Topic: NXT :: descendant of Bitcoin - Updated Information - page 1933. (Read 2761645 times)

legendary
Activity: 2184
Merit: 1000
Ben just posted this in Forum....should this be regulated.

*LINK TO THE NEW CLIENT!

https://nextcoin.org/index.php/topic,2038.0/topicseen.html



WHO IS PUNKROCK?


This kind of link matches EPICTHOMAS Pattern!


We need multiple checks on this.

sr. member
Activity: 602
Merit: 268
Internet of Value
Let's keep the historical record straight here.  sparta_cuss reported this before PaulyC, and sparta_cuss was immediately blown off by CfB:

Quote from: sparta_cuss on January 01, 2014, 04:05:58 PM

Hey, looks like I just got robbed, too.
Someone please check this account: 12152013998194592943
They now have 147k+ from me.
Had a 40 char random password, capital, lower, numbers, symbols.
WTF?



Don't forget Framewood, too.  Please notice the date and how little the community paid attention.

https://bitcointalksearch.org/topic/m.4172532

This bears repeating:

Please notice the date and how little the community paid attention. 

Yeah unfortunately at the time it was a one time thing, made by a Jr. Member so everybody probably just figured it was user error, plus he didn't raise much of a stink after. Doesn't justify it, but probably explains it.

Currently it looks like EpicThomas only was able to get a few accounts. Hopefully now people will be more vigilant with downloading new clients. But if there is no official client, or at least one endorsed by CFB, how do we even know if the posted hash is the one for the client that isn't hacked? Who else can we trust?

We have three groups of core developers: BCNext, CfB and Luc. Luc will release new clients from now on. He just posted the 0.4.9 client and I am running it right now.
full member
Activity: 207
Merit: 120
...


please add big warning not to use downloading link from the cache. And congrats - now we have all clues.

Done

I modified my posts as well. Good thinking.
legendary
Activity: 1181
Merit: 1002
...


please add big warning not to use downloading link from the cache. And congrats - now we have all clues.

Done
hero member
Activity: 490
Merit: 504
...


please add big warning not to use downloading link from the cache. And congrats - now we have all clues.
legendary
Activity: 1151
Merit: 1003
Is it possible to provide self test (like ECC) mechanism for safety code in Nxt client to prevent thefts in future?
full member
Activity: 207
Merit: 120
Let's keep the historical record straight here.  sparta_cuss reported this before PaulyC, and sparta_cuss was immediately blown off by CfB:

Quote from: sparta_cuss on January 01, 2014, 04:05:58 PM

Hey, looks like I just got robbed, too.
Someone please check this account: 12152013998194592943
They now have 147k+ from me.
Had a 40 char random password, capital, lower, numbers, symbols.
WTF?

Quote from CfB:

Can u prove that ur coins were stolen?
My account passphrase < 40 chars and contains 2M, why did the thief choose ur account instead of mine? Sorry, but ur case looks more like black PR attempt.

There's a clear pattern if you look at all the data:

Time                  Victim            Vic Account            Thief Account          NXT
01.01.2014 12:56:54   plasticAiredale   8439060069775407509    15182566201738727933   18665
01.01.2014 12:58:03   PaulyC            16821029889165561706   16204974692852323982   7808
01.01.2014 13:01:45   newcn             16886318053889080545   9793828175536096502    18197
01.01.2014 13:05:06   sparta_cuss       11794318797680953099   12152013998194592943   147690

Somebody is manually stealing data at 3-4 minute intervals and Sparta_cuss was by far the most wronged.  We should check the blocks / transactions/ accounts before and after this time period.

Don't forget Framewood, too.  Please notice the date and how little the community paid attention.

https://bitcointalksearch.org/topic/m.4172532

This bears repeating:

Please notice the date and how little the community paid attention. 

Yeah unfortunately at the time it was a one time thing, made by a Jr. Member so everybody probably just figured it was user error, plus he didn't raise much of a stink after. Doesn't justify it, but probably explains it.

Currently it looks like EpicThomas only was able to get a few accounts. Hopefully now people will be more vigilant with downloading new clients. But if there is no official client, or at least one endorsed by CFB, how do we even know if the posted hash is the one for the client that isn't hacked? Who else can we trust?
legendary
Activity: 1512
Merit: 1004
Just an immature question:
Is it secure to add some random nodes from the list (I forget the website) to the well-known peers in web.xml?
Thanks.
sr. member
Activity: 602
Merit: 268
Internet of Value
what i mean is if i want to download bitcoin official client i simply visit bitcoin.org
and same with litecoin.org and there are many others.

is there any official website for NXT?

There is no official website for NXT. Unlike Bitcoin and Litecoin, Nxt is supposed to be decentralized.

Apologies if I get some of the words wrong (as some people seem to be sensitive to terms being misused)

I think this is more about establishing and maintaining 'trust' in a decentralised environment where everyone is a peer.
The network does this for the transaction I think.
How do you extend this to the software that people use to initiate the software on the network is trusted and valid.
Can't this be done also by consensus - perhaps trusted people can test clients and submit a transaction signing the sha256 for the client,
the more people sign a client the more it is trusted, the amount of trust generated relating to the stake of the signer.

I don't know if this has any legs.

Otherwise how will other clients ever get trusted after what has happened and the ease with which java can be recompiled, modified and repackaged is a concern.

In some ways it's good this has happened now (although I feel for those affected) and is driving this debate; someone's greed has undone them, because if this type of attack had happened later the damage could have been far worse in terms of people affected and NXT's reputation.

NXT foundation does not claim to be a sole organization that represents NXT. As long as NXT foundation is trusted then it can be used as the source of trusted information. Currently official information comes only from Luc or CfB. If CFB does not think it is centralization, then I don't know what is.
We still need to trust in individuals, otherwise nothing gets done.
sr. member
Activity: 602
Merit: 268
Internet of Value
People ask why Nxt is not inflationary. Could anyone tell me why it's not inflationary if it's possible to issue other currencies using Asset Exchange? This increases number of "coins" owned by users, right?

interesting question!

at least, inflation is increase of the price.
if we substitute 1nxt by 3btc we have increased the price for one nxt by factor 3:0.0001
... hm ? Undecided ?



This point has to be stressed again and again. You don't issue Bitcoin, Litecoin or any other actual assets via colored coin tech. You merely issue tokens or stickers that represent these coins. It's up to you to add a value on these tokens. They are basically IOUs you issue. There would be a lot of uncertainty at the beginning of the asset market to see who can be trusted. Similar issue to the Ripple gateway currently.
full member
Activity: 196
Merit: 100
Let's keep the historical record straight here.  sparta_cuss reported this before PaulyC, and sparta_cuss was immediately blown off by CfB:

Quote from: sparta_cuss on January 01, 2014, 04:05:58 PM

Hey, looks like I just got robbed, too.
Someone please check this account: 12152013998194592943
They now have 147k+ from me.
Had a 40 char random password, capital, lower, numbers, symbols.
WTF?

Quote from CfB:

Can u prove that ur coins were stolen?
My account passphrase < 40 chars and contains 2M, why did the thief choose ur account instead of mine? Sorry, but ur case looks more like black PR attempt.

There's a clear pattern if you look at all the data:

Time                  Victim            Vic Account            Thief Account          NXT
01.01.2014 12:56:54   plasticAiredale   8439060069775407509    15182566201738727933   18665
01.01.2014 12:58:03   PaulyC            16821029889165561706   16204974692852323982   7808
01.01.2014 13:01:45   newcn             16886318053889080545   9793828175536096502    18197
01.01.2014 13:05:06   sparta_cuss       11794318797680953099   12152013998194592943   147690

Somebody is manually stealing data at 3-4 minute intervals and Sparta_cuss was by far the most wronged.  We should check the blocks / transactions/ accounts before and after this time period.

Don't forget Framewood, too.  Please notice the date and how little the community paid attention.

https://bitcointalksearch.org/topic/m.4172532

This bears repeating:

Please notice the date and how little the community paid attention. 
sr. member
Activity: 490
Merit: 250
I don't really come from outer space.

Don't forget Framewood, too.  Please notice the date and how little the community paid attention.

https://bitcointalksearch.org/topic/m.4172532

Yes, do notice the date: December 27, 2013, 06:26:16 PM

Looks like earlier clients may have also been compromised.

Here are my hashes:
Code:
c079e79d912811d6a0f6f027e0b8872c837a2909db80ae1f80fc4ce2dacba1d1  nxt (1).zip (Dec  6 20:37)
61ed14319bf2c5d0e3fe58200d2f17d572ce8cdd3aec1549f9f8048a9e6ee6df  nxt (2).zip (Dec  9 22:47)
ea14310cd4099b03db715e76ef60e8f83dbd47d7bf50129bd8e0c270344a35d9  nxt (3).zip (Dec 11 22:15)
a8ff15b600d95ae8e280c35b14055677372fb20b2825682e9e35b6d68b8dfff3  nxt (4).zip (Dec 19 16:20)
794ec29a44f7dc2e5c00e682c06916b12e394ba43c0741c2ae748faa5baed606  nxt (5).zip (Dec 20 17:20)
5a4007e2ac28b636e6450d16ba058873ee68b619b6c0a649354708027c09c1ae  nxt (6).zip & nxt (7).zip (Dec 22 21:47 & Dec 23 17:16)
22f589980583addeafde58588b8f1daed0a38c55cd462abf260d8212f3fd884a  nxt (8).zip (Dec 24 14:20)
a15cde30abccf190535e3988eba21bb1974834651f454323e12da32807959317  nxt (9).zip (Dec 25 12:33)
ec7c30a100717e60d8abe50eedb23641952847d91ff90b9b05a74ff98d8a4cf2  nxt-client-0.4.8.zip (Dec 31 16:42) [GOOD HASH]

Assume all are bogus until otherwise confirmed not bogus.

Get latest client, check SHA256 hash to confirm ok, install, and move your NXT to a known safe account, people.
legendary
Activity: 1540
Merit: 1016
who is the thief?
sr. member
Activity: 952
Merit: 253
what i mean is if i want to download bitcoin official client i simply visit bitcoin.org
and same with litecoin.org and there are many others.

is there any official website for NXT?

There is no official website for NXT. Unlike Bitcoin and Litecoin, Nxt is supposed to be decentralized.

Apologies if I get some of the words wrong (as some people seem to be sensitive to terms being misused)

I think this is more about establishing and maintaining 'trust' in a decentralised environment where everyone is a peer.
The network does this for the transaction I think.
How do you extend this to the software that people use to initiate the software on the network is trusted and valid.
Can't this be done also by consensus - perhaps trusted people can test clients and submit a transaction signing the sha256 for the client,
the more people sign a client the more it is trusted, the amount of trust generated relating to the stake of the signer.

I don't know if this has any legs.

Otherwise how will other clients ever get trusted after what has happened and the ease with which java can be recompiled, modified and repackaged is a concern.

In some ways it's good this has happened now (although I feel for those affected) and is driving this debate; someone's greed has undone them, because if this type of attack had happened later the damage could have been far worse in terms of people affected and NXT's reputation.
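
The stake-weighted signing idea proposed in the post above, combined with the "check SHA256 hash" advice earlier on this page, as an added example that is not part of the thread or of the Nxt client. Signer names, stakes and archive bytes are constructed, and attestations are assumed to be already authenticated (for example, read from confirmed transactions).

```python
import hashlib
import io

def sha256_stream(fileobj, chunk=1 << 16):
    """Hash a file-like object in chunks so a large archive is never loaded whole."""
    h = hashlib.sha256()
    for block in iter(lambda: fileobj.read(chunk), b""):
        h.update(block)
    return h.hexdigest()

def vouched_fraction(digest, attestations, stakes):
    """Fraction of all known stake held by signers who vouch for `digest` and nothing else."""
    claims = {}
    for signer, claimed in attestations:
        if signer in stakes:                     # unknown (zero-stake) signers carry no weight
            claims.setdefault(signer, set()).add(claimed.strip().lower())
    backing = 0
    for signer, hashes in claims.items():
        if len(hashes) != 1:                     # signer vouched for two different builds: ignore
            continue
        if digest.lower() in hashes:             # repeated attestations collapse to one
            backing += stakes[signer]
    return backing / sum(stakes.values())

def accept_download(fileobj, attestations, stakes, threshold=0.5):
    """Accept the archive only if more than `threshold` of known stake vouches for its hash."""
    return vouched_fraction(sha256_stream(fileobj), attestations, stakes) > threshold

# Constructed sample data (hypothetical signers and stand-in archive bytes).
GOOD_ZIP = b"constructed stand-in for the genuine client archive"
BAD_ZIP = b"constructed stand-in for a repackaged client archive"
GOOD = hashlib.sha256(GOOD_ZIP).hexdigest()
BAD = hashlib.sha256(BAD_ZIP).hexdigest()
STAKES = {"signer_a": 500, "signer_b": 300, "signer_c": 200}
ATTESTATIONS = [
    ("signer_a", GOOD),
    ("signer_a", GOOD),            # duplicate post, counted once
    ("signer_b", GOOD.upper()),    # same hash, different letter case
    ("signer_c", BAD),
    ("signer_c", GOOD),            # vouches for both builds, so dropped
    ("sybil_1", BAD),
    ("sybil_2", BAD),              # many voices, no stake
]

if __name__ == "__main__":
    print("genuine accepted:", accept_download(io.BytesIO(GOOD_ZIP), ATTESTATIONS, STAKES))
    print("repackaged accepted:", accept_download(io.BytesIO(BAD_ZIP), ATTESTATIONS, STAKES))
```

A hash posted by a single account only proves the file matches what that account says; requiring agreement weighted by stake is what makes a swapped link or a flood of new accounts insufficient on its own.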
full member
Activity: 207
Merit: 120
So what happened here? I see my NXT have been stolen as well. I only downloaded the client from this thread. Are there any plans to revert the blockchain? Honestly if there are no plans to somehow correct this, I am giving up on this. This is very disappointing.



Account: 8439060069775407509

The 'transfer' went to account 15182566201738727933. It's the account's only activity.

Do you remember which link in the thread the client was downloaded from?
DO NOT DOWNLOAD FROM ANY LINKS IN THIS QUOTE!!!
It was somewhere in this thread, as it's the only place I ever download the client from. According to my history I downloaded it from http://162.243.246.223/nxt-client-0.4.8.zip around 7:30am EDT on 12/31/1213.

I realize I got lazy and got used to not downloading the newest client from the first post, instead I just downloaded the latest from CFB whenever he posted new ones. I must have not noticed that the poster wasn't CFB. Granted I only lost 18K, but it still stings.

Thanks for the additional info, seems to point again to EpicThomas

He quoted the original message, but modified the link! And later modified it back!
Check:
https://bitcointalksearch.org/topic/m.4237883
BUT in Google cache:
http://webcache.googleusercontent.com/search?q=cache:x1fHlORdUIEJ:https://bitcointalk.org/index.php%3Ftopic%3D345619.11820+&cd=1&hl=de&ct=clnk&gl=de


DUDE! Great research, if I had any NXT left I would tip you
sr. member
Activity: 602
Merit: 268
Internet of Value
The hacker might have tried it for a while, but he hit multiple targets with 0.4.8 versions.

This means the forensic investigation has got to go deeper and not limit itself to 0.4.8.

Have we figured out yet just who the hell did this?

EpicThomas. First evidence here. The bogus client was at his IP address.

https://bitcointalksearch.org/topic/m.4263262

One of his threads

https://bitcointalksearch.org/topic/m.4263313
full member
Activity: 171
Merit: 100
People ask why Nxt is not inflationary. Could anyone tell me why it's not inflationary if it's possible to issue other currencies using Asset Exchange? This increases number of "coins" owned by users, right?

interesting question!

at least, inflation is increase of the price.
if we substitute 1nxt by 3btc we have increased the price for one nxt by factor 3:0.0001
... hm ? Undecided ?

legendary
Activity: 2184
Merit: 1000
Ben just posted this in Forum....should this be regulated.

*LINK TO THE NEW CLIENT!

https://nextcoin.org/index.php/topic,2038.0/topicseen.html

full member
Activity: 196
Merit: 100
The hacker might have tried it for a while, but he hit multiple targets with 0.4.8 versions.

This means the forensic investigation has got to go deeper and not limit itself to 0.4.8.

Have we figured out yet just who the hell did this?
legendary
Activity: 1181
Merit: 1002
So what happened here? I see my NXT have been stolen as well. I only downloaded the client from this thread. Are there any plans to revert the blockchain? Honestly if there are no plans to somehow correct this, I am giving up on this. This is very disappointing.



Account: 8439060069775407509

The 'transfer' went to account 15182566201738727933. It's the account's only activity.

Do you remember which link in the thread the client was downloaded from?

It was somewhere in this thread, as it's the only place I ever download the client from. According to my history I downloaded it from http://162.243.246.223/nxt-client-0.4.8.zip around 7:30am EDT on 12/31/1213.

I realize I got lazy and got used to not downloading the newest client from the first post, instead I just downloaded the latest from CFB whenever he posted new ones. I must have not noticed that the poster wasn't CFB. Granted I only lost 18K, but it still stings.

Thanks for the additional info, seems to point again to EpicThomas

He quoted the original message, but modified the link! And later modified it back!
Check:
https://bitcointalksearch.org/topic/m.4237883
BUT in Google cache (Do not use the link found in cache!):
http://webcache.googleusercontent.com/search?q=cache:x1fHlORdUIEJ:https://bitcointalk.org/index.php%3Ftopic%3D345619.11820+&cd=1&hl=de&ct=clnk&gl=de