Thread

Zero-JS Hypermedia Browser

Relays: 5
Replies: 23

Replies (23)

It was an exploit related to nostr:nprofile1qqsyv47lazt9h6ycp2fsw270khje5egjgsrdkrupjg27u796g7f5k0spzcs8wumn8ghj7un9d3shjtnyv9kh2uewd9hj7qguwaehxw309ahx7um5wgknztnwvfhjuctwvasku6fwvdhj78w5jyy hub. Their installation page requires 0 authentication and gives access to the entire node. They call it good UI.
2025-11-27 18:07:50 from 1 relay(s)
Man, that's so fucked up, Francis. You're the LAST guy who deserves this. What a wonderful experience nostr:npub1fdhjvx4kwxrw8gtxzqef8e4573ftxlx5g25ynln4096js979qvlqnlglhr and I had with you at that beautiful hacienda on the rugged coast of El Salvador. Thank you once again for the invite..🙏😘
2025-11-27 19:32:48 from 1 relay(s)
Hey Francis, we’re really sorry this happened. In this case, the Umbrel setup was reachable publicly on the clearnet, so it could be accessed from the outside. At the same time, Alby Hub had also been installed, but the setup wasn’t finished yet. Since the unlock password is created during that setup flow, no password had been set at the time, which allowed the attacker to finish the setup and change the Alby Hub configuration. We’ve submitted a PR to Umbrel to add an extra authentication layer to require the Umbrel password to access Alby Hub: https://github.com/getumbrel/umbrel-apps/pull/4028 It is sad that people from the community attack such projects. Projects that create awesome things for the community and push the adoption of bitcoin. Projects that work for the benefit of all of us and not for their own profit. We call on the attacker to return the funds!
2025-11-28 15:56:31 from 1 relay(s)
a lot of apps have this kind of silly pattern, but they are usually trivial and non-valuable things especially before you set them up. the default should be that it writes a token to the terminal, that you have to use to set the password. unless the SSH connection is breached this prevents this kind of bootstrap snipe attack. if you have ever set up SSH on a VPS and looked at the logs, you will see there are probably tens of thousands or more bots on the internet scanning and probing everything they can find. they now have claude, to help them with this, not sure if you caught the news but they discovered that some clever guys were using claude to automate breaching of servers on the internet, that were far more sophisticated and fast than any such exploit ever seen before. at this point, it's pretty much game over. nothing should be open to connections on the internet without a back channel lock.
2025-11-28 16:23:02 from 1 relay(s)
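The bootstrap-token pattern suggested in the post above, sketched as an added example; it is not part of the thread and is not Alby Hub's or Umbrel's code. `SetupGate`, `NewSetupGate`, `CompleteSetup` and the `store` callback are hypothetical names: the first-run endpoint refuses to set the unlock password unless the request carries a token that was only ever printed on the local console.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"sync"
)

// SetupGate (hypothetical) guards a first-run endpoint that sets the unlock password.
type SetupGate struct {
	mu        sync.Mutex
	tokenHash [32]byte // only the hash of the console token is kept
	done      bool
}

var ErrDenied = errors.New("setup denied")

// NewSetupGate makes a 128-bit token; the caller prints it to the terminal only.
func NewSetupGate() (*SetupGate, string) {
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		panic(err) // no entropy: refuse to start rather than issue a weak token
	}
	token := fmt.Sprintf("%x", raw)
	return &SetupGate{tokenHash: sha256.Sum256([]byte(token))}, token
}

// CompleteSetup stores the password once, and only for the console token.
func (g *SetupGate) CompleteSetup(token, password string, store func(string) error) error {
	g.mu.Lock()
	defer g.mu.Unlock()
	sum := sha256.Sum256([]byte(token))
	if g.done || subtle.ConstantTimeCompare(sum[:], g.tokenHash[:]) != 1 {
		return ErrDenied
	}
	if err := store(password); err != nil {
		return err
	}
	g.done = true
	return nil
}

func main() {
	gate, token := NewSetupGate()
	fmt.Println("console-only setup token:", token)
	fmt.Println("no token:", gate.CompleteSetup("", "pw", func(string) error { return nil }))
}
```

A request that reaches the setup page over the network without the console token gets `ErrDenied`, and so does any second attempt after the owner has completed setup.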
Calling it a silly pattern is very kind of you. nostr:nprofile1qyxhwumn8ghj7mn0wvhxcmmvqyw8wumn8ghj7un9d3shjtngd9nksmrfva58getj9e3k7mf0qqs8u5uf0rd2p9wmdxxaznpn54tkq8wwspmljy0cjqw6jdgm5kv84ds3selle admin menu on Umbrel requires you to copy a string from the apps page. The reason I didn't go through with the initial installation is because I went back to the apps page to look for the password and couldn't find it 🥴 This wasn't an automated attack. First of all, it happened right after I shared the news release article on nostr:nprofile1qyt8wumn8ghj7ct4w35zumn0wd68yvfwvdhk6tcpz9mhxue69uhkummnw3ezuamfdejj7qpqqf9pur8yz8e8w78ap6255fx9x6xrakm2jgmqyv063l9365p7sdcs7adyk5, I was probably attacked by someone that got the link directly from me by DM. Second, and most relevant to prove it was not automated, the perpetrator had access to the node for 18 hours before stealing the funds. He was probably learning how to clean up his tracks or maybe how to not feel guilty about being a thief son of a whore.
2025-11-28 17:15:38 from 1 relay(s)
nostr:npub1getal6ykt05fsz5nqu4uld09nfj3y3qxmv8crys4aeut53unfvlqr80nfm you could use nostr DMs as a mechanism for delivering the unlock secret to the user securely. in fact, i would very much like it if alby hub used nostr auth and instead of sending me emails to my protonmail, to send them to me as nostr DMs. just a thought
2025-11-28 17:47:35 from 1 relay(s)
nostr auth would allow you to set the npub with admin power before you even start it. it would then require that key to unlock. and ... then there would not be any need to set a password either.
2025-11-28 17:49:06 from 1 relay(s)
Yes that is indeed sad. But maybe it’s a timely reminder. As an Alby customer who has been exposed to software risk analysis for a long time, I see a transition happening from technically very savvy cypherpunks on the base layer to higher level projects supporting more regular users (like me). Old security assumptions may no longer apply. So, those project developers should take an equally vigilant, adversarial mindset as the cypherpunks always have. I suggest that solution developers apply rigorous and transparent risk management best practices: FMEA analysis, security threat analysis and so on, going forward. The community could probably help with review of that analysis as we have a vested interest that projects like Alby succeed.
2025-11-28 20:47:35 from 1 relay(s)