It’s been 2 weeks since @noisy posted his text about not-hacking 11 Steemit accounts. It was the top 1 trending post for a week and I think at some point everyone saw it. And they probably did.
Private memo keys
First let me quote @noisy:
There are 4 pairs of keys: active, owner, posting and memo. Every pair has public key and private key. Under any circumstances, you should never expose any of your private keys.
As I wrote in a post, right now exposing a private memo key is not very dangerous. But it was said few times, that in the future memo-keys will be used to encrypt and decrypt private messages. So basically every your conversation encrypted with your memo-key would be basically public for everyone who poses your private memo key.
Also... even right now everyone with your private memo key could try do some kind of social-engineering attack, by pretending that attacker is you (because technically speaking only you should be able to sign message with your private key).
So... no, your account was not hacked right now, but with private memo key exposed, your account could be attacked in a moment when private-memo-keys would gain some new role in Steem ecosystem.
But many users, like @dollarvigilante, didn’t take it seriously.
And those users didn’t change their keys. No reason why.
Not in blockchain?
I have found one setting which is not stored in blockchain. So it means it can be changed in the user’s profile with ANY private key. This setting is viewing the Not safe for work (NSFW) content.
To show you how it works I have found user with NSFW content (one post without any images - @hungrylilkitten) and I will use @dollarvigilante private memo key as an example.
So are you still going to wait with changing private keys for something worse to happen?
A lot of memo keys
You might think there are only a few of those private memo keys so no need to worry. Let me surprise you - there are dozens of them.
Let’s have a look at the number of posted private memo keys (end date is 2017-06-19 17:27:12).
| Month | Keys posted | Percent of all |
|---|---|---|
| 07.2016 | 16 | 13,68% |
| 08.2016 | 18 | 15,38% |
| 09.2016 | 7 | 5,98% |
| 10.2016 | 7 | 5,98% |
| 11.2016 | 1 | 0,85% |
| 12.2016 | 2 | 1,71% |
| 01.2017 | 1 | 0,85% |
| 02.2017 | 0 | 0,00% |
| 03.2017 | 4 | 3,42% |
| 04.2017 | 4 | 3,42% |
| 05.2017 | 23 | 19,66% |
| 06.2017 | 34 | 29,06% |
First, I’m going to divide it into two categories: Keys posted and changed some time later by user OR keys posted with no response from user till now.
| Posted... | Number of keys | Percent of all |
|---|---|---|
| ... and changed later | 42 | 36.75% |
| ... and NOT changed later | 74 | 63.25% |
Let’s set a point in time called POST. POST is a date when @noisy published his text. Data shown above will be divided into more categories:
| Posted... | Number of keys | Percent of all |
