A hole in the Blockchain: Steemconnect? (Please take the time it is important)

tarazkp (80) in steemit • 7 years ago

Ok, this morning when I wrote the post about @dlive Force Following and pushing content, I didn't think through all of the potential ramifications of this. Now that I have had more of a think inspired by @personz comments an hour or so ago, I have to write this post.

Have you corroborated this with anyone else? And can you post more "proof"? This on it's own doesn't stand up as conclusive. @personz

No, I have no proof, can anyone find it for me? This is the blockchain, all the information for every transaction must be there. I have this from steemdb:

The only ones in there that are mine are those following the musician @benleemusic and @exyle's mum, @clio.

If someone with some blockchain exploring skills (@paulag or @miniature-tiger perhaps) is able to trace the actual blockchain transactions that would be great.

Now, as annoying as the force follow is, that is not the problem at all. The problem is that there is no way to indicate that the action and subsequent transaction isn't made by me as far as I am able to tell. This is a massive, gaping hole on an immutable blockchain.

Do you check every transaction recorded to ensure that it was actually made by you? Does @ned and @dan? Have they signed into Steemconnect anywhere?

Are you seeing the problem yet?

If there is no way for the transaction to be traced to the real transactor (@dlive in this case), that means that the it is attributed to me and I have no way to prove otherwise. I haven't been hacked, I haven't lost my keys, all I did was to use Steemconnect to sign in to a service.

That means that any Steemconnect enabled app provider can post as me without me being able to prove otherwise. What happens if they do not like me, what happens if someone pays them to plant something somewhere on an obscure post, what happens if I was a politician or celebrity?

I like conspiracy theories so let's create a quick scenario worthy of @v4vapid.

I am a young politician running for office and have a Steem account. I sign into @dlive to deliver some speeches for my fans. @dlive can now follow whoever they like and post as me. Someone running against me decides to skew the game. They create a few alts, set up some very questionable material in an obscure corner of the blockchain and pay @dlive to post under my name. With the flood of campaing actions I am making, will I notice? Perhaps they will introduce a few confessions, upload a few inappropriate images. At this point, they can either leak it to the press or use it to blackmail me. How can I fight it on an IMMUTABLE blockchain?

Blockchain technology is supposed to protect us from this possibility, it is meant to save us from fake news and false information. It cannot do that if I can't even prove if the transactions on the blockchain are mine or not.

From what I understand, @dlive has been pretty quiet about this so far and it is a closed project (with a massive Steemit delegation). How I see the options going forward:

Introduce a marker to Steemconnect ASAP and cross fingers
Shut down Steemconnect ASAP until the marker is created

This is a gaping hole in my opinion (if there really is no way to track it) and MUST be treated as such and with speed and decisiveness. With the amount of poor, scamming behaviour running rife on the platform and the amounts of value and future value at stake, there should be no shadow of a doubt as to WHO is making any of the transactions.

I know many of the whales here who commonly use these services and with the amount they are targeted already, this should raise many concerns. There are also many people scamming but now they have a Steemconnect scapegoat 'It wasn't me!'.

I am hoping that as a community we can force action upon this very fast so I ask to please share this on and bring it to the attention of anyone who is potentially using Steemconnect as it might be important to them to understand that there is a potential security risk.

This may sound alarmist but I mean it to be precautionary as the whole idea of the steem blockchain and the future of its value depends on immutability, trackability and the ability to TRUST IT completely.

Thank you.

Taraz
[ a Steemit original ]

steemit steemconnect dlive conspiracy security

7 years ago by tarazkp (80)

$102.46

Authors get paid when people like you upvote their post.
If you enjoyed what you read here, create your account today and start earning FREE STEEM!

Sort Order:

Trending

[-]

pharesim (74) · 7 years ago

That's why I don't like steemconnect v2
Steeminvite uses v1 and will stay like that as long as possible.

$2.80

11 votes

[-]

tarazkp (80) · 7 years ago

There is a difference?

$0.00

[-]

pharesim (74) · 7 years ago (edited)

Originally sc didn't require sharing permissions,the signing happened in your browser.
When steemit took it over they decided to use the shared authority. (That's v2. They're still keeping v1 available right now, I hope for a long time). From a certain perspective it also makes sense. But it's up to the users to keep their auth list clean now, and having visible which authorites were used to sign the transaction would be very useful.

