Who is nijeah?

in #witness-update6 years ago (edited)

As you might know, Steem was down for some hours today.

@holger80 has a good overview, what happened.
Also https://steemit.com/steemitdev/@bobinson/why-did-steem-blockchain-froze

So the question is, who is this guy, @nijeah?

image.png

Created by anonsteem.
That is of no help.

how about his wallet:
image.png

Look at that, he did use bittrex.
Lets continue our search on steemworld.org:
image.png

Let's scroll down a bit:
image.png

This points to @netuoso
Your Top 20 Witness
:(

On another note, my witness node (haha) is getting updated
( not that it matters at my position anyway)

I am way more angry, that I couldn't play and stream this morning!

UPDATE:
@netuoso answered:

do not own or run the @nijeah account. Several months back I helped the user with a couple scripts and answered a few questions on discord. I was compensated for my time.
I'll help anyone that asks or needs it on the Steem devs discord server.

UPDATE2:
@netuoso answered in a posting here:
https://steemit.com/drama/@netuoso/open-letter-to-the-harassers-and-anyone-else-paying-attention-re-blockchain-freeze

Sort:  

I do not own or run the @nijeah account. Several months back I helped the user with a couple scripts and answered a few questions on discord. I was compensated for my time.

I'll help anyone that asks or needs it on the Steem devs discord server.

Added more since this is getting blown out of proportion. https://steemit.com/drama/@netuoso/open-letter-to-the-harassers-and-anyone-else-paying-attention-re-blockchain-freeze

How many people would you say you have helped and been paid on bittrex? I dont see very many similar transactions.....

Why wouldnt you do direct steem transfer?
I wouldnt expect you to get upset at questions... Im guessing I cant pull up anything anyone else can.

Seems fishy to me, tbh.

Edit: are you willing to screenshot the conversation you had with them?

I was invited into a network security forum long ago where a lot of net-admins gathered to learn and combat abuse.

The longer I was there the more info I was allowed to see, I was there over a year before I was allowed to see everything..

Point is, to just allow anyone in to see how to take down networks would be irresponsible. You helping anyone that asks seems equally irresponsible to me...

Thank you for addressing it- staying quiet only makes things worse.

Upvoted so that @netuoso's comment is first, as he's the subject of this post.

curious you say you dont own @nijeah yet these outgoing transfers to @bittrex were sent at the exact same time on 2 different occasions this would tell me with 99.99996% certainty that @nijeah is indeed your account and that you had used script interface etc to submit the transfers at the same time to your @bittrex account





https://steemworld.org/@nijeah

2018-01-08, 05:08 nijeah bittrex 38.918 SBD f62cb7ea66e84c94867

2018-01-05, 23:47 nijeah bittrex 26.663 SBD f62cb7ea66e84c94867





https://steemworld.org/@netuoso

2018-01-08, 05:08 netuoso bittrex 33.850 SBD f62cb7ea66e84c94867

2018-01-05, 23:47 netuoso bittrex 43.528 SBD f62cb7ea66e84c94867

Thank you for your answer.
Maybe you remember what scripts and what issues this user was facing?

It was instructions on how to use Steem js to handle errors inside of promises mainly. The scripts I provided were some example bots that I used and coded from scratch. They did contain automated vesting withdrawals so could be related.

So would you guess that he did this accidentally?

Even if it was @netuoso, there's nothing malicious about trying strange operations out and seeing how the blockchain will be able to handle it or not. Imagine this happened after we already had millions of active users, it would be much worse. I'm glad @nijeah did what they did. After all, a fix was found, though not without lots of stress for all the witnesses/devs involved, I am sure.

Edit: Obviously I realize the seriousness of the situation. I'm also not a developer/witness so I'm somewhat ignorant about the proper procedures. But I expect the STEEM blockchain to be strong enough to handle something of this nature. If it cannot, there is no reason to use it over another coin. I'm sorry, but I just cannot blame the user who initiated this operation. Clearly it would have been wiser to make the attempt on a testnet, so perhaps there was some malicious intent.

There's something weird about it though. @nijeah tried 4 operations, first a -1Vest withdrawal, then a -2Vest, then -10 Billion, and finally -1 Trillion, which is way over the Vesting Fund of 391,231,329,807 Vests.

Not to shamelessly plug my stuff but, I emphasize this very detail here: https://steemit.com/steem/@jerc33/steem-blockchain-down-here-s-what-happened

Also, and not less important. No one just tries stuff like this and at these disastrous amounts (albeit negative amounts, sure) on a production environment. This is a completely irresponsible conduct for someone "just testing the system".

EDIT: The right approach would be. trying this in a testing environment, of course. But still disregarding that one, at a -1Vest withdrawal @nijeah had already all the information he/she needed to report it to @steemit directly. And by doing so, the SteemitDevs would have 7 days to prepare and probably correct the error, instead of having to push all-nighters just because of the incompetence of a, presumably self-entitled "pen-tester".

I have a hard time believing this had other intents than malicious ones. Incompetence doesn't look like this.

