Jump to content

IMPROVE PROTECTION FOR LEDGER NANO IDEA?


Recommended Posts

Hey guys,

As probably most of you know from my previous post, my ledger was probably compromised and I lost 18 000 xrp to some fradulent hacker that even has a freaking facebook page, but police is too lazy to even try catch the perpetrator :(

 

Now I am sure that there are critics etc. but forget that. Now I want to invest again and I want to prevent this sh** from happening to me or anyone else again.

 

Now What I am about to do is this:

 

I will buy a laptop, not the best not the worst ,cheap enough to do the job.

 

Buy ledger nano s from ORIGINAL LEDGER WEBSITE ONLY.

 

Buy new 8gb usb stick from reputable seller like currys pc world (in UK).

 

So what I want to do is buy the ledger nano and initialize it 3 - 4 times to make sure that the recover seed is not the same each time.

Initialise it in an actual USB wall socket rather than connect it to the computer.

Write the recovery seed down on a piece of paper and put that safely away.

 

Now with the laptop, reinstall the windows to clean win 10 install. Never connect it to the internet. Go on a clean pc, put ledger live and antivirus installator on it. Connect the usb to the laptop and install ledger live/antivirus. Connect the initialised ledger to the laptop and download relevant apps like xrp etc. Save the public wallet address in text document and put it on the usb stick. Delete all the apps from ledger nano. Now just buy the xrp on my pc with the public address i saved on usb stick and connect ledger nano only if needed on the laptop.  If I wanted to check the balance just put my address on a bithomp or some checker like that.

 

That way I think no one ever can steal my xrp again? Is there any idea on how to make it better? I know I wont connect the laptop never to internet and not get windows update etc but that shouldnt matter because no one can hack it when its not connected to internet?

 

Thanks guys!

 

-edit, already ahve the laptop - quite old acer laptop 2gb ram, intel pentium 250gb hdd. It was quite cheap

Edited by weex123
Link to post
Share on other sites
  • Replies 13
  • Created
  • Last Reply

Top Posters In This Topic

Top Posters In This Topic

Popular Posts

Agree with @XRP-JAG, this is largely overkill. If you believe in the strength of the Nano S as a wallet (which clearly you do, given that you're willing to keep using it), you should realise that

I was talking about this post where you said it was probably compromised  Anyway, it’s all completely unnecessary. Your private key never leaves the ledger. Set the ledger up, hide it away. You do

AFAICS the only reason to use a Nano is convenience, when you want to be shifting XRP around regularly. The security problem is keeping your secret key safe. So what if you put it on the Nano? Then yo

1 minute ago, XRP-JAG said:

No, your ledger was not compromised.

You made an electronic copy of your seed word, which maybe was compromised.

I literally said no critics on the last post... So why talk about last post

Edited by weex123
Link to post
Share on other sites

I was talking about this post where you said it was probably compromised :rolleyes:

Anyway, it’s all completely unnecessary. Your private key never leaves the ledger. Set the ledger up, hide it away. You don’t need it again until cashing out. The XRP is not on the stick, only your code.

So long as your 24 word seed remains secret... (ie - never typed anywhere!)... you are safe.

Link to post
Share on other sites

Agree with @XRP-JAG, this is largely overkill.

If you believe in the strength of the Nano S as a wallet (which clearly you do, given that you're willing to keep using it), you should realise that most of the actions that you listed do not give any additional security benefits. Keeping it completely offline actually prevents you from performing crucial checks (see further down).

1 hour ago, weex123 said:

Write the recovery seed down on a piece of paper and put that safely away.

You should be focusing most of your efforts on working out the best way to do this ^. You know that this is the way that someone will steal your XRP. The whole offline laptop strategy is much more appropriate for a paper wallet/cold wallet setup, and the purpose of doing it is so that when you enter the secret key on the laptop (which a paper wallet requires you to do), there is no way for it to be stolen. A hardware wallet won't send the secret key to the computer, which makes all of this extra effort redundant.


If you don't believe that the Nano S will never send your secret key to the laptop, then you probably shouldn't be using it in the first place, because you mistrust the fundamental principle of hardware wallets.

1 hour ago, weex123 said:

So what I want to do is buy the ledger nano and initialize it 3 - 4 times to make sure that the recover seed is not the same each time.

I think this is fair - although it's not a conclusive test. If the Nano has been compromised, it could have been programmed to generate any number of predictable addresses and just cycle through them. But at least it could reveal a less sophisticated attack. Perhaps more important is to make sure that it passes the official Ledger tests of whether it's genuine or not. See https://support.ledger.com/hc/en-us/articles/115005321449 and https://support.ledger.com/hc/en-us/articles/360002481534-Check-if-device-is-genuine.

Your method should also include a test that you are in control of the wallet once it's generated. So send a test transaction of a small amount when you only have a small amount of XRP on it. Of course, this requires connecting the Nano to an online computer, which again invalidates all of your efforts in setting up an offline one. But the importance of this test IMO is much greater than the importance of keeping the whole system offline.

If you honestly think that the Nano S itself was compromised, then you should not continue to use it, because it might become compromised again. If you think that your wallet was compromised because the 24 words were leaked, then all of your effort should go into keeping the next set of words safe.

