The operational security measures one has to take these days to secure crypto is insane. You have to build your own mini intelligence agency just to protect your digital crypto assets. You have to do:
- Principle of least privilege.
- Zero Trust.
- Compartmentation.
- Hardened Operating Systems with no malware and strong endpoint defense.
- Firewalls that whitelist only your IP and disavow everything else.
- 2FA/MFA/Biometrics auth for everything.
- Defense in Depth.
- Use crytography tools vetted from the community surrounding it, and use tools which are battle hardened.
Modern computing is very leaky and every node is malicious. You need extreme vigilance to safeguard crypto.
Are people up to the task of doing all this?
I'm asking because I lost crypto before, and now I'm more resilient and have better security posture.
If only some kind of institution that can hold coins safely existed. Some kind of central place with all the security measures. They can also offer you interest if you let them lend the coins to other people. We can call it a bank.
The best part about crypto is that it is always your fault.
Set up your own wallet and lose access? YOUR FAULT, DUMMY
Use an exchange and get hacked? YOUR FAULT, DUMMY
Use an exchange and they scam you? YOUR FAULT, DUMMY
Fall for a spearphishing email? YOUR FAULT, DUMMY
A flaw in the implementation that leads to an exploit? YOUR FAULT, DUMMY
Fail to maintain an EAL7-certified computing environment using only FIPS 140-3 level V cryptographic products in an ISO 27001:2022 Annex A.11.1-secured facility and something goes wrong? YOUR FAULT DUMMY-DUM-DUM!
It's never, ever, a flaw with entire concept-- it's always you.
No. Anyone who thinks they are is deluding themselves. There is no such thing as a setup that is 100% secure against human error (and nobody is infallible) or a sufficiently motivated and skilled attacker (and there are supreme amounts of motivation here).
The core problem is the lack of legal recourse. Anonymous, irreversible, distributed transactions for money are a really fucking stupid idea.
Still, most people who have a crypto wallet on their desktop computer don't get hacked. I always found this interesting because it puts an upper bound to how many machines out there are compromised (at least by an agency that's motivated only by money).
That's precisely why I never bothered with crypto. I figured even back in the days of early Bitcoin I would at the very least need a dedicated device like a mostly air-gapped laptop running my own wallet software to do transactions. Storing coins on an exchange had always struck me as fundamentally idiotic, even before MtGox occured.
The problem has gotten much, much worse, not better, over the past decade.
Yes, and this will finally bring banking to poor peasants in the third world!!111!! /s
Seriously, the idea that crypto (with its concomitant key management problems) is a solution for the challenges facing the poor in badly governed countries is rather absurd.
Canonical should not have displayed a "safe" icon at scam app page. The proper text should be something like "Not verified. Review the code and check the publisher before using the app.".
The same should be at Google Play and Apple Store. Scam apps and sanctioned apps are regularly passing through reviews.
This is scary and even a hardware wallet might not help.
When I create a transaction with Electrum on my computer, I use a hardware wallet to sign the transaction. When I sign the transaction, the hardware wallet shows the amounts, and the output addresses.
But if my copy of Electrum was backdoored and smart about what it did, it could use an output address for the remaining amount that went to another wallet. And since I and most people mainly check the address we are sending to but don’t pay close attention to the change address, we could end up having our funds stolen that way.
I’ve been thinking about moving to a multisig setup instead, that would have multiple computers independently used for checking and signing the transactions.
So far I’ve been putting it off because a single wallet and being diligent about checking the output address that you send to seemed sufficient. But now I think moving to a multisig setup is something me and more people should do sooner rather than later.
No, you're wrong. The issue you're describing can't be exploited on Ledger devices at least. (Source: I’m a contributor to their bitcoin transaction parsing code)
Their hardware wallet checks if the provided change output's address is actually owned by the device owner:
- if it does, then the change output is simply hidden from the user validation flow
- if it doesn’t it will appear as a second bitcoin transfer to approve, which require a second physical approval on the device. this is highly unusual and should trigger the user's suspicion.
I can’t say for other vendors but this is pretty standard security practice I’m sure, hardware wallets are fighting against attacks that are way more elaborate than this one.
Reading this, it is bonkers to me that people think cryptocurrencies are ready or appropriate for mainstream use, either as a currency or as an investment.
Line could go up, but if you aren’t extremely careful with processes that most people don’t and won’t comprehend—and don’t even realize are something you need to do—you can just straight up lose everything.
