Receiving lots of DMs on #iota on what's happening and what people should do. I am really the wrong person to ask - please join their discord or reddit etc. Afaik tangle is up again (https://t.co/OsaDnZzF9e) but you cannot transfer to exchanges as exchange addresses are stopped.
RT @nic__carter: a solid chunk of long tail alts can be quite simply 'turned off' at the sole discretion of the administrators. it's always fun when they let the veil slip.
but please, tell me more about your TPS https://t.co/dvYg6yHwGY
RT @iotatoken: Currently, #IOTA is working with law enforcement and cybersecurity experts to investigate a coordinated attack, resulting in stolen funds. To protect users, we have paused the Coordinator and advise users not to open Trinity until further notice. Updates: https://t.co/ME3Cvki3k9
Do we know which version of Trinity is affected? The latest released version is from 5 days ago, i.e. Trinity V1.2.2 while the version before that was from December 2019. Do we know if the vulnerability was only inside Trinity V1.2.2?
Hmm.. good catch, but I guess mine's updated to 1.2.3.
So what is not known for certain is whether the wallet breach was just usage from early Feb like they say, or had the seeds already been in their hands for weeks.
Until they release the findings, how the attacker was able to get those seeds (opening trinity from the 10th? And began funds withdrawals soon after.)
Or has the attacker simply been collecting seeds since compiling who has the fat wallets first and simply begun the past few days. I did read before that the txs appear to be manually done, so it's not a script, I guess that's a good thing? Slower process..
I'd like to hear whether the exploit needed to work by the victims first opening of trinity and the attacker has to be running some sort of node capture in the middle attack. Or simply he had been logging seeds from who knows when.
This whole process has been very transparent and professional. Great work IF, shows that you can deal with a crisis. https://status.iota.org
February 14th 2020 - 15:50
We have found the exploit and are now working on resolving the issue. As expected, the exploit is related to the (user-facing) Trinity Wallet. The IOTA core protocol is - as already communicated before - not breached. We know that you would like to understand more details, but ask you to refrain from questions towards the Community Moderators due to the parallel ongoing coaction with law enforcement. The teams are currently developing the mitigation strategy. We will share all details about the exploit in due time and (of course) publish a post mortem analysis as well.
Two days ago we had the VP of Software AG call Iota “the future of the machine economy”. All attempts to post that on r\cc were denied because there was already Iota news posted the day before (about the new working group).
And yet today, the Coo is paused, and they not only stickie it for 30 hours, but they also allow numerous Iota threads devoted purely to shit talk.
They are literally inbred autists who can't accept that unfinished projects will have issues and would like to highlight this incident because they haven't got anything to hold over IOTA since that MIT thing a few years back.
I wasn't insulting anyone. It's a fact. They are literally autistic from their myopia and fixation on the details and their inability to articulate any cogent argument apart from this fixation. If they felt insulted by my pointing out their autism, that's their business.
Ok, I haven't delved deeply into this so if you can show me posts where they (the cc mods) talk about their autism then I totally apologize and retract my statement.
If however, you are calling them autistic because they are behaving in a way you don't like, exhibiting bias, or not presenting their arguments in an intelligible way then you are using the term autist as an insult.
Now I don't go on r/cc much anymore so I'm not claiming to be very informed but I have seen a bias on that group against iota. I think some people have made up their mind about the project a long time ago and react to its progress and press releases in a negative way. When they're the moderators of a group I agree that's very frustrating as they should be better than that.
But that doesn't necessarily mean they're autistic and I'm just asking if perhaps you can refrain from calling them autists unless you actually know that to be the case by their own admission.
Using that phrase as an insult contributes to a lot of shame for people who have or might have autism and isn't too dissimilar from how the word gay was thrown around for behavior people didn't like not too long ago.
It's that sub that after the 2017 crash had walls of text about why they're "in it for the tech" as if they had nooses around their necks but had all sorts of Wolf of Wall Street and Dave Chapelle memes along with RAI, ADA and NANO shilling posted beforehand.
I am proud that this sub never exhibited that level of mental retardation and/or extra chromosomes.
