Another thread talking about risks of crypto and personal identifiable information was the reason for this post. I’ll say now, I’m in no way a security professional but figured at least some of this may help a novice or further the discussion.
I view securing your crypto as sliding scales of time
, and risk
. Understand them, then you can dial the knobs as you see fit. You’ll want to mitigate as much risk as possible when securing “life changing” funds, spending as much time and money securing them. And maybe dial it back (or as you see fit) when keeping $100 bucks of crypto on your Parity wallet on your computer.
Taking this example further:
- The Winkevoss twins spend millions of dollars securing funds on Gemini. It takes security engineers, formation of policies for security controls & separation of duties, auditors, 3rd parties, consultants, countless meetings/hours, penetration tests, Lawyers to comply with laws, and a whole bunch of other things way over my head.
- Average income redditor spends 3 minutes downloading Jaxx on his mobile phone and sends $20 bucks to it
Both examples accomplish the same goal of storing crypto, but both have completely different aspects of time, money and risk. This may sound obvious, but I HAVE SEEN others not know this.
I think a good way to start talking about this is attack vectors. I had time to write out ~3, but there are more. Phishing
: This is probably the most popular right now. Phishing is basically a method of presenting a victim with seemingly legitimate information with the goal of stealing money or information. The scope is super broad and sometimes meant to target inexperienced users. You may have seen examples of this in phishing in e-mail. That Nigerian Prince intentionally misspelt a bunch of words to filter out intelligent recipients. If their scam has 5 parts to it, they don’t want to spend time on getting almost all the way through to the scam and have the victim realize it looks sketchy at the end.
Taking this example in the Crypto space, we have seen phishing domain names appear to look like “MyEtherWallet.com”
, and Tricking users to send them coins here
, or fake messages on Slack
, or even Sending Vitalik a fake message on reddit
Ways you can prevent this
- Type the domain you need manually in the address bar
- Bookmark the site you need
- Always take “time” to verify a source before sending money or entering your private key
- Take the “time” to read up on security, a good start would be to follow the above links when you have time.
: Or simply a targeted attack. Spear phishing is a more targeted phishing attack. Unlike phishing, it casts a smaller net, but is geared more towards the target. More time and effort could be spent by the attacker doing this for greater reward. A good way of not being a targeted attack is simply not letting potentially malicious people know you’re a target. Letting others know
your wealth either on purpose or accident puts you on an unnecessary radar. Similar to a bug bounty
, it will only encourage malicious actors to make you the bounty. Do not give any personal identifiable info when not necessary. A good example of this is this post
. It involves a targeted attack/spear phishing and social engineering.
The attacker in short found a tweet by a target that he uses Coinbase. Attacker was then able to obtain Name and phone number of target. Attacker then used social engineering to convince Verizon to relocate victims phone number to another device. With that he was then able to gain access to Coinbase. Among the several things mentioned in the article on security, simply not letting others know he used Coinbase was one of them. Protect your identity and personal information around Crypto when possible. Security Vulnerabilities and Malware
All operating systems should be considered unsecure. 0 day exploits are exploits that are known to malicious actors and not know by the developers of the software. There are also exploits that are known, but simply not patched by users. When was the last time you patched Windows? Malware (Malicious Software) can be installed on your computer via these exploits easily by a hacker given enough skill, and the reward being high enough. They can be deployed on your machine by visiting legitimate websites! The exploit can live in an advertisement banner
not completely controlled by the site. This Malware once infected can log keystrokes or read clipboard data (think: Private Keys), allow remote control.
Let’s give a plausible scenario that takes some or all attack vectors here.
- I (Attacker) find out a person (Victim 1) on the internet has lots of crypto. I find out his name, email address and find out someone else’s (Victim 2) email address he seems social with on Twitter all via publicly accessible means. I have a zero day exploit that I can stage on a legitimate site, it just needs a visitor. Via this exploit I can remotely take ones clip board using malware. I use an open relay to send to victim 1 an email as victim 2 stating some plausible reason to follow a seemingly legitimate link. Victim 1 clicks on it. Days pass and Victim 1 finally copies his private key to clip board preparing a paper wallet. Funds are sent to it and I transfer them to an address I control.
Ways to help
prevent this are
- Keep up to date on patches
- Never keep large amounts of funds on a computer or “hot wallet”
- Create a paper wallet offline (or opt for a hardware wallet for large amount of funds (e.g. time and/or money)
- You can keep a paper wallet backup Safe Deposit box in bank in case of fire
- Do not give a malicious person a reason to stage an attack on you.