Assuming the hardware wallet is safe, and that you indeed check all the recipient addresses and make no mistakes there, I don't see how the software should be able to fool you, though? I would assume that the hardware wallet is built to never leak your private key, at least not when signing a transaction, and the signature that it produces would always be for the exact transaction (recipient, amount, data,...) that you checked (since we assume the hardware wallet to be safe). Can you explain?
So many of these exploits boil down to "hardware wallets not providing enough/the right information".
The screen is tiny, and protocol devs don't usually put a lot of thought into making stuff easily human readable. Ideally a transaction can be fully understood and verified from the hardware wallet but we still have a ways to go.
Since BIP-32, receive and change addresses have been generated from a single seed, never from outside sources. Hardware wallets verify this.
It's much more likely you'll fall victim to malware that waits until you're on an exchange website, and substitutes the attacker's receive address for the exchange's. You think you're depositing funds in your account, but they vanish instead. This is basically the same attack as fake escrow instructions emailed to people buying a home.
While it’s not foolproof, it’s a good reason to compile things yourself from source instead of using the binaries. Unless someone trusted is validating build reproducibility, but that isn’t as common as we’d all like.
Bluewallet Vault makes multi-sig simple. And when co-signing a transaction, it calculates the amount to display on the screen by calculating the difference between inputs & owned outputs, and so for general transactions this means you only need to check the amount and the destination address to be sure the right amount of money is going to the right place.
> But if my copy of Electrum was backdoored and smart about what it did, it could use an output address for the remaining amount that went to another wallet.
Pretty sure this is not the case for Trezor (This was an angle that got addressed a long time ago). Also, Ethereum doesn't have a change address.
> So far I’ve been putting it off because a single wallet and being diligent about checking the output address that you send to seemed sufficient.
If you are too concerned and use Bitcoin, there is an easier/simpler way. Sign the transaction offline and don't broadcast it. Copy the transaction Hex and decode it. You can there read the details of the output addresses, fees, etc.. When you are sure, then you can broadcast the transaction.
What I don't get about the Snap store is why there's no verified link back to a website?
If you have the technical ability to create an app, you probably have the ability to upload something to /.well-known/ or to add a DNS TXT record.
That way the Snap store could say "This app came from this website."
OK, it doesn't help if someone goes to the trouble of registering a homograph address, but it would at least give normal users a chance to check out who the author is.
That seems to be how Flathub works. It shows a verified domain, or prominently says that it is a community released app.
I suppose the problem is that Canonical wants to make the Snap store the default place for users to get GUI programs, so they've been willing to take the risk of letting random community members maintain Snaps of popular software so the store looks more active.
Back in the day, we had long internal conversations about doing verification 'properly' with government-issued IDs, third-party verification agencies and the like. But that never amounted to anything, sadly.
They might consider it further if the store got to a decent scale (like the contemporaries like iOS, Play and Microsoft). But with "only" 6K applications published, and the money canon being pointed in other directions, I can't see it happening any time soon.
This assumes the user would actually pay attention to that. (spoiler: they won't)
> OK, it doesn't help if someone goes to the trouble of registering a homograph address
Doesn't even have to be homograph, it can just be something that has "exodus" in it (coming back to users not paying attention, this would work, and is also the reason phishing and other fake sites work), if "exodus-wallet.com" was verified then many people would still fall for it.
The entire thing would've been avoided if users paid attention and going to the official website instead of blindly trusting the Snap Store (and following VERY common advice, such as don't enter your secret phrase or password anywhere)
This is not necessarily right. The exchangerate-api.com site is hosted behind Cloudflare, so I don't know where it's actually hosted, but the IP addresses shown in bandwhich could be unrelated.
It is common for malicious sites to redirect to legitimate sites to help evade detection, so it is possible that exchangerate-api.com is an unrelated and legitimate site.
I'm the developer of the ExchangeRate-API.com service.
Obviously it's upsetting to have our API used by a scammer, but our service couldn't have been involved in this hack beyond fetching a JSON-formatted response of up-to-date exchange rates because that's the only functionality our service/domain provides.
My guess is that the scammer implemented a call to our API to fetch up-to-date exchange rates in order to make their fake wallet seem more plausible & real. Interestingly my API doesn't even support any exchange rates involving cryptocurrencies and so the scammer would have had to additionally integrate with a different API to get something like the up-to-date exchange rate between BTC and USD.
