
RE: Offline Attack on Steem User Credentials

in #steem, 8 years ago

Yup, this is exactly what I have been shouting about for weeks now and expected would eventually happen. I am happy that you are a white hat and didn't take control of the accounts for yourself to profit from.

I believe it is better to push away new users with less user friendly registration (that forces them to use a randomly generated key that they must store securely and use password managers to manage) than to bring them aboard easily only to completely piss them off when their account or funds are stolen [1]. It is our job to make it as user-friendly as possible and to provide great resources educating users how to generate and manage random high-entropy passwords. But I don't agree with compromising their security because it is "too hard" and we don't want to lose them as new users.

[1] Although the new recovery feature allows them to get their account back. Most funds are usually locked in the time-locked Steem Power, so hopefully not too much financial damage would be done by the time they recover their account. And there are plans for a user opt-in and configurable time-locked savings account to even protect their more liquid STEEM and Steem Dollar funds from being stolen by hackers assuming they recover their account in a few days.


… we are in need of a bug bounty program with high rewards, so that people are happy to publish the flaws instead of misusing them for their own profit in the short run! Thank you for being honest and alarming the devs and community - and not running with the money …!

Chapeau!

and tipping is always an option as well - thx again!

I WILL donate/contribute the rewards I get from my comments here as well, @robinhood, and you guys here should consider doing this as well... if everybody here WILL do this I'd double the comment payout amount to donate out of my own pocket again!

@cass - the largest flaw now, in my opinion, is the ever-growing "tag-spamming" people do. When, for example, only 3 of the top 12 posts in the "marijuana" topic are actually related, the platform has a massive problem. This gets worse hour by hour, and people tag nearly all their posts wrong.

@wackou - thanks for your upvote... I wrote an article today on the topic. It would be really interesting to hear what a whale (like you) says about the current situation, as you too think tag-spam is becoming a real pain. Would be great to get some words from you:

https://steemit.com/money/@hastla/why-whales-and-dolphins-have-to-start-work-for-steemit-or-lose-their-whole-investment

Happy to introduce anyone to Jacob at Cobalt - best bug bounties with a specialization in cryptocurrency companies.

This is something I'm really concerned about, arhag. Do you have any information I can use at the moment to protect myself further?

I do actually. I just wrote this post about the importance of using password managers.

Thank you arhag, I had a look and have in fact been using LastPass, but I've found a few issues; it seems to be interfering with things. For example, on Bittrex it keeps trying to autocomplete the boxes in which I write trade values, so I had to turn it off. Do you know any workaround for this, or perhaps an alternative? Cheers.

I don't use LastPass so I can't give you specific instructions. But you should be able to disable its autofill functionality on specific websites that it has trouble with, while still taking advantage of it on nearly every other website. It may also be possible to manually fix the issue specifically for the Bittrex site so that you can even still use autofill on its website without having LastPass autofill in the wrong boxes.

This link may be helpful:
https://lastpass.com/support.php?cmd=getfeaturefaq&feature=feataure_4

Amazing work and really making a difference in how we all move forward in the world.