- Don’t let people know how much money you have
- Keep personal identifiable information off social media if possible
This was only a few feet wide, and an inch deep. There’s much more to this, but hope it helps someone not lose a great deal amount of funds! Understanding your risk
will help you associate enough time
to protect it
The following is the exact copy of my medium article
. No need to go there if you prefer reddit. And please ignore my startup mentioned here. I spent a whole month writing this huge guide - it's far beyond a mere promotion. This post is about Ethereum blockchain. I do love it.
As I'm an entrepreneur myself (with some humble programming skills) I think I managed to explain clearly the practical side of Ethereum smart contracts - what can be done and how. Think this sub is the best place for it. Hope you'll find this helpful.
Will do my best to answer all your questions (please mind the time difference - I'm in Russia).
An entrepreneur, programmer and user walk into a smart contract - The ultimate Ethereum blockchain stratup guide.
Lifehack - you don't need to understand blockchain to build a smart contract startup.
I made my smart contract project
and still feel as a total noob reading discussions on blockchain. There is so much to learn for me. But, hey, my project works! Why bother? Though blockchain is cool and it's cool to understand the technology, there is no need to understand everything.
Take a look at smart contracts from an entrepreneurs point of view - focus on how you can benefit from it. What kinds of projects you can actually do? What business models are there? What an MVP would look like? What it takes to engage a user, find a programmer and build infrastructure?
This guide with examples and exercises will show you the practical side of smart contracts and help you estimate your idea or generate a new one. Use it as a starting point for your further investigation.
What you do need to know about blockchain and what you may just skip Mining
. The first thing to skip. From an entrepreneur's point of view mining is more like playing the stock market - buy equipment, analyze reward price charts and decide which crypto currency to invest your computing power to. But if you are dealing with smart contracts, you don't have to care about mining for the same reason you don't care about Internet providers when visiting a web-site. Blocks, hashes, cryptography
and all that math - we gonna ignore it too. The important practical outcome can be reduced to this mantra: "Everything that gets into blockchain remains there forever, anything can be verified, but nothing can be changed". In practice it means that data is stored permanently, transparently and securely.
Now let's turn to the terms you cannot do without and explain them as if it's year 2005 now. Blockchain is like a BitTorrent network
. A program on your computer downloads files and afterwards gives them away. But the program is called blockchain client
rather than torrent client. And those files you download store transactions instead of videos and music. Sender, recipient, date-time and ammount - records are stored one after another (yes, they are stored in blocks, but who cares). Everybody who runs blockchain client has his own copy of the whole blockchain database and keeps all transactions that have ever been made. This database is huge. Ethereum blockchain is currently about 43 GB, Bitcoin is 125.78 GB
. todo Cryptocurrency is a list of money transfers.
In blockchain world your balance is not just a single record, but the sum of all your receipts and expenditures (the entire transactions history). If a blockchain stores transactions which only contain money transfers (sender address, recipient address and amount being sent), we call this type of blockchain a cryptocurrency. Bitcoin - is a cryptocurrency. But any transaction is just a string in a file, thus it may contain any information. An address in turn may not belong to a human... which gives us much wider opportunities then just a crypto currency. Smart contract is like a web site.
A blockchain address may belong to a program. A program then is called a smart contract. It is called a contract just because the code is open. However it is simpler to compare it to a web site (or web service). For example, a classified advertisements service could be a smart contract. Its code would be stored at a particular address in the blockchain - just like a web site url. A transaction to this address would not contain money but an advertisement text. And the smart contract would publish this advertisement, i.e. saves to blockchain. Ethereum is like the Internet
Ethereum - is exactly the kind of blockchain in which transactions may contain not only money, but data. The blockchain database (those files one downloads) stores transactions between people, transactions involving smart contracts and contracts source codes. This makes Ethereum kinda new type of the Internet, which is stored locally by everyone involved.
And that's really enough for the theory. The rest you'll learn from what it all means in practice.
What is the difference between a smart contract and a conventional web site
What are the advantages (and disadvantages) of a smart contract driven service.
Openness and Encryption
A user doesn't have to trust you. "Everything that gets into blockchain remains there forever, anything can be verified, but nothing can be changed". The user sees exactly how your system works (smart contract code is open) and stays confident in the reliability of your database (database is transparent and unchangeable). Meaning there is no need to win users trust.