The API is a very simple service - it's just a few endpoints that supply JSON formatted exchange rates over HTTPS. Anyone with an email address can sign up to use the service for free and there are even some totally "open access" endpoints that don't require any authentication. One of these has been used in the GNU `units` converter software for a while.
With regard to proving it's a legitimate service, this is the point where I wish I had made more progress with the landing page update that emphasizes social proof I've been working on recently! The API is used by ICs/teams at hundreds of recognizable companies. There are tens of thousands of free users including some that have used the API consistently for free for over a decade. I guess you could check many instances of the service being archived on the wayback machine? https://web.archive.org/web/20240000000000*/https://www.exch... I'll definitely admit the domain does look a bit odd but back in 2010 when registering it the "Exact Match Domain" bonus was a big factor for SEO. The site has been a top 3 Google result for "exchange rate api" pretty consistently - presumably also how the scammer ended up using the service.
I've used Cloudflare since approx. 2019 and their "cloudflared" tunnel infrastructure since approx. 2021 to secure servers against DDoS.
I'll contact popey to see if we can get more details on the exact path/request they saw being made to our domain and if that leads to any further information or logging from our side.
Sure, there was a bit of guesswork on my part. I could analyse the traffic in more detail, but when I wrote this all up, it was Sunday evening, and I wanted to do the minimum analysis to get a response to the unlucky rube.
I still have the snap, and could test further, but I suspect the endpoint linode boxes will disappear and popup somewhere else sometime.
I further thought about your feedback and the comments from the owner of exchangerate-API and have removed that section from the blog and mentioned it in a follow-up post.
I appreciate your comments, as they made me think more about that topic.
Another way IPv6 could make things better: no need to point multiple domains at the same IP address, so you could have a one-to-one relationship between domain and address and prevent shady things from hiding behind legit things.
I'm still not exactly sure, to be honest, why Snap exists.
The desktop on Linux has gone Flatpak.
If I'm running a server, why the heck would I trust Snap, a platform that until recently didn't even let me control updates, over Docker? If something goes wrong, who do I call? If I need a custom storage arrangement, who do I call? If I need a custom network arrangement, who do I call? If I need to scale up, who do I call? Why would I subject myself to this?
Is it IoT? Maybe it has a market there - but why doesn't it focus on being the best it can be, solely for that market, then?
One more note: Snap even allowing unapproved repackaging of apps was, in my opinion, a very bad idea in the first place. Case in point: Even the Snap homepage is advertising a community repackage of a password manager ("NordPass" - developer not verified). Why the heck should Snap be proud of that?
(Edit: Apparently NordPass's website does point to it - but the developer remains unverified. What's the point of verification...)
For reference, I've checked the Flatpak app and can confirm that the Flatpak for Exodus is the correct Electron app. In Flathub it's as easy as going to the github of the store and looking at the package's instructions. You'll see what it does is basically downloading the ZIP from the offical Exodus website and run it.
> They likely saw a button like this in the "App Centre", which gave them some confidence in the application. [...] Furthermore the title of the Snapcraft web frontend says "Snaps are containerised software packages that are simple to create and install. They auto-update and are safe to run."
Sounds like assurances made by UX and Marketing, which engineering might've been able to tell them they can't make.
If it ends up costing them $490K plus legal fees, that's still a relatively inexpensive way to learn this lesson.
In which being your own bank continues to be undesirable.
(Never understood why ‘be your own bank’ was meant to be at all appealing. Being a bank is terrible. And still realistically less risky than this sort of thing; apart from truly bizarre edge cases (see the Citi/Revlon drama), this sort of thing simply can’t happen.)
Well, they have a lot of money, and if you're morally flexible, as anyone who's played the banker in a family game of Monopoly can tell you, you can just take some.
Well, that's really unfortunate. I would never just go download a random crypto app, not even from the Apple App Store. But the "Safe" marker is a massive UI risk. It makes me think it was signed and verified in some way.
On a tangent, my neighbor came to me about a month ago and asked if I was a "hacker"?
He's around 75 and has known me for maybe 20 years, we're not close friends but we run into each other every now and then and he knows I work with IT; I'm about half his age.
Long story short, I find out he needs help to retrieve his bitcoin wallet because he's lost $300k. I spend an hour looking around his devices and find out he's been buying bitcoin from a young hip instagram lady in Florida.