Has anyone considered that this could be a follow-up to the online seed generator compromise from the end of 2017? Perhaps the attackers at the time decided to lay dormant for a while, and still had access to a large number of seeds. Since then, maybe they carefully studied which seeds gave access to the largest amounts of funds, and then the problems from yesterday came about because they started to withdraw funds again, starting with the largest wallets. Maybe they only decided to target a dozen or so wallets because those were the ones with the biggest reasonable amount of funds? Maybe they still have access to seeds for additional accounts that they didn't target, in the hopes that at some point in the next few years, those seeds will have more funds added to them? Maybe the Trinity wallet has nothing to do with this, and the only reason that Trinity is a connection is because it's so ubiquitous in the space. How many Iota users out there DON'T use Trinity?
But weren't the seeds online changed by users themselves when they realized that they might have a compromised seed? That's what I did. I was fairly certain that I hadn't used the online generator before then changing several characters for safety (which was admittedly still an absolutely stupid idea), and I changed to a new fresh seed just to be safe. So if I remember that correctly, there could be users out there who didn't know about the problem at the time, and who never bothered to change their original seeds.
I know, the odds of this are probably extremely low, but it can't hurt to consider all possibilities.
I'm guessing you meant "That doesn't...."
Sure, but the prisoner's dilemma of him seeing a reduced sentence by ratting out any accomplices would likely be pretty damn enticing given how much jail time you can get for stealing >10 million dollars. Also, it makes far more sense to steal as much as possible before anyone realizes it in the community and people start moving their funds.
Not yet. That’s actually what the coordicide is all about. If and when this is implemented, Iota will be the only crypto to have solved the trilemma. Like all cryptos it is still in development with the end of 2020 being the target to complete this milestone.
It's funny how the cc mods have pinned the Trinity error post at the top of their sub to FUD Iota. They're notoriously anti-IOTA, but in all the years I've visited the sub, I've never seen them pin a security breach post to the top.
Because the installs are identical to the legit client and the clients that were attacked... this is my educated guess.
Somebody introduced a backdoor at some point. It might still be there, or it might be removed. Malware can remove itself afterwards
If somebody has access to the update Trinity URL, they could choose a subset of people updating and send a modified client to them that steals their seed then removes itself and replaces itself with the legit client.
This would lead to isolated, harder to track instances of the attack. If everybody was infected, it would be easier to track.
I've seen this behaviour before from russian malware installed on my webservers and it's very difficult to catch.
This is literally the best outcome, if I am right.
Would you prefer an exploit in the core hashing algorithms? Or how about a backdoor checked into a publicly available source control system?
Do yourself a favor. Don't invest in things you don't understand, and then bitch at people who do understand it.
I am an investor just like you.
I am doing my own due diligence by attempting to stay informed on issues surrounding my investment.
I am doing that, by applying my understanding of how systems work.
I am sharing my views, because I am looking for constructive criticism, or to inform other investors.
Because overall, I feel that we will all be better off with an informed market.
I have 10 years of experience working in this specific area.
I've used the exchange's withdrawal history for the address to view on tangle but it just shows me the amount deposited/sent, not the wallet balance. Maybe I am missing another selection to view wallet balance? Never done this before this way, thanks!
While the wallet checks all addresses of a seed and all balances on them (the result of incoming and outgoing transactions), thetangle.org only retrieves the balance for a particular address.
To derive a total balance for all addresses generated with a seed on e.g. thetangle.org, you would have to manually check all addresses generated with it.
Ah ok, yeah that's what I thought. I went through the last few tx history and read the how-to. So it'll just show that 1 value deposited and no other outgoing transactions should be there, so it's all good. Thanks! Good to know.
Depends a bit on what you mean by „snapshot“ to my understanding.
There was a so-called „global snapshot“ after the DCI allegations where encryption schemes have been changed. If you had funds on an address generated by the former encryption scheme, those wouldn’t show on today’s thetangle.org, afaik.
If you mean „local snapshots“ (a node simply pruning data), your address would show the total balance on thetangle.org, no matter whether it was „snapshotted“ (pruned) or not.
Local snapshot = value stays, data & meta information goes
My, when did this happen? In 2018?
I did a transition in late 2017 when I was advised to when they changed the cryptography. I think anyway. Since then I've never had any advice to change anything and that my funds would be safe as long as I had my seed.
I hope the funds are still there but I'm too scared to use Trinity on iOS until this is rectified.