For example, you can turn a classified advertisements service into an open auction with charity donations. The process of selling would look as follows. A seller sets the initial price and posts a lot. After that anybody will be able to track bets, see a winner, see how much seller earned and how much was deducted to charity and to platform commission. Everybody is confident there was no cheating.
Where it benefits most. Gambling (Roulethvdice.io
), prediction markets (Augur
), voting, multilevel marketing (TheMillionEtherHomepage
Payment processing "out of the box"
You don't have to deal with any payment processing services. Solidity language with which smart contracts are written incorporates all the necessary money (Ether cryptocurrency) operators. User balance is just another variable in your code. You can program any behavior to it - like triggering an event on receiving a certain amount of money or making a multisignature payment and much more. That is why Ether and other cryptocurrencies are often referred to as programmable money.
Where it benefits most. Crowdfunding platforms (Weifund
), rent services Golem - rent unused CPU/GPU cycles
You don't have to worry about DoS attacks
and scalability. Every blockchain user has it's own smart contract copy locally on his computer, thus it will withstand any load, free of charge.
Where it benefits most. Smart contracts gave rise to a totally new kind of companies - decentralized organizations (DAOs). DAO is a separate phenomenon worth studying. In the meantime, just ask yourself: "Why do we need an intermediary like Uber, if it is possible to connect a driver and a passenger through a smart contract directly?". What prospects does it opens? Have a look at this startups: Arcade city
Lifehack: When googling for A DAO, ignore the hassle around THE DAO). The only reason THE DAO failed was braking some basic smart contract safety rules (we'll discuss them further).
Transaction delay and commission
A user have to pay for every transaction and have to wait a bit too. The average transaction is mined (read included) into Ethereum blockchain in 14-15 seconds
. There is a high chance of reducing this delay down to 4 seconds
in the near future. But even then we are all got used to a better responsiveness. Moreover a simple money transfer (two addresses involved, no contracts, minimal amount of data) would cost about 0.000861 ETH ($0.02 in March 2017)
. These "drawbacks" are tiny, but enough to build a heavy threshold for certain types of projects.
Where it doesn't benefit. A chat for example. Each message chips a couple of weis (Ether denomination
) off your balance and requires half a minute to reach the other end. This is probably a bad idea for a startup unless you are dealing with some official correspondence, which requires legal force and does not require privacy. With smart contracts you can choose almost any web service and make it blockchain. Plus you are free to create completely new blockchain-only types of projects.
See what has already been done
, mix it up with Internet of things, artificial intelligence, virtual worlds or fintech, and you'd most probably get a unicorn.
Note: You can make a smart contract with Bitcoin too, but it's like doing 3D in MS Excel. Kinda possible, but why?
What business models are there
You are free to use any business model. But first have a look at what have already become a new standard in Ethereum - tokens.
In conventional terms tokens business model is like crowdfunding and IPO combined. The "crowd" buys shares of your company instead of products. And in the future the shares (tokens) may be sold or exchanged for your services.
This became possible because Solidity
(Ethereum smart contract language) allows issuing your own cryptocurrency.
For example. You came up with a classified advertisement platform idea. You want it to have its own internal currency (tokens) called Advertisement (ADV). You want to charge 1 ADV for placing an advertisement, 2 ADVs for pinning it to the top and 0.2 ADVs for updating. You write a smart contract. All that it is capable of at this point is receiving money (ETH) and keeping users balances.
Now you announce your platform in a way that crowdfunding projects usually do and offer to buy ADVs at low cost 1 ADV = 1 ETH. Later when your platform is live you'll set the ADV price to 10 ETH. After that those who invested in the very beginning will be able to sell their ADVs gaining income or place their ads 10 times cheaper than the current price. But for now you've earned your ETH to spend on development. Tokens are attractive enough on their own to start experimenting with smart contracts.
What it takes to engage a user
Ok. You published your first smart contract. But what it takes to engage a user with no blockchain experience to use it? And how can we lower the threshold?
We can break user experience into two parts: interacting with blockchain (what a user has to do anyway) and interacting with your smart contract (ways we can make a user's life easier).
Interacting with blockchain
What a user has to do anyway. Get an address (a wallet).
An address and a key to it is like username and password. There is no way to interact with blockchain without it. The easiest way to get it is to use generator at MyEtherWallet.com
. It takes less than one minute and as a result, user receives an address and a key. The address is a 42 character sting and the key is a small file. The key file is used to sign transactions and has to be saved as securely as possible - there is no way to restore it. A user can use the same address to interact with any smart contract. IMG: Generate a wallet at MyEtherWallet.com Get some ether (ETH).
