Topic: NXT :: descendant of Bitcoin - Updated Information - page 1956. (Read 2761645 times)

legendary
Activity: 2142
Merit: 1010
Newbie
And again, since it's open to the world and its IP is well known, this is scary.

Access to API and interface is blocked by default. Someone has to edit web.xml and put * into allowedUserHosts and allowedBotHosts.
hero member
Activity: 840
Merit: 1002
Simcoin Developer
The server (the java process) stores the user secret phrase for as long as your account is unlocked. But there is no API request that you can make to force it to use that phrase for sending money, unless you also send the secret phrase in the request again.

That's what I thought. So if there is a bug or an exploit it is quite possible that the client can be instructed to send money. Not via API, but via some exploitable hole.

And again, since it's open to the world and its IP is well known, this is scary.

So to be sure a big account has to be locked most of the time, but this means it won't generate any blocks and won't get any fees, correct?


I didn't like that and this is why I removed that possibility and added the requirement for secret phrase on the send money dialog too.

That was a good addition, thanks.
legendary
Activity: 1232
Merit: 1001
Do you think NXT value will reach $1 this year? is it a realistic prediction?

Your prediction is extremely conservative.

+1
full member
Activity: 224
Merit: 100
What I think everyone missed about this security thing is that c-f-b mentioned that this can easily be fixed client-side: e.g. a 3rd party client (perhaps the one in development by nexern) can take your particular passphrase, run it through SHA256 (or whatever hash function you want to use) and use that to generate your account number.

No need to modify anything in the base code. We can even implement wallet.dat files client-side, for increased security (public + private keys can be generated by the client), if the user so desires.

EDIT: This gives NXT users the unique choice of a) using NRS and generating their own complex 30+ char passphrase, so they can use their account anywhere in the world through brainwallet, or b) simpler security for average users, but you have to go through a hash function/particular client if you want to access your account.
newbie
Activity: 56
Merit: 0
NXT episode-32 [ opoZdun ] EN
http://youtu.be/DZpf_he41vc


-------------------------------------

true today
NXT episode-33 Crazy [ aTTack ]  EN
http://youtu.be/WDK53ly-6Pw
 

Support for the work and to "further figachit"

NXT - 5708493317559318384
 
sr. member
Activity: 602
Merit: 268
Internet of Value

What's hash comparison? The hash of the authentic file?

This guide'll help you.

I understand about comparing hashes. But I can't locate the hash of the authentic file. Is the hash from the first page of this thread good?

http://info.nxtcrypto.org/nxt-client-0-4-8-released/

You'll find the SHA256 sum provided by the developer with every release of the NXT Client.

Compare it with the hash of the downloaded file.

Looks good, the download file and its hash on the front page of this thread are safe also. Thanks Intel, it is good to learn these things.
full member
Activity: 238
Merit: 100

What's hash comparison? The hash of the authentic file?

This guide'll help you.

I understand about comparing hashes. But I can't locate the hash of the authentic file. Is the hash from the first page of this thread good?

http://info.nxtcrypto.org/nxt-client-0-4-8-released/

You'll find the SHA256 sum provided by the developer with every release of the NXT Client.

Compare it with the hash of the downloaded file.

Yes, but it would be smart to do an external verification of the checksum in this thread. So the info/www/forums site should provide a link back to the post here that announces the new client and its checksum.
member
Activity: 98
Merit: 10

What's hash comparison? The hash of the authentic file?

This guide'll help you.

I understand about comparing hashes. But I can't locate the hash of the authentic file. Is the hash from the first page of this thread good?

http://info.nxtcrypto.org/nxt-client-0-4-8-released/

You'll find the SHA256 sum provided by the developer with every release of the NXT Client.

Compare it with the hash of the downloaded file.
sr. member
Activity: 392
Merit: 250
I added the second check for secret phrase before send money exactly to increase security, so that even if your account is unlocked in the browser you still need to enter your password again.

So can the client itself send money if the wallet is unlocked? Without that additional check?

The server (the java process) stores the user secret phrase for as long as your account is unlocked. But there is no API request that you can make to force it to use that phrase for sending money, unless you also send the secret phrase in the request again.

The client (the browser) does not store the secret phrase. Before 0.4.8, when doing send money from the browser, it would identify itself to the server using a random session id generated by javascript. I didn't like that and this is why I removed that possibility and added the requirement for secret phrase on the send money dialog too.
sr. member
Activity: 602
Merit: 268
Internet of Value

What's hash comparison? The hash of the authentic file?

This guide'll help you.

I understand about comparing hashes. But I can't locate the hash of the authentic file. Is the hash from the first page of this thread good?
member
Activity: 98
Merit: 10

What's hash comparison? The hash of the authentic file?

This guide'll help you.
full member
Activity: 238
Merit: 100
Isn't the party line not to use the word 'official' any more?  Cheesy

Official doesn't have to mean centralized  Grin

Regardless, at this point all client dev is in 1 place, so it is currently centralized.  They may as well for now just post 1 place.  We are trying to use the NXT Foundations' sites for this purpose (www/info/forums).  The goal right now is for the latest client to always be posted at
info.nxtcrypto.org/client.zip
www.nxtcrypto.org/client.zip
forums.nxtcrypto.org/client.zip

Not all links have been updated yet though, so continue to use http://info.nxtcrypto.org/nxt-client-0.4.8.zip

Maybe the announcement for new client releases can be in this thread with the sha256 checksum and a link to those 3 downloads, then someone at admin/forums/www can then update the sites with the sha256 info?
sr. member
Activity: 602
Merit: 268
Internet of Value
How to check SHA256 checksum? And what should I expect? I want to check my client right now.

In Linux type:

sha256sum filename.zip

In Windows 7?

Download HashTab

What should I expect when I run the file?

There'll be a new tab when clicking right-mouse -> Properties.

Also, you can select the required checksum algorithms:

What's hash comparison? The hash of the authentic file?
full member
Activity: 196
Merit: 100
I added the second check for secret phrase before send money exactly to increase security, so that even if your account is unlocked in the browser you still need to enter your password again.

So can the client itself send money if the wallet is unlocked? Without that additional check?

What worries me most is the possibility of a bug in the client, which would allow the attacker to instruct it to send money directly.
And since the client is already exposed to the outside world through firewall and its IP is known, it can be a really nasty threat.

If a hacker has ALREADY gotten your main account password once to get in the account in the first place, having to type it AGAIN is no additional security at all.  This only prevents somebody physically in front of your keyboard from ripping you off.

This is absolutely a concern and why a withdrawal verification/unfreeze password shouldn't enable the LOCAL CLIENT/SERVER to do something; it should be COMBINED WITH SOMETHING PREVIOUSLY PUT ON THE BLOCKCHAIN that is processed by THE REMOTE SERVER PROCESSING THE BLOCK to enable the withdrawal.  The latter is MUCH MORE SECURE.

The first time a local client is hacked in NXT (and you should assume this WILL happen) then NXT has a HUGE PR problem....
sr. member
Activity: 490
Merit: 250
I don't really come from outer space.
How to check SHA256 checksum? And what should I expect? I want to check my client right now.

If you're running Windows, an online calculator would be easiest:

Edit: http://onlinemd5.com/ (thanks to utopianfuture) or
        http://hash.online-convert.com/sha256-generator


If you're running OS X, a SHA-256 can be calculated using the openssl command in an open terminal (the terminal is located in /Applications/Utilities). The openssl command would look something like this:

         openssl sha256 [FILE_NAME]

If you're running GNU/Linux, the program sha256sum is standard on most versions of the OS.  Using the sha256sum command in a terminal would look something like this:

         sha256sum [FILE_NAME]
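Added example, not code from the thread or the NXT project: a small Python checker for the verification the posts above describe. It reads a published line in `sha256sum` output format, streams the downloaded file through SHA-256 and compares the two; the file content (the bytes `abc`, whose digest is well known) and the use of the name nxt-client-0.4.8.zip are constructed for the demo.

```python
import hashlib
import hmac
import os
import tempfile

HEX_DIGITS = set("0123456789abcdef")


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so a large client.zip never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_sha256sum_line(line):
    """Parse one line in `sha256sum` output format: '<64 hex chars>  <filename>'.
    Tolerates upper-case hex and a leading '*' (sha256sum's binary-mode marker)."""
    parts = line.strip().split(None, 1)
    if len(parts) != 2:
        raise ValueError("expected '<hash>  <filename>'")
    expected, name = parts[0].lower(), parts[1].lstrip("*")
    if len(expected) != 64 or not set(expected) <= HEX_DIGITS:
        raise ValueError("not a SHA-256 hex digest: %r" % parts[0])
    return expected, name


def verify_download(path, published_line):
    """True only if the file's digest equals the published one.
    compare_digest is constant-time; not essential for a local check, but a good habit."""
    expected, _name = parse_sha256sum_line(published_line)
    return hmac.compare_digest(sha256_of_file(path), expected)


def check_results():
    """Constructed demo: a 3-byte 'download' (b'abc') whose known SHA-256 stands in for
    the developer-published checksum, plus a tampered checksum that must be rejected."""
    good = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
    tampered = good[:-1] + "0"
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "nxt-client-0.4.8.zip")  # name only; content is b"abc"
        with open(path, "wb") as f:
            f.write(b"abc")
        return {
            "good": verify_download(path, "%s  nxt-client-0.4.8.zip" % good),
            "uppercase": verify_download(path, "%s *nxt-client-0.4.8.zip" % good.upper()),
            "tampered": verify_download(path, "%s  nxt-client-0.4.8.zip" % tampered),
        }
```

For a real download, pass the path of the zip and the checksum line copied from the release announcement to `verify_download`; anything but `True` means the file is not the one the developer published.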
      
member
Activity: 98
Merit: 10
How to check SHA256 checksum? And what should I expect? I want to check my client right now.

In Linux type:

sha256sum filename.zip

In Windows 7?

Download HashTab

What should I expect when I run the file?

There'll be a new tab when clicking right-mouse -> Properties.

Also, you can select the required checksum algorithms:

sr. member
Activity: 602
Merit: 268
Internet of Value
How to check SHA256 checksum? And what should I expect? I want to check my client right now.

In Linux type:

sha256sum filename.zip

In Windows 7?

Download HashTab

What should I expect when I run the file?
eid
hero member
Activity: 616
Merit: 500
Am I right in thinking that the person who runs the Nxt install thread which this thread links to, is the same guy who stole some of the Nxt bounty funds recently?



Also, can someone point me towards a safe place to download the next client. I'd like to sell my small stake.


Thanks.
member
Activity: 98
Merit: 10
How to check SHA256 checksum? And what should I expect? I want to check my client right now.

In Linux type:

sha256sum filename.zip

In Windows 7?

Download HashTab
member
Activity: 98
Merit: 10
How to check SHA256 checksum? And what should I expect? I want to check my client right now.

In Linux type:

sha256sum filename.zip

In Windows 7?

I only have Windows 8 around, but it looks like it doesn't have a sha256sum.exe program; you have to download it from somewhere. You could google it, but then again, make sure you don't download a trojan Smiley

There are online services too, that you can upload the file to and they'll provide the sha256sum.