This seems a little disingenuous to me. The implication of the first attack is not that someone might sneak into your house and modify your Ledger hardware. It's that hardware could come to you with modified firmware from the get go.
I didn't watch the 35c3 presentation, but it certainly looks like it's an absurd attack. Kudos to Ledger people for constructively replying to it.

Some talks at 35c3, defcon, etc. remind me of the rubber hose security (https://xkcd.com/538/).

On the other hand, the www.ledger.fr website does not properly redirect to HTTPS (e.g. http://www.ledger.fr/bounty-program/) and that would've been a more practical one.
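The comment above points at a missing HTTP-to-HTTPS redirect. The check a defender would run for that is simple enough to show; the code below is an added example, not the commenter's or Ledger's, and it works purely offline on constructed raw HTTP/1.1 responses (the hostnames `www.example.com` and `cdn.example.net` in the samples are made up). It classifies what a plain-http:// response does with the client and, separately, whether the HTTPS response carries HSTS.

```python
"""Classify how a site answers a plain-http:// request (added example).

Parses raw HTTP/1.x responses offline so it can be run against the
constructed samples below; feed it a real response only if you capture
one yourself.
"""
from urllib.parse import urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def parse_response(raw: bytes):
    """Return (status_code, headers) from a raw HTTP/1.x response.

    Header names are lower-cased; the body is ignored.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)  # e.g. "HTTP/1.1 301 Moved Permanently"
    status = int(parts[1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def classify_http_response(raw: bytes, requested_host: str) -> str:
    """Say what a response to a plain-HTTP request does with the client.

    Outcomes:
      "served-over-http"          - content delivered without TLS (the finding
                                    the comment describes)
      "redirect-stays-http"       - a redirect, but to an http:// or relative URL
      "redirect-https-other-host" - sent to HTTPS, but on a different host
      "redirect-https-ok"         - sent to HTTPS on the same host
    """
    status, headers = parse_response(raw)
    if status not in REDIRECT_STATUSES:
        return "served-over-http"
    target = urlsplit(headers.get("location", ""))
    if target.scheme.lower() != "https":
        return "redirect-stays-http"
    host = (target.hostname or requested_host).lower()
    if host != requested_host.lower():
        return "redirect-https-other-host"
    return "redirect-https-ok"


def has_hsts(raw: bytes) -> bool:
    """True if the response carries Strict-Transport-Security.

    Browsers only honour HSTS on responses received over HTTPS, so this
    belongs on the https:// response, not on the plain-HTTP redirect.
    """
    _status, headers = parse_response(raw)
    return "strict-transport-security" in headers


# Constructed sample responses (not captured from any real host).
SAMPLE_SERVED_HTTP = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html>bounty program</html>"
)
SAMPLE_GOOD_REDIRECT = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Location: https://www.example.com/bounty-program/\r\n"
    b"\r\n"
)
SAMPLE_RELATIVE_REDIRECT = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: /bounty-program/\r\n"
    b"\r\n"
)
SAMPLE_OTHER_HOST_REDIRECT = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Location: https://cdn.example.net/\r\n"
    b"\r\n"
)
SAMPLE_HTTPS_WITH_HSTS = (
    b"HTTP/1.1 200 OK\r\n"
    b"Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for name, sample in [("served", SAMPLE_SERVED_HTTP),
                         ("good", SAMPLE_GOOD_REDIRECT),
                         ("relative", SAMPLE_RELATIVE_REDIRECT),
                         ("other-host", SAMPLE_OTHER_HOST_REDIRECT)]:
        print(name, classify_http_response(sample, "www.example.com"))
    print("hsts on https response:", has_hsts(SAMPLE_HTTPS_WITH_HSTS))
```

The relative-Location case is worth keeping in mind: a 302 to `/bounty-program/` looks like a redirect in a browser but never leaves plain HTTP, so a checker that only tests for a 3xx status would pass it.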
What bothers me is that they did not responsibly disclose the vulnerabilities to the manufacturers ahead of time. This is not moral, and I'm not sure what one gains by not doing that. I think that conference organizers should pressure presenters to do that before talks.

Either that or attendees should apply bottom-up pressure and ask live questions like "what did you do to responsibly disclose this issue?". I think I'll do that at future security conferences I attend.