api.deathwing.me Important Announcement | Anti-Phishing

in #hive • 3 years ago

Hello everyone!

Prelude

As you may know, the world of cryptocurrency is filled with scammers who would like to obtain the earnings of someone else without too much work.

Unfortunately, due to the nature of cryptocurrencies, it is usually near-impossible to track them. On Hive, accounts are based on usernames, as opposed to addresses in other chains. This creates one substantial issue. Usually, whenever you are transferring something to another address in, let's say, Bitcoin, you copy and paste the address you are transferring to, since it is near-impossible to type it manually because of its length. On Hive, that is not the case.

Recently, @smooth had an issue where he mistyped bittrex as bittres, causing him to send 18k HBD (18,094.456 HBD) to a phishing/typo account by accident. While some frontends do warn the user whenever they're potentially transferring to a phishing account, some apps (like Keychain) and scripts/cli_wallet do not.

So I've been working on a feature release for api.deathwing.me and I am happy to say that it is now implemented.

The Actual Announcement

With the new update to api.deathwing.me, there is a new feature: broadcast transfer transactions are checked by Jussi automatically to ensure the to field (the receiver of the transaction) is not an account name included in the blacklist. If the account is in the blacklist, the transaction will be rejected (the node will not submit your transaction to the blockchain), hence you'll be able to keep your funds.

(For devs: Error code is -42000 / Transfers to this account is prohibited on api.deathwing.me (phishing account blacklisted))

Please do note that this is a feature specifically for api.deathwing.me; it WILL NOT WORK on other nodes unless this feature is added to other nodes as well.

Again, as specified above, this will ONLY work on api.deathwing.me, as it is a custom feature; it WILL NOT WORK on other nodes unless they add a similar feature.

Which accounts are blacklisted?

The blacklisted accounts include common misspellings of major exchange accounts. The list mainly includes Bittrex, Blocktrades, Binance, Huobi and Upbit at the moment.

The current list of blacklisted accounts is as follows:

The list will be expanded as more phishing accounts are discovered.
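
The check described above can be sketched as follows. This is an added example, not the code running on api.deathwing.me and not Jussi's own: the function names, the request shapes (standard Hive JSON-RPC broadcast calls) and the sample request are assumptions, and the blacklist holds only two names the post mentions.

```python
# Error code and message exactly as quoted in the post.
ERR_CODE = -42000
ERR_MSG = ("Transfers to this account is prohibited on api.deathwing.me "
           "(phishing account blacklisted)")
# Two names the post mentions in its prose; a deployment loads the full list.
BLACKLIST = frozenset({"bittres", "blocktraded"})
# Assumption: the Hive JSON-RPC methods that carry a signed transaction.
BROADCAST_METHODS = {
    "condenser_api.broadcast_transaction",
    "condenser_api.broadcast_transaction_synchronous",
    "network_broadcast_api.broadcast_transaction",
}

def _transaction(request):
    """Return the transaction dict of a broadcast request, else None."""
    method, params = request.get("method"), request.get("params")
    # Legacy form: method "call" with params [api, method, args].
    if method == "call" and isinstance(params, list) and len(params) == 3:
        method, params = f"{params[0]}.{params[1]}", params[2]
    if not isinstance(method, str) or method not in BROADCAST_METHODS:
        return None
    trx = None
    if isinstance(params, dict):                 # appbase: {"trx": {...}}
        trx = params.get("trx")
    elif isinstance(params, list) and params:    # condenser: [trx]
        trx = params[0]
    return trx if isinstance(trx, dict) else None

def _transfer_recipients(trx):
    """Yield the `to` account of every transfer operation."""
    for op in trx.get("operations") or []:
        if isinstance(op, list) and len(op) == 2:   # ["transfer", {...}]
            name, body = op
        elif isinstance(op, dict):                  # {"type": ..., "value": ...}
            name, body = op.get("type"), op.get("value")
        else:
            continue
        if name in ("transfer", "transfer_operation") and isinstance(body, dict):
            yield str(body.get("to", "")).strip().lower()

def check_request(request):
    """Return a JSON-RPC error to send back, or None to forward the request."""
    trx = _transaction(request)
    if trx and any(to in BLACKLIST for to in _transfer_recipients(trx)):
        return {"jsonrpc": "2.0", "id": request.get("id"),
                "error": {"code": ERR_CODE, "message": ERR_MSG}}
    return None

# Constructed sample request (not captured traffic).
SAMPLE_BLOCKED = {"jsonrpc": "2.0", "id": 7,
                  "method": "condenser_api.broadcast_transaction", "params": [
                      {"operations": [["transfer", {"from": "alice", "to": "bittres",
                                                    "amount": "1.000 HBD", "memo": ""}]]}]}
```

A JSON-RPC batch is a list of such requests, so a proxy would apply check_request to each element. Only transfer operations are inspected, matching the post; other operation types pass through.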


Thank you for reading through the post.

I am a witness! If you like what I am doing feel free to vote me as a witness.
Vote for me by clicking here.

Will this work also for recurring transfers?

At the moment, no. But can be added.

Thank you for being an awesome person.

He is very wonderful for this. Many have suffered this.

Awesome, this is super useful. I also want to say thank you because I've been using your node almost exclusively for quite some time and it's been extremely reliable. I always recommend people switch to deathwing when they are having problems :D

I would love to try a single of his node. It would really help

This is a fantastic piece of work! Will you be offering this code to other node operators as well?

Definitely, if anyone wants to run this version, they can reach out to me and I'll help them get set up.

And that's why I vote for you as a witness!

I would really love to.. How do you help me friend

This is freaking amazing man!
I recommend using the list built into Hive condenser.

https://gitlab.syncad.com/hive/condenser/-/blob/develop/src/app/utils/BadActorList.js

Crowdsourcing this stuff has to be the way forward. We need some protections on Hive to prevent scammers profiting.

I have lost an account to scammers before on Hive. This is a great update

This is going to save so many people’s ass in the future!

I don't think you can help someone who would transfer $20K without triple checking the receiver's address, but it's interesting to see how easily Hive transactions can be censored

you don't need an api node to broadcast things. Even the most basic hived on the P2P network will accept a broadcast. There are many of those if you found yourself in the position of needing to find a friend, and they aren't that hard to start up if you wanted to use blockchain in a trustless fashion. This modification is to Jussi - a middleware that routes requests to a public api between hived (actual blockchain node) and hivemind (layer2 social media node). It isn't even a change to hived

Ok, if any hived node can do the job, then why only a few are used by the apps? I'm curious because I'm observing similar behaviour in the WAX blockchain and can't figure it out

An api node does things like provide posts, voting data, account history, etc. You need these bigger, beefier servers to serve up the information for the dapps and websites, but to broadcast a transaction you only need any hived on the p2p network

I think I got it now, thanks. And your other comments on this post were very helpful to see the picture more clearly

This has nothing to do with censorship lol. Nodes are not obliged to provide their service to you

exactly. I guess better would be a warning to check the account name again else you can lose your funds.

A reply I wrote in the comments:

In this case, for transactions, as I mentioned in the post... Some apps do provide "feedback" whenever potential phishing is about to occur. For example, as asgarth explained, Peakd uses a "similarity check" to see if you are sending it to the right exchange account.

Unfortunately, some apps, scripts, bots etc. do not have this check. For example, Keychain does not detect whether or not you're sending a transaction to blocktraded instead of blocktrades just because you accidentally pressed "D" (which is right beside S in most QWERTY layout keyboards around the world). This implemented feature helps mitigate that. I'd love to give a warning, but there is no "Are you sure you want to perform this transaction?" system in the codebase. It's True or False, Yes or No. In my case, I decided on creating a blacklist of phishing accounts to protect accidental transfers.

You're still free to send funds to the wrong recipient if that's what you want to do. Nobody is stopping you.

Some prefer to buckle their seatbelts while others prefer to fly through the windshield. It's a choice.

That would be a fault in the existence of software, not Hive design. If you want to modify the software and run it, then it can do other things. This is true even in Bitcoin

If you are broadcasting to another node, you are trusting someone. This is why you find many blockchain purists that will only interact with their own node. It is the only way to guarantee trustlessness

There is really nothing to talk about. All cryptocurrencies, not just Hive, are subject to the same exact situation. A node operator in all cryptocurrencies can easily mess with the data they're relaying and it would be up to the scripts or the person to figure out if it's right or not.

All users can decide on which node they'd like to use, for whatever reason. Be it speed (low latency, better hardware etc. overall faster experience) or trust (they are certain that the node operator is not doing funky stuff in the background to their data)

This feature is a great step to maintain secure transactions!

Excellent work and Happy Hive Birthday @deathwing!

This is a blessing knowing
you guys are working to find this little hole and block it.
Hope all nodes adapt and put it to good use.
Verify and verify guys again.

That's a smooth move.

Amazing feature @deathwing!

Interesting article!!!, good to know that security is being improved.

Nice!

This is going to save so many people’s ass in the future! Thank you

Am feeling the peer pressure here...

So good job? Ok the blacklist list.

Gah way above my pay grade. Yeah good one!

Great work bro!

Nice one, I've sent funds to a wrong address before (stupid autocorrect...). Hope other nodes also adopt this!!

Makes sense, just please check that some of these accounts are not actual users.

I will, if there are, by any chance any mistakes. The account owners can contact me so that I can fix them as soon as possible.

Brilliant!

I understood everything that you just said in theory and I think that you are an absolute champion for trying to protect everyone from their own mishaps.

The day I am game enough to actually even get one of those exchange accounts to turn my crypto into fiat money to pay some bills, I'll be thinking of you and thanking you for helping me save me from myself...🤣

Voted as a witness for me!

Congratulations @deathwing! Your post has been a top performer on the Hive blockchain and you have been rewarded with the following badge:

Post with the highest payout of the day.


Congratulations @deathwing! You received a personal badge!

Happy Hive Birthday! You are on the Hive blockchain for 4 years!


Just stopping by to say that "blocktard" is an awesome insult and I'm surprised it's not on the list :))

Excellent work @deathwing, that's really a good extra layer of security to hive.
How the community will be able to send you the "malicious account" so it will be added to your next update?

Cheers to you,
@Yehey

Either through Discord or the accounts I manage to find myself one way or another.


Omg thanks for sharing this.

18,094.456 HBD is HUGE. It's unfortunate to lose such big amount of money. Thanks for the alert call.

Smooth that was not so smooth but not letting people send isn't it overdo a warning would have been nice. It sends a message if node manager like they could actually halt your account progress and if somehow all the node manager agree maybe screw someone up totally.

Node operators can definitely show wrong information for accounts etc. if they'd like. It's a case of trusting the node operator. Hence why some users manage their own private nodes for all their needs, so as not to rely on others both in terms of technical burden (bots, apps etc.) and security (trust).

In this case, for transactions, as I mentioned in the post... Some apps do provide "feedback" whenever potential phishing is about to occur. For example, as @asgarth explained, Peakd uses a "similarity check" to see if you are sending it to the right exchange account.

Unfortunately, some apps, scripts, bots etc. do not have this check. For example, Keychain does not detect whether or not you're sending a transaction to @blocktraded instead of @blocktrades just because you accidentally pressed "D" (which is right beside S in most QWERTY layout keyboards around the world). This implemented feature helps mitigate that. I'd love to give a warning, but there is no "Are you sure you want to perform this transaction?" system in the codebase. It's True or False, Yes or No. In my case, I decided on creating a blacklist of phishing accounts to protect accidental transfers.

If anyone, for some reason, would like to send a transfer to these accounts, they're more than welcome to use other nodes that do not have this phishing blacklist in place.

Even if all the public api node operators did somehow agree to gang up on someone - this is only a modification in Jussi. It isn't even a modification to any of the blockchain software itself (Jussi is a middleware that routes things between hived (blockchain direct node) and hivemind (layer2 social media api)).

All that's needed to broadcast is the most basic of hived nodes. The most minimal requirements, and not hard to find someone running one

Nice but I don't have enough HP to Vote!😁

One more thing that I think would make this perfect is a way to get the list that you are using of blacklisted accounts.


Keychain just spins forever when I try and transfer to one of these accounts. Fixing that so it tells me I can't on this node would probably be better don't you think?

It should give a "Something went wrong!" error, as it did during my testing. I did send a message to @stoodkev about being able to properly display the error message if there is an error code/message returned.

Since this returns -42000. It is up to stoodkev to add it.

I'll look it up this coming week.

Hi deathwing, this is amazing and thank you

Can you also add @neox I remember sending money into it one time I wanted to send money to neoxian.

Thank you

Please, all nodes need to get on this ASAP. Why isn't this more publicized and emphasized?

Edit

I just switched my node. I guess it’s late but. For whatever it’s worth I’m glad to be on your node now, I should have done this since

If decentralization means "nobody should be allowed to offer their services to the public", then I think we have some major disagreement about what decentralization is

My idea of decentralization is that someone could provide a service that evades control censorship. It doesn't mean that everyone is forced to do so. If someone wants to build a "My ABCs!" app that runs on Hive, I don't think we have to tell them it isn't permitted because their app doesn't allow someone else to post about their 1953 Ford fetish. They should both be allowed

If someone wants to provide a service on Hive, and they are able to do it, decentralization is winning

If someone wants to provide a service on Hive, and they are not able to do it, then I think there is a problem

To say that deathwing's service should not be allowed, and someone else's service should be allowed based on some person or group's determination would be the opposite of what I want to see

It's not even close

You can't build a censorship resistant platform on Facebook or Twitter

I am saying that people thinking similar to Facebook or Twitter should be allowed to build on Hive and use Hive

I also think that people with counter thinking should be allowed to build on Hive and use Hive

As an example, the Proof of Brain tribe could build a censorship-resistant blogging platform on Hive with token rewards and offer a public api to support that mission. Deathwing would have absolutely zero power to stop that

At the same time, the Fords Only tribe could start a censorship-resistant blogging platform on Hive with token rewards and offer a public api that doesn't allow transactions from known Chevy lovers. We have absolutely zero power to stop that

And that is decentralization. There isn't some central authority that determines what you are allowed to build, what you are allowed to say, what you must not build, or what you must say. You are not granted that authority over the rest of us. Deathwing isn't granted that authority over the rest of us

**edit since the prev post was edited:

You know that censorship doesn't align with the ideals of decentralization, you do it anyway

I would say you are trying to force censorship by telling deathwing and others they may not offer their services. Your position is authoritarian and demands that people only run the code you permit them to run

Decentralisation lies at the heart of the blockchain. There are several other nodes to use that are not utilizing my "localized censorship" feature. If anyone does not like this feature (and would likely be at risk of typoing something themselves in the future) they are more than welcome to use other nodes.

More nodes are always better for the ecosystem. (and usually makes decentralization even better) As a long-time node operator, I decided to implement this after witnessing people complaining about how they lost their funds. Not to mention that I disdain people who deliberately and knowingly created these commonly misspelt accounts in the first place so that they can "earn" from someone else's mistake.

There are quite a few private nodes. And if anyone thinks that we do not have enough public nodes, we encourage, not to mention even help people setting their own API nodes up.

I've always advocated for more API nodes.

I use a private node for broadcasting. It's relatively low cost to set one up.