|---|---|---|
| ...before POST and changed before POST | 28 | 23.93% |
| ...before POST and changed after POST | 13 | 11.11% |
| ...after POST and changed after POST | 2 | 1.71% |
| ...before POST and not changed | 51 | 43.59% |
| ...after POST and not changed | 23 | 19.66% |
Posted before POST and changed before POST
Table sorted in ascending order of memo key posted:
| User | Memo key posted | Key changed |
|---|---|---|
| @business | 2016-07-04 20:59:09 | 2016-07-16 08:53:12 |
| @katiasan1978 | 2016-07-15 14:53:03 | 2016-07-15 15:02:18 |
| @crypt0 | 2016-07-15 20:30:42 | 2016-07-21 18:14:36 |
| @pinkisland | 2016-07-20 05:24:15 | 2016-07-24 02:36:45 |
| @jl777 | 2016-07-26 23:06:24 | 2016-07-27 17:36:15 |
| @theanubisrider | 2016-07-27 19:26:15 | 2016-08-05 02:56:27 |
| @toxichan | 2016-07-29 05:03:51 | 2016-08-20 13:36:36 |
| @jl777 | 2016-08-01 11:52:54 | 2016-12-29 08:58:39 |
| @zhuvazhuva | 2016-08-03 18:39:21 | 2016-10-17 07:50:12 |
| @bdavid | 2016-08-04 00:20:03 | 2016-08-12 22:15:21 |
| @mandibil | 2016-08-09 21:07:21 | 2016-08-14 12:52:36 |
| @konti | 2016-08-12 15:42:12 | 2016-08-12 15:44:39 |
| @crypt0 | 2016-08-13 19:29:24 | 2017-05-21 07:50:12 |
| @instructor2121 | 2016-08-16 22:56:21 | 2016-10-02 06:57:30 |
| @infovore | 2016-08-29 10:32:51 | 2016-09-19 16:38:15 |
| @mohammed123 | 2016-09-05 08:17:30 | 2016-09-06 10:22:33 |
| @mohammed123 | 2016-09-06 17:40:39 | 2016-09-06 17:42:12 |
| @theprophet0 | 2016-09-12 01:00:12 | 2016-10-08 01:03:42 |
| @mohammed123 | 2016-09-14 17:48:57 | 2016-09-14 17:57:39 |
| @lichtblick | 2016-10-01 14:17:06 | 2016-10-09 07:45:09 |
| @hien-tran | 2016-10-13 08:04:57 | 2016-11-19 08:33:36 |
| @justtryme90 | 2016-10-17 02:27:51 | 2016-10-26 02:27:57 |
| @jacobts | 2017-03-21 10:46:24 | 2017-05-08 18:43:39 |
| @berovvv | 2017-05-13 08:18:09 | 2017-05-15 11:50:57 |
| @samdaman | 2017-05-14 03:14:03 | 2017-05-21 10:34:57 |
| @dancingstar | 2017-05-22 15:41:21 | 2017-06-04 01:52:00 |
| @cryptonouvelles | 2017-05-28 23:47:12 | 2017-05-29 01:45:57 |
| @tombstone | 2017-06-06 14:18:03 | 2017-06-06 15:37:06 |
Table sorted in ascending order of key changed after:
| User | Times used | Key changed after |
|---|---|---|
| @mohammed123 | 1 | 1 min 33 s |
| @konti | 1 | 2 min 27 s |
| @mohammed123 | 1 | 8 min 42 s |
| @katiasan1978 | 1 | 9 min 15 s |
| @tombstone | 1 | 1 h 19 min 3 s |
| @cryptonouvelles | 1 | 1 h 58 min 45 s |
| @jl777 | 2 | 18 h 29 min 51 s |
| @mohammed123 | 2 | 1 d 2 h 5 min 3 s |
| @berovvv | 2 | 3 d 3 h 32 min 48 s |
| @pinkisland | 2 | 3 d 21 h 12 min 30 s |
| @mandibil | 2 | 4 d 15 h 45 min 15 s |
| @crypt0 | 2 | 5 d 21 h 43 min 54 s |
| @samdaman | 1 | 7 d 7 h 20 min 54 s |
| @lichtblick | 1 | 7 d 17 h 28 min 3 s |
| @theanubisrider | 2 | 8 d 7 h 30 min 12 s |
| @bdavid | 1 | 8 d 21 h 55 min 17 s |
| @justtryme90 | 8 | 9 d 0 h 0 min 6 s |
| @business | 2 | 11 d 11 h 54 min 3 s |
