IMPORTANT SECURITY INFORMATION regarding private memo / public KEYS and transfers (with statistics!)

It’s been 2 weeks since @noisy posted his text about not-hacking 11 Steemit accounts. It was the number 1 trending post for a week and I think at some point everyone saw it. And they probably did.

Private memo keys

First let me quote @noisy:

There are 4 pairs of keys: active, owner, posting and memo. Every pair has a public key and a private key. Under any circumstances, you should never expose any of your private keys.

As I wrote in a post, right now exposing a private memo key is not very dangerous. But it was said a few times that in the future memo-keys will be used to encrypt and decrypt private messages. So basically every conversation of yours encrypted with your memo-key would be basically public for everyone who possesses your private memo key.

Also... even right now everyone with your private memo key could try to do some kind of social-engineering attack, by pretending that the attacker is you (because technically speaking only you should be able to sign a message with your private key).

So... no, your account was not hacked right now, but with private memo key exposed, your account could be attacked in a moment when private-memo-keys would gain some new role in Steem ecosystem.

But many users, like @dollarvigilante, didn’t take it seriously.

And those users didn’t change their keys. No reason why.

Not in blockchain?

I have found one setting which is not stored in the blockchain. This means it can be changed in the user’s profile with ANY private key. The setting controls viewing of Not safe for work (NSFW) content.

To show you how it works I have found a user with NSFW content (one post without any images - @hungrylilkitten) and I will use @dollarvigilante’s private memo key as an example.

So are you still going to wait with changing private keys for something worse to happen?

A lot of memo keys

You might think there are only a few of those private memo keys so no need to worry. Let me surprise you - there are dozens of them.

Let’s have a look at the number of posted private memo keys (end date is 2017-06-19 17:27:12).

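| Month | Keys posted | Percent of all |
|---|---|---|
| 07.2016 | 16 | 13.68% |
| 08.2016 | 18 | 15.38% |
| 09.2016 | 7 | 5.98% |
| 10.2016 | 7 | 5.98% |
| 11.2016 | 1 | 0.85% |
| 12.2016 | 2 | 1.71% |
| 01.2017 | 1 | 0.85% |
| 02.2017 | 0 | 0.00% |
| 03.2017 | 4 | 3.42% |
| 04.2017 | 4 | 3.42% |
| 05.2017 | 23 | 19.66% |
| 06.2017 | 34 | 29.06% |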

First, I’m going to divide it into two categories: Keys posted and changed some time later by user OR keys posted with no response from user till now.

| Posted... | Number of keys | Percent of all |
|---|---|---|
| ... and changed later | 42 | 36.75% |
| ... and NOT changed later | 74 | 63.25% |

Let’s set a point in time called POST. POST is a date when @noisy published his text. Data shown above will be divided into more categories:

| Posted... | Number of keys | Percent of all |
|---|---|---|
| ...before POST and changed before POST | 28 | 23.93% |
| ...before POST and changed after POST | 13 | 11.11% |
| ...after POST and changed after POST | 2 | 1.71% |
| ...before POST and not changed | 51 | 43.59% |
| ...after POST and not changed | 23 | 19.66% |

Posted before POST and changed before POST

Table sorted in ascending order of memo key posted:

| User | Memo key posted | Key changed |
|---|---|---|
| @business | 2016-07-04 20:59:09 | 2016-07-16 08:53:12 |
| @katiasan1978 | 2016-07-15 14:53:03 | 2016-07-15 15:02:18 |
| @crypt0 | 2016-07-15 20:30:42 | 2016-07-21 18:14:36 |
| @pinkisland | 2016-07-20 05:24:15 | 2016-07-24 02:36:45 |
| @jl777 | 2016-07-26 23:06:24 | 2016-07-27 17:36:15 |
| @theanubisrider | 2016-07-27 19:26:15 | 2016-08-05 02:56:27 |
| @toxichan | 2016-07-29 05:03:51 | 2016-08-20 13:36:36 |
| @jl777 | 2016-08-01 11:52:54 | 2016-12-29 08:58:39 |
| @zhuvazhuva | 2016-08-03 18:39:21 | 2016-10-17 07:50:12 |
| @bdavid | 2016-08-04 00:20:03 | 2016-08-12 22:15:21 |
| @mandibil | 2016-08-09 21:07:21 | 2016-08-14 12:52:36 |
| @konti | 2016-08-12 15:42:12 | 2016-08-12 15:44:39 |
| @crypt0 | 2016-08-13 19:29:24 | 2017-05-21 07:50:12 |
| @instructor2121 | 2016-08-16 22:56:21 | 2016-10-02 06:57:30 |
| @infovore | 2016-08-29 10:32:51 | 2016-09-19 16:38:15 |
| @mohammed123 | 2016-09-05 08:17:30 | 2016-09-06 10:22:33 |
| @mohammed123 | 2016-09-06 17:40:39 | 2016-09-06 17:42:12 |
| @theprophet0 | 2016-09-12 01:00:12 | 2016-10-08 01:03:42 |
| @mohammed123 | 2016-09-14 17:48:57 | 2016-09-14 17:57:39 |
| @lichtblick | 2016-10-01 14:17:06 | 2016-10-09 07:45:09 |
| @hien-tran | 2016-10-13 08:04:57 | 2016-11-19 08:33:36 |
| @justtryme90 | 2016-10-17 02:27:51 | 2016-10-26 02:27:57 |
| @jacobts | 2017-03-21 10:46:24 | 2017-05-08 18:43:39 |
| @berovvv | 2017-05-13 08:18:09 | 2017-05-15 11:50:57 |
| @samdaman | 2017-05-14 03:14:03 | 2017-05-21 10:34:57 |
| @dancingstar | 2017-05-22 15:41:21 | 2017-06-04 01:52:00 |
| @cryptonouvelles | 2017-05-28 23:47:12 | 2017-05-29 01:45:57 |
| @tombstone | 2017-06-06 14:18:03 | 2017-06-06 15:37:06 |

Table sorted in ascending order of key changed after:

| User | Times used | Key changed after |
|---|---|---|
| @mohammed123 | 1 | 1 min 33 s |
| @konti | 1 | 2 min 27 s |
| @mohammed123 | 1 | 8 min 42 s |
| @katiasan1978 | 1 | 9 min 15 s |
| @tombstone | 1 | 1 h 19 min 3 s |
| @cryptonouvelles | 1 | 1 h 58 min 45 s |
| @jl777 | 2 | 18 h 29 min 51 s |
| @mohammed123 | 2 | 1 d 2 h 5 min 3 s |
| @berovvv | 2 | 3 d 3 h 32 min 48 s |
| @pinkisland | 2 | 3 d 21 h 12 min 30 s |
| @mandibil | 2 | 4 d 15 h 45 min 15 s |
| @crypt0 | 2 | 5 d 21 h 43 min 54 s |
| @samdaman | 1 | 7 d 7 h 20 min 54 s |
| @lichtblick | 1 | 7 d 17 h 28 min 3 s |
| @theanubisrider | 2 | 8 d 7 h 30 min 12 s |
| @bdavid | 1 | 8 d 21 h 55 min 17 s |
| @justtryme90 | 8 | 9 d 0 h 0 min 6 s |
| @business | 2 | 11 d 11 h 54 min 3 s |
| @dancingstar | 6 | 12 d 10 h 10 min 39 s |
| @infovore | 2 | 21 d 6 h 5 min 24 s |
| @toxichan | 1 | 22 d 8 h 32 min 45 s |
| @theprophet0 | 3 | 26 d 0 h 3 min 30 s |
| @hien-tran | 1 | 37 d 0 h 28 min 39 s |
| @instructor2121 | 6 | 46 d 8 h 1 min 9 s |
| @jacobts | 1 | 48 d 7 h 57 min 15 s |
| @zhuvazhuva | 4 | 74 d 13 h 10 min 51 s |
| @jl777 | 2 | 149 d 21 h 5 min 45 s |
| @crypt0 | 1 | 280 d 12 h 20 min 48 s |

Posted before POST and changed after POST

Table sorted in ascending order of memo key posted:

| User | Memo key posted | Key changed |
|---|---|---|
| @alao | 2016-07-11 15:50:06 | 2017-06-11 17:44:57 |
| @saramiller | 2016-09-14 20:54:27 | 2017-06-07 17:26:06 |
| @mrgreen | 2016-10-01 11:19:33 | 2017-06-12 13:48:36 |
| @lichtblick | 2016-10-10 05:48:15 | 2017-06-07 15:43:03 |
| @tomino | 2016-10-27 10:55:51 | 2017-06-12 16:17:27 |
| @trump | 2016-12-19 02:05:45 | 2017-06-08 12:40:15 |
| @marionjoe | 2017-03-23 12:23:36 | 2017-06-11 15:08:48 |
| @steemshop | 2017-04-22 02:28:21 | 2017-06-09 10:52:54 |
| @kingofdew | 2017-05-07 21:50:09 | 2017-06-12 13:48:36 |
| @worldclassplayer | 2017-05-09 09:08:39 | 2017-06-10 22:49:18 |
| @wthomas | 2017-05-24 21:57:30 | 2017-06-07 21:01:03 |
| @golgappas | 2017-06-05 17:12:30 | 2017-06-09 17:01:57 |

Table sorted in ascending order of key changed after:

| User | Times used | Key changed after |
|---|---|---|
| @golgappas | 5 | 3 d 23 h 49 min 27 s |
| @wthomas | 1 | 13 d 23 h 3 min 33 s |
| @worldclassplayer | 5 | 32 d 13 h 40 min 39 s |
| @kingofdew | 7 | 35 d 15 h 58 min 27 s |
| @steemshop | 1 | 48 d 8 h 24 min 33 s |
| @marionjoe | 4 | 80 d 2 h 45 min 12 s |
| @trump | 1 | 171 d 10 h 34 min 30 s |
| @tomino | 1 | 228 d 5 h 21 min 36 s |
| @lichtblick | 15 | 240 d 9 h 54 min 48 s |
| @mrgreen | 2 | 254 d 2 h 29 min 3 s |
| @saramiller | 1 | 265 d 20 h 31 min 39 s |
| @alao | 1 | 335 d 1 h 54 min 51 s |

Posted after POST and changed after POST

Table sorted in ascending order of memo key posted:

| User | Memo key posted | Key changed |
|---|---|---|
| @deividas | 2017-06-10 00:19:15 | 2017-06-10 21:41:24 |
| @lulzim | 2017-06-11 14:22:00 | 2017-06-11 15:08:48 |

Table sorted in ascending order of key changed after:

| User | Times used | Key changed after |
|---|---|---|
| @lulzim | 3 | 46 min 48 s |
| @deividas | 3 | 21 h 22 min 9 s |

Posted before POST and not changed

Table sorted in ascending order of memo key posted:

| User | Memo key posted | Times used |
|---|---|---|
| @onighost | 2016-07-09 22:17:36 | 4 |
| @kakradetome | 2016-07-13 23:45:09 | 11 |
| @vovaha | 2016-07-15 21:59:48 | 1 |
| @niliano | 2016-07-19 12:16:45 | 2 |
| @farinspace | 2016-07-19 14:02:24 | 1 |
| @francoisstrydom | 2016-07-19 14:17:33 | 2 |
| @qamarpinkpanda | 2016-07-29 14:12:09 | 1 |
| @pinkisland | 2016-07-29 14:18:15 | 2 |
| @romanskv | 2016-08-06 23:53:30 | 1 |
| @slimjim | 2016-08-07 19:12:00 | 1 |
| @malyshew1973 | 2016-08-08 01:13:39 | 1 |
| @athleteyoga | 2016-08-11 02:28:12 | 11 |
| @murat | 2016-08-12 08:34:45 | 1 |
| @rawmeen | 2016-08-13 08:57:00 | 4 |
| @tee-em | 2016-08-20 19:30:45 | 2 |
| @smisi | 2016-08-22 13:16:03 | 3 |
| @lostnuggett | 2016-08-23 16:21:15 | 2 |
| @dollarvigilante | 2016-08-31 02:10:45 | 10 |
| @cryptoeasy | 2016-09-07 10:54:00 | 1 |
| @iaco | 2016-09-28 17:59:18 | 1 |
| @richarddean | 2016-10-27 13:33:24 | 1 |
| @leesmoketree | 2016-11-11 21:42:54 | 37 |
| @luani | 2016-12-12 02:48:15 | 1 |
| @nikolad | 2017-01-21 09:57:00 | 2 |
| @colombiana | 2017-03-20 17:14:39 | 1 |
| @beeridiculous | 2017-03-22 09:01:21 | 1 |
| @norbu | 2017-04-03 10:44:24 | 3 |
| @inphinitbit | 2017-04-18 06:27:24 | 2 |
| @maxfuchs | 2017-04-18 15:34:48 | 1 |
| @sraseef | 2017-05-02 18:17:45 | 1 |
| @surpriseattack | 2017-05-09 05:22:03 | 1 |
| @churchsoftware | 2017-05-10 21:19:48 | 1 |
| @thunderberry | 2017-05-11 19:03:15 | 2 |
| @hithere | 2017-05-14 11:09:21 | 3 |
| @walcot | 2017-05-14 19:17:36 | 2 |
| @bryguy | 2017-05-17 06:34:48 | 2 |
| @mama-c | 2017-05-18 17:26:45 | 1 |
| @blockiechain | 2017-05-19 02:42:33 | 1 |
| @theofphotography | 2017-05-20 10:46:36 | 2 |
| @writemore | 2017-05-20 16:55:12 | 1 |
| @nathanhollis | 2017-05-22 15:51:33 | 3 |
| @jellos | 2017-05-26 08:35:45 | 2 |
| @coincravings | 2017-05-29 09:36:51 | 2 |
| @chuckles | 2017-05-29 10:39:57 | 1 |
| @amrsaeed | 2017-05-31 18:10:15 | 1 |
| @dethie | 2017-06-03 03:42:51 | 1 |
| @goldrush | 2017-06-03 10:10:00 | 2 |
| @bloodhound | 2017-06-03 16:33:45 | 2 |
| @datkrazykid | 2017-06-04 04:08:42 | 1 |
| @mkultra87f | 2017-06-06 14:21:00 | 1 |
| @lopezro | 2017-06-06 17:32:03 | 1 |

Posted after POST and not changed

Table sorted in ascending order of memo key posted:

| User | Memo key posted | Times used |
|---|---|---|
| @cryptowaffles | 2017-06-07 19:12:39 | 1 |
| @webwizards | 2017-06-09 12:00:09 | 1 |
| @bitlamb | 2017-06-10 12:07:00 | 1 |
| @aresmari | 2017-06-10 17:10:33 | 1 |
| @dancingstar | 2017-06-11 01:37:03 | 1 |
| @dattabitcoin | 2017-06-13 02:50:42 | 1 |
| @wakeupworldnews | 2017-06-15 12:39:06 | 1 |
| @gbonikz | 2017-06-15 14:50:21 | 2 |
| @chrizbiz | 2017-06-15 20:16:12 | 1 |
| @gary911 | 2017-06-16 05:36:45 | 1 |
| @hingedthomas | 2017-06-16 11:07:39 | 2 |
| @edie84 | 2017-06-16 13:38:36 | 1 |
| @brandonas | 2017-06-16 14:08:03 | 2 |
| @imccormick82 | 2017-06-16 15:24:03 | 1 |
| @marshallevans | 2017-06-16 20:13:12 | 5 |
| @rottdean2 | 2017-06-16 21:43:12 | 1 |
| @sandman1923 | 2017-06-16 22:31:24 | 1 |
| @cwrz1976 | 2017-06-17 02:55:09 | 3 |
| @murtazasyedm | 2017-06-17 18:37:42 | 2 |
| @elfictron | 2017-06-18 14:02:36 | 2 |
| @big-ginger-fuck | 2017-06-18 23:30:57 | 2 |
| @acarl211 | 2017-06-19 02:52:06 | 2 |
| @neilism | 2017-06-19 02:56:33 | 1 |
| @d-pend | 2017-06-19 17:27:12 | 2 |

Can I help?

After publishing this post I’m going to send every user whose key has not been changed a minimal SBD transfer with a link to this text and the information CHANGE YOUR PASSWORD. I hope this will work and at least some of those users will change their keys.

I’m going to keep an eye on key updates, and after a week or two I will gather the data to create new statistics.

What is Memo?

But there is also a second issue that I would like to talk about: public keys, and how users habitually put them in the wrong places. By wrong places I mean mostly Memo Fields when withdrawing Steem and SBD from markets to Steemit.

I’m going to use Bittrex as an example. I was sending 1 SBD to my Steemit account.

And I received it like this (problem with apostrophe):

I did it to show you that every Memo Field is public. All that info can be found in your Wallet. If you write something in the Memo Field during a transfer from a market to Steemit, it will stay in the blockchain forever. And sooner or later somebody is going to see it and maybe even use it against you.

BECAUSE MEMO FIELD IS NOT THE SAME AS MEMO KEY.

Memo Field is a place for any information you want. It’s a place to write something like My daily update 2017-06-21 or Gift from aunt Betty. This field is for you.

All keys can be found in your Wallet and then Permissions. Those long strings of characters should stay in that place if you don’t know what you can do with them. And Memo key, as you can see, is used to create and read memos.

Public keys

I’m talking about all of this because if somebody has used a public key in a Memo Field at least once, there is a possibility that next time the user will paste a private key by mistake. And that’s not good.

There are a lot of tutorials on Steemit with incorrect information. People read them and they make the same mistakes. Here are some of the most popular posts that can be found using Google:
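As an added example (not code from the original post or from Steemit): a pre-send check that a wallet or script could run on Memo Field text, flagging anything that decodes as a WIF private key or looks like an `STM...` public key. The function names, the length range used for public keys and the sample values are assumptions constructed for illustration.

```python
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def b58encode(raw: bytes) -> str:
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\0"))) + out

def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        n = n * 58 + B58.index(ch)  # ValueError on a non-base58 character
    pad = len(text) - len(text.lstrip("1"))
    return b"\0" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")

def checksum(body: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(body).digest()).digest()[:4]

def is_wif_private_key(token: str) -> bool:
    """True if token is a valid WIF string: 0x80 + 32-byte secret + checksum."""
    try:
        raw = b58decode(token)
    except ValueError:
        return False
    return len(raw) == 37 and raw[0] == 0x80 and checksum(raw[:-4]) == raw[-4:]

# Assumed shape of a public key as shown in the wallet: "STM" + ~50 base58 chars.
PUBKEY_RE = re.compile("STM[" + B58 + "]{48,52}")

def check_memo(memo: str) -> str:
    """Classify memo text before a transfer is broadcast."""
    tokens = re.split(r"[^0-9A-Za-z]+", memo)
    if any(is_wif_private_key(t) for t in tokens):
        return "PRIVATE_KEY"  # refuse to send: the memo would expose the key
    if any(PUBKEY_RE.fullmatch(t) for t in tokens):
        return "PUBLIC_KEY"   # not secret, but the habit this post warns about
    return "OK"

def constructed_wif() -> str:
    """Throwaway key material built for this example only."""
    body = b"\x80" + bytes(range(1, 33))
    return b58encode(body + checksum(body))

if __name__ == "__main__":
    for memo in ("Gift from aunt Betty", "STM" + "7" * 50, constructed_wif()):
        print(check_memo(memo))
```

The private-key test verifies the WIF checksum, so ordinary memo text is not misreported; the public-key test is a format heuristic only.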

| User | Tutorial with INCORRECT information |
|---|---|
| @ninjace | How to transfer Steem Dollars from Poloniex to Steemit Account |
| @cryptos | How to Transfer STEEM From Poloniex to Steemit.com [GUIDE] |
| @g-dubs | How To Transfer Steem from Poloniex to Your Wallet |
| @knozaki2015 | Tutorial: How to deposit Steem from an exchange to Steemit (without converting to BTC) |
| @me-tarzan | TUTORIAL : BEGINNERS HOW TO SEND STEEM FROM POLONIEX TO STEEMIT |
| @nxtblg | How To Deposit STEEM In Your Account: Poloniex And Bittrex |
| @steempowerwhale | How to Transfer Steem from Poloniex to Your Steemit Wallet? Visual Step by Step Help Guide |

Do you know how many users used a public key at least once to transfer Steem and SBD?

| Transfers from | Number of users |
|---|---|
| @bittrex | 743 |
| @blocktrades | 13 |
| @changelly | 46 |
| @freewallet | 18 |
| @openledger | 19 |
| @poloniex | 1053 |

A lot of them. And there are more than 300 transfers between users!

The best part - many people after the first transfer with public key assume it’s the only good way and they duplicate this error over and over again.

| Public keys used | Users |
|---|---|
| 89 times | @lightsplasher |
| 74 times | @mctiller |
| 67 times | @murat |
| 63 times | @vortac |
| 61 times | @judasp |
| 54 times | @paws1t1veev |
| 51 times | @asim |
| 47 times | @royalmacro |
| 46 times | @asmolokalo |
| 44 times | @nxtblg |
| 38 times | @sflaherty |
| 35 times | @takertrade |
| 34 times | @mynameisbrian |
| 31 times | @surfyogi |
| 30 times | @btcshare7 @cqf @carface |
| 29 times | @catulhu |
| 28 times | @dreemit |
| 27 times | @coininstant @steemvest17 |
| 26 times | @laonie |
| 25 times | @jl777 @marco-delsalto |
| 23 times | @exploretraveler @sneakgeekz @mixa @otisbrown |
| 22 times | @politicasan2 @urbanoid @jol @tradz |
| 20 times | @helikopterben |
| 19 times | @me-tarzan @claudiop63 |
| 18 times | @cardboard @henry-gant @addicted |
| 17 times | @gigafart @btcbtcbtc20155 @sandrino |
| 16 times | @snubbermike |
| 15 times | @jerrybanfield @manoami @scotty2729 |

And here come the bigger numbers:

| Public keys used | Users |
|---|---|
| 14 times | 6 users |
| 13 times | 6 users |
| 12 times | 11 users |
| 11 times | 6 users |
| 10 times | 17 users |
| 9 times | 18 users |
| 8 times | 29 users |
| 7 times | 36 users |
| 6 times | 53 users |
| 5 times | 64 users |
| 4 times | 88 users |
| 3 times | 198 users |
| 2 times | 454 users |
| 1 time | 620 users |

THIS IS THE FULL BLACK LIST: IF YOU CAN FIND YOURSELF ON IT THEN YOU COULD BE THE ONE WITH A PRIVATE KEY POSTED INSTEAD - REMEMBER THAT!

If you want to know more about public and private KEYS on Steemit - look at @noisy’s profile.

If you like this text - please follow me!
