RE: New App to Secure Your Steem Account
I have some concerns.
So let me get this right.
- You want me to launch an application on my system, which has not been verified by a trusted 3rd party and is not open source with a completed thorough peer review, and create a password which will encrypt/protect/block access to my keys.
- While the untrusted app is running, you want me to cut/paste or type in my Private key, which controls all my steem/steemit accounts and then input them in your tool
- Alternatively you want me to input my Private key active password and my account name to your tool.
- Your tool is online and connected to the Internet
Okay, call me paranoid, but here is the deal (no offense, just apply some common sense)
- I don't know you, therefore I don't trust you. If I don't trust you, I also don't trust your software. Why would I run un-trusted software on my system? It can be malicious in nature. You could be using this to conduct surveillance, reconnaissance, harvesting data, opening connections, outright theft, and basically screwing up my system or purposefully stealing my identity.
- If you are benign (which we would all like to think, me included) we still don't know that your code cannot be compromised by a 3rd party, contain vulnerabilities, catastrophic bugs, or be infected with a trojan, thus introducing malware to my system again.
- Why in the world would I provide my Private key AND Password to any 3rd party app? I barely trust Steemit, much less some unapproved, untested, and unsponsored code writer (again no offense, you seem very talented, but this is about trust). Giving you access to the Private key and Password basically means I trust you with all my Steem accounts now and forever! You could steal everything, impersonate me, and even change all my passwords where I would have no recourse!
- The fact this application must be online as I am volunteering to give you the keys to my Steem kingdom, there is no guarantee data leakage is not occurring and all this information is being sent back to you or another 3rd party.
This might be the greatest volunteer effort which makes Steemit safer or the biggest scam which will harvest all the valuables for everyone who uses it. (or somewhere in-between).
So my advice to EVERYONE is to beware. Think critically. Understand if you launch an application, you are exposing your system and data. If you give your Private key you are granting your permissions and identity. If you give your Password, you are relinquishing all control, potentially now and forever! Think before you act.
All respect @modprobe. Nothing personal. Just concerned about security as well.
Regarding the first item on your list, the DAO code was audited by a very famous and respectable company and what is the result? I think the fact that it is open-source is enough, just because you can check it by yourself and decide to use it or not.
Nope, I don't. I don't care if you use my app. I made this app because it would be useful to me, and I figured it would be useful to others as well (and the beta announcement got a $7k valuation, which is a nice incentive as well). I make no promises that it won't lose your keys, send your keys to Voldemort, steal your money, or set your cat on fire. I don't think it will do those things, but you've got to decide for yourself whether you want to accept that risk. And frankly, it makes little difference to me.
Best wishes! :)
Fair enough!
But would you consider opening up your code for a security and vulnerability review, having the Steemit devs (attn: @dantheman @pharesim @xeroc @theroetical) inspect it for potential inclusion into the overarching feature toolset, or at the very least have them sanction this tool as secure and recommended for the Steem community?
Certainly! The code is on Github, and there's a link to the repo in the OP. Anyone, including the Steemit devs, is welcome to review the code. I doubt they'll stake their reputation on it being secure, as I won't even do that yet (see the OP, which clearly states it's a beta and shouldn't be trusted too much yet), but I welcome comments from the developers you mentioned or any others who would like to commentate on my work or my reputation.
Outstanding! You have my support to get the Devs to review and endorse if it meets their criteria.