Wait for it…
…they shared access to the wallet.
He had a chat log stretching back one year on whatsapp with her, he was now paying her smaller sums to cover the cost for some "hacker" to retrieve his wallet.
‘ I’m writing this in the hope Canonical will fix its processes so reputation-damaging events like this don’t keep happening.’
That is such a poor attitude. Instead maybe hope that canonical may fix the lax vetting and security of their store, but to care directly about their reputation and not the user who was scammed due to their weak practices goes hand in hand with everything else I’ve seen from snap.
Maybe I could have worded that sentence better. Thanks for the feedback. It wasn't intended the way you took it. But I appreciate you mentioning it anyway.
The strangest part to me is that it shows it as "Safe", based on what? It doesn't seem like any checks were done at all to make sure this was a real app from Exodus.
I suspect that the definition of "Safe" in this context is that it has limited ability to mess with your computer. From what I have read, the application didn't violate the security of anyone's computer, it didn't need to!
So we need to be careful with how we interpret "Safe!"
A wallet app like Exodus is not for keeping BTC, it's for transacting with it.
The wallet file is for keeping BTC, and whether you print it on laminated paper or copy it to multiple USB sticks that you distribute in multiple places (you can encrypt a USB stick, but not really a piece of paper, so beware who has access to your storage!), doesn't matter once you want to use your BTC.
Using your BTC requires a computer and a wallet app; there's no way around that besides online platforms.
The real solution for fake wallets is to independently validate signatures of wallet app releases or to build from source yourself. Also wait for a few weeks before jumping onto the latest wallet version. Who knows if the developer's supply chain got compromised.
Edit for completeness:
Last but not least, do offline transactions (send the signed transaction using an online device without access to the wallet).
It has been 10 years since I left Canonical (on good terms), but what popey describes (hi popey) about the intentional lack of human review in the Snap store sounds very Canonical to me.
I agree with all the recommendations - add human gates. Yes, it's expensive, but still far cheaper than the unbounded reputational damage that just occurred around the untrustworthiness of the store (hi Amazon).
The crypto industry has had a serious UI/UX problem, no doubt about that. I also presume this bitcoin holder wasn't a sophisticated one, because the main point of a cold wallet is NOT ever have your seed phrase (12-24 words) go online. That's the real exploit in here.
Crypto has a long way to go and some improvements are being made but it definitely is one of the main pain points.
when they said that these Snap packages were "safe" they probably meant from a "linux is secure" and "properly sandboxed" meaning, not "we've verified that this person isn't trying to scam you".
I founded a company that makes a distributed wallet that is immune to these types of problems. You might be scammed out of your specific keyshare, but the scam would need to compromise all nodes at once which is nearly impossible. It's called Gridlock.
Only if the attacker only transferred funds to one wallet.
I could also see a sophisticated attacker holding off on draining wallets until the amount contained started to drop or increased past a threshold. Draining funds as soon as a user attempts to setup the app gets you a few suckers but also means you'll be reported quickly. Giving everyone a failure message while recording the recovery key might let you go significantly longer before discovery.
"One of the goals is to automate the whole Snapcraft publishing and review pipeline so there’s fewer (expensive and slow) humans in the loop." (from op article).
automation should not replace human judgement, it should
replace human drudgery.
If only there were some kind of system or network of long-standing institutions with a deep commitment to paper-trails and accountability that was overseen by some kind of community-managed regulation to control this type of thing.
Glad I'm not the only one who is thoroughly tired of this second coming of the financial system except with bonus insane energy waste and an absolute obliteration of consumer protections at seemingly every tier.
A security product built by people who have zero understanding of actual financial security and how financial crimes actually happen. Truly astonishing.
I feel the same exact way whenever I see a car crash:
"If only there was a mode or system of human transportation backed by long-standing institutions with a deep commitment to dirt trails and rideability that occurred at speeds which were safe for this type of thing."
The world has evolved, lot of phishing and scam on cryptocurrencies . its very important to know that a source is legit before investing and most importantly safe guarding and upgrading security concerning your crypto like two factors authenticators and all necessary precautions .. although there are lot of good coders and hackers like recovering ATusa com that make it easier to recover stolen cryptocurrencies and of course only few are able to get theirs in full......
Even the real version is the app is a software wallet right? If you have almost 500k in BTC and do not have it on a hardware wallet and use their official software for it, I have to say it's at least partially on you if you lose it.
