So my ETH address got hacked. Just the one I was mining to, I was doing like 72MH/s for a couple months...

So my ETH address got hacked. Just the one I was mining to, I was doing like 72MH/s for a couple months, so I'm only out 0.29 ETH and like 500 BAT that I had stored on that wallet. Not the end of the world.

I know roughly how it happened - I stored all my private keys in plaintext on a single note (also with a regularly mirrored copy in a separate note as a "backup") in Evernote, which I opened often on my laptop, which is Windows, to access all my offline wallets. I've been noticing recently that a couple times when browsing on chrome, when I click some unrelated link, a new tab will pop up by itself pointing to some random ICO's landing page that I've never heard of. It was weird but I didn't connect that it might be actual private key-crawling malware (rather than chalking it up to me not paying attention and maybe just accidentally hitting a link on a page that I didn't see) until I checked on my mining address last week and saw that the wallet was swept completely 3 days prior. The hacker had like $33k of ether and random shittokens in there. Oh well.

Anyway I'm obviously not going to open that evernote note on my windows lappy again. Also want to eliminate the Windows weak point altogether for private key handling activities, so I spun up a Manjaro Linux dual-boot once again and am going to use that to sweep all my (potentially compromised) offline wallets into new ones; create paper wallets with the keys; and hopefully find a good place to store them.

But what's the most robust current solution for private key storage, for coins that don't have Ledger support? I have a Nano S which I should've been just mining to in the first place, but stupid. Is paper the way to go or is there a good cloud method? Veracrypt vault maybe?

Be careful out there nerds, don't fuck with your private keys. If you can see your private key onscreen on an internet-connected computer, immediately consider it compromised and get your coins out before someone else does.


>not using a nano

Nice blog bro

>lappy
You are the issue

>lappy
What are you a five year old?

Dude, a webpage cannot access your hard drive data. That's impossible with modern browsers.

>lappy
ugh

Of course, I mean I probably had a keylogger or some type of malware from something I downloaded. I had a bunch of different desktop wallets and miners, had to be in one of those
>inb4 it was turtle miner

umad?

He probably just got a trojan infection. My mother had her bank account accessed thanks to my father surfing the wrong porn sites recently. He then spent a month trying to remove the viruses and thinks they are all gone (I doubt it), rather than doing the smart thing and moving away from Windows.

Veeky Forums allows you to browse files to post images.

disable admin rights on your parents pc and problems solved

>my father surfing the wrong porn sites recently
is getting infected this way even possible if you have proper adblock?

Yeah, you most likely did. Would be wise to run miners on a separate machine

There's a kind of malicious webpages that prompt an .exe file download. Probably he clicked on one of those.

>derp

Honestly, you fucked up.
>when browsing on chrome, when I click some unrelated link, a new tab will pop up by itself
>I didn't connect that it might be malware
What else was it supposed to be? It was clear as day and you disregarded it. You were getting crypto related ads in these popups too, it should be a red alert.

Normies don't use it/have regular adblock with filter lists not updated for last 5 years.

This is why I dualboot Linux and Windows and only ever use Windows when I absolutely need to use Windows apps. Do not do anything crypto related with Windows

I'm assuming you are not retarded enough to just click any random .exe. So my guess is that you double clicked an .exe that you thought was legit but was in fact infected with malware. Check the .exe's PGP signature and SHA256 hash to make sure that it wasn't tampered with

The thing is, even if your adblocker is disabled, you cannot catch malware unless you directly download a file (i.e. press "Open" or "Save"). Modern browsers are pretty much a safe environment

kek, i've had tabs open up but shutdown almost instantly by adblock, am i fucked?

Thanks just hacked 33k

>72mh for 2 months
>0.29 eth
I think you got scammed from the beginning with that shitty pool lmao

This is why you don't use eth. Code is unstable and gets hacked.

This is why even on linux I run all wallets in their own VM or at least a separate user.

I had it off sometimes ;)

Srsly though my miner is kinda fucked, it randomly reboots all the time but in a totally unpredictable fashion so I can't figure out what the root cause is. I even put the mining scripts in the startup folder, but they don't start till you sign into Windows (I have a PIN set), and Nanopool's miner offline notification emails send hours later for some reason, so a lot of the time it'll be sitting there for hours to days before I realize I haven't been mining.

Either way, until I move out in a couple weeks, my current roommates noticed the power bill going slightly astronomical, so I've kept it off mostly kek

thx for the lel

I haven't kept up in recent years, but what if any vulnerabilities are there with Linux? I know they're less likely to get viruses because most malware is made for windows to target dumb normies, but is there a specific reason (other than better-stratified Unix user privileges compared to Winderp """run as administrator""") why someone couldn't say, build a keylogger into some smaller, lesser-known app package in the AUR or Ubuntu package repo?

Obviously the most thorough tinfoil hat route is to e.g. run MyEtherWallet offline in firefox in an airgapped linux machine, but 1. is there any possible way for this to still be compromised if you do connect it to the internet later, and 2. is it even necessary to take any further security measures than just running something like MEW online, in chrome, as you would a normie in Windoze, but just on a Linux machine instead?

Oh yeah, also wondering about the current state of security in Android devices. What's the story there, I've heard a few things
1. Galaxy phones are the most secure for cryptoshit (???) no real idea why
2. Android is generally safe/at least better than iPhones for sending crypto, and
3. Rooted androids are potentially problematic and could be compromised.

I have a Moto G5+ rooted, should I be worried and why? I do have F-Droid and Clover and a bunch of maybe-insecure 3rd party shit like that. No extremely sketchy obviously Russian botnet shit though. But I've still avoided doing anything with private keys on my rooted phone up till now to be safe.

>So
Well, you type like a douchebag so...

I don't even know my own private keys and passwords. They are all on KeePass and I just copy paste without actually revealing the password.

The absolute state...

Prove me wrong, cunt. Protip: you can't

A deliberately compromised package in a distro's repo would destroy its reputation forever.

Not malware, but other tabs can hijack your meta mask if you are not paying attention.

Yeah, that's the problem with using such extensions
>The extension injects the Ethereum web3 API into every website's javascript context

Here's one I still exploit:
digitaltrends.com/computing/browser-bug-can-fill-in-personal-information-in-hidden-fields/
There's a lot you have to do to properly secure a browser these days, far beyond the skillset of most people. I'm a security researcher and I'm not even dumb enough to say that my browser is secure. Zero days are everywhere, and without adblock enabled, you could be running someone else's code without even knowing it

Yeah, autofill. Indeed a thing if you're not using private mode. But that's phishing. My point still stands valid.

You should have made a paper wallet. Print out your keys, laminate it and keep it somewhere safe. They can't hack paper.

Use a ledger nano retard

And if you must have a software wallet, make an encrypted virtual machine using something like VirtualBox, running Linux for example

Then run the wallet from inside the virtual machine.
you can even back the whole thing up onto a thumb drive to protect from hard drive failure etc.

Nobody is gonna burn a firefox/chrome 0day to steal a few thousand in crypto. 99.9% of the time, exploit packs are gonna use patched exploits and only exploit outdated browsers.

But there was that electrum exploit recently.