NXT :: descendant of Bitcoin - Updated Information - page 1944.

bitcoinrocks

legendary

Activity: 1372

Merit: 1000

Quote

I think I downloaded the bad client zip from here:

http://www.nxtcrypto.org/

I can't be sure yet and I still don't understand some of my timestamps, but I see in my browser logs that I accessed that page at around the time I updated to 0.4.8 and I'm pretty sure I remember using the link on that page.

EDIT: I think I even remember laughing about how silly it was that that page pointed to an IP address for the download.

Quote

Not that I don't think you could have DL'ed yours there. I'm pretty much positive (I don't have the browser proof since i've cleared my history probably 10x since then!)
mine was DL'd from nextcoin.org, via the Mega link that was there at the time I DL'd it.

The only reason I mention it is I DL'd that client.zip from nxtcrypto.org as well, and never touched it.

I take it back. With a little help from the timestamp on my post here:

https://bitcointalksearch.org/topic/m.4240566

I figure I downloaded it from a link on this page:

https://bitcointalk.org/index.php?topic=345619.11920

What an idiot I am for doing that. To reiterate, I DO NOT think I downloaded the bad client zip from nxtcrypto.org.

MadCow

hero member

Activity: 655

Merit: 500

Can anyone confirm the download link on the first page of this thread is good? I think it is, but I'm not taking anything for granted now.

PaulyC

member

Activity: 82

Merit: 10

Quote from: bitcoinrocks on January 01, 2014, 11:50:36 PM

I think I downloaded the bad client zip from here:

http://www.nxtcrypto.org/

I can't be sure yet and I still don't understand some of my timestamps, but I see in my browser logs that I accessed that page at around the time I updated to 0.4.8 and I'm pretty sure I remember using the link on that page.

EDIT: I think I even remember laughing about how silly it was that that page pointed to an IP address for the download.

Not that I don't think you could have DL'ed yours there. I'm pretty much positive (I don't have the browser proof since i've cleared my history probably 10x since then!)
mine was DL'd from nextcoin.org, via the Mega link that was there at the time I DL'd it.

The only reason I mention it is I DL'd that client.zip from nxtcrypto.org as well, and never touched it.

Btw. that's awesome you got yours out.

newcn

full member

Activity: 143

Merit: 100

another account of mine was also stolen, it happened exactly the same time as former one, but only 93 nxt lost.
the accounts my money goes:
9793828175536096502 balance 18197, contains all my stolen nxt
6164081464868000542 balance 9528, my 92 nxt goes here

the transactions happend at 2014.1.1 12:04:50 GMT

opticalcarrier

full member

Activity: 238

Merit: 100

Checksum verification instructions:

https://forums.nxtcrypto.org/viewtopic.php?f=15&t=268&p=887&sid=718d82c02b89620a7b832d8f988ebf2a#p887

gbeirn

full member

Activity: 126

Merit: 100

Quote from: utopianfuture on January 01, 2014, 08:42:50 PM

Quote from: jl777 on January 01, 2014, 08:39:58 PM

Now that we seem to have figured out this breach, we need to warn anybody that downloaded that version, but I guess we can't broadcast message yet...

Still there will be concerns about the offline parallel attack. I am still waiting for CfB's answers on my architecture question. We don't need an immediate solution as long as there is a clear roadmap to higher security. both perceived and actual.

If the hacker has to search a space 2^256, then even with petahashes it will take a long time. However, I am worried about clustering especially with user selected passwords without maximum entropy. Realistically, if anybody uses alphanumeric passwords of a short length or just combines common words, a hacker running a simple brute force search of these combos will unlock all these accounts pretty quickly. Our opponents will intentionally use reasonable looking but weak passwords to intentionally get hacked and give us black PR.

I want to proactively attack this issue. How does NXT security compare to BTC or to Ripple security? These are critical questions for mass adoption of NXT. I want to hear that NXT is better than all the rest, but what I need is an independent cryptographic expert to analyze this objectively.

Not sure how much this will cost, but it will go a long ways toward eliminating this as an issue if indeed NXT is as secure or more secure than BTC (and Ripple). Does anybody know how much it will cost to get an independent cryptographic analysis?

James

P.S. also maybe a bounty to PaulyC of 7808 NXT for finding this?

Agree. PaulyC deserves a bounty to uncover this type of thief.

PaulyC if you haven't received any NXT yet, please post your new address here and I will reimburse your missing funds from my account.

Zahlen

member

Activity: 98

Merit: 10

Quote from: xyzzyx on January 01, 2014, 11:48:16 PM

Distribute new releases on the blockchain?

+1. This also removes the hassle of manually updating.

tk808

legendary

Activity: 1512

Merit: 1124

Invest in your knowledge

Quote from: Uniqueorn on January 01, 2014, 11:46:02 PM

Quote from: tk808 on January 01, 2014, 11:44:46 PM

Quote from: opticalcarrier on January 01, 2014, 11:40:10 PM

well at this point I think we all need to stop and take a step back and determine how to best handle new client releases moving forwards.
CfB had to stop using his DL link due to bandwidth problems. Maybe dev team needs to run a dedicated VPS to host releases on? Maybe the unused coins can go to fund that?

Obviously all WWW/info/forums/WIKI sites need to be updated with VERY STRONG LANGUAGE regarding checksums

My suggestion is for when dev team releases a new client, to post in this thread a reply with a link and checksums. then any site out there that wishes to host the file should also post a link back to the thread where the new client was released so the downloader can see the checksum?

Any more thoughts on how to best mitigate this theft risk?

