Topic: NXT :: descendant of Bitcoin - Updated Information - page 1935. (Read 2761645 times)

sr. member
Activity: 602
Merit: 268
Internet of Value

I am not a cryptographer and ...

James


so please, don't try to be one.

I am very good at creative solutions to so called impossible problems. I have extensive software expertise. I am trying to make nxt the most secure crypto at the architectural level. I am not proposing any new cryptographic algorithms, just using standard public private key in a way that has not been done before

Maybe I am totally off base on this, but until I get a clear explanation about how this is wrong, I am apt to believe it is possible to add a second layer of security to nxt

Why do you want me to stop?

James


its not wrong.
but its not more secure too.
there is no difference between using one or two passwords for the probability getting hacked.

the only way is to have a long (31+ character) pass-phrase with high entropy and only use the download links (signed) from NxT dev. crew.


Will you reimburse the first person whose acct key is cracked with the offline parallel test against all nxt accts?
If so you can provide hackers insurance for all for free


They would do such thing to Bitcoin first. At protocol level, NXT security is at the same level as Bitcoin.
sr. member
Activity: 491
Merit: 250
S P 8 D E
One thing that hasn't been mentioned (I don't think), how are we going to vet/verify future client downloads?

As much as I don't share some users' level of conviction when it comes to user adoption vs. difficulty (I think this is rickyjames point), regular users having to worry about 1) brain wallet, 2) clunky client installer PLUS having to verify SHA256 for every update might drive people away.


I have a dedicated server which can be used by core devs, located in Germany,
currently there is a public node on it : https:nextcoin.info:7875

any of the core devs can contact me and I'll send them the root+pass from the server...
legendary
Activity: 1540
Merit: 1016
Can someone pls help me find official links? official website? official forums if there are any?
everybody sharing links and saying download that, download this. who to trust? i am simply asking what is the official nxt website that can be trusted???
see first page.
full member
Activity: 350
Merit: 100
So what happened here? I see my NXT have been stolen as well. I only downloaded the client from this thread. Is there any plans to revert the blockchain? Honestly if there is no plans to somehow correct this, I am giving up on this. This is very disappointing.



Account: 8439060069775407509

The 'transfer' went to account 15182566201738727933. It's the account's only activity.

Do you remember which link in the thread the client was downloaded from?
legendary
Activity: 1176
Merit: 1134

I am not a cryptographer and ...

James


so please, don't try to be one.

I am very good at creative solutions to so called impossible problems. I have extensive software expertise. I am trying to make nxt the most secure crypto at the architectural level. I am not proposing any new cryptographic algorithms, just using standard public private key in a way that has not been done before

Maybe I am totally off base on this, but until I get a clear explanation about how this is wrong, I am apt to believe it is possible to add a second layer of security to nxt

Why do you want me to stop?

James


its not wrong.
but its not more secure too.
there is no difference between using one or two passwords for the probability getting hacked.

the only way is to have a long (31+ character) pass-phrase with high entropy and only use the download links (signed) from NxT dev. crew.


Will you reimburse the first person whose acct key is cracked with the offline parallel test against all nxt accts?
If so you can provide hackers insurance for all for free
full member
Activity: 151
Merit: 100
Can someone pls help me find official links? official website? official forums if there are any?
everybody sharing links and saying download that, download this. who to trust? i am simply asking what is the official nxt website that can be trusted???
legendary
Activity: 1540
Merit: 1016
So what happened here? I see my NXT have been stolen as well. I only downloaded the client from this thread. Is there any plans to revert the blockchain? Honestly if there is no plans to somehow correct this, I am giving up on this. This is very disappointing.



Account: 8439060069775407509
you are the 3rd who lost nxt today
sr. member
Activity: 490
Merit: 250
I don't really come from outer space.
this is only account with very weak password and people were 3x stealing Nxt from it probably
http://87.230.14.1/nxt/nxt.cgi?action=3000&acc=496131565008433801
(or 1x Nxt were only transferred to the 2nd account, where we can see many aliases: 14527793117125736279)

This one is for the null password:
http://87.230.14.1/nxt/nxt.cgi?action=3000&acc=3791936988034107349

And I set this next one up with a purposefully weak password mostly as a joke, and I was curious what people would do with it.  I was hoping people would mark it with alias registrations, perhaps.  Perhaps later using it like a geo-cache site once NXT storage was implemented.  So far, it has been kinda disappointing to see it was merely plundered for the 2 NXT that were transferred in.
http://87.230.14.1/nxt/nxt.cgi?action=3000&acc=2980315497189667873

I'm sure there are lots of others with weak passwords, but I've not taken the time myself to look for any.  Others likely have. Sad
legendary
Activity: 2142
Merit: 1010
Newbie
How can client side enforce one time setting of sendmoney public key?

API v2 won't have sendMoney. Client soft will prepare transaction and sign it locally. Then the transaction will be broadcasted. This is 100% secure if client provides 100% security.
full member
Activity: 207
Merit: 120
So what happened here? I see my NXT have been stolen as well. I only downloaded the client from this thread. Is there any plans to revert the blockchain? Honestly if there is no plans to somehow correct this, I am giving up on this. This is very disappointing.



Account: 8439060069775407509
legendary
Activity: 1176
Merit: 1134
Why all this resistance. I am not hearing valid objections to my proposed solution. Don't you want the option for people to be able to add second layer of security?

Second layer should be added on client side, not in the protocol. Bitcoin works without such workarounds, why Nxt can't?

How can client side enforce one time setting of sendmoney public key?
full member
Activity: 171
Merit: 100

I am not a cryptographer and ...

James


so please, don't try to be one.

I am very good at creative solutions to so called impossible problems. I have extensive software expertise. I am trying to make nxt the most secure crypto at the architectural level. I am not proposing any new cryptographic algorithms, just using standard public private key in a way that has not been done before

Maybe I am totally off base on this, but until I get a clear explanation about how this is wrong, I am apt to believe it is possible to add a second layer of security to nxt

Why do you want me to stop?

James


its not wrong.
but its not more secure too.
there is no difference between using one or two passwords for the probability getting hacked.

the only way is to have a long (31+ character) pass-phrase with high entropy and only use the download links (signed) from NxT dev. crew.
legendary
Activity: 2142
Merit: 1010
Newbie
Why all this resistance. I am not hearing valid objections to my proposed solution. Don't you want the option for people to be able to add second layer of security?

Second layer should be added on client side, not in the protocol. Bitcoin works without such workarounds, why Nxt can't?
legendary
Activity: 1176
Merit: 1134
So the objection to my solution is that it is difficult
Good, at least we are off the impossible mantra

Founders give me million nxt and i will implement this myself

James
legendary
Activity: 2184
Merit: 1000

I doubt that if someone logs with "1234" password they will use a strong 2nd password.

This line of reasoning is not correct....who said anyone would use 1234 as password

Sorry, maybe my English is not so good, I can't get his idea. I suspect that his approach will lead to overcomplicated system with a lot of bugs, that won't really work as intended.

I'm not saying your english is bad....im just saying if the option was there many people would make use of it.

Edit: i'm also a bit confused
hero member
Activity: 490
Merit: 504
In summary,what I found from Chrome history:
from download history, the malware link was:
http://162.243.246.223/nxt-client-0.4.8.zip
sha256: 948ce760c379f13f4ea9def6babaa36b0d706bf91098f1d64945fdde3eac5f06

the creation time and modification time of the zip file on my local disk was:
Code:
creation time: 2013.12.31, 20:31:14
modified time: 2013.12.31, 20:35:16

in that time period, I only accessed two pages:
Code:
20:29 https://bitcointalk.org/index.php?topic=345619.11740
20:30 https://bitcointalk.org/index.php?topic=345619.0

from the download history, I probably downloaded the malware from the first page,that is:
http://info.nxtcrypto.org/nxt-client-0.4.8.zip
(I found the new version and checked it on the first page, and it's true, there's an update there, but I don't like the mega site, its slow from my home, so I downloaded the link from the first page)
the thief might have changed the link directly,
 or he might have changed the IP address of info.nxtcrypto.org
current IP of info.nxtcrypto.org is 46.28.204.121,
which is different from 162.243.246.223


the following are some clues about the accounts where my nxt goes:
2 of my accounts were stolen, one of them lost 18198 nxt, the nxt goes to an account which only has one transaction, the account is 9793828175536096502, the nxt is still in this account, I find nothing from this account.

another account of mine, which had 93 nxt balance, was stolen to an account which have many transactions, I found sth from this account:6164081464868000542, the first transaction to this account happened at 16 DEC, which refers to another acc:496131565008433801, in this account, there're 3 incoming transactions from acc:6635869272840226493, which I remember is the account of dgex, each withdraw at dgex are coming from this account(at least for me), so, if the thief is the owner of acc:6164081464868000542 and acc:496131565008433801, he probably has an id in dgex!


this is only account with very weak password and people were 3x stealing Nxt from it probably
http://87.230.14.1/nxt/nxt.cgi?action=3000&acc=496131565008433801
(or 1x Nxt were only transferred to the 2nd account, where we can see many aliases: 14527793117125736279)
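
Added example, not part of the original posts and not NXT project code: a Python check that applies the two signals from the post above to a download-history record, namely the file's SHA-256 and the host that actually served it. The record layout, the function names and the all-zero published digest are assumptions; the thread does not give the genuine release digest.

```python
import hashlib
import hmac
import ipaddress
from urllib.parse import urlsplit

# SHA-256 reported in the post above for the malicious nxt-client-0.4.8.zip.
BAD_DIGEST = "948ce760c379f13f4ea9def6babaa36b0d706bf91098f1d64945fdde3eac5f06"
KNOWN_BAD = {BAD_DIGEST}
# Constructed placeholder: stands in for the digest the developers published.
PUBLISHED_PLACEHOLDER = "0" * 64
# Constructed record built from the URLs quoted in the post.
SAMPLE = {
    "linked_url": "http://info.nxtcrypto.org/nxt-client-0.4.8.zip",
    "final_url": "http://162.243.246.223/nxt-client-0.4.8.zip",
    "sha256": BAD_DIGEST,
}

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large archives are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def host_is_ip(url):
    """True when the URL's host is an IP literal rather than a DNS name."""
    try:
        ipaddress.ip_address(urlsplit(url).hostname or "")
        return True
    except ValueError:
        return False

def review_download(record, published_digest):
    """Return the findings for one download-history record, in check order."""
    findings = []
    linked, final = urlsplit(record["linked_url"]), urlsplit(record["final_url"])
    digest = record["sha256"].lower()
    if final.scheme != "https":
        findings.append("not-https")
    if host_is_ip(record["final_url"]):
        findings.append("served-from-ip-literal")
    if linked.hostname != final.hostname:
        findings.append("host-differs-from-link")
    if digest in KNOWN_BAD:
        findings.append("known-bad-digest")
    if not hmac.compare_digest(digest, published_digest.lower()):
        findings.append("digest-mismatch")
    return findings
```

Any one finding is enough to stop before unpacking the archive; the digest comparison is only as trustworthy as the channel the published digest arrived over.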
legendary
Activity: 2142
Merit: 1010
Newbie

I doubt that if someone logs with "1234" password they will use a strong 2nd password.

This line of reasoning is not correct....who said anyone would use 1234 as password

Sorry, maybe my English is not so good, I can't get his idea. I suspect that his approach will lead to overcomplicated system with a lot of bugs, that won't really work as intended.
full member
Activity: 350
Merit: 100
Why should we move our coins to new accounts while I have not used my pass on other public nodes and only in my local node?

See my previous post where I quoted/bolded Jean-Luc's update from the previous page.

1. Delete your browser cache
2. Enable private browsing
3. Use a separate, dedicated browser/profile for NXT client
legendary
Activity: 1176
Merit: 1134
What part doesnt make sense?

What stops attacker from doing exactly the same thing?

That is why i specified that once you do this to an acct, it cannot be changed
This is why it needs protocol level support and not just client side
Like an alias belongs to first acct, sendmoney public key cannot be changed once it is set

People who want to secure their acct could set this up before they put big money into it

How could the hacker set sendmoney public key before the acct is fully funded?

James


I doubt that if someone logs with "1234" password they will use a strong 2nd password.

CfB

Did you miss my post about the client automatically generating maximum entropy private keys? Do you think jean-luc will generate 1234 as a private key?

Why all this resistance. I am not hearing valid objections to my proposed solution. Don't you want the option for people to be able to add second layer of security?

James
legendary
Activity: 2184
Merit: 1000

I doubt that if someone logs with "1234" password they will use a strong 2nd password.

This line of reasoning is not correct....who said anyone would use 1234 as password

Edit: Many would most likely input 2 x 50 char random passwords.