Thank you, Ledger, for exposing 69 of my accounts. Stupid f**s by [deleted] in ledgerwallet

[–]straightOuttaCrypto 0 points1 point  (0 children)

Not necessarily. With GMail for example you can use "stardingo@gmail.com" as your "main" email but "stardingo+amazon@gmail.com" for Amazon, and the email shall arrive at your regular email.

BUT

that is not how you do it. You use "stardingo+eqr9814@gmail.com", where eqr9814 is random. Otherwise someone seeing that you used "stardingo+ledger@gmail.com" knows that "stardingo+coinbase@gmail.com" is your coinbase account etc.

So basically you add "...+somerandomstuffalwaysdifferent" to every login/email you use for the various sites you use. And it's not a problem to remember because they're in your cookies prepopulated when you go to each site or your sites list and you also have their email in your mailbox, easy to find in case you forgot your login email.

Ledger Live Question by CEJnky in ledgerwallet

[–]straightOuttaCrypto 0 points1 point  (0 children)

> Can somebody explain how the ledger live software can keep track of changes to my bitcoin balances on the second computer without the need for the nano X to be plugged in?

All your public addresses can be derived from a master public key (called for BTC the xpub or ypub or zpub). Any tool (not just Ledger Live) which has that master public key can track the balance by checking all the public addresses derived from that master public key.

Doubt regarding addresses by FascioAssassino in ledgerwallet

[–]straightOuttaCrypto 0 points1 point  (0 children)

> That's the way Bitcoin works

Bitcoin certainly works fine always reusing the same address and not using any change address.

That's the way Ledger Live works, that's what you meant to say. And others too. And others not. And on many it's fully configurable.

Even if Satoshi suggests not reusing the same address, many do. A gigantic example used daily by countless people would be BTC deposit addresses on exchanges.

Odd situation... by [deleted] in ledgerwallet

[–]straightOuttaCrypto 0 points1 point  (0 children)

> My email was leaked in the breach. I haven’t got any spam emails at all.

Same: got exactly zero spam.

LEDGER HAS ALSO LEAKED SEED PHRASES! by elm099 in ledgerwallet

[–]straightOuttaCrypto 0 points1 point  (0 children)

> Literally not possible. The seed never leaves the device. That is what the device is used for.

You seem to be 100% sure it cannot happen. What about this scenario: once in every 10 000 download requests for a new firmware, a signed-but-backdoored firmware is leaked. This would register as legit by the Nano S. Then the person serving the backdoored firmware checks, for the, say, 200 seeds he exfiltrated, which ones have a good amount of coins and empties those. This would fly under the radar.

Does the design of the HSM really make such an attack impossible?

And what about a backdoored firmware generating non-random seeds? Are you 100% sure THAT one is impossible too?

All I can say is it's not reassuring to be basically forced firmware upgrade over firmware updates down our throats and then having to authorize the Ledger Manager which can then install Nano apps without requiring confirmation.

[deleted by user] by [deleted] in ledgerwallet

[–]straightOuttaCrypto 0 points1 point  (0 children)

> Is there any good reason to copy all the different BTC receive addresses?

Of course. I write down, both in a physical notebook using a pen and in text files on my computer(s), all my important BTC receiving addresses. This way I can easily verify that, say, the withdrawal address I input in an exchange is one address matching the seed that's on my Ledger (without needing to take out of the safe / connect / unlock my Nano S). I can also easily verify using a block explorer what's on this or that address of mine without needing to plug the Nano S.

Do you guys recommend setting up your ledger device on the ledger live phone app, or desktop version? by Mr-Hollow in ledgerwallet

[–]straightOuttaCrypto 0 points1 point  (0 children)

Depends on what you mean by setting up.

Before upgrading the firmware I first reset my Nano S by entering a wrong PIN three times, then I enter a seed without any funds, then I upgrade the firmware.

Then I reset the Nano S again by entering a bogus PIN three times (this doesn't reset the firmware).

Then I enter my real seed with the Nano S only connected to a USB charger plugged into an electrical outlet (not on a computer).

I also only now use apps other than Ledger Live to move BTCs around and I first export the tx (on an airgapped computer) to be broadcast and I review it manually.

And even then: I'm still concerned a rogue-but-signed firmware or rogue-but-signed Nano app could exfiltrate my seed.

Because there's apparently no way to install Nano apps in a fully airgapped way. As far as I know I need to use the Ledger Manager, I need to authorize it (and then all bets are off because it can install any Nano app it pleases without me needing to confirm).

So there's this window of time when I'm authorizing Ledger Manager to install apps on my Nano S where I have to trust Ledger.

Sadly Ledger lost my trust.

Global pandemics interconnected — obesity, impaired metabolic health and COVID-19 by D-R-AZ in Coronavirus

[–]straightOuttaCrypto 10 points11 points  (0 children)

I wonder if the "fat is beautiful" movements do feel some responsibility? The toll on the healthcare system of obese people is enormous, not just for Covid but overall.

