No one who runs a project worth a damn on Steem will ever ask for your keys.




Turns out there are a few websites out there that ask for posting keys promising the moon. That moon is not reachable. There is no moon.


DO NOT put your posting key, active key or password into ANY 3rd party website


Anyone telling you that you'll get free upvotes or upvote exchanges is full of shit. Their garbage easy money code will be hacked. Even if they're not outright trying to scam you, they will inadvertently screw you over. You don't want to be screwed over. No one does.


There are no shortcuts that can be taken through some half-assed service. Use the tools that have been verified as secure:




Reputable vote-related services like Steemauto.com don't ask for your keys. They also have their code open source where possible.


There are also sites like Steemworld.org which have an offline version where you may audit the code before running it. Those sites don't rely on databases; they just use keys to sign the transactions they broadcast.


No one who runs a project worth a damn on Steem will ever ask for your keys.


Audit first, trust second.


If there's no open source, if there's a database, if there are no verified tools, then there's no trust.


This is just a simple warning for all our mainstream users. No one wants to see you get your account hacked. Except for the hackers, they'd really like that a lot.


Don't feed the hackers


Hackers love those database sites that are pieced together with some NodeJS and hosted on random servers. They don't even have to build them when there are so many out there. They have attractive layouts to draw in their custies. They promise you whatever you want.


Half the time, they're other hackers phishing. Half the time, they're opportunists throwing you an easy 'service'.


Ask yourself why. Why the hell is someone developing a site for you to get more votes on your post? Did they fall in love with you after reading your tragic memoir of what you ate last night? Unlikely. Do they want your keys to be able to use your account without you knowing? Hey, chances are high. Bingo.


But don't trust me, you just go ahead and put those keys right back into wherever you think you'll get that one cent vote from


What do I know? Except this, this, this, this, this, this, this, this, this, this, this, this, this, etc.






Comments 13


If we can't trust giving the private posting key to third party apps, then there is no point in having it, nor the key hierarchy...

And for as long as Steem connect requires 3 clicks and a separate password to use, I would rather have apps ask for a posting key (while ideally, but not necessarily, also offering Steem connect and Keychain as an option for those who want that).

Storing the private posting key of users has many advantages for convenience to allow posting after a Steem node has been down without requiring a new tx to be signed.

If we can't provide that level of convenience, then we may as well forget being a social platform..

16.12.2019 09:15
1

I think it is more asking for a bit of vigilance, vs. being a passive user that trusts everything. If everybody takes a bit more responsibility, this place will be much better off, and I will not have to zero my downvotes un-scamming accounts like superheroes...

16.12.2019 09:39
0

Oh, I absolutely agree with the parts telling people not to trust apps that promise free votes etc. But he goes way beyond that to assert that no decent apps will ask for the user's private posting key, or store them. This is just flat out false, as there can be many good reasons to do this. Or at least offer it as an alternative.

The posting key is something you should be able to use more frequently. Else, we may as well not have it at all.

16.12.2019 11:04
0

You're confusing developers like yourself who spent months on months on just their mvps vs developers who are throwing sites together with no care for user security. The former are rare, the latter are 99% of them. The risk to typical users who don't want to wake up to their account compromised is tremendous. Even good dapps get hacked. Tasteem, Dlike, Faircrew exchange, Utopian back when just to name a few off the top of my head. It happens. 3 clicks on Steem Connect is a small inconvenience which is already taken by those same users for other dapps.

16.12.2019 23:12
1

Agree 100%. For me, Steem Keychain support is a MUST. If not that then SteemConnect. Otherwise, "No Thanks".

17.12.2019 00:49
0

> if we can’t provide that level of convenience, then we may as well forget being a social media platform

I feel like your statement is throwing the baby out with the bathwater. It’s not just a social media platform. It’s also a high tech bank where the security is up to the user based on the provided tools. And unfortunately, the tools are as they are because the world is so vicious. As such, levels of convenience had to be sacrificed for security, and because convenience is a selling factor, there has to be a delicate balance. Not convenient enough and people don’t come here, but if it’s too convenient it’s not secure enough.

16.12.2019 13:37
1

That's why you have a key hierarchy. To provide high level of security for one's asset while also allowing for convenience of use of the social parts. We can give users both, which is one of the biggest success factors Steem has.

So no, I don't buy for a second that it has to be more secure. It should offer the opportunity to have cutting edge security, not insist on it even for those who don't want it.

16.12.2019 14:49
1

> It should offer the opportunity to have cutting edge security, not insist on it even for those who don't want it.

Eh, I'm going to disagree with this because I feel like it sets users up for failure if they choose a lesser security. Because if/when something goes wrong (and they inevitably will), their word-of-mouth about how horrible an experience they had on this "scammy" platform is a powerful force which might keep potential new users from signing up. Besides, with the "customer" in mind, I don't consider "it's too secure" to be a valid complaint. That's like complaining that the safety ratings of a vehicle are "too high".

16.12.2019 14:53
1

I feel like the posting keys related problems could be resolved if there was an even lower security level key which could only vote when VP is above a given high valued percentage.

Posted using Partiko Android

16.12.2019 11:10
3

That's an interesting idea but would add more complexity. We exist in an ecosystem that by virtue of having the elements of finality and anonymity related to it attracts a lot of hackers and scammers. Just have to be careful and leverage our trusted tools.

16.12.2019 23:15
0

> But don't trust me, you just go ahead and put those keys right back into wherever you think you'll get that one cent vote from
> What do I know? Except this, this, this, this, this, this, this, this, this, this, this, this, this, etc.

Well just put in the website, it’s good

16.12.2019 12:29
0

dont.feed.hackers.

dixi

16.12.2019 22:38
0

You can never be too careful!

17.12.2019 17:37
0