You are viewing a single comment's thread from:

RE: Important Changes to Steemit.com and Wallet

in #steem6 years ago

The security was fine for 3 years.
So, it wasn't about security, it was about the ads which is fine as long as you aren't disingenuous about it.

Really what could have been handled better was the preparations.

A notice of when it was going to drop and help on the UI's of both screens would have helped a lot. Many users aren't on discord and don't read many of the updates posted since they are written in tech talk and don't speak to exactly the audience that you needed to reach.

Anyway, what is done is done it's about Damage control now. Par for the course.

Sort:  

The security was fine for 3 years

Nah, it really wasn't. There was a massive (relative to the size of the site at least) hack three years ago specifically because of keys being the browser. The mechanism was changed a bit and might be a little better but the fundamental vulnerability remains. It is good that Steemit is being pro-active on this instead of waiting for another incident.

You do realize the accounts that were negatively impacted are mainstream users who are using the Internet exactly the way they use pretty much every site they go to.

Most of them have no idea what key they saved and why they have 4 of them.

In addition... you anal security freaks. They have very small accounts and don't yet have to be concerned. Just as my knowledge grew, so did my understanding of how and why I should protect my account.

If you webstie requires a half an hour training course to log in you might be failing. :)

For one site to decide to sacrifice user experience without the slightest thought on impact shows why crypto in general is not ready for mainstream and how Steem is moving away from being mainstream friendly and away from being an onboarding or gateway platform.

The timing and the fact I had ads 2 seconds after they dropped the code is a pretty clear indicator of why they choose to do this now.

This is what I was trying to say, thanks for saying it so much better. I didn't see any notice of it beforehand - people pointed out that it was mentioned, but it was mentioned in a post titled something about a "condenser split," which is techno babble to me so I didn't click on it, because Steemit doesn't translate their tech-update posts for the non-techies. The post wasn't pinned, like some other unimportant posts were, and it didn't even show up in that update sidebar for me. The post about updates to wallet mentioned in the title was posted after the fact, and pinned.
Luckily I've learned enough that I know what to do about keys and keep them all written down and the like, but immediately after this rolled out, the Steemit FB group I'm in had several people asking how the heck to get in their wallets. Extrapolate our small group to the larger user base who maybe don't have a helper group to go ask, and I'm sure there are still people who are confused.
I don't begrudge them making the change, I just really wish Stinc would hire someone who's sole job would be to communicate things to the community, making sure pertinent things were pinned, warnings went out well in advance, how-tos and guides were available, and techno babble got translated. I'm not a techie but am in that middle ground where I can go searching for resources and usually grasp it - lots of people hit a wall and say, "what do I do now??"

It sounds like you make sense and understand that minnows such as me need to be backed up on there opinions and I thank you for it. You not only apply opposition to you advisary you supply understanding to us needing the knowledge.
Thanks again & Rock On

I’m one of those who still haven’t got a handle on the whole key thing.
What a cluster pluck I had. Fortunately, the nice folks who run this place let me start over. This time I took photos and copied and pasted the damn keys all over.
So now, if I want to log in on another machine,...... I don’t even bother trying. It never seems to work. But that’s okay. I’m taking a Lion’s Mane supplement these days so I expect to be smarter any time now.

I said the first time I joined Steemit that I wasn’t here to make money. It’s the whole freedom and no censorship thing that appeals to me.

So, basically I agree with you.

Yeah... I hear you.

These guys have forgotten what it is like to not KNOW all of this.

Often knowledgable people don't know what others don't know or understand as perfectly shown here. It isn't malicious just obtuse.

Yes, you are all right. Cryptos comes from the mind of crazy math people like Vitalik Buterin or security nerds that thinks that everyone on earth knows how to deal with security online.

At the same time, if you ride a car you need to learn how to ride and the norms. I think everyone needs to give a little, Steem should improve the way they explain how to do things over here, making things more intuitive like Facebook, Google, Youtube and other mainstream social networks do to have more people onboard. But we need to help people to understand better of this new tech works.

lastpass.com -use it, sync it with your devices - there is also web access!

Make sure you put everything in it! The chrome extension and mobile apps do a good job saving data automatically, but always make sure. Take the time out to create a manual entry if you have to.

Save everything that gives you access or identity verification for something - even if people tell you not to store the info online - a lost wallet seed is just as good to me as one that got hacked (Lastpass is very secure anyways)

I've been using it 4 years now, before Lastpass I used to recycle passwords etc.. a terrible habit to have!

