Can someone beat @sami100 to the punch?

in #steem · 7 years ago

Hello kind-hearted Steem blockchain developers

As you may be aware, we have an evil piece of code on the lookout for keys added accidentally to memo fields.

Yesterday, @surfermarly became the latest victim of this script that will use a misplaced key (with enough authority) to transfer any STEEM or SBD in your wallet to @sami100.

While @surfermarly concedes this was a 'stupid mistake' on her part, these mistakes do, and will continue to happen.

Can we do something to help?


Before I start with the main crux of the blog, I just wanted to check if there was not a feature in place previously on that would check for a possible key in a memo and immediately wipe the field. I'm sure that this was present a few months back? If so, can we have this feature again please @steemit?

Beat ya!

While we are waiting for the above to be added to all applications where transfers are possible, I was wondering if someone could write a piece of code to do what @sami100's script is doing, but with the intentions of beating this evil script owner to the mark?

So far, this account has transferred somewhere in the region of 600 SBD and 50 STEEM and has not responded to the polite requests for a return of these funds - it looks as if the account is unlikely to do so.

Unfortunately this crypto looks unrecoverable, but what if there was a good bot/script doing the same thing, with the goal to return the funds to their rightful owner?

Without knowing the complexities, I assume that this script would need to sit on a steemd node to be in with a chance of being faster than the existing evil code?

The return of funds may also need to be manual - once the account holder has reset their keys (hopefully the owner key wasn't used to make the transfer and present in the memo field), but apart from this, what else is required?

I'm aware that yesterday's publicity (and this post) may give a few people the idea to copy this script, but hopefully the good will out and we have kind coders around who opt to do the same, and then choose to try to return the funds.

And you never know, a successful recovery might mean a reward from the original account holder, or may incite some rewards to be distributed from the pool when good deeds have taken place.

What do you think? Is this worth looking at, or am I just encouraging more evil?


Asher @abh12345 / Witness @steemcommunity


Edit: I just read the whole post AFTER commenting like some sort of idiot LOL
Hopefully you have enough influence to actually get enough attention on this issue to get things done!!!

This is terrible!! What I used to do is transfer the funds to my account and send back a message with 0.001 SBD saying that they should change their password and I'll return their funds once their password is changed.

However, this was simply too time consuming for someone like me who has a lot of things on their plate.

I suggest someone make a bot to scan through the exchange wallets; if anything like this happens, just do what I did and automatically transfer the funds to the bot's account, then automatically send them a 0.001 SBD transaction with a memo saying "Please change your passwords! Once you have, contact me on Steemit or Discord for your funds back!"

Perhaps add a 5 day lock-in to ensure it's the real user responding, and not someone else pretending to be the user.


Yep, I agree with the process above. Hopefully someone can get the job done.

Could the steemit site detect if something that looks like a key has been put in the memo? It could do an 'are you sure about this?' popup.

Great suggestion! The key was published via and I already asked therealwolf if he could install such a "key-blocker" on his site :-)

I'm almost certain this was in place on a few months back. And I'm sure I replied to you earlier too! :D

Quite possibly. I lose track of stuff

Why would I rather put a punch on @sami100 face, if you find him let me know! Ammm cool idea tho but I still think people need to be more careful when handling keys and stuff. Hey, maybe these dudes are behind the @sami100 acc... Major key alert:)

haha, send the boys down. Some people though, how do they come up with such evil ideas.

Deffo the first priority is to be super careful with keys, that crazy long set of characters is the most expensive thing I own, sheeeet :)

I dunno if you remember this case, it was just a few weeks after I joined Steemit. Maybe these dudes could really help, being smart and stuff :=)

Yeah I remember that one now. Maybe he'll get a ginabot ping, and I see Taraz has mention Pharesim.

Could be done and dusted by the end of the day :)

Thanks for the link @kid4life! That is indeed very interesting.

"until you own your own key you can't be free"

Concerning "Why would I rather put a punch on sami100 face, if you find him let me know! "

Vigilante justice didn't work out.
For example, check the activities of the sami100 account from about 2 months ago. Then, if you were to find "him", is it the original sami100, or the one that potentially hacked that original sami100 about 2 months ago, that you would hurt?
And in case you've got the innocent one, what would that make of you?

