3 months ago I was hacked because the folks at Alby removed the default option to require authentication on Umbrel. Bad actors or accident? I guess we'll never really know. Nobody cared, life moved on. It still hurts. Feels unfair, but Bitcoiners believe in game theory, not in fairness. It's really frustrating: after having worked so long on Chain Duel and PubPay, people say these projects provided so much value, but I was personally attacked and lost my money, and the world doesn't care. We are just cogs, we don't matter, maybe some do, the influencers, the rest of us... Fuck ourselves, right? We love Bitcoin so much, pity that in reality Bitcoin doesn't seem to fix anything, but attracts people with greed in their hearts.

Replies (29)

HoloKat 1 week ago
What do you expect the world to do about it?
I can't really tell what would be the most correct, but I feel that if it was someone with clout there would have been fundraisers, boycotts, social media attention, movements for better practices, etc.
Alright I get it. You do not want to disclose it. I respect that.
Man, I love you, and I really feel you, and I also know that you must find somebody to take some blame to lower that pain. But blaming Alby and hinting at "bad actors" is too much there. Everybody at Alby is driven by the same love for Bitcoin as you are and has been doing all work open source and available to everyone. The problem that you describe is not even related to something that Alby builds but to the Umbrel app setup and the way you have been running things. LNBits is currently vulnerable to this problem and they will not change this because it is how it should work. You have to know how to use it! Do not run Umbrel publicly available; make sure you do the setups as required, and if you run it publicly make sure to harden it. It sucks that there are actors stealing from community projects like yours, but now blaming other open source projects and calling them "bad actors" is a bit too much. So please be a bit honest... denouncing other projects and calling them "bad actors" is just wrong. I hope it helps with dealing with the pain, but please don't do it like this.
Man, thank you for your words and I love you too, but I am in my right to disclose publicly what happened to me. I didn't accuse anyone of being bad actors; I said we will never know, as it makes no sense that you removed the default option that forces users to be logged in to Umbrel before using the apps, for a node manager. It's true that Umbrel is not meant to be run openly, and I did say in all posts that the blame was mine, but the reality remains that it was because of the way Alby Hub was configured to be used in Umbrel. Plus, it was a very specific attack that likely only someone inside the Umbrel/Alby community would be aware of.
Sure, publicly disclose it, but stick to reality. What you say is wrong and misses reality (just check LNBits for example). It leaves out that you did not run through the setup, that you opened up Umbrel to the public net, etc. Maybe also engage with the related Umbrel discussions. Even hinting at bad actors because of some config (which you seem to not understand) is imo wrong and pretty sad, and hinting that somebody from the Umbrel/Alby community is stealing from you is also just hurting some of your beloved Bitcoin communities. I hope it helps with your pain, but hate the thief and not some other open source Bitcoin projects and communities.
I understand dockerization enough to be about to merge my own soon, so don't be condescending. It's not a feature, it was a bug and even closer to malware. If you don't agree, feel free to call me ignorant, but don't expect me to shut up while you say I don't understand why I was stolen from.
It's NOT what I am saying. It's what LNBits/Umbrel is saying. They don't change it. As I mentioned, read it up there and engage there. The Umbrel Alby app was changed (and there have also been complaints about that).
Ok, I might not be informed on all the details, and the goal of the initial post was not to accuse you but to reiterate how this personal subject makes me feel. Sorry that you are involved in this.
As far as I can gather, the issue was Alby autopopulating the funding source for LNbits, and Francis enabling LNbits but not setting it up from the LNbits launch page? We didn't autopopulate the funding source, Alby did. We can add an extra safeguard to help Alby's flow, by disabling the setup page after x mins, but using LNbits this way by a service like Alby is not something we do or account for. I'm not playing the blame game, but it's a vulnerability not created by us. We can try safeguarding it, but any service that Alby autopopulates should be monitored by Alby and disabled if not set up correctly. As far as I understand the issue.
Reading replies, was this Umbrel connecting the funding source? Then if any fixes should be applied, that's where it should start. We can also add something. Bitcoin is built on the blood and sacrifice of early adopters; it sucks, and no future users understand the pain and suffering of those who came before them.
No no… the issue is that if you install LNBits and do NOT set it up, and have Umbrel exposed on the public internet, then an attacker can do the setup and steal funds by extracting the LND macaroon. Roughly like that. "Public and not fully set up" is the important part here.
I see, I believe this is important information that should be understood by all parties; maybe it can help someone in the future. What happened was: I had Umbrel installed on a VPS, with bitcoind, lnd, lnbits. I accessed it via public IP and password. (I knew it was a precarious setup, I was supposed to change it, I kept delaying it because I didn't really use that node/lnbits, until the day I released PubPay and I was hacked, which makes it very likely that it was someone that saw the release.) I used the app store to install Alby Hub. But afterwards, you're meant to run the application, as it has a first setup page, which I didn't. Bumi blames me for this setup, as the Umbrel (and the funds) were only protected by the Umbrel password. As the Alby Umbrel config was turning off the default Umbrel authentication, Alby Hub was exposed to clearnet without a password and the attacker had free access. Bumi says this is good UX; it might be for some, for me it was fatal. Bumi says that LNbits has the same vulnerability and, in similar scenarios, the same could happen again. So this might be something to look at cc: @Ben Arc
In the Umbrel scenario there are a load of projects that would be impacted by autopopulating funding sources. I would say Umbrel is responsible for not creating a backdoor. As I said, we can also add safeguards for that scenario.
Yes, he tagged you because he wants the same problem fixed in LNbits. The LNbits Umbrel app is completely unrelated to the Alby Hub Umbrel app; it just has the same setup and potential exploit.
Yes, I get it. Umbrel should make sure setup pages are completed, and disable services after x mins. Not blaming Umbrel or anything. It's just a lesson that can be learned from.
I don't know if Umbrel is fully to blame here, as they provide mechanisms of defense such as requiring authentication in Umbrel to access certain apps, but also provide variables that apps can use for situations like these, like ${APP_PASSWORD}, for example.
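A minimal model of the safeguard the last few replies describe (a first-run setup page that demands a host-provided secret standing in for ${APP_PASSWORD}, expires after a few minutes if nobody completes it, and locks permanently once completed), added here as an illustration; it is not code from Umbrel, LNbits or Alby Hub, and the names SetupGate and try_setup, the window length and the IP addresses are all constructed.

```python
import hmac
import secrets

# Constructed example, not code from Umbrel, LNbits or Alby Hub.
# The gate models three defences for an exposed first-run setup page:
# (1) a secret only readable on the host (stand-in for ${APP_PASSWORD}),
# (2) a deadline after install ("disable the setup page after x mins"),
# (3) a permanent lock once setup has been completed.
SETUP_WINDOW_SECONDS = 10 * 60  # assumed window; pick what fits your deployment


class SetupGate:
    def __init__(self, host_secret: str, installed_at: float,
                 window: int = SETUP_WINDOW_SECONDS):
        self._secret = host_secret.encode()
        self._installed_at = installed_at
        self._window = window
        self.completed = False
        self.events = []  # (outcome, source_ip) audit trail worth shipping to logs

    def try_setup(self, presented_secret: str, source_ip: str, now: float) -> str:
        """Return 'ok', 'locked', 'expired' or 'forbidden'; only 'ok' completes setup."""
        if self.completed:                      # setup already done: never reopen it
            outcome = "locked"
        elif now - self._installed_at > self._window:  # nobody finished in time
            outcome = "expired"
        elif not hmac.compare_digest(presented_secret.encode(), self._secret):
            outcome = "forbidden"               # constant-time compare of the secret
        else:
            self.completed = True
            outcome = "ok"
        self.events.append((outcome, source_ip))
        return outcome


def demo() -> list:
    """Walk through the thread's scenario with constructed inputs."""
    t0 = 1_700_000_000.0
    secret = secrets.token_urlsafe(16)  # what the host would inject at install time
    gate = SetupGate(secret, installed_at=t0)
    results = [
        gate.try_setup("", "203.0.113.7", t0 + 60),        # stranger without the secret
        gate.try_setup(secret, "198.51.100.2", t0 + 120),  # owner completes setup
        gate.try_setup(secret, "203.0.113.7", t0 + 180),   # replay after completion
    ]
    late = SetupGate(secret, installed_at=t0)              # install nobody finished
    results.append(late.try_setup(secret, "198.51.100.2", t0 + SETUP_WINDOW_SECONDS + 1))
    return results  # ['forbidden', 'ok', 'locked', 'expired']
```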
There is certainly risk in hosting your own infra. It's always that way. Before you open a port to the world, you must understand the services running on that port. I have what I consider to be a large node that I self host, but I'm also a professional IT guy IRL and am quite broad. Even and all come from the same IP if you check DNS but are all reverse proxied, just as my proxy, webserver, Minecraft server and other services like my personal Nextcloud and more are all on the same IP but on separate internal networks, and have various rules between them. A Lightning node IS a bank and should be secured as such. I still have risk by having a node. But even I myself do not have full access to my node from the outside world without VPNs etc.
I don't think anybody is to blame. It is a valid point for apps that expose APIs to NOT require an Umbrel login (otherwise they can not work and can not be used), and it is also a valid point to say that apps must require an Umbrel login (if you're a user not using the API). It just depends on how you want to see and use it. Both are valid. It's also important to mention that this is not in LNbits nor Alby Hub. It's a combination of them and Umbrel.
I don't blame anybody! I feel very sorry for you! It sucks big time... (I just complained and I am sad about your hinting at intentional "bad actors" and your blame on open source projects and communities.) Anyway... PROXY_AUTH: false is set for many apps for a reason, because otherwise they can not be accessed and/or their APIs do not work. See: it's not even about good/bad UX. It is how those things work. In that combination of running this publicly and not completing the setup, this can be fatal, as we sadly had to see. We made a PR to change this in the Alby Hub Umbrel app (about which also some complained because it broke things); the Umbrel app is community maintained. Afaik LNBits Umbrel says it will not be changed (I don't know the details, but I think this is valid, as many things and apps would not work then). This problem might exist on other deployments, too. And it is also not unique to Umbrel: if you install some WordPress and don't complete the setup, then some attacker might be able to take over the server.