If Steemit were to get hacked, would my funds be safe?

in #steemit6 years ago (edited)


[edit] someone asked why am beating around the bush , but i already completed it in another reply :

https://musing.io/q/peachyladiva/p36wvarfx?r=profile-rudyardcatling

after reading the question i thought i was wrong, but i was incomplete, all info in the link or in the answer down here by @awesomeianist, thanks much

I'm not sure what you mean by hacked here.

As far as i know steemit does not store any password (or key) on its servers.

I'll try a bit of technicalities :

steemit is actually not the blockchain, steemit is an UI, short for User Interface, which takes data from the blockchain and transforms it into a visbile, readable format in .html format which can be rendered in the browser of your choice on your pc or phone (or tablet or whatever)

The underlying blockchain is accessible to anyone who cares to look and is maintained on a series of servers, which are maintained by witnesses. The witness system secures the data by making sure each and every one has a copy so no single one can alter the blockchain.
It is, in theory possible to change data in a ledger, but to do so you would have to recalculate / mine all subsequent transactions(hashes), the actual links between blocks of data

i went into this some questions earlier here : https://musing.io/q/bookoons/f33qrfhwx?r=profile-rudyardcatling

This is the main reason why you can not EVER delete any post , comment , or reply : once it is stored it sits in "a block" that only fits exactly between two other blocks and cant be moved to sit between any of the (i have no idea how many there are atm) other blocks ,

talked about that a bit here : https://musing.io/q/sagartalekar/pk4jssew5?r=profile-rudyardcatling

if you look at a chunk of the data it looks totally unreadable

its like

celerontcat@cerebro:/mnt/6f1cfa9e-a67f-43e5-bacd-8e60ac8ef226/steempyth$ cat steem.blockchain.json
{"block_id": "0000000109833ce528d5bbfb3f6225b39ee10086", "extensions": [], "previous": "0000000000000000000000000000000000000000", "signing_key": "STM8GC13uCZbP44HzMLV6zPZGwVQ8Nt4Kji8PapsPiNq1BK153XTX", "timestamp": "2016-03-24T16:05:00", "transaction_ids": [], "transaction_merkle_root": "0000000000000000000000000000000000000000", "transactions": [], "witness": "initminer", "witness_signature": "204f8ad56a8f5cf722a02b035a61b500aa59b9519b2c33c77a80c0a714680a5a5a7a340d909d19996613c5e4ae92146b9add8a7a663eef37d837ef881477313043"}
{"block_id": "00000002ed04e3c3def0238f693931ee7eebbdf1", "extensions": [], "previous": "0000000109833ce528d5bbfb3f6225b39ee10086", "signing_key": "STM8GC13uCZbP44HzMLV6zPZGwVQ8Nt4Kji8PapsPiNq1BK153XTX", "timestamp": "2016-03-24T16:05:36", "transaction_ids": [], "transaction_merkle_root": "0000000000000000000000000000000000000000", "transactions": [], "witness": "initminer", "witness_signature": "1f3e85ab301a600f391f11e859240f090a9404f8ebf0bf98df58eb17f455156e2d16e1dcfc621acb3a7acbedc86b6d2560fdd87ce5709e80fa333a2bbb92966df3"}
{"block_id": "000000035b094a812646289c622dba0ba67d1ffe", "extensions": [], "previous": "00000002ed04e3c3def0238f693931ee7eebbdf1", "signing_key": "STM8GC13uCZbP44HzMLV6zPZGwVQ8Nt4Kji8PapsPiNq1BK153XTX", "timestamp": "2016-03-24T16:05:39", "transaction_ids": [], "transaction_merkle_root": "0000000000000000000000000000000000000000", "transactions": [], "witness": "initminer", "witness_signature": "205ad1d3f0d42abcfdacb179de1acecf873be432cc546dde6b35184d261868b47b17dc1717b78a1572843fdd71a654e057db03f2df5d846b71606ec80455a199a6"}
{"block_id": "00000004f9de0cfeb08c9d7d9d1fe536d902dc4a", "extensions": [], "previous": "000000035b094a812646289c622dba0ba67d1ffe", "signing_key": "STM8GC13uCZbP44HzMLV6zPZGwVQ8Nt4Kji8PapsPiNq1BK153XTX", "timestamp": "2016-03-24T16:05:42", "transaction_ids": [], "transaction_merkle_root": "0000000000000000000000000000000000000000", "transactions": [], "witness": "initminer", "witness_signature": "202c7e5cada5104170365a83734a229eac0e427af5ed03fe2268e79bb9b05903d55cb965479

and so on for 100 or more GigaBytes , i don't know the exact current size , what you see there is already converted to.json format so you get every transaction in a nice line.