Ammm... You went too deep :O

You can be a careful, smart person, and still make a mistake. Mistakes are just part of the human condition. Have you never lost something expensive because you had something on your mind and misplaced it? If not, I would like to know how you got your superpowers so I can get some of that.

I did lose stuff before, but not online. Here, you really need to be extra cautious. I guess the superpowers are just checking what the hack you're doing at least twice hahha

It just drives me cuh-raaazy when people on Reddit (or whatever) get all like, "STOP TRADING CRYPTO YOU DESERVE TO BE POOR YOU IDIOT." It happens Every. Single. Time someone gets hacked and posts a warning about what happened or asks for assistance. I've gotten that one before when I asked a simple question about security measures--in that case I hadn't even been scammed or lost anything; I was actually asking for advice in preventing that. Ugh, crypto bro traders are the absolute worst. It's the cultural intersection of Reddit + 4chan + finance bros + tech bros. Not specifically accusing you or anyone in this thread about being aligned with that faction of the crypto world--in fact, the civility is the number one reason that I really appreciate having this place to discuss crypto--was just throwing in there that this could really happen to any of us no matter how careful we are. Though of course it wouldn't hurt to give people a run down about what the different keys do.

High five for bringing more attention to this! Mistakes happen. If someone leaves their leather wallet on a table in a restaurant we would not find it if a thief grabs it, but a warning from the restaurant owner or anyone else would be appreciated, right? To prevent thieving is a community responsibility; the more we can automate this the better.

Yeah, nice analogy. It seems we don't have the good people in the restaurant looking out for this at present.


I like it, a kind of whitehat Robin Hood...

I'm not too sure how this sami character operates, however as far as I'm aware his bot gains access to the keys, but then doesn't he have to manually steal the money?

I think how this could work is if the Robin Hood-bot saw the keys, and then changed the active key automatically, and then sent the owner a message or wallet transfer to contact for the new password.

Then maybe via email a verifying code could be given which the original owner would have to repeat in a wallet transfer back to the RH-bot, then the bot emails the new password.

I think this might work, and I remember seeing the script for the memo-key steal and thinking it didn't look that complicated.

I'm not sure this is within my capabilities and I'm busy as hell trying to write an Ethereum Dapp at the moment, but I hope someone takes you up on this, it's a great idea.

Every time I paste my password somewhere on Steem by accident, I change it! I'm on my 4th one!! :-)


lol, 4th :)

Yeah the basic idea is there I think, changing the active/owner key could be part of the process, and then some kind of verification - email sounds like an option.

Cheers, let's see what comes of it...

That sounds like a challenge, I’m in!


Are you running a full node? Could be a race against time and being 'closer' to the action might help?

You know more than me though, good luck! :D

You are just the best!!!
Thank you so much for spreading the word. The idea is absolutely brilliant - I've always been a huge fan of peaceful fights :-)

Smartness will beat him - yeah!
I'm curious to know if someone's gonna be able to code such a counter-bot.

Of course I resteemed this now :-)


Well we've had a Dev who likes a challenge (and is a witness) comment here in the past hour, so you never know, it could be game on and bye bye Sami (you &^%$$!#)

Thank you!

I think it's a great idea, as long as it truly did good. I wish I knew how to build a bot. I'd make a good one right now. That REALLY sucks. It is NOT ok. This person should go to jail. @surfermarly I'm SO SO sorry this happened to you. If I didn't just get a phone stolen I'd transfer SBD to help.

Thanks, and me too.

Luckily for Marly she didn't do this with her house funds, and has made the crypto back in one blog calling this guy out.

Hopefully though, some measures can be put in place to try help when mistakes are made.

You're too cute! I'm all good - just very angry :-)) But thanks for your kindness.
Now we'll need to make sure that not many more people step into the same trap.

I think “security” should be the biggest focus on the steemit platform

Excuse me if this is a dumb suggestion, but surely the initial fix would be to stop him getting the stolen funds out of the Steem blockchain? I guess @blocktrades handles all movements of funds, in which case can't they put a block on the account's ability to do transfers, either from someone else's account or from Steem to an exchange? This would negate requiring a bot being written that was faster than his bot.

Perhaps that step is already in place yeah. But in that case the funds are just sitting in the account. I was thinking of trying to grab them before he does and return them.

One single mistake and there we have a bot stealing people's money.

I hope this gets fixed soon because the scammer's account already has 600 SBD, and I bet the majority of those were stolen.

Yeah almost all were taken as soon as the mistake was made. What a heartless soul he is.

