Trezor seeds can be extracted in 30 minutes !?
Posted on May 23, 2023 by Anonymous
Pascal Gauthier is the CEO of Ledger, and he claims his team can extract trezor keys in 30min? @6:50
No shit, retard.
Open source means hackers have all the source code to find faults within the code itself.
That's why I bought a ledger over a trezor.
Or... its an empty libelous claim
Open source makes things more secure.
Just because it's open source doesn't mean it's regularly audited by competent people nor does it mean that competent people can identify faulty code.
You can say the same about closed source, dipshit. Except you can’t even see what they’re doing to the code. Wtf.
Please argue this with LULZ and come back to me on this.
Open source > Closed source
Always has been.
Shut up, fag. (You) lost.
you need to go back
don't even care that you're right and that ledger sucks cock
>Open source > Closed source
You mean like how it took people YEARS to discover that the 7z developer doesn't understand ciphers and misimplemented AES by fucking hardcoding the IV?
And the worst part is that there are probably hundreds of millions of people using 7z and it still took years for someone to discover such a beginner mistake. Let's be honest, all free tards think "ah, I bet there's someone who continuously looks at the source code" but the truth is, there isn't.
7z was founded in fucking 1999. You think there were tons of smart coders back then who understood compression algorithms or even basic data structures? You think this code was uploaded to github back then? Huffman compression wasn't so widely taught across ass cs classes. and there were probably like 10000 competent coders around america in 1999. 7z worked and worked great. who cares about some small issue no one found in fucking NINETEEN NINETY NINE
Also the thing you're talking about seems to be some small subsection of 7z. specifically zipping with password encryption and trying to unencrypt using built in windows decrypter
No one discovered it probably because no one used it much.
>7z was founded in fucking 1999. You think there were tons of smart coders back then who understood compression algorithms or even basic data structures?
This is not an issue of understanding compression algorithms or anything like that. This is an issue of not understanding basic cryptography.
>Also the thing you're talking about seems to be some small subsection of 7z
What the fuck are you talking about? Encryption is one of the most important features of archive features and the worst part is that Russian retard first dismissed it as a non-serious gap because he doesn't understand how ciphers work. You don't ever hardcode an IV unless you are encrypting something that is entirely unique.
And my problem is not really the firmware, it's the hardware of the Trezor wallets. They fucking use cheap chips as Gauthier mentioned as well. This is nothing new.
Oh my bad, it was about the encryption? See I used 7z for YEARS and I only used it to zip and unzip files so I can upload them. Never had a problem at all which is why I said it's a sub-usecase. idk
That Igor guy got schooled tho lmao fucking hate people who just dismiss things without considering what he's saying
>They fucking use cheap chips
How does that affect the average user? I've had my trezor for 6 years and it still functions like new. I'd assume Ledger, at the cheaper price point, and many other hw wallets also use cheap chips. I mean the thing only cost 60 bucks anon and works great. what are you expecting? a mac book pro?
>How does that affect the average user?
It doesn't. Same way those new ledger features don't. But saying Trezor is more secure just because it's open source is just misinformation because from all we know so far, Ledgers have not been broken while Trezors have.
fairly certain in the current day 2023 where everyone has
>learned to code
and has real money at stake in the crypto scene would have looked over the code. look at how many open pull requests are in bitcoin's github
I'll admit I've never personally looked at the trezor code but seeing how much anal detectives crypto nerds are, I'm sure someone would have looked through one of the top selling most popular wallets. hell I'll go fucking look right now
An actual fed arguing closed source is better than open source. Wow, the seething is real.
There’s alternatives to 7zip last time I checked and 1 open source project having difficulty ≠ all open source projects are bad. Jesus christ.
Way to expose your own agenda, glowie.
>An actual fed arguing closed source is better than open source.
I didn't say that. You need to reread what I've said. I said open source is not necessarily better than closed source just because it is open source.
>cherry picking my post and not reading the rest.
There’s multiple *independent* coders reviewing updates for open source projects. Trezor iirc has 20 or even more that review before it even gets released. And when it does get released there’s 100 more that look at the code.
Closed source, you’re entirely dependent on the company.
Don’t use linux, veracrypt, firefox, or any open source projects if you’re stooping to this low.
>Don’t use linux, veracrypt, firefox
I consider veracrypt to be unsafe and the fact that you're using linux and veracrypt in one sentence already shows me you're a clueless homosexual. There is no reason, ever, to use veracrypt on Linux because LUKS/dm-crypt exists. If you have sensitive data and you're using Windows you're retarded anyway but if you're using veracrypt in combination with Windows you're even more retarded, especially if you think it's safer than Bitlocker just because it's open source. Not only can the Veracrypt bootloader be easily tampered with but it runs on Windows anyway which means a) Windows itself can get the encryption key and b) basically any application can easily get the encryption key. At least with Bitlocker (again, I'm not saying Bitlocker is good) that shit sits in your TPM.
I don’t use any of that stuff, you’re actually retarded. I was using those as examples. And luks was able to get bypassed, btw. Cherry pick and seethe more.
>And luks was able to get bypassed
False. Source? Please, I know this is an online argument and you want to win but don't talk about cryptography because you obviously don't understand it.
>And when it does get released there’s 100 more that look at the code.
And that still doesn't lift any of the hardware concerns. They still use regular controllers that are literally being used in "fucking toasters". I'd be scared to pass that thing into the hands of a very skilled RE. You'd be surprised what can be achieved under laboratory conditions (which most feds have).
>spoonfeed me pls
Luks was able to get bypassed by french police. Luks2 is the go-to now. I’m not going to link, find your own shit. And yes, trezor does have people that review the code
>Luks was able to get bypassed by french police.
Again, source. Luks was never "bypassed". Not once. I know you're just pulling shit out of your ass. You're just an NFT trading rumble tumble nagger who acts as if he had any understanding of cryptography but the reality is you're a poorfag who just spent his money on a Trezor and is blindly defending it because he is having buyer's remorse.
And btw I don't use hardware wallets because I don't trust them. I have my own airgapped machine.
>says he has an airgapped machine
>says in a previous post “You’d be surprised what can be achieved under laboratory conditions (which most feds have).”
Larp moar, mr. hacker
Also I am one of the maintainers of the JVM implementation of bouncycastle. I certainly am not against open source.
Hey guys cool it with the R and F words. We’re all regular LULZners here. Let’s just calm down.
I know this is bait but I can't resist telling you that /r/ledger is that way you retarded homosexual
Cope: the post
So what you’re saying is all your shit is closed source and you trust a company to take care of your stuff rather than yourself?
Holy shit, you literally will own nothing and you will be happy.
Open source (trezor) wins again. Put a passphrase and this won’t happen.
nice spacing homosexual
another one? go back faggy boy
What this anon said.
Trezor needs physical access, on top of that if you have a passphrase there's nothing you can do, get fucked.
Ledger are homosexuals that got caught slipping in firmware that will extract their users' keys.
And the retard who runs the company acts like there won't be any incentive for it to be exploited.
How about the BILLIONS OF DOLLARS someone could steal.
Plus they've made a mechanism government can subpoena and get your keys.
Only a retard would own a ledger now
This has to be troll bait
Every crypto project is open sourced. Any Open source hacks can be done on closed source
If anything, open source is scrutinized by tens of thousands of coders reading through it looking for issues, then suggesting updates
Closed source on the other hand, they could be doing anything you have no idea
All your crypto projects are open sourced retard
Ledgerfags really trying to do some distractions to save their business
Trezor has a feature where you can use an SD card as a key to your device, which makes it near impossible to physically hack when paired with a passphrase.
and the other guys nod and say yeah like it's obvious
then where are the demos of trezors getting breached?
Both will or have back doors soon enough thanks to KYC, AML and anti terrorist shit. On/off will be closed off and will be using CBDCs. Obviously people will still be able to P2P trade their monopoly money with other wallets but won't be able to purchase items from shops.
so....what's the solution?
Going around with gold bars to purchase a coffee and a sandwich?
The money you refer to will be worth zero. Won't happen.
CBDCs will never work because nations need to trade and can't do it with an adversary's currency if it's programmable.
BTC will unironically be the world's reserve currency by 2035 because of this.
show me ONE retail trezor device sourced from trezor store, eg not some third world reseller obviously tampered with, getting keys extracted
if it's so easy for corpo whitehats then surely blackhats should also be in on this, yeah?
Extracted with physical access and no passkey lmao
Trezor chads won.
I remember a month ago some anon made a thread talking about how the ledger team is all israelites and how he has a bad feeling about this. Just a few weeks later this happens lmao
>not generating keys offline
>not making a paper wallet
>not adding coins to your ledger and immediately destroying it
>he doesn’t have his seed phrase tattooed on the inside of his foreskin
*inside of his colon
you need to use passphrase with trezor
Does anyone here think Ledger got forced into backdooring their wallet and maybe monetizing or productizing it was their way of telling people? They basically had to an hero because Macron was touching their butts too much?
>using entirely closed source hardware and software to interact with entirely open source networks
normies are fucking retards
Such old news fuddies
>need to have physical possessions of your trezor
>need bunch of chips and hardware and software
>cant hack 25th word/passphrases
Keep posting this same 2 year old news fuddies. One superhacker guy who opened a trezor and hooked it up to a bunch of hacking wires and replaced the onboard chips extracted the seed after some brute forcing of the pin.
Again, they need your physical device and 25th words aren't included
Also I'm sure this works for physical possession of any device or paper wallet. They can hack your shit if they got your offline laptop too retards
This is the equivalent of the FBI hacking one iphone USING TONS OF RESOURCES AND SKILLS and then everyone going
>ONG MUH IPHONES R NOT SAFE
Ikr, and now the narrative has shifted from “DON’T TRUST OPEN SOURCE” to “AIRGAP” to “BACKDOOR” to “DON’T USE CRYPTO AT ALL” in the past few weeks just as this news hit the interweb.
You’re seeing diversion by a multi-billion dollar company happen right now. They’d rather shut the whole system down rather than admit their own fault. I would also be careful calling them out tbh. They have serious connections. Stay safe, anon.
With a laptop you can choose several algorithms to encrypt your data, what is the hacker going to do with your laptop? Bruteforcing the passphrase to decrypt ONE algorithm he won't be even sure if it worked
yeah i think i might actually do this instead. actually the most secure. unless your windows 10 has a backdoor too
Someone tell me why I shouldn't get a blockstream jade?
did you recently suffer a cranial contusion?
serious questions bros, should i buy a trezor and transfer all my funds from ledger?
Yes, don’t buy into the “open source is bad” narrative because it can be “hacked” and you need to “airgap” because there’s “backdoors“…even though there’s backdoors in everything these days.
It’s all nonsense. The average crypto holder wouldn’t know how to do that stuff anyways.
Yes buy a trezor, but directly from their site or from one of their listed licensed retailers.
>Check all the packaging verify with their blog
>Check all the seals have not been tampered
>Check the Trezor comes with NO firmware installed
>OPTIONAL: download the github source code, read through it all, then compile and install it yourself
>Use a 25th word / passphrase so even if your physical device is compromised, they still need a password
Then you should be fine. Unless you own like 10,000 btcs and are out screaming it on the street. Even then, you're more likely to be shot by a nagger and crypto forever lost, than it is for some smart-hacker to physically take your device and hack it. There's only been a handful of people capable of doing said hack, and again they need your PHYSICAL device. Use a passphrase, if your device is stolen move it to new keys
Look at the amount of people writing code to fix / improve trezor.
You can't discredit all open source in 2023 just because there was a small bug in 1999 lmao
Afaik you can't even check if a Trezor is genuine because they use regular chips. You're bitching about hypothetical backdoors but when you order a Trezor you can't even be sure that your hardware hasn't been tampered with on the way to your home.
>you order a Trezor you can't even be sure that your hardware hasn't been tampered with on the way to your home
This is true about anything you buy.
Trezor actually has in place a lot of safeguards where it tries to help you out at least. If you've even bought one, their box is literally fucking impossible to open. Someone would need to duplicate this equally hard to open box if they wanted to tamper.
If you look on their site they have a checklist of stuff to check
>Holographic seals not messed with - I think you can actually message trezor and verify the code on the seal?
>the box cannot be opened and resealed. It's like fucking impossible. I need a knife to open this thing and I still fail
>Nothing comes installed on trezor. when you plug it into the suite for the first time it will look for any sussy preinstalled firmware and warn you.
as for your concern about
>opening and tampering with the chip
Yes this is possible, but again it's possible for anything. and probably more profitable to do on say, a business's Mac book pro. and easier.
Think about it anon, unless it's TARGETED at one whale, how would they do this and would it be worth it?
>Reproduce a brand new trezor box, and all its seals, and tamper evident safety checks
>intercept the delivery you want to target
>open the box, CAREFULLY open the trezor, carefully put the chips in, carefully glue it back together. Put it back in your exact trezor replicated box and seal it
>push it back in the chain for delivery
then it reaches the whale and the guy puts like 500$ on it because this is his spending wallet.
Is all this effort worth the 1000$? he will barely break even
this is not a feasible, mass-reproducible hack
I agree with you and you basically hit my point, 99.99% of users out there are fine using either one. All the FUD around either wallet just proves how narcissistic a small and loud minority of the crypto community is. They believe that the whole world revolves around them and that the NSA is monitoring their every move just because they trade some NFTs. The real reason they are worried is that most of them don't pay taxes and fear that the FBI might destroy their devices if they confiscate their wallets, and in this case you are screwed with both Trezor and Ledger wallets. I still think Ledger is more secure, but if I was worried about the Feds, I wouldn't use one of those.
no actually i disagree with you. are you actually a Ledger paid shiller? It's not specifically about the FEDS man... I really don't believe you understand the issue with 7z so well, but can't understand this one. you HAVE to be a paid shill.
>Trezor is less likely/unlikely to be BACKDOORED via SOFTWARE because of the open-source.
>Trezor would be unlikely to be Physically hacked with a BACKDOOR chip as it would not be feasible to mass release these "hacked trezors" due to the cost:profit of this method. Most people would only have a few hunnid or thous on it.
On top of that I'm sure people take apart hardware wallets for fun all the time
Again, all of this can be avoided if you:
>Buy from a licensed retailer, or Trezor directly
Now Ledger's turn
>Company is VOLUNTARILY adding SOFTWARE that will STORE YOUR SEED ON THE CLOUD. On EVERY LEDGER this is possible.
>and its CLOSED SOURCED CODE, so you will never KNOW
how do you not understand this?
>how do you not understand this?
He doesn’t because he’s a larp. Don’t engage.
>no actually i disagree with you. are you actually a Ledger paid shiller?
Are you fucking blind or something? How many times do I have to recommend against hardware wallets in this fucking thread?
>I really don't believe you understand the issue with 7z so well
I understand it perfectly and I have described it above. Pavlov hardcoded the IV. 4 bytes of zeroes and 4 bytes of hardcoded arbitrary numbers. That is a fatal misimplementation, especially for a file archiver because files are not unique which means when you're looking at the ciphered bytes, you might be able to recognize patterns. Now if you encrypted something entirely unique, like a hash, a hardcoded IV wouldn't be an issue.
>Company is VOLUNTARILY adding SOFTWARE that will STORE YOUR SEED ON THE CLOUD. On EVERY LEDGER this is possible.
They can't add software to your device unless you let them. Unless you actually upgrade and confirm the upgrade with your device, there is no way to install software on it. I will give you 1 BTC right now if you can prove that the firmware can be tampered without the user's interaction.
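The pattern leak this anon describes, shown as an added example (not from the thread and not 7-Zip's code): CBC encryption of two files that share a header, once with a constant IV and once with a fresh random IV per file. AES is replaced by a small HMAC-SHA256 Feistel block cipher so the script runs on the standard library alone; that substitution is an assumption, the CBC chaining is what matters.

```python
import hashlib
import hmac
import os

BLOCK = 16  # block size in bytes, same as AES


def _round_fn(key: bytes, rnd: int, half: bytes) -> bytes:
    # Keyed round function: HMAC-SHA256 truncated to half a block.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    # 4-round Feistel permutation over one 16-byte block. Stand-in for AES so the
    # script needs only the standard library (assumption); it is NOT AES.
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = _round_fn(key, rnd, right)
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # Textbook CBC: each plaintext block is XORed with the previous ciphertext
    # block (the IV for the first block) and then run through the block cipher.
    padded = pkcs7_pad(plaintext)
    prev, out = iv, b""
    for i in range(0, len(padded), BLOCK):
        mixed = bytes(a ^ b for a, b in zip(padded[i:i + BLOCK], prev))
        prev = toy_block_encrypt(key, mixed)
        out += prev
    return out


def shared_prefix_blocks(ct_a: bytes, ct_b: bytes) -> int:
    # Leading ciphertext blocks that are identical: visible to anyone holding
    # both archives, no key required.
    n = 0
    for i in range(0, min(len(ct_a), len(ct_b)), BLOCK):
        if ct_a[i:i + BLOCK] != ct_b[i:i + BLOCK]:
            break
        n += 1
    return n


# Constructed inputs: two files sharing a 48-byte (3-block) header, the way
# documents from one template or logs from one host do.
HEADER = b"SHARED FILE HEADER ".ljust(48, b"-")
FILE_A = HEADER + b"alpha: first secret body"
FILE_B = HEADER + b"bravo: second secret body"
FIXED_IV = b"\x00" * 4 + b"\x11\x22\x33\x44" + b"\x00" * 8  # constructed constant IV


def compare_iv_strategies(key: bytes) -> tuple:
    # Returns (shared blocks with the constant IV, shared blocks with fresh IVs).
    fixed = shared_prefix_blocks(cbc_encrypt(key, FIXED_IV, FILE_A),
                                 cbc_encrypt(key, FIXED_IV, FILE_B))
    fresh = shared_prefix_blocks(cbc_encrypt(key, os.urandom(BLOCK), FILE_A),
                                 cbc_encrypt(key, os.urandom(BLOCK), FILE_B))
    return fixed, fresh


if __name__ == "__main__":
    print(compare_iv_strategies(os.urandom(32)))  # (3, 0)
```

With the constant IV the first three ciphertext blocks of both files are identical, so an observer learns that the files share a 48-byte prefix; with a fresh IV per file the chains diverge from block one and nothing about the shared header is visible.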
? I don't use TPMs or anything like that. I have an old thinkpad with libreboot, using an SED (might not be safe but it's just an additional burden) + LUKS/dm-crypt + qubes. WAN was removed from the machine. Tell me, how the fuck are you ever going to break it?
>Tell me, how the fuck are you ever going to break it?
Nigga, are u this dumb.
Too much cope in here. I don't need to argue with poor fags who will never even reach the level of my hot wallets.
>they can sneak in any code they want to put your shit on the cloud
>uses the word "cloud"
No, they can't. Prove it.
>I would stay far away from them from now on if this is the way they are headed.
The same way I would stay away from Trezor. Trezors have actually been broken already. The GP chips they use are garbage.
That balance can be faked, Mr. Larp.
>That balance can be faked, Mr. Larp.
LMAO nah, this isn't your regular shitty we-packed-our-webapp-into-a-chromium-container wallet.
Keep coping. At least I'm not suffering from buyer's remorse over 100 bucks.
It literally can tho.
And showing how much XMR you have, ever.
Lol, lmao even. Mr. Larp, you’re so funny.
>It literally can tho.
how. Do it then.
>And showing how much XMR you have, ever.
First of all, you would need the exact balance to even have a chance of exposing me. Second of all, it's my hot wallet anyway. Please keep cope posting. I know you're jealous of the fact that I've been into Monero from the very beginning. Also nice reddit spacing. You're prob. not even white. So far you have proven you don't understand encryption, you don't understand operating systems, basically nothing.
Btw I found the source about trezor. But I’m not going to link it, obv. And it’s true about luks.
You lost, ledger
Open source (trezor) wins again, kek.
Open source > Closed source
See ya in future threads, Mr. Larp.
>Are you fucking blind or something? How many times do I have to recommend against hardware wallets in this fucking thread?
I'm not stupid and I hope no one falls for this. You are discrediting ALL hardware wallets, and thus trying to, from a higher level, lump Trezor and Ledger into one. The effect of this is people see
>Trezor and Ledger are the same
and thus ends this competition. No one should fall for this.
>I understand it perfectly and I have described it above. Pavlov hardc...
You are ignoring what I said.
>They can't add software to your device unless you let them. Unless you actually upgrade and confirm the upgrade with your device, there is no way to install software on it. I will give you 1 BTC right now if you can prove that the firmware can be tampered without the user's interaction.
That's the thing. Just the fact that it's on their fucking roadmap and they thought users would be okay with this, speaks a lot about the company. I would stay far away from them from now on if this is the way they are headed.
And again, closed source, they can sneak in any code they want to put your shit on the cloud. You think a mega-corp just goes
>Oh no we had a bad plan! We learned from it!
>Fucking sheep, we'll let this blow over and then sneak it in later. We have plans. For now let's pay some shills to do some publicity coverups.
Trezor can't do this because the
>OPEN SOURCED CODE HAS A HASH SIGNATURE
Ledger is superior... with or without the 'Recovery Service'.
This panic is just that, panic. Low IQ people thinking they know something because they can repeat a couple of buzzwords. Pic related
As a programmer I can tell you 100% that open source code is better in almost every aspect. When it comes to security, the only reason for code to be closed source is because the security design can't stand on its own, the code is just too embarrassingly bad to expose, or they straight up copied someone else's code without permission and don't want to get sued. Most proprietary code is also almost entirely built on top of open source libraries too.
And it doesn't matter if your seed is exposed, you should be using a secure passphrase. If you know your seed is exposed you should probably use a new seed but a decent multi word passphrase would take literally years to brute force.
Trezor is just a better design than ledger because it relies on actual math/crypto (seed + passphrase) rather than some dumb marketing gimmick like preventing physical extraction of the seed which is not needed, which comes at the huge cost of having to use some proprietary, closed source hardware/firmware.
oh that said, ledger is fine if you already have one, just don't update the firmware until they open source it which they say they are doing. all good then.
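The "25th word" / passphrase that the checklist post and the "seed + passphrase" post above rely on, as an added example (not from the thread or from Trezor's code): BIP39 seed derivation with the passphrase entering only through the PBKDF2 salt, implemented with the standard library and checked against the published BIP39 test vector that uses the passphrase "TREZOR".

```python
import hashlib
import unicodedata


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    # BIP39 seed derivation:
    #   seed = PBKDF2-HMAC-SHA512(password = NFKD(mnemonic),
    #                             salt = "mnemonic" + NFKD(passphrase),
    #                             iterations = 2048, output = 64 bytes)
    # The passphrase only enters through the salt. It is never written to the
    # device, so a mnemonic read out of the hardware is missing this input.
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, 2048, dklen=64)


# Published BIP39 test vector: all-zero entropy, passphrase "TREZOR".
VECTOR_MNEMONIC = " ".join(["abandon"] * 11 + ["about"])
VECTOR_PASSPHRASE = "TREZOR"
VECTOR_SEED_HEX = (
    "c55257c360c07c72029aebc1b53c05ed0362ada38ead3e3e9efa3708e5349553"
    "1f09a6987599d18264c1e1c92f2cf141630c7a3c4ab7c81b2f001698e7463b04"
)


def distinct_wallets(mnemonic: str, passphrases: list) -> int:
    # Every distinct passphrase yields a distinct seed, hence a distinct wallet.
    # There is no "wrong passphrase" error: a typo, a case change or a trailing
    # space silently opens a different, empty wallet, which is the usual way
    # people lose access to a passphrased device. Back the passphrase up too.
    return len({bip39_seed(mnemonic, p) for p in passphrases})


if __name__ == "__main__":
    assert bip39_seed(VECTOR_MNEMONIC, VECTOR_PASSPHRASE).hex() == VECTOR_SEED_HEX
    print(distinct_wallets(VECTOR_MNEMONIC, ["", "TREZOR", "trezor", "TREZOR "]))  # 4
```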