Topic: NXT :: descendant of Bitcoin - Updated Information - page 1959. (Read 2761645 times)

member
Activity: 98
Merit: 10
OK, look, I'm not a heavy hitter coder to pitch in and help here, and I wish I was.  But this security stuff is serious with major psychological/political overtones for the acceptance of NXT.  I really want to get a consensus here on a proposed course of action.  Many pages back on this thread there was a prioritized list of what was to be added to NXT in the way of features.  Where does my proposed account withdrawal freeze code idea (or something similar) rank on this in the eyes of the community, and what is the path we take to either reject it from consideration as an add-on or agree that yes, it will be implemented?

Not trying to be pushy, I just think this is too important to let it fade out when we go off chasing the next squirrel topic ten pages from now (an allusion to the dog in Up).

Would your solution help against keyloggers and trojans?
full member
Activity: 196
Merit: 100
OK, look, I'm not a heavy hitter coder to pitch in and help here, and I wish I was.  But this security stuff is serious with major psychological/political overtones for the acceptance of NXT.  I really want to get a consensus here on a proposed course of action.  Many pages back on this thread there was a prioritized list of what was to be added to NXT in the way of features.  Where does my proposed account withdrawal freeze code idea (or something similar) rank on this in the eyes of the community, and what is the path we take to either reject it from consideration as an add-on or agree that yes, it will be implemented?

Not trying to be pushy, I just think this is too important to let it fade out when we go off chasing the next squirrel topic ten pages from now (an allusion to the dog in Up).
member
Activity: 82
Merit: 10
Gonna take off for a min.
Btw. asked earlier, I have the latest ESET 64 antivirus software, running always, but I'll run a full scan, thanks again.
full member
Activity: 196
Merit: 100
I agree it could be any of those 4 reasons CfB gave, but curiously why hasn't the hacker or whoever done anything with those stolen NXT? Isn't that a weird behavior or?

just so we don't go on a tangent here,
this is the client I used.
4.8
https://nextcoin.org/index.php/topic,4.0.html

nxt-client-0.4.8.zip

Hmm... post by Drexme.

Dun dun DUN. (music)
sr. member
Activity: 308
Merit: 250
I agree it could be any of those 4 reasons CfB gave, but curiously why hasn't the hacker or whoever done anything with those stolen NXT? Isn't that a weird behavior or?

just so we don't go on a tangent here,
this is the client I used.
4.8
https://nextcoin.org/index.php/topic,4.0.html

nxt-client-0.4.8.zip

Hmm... post by Drexme.

Latest client links are updated by someone else, not drexme. (But I doubt that's the issue).
full member
Activity: 224
Merit: 100
I agree it could be any of those 4 reasons CfB gave, but curiously why hasn't the hacker or whoever done anything with those stolen NXT? Isn't that a weird behavior or?

just so we don't go on a tangent here,
this is the client I used.
4.8
https://nextcoin.org/index.php/topic,4.0.html

nxt-client-0.4.8.zip

Hmm... post by Drexme.
full member
Activity: 238
Merit: 100
All,  I would immediately stop downloading clients from mega.co links, and only download from versions Jeanluc posts on info.crypto.org or on forums.nxtcrypto.org.  There should also be a mirror site on www.nxtcrypto.org.

If your funds were stolen and you have a 30+ character passphrase consisting of upper/lower/number characters that is not anything in print or spoken, then you have a keylogger on your PC that saw your password.  One was recently made and released as some IM app that stole funds.


Method to freeze funds into a new acct. (You will not be able to forge with these funds)

1. Boot to linux live CD.  Use one a few months old.  The live CD must have java jre 1.7
2. install latest client from forums.nxtcrypto.org/client.zip
3. write your new complex passphrase on a piece of paper
4. unlock the client with passphrase.
5. write down the new account number
6. lock it and unlock again.
7. verify account number.
8. do 6 & 7 again once more to verify.
9. write long passphrase on a piece of paper. (paper wallet)
10. open old account, send funds to new account
11. close old account, open new account
12. wait for a few confirmations of the transfer to the new account

discussion of this method here: https://forums.nxtcrypto.org/viewtopic.php?f=17&t=267
full member
Activity: 196
Merit: 100
- Someone cracked SHA256 and Curve25519 (why then were multi-million accounts not hacked?)
- Someone distributes modified NRS (someone should decompile PaulyC's software)
- Keylogger
- He used online node that records entered passphrases

0.0000000000000000001%
1-10%
80-90%
1-10%

about that kind of probability for each explanation.
Keylogger is the main suspect of course.

I totally agree with these ballpark estimates.

I would note that if my proposed public / private key account freeze page were implemented in the client, it would be virtually immune to a keylogger since the private part of the unfreeze key would be written down manually, and the one time it's typed in is to unlock the account anyway.  Presumably the user would send NXT out of a high value account and immediately refreeze it once the transaction was gone.

Tho just to stay paranoid, there's also screengrab loggers that could get a visual unfreeze private key in my scheme...

newbie
Activity: 28
Merit: 0
Wouldn't it be pretty easy to restrict transactions to a specific MAC address? You register a MAC address for your account via a transaction. Only if the MAC address of your computer is the specified one, the transaction is executed. Just an idea.


Even if it were possible I'm afraid that would cause more problems than it would solve...

hero member
Activity: 687
Merit: 500
I've got PaulyC's password. It's uncrackable and matches the account. If he is not trolling then we have 4 explanations:

- Someone cracked SHA256 and Curve25519 (why then were multi-million accounts not hacked?)
- Someone distributes modified NRS (someone should decompile PaulyC's software)
- Keylogger
- He used online node that records entered passphrases

He should calculate the SHA256 hash of the class files, no need to decompile.
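The check Marc describes, as an added example that is not code from the thread or from the NXT project: hash every .class file in a downloaded client archive and compare against a manifest published by a trusted source. The archive contents, class names and manifest below are constructed in memory; in practice the manifest comes from the release channel, and since CfB notes later in the thread that modifying only the JavaScript part suffices to leak passphrases, the same check should cover the client's JS files as well.

```python
import hashlib
import io
import zipfile


def class_file_hashes(zip_bytes):
    """Return {name: sha256 hex} for every .class file in the archive."""
    hashes = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.filename.endswith(".class"):
                hashes[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return hashes


def verify_against_manifest(zip_bytes, manifest):
    """Compare the archive's .class files against a trusted manifest.

    Returns sorted lists of files whose hash differs ('modified'), files the
    manifest lists but the archive lacks ('missing'), and .class files in the
    archive the manifest does not know ('unexpected'). All empty = intact.
    """
    actual = class_file_hashes(zip_bytes)
    return {
        "modified": sorted(n for n in manifest if n in actual and actual[n] != manifest[n]),
        "missing": sorted(n for n in manifest if n not in actual),
        "unexpected": sorted(n for n in actual if n not in manifest),
    }


def build_archive(files):
    """Build an in-memory zip from {name: bytes} (constructed test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed stand-in for a trusted release; class names are hypothetical.
GOOD_FILES = {"nxt/Nxt.class": b"release-bytecode-1",
              "nxt/Account.class": b"release-bytecode-2",
              "README.txt": b"not a class file, ignored"}
TRUSTED_MANIFEST = class_file_hashes(build_archive(GOOD_FILES))

# Constructed tampered copy: one class altered, one unlisted class added.
TAMPERED_FILES = {**GOOD_FILES, "nxt/Nxt.class": b"altered-bytecode",
                  "nxt/Extra.class": b"unlisted"}

if __name__ == "__main__":
    print(verify_against_manifest(build_archive(GOOD_FILES), TRUSTED_MANIFEST))
    print(verify_against_manifest(build_archive(TAMPERED_FILES), TRUSTED_MANIFEST))
```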
member
Activity: 98
Merit: 10
offline mining of all NXT accounts in parallel
problem gets worse the more NXT accounts there are
this attracts more hackers the more NXT is worth
This will create an equilibrium effect like a boat anchor to a hot air balloon. The more NXT succeeds, the more it will be hacked.

CfB, tell me there is a solution that is more effective than the user needs to not be unlucky

James

I can tell you some ideas.

Currently there is only a password. Let's also add a login field when registering for account access.

This'll require NO changes in the protocol:

FINALPASSWORD = [LOGIN][PASSWORD]

So, even the password "Alisa" will be quite secure when used with the login "mrbober777", since the final password is "mrbober777Alisa", which is much better protected than plain "Alisa". An attacker would have to spend MUCH more resources brute-forcing passwords with a login added to the password field.

CfB ?
legendary
Activity: 2184
Merit: 1000

Keylogger is the main suspect of course.

There is really no way to protect against keyloggers except proper vigilance....yet malware is still everywhere and not going away anytime soon.


This is where Rickyjames/Opti-carriers idea comes in handy
hero member
Activity: 687
Merit: 500
Wouldn't it be pretty easy to restrict transactions to a specific MAC address? You register a MAC address for your account via a transaction. Only if the MAC address is the specified one, the transaction is executed. Just an idea.

It's impossible.

why?
member
Activity: 98
Merit: 10
price on dgex to da moon!

if litecoin is a chikun. what's nxt?

chikun killer, by summer for sure )
full member
Activity: 168
Merit: 100
price on dgex to da moon!

if litecoin is a chikun. what's nxt?
member
Activity: 82
Merit: 10
I agree it could be any of those 4 reasons CfB gave, but curiously why hasn't the hacker or whoever done anything with those stolen NXT? Isn't that a weird behavior or?

just so we don't go on a tangent here,
this is the client I used.
4.8
https://nextcoin.org/index.php/topic,4.0.html

nxt-client-0.4.8.zip

member
Activity: 98
Merit: 10
- Someone cracked SHA256 and Curve25519 (why then were multi-million accounts not hacked?)
- Someone distributes modified NRS (someone should decompile PaulyC's software)
- Keylogger
- He used online node that records entered passphrases

0.0000000000000000001%
1-10%
80-90%
1-10%

about that kind of probability for each explanation.
Keylogger is the main suspect of course.
legendary
Activity: 2184
Merit: 1000
We haven't looked at this possibility...updating client from the blockchain would solve this.

It's enough to modify only JavaScript part to send entered passphrases to adversary's server.

Edit: It's only 10 lines of JS code.

so how do we protect against this?
legendary
Activity: 2142
Merit: 1010
Wouldn't it be pretty easy to restrict transactions to a specific MAC address? You register a MAC address for your account via a transaction. Only if the MAC address is the specified one, the transaction is executed. Just an idea.

It's impossible.
hero member
Activity: 687
Merit: 500
Wouldn't it be pretty easy to restrict transactions to a specific MAC address? You register a MAC address for your account via a transaction. Only if the MAC address of your computer is the specified one, the transaction is executed. Just an idea.