
Topic: NXT :: descendant of Bitcoin - Updated Information - page 1957. (Read 2761645 times)

hero member
Activity: 840
Merit: 1002
Simcoin Developer
I added the second check for secret phrase before send money exactly to increase security, so that even if your account is unlocked in the browser you still need to enter your password again.

So can the client itself send money if the wallet is unlocked? Without that additional check?

What worries me most is the possibility of a bug in the client, which would allow the attacker to instruct it to send money directly.
And since the client is already exposed to the outside world through firewall and its IP is known, it can be a really nasty threat.
sr. member
Activity: 602
Merit: 268
Internet of Value
How to check SHA256 checksum? And what should I expect? I want to check my client right now.

In Linux, type:

sha256sum filename.zip

In Windows 7?
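Added example, not part of any post in this thread: a shell function that goes one step past printing the digest and compares it with the published value, failing closed when that value is malformed. The function name `verify_sha256`, the demo file and the digest in the demo are constructed for illustration; the real expected value has to come from the developer's own announcement, obtained separately from the download.

```shell
#!/bin/sh
# Added example: verify a downloaded archive against a published SHA-256 value.
# Usage: verify_sha256 FILE EXPECTED_HEX
# Returns 0 on match, 1 on mismatch, 2 when the input cannot be checked.
verify_sha256() {
    file=$1
    # Normalise the published value: drop whitespace, fold to lower case.
    expected=$(printf '%s' "$2" | tr -d '[:space:]' | tr 'A-F' 'a-f')

    # A SHA-256 digest is exactly 64 hex characters. Anything else means a
    # truncated or mistyped value, and comparing against it proves nothing.
    case $expected in
        *[!0-9a-f]*) echo "expected value is not hex" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "expected value is not 64 hex chars" >&2; return 2; }
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }

    # Hash via stdin so an unusual file name cannot change the output format;
    # sha256sum then prints "<digest>  -" and the first field is the digest.
    actual=$(sha256sum < "$file" | cut -d' ' -f1)

    if [ "$actual" = "$expected" ]; then
        echo "OK: $file"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# Constructed demo: a file containing the three bytes "abc", whose SHA-256 is
# the standard test vector below. Replace both with the real archive and the
# value published by the developer.
demo=$(mktemp)
printf 'abc' > "$demo"
verify_sha256 "$demo" "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
rm -f "$demo"
```

A mismatch (exit status 1) means the file is not the one the checksum was published for and should not be run.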
full member
Activity: 238
Merit: 100
I have devised a method for us VPS admins to maintain a running list of wellKnownPeers.  We can do it outside the scope of this thread over on forums.nxtcrypto.org

https://forums.nxtcrypto.org/viewtopic.php?f=39&t=229

The gist of the method

Quote
The last post with "SIGNOFF" in the thread will have the latest list.
So basically, if you wish to update the running list we will maintain here, don't ever hit QUOTE on the last post in this topic to do so unless that last poster has gone back and verified that their post is 100% current by going back and editing their post and putting SIGNOFF at the bottom outside of the quote. Then you quote their post, add your data, remove their SIGNOFF message, hit submit, then go see if you should edit your message with SIGNOFF or if you should replace your post with NOT IN TIME.
full member
Activity: 196
Merit: 100
Look, ask Graviton about all of the Other People's NXT from Dgex he's got combined for storage into one of the biggest NXT accounts in the blockchain.  Graviton, which would let you sleep better at night - the current NXT account setup, or the current NXT account setup plus an additional account withdrawal freeze code capability?

legendary
Activity: 2184
Merit: 1000
Are these randomly generated passwords stored by the generating service in some centralized database?
member
Activity: 98
Merit: 10
How to check SHA256 checksum? And what should I expect? I want to check my client right now.

In Linux, type:

sha256sum filename.zip
legendary
Activity: 2184
Merit: 1000
Isn't the party line not to use the word 'official' any more?  Cheesy

Official doesn't have to mean centralized  Grin
sr. member
Activity: 602
Merit: 268
Internet of Value
How to check SHA256 checksum? And what should I expect? I want to check my client right now.
sr. member
Activity: 392
Merit: 250
I literally saw my client a few moments after it happened (it was open) so how this happened is odd!

My actual User account that has been stolen from is
NXT
16821029889165561706
I don't have any idea how this may have happened either. Just wanted to confirm, at the moment the theft happened your client was running and you had the browser window opened, and your account was unlocked (you were seeing your balance and the "send money" arrow), is that all correct?

Just trying to differentiate the possibilities, whether the hacker obtained your password via brute-force or some other way and initiated the transaction from another machine, or somehow your own machine was tricked to initiate the transaction.

And you were running 0.4.8 at the time, right? I added the second check for secret phrase before send money exactly to increase security, so that even if your account is unlocked in the browser you still need to enter your password again.

Another question, did you generate your random-looking password using some software - password manager, online service, or created it manually by typing at random?
member
Activity: 98
Merit: 10
Isn't the party line not to use the word 'official' any more?  Cheesy

Ignoring official download locations may lead to heart-attacks and loss of trust.
member
Activity: 98
Merit: 10
Isn't the party line not to use the word 'official' any more?  Cheesy
legendary
Activity: 2184
Merit: 1000

We can download client from anywhere. Just make sure SHA256 checksum matches the one provided by Jean-Luc.

not everyone can run this setup


Please expand landomata.

meaning the average user shouldn't have to run this check.

Edit: there should be one secured official source for client updates...preferably Blockchain to clients
member
Activity: 98
Merit: 10
Nobody prepends now, but with an additional login field, they'll be forced to prepend.

And they'll be entering 1234 into the login field all the time Smiley

Most people will not. Better than nothing Smiley Requires only UI JS changes.
full member
Activity: 196
Merit: 100

I think that if you requested withdrawals from your account be frozen until you reenter the private key code, and the client software generates internally and displays to you that private key code for you to write down on paper with a pencil for use at a later date, then yes, I do not see how either a keylogger or a Trojan could get the private key unlock code.  

There are remote control trojans that can print screen and send it to the hacker.

This is true.  I suggest the client software could display it as an animated gif perhaps  with random 3 to 5 second intervals between key fragment displays, so that a single screen grab or even multiple screen grabs wouldn't get it.  Whereupon the Trojan could be written to...

We can go a long way down this hall of mirrors.  I still think it is worthwhile to implement user account withdrawal freeze codes as I have described in the blockchain, for the psychological comfort aspect as well as the undeniable increased security aspect, hypothetical screengrabber Trojans or no.  

I will keep parrying about if this then that if you want.  Deciding as a community whether or not  to actually implement it is a completely separate issue that I still would like resolution upon.

newbie
Activity: 28
Merit: 0
Could someone with an updated blockchain check on my account for me?

5341635214821841695

I'm in a developing country at the moment  Undecided...

It would be very much appreciated as the explorer is still down.

http://localhost:7874/nxt?requestType=getBalance&account=5341635214821841695
or
http://22k.io/-account/5341635214821841695
Thanks CFB and Optical, I almost had a heart attack when I heard about the hack.
full member
Activity: 238
Merit: 100
Could someone with an updated blockchain check on my account for me?

5341635214821841695

I'm in a developing country at the moment  Undecided...

It would be very much appreciated as the explorer is still down.

http://localhost:7874/nxt?requestType=getBalance&account=5341635214821841695
or
http://22k.io/-account/5341635214821841695
legendary
Activity: 2142
Merit: 1010
Newbie
Could someone with an updated blockchain check on my account for me?

5341635214821841695

I'm in a developing country at the moment  Undecided...

It would be very much appreciated as the explorer is still down.

{"balance":350997600,"effectiveBalance":350997600,"unconfirmedBalance":350997600}
member
Activity: 98
Merit: 10

We can download client from anywhere. Just make sure SHA256 checksum matches the one provided by Jean-Luc.

not everyone can run this setup

by the way, there are new custom automatic installer packages coming into light every day, I am sure nobody is checking those before recommending Smiley
newbie
Activity: 28
Merit: 0
Could someone with an updated blockchain check on my account for me?

5341635214821841695

I'm in a developing country at the moment  Undecided...

It would be very much appreciated as the explorer is still down.
legendary
Activity: 2184
Merit: 1000

We can download client from anywhere. Just make sure SHA256 checksum matches the one provided by Jean-Luc.

not everyone can run this setup