Dan Finlay 🦊

@danfinlay

190 Following
186524 Followers


Dan Finlay 🦊
@danfinlay
I wonder what fraction of the NPS workforce could be crowdfunded with a transparent crypto DAO streaming salaries to vigilante rangers.
0 reply
0 recast
1 reaction

Dan Finlay 🦊
@danfinlay
Can they type? I think the rabbit r1 UX is pretty great for a pre-literate kid, but it ain't local/private. If they can type, LM Studio on mac is an awesome way to download/run anything you can run locally.
1 reply
0 recast
1 reaction

Dan Finlay 🦊
@danfinlay
As for "gaslighting people about screenshots", the first reports we received were only screenshots, not proof, so we mistakenly thought people were buying off screenshots, which seemed sillier. It got a lot more serious once we learned this was a real account takeover. https://warpcast.com/danfinlay/0xe4e586e5
0 reply
0 recast
1 reaction

Dan Finlay 🦊
@danfinlay
But yeah I agree you will do fine to basically trust nobody in this space. I'm not really asking for your trust, tbh. I'd be very happy if nobody had trusted any memecoins posted from my account, and would continue to. If I ever raise funds, it will be on comprehensible terms for a clear reason.
0 reply
0 recast
1 reaction

Dan Finlay 🦊
@danfinlay
"This" did not happen to me multiple times. I once toyed with the memecoin scene, and had a bad time, and wrote about it: https://blog.danfinlay.com/meme-tokens-and-consent/ I ended up donating all the fees I received from the BASE coin to the Roman Storm legal defense. The more recent memecoin & rug was a takeover of my DNS, I posted here on FC recently, and would link to it but my profile page isn't loading right now for me.
1 reply
0 recast
1 reaction

Dan Finlay 🦊
@danfinlay
I might recommend it as a step after any user connects a wallet. Most people don't dig into advanced settings.
0 reply
0 recast
3 reactions

Dan Finlay 🦊
@danfinlay
ERC-7811 looks great, I've wanted something like this for a loong time. I'll try to get us adopting it fast. As for 7555 and the plugin standards: I'm not sure that "add a plugin that can do anything" is a really acceptable security model, and I suspect 7715 makes a more private + consensual way to enable other contracts/accounts from any account/chain.
0 reply
0 recast
0 reaction

Dan Finlay 🦊
@danfinlay
Neat! Was I some inspiration here?
1 reply
0 recast
0 reaction

Dan Finlay 🦊
@danfinlay
Or like, could I opt into "only let me log in with my eth account"?
2 replies
0 recast
1 reaction

Dan Finlay 🦊
@danfinlay
Well, as long as you've got "log in to web with emailed recovery link", you've got a pretty big DNS anchor. Maybe worth adding 2FA to that system. I know, people love sign in with email links...
1 reply
1 recast
5 reactions

Dan Finlay 🦊
@danfinlay
In a situation like this, what you really want is one place where you can rotate your keys which implicitly revokes all outstanding connections, but allows you to resume signing in as before. Happy to be building a contract account that makes that possible, and then I hope to normalize that around the web. gator.metamask.io
1 reply
1 recast
7 reactions

Dan Finlay 🦊
@danfinlay
Another thing: I've started to record whether sites I use allow "sign out other devices" or logs that would indicate whether other devices have gained access to an account. It's staggeringly rare. There are some security features that feel like basics but somehow are rarely part of a new app. Candidates for an ideal framework.
1 reply
0 recast
6 reactions
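The two posts above describe an account design: one place to rotate keys that implicitly revokes every outstanding session while letting the owner sign back in, plus a "sign out other devices" action and a log of which devices have gained access. The following is an added illustration of that model in plain Python; it is not code from the posts, from MetaMask or from gator.metamask.io. The `Account`/`Session` names, the `sid.version.tag` token format, the HMAC-based tokens and the device names in `demo()` are all assumptions made for the example, and the "unknown-web-client" session stands in for the kind of forwarded-reset login described later on this page.

```python
"""Added example (not from the original posts): a minimal account with
one-place key rotation that implicitly revokes every outstanding session,
per-device session records, and a 'sign out other devices' action.
Names, token format and the HMAC construction are assumptions."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class Session:
    session_id: str
    device: str
    key_version: int
    created_at: float


@dataclass
class Account:
    # The current signing key and its version. Rotating replaces the key and
    # bumps the version, so a token minted under any earlier key stops verifying.
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    key_version: int = 1
    sessions: dict = field(default_factory=dict)
    access_log: list = field(default_factory=list)  # what a user would review for unknown devices

    def _mint(self, sid: str) -> str:
        payload = f"{sid}.{self.key_version}"
        tag = hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()
        return f"{payload}.{tag}"

    def sign_in(self, device: str) -> str:
        """Record a session for a device and return a bearer token bound to the current key version."""
        sid = secrets.token_hex(8)
        self.sessions[sid] = Session(sid, device, self.key_version, time.time())
        self.access_log.append(("sign_in", device, sid))
        return self._mint(sid)

    def verify(self, token: str):
        """Return the live Session for a valid token, or None if it is malformed, forged or stale."""
        try:
            sid, ver, tag = token.split(".")
            version = int(ver)
        except ValueError:
            return None
        if version != self.key_version:
            return None  # minted under a key that has since been rotated away
        expected = hmac.new(self.key, f"{sid}.{ver}".encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            return None
        return self.sessions.get(sid)  # None once the session was signed out

    def rotate_key(self) -> int:
        """The one place to rotate: new key, new version; every outstanding session is implicitly revoked."""
        self.key = secrets.token_bytes(32)
        self.key_version += 1
        self.sessions.clear()
        self.access_log.append(("rotate_key", None, self.key_version))
        return self.key_version

    def sign_out_other_devices(self, keep_token: str) -> list:
        """Revoke every session except the caller's own; returns the devices that were signed out."""
        keep = self.verify(keep_token)
        if keep is None:
            raise PermissionError("caller token invalid")
        dropped = sorted(s.device for s in self.sessions.values() if s.session_id != keep.session_id)
        self.sessions = {keep.session_id: keep}
        self.access_log.append(("sign_out_others", keep.device, dropped))
        return dropped


def demo() -> dict:
    """Constructed scenario: an attacker holds a session, the owner rotates once,
    the attacker's token dies, and the owner signs in again with the new key."""
    acct = Account()
    owner_tok = acct.sign_in("owner-laptop")
    attacker_tok = acct.sign_in("unknown-web-client")  # constructed attacker session
    attacker_before = acct.verify(attacker_tok) is not None
    acct.rotate_key()
    attacker_after = acct.verify(attacker_tok) is not None
    owner_old_after = acct.verify(owner_tok) is not None
    new_tok = acct.sign_in("owner-laptop")  # resuming sign-in works as before
    return {
        "attacker_before": attacker_before,
        "attacker_after": attacker_after,
        "owner_old_after": owner_old_after,
        "owner_new": acct.verify(new_tok) is not None,
        "key_version": acct.key_version,
    }


if __name__ == "__main__":
    print(demo())
```

The point of binding tokens to both the key and a version number is that rotation needs no per-session bookkeeping to be complete: anything minted before the rotation fails the version check and the MAC check at once, while the access log keeps the evidence of which devices had been let in.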

Dan Finlay 🦊
@danfinlay
Yes. Right now I'm prioritizing potentially compromised accounts over safely locked accounts.
0 reply
0 recast
1 reaction

Dan Finlay 🦊
@danfinlay
By the way: Fuck DNS security. It's horrendous that one grumpy sysadmin can decide that they want to keep moving the goalpost and simultaneously give away control of your name and also deny it to you on arbitrary terms. I've been critical of DNS safety for years, and concerns around it are part of why we did not pursue a web wallet at MM years earlier (though we had working prototypes). Not your smart contract, not your terms?
4 replies
4 recasts
28 reactions

Dan Finlay 🦊
@danfinlay
Anyways, I have a lot of accounts to comb through and ensure are secure now, and I won't feel perfectly happy until I've covered them all, but fortunately I have good records of this and can do a thorough pass.
1 reply
0 recast
11 reactions

Dan Finlay 🦊
@danfinlay
The domain that was taken over was used for many of my accounts, but none of my MetaMask related responsibilities, which were gapped to accounts that are controlled by different machines entirely, so MetaMask infrastructure was never at risk during this attack.
1 reply
0 recast
7 reactions

Dan Finlay 🦊
@danfinlay
Some friends in the security community were able to freeze the attacker's stolen funds. I believe this does not mean they are recoverable, but it does mean the attacker will not profit from this attack, which is nice. Some readers of this were probably defrauded and will continue to assume the worst of me, and that sucks.
2 replies
0 recast
6 reactions

Dan Finlay 🦊
@danfinlay
At this point, the registrar requested EVEN MORE documents from me, and claimed they had stopped forwarding emails to the attacker (I later found this was also not the case). I drove around getting the docs they requested and regained control of the account on the same day (Monday), but due to issues within the registrar site, only was able to finally transfer the account to another registrar today, so I'm free of them now.
1 reply
0 recast
7 reactions

Dan Finlay 🦊
@danfinlay
The registrar had requested many documents from me to restore the account to myself, and I provided them, and they were slow to reply. I should have nagged more, but I believed the account was at least no longer under attacker control. A month later, they conducted this FC attack, which promoted a meme coin which was used to defraud my followers of ~$150k after the rug.
1 reply
0 recast
6 reactions

Dan Finlay 🦊
@danfinlay
The registrar claimed they locked down the account, and no attacker had my domains/emails anymore, but they were wrong. They had left an email forwarder on their servers (not visible on public DNS records) to the attacker's address. That forward is how the attacker performed a password reset/login using the warpcast web interface.
1 reply
1 recast
13 reactions