackinac Island Michigan.
How does the recovery service actually work from a technical standpoint? You sign up and give them a copy of your seed phrase? If you lose access to your wallet, how exactly do they recover it for you? Would love some clarity on that. Most don’t sign up specifically because that seemed like giving up one's seed phrase. Is there an after-the-fact way for them to recover it, or do they get your seed phrase when you sign up?
I gave you links to their white papers that describe in excruciating detail how this service works. Just check the description of the video. But in a nutshell, when you sign up for the service, you upload your biometrics and those are stored in the cloud. The only way to initiate the restore process is by verifying your identity by using your biometrics. They check to make sure they match the ones you uploaded during the backup process.
Completely agree using a ledger as well.
On one of the points you say no good hardware wallet is fully open source - what about Keystone? And what are the drawbacks with that wallet?
Can't send to exchange. I have tried copying the address and also typing in the correct address. When prompted to confirm the address on device the address is different than the exchange wallet. I lost one transaction before I realized what had happened. Can't transfer my crypto.
I’ve been using ledger for two years and never had a problem whatsoever
It's like saying you are driving for several years and never had an accident therefore you will never have one in the future based on past experience. Really? That's how it works?
Thanks Rex, as someone who uses a Ledger this one is greatly appreciated. But I'm still looking into getting a Trezor.
No need to limit yourself to one device or one particular brand. It's probably obvious, but I own several crypto hardware devices. And I use them all in different circumstances.
So do you guys recommend Trezor or carry on using Ledger?
My Ledger Nano X got hacked this weekend when my Nano X and the seed phrase were locked away. They won't do anything to get my money back. I'd be glad to talk to you about this so others won't get scammed. This video is ABSURD! THEY ARE COMPROMISED. DO NOT USE ANY LEDGER DEVICE PEOPLE!
I'm really sorry to hear that this happened to you. But most of these cases involve inadvertently revealing your seed phrase to a scammer or interacting with a malicious smart contract on a shady web site.
Tangem wallet is open source and it’s pretty robust. Regardless the perception that the Ledger wallet did not disclose that the capabilities that came out in the news months back when PayPal was making their move damaged the “good will” in the product. So don’t feel like you have to take responsibility for the perception that has emerged.
Yes, there is definitely a PR component to this whole controversy.
That’s all I’m saying. If the company had disclosed that the capability was there from the beginning, it wouldn’t have been an issue and customers could and would have a more informed choice in their purchase. So regardless if it is secure or not is irrelevant at this point because the “good will” is eroded. And I also pre-ordered the new Stax but I’ll never use it with this revelation. Caveat Emptor.
Why is everyone telling that Tangem is open source? Only the Tangem app is open source (like Ledger Live), but the firmware of the card is completely proprietary. Ledger has additionally to Ledger Live also the apps running on their wallets on Github as well as parts of their BOLOS firmware (esp. the parts regarding Ledger Recover). Only Trezor, Bitbox, Keystone, OneKey and some Bitcoin only wallets have also full open source firmware. SafePal has open sourced the firmware of their X1 wallet, but only parts of their app.
Well you made the best Ledger Instruction video I could find online. 100%.
We are living in a world where a lot of people speak without thinking or having any knowledge.
Those sad people want a stage for their ego.
So keep up the good work CryptoDad.
Love the level headed video, that being said you are asking everyone to take ledger's word for a lot here.
After the customer data hack, seed extraction proposed patch, and constant social media fumbling, Ledger has lost all "Just trust me bro" points. There is 0 reason to have anything to do with this company because they have shown time and time again you cannot trust them.
"prove it" - Nah that's Ledger's job not mine, and they have already failed multiple times.
Yes, your argument is impeccable. I appreciate you contributing to the discussion. And I totally respect your position. I'm not trying to sway you one way or the other. But for some of the people that might be reading these comments, I did want to bring up a few points.
Yes, Ledger is expecting a level of trust in their product. But so is every other hardware wallet device manufacturer that uses a secure element chip. The only part of Ledger's code that is not open source is the OS space that interacts directly with the secure element chip. Everything else is open source.
github.com/LedgerHQ/ledger-live
github.com/LedgerHQ/wallet-api
github.com/LedgerHQ/ledger-secure-sdk
developers.ledger.com/docs/device-app
github.com/LedgerHQ/ledger-secure-os
github.com/LedgerHQ/ledger-secure-os/blob/main/dashboard/src/dashboard_recover.c
And the reason that this is closed source, is because they have signed an NDA with the secure element chip manufacturer. But even this closed source code undergoes rigorous 3rd party testing. So ledger is really not asking you to trust them completely.
