My old physics teacher always said: "It's the dumb criminals who get caught; you never catch the smart ones." He was a really smart guy, and he did live a nice lifestyle, hmmm...
Anyway, so IOTA. As with any digital currency, you need some random information - a passphrase typically - that is used when you create your wallet. In the case of IOTA, which is supposed to be IOT friendly, this means a string of 81 random characters, the generation of which could be pretty easily automated.
That's great, and the OSS world being full of helpful people, someone wrote a handy generator, put the code for all to see on GitHub, and put their generator onto a website where you could easily make use of it. Nice.
Actually, diabolical. The code on the website really was identical to the code on GitHub, except for one tiny, almost insignificant change: at some point, the owner swapped out the random seed to a value that he knew. Not even constant - that would have been too obvious - but known nonetheless.
And for many months, many people used his friendly little service. Until January 19th, when he emptied their IOTA wallets, erased his presence from the Interwebs, and quietly disappeared. $4 million or so richer.
This one won't be caught.
tl;dr for anyone who doesn't get it: The point of having a secret password, secret passphrase, or secret key is that it's secret. Which means that you don't have it generated for you by a public web service.
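The flaw described in the post, as an added Python example that is not part of the original post and is not the generator's actual code: a seed drawn from a PRNG whose starting state is known passes every format check yet can be regenerated at will, while one drawn locally from the OS CSPRNG cannot. The function names and `KNOWN_STATE` are hypothetical and constructed for illustration; the alphabet (A-Z plus 9) is the IOTA seed character set.

```python
import random
import secrets

TRYTES = "9ABCDEFGHIJKLMNOPQRSTUVWXYZ"  # IOTA seed alphabet (A-Z and 9)
SEED_LEN = 81                            # seed length stated in the post


def seed_from_seeded_prng(prng_state: int) -> str:
    """Seed drawn from a deterministic PRNG whose starting state is known.

    Models the flaw described above: the output looks random, but anyone
    holding prng_state can regenerate it exactly.
    """
    rng = random.Random(prng_state)
    return "".join(rng.choice(TRYTES) for _ in range(SEED_LEN))


def seed_from_os_csprng() -> str:
    """Seed drawn locally from the operating system's CSPRNG."""
    return "".join(secrets.choice(TRYTES) for _ in range(SEED_LEN))


def is_well_formed(seed: str) -> bool:
    """Format check only; it cannot tell a predictable seed from a safe one."""
    return len(seed) == SEED_LEN and set(seed) <= set(TRYTES)


def is_reproducible(generate, runs: int = 3) -> bool:
    """True if repeated calls to generate() return the same seed every time."""
    return len({generate() for _ in range(runs)}) == 1


if __name__ == "__main__":
    KNOWN_STATE = 20180119  # constructed value standing in for the known state
    weak = lambda: seed_from_seeded_prng(KNOWN_STATE)
    print("weak seed well-formed:  ", is_well_formed(weak()))
    print("weak seed reproducible: ", is_reproducible(weak))
    print("local seed well-formed: ", is_well_formed(seed_from_os_csprng()))
    print("local seed reproducible:", is_reproducible(seed_from_os_csprng))
```

Both seeds look identical to a format check; only the source of randomness differs, which is why the seed has to be generated on a machine you control.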
(Score: 5, Insightful) by maxwell demon on Thursday February 01 2018, @06:22AM (7 children)
Somewhat related: There is a huge number of online password strength checkers you find on the web. I've always wondered how many people would be dumb enough to enter their password to such a site. Well, judging from this story, probably quite a few.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 3, Funny) by Bot on Thursday February 01 2018, @08:18AM (6 children)
Do you know that soylentnews automatically obfuscates your password in comments? try it.
******
EDIT: oh wait it does not work, the above IS my password. don't try it, does NOT work.
Account abandoned.
(Score: 1, Funny) by Anonymous Coward on Thursday February 01 2018, @09:27AM
correcthorsebatterystaple
(Score: 1, Informative) by Anonymous Coward on Thursday February 01 2018, @10:24AM
Your password is not secure anyway. Six characters are broken in no time these days.
(Score: 0) by Anonymous Coward on Thursday February 01 2018, @02:52PM (1 child)
Do you know that soylentnews automatically obfuscates your ******** in comments? try it.
FTFY
(Score: 0) by Anonymous Coward on Friday February 02 2018, @01:13AM
My password is hunter2. I can still see it in the preview. Does it appear as ******* to you?
(Score: 2) by bradley13 on Thursday February 01 2018, @03:54PM (1 child)
Whaddaya mean? My password is 1234, and it didn't get obfuscated at all! Oh, also, please don't steal the atmosphere.
Everyone is somebody else's weirdo.
(Score: 0) by Anonymous Coward on Thursday February 01 2018, @05:09PM
Hey, that's the combination on my luggage!