Showing results for tags 'security'.
Found 71 results
-
I was going through the ledger looking at how Ripple.com sets up their accounts. Many of their accounts have 4 of 8 signatures required and the master key disabled. Hypothetically, if the first four signers were all compromised, the original owners could still use the last four signers (5-8) to change signers 1-4. In this rare event, what's to stop thieves with signers 1-4 from removing/altering signers 5-8, essentially locking out the original owners completely? I speculate that they have signers 5-8 locked up in safes somewhere as a backup last resort and a 50% quorum so that they could 'save' the account in the event of 1-3 of the 'active' signers being compromised. As I understand it, once the master key is disabled and multi-sign is the only way to transact, there is no way to reinstate the master key ever. I've been looking through xrpl.org but there's zero mention of recovering a master key once it's disabled. Is this accurate?
5 replies. Tagged with: security, multi-sign (and 2 more)
-
Here's the link: https://www.sec.gov/Archives/edgar/data/1048702/000119312521047532/d119950dex9928p7.htm Search keywords "xrp" or "cryptocurrencies" to find the relevant section.
Tagged with: sec, securities (and 4 more)
-
Guys, Below is your May 2020 update on the lawsuits filed against Ripple Labs, Inc. As of today, May 4, 2020, there are four (4) open or active cases Ripple Labs, Inc is involved with and litigating.

TL;DR - A new securities related lawsuit was filed against Ripple Labs, Inc. last week. That is three securities related lawsuits Ripple is now defending.

The open or active cases are in bold:

1.) 2014 - Ripple v. LaCore Enterprises (closed)
2.) 2015 - Ripple v. Kefi Labs (closed)
3.) 2015 - Arthur Britto v. Jed McCaleb (closed)**
4.) 2016 - Bitstamp v. Ripple, Jed McCaleb, Stellar (closed)
5.) 2016 - Ripple v. Pixel Labs (closed)
6.) 2017 - R3 v. Ripple (Delaware) (closed)
7.) 2017 - Ripple and XRP II v. R3 (California) (closed)
8.) 2017 - R3 v. Ripple (New York) (closed)
9.) 2017 - Tony Petrucci v. Ripple (closed)
10.) 2018 - Ryan Coffey v. Ripple, XRP II and Bradley Garlinghouse (California) (closed)
11.) 2018 - Ryan Coffey v. Ripple, XRP II and Bradley Garlinghouse (U.S. Federal Court) (closed)
12.) 2018 - Zakinov v. Ripple, XRP II and Bradley Garlinghouse (California) (closed; consolidated w/ #17)
13.) 2018 - David Oconer v. Ripple, XRP II and Bradley Garlinghouse (California) (closed; consolidated w/ #17)
14.) 2018 - Avner Greenwald v. Ripple, XRP II, Bradley Garlinghouse, Christian Larsen, Ben Lawsky (California) (closed)
15.) 2018 - Avner Greenwald v. Ripple, XRP II, Bradley Garlinghouse, Christian Larsen, Ben Lawsky (U.S. Federal Court) (closed)
16.) 2018 - Avner Greenwald v. Ripple, XRP II, Bradley Garlinghouse, Christian Larsen, Ben Lawsky (U.S. Appeals Federal Court) (closed)
17.) 2018 - Zakinov et al v. Ripple et al (U.S. Federal Court) (open/active)
18.) 2019 - Cooperative Entertainment, Inc. vs. Ripple (closed)
19.) 2020 - Simmons vs. Ripple Labs, XRP II, LLC, and Bradley Garlinghouse (U.S. Federal Court) (open/active)
20.) 2020 - Ripple Labs, Inc. et al vs. YouTube, LLC (U.S. Federal Court) (open/active)
21.) 2020 - Bitcoin Manipulation Abatement, LLC, vs. Ripple Labs, XRP II, LLC, and Bradley Garlinghouse (U.S. Federal Court) (open/active)

Notes on active cases:

#17, #19, #21 (above) - There are now three different securities related lawsuits filed against Ripple Labs, Inc., two in U.S. Federal Court in California (#17, #21) and one in U.S. Federal Court in New York (#19). The second federal case in California (#21) was filed on May 1, 2020.

#20 (above) - Over the years, Ripple Labs, Inc. has typically been the defendant in all of these lawsuits. However, as many of you are aware, Ripple just filed a lawsuit against YouTube (Google) for alleged trademark infringement, alleged right to publicity, and alleged violations under California's Unfair Competition Laws, all related to the XRP Scam Giveaways.

My guess is that Ripple Labs, Inc. will move to have all three securities related lawsuits joined (combined), but we shall see. And as soon as I have upcoming dates on all of these cases, I will update this post. @Snoopy @Pablo @WillGetThere @vlad_got_it @jcdenton @Mrsrippley @xrpisking
-
Guys, Below is your March 2020 update on the lawsuits filed against Ripple Labs, Inc. As of today, March 20, 2020, there are two (2) open or active cases Ripple Labs, Inc is involved with and litigating.

TL;DR - A new lawsuit was filed against Ripple Labs, Inc. on March 12, 2020.

The open or active cases are in bold:

1.) 2014 - Ripple v. LaCore Enterprises (closed)
2.) 2015 - Ripple v. Kefi Labs (closed)
3.) 2015 - Arthur Britto v. Jed McCaleb (closed)**
4.) 2016 - Bitstamp v. Ripple, Jed McCaleb, Stellar (closed)
5.) 2016 - Ripple v. Pixel Labs (closed)
6.) 2017 - R3 v. Ripple (Delaware) (closed)
7.) 2017 - Ripple and XRP II v. R3 (California) (closed)
8.) 2017 - R3 v. Ripple (New York) (closed)
9.) 2017 - Tony Petrucci v. Ripple (closed)
10.) 2018 - Ryan Coffey v. Ripple, XRP II and Bradley Garlinghouse (California) (closed)
11.) 2018 - Ryan Coffey v. Ripple, XRP II and Bradley Garlinghouse (U.S. Federal Court) (closed)
12.) 2018 - Zakinov v. Ripple, XRP II and Bradley Garlinghouse (California) (closed; consolidated w/ #17)
13.) 2018 - David Oconer v. Ripple, XRP II and Bradley Garlinghouse (California) (closed; consolidated w/ #17)
14.) 2018 - Avner Greenwald v. Ripple, XRP II, Bradley Garlinghouse, Christian Larsen, Ben Lawsky (California) (closed)
15.) 2018 - Avner Greenwald v. Ripple, XRP II, Bradley Garlinghouse, Christian Larsen, Ben Lawsky (U.S. Federal Court) (closed)
16.) 2018 - Avner Greenwald v. Ripple, XRP II, Bradley Garlinghouse, Christian Larsen, Ben Lawsky (U.S. Appeals Federal Court) (closed)
17.) 2018 - Zakinov et al v. Ripple et al (U.S. Federal Court) (open/active)
18.) 2019 - Cooperative Entertainment, Inc. vs. Ripple (closed)
19.) 2020 - Simmons vs. Ripple Labs, XRP II, LLC, and Bradley Garlinghouse (U.S. Federal Court) (open/active)

Notes on active cases:

#17, #19 (above) - There are now two different securities related lawsuits filed against Ripple Labs, one in U.S. Federal Court in California (#17) and one in U.S. Federal Court in New York (#19). The case in New York (#19) was filed last week on March 12, 2020.

#18 (above) was recently dismissed with prejudice. My guess is that Ripple Labs settled this lawsuit in order to avoid going to trial. If true, this was more likely than not a good move on Ripple Labs' part (avoid discovery and trial if you can).

June 2018 Update: https://www.xrpchat.com/topic/24386-ripple-lawsuit-tracker/
August 2018 Update: https://www.xrpchat.com/topic/26151-ripple-lawsuit-tracker-august-2018-update/
October 2018 Update: https://www.xrpchat.com/topic/27832-ripple-lawsuit-tracker-october-2018-update/
December 2018 Update: https://www.xrpchat.com/topic/29587-ripple-lawsuit-tracker-december-2018-update/
November 2019 Update: https://www.xrpchat.com/topic/33506-ripple-lawsuit-tracker-november-2019-update/

@WillGetThere @Pablo @Snoopy @vlad_got_it @jcdenton @Mrsrippley @xrpisking
-
“Director William Hinman, head of the Division for Corporate Finance, says that the SEC may issue No-Action Letters for projects whose tokens are now in compliance, even if the original sales pushed the boundaries of securities regulations. ‘That’s the flexibility of the regulatory framework that we’re working with,’ he said.” Source: https://cryptobriefing.com/good-news-ripple-sec-crypto-ico/
10 replies
-
With ever increasing achievements towards a fully usable quantum computer by so many nations, is there a plan in place to secure against quantum computers (if not done already)? @JoelKatz it would be great if you could give us your insights in this matter. Cheers!
-
Ripple CTO David Schwartz explains why XRP isn’t a security
xrpchat482 posted a topic in Other Press
David Schwartz just spoke at the SXSW conference in Austin, Texas. He argued that XRP is not a security. This article explains more. Do you think it is a security or not? Let me know in the comments below.
DEFINITIONS

Cold Storage (cold wallets): To create a cold wallet, first let's try to use a broadly accepted definition for that: https://en.bitcoin.it/wiki/Cold_storage Adaptation: In order to keep a reserve of ripple balances offline, I understand that the balances must be held by a key that has never been online and is out of the reach of online thieves.

Wallet or Account: A pair of public and private cryptographic keys that can hold value and create transactions (Master/Regular Key and Public Key).

Wallet File: A file that can be opened by a client which will have access to an account's Master/Regular Key in order to create transactions.

1 - Prepare the environment: The higher the level, the more secure. There are many levels of paranoia that one can escalate in order to be 100000000% sure nobody can reach the keys, but let's focus on practical everyday usage. The simplest path, ideal for safe computers and for normal amounts, is Level 1 or 2. For those who need more certainty, please read the other levels. You can also mix the methods.

Level 1: If you trust your computer is safe, download the client in your current OS and disconnect from any network.
Level 2: If you trust your computer is safe, use VirtualBox to create a VM with a fresh OS (i.e. a clean Ubuntu), open the new OS, update it and download the client in the fresh OS.
Level 3: If you trust your computer is safe, use VirtualBox to create a VM with a fresh OS (i.e. a clean Ubuntu), open the new OS, update it and build your own client from the github repo in the fresh OS.
Level 4: If you trust your computer is safe, create an Ubuntu Live USB or CD, boot your machine using this media for a Live CD session, and download the client in the fresh OS or build your own client from the github repo in the fresh OS.
Level 5: Buy a new computer meant to be offline forever, turn it on far away from any kind of network connection, download the client (or build it) on another safe computer, disconnect from the internet, copy it to brand new portable media (i.e. USB) and copy it again to the new computer.
Level 6: Suggestions accepted

2 - Create the wallet: In the environment you prepared, open the ripple client, go to create new account/create_an_empty_account, and choose a place to save the wallet file. If the computer you are on will go online again, save the file on external media and remove the media before reconnecting to the internet. Choose a strong password and you will be presented with the option of saving your Secret Key. Write the Secret Key on paper, or take a picture of it (not with your mobile phone!), or use any other safe method to store it. Save the wallet file on several offline media (USB), never use them in your online computer, and keep them private. You can use encrypted volumes if you want. Save your password too. The password alone can't do any harm, so you can use traditional password managers and you can have many online backups of it. Save your public key to a text file and back it up (you will need it every time you send money to this account). Double check to see if the text file matches the public key in the client's top right corner. Close the client, remove the external media, clean the clipboard.

3 - Activate the wallet: Open the text file with the public key on an online computer. Open one of your online accounts with the client. Send some XRP (50) to the cold wallet's public address. Check the address at https://www.ripplecharts.com/#/graph, or any ledger explorer you trust. DONE!

OPTIONAL - Validate the wallet: Will you send 1MM USD to this account without validating it? There is some risk balancing you must think about now. Offline Validation, by @jn_r (I wrote a step by step tutorial about creating offline transactions here). If offline validation doesn't work for you, you may try this: In an offline Ubuntu Live CD session, plug in the USB with the wallet file, open the client and open the cold wallet. Remove the USB. Connect to the internet just for the time necessary for the client to show you that the account received 50 XRP. If there is 50 XRP in the account, you are all good and you can send your money there. If there is not, there was an error in the process. Close the client, kill the Live CD session. Will this procedure invalidate your cold storage? IDK, up to you.

DISCLAIMER: Please follow these instructions, if you want, at your own risk; this is not in any way professional advice.

CONTRIBUTIONS: Security experts are invited to step up and improve this method.
55 replies. Tagged with: cold wallet, desktop wallet (and 1 more)
-
I've been wondering about this question regarding big players, institutions and such. Can custody solutions somehow be integrated with markets? What I mean is, when it is not secure to keep huge stacks of XRP on the exchanges, what happens to liquidity? Can somebody have their assets safe at the same time as having them on the market? (Thinking about xRapid here.) Sure, my zerps can't be both on the Nano S and exchange X simultaneously, but how about custody and other large scale stuff?
-
https://www.bnnbloomberg.ca/the-open/what-s-ahead-for-cryptocurrencies-and-cryptoasset-regulation~1463272 Don Tapscott, head of the Blockchain Research Institute, tech futurist and author of the 'Blockchain Revolution,' joins BNN Bloomberg to discuss his outlook for cryptocurrencies, which are struggling this year. He also outlines some of his recommendations for cryptoasset regulation. 04:45 (..) Utility tokens that perform some kind of function in a business - most of those are not really securities (..) Regulators need to understand the differences between all of these. 06:45 (..) We hope that our report is gonna be read by regulators and government leaders (..) The stakes are very high here. (..) Creating an environment where innovation can flourish is gonna be really critical.
1 reply. Tagged with: tapscott, regulation (and 2 more)
-
https://globalcoinreport.com/here-is-the-upside-of-ripple-xrp-being-declared-a-security/
-
The _____ (name your favorite federal government department) has just _____ (past-tense verb) the _____ (noun) for the _____ (number) time, according to _____ (favorite news source). While Bitcoin and Eth are in the clear, Ripple is still waiting _____ (adverb) for a _____ (adjective) ruling. The ______ (same department) has promised that _____ (date) will be the absolute latest Ripple has to wait. In an _____ (adjective) move however, the _____ (name a different federal department) has totally _____ed (past-tense verb) over the _____’s (first department) head, demanding that _____ (altcoin with ranking worse than 1200) be classified as a security. This is because during _____’s (name a past president) term, the _____ (second department) forgot to close a loop-hole, which is now allowing ____ (name a country) to use _____ (same altcoin) to take the place of the USD as THE world currency. Brad Garlinghouse was extremely _____ (adverb) at the news that a decision on XRP’s status would be delayed. Newly clean-shaven, he _____ed (past tense verb) that there might be a _____ (adverb) _____ (noun) at the _____ (noun) of the _____ (noun). He revealed, in a stunning revelation, that _____ (name five financial institutions), _____ (name your favorite restaurant), and _____ (number between 100-289) _____ (department stores) are now using xRapid. Making the _____ (letter in the alphabet) sign, _____ (body part) crossing _____ (body part), he screamed triumphantly, "_____!!!!" (insert whatever the hell you want). In related news, Brian Armstrong, CEO of Coinbase, was secretly recorded _____ing (verb) BG to forgive his past behavior toward Ripple. Brad _____edly (adverb) pointed out that Ripple has moved on and that Coinbase was now SBI’s _____ (adjective) _____ (noun). Armstrong wept soft, tiny, tiny tears and ______ed (past-tense verb) for one more chance. Brad calmly told Brian to go _____ (verb) himself. To conclude, apparently Ripple is waiting on no one and no department. 
Forging ahead, they vow to _____ (verb) the world. Evidence suggests that this is very likely. The team running the _____ (noun) over at Ripple seems _____ (adverb). One more surprise development: they have opened a new flagship headquarters in ____ (city), _____ (country). Apparently, the US took too _____ (your favorite expletive) long to make a ruling and Ripple has had enough. In this reporter’s opinion, the US government sometimes _____ (verb) over its own _____ (body part), despite its _____ (adverb) _____ (noun). For best results, have a friend pick the words while you fill them in. Do not allow them to read the template first.
8 replies. Tagged with: securities, security (and 1 more)
-
Consensus is better than Proof of Work. When it comes to all categories of strengths for a decentralized cryptographic network, XRP is stronger than Bitcoin in every category: Double-spend prevention, security, censorship-resistance, dependability, scalability, and settlement speed. The fact that we're even still talking about Bitcoin in 2018 is a testament to how effective protectionist market interference can be; but XRP doesn't care - it is being adopted at scale by real businesses for real global commerce. There are a myriad of reasons for this, but in this blog, I focus in on one specific aspect of XRP: its transaction validation model and how it compares to Bitcoin. I hope you enjoy! Please leave any feedback below. Feel free to share my blog with a friend, or on any other platform! (and thanks for doing so!) Twitter Reddit r/Ripple Reddit r/CryptoCurrency Reddit r/CryptoMarkets Reddit r/xrp Reddit r/RippleTalk Reddit r/alternativecoin Bitcointalk - alt coin sub forum Bitcointalk - XRP speculation thread
-
Hello everybody, to secure your accounts we urge all our users NOT to reuse their passwords and to turn on two-step authentication. You are strongly advised to set up 2-factor authentication (2FA). This is an additional security measure to ensure you are the only one who can access your wallet. Below are the instructions on how to set up 2FA.

1. Download the Authy or Google Authenticator app to your mobile device.
2. Log in to your GateHub account and navigate to settings -> security -> 2FA and turn it on.
3. Open your authentication app and scan the on-screen QR code.
4. Follow the on-screen instructions to finish the process.

Once 2FA is enabled, you will be prompted to input the verification code generated by the authentication app on your mobile device. This step will provide a higher level of security for your account.
-
Here's another take on the matter... Ripple (XRP) Given Opportunity To Prove Itself By Ulysses Smith - May 8, 2018 https://stocksgazette.com/2018/05/08/ripple-xrp-given-opportunity-to-prove-itself/ "The Class Action suit brought against Ripple (XRP) by James Coffey has attracted sharp reactions from the Twitter community; with many holding the view that it’s misplaced and doesn’t represent all the XRP investors as termed in the suit. And to some, this is an opportunity for Ripple to prove what it has maintained all along: XRP isn’t and doesn’t qualify as a security." "One XRP holder fired: “As an XRP holder I want to inform you and others that you do NOT represent me, I demand to be excluded from the class. Furthermore, I will be discussing with my lawyer any legal remedies against you and your client if your frivolous lawsuit results in damage to my holdings.”
-
Article is a year old but it's now relevant. It's long... but I feel it will help this discussion. I don't believe XRP will be classified as a security at all and mostly it's just a lot of FUD in the air.
-
Hey all, I would just like to alert new investors to be careful with the following site https://ripple-cloud.com/ and its twitter https://twitter.com/RippleCloud I lost almost 1800 XRP and it's something I do not wish on anybody. I live in Mexico so it's ~$55k - $60k Mexican pesos over here, an amount that is not easy to come by. We talked about this on reddit and it turns out there are a lot of people falling for this; probably it's something bigger than we expect and it might not be just 1 guy making profits out of this but maybe a group of people. I'm new at this so I paid the consequences... This twitter offers a giveaway bonus if you open an account with them, but it turns out that when you transfer your XRP to this "wallet", you are actually transferring your XRP to somebody else's wallet. This was the conversation on twitter: https://imgur.com/a/YSVdD And these are the links to the transactions: https://xrpcharts.ripple.com/#/transactions/655223AA99F89E0237FEACBC9A1F30535E6FA10F6BF301482CEBA67DE2543B3E https://xrpcharts.ripple.com/#/transactions/A8A92A1A6E9C3987A8EEA1CB71A85E721C8678D0F74B4B80B4076061FB08E00A https://xrpcharts.ripple.com/#/transactions/B4954902618B070D5DFF7CB0225AA36B71249D5889575A3A72D9E62B48976486 I didn't know why my balance was showing over a million XRP, but then one other guy explained that's because I'm using an exchange account so it works like a concentrated account; that's why my address contains a destination tag, but other than that it shows what I sent, 1770 XRP lost in total. A user on reddit did some tracking of the wallet I sent my XRP to and came up with a User Id from Poloniex (user id 106230559), so a report to Poloniex support was already made just to alert them about this. Sadly I'm not going to recover what I lost, but I hope this can be a warning for all of those new investors like me to just be careful out there.
I'm also new at XRPchat so please let me know if I need to edit this post if I'm not able to share information; also, if you need or want more information about this situation let me know. Good luck everyone!
-
Until today, to process XRP into Escrow an individual needed to interact directly with Ripple or have fairly advanced coding skills with a deep understanding of blockchain technology. NOT ANYMORE!!! Secure Block Chains has created a very simple platform called Reservoir Lite. It enables users to process their XRP into escrow by filling out a single online form and then transmitting the XRP to escrow right from their desktop wallet. Once the escrow expiration date has passed you can use one simple form to release your escrow back into your wallet. We have consulted with some of the top XRP influencers and have listened to the concerns of the community. We have spent the last several months hardening the security of our product and have ensured that the process is completely anonymous. We do not ask for any unnecessary information to complete the transaction and we do not store any information about the transaction after it is complete. Reservoir Lite is currently the only method for the average XRP holder to access the escrow functionality of the XRP ledger. At Secure Block Chains we continuously strive to develop professional and secure solutions for the cryptocurrency community. If you have any questions about our program leave them here and we will answer them. Or email contact @ secureblockchains.com You can find us at https://www.reservoirlite.com
-
http://www.altcointoday.com/russia-blogger-boasted-crypto-wealth-beaten-robbed-425k A good reminder for zillioners out there... you never know who might be watching while you publicly show off your zerps.
-
https://finance.yahoo.com/news/researchers-finds-one-person-likely-174057067.html Can anyone here explain what this article is going on about in layman's terms? What I got was that one exchange was hacked, a bunch of false trades were made, somehow the false trades equated to 600K BTC actually moving to someone's wallet/account, but also those trades somehow pushed the price from $150 to $1000. It didn't make much sense to me. Assuming those things are true though, is it possible for a single account to do something similar to an exchange for XRP? Like if Binance was hacked, could someone convince the exchange to send them XRP on false trades, and also drive the price of XRP on all exchanges one way or another? What kind of security lessons did the exchanges or the blockchain take away from the Mt. Gox fiasco? And isn't the whole point of the POW system to prevent false trades? Is the POS system XRP uses an improvement in security?
5 replies. Tagged with: manipulation, xrp (and 3 more)
-
According to Bleeping Computer's calculations, as of writing, the attacker collected 669,920 Lumens, which is about $400,192 at the current XLM/USD exchange rate. https://m.slashdot.org/story/336101 https://www.bleepingcomputer.com/news/security/hackers-hijack-dns-server-of-blackwallet-to-steal-400-000/
-
With so many scam websites online, how can you be sure of an honest transaction when purchasing XRP? I have looked at CRYPTOMONSTER: you select the XRP quantity you wish to purchase, are then given a bank account to transfer funds to {these appear to be account details of various individuals}, you transfer your funds and then have to trust that your XRP appear in your wallet. What safeguards are there in purchasing not only XRP but any cryptocurrency?
-
BEWARE AND PASS THIS ON CryptoExchang - Bills themselves as Worlds Most Trusted. "Worlds Most Trusted Crypto Currency Exchange", who can neither spell EXCHANGE (It should have an E on the end) - Cannot spell TESTIMONIALS (Menus top & bottom say TESTMOINALS) , who links their social media icons to nothing but their own website and Google Maps shows their address as in the middle of an empty field. Haha nice try scammers. https://cryptoexchang.com/ripple.php
-
Hello everybody. Long time lurker, first time poster. I’ve been snooping around the forums for a fair while now, enjoying the eclectic mix of speculation, analysis and amusing kids’ aspirational Lamborghini dreams. All while attempting, as I’m sure we all are, to form my own view of this potentially exciting utility-based crypto world. My views are my own and I have no intention of discussing, coercing or belittling yours within this space or attempting to shill or otherwise promote any other crypto. This is not the purpose of this post. I’d like to begin by saying sorry for the potentially inflammatory title of this post. I’m sure Bezerker is just a passionate Ripple and XRP fan who uses his google-fu skills to locate newly created content from the web to share with you all to help fuel the excitement he shares. However, perhaps the title helps emphasize one of my many points of this post - the slightly aggressive tone of the baited title encouraged you to click on this post, and here you are…. A bit of background. I’m an IT Security engineer working out of England over in the UK. Over the years I’ve enjoyed working for British, European and US based companies predominantly focused on day-to-day operational and network security. This post is not designed to be an “I'm holier than thou” arrogant statement from someone in the industry, but rather a gentle reminder by someone with experience to be conscious of your online presence and perhaps re-evaluate your approach to some of the channels in which exciting news is delivered to you on a daily basis, or how much information you reveal about yourself without knowing. Up until this point I had no interest in signing up to the forum but I felt something needed to be said. This may indeed be my first and last post, and apologies if I don’t reply to any comments left in its wake. If this post successfully serves its purpose, perhaps a MOD could sticky it to the top with a more benign title.
Now, for those of you that cannot be bothered to read further into the giant wall of text I’m about to present to you, there are just two clear messages to take from this post, and they are as follows: *** Do not follow web links to websites that you cannot verify as a legitimate and trustworthy source, even if the story appeals to reinforce your passions or enrages you so much that you feel you must put right the wrongs of the author. – NO REALLY, DON’T! *** *** It’s been said many times before, Do NOT reveal your Crypto holdings – NO REALLY, DON’T *** Still with me? Ok, I’ll proceed with my somewhat disjointed explanations….. (Note - I decided the ‘Press’ section was the right place to create this post due to its relevance to the topics I’m about to address. This is after all where I find the largest majority of content which *could* lead to an increased threat to you, the loyal forum member.) Over the past few months I’ve become somewhat alarmed by the number of external articles posted under the guise of news. Often these externally linked websites are just pure speculative re-hashes of previously posted forum or website content, adding very little independent content. The majority of these sites follow the same pattern. Take the last 20 or so externally linked sites and you’ll be able to discount about 75% as they link to well known companies. Forbes, BBC, CNN….etc. Although they often rely on advertising revenue, they also provide huge amounts of original content over many subjects and employ large teams of employees to create it. The ones I’ll focus on are those with some of the following indicators: Previously unknown domain hostnames. Occasionally sub-sites from free hosting providers. A simple whois lookup on the domain name suggests the domain has only been registered within the last few months, if that. The sites are simple blog pages (WordPress templates..etc).
Usually the articles have an exciting title and are followed by a potentially fictitious author name, occasionally with a job title and the current date. The author name attempts to convey a sense of legitimacy, and occasionally this is boosted by an accompanying personable photo. More often than not, attempting to research these individuals further yields few to no results. However this is not always the case (Sorry Hodor!). The content on the sites is split about 60/40% or a higher ratio of advertisements and other external click-bait articles / adware to article content. Often the article itself has adverts between paragraphs. The content is simply a re-hash of public information. Usually of optimistic forum posts or rumours with no citations or references to official sources, designed to appeal to your sense of optimism or fear of a certain subject. If most of these indicators ring true, usually what we have here is a pure money making site. These are designed to attempt to entice you into clicking on adverts in the page in order to earn the site creator money. Traditionally people attempting to make revenue on such sites would have to find their audience by working incredibly hard to push their pseudo-legitimate sites to the top of google page listings. Often using a heady combination of search engine optimisation and site cross-references (Such as other fake articles on common internet ‘article’ sites like ehow.com, ezinearticles.com…etc linking back to their sites). This is of course very time consuming, so they look to ensnare a captive audience who are more than willing to visit their website. Where better than a hyped-up forum of excited people hunting for that next positive or negative piece of information that could potentially affect their wallet? You may or may not know that some reference-based advertisements can earn people as much as $1+ per click without the visitor going on to even make a purchase on the destination website.
Where there is interest and hype, there is money to be made either legitimately or illegitimately. In short - You don’t need to invest in cryptocurrency itself in order to make money from it. Although I digress somewhat – you only need to look at the recent discovery of Ledger Nano S hardware being sold on eBay in sealed boxes yet with pre-generated keys (allowing the bad actor to siphon off your funds at his leisure) to see a horrific example of this in play. So now you may be thinking to yourself “So what? I never click on adverts anyway. They’re not making money off me”. Here’s where things take a turn for the darker….. Some of you are likely to know that when you visit a webserver your IP address details are more than certainly logged in an access log, both at the server level and potentially at the application layer. (Yes, some of you are probably already thinking about one of the many ways you can attempt to obfuscate this, VPN tunnels, P2P networks, proxy servers…etc. – but hold your horses, I’ll get to that). As unlikely as it may seem or even be to exploit this information, this instantly provides a bad actor / website owner a potential vector into directly targeting you. All those sites you’ve visited with the next big story – well, they now have your IP address and know that you’re a likely holder of XRP if not other crypto currencies. Indeed - Do you even know the XRPChat administrators personally? Can you trust them to keep your access log details secure or not act upon them themselves? ***DISCLAIMER – this is absolutely not suggesting XRPChat owners are bad actors, but simply hypothetical food for thought*** What can someone do with just a simple IP address you ask? Well. Perhaps nothing, perhaps everything. You only need to look at the horrific recent occurrences in the US of ‘Swatting’, causing armed officers to storm innocent people’s houses, sometimes with terrible consequences.
Often the innocent’s information given to law enforcement agencies is based off simple reconnaissance and enumeration of the gamer’s IP address and its geo-location information, nickname/gamer ID and their associated social media content. A lot of this information on forum users is also freely available. Sadly this is not where it ends and the above example is merely child’s play in comparison to some of the more advanced techniques that could be utilized against you. IT security is a hot topic now as we enter a world dominated by computer assisted processes. Companies play a constant cat and mouse game attempting to keep on top of new vulnerabilities and associated exploits released by legitimate security researchers and underground hackers. There’s not a day that goes by that the large OS or software producers (whether it's a traditional Linux/UNIX/Windows/MAC operating system, a mobile phone OS or even those responsible for the firmware on your smart TV or fitness tracker) aren’t releasing patches to address known vulnerabilities in software. Some of you may be confident in your patching schedules and be lucky enough to own the latest and greatest devices on the market of which you have, perhaps misplaced, confidence in to be secure enough to trust your personal information to. Others of you will likely be running old models of phones with old versions of Android or other OS which have since been retired from active development and no longer benefit from timely patching. You know, that phone that you hold a crypto software wallet on and keep an unencrypted text file of all your website login details in? Perhaps you’ve even rooted it to take advantage of a more advanced feature set, allowing any malicious code to potentially access low level system files? This brings me to those few websites that may have the potential to ruin your day even if your IP address is not revealed directly... 
I’m sad to say that there is a nefarious contingent of websites that exist with the sole purpose of exploiting weaknesses in something as simple as your web browser. You only need to google ‘browser exploitation’ for a myriad of examples on this topic. Anything from cookie tracking injection to code execution on your machine, to even total reverse shell access to your workstation is _potentially_ possible. Do not underestimate this. You can bounce your connection all the way around the world using a VPN service, but this is not going to help you should your browser or other application be compromised. The same goes for Tor or other P2P networks. Example - Back in 2013 it was revealed that the FBI were using a then unknown vulnerability in the Firefox browser’s implementation of JavaScript to reveal the real IPs of users on the network. If you think the FBI are at the forefront of online security activities, think again. Classic phishing sites are also one to look out for. The domain name looks to be legitimate but in reality it’s slightly off the names you’re actually familiar with. getehub.net looks a lot like gatehub.net, but the former is a pure pass-through credential harvesting phishing site with all the looks of the official service. According to Gatehub’s security bulletins it appears that many people have lost funds via such sites. Usually either by a simple typo, or you’ve guessed it, following a bad link in an email or public forum. And it doesn’t just stop there. Another example - Recently a friend of mine asked me to quickly audit his home network. On the face of it, everything seemed relatively in order.
That was up until the point that I discovered, unbeknownst to him, that a member of his family had exposed his home network attached storage device to the internet via firewall rules on his home router (you know, one of those NAS devices made by QNAP, Synology and the likes to store his family photos on so that if he dropped his laptop the memories would be safe and backed up). The family member wanted to be able to access the web-frontend for the device when they were out of the home in order to access or save files to it. Hey, why not huh? Well it turns out that this device had not been patched in forever and a day and was several firmware releases out of date. Sadly, during this time several severe web based vulnerabilities had been discovered by security researchers along with proof of concept exploits able to take control of this device. When exploited, not only would an attacker then have access to the complete contents of the device, but they would be able to pivot into his network unimpeded by his router’s firewall capability in order to launch attacks against his internal network’s devices and workstations. As we move into the time of the internet of things, many of us now have devices which could potentially increase our chances to be successfully targeted by the very people running those innocuous looking websites. Perhaps you now have a printer you can print photos to while away from your house? Perhaps you can turn your lights on and off or fire up your boiler while you’re on your way back from work? CCTV monitoring? These devices are all becoming potential attack vectors into your home. I was lucky enough to attend Defcon last year which is one of the better known hacker conventions. 
You can bet your bollocks to a barn dance that IoT devices are a hot topic right now and assure you that in the dimly lit hotel room parties, Vegas bars and back rooms of vendor sponsored free-beer events, these sort of non-public/0-day exploits are increasingly being traded around like hot cakes (or candy for you yankees). So, what’s in an IP address? Why should I question that random news site? You should now be in a position to tell me. If you’ve ever been part of a large office based organisation, you will likely have had to complete a yearly IT security based training course for policy or compliance reasons. This will usually partly drill home how important it is not to click on random links delivered to you in spam or phishing emails for the very reasons I’ve outlined. Most of us will know this already. So if we know this, and stick to it….. why would you click on a random link in a public forum? Finally. The topic of hardware wallets. Yes – they’re great. They take lots of the risk associated with a software wallet away and remove your dependency on a relatively unknown exchange to hold them for you. But please, please be aware that these should only be depended on as a ‘security in depth’ approach. Just like running a firewall, an up to date antivirus solution or an intruder detection system – these are simply layers of security to improve your security posture and not one should be considered foolproof. Where you build strength on one hand, you potentially weaken the other. Storing digital currency on a physical device is the equivalent of withdrawing all your money from the bank and hiding it under your mattress. Have you lost redundancy and recovery by doing so? Do you store a backup or recovery phrase in another secure geographical location? Do you trust this location? Are you more at risk of fire and water damage? How about deliberate or accidental theft? Did you bury it? What are the risks? Do you place it in a rented bank vault deposit box?
I’d be surprised if many do! Are you 100% confident that if your computer was breached that someone would still be unable to interfere or replace the software wallet on your machine, potentially modifying your next trade instructions at the application or network stack, even though you think you’re confirming the correct transaction physically on your device? If someone managed to physically locate you using some of the methodology outlined previously, could you honestly attest to the fact that under potentially extreme duress that you wouldn’t hand over the device along with the passcode? Say, if your life was at risk. These are all questions you must be able to answer and this reasoning should help justify why you must NEVER, NEVER reveal your crypto holding on a public forum and if you do – well, quite simply, you’re an idiot. For this reason, Ripple employees are never going to confirm exactly how much crypto they hold and how they store it, so stop asking! One thing’s for sure, it’s a lot more secure than yours! Now there will be people after having read all this that will be chomping at the bit to whip out their e-peen and argue the toss or emphasise subtle inaccuracies in my post, after all, that’s what internet forum replies and YouTube comments sections are for, right? Perhaps you have the burning urge to regale me with stories of how you regularly don a hat with fake beard and affix fake plates to your car right before driving to an open wifi network you know or internet café with no physical cameras, fire up your laptop that has never been purchased or registered to yourself, spoof the MAC address, use a memory-only OS such as ‘Tails’ and connect via the Tor network in order to use these forums? Perhaps you fire up a virtual machine on an isolated VLAN on your network before establishing a VPN session to Timbuktu in order to browse, then after every session securely erase your VM image before hitting the physical disk with a large sledge hammer?
This is great, and I have admiration for you for having such a strong security and privacy mindset which leads you into relatively complex processes that I certainly wouldn’t bother with in order to casually browse internet forums. There will be exceptions to my post and perhaps my suggestions are not for you. However, I’m aiming here for your average forum user like me… Stay safe out there Rippleers! Pottymoose P.S. No - I can’t help you ‘hack’ your sister’s Hotmail account, No – I won’t tell you if I have any exposure to crypto, Yes – It’s in that place that I put that thing that time. @JoelKatz – love your work & blog @Hodor – I enjoy your unwavering enthusiasm
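The look-alike domain trick the post describes (getehub.net standing in for gatehub.net), turned into a small link checker as an added example; this is not code from the post or from GateHub. It assumes a hypothetical allow-list of known-good domains (gatehub.net and xrpl.org, both named on the page), a constructed edit-distance threshold of 2, and a simplified "last two labels" notion of the registrable domain.

```python
from urllib.parse import urlparse

# Allow-list of domains the page names as legitimate (an assumption of this example).
KNOWN_GOOD = {"gatehub.net", "xrpl.org"}
MAX_DISTANCE = 2  # constructed threshold: one or two edits is the usual typo range

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using the classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_domain(host: str) -> str:
    """Last two labels of the host, e.g. 'gatehub.net' for 'login.gatehub.net'.
    Constructed simplification: production code would use the Public Suffix List."""
    return ".".join(host.split(".")[-2:])

def classify(url: str) -> str:
    """Return 'known-good', 'lookalike' or 'unknown' for one link."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    domain = registrable_domain(host)
    if domain in KNOWN_GOOD:
        return "known-good"
    # A trusted brand embedded in a foreign host (brand.net.other-host) is a look-alike.
    if any(good in host for good in KNOWN_GOOD):
        return "lookalike"
    # Otherwise compare the label before the TLD against each trusted name.
    name = domain.rsplit(".", 1)[0]
    for good in KNOWN_GOOD:
        if edit_distance(name, good.rsplit(".", 1)[0]) <= MAX_DISTANCE:
            return "lookalike"
    return "unknown"

# Constructed sample links of the kind pasted into forum posts.
SAMPLE_LINKS = [
    "https://gatehub.net/login",
    "https://getehub.net/login",                 # the look-alike cited in the post
    "http://gatehub.net.example-host.test/",     # brand as a subdomain elsewhere
    "https://xrpl.org/docs",
    "https://example.test/article",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(f"{classify(link):<10} {link}")
```

Anything flagged "lookalike" or "unknown" is worth opening from a typed, known-good bookmark rather than the posted link.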
-
I'm sure this is old news for many of the members here but it might be useful for newer members or lurkers. I have seen thousands of XRP cold wallets successfully sold on eBay, some empty and some pre-loaded with XRP. Despite claims in the listings that "all security keys are destroyed after production", the fatal security flaw with every last one of them is that you are trusting that no one in the entire manufacturing process took a photo of or wrote down the secret key. There is a period of time before the scratch-off material is applied, when the secret key is visible to anyone in the manufacturing facility. Some wallets even have the secret key uncovered on the finished product. People may be used to scratch-off cards like gift cards or lottery tickets being secure, but they are produced under high security. These wallets come with no such assurance. These products are potentially a time-bomb in that the stolen key may not be used for a long time, lulling the new owner into thinking it is secure. They have no recourse if down the road their wallet is emptied. Those potential victims may even wrongly blame Ripple the company, causing public relations problems.