$3.05

[-]

tarazkp (80) · 7 years ago

The problem with users doing this (at least currently ) means they have a lot of learning to do and must trust the app developers. As the space expands exponentially, this is going to cause many headaches with a few being very severe.

and having visible which authorites were used to sign the transaction would be very useful.

This should be a no-brainer and implemented as soon as possible I hope.

Thanks for explaining a bit more @pharesim, always appreciated mate.

$0.00

[-]

chipmusical (40) · 7 years ago

Same thoughts i definitely thinks its up to us to keep our auth list clean as of now

$0.00

[-]

fairtoplay (47) · 7 years ago

Hoq can I wintness vote for you

$0.00

[-]

nazarwills (55) · 7 years ago

I really agree with you

$0.00

[-]

wiralhokseumawe (60) · 7 years ago

stemeet has brought us to share different histories, cultures, traditions and environments. steemit has been worldwide in our minds to share. We each have different friends and family to know and share experiences. Different from different traditions. always looking from eye to eye. About what we do not see for an opportunity. I am also grateful for what has been built in Steemit for all of us. Opportunity to share what we love and learn new things and find interesting people. I hope here a lot of friends Greetings steemian all my new guidance
Thanks @pharesim

Previously I apologize if commented, because it does not match the topic. But I am sure you are a good and caring person, I am very sure you are too great person of course, I am very motivated with you @pharesim
You love to travel, on the way you meet abandoned children, I am sure you are a caring, loving and loving person that children can smile at children, it will be nice even though the valentine moment has passed. I am sure you will want to be discouraged, if you do not mind visit my bloq, i hope you can give input to my writing and direct me @pharesim

Give a little smile (Save the children)

$0.00

[-]

marylee2480 (32) · 7 years ago

$0.00

Reveal Comment

[-]

kartiksingh (65) · 7 years ago (edited)

i don't understand one thing ...i login on decentmeme with steemconnect.. and after sometime i changed my password keys ...but still i can post using old keys ..how is that possible ...even i don't saved my new password keys to my browser..

$1.86

2 votes

[-]

tarazkp (80) · 7 years ago

not sure how that works to be honest. maybe someone else that reads through will know.

$0.00

[-]

crokkon (68) · 7 years ago

did you clear your cookies after the password change? decentmeme knows from a cookie that "it's you" using it and since you gave it posting permission via @decentmemes.app already it does not need any of your keys anymore. If this cookie is still there from before the password change, you can still post on decentmemes without entering your key again. Try on a different browser or in a private tab, then it should only accept the new keys.

$0.00

[-]

bobinson (63) · 7 years ago

I think you will have to deauthorize steem connect. But why this happening - not sure. I doubt this is as per Oathu2.0 also

$0.00

[-]

bawangmerah230 (57) · 7 years ago

a few days ago i read @demotruk post unfollow with @dlive via steemconnect. He also discusses the findings of such cases. you can see it below.

https://steemit.com/dlive/@demotruk/wtf-dlive

I will share this post to make people more careful. thanks for sharing.

$1.14

4 votes

[-]

drakos (70) · 7 years ago

I avoid and do not use any of those d- projects. They take massive beneficiary cuts and there's too many of them. Choose your apps wisely.

$0.34

2 votes

[-]

tarazkp (80) · 7 years ago

Indeed. I am unsure how the 'licence' for Steemconnect works but if anyone can create an app on it and it has a trackability flaw (my view), there is a lot of potential for harm on and off the platform.

$0.00

[-]

bobinson (63) · 7 years ago

further, just because the content is hosted on STEEM blockchain with a different interface, I don't understand what really is the value add. For censorship resistance, just putting the content on IPFS will help. There is no plagiarism checks as well. While I am a supporter of free knowledge sharing and do not agree with copy rights as such, respecting somone else's creative work is important as well.

$0.00

[-]

fingersik (66) · 7 years ago

Im sorry to say it but YOU ARE THE REAL TRANSACTOR. You have given them your posting key. Your posting key is "you".

Earlier today I realized what they want for their service and I realized that it very much do look like a scam project. Then your posts came in and it only assured me that it is the case. Unfortunately. I hope that they change their behaviour before I start streaming again:(