Damus
Francis Mars
@FrancisMars

https://www.francismars.com • bringing Bitcoin to the people with chainduel.net && pubpay.me

Relays (13)
  • wss://no.str.cr/ – read & write
  • wss://nos.lol/ – read & write
  • wss://nostr-pub.wellorder.net/ – read & write
  • wss://nostr.bitcoiner.social/ – read & write
  • wss://nostr.milou.lol/ – read
  • wss://nostr.mom/ – read & write
  • wss://nostr.oxtr.dev/ – read & write
  • wss://relay.damus.io/ – read & write
  • wss://relay.nostr.band/ – read
  • wss://relay.nostr.bg/ – read & write
  • wss://relay.nostrati.com/ – read
  • wss://relay.orangepill.dev/ – read
  • wss://relay.snort.social/ – read & write

Recent Notes

FrancisMars
I don't know if Umbrel is fully to blame here, as they provide mechanisms of defense such as requiring authentication in Umbrel to access certain apps, but also providing variables that apps can use for situations like these, like ${APP_PASSWORD}, for example.
FrancisMars
I see. I believe this is important information that should be understood by all parties; maybe it can help someone in the future.

What happened was:

I had Umbrel installed on a VPS, with bitcoind, lnd, lnbits. I accessed it via public IP and password. (I knew it was a precarious setup, I was supposed to change it, I kept delaying it because I didn't really use that node\lnbits, until the day I released the pubpay and I was hacked, which makes it very likely that it was someone that saw the release).

I used the app store to install Alby Hub. But afterwards, you're meant to run the application as it has a first setup page, which I didn't.

Bumi blames me for this set up, as the umbrel (and the funds) were only protected by the umbrel password.

As the Alby Umbrel config was turning off the default Umbrel authentication, albyhub was exposed to clearnet without a password and the attacker had free access. Bumi says this is good UX; it might be for some, for me it was fatal.

Bumi says that LNbits has the same vulnerability and, in similar scenarios, the same could happen again. So this might be something to look at.
cc: @nprofile1q...
FrancisMars
Ok, I might not be informed on all the details, and the goal of the initial post was not to accuse you but to reiterate how this personal subject makes me feel. Sorry that you are involved in this.

FrancisMars
From my understanding, the docker-compose of the albyhub page was set up to override the default option that requires authentication. If I'm correct, this is your responsibility, not Umbrel's.
If I'm not understanding correctly, please explain.



FrancisMars
I understand enough dockerization to be about to merge my own soon, so don't be condescending. It's not a feature, it was a bug and even closer to malware. If you don't agree, feel free to call me ignorant, but don't expect me to shut up while you say I don't understand why I was stolen from.

FrancisMars
Man, thank you for your words and I love you too, but I am in my right to disclose publicly what happened to me.

I didn't accuse of bad actors, I said we will never know, as it makes no sense that you removed the default option that forces users to be logged-in in umbrel before using the apps, for a node manager.

It's true that umbrel is not meant to be run openly and I did say in all posts that the blame was mine but the reality remains that it was because of the way alby hub was configured to be used in umbrel.

Plus it was a very specific attack that likely only someone inside the umbrel/alby community would be aware of.
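
An added example, not part of the original notes and not Umbrel's or Alby's code: a small audit a node operator could run to list installed apps whose compose file opts out of Umbrel's login gate. It assumes the override discussed in the notes is the app proxy's `PROXY_AUTH_ADD: "false"` environment setting; the app-data directory argument and the two sample compose snippets are constructed for illustration.

```python
import re
import sys
from pathlib import Path

# Matches mapping form (PROXY_AUTH_ADD: "false") and list form (- PROXY_AUTH_ADD=false).
_AUTH_RE = re.compile(
    r'''^\s*(?:-\s*)?["']?PROXY_AUTH_ADD["']?\s*[:=]\s*["']?(?P<val>[^"'\s#]+)''',
    re.IGNORECASE,
)

# Constructed samples: one app that disables the proxy login, one that keeps the default.
SAMPLE_EXPOSED = """services:
  app_proxy:
    environment:
      APP_HOST: example_server_1
      APP_PORT: 8080
      PROXY_AUTH_ADD: "false"
"""
SAMPLE_DEFAULT = """services:
  app_proxy:
    environment:
      APP_HOST: example_server_1
      APP_PORT: 8080
      # PROXY_AUTH_ADD: "false"
"""

def auth_disabled(compose_text: str) -> bool:
    """True if a non-comment line sets PROXY_AUTH_ADD to false."""
    for line in compose_text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # commented-out settings have no effect
        m = _AUTH_RE.match(line)
        if m and m.group("val").lower() == "false":
            return True
    return False

def audit(app_data_dir: str) -> list[str]:
    """Names of app directories whose docker-compose.yml disables proxy auth."""
    flagged = []
    for compose in sorted(Path(app_data_dir).glob("*/docker-compose.yml")):
        if auth_disabled(compose.read_text(encoding="utf-8", errors="replace")):
            flagged.append(compose.parent.name)
    return flagged

if __name__ == "__main__" and len(sys.argv) == 2:
    # Usage: python audit.py <path to the node's app-data directory>
    for name in audit(sys.argv[1]):
        print(f"{name}: reachable without the Umbrel login; check the app's own auth")
```

Any app this flags relies entirely on its own authentication, so it should be set up (or removed) before the node is reachable from an untrusted network.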