Man, I love you, and I really feel you, and I also know that you must find somebody to take some blame to lower that pain. But blaming Alby and hinting "bad actors" is too much there. Everybody at Alby is driven by the same love for Bitcoin as you are and has been doing all work open source and available to everyone. The problem that you describe is not even related to something that Alby builds but to the Umbrel app setup and the way you have been running things. LNbits is currently vulnerable to this problem and they will not change this because it is how it should work. You have to know how to use it! Do not run Umbrel publicly available, make sure you do the setups as required, and if you run it publicly make sure to harden it. It sucks that there are actors stealing from community projects like yours, but now blaming other open source projects and calling them "bad actors" is a bit too much. So please be a bit honest... denouncing other projects and calling them "bad actors" is just wrong. I hope it helps with dealing with the pain, but please don't do it like this.

Replies (4)

Man, thank you for your words, and I love you too, but I am in my right to disclose publicly what happened to me. I didn't accuse of bad actors, I said we will never know, as it makes no sense that you removed the default option that forces users to be logged in to Umbrel before using the apps, for a node manager. It's true that Umbrel is not meant to be run openly, and I did say in all posts that the blame was mine, but the reality remains that it was because of the way Alby Hub was configured to be used in Umbrel. Plus it was a very specific attack that likely only someone inside the Umbrel/Alby community would be aware of.

As far as I can gather, the issue was autopopulating the funding source for LNbits by Alby, and Francis enabling LNbits but not setting up from the LNbits launch page? We didn't autopopulate the funding source, Alby did. We can add an extra safeguard to help Alby's flow, by disabling the setup page after x mins, but using LNbits this way by a service like Alby is not something we do or account for. I'm not playing the blame game, but it's a vulnerability not created by us. We can try safeguarding it, but any service that Alby autopopulates should be monitored by Alby and disabled if not set up correctly. As far as I understand the issue.

Reading replies, was this Umbrel connecting the funding source? Then if any fixes should be applied, that's where it should start. We can also add something. Bitcoin is built on blood and sacrifice of early adopters, it sucks, and no future users understand the pain and suffering of those who came before them.