Ladies and gentlemen and honourable members of Steemit, it gives me great pleasure to introduce you tonight a new defender of this platform. Please give a round of applause to.. @keys-defender ❗
🤖 🤖 🤖
Tonight I finished developing and testing the features that were in the works during my last development update post:
- Recover Account when an Owner key is leaked;
- Transfer funds to Savings when an Active key is leaked;
- Publish a post on @keys-defender's blog when a Master or Active key is detected;
- Automatically reply to the comment/post in which a compromised private key is detected (1x day per user to prevent abuse);
- Send a wallet transfer when any compromised private key is detected (1x day per user to prevent malicious users from intentionally burning the scanner bot RC)
THE THREAT IS REAL
As disclosed in my previous posts, there are tons of compromised accounts credentials still stored in the blockchain.
( In case you missed it, scanning the whole STEEM blockchain I found 123 compromised keys ).
On top of that, there are malicious users (black hats) running bots to STEAL accounts and their funds. These bots are actively scanning new blocks published into the blockchain and will compromise your account within seconds from accidentally leaking a private key.
Testing my bot with real accounts made me realize that the threat is very REAL.
As I verified myself (losing a test account) if you publish an owner key, within seconds all your private keys get changed and all the funds transferred to the account of the attacker.
If you instead publish an active key, besides putting your funds at risk, your posting key will stop working after a few seconds. The only way out is to restore all your keys using your master password or master key.
There could be a solution for this but it will require tons of RC. I may get to it one day:
it looks like that account would run out of RC after only 7 transfers. I could get it to burn its RC intentionally leaking an active key from the same account every day so that when a real user compromises their key the malicious bot won't have enough RC to operate.
I will add this feature to my features backlog and will get to it when I have enough RC (I have a STEEM purchase in the order book but I may need more - delegations are welcome, by the way 😊).
My testing so far went great.
This is the post that I used for debugging and end to end testing: /@b0ts-testing/tomated-posts-test-2-1580640786922
As you can see @keys-defender (after some bug fixes) replied correctly to all types of leaked keys.
And it also published a post for each active and owner compromised key.
Feel free to leave a private key in the comments of that debugging post or this one as well.
I do not guarantee a 100% success rate but the risk is low as a dummy test account costs only 3 STEEM ($ 0.5).
PLEASE do not post the owner key of an account with funds in it!! I do not assume responsibility in case my bot has a bug and does not recover your keys in time.
Also, if you want to test intentionally compromising an active key, make sure that most of your funds are in the savings or transferred to another account.
Same as above though, I do not assume responsibility in case something goes wrong during the test.
So, again, please only use test accounts.
If you want to create one here you can find my guide on how to create an alt account in seconds.
NOTE: the bot is slightly slower than expected because is running in debug mode (eg. verbose logs enabled).
If you intentionally compromised a private owner key please reach out to me on discord to get the new keys: gabe#5784
During normal operations instead, real accounts with funds found during the LIVE scanning will be given to @guiltyparties and proof of identity will be requested.
These are the expected results when a private key is published in any type of operation into the STEEM blockchain:
- Owner key: keys change, reply, memo warning, post
- Active key: transfer to savings, reply, memo warning, post
- Posting key: reply, memo warning
- Memo key: reply, memo warning
I haven't tested these but they should work correctly as well (as proven in the past):
- leaking keys in wallet transfers
- leaking keys in other uncommon operations (eg. account update)
PLEASE LET ME KNOW IF YOU FIND ANY BUGS! Much appreaciated. =]
According to my backlog :
 Monitor leaked dead accounts and burn their RC if abused - checked though daily scheduler
 Auto-publish weekly report with live scanning stats
After these, before moving on to the other items on the backlog, I will spend some time working on minor bug fixes, stability, refactoring, testing, etc.
Previous related articles:
And now finally some sleep!! =']