Indeed, the victim, in this case, did mention on the linked 4chan thread that they realised their mistake. While we only see a small part of their world through text communication on forums, I suspect they're kicking themselves in the real world.
Or perhaps not, and they have a ton of other wallets full to the brim with crypto-nonsense.
Bitcoin "wallet" is just a pair of public and private keys. Honest question - what is the difference between a "hardware wallet" and a thumbdrive with the keys on it, except for the price tag?
Cryptocurrency is the only place where regular people use cryptography that they control in a way that matters enough for someone to attack it. Of course we will see mistakes being made. Covering your ears and singing "lalala crypto bad" instead of trying to learn how to make cryptography easier to use is boring.
vmoore|2 years ago
- Principle of least privilege.
- Zero Trust.
- Compartmentation.
- Hardened Operating Systems with no malware and strong endpoint defense.
- Firewalls that whitelist only your IP and disavow everything else.
- 2FA/MFA/Biometrics auth for everything.
- Defense in Depth.
- Use crytography tools vetted from the community surrounding it, and use tools which are battle hardened.
Modern computing is very leaky and every node is malicious. You need extreme vigilance to safeguard crypto.
Are people up to the task of doing all this?
I'm asking because I lost crypto before, and now I'm more resilient and have better security posture.
drdrek|2 years ago
snakeyjake|2 years ago
Set up your own wallet and lose access? YOUR FAULT, DUMMY
Use an exchange and get hacked? YOUR FAULT, DUMMY
Use an exchange and they scam you? YOUR FAULT, DUMMY
Fall for a spearphishing email? YOUR FAULT, DUMMY
A flaw in the implementation that leads to an exploit? YOUR FAULT, DUMMY
Fail to maintain an EAL7-certified computing environment using only FIPS 140-3 level V cryptographic products in an ISO 27001:2022 Annex A.11.1-secured facility and something goes wrong? YOUR FAULT DUMMY-DUM-DUM!
It's never, ever, a flaw with entire concept-- it's always you.
geek_at|2 years ago
1. Make a paper wallet, laminate it, put it in a safe location or maybe two
2. Use any exchange and send the coins to the wallet. Never leave any coins on the exchange
When you want to get them out again, this is the safest approach:
1. Boot Tails from USB
2. Enter your private key in Electrum (it's preinstalled in Tails)
3. Send to exchange and convert to fiat
If you want to do daytrading it's a whole other story
AlienRobot|2 years ago
brazzy|2 years ago
No. Anyone who thinks they are is deluding themselves. There is no such thing as a setup that is 100% secure against human error (and nobody is infallible) or a sufficiently motivated and skilled attacker (and there are supreme amounts of motivation here).
The core problem is the lack of legal recourse. Anonymous, irreversible, distributed transactions for money are a really fucking stupid idea.
velox_neb|2 years ago
himinlomax|2 years ago
The problem has gotten much, much worse, not better, over the past decade.
cassepipe|2 years ago
lucw|2 years ago
FabHK|2 years ago
Seriously, the idea that crypto (with its concomitant key management problems) is a solution for the challenges facing the poor in badly governed countries is rather absurd.
codedokode|2 years ago
The same should be at Google Play and Apple Store. Scam apps and sanctioned apps are regularly passing through reviews.
LelouBil|2 years ago
yau8edq12i|2 years ago
codetrotter|2 years ago
When I create a transaction with Electrum on my computer, I use a hardware wallet to sign the transaction. When I sign the transaction, the hardware wallet shows the amounts, and the output addresses.
But if my copy of Electrum was backdoored and smart about what it did, it could use an output address for the remaining amount that went to another wallet. And since I and most people mainly check the address we are sending to but don’t pay close attention to the change address, we could end up having our funds stolen that way.
I’ve been thinking about moving to a multisig setup instead, that would have multiple computers independently used for checking and signing the transactions.
So far I’ve been putting it off because a single wallet and being diligent about checking the output address that you send to seemed sufficient. But now I think moving to a multisig setup is something me and more people should do sooner rather than later.
popol12|2 years ago
- if it does, then the change output is simply hidden from the user validation flow
- if it doesn’t it will appear as a second bitcoin transfer to approve, which require a second physical approval on the device. this is highly unusual and should trigger the user's suspicion.