The same holds true with every other crypto hardware wallet. They all use secure element chips to prevent tampering. Now there are a few outliers like Bitkey and Cypherrock, BlockStream Jade. But they use a completely different scheme that relies on multi-device authentication. But the major players like Trezor, Tangem, Ledger, and yes, even Ellipal, and Keystone 3 Pro all employ secure element chips.
There seems to be this dichotomy of opinion that goes something like this:
1. Ledger bad! Because their code is closed source and they want us to trust them.
2. Everyone else good, because their code is completely transparent and open source.
This is a way over-simplified argument. As I mentioned, these other companies employ secure element chips, which are, by design, secret and designed to prevent tampering.
I've also seen a lot of people and I'm not accusing you of this opinion. But it's something like this: My packaging is stretched in a weird way. I'm worried my device has been tampered with. What should I do? Return it? But I also want my device to be completely open source and transparent.
In other words, I'm worried about tampering, but I want my device to be completely open source and transparent. Well, unfortunately, you can't have both. The secure element chip is what makes the device tamper proof. That's why Trezor has started adding them to their newer models. (Trezor Safe 3 & Trezor Safe 5) They want to avoid this debacle:
blog.kraken.com/product/security/kraken-identifies-critical-flaw-in-trezor-hardware-wallets
What made this hack possible was the open source architecture of the Trezor devices. A secure element chip prevents this kind of local tampering hack.
So open-source (opensource.org/) is great for giant software projects like Debian Linux. But the concept doesn't really apply to a security device that needs to be both secure and tamper proof.
And don't get me started with the prevalence of customer database hacks. You read about a new one almost every month of the year. I've said enough. And I know it doesn't excuse ledger when I say that it happens to other companies. But people seem to single out Ledger acting like they're the only ones that have ever had their customer database hacked. Remember Target 2013? Remember Equifax 2017? Remember Microsoft 2019?
And the 2020 ledger database hack involved their public-facing e-commerce website. This was not their internal code base that runs the Ledger device. The integrity of the Ledger device was not affected.
Thank you CryptoDad, you helped me understand and set up my crypto wallets years ago. I trust Ledger wallets 100%.
That means a lot to me!
Do you have any experience with the Ledger Live app install for Linux? Is it safe to use or would this app expose the hardware wallet? Assuming the Linux OS and firmware is kept up to date?
I have never used Ledger Live on a Linux machine. But really, the device is in charge of security. Ledger Live is just the public interface. I'm sure it's just as safe to use as the Windows or Mac version of Ledger Live.
By back door I think people are referring to the new feature of retrieving your old phrase, [Ledger] Recover. Maybe that's why.
Yeah, I'm sure that's what they're referring to. But through all of my research, and spending time reading all of their white papers, the service appears to be totally dependent on user intervention.
www.ledger.com/blog/part-1-genesis-of-ledger-recover-self-custody-without-compromise (there are 6 in total... a totally bland and boring read)
In other words, it cannot be initiated remotely or locally without the end user (the person who knows the pin), authorizing the service on their device by using the buttons. And it does not appear that this creates any way for Ledger, the company, to serendipitously extract your private key without your knowledge or intervention. I think this is what people are calling the back door. I feel it is nonexistent. But DYOR.
Great explanation of the Ledger Wallet. Thank you, sir, for posting the video.
My pleasure!
Thanks for sharing. Appreciate this.
Ledger has the longest record of being unhackable and no one losing their coins aside from personal mistakes... so yeah I'm still using it... I'd rather use something that has been battle tested instead of newer wallets that have only been around less than 5 years.
Great video Rex you’re 100% correct!
I still use Ledger, anyone that thinks online services for keys won't become the standard is delusional. Products that provide monthly charges and give a business constant profits are the norm. Ledger is just the first cab off the rank, others will follow.
As for the open source argument, Tangem for example has the phone app and it's open source, the code on the card itself isn’t. Nothing preventing them keeping something in that that collects your keys without knowledge, we have to trust the 3rd party testing of the devices.
It’s easy to argue either side, the majority of YouTubers are being paid to sell something other than Ledger when they create a video against it, don't kid yourselves thinking otherwise.
