RE: Utopian.io Hack - May 3rd - May 4th 2018. No Wallets Or Keys Compromised.

in #utopian-io · 7 years ago

Don't want to rub salt in the wound, but shouldn't a huge project like Utopian, juggling with millions of SP and thousands of users, have a top notch secured servers? To me, there's no excuse for incidents like that.


You are very right @drakos, they have to take care about that and they don't have any excuses because we trusted them with our keys, and hackers downvoted very powerful people from my account because of that. Yes, I removed the downvote, but what if I wasn't home? What if I had a vacancy or something? Will I come back after a few days and see that a flagging war started against me? Utopian has to share the reward of the post not just with Busy and SteemConnect, but even with those who were touched by this hack. I have been working hard on Steemit for about a year to take care about my reputation, not to be flagged because someone didn't take care about security. I used Utopian a few months ago and I am not using it anymore because of their hard moderation; I forgot to revoke them before. I hope that will not happen with other platforms as well.

@drakos we had our servers secured and backups in place. Whoever did this knew where to act. We are verifying with those who had the possibility to work on our servers directly whether there was anything that may have opened a security breach. Literally anything can be hacked. Today was our turn. We are not looking for any excuse. We have been plain honest on what happened here.

When there's no server handling tokens or keys, and your website build is hashed and verified, then there's nothing to hack. Hackers would need to hack individual users.

@heimindanger we had background processes in place to broadcast actions required for our system to work on behalf of the users. Without having an offline token for that, I don't see how we could have achieved such functionality. Do you have any suggestions for this?

I believe we shouldn't do operations without the users explicitly knowing about it. What type of transactions do you need for Utopian where user consent is impossible?

A possible solution would be a mobile app and push notification. It sends a notification and asks user for approval and unlocking his key for forging the transaction. For example

@heimindanger we had a review system in place, where users could make a poll to verify the quality of the post and the final score was stored in the blockchain for the original post, along with other similar functionalities. You can't just request user consent on every single operation that makes the site functional.

Arguably I have much less need for this type of 'server side' feature. A good example for DTube is the feature to schedule when your video gets published, I've received that one a lot.

Still I believe this ability from SteemConnect to create arbitrary tokens in the name of your users, and giving the power to these tokens to vote or comment or whatever, to be a security issue for the whole network.

So basically you edit the post and put some extra data in it, and for that you need access to the original poster account. You could do that without the user account by using a custom_json operation or inside of a json_metadata of a comment of the post (and using the @utopian-io acc).

Working with compromises is always hard. Any established social media platform has a solid OAuth system in place and we should focus on how we could implement the most secure and customisable tool, while not hurting the user experience. I believe there is room for improvements on that. Hacks happen everywhere and at any level, it is always a question of how you could minify the consequences. Obviously we were not ready for this.

I think everyone will agree that in all systems we can find some problems which we can use for ourselves. Hackers are trying to find problems in systems, and to make a 100% secure system I think is impossible.

When did you last have a penetration test against the web application?

That sucks. Good luck finding the culprit.

I am not worried about things like this, because I am sure @utopian-io has a good security system; I hope no newbies fall victim here.

Utopian is giving flimsy excuses for their incompetence. I suggest everyone should change their passwords. Why allow another body who can't secure or encrypt your password on their servers? Why can't Utopian use password salts and encryption? So it means they just stored the users' passwords on a stupid server?? I've looked at the Utopian repo, it still has more stupid flaws that must be addressed.

@doctorvee honestly you missed the whole point. No passwords are ever stored by any party involved. Everything is explained in this post. Thank you.

You don't need to start telling everyone to start changing their passwords. You can if you want, go ahead, but no passwords were compromised so this is just FUD you're spreading now. Your comment seems like you just read the title and are just spreading fear for upvotes. Who told you ANYTHING about storing a user's password on a "stupid server" haha who runs this company stupid brand server? I didn't know you could get stupid servers, I thought all servers were inherently smart?

Anyway lol I'm just joking around with you, here's an upvote, I hope you can calm down and realize that you just need to re-read the article.

Also I suspect your knowledge and understanding of how all this works is a lil lacking, am I right to suspect that? :D

Even Google and Facebook got hacked. Even if the server is super secure, a hacker with the skills could exploit it if such a vulnerability exists (which is pretty common).

Well said, it's actually the point.