If you use Metamask without a hardware wallet you may be at risk.


A well-known crypto security expert is warning users that their funds are potentially at risk if they are not using a hardware wallet.

https://twitter.com/bneiluj/status/1306947547072794626

If you are using Metamask, consider moving your funds to a more secure location until more is known. There have been multiple reports of Metamask wallets being drained. All information currently known suggests the victims were phished, but all known victims use Metamask.

If you use Brave Browser, it has a built-in crypto wallet with hardware wallet support that speaks the same protocols as Metamask, so it can be used in place of Metamask.

If you are not using a hardware wallet, I highly recommend you get a Trezor or a Ledger from a reputable source.
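The phish described above works by getting a Metamask user to sign a transaction a fake site hands to the wallet, so the one check that survives a perfect clone of a site is reading what you are asked to sign. The following is an added example, not code from this post or from the Metamask project: it decodes the `{to, value, data}` object a site passes to the wallet through `eth_sendTransaction` and grades it. The four function selectors are the standard ERC-20/ERC-721 ones; the risk rules, the allow-lists and the sample requests are this example's own assumptions, and it goes beyond the post by covering approvals and transfers generally rather than one specific scam.

```javascript
// Added example, not from the original post or from MetaMask. Node.js, no dependencies.
// The allow-lists and sample transactions are constructed for this example.

// 4-byte selectors of the calls a draining site most often asks you to sign.
const SELECTORS = {
  '0x095ea7b3': 'approve(address,uint256)',
  '0xa9059cbb': 'transfer(address,uint256)',
  '0x23b872dd': 'transferFrom(address,address,uint256)',
  '0xa22cb465': 'setApprovalForAll(address,bool)',
};
const MAX_UINT256 = (1n << 256n) - 1n;

const asAddress = (w) => '0x' + w.slice(24); // last 20 bytes of a 32-byte ABI word
const asUint = (w) => BigInt('0x' + w);

// Split calldata into selector + 32-byte words and decode the shapes we know.
function decodeCall(data) {
  const d = (data || '0x').toLowerCase();
  const selector = d.slice(0, 10);
  const fn = SELECTORS[selector] || null;
  const words = [];
  for (let i = 10; i + 64 <= d.length; i += 64) words.push(d.slice(i, i + 64));
  switch (fn) {
    case 'approve(address,uint256)':
    case 'transfer(address,uint256)':
      if (words.length >= 2) return { fn, to: asAddress(words[0]), amount: asUint(words[1]) };
      break;
    case 'transferFrom(address,address,uint256)':
      if (words.length >= 3) return { fn, from: asAddress(words[0]), to: asAddress(words[1]), amount: asUint(words[2]) };
      break;
    case 'setApprovalForAll(address,bool)':
      if (words.length >= 2) return { fn, operator: asAddress(words[0]), approved: asUint(words[1]) === 1n };
      break;
  }
  return { fn: null, selector, raw: d }; // unknown selector or malformed calldata
}

// Constructed allow-lists standing in for addresses the user has personally verified.
const TRUSTED = {
  contracts: new Set(['0x' + '11'.repeat(20)]), // a token contract you know
  spenders: new Set(['0x' + '22'.repeat(20)]),  // a router you have vetted
};

// Grades a request as allow / warn / block with the reasons (rules are assumptions).
function inspectRequest(tx, trusted = TRUSTED) {
  const reasons = [];
  let level = 0; // 0 allow, 1 warn, 2 block
  const flag = (l, why) => { level = Math.max(level, l); reasons.push(why); };
  const to = (tx.to || '').toLowerCase();
  const value = BigInt(tx.value || '0x0');
  const call = decodeCall(tx.data);

  if (!trusted.contracts.has(to)) flag(1, `target ${to} is not a contract you have vetted`);
  if (value > 0n && !trusted.contracts.has(to)) flag(2, `sends ${value} wei of ETH to an unvetted address`);

  switch (call.fn) {
    case 'approve(address,uint256)':
      if (call.amount === MAX_UINT256) flag(2, `unlimited allowance for ${call.to}`);
      if (!trusted.spenders.has(call.to)) flag(2, `allowance granted to unvetted spender ${call.to}`);
      break;
    case 'setApprovalForAll(address,bool)':
      if (call.approved && !trusted.spenders.has(call.operator)) flag(2, `operator ${call.operator} gets every token in the collection`);
      break;
    case 'transfer(address,uint256)':
    case 'transferFrom(address,address,uint256)':
      flag(1, `moves ${call.amount} token units to ${call.to}; confirm the recipient out of band`);
      break;
    default:
      if (call.raw.length > 2) flag(1, `unrecognised or malformed calldata (selector ${call.selector}); read the contract first`);
  }
  return { verdict: ['allow', 'warn', 'block'][level], call, reasons };
}

// Constructed sample requests, shaped as a site hands them to the wallet.
const TOKEN = '0x' + '11'.repeat(20);
const SAMPLE = {
  // fake site: approve(attacker, 2^256-1) on the genuine token contract; the site never
  // needs your key, it calls transferFrom later (approval-phishing pattern, an assumption here)
  phish: { to: TOKEN, value: '0x0', data: '0x095ea7b3' + '0'.repeat(24) + 'deadbeef'.repeat(5) + 'f'.repeat(64) },
  // vetted router, bounded allowance of 1,000,000 units (0xf4240)
  bounded: { to: TOKEN, value: '0x0', data: '0x095ea7b3' + '0'.repeat(24) + '22'.repeat(20) + '0'.repeat(59) + 'f4240' },
  // ordinary transfer to an address on no list: worth a second look, not a block
  transfer: { to: TOKEN, value: '0x0', data: '0xa9059cbb' + '0'.repeat(24) + '33'.repeat(20) + '0'.repeat(59) + 'f4240' },
};

for (const [name, tx] of Object.entries(SAMPLE)) {
  const r = inspectRequest(tx);
  console.log(name, r.verdict, r.reasons);
}
```

The point of the allow-list is that a cloned site can look identical but cannot change which contract and spender it needs you to sign for; a wallet that asks you to approve the maximum allowance for an address you have never seen should stop you regardless of how the page looks.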


Securely chat with me on Keybase

Why you should vote me as witness

Posted Using LeoFinance



25 comments

Not really. You can still get phished, like the people that fell for this scam. Nothing to do with Metamask.


It has everything to do with metamask as the phish is acting as a legitimate version of metamask.


No, it's a fake website. It doesn't matter how you connect to it if you use bogus TX/contracts.


I understand that, but the people affected are metamask users.


How can you get phished on an already installed extension?


People are naturally stupid (including me)


To be honest, I don't like METHAMASK.


What is methamask? I do find Metamask useful for small amounts and daily transactions.


Metamask is a browser extension that lets you run dApps without being part of the Ethereum network as an Ethereum node.


I've always been suspicious of Metamask's security, web browsers have traditionally been terrible with security and building a secure application on top of them is a recipe for disaster.

The state of Hive is even worse in terms of security, the only widely implemented options for authentication management here are Hive Keychain and HiveSigner. One is an extension, and one is served from a web server with seemingly no offline/standalone version. Not only that, HiveSigner is served through Cloudflare, which means users of Hivesigner have to trust Cloudflare, the developer of Hivesigner, and the server host of Hivesigner not to maliciously inject password stealing code in the page.

You should not trust any webpage served through Cloudflare, what little decentralisation Hive has is completely negated by the fact that every major in-browser application for accessing Hive is served through Cloudflare.

If a major adversary, such as the US government, wanted to destroy Hive, they could obliterate the entire platform within hours by forcing Cloudflare to inject malicious code into every major Hive website that burned everyone's tokens and reset their keys.

If they wanted to completely destroy public trust of Hive, they could do so for a mere few minutes. Such a short time would be very unlikely to be caught by anyone before it's too late and Hive would be blamed for the losses caused.

The only thing preventing Cloudflare from silently mass collecting data on Hive users right now, and the reason I've stuck around, is the fact that the actual API endpoints don't go through Cloudflare. Either developers were smart enough to realise that Cloudflare is a major security risk, or Cloudflare broke API access so often that they were forced to use direct access for the API.

The few people well versed in security would be able to manually check for a compromised page before trusting it, however that takes up quite some time and is not applicable to the average user.

The only method I've found so far for accessing Hive that can be trusted not to suddenly be compromised by a third party one day is Ecency-Mobile/Esteem-Surfer, as it's a standalone program saved locally on your device. However, images are still served via Cloudflare, so if an image parsing vulnerability was found it could still lead to compromise. Such a vulnerability is a much higher bar though, and they are often patched out extremely quickly before anyone manages to use them maliciously.

As for Hive Keychain, the other issues basically make it irrelevant, though it does seem to have fewer single points of failure than HiveSigner does.

Cloudflare is a direct enemy of decentralisation, they've managed to siphon a massive chunk of the internet through their servers and currently have the biggest data collection system in the history of the internet. Regardless of whether they're using said system right now to harvest data, they are not to be trusted in the slightest, as they could just as easily begin using it without anyone knowing.

I may make a dedicated post about Cloudflare, and possibly one about the failings of Hive. There's great potential in Hive and it would be good to see it overcome its current failings.

Corporations are not our friends, they are an enemy to democracy, privacy, and freedom.


Hive has the advantage that the government won't have any reason to shut it down. If they shut down Hive, this means they shut down Bitcoin before. If they shut down Bitcoin, then all cryptos will be shut down.

Browser extensions are safe enough for hive, especially if one day the ledger integration pans out and becomes usable in browser.

Also, the power down is the most secure feature that any crypto can have. You get hacked, yet no one can steal your funds, and then you just need to change the password regularly for 100% certainty that nothing gets stolen.


The thing is, they can't shut down Bitcoin unless they take out nearly the entire internet alongside it. It's been decentralised in a way that makes that near impossible.

They can cripple it, sure, but decentralised exchanges exist, and an attempted ban of Bitcoin would just bring even more attention to it. It would ultimately be a good thing in the long run if a major government attempted to ban Bitcoin.

An attempted ban by a major government is essentially a massive stamp of approval saying that the technology works and they can't control it.

Just look at Russia, they've been trying to crack down on cryptocurrencies as well as usage of privacy tools like Tor, I2P, and Freenet. The results have been a complete backfire so far and have led to even more usage.

You can see Tor's usage increasing in Russia over the last three years here. I expect tor usage will go up even more with the upcoming release of Tor Browser 10.0. If you're in a country with uncensored internet, I highly recommend installing Tor's Snowflake extension as it will help out those who do have censored internet.


If you are saying Hivesigner is dangerous, how dangerous? Should I not use them anymore and reset my keys? I thought if it’s used by say, PeakD, then it was safe to use.


The problem goes well beyond just HiveSigner, Cloudflare has essentially been taking over the internet.

PeakD, Ecency (The website), Hive Blog, and LeoFinance are all also served through Cloudflare.

Cloudflare essentially breaks the trust model of the internet; 14.4% of all websites use them. Here's a simplified idea of what's going on here.

When you connect to a secure website, one with a padlock in your address bar, it's supposed to indicate that only you and the website can read the contents of your connection, like so.

You <==🔒==> Website

A Level 3/4 DDoS mitigation service would look like this.

       Akamai
You <===💻🔒===> Website

In this example, your connection passes through the mitigation service and remains encrypted, it can't read the contents of your connection.

Here's what a Level 7 mitigation service like Cloudflare looks like:

You <=🔒=> Cloudflare <=🔒=> Website

In this case, you're establishing an encrypted connection to Cloudflare, not to the website. Cloudflare can see the contents of anything exchanged over this connection, messages, passwords, etc.

Cloudflare adds an unnecessary layer of trust to the internet, and any website using them is by default less trustworthy, as you not only have to trust the website but also trust that Cloudflare won't get hacked, leak your info accidentally, or maliciously steal your info.

If you're wondering if that's happened before, yes, it has.


If you're worried about this, the best thing to do is encourage PeakD/LeoFinance/etc to stop using Cloudflare. This will improve the privacy and security of everyone using Hive.

Here's some more info about the Cloudflare problem.

https://www.unixsheikh.com/articles/stay-away-from-cloudflare.html

http://cryto.net/~joepie91/blog/2016/07/14/cloudflare-we-have-a-problem/

https://blog.torproject.org/trouble-cloudflare

If you want first hand experience with how much they suck and how many websites use them, try using Tor Browser as your sole method of browsing the web for a week.

Generally, the more CAPTCHAs you get, the more desperate a service is to track you. They give you an excessive amount on purpose to try to force you to reveal your actual IP address by connecting without Tor.


While making sure I went over everything in this post, I discovered that PeakD is not a free and open source project. I would recommend avoiding using them at all because of that. Cryptocurrency would not exist if it weren't for the free and open source movement and the cypherpunks, a non-free client is essentially a slap in the face to the foundation of cryptocurrency.

A project being free and open source is essential to maintaining transparency and trust, it allows the public to audit the code and if need be, make their own version of it in the event the original developer is no longer trusted.

Hive itself would not exist if it weren't for Steem being free and open source, and everyone would've been screwed after Sun's takeover if it wasn't.


Does the Trezor and Ledger work with all exchanges worldwide?
Can you keep multiple wallets on one hardware?
Thanks Mark


Yes, and yes.
A hardware wallet acts as a private wallet that only you have access to. You can send and receive from exchanges.


What happened to Metamask is not hacking but more user-side stupidity, sorry, my bad.


Damn, gladly I don't have many assets to stress myself out over, but still it's all risky.


Stop downvoting~! You're dead~!
