OMG someone actually discovered malware (on the official Monero website) because the attackers changed the download binary but didn't change the hashes posted on the website https://t.co/2t9W7DMySQ https://t.co/gBKQYLla3n
this is a big day for hash checkers everywhere
Someone hacked the official Monero website and replaced the binaries with a version of Monero that stole their funds. So anyone that downloaded and ran the Monero software from the official site at the time got their funds stolen.
This is a known security issue, and something that can happen to the bitcoin.org website (or any site you download from) as well. Therefore it's important to check the hashes of the software you downloaded.
A hash function is a cryptographic protocol that outputs a number (or hash) for any given input. It's what makes Bitcoin work, mining bitcoin means that you make a hash of a certain proposed block and if your output (hash) has a certain amount of leading zeros in it, it gets accepted by the network to be the next block in the blockchain. Everyone can check it's a valid block by making a hash of the block and check if there are enough leading zeros.
With every release of new Bitcoin software the developers publish the hash of the software, so that everyone can check if their downloaded version is the exact same version as the one the developers have.
In case of Monero someone checked the hash of their downloaded software and noticed it didn't match. He reached out to the developers who then found out the website was hacked. He saved himself from theft by checking the hashes.
It helped in the case of Monero. Some argued that if the attackers changed the hashes as well, it would've been discovered sooner.
You can also get the hashes from reddit https://www.reddit.com//r/Bitcoin/wiki/verifying_bitcoin_core
Nothing is perfect, and there will always be some kind of attack vectors, but that's no reason to not do anything.
You get the gpg-public key from the maintainer through other means. For example, when they hold a lecture and display the fingerprint on their slides, like Thomas Voegtlin does here https://www.youtube.com/watch?v=hjYCXOyDy7Y
Every influential person, who is public with their real persona, should have a YouTube video out just reading out their gpg-finger-print.
This is a good read, not for the article really, but the subsequent comments. If you have the time, please read the comments below the article. This gives a decent idea of people's perception of crypto outside of Monero specific forums, Reddit, and social media.
Always try to influence outside of Monero specific information channels.
Those comments are trash.
Even the "informed" comments basically focus on a theoretical missed opportunity to fake the hashes on the website. Nobody there seems to know about github having a mirror of the compiled files and their hashes, and nobody there seems to know about the additional option of compiling from the source code also hosted on github.
It really felt to me like vote manipulation. Every informative comment about Monero was downvoted and every anti-crypto post was upvoted similarly. You really can’t trust anything you read online; you have to go experiment with things for yourself.
The overwhelming majority seem to be citing there's no one to fall back (bank, FDIC, government, regulators, legal system) on when you screw up and lose funds or get robbed. Sort of like with cash. The general population likes the warm and fuzzy feeling they get from always being able "to get their money back". I've also learned that InfoSec is a mystery to most people and in their eyes hackers have magical powers.
Cryptocurrency is irreversible; sometimes that's a feature you want, and sometimes it's not. Unfortunately, I'm afraid at least a high-level understanding of computer security is necessary to use cryptocurrency properly. People who jump in without doing adequate research are likely to be burned. I found out about Bitcoin and Linux in 2010 or 2011, but it took me until about 2016 to really be confident that I knew what to do. The risks to users only increase over time as the industry (and malware that attacks it) matures. Keeping your keys on a Windows machine may have been fine in 2010, but today a greater level of security is required. Thankfully, hardware wallets have come a long way. The ability to input passphrase directly on the Trezor Model T is one of its biggest advantages over its predecessor imo
I'm quite surprised by how many comments there are. I had no idea ars technica had a community this active (especially on a non Bitcoin crypto related news).
Edit after reading the comments: we're still early boyz.
I honestly expected 50 - 90% venomous comments as I have seen this previously on "tech" news sites. Overall crypto is so misunderstood by the public at large, I was happy to see at least a couple neutral comments with basic understanding of what happened.
No one is *forced* to use Monero, so I almost feel sorry for those who are so consumed with anger at its mere existence. Can't they just lighten up and enjoy life? It's like someone who doesn't understand croquet seething with rage every time he sees a croquet lawn, and lecturing the players on why they should swap sports to pétanque.
Disclaimer: I've never played croquet or pétanque.