Communication Channels & Best Security Practices
KIRA Network community, we are getting close to the grand finale of the public round and for that reason we will be highlighting in this article means of communication between Kira Team along the best practices to stay safe and vigilant in order to prevent any possible scams and social engineering techniques.
Social Networks
There are many ways through which Kira Team engages with the public, the main ones are currently twitter, medium, telegram and email. It is very important that all those channels can be easily identified and that no one is misled by fake accounts and channels with differently spelled names. For your convenience we created following subdomains which you can trust to redirect you to the desired source:
- Medium: blog.kira.network
- Twitter: twitter.kira.network
- Telegram: tg.kira.network
- Discord: discord.kira.network
- LinkedIn: in.kira.network
- Github: git.kira.network
- Keybase: keybase.kira.network
When requesting any types of links and sources, always ensure that they originate from the kira.network domain or corresponding *.kira.network subdomain. It is recommended that you should never click on any sort of hyperlinks provided to you, but rather copy or type the source manually to your browser bar after checking the syntax, then save the tab in your bookmarks for easy access. More details on why, and what other possible exploits you should be aware of see the Best Practices section.
Always exercise due diligence, just because something is posted on one of the official channels does not automatically imply that the message was not posted by a compromised admin account or account that visually resembles an admin account. Many social media platforms do not provide multi-factor authentication methods and those that do can also be exploited. Best way to stay safe is to always think critically and verify the source along the content. If any doubts arise, always ask for a cryptographically signed proof.
Our admins will never PM you first, never ask for money, private keys, seed words or any other type of private data and potentially sensitive information.
Email Communication
Emails by any metric are not a secure means of communications. You should never receive an email from us unless you explicitly messaged hello@kira.network prior to the response or took part in the contest where you submitted your information and expected the response. In the case where you receive an email it is essential that you verify sender address and PGP signature which must be part of the message body. If the signature is not present it is essential that you request it and verify.
By far the simplest way of verifying the signature is to exercise the following routine:
- Visit verify.kira.network which will redirect you to keybase
- Paste the content of the message within the “Message to verify” box
- Click Verify button and ensure that a green label “Signed by …” appeared
- Click on the name in the green box which will redirect you to the keybase user page
- Verify that keybase user who signed the message has a verified kira.network DNS record (blue badge next to the address)
For advanced users who prefer not to use third party services to verify PGP signatures they can find our public key though following hyperlink: https://pgp.kira.network, we also published our public key on our official github page here to provide at least two sources of validation.
Best Practices
When accessing any websites ensure that they possesses valid HTTPS certificates, which you can identify in the navigation bar of our browser by clicking on the padlock symbol.
Always stay vigilant when clicking on any types of hyperlinks regardless if provided to you by the admin in the chat or present on the website. Before clicking on any address, always hover your mouse for a few seconds over it and verify where you are being redirected. You will notice a grey box with the address appear next to the text you are hovering over or in the bottom left of your browser window.
To test your diligence we created the following test. Can you spot four fake links among a single real one that redirects to the KIRA Network website without clicking on it ?
If you spotted the correct one without clicking on any of the above links, type your answer 1,2,3,4 or 5 in the comments below the article : )
You have to always stay vigilant, links and admin handles might not only only be visually identical but exactly identical. On mobile devices such as smartphones it might be even more difficult to spot a fake address or account. In case of doubts you can request a cryptographic proof from any of the admins and stop communication until they present it. The simplest way of establishing trusted communication is to request an admin to reply to you with a signed message containing his handle and a long random string of your choice. You can then verify the signature the same way as mentioned before in the case of email content signed using PGP.
If the admin has no common channels with you, does not have a handle or PM’ed you first then it is 100% a scam. Always remember that admins are also only humans and they can be mischeaved and their accounts compromised. The social media platforms can be attacked and exploited to provide you false information.
Summary
The safety convention for the average user should be content originating from the kira.network domain. There is no ideal way to guarantee 100% security of communication channels and social engineering techniques can mischief even professionals. All communication of importance such as public keys or contract addresses will be always cryptographically signed by our team. Common sense is often the best defense, we ask you all to stay vigilant and report all cases of potential abuse to hello@kira.network
PS
To learn more about potential threats and analyze example signatures see the summary of our Security Challenge: https://medium.com/kira-core/kira-network-security-challenge-summary-results-3dd0cd201b8d
