Just recently, Ledger released new firmware for the Nano S, version 1.4.1. It brought a wide range of changes, including a new app limit of 24 wallets, something many of us had demanded. But the real point of the update was to patch a vulnerability that had been brought to Ledger's attention by Saleem Rashid and two other security researchers. No big deal, right? Well, a sudden Twitter post by Saleem blew this wide open two weeks BEFORE the agreed release date of the update. This upset Ledger and caused panic in the crypto community. An exchange of words between the two parties followed, ultimately leading up to the official disclosure of the vulnerability just yesterday. Ledger is saying Saleem was paid the bounty and that there is no reason to worry about a hack, while Saleem is saying he WASN'T paid a bounty and that all our wallets still remain at risk. So, who is telling the truth?
First, let's go back. About 15 days ago, Saleem posted the tweet exposing the vulnerability.
This tweet led to mass panic all over Reddit, with many worried their private keys had been compromised. That led to the Ledger CEO directly addressing the issue. Direct quote below:
Naturally, this upset Saleem, who also showed up in the very same Reddit post.
As you can see, neither side was very happy with how things went down. Fast forward to yesterday, 3/20/18, when Ledger finally released details of the update and the vulnerability. Here is where things get a bit iffy. First, we will start with payment of the bounty. Ledger is stating that all security researchers, including Saleem, were paid for their work. However, on Saleem's blog we see something quite different.
Here Saleem is saying that he wasn't paid his bounty because he released his own technical report. But in Ledger's report we have something that contradicts that. UPDATE: while this article was being written, Ledger's report initially stated that all researchers were paid. It now states that Saleem wasn't paid because he refused to sign the agreement. That still contradicts what Saleem has said.
Now why would Saleem say he was not paid? It might very well be because of his report, or because his Twitter post violated the terms of the bounty agreement. Who knows at this point.
As for the vulnerabilities themselves, both sides' descriptions match up, with one notable difference. Ledger believes the devices are now secure, while Saleem believes there are still possible holes in the firmware. Technically, the Ledger is still vulnerable to a phishing-style attack in which the user is tricked into installing a fake firmware update that carries the attacker's malware. Definitely unlikely, but still possible.
It's really hard to say who was right or wrong in this situation. Neither side handled it very well, and the community itself is torn.
Who do you think was right in this all? I'll leave links below to both blogs for you to make the decision yourself.
https://saleemrashid.com/2018/03/20/breaking-ledger-security-model/
https://www.ledger.fr/2018/03/20/firmware-1-4-deep-dive-security-fixes/
Thanks for reading! Feel free to comment below.
The first image came from Saleem's own blog. The rest are straight from Reddit.
I've already ordered a Trezor and lost faith in Ledger completely. Not only was the 1.4.1 update an absolute disaster to do, it's obvious there is some bs going on over there.
It really is. We have discrepancies on both sides now, with neither side willing to comment anymore. Initially I thought everything was fine, now I'm not so sure...
There are more options coming.