Topic: NXT :: descendant of Bitcoin - Updated Information - page 505. (Read 2761624 times)

sr. member
Activity: 392
Merit: 250
Code:
import java.util.Random;

import org.apache.commons.lang3.RandomStringUtils;

private String generatePassphrase() {
    // No space, backslash, newline, tab
    String symbols = "!\"$%^&*()-_=+[{]};:'@#~|,<.>/?"; //$NON-NLS-1$
    String alphaNum = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890"; //$NON-NLS-1$
    int low = 70;
    int high = 90;
    Random random = new Random();
    int count = random.nextInt(high - low) + low;
    return RandomStringUtils.random(count, symbols + alphaNum);
}


Java.util.Random is not cryptographically secure.

Change it to SecureRandom or people using Offspring to create Nxt accounts would be vulnerable

http://stackoverflow.com/questions/11051205/difference-between-java-util-random-and-java-security-securerandom


"Random only has a 48-bit internal state and will repeat after 2^48 calls to nextLong() which means that it won't produce all possible long or double values."

This means all passwords created by OffSpring should be crackable.

It's not secure at all

In this case he is only using java.util.Random to pick up the length of the password, between 70 and 90 chars, so it does not need to be SecureRandom. Of course I hope the apache RandomStringUtils internally uses SecureRandom, this is where it would matter.
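The disagreement in this post comes down to which generator draws the characters. The following is an added example, not Offspring's code and not from the thread, that draws both the length and every character from the generator passed in, first a seeded java.util.Random and then SecureRandom. The class name, the fixed seed and the entropy helper are illustrative assumptions; RandomStringUtils is left out so the source of randomness is explicit.

```java
import java.security.SecureRandom;
import java.util.Random;

public class PassphraseDemo {
    // Character classes copied from the snippet quoted in the thread.
    static final String SYMBOLS = "!\"$%^&*()-_=+[{]};:'@#~|,<.>/?";
    static final String ALPHA_NUM =
            "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890";

    // Drop repeated characters (the digit 0 appears twice above) so that
    // every character of the alphabet is equally likely to be picked.
    static char[] alphabet() {
        StringBuilder unique = new StringBuilder();
        for (char c : (SYMBOLS + ALPHA_NUM).toCharArray()) {
            if (unique.indexOf(String.valueOf(c)) < 0) {
                unique.append(c);
            }
        }
        return unique.toString().toCharArray();
    }

    // Length (70..89, as in the thread's snippet) and every character come
    // from the same generator, so the caller decides how strong the result is.
    static String generate(Random rng, char[] alphabet) {
        int low = 70;
        int high = 90;
        int count = rng.nextInt(high - low) + low;
        StringBuilder sb = new StringBuilder(count);
        for (int i = 0; i < count; i++) {
            sb.append(alphabet[rng.nextInt(alphabet.length)]);
        }
        return sb.toString();
    }

    // Strength the passphrase would have if every character were independent.
    static double nominalBits(int length, int alphabetSize) {
        return length * Math.log(alphabetSize) / Math.log(2);
    }

    public static void main(String[] args) {
        char[] alphabet = alphabet();

        // java.util.Random: the whole passphrase is a function of the seed,
        // so two generators with the same seed produce the same passphrase.
        long seed = 20140301L; // constructed value, for the demonstration only
        String first = generate(new Random(seed), alphabet);
        String second = generate(new Random(seed), alphabet);
        System.out.println("java.util.Random, same seed twice, identical: "
                + first.equals(second));
        System.out.printf("nominal strength of %d chars: %.0f bits, "
                + "but a 48-bit state allows at most 2^48 outputs%n",
                first.length(), nominalBits(first.length(), alphabet.length));

        // SecureRandom extends Random, so the same method accepts it; it is
        // seeded from the operating system's entropy source.
        SecureRandom secure = new SecureRandom();
        String passphrase = generate(secure, alphabet);
        System.out.println("SecureRandom passphrase length: " + passphrase.length());
    }
}
```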
hero member
Activity: 784
Merit: 500
Is there an open source software with an online interface which we could use for logging testcases and bugs?
Something like JIRA?

Maybe somebody that is not a dev can do the research for this?

That's what I am doing :)
This was the first step, asking the community :)
full member
Activity: 168
Merit: 100
I don't know if this is relevant... but there is someone who is stealing nxtcoins from "bad-protected" accounts.

I've just created an account with the pass: "mtvraps" to check and play. I used the nxtra.org faucet and they sent 2 NXT to this account: "14345877598619007537". One minute later, someone sent these 2 nxtcoins to another account (of course it was not me). The account was: "1413811113623034318". I suppose there is a bot checking all the possible weak passwords...

It could be funny but... TAKE CARE!

I'm not a coder and I have no knowledge of software security... but is there an option to use 2-factor verification? Security weakness could be the most dangerous problem for NXT mass adoption.

I agree.
It would be necessary to encourage any client developer to implement 2-factor authentication.


What would you like to protect with 2FA? The startup of a client or do you think you can protect the secret with 2FA?

If the latter, could you please list the steps how that would work?


It would do the same as I do with my KeePass database. See this:

After reading a lot about key generation, I chose to use absurd and nonsensical phrases of not less than 50 characters made of memorized words, and 2 phrases of roughly 50 characters for the KeePass master password.

Install the KeePass plugin OtpKeyProv and activate two factors to open KeePass with Google Authenticator.

The first sentence has 50 characters and the second sentence, used to activate Google Authenticator, has 48 characters to match the Base32 standard. The advantage of a two-factor master password is that phishing cannot get the whole password.

Within KeePass, generate the passwords you want, including those for NXT accounts (for NXT I also advise memorized words, not less than 50 characters, consisting of nonsensical words).

Enable the tools option "change master key in a secure desktop" every time you open your NXT account using automatic writing.
Enable automatic writing on the tab of each password: "Obfuscation 2 channel automatic writing".

I hope these tips help. In any case you can write to me with any questions about KeePass and handling the OtpKeyProv plugin.

Finally, the technique of two-factor authentication for NXT passwords would be a good option against phishing. I leave it open for discussion in the forum.

The difficulty arises with the Google Authenticator user documentation. A Base32 (secret) key is expected. You must set the secret key to Base32 in KeePass and restrict your secret key to the Base32 character set: a-z, 2-7. KeePass allows "=" but Google Authenticator does not. Apart from that, the Base32 secret key length is expressed in multiples of 8 characters.
A configuration that works:
Adjust the OTP Lock settings:
Length: 6
Secret key: abcdefghxz234567 (Base32)
Counter: 0 (Dec)
OTP Number: 3
Looking forward: 9 (allows 3 failed attempts to unlock KeePass using newly generated OTPs before a recovery is needed because the counters have become too far out of sync.)
Set Google Authenticator:
Secret key: abcdefghxz234567
Counter: counter based
The first 6 OTPs are:
442843
724600
994767
847513
160505
583080
Make sure you never lose the secret key, or you will be permanently locked out of KeePass if the counters lose synchronization. Also recognize that the real secret is the secret key, not the OTP.

OtpKeyProv
Plugin Author: Dominik Reichl, Plugin Language: English

http://keepass.info/plugins.html#keeotp

OtpKeyProv is a key provider based on one-time passwords. After protecting your database using this plugin, you need to generate and enter one-time passwords in order to open your database.

All generator tokens that follow the OATH HOTP standard (RFC 4226) are supported.

Download plugin: [v2.2 for KeePass 2.20 and higher]
Download source code: [v2.2 for KeePass 2.20 and higher]

If you instead want KeePass to generate one-time passwords, see the {HMACOTP} placeholder. For generating time-based OTPs, see the KeeOtp and Tray TOTP plugins.
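How the counter and look-ahead settings in this post interact, as an added example (not OtpKeyProv's code and not from the thread): HOTP per RFC 4226 plus a simplified verifier that wants 3 consecutive 6-digit OTPs and searches up to 9 counters ahead. The key is the RFC 4226 test key rather than the post's Base32 secret, and the class name, method names and exact window semantics are assumptions.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class HotpLookAheadDemo {
    // RFC 4226: HMAC-SHA-1 over the 8-byte big-endian counter, then dynamic
    // truncation to a 31-bit integer, reduced to the requested digit count.
    static String hotp(byte[] key, long counter, int digits)
            throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(key, "HmacSHA1"));
        byte[] h = mac.doFinal(ByteBuffer.allocate(8).putLong(counter).array());
        int off = h[h.length - 1] & 0x0f;
        int bin = ((h[off] & 0x7f) << 24) | ((h[off + 1] & 0xff) << 16)
                | ((h[off + 2] & 0xff) << 8) | (h[off + 3] & 0xff);
        int mod = (int) Math.pow(10, digits);
        return String.format("%0" + digits + "d", bin % mod);
    }

    // Simplified model of a look-ahead verifier (an assumption, not the
    // plugin's logic): accept if the submitted OTPs match consecutive counters
    // starting anywhere in [stored, stored + lookAhead]. Returns the counter
    // to store next, or -1 when nothing in the window matches.
    static long verify(byte[] key, long stored, String[] otps, int lookAhead,
                       int digits) throws GeneralSecurityException {
        for (long start = stored; start <= stored + lookAhead; start++) {
            boolean all = true;
            for (int i = 0; i < otps.length; i++) {
                byte[] expected = hotp(key, start + i, digits)
                        .getBytes(StandardCharsets.US_ASCII);
                byte[] given = otps[i].getBytes(StandardCharsets.US_ASCII);
                all &= MessageDigest.isEqual(expected, given); // constant time
            }
            if (all) {
                return start + otps.length;
            }
        }
        return -1;
    }

    // What the token would display for `n` button presses from `counter`.
    static String[] tokenOutput(byte[] key, long counter, int n, int digits)
            throws GeneralSecurityException {
        String[] out = new String[n];
        for (int i = 0; i < n; i++) {
            out[i] = hotp(key, counter + i, digits);
        }
        return out;
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // RFC 4226 Appendix D test key (ASCII), used instead of the post's key.
        byte[] key = "12345678901234567890".getBytes(StandardCharsets.US_ASCII);
        int digits = 6, required = 3, lookAhead = 9; // settings from the post

        // Token and database in sync at counter 0.
        long stored = verify(key, 0, tokenOutput(key, 0, required, digits),
                lookAhead, digits);
        System.out.println("in sync, next stored counter: " + stored);

        // Token advanced 4 times without a login: still inside the window.
        stored = verify(key, stored, tokenOutput(key, stored + 4, required, digits),
                lookAhead, digits);
        System.out.println("drift of 4, next stored counter: " + stored);

        // Token advanced 20 times: outside the window, verification fails and
        // only the secret key can restore access.
        long result = verify(key, stored,
                tokenOutput(key, stored + 20, required, digits), lookAhead, digits);
        System.out.println("drift of 20, result: " + result);
    }
}
```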
sr. member
Activity: 392
Merit: 250
any date set for launch of AE yet?? or still to be decided?
I proposed the 13th march, and asked if not some one should step up and take ownership for the launch of AE.
March 13th is not possible. I posted my plan some time ago:
https://bitcointalksearch.org/topic/m.5449690

The test network is ready, the known asset exchange bug looks fixed, but more testing is needed to make sure there are no others.

Now I need to start working on increasing the divisibility of amounts and fees, to allow for fractional amounts in the future, and I want to have this ready and tested before Asset Exchange is enabled on main net, because this type of transition would be really more difficult after AE is live. There is no time to do that before March 13th, end of March is more likely.
legendary
Activity: 1176
Merit: 1134
I need at least 1 million test NXT 18232225178877143084
does anybody have it?
sr. member
Activity: 421
Merit: 250
HEAT Ledger
Anyone like my idea of an Electrum-like passphrase generator to be included in Nxt clients? Today there are two new stories of newbies who had their Nxt stolen because they used a weak password

https://nextcoin.org/index.php/topic,4316.0.html

Not sure about the Electrum passphrase generator. Offspring does have a passphrase generator since day one. This is the algorithm that generates that passphrase.

Code:
import java.util.Random;

import org.apache.commons.lang3.RandomStringUtils;

private String generatePassphrase() {
    // No space, backslash, newline, tab
    String symbols = "!\"$%^&*()-_=+[{]};:'@#~|,<.>/?"; //$NON-NLS-1$
    String alphaNum = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890"; //$NON-NLS-1$
    int low = 70;
    int high = 90;
    Random random = new Random();
    int count = random.nextInt(high - low) + low;
    return RandomStringUtils.random(count, symbols + alphaNum);
}


Java.util.Random is not cryptographically secure.

Change it to SecureRandom or people using Offspring to create Nxt accounts would be vulnerable

http://stackoverflow.com/questions/11051205/difference-between-java-util-random-and-java-security-securerandom


"Random only has a 48-bit internal state and will repeat after 2^48 calls to nextLong() which means that it won't produce all possible long or double values."

This means all passwords created by OffSpring should be crackable.

It's not secure at all

We disagree

- Edit. I agree about the passwords being crackable, since every password is crackable. Your logic however is wrong
full member
Activity: 238
Merit: 100
Current NXT circulation:
1. Buy NXT from initial stakeholder.
2. Register alias / send message / issue asset and pay fee to stakeholder.
3. Goto :1

As I always said, forging was created for stakeholders. You (community) always said that "when we'll have more transactions, fees would be better distributed". False! Forging is not dependent on fee in expected block. The only thing that will change is that stakeholders would get back their sold NXT faster.

Nxt is a good platform. It is another P2P software like BitTorrent. We need to find another way to prevent spam and get rid of NXT.

Ok.  All fees go to the genesis account.


If you send the fees to the genesis account you will destroy NXT because you will eventually run out of NXT.

With or without pooled forging, people with more NXT will get more NXT by forging. People should view NXT as non-depreciating mining equipment. The more NXT you own, the more NXT you will receive. I'd rather purchase NXT than an ASIC because an ASIC will depreciate and I will earn less and less with my ASIC. With my NXT, I will always receive "MY NXT AMOUNT" / 1,000,000,000 NXT x 100% of the network's transaction fees.

The one worrisome thing about this Proof Of Stake concept is that it may very well turn out to be like a game of Risk. Where once a player passes a point where they have a decisive advantage with troops, they quickly dominate the entire game, becoming more dominant with every battle until soon everyone else is slowly and methodically wiped out, or someone flips the board over, whichever comes first.

It seems like this might happen with something like NXT. The large stakeholders gaining the most out of forging, becoming more powerful with every block they win, achieving something of a compounding interest snowball type effect, until only a few big fish remain, sitting on their fat Jabba the Hutt asses for the rest of NXT's existence gobbling up all the NXT while everyone else gives up forging at all; the network degrades until the Whales see the writing on the wall and push the SELL button, making NXT just another addition to the isle of coulda-shoulda-woulda.


Average fees per day is 7855 NXT
When the minimum fee is lowered to 0.1 or 0.01, it will probably go up to around 20000 NXT per day.
That's one and a half years for 1% to be churned, more like 5 years at current rates.
This is not going to make anybody rich, it is enough to pay for server costs, but not much else.
forging fees are for spam prevention
nobody gets rich collecting spam prevention fees
please stop obsessing over the spam prevention and how it is fair or unfair about who gets the spam fees

If people spent half the effort actually building on NXT that they do complaining about whatever they don't like about it, NXT would be worth a lot more.

Isn't that what we all want? Distribution is what it is. No amount of complaining will change that. However, anybody can step up and start doing useful stuff and get rewarded. Anybody. Even a simple C programmer like me.

James

I am not a developer. I am just a guy who likes crypto and bought a few NXT and reads this thread to see how the development is coming.
I still can contribute a thought on what I think I see as a big flaw in NXT gaining widespread adoption and try to influence the developers by making suggestions. I can play musical instruments but if someone doesn't like what I'm playing I don't say "well if you spent more time learning to play you could play it yourself". That would be a copout.

As I stated, personally I would forge for free and am doing that now. My concern is about down the road when more users come along and less of them are going to be intimately involved and willing to run a program on their computer, especially one that opens them up to DDOS attacks or potentially worse for no reason. People follow the path of least resistance. I'm just one guy, but not the only one, who sees this as a potential serious flaw. The developers are busy with higher minded stuff and I think are a little bit removed from average users. That's why suggestions from nobodies like me can be helpful, or not. But to say we should be doing your job and developing your program for you is a little much.
I didn't say that people should become devs. I said TEST. ANYBODY can test.

All this complaining is getting me depressed. Maybe I shouldn't bother with any of the projects I am doing.
All people seem to do is complain about this, a release is not done, I don't get anything from forging, blah, blah blah
I am working 18hr days trying to bring significant improvements, but if this is the attitude people have and they won't be forging because it doesn't pay them enough, then why am I bothering?

STOP COMPLAINING
START HELPING

Is that too much to ask?

For people that want to earn stuff from forging, there is nodecoin. That should be end of story on that issue. Not only do you help secure the network, you will get nodecoins. Unless I get so depressed from all this nonsense that I don't bother making nodecoin. Is that what you want?

James

James your work is highly appreciated so please continue doing what you were doing so far. People like you are really NXT. Also try not to react to every post on this thread. There are many people here and many opinions. I know some of those opinions are sometimes irritating but that is how life is.

NXT is not a get rich quick scheme, at least this is how I am looking at it. I am in it long term and everybody with the mining mindset that expected getting tons of NXT by forging, well that is their problem. Last 3 months we are screaming all over the forum that NXT is not about that. All these people will in the end probably end up leaving and that is OK too. We do not need them. I like to think that we are something bigger and this bigger thing takes time. Heck we are just 3 months old. Patience people.

On the other side, one thing that we need definitely is a client, ASAP. I am sure a lot more people would keep their clients open and forging and securing the network if they can just double click an icon. All these NRS updates are overwhelming, even for me and not for the average Joe.

So keep up the good work and thanks!!
legendary
Activity: 1176
Merit: 1134
All this complaining is getting me depressed.

James, calm down. I do think most of what you see as "complaining" is actually meant to further improve NXT. I can see very little ill-founded complaining in this thread.  Your efforts are highly appreciated by everyone who cares about this project.
Then whenever people complain about forging not being enough, tell them about nodecoin
I just saw a dozen calls for AE being released but where is the testplan?
It doesn't have to be a super formal test plan, it does need to be specific test cases
It also MUST be created by people who are NOT the devs for it. Otherwise the blind spots that created the bug won't be found because said blind spot will not come up with the test case.

We should have end user test points
We should also have client app test points. There are plenty of people here that can write programs to invoke NXT API

We need to gather all the test points and put it into a test plan. Then when there is a release, we run through the test plan and if it passes, we can release. Standard software development procedure, yes?

All we need are intelligent people using and abusing the AE in a methodical and also quite insane way to push the boundaries.

When CfB said the community had to approve, this is the sort of thing he meant. I am sure he didn't mean for people to arbitrarily set a date and push for release without objective reason to allow release.

James
hero member
Activity: 490
Merit: 504
Have you got any comments about:  An Invitation To Universities and Academic Researchers? http://justpaste.it/nxt-invites-universities
thx
full member
Activity: 182
Merit: 100
NXT.org
Is there an open source software with an online interface which we could use for logging testcases and bugs?
Something like JIRA?

Maybe somebody that is not a dev can do the research for this?

Google says: http://www.bugtrackingtools.net/?opensource
legendary
Activity: 1205
Merit: 1000
If people spent half the effort actually building on NXT that they do complaining about whatever they don't like about it, NXT would be worth a lot more.
Isn't that what we all want? Distribution is what it is. No amount of complaining will change that. However, anybody can step up and start doing useful stuff and get rewarded. Anybody. Even a simple C programmer like me.

James, critical input is of extreme importance to any project as well and not to be neglected. It is necessary for improvement.
What is the point in complaining about the past unless you have a time machine?
Initial distribution cannot be changed. End of story.
Lets move on and change what we can, the future
I agree! +11
hero member
Activity: 798
Merit: 500
Is there an open source software with an online interface which we could use for logging testcases and bugs?
Something like JIRA?

Bugzilla, Redmine
sr. member
Activity: 644
Merit: 250
I didn't say that people should become devs. I said TEST. ANYBODY can test.

All this complaining is getting me depressed. Maybe I shouldn't bother with any of the projects I am doing.
All people seem to do is complain about this, a release is not done, I don't get anything from forging, blah, blah blah
I am working 18hr days trying to bring significant improvements, but if this is the attitude people have and they won't be forging because it doesn't pay them enough, then why am I bothering?

STOP COMPLAINING
START HELPING

Is that too much to ask?

For people that want to earn stuff from forging, there is nodecoin. That should be end of story on that issue. Not only do you help secure the network, you will get nodecoins. Unless I get so depressed from all this nonsense that I don't bother making nodecoin. Is that what you want?

James

James, we do appreciate all your hard work.  Thank you on behalf of the Nxt community.

Everyone should remember what BCNext said, Nxt is a platform.  If you think fees are too high (which I do too) then you can't complain about forging rewards.  In other PoS currency, the coins generated per block (besides the tx fees) are inflationary.  The NXT distributed per block in NXT are only the tx fees and therefore non-inflationary.
hero member
Activity: 644
Merit: 500
Anyone like my idea of an Electrum-like passphrase generator to be included in Nxt clients? Today there are two new stories of newbies who had their Nxt stolen because they used a weak password

https://nextcoin.org/index.php/topic,4316.0.html

Not sure about the Electrum passphrase generator. Offspring does have a passphrase generator since day one. This is the algorithm that generates that passphrase.

Code:
import java.util.Random;

import org.apache.commons.lang3.RandomStringUtils;

private String generatePassphrase() {
    // No space, backslash, newline, tab
    String symbols = "!\"$%^&*()-_=+[{]};:'@#~|,<.>/?"; //$NON-NLS-1$
    String alphaNum = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890"; //$NON-NLS-1$
    int low = 70;
    int high = 90;
    Random random = new Random();
    int count = random.nextInt(high - low) + low;
    return RandomStringUtils.random(count, symbols + alphaNum);
}


Java.util.Random is not cryptographically secure.

Change it to SecureRandom or people using Offspring to create Nxt accounts would be vulnerable

http://stackoverflow.com/questions/11051205/difference-between-java-util-random-and-java-security-securerandom


"Random only has a 48-bit internal state and will repeat after 2^48 calls to nextLong() which means that it won't produce all possible long or double values."

This means all passwords created by OffSpring should be crackable.

It's not secure at all




legendary
Activity: 1176
Merit: 1134
Is there an open source software with an online interface which we could use for logging testcases and bugs?
Something like JIRA?

Maybe somebody that is not a dev can do the research for this?
legendary
Activity: 1176
Merit: 1134
This is weird. On one hand people complain about "fees" being too high, on the other hand they want to make money by "forging". These are contradictory statements.

Well, I guess the point is that there is actually no incentive to secure the network as one is not suitably rewarded by forging. This is a critical issue.
??
No incentive?
Isn't making sure NXT isn't destroyed incentive enough
How short sighted are people?
For a few NXT that they are not getting, they will risk NXT being attacked?

I think you look at it from a tech perspective.

I know NO ONE who has a PC/Server running when they are not using it (besides a few of my tech friends).
Of those tech friends a lot of them are not that fond of running a program that is constantly contacting the internet in the background and most of them only have a NAS and no servers/systems/VM's running.

There should be a real incentive (money talks) to be forging and "securing the network" is not enough.
Assuming we get pooled forging for pooling your personal account and abeleau's web wallet forges for you. People can set things up so that they are forging 24/7 with all their NXT, even though only 1 NXT is in the web wallet

If it is too much trouble for newbies to set this up, we can probably even automate the process to make it easy.

Then there is nodecoin

James
hero member
Activity: 798
Merit: 500
All this complaining is getting me depressed.

James, calm down. I do think most of what you see as "complaining" is actually meant to further improve NXT. I can see very little ill-founded complaining in this thread.  Your efforts are highly appreciated by everyone who cares about this project.
legendary
Activity: 1176
Merit: 1134
...

the transaction fees are still too damn high, forging rewards are way too low & come too slow for all but the richest Nxters.

...

Slow? Maybe. Low? No, everyone gets the same percentage. Anyways, you can't have high forging rewards and low fees.
I estimate that average forging fees per day will triple if we lower the min. fee to 0.1 NXT

Most NXT is traded within exchanges, no fees are paid to the network for those transactions. Am I correct?

How then would a lowering of the fees triple the income for forging? Would people, all of a sudden, start sending more NXT over the network?
I have many service ideas that are currently nonviable due to 1 NXT fee. At 0.1 NXT some of them become viable, at .01 NXT most of them become viable. I am talking about automated robots doing transaction(s) every block. That is thousand(s) of transactions per day. That is just from me.

Elasticity of demand based on price.

Also, you usually pay 0.2% trading on centralized exchanges. 1 NXT would be the same at a 500 NXT transaction, less for anything bigger. At 0.1 NXT, at 50 NXT transaction it is 0.2%. At 0.01 NXT 5 NXT has the same rate

James
hero member
Activity: 784
Merit: 500
any date set for launch of AE yet?? or still to be decided?

Nobody seems interested to step up and launch.

I proposed the 13th march, and asked if not some one should step up and take ownership for the launch of AE.

no reactions.


How many AE tests have you run?
It is easy complaining about why isn't it ready yet, when is it going to be ready.

NXT peoples, please stop complaining. It is annoying to those of us that are working. If you want to help speed things up, then HELP!

There is a web interface that lets ANYBODY test. You can issue assets, hold trading competitions, all stuff any end user can do.

STOP COMPLAINING
START TESTING

James

whatever ! I rest my case with this. I was testing constantly!

james, I will not COMPLAIN ANYMORE.

wish you all the best and hope you finally produce something out of your pages of ideas and dreams.



You should have a comprehensive test plan for AE. There should be many people coming up with use cases. There should be a checklist of which use cases work, which ones don't.

This should be published.

James

Is there an open source software with an online interface which we could use for logging testcases and bugs?
Something like JIRA?
sr. member
Activity: 421
Merit: 250
HEAT Ledger
Anyone like my idea of an Electrum-like passphrase generator to be included in Nxt clients? Today there are two new stories of newbies who had their Nxt stolen because they used a weak password

https://nextcoin.org/index.php/topic,4316.0.html

Not sure about the Electrum passphrase generator. Offspring does have a passphrase generator since day one. This is the algorithm that generates that passphrase.

Code:
import java.util.Random;

import org.apache.commons.lang3.RandomStringUtils;

private String generatePassphrase() {
    // No space, backslash, newline, tab
    String symbols = "!\"$%^&*()-_=+[{]};:'@#~|,<.>/?"; //$NON-NLS-1$
    String alphaNum = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890"; //$NON-NLS-1$
    int low = 70;
    int high = 90;
    Random random = new Random();
    int count = random.nextInt(high - low) + low;
    return RandomStringUtils.random(count, symbols + alphaNum);
}


Java.util.Random is not cryptographically secure.

Change it to SecureRandom or people using Offspring to create Nxt accounts would be vulnerable

http://stackoverflow.com/questions/11051205/difference-between-java-util-random-and-java-security-securerandom

It depends on what you use the random number for, in this case it makes no difference if you would use SecureRandom or Random.
Anyways thanks for looking it up, tips are always appreciated.