I don’t recommend downloading from unofficial distribution channels without verifying a hash. That said, why doesn’t Exodus give Linux users a PPA? Mac and Windows both have auto updates for the Exodus wallet.
Real tldr: someone downloaded a fake app and was scammed, and here are the author’s recommendations:
Mandate & verify that all published applications using financial and/or cryptocurrency branding are officially published directly by the upstream developers
Change the store so all initial Snapcraft store name registrations are gated behind human review
Gate the first month of a new snap uploads behind human review
Block all interface connection requests behind a human review, including automatically connected ones like network and home
Fully staff the team doing the above to respond to registration, interface connection and upload requests in a timely fashion
Send out a clean snap update (as we did in 2018) to all clients that have the scam snaps still installed
Publishers should have their ‘newness’ on the platform highlighted with a ‘New Publisher’ badge
Snaps that are less than $M (2?) months old should have a ‘New Application’ badge
Snaps that have fewer than $N (50?) installs should not appear in search results
The store should make prominent notes to users that newly published snaps and snaps from new publishers should be viewed with extreme caution
Provide better education to users on the risks of installing finance and cryptocurrency software from the Snap store
Review and update all wording in graphical and web software store-fronts to ensure users aren’t given a false impression that malware is ‘safe’
Me: What are your recommendations, dear lemmy users? I bet you can come up with much better recommendations
The idea of a package maintainer that is vetted by the distribution channel comes to mind. That’s the model that has worked with most distros so far. I don’t see why it wouldn’t work here.
App Store moderation (because this is what we’re talking about) is a hard and labor-intensive problem. I’m not sure it can be done well enough at scale for free without introducing easily gamed mechanics.
That said, this seems just a list of ways to blame someone else for messing up and getting scammed.
I like the recommendations but I would also just ban cryptocurrency wallets from the app stores (and traditional finance apps capable of transferring funds electronically). There’s not much you can do to stop scams in that space but if the devs distribute their own apps, at least the user can verify they’re at the original developer’s site or repo or whatever and possibly hold them accountable.
That probably won’t help on the scams — people in the crypto world get scammed more than aging grandparents, it seems. But I don’t want Canonical or Flathub to be held liable due to a lack of moderation resources. If they can ever automate moderation to the degree it’s safe, bring back the finance app category with some safeguards.
For comparison, I wonder how vulnerable Flathub (flatpak’s primary repo) is to these kinds of manipulations… Seems like every app manifest there is publicly available and is compiled on their servers, presumably making it easier to spot shady apps and updates, and the submission process requires manual approval.
Another thing that they do that should make the process less vulnerable is they try to get developers involved in packaging their own applications (and have a verified badge, though I’m not sure how rigorous their verification is).
This “Exodus” application published in the Snap store was indeed a scam application. There is a genuine organisation that developed a real, seemingly ‘legitimate’ cryptocurrency wallet application. This is not that.
I mean FlatHub isn’t safe in general. You could just target someone downloading the package and give them a malicious package instead. FlatHub doesn’t check sigs, so it’s a hot mess.
They seem to be doing more on that side than Canonical is. But I agree, it should be MANDATORY that the developer is thoroughly vetted and approved and the code run and checked before publishing.
I hope this is a wake up call for Snaps and Flatpaks.
Apps from the repo have the security, which is why I always default to the distribution repo.
No, my point is that if flatpak doesn’t document that they cryptographically verify the authenticity of packages, then they don’t.
Even the ostree docs say that it supports gpg encryption. It supports it. It doesn’t enforce it. That depends on the implementation.
I will continue to harshly criticize projects that leave users vulnerable. Want to prove me wrong? Link me to the flatpak docs that clearly say that all packages are cryptographically verified after download and before upload.
That is the genuine one. There is a genuine company called Exodus for crypto. The problem is that a scammer made their own clone and nobody verified whether they really are from the Exodus company.
If you check the manifest on Flathub you’ll see they verified it belongs to the real Exodus
For all the wrong reasons, I can totally see some coiner bro tweeting this headline going “this is why you should use #windows when handling your #bitcoin” 🙄
That is an absolutely fascinating article on the technical operation of a scam app. A definite warning to us all. Also I was very interested to read the terms and conditions of the Snap Store, specifically section 14: Limitation of Liability (which could be titled “Sorry, You’re Fucked”).