I'm more annoyed at Ledger for how they handled the email and data breach on customers. My email account became a dumping ground for crypto thieves trying to trick me, I get a load every day, they didn’t give a shit. VERY annoyed at that more than the other issues being raised around the YouTubeverse.
Yes, I totally agree with you. The customer database leak was a major fumble on their part. And you're a savvy person that is being annoyed by all of the spam and phishing emails. I can only imagine how bitter the people are that were actually taken in by some of these scams and had their wallets drained.
If you accidentally enter your seed phrase somewhere into some protocol without realising you've done it, how long will it take for them to drain you?
It depends on the situation. But conceivably they could do it within the hour. If you still have access to your crypto, I would immediately transfer it somewhere else. You want to get all of the crypto out of that device that you've exposed. After that you can wipe it and set it up as new. Then you can move your crypto back in.
You're one of my go to's. Someone I can trust.
Thanks!
I still think that if some judge comes along and orders the executives at Ledger to produce the private keys of various customers, they will comply. And the motive of the judge would be surveillance.... or seizure of funds pursuant to a legal process.... rather than simple theft.
According to part four of their white paper series, this would be impossible, since the key is encrypted, even Ledger doesn't have access to it (in unencrypted format). The only way to perform a restore is by the user verifying their identity. I understand your concern, and this is a very common concern when talking about the Ledger recovery service. Here is a link to the white paper where they discuss the restore process and how it can only be initiated by the user: www.ledger.com/blog/part-4-genesis-of-ledger-recover-controlling-access-to-the-backup-identity-verification
@CryptoDad OK, thanks for your response. (I distrust government more than I distrust the executives at Ledger)
@CryptoDad I wouldn’t just go by what they have on paper, and I would listen to the very own words of the CEO, who said that if a judge ordered it by court, on behalf of the government, then Ledger would give up the private keys of said customers. That in itself is a red flag. They’ve already proven that they’re not honest, so when they’re actually honest, people tend to overlook what’s being said. Even the Canadian government is already asking people to register their Ledger, and I’m wondering for what? Naaa, I don’t trust none of that. IDC how long they been around, listen to the source themselves tell you they will and can do it.
Hey CryptoDad, love your content!
Just my opinion of course. I don't think it's the fact that it's not safe. It's the fact that the whole concept of having self custody is that no one is aware of your private key and seed phrase. The fact that Ledger created a Paid Service to split your seed phrase is the concern. I get it, it's a great product for CORPS or maybe the forgetful; however, for the norm of people in crypto that know about self custody, I don't think people want ANYONE to ever have access to their key. It's like your bank account. The bank has access. Crypto private keys give you the control that people want. It's just not something that self custodians would opt in for .. I would assume anyways .. if they did, just keep it on an exchange, it's a similar risk (of loss). Just my opinion - I don't like it. I'm not happy it was enforced on all of their product lines. HOWEVER, THEIR PRODUCTS ARE SOME OF THE BEST IN THE INDUSTRY, that's what upsets me most. Lol.
Yeah, great overview. I agree with that also; crypto should be private and personal. However, the government wants to stick their nose in and have us declare every trade and transfer on our taxes. So since technically they know everything we’re doing, why worry about a back up company. Ha ha.
But I think I also mentioned this is a natural progression for self custody towards mainstream adoption. It’s funny how Ledger and Trezor are both coming at this issue. Trezor just announced their new product line along with a new backup protocol that streamlines the seed phrase word list to make the words more unique and less ambiguous. They’ve also come up with a multi share backup that addresses the single point of failure when managing seed phrases. So both of these companies are addressing the issue that humans tend to screw up self custody. Interesting times!
@CryptoDad The government always sticks their nose in... There is no such thing as freedom anymore, it’s sad really. There’s pros and cons to that, however it still doesn’t mean Ledger should take the option away - what I mean when I say that is, if I want to be able to have control of my keys and not allow anyone access even if I will go to prison for it, at least I have that option, if that makes sense? Ledger isn’t doing this because of taxes, they’re allowing people to remove their control of their assets and this is what people in the crypto space don’t want. I believe Ledger is doing it firstly to generate more revenue as a company, and secondly, maybe for marketing to new people in crypto. If this recover stuff is ever enforced, our freedom of choice has been stripped away. As humans we want to be able to make a choice, even though the majority of us will make the right choices; it’s about having the option to make a bad choice lol. Anyways I don’t know if there is any back door or whatever, it’s just most upsetting that they did this whilst my Stax was purchased in 2022 and if I wanted a refund when they announced this, they would only give crappy FIAT and not my Ethereum back. Hahaha - I rant a bit in my Stax unboxing lol - I laugh but I’m in pain inside lool.