I know there was an old encryption scheme. This changed in late 2017 from what I thought. Is this true? I had to change my seed once in late 2017 when there was some major change. The funds were sent to my new seed.
Or was this something that happened later?
Well I remember having to transition to a new seed. I got into IOTA mid 2017 and then I recall later in 2017 I had to transition and send my funds to a new seed and that for some users their funds had to be reclaimed using some sort of process. I forget the month in 2017, was it October or November? My memory isn't too bad but it's not as good as I'd like it to be ;)
My trinity balance was correct up to a couple of days ago so I must be good, I just can’t track down all my addresses so I can tie back the total balance, I’m not worried, I can account for 70%, I reckon if I was a victim it would be all or nothing.
No, because hardware wallets require an extra step of verification to move funds. Currently it's unknown how the seeds were exploited, but if your seed is compromised but locked in a hardware wallet the verification step should prevent anything.
The seed is stored on the ledger and never leaves it. Trinity doesn't know the seed on the ledger. When you make a transaction in Trinity, you use the ledger to sign the transaction with the private key.
You said: "if your seed is compromised, but locked in a hardware wallet...". I'm pointing out that if your seed is compromised, your hardware wallet won't help you. It's unlikely that anyone using a hardware wallet was compromised, but we still don't know how the attacker got access
Good to know. It will be interesting to see how they got the seeds with no malware and what looks like a secure wallet. It could be this started long ago through social hacking and they have been collecting seeds until they could launch an assault. Just speculation on my part of course. We will just have to wait and see. In the meantime, feel free to sell me your Iota.
There was definitely something targeting the users because the amounts stolen are very large. 650 and 780 GI wallets. Huge amounts to not be stored in a hardware wallet. As to HOW the seeds were compromised, I am very interested to learn. Hopefully it's user-error (as cruel as that sounds) for the sake of IOTA.
No, I get it. User error would be better here and at least contain the damage. With a lot of the cryptosphere hating iota, any misstep like this would be disastrous to the project. Just having the coo halted is causing a shitstorm.
Look, I get it. But has the BTC network ever been "shut off" by anyone? That's the whole point people are making. Now once coordicide happens, then it's a different ball game. But for now, anything we as an Iota community have to say about decentralization amounts to "No, you're stupid!"
It's been in development since 2016, pretty much the same time as Ethereum, and yet IOTA has literally nothing tangible in production 4 years later, and the cofounder and founder of NXT has left the project. In the early days, cfb used his pseudoanonymity to sell the story that he was some genius crypto developer like Satoshi, yet everything he's made thus far has failed. Not to mention all of the pr disasters and how iota has been mocked publicly by the cryptography community. I bought iota in 2017 and sold last year because all of this nonsense. Don't even get me started on their whitepapers, and the blatant plagiarism of the Snowball to Avalanche protocols to sell as their own Innovation. It was never a large percentage of my stack, but it was meant as my high risk high reward alt, but I know when to cut my losses because I view things on a macro level. There's nothing here anymore
Good to know. It will be interesting to see how they got the seeds with no malware and what looks like a secure wallet. It could be this started long ago through social hacking and they have been collecting seeds until they could launch an assault. Just speculation on my part of course. We will just have to wait and see. In the meantime, feel free to sell me your Iota cheap. :)
The time it takes is not important. The sooner these things show up, the better. The other option would be that it manifests after the coordinator is gone which would make it so much harder to track down the transactions.
People will still get hacked after IOTA has been running for 10 years, but it won't be as easy then to stop the tokens from being moved.
It’s madness that they’ve just switched off the coordinator. People in this sub can sugar coat it all they want, but the wider crypto community is seeing iota as a total joke. What with this and the recent bug that took it off line for a day.
Why is that Madness? This and the other bug are EXACTLY why we still have a COO, and will continue to have it while iota is in beta. Feel free to head on over to the testnet without the COO to help with the testing process, in the meantime, you need to realize where you are, you are in a beta format of a world changing tech, that isn't sugar coating, that is FACT.