I can’t say for other vendors but this is pretty standard security practice I’m sure, hardware wallets are fighting against attacks that are way more elaborate than this one.
stouset|2 years ago
Line could go up, but if you aren’t extremely careful with processes that most people don’t and won’t comprehend—and don’t even realize are something you need to do—you can just straight up lose everything.
t_mann|2 years ago
woah|2 years ago
The screen is tiny, and protocol devs don't usually put a lot of thought into making stuff easily human readable. Ideally a transaction can be fully understood and verified from the hardware wallet but we still have a ways to go.
sowbug|2 years ago
It's much more likely you'll fall victim to malware that waits until you're on an exchange website, and substitutes the attacker's receive address for the exchange's. You think you're depositing funds in your account, but they vanish instead. This is basically the same attack as fake escrow instructions emailed to people buying a home.
zepton|2 years ago
Scoundreller|2 years ago
While it’s not foolproof, it’s a good reason to compile things yourself from source instead of using the binaries. Unless someone trusted is validating build reproducibility, but that isn’t as common as we’d all like.
Some 4y old discussion of how some OSs for electrum are built reproducibly: https://old.reddit.com/r/Bitcoin/comments/dcz0my/what_is_not...
npoc|2 years ago
yieldcrv|2 years ago
This app simply transmitted seed phrases to a server, or derived the first private key of one and sent that
Starting to agree with everyone else here, if the crypto enthusiasts on HN can’t differentiate
csomar|2 years ago
Pretty sure this is not the case for Trezor (This was an angle that got addressed a long time ago). Also, Ethereum doesn't have a change address.
> So far I’ve been putting it off because a single wallet and being diligent about checking the output address that you send to seemed sufficient.
If you are too concerned and use Bitcoin, there is an easier/simpler way. Sign the transaction offline and don't broadcast it. Copy the transaction Hex and decode it. You can there read the details of the output addresses, fees, etc.. When you are sure, then you can broadcast the transaction.
ews|2 years ago
david4568|2 years ago
[deleted]
edent|2 years ago
If you have the technical ability to create an app, you probably have the ability to upload something to /.well-known/ or to add a DNS TXT record.
That way the Snap store could say "This app came from this website."
OK, it doesn't help if someone goes to the trouble of registering a homograph address, but it would at least give normal users a chance to check out who the author is.
That seems to be how Flathub works. It shows a verified domain, or prominently says that it is a community released app.
ndiddy|2 years ago
popey|2 years ago
They might consider it further if the store got to a decent scale (like the contemporaries like iOS, Play and Microsoft). But with "only" 6K applications published, and the money canon being pointed in other directions, I can't see it happening any time soon.
KomoD|2 years ago
> OK, it doesn't help if someone goes to the trouble of registering a homograph address
Doesn't even have to be homograph, it can just be something that has "exodus" in it (coming back to users not paying attention, this would work, and is also the reason phishing and other fake sites work), if "exodus-wallet.com" was verified then many people would still fall for it.
The entire thing would've been avoided if users paid attention and going to the official website instead of blindly trusting the Snap Store (and following VERY common advice, such as don't enter your secret phrase or password anywhere)
bagels|2 years ago
__MatrixMan__|2 years ago
I'm not sure what Bitcoiner's preference would be exactly, but I'm sure they've got something involving signed wallet hashes published on the chain.
The hard part, as with anywhere else, is getting users to check it.
Atotalnoob|2 years ago
Right now, the only real usage for apis is in oauth2.
There are dozens of tiny use cases we could use a standard uri for ease of use in corporate environments…
.well-known/documentation - redirects to the docs
.well-known/health - health check
.well-known/specificiation - api contracts
Etc…
jstanley|2 years ago
> it connects to some API at https://www.exchangerate-api.com/
This is not necessarily right. The exchangerate-api.com site is hosted behind Cloudflare, so I don't know where it's actually hosted, but the IP addresses shown in bandwhich could be unrelated.
You also said:
> Visiting one of those IPs redirects to https://www.exchangerate-api.com/
It is common for malicious sites to redirect to legitimate sites to help evade detection, so it is possible that exchangerate-api.com is an unrelated and legitimate site.
zx76|2 years ago
Obviously it's upsetting to have our API used by a scammer, but our service couldn't have been involved in this hack beyond fetching a JSON-formatted response of up-to-date exchange rates because that's the only functionality our service/domain provides.