| @dancingstar | 6 | 12 d 10 h 10 min 39 s |
| @infovore | 2 | 21 d 6 h 5 min 24 s |
| @toxichan | 1 | 22 d 8 h 32 min 45 s |
| @theprophet0 | 3 | 26 d 0 h 3 min 30 s |
| @hien-tran | 1 | 37 d 0 h 28 min 39 s |
| @instructor2121 | 6 | 46 d 8 h 1 min 9 s |
| @jacobts | 1 | 48 d 7 h 57 min 15 s |
| @zhuvazhuva | 4 | 74 d 13 h 10 min 51 s |
| @jl777 | 2 | 149 d 21 h 5 min 45 s |
| @crypt0 | 1 | 280 d 12 h 20 min 48 s |
Posted before POST and changed after POST
Table sorted in ascending order of memo key posted:
| User | Memo key posted | Key changed |
|---|---|---|
| @alao | 2016-07-11 15:50:06 | 2017-06-11 17:44:57 |
| @saramiller | 2016-09-14 20:54:27 | 2017-06-07 17:26:06 |
| @mrgreen | 2016-10-01 11:19:33 | 2017-06-12 13:48:36 |
| @lichtblick | 2016-10-10 05:48:15 | 2017-06-07 15:43:03 |
| @tomino | 2016-10-27 10:55:51 | 2017-06-12 16:17:27 |
| @trump | 2016-12-19 02:05:45 | 2017-06-08 12:40:15 |
| @marionjoe | 2017-03-23 12:23:36 | 2017-06-11 15:08:48 |
| @steemshop | 2017-04-22 02:28:21 | 2017-06-09 10:52:54 |
| @kingofdew | 2017-05-07 21:50:09 | 2017-06-12 13:48:36 |
| @worldclassplayer | 2017-05-09 09:08:39 | 2017-06-10 22:49:18 |
| @wthomas | 2017-05-24 21:57:30 | 2017-06-07 21:01:03 |
| @golgappas | 2017-06-05 17:12:30 | 2017-06-09 17:01:57 |
Table sorted in ascending order of key changed after:
| User | Times used | Key changed after |
|---|---|---|
| @golgappas | 5 | 3 d 23 h 49 min 27 s |
| @wthomas | 1 | 13 d 23 h 3 min 33 s |
| @worldclassplayer | 5 | 32 d 13 h 40 min 39 s |
| @kingofdew | 7 | 35 d 15 h 58 min 27 s |
| @steemshop | 1 | 48 d 8 h 24 min 33 s |
| @marionjoe | 4 | 80 d 2 h 45 min 12 s |
| @trump | 1 | 171 d 10 h 34 min 30 s |
| @tomino | 1 | 228 d 5 h 21 min 36 s |
| @lichtblick | 15 | 240 d 9 h 54 min 48 s |
| @mrgreen | 2 | 254 d 2 h 29 min 3 s |
| @saramiller | 1 | 265 d 20 h 31 min 39 s |
| @alao | 1 | 335 d 1 h 54 min 51 s |
Posted after POST and changed after POST
Table sorted in ascending order of memo key posted:
| User | Memo key posted | Key changed |
|---|---|---|
| @deividas | 2017-06-10 00:19:15 | 2017-06-10 21:41:24 |
| @lulzim | 2017-06-11 14:22:00 | 2017-06-11 15:08:48 |
Table sorted in ascending order of key changed after:
| User | Times used | Key changed after |
|---|---|---|
| @lulzim | 3 | 46 min 48 s |
| @deividas | 3 | 21 h 22 min 9 s |
Posted before POST and not changed
Table sorted in ascending order of memo key posted:
| User | Memo key posted | Times used |
|---|---|---|
| @onighost | 2016-07-09 22:17:36 | 4 |
| @kakradetome | 2016-07-13 23:45:09 | 11 |
| @vovaha | 2016-07-15 21:59:48 | 1 |
| @niliano | 2016-07-19 12:16:45 | 2 |
| @farinspace | 2016-07-19 14:02:24 | 1 |
| @francoisstrydom | 2016-07-19 14:17:33 | 2 |
| @qamarpinkpanda | 2016-07-29 14:12:09 | 1 |
| @pinkisland | 2016-07-29 14:18:15 | 2 |
| @romanskv | 2016-08-06 23:53:30 | 1 |