Regarding the taxes, the government do know everything and that’s fine as a law abiding citizen we will pay our taxes and get a good accountant hopefully to minimise tax legally. Better yet go to a tax free country if you want to pay no tax.
Interesting that you say that regarding Trezor - do you mean the Shamir Backup? Or have they come out with something like Ledger Recover?? That would be insane if they did. Can’t find that anywhere on Google lol. But if you mean the Shamir Backup (SLIP39), that is the best form of seed phrase generation in my opinion. It’s not only the Trezor that does that by the way, the Keystone also does this. I own a Keystone (well 2 actually) and it’s one of the best HODLing wallets I’ve got, I say this whilst I own an Ngrave.
In the future once I obtain a larger subscriber count on my YouTube channel, maybe we can do a collaboration or something regarding BIP39/SLIP39 lol. I’ll send you a message via email in the future sometime if that’s ok.
I’ve been following your videos and advice for over 5 years…if CryptoDad doesn’t say it, I’m not doing it! Take that TROLLS!🤬😤
🏅🏅🏅🏅
Thank you for the peace of mind
So in your opinion, Ledger is safe, even if the seed storage companies get a subpoena and are forced to deliver the keys? Wouldn't this defeat the purpose of a "cold wallet"?
Well, strictly speaking if you're not using the ledger recover service, then you don't need to worry about any one stealing your key or subpoena-ing it. It is entirely optional. And although many claim that the existence of the service opens up ledger's ability to extract your private key without your knowledge and consent, I believe this is a paranoid fantasy.
Now if you ARE using the Ledger Recovery Service, part 4 of the white paper shows that the only way to perform the restore is through user verification using biometrics. Otherwise the key remains encrypted. (In other words, it would be useless for law enforcement to subpoena Ledger, Coincover or Escrow Tech. Even if they fit two shards together, the key would still be encrypted)
www.ledger.com/blog/part-4-genesis-of-ledger-recover-controlling-access-to-the-backup-identity-verification
@CryptoDad The "paranoid fantasy" could be avoided if they really go Open Source. Maybe this is the key that would settle things: looking at the code and making sure that the use of the recovery service is a personal decision. But I think they have been "Opensourcing" for 3 years and nothing has happened.
I agree with your contention. But I don't believe "open source" is possible or applicable when we're talking about hardware wallet devices. So call me a heretic, because everyone is following the "open source is best" religion out there. But if a wallet employs a secure element chip, it is by definition not fully open source even if all of their software and firmware is open source and posted on Github. There are a lot of other hardware wallet companies that are throwing that term around, so they sound good. But most of these companies employ secure element chips in their devices. So there is an element of secrecy when using the device. I see no problem with this. I believe it is standard security practice to employ a secret design to avoid tampering. This is how most security devices work, such as ATM card chips, credit card chips and smart employee ID cards. You want the design to be secret to prevent people from tampering.
There is a company called Blockstream Jade that has what I consider to be one of the closest things to a fully open source wallet/device.
Here is their article where they talk about the fact using closed source secure element chips is not fully open source and their solution: help.blockstream.com/hc/en-us/articles/13745404122265-Does-Blockstream-Jade-have-a-secure-element
Basically, this article gives tacit approval to my opinion that a secure element chip is not open source by design.
I'm not sure how applicable this technique is to mainstream hardware wallet devices. But it may be a promising direction. I don't know that this technique is ready for mainstream adoption or all the other hardware wallet companies would be rushing to adopt it. As it stands, I think the secure element chip is the go-to security mechanism for most hardware devices. And the Blockstream jade wallet is BTC only. So it's not very practical for managing multiple cryptos.
Back to the point of our conversation. People are worried about some kind of back door built into ledger because they are not following their open source religion. My contention is third party testing is enough to satisfy me that the device does what it says it does.
Thank you for this review! Ledger should still be very very safe.
