The Ledger hack

I think I may have been caught in the latest Ledger leaks and wanted to find out for sure. Is there a way to verify without further risking adding my data? Has the HaveIBeenPwned approach been applied to the Ledger hack database? Is there a zero knowledge proof way that can verify what, if any, information was leaked? Since learning that my risk may have increased including the potential of home address being leaked. I see others have also been affected so would really appreciate advice!

Action I have taken so far: created a new protonmail & Safenetwork forum account and email via TOR Private mode on Brave. This is one of the communities I frequent whose collective intelligence on these issues I respect and trust the most. This is already a credit to the project!

Q1: How can one see if they are affected and what data has been stolen? HaveIBeenPwned?

Sorry, I can’t help with a lot of that.
Do you trust Tor that much?
The exit node sees exactly what you’re doing and can easily grab the data.

• If you suspect that your personal data were leaked try to go to intelx.io

• HaveIBeenPwned does not distinguish if just your email was posted or other personal data too

2 Likes

I take from the question that I shouldn’t have trusted TOR? What would a secure connection look like to ask these questions?

Tor is more than fine, just be sure that the “clearnet” website you are visiting is connected via https and that the certificate is okay.
By doing that the exit node doesn’t get to read the content.

And of course only use the Tor Browser when browsing on Tor.

5 Likes

You already got good advice from piluso.
I just don’t get why ppl use Tor for the clearnet.
If you don’t know what you’re doing you can leak everything.
If you’re trying to be anonymous, it really isn’t that anonymous.
I’ve used Tor, but not for normal Internet things, and not for years now.

1 Like

What do you think should be used instead of Tor?

Normal Internet. Why not?

1 Like

Was just curious if there was something more secure you would recommend.

Nope.
As I said, piluso gave good advice.
But if you get careless, it can make things a lot worse than using normal Internet.

https://protonvpn.com/blog/is-tor-safe/#:~:text=The%20answer%20is%20no.,the%20non-profit%20Tor%20Project.

I don’t trust VPNs either, you have no clue if they are really logless, or how well secured they actually are.

1 Like

Not mine, found on Reddit… pretty apt.

2 Likes

Ledger are sending out emails to everyone whose data has been released so you could check the email address you used when you ordered to see if they’ve sent you one.

Other than that, I’ve got a copy of the breached database so if you want to message me one part of your info like email or the last few digits of your phone number or whatever I could check for you if that helps.

So we can use these home addresses for promoting SAFE
“With SAFE this is not gonna happen any more”

This is a very bad idea. People will not like that someone uses this information that way. See if you do it indirectly with ads around addresses without being intrusive it can have an effect…

3 Likes

What Bitcoin Did: Ledger Hack - What Happened with Pascal Gauthier (Ledger CEO) https://www.whatbitcoindid.com/podcast/ledger-hack-what-happened-with-pascal-gauthier

For people looking for alternatives to Ledger cold storage, for when they introduce new people to crypto.

Ledger - newbies to the crypto world, the people I have helped buy crypto for the first time, MaidSafe, some did some initial reading and asked me about Ledger.

I took one look at the price, even just now EUR 60 for one of the Ledgers.
A firm NO!

I taught them how to use TrueCrypt, taught them how to get around the version number issues on Macs…

Also gave them the option of a TrueCrypt-friendly alternative,

EUR 60 will buy you a lot of high quality USBs.
For redundancy you can keep multiple copies of your vault type across your USBs,
you won’t give personal details to a 3rd party.

Ledger is just an overpriced USB stick, with added privacy issues. Unbelievable.

1 Like

If you don’t have a serious setup and really know what you are doing, your private keys can be stolen very easily, even if you use TrueCrypt/VeraCrypt. If you don’t have a setup like an air gap and cold storage, all your security setup is effectively nullified.
Even if you have an airgap, if you are plugging a USB from one computer to another, you’ve got to be an expert to be sure that the USB hasn’t been infected. And we are not talking about checking if it has an autorun.inf file, but having your USB stick reprogrammed by malware.

Teaching opsec and infosec to newbies at this level is overkill, and most likely they will f-up because they don’t really know what they are doing.

A Ledger is way more than just a USB stick. It saves you from all that headache as the private key is completely inaccessible.
With a hardware wallet, it is nearly impossible to mess it up while the learning curve is very fast for anyone to execute.

7 Likes

It sees the exact bitstream passing through between your browser and the server. Nowadays that usually means something very well encrypted.

You raise a good point about some setups requiring a level of commitment beyond most users. Consequences if some steps are done wrong that might outweigh the risk. My guess would be that far fewer people lost bitcoin to stolen keys than lose it from lost or forgotten keys? It’s also pretty pointless for users to place elaborate security into their processes slowing down their efficiency only to have forgotten a key part that undoes all that work - a simpler scheme with lower error rate or error consequence is required.

Your risk assessment has to include “usability” but surely there are some basics people can realistically follow.

On a mainstream PC or Mac this might be a clean open source VPN and browser, password manager with unique passwords for the commonly used low risk accounts. 2FA and password memorization or mind algo for more secure sites.

Looks like BIP39 hardware token cold storage and seed backup is recommended for bitcoin. Trezor for example.

What other approaches strike a balance between UX and security for a 20’s internet user? What schemes have we seen work best? What can we hope for on Safe?

1 Like