Lastpass has saved my butt when I had to restore a wallet using it's seed after going 6 months without internet access, all my coins were there safe!!
Lastpass has paid for itself numerous times over the years, but did I mention all the great functionality is absolutely free?

Lions mane is great !

所以?

And this is why a few weeks aback I decided Steemit isn't for me & I haven't been back since until today.

Instead of me making an effort, I will only come on here when I have something written up on another site & just copy it over to here.

After I tried to get over 200 people leaving FB to come here & join & not ONE of them did, I realized Steemit doesn't really care at all, & this is a site purely for the geeks, NOT for regular lay people.

A shame.

I'm trying to make an effort on MeWe, but they are no longer responding to my e-mails & I think all the spammers went over there since I got almost 100 fake profiles trying to add me as a friend within 3 days.

It's true we do not handle mainstream users well.

Really Steem is a good fit for self=starters and independent problems solvers. I am not sure we will ever get good at onboarding those who need some help.

As someone who has been trying to onboard alot of people and getting very little traction because the barriers to entry I can only say, you hit the nail on the head... And the community can't be the one to fix this!

We can't fix it! we can try to help, but that's about it.

It's not that simple. Why somebody is going to move to another place if you are confortable were you are?

Well, things are going to get complicated in the mainstream world before the exodus begins.

Corporations are going to fail over and over and that is going to push cryptos like this one to the mainstream world.

Yes but there’s also the idea that with cryptocurrency, you are meant to become your own bank. In that sense, Steemit has always been a huge learning curve for mainstream users. I have no clue about the reward, I have to take Steemit INC’s word for it but the risk is very real.

Master password needs to be phased out for several reasons, one of which is that it derives to the owner key (which is meant to be entirely offline) yet many users continue to use it for logging in to Steemit.com, as well as a number of other apps. So this change had to happen at any rate. We did step up our communication for the rollout (many posts over the last few months) but it's evident it was not enough. While we don't anticipate any changes as big as this one anytime soon, we will keep all the feedback in mind as we proceed. The benefits of limiting the social site to posting key only are numerous. There are many other features we've had to postpone or reject due to security concerns. This change allows us to move faster, safely, and add more features that users expect from a social network.

Hi @roadscape,

Not a single Steemian is criticizing this security feature, which is of course a necessary one.

"We did step up our communication for the rollout (many posts over the last few months) but it's evident it was not enough."

We agree that you stepped up your communication, but if you would have added "If the users don't take necessary steps seriously, one fine morning they will be pushed to hardships" sort of warning like message, at least 50% of them would have surely given ears to your communication and this word of mouth would have reached some more Steemians and the like.

"This change allows us to move faster, safely, and add more features that users expect from a social network."

Yes, yes...we agree to it completely. There is no second thought about it.

Thanks for the comment @marvyinnovation. We will make future announcements about changes of this magnitude easy to understand and hard to miss.

I never saw ONE mention about this change & I was on here a few weeks ago.

Why not 2-FA
And a password that could be remembered would be so much easier

i like that idea too.

I don't know that 2FA would be any friendlier for the people that can't handle keys; what if they lost or broke their phone - they'd be just as lost about how to get back in.

2FA+password could be a solution in the future but it's much more complex from an engineering standpoint. Initially on Steemit.com you could simply set your own password, but we had to disable this. Many users had guessable passwords like password and got compromised. Then we raised the requirement to 16 characters; users were not happy, and it still wasn't enough. E.g. passwordpassword. Generally speaking, if you can remember your private key (password), then it's not secure.

Generally speaking, if you can remember your private key (password), then it's not secure.

The concept of cryptographic salt was invented specifically for this reason.

Store a bcrypt of the user's master password, and a long cryptographic salt. When they provide the bcrypt of their password, give the client app their salt and let it derive their keys. Rate limit the number of tries to the bcrypt-based-salt-providing-service.

Then users can use normal passwords. You could even protect the salt server with 2FA.

(Of course, after login, the user can see all of their derived keys in full without being dependent upon the server to provide the salt, thereby letting them avoid vendor lock-in.)

Yes - I love this idea honestly.

I have a few ideas that would expand upon this concept a bit also.

Interesting, never heard about this concept before.

Normal people needs user-friendly approach.

In my honest opinion, if users are stupid enough to make easily guessable passwords, then they should get compromised. Teach people a damn lesson to do things for themselves and be smart.

Hi @amethystmidnight,

Please don't get emotional. Actually, they aren't doing it wantonly and their ignorance being the reason for this mistake of theirs.

They are thinking about one side of the coin and are not thinking about the other side. A little eye-opener sort of blog post detailing the risks involved in having easy passwords, which is more of like a soldier guarding the palace gates without any armor.