Had ledger 5years. No problem
Thanks crypto that I appreciate it I haven't been on my ledger in a long time because I was afraid there might be some kind of compromise somewhere in the system I could have been staking ethereum for the last year but I was scared to and didn't have the time to really research it so I just left it alone.🎉
I've had an issue with ledger, I hadn't updated the software on my nano since 2017 stuck in a box and forgot about it. Then a few months ago got it out tried to update and could not. Got the app for the phone managed to get the unit updated but no way of downloading or seeing the dogecoin in my wallet even after downloading the doge app. I re-entered my seed and still nothing in the wallet. I know it did exist as I have a photo of the amount in the wallet way back in 2017, and can see the purchases on the exchange I used. Any ideas why the nano won't show the amount either on the unit or the app on the phone? Would purchasing a new up-to-date unit help? All the other crypto still exist on the wallet, just not the dogecoin purchased
Honestly just off the top of my head, I'd try to swap it for something and see if the something like uniswap or w.e can see any amount of doge in your wallet (tied to that address).
You might wanna check out this video. It has some pointers on syncing up your device to your phone or computer. Perhaps using some of these techniques you might be able to re-gain access to the account. Barring that you may have written down your seed phrase incorrectly originally and now it does not give you access to the original crypto. However, if your seed phrase that you used is valid, the chances of it being incorrect are pretty small. So I think maybe you should try these troubleshooting tricks:
How to Recover Your Lost Crypto Using the Ledger Device vs Using Ledger Live ruclips.net/video/tcspePxhkhk/видео.html
@@coffee3986 Thanks for the reply
@@CryptoDad Yes, it is the correct seed as all the other crypto exist in the wallet when used, thanks for your help. I think purchasing the stax may be the way forward. I find the original ledger nano 2 button nauseating to use
What about Coldcard and Blockstream Jade?
The Coldcard has a secure element chip so although all of its software is open source, there is an element of secrecy inherent in using the device since the secure element chip is closed source. As far as Blockstream Jade goes, it claims to have a virtual secure element that is in effect open source. help.blockstream.com/hc/en-us/articles/13745404122265-Does-Blockstream-Jade-have-a-secure-element
So it may be the closest thing to a completely transparent hardware wallet. But personally, and this is just my opinion, (although I pretend that it's fact), I don't believe that any wallet is completely transparent and any hardware wallet requires some level of trust on the part of the user. This is not a deal breaker for me, it's just a fact of life. Many people believe that they MUST be using a wallet that is fully open source and transparent and many believe that they are but I think they are mistaken in most cases (the Blockstream Jade device appears to be a welcome exception)
However, both the Coldcard and the Blockstream Jade are Bitcoin only so if you want to manage other cryptocurrencies then you're going to have to make an informed decision on using a crypto hardware wallet that supports other cryptos besides Bitcoin.
@@CryptoDad What about AirGap Wallet? The one you install a vault app on an off-line cellphone or tablet and the wallet app on your daily phone. It is air gapped meaning transactions are authorized through QR codes.
Thanks crypto dad for valuable video❤❤❤❤❤❤❤❤❤❤❤
Thanks again. You’re my go to for legitimate and honest information. All my fud has vanished around this topic. I like ledger pdcts 😇
what do you think about the software updates? I have not updated my software for sometime now should I continue as of update the OS I am probably at minimum 5 updates behind I don't want nothing weird to happen so I am hesitant
You’re gonna hesitate yourself right out of your crypto. Updates are there for a reason. They are to improve security, add new features & fix bugs. They’re there for your own benefit. Avoiding updates is not a viable strategy. It’s best practice to keep your device and software up-to-date. Pretty soon the device will become unusable if you stop doing updates. And then you will need to purchase a new device and do a restore. You can avoid this scenario by keeping your device up-to-date. If you’re worried, I would run the recovery check app on your device to verify that your recovery phrase is valid. Once you have done this, you should have no qualms about running updates on your device.
love my ledger and live software for daily trading but wouldn't trust to hodl with it unless is a part of multisig from different vendors.
what do you think could be their motive to discredit the ledger wallet?
Well, the short answer would be other crypto hardware wallet companies hiring trolls to discredit Ledger. But on a deeper level, after the FTX collapse, people were rushing into self custody. I think this made the powers-that-be nervous. And so suddenly the top crypto hardware self custody company was being attacked as unsafe. I know that sounds like a paranoid conspiracy, but that might be one motivation for discrediting Ledger.
Thanks crypto dad❤️ new subscriber here🤗
Well said Rex 👍🏻
Could Ledger push a software update requiring KYC to access every self-hosted crypto account created with the device? If so, is there a way to workaround it?
