MetaCartel Ecosystem Security Proposal


What: I would like to contribute to the MetaCartel Ecosystem by helping secure assets and business operations. I propose to start with a task that requires minimal coordination and has potential major impact by securing the integrity of emails sent from the metacartel.org domain and its subdomains. I have recently worked with RaidGuild to implement similar changes.

Why: Currently it is possible with a low level of skill to spoof a metacartel.org email address and have this email land in the inbox, not marked as spam, of a MetaCartel member and practically any other email user on the web. What this means is a malicious actor could pose as a MetaCartel member, which could lead to many headaches, breaches, or have an impact on the reputation of MetaCartel.

In the web3 space, corruption and scams are prevalent and it is important to secure and educate users as much as we can & to the best of our abilities; this is where I can add value and begin contributing to the MetaCartel today!

Timeline for completion: 2-3 weeks depending on MetaCartel member assistance.

Phase 1: I have completed a preliminary research review, looking from outside your organization to gather a set of proposed changes.

Phase 2: Work with the appropriate MetaCartel members who can help identify anything I do not spot on the first pass, other things that are not public knowledge.

Phase 3: Implementation – Coordinate and work with the appropriate MetaCartel members; after proposed changes are agreed upon, implement these changes with the help of MetaCartel members or, if granted temporary access, execute without further consuming members’ time.

Thank you for your time and consideration. I would be honored to help secure the MetaCartel Ecosystem in exchange for a membership share in the DAO.

Cheers
Adán

2 Likes

Hey @0x4d4n I appreciate the sentiment of this proposal, meeting you personally gives me a better sense of your skill and ability to execute this.

I think it makes a lot of sense to give you the permissions to move forward on this, especially since you are only asking for a sweat share, will wait for a few more days on feedback from others but this has a :+1:t3: from me.

2 Likes

Thanks @Yalor

Here is some additional info for those who want to learn or further understand what is currently possible.

Currently metacartel.org does not have any SPF, DKIM or DMARC DNS records. These records all play a role in telling email servers across the world who has permission to send email on behalf of a domain and weigh how likely an email is delivered as legitimate.

When signing up to the Forum you are greeted with an account creation email. In the below screenshot you can see this email and then one other that looks similar:

The below screenshot is the (legitimate) email received from Forum signup; in this we see the email was sent from james@metacartel.org and was delivered to the inbox with an SPF Neutral rating.

In the below screenshot you can see an email that was spoofed to make it look like it was sent legitimately from the Forum, pretending to be james@metacartel.org.

Funny enough, this spoofed email may be more likely to land in a user’s mailbox than the legitimate one since the SPF and DKIM record check passed.

Open ear for anyone who wants to learn more, discuss or explore.

-Adan

4 Likes
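The point in Adan's post above is that SPF and DKIM can both pass for the domain that actually sent a message while the visible From: domain is someone else's; it is DMARC's alignment check that ties the two together. The following is an added example (my own, not MetaCartel's real DNS data or any project code) modelling how a receiving mail server decides, using constructed zone records with `example.invalid` and `thirdparty.example` as placeholder domains.

```python
"""Receiver-side model of the SPF/DKIM/DMARC interaction described in the post."""

# Constructed DNS zones (not MetaCartel's real records): before and after publishing records.
ZONE_BEFORE = {}
ZONE_AFTER = {
    "metacartel.org": ["v=spf1 include:_spf.google.com -all"],
    "_dmarc.metacartel.org": ["v=DMARC1; p=reject; aspf=r; adkim=r; rua=mailto:dmarc@example.invalid"],
}

def parse_tags(record):
    """Turn a 'k=v; k2=v2' DMARC record into a dict of tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags

def dmarc_policy(zone, domain):
    """Return the parsed DMARC record for domain, or None when none is published."""
    for txt in zone.get("_dmarc." + domain, []):
        tags = parse_tags(txt)
        if tags.get("v") == "DMARC1":
            return tags
    return None

def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match; relaxed ('r') also
    accepts subdomains (simplified: real receivers compare organizational domains)."""
    if mode == "s":
        return auth_domain == from_domain
    return auth_domain == from_domain or auth_domain.endswith("." + from_domain)

def dmarc_verdict(zone, from_domain, spf, dkim):
    """spf and dkim are (result, authenticated_domain) pairs as the receiver computed them.
    Returns 'pass', the policy action ('none', 'quarantine', 'reject'), or 'no-policy'."""
    policy = dmarc_policy(zone, from_domain)
    if policy is None:
        return "no-policy"   # receiver falls back to its own spam heuristics
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, policy.get("aspf", "r"))
    dkim_ok = dkim[0] == "pass" and aligned(dkim[1], from_domain, policy.get("adkim", "r"))
    return "pass" if (spf_ok or dkim_ok) else policy.get("p", "none")

# Constructed header results: a legitimate message, and one whose SPF and DKIM both pass
# but only for the third-party sending domain, not for the From: domain shown to the user.
LEGIT = dict(from_domain="metacartel.org", spf=("pass", "metacartel.org"), dkim=("pass", "metacartel.org"))
SPOOF = dict(from_domain="metacartel.org", spf=("pass", "thirdparty.example"), dkim=("pass", "thirdparty.example"))

if __name__ == "__main__":
    print("before, spoof:", dmarc_verdict(ZONE_BEFORE, **SPOOF))   # no-policy: delivered on heuristics
    print("after, spoof:", dmarc_verdict(ZONE_AFTER, **SPOOF), "| after, legit:", dmarc_verdict(ZONE_AFTER, **LEGIT))
```

With no `_dmarc` record the receiver has nothing to enforce, which is why passing SPF/DKIM on an unrelated domain is enough to reach the inbox; once `p=reject` is published, the unaligned message is rejected while the aligned one still passes.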

Seems like a great mission and way to sweat into the cartel! 100% yes from me

3 Likes

Hi @joseph thank you for the vote of confidence I really appreciate it.

Security is a passion of mine and I want to see web3 excel where web2 failed, security is one of these major failures.

If any members are on the fence, would like a demo, need more information or credentials regarding myself let me know.

I envision this growing and spreading through the ecosystem where we all help others secure their assets and reputations. Maybe this is something MetaCartel could sponsor or do for others; revenue stream for MetaCartel, who knows? There are many avenues to explore however the first objective should be to secure MetaCartel.

Being hacked or spoofed is a very stressful and damaging process. I have worked with Gov agencies and major law firms throughout the US on cleaning up after hacks that were orchestrated using this method. Multi-millions in funds lost, classified documents extracted, and organizations who were forced to close their doors.

Security, especially in web3, is a major concern that should be addressed by anyone with the knowledge and willingness to lend a hand.

Always happy and here to discuss.

Thank you,
Adan

1 Like

Sounds good to me, we discussed in town hall a bit. Seems like most support it. @0x4d4n what do you need to start this?
Generally we do “sweat” first and then you get a share(s). And we can see how much time it takes and do shares that are fair based on that.

1 Like

Amazing @joseph :pray:

Needs: Coordination

A secure channel of communication with (internal ops) the individual(s) who can get me temporary access into the appropriate accounts/services. I am in discord or drop me a DM here with the appropriate members to contact via X channel.

Deliverables:
I will create a doc that I will share with the member(s) involved with proposed changes, explanations and the accounts/services I need access to in order to execute.

I am stoked and appreciative for the opportunity to help and work towards the goal of securing MetaCartel and sweating for a share(s).

:pray:
Adan

gm gm. Haven’t heard back on this; let me know if you guys want to fix this.

Adan