My guess is that the scammer implemented a call to our API to fetch up-to-date exchange rates in order to make their fake wallet seem more plausible & real. Interestingly my API doesn't even support any exchange rates involving cryptocurrencies and so the scammer would have had to additionally integrate with a different API to get something like the up-to-date exchange rate between BTC and USD.
The API is a very simple service - it's just a few endpoints that supply JSON formatted exchange rates over HTTPS. Anyone with an email address can sign up to use the service for free and there are even some totally "open access" endpoints that don't require any authentication. One of these has been used in the GNU `units` converter software for a while.
With regard to proving it's a legitimate service, this is the point where I wish I had made more progress with the landing page update that emphasizes social proof I've been working on recently! The API is used by ICs/teams at hundreds of recognizable companies. There are tens of thousands of free users including some that have used the API consistently for free for over a decade. I guess you could check many instances of the service being archived on the wayback machine? https://web.archive.org/web/20240000000000*/https://www.exch... I'll definitely admit the domain does look a bit odd but back in 2010 when registering it the "Exact Match Domain" bonus was a big factor for SEO. The site has been a top 3 Google result for "exchange rate api" pretty consistently - presumably also how the scammer ended up using the service.
I've used Cloudflare since approx. 2019 and their "cloudflared" tunnel infrastructure since approx. 2021 to secure servers against DDoS.
I'll contact popey to see if we can get more details on the exact path/request they saw being made to our domain and if that leads to any further information or logging from our side.
popey|2 years ago
I still have the snap, and could test further, but I suspect the endpoint linode boxes will disappear and popup somewhere else sometime.
popey|2 years ago
I appreciate your comments, as they made me think more about that topic.
m_eiman|2 years ago
gjsman-1000|2 years ago
The desktop on Linux has gone Flatpak.
If I'm running a server, why the heck would I trust Snap, a platform that until recently didn't even let me control updates, over Docker? If something goes wrong, who do I call? If I need a custom storage arrangement, who do I call? If I need a custom network arrangement, who do I call? If I need to scale up, who do I call? Why would I subject myself to this?
Is it IoT? Maybe it has a market there - but why doesn't it focus on being the best it can be, solely for that market, then?
One more note: Snap even allowing unapproved repackaging of apps was, in my opinion, a very bad idea in the first place. Case in point: Even the Snap homepage is advertising a community repackage of a password manager ("NordPass" - developer not verified). Why the heck should Snap be proud of that?
(Edit: Apparently NordPass's website does point to it - but the developer remains unverified. What's the point of verification...)
ladyanita22|2 years ago
neilv|2 years ago
Sounds like assurances made by UX and Marketing, which engineering might've been able to tell them they can't make.
If it ends up costing them $490K plus legal fees, that's still a relatively inexpensive way to learn this lesson.
loloquwowndueo|2 years ago
Source: I’m a former Canonical employee.
ElijahLynn|2 years ago
rsynnott|2 years ago
(Never understood why ‘be your own bank’ was meant to be at all appealing. Being a bank is terrible. And still realistically less risky than this sort of thing; apart from truly bizarre edge cases (see the Citi/Revlon drama), this sort of thing simply can’t happen.)
fragmede|2 years ago
kwar13|2 years ago
ceejayoz|2 years ago
renewiltord|2 years ago
nntwozz|2 years ago
He's around 75 and has known me for maybe 20 years, we're not close friends but we run into each other every now and then and he knows I work with IT; I'm about half his age.
Long story short, I find out he needs help to retrieve his bitcoin wallet because he's lost $300k. I spend an hour looking around his devices and find out he's been buying bitcoin from a young hip instagram lady in Florida.
Wait for it…
…they shared access to the wallet.
He had a chat log stretching back one year on whatsapp with her, he was now paying her smaller sums to cover the cost for some "hacker" to retrieve his wallet.
¯\_(ツ)_/¯
yankaf|2 years ago
whimsicalism|2 years ago
hsbauauvhabzb|2 years ago
That is such a poor attitude. Instead maybe hope that canonical may fix the lax vetting and security of their store, but to care directly about their reputation and not the user who was scammed due to their weak practices goes hand in hand with everything else I’ve seen from snap.
popey|2 years ago
philipwhiuk|2 years ago
Case in point: https://www.web3isgoinggreat.com/?id=fixedfloat-hack
Saris|2 years ago
jis|2 years ago
So we need to be careful with how we interpret "Safe!"
nly|2 years ago
Multiple laminated (real) paper wallets in a safety deposit box and multiple locations is the only way to go.
akaiser|2 years ago
The wallet file is for keeping BTC, and whether you print it on laminated paper or copy it to multiple USB sticks that you distribute in multiple places (you can encrypt a USB stick, but not really a piece of paper, so beware who has access to your storage!), doesn't matter once you want to use your BTC. Using your BTC requires a computer and a wallet app; there's no way around that besides online platforms.