Ledger nano x for several years without anything being compromised. I know no one personally who's been affected. Please just protect your keys and do not connect a cold wallet to any dApp or anything for that matter.
Good advice! or use a "burner device" with small amounts of crypto if you want to do dApps.
Thank Crypto Dad I really appreciate this video and all the hard work you are doing for the crypto community you are truly a super hero and only want people to do well using crypto. Thank You 🇨🇦
I appreciate that!
It seems that you don't completely understand what exactly the backlash against ledger was about... The whole point of the backlash against ledger was their recovery service. You didn't mention that at all in this video. Obviously if they ever took advantage of this system they would be ruined as a company but the fact that they put it into the firmware ruined a lot of people's trust in ledger.
Almost as if he avoided talking about it on purpose. This video proved nothing
I mentioned to another commenter that this particular video was going to be an aside in a longer video discussing the ledger recover service. It basically took on a life of its own, and so I decided to simply post it as a standalone video. I plan on doing another video on the pros and cons of ledger recover. But although I personally would never use ledger recover, I think they took great care to create a system where exporting the private key was possible but still completely optional for the end users that don't want to use their service
I don’t like the Ledger customer database hack several years ago and I don’t like the new Ledger Recover functionality. I recommend everybody to search for other RUclips videos about the new Ledger Recover functionality and safety concerns. Really amazing that Crypto Dad does not even mention this.
I plan on doing a separate video about whether to use ledger recover, or not. I wanted to try and keep this video separate. In fact, the points I made in this video were going to be my lead up to my discussion about the pros and cons of ledger recover. But then the subject matter took on a life of its own. I personally would never use ledger recover, but I understand why they decided to offer it. I’m planning on doing another balanced coverage of whether or not someone should use ledger recover.
Thank you for the informative video! I've noticed that whenever the topic of crypto wallets comes up on Reddit, many users strongly advise against using Ledger. This fear-mongering seems to be quite prevalent on the platform. It's disheartening to see this kind of negativity. Could you, CryptoDad, shed some light on why Ledger receives so much criticism on Reddit and address some of the concerns raised by these users?
Well, in this video I basically covered the claims, but the elephant in the room is the ledger recover service. This is where the whole controversy started. Ledger is offering a service that allows an end user to export their private key for cloud storage. I thought that most people would criticize the security of the process. But as it turns out, the criticism became more fundamental of ledger as a company. They were accusing Ledger of using the service to compromise the device. Or they felt that the only way to implement this service put regular users at risk. Basically, the Ledger recover service is optional. But that hasn't made anyone feel any better about the fact that Ledger is allowing their device to export the private key externally.
@@CryptoDad Thank you :) .
It bothers me as well when they push that narrative. You're exactly right, crypto dad 🙏🏾
Drives me crazy when they say that
Ledger, a leading provider of cryptocurrency hardware wallets, experienced a significant data breach in July 2020. As a trusted name in the cryptocurrency security space, the breach was particularly concerning due to the sensitive nature of Ledger's business and the potential implications for its users' financial security.
The data breach had nothing to do with the hardware, though, and its hardware has never been breached, unlike Trezor that has had a hardware breach (yes, it was patched by firmware)
The data breach was names and addresses and emails, etc, still extremely lousy by ledger, and they sat on the situation before telling people, which also was not good
Yes, you are correct. It is cause for concern. And I know it doesn't really make it any better to say that large data breaches are happening on a regular basis with even bigger companies that should be keeping your data safe like Equinox and Target. In Ledger's defense, their customer database was being managed by a 3rd party. And that was completely separate from their internal security mechanisms for guarding the ledger internal code and the security protocols they have in place for software and firmware rollouts.
There is only one question to ask for any of these types of devices > Can the company/3rd party see or access your seed phrase under ANY CIRCUMSTANCE? Any device that can is a BIG NO.
Well, since you put "any circumstance" in caps, you've basically turned it into a theoretical question. I don't think any crypto hardware wallet can claim it is impossible to see (or access) the seed phrase in "any circumstance". As I mentioned, this is a risk game. You're just trying to minimize your risk. There's no way to totally eliminate it.
The people are shilling for competitors. Ledger is not perfect, but it is perfectly adequate.
Can you do another video on NGrave?