After this strict implementation of this strict feature, they should be knowing now the mistake they did in the past.....FOR SURE!

When users come here they have no idea about the financial part, and how it works differently than their bank site. Which likely has more money and still allows them to save a password.

It doesn't make you sound smart to shame the end users with less knowledge, it just makes you sound out of touch with who we are onboarding.

If you are you are afraid of account compremise then use local softwere to control your main account and use a different account for posting. Delegate your steemit power to that account. Use 50/50 reward, and send the profit back to your main account.So then steem power in your posting account is just a bonus.

Hi @coinmaster4you,

Excellent idea.

But I don't understand one thing.

Can you please enlighten me about the words "....use local software...."?

Well, it is a type of light wallet you can download to control your steemit account.

Posted using Partiko Android

Amen to that I had no Problem typing in a 50 digit password. It was secure and sometimes you have to have patience for extra security.

I still can't distinguish the differences between a master password and the owner key. Too many keys, but it does make me feel safer to have all these options.

Hi @tntdabomb,

MASTER PWD: The master password is the actual password that you get after Signing up for the Steemit account and that is given by Steemit.

OWNER KEY: The owner key is the master key for the account and is required to change the other keys. This key has additional permissions to recover your account or change your other keys. It's the most important key and should be securely stored offline.

ONE MORE THING: Please watch the Steem basics video posted above between the 1:21 and 2:21 minutes duration, you will clearly understand what is what.

Hope this info gives you clarity.

Take a look at the 3rd party tracking cookies your picking up from all these ads, might make you reconsider that statement.

🎁 Dear @woodywood143,

SteemBet Seed round SPT sale is about to start in 2 days!

When our started the development of SteemBet Dice game, we couldn’t imagine that our game would go so viral and that SteemBet would become one of the pioneers in this field.

In order to give back to our beloved community, we’ll distribute 4000 STEEM to SPT holders immediately after Seed sale. Plus, investors in this earliest round will be given 60% more tokens as reward and overall Return on Investment is estimated at 300%!

Join the whitelist on SteemBet webiste now and start investing! Feel free to AMA on Discord

spt-sale-2-day.jpg

🎁 Dear @woodywood143,

SteemBet Seed round SPT sale is about to start in 2 days!

When our started the development of SteemBet Dice game, we couldn’t imagine that our game would go so viral and that SteemBet would become one of the pioneers in this field.

In order to give back to our beloved community, we’ll distribute 4000 STEEM to SPT holders immediately after Seed sale. Plus, investors in this earliest round will be given 60% more tokens as reward and overall Return on Investment is estimated at 300%!

Join the whitelist on SteemBet webiste now and start investing! Feel free to ask us anything on Discord https://discord.gg/tNWJEAD

spt-sale-2-day.jpg

I agree you guys did step up your communication.

Hi R, Are you reachable via discord or email @roadscape? I'd really appreciate a minute of your time.

I would suggest a upcoming release note on the right side of steemit... Weeks to a- month before any major rollout with a big days till change clock..... Something like this....

It should use a graphic and stick out like a sore thumb... so everyone sees it. and it should have a link embedded so that they can follow up with details.... But tell it in simple to understand terms. NO TECH TALK......

I've been a systems designer for 30 years and the present systems out there have terrible UX, and a lack of erogonmetrics. With just an extra hour taken on big issues to take care of the ergonometrics. You would have avoided 90% of your complaints.

PS: as I have said before I live in New York and am willing to donate some pro-bono time to the staff.

RJSTtagline.jpg

Another money grab. Now we are in another limbo contest. How low can we go?

I agree I just got here and it was a struggle for the first month then I started enjoying it for the second month. Now it is back to struggling again in the third, I am to fat to go any lower on the limbo stick so lets just "KISS" that's encryption, (Keep It Simple Steemians) thanks @hawgwild out.

Hi @whatsup,

"A notice of when it was going to drop and help on the UI's of both screens would have helped a lot. Many users aren't on discord and don't read many of the updates posted......"

Of course, you are right. Before doing any such important thing like this, the users must be well informed as to what they intend to do in how much time, This would have avoided a lot of confusion and yes, now we need to go to the next phase i.e., Damage control......

@steembitblog, @whatsup... if it's good for the ads - maybe it could be nice to let participate the authors of the revenues. In addition it would be another reason to post on steem for many actors who post somewhere else now 😊 And if an 'Apple-like' model would be applied with 70% for the authors and 30% 'for the platform' it would be the biggest advertising for the steem platform itself. @peekbit