Steemit Releases Groundbreaking Account Recovery Solution

in blockchain •  last year

Today we would like to introduce our innovative approach to securing user accounts. As far as we know, our solution is completely new in the cryptocurrency space and will raise the bar for security on all platforms. So before getting into our solution, let's give you some background on the nature of our security challenge.

Background

A recent post by @karnal talks about how no browser based wallet can ever be completely secure.

It is incredibly difficult for services like blockchain.info to keep user wallets secure and they have a major advantage over steemit: they do not display user-generated content. The mere act of displaying user generated content means we must filter said content for anything that could be reinterpreted by your browser as a request to send your passwords elsewhere. Filtering is very hard to perfect, something eventually gets through the cracks.

Recognizing what is Impossible

We recognize that it is impossible to prevent all browser side exploits. The reality is that there are too many factors that are completely outside the control of steemit. These factors include browser vulnerabilities, plugin vulnerabilities, phishing attacks, man-in-the-middle attacks, etc.

Some people suggest going to extreme measures such as hardware wallets and downloadable apps. The reality is that this approach to security is extremely costly and harmful to the user experience.

Steemit will do everything it can to give users the best possible options to secure their accounts. We also know that only 1% of users will actually use the best options. For most people, convenience trumps security.

I can put this into real world terms. It is impossible to prevent someone from breaking into your house. You could spend millions of dollars on the most advanced security systems and people can still break in. Not only that, every extra security measure adds inconvenience to your life and requires constant vigilance. Even a nuclear power plant in Iran that was completely disconnected from the internet was hacked.

At some point the cost of preventing a break in is higher than the cost of recovering from a break in.

Attempting to do the impossible is bound to fail. Instead Steemit will take a new approach.

Recovering from Theft

You may not be able to keep thieves from breaking into your house, but at least you know you can get back in and change the locks. This is the approach that we are taking.

With Bitcoin and other cryptocurrencies a hacker breaks into your house and changes the locks. You are unable to get in without "hacking the hacker" and that is almost impossible for 99.999% of people to do.

With Steem all of this is going to change.

If your account gets stolen, then you will be able to work with Steemit, Inc (or someone else of your choosing) to recover your account. All you will need to do is have access to any key you used on your home in the past 30 days.

The thief got into your home because he got a copy of your key. From the blockchain's point of view there is no difference between you and the thief. From the outside world's point of view there is a huge difference.

In my previous post I challenged the concept that "Key is Law". I made the point that for blockchains to protect property rights they need to factor real identity rather than just evidence of identity. Your password (aka private key) is just evidence. It is not absolute proof. The mistake blockchains make is to assume that it is proof.

How it Works

When an account is hacked there are two or more competing claims of ownership because multiple parties may have access to the password. The blockchain simply needs a way to break the tie and pick one claim over another. This requires three things:

  1. Time
  2. Monitoring
  3. A trusted individual to vouch for you

Time

If there is no time period during which key changes can be challenged, then the first person to change the lock wins. The more time you have to respond, the less chance that someone will get away.

Monitoring

If you are not paying attention then all the time in the world will not be of use. You need to be notified every time the key changes on your house. This notification gives you the most time to find a trusted individual who will vouch for you.

A Trusted Individual

A trusted individual is someone who can identify you independently of your key. Steemit can identify users by their email, Facebook, and Reddit logins (if you signed up through us). You could also use your mother, wife, employer, friend, or another third-party provider.

The Process

When you notice your account has been hacked you contact your account recovery partner (the trusted individual) and ask them to submit a request to change the locks on your account. They verify you by whatever means they find satisfactory and then submit a proposal to the blockchain to change the locks to the ones you gave them.

Once the proposal is submitted to the blockchain, you will have 24 hours to log in with both your old and new keys (aka passwords). Any key you used within the past 30 days is sufficient. If you log in in time, then the keys will be changed and the hacker will be locked out.

If you don't have a key that was used within the past 30 days, then your account will be unrecoverable.
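To make the tie-break concrete, here is a small Python model of the process just described. It is an added example written for this page, not Steem's own code: a thief with a copied key changes the lock, the recovery partner proposes the new key the owner handed them, and the owner must present both an owner key used within the last 30 days and the proposed key before the 24-hour window closes. The class and function names, the account "alice", the partner "steemit" and the key strings are all constructed for the scenario.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Parameters stated in the post: 24 hours to act on a proposal, and any owner
# key used within the last 30 days counts as proof of prior possession.
RECOVERY_WINDOW = timedelta(hours=24)
OWNER_KEY_HISTORY = timedelta(days=30)


@dataclass
class Account:
    name: str
    owner_key: str                 # the current lock; a stolen copy opens it just as well
    recovery_partner: str          # the trusted individual allowed to propose a new lock
    key_history: list = field(default_factory=list)  # (replaced_key, time_replaced)
    pending_recovery: Optional[tuple] = None         # (proposed_key, expires_at)


class RecoveryChain:
    """Toy ledger (constructed) that models only the tie-breaking rules in the post."""

    def __init__(self):
        self.accounts = {}

    def create(self, name, owner_key, partner):
        self.accounts[name] = Account(name, owner_key, partner)

    def change_owner_key(self, name, signer_key, new_key, now):
        # Anyone holding the current owner key may change the lock: the chain
        # cannot distinguish the owner from a thief with a copied key.
        acct = self.accounts[name]
        if signer_key != acct.owner_key:
            raise PermissionError("signer does not hold the current owner key")
        acct.key_history.append((acct.owner_key, now))
        acct.owner_key = new_key

    def request_recovery(self, name, partner, proposed_key, now):
        # The partner vouches for the owner by proposing the lock the owner handed
        # them; the partner never learns any of the owner's keys.
        acct = self.accounts[name]
        if partner != acct.recovery_partner:
            raise PermissionError(f"{partner} is not the recovery partner of {name}")
        acct.pending_recovery = (proposed_key, now + RECOVERY_WINDOW)

    def recently_used(self, name, key, now):
        acct = self.accounts[name]
        if key == acct.owner_key:
            return True
        return any(k == key and now - replaced_at <= OWNER_KEY_HISTORY
                   for k, replaced_at in acct.key_history)

    def recover(self, name, recent_key, proposed_key, now):
        # Tie-break: within 24 hours the claimant must present BOTH a key used in
        # the last 30 days AND the key the partner proposed.
        acct = self.accounts[name]
        if acct.pending_recovery is None:
            raise ValueError("no recovery proposal pending")
        key, expires_at = acct.pending_recovery
        if now > expires_at:
            raise ValueError("recovery proposal expired")
        if proposed_key != key:
            raise ValueError("new key does not match the partner's proposal")
        if not self.recently_used(name, recent_key, now):
            raise ValueError("no owner key used within the last 30 days")
        acct.key_history.append((acct.owner_key, now))
        acct.owner_key = proposed_key
        acct.pending_recovery = None


def theft_and_recovery(hours_until_owner_acts=5, partner="steemit"):
    """Constructed scenario: a thief with a copied key changes the lock; the
    owner asks `partner` to propose a new one and then proves both keys."""
    chain = RecoveryChain()
    t0 = datetime(2016, 7, 17, 12, 0)
    chain.create("alice", "alice-key-1", partner="steemit")
    chain.change_owner_key("alice", "alice-key-1", "thief-key", t0)  # the break-in
    try:
        chain.request_recovery("alice", partner, "alice-key-2", t0 + timedelta(hours=2))
        chain.recover("alice", "alice-key-1", "alice-key-2",
                      t0 + timedelta(hours=hours_until_owner_acts))
    except (PermissionError, ValueError) as exc:
        return f"failed: {exc}"
    try:  # the thief's copy no longer opens the door
        chain.change_owner_key("alice", "thief-key", "thief-key-2", t0 + timedelta(days=1))
        return "thief still in control"
    except PermissionError:
        return chain.accounts["alice"].owner_key


if __name__ == "__main__":
    print(theft_and_recovery())                           # alice-key-2
    print(theft_and_recovery(hours_until_owner_acts=30))  # failed: recovery proposal expired
    print(theft_and_recovery(partner="mallory"))          # failed: mallory is not the recovery partner of alice
```

The third run shows why the thief cannot simply "recover" the account for himself: only the designated partner may open the 24-hour window.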

Why it is Secure

This process is strictly more secure than what any cryptocurrency offers today. Your trusted account recovery partner does not have access to your account because they do not have access to any of your keys. This means that your account is secure unless you are hacked by your account recovery partner. Because you know who your account recovery partner is there is little chance they could hack you and get away with it.

What if your Recovery Partner is Hacked too?

In this case, they would simply appeal to their own account recovery partner. Once they recover their account, then they can work with you to recover your account. It is exponentially unlikely that the hacker can compromise all accounts in a very long chain of recovery partners.

Changing your Partner

At any time the owner of an account can request a change to their recovery partner. After a 30 day wait (during which the change can be challenged), the recovery partner is updated. This means that if you buy an account from someone, then you can rest assured that they cannot take it back. It also means that if you don't like your current partner then you can change it. The recovery partner has no say over the process.

Selling / Transferring Accounts

Under this system it is still possible to transfer accounts. You must either notify your recovery partner of the change or change the recovery partner. Transfers can be instant if you both trust the recovery partner, or they can take 30 days if you don't trust the recovery partner.

Keeping the Horses in the Barn

When a thief breaks into your house he can still do a lot of damage while you are getting the locks changed. Any cash you have lying around can be taken. You may get your house back, but the cash is still long gone.

Enter Steem Power

90% or more of all wealth in Steem is held in the form of Steem Power. This means that even if the thief gets into your house, he must wait for the time-lock safe to unlock before he can get to your cash. As long as you get your account recovered before your account can power down (1 week) then 99% of your Steem Power will be safe.

Future Work

Now that we have a rock-solid account recovery process, we will add features for people to hold STEEM and Steem Dollars in time-locked "savings" accounts. These "savings" accounts would add a multi-day delay to any transfer request. If your account is hacked, then you will have a few days before your "savings" is at risk.

Conclusion

Steemit has created a solution to account security that is completely decentralized and based upon real-world identity rather than the poor substitute of a single private key. The entire social network collectively secures and identifies each other. It does all of this without introducing an increased level of trust nor requiring a centralized provider.

Under this model it should be completely unnecessary to hardfork in response to a hack. Any money that does get lost will be small amounts of liquid cash held outside of Steem Power or the time-locked savings accounts.

Due to these extra measures, Steemit can continue to provide a web-based interface even though keys will get stolen from time to time. What won't get stolen is account identity and that makes all the difference in the world.


In information security speak what Dan is talking about is incident response and disaster recovery. As long as the system you build has an ability to "self heal", which means to recover from attacks and develop immunity to future attacks which use the same methods, then you'll do fine. The attacker might be successful and in that event the system is resilient enough to heal and recover continuously from threats like an immune system.

Roaches for example are almost impossible to exterminate because they mutate so fast, reproduce so fast, and adapt to threats so fast. This indicates that roaches are incredibly resilient to attack because diversity and fast mutation provides collective security for the roach species. I wrote something about this in an article called Attack Tolerant Information Systems, and the point is you're never going to be able to prevent attacks but you want to build systems which tolerate being attacked and develop an artificial immune system of a sort.

That kind of solution may go beyond what Dan is talking about with Steemit so far but I thought I would mention it anyway for people interested in the state of the art in security.

Convenience vs security can be bypassed if you have good disaster recovery. Group owned accounts using multisig is the best idea. We can secure our accounts through our social networks of friends. If we are using Facebook then in the event of a compromise we can confirm on Facebook that it is us. Or we can simply use a PGP signed message which I also made a section for on Steemit. If you know how to put up a PGP public key then I suggest you put one up in your blog just for Steemit.

  1. https://steemit.com/tauchain/@dana-edwards/attack-tolerant-information-systems
  2. https://steemit.com/steemit/@dana-edwards/private-communication-with-me-via-pgp-for-those-who-know-and-understand

Although not completely related to the technical aspect of your post, I discovered a method of roach extermination on Amazon.com which proved to be more effective than modern pesticides. Boric acid pellets worked more effectively because the roaches will crawl upon the pellets and often ingest the powder from the pellets as well.
Afterwards, the roaches will transport the powder from the pellets back to the nests via their limbs. All of the roaches in the nest are exposed to the boric acid residue introduced by the host. The host dies and all of the roaches in the nest as well.
Their ability to mutate and reproduce is cancelled within the nest environment. All other roaches, when exposed to the morbidity within the nest, will eventually flee the immediate area of infestation.
I believe modern manufacturers of pesticides discovered that boric acid was less profitable because the roaches ceased to mutate, reproduce and develop the instinct necessary to evade attack.

this is incredibly interesting, thank you.

This sounds like a lot of the concepts developed by James D'Angelo. I hope he's being rewarded for it!

I'm confused, are we able to use multi-sig on steemit yet?

I have no idea what you are all talking about but it's interesting and I guess I have to learn how to lock my new steemit home ...Thanks for this @dan, you made my head very dizzy :)

Please check out this post I made about a Steemit bug. The devs should see this post so they can fix it. https://steemit.com/bug/@stijn/steemit-bug-needs-to-be-fixed

I commented in the wrong place sorry (edited)

Good lord! This makes me so insanely bullish on STEEM.
I think this can solve so much of the bad press and bad UX that have hindered adoption of crypto in general.
This solution is decentralized and can be applied to lots of other fields. Very similar to the way private law would operate in a Voluntaryist society.

The fact that STEEM has the vesting feature just makes it all that more robust.

So let me get this straight.. first you find a way to onboard non-crypto people into the crypto world.
Then you find a way to make POW non-ASICable (by posting, commenting and upvoting).
Then you figure out how to effectively peg a cryptocurrency to the USD.
Then you find a way to make transactions on a blockchain free.
Then you find a way to build a browser side open bazaar.
In fact pretty much everything is browser side for the masses to just type www. whatever and begin...
Now this genius free market solution to preventing theft!

Hats off to you and your team...

As I said in one of my very first BitSharesTalk posts "Can we get a couple of full time security guards to guard this dude's house while he frees the world from tyranny?" haha!

For Chinese users:
Translation of the main content of "Groundbreaking Account Recovery Solution"


How the solution works

When an account is hacked, there will be two or more competing claims of ownership, because multiple parties can access the password. The blockchain just needs a way to break the tie and pick one claim over the others. This requires three things:

· Time
· Monitoring
· A trustworthy person to vouch for you


Time

If there is no period during which a key change can be contested, then the first person to change the lock wins. The longer you have to respond, the harder it is for someone else to get away (or to beat you to it).


Monitoring

If you are not paying attention (deliberately), all the time in the world will go unused (it simply slips away). You need to be notified every time the key to your house is changed (since you are the owner of the house). This notification gives you the most time to find a trustworthy person who can vouch for you.


A trustworthy person

A trustworthy person is someone who can identify you independently of your key. Steemit can identify users by their email, Facebook login, or Reddit login (if you registered your account through them). You can also use your mother, wife, employer, friend, or another third-party provider.


The process

When you notice your account has been hacked, contact your account recovery partner (the trusted individual) promptly and ask them to submit a proposal to change the lock on your account (a request to freeze the account). They can verify you by any satisfactory means (proving you are you, ^_^), then submit a proposal to the blockchain to change the lock (the door lock is a metaphor; on the blockchain it means replacing a public/private key pair) to the one you handed to that trusted person (who is also the one submitting the lock-change request).

Once this proposal (the lock-change request) is submitted to the blockchain, you will have 24 hours to log in with both your old and new keys (also called passwords or private keys). Any key (password, private key) used within the past 30 days is sufficient. If you log in in time, the key will be changed and the hacker's key will be locked out (invalidated; it no longer opens the door).

If you do not have a key that was used within the past 30 days, then your account cannot be recovered.


Why it is secure

Strictly speaking, this process is already more secure than what any current cryptocurrency offers. Your trusted account recovery partner (the third party) has no access to your account, because they do not have any of your keys (private keys). This means your account is secure unless it is hacked by your account recovery partner (the third party). Because you know who your account recovery partner (the third party) is, they still have only a slim chance of hacking you and then disappearing.


What if your recovery partner is hacked too?

In that case, they can only turn to their own account recovery partner. Once they have recovered their account, they can then work with you to recover yours. It is absolutely impossible for a hacker to attack every account in a very long chain of account recovery partners.


Changing your partner

At any time the account owner can request a change of their (account) recovery partner. After a 30-day waiting period (during which the change can be acted on), the request to change the recovery partner is completed. This means that if you bought an account from someone, you can rest assured that (after the 30-day waiting period) they cannot take it back. It also means that if you do not like your partner, (after the 30-day waiting period) you can replace them completely. The recovery partner has no say in this process (you are the account owner; you decide).


Selling / transferring an account

Under this system accounts can still be transferred. You must either notify your account recovery partner or replace the recovery partner. If both of you (the two parties to the transfer) trust the recovery partner, the transfer can take effect immediately; if you do not trust the recovery partner, you can choose to replace the account recovery partner and then wait 30 days.


Keeping the horses in the barn

When a thief breaks into your house and you change the locks (so he cannot get out), he can still do a lot of damage. Any cash lying around can be taken. You may get your house (account) back, but the money is gone.


Converting to STEEM POWER

In Steem, 90% or more of all wealth is held as STEEM POWER. This means that even if a thief gets into your house (a hacker hacks your account), he must wait for the time-lock safe to unlock (translator's note: STEEM POWER is locked; converting it to freely spendable STEEM requires linear unlocking over two years, 52 weeks a year, one unlock per week, 1/104 each week) before he can take your cash (STEEM is the equivalent of your cash on Steemit). As long as you recover your account before the funds unlock (Power Down, i.e. converting STEEM POWER into STEEM, unlocks once a week, 1/104 each time), that is within one week, then 99% of your STEEM POWER (translator's note: about 1% was already unlocked earlier and not yet transferred by you) will be safe.


Future work

Now that we have a solid account recovery process, we will add time-locked "savings" accounts for the STEEM and Steem Dollars held in user accounts. These "savings" accounts will add a delay of a few days to any transfer request. If your account is hacked, you will have a few days (to recover the account) before your "savings" are at risk of being stolen.


Conclusion

Steemit has created an account security solution that is completely decentralized (control is distributed) and based on real-world identity rather than the poor substitute of a single private key. The entire social network jointly protects and verifies one another. It neither introduces a higher level of trust nor requires a centralized service provider.

Under this model, responding to a hack requires no hard fork at all. Any funds lost will be small amounts of liquid cash: the part held outside STEEM POWER not yet unlocked into STEEM or outside the time-locked savings accounts.

Thanks to these extra measures, Steemit can continue to provide a web-based interface (as it does now), even though thefts will still happen from time to time. What cannot be stolen is the account's identity, and that is what makes it (what Steemit offers) different.

Wow 9K payout! Biggest I've seen on here so far I think. Cool

Very innovative concept. As many of us know we can always expect fresh creative and ingenious ideas from team Larimer!

Guys this is brilliant. This is why I don't mind investing into this, the devs are just world class.

right on the money

When will we see in the GUI

  1. Notification that our keys were changed? (Or by email?)
  2. The GUI of the time-locked saving?
  3. Settings for the partner?
  4. An integrated walkthrough for the newbie?

what about transactions? when are they re-enabled?

what I'm currently missing:

mobile app
marketplace (in development)
escrow (in development)
messaging (in development for GUI)
down votes stake based. (do not hide posts for newbie dv's)
restrict accounts with less than 20 SP (eg 1 post per hour, commenting every 10 mins)
better wallet overview (example add a ticking $D interest counter, explain payouts)
add clickable links to history payout posts
add follower stream
add mute lists and make them follow-able via proxy
language filters
addthis.com sharing buttons
post stats / analytics
referral program
a blog page where the user can decide which posts to show
night mode theme
ipfs images integration

There should be a mobile app for sure. User experience can be so much better.

completely agree with you

They are working on it - heard it in a youtube interview with one of their devs

Good list of future improvements.

This post is only about the technology being deployed in the hardfork taking place in 24 minutes. We are working to improve the web interface to take advantage of these features.

Yeah this is why Steemit is going to be successful compared to these other complicated cryptos that most people in the world would be confused/possibly scared by..

I believe in STEEM all the way which is why I'm holding out for my helicopter and island.. I tried to inspire people in a post I did yesterday called What sounds better.. a new car or a yacht?

Check it out and let me know what ya think :D
https://steemit.com/investment/@stealthtrader/what-sounds-better-a-new-car-or-a-yacht

Dan, it may be a good idea to state the timeframe for this recovery process to be fully implemented and in effect, as some folks may immediately become more relaxed on security, misunderstanding that the procedures and protocols are not yet in effect.

All I can say is that our developers are working around the clock to get this out as soon as possible.

The necessary blockchain level features are now in place. The web interface to enable the use of these features to recover accounts is half done and will be deployed as soon as it is ready. We wish to make the experience as smooth and seamless as possible to recover your accounts.

Thank you and please take your time. I am sure we can all wait for a solid implementation, rather than something done under the pressure to rush out with!

Thank you and your team for all you're doing as far as security. It really says a lot about your commitment and responsiveness to the community needs... We're all grateful for the project overall Great Work!!!!

This is amazing, ground breaking is the right word, and the idea of a security partner goes hand in hand with steemit being a social network platform. This is also easy for the average person to adapt to, no technical savviness required.

There is a concept called "Social Networks as Contract Enforcement" in academic literature. Not only can you provide security in this instance but you can possibly do loans and other things which require trust. So for goods and services I think Steemit can expand into that too and compete with the likes of Open Bazaar with an edge.

  1. Social Networks as Contract Enforcement: https://stanford.edu/~arungc/CKL.pdf

Open Bazaar you say.. when the steem dollar marketplace launches, you wont be saying "Open Bazaar" anymore

How do we go about choosing a partner?!

By default all accounts have the account creator (steemit) as the partner. If you are an advanced user and pay to create a new account, you will be the partner on the new account by default.

We will provide an interface in the wallet as soon as possible. Please understand that interface work takes much longer than backend work.

Thank you for taking the time to answer our questions. You guys are under a lot of stress and pressure and, I imagine, lack of sleep. We appreciate you and please take the time to do it right. thanks.

I'd like to know how we choose a partner also?

@dan, this is remarkable. I haven't read through all the comments yet, but here is my biggest concern:

If a thief gains access to my account and powers-down to try to steal my SP, is that power-down request still set in stone when I recover the account? I.e., even if all my wealth is held in SP, it seems like a thief can effectively destroy my account by powering-down. True, he won't get any of the steam points, but now all of a sudden I don't have any SP because they're powering down for the next 2 years.

My question may actually not be relevant, depending on the answer to my earlier question about the timing of power-down.

From what I see, power down can be canceled at any time, after 1 week or 10. So that's not worrying. Also, if this will work, you'll have access back to your account in a day, not 2 years, as much as I understand it at this point!

You can cancel power down.

And there it is. Thanks!

I hope the problem can be resolved properly, thanks to this notice and it was very important, waiting for good news my brother @blackjincrypto account being compromised, hopefully it can be re-accessed

hi

Sounds good!!!!!!!!

That you guys have been able to think through and so quickly deploy this in the midst of everything else is damn impressive. Great job to all!

Hello! I would like to get your opinion on this. Thank you! https://steemit.com/steem/@acidsun/banners-for-steemit-community

Thank you for this.

I agree with @dan on how any high-tech approach to the "impossible" 100% account/wallet security, will inevitably hurt user experience.

I think for now, the proposed method above will suffice, if we find other methods in the future that can improve on this, then why not?

Thank you again for being vigilant on this front. Security should always be one of our top priority. ANYWHERE. -east

Thank you for this article and the explanation. Very impressed how you keep learning from challenges and keep blockchains improving.

Very nice work, this is truly an awesome addition and creates a new standard and sets the bar for all other cryptos.

I AGREE! Thank you for posting. Hope you get this to snowball to the top!
I up-voted you too... BTW, should steemit let us steemers advertise using steem? Be sure to tell everyone you know to come vote here at: https://steemit.com/steemit/@kingtylervvs/if-steemit-ever-does-decide-to-advertise-there-is-only-1-way-it-could-work-in-my-opinion-debate

This is a democratic community decision.


One of the important things here is to maintain honesty. Vote for posts and comments that are really good, or similar to your personal preferences. Many strategies made just for making money are destined to fail; they probably work a while but the community will go towards equilibrium.

The best strategy is generate value and find good posts or comments before the rest.

Great post!

All of these attacks and FUD being spread across the web have me even more interested in steemit. We have got the attention of some powerful people and they are not happy. I myself started to doubt the power of this thing, but I am seeing the light.

Keep up the great work dan and crew.

One new idea in chains to stomp out an unauthorized holder of a key, is to pre-sign a future "hard fork" when the account is created.

For instance:

I create an account, and associated key. I am also asked by the system, pick the next "3" days that your key can be reset with a certain phrase.

I enter in:

August 15, 2016 - "Its August and I love cherry pie 7820"
January 3, 2017 - "It's a wonderful life, and I think so too 3431"
April 21, 2017 - "This isn't my birthday and no one knows that 9020"

I then scribble these down on piece of paper and hide them in my safety deposit box.

Even if I lose my keys, or my hard drive crashes, with those phrases, and on those specific days I could reset my keys.

This stops:
A) Account selling
B) Loss of vested keys

It allows me to recover my account, myself, without the need for anyone's help, should something happen in the future.

All of this is encrypted, signed, and locked in a recovery blockchain. So I can protect my future self in advance. :)

This is better than a challenge question, or challenge answer, because it relies on a specific future date. Only I'd know that future date, so brute forcing, or social engineering my questions or phrases won't help a hacker.

2FA scares me in case I lose or break my device. We're all good with pen and paper and secret places to hide that piece of paper. So this is like 2FA, but a little more humanized.

"I actually understood that reference," said CPT Rogers. This quote was my first thought after reading your comments. I am, quite often, scrambling to understand any of this new language in this strange land called 'crypto'. Cheers.

Go dan...go dan

Good news!
BTW, I've heard that there is gonna be a Russian analog of Steemit soon. What about source code, is it open? What is the license?

This adds an incentive to power up. One should not hold Steem in his account for security reasons. Great solution @Dan

everyone should power up...

You can apply time-lock to your liquid steem/steem dollar in your wallet as well.

what does time lock do?

that is a future proposal, not currently implemented.

This is perfect, amazing progress in development. Especially considering how the problems came to light with the attack just a few short days ago. You guys are putting on a crash course in the perfect way to begin a crypto project. Transparency, skills and most importantly excellent solutions to problems with real results. Bravo!

I have to congratulate steem on its innovative approaches to many problems with crypto currency. From stability issues of value by being able to convert steem dollars to steem as well as the steem power as a source of secured long term profits. I love it all. Great job! Keep up the good work.

Thanks for putting this together for the community.

Great work guys, I'm excited to see this in action, even if I am a bit skeptical in some ways (it's hard not to be in crypto, eh?)

Excellent. Way to be on top of things. Big Big VOTE UP!!

The STEEM team is a big part of why this will more than succeed.

You guys are awesome!

Thanks

This looks very promising compared to other security implementations platforms are taking and a complete rethink is needed, keep up the good work dan

This was a team effort. I am very grateful for all the developers who have been working 18 hr days this week to enable this innovation.

Good post! I like it! Good Luck To You!

Under this model it should be completely unnecessary to hardfork in response to a hack? its really?

Yes, even exchanges can use this process to secure their funds. In the event the process fails it should only be for small amounts and extremely special circumstances.

@dan: by the way... I tried to contact you, to ask about the upcoming hardfork:

https://steemit.com/steemit/@noisy/next-hardfork-scheduled-for-sun-17-jul-2016-15-00-00-utc

I would like to just make sure that you are on the skype chat for owners of the exchanges.

Excellent article another feature that could be added is for people to hold STEEM and Steem Dollars in partner-locked "savings" accounts. These "savings" accounts could add a "trusted partner ID verification" (or multiple partner ID verifications ) to any transfer request. This would make near instant withdrawals possible with no need for a time delay. Beneficial for those needing liquidity at all times.

This could be implemented by submitting the phone numbers of "trusted partners" who could submit the verification along with a code from Google's "authentication app" on their phone/s.

Thank you very much for the continued transparency and updates, @dan .

I am very interested in seeing how you approach security - it is an innovative, and in my eyes ingenious, approach, which seamlessly addresses one of the core challenges when it comes to security: the user. I very much appreciate how you wish to enhance the user experience whilst keeping it as convenient and easy as possible to ensure proper security for as many users as possible. Kudos.

great info !!!!! well done steem is more secure

These kinds of innovative & practical solutions from the Steemit team give me incredible confidence in the platform. It's hard to maintain the balance of user-experience and security and this is a creative & elegant solution!

Steemit up. Great indeed!

Classy post. cool

This has to be the greatest most innovative group of developers I have come across so far. Keep up the great work!

That's why I want to move everything to STEEM POWER!

I love the way Steemit handled this.. With a new site concept like Steemit seems like it is the best way to keep the site moving forward :D

Interesting solution!
A trusted 3rd party of the users choice is a nice change from being forced to trust some random company or fork over private information.

Hello! Transfers are temporarily disabled today and, associated with it, I cannot log in with my owner key?

This new security improvement is great. I feel much better now. Good work to say the least and a huge thank you for taking proactive actions.

This feature is absolutely critical to mass adoption and addresses one of the largest barriers to wealth entering crypto assets. In the fiat world banks and credit card companies can assist customers if they are hacked, in the crypto world there is effectively zero recourse. Congratulations to the devs on another revolutionary innovation!

https://steemit.com/money/@johnsmith/can-you-hear-it

What do you mean by "They verify you by whatever means they find satisfactory" ?

Is it a system like Hotmail accounts, where you had to answer successfully a sufficient number among 10 personal questions? I know, because I was in the customer service of Microsoft. And even if that was enough in 90% of the cases, you still had some cases when the guys could not remember the answers, or didn't provide enough info, etc...

Great and very solid concept! I truly believe that next project, which can solve Identity-based problem (blockchain powered, obviously) will be next big thing. Huuuge thing!

I'm sure you will do your best! Thanks for the update!

Dan! Sure do appreciate all the clarification and availability to answer questions on #steemithack

Beautiful!

Hey Dan,
the idea of a recovery partner is pretty good. How exactly can I choose who will be my recovery partner? Where can he request to change the locks on my account?

Great initiative , its always logical to hope for the best but be prepared for the worst.

Good tutorial. There needs to be a place where you can find them all at one place.

This is great! I suppose the hack was a wake up call of sorts to implement better security measures and features. Hopefully you will be implementing some changes to the web interface soon to make things a bit easier for all the users of the platform. But cheers on this ground breaking solutions for everyone on the platform!

You guys keep on surprising us!! One after the other innovative ways to deal with things. That's why Steemit is growing so fast and it deserves too!! Where else do you see groundbreaking solutions to different things all in one place!

I cannot thank you enough @ned and @dan for all the work that you put in and others as well who work countless hours to ensure the success of this platform. Really grateful to have come here. I am going to bring more people in so they too can experience the awesomeness that is Steemit.

Great post bro, well done :)

Awesome post! Thank you. Anybody who hasn't changed their passwords yet Please do so! Be safe and not sorry

https://steemit.com/steemit/@decryptson/in-wake-of-steemit-hack-important

Hi Dan, thanks for the great info and working so hard with the team to secure the platform. Do you know by any chance when our hacked accounts will be available to us again? (specifically those created without facebook login)


We will make a statement later tonight once we have more details.

It's great to see new technologies break in early stages. They always come out stronger in the end!

Why don't you want to make an SMS confirmation at key moments? For those who wish it.


This system will allow us to do that.

Wow! In my opinion this will be a game changer.

Great post. Thanks for the read

@dan this is an incredible guide to save steemit from hacker or cracker reach, thank you.

@Dan I read this 3 times and I'm still confused on how this works, sir.

Graphene technology is always ahead of the curve.

Steemit 2016 killer app, awesome! Curious how many users it will attract...

Damn it...now I feel comfortable pouring more money into this platform....arg!

I love the sheer amount of time, planning, and future penetrability issue prevention that not only the Steemit Devs themselves put into their work, but that the community itself adds onto and in turn creates a community where we don't just feel like we as individuals, with our singular voices, can have a positive impact, but where we actually see how often that actually occurs.

This (Steemit) is an absolutely remarkable breakthrough in every aspect of social media/interaction, cryptocurrencies, and technology as a whole.

Signed,
obfuscate-me

Excellent, great news and very interesting developments!!

Thank you

The truth is very bitter. Thanks

Thank you, Dan, for making this post in a way that everyone can understand.

Good system of restoration. You are good fellows!!!

Dan,

Would it at all be possible to blockchain-integrate hardware-based PKI certificates from the TPM 2.0 specification from the Trusted Computing Group (i.e. http://www.trustedcomputinggroup.org/work-groups/trusted-platform-module/) as an alternative to recover a stolen account? I find that this approach would offer a convenience that the partner account couldn't offer. I know this would require a technical solution to onboard PCs with an activated TPM, but it might be worth it to offer a secure, hardware-appliance based approach to this problem. I mean, when was the last time DirectTV streams got compromised in general? Sure, a box or two here and there with compromised key cards, but nothing large. Thanks!

This is groundbreaking for sure. More incredible, it's a social media platform among a cryptocurrency trading scheme. With this security net, there's less hesitancy.

Only downvoted, as I sometimes do, to prevent platform announcements from draining too much of the rewards pool away from other posts. I agree the new feature is quite interesting, potentially revolutionary. I look forward to seeing how it works out in practice. On merit alone (if a reward pool were not involved), I would upvote.

As long as you get your account recovered before your account can power down (1 week) then 99% of your Steem Power will be safe.

Minor correction. If you recover the account within a week, and it had not already been powering down, then 100% of the SP would be safe, not 99%. If power down was already in progress then it depends on the remaining time until the next power down, but if the account is recovered in time, 100% could still be safe.

I can't see my login tab for my "owner key" on my permissions page any more?? Has something changed? Do I just write "/owner" when I log in, or does it ask me for it? Or am I hacked?
Edit: nor can I log in with my active key!!??
Also, I notice when I look at other people's pages I can look at their wallets? Does that not make targets of the bigger holders? Is there an option to hide it?

thanks for your time, I'm loving the site so far

Well, this is a relief considering I'm living off steem currency alone for 30 days.
https://steemit.com/steemit/@ma3/i-m-going-to-live-off-only-steem-for-30-days-and-see-how-it-goes-advice

Could I be my own security partner by using another service like Blockstack, if I had already proved ownership of the steemit account, I mean?

This addresses one of the biggest barriers to adoption in the crypto space and could not be more timely or a more perfect fit for the Steemit platform. Congrats on another quantum leap!


Great!

Now that I think about it, the founders of @steemit really thought it through. With the former experience of founding #Bitshares and overseeing the years of turbulence, Daniel Larimer brought his experience on board and co-designed a blockchain platform that is here to stay. This policy (Steem Power is non-transferable and will require 2 years and 104 payments to convert back to Steem) will shape a community of long-term quality content producers and thinkers, and most importantly, prevent severe losses when it comes to account hacking. I look forward to the other social media platforms that the Steem founders have planned to create to change this world for the better. #SteemPower #Futureishere #powertothepeople

Thanks for sharing...

I'm excited - again, this is revolutionary. Thank you for being such a forward thinking admin team :)

Wonderful implementation! This is definitely a game changer in "Social Media Mining!"... https://steemit.com/steem/@steemit-life/social-media-mining

Another brilliant solution on a brilliant platform. Thank you.

We should learn from bitcoin; all mistakes were made on price. Now no one gets hacked as an individual who has more than $1000 in bitcoins and uses them (a thief getting a personal wallet etc.). I don't count some exchange going rogue or some 3rd party website.
The bitcoin wallets (offline, for example) idea is secure enough for steemit,
and make offline signing of all actions after we are done writing/voting/using our wallets, but steemit already has that in mind by having more than one key for each action, so it should be very easy to set something up :)

Really awesome work you are doing! Thank you for this amazing platform and for putting in all of the time and effort to keep it safe. These security features are genius. Well done :)

Great post, I'm glad you made it for us :)

It seems to me the most important part of this will be to create a long chain of recovery partners. I like the thoughts coming out of this as they seem pretty foolproof. I'm also super curious about the time-locked savings account.

Why not call it multi-sig wallets? Allowing you to have one or more recovery partners.