
Topic: NXT :: descendant of Bitcoin - Updated Information - page 1964. (Read 2761645 times)

full member
Activity: 196
Merit: 100
CfB

The way things are now a hacker can brute force search the entire password space and without specifically targeting anybody, targets everybody. The more nxt accounts that get funded, the more likely a hacker will stumble upon an acct.

This needs to be fixed for mass market adoption. Without it nxt value will not increase much from what it is now. There needs to be some additional layer of security that the person who creates the account can optionally enable. As it is now there is basically one nxt account and a hacker just has to be patiently mining passwords until he finds a funded account.


Amen brother, preach on.  When the public realizes that a hacker attacking NXT isn't trying to break into a specific big account but is going after ALL ACCOUNTS SIMULTANEOUSLY INCLUDING THEIRS - I'm telling you, the psychology outweighs the math.  You've got to give them some way to do something that makes them feel more secure - and actually BE more secure - than the current brainwallet scheme that requires Faith In Math.

The public ain't got no stinkin' Faith In Math.
legendary
Activity: 2142
Merit: 1010
Newbie
Pooled Forging details

A special type of transaction will be used to lease part or all forging power to one or several accounts. These accounts will sign blocks and decide what transactions to include into them. Fees will go to lessee accounts, not to lessors. This may lead to centralization (similar to Bitcoin) so lessor accounts r not advised to lease more than 50% of their effective* balance. Splitting 100% effective balance among different lessee accounts won't work coz of Sybil attack.

Comment plz.

---
* - Effective balance == balance that is used for forging
newbie
Activity: 30
Merit: 0
In that case you will need a hardware firewall in front of your VPS, which is very expensive (~$30k), or you could move to some host that provides anti-DDoS firewall protection (which is also too expensive).
For a DoS attack you don't need those pricey HW firewalls... DoS should be resolved in nxt's code-base and if needed ad-hoc mitigated with simple grepping/parsing of server logs and applying appropriate iptables rules.
For DDoS attacks the bottleneck is the uplink... In case of DDoS, having e.g. 10 servers on the same uplink (same data-center/rack) won't help, whatever you place in front of them.
I could elaborate on the poor man's / wealthy man's / our way of mitigating DDoS if anyone is interested.
legendary
Activity: 1176
Merit: 1134
CfB

Why can't the client deal with email verification, google authenticator or even cellphone SMS
Aren't all verifications just software that runs somewhere? Why can't that somewhere be the client?

Granted, to fully support it properly I would imagine that there would need to be some additional code in the core, but please explain your statement that it is impossible.

Client can send email, I know this. Client can wait for confirmation. So if there were API calls that required additional confirmations and this was made secure cryptographically, then at least the hacker would have to hack the email too instead of just the password. I am not clever enough to figure out how to make a cryptographically secure API call, but I imagine you or BCNext could do it

The way things are now a hacker can brute force search the entire password space and without specifically targeting anybody, targets everybody. The more nxt accounts that get funded, the more likely a hacker will stumble upon an acct.

This needs to be fixed for mass market adoption. Without it nxt value will not increase much from what it is now. There needs to be some additional layer of security that the person who creates the account can optionally enable. As it is now there is basically one nxt account and a hacker just has to be patiently mining passwords until he finds a funded account. How long does it take to see if an account exists?

If that can be done locally on a computer, then some sort of massively parallel setup or server farm could search through trillions of accounts per second. What is the density of nxt accounts if there are one million nxt accts?

James

P.S. I am hoping this is one of the planted security flaws that was talked about. Otherwise it turns out there is mining of nxt after all: randomly try passwords till you find a funded acct. Do we really think petahashes of computing will not be aimed at all the juicy nxt accts? It doesn't matter if you never use your acct after funding it. It doesn't matter if you never use the password online if nxt accts can be mined with a brute force search. Please tell me we can fix this
full member
Activity: 238
Merit: 100
"It's like you guys are building a really high-performance car, and then criticizing the roads for being too bumpy and drivers for being unskilled. It's a great car, and it can do amazing things, but if it isn't adapted to the world as it is or drivers as they are (and not as you want them to be), then it will not have widespread adoption."

I agree.

OK, just to bubble this to the top again, I officially request that a function be implemented in the NXT client and server that allows an account to publicly declare in the blockchain that it is closed to withdrawals until further notice.  Until this notice is given and verified, all attempts to withdraw from this account are to be deemed invalid by whoever is processing the block with the withdrawal request.

This function would be implemented by accessing a special lock page in the client software where a fee would be assessed for utilizing this option.  Clicking on the "accept fee" key on this page does two things: (1) sends out a colored coin or equivalent containing the account number, the lock notification, and the public half of an unlock code (2) displays for the user the private half of an unlock code that is to be copied down manually.

During the account lockdown period, all pending transactions on the blockchain are compared against a list of locked accounts as part of the verification process.  If the withdrawal is against a locked account, it is rejected as invalid.

To unlock the account, a user goes to a special unlock page in the client, enters the previously copied private key half generated during the original account locking, pays a fee, and sends a colored coin or equivalent containing the account number, the unlock notification, and the private half of the unlock code.  A server processing a block containing a colored account unlock code verifies the public / private keys unlock the account correctly and removes the specified account from the unlock list.  There may be a time delay while this information is propagated throughout the system and this delay would be accepted as part of the unlocking process.

This effectively would implement two factor authentication for sending NXT from a high-value account because the sender would need both the unlock code and the original account passphrase.

This scheme is NOT the same as transferring large sums to a new and seldom used NXT account for safekeeping.  Such an account still has an extremely small but non-zero probability of being opened via a brute force or lucky hit of its password, or of being keylogged or trojaned.  Publicly announced frozen accounts have a zero chance of being drained.  This difference between extremely small chance and zero is huge in the public mind and will go a long way in making the general public accept the NXT always-online brainwallet concept.

Question one:  is this technically possible, yes or no.




I proposed this a few days ago.  I believe it is possible, but would require extensive rewrite, as different pairs/keys would have to be implemented, and I don't believe the current curve/sha256 implementation of the hashing is compatible with what we desire.
legendary
Activity: 2142
Merit: 1010
Newbie
can someone answer why sometimes an account forges 2 consecutive blocks??  This happens more frequently than I would think it should

Small stakeholders don't bother with forging. Number of large ones is not very big, so u should see 2-3 blocks in a row.
legendary
Activity: 2142
Merit: 1010
Newbie
Hey, looks like I just got robbed, too.
Someone please check this account: 12152013998194592943
They now have 147k+ from me.
Had a 40 char random password, capital, lower, numbers, symbols.
WTF?

Can u prove that ur coins were stolen?
My account passphrase < 40 chars and contains 2M, why did the thief choose ur account instead of mine? Sorry, but ur case looks more like black PR attempt.
full member
Activity: 196
Merit: 100
"It's like you guys are building a really high-performance car, and then criticizing the roads for being too bumpy and drivers for being unskilled. It's a great car, and it can do amazing things, but if it isn't adapted to the world as it is or drivers as they are (and not as you want them to be), then it will not have widespread adoption."

I agree.

OK, just to bubble this to the top again, I officially request that a function be implemented in the NXT client and server that allows an account to publicly declare in the blockchain that it is closed to withdrawals until further notice.  Until this notice is given and verified, all attempts to withdraw from this account are to be deemed invalid by whoever is processing the block with the withdrawal request.

This function would be implemented by accessing a special lock page in the client software where a fee would be assessed for utilizing this option.  Clicking on the "accept fee" key on this page does two things: (1) sends out a colored coin or equivalent containing the account number, the freeze notification, and the public half of an unfreeze code (2) displays for the user the private half of an unfreeze code that is to be copied down manually.

During the account lockdown freeze period, all pending transactions on the blockchain are compared against a list of locked accounts as part of the verification process.  If the withdrawal is against a frozen account, it is rejected as invalid.

To unfreeze the account, a user goes to a special unfreeze page in the client, enters the previously copied private key half generated during the original account locking, pays a fee, and sends a colored coin or equivalent containing the account number, the unfreeze notification, and the private half of the unfreeze code.  A server processing a block containing a colored account unlock code verifies the public / private keys unfreeze the account correctly and removes the specified account from the frozen list.  There may be a time delay while this information is propagated throughout the system and this delay would be accepted as part of the unfreeze process.

This effectively would implement two factor authentication for sending NXT from a high-value account because the sender would need both the unfreeze code and the original account passphrase.

This scheme is NOT the same as transferring large sums to a new and seldom used NXT account for safekeeping.  Such an account still has an extremely small but non-zero probability of being opened via a brute force or lucky hit of its password, or of being keylogged or trojaned.  Publicly announced frozen accounts have a zero chance of being drained.  This difference between extremely small chance and zero is huge in the public mind and will go a long way in making the general public accept the NXT always-online brainwallet concept.

Question one:  is this technically possible, yes or no.
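A toy validator for the freeze/unfreeze scheme proposed in this post, added here as an illustration; it is not NXT code and not the poster's design in detail. It models the "public half" as a SHA-256 commitment to a secret unfreeze code and the "private half" as that secret (a substitution for the public/private key pair the post mentions), and the account names and transaction dicts are constructed for the example.

```python
import hashlib
import hmac
import os

# Hypothetical validator state for the proposed freeze/unfreeze scheme.
# The "public half" is modelled as SHA-256(secret); the "private half" is the
# secret the user copies down. Account names here are constructed examples.


def make_unfreeze_code():
    """Return (private_half, public_half) for a new freeze announcement."""
    private_half = os.urandom(32).hex()
    public_half = hashlib.sha256(private_half.encode()).hexdigest()
    return private_half, public_half


class FreezeLedger:
    def __init__(self):
        self.frozen = {}  # account -> commitment published in the freeze tx

    def apply_freeze(self, account, public_half):
        # One freeze per account: a later announcement cannot replace the
        # commitment, so a thief holding only the passphrase cannot re-freeze
        # the account under a code they know.
        if account in self.frozen:
            return False
        self.frozen[account] = public_half
        return True

    def apply_unfreeze(self, account, private_half):
        # Valid only if the revealed secret matches the published commitment.
        commitment = self.frozen.get(account)
        if commitment is None:
            return False
        digest = hashlib.sha256(private_half.encode()).hexdigest()
        if not hmac.compare_digest(digest, commitment):
            return False
        del self.frozen[account]
        return True

    def validate_withdrawal(self, account):
        # Every withdrawal is checked against the frozen list during verification.
        return account not in self.frozen

    def process(self, tx):
        """Dispatch one transaction dict; return True if it is valid."""
        kind = tx["type"]
        if kind == "freeze":
            return self.apply_freeze(tx["account"], tx["public_half"])
        if kind == "unfreeze":
            return self.apply_unfreeze(tx["account"], tx["private_half"])
        if kind == "withdraw":
            return self.validate_withdrawal(tx["account"])
        return False
```

Because the unfreeze transaction reveals the secret on the chain, each code is single-use, and the next freeze needs a freshly generated pair.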


full member
Activity: 238
Merit: 100
This happens more frequently than I would think it should
Have you any math for this? Or only fud?

You are too crafty and have exposed my scheme of toppling NXT due to fud.....

Hey smartguy, the whitepaper isn't published yet.  So we don't really know yet, do we; if you know the math then please post it.  You are an idiot if you think accusations of FUD as a response to legitimate questions are in the best interest of the NXT community.

Honestly though, are you fu**ing retarded?  Have you not seen the amount of time and effort I've been expending on this project??  And you call FUD on me.... wow, not very bright there, are you sparky
sr. member
Activity: 897
Merit: 284

How could we implement email confirmation for sending of NXT?

A service provider watching the blockchain could do this easily.

This should be implemented...it would remove the possibility all together of Nxt being stolen...would also be another advantage for Nxt

Is this something where the eventual message feature of NXT could come into play? The node that forges the block sends a message back to the originator of the transaction and requests confirmation? I'm not sure how you hold up the transfer until confirmed, just my $.02

Edit: After about 2 seconds of thought I realized this would send a message back to the person who has already gained unauthorized access to the account.

:\
hero member
Activity: 600
Merit: 500
Nxt-kit developer
Any actual roadmap? What would happen @ 32k?
member
Activity: 63
Merit: 10
Any chance Google Authenticator could be worked into the code, for everyone calling for extra security? Also, I wanted to see just how brute force resistant Nxt is, so I threw together some code and ran it. Unless a hacker is working with a ridiculously powerful rig, brute force is NOT an option. Even a 7 character pass-phrase would take several weeks to check all combinations of a mixed alpha-numeric set. So if your account has been hacked, you probably need to clean up your computer.
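An added model of what untargeted passphrase search costs, illustrating both the earlier point on this page that a brute-forcer targets every funded account at once and the brute-force figures in this post; this is example code, not the poster's script. The guess rate (1,000,000 passphrase-to-account derivations per second) and the number of funded accounts are assumptions, as is the uniform spread of funded passphrases over the space being searched.

```python
import math
import string

# Added model of untargeted passphrase search. Assumptions: the attacker
# enumerates a fixed character set and length in random order without repeats,
# the N funded accounts' passphrases are spread uniformly over that space, and
# every guess (derive the account from the passphrase, look it up) costs the same.

CHARSETS = {
    "digits": string.digits,
    "lower": string.ascii_lowercase,
    "alnum": string.ascii_letters + string.digits,
    "alnum_symbols": string.ascii_letters + string.digits + string.punctuation,
}


def keyspace(charset, length):
    """Number of passphrases of exactly `length` characters over `charset`."""
    return len(CHARSETS[charset]) ** length


def bits_of_entropy(charset, length):
    """Entropy of a uniformly random passphrase from this space, in bits."""
    return length * math.log2(len(CHARSETS[charset]))


def expected_guesses_to_first_hit(space, funded_accounts):
    """Expected guesses before the first funded account turns up.

    With N targets placed uniformly among S candidates and an enumeration that
    never repeats a guess, the first target sits on average at position
    (S + 1) / (N + 1). With N = 0 the whole space is exhausted.
    """
    if funded_accounts <= 0:
        return float(space)
    return (space + 1) / (funded_accounts + 1)


def seconds_to_first_hit(charset, length, funded_accounts, guesses_per_second):
    """Wall-clock estimate for the search at a sustained guess rate."""
    guesses = expected_guesses_to_first_hit(keyspace(charset, length), funded_accounts)
    return guesses / guesses_per_second


def untargeted_speedup(space, funded_accounts):
    """How much cheaper hitting any funded account is than hitting one chosen
    account, which takes (S + 1) / 2 guesses on average."""
    return ((space + 1) / 2) / expected_guesses_to_first_hit(space, funded_accounts)


if __name__ == "__main__":
    # Constructed scenario: 7-char mixed alphanumeric passphrases, 1e6 guesses/s.
    for n in (1, 1_000, 1_000_000):
        days = seconds_to_first_hit("alnum", 7, n, 1e6) / 86400
        print(f"{n:>9} funded accounts: first hit after ~{days:.3f} days "
              f"(speedup x{untargeted_speedup(62 ** 7, n):.0f})")
```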
full member
Activity: 238
Merit: 100
I'd like these people claiming thefts to post their password.  If the account has been emptied please post the password.

I want to tell the world to never accept a withdrawal from my NXT account.  To do this I click a button on my client and go to a special page.  I pay a NXT fee and the page generates two numbers, a public key and a private key.  I attach the public key to a colored coin.  This is my announcement to the world to lock my account...
This can be done with existing functionality.
Just create new account, send coins to it and never use this account until NXT costs $500.
This is absolutely the same scheme as yours. And it's free Smiley

yes but I'd like to be able to forge and also have functionality of a 2nd password in order to send funds.
This way, for forging, I'd just use my regular PC.  But to ever send NXT, I'd boot to a puppy linux usb drive and enter the password in that, with security from virus/keylogger/etc
legendary
Activity: 1190
Merit: 1001
Hey there, I started an NXT forging pool, for people that want to forge nxt with some reliability or don't want the NXT client running all day long

Website: http://nxt-pool.uk.to/

Nextcoin.org thread: https://nextcoin.org/index.php/topic,1783.0.html


If you send small amounts consider you will need to pay total 2 NxT fee for sending and return, so this is probably more than the NxT you're going to forge in years.

Every 24h currently you can forge about:

100k= 1NxT
10k= 0,1NxT
1k= 0,01NxT
100= 0,001NxT

So if you send 1k you will need 200 days just to break even on the 2 NxT fee when you're risking your money with a 3rd party.

Also you can't use your coins when you want (you need to wait for manual cashout), and now there are no decimals so it is impossible to pay out under 1NxT.

And what about if your next forum account/email gets hacked and tells him to send coins to another new wallet? You also lose everything.

IMO there is no point using this, and less with the current 1NxT fee.
full member
Activity: 189
Merit: 100
This isn't about math.  It's about public psychology.

I think this neatly summarises everything that I was trying to point out.

To expand on that: for NXT to be successful and truly added value, it will need to go mainstream at some point. Arguably not now, and I'm not in any way suggesting that.
But it needs to be on the cards and taken seriously.

How that will be achieved is a different matter. Third parties seem logical. It's not something that is the sole responsibility of the NXT devs.

NXT and any crypto that wants to survive, needs the general public. That is also a fact.

Also, in a more productive vein, I'd like to add a security page to the wiki. I now have the following items:

- Making a secure password with keepass (does other software need to be added?) (50-60 characters long enough?)
- Treat your wallet pass like it was your PIN.
- Keep your computer malware/virus free!
- never post pass.

Does anything else need adding? If it isn't obvious already, I am not a techie (although I know enough to keep myself protected). Can anyone suggest other easily implemented safety precautions?
Might as well help people out as much as we can Smiley

keepass 2 has an expiry date for every generated key/pass, I think; one must mention that as well. If it expires then users blame you for not posting about it Smiley so generate the key/pass and write it on paper or something similar
full member
Activity: 171
Merit: 100
There is no matter if you use one, two, or ten different passwords in sequence - or just one.

To be constructive, a password manager and generator (maybe like keepass2) could be integrated into the NxT client?
That would simplify it for the casual user.
legendary
Activity: 1367
Merit: 1000
This happens more frequently than I would think it should
Have you any math for this? Or only fud?
full member
Activity: 238
Merit: 100
@2Kool4Skewl
Please replace direct download links with links to cfb's posts with them.
Nothing personal, just security

All, JeanLuc has agreed to start posting releases at info.nxtcrypto.org and they will also be posted at forums.nxtcrypto.org as well as at the www.nxtcrypto.org site.
legendary
Activity: 1092
Merit: 1010
 This isn't about math.  It's about public psychology.

I think this neatly summarises everything that I was trying to point out.

To expand on that: for NXT to be successful and truly added value, it will need to go mainstream at some point. Arguably not now, and I'm not in any way suggesting that.
But it needs to be on the cards and taken seriously.

How that will be achieved is a different matter. Third parties seem logical. It's not something that is the sole responsibility of the NXT devs.

NXT and any crypto that wants to survive, needs the general public. That is also a fact.

Also, in a more productive vein, I'd like to add a security page to the wiki. I now have the following items:

- Making a secure password with keepass (does other software need to be added?) (50-60 characters long enough?)
- Treat your wallet pass like it was your PIN.
- Keep your computer malware/virus free!
- never post pass.

Does anything else need adding? If it isn't obvious already, I am not a techie (although I know enough to keep myself protected). Can anyone suggest other easily implemented safety precautions?
Might as well help people out as much as we can Smiley
hero member
Activity: 798
Merit: 500
Just transferred everything back to Dgex. Forging is done for me. If I can be hacked because of some security hole that Nxt cannot plug (key-loggers, for instance) then, though it's not Nxt's fault, it will hurt adoption and participation.
Hey, what if they will hack Dgex? Or founder of Dgex will disappear in the dust?

Like I said, cashing out as soon as I can.

It's like you guys are building a really high-performance car, and then criticizing the roads for being too bumpy and drivers for being unskilled. It's a great car, and it can do amazing things, but if it isn't adapted to the world as it is or drivers as they are (and not as you want them to be), then it will not have widespread adoption.


What? Your argument can be applied to anything. How do you expect NEXT to save you from keyloggers? A password is a password and it is up to you to choose and keep it safe.