LedgerWallet - Nano S - Does not Work


Guest

@JoelKatz @nikb and the Rest of Ripple,

I had planned to do a more informed investigation of the Nano S, but this is your problem. The problem in general, is that Ripple no longer has a hardware wallet, and to a large degree this should fall into the lap of Ripple and not the pseudo-developers at Ledger Wallet... after all, it is the clients of Ripple that will experience the problem.

Observations:

  • Nano S - Ripple implementation does not conform to the security model, that Ledger Wallet has defined using secure Chrome and Chrome Apps. I could say more, but you guys know by now what the issues are. The real question is... why? Who pushed for a quick implementation?
  • Nano S - Ripple implementation has SIMPLE bugs that even a co-op would find, which leads me to conclude that Ledger Wallet is not testing. Specifically, when the Ripple software (and it is Ripple because it uses Ripple-Lib) is installed on Windows 10 (I reproduced this on two machines, not clean machines) does not detect the Nano S USB device, while Bitcoin and Ethereum apps do.
  • The Ledger Wallet implementation for Ripple does not use a signed and therefore trusted installer. Why?

If I were going to hack this device, I would look at the communications between the Ripple Native Windows app, and the Chrome Ledger Manager app. I mention this because, it appears to me, that the implementation was rushed. I refer to this as quick and dirty. The question, at a future date, may be raised as to which company pushed for the quick and dirty implementation.

Like the BitGo software, the Ledger Wallet software sucks. 

Lastly, only the desperate would choose a hardware device with 9x5 pixel characters at a resolution of teeny-tiny.

The guys at Ledger Wallet are twits.

--

So to you folks on the forum, many of you will be saying... it works for me... no problem.

That is not the issue, at ten (10) miles high you can not see much of what is happening internally. The points here are two (2):

  • if Ledger Wallet can not find and fix the easy problems, then they will not find the nuanced problems.
  • Ledger Wallets know that there are problems, in fact, they knew in August that there was a Ripple USB device detection problem, but have done nothing. See Reddit.
  • if the Ledger Wallets can be compromised, then as John McAfee says, you will not know until, one morning when the price of Ripple is 5$ and then a bunch of Nano S devices lose funds. The point here is that a hacker will go for maximum return.

Very disappointing... again.

--

If Ledger Wallet does not fix this, I will write a more detailed version of this problem for Medium.com platform.

Link to comment
Share on other sites

Max, I just ordered a ledger nano s yesterday.  Should I use it or not?  Good God man, for those of us without your tech knowledge, you have thrown a curve ball that’s left me swinging at the wind.  Right now my xrp is sitting in wallets on bittrex and gatehub and I assumed ledger nano s was the safest option. 

Link to comment
Share on other sites

@MoneyShot Hi..

The problem with guys like me, is that I see problems quickly, but I am not funded or motivated to do deep analysis. I have friends who purchased the Nano S and they ask me the same question.

This is NOT advice but these are my thoughts:

  • I continue to stick it to Larson because the issues you are experiencing are entirely related to Lack of Eco-System... and no... to some of you, I am not going to define the term. People without wallets (software or hardware) are by definition compromised. I hate that position. We know that the exchanges will be hacked because that is where the money is. We know the value will increase, and that is why we hold the crypto.
  • I do not know enough about how to manually create Ripple Addresses. I expect that there are people who do, on this forum. I expect that manually created addresses are the safest, as they can then be used to create a paper wallet.
  • I know what testing is about. Testing or Quality Assurance protects a software company from both the push from marketing, from sales, and from overzealous developers. Developers are the source of most bugs. I have referred to Ledger Wallet people as twits, because non-twits take their business seriously enough to FIX and ACKNOWLEDGE bugs. From what I can see from various sources, Ledger Wallet does not. It would appear that they are working on new stuff.
  • I have friends who are asking me similar questions... what to do? I don't have any good answers.

My sense is that Ripple SHOULD be offering guidance... in the absence of a competitive and healthy Eco-system.

--

The real irony here is that we know the Ripple folks all hold XRP personally, and as a company. Further, we know that Ripple does not have any wallet 3rd party software. BUT! We know that the good folks in Ripple will be using 'some form of wallet software' for 'personal' and 'corporate' use.

So, I would put it to Ripple, just as the banks would/will put it to Ripple... 

  • What do you use?
  • Can we have a copy of that technology?
  • Why not?

--

I know that software that has easily found problems will equally have complex problems. From experience, problems manifest themselves when two (2) or more events present. So the QA guys have to spend the time to introduce combinations of issues.

--

My sense, is the following:

  1. we listen to any guidance that Ripple will offer on this topic
  2. we use manually created addresses and secrets. Fortunately, I still have a bunch from the Ripple Trade days.