What would you do? let potentially millions of dollars from hundreds of users be lost? I guarantee the criticism of that would be a lot worse than "You paused the Coordinator? I guess this is why you are taking your time with Coordicide"
How massive is it? Is it massive enough to have a process in the works to have it removed? Massive enough to have an alphanet testing it as we speak? I'm guessing you're the only one who knows how massive it is and can tell us all how to feel about its massivenesses, right? None of the people working thousands of hours to make it happen could possibly know or express it to us. There's no way the people who have been debating the math and theory behind the actual implementation could possibly know as well as you how deeply, hugely massive it is....
You seem to really care about accelerating coordicide, you can help expedite that effort by testing https://github.com/iotaledger/goshimmer
Just a note people, it's a technology, yelling at it isn't going to do a thing.
„Madness“? Everyone who understands some IOTA basics is well aware of the coordinator.
If not, here are some pointers:
- data transactions aren’t verified (how would you?), hence aren’t affected by the coordinator (irregardless of whether the Coordinator is running or not). See that current TPS on thetangle.org? That’s people/machines using the network WITHOUT the Coordinator
- network participants, by using the official IOTA Node reference implementation (IRI), agree by proxy on what’s „confirmed“ by trusting the node software. The nodes in turn accept any transaction as „confirmed“ that have been referenced by a milestone
- anyone willing to ignore this security feature is free to remove that part from the reference implementation and accept value transactions that haven’t been referenced by a milestone. It would be „madness“, imho, but that’s maybe just me being me
Thus, it’s at least arguable whether the network is really „on hold“ when the Coordinator doesn’t issue milestones. Data transfers are unaffected and value is only affected if you want that extra bit of security.
In any case, there isn’t a Coordinator in the „final“ version of the protocol. It currently still is beta. It’s not used in production. Hence, the current „downtime“ only affects a few traders and gamblers. Biggi.
We don’t even know what happened. Let’s not jump to conclusions and assess „damage“.
Could be user error, and heck, even Bitfinex used to sign IOTA transactions more than once with the same key.
I'd rather have them do the responsible thing and „halt“ the network, even if it turns out not to be a compromised wallet than ignore the incident.
For now sure. But in the deep meaning, non value data that is not confirmed cannot be trusted. I think about bosch and libdot. This is an issue. I really hope this year will be a game changing year for iota. We really need it.
Exactly my thought. IF needs to have a wallet that is 100% bulletproof and audited to hell and back. Other crypto wallets are way better as far as functionality and security it would seem. Then again i also still have nightmares about the old iota wallet too...
Since they had the wallet open at the time of the transfer I thought it might have been a script type scenario. You open Trinity, login, hidden script activates and transfers all your iota to an address before you realise what's happened. That way you don't need to really compromise the wallet itself or even grab your password or seed, just need to have it get onto a target's computer and wait around until it sees a Trinity wallet app open. I would imagine this type of thing could happen to any type of banking system or wallet. But who knows.
>After in depth transaction analysis it looks like about half of the victims with confirmed funds moved out are already in contact with the IOTA Foundation
It's about double that, so the odds are pretty unlikely that you're one of the victims. If you know your address(es), you can check on an explorer. If not, wait for it to be resolved and then contact the IF if you indeed are one of the other 10.
Tnx for the reply!
I managed to check the address from old bitfinex emails.. No new transactions.. Latest was 12ish months ago. Exactly as I remember it. I guess good news?
Although after I transferred from bitfinex to my own seed, some miota were moved around between my seeds just for testing...
So I guess.... I will need to check it later, yeah? Good thing I haven't opened my trinity for months, lol
@HBMY289 has a great write up on this topic if you want more detailed directions: https://medium.com/@hbmy289/how-to-check-your-balance-without-using-trinity-e1cac78e97a7
Edit: the guide assumes that all tokens would be gone if someone would be affected. Hence checking only one address would suffice
I copied that guide from Discord. It assumes that if you would be affected that all value would have been transferred. Under that assumption, it would be enough to check one address.
But feel free to check all of them.
Yeah i threw that guide together from what everyone was already talking about and it got stickied because people kept asking the same question over and over.
I think the best is to just sit back and try to relax everyone. Wait for IF announcement. Hang out in discord if you want to hear the latest.
When checking my address through [utils.iota.org](https://utils.iota.org), I get this message.
**An error occured while trying to retrieve the transactions with the specified address on the tangle.**
**All nodes failed**
**https://nodes.thetangle.org:443 the request timed out**
**https://nodes.iota.cafe:443 the request timed out**