I understand that people who fell prey to the attack would probably say it's just a matter of semantics, but it's important to point out that there was no hack of Ethereum. Sure, some DNS servers were compromised - and it was poor judgement on MEW's part to rely on third-party cloud services that they didn't control for such a critical piece of their infrastructure. However, saying there was a hack of Ethereum because malicious actors were able to commandeer some DNS servers and put up a phishing site that used a self-signed certificate is like saying the Federal Reserve was hacked because some people had their bank accounts emptied after they clicked on an email purporting to be from their bank and entered their credentials when asked. Going a step further, those who fell victim to this scam really have no one to blame but themselves - there isn't a browser available nowadays that doesn't give you a super-nasty warning message when you access a site secured by a self-signed certificate. Most of them require that you make at least two clicks - one to access the button telling you not to click it unless you are absolutely certain that you know what you are doing and then a second to actually load the site... and even then, they put a giant red "X" in your address bar with the words "NOT SECURE" next to it. Anyone who went through all of those steps and still thought it was a good idea to send their private key over to the website they were browsing wasn't stolen from; they just paid for a very expensive course in computer security. And to be honest, it was probably worth every cent for most of them - after all, the next time they are presented with those warnings, I'll bet you they won't be so quick to ignore them.