It actually just makes me feel insecure about having money on this platform if people with scripts can just take it away...

If you watch what you are doing when transferring, and keep your owner key offline, then hopefully you're good. It's a good reminder to all though.

Yes, definitely thanks for the reminder! I don't know, sometimes it asks for my active key to do things. I'm never sure if that's ok or not. And couldn't someone just as easily make a script to just hack your account? I have no idea.

I think your master key is only to change your keys, everything else should be possible with Post/Active or Memo.

And couldn't someone just as easily make a script to just hack your account

Should not be possible to do this without your private keys.

Good to know! Lol I'm glad you know more tech stuff than I do! Otherwise we'd all be asking the same dumb questions lol. I meant my active key! Not master.

😁 no worries

The whitehat who is faster than cybercriminal is the only solution here. Good move to lynch @sami100 in public!

Yeah I was thinking so. Lets hope someone can out-script him!

Asher, great post. Resteemed so minnows know how important it is to keep their private keys private. I made that mistake once when I was new by accidentally putting a private key in a memo field when transferring to an exchange. Fortunately, it was just the memo key, which I doubt could be used to plunder an account. Bottom line is, it's worth taking the time to change your keys if you think you are exposed. I'm happy @surfermarly made her money back by calling out the scumbag who stole from her.

Phew! You got lucky there :)

Yes the key change, whilst a bit nerve-racking is part of good account ownership. Just remember to back-up the new set :)

Looking at her posts from the past, she doesn't seem to have much technical experience. Do you think there's any chance that her account was stolen and that somebody other than her is doing this? Also, does flagging her posts, as old as they are, lower her reputation? And also thank you so much for letting everybody be aware of this. And I offer my sincerest apologies to everybody who has been taken advantage of. Maybe this is a good example of why we should use our savings accounts that are in the wallet. To help prevent people taking our money right away.

The account could be a stolen one, but I guess this doesn't matter so much as it's still actively taking from others.

Maybe this is a good example of why we should use our savings accounts that are in the wallet. To help prevent people taking our money right away.

A fine example of using the saving option.

Cheers John!

I personally go a step further, and transfer a "safety net" amount into my Ethereum wallet as I earn it. Then when people need help or I want to up my contests, I pull it back out. To me the small transfer fee is well worth it. Have a great week sir, and thanks a million for everything you do. Never give up!👍 Also, does flagging her now (she hasn't posted or commented in 2 months) do any good?

You're a good egg @abh12345 :) I love your idea a lot; instead of griping about bad things, you are proactive and find a solution. My kind of guy! And thank you for bringing attention to this...I hadn't heard about this guy before.

Aww thank you :)

Yeah might as well think about solutions - there are many problems to solve.

What a punk he is though, disgraceful.

I hope the developers/programmers come to the victim's rescue before this menace spreads out on the blockchain. I am really sorry for the victim; if there is anything I can do to help, don't hesitate to let me know please.

Yeah, it's a mistake, but very harshly punished. Hopefully something can be done.

I'm not a programmer, nor a shrink. I doubt that the thief will return the funds; they started their time on Steemit as a photo thief, and could gain no or very few rewards through that route, so they upped their game. That money is gone. I saw one comment that maybe it was a hacked account, but from what I saw, it started, like I said, as a thief.

From a programming point of view, it seems that it would be a simple fix: "a quick look at the memo string, hmmm, this starts with a 5 and is a mix of numbers and characters and of a password length, let's ask if the person really wants to hit the enter key, just in case". If string starts with 5 and has 33 characters, goto error - are you sure? But like I said, I am not a programmer, so not sure how easy/hard that would be to do.

Okay off to see the damaged post.

Yeah i think it's pretty easy to script in. Check the length and the first few chars and wipe the field if it looks suspect.

I always twitch a little when people call others stupid for making an honest mistake or say that they deserved to get hacked or should get out of the crypto game, or whatever. Not saying YOU did this at all--I see it on Reddit a lot, for example. Every time someone posts saying that they were hacked or somehow scammed, some asshole has to respond with something snarky telling them they don't deserve to be successful. It's like, really?? Have you NEVER dropped your wallet in public, or left your expensive phone somewhere? Does anyone really think that they're immune to copy/pasting the wrong string of characters into a field when they have something on their mind or are a little bit tired or something? It's our responsibility as good human beings to be sympathetic and helpful to each other and not take advantage when someone makes a mistake. Making mistakes is not stupidity; it's just part of being a human.