That's a great idea, it's been a while since I've done an NGrave video. I'm assuming you've already seen my setup.
ruclips.net/video/KspVwt-zGz8/видео.html
and cash out: ruclips.net/video/KrBS-EnzVjM/видео.html
Facts you cannot deny: Ledger for a long time promoted their products stating it would be "physically impossible" to extract the private key from their devices since their "secure element" chip was, again, designed in such a way that would make it unfeasible. By design. "Physically impossible". And then, some years later, they launch a "service" that does exactly that --extracts the key from the device. The fact that they say you need to agree and give them permission to do so is irrelevant --Ledger lied and should not be trusted ever again.
They saw a need. So many of their customers were calling them because they had lost access to their crypto because they lost their seed phrases or written them down incorrectly. (Because people are human). So they endured years of people screaming and crying to their tech support, demanding their crypto back. They had to tell them "There's nothing we can do" because, you know, self custody. So they decided to figure out a way that they could offer a service that would allow a customer to back up their private key for cloud storage. So sure, it's antithetical to crypto enthusiasts because it violates the basic principle of self custody. But Ledger is not the guardian of crypto policy. They're a company that makes a hardware device. They decided to add a new feature to their device called the Ledger recovery service. It's completely optional. How was that lying? They just added a new functionality to their device that it wasn't there before. Because they saw a market opportunity.
@@CryptoDad it's lying because at first they said they cannot get the keys, and now they say it is possible. See how that's a lie? First they said it is impossible, and now it is possible.
@@manowatis1557 they made it possible by modifying the device. How is that so difficult to understand? Have you ever seen a phone that had an upgrade? Have you ever seen a computer that had an upgrade? Have you ever seen a refrigerator that added an ice dispenser? Come on. You’re telling me you think this product should’ve just stayed exactly the same for 50 years without ever being modified to appeal to a broader market?
And by the way, they still can’t get your keys. That’s ridiculous. Only the user can export the keys. You’re listening to too many rumors about the service.
@@CryptoDad That's really a lame excuse --they claimed for years that the "hardware" was built in such a way that it was "physically impossible" to get the seeds out, i.e. a simple software change/update wouldn't do the trick because there was a physical, material gap that could not be bridged by software... that is what they said, it was there in their ad material, there are videos of their people saying it. It's like Samsung stating their TVs can't listen to you because there are no microphones built-in to the sets, and 3 years later you find out the microphones were there since the beginning. Samsung can claim they never activated the microphones so they could listen to you, but they lied about the hardware. Ledger lied.
Come on Dad…The video is pretty much besides the point. The real claim against ledger is that consumers were initially made to believe that the private key could never leave the device. And then subsequently ledger introduced the “opt-in” recovery feature that basically shows the private key CAN leave the device. That’s what this video should be about…
I agree that's one of the main objections people have to this service. But that just really boils down to a trust issue. Sort of a, "he said, she said" thing. Now I know a lot of people are going to dig up statements by ledger saying that the private key never leaves the device. But technically, it always has had that ability. In other words, when you're setting up the device, it exports the keys from the device to your eyes so that you can write down the seed phrase. So this idea that the hardware device was some sort of hermetically sealed key storage is not really accurate. The ledger Recover service is just another way that the end user can locally manage their private key. Even though they can now export it for cloud storage, it can only be authorized locally by using the buttons. And yes, they decided to modify the functionality of the device to allow the end user to optionally export the private key. There's no argument about that. But it sounds like Ledger just decided to modify their product. I totally get it, it crosses the line between a device that manages the private key locally to some sort of hybrid device that has backup functionality. But the world is changing and self custody is changing.
@@CryptoDad All of that is good if they didn’t market the device with the “feature” your key will never leave the device. They changed a promise that they made and I would have never bought the device if that was transparent from the beginning. I also think that your analogy is not the best as displaying the seed phrase is not the same as exporting it.
@@dwade9 Exactly. Seeing your seed phrase on a display to backup isn't the same as exporting
The moment Ledger management decided to sell that stupid program, most people won't trust Ledger anymore. Period.
Their loss
@@CryptoDad No one needs to prove Ledger management's terrible move and stupidity. Everyone can see it. It's all Ledger management's fault. They created the whole thing.
I received a call from a so called 'ledger support team' they knew all me details. Not happy.. they almost got me too. almost
Indeed, I have dealt with a few people that have received similar calls. It's really sad that these scammers manipulate people by using fear and greed. I'm glad you were able to withstand the attempt.
