Guest Posted November 20, 2017

1 hour ago, Max Entropy said:
> This is the situation that Ripple placed itself in...
>
> The following is a URL to five (5) pages of unhappy Ledger Wallet - Ripple users... citing precisely what I have stated in my posts. Five (5) pages is about 100 posts. Notice that neither Ripple nor Ledger Wallet people have done anything about this. Missing in Action
>
> https://www.reddit.com/r/ledgerwallet/search?q=ripple&restrict_sr=on&sort=relevance&t=all&count=75&after=t3_73glwe
>
> --
>
> This is the reference to the Ledger Wallet - Ripple repository. Notice, that Ledger people dismissively 'Close' the problem report about connecting to Nano S.
>
> https://github.com/LedgerHQ/ledger-wallet-ripple/issues?q=is%3Aissue+is%3Aclosed

Re: reddit posts, looks like a bunch of folks who didn't read the manual.

Re: github posts, looks like they're not developers and wouldn't understand so they kicked them to support.

To date I've had no connectivity issues. I've had no issues with sending or receiving. I'm using a Ledger Blue on Fedora. I'm keeping my fingers crossed.

Guest Posted November 20, 2017

For those that have not developed and hence supported software products... the first rule is...

- the user... the person who is experiencing the problem... is never wrong
- repeat the first rule...

The point is that either there is a bug or the user interface/semantics are problematic.

The challenge for the organization is to:

- ensure that problems do not get to the field, and if they do... be responsive and fix them sooner than later, as the cost to the company is much greater when bugs go un-identified and un-fixed.
- get the developers to become critically aware of the fact the developers INTRODUCE the bugs
- lastly, ensure the testing group is given significant visibility so as to raise issues

the rest is up to management to decide how to allocate resources.

--

Ok, this thread has gone on long enough for me.

Guest Posted November 20, 2017

3 hours ago, Max Entropy said:
> @PaulKim Hi.. I was an early adopter of Ripple... I used the Ripple Trade system. I use those addresses and I use Kraken. I also like Quoine/Qryptos because they are in Japan/Singapore where crypto is accepted by the government and hence there will be adequate funding for the difficult work in maintaining secure systems.

WTF are you talking about? You think it's more secure to store your XRP on an exchange than on the ledger nano?

kiklop Posted November 20, 2017

3 hours ago, Max Entropy said:
> For those that have not developed and hence supported software products... the first rule is... the user... the person who is experiencing the problem... is never wrong repeat the first rule...

Although there are some semi-valid points along with the rest of your FUD, the quote above is just misleading and implies that you have no real-world experience in software development (or if you really do, it's really strange or you have another agenda here, Jed :P).

The user may not be wrong when describing their issue, but that does not mean that they did not do something wrong (e.g. did not read the manual, or misinterpreted the same). The classic B2C analogy ("the customer is always right") cannot really be applied here, IMHO. It's not a cup of coffee, it's a product with a manual.

Furthermore, you act as if you have successfully hacked someone's wallet, or have been hacked yourself - but you did not. You have provided zero arguments for your statements like: "Ripple implementation does not conform to the security model".

It seems like you do not like Ledger's product or have some specific issues with your setup. Btw, if you don't like a "device with 9x5 pixel" - you get what you paid for - you could have bought a Ledger Blue.

kiklop Posted November 20, 2017

Since you have some issues regarding research and product dev skills, let me help you:

7 hours ago, Max Entropy said:
> There are a lot of things that Ripple could do, that I would value.
>
> Please let me belabour this point: If the developers of Ledger Wallet can not provide better Quality Assurance than this... then the conclusion is that WE should not be buying their products. It sounds to me like there are 'kids' developing products and do not have the experience with 'bugs in the field'. I can not state clearly enough... that this should have been caught really early on in testing... and if it did get to the field, as reported in the Ledger Wallet thread on Reddit... then Ledger Wallet should have fixed it immediately.
>
> I have looked at the Ledger Wallet on Github and it appears that 'they' do not take feedback but rather simply Close Issues... and make the problem report go away. Additionally, there are not enough problem reports to appear real. I think there are eight (8) only, if this is the case, then no one was thinking about the product... hence no issues... out of sight, out of mind.

QA could always be better, bugs happen and developers do NOT introduce them intentionally like you implied on several occasions. I've gone through the issues submitted, not as serious as you describe it here.

7 hours ago, Max Entropy said:
> The fact, that they changed their security model... is the biggest issue for me. I say this because, if they had a Chrome security model, there must have been a good reason for it. They, Ledger Wallet, people used their Chrome Security model for all cryptos EXCEPT Ripple... why?? I would bet they were incentivized to get the 'product' out early. Hence, the change to the security model. Windows is not known for its security. These are rather technical issues which I mostly understand, but do not have the hands on skills with debugging/reverse engineering tools to crack. But there are lots of guys in foreign countries who do, which is why I worry most about the security model issue.

The only fact here is that you do not do your research, but make conclusions based on your skewed point of view. It took me one google search and two clicks to answer your question, spoiler alert: it has nothing to do with your claim.

7 hours ago, Max Entropy said:
> The lack of signing the executable/installer is just silly. I do not understand this. Maybe they outsourced the installer to another company.

Installer is signed, but it is not as clear as it probably should be; this is the only point I kind of agree with you on, barely.

--

Someone could interpret that you suggest keeping coins on an exchange, not in some wallet - sure, not all wallets are created safe or equal, but suggesting that someone should be holding coins on an exchange is just wrong.

Don't get me wrong, every discussion should have a "devil's advocate", but it seems to me that you are here with the only intention to spread false information based on your assumptions with zero research or arguments provided.

And no, I do not work for either Ledger or Ripple, I'm just doing my research before my Nano S arrives, and it seems better than the rest of the pack.

nikb Posted November 21, 2017

@Max Entropy: I appreciate your review of the Ledger Nano S. But I am unsure as to why I was tagged in this conversation, since I was not involved with or responsible for the development of the Ledger wallet, the "Ripple" app that runs on the device, or the software that runs on the machine.

If and when I put out a hardware wallet for Ripple, please be sure to tag me in your review. I very much look forward to reading it.

aye-epp Posted November 21, 2017

22 hours ago, Edm22 said:
> Not sure if this is on point, as I am quite new to this space but there have been a handful of instances where an individual's XRP wallet was hacked and all of their XRP stolen....through phishing sites etc... This is one of the reasons I invested in the ledger blue, which has worked beautifully.

What I'm saying is that XRP isn't designed to be used as a public store of value.

Guest Posted November 21, 2017

6 minutes ago, aye-epp said:
> What I'm saying is that XRP isn't designed to be used as a public store of value.

I'm not sure I understand what you mean here sorry.... The reason XRP is able to be used in cross border settlement is because it has value.

Are you saying it's not meant for the general public? In that case then yeah... according to official Ripple statements that is perhaps true.... but I think it's a temporary situation. And they are surely aware it is being, and will be held and used by the general public, but that's not their target market now or perhaps ever.

In time if you are a traveler why wouldn't you want to keep your value in XRP... it's instantly transferable anywhere, and into any currency. Assuming volatility falls as price rises and volumes increase, I can see it becoming the premier store of value across the world.

The unfortunate nature of Ripple not being allowed to create wallet software etc has temporarily crimped the ease of use.... but third parties have done, and will in future, step into the breach to provide ease of use, security and peace of mind.

As it becomes embedded in all areas of finance it may just be that you are correct in that only aficionados hold it directly.... it then becomes the magic oil below the surface sliding everything along smoothly.

Guest Posted November 21, 2017 (edited)

Hi @nikb

Well, I can certainly understand why Ripple would want to distance themselves from this topic. But you will appreciate that Ripple is the ONLY crypto currency network that does not have a wallet. Aside, from the technical screw ups with BitGo and Ledger Wallet... I am sure that if looked more closely at what these people (Kids with Compilers) are doing, it would raise even more unpleasant surprises.

Reasonable people would ask WTF? Reasonable people after 3-4 years would ask the same question WTF?

--

This is an outrageous position for your company, for the employees and for your customers... I am sure. :-)

--

At what point, with what measures, do we (your investors) become first class citizens and actually get the other half of the Ripple Network product... you know... crypto require a place to put the stuff. You guys need to do something about this. I am inclined to start publicly writing to the Ripple Board of Directors on this topic... via Medium.com.

Imagine the fall out, if Ledger Wallet is hacked??

--

Well, I will not continue to beat you up, as you are decent enough on most matters.

Signing off,
Max

Edited November 21, 2017 by Guest

nikb Posted November 21, 2017 (Popular Post)

I don't know what you understand, but I am speaking only on my own behalf and not on behalf of Ripple.

As far as the topic of wallets goes, I don't think anyone likes the fact that we don't have a wide array of wallets to choose from. But it is what it is. If I could snap my fingers and produce a great wallet, I would. If I could do it 9 more times and produce 9 more, I would. But alas, I don't have magic powers.

I'm also curious about one thing: instead of looking more closely at what the "kids with compilers" are doing, why not actually create a wallet and make it available? Which brings us to another part of your post:

1 hour ago, Max Entropy said:
> At what point, with what measures, do we (your investors) become first class citizens and actually get the other half of the Ripple Network product... you know... crypto require a place to put the stuff. You guys need to do something about this. I am inclined to start publicly writing to the Ripple Board of Directors on this topic... via Medium.com.

Please don't misunderstand my post. I'm not being flippant, but I also have a limit and don't appreciate the kind of "lectures" you fancy delivering or the aura of superiority you seem to enjoy projecting while pontificating. I've attempted to engage and address your (often valid) criticisms and answer your (often interesting) questions many times, only to be generally faced with arrogant responses and comments.

With that said:

First of all, holding XRP doesn't make you an investor in Ripple. Please stop perpetuating this notion.

Second, permit me to circle back to my previous question: why bother writing to the Board of Directors - publicly or privately - when you could spend that time actually writing code for... you know... "a place to put the stuff."?

1 hour ago, Max Entropy said:
> Imagine the fall out, if Ledger Wallet is hacked??

Well, Trezor, the 800lb gorilla in the space was hacked with a piece of wire. The fall out wasn't terrible, and the sky didn't come crashing down. Although it did expose a number of bad decisions, from design to implementation that conspired to make the product less secure than one would have naively imagined it to be. The Trezor devs responded by fixing the issue, and making their product better, to the benefit of all.

Does the Ledger suffer from similar issues? I don't know. I'm not privy to their design and don't wish to be. I haven't performed a security analysis and don't want to do so. Based on my own threat model, I generally find the Nano S to be a decent product, and that assessment takes into consideration the price (at that price point I'm not expecting to get even basic hardening and tamper resistance, much less to get cool stuff like cold zeroisation).

I'll put it as plainly as I know:

- If you have found security issues with the Ledger wallet I certainly urge you to responsibly disclose them to the folks at Ledger, instead of making ranting posts on a forum of enthusiasts.
- If you have complaints about the Ledger wallet, I submit that the appropriate venue to raise them is with the folks at Ledger and not a forum of enthusiasts such as this.
- If you are intending your message to sound a caution, then I submit that you need to be a lot more specific about the problems you've identified and explain how they compromise security, instead of the sort of statements you've been making in this thread.

Don't just spread FUD.

Edm22 Posted November 21, 2017

2 hours ago, aye-epp said:
> What I'm saying is that XRP isn't designed to be used as a public store of value.

I am in complete agreement with you. XRP has a very specific use case which is IMO in a completely different class than the rest of Crypto (esp. Bitcoin), that being said personal investors are still investing in it because of its very likely massive increase in value, within its use case, and therefore are looking for a place to safely store it from those that are looking to steal it.

Guest Posted November 21, 2017

34 minutes ago, nikb said:
> I'll put it as plainly as I know:
>
> - If you have found security issues with the Ledger wallet I certainly urge you to responsibly disclose them to the folks at Ledger, instead of making ranting posts on a forum of enthusiasts.
> - If you have complaints about the Ledger wallet, I submit that the appropriate venue to raise them is with the folks at Ledger and not a forum of enthusiasts such as this.
> - If you are intending your message to sound a caution, then I submit that you need to be a lot more specific about the problems you've identified and explain how they compromise security, instead of the sort of statements you've been making in this thread.
>
> Don't just spread FUD.

Yep... that's it in a nutshell. If he really wants to help.... contact Ledger with specifics. By all means tell the community the specifics also... but do the right thing first.

But Max isn't trying to do good here... for some reason, (even though he holds and hopes to gain from XRP,) he has an axe to grind with Ripple and finds every opportunity to do so. He is like the crazy uncle that you just can't mention [....insert pet hate here.....] to or you will be subjected to a rant...

Guest Posted November 21, 2017

@nikb

Writing software requires time and commitment to the project. I do not see myself working in this area. It does not interest me. I am working on my own exploratory project which analyzes some 50 crypto exchanges in near real time for ‘instrument price data’ using machine learning in Azure. It builds on my knowledge in AI. Security systems are a different animal.

What I do expect is that a viable crypto currency network should have supporting products. Ripple does not, and these are not the terms I entered the space on. When I purchased as an investor in Ripple, I used Ripple Trade... and then my tokens were locked up in the Ripple Network at fractions of a penny for years. They still are. So I left them there.

This idea that Ripple can ‘hand wave’ these common sense issues away by saying ‘it is what it is’, does not help.

—

I may have to look at the ‘Ledger Wallet for Ripple’ soonish. I am thinking that I will take a copy of the executable from the Program Files directory in Windows. Transfer the file to a development machine; modify the executable; and then return it to the original Windows 7 machine on which it was installed. If the executable is not blocked by Windows OS, and if it executes... then I will have demonstrated why it is important to use a secure environment like Chrome.

The whole point about the Chrome version of Ledger Wallet software is that it can run on a compromised machine. Clearly, a ‘Ledger Wallet for Ripple’ native Windows app which connects to Ledger Wallet and to the Ledger Wallet USB, appears to be less secure. How will banks deal with this?

—

I am beginning to think that the ‘Ledger Wallet for Ripple’ native Windows app was not written by Ledger Wallet people... as I really can not understand why the security model was broken; and why the installer was not cryptographically signed; and why it is not supported. This makes no sense if Ledger Wallet was the developer. It does make sense if they are not the developer.

—

Ripple has been getting an easy ride here on XRPchat as everyone is a fan. Elsewhere in crypto land no one is paying attention to Ripple tech, hence no feedback on the silly things that transpire. In a normal development environment the folks who developed and deployed the ‘Ledger Wallet for Ripple’ would be fired. But here... it is what it is... year after year... you will recall I said the same things in 2016 October.

—

We should drop this discussion, else it will become more technical as I drill down on what the ‘Ledger Wallet for Ripple’ code actually does.

There are people here that have expressed concern that my public statements could hurt the price. Few are concerned that Ripple ecosystem products suck. Fewer are concerned about security.

I would not normally be this vocal, but we are talking about ‘big bucks’ and great responsibility... and, I would like a product that I can use, both for a mobile device and for offline hardware storage.

—

There are things that Ripple could do, if Ripple thought Ledger Wallet software did not meet expectations. Ripple could ask Ledger Wallet to not use the ‘Ripple’ intellectual property.

Signing off,
Max

nikb Posted November 22, 2017

I'm unsure why you are addressing all those issues to me. If you have problems with Ledger and the software they provide, then by all means... contact Ledger.

With that said, it's unclear to me why it matters if the executable you run on your windows machine can be surreptitiously modified. The whole point of a device like the Nano S is to keep the signing keys safely tucked away in a device that is designed to prevent them from being exported.

Let me make this clear: Unless you're able to use a Wallet or a Trezor or other similar devices on a virus- and malware-infested machine without compromising your secret key which should remain safely inside the device, then those devices are broken.

That's not to say their binary shouldn't be signed, but Authenticode isn't a panacea. First, anyone can modify the code and re-sign it with a different cert. Certs are stolen all the time. And workarounds (of varying complexity) have been developed.

Anyways... as I said, please raise your complaints with Ledger directly. Venting here doesn't help.

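
Added example, not part of the thread and not Ledger's code: a PowerShell check that separates the two Authenticode questions raised above, whether the file was modified after signing and whether it was signed by the publisher you expect. `Test-PinnedAuthenticode` is a hypothetical helper name, and the all-zero thumbprint is a constructed stand-in for a value obtained from the vendor out of band.

```powershell
# Added example. Test-PinnedAuthenticode is a hypothetical helper, not a
# built-in cmdlet; it wraps the real Get-AuthenticodeSignature cmdlet.
function Test-PinnedAuthenticode {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # SHA-1 thumbprint of the publisher's signing certificate, obtained
        # out of band. Spaces and colons are tolerated.
        [Parameter(Mandatory)] [string] $ExpectedThumbprint
    )

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate
    $want = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

    # 'Valid' means the file hash matches the signature and the chain ends in
    # a trusted root. A binary modified after signing reports 'HashMismatch';
    # an unsigned one reports 'NotSigned'.
    $statusOk = $sig.Status -eq [System.Management.Automation.SignatureStatus]::Valid

    # A modified binary that was re-signed with some other trusted certificate
    # is also 'Valid', so the signer identity has to be compared separately.
    $pinned = ($null -ne $cert) -and ($cert.Thumbprint -eq $want)

    [pscustomobject]@{
        Path        = $Path
        Status      = $sig.Status
        Subject     = if ($cert) { $cert.Subject } else { $null }
        Thumbprint  = if ($cert) { $cert.Thumbprint } else { $null }
        Timestamped = $null -ne $sig.TimeStamperCertificate
        Pinned      = $pinned
        Trusted     = $statusOk -and $pinned
    }
}

# Demonstration on a file present on any Windows host: the running PowerShell
# binary. The all-zero thumbprint is a constructed value standing in for
# "a different publisher", so Pinned and Trusted come back False even when
# Status is Valid.
$self = (Get-Process -Id $PID).Path
Test-PinnedAuthenticode -Path $self -ExpectedThumbprint ('00' * 20)
```

A pinned thumbprint has to be updated when the publisher renews its certificate, and neither check detects a binary signed with the publisher's own stolen certificate, the case the post above mentions.
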
Guest Posted November 22, 2017

Closure... for those that have followed this thread, you will note the following:

- Ripple does not dispute the issues I raised
- Ripple would like to see these issues discussed elsewhere, out of sight, out of mind
- Ripple has offered no guidance re: these issues

I won't be responding to more comments. Discerning readers will understand the outcome.