Topic: NXT :: descendant of Bitcoin - Updated Information - page 1931. (Read 2761645 times)

hero member
Activity: 687
Merit: 500

Hey CfB... will there be a new thread for the official NXT source code release?

U should ask Jean-Luc. I'll create a thread about the bounties for found flaws.

@Jean-Luc and CfB: Is there a concrete timeline or do we just have to refresh the browser every minute tomorrow?  Grin
hero member
Activity: 784
Merit: 500
Isn't there a JavaScript library to check sha256 sums? If so, somebody more fluent than me in JavaScript can easily add an update.html page to the client. It can request the value of the NRSversion alias from localhost, which contains the latest stable version and sha256, and I can also start putting the download URL as a value of NRSrelease alias. Then download the zip file from that URL, check if sha256 matches, and notify the user whether the downloaded zip file is legitimate or not. No need to trust a third party or manually check sha256 sums. Only the first time you download a client do you need to verify manually.


Great idea! Anyone fit in javascript?
legendary
Activity: 1540
Merit: 1016
With 0.4.9e, cannot synchronize the blockchain.
Need to copy .nxt from 0.4.8 to 0.4.9e?
maybe add more wellknownpeers
full member
Activity: 126
Merit: 100
With 0.4.9e, cannot synchronize the blockchain.
Need to copy .nxt from 0.4.8 to 0.4.9e?

Yes copy them over from the .4.8 to the new one
No need to delete *.nxt files between releases.
legendary
Activity: 1512
Merit: 1004
With 0.4.9e, cannot synchronize the blockchain.
Need to copy .nxt from 0.4.8 to 0.4.9e?
legendary
Activity: 1540
Merit: 1016

There is an NXT thread for Chinese people and all of you. Wink
NXT for Chinese people.

https://bitcointalksearch.org/topic/nxt-361812

Done!
hero member
Activity: 490
Merit: 504
Thief EpicThomas:
https://bitcointalksearch.org/user/epicthomas-172850
Owner of "epicdices.com" (http://domain-kb.com/www/epicdices.com)

Thief posts made by nick EpicThomas (originally with a link to the hacked client):
31-12-2013, 14:23:22: https://bitcointalksearch.org/topic/m.4237883
31-12-2013, 12:53:39: https://bitcointalksearch.org/topic/m.4236707
28-12-2013, 13:28:54: https://bitcointalksearch.org/topic/m.4184582

Since there were other thefts before these posts, older posts were deleted or posted by another account.

Thefts from block:
http://87.230.14.1/nxt/nxt.cgi?action=1000&blk=17240155162180650056:

01.01.2014 12:56:54 18,665 Nxt from plasticAiredale     http://87.230.14.1/nxt/nxt.cgi?action=3000&acc=15182566201738727933
01.01.2014 12:58:03 7,808 Nxt from PaulyC   http://87.230.14.1/nxt/nxt.cgi?action=3000&acc=16204974692852323982 (more older thefts here) A
01.01.2014 13:01:45   18,197 Nxt from newcn   http://87.230.14.1/nxt/nxt.cgi?action=3000&acc=9793828175536096502
01.01.2014 13:03:39 92 Nxt http://87.230.14.1/nxt/nxt.cgi?action=3000&acc=6164081464868000542 (more older thefts here) B
01.01.2014 13:05:06 147,690 Nxt from sparta_cuss    http://87.230.14.1/nxt/nxt.cgi?action=3000&acc=12152013998194592943

Thefts from block:
http://87.230.14.1/nxt/nxt.cgi?action=1000&blk=11727357463857289892

29.12.2013 08:21:32      99 Nxt   http://87.230.14.1/nxt/nxt.cgi?action=3000&acc=16204974692852323982 A
29.12.2013 08:20:26      55 Nxt   http://87.230.14.1/nxt/nxt.cgi?action=3000&acc=16204974692852323982 A
29.12.2013 08:19:32      502 Nxt   http://87.230.14.1/nxt/nxt.cgi?action=3000&acc=16204974692852323982 A
29.12.2013 08:19:00      499 Nxt   http://87.230.14.1/nxt/nxt.cgi?action=3000&acc=16204974692852323982 A

Single thefts (blocks checked):
27.12.2013 00:03:22      509 Nxt  http://87.230.14.1/nxt/nxt.cgi?action=3000&acc=6164081464868000542 B
26.12.2013 20:26:15      499 Nxt http://87.230.14.1/nxt/nxt.cgi?action=3000&acc=6164081464868000542 B
26.12.2013 18:39:14          500 Nxt http://87.230.14.1/nxt/nxt.cgi?action=3000&acc=6164081464868000542 B
26.12.2013 12:53:07           98 Nxt http://87.230.14.1/nxt/nxt.cgi?action=3000&acc=6164081464868000542 B

block: http://87.230.14.1/nxt/nxt.cgi?action=1000&blk=7058684459482772470
25.12.2013 18:25:25      999   Nxt   http://87.230.14.1/nxt/nxt.cgi?action=3000&acc=6164081464868000542 B
25.12.2013 18:24:54      705   Nxt   http://87.230.14.1/nxt/nxt.cgi?action=3000&acc=6164081464868000542 B

Single thefts (blocks checked):
25.12.2013 14:59:46      499  Nxt    http://87.230.14.1/nxt/nxt.cgi?action=3000&acc=6164081464868000542 B

block: http://87.230.14.1/nxt/nxt.cgi?action=1000&blk=15904983691408191996
23.12.2013 19:06:16      255 Nxt http://87.230.14.1/nxt/nxt.cgi?action=3000&acc=6164081464868000542 B
23.12.2013 19:08:26         1,004 http://87.230.14.1/nxt/nxt.cgi?action=3000&acc=10543042600713097314 (?? - not sure if theft)

23.12.2013 19:05:48  499 Nxt http://87.230.14.1/nxt/nxt.cgi?action=3000&acc=6164081464868000542 B

22.12.2013 09:22:08 999 Nxt http://87.230.14.1/nxt/nxt.cgi?action=3000&acc=6164081464868000542&offset=11&filter=1 B
16.12.2013 15:48:56 3,874 Nxt http://87.230.14.1/nxt/nxt.cgi?action=3000&acc=6164081464868000542&offset=11&filter=1 B
sr. member
Activity: 392
Merit: 250
Isn't there a JavaScript library to check sha256 sums? If so, somebody more fluent than me in JavaScript can easily add an update.html page to the client. It can request the value of the NRSversion alias from localhost, which contains the latest stable version and sha256, and I can also start putting the download URL as a value of NRSrelease alias. Then download the zip file from that URL, check if sha256 matches, and notify the user whether the downloaded zip file is legitimate or not. No need to trust a third party or manually check sha256 sums. Only the first time you download a client do you need to verify manually.
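
The update check proposed in this post, as an added example that is not part of the original thread or of NXT's own code. The alias value layout `<version> <sha256-hex>`, all function names and the sample bytes are assumptions made for illustration; the two network fetches are left to the caller.

```javascript
// Added example, not NXT project code. Uses the Web Crypto API (browsers, Node).
const subtle = (globalThis.crypto ?? require('node:crypto').webcrypto).subtle;

// Parse the NRSversion alias value. Assumed layout: "<version> <64 hex chars>".
// Anything else is rejected instead of being compared loosely.
function parseVersionAlias(value) {
  const m = /^\s*(\S+)\s+([0-9a-fA-F]{64})\s*$/.exec(value);
  if (!m) throw new Error('alias value is not "<version> <sha256 hex>"');
  return { version: m[1], sha256: m[2].toLowerCase() };
}

// SHA-256 of a byte buffer, returned as lowercase hex.
async function sha256Hex(bytes) {
  const digest = new Uint8Array(await subtle.digest('SHA-256', bytes));
  return Array.from(digest, (b) => b.toString(16).padStart(2, '0')).join('');
}

// Compare the downloaded zip against the digest announced in the alias.
// Returns a verdict object; the page decides how to show it to the user.
async function verifyRelease(aliasValue, zipBytes) {
  const expected = parseVersionAlias(aliasValue);
  const actual = await sha256Hex(zipBytes);
  return {
    version: expected.version,
    expected: expected.sha256,
    actual,
    ok: actual === expected.sha256,
  };
}

// In update.html the inputs would come from two requests:
//   aliasValue <- the local client's answer for the NRSversion alias
//   zipBytes   <- new Uint8Array(await (await fetch(releaseUrl)).arrayBuffer())
// Here both are constructed so the example runs offline.
async function demo() {
  const enc = new TextEncoder();
  const alias = // constructed value: digest of the bytes "abc"
    '0.0.0-example ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad';
  const good = await verifyRelease(alias, enc.encode('abc'));
  const tampered = await verifyRelease(alias, enc.encode('abd')); // one byte changed
  return { good: good.ok, tampered: tampered.ok };
}
```

The verdict is only as trustworthy as the already-installed client that answers the alias request, which is why the first download still has to be checked by hand.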
legendary
Activity: 1512
Merit: 1004

There is an NXT thread for Chinese people and all of you. Wink
NXT for Chinese people.

https://bitcointalksearch.org/topic/nxt-361812
legendary
Activity: 1540
Merit: 1016

Hey CfB... will there be a new thread for the official NXT source code release?

U should ask Jean-Luc. I'll create a thread about the bounties for found flaws.


Hey CfB Jean-Luc... will there be a new thread for the official NXT source code release?   lmao   Grin
Grin
sr. member
Activity: 392
Merit: 250
Hey CfB Jean-Luc... will there be a new thread for the official NXT source code release?   lmao   Grin
Fine, I will start one tomorrow after I do it.
hero member
Activity: 739
Merit: 500

Going forward from this moment:

How can we be 100% sure someone's coins are actually stolen? The victim could himself open an account and send the funds there... then after a period of time he then transfers the stolen funds to some new account and carries on happily ever after.

MOTIVATION: Those who have their funds stolen may get some sort of funding to compensate for their loss.  A greedy individual may take advantage of this.

 

Because of this reason, I think only PaulyC and newcn are eligible for some type of reimbursement/ bounties for uncovering the bogus client.

You guys need to rethink this.  The evidence shows pretty conclusively that Sparta_cuss was actually robbed and reported it before either PaulyC or newcn.  Plus Framewood beat them all to it by a couple of days.

So - we gonna create a loss fund to cover 300K NXT and counting?

Paying back stolen Nxt is not realistic. Shit happens.
However PaulyC (and to a smaller extent newcn) should (and did) get a bounty for uncovering the method of the theft, saving others.
legendary
Activity: 1092
Merit: 1010
I just checked the nxt$Crypto.class that I downloaded yesterday via the instructions for linux, and I get this.
It doesn't match at all with what is reported should be in there, but is also different from the "modified" file posted yesterday.
Can someone explain if I need to freak out or not?

Code:
things that are confusing to Damelon

thnx for posting!

Hey devs... should users be worried about having arrayOfByte as opposed to publicKey in the code above?

Looks like arrayOfByte is just how ur decompiler translated this:

Code:
things that are also confusing to Damelon

Hallelujah, seems I am still safe then. Thanks for the feedback. Smiley
legendary
Activity: 2142
Merit: 1010
Newbie

Hey CfB... will there be a new thread for the official NXT source code release?

U should ask Jean-Luc. I'll create a thread about the bounties for found flaws.
legendary
Activity: 2142
Merit: 1010
Newbie
I just checked the nxt$Crypto.class that I downloaded yesterday via the instructions for linux, and I get this.
It doesn't match at all with what is reported should be in there, but is also different from the "modified" file posted yesterday.
Can someone explain if I need to freak out or not?

Code:
import java.security.MessageDigest;
import java.util.Arrays;

class Nxt$Crypto
{
  static byte[] getPublicKey(String paramString)
  {
    try
    {
      byte[] arrayOfByte = new byte[32];
      Nxt.Curve25519.keygen(arrayOfByte, null, MessageDigest.getInstance("SHA-256").digest(paramString.getBytes("UTF-8")));
      return arrayOfByte;
    }
    catch (Exception localException) {}
    return null;
  }
  
  static byte[] sign(byte[] paramArrayOfByte, String paramString)
  {
    try
    {
      byte[] arrayOfByte1 = new byte[32];
      byte[] arrayOfByte2 = new byte[32];
      MessageDigest localMessageDigest = MessageDigest.getInstance("SHA-256");
      Nxt.Curve25519.keygen(arrayOfByte1, arrayOfByte2, localMessageDigest.digest(paramString.getBytes("UTF-8")));
      byte[] arrayOfByte3 = localMessageDigest.digest(paramArrayOfByte);
      localMessageDigest.update(arrayOfByte3);
      byte[] arrayOfByte4 = localMessageDigest.digest(arrayOfByte2);
      byte[] arrayOfByte5 = new byte[32];
      Nxt.Curve25519.keygen(arrayOfByte5, null, arrayOfByte4);
      localMessageDigest.update(arrayOfByte3);
      byte[] arrayOfByte6 = localMessageDigest.digest(arrayOfByte5);
      byte[] arrayOfByte7 = new byte[32];
      Nxt.Curve25519.sign(arrayOfByte7, arrayOfByte6, arrayOfByte4, arrayOfByte2);
      byte[] arrayOfByte8 = new byte[64];
      System.arraycopy(arrayOfByte7, 0, arrayOfByte8, 0, 32);
      System.arraycopy(arrayOfByte6, 0, arrayOfByte8, 32, 32);
      return arrayOfByte8;
    }
    catch (Exception localException) {}
    return null;
  }
  
  static boolean verify(byte[] paramArrayOfByte1, byte[] paramArrayOfByte2, byte[] paramArrayOfByte3)
  {
    try
    {
      byte[] arrayOfByte1 = new byte[32];
      byte[] arrayOfByte2 = new byte[32];
      System.arraycopy(paramArrayOfByte1, 0, arrayOfByte2, 0, 32);
      byte[] arrayOfByte3 = new byte[32];
      System.arraycopy(paramArrayOfByte1, 32, arrayOfByte3, 0, 32);
      Nxt.Curve25519.verify(arrayOfByte1, arrayOfByte2, arrayOfByte3, paramArrayOfByte3);
      MessageDigest localMessageDigest = MessageDigest.getInstance("SHA-256");
      byte[] arrayOfByte4 = localMessageDigest.digest(paramArrayOfByte2);
      localMessageDigest.update(arrayOfByte4);
      byte[] arrayOfByte5 = localMessageDigest.digest(arrayOfByte1);
      return Arrays.equals(arrayOfByte3, arrayOfByte5);
    }
    catch (Exception localException) {}
    return false;
  }
}

thnx for posting!

Hey devs... should users be worried about having arrayOfByte as opposed to publicKey in the code above?

Looks like arrayOfByte is just how ur decompiler translated this:

Code:
static class Crypto {

    static byte[] getPublicKey(String secretPhrase) {

        try {

            byte[] publicKey = new byte[32];
            Curve25519.keygen(publicKey, null, MessageDigest.getInstance("SHA-256").digest(secretPhrase.getBytes("UTF-8")));

            return publicKey;

        } catch (Exception e) {

            return null;

        }

    }

    static byte[] sign(byte[] message, String secretPhrase) {

        try {

            byte[] P = new byte[32];
            byte[] s = new byte[32];
            MessageDigest digest = MessageDigest.getInstance("SHA-256");
            Curve25519.keygen(P, s, digest.digest(secretPhrase.getBytes("UTF-8")));

            byte[] m = digest.digest(message);

            digest.update(m);
            byte[] x = digest.digest(s);

            byte[] Y = new byte[32];
            Curve25519.keygen(Y, null, x);

            digest.update(m);
            byte[] h = digest.digest(Y);

            byte[] v = new byte[32];
            Curve25519.sign(v, h, x, s);

            byte[] signature = new byte[64];
            System.arraycopy(v, 0, signature, 0, 32);
            System.arraycopy(h, 0, signature, 32, 32);

            return signature;

        } catch (Exception e) {

            return null;

        }

    }

    static boolean verify(byte[] signature, byte[] message, byte[] publicKey) {

        try {

            byte[] Y = new byte[32];
            byte[] v = new byte[32];
            System.arraycopy(signature, 0, v, 0, 32);
            byte[] h = new byte[32];
            System.arraycopy(signature, 32, h, 0, 32);
            Curve25519.verify(Y, v, h, publicKey);

            MessageDigest digest = MessageDigest.getInstance("SHA-256");
            byte[] m = digest.digest(message);
            digest.update(m);
            byte[] h2 = digest.digest(Y);

            return Arrays.equals(h, h2);

        } catch (Exception e) {

            return false;

        }

    }

}
hero member
Activity: 784
Merit: 500
I volunteer as part of a doorkicking crew if he's within a reasonable distance of Amsterdam.

We could travel together  Grin



We can make a fund for that!
But you have to post photos! Smiley
legendary
Activity: 1092
Merit: 1010
I volunteer as part of a doorkicking crew if he's within a reasonable distance of Amsterdam.

We could travel together  Grin

legendary
Activity: 2142
Merit: 1010
Newbie
Currently it looks like EpicThomas only was able to get a few accounts. Hopefully now people will be more vigilant with downloading new clients. But if there is no official client, or at least one endorsed by CFB, how do we even know if the posted hash is the one for the client that isn't hacked? Who else can we trust?

Just make sure it matches SHA256 checksum posted by Jean-Luc.
full member
Activity: 196
Merit: 100

You guys need to rethink this.  The evidence shows pretty conclusively that Sparta_cuss was actually robbed and reported it before either PaulyC or newcn.  Plus Framewood beat them all to it by a couple of days.

So - we gonna create a loss fund to cover 300K NXT and counting?

I'm relatively NXT poor, but I'll contribute 1k to a theft fund if it's set up.



The fact is that the stolen NXT from all five of these guys is sitting stuck in the five thief accounts and it can't get converted to BTC without going thru Dgex.   That ain't gonna happen.

This is a major crime in the tens of thousands of dollars range and we know who did it.  People go to prison for years for this kind of crap.
  
(Are you reading this, EpicThomas?  I know you are.)  

You know, if the NXT were somehow to be magically transferred back into the accounts where it is supposed to be, maybe just maybe I won't personally make it my mission to find your home address and phone number, post it right here on this forum, and call the police in your local town or city.

Do you feel lucky, punk?
hero member
Activity: 854
Merit: 1001
I am still updating my original post.
https://bitcointalksearch.org/topic/m.4269560

EvilDave is online so he is cleaning probably. After my research I will check all quoting links for the clients, can anyone help? Like to check pages 500-550...?

Not me, salsa, I'm an innocent bystander here.
Intel got EpicThomas and EvilDave mixed up for a moment in the heat of the fight.

So do we have any leads on the realworld ID and/or location of EpicThomas ?
I volunteer as part of a doorkicking crew if he's within a reasonable distance of Amsterdam.

@Damelon...thx for the quick correction, bro.