So a software vulnerability was successfully pushed out beyond Ledger.
This topic has 8 replies and 1 participant, and was last updated 4 months, 4 weeks ago by FlatlandResearch.
21 December 2023, 22:36 #3269634 root_s2yse8vt (Administrator):
How much more or less likely would it be that something like this could be embedded in one of the apps, or in Ledger Live, or even in Ledger Recovery?
I am talking specifically about some kind of corrupted software.
Is Ledger's security protocol watertight with regard to these other matters? And was this latest incident just one that slipped through a crack? I understand that crypto security is a difficult undertaking, and I don't think Ledger is clumsy. I still believe they are our best option. But the concerns remain.
21 December 2023, 22:36 #3269635 0xAERG (Guest):
[https://www.reddit.com/r/ledgerwallet/comments/18igjck/comment/kdddo34/?utm_source=share&utm_medium=web2x&context=3](https://www.reddit.com/r/ledgerwallet/comments/18igjck/comment/kdddo34/?utm_source=share&utm_medium=web2x&context=3)
> There are code repositories, like GitHub, where developers push code, review it, amend it and, ultimately, merge it into the actual codebases. This is where everything happens and authorizations are extremely scrutinized.
>
> In the case of apps, like Ledger Live, code is then periodically bundled, released and uploaded to the spaces where it will eventually be downloaded by users. Dozens of eyes verify everything at each step.
>
> But here it’s not an app that was affected, it’s a library that is used by other developers, so the process is a bit different. When bundled by the continuous integration system on GitHub, libraries are then deployed to package managers like NPM in this case.
>
> These deployments are not man made, they’re automatic processes handled by the continuous integration system itself.
>
> Developers are not supposed to upload packages to NPM directly, so there were very few people that actually had the right to push anything to NPM apart from a few employees that had been there from the start to set things up.
>
> The affected employee was one of those.
>
> The hacker exploited the access to the package manager to push a fake version of the library in place of Ledger’s.
>
> As soon as the team handling this infrastructure realized this, they revoked access to NPM to anyone that previously had it, except from a couple of selected admins. A security process was instated to prevent this from ever happening again.
21 December 2023, 22:36 #3269638 bibimbap0607 (Guest):
You never know. I honestly want to believe them that they won’t mess up one more time. But it’s already their 3rd miss and this makes it really hard for me to believe in their competence.
If I am not mistaken, the 1st time was the user data breach. Well, shit happens. We can close our eyes and ignore it. Who doesn’t make mistakes? And it’s not like it was a huge one; software, firmware and hardware are all intact and good.
The 2nd time was half a year ago or something when they introduced the backup feature. This made me worry but I still ignored it. One bad optional feature. Yeah, shit happens. They probably have to make money somehow. Pass.
And now it’s the 3rd time and it’s quite a big one. Will there be one more? Maybe. Who knows? But that’s why public image is so important. If you keep failing multiple times you can simply lose all your customers and go out of business.
If I need a “trust me bro” wallet I can easily get Trust Wallet or whatever hot wallet is out there. When I get a hardware wallet I want to make sure that my keys are protected by secure chips and other mechanisms.
It’s a shame as I really like my Ledger, but I guess I’ll be jumping ship soon. I am not sure what wallet I will end up with yet. Getting tired of this shit. It’s almost Christmas, for god’s sake; can you give me a rest please and not make me worry about my coins.
21 December 2023, 22:36 #3269639 technician451 (Guest):
Now the problem is that Ledger Recover literally can get your seed…
I might switch to the Ellipal Titan. I get that the dapp vulnerabilities and all that come and go with the connector, but the next headline for Ledger is going to be “rogue employee uses Ledger Recover to steal user recovery seed”…
21 December 2023, 22:36 #3269640 brianddk (Guest):
To be fair, if any of the victims had really read the manual and employed the best practices outlined, then they wouldn’t have gotten drained. They had to acknowledge the TXN on-device, even if they enabled blind-signing. And if they did enable blind-signing, there is a huge warning that says “Dangerous”.
But yes, if a zombie mind-virus were to run rampant through Paris, then perhaps nothing from Ledger could be trusted: not their website, not their SSL keys, not their GPG keys, not their Authenticode keys, not their social profiles, none of it.
But that is a pretty big IF, and even IF that happened there are things that users could do to catch it. The code is duplicated to other (non-Paris) data centers, and any new FW release should be questioned, even if you are waiting on it.