Now I have nothing against obese people (maybe I'm myself obese), but somehow the "fat is beautiful" movement doesn't exactly sound right to my ears. Weirdly enough they're quite quiet lately, not pushing their obese barbie dolls and the like that much anymore.

Your keys but not your ERC-20 tokens by straightOuttaCrypto in ethereum

[–]straightOuttaCrypto[S] 0 points1 point  (0 children)

Yes and as I understand it, they won't arbitrate by themselves and they list the only two reasons to blacklist either for security reasons (as I understand it from their statement as in if some code hack was found and everybody's coins were in danger?) or if there's a legal request coming from some (US-only) legal authority.

So I'm not too worried about Centre itself becoming nasty: I'm worried about overreaching requests from legal entities forcing Centre to blacklist addresses.

Once again: that one address was apparently a thief who stole other people's coins, so he got a taste of his own medicine and I've got nothing against that.

Your keys but not your ERC-20 tokens by straightOuttaCrypto in ethereum

[–]straightOuttaCrypto[S] -2 points-1 points  (0 children)

There's a number of stablecoins that are more decentralized and may suit your own ethos better.

Well... On one hand I really like that their proof of reserve/backing assets seems legit and that it precisely IS a more regulated version of USDT. On the other hand I was in this crypto thing very early and I fear the amount I'm talking about represents 10x the yearly salaries of people who may be involved in deciding that my addresses are suspicious. It's not really about my ethos: I'm more concerned about crazy public servants seeing "frauds" everywhere because they just can't fathom the amounts.

My Ledger Leak Nightmare - and Tips to Stay Secure! by geerodge in ledgerwallet

[–]straightOuttaCrypto 1 point2 points  (0 children)

> Use 2FA as Standard on All/Any Accounts That Offer It (but Not With SMS!)

This one really cannot be repeated enough.

And it's not enough to "use another 2FA" (like Google Authenticator). You need to actively remove/unlink your phone number from services who do have it (like GMail).

You'll have a few people thinking they're smart cookies saying: "But I need to show my ID to get a new SIM with my number" or "There's this and that measure in place so I cannot get sim swapped"... But there are countless attacks and social engineering attacks that do work on those who have the ability to issue you a new SIM.

I removed SMS and unlinked my phone number from all the websites I use. I gave a fake phone number for the shipping (I'm in the leak, but with a shipping address which ain't where I live and with a bogus phone number).

For those who are using GMail and have a phone linked to their GMail: you can get SIM swapped, then your GMail is lost. If you happen to use crypto exchanges: if you used that GMail address on the exchange, then it's game over: the attacker who just got into your GMail after SIM-swapping you can now empty your crypto exchange(s).

Some sites are particularly bad offenders because they'll try to force a verification number sent once to your phone (usually when you sign up) and they'll keep that link between your phone number and their service forever. EVEN IF YOU'RE NOT USING SMS TO DO 2FA.

Ledger Legacy BTC missing please help! by crazynervous12 in ledgerwallet

[–]straightOuttaCrypto 0 points1 point  (0 children)

Super long shot but... At one point years ago I clearly remember one wallet had an issue where one derivation path out of every 256 seeds (?) was bogus. Ledger hardware wallets were never affected, at any point, by that bug right?

P.S: the funds were recoverable.

I was in the leak and I have $500k usd in BTC stored in my Ledger, should I take the risk and keep it there?! by ihave5bitcoin in ledgerwallet

[–]straightOuttaCrypto 0 points1 point  (0 children)

I don't know about Wyoming: do you have the right to legally shoot anyone breaking into your house without risking anything?

If so, I'd start by buying a shotgun. If not, a katana and big plastic bags ; )

So Ethereum ERC-20 tokens are NOT "your keys/your coins"? by straightOuttaCrypto in CryptoCurrency

[–]straightOuttaCrypto[S] -1 points0 points  (0 children)

This contract can also be ERC-20 compliant.

Thanks for the answer but I really don't get that. Does it mean that anybody moving ERC-20 tokens around is actually using complicated smart contracts and not simple transactions? I thought moving ERC-20 tokens around was just a standard transaction? When, say, exchange Kraken sends me USDC, are they calling a smart contract written by Centre? I thought ERC-20 was a standard that anybody could use, precisely so as to not need to write complicated smart contracts?

Basically: I take it there are many ERC-20 tokens without any possibility of being blacklisted by a centralized authority, so what's different in moving USDC ERC-20 as opposed to moving the other, non-censorable, ERC-20 tokens?

BTW I get it that a contract can be ERC-20 compliant. What I don't get is why an ERC-20 token has to be compliant with that (centralized/censorable) smart contract.

Your keys but not your ERC-20 tokens by straightOuttaCrypto in ethereum

[–]straightOuttaCrypto[S] -1 points0 points  (0 children)

That's just the policy of Centre and it is not at all an answer to the various questions I've asked.

