
Some guy from NZ with a strange desire to put random, useless, weird stuff on the intarwebs.

minds.com/arandomsteve

t.me/arandomsteve

arandomsteve.com

Stephen

The Ledger response to the hack is the concern


While I am not personally affected by the Ledger hack, the response of the Ledger company itself is a massive red flag for me.

The hack has been known for a long time. The /r/ledgerwallet subreddit has been discussing it and trying to deal with it since June, when the first reports of phishing spam started showing up. The fact that these spam campaigns ran over both email and SMS showed that the hack was more than just a mailing-list breach: SMS phishing needs phone numbers, and those come from customer order records, not a newsletter list.

While the community has been dealing with these problems, Ledger themselves have been trying to downplay the issue. Initially they claimed only around 9,000 customers were affected. Then they said only some of the mailing-list subscribers' details got out. Now we know they lied in both cases. The personal details of nearly 300,000 customers, including full names, postal addresses, phone numbers and email addresses, were stolen in the hack. To compound matters, over 1,000,000 email addresses from the mailing list were also hoovered up by the hacker(s).

Now, as someone who has worked in the ICT industry for most of my working life, a significant part of it as a security engineer, the first rule of any internet-connected service is to assume it WILL be breached. Your job is to reduce the possible ingress vectors, make exploitation as difficult as possible, and limit what an attacker gets when they do get in. Strong data practices are necessary: collect only what you need, keep it only as long as you need it, and protect it at rest. Such a stance is even more important when you are a company selling security devices, dealing with extremely sensitive information, whose customers rely on your product to secure extremely valuable or important data.

In this case, you are a security company selling cryptographic devices that store the private keys protecting a person's cryptocurrency assets, that can be used as a second-factor authentication device, and that can derive deterministic passwords and other secrets from the very keys the device is supposed to be protecting.

You could argue that no device Ledger has ever sold is in any way compromised by this hack. That is absolutely true. But the $5 wrench attack became a whole lot more of a concern for anyone who bought from Ledger. In fact, we're seeing exactly those kinds of threats, and worse, being made to people whose details were in the hacked database.


Posted by u/jurban84, 23 hours ago

I just got a death threat

I was one of the 270k people. I am Polish.

Normally I would ignore it, but the email was written in perfect Polish, which Google Translate always struggles with, the sender name is also a correct Polish name (unusual for phishing), and it was sent from a Polish domain and a Polish IP, the Play mobile network to be exact.

He says I need to transfer 1000 PLN or he'll kill me.


So thank you Ledger. For the first time I fear for my life.


EDIT: So I went to the police. Apparently I was already the second person who came in today with this. At my local precinct. In Poland.

How the hell is it that Ledger still continues to downplay this entire issue? Their response? To paraphrase their CEO, "Our devices are not compromised, so nothing to worry about." Sure... for Ledger itself. Ledger staff aren't at risk, because they didn't buy their devices through the same web portal that the rest of the world went through.

Received phone call threatening kidnapping and murder over my Ledger.

Earlier today I have received a phone call from a fake number (it appeared as the phone number of my local police station).

A male, Anglo-accent caller asked if I was <my full name> and claimed to be a drug addict, and gave me my full address, and said he knows I have a lot of bitcoins. When asked how, he said my information has been leaked on the dark web. I played dumb and he eventually says I purchased a ledger hardware wallet and “only loaded c*nts” buy them.

He told me a sob story about how he is addicted to meth, is about to run out, and needs monero to buy more. He demanded 10 XMR and said if it’s not sent by midnight, he will show up at my house, kidnap me, and “stab to death” any relatives living at my address. I was able to record this phone call as I put him on speaker phone.

I went to the police and filed a police report. They are going to try to trace the caller and have sent a police car to wait outside, which I am very grateful for. All of my doors etc. are locked and I have the officer's phone on speed dial.

I just want to warn everyone about the dangers of Ledger’s recklessness. If there is a class action lawsuit I will gladly join and submit this as evidence.

Just think about that for a moment. You've bought a device designed to make it impossible for someone online to steal your digital assets. You've bought it from a company in France that is subject to EU privacy law, including the GDPR. You've bought it from a company that asserts it is a security company building a security device. You would expect such a company to employ extremely smart people who are aware of best practice when it comes to OpSec online. You give that company your money, AND your trust.

Then it turns out that not only were they retaining ALL their customer data, they made no apparent effort to minimise, pseudonymise or encrypt it, and they were storing it on what I can only describe as misconfigured or mismanaged servers... at the very least.

Now you're getting kidnapping and death threats.
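As an added example (my own illustration, not Ledger's code and not anything the reports say about their systems), here is what the data practice I am arguing for looks like in Python, using only the standard library. The order table that a web shop or marketing system exposes holds nothing but a random token; the names, addresses and phone numbers sit in a separate vault, findable only through a keyed blind index whose key lives outside the database, and they are purged once the order has shipped and a retention window has passed. The customers, the key and the 30-day window are all constructed for the example.

```python
# Added example (not Ledger's code): keep contact details out of the tables
# that an e-commerce or marketing system exposes, and purge them on a schedule.
# Everything here is constructed: the customers, the key and the 30-day window.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import date, timedelta

PII_FIELDS = ("name", "address", "phone", "email")


@dataclass
class PiiVault:
    """Plaintext contact details live only here, behind a random token.

    index_key is the HMAC key for the blind e-mail index. It must be kept
    outside the database (KMS/HSM or an environment secret), so that a dump
    of the index column cannot be brute-forced back to addresses offline.
    """
    index_key: bytes
    records: dict = field(default_factory=dict)      # token -> record
    email_index: dict = field(default_factory=dict)  # blind index -> token

    def blind_index(self, email: str) -> str:
        canonical = email.strip().lower().encode()
        return hmac.new(self.index_key, canonical, hashlib.sha256).hexdigest()

    def store(self, *, name, address, phone, email, shipped_on, keep_days=30):
        """Save the details needed to ship an order and return the token the
        order table will reference. Retention is counted from the ship date."""
        token = secrets.token_hex(16)
        self.records[token] = {
            "name": name, "address": address, "phone": phone, "email": email,
            "expires": shipped_on + timedelta(days=keep_days),
        }
        self.email_index[self.blind_index(email)] = token
        return token

    def find_by_email(self, email):
        token = self.email_index.get(self.blind_index(email))
        return self.records.get(token) if token else None

    def purge(self, today):
        """Delete every record past its retention date; return how many."""
        expired = [t for t, r in self.records.items() if r["expires"] <= today]
        for token in expired:
            del self.records[token]
        self.email_index = {k: v for k, v in self.email_index.items()
                            if v in self.records}
        return len(expired)


def place_order(vault, orders, *, order_id, sku, shipped_on, **contact):
    """The order row stores only the vault token, never the contact fields."""
    token = vault.store(shipped_on=shipped_on, **contact)
    orders.append({"order_id": order_id, "sku": sku,
                   "shipped_on": shipped_on.isoformat(), "customer": token})
    return token


def leaked_pii(orders, vault):
    """What a dump of the order table alone hands an attacker: any vault
    plaintext value that appears verbatim in an order row."""
    sensitive = {r[f] for r in vault.records.values() for f in PII_FIELDS}
    return sorted(v for row in orders for v in row.values() if v in sensitive)


def demo(today=date(2020, 8, 1)):
    vault = PiiVault(index_key=secrets.token_bytes(32))  # from KMS in practice
    orders = []
    # Constructed customers, not real people.
    place_order(vault, orders, order_id="A1001", sku="nano-s",
                shipped_on=date(2020, 6, 1), name="Ada Example",
                address="12 Example St, Wellington", phone="+64 21 000 0000",
                email="Ada@Example.org")
    place_order(vault, orders, order_id="A1002", sku="nano-x",
                shipped_on=date(2020, 7, 20), name="Bob Sample",
                address="7 Sample Rd, Auckland", phone="+64 22 000 0000",
                email="bob@sample.org")
    found_before = vault.find_by_email("ada@example.org") is not None  # case-insensitive
    purged = vault.purge(today)          # Ada's order is past the 30-day window
    return {
        "orders": orders,
        "leaked": leaked_pii(orders, vault),
        "found_before_purge": found_before,
        "purged": purged,
        "gone_after_purge": vault.find_by_email("ada@example.org") is None,
        "bob_still_present": vault.find_by_email("bob@sample.org") is not None,
    }


if __name__ == "__main__":
    print(demo())
```

Running demo() shows a dump of the order table yielding no contact details, and the vault dropping the older customer on purge while the recent one stays findable by email (case-insensitively). The point is the shape of the data rather than any particular library: what is never stored, or is no longer stored, cannot be dumped.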

Let's load on a heap of conjecture. How can we, as prospective or existing customers, now trust their devices? The code that runs on the devices is closed source. They publish the source of the desktop and mobile apps on GitHub, and provide plenty of example code for building apps that install onto the devices, but the device firmware itself is not open source. There is no way I can be certain that the code they compile into that firmware is secure. There is no way I can be absolutely sure that their source trees were not also compromised.

One need only look at what is happening in the fallout of the SolarWinds Orion hack to see just one example of why I do not support such a business model, not when it comes to software that is managing or responsible for core assets, whether that be your network infrastructure or your crypto keys.

In light of all this, I cannot, and do not, endorse Ledger wallets or products. I believe they have lost any trust I (and possibly the community) had in them. At this point my recommendation would be to use a Trezor device as an alternative. Trezor make their firmware available as open source, so you can build it and run it yourself. You can even build your own version of a Trezor wallet on a Raspberry Pi if you want. There are other brands of hardware wallet, but very few of them make their code open source.

If you are serious about cryptocurrencies, then you absolutely do need an offline hardware wallet or cold storage. Until now Ledger Nano devices have been the best available because of their feature set. But I don't think the feature set can outweigh the security risks of their closed source any longer. It's just not worth the risk.

Stephen

Murderer and Sexual Abuser's name finally revealed in NZ

While his name has been a very widely known secret for a long time, and the international press were either unconcerned about it or never refrained from publishing it in the first place, it is seriously about time this man's name was shared openly in NZ without fear of reprisal.

From the NZHerald -- British backpacker Grace Millane's murderer named as Jesse Kempson, sexual violence trials revealed

The man who murdered British backpacker Grace Millane can now legally be named in New Zealand.

He is Jesse Shane Kempson.

And it can now be revealed Kempson faced two further trials for violent sexual offending against two other women.

The 28-year-old Auckland man's identity was due to be revealed last Friday, but with just minutes before an 11am deadline, the Supreme Court decided to keep suppression in place until it could make a final determination.

Today, the top court ordered suppression to lapse.

The one thing that really bothers me in this, and something I wish we could change our laws to address, is that this animal is serving 3 sentences for 3 different crimes concurrently. Meaning, he really is only serving a single sentence for all 3 crimes. Worse, he only has to spend 17 years in gaol for murdering a woman, and brutally assaulting at least two others (that are known to the police.)

Suppression for the Aotea College alumnus was continued throughout last November's high-profile murder trial in the High Court at Auckland, the guilty verdict and sentencing - the reasons for which were also suppressed until today.

His name was suppressed to protect his fair trial rights, the courts ruled, because of two sexual violence trials.

He has already been convicted and sentenced for those crimes against both women after judge-alone High Court trials were held in October and November this year under a shroud of secrecy.

His additional prison sentences will be served at the same time, alongside his life term for murdering Millane, which includes a non-parole period of 17 years.

In situations such as this, where the crimes of violence are all of a similar kind, New Zealand law should require the sentences to be served consecutively. He should have to pay a penalty for each crime he has been found guilty of. Otherwise, how is there any fairness or restitution for the women he brutally assaulted? They have to live with the repercussions and memories of his assaults for the rest of their lives. He gets to pretend there was no punishment at all for those crimes, simply because he got caught and found guilty of a brutal murder.

Fairness would mean that he doesn't even start the sentence for the murder until the sentences for the lesser crimes have each been served individually. 

Stephen

In this river, all shall fade to black

In this river ain't no coming back

I really feel like this song has become an anthem for me lately. The meaning really does resonate with me so clearly.


Stephen

Government considering anti-Hate Speech laws after Royal Commission of Inquiry report

I'm sorry, but this is just ludicrous. You cannot legislate against hate speech without also removing the intrinsic right to freedom of expression and free speech. Making laws against so-called "hate speech" is really the government using force to tell you what you're allowed to say, or not allowed to say. That doesn't stop people thinking that way, and doesn't stop people talking about those things in private. What it does do is create an underground where bad ideas grow and fester in darkness, because they are never exposed to scrutiny or opposing views until after they have blown up into something tragic. Such as what happened at the mosque shooting in Christchurch.

So this idea from the Government, to even consider hate speech law changes, is just absolutely dangerous.

Government to take hate speech laws to the public after March 15 inquiry

The Government has accepted recommendations from the royal commission of inquiry into the Christchurch terror attack to amend hate speech laws and create new hate-motivated offences.

However, Prime Minister Jacinda Ardern said no changes would be made without consultation with the public and other political parties.

The Royal Commission of Inquiry into the Terrorist Attack on Christchurch Mosques on March 15, 2019, on Tuesday made public its 44 recommendations, including the need to make sure legislation relating to hate speech and crime is fit for purpose.

The commission found the current laws “neither appropriately capture the culpability of hate-motivated offending, nor provide workable mechanisms to deal with hate speech”.

You deal with hate speech by exposing it. You counter it. You explain why it is wrong. You teach people and allow them to learn and understand. But you do not make it illegal to hold an opinion. I cannot believe this is a thing. Did people learn nothing from history?

Stephen

Just spent the last few hours watching NASA shoot a group of people into space. That will never get old for me. It will always be exciting to see it happening. Space flight is absolutely the pinnacle of modern physics and math at the moment. That it is becoming more and more accessible with each year is truly amazing.

Stephen

Pretty certain the election has not yet been certified. So Joe Biden is *NOT* yet the President Elect. So the only ones pushing that story are the media. Which means this is the first time in US history the MEDIA has decided and announced who the president is before the election results are even certified.

I call that a slippery slope.

Stephen

The 2020 US Presidential Election will go down in history as the most corrupted and dishonest in history. It blows my mind that the Biden supporters aren't as pissed off about it as everyone else is.

Stephen

Literally so anxious about the election I feel like throwing up. Have had to turn off all the feeds. I think the Dems are going to get away with stealing the election and the media is absolutely complicit.

Stephen

Cancel Culture comes to NZ

Author's book removed from store for expressing opinion on social media

I'm a realist. I know it happens, but I'd not seen it so blatantly before. This scares the ever-loving HELL out of me. I will NOT be buying anything through Mighty Ape again in the future.

Author Olivia Pierson has had her book removed from Mighty Ape because she dared to voice an opinion about a politician that the woke leftist brigade doesn't like and deems to be racist.

This is now New Zealand. This is what has been enabled and emboldened by Labour's absolute electoral victory in our General Election in October.

Twitter thread in which Olivia Pierson has her book removed from Mighty Ape for expressing an opinion on social media that the left deems racist.

This is not acceptable, New Zealand. Shame on you!

Stephen

If you haven't listened to/watched Glenn Greenwald on the Joe Rogan Podcast, you really need to do so. I think it's probably one of the best, and most honest, discussions about the state of Journalism today.

https://open.spotify.com/episode/6ryXHBRMkkIlAK2vCtAE2v?si=lXO1iWDcTpSlgwTH4Y3rSA