With all the official statements regarding the hacking incident published on the official @utopian-io account, I still believe there is still room for explanation on by behalf on the incident, what happened, how and why.
In this post I’ve included an FAQ about the incident, and my own personal outlook on the present and future of the Utopian.io project.
What happened?
- The servers hosting the main Utopian backend services were compromised and the entire filesystem was erased.
- Images and backups from the last month were erased from CDN.
- SteemConnect tokens that were stored in the production database were leaked and used for bulk upvoting of random post and a downvote attack on a prominent stakeholder on the STEEM blockchain.
Why was Utopian storing users’ tokens in its database?
SteemConnect allows for some unique features. One of these features, that was extensively used by what was the Utopian.io frontend and backend, were the refresh tokens.
SteemConnect refresh tokens allow applications to post, vote and perform other basic Steem functions on behalf of the user, client side or server side, without the user having to directly accept the action. These tokens do not enable the transfer of funds, wallet actions or access to account keys.
Utopian was using the SteemConnect Refresh Tokens to:
- Store post submission data, such as the community quality score, moderation data, as well as other data necessary for the functionality of the Utopian frontend.
- Automate rewards for Moderators and Community managers by posting on their behalf as per the @utopian.stats model.
Were the tokens used by Utopian for any other purposes?
Utopian.io never used the tokens for anything that wasn’t immediately obvious for system functionality and integration with the steem blockchain as detailed above.
Is SteemConnect Secure? Should I be worried if I am using SteemConnect?
As previously stated, we see no direct risk in using SteemConnect. The attack was targeted against Utopian.io and there is no evidence that the attack came from a SteemConnect leak in any way. Other platforms may or may not store SteemConnect refresh tokens. It is up to the platform to decide if and how to secure them.
Why didn’t Utopian recommend to users to change their keys immediately?
The Utopian team is made up primarily of developers, and we have always been working closely with Busy.org and SteemConnect. It was instantly clear that no wallets or keys could have been compromised in this incident in any way, which made it unnecessary to change passwords and keys to ensure their security.
The only way for your key to have been leaked would have been a direct attack on SteemConnect and by accessing your client directly during login. Neither is very likely to happen and is far from what occured here.
Was the Utopian.io interface properly secured?
All the machines were thoroughly protected and credentials were owned by a handful of people who needed direct access to the servers for various reasons.
The Utopian.io frontend did not show signs of flaws that could have permitted an attacker direct access to realise such a disruptive action.
The production server was hosted with a well known hosting provider used by multiple leading companies and brands, and was secured based on the latest standards.
The CDN was hosted with a different provider, which lowers the chance of a simultaneous attack and loss of data.
Why was the attack suspected as internal?
As a CEO, handling a situation like this one is challenging. I wish to clarify that no one should ever be accused or suspected without clear and verifiable evidence. Utopian has been a place of collaboration for many gifted professionals worked in the past, and the information below is not, by any means, meant to show any of them in a bad light.
What I can bring here are facts regarding what happened and how we managed it.
- The attacker had intimate knowledge on the location of data and backups on different servers with different service providers, allowing them make sure no data was safe.
- The attacker knew the SteemConnect secret and refresh tokens were revoked.
- The attacker knew that even though refresh tokens were revoked accessing the new secret key on the server would have been sufficient to cast votes on behalf of the user.
- The attacker maintained a backdoor on the main production server with daily root passwords and ssh key changes a few days before the attack.
- The attacker knew what to access in AWS and what data to delete. We have evidences the access to the AWS application could have been kept on the mobile app, even though the auth credentials were changed.
- We got reports of unusual activities on the blockchain before and during the attack.
- Unusual activities on behalf of Utopian took place a few days before the main attack. For that reason tokens, secrets and other credentials were already changed everywhere. It is evident the attacker or attackers planned this attack and were successful in acquiring backdoor access to be used at the right time to act for maximal damage to Utopian.
Could this attack have been avoided?
This incident was taken very seriously by us, and we took the time to consider and learn from the mistakes made. Many companies and organizations regularly face breaches and attacks on their infrastructure. We are certain that better internal organizational processes could have been adopted to prevent such potential issues.
We consider this a lesson learn, and will take all precautions and steps necessary to ensure nothing like this every happens again. In addition, we will ensure no user tokens are required to be stored on our services in the future.
Why is the Utopian.io interface kept offline?
As a CEO, I will not take the risks entailed in bringing back a potentially flawed platform, even though the attack on Utopian was most likely not caused by any such flaw. This is to ensure the security of users’ accounts and to show the community our will to protect them at any cost.
It is also worth noting that Utopian.io was born as a proof of concept and a prototype. Utopian.io grew at an unexpected pace - much too fast for us to keep developing the prototype and supporting the existing community, all while working on a finalized and market-ready product.
Utopian aims to be a serious and professional business on the STEEM blockchain and create a sustainable solution for the open source community. It is our goal to be seen as such by entities on every level, in and outside the STEEM blockchain.
