We have seen numerous posts attempting to prevent users from losing their passwords by accidentally putting them into the transaction memo field. It seemed to be the most frequent way of leaking one’s password; however, it is by far not the only one. The story featured in this post started on GitHub, a platform unaffiliated with Steem, yet one that happens to gather a lot of developers, including those who contribute to Steemit.
While browsing different Steem-related directories, I noticed that several developers used placeholders for their keys in various, potentially dangerous, formats, such as wif = '5…'. This observation helped me realize these programmers would normally put their keys as string values in their locally stored versions of the code. Then, I started thinking:
“what if somebody forgot to erase their key from the code and accidentally posted it on GitHub?”
Well, devs are not the kind of people you expect to make such a mistake but I thought I may try searching for it, and so I did, which brought me to the following piece of code:
Sorry, it is no longer a valid key 😉
I quickly found out it belongs to @picokernel, whom I immediately contacted, potentially saving him from abuse of his account by a malicious user. As it turned out, he is a fairly successful Steemit Inc. Full Time Developer. We know everybody commits bloomers at times, so I would not be particularly admonishing towards him, albeit it is great to note Steemit Inc. does pick the right employees.
Our short conversation
Everyone is susceptible to leaking his or her password. Password crusades organized by @gtg and other users, while definitely worth supporting, may not necessarily be that effective, since there is a high chance that those who leak their passwords would never even bother to read the advice written by our prominent users. Instructing, preventing and saving is all we can do. We should help others when we can. Yet, Steemit as a community should not devote its time to babysitting reckless users and caring about their accounts more than the owners do. Sometimes losing an account may be a harsh way of teaching someone to take responsibility for what they do. Unfortunately, I doubt this is the last story related to a key loss on Steemit.
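On the preventing side, a check run over your own code before every commit catches the `wif = '5…'` mistake described above. The following is an added example, not code from the original post or from any Steem project; it assumes keys use the Bitcoin-style WIF encoding (version byte 0x80, 32-byte key, 4-byte double-SHA-256 checksum, Base58), and all function names and the sample key are constructed for illustration.

```python
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Shape of an uncompressed WIF key: '5' followed by 50 more Base58 characters.
WIF_CANDIDATE = re.compile(r"(?<![%s])5[%s]{50}(?![%s])" % (B58, B58, B58))

def checksum(payload):
    """First four bytes of double SHA-256, as used by Base58Check."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def b58decode(text):
    """Base58 to bytes (leading zero bytes ignored; WIF data starts with 0x80)."""
    num = 0
    for ch in text:
        num = num * 58 + B58.index(ch)
    return num.to_bytes((num.bit_length() + 7) // 8, "big")

def b58encode(raw):
    num, out = int.from_bytes(raw, "big"), ""
    while num:
        num, rem = divmod(num, 58)
        out = B58[rem] + out
    return out

def is_wif(candidate):
    """True only if the string decodes to 0x80 + 32-byte key + valid checksum."""
    raw = b58decode(candidate)
    return len(raw) == 37 and raw[0] == 0x80 and checksum(raw[:-4]) == raw[-4:]

def find_wif_keys(source):
    """Return (line, column) of every checksum-valid WIF key in the text."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for match in WIF_CANDIDATE.finditer(line):
            if is_wif(match.group()):
                hits.append((lineno, match.start()))
    return hits

def make_constructed_wif(secret32):
    """Build a throwaway WIF string for testing (never a real account key)."""
    payload = b"\x80" + secret32
    return b58encode(payload + checksum(payload))

# Constructed sample: a key made from bytes 1..32, plus a harmless placeholder.
SAMPLE_KEY = make_constructed_wif(bytes(range(1, 33)))
SAMPLE_SOURCE = "account = 'example'\nwif = '%s'\nwif2 = '5...'\n" % SAMPLE_KEY

if __name__ == "__main__":
    for lineno, col in find_wif_keys(SAMPLE_SOURCE):
        print("possible private key at line %d, column %d" % (lineno, col))
```

Because the checksum is verified, placeholders and random 51-character strings are not reported; wire `find_wif_keys` into a pre-commit hook so the commit fails when it returns any hit.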