Monday, January 8, 2018

Been in crypto since 2014 and I was finally hacked. Thankful to this community for learning how to protect myself.


I thought I was safe. I had 2FA enabled. I had 12-word seeds on Mac OS/Linux. I thought I was invulnerable. But my love of Warriors basketball and cord-cutting got the best of me.

sportsarefree.xyz is a sports streaming website that played a super LONG con. This is how it worked: they streamed every basketball game and every football game for free, even a WWE channel 24/7. I knew it was too good to be true, and you know what? It almost was.

While I have no love for hehestreams or other $100 paid services, I saw no other option. As an aside, I believe NBA League Pass needs to figure out how to monetize their streams using crypto to cut out middlemen, trim the fat from their lucrative TV blackout deals, and charge everyone a more reasonable fee for League Pass. So until that day, sportsforfree was my drug.

Then, all of a sudden, they stopped streaming games, saying the NFL and the NBA had figured them out and learned how to block their streams. The mod on the chat box suggested, in a real smooth way, that we anons install HLS Magic, a new streaming codec. This was actually not their first time doing this, but somehow I managed to escape the first Chrome extension I was duped into installing.

Here's how they did it: they used a vulnerability in the Chrome developer protocol called CORS. HLS Magic was the trojan horse for a keylogger.

Now, normally I would be much more secure in Mac OS, but I let. them. in. In my stupidity, I installed Clappr using the Terminal. Clappr was an insecure GitHub repo that took forever to install, but I thought I was a genius when I finally figured out how to use it. After all, I was able to watch the 49ers get back to their Quest For Six, and Jimmy Garoppolo caused me to forget all of my hacky computer foibles.

So I decided to wash my digital identity as much as possible.
It was a panic fest for a while.

I learned from /r/bitcoin that even though Bitcoin is unusable with long confirmation times and high fees, it is still fucking stupid to use the same phone number for my credit card and Coinbase. It doubles the attack vectors when really you can keep them separate and more secure with Google Authenticator and 1Password with Touch ID. Using my Google Voice number, they could have gained access to my Gmail using SMS and a temporary phone number. They could even go as far as looking in the Gmail trash bin, because those old emails from whenever Coinbase or Bitstamp tells you to log in don't disappear until you DELETE them from trash. You have no idea how many old emails reveal your activities.

Please learn from me and make crypto more secure. Or else more thefts will scare people away from digital wallets. Take your computer security seriously. Don't fuck with free sports websites. And don't fuck with Steph Curry. He is the only Skyfucker worth all my crypto.

(Throwaway for obvious reasons)

Edit: remember to revoke all access to third party APIs that require too much info. Especially CORS.

via /r/Bitcoin http://ift.tt/2FcWFHC