To make this utopian vision a sustainable reality, it is necessary for us to focus on the development of a solid, secure and scalable solution rather than continue developing a prototype.
The hacking incident was just another reason that made it clear that such a drastic decision had to be made.
Where is Utopian now?
We are right where we were - the STEEM blockchain.
The true value of Utopian is not in its interface or frontend, but in knowledge and people.
Guidelines that we have built with blood, sweat and lot experience, and through which we’ve learned many valuable lessons. https://join.utopian.io/rules is the result of efforts on behalf of dozens of professionals in the Steem community, created and optimized to enable the cohesive and organized submission of the best quality contributions and contents possible. Such guidelines are an asset and they not going anywhere.
Our Moderation teams. We have been selecting the best out of the best professionals on the Steem blockchain to help us review and improve contributions. They are our biggest asset, and as evident by their massive support in the past days - they are not going anywhere. For that, they will continue to be rewarded for the amazing work they do same as they were in the past.
When will the Utopian.io interface be back?
We aim to release an improved version of Utopian.io as soon as possible, while keeping all our processes functional. In developing the next generation of Utopian, we will focus mainly on ensuring stability and security.
Expect additional future updates on our progress.
Was the Utopian.io frontend necessary for Utopian to exist?
No, as is evident by the continued influx of contributions, renewed as soon as we announced contributions were once again welcome.
To submit contributions to Utopian.io the community can use any existing STEEM frontend, and our team can continue its curation work we did so far. While development efforts are focused on completing and delivering an improved new frontend solution, not a single operation of Utopian is being paused due to the deactivation of the old one.
Keep Contributing!
You can continue submitting your valuable contributions to Utopian and get a few extra advantages.
Use the platform of your choice to publish your contribution - Busy.org, Steemit.com, Esteem and others.
Zero Beneficiaries Required. While Utopian is no longer added as an automatic beneficiary, you may still choose to share your rewards with Utopian.
Additional information:
Utopian Now: How to contribute
We Made It!
As a CEO of this company I had to go through every possible challenge since I created Utopian.
- Battling scamming and abuse, both internally and externally.
- Teaching and guiding the community to provide valuable work.
- Continuous iteration on our guidelines.
- Fixing technical issues, internally and externally.
I am fully happy to have dedicated myself fully to this project. I see its potentials. I stick to the vision.
But nothing could have been achieved without the support of the Utopian team and community before and after the attack on Utopian servers.
The team members who worked with me in this challenging time are the passionate professionals we need to make this blockchain and Utopian a global success. I can’t mention them all as this post would then never end, so I will start by apologizing to everyone I’ve failed to mention. Here are my some of my heroes, in no particular order:
@espoem
The person who prioritizes quality, fights abuse and strives to grow the wealth of the platform.
@techslut
The pink lady who corrects my English, does PR everywhere, brainstorms on solutions, manages content and people to produce it, engages the core team and the community... I could go on, but the list is always growing.
@buckydurddle
It is hard to imagine what the video tutorials category would on Utopian would look like without him.
@amosbastian
A great developer. You ask for help, he fixed it before you even asked.
@ms10398
Another great developer. He was here during and after the attack making sure we had the tools to keep going.
@mcfarhat
This guy has been here from almost the start, participated to each and every conference, helped on any possible scenario and managed his team and the tutorials category wonderfully.
@jestemkioskiem
I can’t think of any other person who cares more about how we present ourselves publicly and brainstorming around solutions to make us improve on a daily basis.
@imwatsy
Whatever I needed something to be written well and fast - he was there. Whatever the day, whatever the time.
@favcau, @jmromero, @tobias-g, @Deathwing, @eastmael, @helo, @scipio, @mkt, @emrebeyler, @justyy, @knowledges, @roj, @rosatravels, @portugalcoin, @sirfreeman, @icaro, @sachincool, @therealwolf, @stoodkev, @wehmoen, @paulag, @abh12345, @crokkon, @codingdefined, @andrejcibik, @samrg472, @oups and others.
All the people who worked with us in the past and now, all our collaborators, Community Managers and Moderators; they have been there to help before, during and after the incident to keep the community engaged and updated. They have been there tackle any issue, any complaint and even harassment for one simple reason:
WE ARE UTOPIAN
And we’re not about to stop.
@elear and team, glad to see such resilience and team effort. This is a really awesome and welcome address to the utopian and wider steemit community. You have come such a long way since launching first and I look forward to what will come next.
Without utopian, I'm not sure @dana-varahi and I would have spent as much time as we have developing @blockpress. I will make sure to give the project a prominant thank you on the website when beta release finally happens. We're trying to remain fairly low key until then.
Thanks for you
I think the key to this is looking at motives, since there must surely only be a small amount of possible motives for making such an attack - for example:
I'm sure all of this will have been considered, but having come from a background where I have seen first hand the criminal extent to which 'world leading corporations' will go to stifle dissent and crush those they consider to be 'competitors' in some way - I just wanted to add that in to be clear!
