
crypto/bitcoin news

Posted: December 15th, 2023, 10:13 am
by Urbandreamer
In an effort to rehabilitate this board I have decided to try and provide some news.

First some very old news. Six years ago today (WEF) the World Economic Forum predicted that bitcoin would consume the entire electrical production of the planet by.... three years ago.
https://www.weforum.org/agenda/2017/12/ ... orld-2020/
Fortunately it didn't happen and WEF have changed their opinion, praising "data centers" powered by gas normally either dumped or flared in the oil extraction industry. The oil companies are in fact being PAID to clean up their emissions, thanks to bitcoin mining.

News of El Salvador. Their bitcoin holdings are in the black and volcano bonds are back on the table.
https://cryptopotato.com/el-salvadors-b ... osses-41k/
https://cryptopotato.com/el-salvadors-b ... 024-debut/

Our government wants to regulate crypto.
https://www.coindesk.com/policy/2023/06 ... egulation/
But Mr Sunak seems rather tardy with responses to a "Freedom of information" request.
https://www.whatdotheyknow.com/request/ ... to_holding

In the US there are bun fights over crypto regulation.
https://cryptopotato.com/crypto-regulat ... ion-in-us/
And Senator Warren just wants to ban it. I'm sure that there is nothing to the speculation about political funding.
https://cryptopotato.com/elizabeth-warr ... d-privacy/

Bad news though. Well we do have to expect some.
Crypto wallet Ledger has been hacked. Fortunately it only affects some users, not all of us.
https://cryptopotato.com/ledger-confirm ... mpromised/
There has also been significant amounts stolen in other hacks. $363 million in November alone.
https://cryptopotato.com/heres-how-much ... mber-data/

I hope that you are all well and that you are careful if you decide to become involved.

Re: crypto/bitcoin news

Posted: December 15th, 2023, 1:54 pm
by Urbandreamer
More details of how the Ledger/MetaMask hack happened and worked.
https://cointelegraph.com/news/how-the- ... -approvals

It doesn't look good at all.
Other apps may be affected as well, and experts have warned that the vulnerability may affect the entire Ethereum Virtual Machine (EVM) ecosystem.


Thankfully for me, I don't have any dealings with that ecosystem.

Re: crypto/bitcoin news

Posted: December 15th, 2023, 2:57 pm
by murraypaul
Put simply, it happened because the company had no effective security control and no effective leaver process.

Not only did a single employee have access to update the software with no signoff or oversight, but they still had that access after leaving the company.

If this was a 'real economy' business, there would be outrage, but it is just par for the course.

Here is what Ledger did (and didn't) say about it:

The standard practice at Ledger is that no single person can deploy code without review by multiple parties.

(But not in this case)
We have strong access controls, internal reviews, and code multi-signatures when it comes to most parts of our development. This is the case in 99% of our internal systems.

(But not this one)
Any employee who leaves the company has their access revoked from every Ledger system.

(But not this one)

Re: crypto/bitcoin news

Posted: December 15th, 2023, 3:16 pm
by Urbandreamer
murraypaul wrote:Put simply, it happened because the company had no effective security control and no effective leaver process.

Not only did a single employee have access to update the software with no signoff or oversight, but they still had that access after leaving the company.

If this was a 'real economy' business, there would be outrage, but it is just par for the course.


To be fair, I worked for a "real economy" business and retired with my company laptop and remote access. Then again, nothing to do with me, but I understand that the company's servers have been down for a week due to a cyber attack.

Possibly we should just accept that Ledger has not learned from previous security faults, rather than make claims about the virtue of other companies.
While we are at it, I presume that you absolve Microsoft from malware in its store?

https://www.bleepingcomputer.com/news/s ... in-crypto/
November 7, 2023
...
Published with the name Ledger Live Web3, the fake application appears to have been present in the Microsoft Store since October 19 but the cryptocurrency theft started being reported just a couple of days ago.


The same thing happened with the Linux snap store, lest any think I'm singling Microsoft out. Well to an extent I am in that I suspect they are a company that you would consider to be in the "real economy".

BTW, this sort of thing is not limited to crypto, as I'm sure that you know. I mention that fact for the benefit of those that think it is.

Be careful folks.

I'm going to continue using my Nano S for a while, but will consider moving to a different cold wallet. Probably sometime next year.

Re: crypto/bitcoin news

Posted: December 15th, 2023, 3:22 pm
by murraypaul
Urbandreamer wrote: While we are at it, I presume that you absolve Microsoft from malware in its store?


I don't see the comparison?

Is the malware there because someone used the account of an ex-Microsoft employee that they forgot to revoke?

Re: crypto/bitcoin news

Posted: December 15th, 2023, 3:57 pm
by murraypaul
To be clear, this wasn't an app people could choose to download and use, and if they downloaded it after the hack they would have an issue.

It was part of the backend. Anyone using a distributed application while the hack was in place could be affected.

https://github.com/LedgerHQ/connect-kit ... dex.ts#L82

The ledgerhq/connect-kit-loader allows dApps to load Connect Kit at runtime from a CDN so that we can improve the logic and UI without users having to wait for wallet libraries and dApps updating package versions and releasing new builds.
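Added example, not part of the post above and not Ledger's code: a small audit of runtime script loads for the two controls that keep a republished CDN package from reaching users unreviewed, an exact version in the URL and a Subresource Integrity hash. It assumes npm-style CDN paths of the form `/npm/<package>@<version>/...`; the URLs and the digest string are constructed placeholders.

```javascript
// Added example: flag script loads that would silently pick up a newly
// published package version. URL layout /npm/<pkg>@<version>/... is an assumption.

// Split "/npm/@scope/name@1.2.3/dist/x.js" into package name and version.
function parseNpmCdnPath(url) {
  const path = new URL(url).pathname;
  const m = path.match(/^\/npm\/((?:@[^/@]+\/)?[^/@]+)(?:@([^/]+))?(?:\/|$)/);
  if (!m) return null;
  return { pkg: m[1], version: m[2] || null };
}

// Only a full major.minor.patch counts as pinned; "1", "^1.2" or "latest" float.
const EXACT_SEMVER = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$/;
// Shape of one SRI token, e.g. "sha384-<base64 digest>".
const SRI_TOKEN = /^sha(256|384|512)-[A-Za-z0-9+/]+={0,2}$/;

function auditScriptLoad({ src, integrity }) {
  const findings = [];
  const parsed = parseNpmCdnPath(src);
  if (!parsed) findings.push('unrecognised-cdn-path');
  else if (!parsed.version) findings.push('no-version');
  else if (!EXACT_SEMVER.test(parsed.version)) findings.push('floating-version');

  const tokens = (integrity || '').trim().split(/\s+/).filter(Boolean);
  if (tokens.length === 0) findings.push('no-integrity');
  else if (!tokens.every(t => SRI_TOKEN.test(t))) findings.push('malformed-integrity');

  return { src, pkg: parsed && parsed.pkg, findings };
}

// Constructed sample inputs (cdn.example and @example/wallet-kit are made up;
// the integrity value is a placeholder of the right shape, not a real digest).
const SAMPLE_LOADS = [
  { src: 'https://cdn.example/npm/@example/wallet-kit@1' },
  { src: 'https://cdn.example/npm/@example/wallet-kit@1.4.2/dist/index.js',
    integrity: 'sha384-' + 'A'.repeat(64) },
  { src: 'https://cdn.example/npm/left-pad/index.js', integrity: 'md5-abc' },
];

function auditAll(loads) {
  return loads.map(auditScriptLoad).filter(r => r.findings.length > 0);
}
```

Pinning an exact version and hash gives up the update-without-rebuild convenience described in the quoted README text; that is the trade being audited for.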

Re: crypto/bitcoin news

Posted: December 15th, 2023, 5:04 pm
by Itsallaguess

Approval Phishing Scams Drain $1bn of Cryptocurrency from Victims -

Approval phishing scams have been used to steal at least $1bn in cryptocurrency since May 2021, according to a new report by Chainalysis.

The researchers estimate that this technique, which is frequently used by romance scammers, has led to crypto users losing at least $374m so far in 2023.

Approval phishing is a type of crypto scam in which attackers attempt to trick targets into signing a malicious blockchain transaction that gives their address approval to spend specific tokens inside the victim’s wallet. This allows the scammer to drain the victim’s address of these tokens at will, with some targets losing tens of millions.

Once the victim signs the transaction, generally the phisher sends the funds to a separate wallet from the one they approved.


https://www.infosecurity-magazine.com/news/approval-phishing-crypto-victims/

Cheers,

Itsallaguess
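Added example, not part of the post or the quoted article: a pre-signing check that decodes EVM transaction calldata and flags the kind of token approval described above. It goes slightly beyond the article by naming the standard ERC-20/ERC-721 approval functions and their 4-byte selectors; the trusted-spender allowlist and the sample calldata are assumptions constructed for illustration.

```javascript
// Added example. Selectors are the 4-byte ids of the standard ERC-20/ERC-721
// approval functions; the spender allowlist is a hypothetical policy input.
const APPROVAL_SELECTORS = new Map([
  ['095ea7b3', 'approve(address,uint256)'],
  ['39509351', 'increaseAllowance(address,uint256)'],
  ['a22cb465', 'setApprovalForAll(address,bool)'],
]);
const MAX_UINT256 = (1n << 256n) - 1n;

// Returns null for calldata that is not an approval, else what is being granted.
function decodeApproval(calldata) {
  const hex = String(calldata).toLowerCase().replace(/^0x/, '');
  const signature = APPROVAL_SELECTORS.get(hex.slice(0, 8));
  if (!signature) return null;
  // The selector must be followed by two 32-byte ABI words.
  if (!/^[0-9a-f]{136,}$/.test(hex)) throw new Error('malformed approval calldata');
  const spenderWord = hex.slice(8, 72);
  // An address occupies the low 20 bytes of its word; the top 12 must be zero.
  if (!spenderWord.startsWith('0'.repeat(24))) throw new Error('bad spender word');
  const value = BigInt('0x' + hex.slice(72, 136));
  const operatorGrant = signature.startsWith('setApprovalForAll');
  return {
    signature,
    spender: '0x' + spenderWord.slice(24),
    amount: operatorGrant ? null : value,
    // "Unlimited" = max uint256 allowance, or operator rights over every token.
    unlimited: operatorGrant ? value === 1n : value === MAX_UINT256,
  };
}

// Verdict for a transaction about to be signed.
function reviewTransaction(tx, trustedSpenders = []) {
  const approval = decodeApproval(tx.data || '0x');
  if (!approval) return { verdict: 'no-approval' };
  const trusted = trustedSpenders.some(a => a.toLowerCase() === approval.spender);
  if (trusted) return { verdict: 'approval-to-trusted', ...approval };
  return { verdict: approval.unlimited ? 'block' : 'warn', ...approval };
}

// Constructed sample calldata (not taken from any real transaction).
const SAMPLE_SPENDER = '0x' + '11'.repeat(20);
const pad = h => h.padStart(64, '0');
const SAMPLE_UNLIMITED = '0x095ea7b3' + pad('11'.repeat(20)) + 'f'.repeat(64);
const SAMPLE_LIMITED = '0x095ea7b3' + pad('11'.repeat(20)) + pad((1000).toString(16));
const SAMPLE_TRANSFER = '0xa9059cbb' + pad('11'.repeat(20)) + pad('01');
```

A plain `transfer` moves a fixed amount once, whereas an approval stays in force until it is revoked, which is why the check treats the two differently.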

Re: crypto/bitcoin news

Posted: December 15th, 2023, 5:41 pm
by Urbandreamer
Itsallaguess wrote:
Approval Phishing Scams Drain $1bn of Cryptocurrency from Victims -

Approval phishing scams have been used to steal at least $1bn in cryptocurrency since May 2021, according to a new report by Chainalysis.

Itsallaguess


Err, you do know who Chainalysis are, what they do and what they can do?
https://www.google.com/search?q=Chainalysis

What you are basically reporting is that, unlike the fiat banking system, it's easy to identify the amount scammed.
It's less obvious how they identify what type of scam is being used. I would be very dubious about that fact, rather than the amount drained.

It might also be worth pointing out that this is the figure for the entire world.