A current topic: In May 2020, fraud spread very quickly. A hacker installed malicious code in the wallet and faked the github repository of many projects. He has sent private messages in the Discord chat with the hint that there is a new wallet version that fixes critical security holes and that you should install the update quickly. The wallet he prepared, however, transferred the entire coin inventory from the wallet to an address of the attacker.
On the Internet you should be careful, you should not click on it everywhere. Everyone knows that, but reality is different. We know this from the many spam, scam and phishing emails.
We are looking beyond ideation stage to, at the very least, beta, and for companies that are corporate-ready. Retailers want to see it all, so they usually have not precisely identified one tech they want to focus on. Visual search and fit-tech are definitely trends.
It’s about money and where there is money in play there are cheats. However, this fraudster has done very bad research. At this time there was no release v1.7.0 of the PHORE wallet, version 1.6.3 was the current release. If you would read first instead of clicking… Furthermore when you see the github url, you will see the next mistake.
Security is annoying. Anytime, anywhere.
How can the user protect himself?
- A wallet update notification is never sent to the users by private message
- A wallet update is announced on various channels: on the Discord announcement channel, on Twitter, on Bitcointalk, on the website etc.
- Only download the update from a trusted source. There is only one: The offical project repository
- Check the download URL
- Verify the downloaded file of integrity & authenticity
Verify the downloaded file of integrity & authenticity
With this measure you can be 100% sure that the file is genuine. How this works and what is it, I will explain now.
Each file has a digital fingerprint. Digital fingerprinting is based on the use of a mathematical function to produce a numerical value where the function takes an arbitrary length of data as its input and outputs a numerical value of a specified length; 128 bits (16 bytes), 256 bits (32 bytes) and 512 bits (64 bytes) are typical lengths. The output value of such a function is generally referred to as a hash value or simply hash.
The digital fingerprint is therefore a unique arithmetic checksum of a file. If I know the real checksum, I can determine the checksum of my downloaded file and check it against the publish checksum.
There is only one trusted source for the published checksum: the project’s software repository. Of course, it is required that the project publishes the checksum.
Let’s do it togehter with a real example.
Open the GOSSIP Blockchain repository with the following link: https://bitbucket.org/GOSSIPCOIN/gossip/downloads/
You can download the marked .png file and open it. On the right side you can see the different software bundles (wallets). On the left side you can see a long number. This is the calculated SHA-256 checksum of every file. This checksum is unique.
Now you will download one of the packages.
To calculate the checksum of your downloaded file is easy, use this online tool:
Please compare the calculated checksum from the website with the checksum from the .png file.
With this check, you’re 100% sure that the downloaded file is authentic from the project.
There is another method which uses the PGP “Pretty Good Privacy” encryption method. I will also explain this method.
Pretty Good Privacy (PGP)
It’s not possible to explain PGP in this article, so you can check out what is it yourself.
Yeah, I know, arithmetic encryption is mathematics.
Explanation in fast forward:
PGP uses a key pair for encryption: Private and public.
I encrypt a file with my private key. For our purpose it is sufficient to verify that the encrypted file (mine) is authentic and the signature is correct.
We will have a practical exercise.
I downloaded the PGP encrypted file ‘SHA256_checksums.gpg’ from the GOSSIP repository.
To check the signature we will use the command:
gpg --verify-files SHA256_checksums.gpg
All looks good. We can see the RSA key. And we can compare it with the .png file which we downloaded before:
It is absolutely inacceptable that in the year 2020 almost no project is using these simple technical tools to ensure the integrity and authencity of their compiled software packages.Steven Mai
Satoshi Nakamoto provided us (blockchain developers) with all necessary tools for free many years ago. The documentation is available in any decent source code, we just have to use it. Why don’t you do that?
I have the following answers:
- You do not have an in-house blockchain developer in your project. You pay a freelancer for his work and this work is of course only done according to the principle: You get what you pay.
- There is a lack of expertise.