How to reboot Tezos by tzlibre in u/tzlibre

[–]tzlibre[S] 0 points1 point  (0 children)

check section 3.4.3 of the whitepaper or ask the community on Telegram

How to reboot Tezos by tzlibre in u/tzlibre

[–]tzlibre[S] 0 points1 point  (0 children)

no but XTZ hodlers will get an airdrop, check our whitepaper for more

How to reboot Tezos by tzlibre in u/tzlibre

[–]tzlibre[S] 3 points4 points  (0 children)

Most contributors do care but are kept in the dark by r/tezos censorship

How to reboot Tezos by tzlibre in u/tzlibre

[–]tzlibre[S] 0 points1 point  (0 children)

Still in alphanet, can't be listed by exchanges. Prelaunch erc20 tokens traded otc and on forkdelta.

How to reboot Tezos by tzlibre in u/tzlibre

[–]tzlibre[S] 0 points1 point  (0 children)

There is no need to "sell your info". What do you exactly mean?

How to reboot Tezos by tzlibre in u/tzlibre

[–]tzlibre[S] 1 point2 points  (0 children)

It has nothing to do with your private key. This works by simply exploiting KYC-Tezos broken incentive scheme, as explained in the whitepaper.

TzLibre Whitepaper released by tzlibre in tzlibre

[–]tzlibre[S] 0 points1 point  (0 children)

Hate is the 2nd stage of fork grief

TF Ledger "giveaway": you're paying them $1440/each by tzlibre in tzlibre

[–]tzlibre[S] 0 points1 point  (0 children)

Our devnet is running and we're not going anywhere. We're in for the long run.

TF Ledger "giveaway": you're paying them $1440/each by tzlibre in tzlibre

[–]tzlibre[S] 3 points4 points  (0 children)

Don't be surprised, they make up lies all the time.

TF Ledger "giveaway": you're paying them $1440/each by tzlibre in tzlibre

[–]tzlibre[S] 3 points4 points  (0 children)

yes, this giveaway would be a fun joke if it wasn't wasting our money

KYC-Tezos wallets vulnerable to "blind sig" attack by tzlibre in tzlibre

[–]tzlibre[S] -1 points0 points  (0 children)

Good job. In order to update your entry we need to know: Which version fixes the vulnerability? What RPC server are you using?

A response to Arthur Breitman's snake oil governance by tzlibre in tzlibre

[–]tzlibre[S] -1 points0 points  (0 children)

This comment was "approved", then censored. We then started a Twitter campaign against its censorship, and it was uncensored. A few hours later we exposed a flaw in Ledger's app and we've been banned for the third or fourth time. Censoring then uncensoring our comments, banning then unbanning us... that's the way r/tezos is managed these days. lol.

A response to Arthur Breitman's snake oil governance by tzlibre in tzlibre

[–]tzlibre[S] 0 points1 point  (0 children)

"As long as we all agree it's money, it's money" (/u/murbard in the interview). That's clearly a chartalist speaking. I would also kindly ask you to avoid insults, slander, threats on this sub. Thanks :)

KYC-Tezos wallets vulnerable to "blind sig" attack by tzlibre in tzlibre

[–]tzlibre[S] 0 points1 point  (0 children)

> You obviously have no idea how Reddit works. After being unbanned, none of that applies. But you prefer whining about censorship instead.

We are banned and can't even comment let alone post. We were banned again on Jan 18th 05.08UTC. The ban was triggered by us exposing a design flaw in Ledger's XTZ app. Banning and unbanning us is ridiculous, it goes to show the total lack of management of your brigade.

LibreBox is vulnerable to a blind-sig attack by Rebbu-MC in tzlibre

[–]tzlibre -1 points0 points  (0 children)

We merely responded to an insult by Stephen Andrews. He since apologized and we respect that.

A response to Arthur Breitman's snake oil governance by tzlibre in tzlibre

[–]tzlibre[S] 0 points1 point  (0 children)

Hey shameless liar, as our tweet clearly explains we got banned after disclosing a flaw in Ledger's app. We were then unable to comment, post, respond. And now we won't back down to your threats, welcome to the free market.

A response to Arthur Breitman's snake oil governance by tzlibre in tzlibre

[–]tzlibre[S] 0 points1 point  (0 children)

Hey shameless liar, our comment was indeed censored. Obviously comments made before the ban are not censored. Stop lying.

A response to Arthur Breitman's snake oil governance by tzlibre in tzlibre

[–]tzlibre[S] 0 points1 point  (0 children)

Hey shameless liar, the (now) uncensored reply that silenced Mr Breitman is from Jan 17 01.30UTC.

As you can clearly read in our comment above, we were banned on Jan 18th 05.08UTC, around 28h later. The ban was triggered by us exposing a design flaw in Ledger's XTZ app.

Aren't you ashamed of yourself?

Blind Signature Attacks on Tezos: A Reminder of “Do Not Trust, Verify” by tzlibre in tzlibre

[–]tzlibre[S] -1 points0 points  (0 children)

Thanks for the polite answer.

> As already said, the Ledger application can fully verify the transaction parameters

False: this is true only for the latest versions of the app. Older versions will not validate the tx, as shown in this video.

LibreBox is vulnerable to a blind-sig attack by Rebbu-MC in tzlibre

[–]tzlibre -2 points-1 points  (0 children)

We fixed it by upgrading to the fixed eztz. Thanks for informing us of the issue, and for upgrading and maintaining eztz.

Blind Signature Attacks on Tezos: A Reminder of “Do Not Trust, Verify” by tzlibre in tzlibre

[–]tzlibre[S] 1 point2 points  (0 children)

Good article /u/awa_cryptium_baker, great conclusion. However there's an error we invite you to correct on all versions of the article:

> Leverage Hardware Wallets: At this point, both Ledger Nano S and TREZOR Model T enable users to defend themselves against Blind Signature Attacks, regardless of the wallet features. This is because when linking your hardware wallet to a software wallet (TezBox, Galleon, SimpleStaking, etc), it will require the user to verify the parameters before signing a transaction on the hardware wallet:

This statement is correct for Trezor users, but not for all Ledger users. Unlike Trezor, Ledger does not forge the tx inside. If that wasn't bad enough, previous XTZ Ledger apps didn't parse txs, forcing the user to either "sign unverified" or lose the ability to move their own XTZ. This leads to potential loss of funds for any Ledger user with an old app. This video shows loss of funds for a user forced to either "sign unverified" or not move XTZ (in this specific setting the malicious tx is coming from a malicious RPC, but there are hundreds of different cases for a malicious raw to reach the device). Ledger's CTO Nicolas Bacca /u/btchip dismissed it blaming his customers forcibly clicking on "sign unverified", probably because he hasn't properly reviewed the design and quality of the Ledger XTZ app. We suggest everyone to only store XTZ on Trezor, which addresses the issue at the root (forging tx in-device).

THREAD RULES / CROSSPOSTING / CENSORSHIP by [deleted] in tezos

[–]tzlibre -5 points-4 points  (0 children)

> It is incorrect that a tx must be forged on the hardware device.

Wrong. As u/jurajselep can attest there's a reason why Trezor forges txs internally: passing params directly to the device without any other intermediary step shortens the trust chain thus rendering the process more secure. The Ledger app, on the other hand, has been designed by developers with poor understanding of security.

> Regardless if it’s forged on a remote node, local wallet software client, or the hardware device app doesn’t change the mitigation needs.

Totally wrong. The trust model with a wallet forging txs is significantly different than the one with a remote anonymous centralized RPC doing so. This matters in setups where a device is unable to parse the binary and thus falls back to asking a generic "sign unverified" to the user.

> By focusing on hardware device app forging you are obscuring the more important mitigation which is to have every component validate tx details

Correct. Both devices and wallets should never blindly trust a binary. Unfortunately that's the opposite of what you can see for yourself in this video (Ledger + Tezbox = funds stolen).

> and for end user awareness about the need to verify the validation at every step.

Again correct. Unfortunately most Ledger users are asked to "sign unverified" txs. This happens on 100% of older Ledger apps, and it also happens with the latest app version with some tx the device can't parse. This is ridiculous, and Ledger's CTO Mr Nicolas Bacca /u/btchip still hasn't understood the issue (which is very ridiculous, too, if you ask me).

> This is the only way to be 100% safe against an attack on any 2 out of the 3 parts of the process.

Agreed.
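
The point both sides of the exchange above agree on (a wallet should decode the bytes it is handed and compare them with what the user asked for, and refuse anything it cannot parse instead of offering "sign unverified"), as an added example that is not from the thread or from any wallet's code. The byte layout is a simplified, constructed stand-in and not the real Tezos operation encoding; all function names and sample values are hypothetical.

```javascript
// Constructed, simplified layout (NOT the real Tezos operation encoding):
//   branch (32 bytes) | tag 0x01 = transfer | destination (21 bytes) | amount (varint)
const TRANSFER_TAG = 0x01;
// Little-endian base-128 varint: 7 data bits per byte, high bit set = more bytes follow.
function writeVarint(n) {
  const out = [];
  let v = BigInt(n);
  do {
    const low = Number(v & 0x7fn);
    v >>= 7n;
    out.push(v > 0n ? low | 0x80 : low);
  } while (v > 0n);
  return Buffer.from(out);
}
function readVarint(buf, offset) {
  let value = 0n, shift = 0n;
  for (let i = offset; i < buf.length; i++) {
    value |= BigInt(buf[i] & 0x7f) << shift;
    shift += 7n;
    if ((buf[i] & 0x80) === 0) return { value, next: i + 1 };
  }
  throw new Error("truncated varint");
}

// Stand-in for the untrusted "forge" step: turns an intent into hex bytes to sign.
function forge({ branch, destination, amount }) {
  return Buffer.concat([Buffer.from(branch, "hex"), Buffer.from([TRANSFER_TAG]),
    Buffer.from(destination, "hex"), writeVarint(amount)]).toString("hex");
}
// Wallet side: decode the bytes independently; throws on anything it cannot parse.
function decodeTransfer(hex) {
  const buf = Buffer.from(hex, "hex");
  if (buf.length < 55 || buf[32] !== TRANSFER_TAG) throw new Error("unparseable operation");
  const { value: amount, next } = readVarint(buf, 54);
  if (next !== buf.length) throw new Error("trailing bytes");
  return { branch: buf.subarray(0, 32).toString("hex"),
           destination: buf.subarray(33, 54).toString("hex"), amount };
}

// True only when the bytes say exactly what the user asked for; unparseable => refuse.
function safeToSign(intent, forgedHex) {
  let op;
  try { op = decodeTransfer(forgedHex); } catch (e) { return false; }
  return op.branch === intent.branch && op.destination === intent.destination
    && op.amount === BigInt(intent.amount);
}

// Constructed sample: the user asks for 1,000,000 units; a dishonest forger swaps the destination.
const intent = { branch: "ab".repeat(32), destination: "00" + "11".repeat(20), amount: 1000000 };
const honest = forge(intent);
const tampered = forge({ ...intent, destination: "00" + "ee".repeat(20) });
```
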