Edited by at3n
Link to post
Share on other sites
1 hour ago, at3n said:

Agree with @XRP-JAG, this is largely overkill.

If you believe in the strength of the Nano S as a wallet (which clearly you do, given that you're willing to keep using it), you should realise that most of the actions that you listed do not give any additional security benefits. Keeping it completely offline actually prevents you from performing crucial checks (see further down).

You should be focusing most of your efforts on working out the best way to do this ^. You know that this is the way that someone will steal your XRP. The whole offline laptop strategy is much more appropriate for a paper wallet/cold wallet setup, and the purpose of doing it is so that when you enter the secret key on the laptop (which a paper wallet requires you to do), there is no way for it to be stolen. A hardware wallet won't send the secret key to the computer, which makes all of this extra effort redundant.


If you don't believe that the Nano S will never send your secret key to the laptop, then you probably shouldn't be using it in the first place, because you mistrust the fundamental principle of hardware wallets.

I think this is fair - although it's not a conclusive test. If the Nano has been compromised, it could have been programmed to generate any number of predictable addresses and just cycle through them. But at least it could reveal a less sophisticated attack. Perhaps more important is to make sure that it passes the official Ledger tests of whether it's genuine or not. See https://support.ledger.com/hc/en-us/articles/115005321449 and https://support.ledger.com/hc/en-us/articles/360002481534-Check-if-device-is-genuine.

Your method should also include a test that you are in control of the wallet once it's generated. So send a test transaction of a small amount when you only have a small amount of XRP on it. Of course, this requires connecting the Nano to an online computer, which again invalidates all of your efforts in setting up an offline one. But the importance of this test IMO is much greater than the importance of keeping the whole system offline.

If you honestly think that the Nano S itself was compromised, then you should not continue to use it, because it might become compromised again. If you think that your wallet was compromised because the 24 words were leaked, then all of your effort should go into keeping the next set of words safe.

I dont think I trust myself enough to acctually open the ledger up

Link to post
Share on other sites
5 minutes ago, weex123 said:

I dont think I trust myself enough to acctually open the ledger up

Are you talking about physically opening it up?

If your existing ledger confirms itself with the Ledger servers to be genuine and unedited, then the only weakness (and likely previous exploit) is the discovering of your 24 word seed.

If you never type it onto a computer anywhere ever... it is unhackable. The tricky part is keeping it in a physical location safe, but yet with contingency that there is not a single copy that if destroyed / lost prevents you from gaining access.

This is why your USB stick idea is bad. 1, because you make your words electronic, and therefore theoretically hackable.  2, because loss or corruption of that USB stick itself makes your funds inaccessible.

Link to post
Share on other sites
43 minutes ago, XRP-JAG said:

Are you talking about physically opening it up?

If your existing ledger confirms itself with the Ledger servers to be genuine and unedited, then the only weakness (and likely previous exploit) is the discovering of your 24 word seed.

If you never type it onto a computer anywhere ever... it is unhackable. The tricky part is keeping it in a physical location safe, but yet with contingency that there is not a single copy that if destroyed / lost prevents you from gaining access.

This is why your USB stick idea is bad. 1, because you make your words electronic, and therefore theoretically hackable.  2, because loss or corruption of that USB stick itself makes your funds inaccessible.

The usb stick wouldnt store the recovery seed, the recovery seed would not be typed anywhere, the usb stick is to save the wallet address for transfers nothing else

Link to post
Share on other sites
15 minutes ago, weex123 said:

The usb stick wouldnt store the recovery seed, the recovery seed would not be typed anywhere, the usb stick is to save the wallet address for transfers nothing else

You mean the public key? Could save it to USB if you want, no real benefit in doing that though over getting it from the Ledger software, saving it to favourites or having it as a post it note on your fridge.

Link to post
Share on other sites

AFAICS the only reason to use a Nano is convenience, when you want to be shifting XRP around regularly. The security problem is keeping your secret key safe. So what if you put it on the Nano? Then you have to keep the 24 words safe, so you're back to square one. May as well write the secret key down on a piece of paper if you're just buying and holding.

Link to post
Share on other sites
1 minute ago, PunishmentOfLuxury said:

AFAICS the only reason to use a Nano is convenience, when you want to be shifting XRP around regularly. The security problem is keeping your secret key safe. So what if you put it on the Nano? Then you have to keep the 24 words safe, so you're back to square one. May as well write the secret key down on a piece of paper if you're just buying and holding.

Please note, this user have no idea of what he or she is talking about take a look here:dfhiygre98wayhrwu8.thumb.JPG.50c6f68e2cc230f9862479e58d0a561d.JPG

Wallet balance and the address is on ledger live and don't  need to connect the device. This user don't  have a pale idea how the nano s work and seem never used it. What the reason of these thread ?

Link to post
Share on other sites
3 hours ago, weex123 said:

I dont think I trust myself enough to acctually open the ledger up

Most people wouldn't, and it's not necessary in most cases. But it's an option, with official instructions. Hey, open up the eBay one, never know, maybe you'll see something.

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now


×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.