An update on EncryptoTel
This post is largely a quick and simple response to this update from the EncryptoTel team.
EncryptoTel used the icoTech platform to power their ICO, processing user registrations, and managing the flow of funds from users through the various escrow wallets. EncryptoTel set up their own ‘blockswap’ server, which also functioned as the distribution server.
An unintended consequence of the complexity of this setup was that an API was required between our platform and EncryptoTel’s distribution server.
Unfortunately the API key was compromised, and an attacker was able to steal tokens.
Following this hack, EncryptoTel have stated that they appointed an investigation team, the output of which is this report.
The vulnerability exposed in that report did exist, and is serious, embarrassing, and I’m professionally mortified that such a foolish error and security breach occurred. We are improving security practices across the board in our growing team — about which more later.
However, I have a very poor opinion of the report as written, for these reasons:
- The post is inaccurate. It states ‘We are 100% certain the fault lies with Incent.’ They appear to be certain because of the existence of the vulnerability, as detailed. The server logs indicate that the vulnerability was only accessed on the 25th June, after the hack.
- Publishing the specifics of the vulnerability, including the credentials, without any obfuscation, is way out of line. Demonstrating that you used the vulnerability to actually access repositories, even for the purposes of investigation, is not just out of line, but illegal in many jurisdictions. It’s a dick move.
- At no point did any member of the investigation team communicate in any way with any icoTech team member. At the very least I would expect some investigation of the distribution server, and the server with the vulnerability.
At this point, I believe the focus needs to be on ensuring all investors receive their tokens, and that the project, which in my view has huge potential, can begin its build in earnest. I don’t want to be drawn into unnecessary drama, so I don’t plan on responding in much more detail for a while; I’ve said my piece above.