Topic: NXT :: descendant of Bitcoin - Updated Information - page 1960. (Read 2761645 times)

hero member
Activity: 854
Merit: 1001
@PaulyC :

Have u scanned yr PC for malware? Trojan/key logger looks like a very good possibility at this moment.

And how is yr off-line security? Anyone else have access to yr PC?

legendary
Activity: 2142
Merit: 1010
Newbie
We haven't looked at this possibility...updating client from the blockchain would solve this.

It's enough to modify only JavaScript part to send entered passphrases to adversary's server.

Edit: It's only 10 lines of JS code.
legendary
Activity: 2142
Merit: 1010
Newbie
doesn't each new passphrase entered unlock a new account?

U don't need to unlock an account. This is how I would brute force accounts:

1. Got all non-empty account ids
2. Launched my GPUs (they r unprofitable to mine BTC but still useful)
3. Each GPU generated an account id and checked it matches one of the 7000 already existing ones (repeat zillion times)
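
The arithmetic behind the multi-target search described in the post above, as an added example that is not part of the thread. It assumes a 64-bit account id (the thread does not state the width) and checks the formula empirically with a toy id, the top bits of SHA-256 in a 16-bit space, which is not the real Nxt key derivation.

```python
import hashlib
import math

ID_BITS = 64     # assumption: 64-bit account id (width is not stated in the thread)
TARGETS = 7000   # non-empty accounts, the figure given in the post above


def expected_guesses(id_bits, targets):
    """Mean number of uniformly random ids tried before one matches any target."""
    return 2 ** id_bits / targets


def hit_probability(id_bits, targets, guesses):
    """Chance of at least one match after `guesses` independent random ids."""
    p = targets / 2 ** id_bits
    return -math.expm1(guesses * math.log1p(-p))


def toy_id(secret, id_bits):
    """Toy stand-in for id derivation: the top `id_bits` bits of SHA-256(secret)."""
    digest = hashlib.sha256(secret.encode()).digest()
    return int.from_bytes(digest[:8], "big") >> (64 - id_bits)


def mean_guesses_simulated(id_bits, targets, trials):
    """Empirical mean guesses-to-first-hit in a deliberately tiny id space."""
    wanted = {toy_id(f"target-{n}", id_bits) for n in range(targets)}
    total = 0
    for trial in range(trials):
        guess = 0
        while True:
            guess += 1
            if toy_id(f"trial-{trial}-guess-{guess}", id_bits) in wanted:
                break
        total += guess
    return total / trials, len(wanted)


if __name__ == "__main__":
    # Toy space: 16-bit ids, 64 constructed targets, 200 independent searches.
    mean, distinct = mean_guesses_simulated(16, 64, 200)
    print(f"toy space: measured {mean:.0f}, predicted {expected_guesses(16, distinct):.0f}")
    # Same formula at the assumed real width: every extra funded account
    # divides the attacker's expected work, so the id width is the only margin.
    work = expected_guesses(ID_BITS, TARGETS)
    print(f"{ID_BITS}-bit ids, {TARGETS} targets: {work:.3e} expected guesses")
    print(f"P(hit) after that many guesses: {hit_probability(ID_BITS, TARGETS, work):.3f}")
```
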
legendary
Activity: 1320
Merit: 1007
Another possibility is that the global mod that went rogue from the nxtforum could have changed the download link to an infected copy of NRS, and people who used that link from the forum were using a compromised version.
sr. member
Activity: 602
Merit: 268
Internet of Value
I've got PaulyC's password. It's uncrackable and matches the account. If he is not trolling then we have 4 explanations:

- Someone cracked SHA256 and Curve25519 (why then multi-million accounts not hacked?)
- Someone distributes modified NRS (someone should decompile PaulyC's software)
- Keylogger
- He used online node that records entered passphrases

While I may give PaulyC the benefit of doubt, it can't be ruled out that it is a legit transaction authorized by PaulyC himself.
legendary
Activity: 2184
Merit: 1000
I've got PaulyC's password. It's uncrackable and matches the account. If he is not trolling then we have 4 explanations:

- Someone cracked SHA256 and Curve25519 (why then multi-million accounts not hacked?)
- Someone distributes modified NRS (someone should decompile PaulyC's software)
- Keylogger
- He used online node that records entered passphrases


We haven't looked at this possibility...updating client from the blockchain would solve this.
legendary
Activity: 2142
Merit: 1010
Newbie
I've got PaulyC's password. It's uncrackable and matches the account. If he is not trolling then we have 4 explanations:

- Someone cracked SHA256 and Curve25519 (why then multi-million accounts not hacked?)
- Someone distributes modified NRS (someone should decompile PaulyC's software)
- Keylogger
- He used online node that records entered passphrases
member
Activity: 82
Merit: 10
What if not everyone trusts that trusted third-party and still will believe the account was hacked or not.
The password should be in public.

Everybody trusts c-f-b!

In this situation, I don't see huge tangible benefits to the hackee of putting his/her password in public; whereas keeping the password out of a public forum may still save the aliases. The hacker might be offline if/when alias transfer is enabled (and, indeed, sitting on a tropical beach or a private yacht not caring about a few aliases). The hacker might have discarded the password. Or maybe never had it; who's to say the hacker's hacking tools ever actually send the password back to him?


That's my exact same thoughts, maybe I can salvage something here!
legendary
Activity: 2184
Merit: 1000
You mean account spikes?.....in a linear fashion....as if someone was artificially opening accounts in a fixed amount across a specific time interval?

Nxt (and Bitcoin) doesn't work such the way.

doesn't each new passphrase entered unlock a new account?
member
Activity: 98
Merit: 10
Someone's buying up all NXTs they can get their greedy hands on at dgex, despite all this hack talk too.
sr. member
Activity: 378
Merit: 250
What if not everyone trusts that trusted third-party and still will believe the account was hacked or not.
The password should be in public.

Everybody trusts c-f-b!

In this situation, I don't see huge tangible benefits to the hackee of putting his/her password in public; whereas keeping the password out of a public forum may still save the aliases. The hacker might be offline if/when alias transfer is enabled (and, indeed, sitting on a tropical beach or a private yacht not caring about a few aliases). The hacker might have discarded the password. Or maybe never had it; who's to say the hacker's hacking tools ever actually send the password back to him?
legendary
Activity: 1540
Merit: 1016
price on dgex to da moon!
member
Activity: 82
Merit: 10
Yes I was wondering the same thing.
from nextcoin.org 4.8
this version..

https://nextcoin.org/index.php/topic,4.0.html

I PMd Cfb my password, i recounted it's 34 randoms.  anyways..
legendary
Activity: 2184
Merit: 1000
Quick question on the theft issue:

If someone is just running a brute force attack on the whole NXT network attempting to hit the jackpot, won't this activity be very visible in the blockchain?
Way I see it, every password generated by the brute force attack will create an account.
Can anyone (with more skillz than me) have a look at the account creation (possibly vs IP address) stats and see if something weird is showing up?

The account will not show up in the blockchain before a transaction is made.

so it would be impossible to track account creation..as all passphrase attempts will unlock one account....each time a different passphrase is entered
legendary
Activity: 2142
Merit: 1010
Newbie
You mean account spikes?.....in a linear fashion....as if someone was artificially opening accounts in a fixed amount across a specific time interval?

Nxt (and Bitcoin) doesn't work such the way.
member
Activity: 98
Merit: 10
@PaulyC:

maybe it wasn't a hack. Could it have been an address collision (even if statistically unlikely), from two different passwords that lead to the same account number?
sr. member
Activity: 602
Merit: 268
Internet of Value
Ok I'll PM Cfb the PW, honestly I would like that he didn't post it as of yet, maybe there is something goofy going on that can be remedied?
will be some way to get my coins back or retain my aliases, I would hope!.


btw. I in no way condone giving up a PW ever, believe me I'm crazy secure about it, and I don't want comments about well if he'll PM his PW then he must be loose with it!..
argh. but if it can help catch that mofo! haha I know that's not likely..not.





Where did you download the client? Is it a trusted source? This could be a potential leak of security.
legendary
Activity: 2184
Merit: 1000
Quick question on the theft issue:

If someone is just running a brute force attack on the whole NXT network attempting to hit the jackpot, won't this activity be very visible in the blockchain?
Way I see it, every password generated by the brute force attack will create an account.
Can anyone (with more skillz than me) have a look at the account creation (possibly vs IP address) stats and see if something weird is showing up?

You mean account spikes?.....in a linear fashion....as if someone was artificially opening accounts in a fixed amount across a specific time interval?

member
Activity: 82
Merit: 10
Ok I'll PM Cfb the PW, honestly I would like that he didn't post it as of yet, maybe there is something goofy going on that can be remedied?
will be some way to get my coins back or retain my aliases, I would hope!.


btw. I in no way condone giving up a PW ever, believe me I'm crazy secure about it, and I don't want comments about well if he'll PM his PW then he must be loose with it!..
argh. but if it can help catch that mofo! haha I know that's not likely..not.



legendary
Activity: 896
Merit: 1006
First 100% Liquid Stablecoin Backed by Gold
I think this is the wrong way. What we need are clients that forge seamlessly, so even though the chance of winning will be minuscule, there will be no cost to forging, no barrier to entry, so people will do it anyway. People pay to play the lottery now, don't they? This lottery would be free to play, I think there is definitely some appeal there for users.

BCNext was forced to offer such the way coz small stakeholders won't bother with forging due to very high variation. Less coins forge - cheaper attacks.

I don't really like pools for forging. This is like one step back to centralized system.

I know we need to do something to allow small stakeholders to forge and get fees every day, but not this way.
But why? Small stakeholders can forge now and the odds are appropriately lower. Large balance forgers are taking larger risks so their rewards should be larger as well.