About gray
  1. Here's the actual writeup in case anyone wants to read it: https://saleemrashid.com/2018/03/20/breaking-ledger-security-model/
     Takeaway here is basically:
     * DON'T buy from third parties, and if you do, verify firmware
     * If there was an opportunity for someone else to have physical access to your device, consider it compromised until you verify firmware
     * Don't install firmware updates from a compromised computer / verify the firmware update you're installing is actually from Ledger
  2. That attack vector only applies when you:
     1. Have a wallet with an insecure RPC server running
     2. Have a user that is browsing the web normally while that wallet/RPC server is running
     Neither of these applies to any XRP wallet that I know of, so that specific attack vector is not one that's going to apply to really any XRP user.
  3. Hi FlyingFox! I actually just noticed this error independently and have adjusted it so it should be fixed now!
  4. Small update to XRPToolkit got merged today: dependency tracking using package.json file and native support for RippleWarpWallet-based accounts using Warp2account and Warp2accountQR on the offline computer -> https://github.com/Duke67/xrptoolkit-nodejs
  5. No. Once those 20 XRP go in, they don't come out. This is to prevent spam and clogging the network -- you have to buy in and have a stake in it. Helps prevent bad actors. HOWEVER--if XRP's price skyrockets, the Ripple protocol itself can be updated to lessen the amount of "reserve" you must keep in an account. So potentially in the future, the reserve amount could go down to 15 XRP, 10 XRP, 1 XRP etc., in which case you could then withdraw the extra reserve you have in your account. You need to understand where this comes from though--it's not that creating a wallet costs a fee of 20 XRP, it's that opening an account on the ledger costs 20 XRP. What does this mean? Well, with Ripple, you have what are called "accounts" on the ledger. This is what your "wallet" really is--it's your credentials that allow you to "sign in" and modify your account on this big public ledger. Based on my other thread that you have assumedly read, you know that a wallet having a balance is simply due to the ledger having a record of all the transactions that have happened to it. Well, with Ripple, the ledger will only track accounts which have a balance above a certain threshold (the reserve amount) to protect against users creating spam accounts for free to try to attack the network. So, what this means is that no matter what method you use to create a wallet, when you "transfer funds to the wallet" what you're really doing is transferring funds to an account on the XRP public ledger, and your wallet is the credentials which then allow you to use that account on the ledger and transfer those funds. The fee for holding an account on the ledger is the reserve amount, which is currently 20 XRP.
  6. You should really understand what a wallet actually is, and how blockchains actually work, before it costs you significant amounts of money. I made this thread that explains it in (hopefully) easily understandable terms: Blockchains are not inherently secure... they're not a holy grail of security. If you do not control your own private key, then your funds are not really yours, they're just an IOU--just like leaving your money in the bank, but crypto exchanges are generally much less trustworthy than banks. If you control your own private key, then you control your funds... however, you also control your own security. If anyone else gets access to your private key, they can transfer your funds wherever they want from anywhere in the world where they have an internet connection. Now, please make sure you actually read the above thread so you understand what a private key is and why it's important.
  7. They're talking about the screen on the Nano itself, not your computer screen. They did a firmware update so that you can see/inspect the whole receive address by having it scroll.
  8. Yep, this is the new popular phishing technique -- using Cyrillic and other Unicode letters that look very similar to the actual English ones and then getting TLS certs from certificate authorities that aren't doing their due diligence. A URL that's basically indistinguishable from the real one, with the green HTTPS lock, but not real.
  9. If you have a "secret key" that you must type in every time on Gatehub to make transactions, then yes, Gatehub is not hosting your wallet. If you had a Gatehub-hosted wallet then they would have your secret key for you. Gatehub, in addition to being an exchange, can also function as wallet software (aka a piece of software that lets you make transactions on the Ledger using your secret key). Check out my thread about what wallets actually are and what they're not, explained in non-techie terms:
  10. I don't think Gatehub are thieves. That said, using a wallet hosted by an exchange (or anything you don't control) is almost always a bad idea.
  11. Ultimately it probably doesn't matter much. Personally I still think the whole market hasn't finished correcting from nov/dec FOMO run and everything will fall a bit more before it goes back up. The current XRP run is probably just whales pumping a little bit and it will go back down again. Then again, I could be wrong. I'm thinking I'm going to get back into xrp again soon. Hopefully at a price around $0.70-0.80
  12. Yep, this is correct. XRP doesn't generate receive addresses for extra coins each transaction. However there's a slight nuance here, which is that in theory your receive address could be compromised any time you look at it on the Ledger app, but with Ripple, you know that something is wrong if that receive address is different than your original address. With other cryptos, it's completely normal that it is different.
  13. Ha, indeed. There are no known attack vectors on the Ledger/Trezor that don't involve physical access to the device itself, and even then it's INSANELY difficult. True haha. Hopefully it wouldn't be that easy, and if you have a significant enough amount to warrant that then you won't be advertising it anyway ;p Shared secrets. Ripple actually has a built-in multi-sign function that you can use for this, if you're really super paranoid. You can create multiple cold wallets (could be multiple Trezor/Ledger devices or just multiple paper wallets) and then set the primary account your funds are in so that multiple of those (but not all) are required to actually sign a transaction. Then you distribute them to various places. One on your person, one with a lawyer, one in a local bank, a couple in banks around the world, etc. This way you have redundancy if one gets destroyed, one getting stolen doesn't matter unless a majority get stolen by the same person at the same time, and none of them individually are able to sign something, so you have deniability against threats to your person like you described before (at least in a limited capacity).
  14. In theory that sounds all well and good, but there are definitely holes. Browser sandboxing only does so much, Windows' inbuilt security like UAC is pretty awful and there's been a 0-day on it that still has not been fixed since the days of Vista, and there are other exploits as well. Consumer antivirus is pretty much useless except against the widest-net malware, not if you're at all being targeted (and Ripple is a small enough community that it could easily be targeted as such). Once someone gets a shell/code execution, there are many ways to escalate privileges and get administrator on your system, at which point they can do whatever they want and get past any firewall or whatever without you knowing. And all of this can happen from a phishing email that's indistinguishable from a real one because it was engineered by someone who is actually smart about it and makes one that looks totally legit.
  15. It was for Toast haha. Anyway, what you're describing is true for the standard attack vector you're thinking about, but may not be for another creative attack vector. For example, I don't know exactly how Toast holds keys in memory while in use, nor how VeraCrypt holds things it decrypts in memory... in theory you could have malware that just scalps things that look like they could be cryptocurrency keys from memory and then sends them back to a remote server for processing. Windows Defender and any other antivirus are basically useless against targeted or new malware--they're good for malware once that malware has been identified and you can put its signature in the program, but depending how that malware works and how it is written, you could definitely still get some. Yes, this is quite paranoid, but ultimately, having your keys ever in memory on an internet-connected computer that could possibly have malware on it is just about as dangerous as just storing them in plain text on that computer permanently.
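Post 8 above describes homograph phishing: a hostname built from Cyrillic letters that render like Latin ones, served with a valid TLS certificate. The following is an added example (not code from the original posts or from any project mentioned here) of the check a defender would run on a hostname taken from a link or a certificate: decode any punycode labels back to the Unicode the browser displays, flag labels that mix scripts, and flag labels that spell a protected name once look-alike letters are collapsed. The confusables table is a constructed subset, and `example` as the protected label is an assumption; the Unicode confusables data would replace both in practice.

```python
import unicodedata

# Constructed table (not exhaustive): Cyrillic letters that render almost
# identically to Latin ones in common fonts, mapped to the Latin letter they
# imitate. A real deployment would load the Unicode confusables data instead.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
    "\u0455": "s", "\u04bb": "h", "\u0458": "j",
}


def to_unicode_host(host):
    """Turn punycode (xn--) labels back into the Unicode a browser would display."""
    labels = []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            labels.append(label.encode("ascii").decode("idna"))
        else:
            labels.append(label)
    return ".".join(labels)


def scripts_in(label):
    """Set of Unicode script names (LATIN, CYRILLIC, ...) used by the letters of a label."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0] for ch in label if ch.isalpha()}


def skeleton(label):
    """Collapse look-alike letters to the Latin letter a human reads them as."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)


def assess_hostname(host, protected_labels):
    """Flag a hostname whose label mixes scripts, or whose collapsed form
    spells a label we care about (a wallet vendor's name, say).
    Returns the decoded name, the findings and an overall verdict."""
    decoded = to_unicode_host(host)
    findings = []
    for label in decoded.split("."):
        scripts = scripts_in(label)
        if len(scripts) > 1:
            findings.append(f"label {label!r} mixes scripts {sorted(scripts)}")
        collapsed = skeleton(label)
        if collapsed != label and collapsed in protected_labels:
            findings.append(f"label {label!r} impersonates {collapsed!r} via look-alike letters")
    return {"decoded": decoded, "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    # Constructed samples: "example" with its first 'e' swapped for Cyrillic U+0435
    # (as DNS and the certificate would see it, i.e. punycode), the genuine name,
    # and an all-Cyrillic name that is legitimate and must not be flagged.
    lookalike = "\u0435xample.com".encode("idna").decode("ascii")
    all_cyrillic = "\u043f\u0440\u0438\u043c\u0435\u0440.\u0440\u0444".encode("idna").decode("ascii")
    for h in (lookalike, "example.com", all_cyrillic):
        print(h, "->", assess_hostname(h, {"example"}))
```

The mixed-script rule alone is what most browsers apply before showing the Unicode form; the skeleton rule catches the case the post describes, where every letter in the label is drawn from one script but the whole reads as a brand you care about. An all-Cyrillic name passes both checks, which is why the second rule needs a list of protected labels rather than a blanket "non-ASCII is bad" policy.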