your account history, unformatted looks more like

'```
celerontcat@cerebro:~/Documents/steemUX/history$ cat fullhist_rudyardcatling
{"jsonrpc":"2.0","result":[[0,{"trx_id":"da5654724f6a0b35886d8173072148a8c1ca54f8","block":16163657,"trx_in_block":12,"op_in_trx":0,"virtual_op":0,"timestamp":"2017-10-08T23:49:03","op":["account_create_with_delegation",{"fee":"0.500 STEEM","delegation":"57000.000000 VESTS","creator":"steem","new_account_name":"rudyardcatling","owner":{"weight_threshold":1,"account_auths":[],"key_auths":[["STM7HigTEkCNePTR1QHHTaMX5kqPB2omaDcpY5RKs1zH2cG8mAweS",1]]},"active":{"weight_threshold":1,"account_auths":[],"key_auths":[["STM82DwaTnZrNNCU4eCm2FLCRWmZaMCz63BXDhtaYKNzUrgyf4aHm",1]]},"posting":{"weight_threshold":1,"account_auths":[],"key_auths":[["STM6bSVB2LUguK5wKNKE6i33ADmDBKh9mWw2oya1xTHkDCepbNHJb",1]]},"memo_key":"STM8G87DXb8cCBbimvkvfb9zAajGYzJX5kkVoQYhkJJUNGt88hxaW","json_metadata":"","extensions":[]}]}],[1,{"trx_id":"e125d4fe88eea6a6c82a38c7e9cff24106fb8d2a","block":16168890,"trx_in_block":32,"op_in_trx":0,"virtual_op":0,"timestamp":"2017-10-09T04:10:42","op":["comment",{"parent_author":"","parent_permlink":"introduction","author":"rudyardcatling","permlink":"a-story-an-introduction-mhh-well-what-s-in-a-name","title":"A story ? an introduction ? mhh ... well, what's in a name ?","body":"one might say the original question was, like ... like my google account closed by the name +retorica t ... lots of people thinking that i'm good with words since i'm not a native english speaker but sometimes somewhat punny ..


if you had to get your posts like this it would take quite some time to figure out who is saying what , lol, so UI's (user interfaces) like steemit, or busy, or musing, or dlive or any of the others take all that data and bring it to your browser in a nice, readable format, as you see here

if you have a pc, for instance, what you can do (i would recommend firefox for that) is take your account , in my case 
https://steemit.com/@rudyardcatling

and add .json to the end so https://steemit.com/@rudyardcatling.json

you will get a formatted overview of all things and variables related to your account

you can do the same to a post :

https://steemit.com/religion/@rudyardcatling/p3q7y8af5.json

and you will get an overview of about everything related to the post, including voters, the weight they voted with, the amount of vests every vote is worth and so on, you could for instance exactly calculate what every vote is worth, compare it to the voters current steempower and see if their 100% vote is a 100/100 vote or a 100/10 vote (voting weight comes from the slider but as you see on steemd or steemnow you have voting "power" which goes down about 2% for each consecutive vote, unless you waitt 2.5 hours (i think its more like 2hours24minutes)

Now the thing is : NOWHERE in all those gigs and gigs of data will you find any password or any key from any of the 1099352 number of accounts (at time of writing), they're not stored inthere.

So basically its not possible to "hack" steemit since steemit is only a translating tool for the data in the blockchain, and the blockchain, visible to anyone anywhere who cares to look

<center>*there are no secrets on the blockchain*</center>

does not contain any sensitive information (unless you accidentally post a naked selfie hahah)

several reasons for this : 
1) they dont have to provide storage
2)they have no liability
3) they have full deniability , if you're a supervillain and uncle fed wants you, they can't even give them the password, simply because they don't have it :)
4) no one up there has access to your account (but everyone on the planet can see the data that's included, thats just how present-day blockchain works , hyperledger (linux foundation) and banca (wallstreet) provide options for separate "zones" if you like that don't involve confirmation from the whole chain so its basically possible to have private transactions there, it hasnt lifted off yet, but seeins as linux foundation probably is the worlds biggest ultrageek collection i'm sure it will, after all : all supercomputers in the world run linux , not windows, not iOS, they ALL run linux (look that up if you dont believe it)

and then some

So the only who has your masterpassword is you

the only one who has your keys is you (unless you give them to someone)

if you don't know where to find those, open up a browser, click the icon with the profile picture, from the drop down menu select wallet , then select permissions, this will allow you to show your four keys on screen, the master key is needed to login , and to change the others, the posting key is (well....) for posting lol and the active key is used for financial transactions, sending sbd or steem from and to wallets. I assume the master can be used for all three ? (not 100% sure but since the other keys are generated from the master key i assume (again not 100% sure) the other keys can be calculated when needed if you enter that one

It's imperative that you keep a backup of at least your master key in cold storage (cold storage means offline) , wether that's a piece of paper or an encrypted flash drive is up to you and your financial situation i suppose, i wouldnt pin in on a sticky note on your desk at work in any case.

