No, it is not. It is just a meaningless phishing attack.
Please stop this madness. Gaslighting with "oh, some x was leaked, now buy y..." is lame marketing.
No, it is not.
The "only solution" is a trustless approach that doesn't rely on any specific individual, company, or provider. Independence. No registration, no email, no customer lists.
I encourage you, DarthCoin, to think about it deeply. Maybe you are not ready yet?
any HW is useless for me...
A phishing email is just a phishing email, not an attack.
Those idiots that click on phishing emails deserve what they get.
And that has nothing to do with the manufacturer. Could happen to all HW types.
I personally care less for any HW, including seedsigner. I simply do not use any. They are useless for me.
With all due respect @DarthCoin, this is indeed a very serious issue (for both Blockstream and any other HWW maker).
Yes, generic phishing emails are pretty "dur don't click on the link", but now imagine it's your mother or father, someone 60 years old, 80 years old or even someone very young that hasn't had the experience of seasoned technical people. They'll click it.
That's "phishing" emails. Now let's talk about "spear phishing" attacks. These are hyper targeted forms of attacks. Not just some generic spam email with questionable English grammar but ones directed explicitly AT YOU. With your name, email, from legitimate sources not "spammer69@fakeassdomain.com".
They might email you back and forth, quote your credit card number, address, previous purchase date, card number used, invoice number etc etc. All this info is hyper targeted and spear phishing attacks virtually ALWAYS are successful. Even against IT pros. These types of leaks allow for this attack vector and only a fool thinks that they're immune.
But it gets worse.
Even spear phishing is just an online attack. How about a group of thugs rock up to your home late one night with 5 baseball bats and start beating the shit out of you and/or your family until you give up the Blockstream Jade they now KNOW you own.
What's the solution? Don't use your real identity when purchasing a HWW. We've had this highlighted in our Advanced Bitcoin Privacy guide for ages now. So once again for those in the back...
Don’t buy a hardware wallet with your real world identity!
If the hardware wallet company gets hacked, your identity is forever linked to “this customer has so much crypto they needed to buy a hardware wallet” = huge target.
Most Hardware Wallet manufacturers will accept Bitcoin making this a relatively easy process. Make up a name, create a one time Proton.me email account via Tor Browser, pay via Bitcoin you obtained via a non-KYC source and get it delivered to an address that's not associated to you (eg. work, PO box etc) and you’re set!
As OP also states, any HWW that uses General Purpose Hardware (GPHW) or that you can go buy directly from the manufacturer in person in cash without identity is fine too 🙂
too much noise for nothing
I would just use both. HWW and SeedSigner.
Practice good opsec and general safety measures. Don’t click on links in emails. Be cautious of unexpected emails. This can happen to any vendor in any space. Stay frosty
They made a post on nostr this morning. https://primal.net/e/note18x6e799dx8wn9czp5kenq4w4lxezl500v2s6dyczyxj8hm8uganskjgt8z
That's what I mentioned, it's from 13 hours ago. They are still investigating.
The way you've written it, it sounds like the leak happened 13 hours ago. Not that their last response was 13 hours ago.
You didn't even link the note.
This makes you look less trustworthy imo.
I linked both Twitter and Nitter of Blockstream, it was their first post, and still is.
https://image.nostr.build/7802127d02ec061f7200044a3d035e24316d17c351fa19010e97951942ba012a.jpg
After Ledger, Blockstream is a "No No" company for me
insecure wallets
not working products
data leaks