Any transaction requires commission (0,001 to 0,01 ETH on average). A user has to fuel up his address with a sufficient sum to interact with your contract. Buying ether is possible through major exchanges
. These exchanges require 1-3 day for identity approval and are available in a limited list of countries. Users from other countries and those not eager to wait (especially when buying Ether worth a couple of bucks) may use almost instant alternatives
Look and feel exercise: generate a wallet and send some Ether to it. Access a blockchain client.
Any interaction with blockchain and with any smart contract accordingly is done through a blockchain-client.
As of March 2017 downloading Ethereum database to an HDD disk (70% are still using HDDs
) requires 2-3 days and 43 GB of spare space. It makes computer unresponsive enough to start throwing things at it. Keeping blockchain in sync too requires about the same amount of resources as watching a movie online does.
Not to confuse the pros. For the sake of simplicity we call EthereumWallet, Mist browser, geth and parity the blockchain client. We are entrepreneurs here, it is only a programmer who should really know the difference.
There is also a so called light client. It doesn't require downloading the database. But it still requires installation and getting hands dirty with manuals. Our target audience is not willing to do it either.
So let's be realistic our target audience will hardly install any blockchain client on their computers. Let's see how we can help. A necessary and sufficient minimum for a user to start interacting with any smart contract is an address (key file) and a tiny amount of ether on it.
Interacting with your smart contract
We got to simplify user experience with a graphical user interface (GUI). In Ethereum GUIs do not belong to smart contracts and are stored off the blockchain. There are several ways to "attach" GUI to a smart contract. Here are they from the least to the most user-friendly.
Smart contract with no GUI
Users can interact with smart contracts directly, with no GUI at all.
Blockchain client can identify smart contract functions and let user work with it. The client provides auto-generated GUI so a contract looks and feels like a sign-in form of a website. This is a straightforward way of writing to and reading from contract. IMG: Access contract function through Ethereum Wallet
But we agreed we won't force user to deal with blockchain clients. To set user free from it we can try to offer MyEtherWallet.com
(an online client). Contract interaction will look just the same, but there is no need to download or learn anything. IMG: Access the same function through MyEtherWallet.com
The contract without GUI has to be very well documented. It is also a good idea to make a landing page to display the current state of the contract.
For example, TheMillionEtherHomepage.com
displays the state of the underlying contract and offers users to work with it directly giving all necessary instructions. The same setup would likely be a minimum for a classified advertisements smart contract. So the user with no blockchain background would be able to grasp the idea of the service.
Look and feel exercise: Try following sign in instructions for TheMillionEtherHomepage.com (it's free) and see what it is like to use MyEtherWallet.com. A Smart contract without GUI will do as a minimum viable product
Decentralized application (DApp) - GUI in a browser
In the above example the website doesn't allow writing to the contract being just a representation of its state (it only reads from the contract). To let user interact with your contract (read and write) through your own GUI you gonna need a DApp. DApp is a GUI for your contract in a browser.
A browser can simultaneously connect to the Internet and to a blockchain client. This allows a smart contract to look (and work) just like a conventional web-site. A user will follow a link like http://myClassyAdvertisements.com
The GUI is taken from the Internet, but transactions are sent to a local blockchain client.
Browser can connect either to full or light blockchain client. We discarded them both. There is a browser with "included" client - the Mist browser
. But it is too complex too. The easiest solution is the Google Chrome plugin Metamask
which brings all blockchain benefits right into the browser. This is what we want our user to install.
Look and feel exercise: Go to tokens exchange platform Maker Market, then install Metamask Chrome plugin and try Maker Market again. See how metamask brings blockchain functionality to the website. DApp and Metamask browser plugin make your smart contract look and feel just like a web-site
We can make any GUI for mobile or desktop application and bring any feature to it. But in order to send transactions it has to communicate with a blockchain client too.
The ways to do it without any locally installed client are: embedding a light client right into your application or communicating with a remote blockchain client (see infrastructure section further).
Look and feel exercise: Try installing Jaxx wallet or Free Wallet on your phone. To engage a user with no blockchain background means to make him get an address, buy a bit of Ether and install your mobile app or Metamask browser plugin.
What it takes to build an infrastructure
Let's turn to even more practical (and technical) parts. First what will you have to buy. From the cheapest to the most expensive setup.
Smart contract with no GUI
Regardless of the way you've implemented the GUI, you need to publish your contract first. Publication of a contract is a transaction too. Commission for it is negligible. If you managed to pay 1 ETH for commission, then your project is larger than the majority of existing ones.
