HOW TO GET HACKED LIKE A DONK (and other stuff for regular people in the blockchain)

in #steemit, 7 years ago (edited)

As the technology of cryptocurrency and blockchain goes mainstream, us normies (non-computer science trained people) are finding ourselves like tourists in the jungle. Even though we may be fairly intelligent, with a voracious appetite to dig in, we are still ill-prepared for the sheer number of new species of dangers we will face. Couple that with the fact that the vast majority of us are experimenting with our limited resources (money is a store of our physical labor and mental man-hours), and we are walking a fairly thin tightrope. We find ourselves in over our heads and often being educated by people who will benefit from our ignorance.

One of the concepts that is the most exciting and beneficial to the masses is that of decentralizing. It has been a long time in history since individuals had the possibility to really own their own labor, and be able to trade amongst each other without a highly controlled and manipulated currency dictating and hindering us. This is exciting, and we NEED to be in this space as much as possible while it is in its infancy so we can grasp the possibilities before the Ripples of the world trick us back in our place. Humans are very well trained, and it has been shown that one of the most important keys to our success as a species is our ability to memorize and perform rote actions on a large scale. We stand on each other's shoulders, and are able to be lifted so high because we are not weighed down by having to fully understand everything we utilize. We delegate responsibility and specialization in a truly awe-inspiring fashion: from mechanics to medicine we have more by entrusting others. The downside is we find ourselves victims of ignorance and our dependency leaves us vulnerable. To take our power back we have to relearn how to care for ourselves, and mistakes are inevitable.

It is ingrained in us that somewhere, somebody at the bank/internet company etc. has the ability to get our passwords back if we lock ourselves out of our account, that our money is 'insured' against stolen credit card purchases, and other such safety nets. Our autopilot has to be completely reprogrammed if we are going to survive and thrive in the blockchain. I think of people getting used to paper currency when it first found its way to the lower class, where months' worth of work could be misplaced or dropped, whole seasons of crops up in smoke when a breeze swept your notes to the fireplace, and all of the myriad other issues from lacking the proper behavior patterns conducive to a new technology. We need to understand the whys so we can trigger our warning alarms while we retrain ourselves on the whats.

Now for some simplified "Whats" about Steemit passwords and security ;) :

  1. For all crypto-currencies and truly decentralized blockchain accounts YOU will be the only one who can access these. Just like hiding cash around your house, if you misplace your passwords you have misplaced your money/data. This is more to reiterate how your crypto currency wallets will function. It is like a real wallet vs money in a bank, you have sole possession of it, and if you lose it or get it stolen, it is gone.

  2. For Steemit specifically there are levels of passwords; understanding these will save you a lot of stress and loss.

  • Your Master Password is used ONLY for when you first log in, to change your settings or reset your password. I will explain how I and many others were hacked and how I could have easily prevented the loss below. But repeat this to yourself: I do NOT need to use the master password, I do NOT need to use the master password. You should print this password, or record it by some other method (now is your chance to get body tattoo clues, Memento style), and keep it offline. This is like your lock box, safe or storage unit key.

  • Posting Key is what you use to log in to another device and post, comment, or upvote. This is the only password you should keep handy and really the only key you would use on a regular basis. If you insist on 'saving' your password on your computer or phone for easy logging in, this would be the ONLY one to save. If someone steals it, they can do some damage, but it will be mostly superficial and easily remedied.

  • Active Key is what you use when you are doing any transactions in your wallet, transferring money in or out. If somebody gets this, they will be able to immediately transfer your Steem tokens and your SBD to another account. It is then gone, just as if you had been pick-pocketed. Even though we can see where it goes, unless you have the expertise or connections to somehow track this to an end user and exact revenge, there is no other entity to cover the losses. A bank insures your money, but in exchange they are able to have access to it, and they use it to make themselves more money (find ways to charge you fees, or lend it to others and keep the profit). The insurance you get from them is not 'free'. IF you have your active key stolen or hacked, the hackers WILL get your liquid money, but you will be able to immediately use your master password to lock them out and regain control, meaning all of your Steem Power (SP, which is the bulk of your account) will be untouched, and you will be able to mitigate the damage they can do from posting or using your votes.

Phishing: This is not a new scam. Hackers have been phishing since online accounts began, but now we have to be extra vigilant, as we do not have a parent company to depend on to save us from mistakes. It's very simple: some link or email brings you to a screen that asks you to log into your account, and once you log in they have your password and access to your account. They will immediately change the passwords and lock you out. You may ask yourself, "Who would be dumb enough to click a link or email and then give their password?" and the answer is A LOT of people, because you don't have to be dumb to get tricked. The phishing scams are getting more elegant, and are created in such a way that if you, like most people, have a lot on your mind and maybe function on autopilot while you respond to messages or emails, you will not realize anything is amiss. The scam that got me was a comment that I was clicking through to see a curation trail that had supposedly picked up my post (this is not weird, there are lots of groups that look for specific types of posts and then curate them to their followers). I was chatting with my boyfriend about dinner ideas, while having my dog jump on and off my lap for pets, so I didn't notice that that link brought me to this specific page. The page that came up was to log in to my Steemit account; it looked identical in every way except a single letter change in the web address at the top. I don't keep my password saved and my internet is spotty sometimes, so it is not uncommon for me to accidentally log out of accounts while I'm using them. Of course NOW I will always look thrice at the address at the top, but even if you did look at it, this had said Steemil.com, so most brains would see those letters and give the green light. I also had the misfortune of not really understanding what the different passwords and keys were used for, because I am not on many accounts that have even more than a single master password.
If I had made this mistake and only put in my posting key, it would have been a much more benign event. But, like a donk, I gave my master and BOOM: SBD gone, and comment spam pouring forth from my account at a dizzying rate.

Damage control

If this has happened to you, and you signed up using Steemit.com (the other option is to have a friend sponsor and make your account), you can click stolen accounts recovery on the side bar, and they may be able to help you. If you did it the alternative way, and you gave your master password to the phishing site, the account is gone. I'm very sorry, it is devastating, and to add insult to injury, lots of the "cool computer kids" will say stuff about learning your lesson. Screw them, they are heartless jerks. It sucks and you will be very upset, and anyone pretending they have never made costly mistakes in their life is lying. Also, while you are waiting for recovery, or even if the account is gone, you can reach out to @patrice and the @steemcleaners crew on Discord, and they will be able to flag the comments coming from your account to help stop others from having the same fate. I have had a couple of people reach out to me because they got tricked by a comment coming from my account, and it feels really bad to know that my mistake affected other people as well.

If you have any questions, even dumb ones that only a donk would ask, please feel free to ask. And remember to take the time to educate any friends you bring to Steemit on these different passwords. I had read about them before the hack, but the way it was explained obviously didn't really click for me. Feel free to link this post or reuse any parts you felt were useful. **just make sure to credit the parts you use as always ;)

**Second photo is property of Blizzard Entertainment. I chose this card because murlocs are annoying, and just like a phishing scam they spread quickly and overwhelm their opponent ;) teehee
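
The single-letter swap described in the phishing section (Steemil.com standing in for Steemit.com) is the kind of difference a string comparison catches even when a distracted reader does not. The following is an added example, not code from the original post or from Steemit: it flags login URLs whose site name is within a couple of edits of an allow-listed one. The allow-list, the function names and the sample URLs are assumptions made for illustration.

```javascript
// Added example (not Steemit code). Constructed allow-list: the one site
// the post treats as the real login page.
const TRUSTED_SITES = ["steemit.com"];

// Edit distance: minimum number of single-character inserts, deletes or
// substitutions needed to turn string a into string b.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Classify the URL shown in the address bar before any key is typed.
// Assumption: the site is the last two host labels (no handling of
// multi-part suffixes such as .co.uk).
function classifyLoginUrl(url, maxDistance = 2) {
  let parsed;
  try {
    parsed = new URL(url); // also lower-cases the hostname
  } catch {
    return { verdict: "invalid" };
  }
  const site = parsed.hostname.split(".").slice(-2).join(".");
  if (TRUSTED_SITES.includes(site)) {
    // The right name over plain HTTP is still not a safe place for a key.
    const verdict = parsed.protocol === "https:" ? "trusted" : "insecure";
    return { verdict, site };
  }
  for (const good of TRUSTED_SITES) {
    const distance = editDistance(site, good);
    if (distance <= maxDistance) {
      return { verdict: "lookalike", site, resembles: good, distance };
    }
  }
  return { verdict: "unknown", site };
}

// Constructed sample URLs; the second uses the lookalike name from the post.
const samples = [
  "https://steemit.com/@kilbride",
  "https://Steemil.com/login",
  "http://steemit.com/login",
  "https://example.org/",
];
for (const u of samples) {
  console.log(u, "->", JSON.stringify(classifyLoginUrl(u)));
}
```

A "lookalike" or "unknown" verdict means only that the site is not on the allow-list; whether to trust it with any key is still a decision to make before typing, not after.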


Heartless jerks indeed. I often remind them that I don't tell them they are not worthy of driving a BMW because they can't even find the Battery, rebuild the Transmission, or change a flat.

Yeah, it is better when we can do things ourselves.

Here is a difference between 2 websites with the wallet: no background in my Steemit wallet but I see my background for the first time in my SteemING wallet.

Steemit.com
WALLET SteemIT.png

SteemING.com
WALLET SteemING.png

When I go to my Wallet, the first image I get is like the first one here, but when I hit the "reload page" button in my browser I get the full image with background image and correct reputation. I have no idea why this happens.

Images on Steemit.com may load slowly at times because the images are not coming from a super mega universe like Facebook or Google. The good news is that Steemit is growing each day and things are getting better and faster each day and that is great news.

There are some days that everything loads blazingly fast, near instant. At other times it takes 60 seconds just to register an upvote, lol! Today everything was running like molasses, really slow. Also in Europe some of us have trouble uploading video later in the day, so a few of us do that in the morning. The platform is new and has to work through a few childhood diseases, but overall, I've indeed seen some great improvements in the last 3 months.

Because of your browser caching. You don't have to worry about it, as long as you log in using your POSTING KEY.


Is SteemING.com a real mirror or application of Steemit by @Yehey? I logged into it and it is identical to how Steemit looks. Busy.org has different features. I see the different levels of passwords, or keys, in the wallet of Steemit, and that is good for people to understand.

I am not sure, I asked about it in a chat just now. I wouldn't put your password in. Just only use your password for Steemit.com. Other sites like Dlive, Dtube, and dmania, you only need to put your posting key in also.

For some transactions, Steemit specifically asks for your password, like sending a # private message, yet doesn't tell you if afterwards you have to log out and log back in with a posting or active key. We have no way of knowing what the system doesn't tell us.

Yeah, I don't feel like it is very clear, and the fact that we need our master to change our profile picture is kind of counter to the concept of "your master is only used for resetting your account". It's kind of a mundane action that should only require the posting key.

Steeming's wallet doesn't let you show the memo's private key, which is the last key (password code) at the bottom. You cannot click on it to show or hide the memo in Steeming.com like you can in Steemit.com. You can show the first 2 keys for Posting and Active. Does this mean Steeming has less access to my account than Steemit has? Can I change my owner's key?

I think I logged into Steeming with my active key and not my owner key. Therefore, does that mean Steeming cannot steal my money without the owner key? Is my Steemit password not the same as my owner's key? And is the owner key the same as a master key?

Yes, an active key can transfer money, I would reset to be sure. Also, even if the scam account doesn't "save" the password on your computer, that doesn't mean they don't have it; if you put it in, they save it on their end. I would just do a reset to be sure. Someone told me @yehey is a witness, so they think it's trusted, but I don't understand WHY there would be a mirror of steemit hosted on another url?

Let me help clear some of the questions.

The Steemit.com website is an open source condenser site. You can make your own website for yourself or offer it to the public, just like what I did for the https://yehey.org or https://steeming.com websites. It was designed using load balancing and GEO location to speed up the loading of the website. It is hosted in multiple locations in USA and Europe.

The open source website is available in public. Here's the link, you can read the code.
https://github.com/steemit/condenser

As we continue to grow, more condenser websites will come out. Your due diligence will always be needed before you log in using your account.

Regarding accounts, you only need to log in using your "POSTING KEY", not the ACTIVE key, to comment and reply.

Why use other mirror sites?
Keep in mind, we are a distributed network with no dependency on any website like steemit.com, yehey.org or other websites to access the STEEM Blockchain.
If you've been using steemit long enough, you have probably experienced slow access using steemit.com, sometimes a dead page; that's where other mirror sites come in.
And even @Ned encourages developers to develop more websites and mobile apps to promote steem.

I hope that helps.

And if you still have questions, please come join us at https://SteemChat.com discord server.

And if you like what I do, vote for me as your Witness.

Thank you.

Interesting, thank you. If someone signs up through one of these mirror sites, the person hosting the url will be able to possibly capture input passwords correct? Are these like little mini islands of centralized chunks of steemian accounts? I am not a programmer and have only basic computer science knowledge, I might be saying stuff really wrong....

I can't speak for other condenser sites, they normally post an update about it.

For my condenser websites (https://yehey.org or https://steeming.com), they don't save the Post or Active key. When a user logs in, they will be authenticated directly to the blockchain. A simple analogy: a condenser site is another door to access the STEEM blockchain.

And if you want to know the technical stuff, you can read the code it's open source.
https://github.com/steemit/condenser

Steeming.com project is to extend using mobile apps. The condenser site is simply my staging server and will see how far it can go.

I prefer to log in using my own server, I know it's not so busy compared to Steemit.com :)

Got it, thank you for all the information! I will definitely read through :)

Steeming.com is made by @yehey. So, who is @yehey?
Does anybody know or trust @Yehey?

It says "@YEHEY [USA]" on STEEMING.COM (not Steemit.com):
STEEMING FULL PAGE.png

Steeming.com SAYS "@Yehey [USA]" who has an account on Steemit.com since June 2017 and has a link to Que.com/SteemUSA and also on.king.net/Discord with 1,695 followers and 2,899 posts. And here is a post from @Yehey: https://steemit.com/witness/@yehey/yehey-witness-update-2018-03-07-reminder-to-upgrade-your-witness-server-to-a-minimum-64gb-ram

YEHEY of STEEMING.COM  and QUE.COM steemUSA and onKingNet Discord and on Steemit since 2017 June like me JA.png
STEEMING FULL PAGE.png
Screenshot at 2018-03-09 12:48:53.png

Now you know me more than anyone else :)

I logged into Steeming.com (not steemit.com) with my posting or active key. Can't remember which key I used. But I think I didn't use my owner or memo key. Is an owner key the same as a master password? So, I went into the settings to edit my display name on Steeming.com and it asked for my active key or owner key or master password. So, it appears that Steeming.com and/or my Firefox web browser didn't save the key there as seen in this photo below. So, maybe that is a good thing if Steeming is a scam or something. Or maybe not safer. Firefox keeps all my passwords saved. So, in Steemit.com, my password is remembered and I don't have to type it out each time I'm asked. It's automatic. But I trust my Ubuntu Mate OS, my Firefox, and Steemit.com. But not too sure about Steeming.com as Steeming.com is too similar to Steemit. Maybe I will change my Steemit password in my Steemit wallet.

STEEMING no have my STEEMIT active or owner KEY or master password saved in Firefox and or Steeming dot com not steemit dot com.png

To post or comment, you only need to use POSTING KEY. If any website is asking for ACTIVE Key, you have to stop and check the site reputation.

Memo key is used for encryption and you NEVER use the owner key for posting.

The website doesn't save POSTING key.

@Yehey, but what makes Steeming.com faster than Steemit.com? Is it only that Steemit is slower because it's busier than Steeming? Is Steemit busier than Busy.org? Does Steemit have more witnesses and/or servers than Steeming? I'm guessing that Steemit has more servers but also a lot more traffic and is therefore slower because of that.

Does Steemit use load balancing? And is that a key thing that Steeming uses that Steemit doesn't use? Or does Steemit use different kinds of load balance? And what is load balance? Is it a type of software or a feature in a server for managing bandwidth, traffic, from everyone accessing the site?