I totally agree. Accidents happen all the time, and those waiting to prey on mistakes like this are the really b@$t@rds.

This is why I'm proposing the solution above. Like a person in a restaurant looking out for wallets left on the table and seeking to return them.

I was kind of aghast when I saw the latest post and victim. Seems like an honest mistake... Albeit a costly one. But to have a script sitting waiting for it... Not cool. Hopefully someone picks up the torch. Wish I had the time and skill...what an asshat.

Total asshat indeed. I'm hopeful a dev will come up with something.

This stuff is scary @abh12345!

The thing that worries me is the way various front ends talk to Steemit and the Steem blockchain.

Let's say I want to use Steepshot. That requires an initial login at Steepshot... isn't that a "transaction" that gets written to the Steem blockchain? And can't someone with a blockchain viewer go in and look at that? I mean, even when I look at my activity with a utility like SteemWorld, there's pretty much an entry for EVERY single action we take. Including, it seems, the initial set-up to pass information back and forth between the various front ends and Steemit, itself.

Maybe I'm missing something here... please tell me I am!


The key will be encrypted, so as long as you are using a trustworthy site then that's fine. Sending the key in a memo though, this is baaaad.

That's the world of blockchain @abh12345. All free, no exception, anonymous and untraceable, even to do evil though.

there should be a separate security party in steemit, which actually has a consensus of the majority of members to root out the likes of @sami100

Upvoted - Commented - Resteemed

Yeah, free to roam, good and bad. I still think there an easy fix to try, we shall see.

ooh, good discussion, the threat of theft is always a concern

Yeah, hopefully the community can find a solution to this sharpish.

@surfermarly is a great soul, it's very painful to see her go through this. I do not know whether you're spot on or not, but one thing is certain, we must curb and eradicate theft and cheating. In a community such as this, people like that aren't needed.

Yes we really could do without these people. But they act as a reminder at time to stay on guard.

OMG he took $489 from canburaksimsek, that would make the best of us feel sick and want to quit, is there no way to delete that vile account? I know you will say he can open another, but there must be something stinc can do about this theft and fraud.

My stomach sank when I read your comment @deliberator! That would kill me for sure. I'm with can this simply happen, and continue to happen?

No idea, I do not know the ins and outs of the system, I feel certain something could be done, I just do not have the answer.

I feel the exact same way!

Eh, if we keep doing this all day, we can come first and second in Asher's league. :-)

I'm not sure they would want to delete. We just need a way to stop it happening in future. And his address... :)

This is an interesting case. He or she could've used the talent for good and make more money than the one he or she had made via stealing at the moment.

Indeed. He chose the wrong path :/

When I read what happened to Marly my heart dropped because i know how good a person she is and helps other people and for someone to do something like this just makes me want to hit the person with a steel chair on the face!!!

I know we are decentralized and everything and that Steemit Inc has not really want to do anything because they want the community to self govern and weed out the bad apples but there must be a consensus board or a moderating team that can take out accounts that are like this.

Steemcleaners and Patrice do a good job of doing this maybe revoking transfers is a good way of combating these.
Sure, the scammer can just keep creating accounts, but it's better than nothing being done and scammers doing this without any repercussions.

It is as if we go through a gold rush, mine some gold and put it in our camp, and since someone saw that we went to the mine or did something else, they walk in, help themselves to the gold, quietly leave and encash it in the bank. The tellers know it is not theirs but process it anyway because they don't have the power to stop a transaction nor can they call the sheriff, and even if a sheriff arrives he can't do anything, and the thief will just stroll out and wait for another victim.

haha, tell us what you really think Mav! :D

I'm hoping that the suggestion in the post is something to work on, and a witness has replied to the post saying he's game for a challenge. As you say, Steemit inc might continue with the hands-off approach, and so it's up to 'us' to come up with a solution.


I have been thinking all night about a possible solution to this predicament and with my limited knowledge it does point to a consensus mechanism that we will need like Steemcleaners having more power in bringing accounts that scam to negative levels quickly and once that is done should have transfer mechanism turned off. (although I did think how it would affect accounts like Bernie)

We really cannot stand idly by anymore.

Hoping for a solution to appear - it's whitehat theft I guess, with a promise to return the funds.