The real solution for fake wallets is to independently validate signatures of wallet app releases or to build from source yourself. Also wait for a few weeks before jumping onto the latest wallet version. Who knows if the developer's supply chain got compromised.
Edit for completeness: Last but not least, do offline transactions (send the signed transaction using an online device without access to the wallet).
fsflover|2 years ago
How about an offline virtual machine on Qubes OS?
achiang|2 years ago
I agree with all the recommendations - add human gates. Yes, it's expensive, but still far cheaper than the unbounded reputational damage that just occurred around the untrustworthiness of the store (hi Amazon).
popey|2 years ago
kwar13|2 years ago
Crypto has a long way to go and some improvements are being made but it definitely is one of the main pain points.
Pxtl|2 years ago
https://xkcd.com/1200/
when they said that these Snap packages were "safe" they probably meant from a "linux is secure" and "properly sandboxed" meaning, not "we've verified that this person isn't trying to scam you".
upofadown|2 years ago
* No way for anyone (user or store) to verify the identity of the publisher.
* User was not given enough understanding to be able to protect their Bitcoin identity (usability, identity backup).
* No way for anyone (user or store) to identify who had downloaded the malicious snap.
DerekRodriguez|2 years ago
fuddle|2 years ago
laverya|2 years ago
I could also see a sophisticated attacker holding off on draining wallets until the amount contained started to drop or increased past a threshold. Draining funds as soon as a user attempts to setup the app gets you a few suckers but also means you'll be reported quickly. Giving everyone a failure message while recording the recovery key might let you go significantly longer before discovery.
lyu07282|2 years ago
diego_sandoval|2 years ago
democracy|2 years ago
doubloon|2 years ago
then tried to 'self checkout' the app store
"One of the goals is to automate the whole Snapcraft publishing and review pipeline so there’s fewer (expensive and slow) humans in the loop." (from op article).
automation should not replace human judgement, it should replace human drudgery.
Devasta|2 years ago
outside415|2 years ago
shuntress|2 years ago
ToucanLoucan|2 years ago
A security product built by people who have zero understanding of actual financial security and how financial crimes actually happen. Truly astonishing.
mistercheph|2 years ago
"If only there was a mode or system of human transportation backed by long-standing institutions with a deep commitment to dirt trails and rideability that occurred at speeds which were safe for this type of thing."
*spits into spittoon*
lxe|2 years ago
ZaynBashar|2 years ago
[deleted]
Jeremyiv2|2 years ago
[deleted]
Jeremyiv2|2 years ago
[deleted]
Jeremyiv|2 years ago
[deleted]
paulhowson|2 years ago
[deleted]
clarkrizzo|2 years ago
[deleted]
BirgitMeyer673|2 years ago
[deleted]
david4568|2 years ago
[deleted]
Hwanpark|2 years ago
[deleted]
markd081711|2 years ago
[deleted]
ketrymercy|2 years ago
[deleted]
lucaalessandro|2 years ago
[deleted]
Michaelhartnett|2 years ago
[deleted]
GeorgeCaldwell|2 years ago
[deleted]
Jacquepagan080|2 years ago
[deleted]
judith48|2 years ago
farukmanon12|2 years ago
[deleted]
arnoldpritzker|2 years ago
[deleted]
redder23|2 years ago
popey|2 years ago
Or perhaps not, and they have a ton of other wallets full to the brim with crypto-nonsense.
ramijames|2 years ago
reisse|2 years ago
yieldcrv|2 years ago
lobito14|2 years ago
8organicbits|2 years ago
http[://]example.com
nerdbert|2 years ago
Linda231|2 years ago
[deleted]
GoodUser77|2 years ago
[deleted]
GoodUser77|2 years ago
[deleted]
florieger|2 years ago
[deleted]
aaroninsf|2 years ago
[deleted]
ivana111|2 years ago
[deleted]
FabHK|2 years ago
louwrentius|2 years ago
[deleted]
woah|2 years ago
mhluongo|2 years ago