Week 21 Recap
Halfway to 365 days! I hate Bon Jovi but...
The portfolio is now sitting at a 500% net gain since August, and this week alone it grew twice as much as the original investment (+640.25 USD). Only one asset in the portfolio has lost money at this point, which honestly tells me that there is literally no logic left whatsoever in the alt space, and I'm totally fine with that.
Although these gains have been great, the theme this week is security, security, security, and I'm not even going to be discussing Spectre or Meltdown! It was revealed this week that Electrum wallets running 3.0.3 or lower have a severe security vulnerability that is extremely easy to exploit (the fix shipped in 3.0.5, which password-protects the JSON-RPC interface).
***If you are running the Electrum wallet, shut it down IMMEDIATELY.***
Your Electrum desktop wallet runs a JSON-RPC server on a random localhost port in the background so that other applications can talk to it. Many merchants run a web server, in PHP or something similar, that uses this interface to create and check payments from their website (e.g. [purchases via Electrum](http://docs.electrum.org/en/latest/merchant.html)). For example, let's pretend you run a website that sells Bitcoin related paraphernalia (t-shirts, etc.), and during checkout a customer chooses to pay in BTC. Your website makes a JSON-RPC call to your desktop Electrum wallet asking for an address to accept the payment, and the wallet responds with a valid address and the other details your customer needs to send you BTC for their purchase. The problem is that the Electrum JSON-RPC interface accepted these calls with no authentication at all. A wallet password does not make this safe: it only encrypts your keys, so spending and exporting the seed need it, but anything that does not touch the keys (listing your addresses, reading your balance and transaction history) is still wide open, and nothing stops a caller from guessing passwords through the same interface.
At this point you might be asking, what does CORS have to do with the Electrum vulnerability? Remember that Electrum runs a JSON-RPC service that accepts requests from a webserver without authentication (other than the wallet password, for the few operations that need it). Normally the browser's same-origin policy stops a page on one site from reading responses from another origin, and the CORS headers a server sends are what relax that rule. A JSON-RPC service on localhost should never relax it, and should refuse requests that arrive from a browser at all, because any web page you visit can make your browser send a POST to 127.0.0.1 on whatever port the wallet picked; the only application that should be talking to it is a local one. Unfortunately Electrum's CORS policy is as follows:
This vulnerability has existed for almost 3 years. It was pointed out in November 2017, and became a serious concern after Tavis Ormandy wrote an exploit and explained how serious a bug it was. So what are some concrete steps you can take to prevent something like this from happening in the future?
- Use a paper or hardware wallet.
- If you decide to use a software wallet like Electrum, don't run the application in the background; access it as infrequently as possible. If you do access it, don't browse the web while it's running (not all wallets run a JSON RPC server, but this is still sound advice).
- Open source doesn't mean bug free; never blindly trust any one person or application.
- For the love of god, never use online wallets!
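To make the JSON-RPC and CORS discussion above concrete, here is an added example of my own. It is not Electrum's code and not from the Electrum docs: the wallet state, the `listaddresses`/`getseed` methods and the `rpcuser`/`rpcpassword` Basic-auth scheme are constructed stand-ins (later Electrum releases do require RPC credentials, but the handler below is my own sketch, not theirs). It shows the pre-fix shape of the server, where any POST that reaches the port is executed and a wallet password only protects the seed, next to a hardened handler that refuses browser-originated requests outright and demands credentials that only a local client such as a merchant checkout script would hold.

```python
import base64
import hmac
import json
import secrets

# Constructed stand-in for wallet state; nothing here is a real key or seed.
WALLET = {
    "addresses": ["bc1qconstructedaddress0", "bc1qconstructedaddress1"],
    "seed": "constructed seed words only",
    "password": "hunter2",  # the wallet password: it gates the seed, nothing else
}

def _listaddresses(params):
    # Listing addresses never needs the wallet password, so an open RPC leaks
    # them (and the balance/history behind them) even from a locked wallet.
    return list(WALLET["addresses"])

def _getseed(params):
    pw = str(params.get("password", ""))
    if not hmac.compare_digest(pw.encode(), WALLET["password"].encode()):
        raise PermissionError("wallet password required")
    return WALLET["seed"]

METHODS = {"listaddresses": _listaddresses, "getseed": _getseed}

def _error(req_id, code, message):
    return {"jsonrpc": "2.0", "id": req_id, "error": {"code": code, "message": message}}

def dispatch(body):
    """Parse one JSON-RPC 2.0 request body and run the named wallet method."""
    try:
        req = json.loads(body)
    except (TypeError, ValueError):
        return _error(None, -32700, "parse error")
    if not isinstance(req, dict) or not isinstance(req.get("method"), str):
        return _error(None, -32600, "invalid request")
    req_id, method = req.get("id"), METHODS.get(req["method"])
    if method is None:
        return _error(req_id, -32601, "method not found")
    params = req.get("params") or {}
    if not isinstance(params, dict):
        return _error(req_id, -32602, "invalid params")
    try:
        return {"jsonrpc": "2.0", "id": req_id, "result": method(params)}
    except PermissionError as e:
        return _error(req_id, -32000, str(e))

def handle_vulnerable(headers, body):
    """Pre-fix shape: every POST that reaches the port is executed. No credential
    is checked and Origin is ignored, so any web page the user visits can drive
    the wallet through the user's own browser. Returns (http_status, reply)."""
    return 200, dispatch(body)

def basic_auth_header(user, password):
    """Authorization value a local client (e.g. the checkout script) sends."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def handle_hardened(headers, body, rpcuser, rpcpassword):
    """Refuse anything that came from a browser, then require RPC credentials
    (a constructed scheme, not the real Electrum implementation)."""
    h = {k.lower(): v for k, v in headers.items()}
    # Browsers attach Origin to every cross-site POST, and nothing legitimate
    # talks to a wallet RPC from a browser, so any Origin at all is refused.
    # This cannot be left to CORS: a POST with a text/plain body needs no
    # preflight, so it reaches the server whether or not the page may read the reply.
    if "origin" in h:
        return 403, _error(None, -32000, "cross-origin request refused")
    auth = h.get("authorization", "")
    if not auth.startswith("Basic "):
        return 401, _error(None, -32000, "rpc credentials required")
    try:
        user, _, pw = base64.b64decode(auth[6:], validate=True).decode().partition(":")
    except ValueError:  # bad base64 or bad UTF-8
        return 401, _error(None, -32000, "malformed credentials")
    if not (hmac.compare_digest(user.encode(), rpcuser.encode())
            and hmac.compare_digest(pw.encode(), rpcpassword.encode())):
        return 401, _error(None, -32000, "bad rpc credentials")
    return 200, dispatch(body)

def demo():
    """HTTP status for the same request arriving three different ways."""
    user, pw = "rpcuser", secrets.token_urlsafe(24)  # generated once, shared only locally
    req = json.dumps({"jsonrpc": "2.0", "id": 1, "method": "listaddresses"})
    from_page = {"Origin": "http://evil.example", "Content-Type": "text/plain"}
    from_shop = {"Authorization": basic_auth_header(user, pw)}
    return {
        "vulnerable_from_web_page": handle_vulnerable(from_page, req)[0],
        "hardened_from_web_page": handle_hardened(from_page, req, user, pw)[0],
        "hardened_without_credentials": handle_hardened({}, req, user, pw)[0],
        "hardened_from_checkout_script": handle_hardened(from_shop, req, user, pw)[0],
    }

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two things worth noticing when you run it. First, `handle_vulnerable` happily answers `listaddresses` for a request carrying a foreign `Origin` even though the wallet has a password, which is exactly why "my wallet is password protected" is not a defence here. Second, the hardened handler rejects on the `Origin` header before it ever looks at credentials: the browser will send that POST no matter what CORS headers the server returns, so the server has to be the one saying no.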
Week 21 Results
XDN was the winner this week with a gain of +$111.15 USD (+147%), while NXT was the worst performer with a loss of -$14.22 USD (-22%). The portfolio gained a whopping +$640.25 USD (+57%)! Insane when you consider that the current portfolio is comprised of a ton of crappy assets.
| Symbol | Quantity | Price | December 31st | January 7th | Week Change $ | Week Change % |
|---|---|---|---|---|---|---|
Want to follow along?
If you're Canadian and want to try the same thing, I use QuadrigaCX (wire transfer, interac online) and Coinbase (VISA, Mastercard, AMEX) to purchase bitcoin, ethereum, or litecoin to transfer to an exchange that supports all these alternative currencies. I used HitBTC to buy all 31 currencies, but many exchanges will work just as well.