| @slimjim | 2016-08-07 19:12:00 | 1 |
| @malyshew1973 | 2016-08-08 01:13:39 | 1 |
| @athleteyoga | 2016-08-11 02:28:12 | 11 |
| @murat | 2016-08-12 08:34:45 | 1 |
| @rawmeen | 2016-08-13 08:57:00 | 4 |
| @tee-em | 2016-08-20 19:30:45 | 2 |
| @smisi | 2016-08-22 13:16:03 | 3 |
| @lostnuggett | 2016-08-23 16:21:15 | 2 |
| @dollarvigilante | 2016-08-31 02:10:45 | 10 |
| @cryptoeasy | 2016-09-07 10:54:00 | 1 |
| @iaco | 2016-09-28 17:59:18 | 1 |
| @richarddean | 2016-10-27 13:33:24 | 1 |
| @leesmoketree | 2016-11-11 21:42:54 | 37 |
| @luani | 2016-12-12 02:48:15 | 1 |
| @nikolad | 2017-01-21 09:57:00 | 2 |
| @colombiana | 2017-03-20 17:14:39 | 1 |
| @beeridiculous | 2017-03-22 09:01:21 | 1 |
| @norbu | 2017-04-03 10:44:24 | 3 |
| @inphinitbit | 2017-04-18 06:27:24 | 2 |
| @maxfuchs | 2017-04-18 15:34:48 | 1 |
| @sraseef | 2017-05-02 18:17:45 | 1 |
| @surpriseattack | 2017-05-09 05:22:03 | 1 |
| @churchsoftware | 2017-05-10 21:19:48 | 1 |
| @thunderberry | 2017-05-11 19:03:15 | 2 |
| @hithere | 2017-05-14 11:09:21 | 3 |
| @walcot | 2017-05-14 19:17:36 | 2 |
| @bryguy | 2017-05-17 06:34:48 | 2 |
| @mama-c | 2017-05-18 17:26:45 | 1 |
| @blockiechain | 2017-05-19 02:42:33 | 1 |
| @theofphotography | 2017-05-20 10:46:36 | 2 |
| @writemore | 2017-05-20 16:55:12 | 1 |
| @nathanhollis | 2017-05-22 15:51:33 | 3 |
| @jellos | 2017-05-26 08:35:45 | 2 |
| @coincravings | 2017-05-29 09:36:51 | 2 |
| @chuckles | 2017-05-29 10:39:57 | 1 |
| @amrsaeed | 2017-05-31 18:10:15 | 1 |
| @dethie | 2017-06-03 03:42:51 | 1 |
| @goldrush | 2017-06-03 10:10:00 | 2 |
| @bloodhound | 2017-06-03 16:33:45 | 2 |
| @datkrazykid | 2017-06-04 04:08:42 | 1 |
| @mkultra87f | 2017-06-06 14:21:00 | 1 |
| @lopezro | 2017-06-06 17:32:03 | 1 |
Posted after POST and not changed
Table sorted in ascending order of memo key posted:
| User | Memo key posted | Times used |
|---|---|---|
| @cryptowaffles | 2017-06-07 19:12:39 | 1 |
| @webwizards | 2017-06-09 12:00:09 | 1 |
| @bitlamb | 2017-06-10 12:07:00 | 1 |
| @aresmari | 2017-06-10 17:10:33 | 1 |
| @dancingstar | 2017-06-11 01:37:03 | 1 |
| @dattabitcoin | 2017-06-13 02:50:42 | 1 |
| @wakeupworldnews | 2017-06-15 12:39:06 | 1 |
| @gbonikz | 2017-06-15 14:50:21 | 2 |
| @chrizbiz | 2017-06-15 20:16:12 | 1 |
| @gary911 | 2017-06-16 05:36:45 | 1 |
| @hingedthomas | 2017-06-16 11:07:39 | 2 |
| @edie84 | 2017-06-16 13:38:36 | 1 |
| @brandonas | 2017-06-16 14:08:03 | 2 |
| @imccormick82 | 2017-06-16 15:24:03 | 1 |
| @marshallevans | 2017-06-16 20:13:12 | 5 |
| @rottdean2 | 2017-06-16 21:43:12 | 1 |
| @sandman1923 | 2017-06-16 22:31:24 | 1 |
| @cwrz1976 | 2017-06-17 02:55:09 | 3 |
| @murtazasyedm | 2017-06-17 18:37:42 | 2 |
| @elfictron | 2017-06-18 14:02:36 | 2 |
| @big-ginger-fuck | 2017-06-18 23:30:57 | 2 |
| @acarl211 | 2017-06-19 02:52:06 | 2 |
| @neilism | 2017-06-19 02:56:33 | 1 |
| @d-pend | 2017-06-19 17:27:12 | 2 |
Can I help?