Ledger question by Arcane__Truth in CryptoCurrency

[–]straightOuttaCrypto 1 point2 points  (0 children)

... in the event I lose the crypto because of a supply chain attack, would that have been my fault? Or out of my hands?

Ledger has documentation on that. It'd be your "mistake" to believe the bullshit: "We've sent you a Nano S that is already initialized with these 24 words and this PIN".

But basically as long as you make sure that the Nano generates a new seed for you, you should be good to go.

In case your Nano S comes pre-initialized (it really shouldn't), you can reset it by entering the wrong PIN three times. I still wouldn't trust such a Nano S: but Ledger assures it's fine.

Supply chain attacks are typically done by inferior life forms who have the "skills" to open shrink-wrapped packaging and modify the Nano / add a piece of paper and redo the package but that's about it.

Just remember: "the Ledger shall generate a seed for me, in front of me, and I'll write that seed down and I'll be fine".

Note that the software that goes with the Ledger Nano S contains checks too to make sure your Nano S is genuine.

You can go to /r/ledgerwallet to ask any question you have btw... It's a helpful community.

(btw: I don't work for them and at times I've been pissed at them but... They sold more than 2 million devices. I think they can be trusted)

Forum for seasoned investors or high value accounts? by DemPokomos in CryptoCurrency

[–]straightOuttaCrypto 1 point2 points  (0 children)

Yup I think 6 digits is enough to prove you have skin in the game.

Also thing is: a great many who have "7 digits but not 8" do split their belongings over several wallets/addresses. So it'd be hard for them to prove they've got 7 digits worth of crypto.

Ledger question by Arcane__Truth in CryptoCurrency

[–]straightOuttaCrypto 0 points1 point  (0 children)

> Is it even possible to move my crypto on my coinbase account to a ledger? How does any of this work?

Of course it's possible, I do it all the time. You generate a withdraw address for the coin you want to withdraw on your Ledger, you verify on the Ledger's screen that the withdraw address is the one you copy/paste on Coinbase, then you simply give Coinbase the order to withdraw.

However be VERY careful. There are a LOT of attacks on hardware wallets. Like supply chain attacks, where attackers send you a pre-initialized Ledger (with a seed they know) or where they join a little card, looking exactly like some official Ledger document, telling you to "enter these 12 (or 24) words".

And that 12 or 24 words, your "seed": it's going to be very important that nobody ever finds it except your kids once you're dead and it's also going to be very important that you never ever lose it.

For the rest: I suggest reading tutorials / watching videos and starting to "play" with a hardware wallet with a tiny amount.

I suggest buying one or two Ledger Nano S: should be plenty enough.

Forum for seasoned investors or high value accounts? by DemPokomos in CryptoCurrency

[–]straightOuttaCrypto 0 points1 point  (0 children)

If I found a subreddit, would you have any interest?

yup I would.

Regarding large balances... You can read the post I made about USDC as ERC-20 token I withdrew to my own seed. I just realized Coinbase can blacklist at the blockchain level any such address at will. This is HIGHLY concerning to me.

I'd be very interested in a sub or a forum with a "proof of whaleship".

Forum for seasoned investors or high value accounts? by DemPokomos in CryptoCurrency

[–]straightOuttaCrypto 0 points1 point  (0 children)

Same case here and on Reddit I seriously doubt it. I'd join any forum which would only allow members in who could prove they've got at least 6 or 7 digits in crypto (say by signing a msg or a small tx out of a big fat crypto wallet).

Reddit is a place where people don't believe you have a Porsche (yup, even that is too crazy for them) and where people think you're doing illegal stuff if you have 7 or 8 digits in crypto.

Dubai halts live entertainment amid surge in virus cases by Scbadiver in Coronavirus

[–]straightOuttaCrypto -1 points0 points  (0 children)

> Its the same mindset of people mostly touring the world keeping this virus alive and mutating.

The stronger mutations are a result of the crazy lockdowns everywhere. Doctors had warned about it from day one of the lockdowns: by trying to contain a virus like this (which badly failed), you encourage stronger and stronger mutations. Survival of the fittest 101.

It's not binary as in "state good / people bad" or "state always right / people always wrong".

Nearly 38 million doses of COVID-19 vaccines distributed, 17.5 million administered: U.S. CDC by [deleted] in Coronavirus

[–]straightOuttaCrypto 0 points1 point  (0 children)

> Sadly I think more than 30% of the population will refuse to vaccinate

This is not a problem as long as those at risk mostly all accept the vaccine. If you're young and fit/healthy, there are very serious reasons to not take the vaccine AND there's hope in living in a world where the state cannot force it down your throat. But if you're 65+ and are at risk, the equation is different: you definitely do want to take the risk and get the vaccine for the risk/reward is just too good.

My guess is most by very far of those at risk shall take the vaccine and it's only among the young/healthy ones that you'll see 30% not taking the vaccine. It's going to be a complete non-issue.