Topic: NXT :: descendant of Bitcoin - Updated Information - page 1926. (Read 2761645 times)

legendary
Activity: 2142
Merit: 1010
Newbie
When a client transfers NXT from one account to another, is there any record of the IP Address that is broadcasting this transfer?

No.
sr. member
Activity: 378
Merit: 250
Don't forget Framewood, too.  Please notice the date and how little the community paid attention.

https://bitcointalksearch.org/topic/m.4172532

The issue reported by Framewood was of funds being sent to a different account to the one he entered into the browser, as part of a transaction that he initiated, at the same time as he made the transaction; rather than funds being stolen after having unlocked the account in the browser. I'm not fully up to date with the last few pages, but is it yet confirmed to be the same hacker, or even the same issue (bogus client, not e.g. code bug)?
legendary
Activity: 1540
Merit: 1016
Blocks Generated   :   3933
Fee Earned   :   60,718 NXT

this is a nicer hack  Roll Eyes

just before source release.. great!!

devs, please take a look into this ASAP, that person just generated another block.  They are obviously gaming the system somehow.  The balance on that acct has never been very high, yet they forge TONS of blocks

all,

remember....


Actually there will be 3 flaws in the source code.


How fast it is ? It is 50 million account and perhaps it is the only big account forging.
it was 128k few minutes ago in blockchain. first transaction was 29/11. But now 24/11 Magic http://clip2net.com/s/6vAqOt
full member
Activity: 266
Merit: 100
NXT is the future
nxt needs more technical support!

What do you mean?

Pin
full member
Activity: 196
Merit: 100

Dude.  I respectfully ask that you remove this.  We are trying to get Thomas to open up and tell us what happened.  He has made a mistake.  He will work with us if he sees a path to redemption.  This would be a good thing.

Dude (as you say) I have not accused anyone! I'm taking a poke at all the fingers poking towards Thomas. We are all very quick to blame before (if) we know all the facts.

With respect I will not remove the image.

Don't care about the image...
But I do care about the implication that he is not to blame at all - facts so far;

Trojan download came from his server for the affected accounts (see posts about browser history)
He admitted - in the previous post in putting the trojan code there.
He denies having used the data that was sent to his server or attempted to be sent in the clear over the internet to steal from the affected accounts.
If we believe the denial I think 'accomplice after the fact' is still applicable...

the other statement 'there are other modified clients out there' is an obvious one I'm sure there are but other wrongdoers do not lessen the severity of this one.

I agree what Thomas did was a very severe bad act.  But there's obviously more to the story here, and he knows it, and we need to find out about it.     Hammering him about how bad he has been will not engender his cooperation.   This is still a salvageable situation as long as the stolen NXT is isolated with the possibility of returning it to its rightful owners.  Thomas is currently saying he cannot do that.  Maybe that is true and maybe not.  I want to hear more from him and I want to offer him a way to minimize the shitstorm he is walking through if he plays ball to accomplish restitution.  If he can't do that, maybe he knows who can.  I hope he will come back onto the site and talk about this, or PM me to discuss privately if he is more comfortable doing that.
sr. member
Activity: 602
Merit: 268
Internet of Value
Blocks Generated   :   3933
Fee Earned   :   60,718 NXT

this is a nicer hack  Roll Eyes

just before source release.. great!!

devs, please take a look into this ASAP, that person just generated another block.  They are obviously gaming the system somehow.  The balance on that acct has never been very high, yet they forge TONS of blocks

all,

remember....


Actually there will be 3 flaws in the source code.


How fast it is ? It is 50 million account and perhaps it is the only big account forging.
hero member
Activity: 834
Merit: 524
Nxt NEM
...before starting playing with customers.

Your understanding of cryptocurrencies is jaw-dropping!   Grin

Your understanding of SW development is jaw-dropping!   :-(
full member
Activity: 266
Merit: 100
NXT is the future
Blocks Generated   :   3933
Fee Earned   :   60,718 NXT

this is a nicer hack  Roll Eyes

just before source release.. great!!

devs, please take a look into this ASAP, that person just generated another block.  They are obviously gaming the system somehow.  The balance on that acct has never been very high, yet they forge TONS of blocks

all,

remember....


Actually there will be 3 flaws in the source code.
legendary
Activity: 1540
Merit: 1016
Hey guys see you on 666 page Grin Grin
full member
Activity: 196
Merit: 100

Dude.  I respectfully ask that you remove this.  We are trying to get Thomas to open up and tell us what happened.  He has made a mistake.  He will work with us if he sees a path to redemption.  This would be a good thing.

Dude (as you say) I have not accused anyone! I'm taking a poke at all the fingers poking towards Thomas. We are all very quick to blame before (if) we know all the facts.

With respect I will not remove the image.

I see your point.  As you wish.
sr. member
Activity: 952
Merit: 253

Dude.  I respectfully ask that you remove this.  We are trying to get Thomas to open up and tell us what happened.  He has made a mistake.  He will work with us if he sees a path to redemption.  This would be a good thing.

Dude (as you say) I have not accused anyone! I'm taking a poke at all the fingers poking towards Thomas. We are all very quick to blame before (if) we know all the facts.

With respect I will not remove the image.

Don't care about the image...
But I do care about the implication that he is not to blame at all - facts so far;

Trojan download came from his server for the affected accounts (see posts about browser history)
He admitted - in the previous post in putting the trojan code there.
He denies having used the data that was sent to his server or attempted to be sent in the clear over the internet to steal from the affected accounts.
If we believe the denial I think 'accomplice after the fact' is still applicable...

the other statement 'there are other modified clients out there' is an obvious one I'm sure there are but other wrongdoers do not lessen the severity of this one.
sr. member
Activity: 308
Merit: 250
Jean-Luc: Work is going well for the local check to test the update's sha256 hash via javascript. But I have to go away for a few hours so it may only be tomorrow before I release it.
hero member
Activity: 834
Merit: 524
Nxt NEM
nxt needs more technical support!

yes, looks like so ...
At least the debug tools should have been waterproof before starting playing with customers.
Block chain explorer is currently the only 'debug' tool and it should work.
If it shows some strange figures, it won't increase the trust of a new currency - which indeed is told to present a totally new, different from bitcoin and others, currency platform.

New customers may think that they have made a new wheel - but it is not well enough tested.


member
Activity: 75
Merit: 10

Dude.  I respectfully ask that you remove this.  We are trying to get Thomas to open up and tell us what happened.  He has made a mistake.  He will work with us if he sees a path to redemption.  This would be a good thing.

Dude (as you say) I have not accused anyone! I'm taking a poke at all the fingers poking towards Thomas. We are all very quick to blame before (if) we know all the facts.

With respect I will not remove the image.
full member
Activity: 238
Merit: 100

Yes, but you should check the SHA-256 once you download it.

We will start linking to the client announcement post on nxtcrypo.org sites for easy reference back to verify checksum from dev team
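
The checksum check discussed in this thread, as an added example (not code from the NXT developers or from any poster here): it hashes a downloaded archive, requires that the digest published through independent channels (for instance the announcement post and the blockchain alias quoted elsewhere on this page) agrees, and refuses the infected client's digest posted in this thread. The function names and result fields are hypothetical.

```javascript
// Added example, not NXT project code: verify a downloaded client archive.
const crypto = require('crypto');
const fs = require('fs');

// SHA-256 of the infected client, as posted in this thread.
const KNOWN_BAD = ['948CE760C379F13F4EA9DEF6BABAA36B0D706BF91098F1D64945FDDE3EAC5F06'];

// Accept upper- or lower-case hex with stray whitespace; reject anything else.
function normalizeHex(s) {
  const h = String(s).replace(/\s+/g, '').toLowerCase();
  if (!/^[0-9a-f]{64}$/.test(h)) throw new Error('not a SHA-256 hex digest');
  return h;
}

// Hash the file in 64 KiB chunks so a large archive is never held in memory.
function sha256File(path) {
  const hash = crypto.createHash('sha256');
  const buf = Buffer.alloc(64 * 1024);
  const fd = fs.openSync(path, 'r');
  try {
    let n;
    while ((n = fs.readSync(fd, buf, 0, buf.length, null)) > 0) {
      hash.update(buf.subarray(0, n));
    }
  } finally {
    fs.closeSync(fd);
  }
  return hash.digest('hex');
}

// publishedDigests: the same checksum copied from each independent channel.
// If the channels do not agree on one value, nothing is trusted.
function verifyDownload(path, publishedDigests, knownBad = KNOWN_BAD) {
  const expected = [...new Set(publishedDigests.map(normalizeHex))];
  if (expected.length !== 1) return { ok: false, reason: 'no-agreed-digest' };
  const actual = sha256File(path);
  if (knownBad.map(normalizeHex).includes(actual)) {
    return { ok: false, reason: 'known-bad', actual };
  }
  const ok = crypto.timingSafeEqual(
    Buffer.from(actual, 'hex'), Buffer.from(expected[0], 'hex'));
  return { ok, reason: ok ? 'match' : 'mismatch', actual };
}
```

A checksum copied from the same server that served the archive proves nothing if that server is the compromised one, which is why the expected value is taken from more than one place.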
sr. member
Activity: 386
Merit: 250

I know there are other modified clients around whether they use the same type of attack I don't know.


Let me be very direct with this question and you need to sit at the keyboard for 5 minutes thinking about the answer you are about to type.

Do not lie about this because you are in deep shit.  

Who else did you communicate with about your posting a contaminated NXT client at 162.243.246.233, and who communicated with you about the posting of ANY contaminated NXT clients ANYWHERE?

I like your style, Mr. James.

Did you get my zip file, and were you able to verify or dis-verify (word?) the version?

I did indeed get your client file, definitely infected, SHA-256 was:

948CE760C379F13F4EA9DEF6BABAA36B0D706BF91098F1D64945FDDE3EAC5F06



THANK YOU!
You have no idea how awful this whole thing has been, not the least of which was being disbelieved by some on this thread. There is a reward in heaven, I suppose for your efforts. But you won't have to wait that long. I will be sending you a NXT thank you out of my remaining funds (or reclaimed funds, if that ever happens) in thanks for your advocating for me.
full member
Activity: 196
Merit: 100

I know there are other modified clients around whether they use the same type of attack I don't know.


Let me be very direct with this question and you need to sit at the keyboard for 5 minutes thinking about the answer you are about to type.

Do not lie about this because you are in deep shit.  

Who else did you communicate with about your posting a contaminated NXT client at 162.243.246.233, and who communicated with you about the posting of ANY contaminated NXT clients ANYWHERE?

I like your style, Mr. James.

Did you get my zip file, and were you able to verify or dis-verify (word?) the version?

I did indeed get your client file, definitely infected, SHA-256 was:

948CE760C379F13F4EA9DEF6BABAA36B0D706BF91098F1D64945FDDE3EAC5F06

full member
Activity: 196
Merit: 100

Dude.  I respectfully ask that you remove your Judas image.  We are trying to get Thomas to open up here and tell us what happened.  We need to find out for ourselves what he knows now.  He has made a mistake.  He will work with us if he sees a path to redemption.  This would be a good thing.
full member
Activity: 126
Merit: 100
Is this legit? (http://info.nxtcrypto.org/client-update-0-4-9e-beta/)

Quote
NXT client v0.4.9e [beta] has been released!

This is to be considered EXPERIMENTAL release. There are quite a few changes so be careful. Stay with the stable 0.4.8 version if you don’t want to take chances.

SHA-256 checksum for v0.4.9e:

4e12df42f9f4727fa34eb62483880c0b2b93f45dfff4b4db8fdc293aecb815e9

From the blockchain, the alias for the sha256 sum is NRSbetaversion.

Download:

http://info. nxtcrypto.org /nxt-client-0.4.9e .zip

Changelog:

Many concurrency related fixes and optimization. Those should significantly improve performance and stability and decrease the likelihood of the client being stuck and needing a restart. Performance optimizations, reducing the number of temporary objects being created in the peer networking, making sure connections are properly closed.

Memory requirements are lower now, my servers never exceed 1.5 GB. You should be able to run it on a 2 GB VPS node with -Xmx1536M without problems now. If you don’t attract a lot of traffic (don’t publish your IP), memory will even stay below 1GB.

Unlocking an account now makes sure to automatically lock out all other instances of the same account on the same server. In other words, if you open several browser windows to the same server (localhost), you can only be logged in to the same account in one of them at a time. This does not prevent you however from unlocking the same account on multiple machines (but you shouldn’t be doing that). Generate authorization token will also ask for a secret phrase confirmation again.

As you may or may not have noticed, Transparent Forging has already started. My last minute decision to start at 32000 somehow didn’t make it in the package I released as 0.4.8 (I make mistakes too), so 0.4.8 got released with the switchover still at 30000. So block 30000 it is now, and we are already there.

Minor changes:

Added Get Account Aliases, Get Alias URI, and Get Multiple Account Balances features to the https://localhost:7875/admin.html page.

Added a few more well-known nodes to the default in the web.xml.

There is one serious security issue which is not completely fixed in 0.4.9e. All requests URLs are being cached by the browser, and even though they don’t appear in the browsing history (which is why we didn’t discover the problem earlier), they are still in the browser cache. Check for yourself using about:cache on firefox.

This is bad, as it means your secret phrase is being written out to disk as plain text in the browser cache. And I am sure javascript exploits will appear which will try to extract it from there. To really fix that, all API requests from the browser that include the secret phrase have to be sent as POST, rather than GET requests. But this will require some significant changes to the javascript client, which will take some time.

As we don’t plan to maintain the current javascript client, I am not sure if such rewriting should even be undertaken now. In 0.4.9e I at least added the response headers which prevent caching to disk. Firefox honors those, but still caches the request URLs to memory.

To be safe, I strongly suggest using a separate browser profile only for accessing your NXT client, or private browsing mode.

Everybody using 0.4.8 and earlier should immediately delete their browser cache.

Yes, but you should check the SHA-256 once you download it.
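
The GET-versus-POST issue described in the quoted release note, as an added example (not the NXT client's code and not part of the original post): the first builder reproduces the pattern that puts the secret phrase into the request URL, the second moves it into a POST body, and a guard refuses any request whose URL still carries it. The `/nxt` path, the `secretPhrase` and `requestType` parameter names, the sample values and the specific no-store headers are assumptions for illustration.

```javascript
// Added example, not the NXT client's code. Parameter names are assumptions.
const SENSITIVE = new Set(['secretphrase']); // assumed name of the secret field

// Names of sensitive parameters found in a URL's query string.
function secretsInUrl(url) {
  const q = new URL(url, 'https://localhost:7875').searchParams;
  return [...q.keys()].filter((k) => SENSITIVE.has(k.toLowerCase()));
}

// Pattern the release note warns about: every parameter goes into the GET URL,
// so the secret becomes part of whatever the browser caches for that URL.
function buildGetRequest(path, params) {
  return { method: 'GET', url: path + '?' + new URLSearchParams(params).toString() };
}

// Corrected pattern: parameters travel in the POST body, the URL stays constant.
function buildPostRequest(path, params) {
  return {
    method: 'POST',
    url: path,
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: new URLSearchParams(params).toString(),
  };
}

// Guard to call before sending: reject any request with a secret in its URL.
function assertNoSecretInUrl(req) {
  const hits = secretsInUrl(req.url);
  if (hits.length) throw new Error('secret in URL: ' + hits.join(','));
  return req;
}

// Response headers that ask the browser not to store the response at all
// (assumed; the release note does not say which headers 0.4.9e sends).
function noStoreHeaders() {
  return { 'Cache-Control': 'no-store', Pragma: 'no-cache', Expires: '0' };
}

// Constructed sample values, for demonstration only.
const sample = { requestType: 'sendMoney', secretPhrase: 'constructed example phrase' };
console.log('GET leaks:', secretsInUrl(buildGetRequest('/nxt', sample).url));
console.log('POST url:', assertNoSecretInUrl(buildPostRequest('/nxt', sample)).url);
```

As the release note observes, the headers alone do not keep the request URL out of the in-memory cache, so the guard on the URL is the check that matters.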
member
Activity: 75
Merit: 10