We have seen numerous posts attempting to prevent users from losing their passwords by accidentally putting them into the transaction memo field. It seemed to be the most frequent way of leaking one’s password; however, it is by far not the only one. The story featured in this post started on GitHub, a platform unaffiliated with Steem, yet one that happens to gather a lot of developers, including those who contribute to Steemit.
While browsing different Steem-related directories, I noticed that several developers used placeholders for their keys in various, potentially dangerous, formats, such as wif = '5…'. This observation helped me realize these programmers would normally put their keys as string values in their locally stored versions of the code. Then, I started thinking:
“what if somebody forgot to erase their key from the code and accidentally posted it on GitHub”
Well, devs are not the kind of people you expect to make such a mistake, but I thought I might try searching for it, and so I did, which brought me to the following piece of code:
Sorry, it is no longer a valid key 😉
I quickly found out it belongs to @picokernel, whom I immediately contacted, potentially saving him from abuse of his account by a malicious user. As it turned out, he is a fairly successful Steemit Inc. Full Time Developer. We know everybody commits bloomers at times so I would not be particularly admonishing towards him, albeit it is great to note Steemit Inc. does pick the right employees.
Our short conversation
Everyone is susceptible to leaking his or her password. Password crusades organized by @gtg and other users, while definitely worth supporting, may not necessarily be that effective, since there is a high chance that those who leak their passwords would never even bother to read the advice written by our prominent users. Instructing, preventing and saving is all we can do. We should help others when we can. Yet, Steemit as a community should not devote its time to babysitting reckless users and caring about their accounts more than the owners do. Sometimes losing an account may be a harsh way of teaching someone to take responsibility for what they do. Unfortunately, I doubt this is the last story related to a key loss on Steemit.
Thank you for doing it right.
I appreciate the responsible disclosure.
A great service, there. Stay blessed