RE: Offline Attack on Steem User Credentials


in steem •  8 years ago 

TBH, I think this is a pretty shitty thing to do. It definitely isn't ethical hacking, and one can only hope that the owners pursue legal measures if your claims are true.
I agree with your point.. but I don't think you should be fucking with other people's money to make it.


Sigmajin, based on this comment and your last, I'm not sure you 100% understand the situation.

  1. Regarding your first comment, I'm confused because if you can recover the private key you don't need the password. Also, you are correct in assuming 16 chars can't be brute-force attacked but it can be dictionary attacked. If it was feasible to brute-force everyone would be screwed.
  2. I didn't take these users' money. I re-assigned control of these users' accounts to Steemit which has a mechanism allowing them to establish new (hopefully better) credentials.
  3. I'm curious what you would have regarded as more ethical in this instance? Would doing nothing and watching these users get robbed be as ethical as merely burdening them with the inconvenience of being forced to pick a password that can't be trivially guessed?
  ·  8 years ago (edited)

OK, I was a little pissy bittrex is fucking with my money.
anyway
1 yeah, I get that the private key obviates the need for the password here... my concern at the time was that after the users got their accounts back, the hacker could take the key, work their way backward to the user's password, then use that password to attack other accounts.

2 SO what happens if the value of their assets decreases by 50% while they're messing around with password recovery?

3 You could have proved your point by contacting tptb with the password list. Or upvoting this post.. or running some kind of script to make them all post horse pornography every few hours until they changed their password.

I know if it happened to me, I'd be pissed (even though I don't keep a ton of money here)... I guess I'm not behind it but I realize it was well intentioned.

  1. This is true. However, your point actually underscores another reason why machine-generated passwords are urgently needed. Any steemit user who has used his steemit username/password elsewhere has now given any attacker in the world a means to recover these credentials via offline attack since the steemit blockchain is forever public. I doubt most users appreciated this fact when steemit prompted them to choose a password at signup.
  2. There were very few accounts with significant liquid assets and I wagered they would prefer a recovery delay to getting robbed. IMHO Steem has gotten enough buzz recently that I can guarantee there's a pointy mustached blackhat somewhere silently cursing me for doing this before he had a chance to run the heist script he was working on.
  3. Conspicuously signaling which accounts had weak passwords but not updating their keys would have made it even more trivial for black hats to hijack these accounts since the scrambled passwords in the blockchain are essentially salted (making targeted attacks orders of magnitude more efficient). To your other point, there are several issues with sending an out-of-the-blue email to support@ with a boatload of user creds and an opinionated rant about password UI design; although, originally that was my plan. However, the more I thought about it, the more it seemed likely the current design is a conscious decision that unwisely (especially given point 1) trades off security to optimize signup completion rate and if that's the case a little bit of hand-forcing is useful.

Also

  1. I'm not the hacker from 2015-07-14 (I was unclear from your reply if you grasped this). His/her attack vector was totally different.
  ·  8 years ago (edited)

yeah, dk if you saw my post pointing it out but I think the 7-14 attack came from @goodgame... the script he was using is still in all of his posts if it's him, and the domain it was pinging (steemit.uk) was regged that day. https://steemit.com/doyourpart/@sigmajin/um-this-guy-is-trying-to-do-something-bad-right

I'm actually shocked by this. There is really no legal distinction between "white hats" and "black hats". Nobody gave "robinhood" permission to hack 500 Steemit accounts. "robinhood", in fact, did "take the money"... since only "robinhood" now has access to these funds.

since only "robinhood" now has access to these funds.

Incorrect, as I stated in my post, I updated these accounts to Steemit's key (not my key) so only Steemit has access to the funds. This fact can be verified by inspecting the blockchain.