After publishing this post I’m going to send every user with not changed key a minimal SBD transfer with a link to this text and information CHANGE YOUR PASSWORD. I hope this will work and at least some of those users will change their keys.
I’m going to keep an eye on keys updates and after a week or two data will be gathered to create new statistics.
What is Memo?
But there is also a second issue that I would like to talk about. Public keys and how users use them as a habit in the wrong places. By wrong places I mean mostly Memo Fields when withdrawing Steem and SBD from markets to Steemit.
I’m going to use Bittrex as an example. I was sending 1 SBD to my Steemit account.
And I received it like this (problem with apostrophe):
I did it to show you that every Memo Field is public. All that info can be found in your Wallet. If you write something in Memo Field during transfer from market to Steemit it will stay in blockchain forever. And sooner or later somebody is going to see that and maybe even use against you.
BECAUSE MEMO FIELD IS NOT THE SAME AS MEMO KEY.
Memo Field is a place for any information you want. It’s a place to write something like My daily update 2017-06-21 or Gift from aunt Betty. This field is for you.
All keys can be found in your Wallet and then Permissions. Those long strings of characters should stay in that place if you don’t know what you can do with them. And Memo key, as you can see, is used to create and read memos.
Public keys
I’m talking about all of this because if somebody used at least once a public key in Memo Field, there is a possibility that next time maybe for mistake user will paste private key. And that’s not good.
There are a lot of tutorials on Steemit with incorrect information. People read them and they make the same mistakes. Here are some the most popular posts that can be found using Google:
You know how many users used public key at least once to transfer Steem and SDB?
| Transfers from | Number of users |
|---|---|
| @bittrex | 743 |
| @blocktrades | 13 |
| @changelly | 46 |
| @freewallet | 18 |
| @openledger | 19 |
| @poloniex | 1053 |
A lot of them. And there are more than 300 transfers between users!
The best part - many people after the first transfer with public key assume it’s the only good way and they duplicate this error over and over again.
| Public keys used | Users |
|---|---|
| 89 times | @lightsplasher |
| 74 times | @mctiller |
| 67 times | @murat |
| 63 times | @vortac |
| 61 times | @judasp |
| 54 times | @paws1t1veev |
| 51 times | @asim |
| 47 times | @royalmacro |
| 46 times | @asmolokalo |
| 44 times | @nxtblg |
| 38 times | @sflaherty |
| 35 times | @takertrade |
| 34 times | @mynameisbrian |
| 31 times | @surfyogi |
| 30 times | @btcshare7 @cqf @carface |
| 29 times | @catulhu |
| 28 times | @dreemit |
| 27 times | @coininstant @steemvest17 |
| 26 times | @laonie |
| 25 times | @jl777 @marco-delsalto |
| 23 times | @exploretraveler @sneakgeekz @mixa @otisbrown |
| 22 times | @politicasan2 @urbanoid @jol @tradz |
| 20 times | @helikopterben |
| 19 times | @me-tarzan @claudiop63 |
| 18 times | @cardboard @henry-gant @addicted |
| 17 times | @gigafart @btcbtcbtc20155 @sandrino |
| 16 times | @snubbermike |
| 15 times | @jerrybanfield @manoami @scotty2729 |
And here comes bigger numbers:
| Public keys used | Users |
|---|---|
| 14 times | 6 users |
| 13 times | 6 users |
| 12 times | 11 users |
| 11 times | 6 users |
| 10 times | 17 users |
| 9 times | 18 users |
| 8 times | 29 users |
| 7 times | 36 users |
| 6 times | 53 users |
| 5 times | 64 users |
| 4 times | 88 users |
| 3 times | 198 users |
| 2 times | 454 users |
| 1 time | 620 users |
If you want to know more about public and private KEYS on Steemit - look at @noisy profile.
If you like this text - please follow me!