Yes, I did notice the absurd increasing quantities. I understand the view that this is irresponsible, but don't know enough about coding to be able to say whether there was a better way to test this than live on-chain. Besides, the operation was started 7 days before, there should have been plenty of time to detect this anomaly and implement a fix before the blockchain froze. I'm sorry, but I expect the STEEM blockchain to be extremely robust. After 2 years of being live it should be able to handle something as basic as negative withdrawals.

That's easy, We're all humans. Every code-base, be it Google's, Microsoft's, Facebook's or wtv, has flaws like this waiting to be discovered. And some of those that have been discovered already are even dumber, like the empty password flaw on macOS, recently.

Of course, if this happened to some software I created the first thing I'd want to do after fixing it would be hide under a rock out of shame. I'm sure SteemitDevs feel the same way already.

About detecting though, that's tricky. You can't implement unit tests on problems you don't foresee. But as someone involved in pen-testing projects I have to say, the lack of communication on nijeah's part raises all kinds of red flags to me.

But, I'm of the opinion that Steemit failed miserably at one very important thing, the fact that it never organized a proper bug-bounty program like, for example EOS did, on hackerone.com . Like @isnochys said, there's even no proper testing environment and that's clearly dumb on their part. (@ned you need a testing-evn and bug-bounties on hackerone or bugcrowd or whatever. utopian doesn't count, it's a joke.)

Correction: Maybe there is a testing environment after all, according to @therealwolf

That's not how coding works. Especially in something as sensitive as a blockchain.

You don't just try something and see if it breaks things. You write a test for it and if you have a suspicion about a bug, you'll let those people know, who are responsible and if you can fix it yourself - you'll do that.

Is there a live testnet for the STEEM blockchain? I agree that would be a more conservative place to try an operation like this. However, I'm a bit astonished that something as simple as prohibiting a negative power down has not been patched in 2 years. Then again, until it happened, it could just seem absurd.

That is strange, then, that the operation wasn't tried there first. Perhaps there was some malicious intent after all.

Actually there are several testnets, and the option to set up an own one: https://developers.steem.io/testnet/

Hehe.

But I'm pretty sure nearly every coder had a time where they just wanted to finish an update/feature.

Just. One. Last. Commit ...

Yes, that was not important!
just all of steem nodes stopped working, all applications on the steem blockchain and block production stopped for ~10 hours, and we got thousands of missed blocks

When did I say it was not important? It's one of the biggest crises to happen in the past 2 years of the blockchain being active.

That's why every product should have a valid test net.
Where one can try out things

But I may be repeating myself, steem(it) needs a proper service management.
Testing, Integration and Prod environments.

Steemit Inc has at least 1 testnet (but I think 2). You can even use the testnet easily with dsteem just with a line of code.

https://developers.steem.io/testnet/

Any "testing" of this sort should always be done on a testnet. Anyone experienced enough to do this is experienced enough to know that too.

That makes sense @blocktrades. I suppose it's easy to forget we're still in a beta phase because STEEM is so real for those of us that use it daily.

Fantastic friend

Strange..never seen such a transaction. But as others said i think its okay to test so we know what will happen with more adoption.

But it should have been done on the testnet.

nijeah is haejin backwards

Captain Obvious reporting for duty?

Captain rude being rude to a stranger?

I know its obvious but it was not stated in the post nor in the comments.

Lmao, you are funny

This is very very very disturbing! Good job on the detective work.

As I told @crokkon before, we don't have a smoking gun here, but at least a gun with maybe fingerprints on it.
The evidence wouldn't stand in front of a judge.
But I am only a steemcleaners detective.and not state attorney ;)

Will require further investigation into the blog/comments/replies of that account.

Ah, the beauty of the blockchain's transparency. The truth will surface at one point or another.

This post has been upvoted by @millibot with 40.0%!
Thank you for giving your trust and witness vote to my creator @isnochys!
More profits? 100% Payout! Delegate some SteemPower to @millibot: 1 SP, 5 SP, 10 SP, custom amount
You like to bet and win 20x your bid? Have a look at @gtw and this description!

The code should not allow the withdrawal of negative vests. There are going to be plenty of new users on here who don't know what they are doing. This wasn't nijeah's fault.

@isnochys I voted you as witness. As a witness you may know why Steem blockchain was down for hours. Nothing was working for hours. Do you know why?

Did you read the postings I mentioned in the article?

It is explained in detail there.
Are there any questions on the details?

TL;DR:
Someone did something, fixing took some time.

I could not understand what negative vesting withdrawal is? Can one person be so strong that he can put entire blockchain on standstill?

He tried to power down a negative amount of STEEM, and there wasn't a check if the number was valid, so the whole network went down after noticing this is wrong because it didn't know how to handle this (explained rather simple)

You are right. A small bug can crash a system.

This post has been upvoted by @minibot with 50.0%!
Thank you for giving your trust and witness vote to my creator @isnochys!
More profits? 100% Payout! Delegate some SteemPower to @minibot: 1 SP, 5 SP, 10 SP, custom amount
You like to bet and win 20x your bid? Have a look at @gtw and this description!

so that guy broke STEEM?

He stopped it for some hours, but didn't break it

thanks to some hard working folks who fixed it.