
Topic: NXT :: descendant of Bitcoin - Updated Information - page 503. (Read 2761624 times)

sr. member
Activity: 308
Merit: 250
Hey, I made a windows app for my nxt web interface;

You can download it here: http://nxtra.org/nxt-client/NxtWalletWindows.zip

Just run NxtWallet.exe to start.

Proof of concept at this point, probably bugs in there. Please report.

Donations appreciated at 8189784314684138350

I have also sent the html interface to jean-luc, hopefully it will be in the next version (it is in this NxtWallet.exe already)

Btw, "tools" menu doesn't do anything at the moment.
sr. member
Activity: 457
Merit: 250
Are there any plans to publish the complete and actual source code somewhere in the near future?

I only found the source code of v4.6. Is there something more actual available?

https://bitbucket.org/JeanLucPicard/nxt/src/

Thanks, as far as I understand this, this is not the actual version but something about v0.7. Correct?
hero member
Activity: 644
Merit: 500
Of course I hope the apache RandomStringUtils internally uses SecureRandom, this is where it would matter.

It doesn't

http://www.docjar.com/html/api/org/apache/commons/lang/RandomStringUtils.java.html
legendary
Activity: 1176
Merit: 1134
antanst, aka Evil Bob impersonator, has raised a security weak spot in the current gateway design.
Each gateway currently generates a custom deposit address and when a deposit comes in, it immediately sweeps it to the main multisig acct. The duration of exposure is less than a second (could be set to 50 milliseconds), but it is exposure.

So, I am changing things so that there is no sweeping into a main account. All custom deposit addresses will be 2 of 3 multisig. This will require a fair amount of internal changes, but it eliminates the in transit deposit exposure. Now, all deposits will go directly into a multisig account and stay there until a withdraw request needs the funds.

The multigateway isn't perfect, but I will do everything possible to make sure it is as safe as I can make it.

Does anybody know how to set up Google Authenticator? I think it works by having a seed value associated with each user. I can put the encrypted value of this seed in the AM response to the user. Then for people who choose to activate this feature, they would need to go to a webpage, input their NXT acct # and authenticator token.

With such a setup, can anybody think of how Evil Bob can attack the gateway? All I can think of is a spite DDoS attack that would just slow things down, but no money lost. Any other attack vectors? Can someone forge the NXT acct # in the "sender" field in a confirmed AM transaction?

James

The difficulty arises with the Google Authenticator user documentation. One Base32 (secret) key is expected. You must set the secret key to Base32 in KeePass and restrict your secret key to the Base32 character set: a-z, 2-7. KeePass allows "=" but Google Authenticator does not. Apart from that, the Base32 secret key length is expressed in multiples of 8 characters.
A configuration that works:
Adjust the OTP lock settings:
Length: 6
Secret key: abcdefghxz234567 (Base32)
Counter: 0 (Dec)
Number of OTPs: 3
Look-ahead: 9 (allows 3 failed attempts to unlock using newly generated OTPs before a recovery is needed because the counters have become too far out of sync.)

Set up Google Authenticator:
secret key: abcdefghxz234567
counter: counter based
The first 6 OTPs are:
442843
724600
994767
847513
160505
583080
Make sure you never lose the secret key, or you will be permanently locked out of KeePass if the counters lose synchronization. Also recognize that the real secret is the secret key, not the OTP.

OtpKeyProv
Plugin Author: Dominik Reichl, Plugin Language: English
http://keepass.info/plugins.html#keeotp

OtpKeyProv is a key provider based on one-time passwords. After protecting your database using this plugin, you need to generate and enter one-time passwords in order to open your database.

All generator tokens that follow the OATH HOTP standard (RFC 4226) are supported.

Download plugin: [v2.2 for KeePass 2.20 and higher]
Download source code: [v2.2 for KeePass 2.20 and higher]

If you instead want KeePass to generate one-time passwords, see the {HMACOTP} placeholder. For generating time-based OTPs, see the KeeOtp and Tray TOTP plugins.
I am planning on generating a random seed when a user enables Google Authenticator and storing the encrypted version in the blockchain. That will keep it safe from being lost (at least until the blockchain purge; I guess the seeds would need to be regenerated again).

I don't want to use KeePass, I don't want to secure any database. I just want to be able to generate a Google Authenticator token when a withdraw request is made. So I need a C callable function where I pass in the random seed for the user and get back a pass/fail response. Some details about synchronizing the pass/fail response with user input.

I don't want to spend time figuring out how to configure a server, etc. I need somebody that can set up their own server with a webpage that I can send an API to. Once it is all working, we can move it to the gateway server to avoid sending anything over the internet.

James
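An added example of the pass/fail check described in this post (not gateway or project code): Google Authenticator in counter mode is RFC 4226 HOTP, so the server keeps a per-user seed and counter and accepts a token that matches the stored counter or any of the next few, the same "look-ahead" idea as the KeePass setting quoted above. Class and method names are assumptions; the key is the RFC 4226 test key, not a real user seed.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class HotpCheck {
    static final int DIGITS = 6;

    // HOTP(K, C) per RFC 4226: HMAC-SHA-1 over the 8-byte big-endian counter,
    // dynamic truncation to 31 bits, then reduce modulo 10^DIGITS.
    static int hotp(byte[] key, long counter) throws GeneralSecurityException {
        byte[] msg = new byte[8];
        for (int i = 7; i >= 0; i--) { msg[i] = (byte) counter; counter >>>= 8; }
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(key, "HmacSHA1"));
        byte[] h = mac.doFinal(msg);
        int offset = h[h.length - 1] & 0x0f;
        int bin = ((h[offset] & 0x7f) << 24) | ((h[offset + 1] & 0xff) << 16)
                | ((h[offset + 2] & 0xff) << 8) | (h[offset + 3] & 0xff);
        return bin % (int) Math.pow(10, DIGITS);
    }

    // Gateway-side check: the token passes if it matches the stored counter or any of
    // the next lookAhead counters (the user may have generated codes that never reached
    // us). Returns the counter to store next, or -1 on failure. Counters already used
    // are never tried again, which is what blocks replay of an intercepted token.
    static long verify(byte[] key, long storedCounter, int lookAhead, String token)
            throws GeneralSecurityException {
        byte[] given = token.getBytes(StandardCharsets.US_ASCII);
        for (long c = storedCounter; c <= storedCounter + lookAhead; c++) {
            byte[] expected = String.format("%0" + DIGITS + "d", hotp(key, c))
                    .getBytes(StandardCharsets.US_ASCII);
            if (MessageDigest.isEqual(expected, given)) return c + 1;  // constant-time compare
        }
        return -1;
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // RFC 4226 Appendix D test key (ASCII "12345678901234567890"); its tokens for
        // counters 0, 1 and 2 are 755224, 287082 and 359152.
        byte[] key = "12345678901234567890".getBytes(StandardCharsets.US_ASCII);
        long counter = verify(key, 0, 9, "755224");      // token for counter 0
        counter = verify(key, counter, 9, "359152");     // counter 2, one skipped: resynchronises
        long replay = verify(key, counter, 9, "287082"); // counter 1 presented again
        System.out.println("stored counter " + counter + ", replay result " + replay);
    }
}
```

The seed itself must stay secret on the server side; the tokens are derived from it and are worthless without it, which is the point the KeePass note above makes about the secret key versus the OTP.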
hero member
Activity: 644
Merit: 500

I did my research on random string generator libraries, it seems apache RandomStringUtils is not compromised.

Why aren't you using SecureRandom random = new SecureRandom()?

Simpler version from web

import java.security.SecureRandom;

public class PasswordGen {
    static final int PASSWORD_LENGTH = 16; // not defined in the original snippet
    public static void main(String[] args) {
        char[] allowedCharacters = {'a','b','c','1','2','3','4'};
        SecureRandom random = new SecureRandom();
        StringBuffer password = new StringBuffer();
        for (int i = 0; i < PASSWORD_LENGTH; i++) {
            password.append(allowedCharacters[random.nextInt(allowedCharacters.length)]);
        }
        System.out.println(password);
    }
}

I don't believe I know better than the people from Apache who made that library.
That library is used in 1000s of production systems. You should not reinvent the wheel.

You are right about the difference between SecureRandom and Random, in the code I posted it does however not make sense to use SecureRandom. If you believe it does please explain why it does make sense in the code I posted.

http://www.docjar.com/html/api/org/apache/commons/lang/RandomStringUtils.java.html

They use java.util.Random

Where do you see SecureRandom used by RandomStringUtils?



sr. member
Activity: 392
Merit: 250
Why does my public node, seen in the active peers window, have a red flag and show as disconnected, while it is really live and I can connect to it from outside?
It will be shown as disconnected (permanently) if it cannot be reached at its announced address, or visible address in case it does not announce an address. It may also be switched to disconnected temporarily if a connection fails, but will appear connected again the next time it succeeds.
hero member
Activity: 784
Merit: 500
jean-luc

If you can get asset trades denominated in other assets implemented, then NXT AE would be able to dominate all other centralized exchanges. Basically all cryptos supported by the gateway could be directly traded against any other crypto. It would be fantastic!

After trading, people could withdraw directly to their wallet whatever crypto they have assets for

I think this is a much bigger change than assets supporting fractions, but maybe it's a conditional handling in Order.java for all the trades of an asset denominated in another asset. Even if BTC is the only other asset something can be denominated in, that would get us 90% of the benefit, but I think the way the code is structured, it would be almost the same work to allow arbitrary denominations based in other assets.

James

I will look into that after I am done with the rest of my near term plan. I need to prioritize features, and this is again not a simple change. Supporting fractional amounts is critical because it is needed not only for the AE.

If you've read my PM, I am trying to help you build a core dev team...
sr. member
Activity: 392
Merit: 250
Are there any plans to publish the complete and actual source code somewhere in the near future?

I only found the source code of v4.6. Is there something more actual available?
We only publish in the near past, this way we control the future ;)
hero member
Activity: 784
Merit: 500
Are there any plans to publish the complete and actual source code somewhere in the near future?

I only found the source code of v4.6. Is there something more actual available?

https://bitbucket.org/JeanLucPicard/nxt/src/
sr. member
Activity: 392
Merit: 250
fractional assets also? If the comment field is not possible, I can work around that, but please let me know so I can plan accordingly.

Possibly, I will see what it takes for fractional assets. The comment field is an easier change, I will do that, but will have to reset the test blockchain again.
hero member
Activity: 784
Merit: 500
sr. member
Activity: 457
Merit: 250
Are there any plans to publish the complete and actual source code somewhere in the near future?

I only found the source code of v4.6. Is there something more actual available?
sr. member
Activity: 301
Merit: 250
To increase the benefit of "forging", we could add a commission (e.g. 0.01 Nxt) each time the client is started. This creates more commissions for those who forge, and people are more interested in not closing the client, so they are not charged the commission again.

Is this possible?

Sorry for my English
sr. member
Activity: 421
Merit: 250
HEAT Ledger

I did my research on random string generator libraries, it seems apache RandomStringUtils is not compromised.

Why aren't you using SecureRandom random = new SecureRandom()?

Simpler version from web

import java.security.SecureRandom;

public class PasswordGen {
    static final int PASSWORD_LENGTH = 16; // not defined in the original snippet
    public static void main(String[] args) {
        char[] allowedCharacters = {'a','b','c','1','2','3','4'};
        SecureRandom random = new SecureRandom();
        StringBuffer password = new StringBuffer();
        for (int i = 0; i < PASSWORD_LENGTH; i++) {
            password.append(allowedCharacters[random.nextInt(allowedCharacters.length)]);
        }
        System.out.println(password);
    }
}

I don't believe I know better than the people from Apache who made that library.
That library is used in 1000s of production systems. You should not reinvent the wheel.

You are right about the difference between SecureRandom and Random, in the code I posted it does however not make sense to use SecureRandom. If you believe it does please explain why it does make sense in the code I posted.
legendary
Activity: 1890
Merit: 1086
Ian Knowles - CIYAM Lead Developer
Does anybody know how to set up Google Authenticator? I think it works by having a seed value associated with each user. I can put the encrypted value of this seed in the AM response to the user. Then for people who choose to activate this feature, they would need to go to a webpage, input their NXT acct # and authenticator token.

https://github.com/ciyam/ciyam/blob/master/src/crypt_stream.cpp#L173

Although it is of course in C++ (if you search around you should be able to find it in C).

Am back from Hong Kong now (wasn't online at all for two days so have been busy trying to catch up all afternoon).

As far as people wanting me to be a "core dev" I don't think it would make much sense as I am a C++ programmer not a Java programmer (and have only ever looked at a small amount of the source code) so at this stage I will keep my main involvement to the AT side of things but may get involved with other things down the track.

As far as pools are concerned I think we are going to need them and without them we won't be able to create a "savings account" AT (which I think would be something fairly attractive from a marketing perspective).

I had stated before that my preference for limiting the power of an individual pool account would be to limit the number of accounts that it can use (so that trying to allocate your forging power to a "full" account would actually fail) or to limit the max. amount of forging power to a max. % of total coins (say 1%). Of course there is no reason that both of these limits would not be able to be imposed.

Someone else suggested the leased forging power to be restricted according to the balance of the forging account and I think that it could also be a reasonable way to do it.

The key thing that we are going to want to have is a "lot of small pools" rather than a "few huge ones" so I think we should try and focus on ideas that are going to make it easier for small pools and harder for large pools.
sr. member
Activity: 392
Merit: 250
Is JL available for new dev core team consideration post CFB?
My understanding is that he is here long term

JL, can you confirm this? The community is just trying to take stock of who is and isn't on-board for the months to come.

Yes, I will still be here after CfB leaves.
sr. member
Activity: 392
Merit: 250
about AE test

1. balance=2864
2. ask order (my asset)
  quantity:15, price=200(2nxt) fee=1
  quantity:10, price=300(3nxt)  fee=1
  balance=2862 Ok
3. bid order (my asset)
  quantity:25, price=300(3nxt)   fee=1
4. balance=2846
  should be 2864-3=2861
  so 2861-2846=15 is lost ( 25*3-15*2-10*3=15 )

test OK in 0.8.6

cancelling an order, there are two possible results:
e.g.
1. ask order
    quantity:5, price=100(1nxt) fee=1
    wait a minute, confirmed.
2. bid order
    quantity:4, price=100(1nxt) fee=1
    not confirmed yet
3. cancel the ask order

two results:
a. the bid order wins, confirmed before the cancellation of the ask order
  so the orders match, and the remaining ask order is cancelled ( quantity:1, price=100(1nxt))
b. the cancel of the ask order wins, confirmed before the bid order
  so the bid order doesn't change, and the ask order is cancelled entirely.

test OK in 0.8.6

So you are saying I have managed to fix that bug? Are there any known AE bugs that are still reproducible in 0.8.6?
hero member
Activity: 644
Merit: 500
In this case he is only using java.util.Random to pick up the length of the password, between 70 and 90 chars, so it does not need to be SecureRandom. Of course I hope the apache RandomStringUtils internally uses SecureRandom, this is where it would matter.

Instead of relying on RandomStringUtils, isn't it much simpler to just use SecureRandom to create the password?

import java.security.SecureRandom;

public class PasswordGen {
    static final int PASSWORD_LENGTH = 16; // not defined in the original snippet
    public static void main(String[] args) {
        char[] allowedCharacters = {'a','b','c','1','2','3','4'};
        SecureRandom random = new SecureRandom();
        StringBuffer password = new StringBuffer();
        for (int i = 0; i < PASSWORD_LENGTH; i++) {
            password.append(allowedCharacters[random.nextInt(allowedCharacters.length)]);
        }
        System.out.println(password);
    }
}
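An added example for the RandomStringUtils versus SecureRandom exchange in this thread (this post and the earlier one that points out RandomStringUtils is backed by java.util.Random); it is not code from either poster or from the Nxt client. It puts the two generators side by side and shows why the generator's state size, not the passphrase length, bounds the entropy, and why the tiny 7-symbol alphabet in the quoted snippet is a separate weakness. The 62-symbol alphabet, the 80-character length and the class name are assumptions.

```java
import java.security.SecureRandom;
import java.util.Random;

public class PassphraseEntropy {
    // Alphabet assumed for illustration: the 62 alphanumerics.
    static final String ALPHABET =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";

    static String fill(Random rnd, int length) {
        StringBuilder sb = new StringBuilder(length);
        for (int i = 0; i < length; i++) {
            // nextInt(bound) rejects out-of-range draws, so every symbol is equally likely
            sb.append(ALPHABET.charAt(rnd.nextInt(ALPHABET.length())));
        }
        return sb.toString();
    }

    // Shape of commons-lang RandomStringUtils: a java.util.Random, i.e. a 48-bit LCG.
    // Every character is a function of that 48-bit seed, so the passphrase carries
    // at most 48 bits of entropy no matter how long it is made.
    static String weak(int length, long seed) { return fill(new Random(seed), length); }

    // Hardened form: SecureRandom is backed by the platform CSPRNG. It extends Random,
    // so the same fill() loop is reused unchanged.
    static String strong(int length) { return fill(new SecureRandom(), length); }

    // Entropy actually delivered: the alphabet/length bound, capped by generator state.
    static double effectiveBits(int length, int alphabetSize, double generatorStateBits) {
        double alphabetBits = length * (Math.log(alphabetSize) / Math.log(2));
        return Math.min(alphabetBits, generatorStateBits);
    }

    public static void main(String[] args) {
        // Same seed, same passphrase: the weak generator is fully reproducible.
        System.out.println("weak reproducible:   " + weak(80, 1234L).equals(weak(80, 1234L)));
        System.out.println("strong reproducible: " + strong(80).equals(strong(80)));
        // 80 characters from 62 symbols, drawn through a 48-bit LCG versus a CSPRNG.
        System.out.printf("Random:       %.0f bits%n", effectiveBits(80, 62, 48));
        System.out.printf("SecureRandom: %.0f bits%n", effectiveBits(80, 62, Double.POSITIVE_INFINITY));
        // The 7-symbol alphabet of the quoted snippet is the weaker link even with a CSPRNG.
        System.out.printf("7 symbols:    %.0f bits%n", effectiveBits(80, 7, Double.POSITIVE_INFINITY));
    }
}
```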
sr. member
Activity: 392
Merit: 250
jean-luc

If you can get asset trades denominated in other assets implemented, then NXT AE would be able to dominate all other centralized exchanges. Basically all cryptos supported by the gateway could be directly traded against any other crypto. It would be fantastic!

After trading, people could withdraw directly to their wallet whatever crypto they have assets for

I think this is a much bigger change than assets supporting fractions, but maybe its a conditional handling in Order.java for all the trades of an asset denominated in another asset. Even if BTC is the only other asset something can be denominated in, that would get us 90% of the benefit, but I think the way the code is structured, it would be almost the same work to allow arbitrary denominations based in other assets.

James

I will look into that after I am done with the rest of my near term plan. I need to prioritize features, and this is again not a simple change. Supporting fractional amounts is critical because it is needed not only for the AE.
legendary
Activity: 1181
Merit: 1018


FreeRider AE Client released later today. Stay Tuned.



Nxt :: Asset Exchange Testing
Let's get things organized!

I've created a project for Nxt AE on TestPad.

https://nxt.ontestpad.com

Anyone willing to test AE please join the site so I can add you to the project.

What is TestPad for and why to join?

We can

- write test cases
- run tests step-by-step
- track tests step-by-step
- track bugs
- track bugfixing progress


Please PM me your username after registration.

Edit: TestPad is charging $9/month for every new user. I will pay for the subscription from my own pocket, so please, only join if you are serious about testing.