Project documentation may be published for free at readthedocs.com. Or upload instruction videos to youtube.
If you want to display the status of the contract on a web-site the way TheMillionEtherHomepage.com
does, you have to develop a back-end that will "listen" to the contract through a blockchain-client. Thus you need a hosting to run your website, blockchain client and your blockchain client "listener".
Before buying a hosting check out Etherscan.io
). So introduce a version for those with no access to blockchain (see a paragraph up - make a web-page representing your smart contract status).
For a mobile app you'd probably need a server with a running blockchain client to let your app communicate with the blockhain through it. Or you can embed light client
right into your app. Or use Etherscan.io
API. Depends on your features. A more detailed (and more technical) guide is here - Mobile: Introduction
Which developer skills are required
What kind of developers skills you want to search?
Smart contract with no GUI
Ethereum has its own language for smart contracts which is called Solidity
Any contact is open source. Anyone can copy it and quietly experiment with attack options before an actual attack. With no thought out bug fixing strategies, neither address nor contract code can be changed after its publication. If there is a vulnerability and no escape paths, you'll helplessly observe your balance approaching zero. So it was with the ill-fated DAO (remember the life hack - The DAO is just an example of how one shouldn't write smart contracts). Responsibility.
Ethereum community recommends writing smart contract as if it were a firmware for electronics or a financial service (but NOT a web-site). For anyone eager to write smart contacts this official document on safety
is a must.
provides interaction with blockchain client. A front-end developer will do the job. Patience
You need a patient and curious developer. This is the person to dive deepest into blockchain technology, make raw developer tools work and read through tons of documentation.
Mobile apps and back-ends
Mobile and desktop applications can be written in any language. Recommendations are the same as for the DApp. To connect your app to a blockchain client (full, light or remote) there are ready-made libraries available. For example, python
. To embed a light client, check out geth
Lifehack: Jump off the cliff and build wings on the way down © Ray Douglas Bradbury.
There are only 368 dapps listed at the official Ethereum dapps list
and only one third of them is live. I believe this indicates the lack of understanding, not possibilities. It makes Ethereum a great chance to build a future game changer.
You may get some insights learning technology deeper. It is useful to know many of the underlying concepts of Ethereum and blockchain technology in general. But for the smart contracts and for the start this guide is a enough.
Thank you for reading.
Stack Exchange network consists of 176 Q&A communities including Stack Overflow, the largest, most trusted online community for developers to learn, share their knowledge, and build their careers.. Visit Stack Exchange A test message composed on privnotes.com, which is phishing users of the legitimate encrypted message service privnote.com. Pay special attention to the bitcoin address in this message. I believe there are some chains that allow that. I'm not sure if it has been merged upstream to bitcoin or not. I know I've been discussing ways to do messaging within a coin blockchain (vs bitmessage). You could use a blockchain.info wallet and send a message over blockchain.info. – Joe White Jan 5 '14 at 21:20 The key data is the least of your worries. The number of files this system will maintain (apparently indefinitely) will grow in N*M fashion. Every node will be given every e-mail ever sent by anyone, and be expected to keep that file for some relatively long time. 10 users, whose computers are nodes in the web of trust, who each send an e-mail to all users (including themselves; what, you've ... Bitcoin stackexchange com/users/message/9 sent=1#9 bedeutung hebel beim traden . Bitcoin stackexchange com/users/message/9 sent=1#9 visa prepaid card not working on amazon . Ing Diba Extra Konto Girokonto. reussir-avec-fleche.org. bitcoin stackexchange com/users/message/9 sent=1#9 forex in norway . Buchhandel Düsseldorf Hbf
0:16 - 9 year anniversary of the first Bitcoin billboard 0:42 - More than 1,000 BCH gifts given away with gifts.bitcoin.com 1:03 - New interview with Roger Ver coming soon Bitcoin will be the new store of value and crypto will be the new technology evolution and I want to be a part of that trough this channel. I will be sharing my ideas about the future of Bitcoin ... Cyber Security and Crypto News - BTC 100 Quintillion Ecuador Leak - Skidmap Malware Snowden Sued - Duration: 3 minutes, 25 seconds. Send me an email to [email protected] 📝Legal: *'The above video references an opinion and is for information purposes only. It is not intended to be investment advice. Thank you Andreas for your constant support. I hope you all enjoyed it as much as we did. SEE YOU IN THE NEXT VIDEO! Twitter: https://twitter.com/techwithc...