New App to Secure Your Steem Account
In the wake of the recent XSS attack on Steemit.com, which compromised many users' accounts and funds, I am excited to introduce Steem Pressure, an app which secures your Steem account by changing your keys so that the Steemit.com website no longer controls them. In the following video, I explain exactly how Steem Pressure secures your account, and how to use it.
[Edit] Much love to @keepdoodling who made this awesome pic for me. It'll make a fine thumbnail for the streem. Be sure to upvote his comment below!
Steem Pressure is currently in beta! I do not yet recommend trusting it solely with your private keys -- it would be wise to keep at least the owner key backed up separately (or based on a secure key recovery phrase you can remember).
Also, Steem Pressure is a very raw app at this point. I have not dedicated much time to adding features or making it look better or finding and fixing all the bugs; right now I am more interested in whether anyone other than me will find this app useful. I welcome feedback and feature requests. Some features I am considering adding in the future include:
- Multisig support; having more than one key (or even other accounts!) control an account
- Forgotten password recovery
- Encrypted messaging
- Mobile apps
Eventually, I would like to provide binaries for Windows and Mac, but for now I can only provide Mac binaries as, after many days of failed attempts, I am still unable to build Steem on Windows. If anyone can provide me with some insight as to how to make Visual Studio compile standards-compliant C++, I would be grateful.
Until then, the source code is available on Github and Mac binaries are available in the releases section.
[Edit] I forgot to mention, it builds and runs on Linux fine too, but it's so easy on Linux that it seems silly to make binaries. If there's a lot of demand for Linux binaries, though, I can do that too!
Want to Earn Some Steem Dollars?
I will pay SBD for any contributions I utilize, be they pull requests, documentation, better UI/UX designs, a killer icon for the app, or anything else you can think of. All contributions must be open source/copyleft for consideration.
Please make issues on Github for feature requests :)
I don't get all the tech stuff yet, but I should definitely try this app just because of your beard! Respect, man. Growing one of my own right now :)
I don't really have much voting power to make any change, so I made you this doodle instead :)
@Dev @Dan
#Dev #Dan
Limit the input characters
The first thing to do is to limit the characters that a user can enter in the text fields. For example, if we have a field to enter the user's name, we will not leave it open so that they can enter any number of characters, but we will limit it to something like 20 or 30 characters. To limit the number of characters, we can use the "maxlength" variable that the HTML standard provides.
Sanitize data
When we talk about cleaning up the data, we are referring to keeping only the information we are interested in, removing the HTML tags that can be included in a text box. For example, if you are storing the name of a person, it is of little use for the user to enter bold, because all we want is their name.
To achieve this cleaning, we can use the "strip_tags" function.
Escaping data
To protect data and display it as the user entered it, we should "escape" the data before presenting it to the user. That is, characters are represented by HTML entities if we want to preserve their meaning (e.g. double quotes must be transformed into &quot;, which is how HTML represents them). With this we prevent the browser from executing and evaluating the code.
To accomplish this, we can use the "htmlspecialchars" function.
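The three steps described in the comment above (length limit, tag stripping, entity escaping) as an added example in Python; this is not code from the post, the comment, or the Steem Pressure project. The functions `limit_length`, `strip_tags` and `escape_for_html` are hypothetical names that mirror HTML `maxlength`, PHP `strip_tags` and PHP `htmlspecialchars` respectively, and the inputs are constructed. The tag-stripping regex is a rough stand-in for PHP's parser, not a faithful port.

```python
import html
import re

# Server-side counterpart of the HTML maxlength attribute: a browser-side
# limit can be bypassed, so the server truncates again (constructed limit).
MAX_NAME_LEN = 30

# Rough stand-in for PHP strip_tags: drop anything that looks like <...>.
_TAG_RE = re.compile(r"<[^>]*>")


def limit_length(value: str, max_len: int = MAX_NAME_LEN) -> str:
    """Keep at most max_len characters, like maxlength on the server side."""
    return value[:max_len]


def strip_tags(value: str) -> str:
    """Remove HTML tags so a 'name' field cannot carry markup such as <b>."""
    return _TAG_RE.sub("", value)


def escape_for_html(value: str) -> str:
    """Equivalent of htmlspecialchars with ENT_QUOTES: & < > \" ' become entities.

    This is the step that actually stops the browser from interpreting the
    text as markup; the two steps above are hygiene, not the security control.
    """
    return html.escape(value, quote=True)


def sanitize_name(raw: str) -> str:
    """Apply the comment's three steps in order: limit, strip, escape."""
    return escape_for_html(strip_tags(limit_length(raw)))


if __name__ == "__main__":
    # Constructed sample inputs.
    print(sanitize_name('<b>Alice</b> & "Bob"'))   # Alice &amp; &quot;Bob&quot;
    # A tag cut in half by the length limit is no longer a tag, so the
    # stripper misses it; escaping still renders it harmless.
    print(sanitize_name("a" * 29 + "<b>"))          # aaaa...a&lt;
```

Note the ordering: truncation can split a tag, and a regex stripper can miss malformed markup, which is why the escape step is applied last and unconditionally at render time.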
Hillary 911 LOGO !!! Apollyon's candidate
https://steemit.com/illuminati/@cryptocurrency1/hillary-911-logo-apollyon-s-candidate
Still trying to figure all the tech details - writing, politics, homeschooling, business - my forte. I am trying out STEEMIT due to Jeff Berwick's advice however when I read tech posts, it is like I am back in 2nd grade. Nonetheless thank you for the information and I will continue to try figuring everything out here.
This is great, thanks! I made this the thumbnail for the post.
Wow! Really glad you like it! :)
Thanks @modprobe for making this important tool and @keepdoodling for the clever doodle :)
Yeah agree with you..... I will see and try this app :)
Great info!
Thanks~👍
Great!!!!!
Wisdom has tackled something that is feared
As usual this wisdom comes from a guy with a beard
He is coding on steempressure and coding it fast
Making these security issues a thing of the past
Give him your up vote and give him a yell
Then run to the streets and find others to tell
Bring them here to this wonderful steem
And swim in this freedom, and monetary stream
lol.. i see what you did there.... :)
I have some concerns.
So let me get this right.
Okay, call me paranoid, but here is the deal (no offense, just apply some common sense)
This might be the greatest volunteer effort which makes Steemit safer or the biggest scam which will harvest all the valuables for everyone who uses it. (or somewhere in-between).
So my advice to EVERYONE is to beware. Think critically. Understand if you launch an application, you are exposing your system and data. If you give your Private key you are granting your permissions and identity. If you give your Password, you are relinquishing all control, potentially now and forever! Think before you act.
All respect @modprobe. Nothing personal. Just concerned about security as well.
Regarding the first item on your list, the DAO code was audited by very famous and respectable company and what is the result? I think the fact that it is open-source is enough, just because you can check it by yourself and decide to use it or not.
Nope, I don't. I don't care if you use my app. I made this app because it would be useful to me, and I figured it would be useful to others as well (and the beta announcement got a $7k valuation, which is a nice incentive as well). I make no promises that it won't lose your keys, send your keys to Voldemort, steal your money, or set your cat on fire. I don't think it will do those things, but you've got to decide for yourself whether you want to accept that risk. And frankly, it makes little difference to me.
Best wishes! :)
Fair enough!
But would you consider opening up your code for a security and vulnerability review, having the Steemit devs (attn: @dantheman @pharesim @xeroc @theroetical) inspect it for potential inclusion into the overarching feature toolset, or at the very least have them sanction this tool as secure and recommended for the Steem community?
Certainly! The code is on Github, and there's a link to the repo in the OP. Anyone, including the Steemit devs, is welcome to review the code. I doubt they'll stake their reputation on it being secure, as I won't even do that yet (see the OP, which clearly states it's a beta and shouldn't be trusted too much yet), but I welcome comments from the developers you mentioned or any others who would like to commentate on my work or my reputation.
Outstanding! You have my support to get the Devs to review and endorse if it meets their criteria.
Great job. There are a few things I would love to see in the future for an application like this.
I think the application should also be able to generate a 256-bit entropy password as well (like steemit.com does) so that the user can use that password to derive multiple keys rather than only generated single keys that are isolated from one another. That way, a user can generate a single key for the owner authority, and generate a single password which they then use to derive the active and posting authorities as well as the memo key, for example. I suppose they could already use the randomly generated public key as a passphrase, but that could quickly get confusing for the user since their passphrase would look like a public key. The UI could also be streamlined for it so that they don't need to copy and paste the randomly generated password into another field in order to update their account to use the derived keys; they would just click the button to randomly generate the passphrase and then click checkboxes to determine which of the authorities/keys (owner, active, posting, memo) of the account should be derived from that randomly generated password.
Also, I think the UI should put less emphasis on the ability to derive keys using a user-chosen password. That could be a hidden away advanced feature. Most users cannot be trusted to choose a safe enough passphrase that won't be bruteforced.
I think it is important to have a GUI that allows the user to choose the server and port of the steemd websocket to connect to, since right now it is hardcoded to Steemit's websocket.
Finally, I don't know if this would be in your intended usage for Steem Pressure, but what I would really love to see in an app like this is an offline mode. This ecosystem desperately needs some offline transaction signing tools, at the very least for just the limited operations that require owner authority authorization (which so far means either changing the owner authority of the account, changing its recovery account, or proving owner authority).
Under normal operation, the application could generate the transaction to be signed during online mode and write it out to disk. It could also be run in offline mode which would allow the user to: select the serialized unsigned (or partially signed) transaction from disk; see the transaction visualized in the app so that they know what exactly they are signing; input the appropriate private key or passphrase that derives the appropriate key to sign the transaction; and then finally write the new signed (or partially signed) transaction back out to disk. Users could then use flashdrives with a live Linux OS and this app to do offline signing on an air-gapped computer.
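The key-derivation scheme discussed in the comment above (one random master password from which the owner, active, posting and memo keys are derived), as an added example in Python; this is not code from the post, the commenter, or the Steem Pressure project. It assumes the Steem convention that a role key is `sha256(account_name + role + password)` and that a steemit.com-style password is the letter `P` followed by a WIF-encoded 256-bit random value; both are stated here as assumptions, and the account name and password in the demo are constructed.

```python
import hashlib
import secrets

# Bitcoin-style base58 alphabet (no 0, O, I, l), as used for Steem WIF keys.
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

ROLES = ("owner", "active", "posting", "memo")


def base58_encode(data: bytes) -> str:
    """Encode bytes as base58; each leading zero byte becomes a leading '1'."""
    n = int.from_bytes(data, "big")
    out = ""
    while n > 0:
        n, rem = divmod(n, 58)
        out = B58_ALPHABET[rem] + out
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + out


def to_wif(priv: bytes) -> str:
    """Wallet Import Format: 0x80 prefix, 32-byte key, 4-byte double-SHA256 checksum."""
    assert len(priv) == 32
    payload = b"\x80" + priv
    checksum = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return base58_encode(payload + checksum)


def generate_master_password() -> str:
    """256 bits from the OS CSPRNG, presented like a steemit.com password (assumed 'P' + WIF)."""
    return "P" + to_wif(secrets.token_bytes(32))


def derive_role_keys(account: str, password: str, roles=ROLES) -> dict:
    """Derive one private key (WIF) per role from a single master password.

    Assumed Steem convention: seed = account + role + password, key = sha256(seed).
    The hash is a single unsalted SHA-256, so a human-chosen password here is
    only as strong as the password itself; that is the brute-force concern
    raised in the thread, and why the password should be generated, not chosen.
    """
    return {
        role: to_wif(hashlib.sha256((account + role + password).encode()).digest())
        for role in roles
    }


if __name__ == "__main__":
    pw = generate_master_password()            # show the user once, they back it up
    for role, wif in derive_role_keys("alice", pw).items():   # constructed account name
        print(f"{role:8s} {wif}")
```

Each role key is independent of the others (changing one role's key does not reveal the master password or the other keys), which is what lets a user hand the posting key to a web app while keeping the owner key offline.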
Great points all around. Thanks! I'd love to add support for offline signing, multisig, air-gap, etc. at some point. Sadly, there are many other things I want to add as well, and I have limited time to work on the app.
What I need is a way to prioritize new features. :P
Very interesting modprobe.. i am not sure of all the technical stuff behind what the hell you just did there, but it sounds pretty damn cool to me. My stupid question may be; does this stop Steemit.com from assisting us in recovering our account if we are hacked? thanks for your time ....
I would appreciate comment from @dantheman on this, but I don't think it will block that. Note that when you first change keys, Steemit.com will warn you that someone might have hacked your account because your keys changed. Just ignore that, since you did it yourself.
I do not change the recovery account, so I see no reason Steemit.com's recovery service would no longer work.
Would you mind adding that (recovery account change)? It would fit well within your app imo.
Ideally I would add support for the full recovery process -- setting the recoverer, requesting recovery and rejecting/fulfilling recovery. That's not a small change, but it's the kind of thing I'd like to support eventually. :)
You are the man! Well aside from @dantheman....
Thanks for your response... i would feel safe using this and changing my own keys if they will verify that for us. I think this is a breakthrough app for the security of my keys. Thank you for your time you put into this app.
Not a stupid question - this is a very good question. I am also curious.
In case anyone has problems compiling it under Linux/Ubuntu, I had some problems too and solved them.
I posted an issue about that on GitHub: https://github.com/nathanhourt/SteemPressure/issues/1
I'll try to push some changes later - but I am not sure if I can integrate them well, maybe @modprobe is better at adjusting that.
Ahh, yes, unfortunately my pull requests are not getting integrated: https://github.com/cryptonomex/fc/pull/50 Applying that ought to have your fc installing properly, which should resolve most of your issues. I'll also update the README to note that up-to-date versions of the dependencies are required (silly Ubuntu). :)
Well done, though! I'm flattered at the amount of effort you put into getting the project building. :)
Congrats Nathan, wonderful app and I like your roadmap...
How about even creating new accounts maybe?
Or you could build this out into a wallet even for transferring monies?
Thanks for this little piece of greatness. Checking out your code how you did it...
Ps. I've added you to the SteemTools.com overview with this project and @keepdoodling 's image ;)
Great, thanks! Yes, I can absolutely extend this for creating new accounts. And I've been thinking about adding some basic wallet functionality as well, particularly a "send tip to the developer" feature. =D
I hear modprobe hasn't shaven his beard ever since steemit launched.
Will using the app make my beard grow? Then I definitely will use it. No seriously, thank you for providing us security options