If you lose that , then there is NO WAY EVER you can recover your account, no one can help you , the keys are strictly private (althoug if you make an account @blocktrades as an alt you get the option to store your original key with them, probably for a fee but  PLEASE NOTE : the backup they have is only valid until you change your password, once you change that, they have no way of recovering it for you)

Now, about the hacking, where's the vulnerability ?

hacking is romanticized a lot and the word has also lost much of its original meaning .. a hack actually refers to creative use of resources, finding ways of doing things within any given system in a way it wasn't meant to be used originally ... you could call steem a hack of the original satoshi whitepaper if you like lol or maybe the [popcorn robots](https://www.futurity.org/popcorn-robots-1823052-2/) ... (<- that's a serious 'hack' hahah)

its not really like you see on t.v. , your prime example of a hacker would be Kevin Mitnick actually who hit it on the head with 'hacking humans' ... something the elusive and notorious Q of the original anonymous understood well (demonstrated by the way he used a 16 year old groupie to smile a bit at an admin to get a password to access a server from a security firm from a guy who had been on the #anonymous channel all the time boasting how he was gonna take them down and expose them and what not ... which he is probably regretting still until today since his security firm got "hacked by a 16 year old" as said Q did not neglect to rub in his face afterwards .. quite a funny story but hacking in almost all cases comes by local access.

You have your phishing scams, which will lead you to a place that looks familiar to enter a password , which then gets intercepted and stored on their drives and can be used to login to your account, that's probably the most widespread way

The attacks by anonymous arent really hacks in most cases but mostly exploits (which are hacks of sort) in the form of DDOS attacks which basically consists of flooding a server with so much data it can't cope anymore and either the system shuts down or no one can access it anymore, mind you, ddos requires quite some resources to generate the necessary flood to gobble up all that bandwidth)

Then you have your brute-force, but a standard steemit generated password would require some minor quantum computing to be done in a lifetime i think, i didnt do the numbers but i would really take quite some time to get a specific password
MIND YOU : the more keys there are, the more chance a brute force attack will get to at any given time get any given key , that's pure statistical , undeniable math, you know the length , and you know the possible characters used so the simplest of scripts can run indefinitely until it hits jackpot .. less chance than winning the lottery but very possible. Could be prevented if all nodes have a policy of logging for a short time, if an ip tries to access 60 times a minute it could be marked suspicous, but these two paragraphs hold two separate dissertations in itself and i don't wanna overdo it for the 50 cents this gets me so lets move on

The best chance for anyone to get your password is to have local access, since secure connections make it hard to hijack sessions. Someone who can get to your device can empty your wallet from there.

Then there's tools that simulate local access, hacks of hacks if you like ... memory resident programs that log keystrokes and file them , then send them to some remote server for analysis, i heard about (woops buxus moth ... i'm gonna make an exception to my non-kill policy , second ...)

i heard about the possibility to hijack the contents of the clipboard in memory, which means : if you copy-paste your password, the time it's in memory , that is in some systems until its pasted and in some until something else is copied to the clipboard it can be read , and just like a keylogger , filed and transferred for analysis.

That's like government level hacking (the most malware you would find is actually government issue or derived from that ... the best hackers they can catch rarely go to jail lol) but available to any script-kiddie as it used to be called who knows their way around.

You can even get data from optical emanations :

(emissions)
http://www.applied-math.org/optical_tempest.pdf
https://dl.acm.org/citation.cfm?id=545189

this means a guy with an iThing that has a high enough resolution could potentially read whatever you send out from the leds on your computer while standing across the street from your open window :p

(sci-fi stuff? not really but i doubt its gonna be easy to get your encrypted password out of that lol)

what's the maximum length of a post btw ? oh thats a good question, im going to ask that one first , hold on a minute

hm ... it wont let me post the question guess i'll have to get back on that

lets hope i'm not over it yet but i'm gonna draw the conclusion, thats more than enough time/reward ratio and more than i should put in it i think.