With Ledger Recover, Ledger hardware is over. The ONLY value proposition was that our keys are safe. That value proposition is gone. Ledger have lost their minds.
I am curious what wallet is used by whales???
(For the few who don't know, a whale is someone who is usually rich and has a massive holding of cryptos)
if a whale trust a certain wallet maybe we can look into that wallet.
ex. what wallet does elon musk use???
Well done
Hey Dad THX man.
They said it is impossible to extract keys with an update and it turned out to be false, they keep customer data not sure why and when they get hacked, the hackers know your address. They are not open source which in the crypto space is criminal. People who have a lot of wealth in crypto simply ain't taking the risk of using ledger. If you have not much wealth and like to gamble on altcoins then I'm sure you will be fine
Thanks for sharing. A lot of opinions out there about this. And yes, ledger described the functionality of their device as the "private key never leaving during use". So ledger decided to improve their product to meet customer needs, so they added the cloud backup functionality. Some people call this lying, some people call it just improving their product. But it's really just an opinion one way or the other. I wouldn't call closed-sourced criminality. That's a bit extreme. Ledger's code base is proprietary, just like Microsoft, Apple and almost every other software company out there. It was a design choice early on in the life of their product. Open source is not a silver bullet. It also has its own vulnerabilities. Not everything in the crypto space is black and white.
There are essentially three main risks that come with using open-source software from a security perspective:
Open-source software development is decentralized. This means that there is essentially no authority that is ensuring the safety of any given fork of the software.
Crypto wallets inherently access sensitive information, and vulnerabilities discovered in the source code can be exploited by attackers before a patch is released.
Electronic chips that allow the firmware to be open-source generally lack security measures that can be used to secure data stored on them.
Ledger has a system to know your seed key. I don't know nothing about technology, neither need to know about it. I prefer a cold wallet who don't have this option.
I think I made it pretty clear in the video that ledger does not have a system to access your seed key. I know that all of those white papers are quite a bit of reading, and it took me several hours to get through it. But nowhere in there does it mention that Ledger has access to your seed key.
The white paper may say whatever you want, but they offer a way to retrieve the seed phrase, for a monthly price. There is that possibility.
From a cybersecurity perspective, you can't trust closed-source software, especially from a company with a history of breaches. It's common sense. No one using backdoors for their own benefit will announce them.
Ah yes, the old "we wouldn't know they are doing it because they're doing it in secret" argument. Which incidentally does not require a shred of proof.
@@CryptoDad Lol, everyone is free to use what they want. Just don't come crying once you get burned.
Ledger devices are practically secure as long as you do not let others know your C-phrase nor saving it in any electronic devices linked to internet or via Bluetooth etc. Ledger recovery is just an option that if you are careful enough will never use. Hard wallet actually has its own headache: 1. If you keep it to yourself, what if you die or forget? 2. If you tell the one you trust, what if they change their mind, or forget, or big mouth to others? 3. You can tell your lawyer but what if he and she is bad? 4. You can bury it but what if no one could find it? So ironically this anti-trust fortune requires some trust to continue its legacy😂
Yes, there are a lot of tricky issues related to dealing with hardware wallets. One of the biggest is making sure that your loved ones will have access to your crypto if something happens to you. There are some services out there and there are a few things you could try like giving your estate lawyer a sealed envelope with instructions and not letting him know that it involves crypto. But there are really no clear solutions.
I use Ledger since couple of years. No problems whatsoever. I'm staying with Ledger....
It's discouraging that someone like you who had been objective and helpful, turns emotional and biased because you like the product. This is one of the most important issues in crypto and you're calling concerned users trolls?? Very strange.
I’m sorry you’re discouraged that I have an opinion. It does upset me that people bash ledger based on evidence free suspicions. Most of them are just parroting opinions they have heard elsewhere. It’s been almost a year since ledger announced their recovery service, and although there was an initial outcry, most rational people have concluded that this is not a serious security issue for the ledger device. Ledger has released a lot of information and articles about what this service is and isn’t. Although personally, I would not use the ledger recovery service, I can totally understand the need for it and why they are now offering it. The important thing to remember is that it is entirely initiated locally by the user. And also, that it is entirely optional. If you’re a crypto purist, you don’t have to use it. If you are a new user, that would like a little extra backup and peace of mind, it is something to consider.
@@CryptoDad what about the thing about if there is a subpoena, that they will comply and retrieve the keys. Is that true or rumors?
Thanks Dad