There is spam happening involving usage of this project/script #98
Comments
I also received an email like this and I've reported it to SendGrid, so they'll hopefully suspend the account that was used to send this, but the spammers will likely figure out a different way to send their emails in the future, so this project should definitely mention the spam somewhere in its README so that people don't fall for it. |
I have also received this same spam email. |
Definitely a good idea! |
I've been getting several of these emails, which are obviously scammers. However, for "transparency" they redirect to this repo, which leaves me confused. If this project is legit, what does it do, and what is the scammers' plan? |
No free energy and no free money 🤑 |
@Fil From my limited understanding, Fluence is launching a cryptocurrency token, so Fluence (randomly?) selected a bunch of GitHub accounts to give 5000 of those tokens to. Of course, using OAuth would be too easy and secure, so instead they created their own system, but they didn't add mutual authentication, so if a scammer intercepts the communication (or deceives you into communicating with them) they can pretend to be you and get your tokens. Warning: Even if you don't care about these tokens and would be happy to sell them, don't give your bank account number or other payment details to random people on the Internet. I think Fluence's authentication method works as follows. Fluence took the public SSH keys of the selected users and used those to encrypt some secret data, and uploaded those encrypted pieces of data to a public location. If (and only if) you have the corresponding SSH private key, you can decrypt the data, and with that you can create a proof validating your ownership. This repository is a tool that automates the user-side part of it and spits out a proof if you give it your SSH private key. You can then upload this proof at https://claim.fluence.network/ (don't sue me if that's the wrong link, verify it yourself) to claim the tokens into an Ethereum wallet of your choice. Of course, if you give your proof to a scammer, they'll take your tokens instead. Apart from lacking mutual authentication, there are a few other security flaws in their design as well. Most notably, it requires access to your private SSH key. Of course, they promise they won't abuse that privilege (you do thoroughly read all scripts before running them, right?), but they do not consider supply chain attacks (e.g. by pinning package versions with hashes). They don't even have a security policy. |
Thanks for the explanation. I have no plans to sue you nor to run any of these scripts :) |
I replied back on this email saying that i need to know more about what this code does and here is the reply I received. Make sure you look out for this phone number:
|
Their explanation is sound, but that's usually how they get ya. But $500 for just a bunch of tokens? Well, if it sounds too good to be true, it probably is. |
So I was the one who batch sent this email. And I'm not a scam. I did purchase proof from some people. And I will deliver the money if they send me the proof. There is a lot of speculation around the FLT so some people are willing to sell the proof for a certain amount of money, also 500 dollars is negotiable and it is a fair market. I don't intend to run away with other people's proof without paying, so I don't think it is a scam. |
Yes, in hindsight, I realised it might not be a scam, since it appears that the tokens are currently valued at $1 each (and eligible people receive 5000 tokens), which explains your interest much more. (Though I still disapprove of your email not sufficiently informing people of the impact of sharing such a proof.) That said, though, unless I misunderstand something, how is the proof useful to you if you don't also have a corresponding signature containing the address of your own Ethereum wallet? |
By the way, if anyone here is willing to sell their proof, you can reach out to me at highground.ou@gmail.com, also you can add my telegram:xiaomaogy. I'm willing to buy the github proof if you are qualified, and the price is negotiable. |
So basically I can give them an address when they generate their proof. So the token price fluctuates, and it's hard to tell how much it would be worth when it gets unlocked. There is a two month unlocking period. Also a lot of people don't have the channel to sell the token. I'm just providing another channel for them to benefit from it. Also I think I'm doing a good thing, because of my email more developers are aware of the dev reward, and if they don't want to sell at least they can claim it by themselves, and avoid the halving later on. If you are bothered by my email, I'm really sorry. I don't want to scam you, but this is the only way I can reach out to people, and see if they are interested. Again add me on telegram if you are interested in selling, my telegram handle is: xiaomaogy |
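An added example, not code from this repo or from Fluence, illustrating the address binding discussed in the comments above (the proof scheme sketched by @FWDekker, the question of how a proof is useful to a buyer, and the answer that an address is supplied at generation time): the proof is a signature over the challenge plus the claim address, so a proof generated for one address cannot be redirected to another. The Ed25519 key pair and the random challenge are stand-ins for the real SSH key and encrypted blob (assumptions); the private key never leaves the holder.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Proof is what the key holder hands over: only the address and a signature
// travel, never the private key itself.
type Proof struct {
	Address   string
	Signature []byte
}

// claimMessage is the exact byte string that gets signed: the issuer's
// challenge and the claim address together, so the address cannot be swapped
// out after the proof has been generated.
func claimMessage(challenge []byte, address string) []byte {
	h := sha256.New()
	h.Write(challenge)
	h.Write([]byte("|claim-to:" + address))
	return h.Sum(nil)
}

// MakeProof is the holder side: sign the challenge bound to the chosen address.
// (Assumption: an Ed25519 key stands in for the SSH key, and the challenge
// stands in for the secret recovered from the encrypted blob.)
func MakeProof(priv ed25519.PrivateKey, challenge []byte, address string) Proof {
	return Proof{Address: address, Signature: ed25519.Sign(priv, claimMessage(challenge, address))}
}

// VerifyProof is the issuer side: check the signature against the public key
// on file and the address the claimant asks to be paid to.
func VerifyProof(pub ed25519.PublicKey, challenge []byte, p Proof) bool {
	return ed25519.Verify(pub, claimMessage(challenge, p.Address), p.Signature)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	challenge := make([]byte, 32) // constructed challenge, random per holder
	rand.Read(challenge)
	p := MakeProof(priv, challenge, "0xHOLDER_ADDRESS")
	fmt.Println("proof for holder address accepted:", VerifyProof(pub, challenge, p))
	// Someone who merely receives the proof cannot point it at a different address.
	p.Address = "0xOTHER_ADDRESS"
	fmt.Println("proof with rewritten address accepted:", VerifyProof(pub, challenge, p))
}
```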
You got some competition, I received an email offering $700 😄 |
Ah, so I'm not the first 😝 |
I've seen a lot of bad scams, but this one really shoots the bird |
Yes, I can compete with that price. I will offer the best price on the market. Just contact me on telegram if you are interested in selling. My telegram is: xiaomaogy |
I mean, I think it's fairly safe to generate the proof and sell it to someone if it's done properly (payment to ETH wallet, never sending private key etc.). They will not have access to any critical information? But maybe I'm missing something? |
👀 There is also a substantial risk of losing your private ssh key this way, which, if you use this one for paid work, can also cause some very expensive liability issues. |
@FWDekker No way that I run those scripts, but did you have a look at the paranoid instructions? What do you think? I found an old vulnerability from grep, but the ubuntu 22.04 they tell you to spin up is supposed to have the patched version 🤔 Looks legit to me, but I'd be up for second opinions before trying it, don't want my sk to get hacked |
I understand, thankfully I can dispose of my ssh key and have already generated a new one, so I don't know if there are more "shady" parts about that. The only thing I can say about @xiaomaogy is that he paid what we settled for the proof, half before, half after, so that part I can vouch for |
The paranoid instructions involve disabling the network of the Docker container before importing your SSH key, so it can't covertly exfiltrate your key. (Instead of Docker, you can also use Podman, which is rootless, but then you can only disable the network by running
The proof itself also doesn't contain anything that is related to your private SSH key. The private SSH key is only used to decrypt the ciphertext from
I haven't checked the other scripts in this repo, but if you follow the paranoid instructions I don't see the private key leaking (assuming they have not been maliciously edited as of me writing this). No, I think the main risk here is you giving away tokens without the other paying you. If you are still paranoid about losing your SSH key, then generate the proof, remove your public SSH key from all accounts where you use it, and then give the proof to someone else. (If you follow the best practice of using a unique SSH key per machine per service, this is easy. Otherwise, this might be a good time to start doing that.) |
I also received one of those mails. Well, fluence is not up to date on ssh obviously. The private part of FIDO2 ssh keys never leaves the security token (and so you can't use them with age), so good luck generating your proof in that case! 😆 |
Yeah. Otherwise a scammer will send money to your bank account and you'll be left with the money like an idiot. |
Go ahead, share whatever details you want with strangers on the Internet. Surely, they won't use it to build a profile by connecting various data leaks to perform a (spear)phishing attack against you, your family, or your colleagues, right? ;-) |
Yes scamming is really a thing these days. After purchasing around 5 proofs I got someone contacting me, acting as if they are certain github account users. I didn't verify that (which is my fault), and sent them the first half of the money via a different crypto payment method (like ZEC or Dash). And after they received the crypto they deleted the telegram chat and disappeared. I'm really disappointed and now I really need to verify the ownership of the account before I actually pay people. I'm still purchasing git proof for the fluence rewards if anyone is interested. My telegram is: xiaomaogy. But I will be more careful. |
Why not use OAuth for this proof??? |
I don't know why I was listed in it either. And I really don't care about any of that crypto stuff. However, I can vouch for @xiaomaogy as well. I sold my tokens to them because I have no use for it. The process was pretty straightforward there. So that at least isn't a scam. |
I was paranoid but highly curious. I went with a hybrid of the paranoid method but used the web interface to generate proofs:
Complete overkill, but worked.
|
Thanks for the vouch, really appreciate it. So far I've traded with more than 25 people. Some of them are scams and never return after I sent them the initial batch of the money, but many of them are honest and we made the trade work. You can still reach out to me on telegram: xiaomaogy. I'm still purchasing the git proof. I can also use the approach mentioned by @LeslieOA if you are worried. That way I don't have access to anything from you, just the proof. You can be sure that I'm honest and all I want to do is get the proof so that I can claim the FLT reward. |
@xiaomaogy is not a scammer. He sent me $250 in ETH. But then I read this project more carefully and claimed the tokens for myself. I sent the ETH back to @xiaomaogy. No scam, no hate. |
TL;DR: Is running that script and giving the requested proof safe? Can anyone confirm? |
I learned about Fluence from the scam e-mail, so it's not all bad! |
It could have been done much more easily, like how StarkNet has done it. |
This might be the first time in a long time a spam email in my inbox is somewhat legitimate at the source. Not using OAuth is an oversight, giving your docker image access to my raw private keys? Yeah that's a pass from me. The manual method seems fine but overly tedious. |
I wanted to draw attention to another way of luring people into buying tokens:
My Github profile just contains forks of already existing projects (so the |
I am also getting some scammy-looking mails?
|
Looks safe. The person was just expecting some finder's fee as the reward |
@FWDekker imagine yourself in 2010 when you heard of Bitcoin for the first time. Those who've been complaining here about a scam, would've likely complained about Bitcoin and cryptocurrencies being a scam in 2010 too. Hence, your advice is a shitty one. Only in some cases can it be applicable. |
Haha, that's an apt comparison :P In my defence, both Fluence's communication about the offering (i.e. none, they didn't even tell me I was eligible at all) and Fluence's authentication procedure (see my criticisms in another comment) are very lacking, so it's not surprising so many people are confused and distrusting. |
So that is not a scam and Fluence has a reward link?
Best regards,
Nils Baumgartner
On 13.07.2024 at 11:10, Florine W. Dekker wrote:
> "Their explanation is sound, but that's usually how they get ya. Well, if it sounds too good to be true, it probably is.
> @FWDekker imagine yourself in 2010 when you heard of Bitcoin for the first time. Those who've been complaining here about a scam, would've likely complained about Bitcoin and cryptocurrencies being a scam in 2010 too. Hence, your advice is a shitty one. Only in some cases can it be applicable.
> Haha, that's an apt comparison :P In my defence, both Fluence's communication about the offering (i.e. none, they didn't even tell me I was eligible at all) and Fluence's authentication procedure (see my criticisms in another comment) are very lacking, so it's not surprising so many people are confused and distrusting.
|
@NilsBaumgartner1994 Difference is, Bitcoin has solid design, while Fluence's authentication mechanism for claiming tokens is shoddy. And remember that this issue is not about Fluence in general, but specifically about the implications of sharing authentication material with a stranger. I won't make any claims about how Fluence works or what it is, because I genuinely don't know. As for my advice, I still stand by it. If someone claims that you can get free money, be very, very wary, and look at the details very closely before you act. Ask for the opinions of others as well. Though Bitcoin and Fluence indeed turn out to be "free money" if you played your cards well, asserting that you don't need to be wary of other cases is simply hindsight bias. So, remain cautious. Next time, it might be a scam. There's thousands of crypto scams out there, after all. Always think before you invest money with someone you don't know, and don't take risks you can't afford. |
I agree that it's sketchy if you give it network access and don't check the code, but it works offline and the proof string is shorter and has lower entropy than your private key, so it's provably not leaking it. |
I sold my tokens to the guy in the question a few months ago. The token back then was worth around $1. Now it's dropped to $0.25. All the while watching the idiots here screaming "scam!", particularly the biggest screamer of all being @FWDekker :) Where's scam? |
Wait, so I have to share my private ssh key?
Best regards,
Nils Baumgartner
On 13.07.2024 at 12:33, Florine W. Dekker wrote:
> @NilsBaumgartner1994 Difference is, Bitcoin has solid design, while Fluence's authentication mechanism for claiming tokens is shoddy. And remember that this issue is not about Fluence in general, but specifically about the implications of sharing authentication material with a stranger. I won't make any claims about how Fluence works or what it is, because I genuinely don't know.
> As for my advice, I still stand by it. If someone claims that you can get free money, be very, very wary, and look at the details very closely before you act. Ask for the opinions of others as well. Though Bitcoin and Fluence indeed turn out to be "free money" if you played your cards well, asserting that you don't need to be wary of other cases is simply hindsight bias. So, remain cautious. Next time, it might be a scam. There's thousands of crypto scams out there, after all. Always think before you invest money with someone you don't know, and don't take risks you can't afford.
|
@NilsBaumgartner1994 I see now that I misread your previous comment due to its bad formatting. I thought your comment was "imagine yourself in [...] it be applicable", but that was in fact a relatively old comment from someone else. To actually answer your question(s): If you are eligible, you can claim your FLT-DROP tokens here, which requires you to create a proof as described in the README of this repo. After two months, you can convert your FLT-DROP to FLT tokens at the same website, and those tokens you can freely use and trade. The proof requires that you decrypt something using your private SSH key. Doing so does not leak your private SSH key. The instructions for creating a proof are in the README of this repo, and last time I checked, those instructions seemed reasonable. |
Set up a VM to run the untrusted code, generated an ssh key specifically for the proof, aaaaand
Well guess I'm SOL then. |
@ariesgun I got the same email as yours. |
Yeah, I have claimed it.. It's all good. |
They claim they want a more decentralized solution. https://blog.fluence.network/fluence-developer-community/
https://blog.fluence.network/how-we-built-a-truly-trustless-flt-rewards-claiming-process/ |
@rardiol Fluence determined airdrop eligibility based on the "centralized" github activity, sounds contradictory lol. Although I respect the technical approach, I hope to see this in a coherent and consistent context in the future. |
wtf? The whole verification could literally be
Just a few clever openssl commands is all Fluence would need to verify ownership. Edit: added key select prompt. |
Could you help me claim my token, having issues with the process. |
Could you kindly help me claim my token, having a few issues with the process. |
all right. I'm trying to get my flt. |
I got this Mail.