Always check the HASH of the zip file before you unzip it. Match it with the hash of the posters download.
If the person doesn't post the original hash, i'm not downloading.

That's what i've learned and going to start doing every new release.

but aren't the hashes different in every release?

On the Nxt Forums, the client download thread always has the new SHA-1 hash, of every release.

bitcoinrocks

legendary

Activity: 1372

Merit: 1000

I think I downloaded the bad client zip from here:

http://www.nxtcrypto.org/

(EDIT: No I didn't. See my post below.)

I can't be sure yet and I still don't understand some of my timestamps, but I see in my browser logs that I accessed that page at around the time I updated to 0.4.8 and I'm pretty sure I remember using the link on that page.

EDIT: I think I even remember laughing about how silly it was that that page pointed to an IP address for the download.

xyzzyx

sr. member

Activity: 490

Merit: 250

I don't really come from outer space.

Quote from: opticalcarrier on January 01, 2014, 11:40:10 PM

Any more thoughts on how to best mitigate this theft risk?

Distribute new releases on the blockchain?

xyzzyx

sr. member

Activity: 490

Merit: 250

I don't really come from outer space.

Quote from: utopianfuture on January 01, 2014, 10:41:23 PM

http://onlinemd5.com/

That's a much nicer SHA-256 checker than the one I linked to -- everything in yours is done in the browser. Nice.

Uniqueorn

full member

Activity: 182

Merit: 100

NXT.org

Quote from: tk808 on January 01, 2014, 11:44:46 PM

Quote from: opticalcarrier on January 01, 2014, 11:40:10 PM

well at this point I think we all need to stop and take a step back and determine how to best handle new client releases moving forwards.
CfB had to stop using his DL link due to bandwidth problems. Maybe dev team needs to run a dedicated VPS to host releases on? Maybe the unused coins can go to fund that?

Obviously all WWW/info/forums/WIKI sites need to be updated with VERY STRONG LANGUAGE regarding checksums

My suggestion is for when dev team releases a new client, to post in this thread a reply with a link and checksums. then any site out there that wishes to host the file should also post a link back to the thread where the new client was released so the downloader can see the checksum?

Any more thoughts on how to best mitigate this theft risk?

Always check the HASH of the zip file before you unzip it. Match it with the hash of the posters download.
If the person doesn't post the original hash, i'm not downloading.

That's what i've learned and going to start doing every new release.

but aren't the hashes different in every release?

tk808

legendary

Activity: 1512

Merit: 1124

Invest in your knowledge

Quote from: opticalcarrier on January 01, 2014, 11:40:10 PM

well at this point I think we all need to stop and take a step back and determine how to best handle new client releases moving forwards.
CfB had to stop using his DL link due to bandwidth problems. Maybe dev team needs to run a dedicated VPS to host releases on? Maybe the unused coins can go to fund that?

Obviously all WWW/info/forums/WIKI sites need to be updated with VERY STRONG LANGUAGE regarding checksums

My suggestion is for when dev team releases a new client, to post in this thread a reply with a link and checksums. then any site out there that wishes to host the file should also post a link back to the thread where the new client was released so the downloader can see the checksum?

Any more thoughts on how to best mitigate this theft risk?

Always check the HASH of the zip file before you unzip it. Match it with the hash of the posters download.
If the person doesn't post the original hash, i'm not downloading.

That's what i've learned and going to start doing every new release.

opticalcarrier

full member

Activity: 238

Merit: 100

well at this point I think we all need to stop and take a step back and determine how to best handle new client releases moving forwards.
CfB had to stop using his DL link due to bandwidth problems. Maybe dev team needs to run a dedicated VPS to host releases on? Maybe the unused coins can go to fund that?

Obviously all WWW/info/forums/WIKI sites need to be updated with VERY STRONG LANGUAGE regarding checksums

My suggestion is for when dev team releases a new client, to post in this thread a reply with a link and checksums. then any site out there that wishes to host the file should also post a link back to the thread where the new client was released so the downloader can see the checksum?

Any more thoughts on how to best mitigate this theft risk?

bitcoinrocks

legendary

Activity: 1372

Merit: 1000

I'm confused. The timestamp on my bad client zip is Dec 31 11:43. That VPS runs on UTC time and I can see that its time is correct. Converting that to my local time, that would put me on the computer really early in the morning which my browser logs tell me I was not. I just checked with my wife to confirm and she says I was not up that early yesterday. I'm still thinking this over.

Uniqueorn

full member

Activity: 182

Merit: 100

NXT.org

Are we sure it is Drexme?
If so, I have his real name. Pretty stupid if he really did it.

tk808

legendary

Activity: 1512

Merit: 1124

Invest in your knowledge

Quote from: bitcoinrocks on January 01, 2014, 11:29:14 PM

When was 0.4.8 released?

Yesterday

bitcoinrocks

legendary

Activity: 1372

Merit: 1000

When was 0.4.8 released?

bitcoinrocks

legendary

Activity: 1372

Merit: 1000

Quote

can you get a timestamp from the file or some autid log that you can correlate in your web browser?

I'm actually working on that right now.

utopianfuture

sr. member

Activity: 602

Merit: 268

Internet of Value

Quote from: allwelder on January 01, 2014, 11:14:23 PM

the max bit length of NXT Password is ?

Don't know. But 256 bit pass is already impossible to crack at the current state of science and technology. I use 35 character and it already 240 bit.

Topic: NXT :: descendant of Bitcoin - Updated Information - page 1944. (Read 2761645 times)