No one who runs a project worth a damn on Steem will ever ask for your keys.

in #warning, 7 months ago


Turns out there are a few websites out there that ask for posting keys promising the moon. That moon is not reachable. There is no moon.

DO NOT put your posting key, active key or password into ANY 3rd party website

Anyone telling you that you'll get free upvotes or upvote exchanges is full of shit. Their garbage easy money code will be hacked. Even if they're not outright trying to scam you, they will inadvertently screw you over. You don't want to be screwed over. No one does.

There are no shortcuts that can be taken through some half-assed service. Use the tools that have been verified as secure:


Reputable vote-related services like Steemauto.com don't ask for your keys. They also have their code open source where possible.

There are also sites like Steemworld.org which have an offline version where you may audit the code before running it. Those sites don't rely on databases; they just use keys to sign the transactions they broadcast.

No one who runs a project worth a damn on Steem will ever ask for your keys.

Audit first, trust second.

If there's no open source, if there's a database, if there are no verified tools, then there's no trust.

This is just a simple warning for all our mainstream users. No one wants to see you get your account hacked. Except for the hackers, they'd really like that a lot.

Don't feed the hackers

Hackers love those database sites that are pieced together with some NodeJS and hosted on random servers. They don't even have to build them when there are so many out there. They have attractive layouts to draw in their custies. They promise you whatever you want.

Half the time, they're other hackers phishing. Half the time, they're opportunists throwing you an easy 'service'.

Ask yourself why. Why the hell is someone developing a site for you to get more votes on your post? Did they fall in love with you after reading your tragic memoir of what you ate last night? Unlikely. Do they want your keys to be able to use your account without you knowing? Hey, chances are high. Bingo.

But don't trust me, you just go ahead and put those keys right back into wherever you think you'll get that one cent vote from

What do I know? Except this, this, this, this, this, this, this, this, this, this, this, this, this, etc.


Like what we're doing? Support us as a Witness.
Go to https://steemit.com/~witnesses
Select or type in guiltyparties
Click VOTE if typed in



I feel like the posting keys related problems could be resolved if there was an even lower security level key which could only vote when VP is above a given high valued percentage.


That's an interesting idea but would add more complexity. We exist in an ecosystem that by virtue of having the elements of finality and anonymity related to it attracts a lot of hackers and scammers. Just have to be careful and leverage our trusted tools.

If we can't trust giving the private posting key to third party apps, then there is no point in having it, nor the key hierarchy...

And for as long as Steem connect requires 3 clicks and a separate password to use, I would rather have apps ask for a posting key (while ideally, but not necessarily, also offering Steem connect and Keychain as an option for those who want that).

Storing the private posting key of users has many advantages for convenience to allow posting after a Steem node has been down without requiring a new tx to be signed.

If we can't provide that level of convenience, then we may as well forget being a social platform..

if we can’t provide that level of convenience, then we may as well forget being a social media platform

I feel like your statement is throwing the baby out with the bathwater. It’s not just a social media platform. It’s also a high tech bank where the security is up to the user based on the provided tools. And unfortunately, the tools are as they are because the world is so vicious. As such, levels of convenience have to be sacrificed to keep everyone's account as secure as necessary. And because convenience is a selling factor, there has to be a delicate balance. Not convenient enough and people don’t come here, but if it’s too convenient it’s not secure enough.

That's why you have a key hierarchy. To provide a high level of security for one's assets while also allowing for convenience of use of the social parts. We can give users both, which is one of the biggest success factors Steem has.

So no, I don't buy for a second that it has to be more secure. It should offer the opportunity to have cutting edge security, not insist on it even for those who don't want it.

It should offer the opportunity to have cutting edge security, not insist on it even for those who don't want it.

Eh, I'm going to disagree with this because I feel like it sets users up for failure if they choose a lesser security. Because if/when something goes wrong (and they inevitably will), their word-of-mouth about how horrible an experience they had on this "scammy" platform is a powerful force which might keep potential new users from signing up. Besides, with the "customer" in mind, I don't consider "it's too secure" to be a valid complaint. That's like complaining that the safety ratings of a vehicle are "too high".

I think it is more asking for a bit of vigilance, vs. being a passive user that trusts everything. If everybody takes a bit more responsibility, this place will be much better off, and I will not have to zero my downvotes un-scamming accounts like superheroes...

Oh, I absolutely agree with the parts telling people not to trust apps that promise free votes etc. But he goes way beyond that to assert that no decent apps will ask for the user's private posting key, or store them. This is just flat out false, as there can be many good reasons to do this. Or at least offer it as an alternative.

The posting key is something you should be able to use more frequently. Else, we may as well not have it at all.

You're confusing developers like yourself who spent months on months on just their MVPs vs developers who are throwing sites together with no care for user security. The former are rare, the latter are 99% of them. The risk to typical users who don't want to wake up to their account compromised is tremendous. Even good dapps get hacked. Tasteem, Dlike, Faircrew exchange, Utopian back when, just to name a few off the top of my head. It happens. 3 clicks on Steem Connect is a small inconvenience which is already taken by those same users for other dapps.

For me, Steem Keychain support is a MUST. If not that then at least SteemConnect. Otherwise, "No Thanks".

But don't trust me, you just go ahead and put those keys right back into wherever you think you'll get that one cent vote from
What do I know? Except this, this, this, this, this, this, this, this, this, this, this, this, this, etc.

Well just put in the website, it’s good

dont.feed.hackers.

dixi

You can never be too careful!