May Utopian be reborn stronger and better than ever!
"The pink lady who corrects my English, does PR everywhere, brainstorms on solutions, manages content and people to produce it, engages the core team and the community... I could go on, but the list is always growing."
I honestly think that if you elaborated more on what she's doing you would've just make a whole post about her :)
Great hearing directly from you!
<3
Yes, I proofed this post too. :)
great day ..
It's time for even us as users to draw from experiences like this.. That this can happen to anybody, but the ability to keep the team focused and undivided to rise from something like this is rare..
You deserve come real commendation for keeping everything calm and handling everything in no time without any panick..
Utopian-io is here to stay..
I will also join in and say "we are utopian-io" because I also want to draw from this Wealth of Knowledge in managing situations around me.. Being calm and collected rather than over-reacting and making things worse..
We are utopian-io.. Stronger each day..
if you find it very easy to achieve your goal this means you are heading to the wrong way
WE ARE UTOPIAN :D
Excluding you, you are knackers 😜
We are utopian 😉
LOLOLOL
We are all knackers around here. :P
I know right 😉
yes. we are utopian :D
I am not sure. how many still assume I exist. :D
Me :D
I count 5 people from you.
Me!
and I count 20 people from elear. :D
so i have 25 :D
I am about half a person cause I don't code.
Haha. Why. I count 10 from u. 😀
Nah. I am just very small and I move very quickly.
@elear put it perfectly, it's a vision, people that don't share it leave sooner or later. We started on utopian but due to circumstances moved on, but never forgot, and still share the vision. I'm grateful to have contributed a little bit to it, and I'm grateful to get to know some people.
Just to say, I know you're still alive ;-)
WE ARE UTOPIAN!!!
We are Utopian <3
Who says we gonna stop? Those are our stepping rock so we can achieve more. That's Utopian.
WE ARE UTOPIAN
Way to go @elear!
We are Utopian ;)
We will learn from the mistakes...best of luck utopian... best of luck @elear
Thanks for addressing us
We are Utopian :)
Thank you @elear, looking forward to building the greater product. If that was a prototype imagine the future product. Well done team
I am sure there is a mule there#siliconValley5 get yourself a gilfoil because dinash will leak the info..Still believe in decentralization .Go team go
Although the attacker(s) planned and executed this evil act in a such a way it will not be easy for utopian.io to bounce back to life so soon, but am pretty sure this attack will eventually take utopian.io to a new and better level.
@elear Regarding @utopian-ion this post is very informative for all @utopion-ion members.
Thanks @elear for acting as such a wonderful CEO. You'd surely go places as you have the right attitude to be someone in charge of even greater companies and organizations. You have not let your spirit falter, neither have you let your head droop.
Such never-die spirit is necessary to rally the team around and work together to bring back what was there before.
Kudos to you @elear and kudos to all the hardworking Utopian team.
What is dead may never die...!! We are Utopian!!!
UNITED WE STRONG !!!!!
WE ARE UTOPIAN :D
We are UTOPIAN
Can't wait for it to come back up
Hey Utopian, love what you guys are doing. I hope to dive in and get involved in the near future.
We are utopian !!
I WAS UTOPIAN (RIP TRANSLATION)
You are still Utopian! While translations contributions are off, you still have many categories you can contribute into :)
I'm not dev. sad :'(
Thanks for reaching out to us on the incidence. We hope to continually have a great, secured and reliable company like this.
Im sorry about this and I trust you will improve a lot after this. It is great to see that you keep accepting contributions. I was wondering: What about github access? I remember that when I approved utopian to access my github account it requested for delicate permissions over all my public repos.
@elear Thanks for the clarifications. I really appreciate them. This was kind of what I was referring to previously.
@eclear i must say, am glad you have take your time to speak about the current state of the platform. Utopian has always remain strong with people like you and other moderators who have been making drastic effort to ensure the growth and success of the platform. This is actually a stepping stone for utopian to move higher. Before anything can be called extra ordinary, it have to pass through the stage of been ordinary, i believe utopian will now be an extra ordinary platform, when it is fully restored.
Cheers!
@elear dan tim, senang melihat ketangguhan dan upaya tim seperti itu. Ini adalah alamat yang sangat mengagumkan dan disambut baik untuk komunitas steemit utopis dan lebih luas. Anda sudah begitu jauh sejak peluncuran pertama dan saya menantikan apa yang akan terjadi selanjutnya.
Good
Greetings from Venezuela. I invite you to take a look at my first OpenMic post and support me: D and thanks in advance
STEEMIT OPEN MIC SEMANA 85 - Time in a Bottle by @maycorjerjes18
Great Update!
Congratulations @elear! You have completed some achievement on Steemit and have been rewarded with new badge(s) :
Award for the number of upvotes
Click on any badge to view your Board of Honor.
For more information about SteemitBoard, click here
If you no longer want to receive notifications, reply to this comment with the word
STOP
Do not miss the last announcement from @steemitboard!