Topic: NXT :: descendant of Bitcoin - Updated Information - page 1958. (Read 2761645 times)

legendary
Activity: 2142
Merit: 1010
Newbie
Nobody prepends now, but with an additional login field, they'll be forced to prepend.

And they'll be entering 1234 into the login field all the time.
full member
Activity: 238
Merit: 100
I agree it could be any of those 4 reasons CfB gave, but curiously, why hasn't the hacker or whoever done anything with those stolen NXT? Isn't that weird behavior?

just so we don't go on a tangent here,
this is the client I used.
4.8
https://nextcoin.org/index.php/topic,4.0.html

nxt-client-0.4.8.zip

Hmm... post by Drexme.

The SHA256 Hash from the forum file is the same as the SHA256 Hash from the zip I used. That file is ok.

Well, the link could have been changed since his download, but most likely not. To be 100% sure paulyc will need to get the .zip from his PC's download folder and post it for us.

But most likely it was either a keylogger or he put his password into a remote node, with the latter being most likely IMO.
newbie
Activity: 30
Merit: 0
Coz it's unknown what MAC address a transaction was sent from.
And nobody ever spoofed a MAC address.
member
Activity: 98
Merit: 10

I think that if you requested withdrawals from your account be frozen until you reenter the private key code, and the client software generates internally and displays to you that private key code for you to write down on paper with a pencil for use at a later date, then yes, I do not see how either a keylogger or a Trojan could get the private key unlock code.  

There are remote control trojans that can print screen and send it to the hacker.
hero member
Activity: 687
Merit: 500
Wouldn't it be pretty easy to restrict transactions to a specific MAC address? You register a MAC address for your account via a transaction. Only if the MAC address is the specified one, the transaction is executed. Just an idea.

It's impossible.

why?

Coz it's unknown what MAC address a transaction was sent from.

No, you misunderstood me. I don't claim that other nodes have to verify the MAC address. It's just a test that the server on your computer performs locally before it releases the transaction to other nodes. The MAC address is a fingerprint of the device you are using to send NXT coins.

Edit: OK, I think I see your point.
legendary
Activity: 2142
Merit: 1010
Newbie

Hey CfB... shouldn't Page 1 client download link agree with the one given by Jean-Luc?

Thought I had this under control... but getting confused myself.

Since we all respect your opinion, please inform where we should be downloading the client from.

Thanks

We can download the client from anywhere. Just make sure the SHA256 checksum matches the one provided by Jean-Luc.
full member
Activity: 196
Merit: 100
OK, look, I'm not a heavy hitter coder to pitch in and help here, and I wish I was.  But this security stuff is serious with major psychological/political overtones for the acceptance of NXT.  I really want to get a consensus here on a proposed course of action.  Many pages back on this thread there was a prioritized list of what was to be added to NXT in the way of features.  Where does my proposed account withdrawal freeze code idea (or something similar) rank on this in the eyes of the community, and what is the path we take to either reject it from consideration as an add-on or agree that yes, it will be implemented?

Not trying to be pushy, I just think this is too important to let it fade out when we go off chasing the next squirrel topic ten pages from now (an allusion to the dog in Up).

Would your solution help against keyloggers and trojans?

I think that if you requested withdrawals from your account be frozen until you reenter the private key code, and the client software generates internally and displays to you that private key code for you to write down on paper with a pencil for use at a later date, then yes, I do not see how either a keylogger or a Trojan could get the private key unfreeze code.  
member
Activity: 98
Merit: 10
So, even the password "Alisa" will be quite secure when used with the login "mrbober777", since the final password is "mrbober777Alisa", which is much better protected than plain "Alisa". An attacker would have to spend MUCH more resources brute-forcing passwords with a login added to the password field.

CfB ?

We can start prepending "Alisa" to our passphrases right now. (Need to create a new account though. And don't use "Alisa" plz.)

Nobody prepends now, but with an additional login field, they'll be forced to prepend.
newbie
Activity: 30
Merit: 0
Please consider running a non-proprietary OS...
There are many flavours of Linux/BSD that one can easily run live from a CD / USB drive.
It is not a panacea for all attack vectors but it is helpful.
hero member
Activity: 910
Merit: 1000
I've got PaulyC's password. It's uncrackable and matches the account. If he is not trolling then we have 4 explanations:

- Someone cracked SHA256 and Curve25519 (why then are multi-million accounts not hacked?)
- Someone distributes modified NRS (someone should decompile PaulyC's software)
- Keylogger
- He used an online node that records entered passphrases

While I may give PaulyC the benefit of doubt, it can't be ruled out that it is a legit transaction authorized by PaulyC himself.

What about this?
legendary
Activity: 2142
Merit: 1010
Newbie
So, even the password "Alisa" will be quite secure when used with the login "mrbober777", since the final password is "mrbober777Alisa", which is much better protected than plain "Alisa". An attacker would have to spend MUCH more resources brute-forcing passwords with a login added to the password field.

CfB ?

We can start prepending "Alisa" to our passphrases right now. (Need to create a new account though. And don't use "Alisa" plz.)
member
Activity: 98
Merit: 10
Finding the latest client from this thread is difficult. I think CFB should start another thread just with client update download links

The latest client is always available for download at info.nxtcrypto.org; we receive the file and SHA checksum directly from the developers, and it's hosted on our secure server, not some 3rd-party file sharing service.
hero member
Activity: 840
Merit: 1002
Simcoin Developer
So, keylogger or sniffing node or modified NRS.

1. Keylogger
2. Sniffing node
3. Modified NRS


4. Error in the client that allows remote connect and emptying of the account.
legendary
Activity: 2142
Merit: 1010
Newbie
Wouldn't it be pretty easy to restrict transactions to a specific MAC address? You register a MAC address for your account via a transaction. Only if the MAC address is the specified one, the transaction is executed. Just an idea.

It's impossible.

why?

Coz it's unknown what MAC address a transaction was sent from.
hero member
Activity: 687
Merit: 500
I agree it could be any of those 4 reasons CfB gave, but curiously why hasn't the hacker or whoever done anything with those stolen NXT? Isn't that a weird behavior or?

just so we don't go on a tangent here,
this is the client I used.
4.8
https://nextcoin.org/index.php/topic,4.0.html

nxt-client-0.4.8.zip

Hmm... post by Drexme.

The SHA256 Hash from the forum file is the same as the SHA256 Hash from the zip I used. That file is ok.
member
Activity: 98
Merit: 10
OK, look, I'm not a heavy hitter coder to pitch in and help here, and I wish I was.  But this security stuff is serious with major psychological/political overtones for the acceptance of NXT.  I really want to get a consensus here on a proposed course of action.  Many pages back on this thread there was a prioritized list of what was to be added to NXT in the way of features.  Where does my proposed account withdrawal freeze code idea (or something similar) rank on this in the eyes of the community, and what is the path we take to either reject it from consideration as an add-on or agree that yes, it will be implemented?

Not trying to be pushy, I just think this is too important to let it fade out when we go off chasing the next squirrel topic ten pages from now (an allusion to the dog in Up).

Would your solution help against keyloggers and trojans?

It's very easy to add a special KEYFILE in addition to the password, which will be used against keyloggers. Once again, a protocol change is not required.
legendary
Activity: 2142
Merit: 1010
Newbie
We haven't looked at this possibility... updating the client from the blockchain would solve this.

It's enough to modify only JavaScript part to send entered passphrases to adversary's server.

Edit: It's only 10 lines of JS code.

So how do we protect against this?

After downloading NRS, check the SHA256 checksum.
legendary
Activity: 1320
Merit: 1007
Finding the latest client from this thread is difficult. I think CFB should start another thread just with client update download links
member
Activity: 98
Merit: 10
I've got PaulyC's password. It's uncrackable and matches the account. If he is not trolling then we have 4 explanations:

- Someone cracked SHA256 and Curve25519 (why then are multi-million accounts not hacked?)
- Someone distributes modified NRS (someone should decompile PaulyC's software)
- Keylogger
- He used an online node that records entered passphrases

He should calculate the SHA256 hash of the class files, no need to decompile.

So, keylogger or sniffing node or modified NRS.

1. Keylogger

NXT is too young for hackers to understand that a random password for 127.0.0.1 is something good. I am sure it was not because of a keylogger.

2. Sniffing node

Let's ask the victim: which node did he use to access his account? Did he ever use a 3rd-party online wallet at least once to access his account?

3. Modified NRS

Send your copy of NRS to CfB or me and we'll check each file's SHA/CRC against the stock version.
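The two checks recommended in this thread (the whole-archive SHA256 against the published value, and each file's SHA256 against the stock version) as an added example; this is not code from the thread or from the NXT project, and the archive contents, member names and published checksum are constructed stand-ins.

```python
import hashlib
import io
import zipfile


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_zip(files: dict) -> bytes:
    """Build a reproducible in-memory zip from {member name: bytes}.
    Constructed stand-in for a client archive such as nxt-client-0.4.8.zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in sorted(files):
            info = zipfile.ZipInfo(name, date_time=(2014, 1, 1, 0, 0, 0))
            zf.writestr(info, files[name], compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


def file_manifest(zip_bytes: bytes) -> dict:
    """Per-member SHA256 digests: the 'stock version' list to compare against."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {n: sha256_hex(zf.read(n)) for n in zf.namelist() if not n.endswith("/")}


def verify_download(zip_bytes: bytes, published_sha256: str, stock_manifest: dict) -> dict:
    """Check the whole archive against the published checksum, then each member
    against the stock manifest so a single swapped file (e.g. the JS part) is named."""
    actual = file_manifest(zip_bytes)
    report = {"archive_ok": sha256_hex(zip_bytes) == published_sha256.lower(),
              "modified": [], "missing": [],
              "added": sorted(set(actual) - set(stock_manifest))}
    for name, digest in stock_manifest.items():
        if name not in actual:
            report["missing"].append(name)
        elif actual[name] != digest:
            report["modified"].append(name)
    return report


# Constructed sample archives (not real NRS files): a stock build and one whose
# browser-side JS member differs, the scenario the thread describes.
STOCK_FILES = {
    "nxt/Nxt.class": b"\xca\xfe\xba\xbe stock class bytes",
    "webapp/js/nrs.js": b"function sendMoney(secret){ post('/nxt', secret); }",
}
TAMPERED_FILES = {**STOCK_FILES,
                  "webapp/js/nrs.js": b"function sendMoney(secret){ post('/nxt', secret); } // altered"}
STOCK_ZIP = build_zip(STOCK_FILES)
TAMPERED_ZIP = build_zip(TAMPERED_FILES)
PUBLISHED_SHA256 = sha256_hex(STOCK_ZIP)   # stands in for the developer-posted checksum
STOCK_MANIFEST = file_manifest(STOCK_ZIP)

if __name__ == "__main__":
    print(verify_download(STOCK_ZIP, PUBLISHED_SHA256, STOCK_MANIFEST))
    print(verify_download(TAMPERED_ZIP, PUBLISHED_SHA256, STOCK_MANIFEST))
```

Against a real download, replace the constructed archives with the bytes of the zip you received and the checksum posted by the developers; the per-file report tells you which member was swapped when the archive checksum fails.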
full member
Activity: 238
Merit: 100
I agree it could be any of those 4 reasons CfB gave, but curiously why hasn't the hacker or whoever done anything with those stolen NXT? Isn't that a weird behavior or?

just so we don't go on a tangent here,
this is the client I used.
4.8
https://nextcoin.org/index.php/topic,4.0.html

nxt-client-0.4.8.zip



It's unfortunate that one of the links there is a mega.co server. paulyc, please tell us if you downloaded from the mega.co link or not.
In fact, can you please look on your HD, get the zip file and post it somewhere for us to look at?