I don’t like bitcoin, it’s an environmental disaster that had potential but has turned into a highly volatile speculative device beloved by libertarians, grifters, and scammers. I do feel for the person who lost the coins, that cannot be a very nice experience to deal with.
It’s sad, but as a crypto user I’d be sketched out enough about using a centralised hot wallet app like Exodus in an official capacity, let alone entering my private key in something installed via a 3rd party app store. This probably happens on the Play Store a few times a week, and that’s on a bigger platform with a full security review process. It’s ultimately unavoidable.
The problem with most crypto compared to regular money is that it’s often seen as an investment. However, one of the most important factors for a currency that is used in everyday transactions is stability and predictability. Money is supposed to ease trading goods and services as a universal middleman. It’s not supposed to make someone rich who invested first.
Of course there’s also inflation and deflation with regular money but as soon as that’s getting out of control, it typically leads to serious economic issues.
It’s seen as an investment, yes. Those are important factors for a currency, I agree.
Is there a part where you meant to connect these dots to substantiate the first statement about it being a problem that it’s seen as an investment?
Edit: I get it, you’re saying it’s a problem with the idea that Bitcoin should be used as a currency in everyday transactions. I don’t think that’s a popular use case for Bitcoin, though. I wouldn’t use “digital gold” for everyday transactions, similarly to how I wouldn’t use real gold. That’s not really a problem with Bitcoin though, more of a misunderstanding of it
Not to sound like a shill or anything, but that’s what’s great about monero. It’s actually used on a daily basis as money because it wasn’t designed to be an investment vessel. Unlike most cryptocurrencies, monero is one of a few, if not the only, cryptocurrency that could suffer from inflation as there is an unlimited supply; however, this works out in the average user’s favor, as there’s no scarcity-based value, which means there’s less speculation trading, leading to a more stable price. I’m not sure what the long-term effects of having an unlimited supply of monero are, but their justification is that it’s a predictable fixed amount added, which will prevent hyperinflation.
Once again, I’m not a crypto shill; I’m literally saying investing in crypto is a bad idea and to only use it for its utility.
It’s actually not. If the energy used to mine is sustainably generated, there’s nothing BTC can do to hurt the environment.
IMO the fundamental problem with all (PoW) cryptos is the assumption that computing power is distributed fairly when it’s clearly not. Building microchips is not easy; it would not be hard for a government who wanted to amass >50% of its nation’s compute power.
And PoS assumes that you’ll never end up in a situation where a small number of users own the vast majority of the wealth…(lol)…and that even if they could they would be disincentivized from destroying their own wealth. But the ability to devalue a society’s currency has immense value, especially if you’re powerful enough to be positioned to fill the vacuum with something of your own design.
And the last holdout argument is that “the network belongs to the people, if the people don’t like certain behavior on their network, they can fork a version without it”. Except that no lay-person will ever make a decision like this. Virtually every single crypto miner downloads someone else’s code and runs it without question. You can’t have accountability in a distributed system if it relies on intelligence and integrity that doesn’t exist (or the cost of which is unreasonably high).
The environmental cost is a red herring, but that doesn’t mean the technology isn’t fundamentally flawed as a currency. Maybe for other, more technical applications, but not currency.
Edit: consider the situation where I hook my own solar panel to a PC and just mine Bitcoin with it. Does this hurt the environment? Of course not. Is it a good use of the power being generated? Of course not. Do people have any reason to be outraged at me doing this pointless thing? Of course not. That’s my point.
Now if I hooked a gas generator up to the PC, that would be another story.
use the sustainable energy that was otherwise used for actually useful things.
But you could use that argument against literally anything you don’t like.
Consider the situation where we live in a society where 100% of energy generated is sustainable. Now imagine the society faces a problem where 90% of that energy is being sold off to private citizens to use for whatever they choose, be that mining crypto, or space heaters (same thing, really) and as a result the society’s infrastructure is left without enough energy (hospitals, emergency services, etc). What would you say the solution is in that situation?
That’s a bit how currency works in general; the only reason why that piece of paper / metal has value is because we agree that it does (mainly large banks will back it). People also buy and sell currency.
The issue is around it being seen as an investment more than as a currency?
Of course based on that definition. Fiat currency is the same. Just without the complex number.
I am really not a huge fan of crypto. But honestly, all modern (post gold standard) money is entirely based on users’ confidence in the nations backing it. The proof of work used for bitcoin really is no more than a matter of faith in folks dumb enough to buy it from you later.