I worry, that like the Ethereum Parity wallet that recently locked up millions of Ether... bugs are a problem. Extensive testing and fixing is the only solution. What I find egregious is that Ledger Wallet changed their security model for Ripple release and did not cryptographically sign the installer. This makes no sense to me.

Link to comment
Share on other sites

6 minutes ago, Max Entropy said:

The real irony here is that we know the Ripple folks all hold XRP personally, and as a company. Further, we know that Ripple does not have any wallet 3rd party software. BUT! We know that the good folks in Ripple will be using 'some form of wallet software' for 'personal' and 'corporate' use.

So, I would put it to Ripple, just as the banks would/will put it to Ripple... 

  • What do you use?
  • Can we have a copy of that technology?
  • Why not?

@Max Entropy I think you might scare some folk away with the aggressive way your posts read but you raise some very valid points (and some others that just go over my head). Security of assets should be a paramount concern to all, especially considering the potential long term gains. I love the point you raise above as I would also like to know where the Ripple folk keep their XRP.

Link to comment
Share on other sites

Of course, I will... but security is a big deal, almost as big as corporate direction, and day to day management of the company.

:-)

I am gone, not much more could be said.

Link to comment
Share on other sites

Interesting thread and thank you Max for putting time to address your fear, uncertainty and doubt about storing xrps on both exchanges and the nano s hardware wallet. Out of curiosity, would you mind sharing where you store your xrps?

Link to comment
Share on other sites

2 hours ago, Max Entropy said:

 

  • Nano S - Ripple implementation does not conform to the security model, that Ledger Wallet has defined using secure Chrome and Chrome Apps. I could say more, but you guys know by now what the issues are. The real question is... why? Who pushed for a quick implementation?

I have no idea what you are trying to state here - if you can state exactly what your issue is, rather than speaking in riddles, then people may be able to help. 

2 hours ago, Max Entropy said:

 

  • Nano S - Ripple implementation has SIMPLE bugs that even a co-op would find, which leads me to conclude that Ledger Wallet is not testing. Specifically, when the Ripple software (and it is Ripple because it uses Ripple-Lib) is installed on Windows 10 (I reproduced this on two machines, not clean machines) does not detect the Nano S USB device, while Bitcoin and Ethereum apps do.

This sounds more like a Max Entropy issue, as you need to ensure that the settings for the ledger xrp app, on the ledger itself, are set to enable the app to connect with the ledger device.  If you fail to do this, it won't let you access.   

2 hours ago, Max Entropy said:

 

If I were going to hack this device, I would look at the communications between the Ripple Native Windows app, and the Chrome Ledger Manager app. I mention this because, it appears to me, that the implementation was rushed. I refer to this as quick and dirty. The question, at a future date, may be raised as to which company pushed for the quick and dirty implementation.

 

You can't hack the device because the physical device itself is used as the private key for confirming any and all transactions - you have to physically press buttons on the side of the ledger to process a transaction... period.  

The only way a malicious third party can access and export your funds from the ledger, is if they break into your house, tie you up, and threaten to chop up your wife unless you supply them with the ledger and your pin.

Link to comment
Share on other sites

1 hour ago, tartankiwi said:

I've had zero issues with the way my ledger works - I'm extremely happy with it.  

Same, but I can't say that I fully grasp the specific concerns raised above by @Max Entropy.  

I was also under the impression that it would be difficult for a third party to hack the physical device without having access to it. Is that incorrect?

Also, I don't quite understand why @Max Entropy believes that "Like the BitGo software, the Ledger Wallet software sucks," or, for that matter, what is bad about BitGo.  I thought that BitGo was used primarily by large corporate customers. 

 

Link to comment
Share on other sites

You folks are not developers... you won't get it... please carry on, nothing to see here.

--

This is Mike Novogratz speaking about Joe Lubin of Ethereum... and the Ethereum Eco-system... and why Bitcoin Core developers exist and can work for free in their Eco-system.

Time is tight for Ripple... 

 

The Herd is Coming... Mike Novogratz

 

Link to comment
Share on other sites

@Sharkey

I have no interest in being motherly... I expect companies and individuals to do their jobs.

I have no interest in belabouring issues here in a public forum, but as open source has yielded open responses, and these companies are clearly failing to function as if we paid money for their products. I expect the products to work. I am not naive. All software has bugs, but I expect developers to be attentive to fixing reported problems... and not expect designers to design 'quick and dirty' implementations which lack common sense security features.

I have stated each of my issues clearly.

It is up to you, to deal with it.

:-)

Link to comment
Share on other sites
