Bitcoin Forum
Author Topic: WARNING TO COMMUNITY  (Read 970 times)
elambert (OP)
Legendary
Activity: 1696
Merit: 1008
August 23, 2013, 09:08:28 AM
Last edit: August 23, 2013, 09:26:41 AM by elambert
 #1

Hello all,
I have seen someone try to do this with CGB a month ago and now I see it occurred with Krugercoin. The CGB occurrence went unnoticed fortunately and no damage was done, but I see the Krugercoin one took off and is creating issues.

Please be extremely cautious of where you are downloading updates! Either get them direct from GitHub or take the time to confirm that the updates are from the development team (can be identified by tracking down the original ANN thread and seeing who posted it). One can only reason that we will see more of this, so please be cautious!

Any creative ideas should be thrown into the mix in order to create some kind of safeguard (signature or other) so the trusted sources can be confirmed.


FYI - From what I have seen, this issue occurs with a junior profile that is named after the coin. This should be an indicator to you to beware!
tyrion70
Legendary
Activity: 934
Merit: 1000
August 23, 2013, 09:15:09 AM
 #2

Hey,

Just an idea on signing. What I did with some Qt builds I created is the following:
- create an MD5 hash of the files created
- sign the MD5 hashes with my wallet address that's in my signature
- include a text file with binaries that contain those hashes and signing strings
- include the GitHub address of the commit used to create the build

That way everyone can verify that the files are actually coming from the person owning that address. For fanciness you could use a vanity address containing the name of the coin :)

HTH,
Cheers
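
The manifest step from the post above, as an added example (not tyrion70's own script): the release side writes one hash per file plus the commit URL, and the downloader re-hashes every file against that text. SHA-256 is used in place of MD5, which is collision-broken; the file names, commit URL and manifest layout are assumptions, and signing the manifest text is left to the wallet's own sign/verify message feature.

```python
import hashlib
import hmac
import os
import tempfile
from pathlib import Path

def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def build_manifest(directory, commit_url):
    # Release side: this exact text is what gets signed with the wallet address.
    lines = ["commit " + commit_url]
    for name in sorted(os.listdir(directory)):
        lines.append(sha256_file(os.path.join(directory, name)) + "  " + name)
    return "\n".join(lines) + "\n"

def verify_manifest(directory, manifest_text):
    # Download side: call only after the manifest's signature has verified.
    expected = {}
    for line in manifest_text.splitlines():
        if not line.strip() or line.startswith("commit "):
            continue
        digest, name = line.split("  ", 1)
        if os.path.basename(name) != name:
            raise ValueError("manifest entry contains a path: " + name)
        expected[name] = digest
    status = {}
    for name, digest in expected.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            status[name] = "MISSING"
        elif hmac.compare_digest(sha256_file(path), digest):
            status[name] = "OK"
        else:
            status[name] = "MISMATCH"
    for name in os.listdir(directory):
        status.setdefault(name, "UNLISTED")  # shipped but never signed
    return status

def demo():
    # Constructed file names and contents in a temporary directory.
    with tempfile.TemporaryDirectory() as d:
        Path(d, "coin-qt.exe").write_bytes(b"build A")
        Path(d, "coind").write_bytes(b"build B")
        manifest = build_manifest(d, "https://github.com/EXAMPLE/coin/commit/PLACEHOLDER")
        Path(d, "coin-qt.exe").write_bytes(b"other bytes")  # replaced after signing
        Path(d, "extra.dll").write_bytes(b"unsigned")  # never listed
        return verify_manifest(d, manifest)
```

The check is only as strong as the address the signature is verified against: take that address from the developer's established posts, not from the thread that offers the download.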

digitalindustry
Hero Member
Activity: 798
Merit: 1000
‘Try to be nice’
August 23, 2013, 09:16:49 AM
 #3

Great work, tyrion70.

Recently Nybble lost its client (it was only updated to Google Drive).

I certainly suspected something like this.

- Twitter @Kolin_Quark
GoldBit89
Hero Member
Activity: 526
Merit: 500
Its all about the Gold
August 23, 2013, 09:24:54 AM
 #4

Got to wonder what other alternate crypto coins are affected.

Lethn
Legendary
Activity: 1540
Merit: 1000
August 23, 2013, 09:25:54 AM
 #5

This should be standard practice for all software people download: never ever download from untrustworthy sources, and best practice, if you can be bothered, is to get some kind of virus scanner that works on download links before you get them, but I'll admit I don't know much about that kind of software because I'm just using what comes with Windows 7.
cryptocoinsnews
Sr. Member
Activity: 299
Merit: 250
August 23, 2013, 09:34:28 AM
 #6

http://www.cryptocoinsnews.com/2013/08/23/warning-to-community/

/David Parker, Director of CCN
Lauda
Legendary
Activity: 2674
Merit: 2965
Terminated.
August 23, 2013, 01:12:40 PM
 #7

Thank you for warning everyone.

"The Times 03/Jan/2009 Chancellor on brink of second bailout for banks"
minerapia
Full Member
Activity: 168
Merit: 100
August 23, 2013, 01:18:39 PM
 #8

Quote
Hey,
Just an idea on signing. What I did with some Qt builds I created is the following:
- create an MD5 hash of the files created
- sign the MD5 hashes with my wallet address that's in my signature
- include a text file with binaries that contain those hashes and signing strings
- include the GitHub address of the commit used to create the build
That way everyone can verify that the files are actually coming from the person owning that address. For fanciness you could use a vanity address containing the name of the coin :)
HTH,
Cheers

This doesn't actually help much on the Krugercoin case since the malicious client was not redirected or anything. But it was just some forum post which offered a completely new link to the client.

digitalindustry
Hero Member
Activity: 798
Merit: 1000
‘Try to be nice’
August 23, 2013, 01:31:32 PM
 #9

Quote
This doesn't actually help much on the Krugercoin case since the malicious client was not redirected or anything. But it was just some forum post which offered a completely new link to the client.

In which case don't download from Devs you don't know with no forum account reputation, I'd call that evolution more than anything.

If Developers do not look after or care about a development then obviously it's going to go that way, where users don't know who controls it or who is up-keeping it.

Most of that is the effect of a saturated market of pre-mined and insta-scammed crypto-"currency".

All things being equal.

- Twitter @Kolin_Quark
minerapia
Full Member
Activity: 168
Merit: 100
August 23, 2013, 02:25:04 PM
 #10

Quote
In which case don't download from Devs you don't know with no forum account reputation, I'd call that evolution more than anything.
If Developers do not look after or care about a development then obviously it's going to go that way, where users don't know who controls it or who is up-keeping it.
Most of that is the effect of a saturated market of pre-mined and insta-scammed crypto-"currency".
All things being equal.

Deal was that someone created a new account named "Krugercoin", then posted a "Krugecoin, mandatory update" post which had the malicious client. The real dev of Krugercoin (Nibiru) had nothing to do with it.

Well, it's like the oldest scam on the internet. Send email to a gazillion ppl which states:
'BankNameHere' wants youre feedback, win an iPAD !
Then the link goes to BankNameHere.easyurls.com and steals credentials. Easy as pie.

Lesson pretty much is: always check what you click, always check what you download.

Snail2
Legendary
Activity: 1512
Merit: 1000
August 23, 2013, 02:42:15 PM
 #11

This is why I like using Cryptsy, Coins-e, Bter, and BTC-e as wallets for a part of my altcoins :). I know this is also a dangerous practice but a distributed coin store as well.