These parasites piss me off to no end. I really want to start breaking some peoples knees. Dirty ass pieces of shit. Grrrrrrrrrr

Yep. A real low set of morals, and if someone finds him, he might be standing a bit lower too :)

When logging into Busy, DTube or DLive through Steemconnect, the keys are checked in real time. I can imagine a similar tech can be used to check memos during a transaction.

Another option would be to change the Steem blockchain to require an owner (Master) key to transfer funds. It will be inconvenient but way more secure than it is now.

Interesting. Cheers. I'm sure some JavaScript was in place to check the memo field for something that resembled a key, no-one has confirmed this so far though so I could have been dreaming :)

Ohh thanks for the heads up @abh12345 not aware of such bots getting into beast mode

No worries, thanks to @surfermarly for broadcasting it loudly yesterday :)

Thanks for giving you the information. I think everyone reading your post will benefit a lot. We will be aware of this issue. again thanks

No worries :)

Almost always, a thief is a thief. There is no heart in them. They have no kindness. "An online cheater became good" - I never heard of this. But we can still hope for better. If they fall into the same problem, or their family does, then they may realize the pain. Thus one cheater becomes good, and this percentage is below 1% I think.

The man for the job? Cheers for the shout-out.

was in the car.

perhaps man for the job and sits on a node.

Also, there should be a massive warning when anything resembling a key goes into a posting field that isn't for keys. It can't be very hard to implement.

I'm sure something was in place a few months back, because I've put my key in there before. I think a warning popped up and the transfer page then closed.

I don't think I was dreaming, but no-one has commented confirming this at present :)

Now here one thing is very clear. There is no heart in cheaters. They have no kindness.

I am not able to understand how he is stealing all that money?

Wow leave it to humans to ruin such an awesome system and steal when $ can be earned based on merit and value added....

“Nah, F*ck that, ima rob these fools.”

Exactly what happened to me! 19 days ago @sami100 took 15.578 SBD and 0.001 Steem from my account shame on him.

I am looking forward to what you discussed above; if it happens it will help too many heartbroken people now waiting for their accounts and money to come back. Sir, you know it's been 9 months since I came to this platform and all I made was $47. It's my class fellow's account; yesterday I was posting and suddenly the password section appeared. I cancelled it, and once again I clicked on the post button and again it came on my screen, so I put my pass into it and continued. When I saw my wallet, my $47 and 5 Steem were transferred to @sami100. After some time my key was also changed and I lost access to my account @mazharnoor.

You will need the master key that appeared on the screen the first time you logged into steemit.

This is the key you can use to change your passwords.

I am putting in that key and it's showing "wrong password".

If this was the key you used in the memo field then I'm afraid the account will be lost.

These kinds of things are frustrating to me. Stealing is a criminal act and should not be permitted, period, mistake, carelessness or what have you. It should just be impossible to do. What's in your wallet should be sacrosanct. If not hidden away from the world, then at least impervious to any kinds of sniffs, phishes or attacks. Such lack of safeguards if not out and out security is not good for business. It discourages people from trying to do basic things and it only emboldens the thieves more because they know they're going to get away with it.

I know there's some solutions out there. I know they all have their consequences. I also know that we all need to be on guard and careful with any kind of transaction that we make.

But what's going to happen when the hordes come and there's suddenly triple the amount of people active on the platform than there is now and they're all trying to do similar transactions? Is it going to work to just sit idly by and say, "Your money, your problem?" I think that's the quickest way to a mass exodus.

I understand the whole freedom vs. security issue. I'm 99.9% going to sit on the side of freedom. However, when it comes to criminals, I think they forfeit certain rights and freedoms the moment they go a thieving.

I just saw this article and wrote a small program which crawls the blockchain and puts every block in a regex.
If something smells like a key it will check if the key is still valid (or never has been a key and is still not valid).
I still need some testing with transferring funds and posting an article for the guy who lost his key, so he knows what's going on.
And maybe later auto payback, when they have changed their passwords.

It seems like sami100 also changes the withdraw_vesting_route.

I don't think you can change the vesting route on steemit or steemconnect, yet. You need an API for this. @sadiq689, @aponamran and @maruharraca will send all their Steem to sami100 when they start a Power Down.

Getting a script set up tonight hopefully to get that done for them. Thanks for noticing this.

I put up an issue about it. Message me if you want to help with the recovery project, the more the better.