- Never give your password when anyone asks for it
- only use sites that use steemconnect, dont use sites who ask for your key directly
- always make sure you have the https connection to steemconnect or use metacert  to make sure you're on a trusted crypto-site
- spread your assets : once you get to a certain level of steempower, instead of putting all of it behind one password, get an alt-account, make one with steempy or @blocktrades, put half your steempower in the alt, delegate it back. That way your vote stays the same but you have TWO passwords, if one gets compromised or you lose it, you only lose half.

you can withdraw to an offline wallet (i wouldnt recommend keeping it on an exchange, large sums should be transferred to exchanges on the moment of trading and not kept there, these places are high profile and therefor prime targets for your professional hacker. Which, as mister robot would, wouldnt hold back of getting a job at the company that holds it ... local access, and who's got better mad skillz than the l33t haxx0rs of the world , hm? the only time those people would or need is to get access and to have cover ... to be a 'working man' ...

i think thats about the best way to secure it, dont log in to your alts unless you have to (i mean re-log, enter your password as few times as possible over time to reduce the risk at hijacking and SPREAD YOUR ASSETS ...)

an offline wallet means all that steem is sitting there, making you no money, if you keep it spread and active your vote is higher and you can do and reach more

i think that's enough for one post, don't you .... feel free to tell utopian or any of the enlightened ones how much you liked it because i 'm not gonna roll over to get a cookie from a fat fish . If its not good enough its not good enough, its good enough for me.

"do you like fish" ?

i like fish :p

me : 
https://steemit.com/introduction/@rudyardcatling/rudyardcatling-signature-post-20180719

feel free to delegate me a million SP, i'm not ever gonna run for witness here :D

feel free to upvote everything i post hahah

i hope you found something useful here , @rudyardcatling - out
dammit i forgot to vote again, i lose about one to two votes daily because im always overtime for my 100/100

anyway, o yasumi , why cant i post that question ???


Sort:  

good sound advice like always from @rudyardcatling for the uninformed about blockchain security and how it's composed, while it's very reassuring that our keys and passwords are not stored in the blockchain and being vigilante with our keys should always be a priority if you value your coins. i would add getting a good antivirus and firewall is also an added prevention from hackers. and yes i like fish :)

well someone made me doubt for a moment there i missed a bit
https://musing.io/q/peachyladiva/p36wvarfx?r=profile-rudyardcatling

but i was only incomplete in my assumptions and ramblings there

an extra layer of security would be awfully nice, yes but that would mean all passwords are stored on a remote server, which gives way to local access hackers , its always something, the only thing so far i can see is spread assets over different passwords and yea

if it weren't underpaid as bad as a kid in china fabricating iThings for about the same amount of hours a day being on and hovering around i should maybe think about change my name to

eduCAT.png

:D ... i fear there's not much else to do without a massive cash injection or selling your soul to the whalegod than grinding like a biblical farmer until you pass that point on the exponential curve (hopefully before i'm 90 lol)

fish will have a whole different meaning since that day, truly and really :p:p:p

the reward is in patience keep on truckin don't forget it's an exponential curve the more you have the more you make so... knowledge is power here more is better, myself i have to make adjustments like everyone else this all seems to take longer than anticipated but then again you kinda never know whats around the corner in next act and it would be nice if it was a pleasant surprise for once :)

Loading...

You just planted 0.05 tree(s)!


Thanks to @rudyardcatling

We have planted already 3396.74 trees
out of 1,000,000


Let's save and restore Abongphen Highland Forest
in Cameroonian village Kedjom-Keku!
Plant trees with @treeplanter and get paid for it!
My Steem Power = 19249.82
Thanks a lot!
@martin.mikes coordinator of @kedjom-keku
treeplantermessage_ok.png

Upvote and comment my last post

Congratulations @rudyardcatling! You have completed the following achievement on Steemit and have been rewarded with new badge(s) :

Award for the number of upvotes received

Click on the badge to view your Board of Honor.
If you no longer want to receive notifications, reply to this comment with the word STOP

To support your work, I also upvoted your post!

Do you like SteemitBoard's project? Then Vote for its witness and get one more award!

lol ... we got ourselves a reader

takes a coder to get to the bottom of the code and a reader to read, i'll send it right away but it takes about 7 days to get hold i'm sure you know the deal with @steembasicincome, THANKS for reading (or scrolling down hahah)tu.png

blatant difference with comment and upvote my post .... hmz ... ;-)

it's coming in from @ubasti but you wont get a notice, i think they only send it the first share you get, you can check your totals on the spreadsheet they link in their posts or take it up with @josephsavage for questions, the man is always most helpful and dedicated

lol hehe, thanks. I'll check it.

Informative and appreciated

thank you very much

eduCAT.png at your service :p :p

Coin Marketplace

STEEM 0.23
TRX 0.21
JST 0.035
BTC 97816.08
ETH 3416.41
USDT 1.00
SBD 3.21