Zbay public beta + thoughts on privacy tools and activism

Hi everyone— Reuters just published a big story today on a hacking-for-hire firm that attacked my previous activist organization Fight for the Future. The story is pretty lurid. This firm did exclusively for-hire work—on behalf of household-name corporations, it seems—targeting competitors, adversaries in lawsuits, and political adversaries like activists or journalists working on issues ranging from net neutrality to climate change.

I wrote a thread about the experience and on the importance of secure tools for activists and journalists who face attacks like this. Sharing here in case anyone finds it interesting:

Also, Zbay is now in public beta!

It’s still not ready for storing large amounts of funds or where security is critical, and light wallet functionality is still on its way. But we’ve tackled a lot of stuff in the past few weeks:

Zbay now plays nicely with other wallets - We did a bunch of work to make Zbay play nicely with Zecwallet. Messages sent between Zbay and Zecwallet work now. Existing Zecwallet, Zecwallet-lite, and zcashd installs won’t mess up Zbay or vice versa. We now show incoming messages and money from unknown (e.g. non-Zbay) users, and we let you send messages or money without including your Zbay signature or reply-to address. I spoke a bit with Aditya and I’m really excited to make Zbay’s human-readable usernames (for example: I’m @holmes on Zbay, and that name is registered on-chain) interoperate between Zbay and Zecwallet lite too, so hopefully that’s in the works!

Zbay recovers gracefully from zcashd crashes - There was a nasty bug where some users (especially on Windows) would be locked out of Zbay after they restarted. This was due to a known zcashd bug, where after being shut down abruptly (we think hibernation is a factor) zcashd will consistently crash on restart. We now make a backup of wallet.dat and restore the backup automatically and start a rescan when we detect a crash on startup. This increases startup time, so it’s not great, but it’s better than being locked out and having to muck about in a terminal to fix things!

Privacy & security improvements - We now get USD/ZEC price updates via encrypted memo instead of a normal URL-based API, to reduce our attack surface by moving data over encrypted memos wherever possible. We also now require user intervention before registering an account—in case, for example, a user would like to connect via Tor before registering. We also let you create new transparent or shielded addresses when you need one, a basic privacy feature Zbay was missing.

We’re really excited about all the awesome progress that Aditya and ECC have been making on light wallets, and we’ll be working on light wallet functionality in Zbay over the coming weeks.

More soon!
—Holmes @ Zbay

10 Likes

Awesome!! …