What does your implementation of words.getDiceWd look like?
It picks directly from an array of words. Why? How do you map the integer type parameter down to the range of items in the dictionary? int & 0X1fff returns a value between 0 (inclusive) and 8191 (inclusive) |
|
|
|
What does your implementation of words.getDiceWd look like?
It picks directly from an array of words. Why? |
|
|
|
I imagine a passphrase generator integrated in Nxt clients, similar to the one used in Electrum client for Bitcoin, with state of the art random generator and possibly a larger dictionary (Electrum uses 1600 words).
Hi, I really like your idea and wan't to implement that in Offspring (actually already did that with the Eglish list). It seems there are lists of words for most languages http://world.std.com/~reinhold/diceware.html available. I would like some input on the algorithm to combine the words and if and how to generate entropy with the mouse. It does for sure look really interesting to the average user (moving your mouse around to generate a password) but does it make a difference in the case of Curve25519 between doing that and using SecureRandom? Also great care is put into correctly providing a seed to the PRNG in SecureRandom and you are warned against providing your own seed (which is basically what you do when you move your mouse around and call SecureRendom.setSeed([MOUSE MOVEMENT ENTROPY]) ), so what is more secure? Default (and optimized) SecureRandom or SecureRandom with mouse movement as seed? DiceWords words = new DiceWords();
SecureRandom rand = SecureRandom.getInstance("SHA1PRNG", "SUN");
byte[] bytes = new byte[8];
rand.nextBytes(bytes); // initialize seed
StringBuilder sb = new StringBuilder();
for (int i = 0; i < 12; i++) {
String word = words.getDiceWd(rand.nextInt());
sb.append(word).append(' ');
}
sb.deleteCharAt(sb.length() - 1);
String passphrase = sb.toString();
Edit: changed the algorithm to explicitly use SHA1PRNG instead of the platform default, call to nextBytes is to force PRNG to seed itself securely |
|
|
|
If you are offline and not forging you don't get a share
if you are offline for 1440 blocks you get removed from the Co-Op
How would you determine if someone is offline? |
|
|
|
I did my research on random string generator libraries, it seems apache RandomStringUtils is not compromised.
Why aren't you using SecureRandom random = new SecureRandom()? Simpler version from web char[] allowedCharacters = {'a','b','c','1','2','3','4'}; SecureRandom random = new SecureRandom(); StringBuffer password = new StringBuffer(); for(int i = 0; i < PASSWORD_LENGTH; i++) { password.append(allowedCharacters[ random.nextInt(allowedCharacters.length) ]); } I don't believe I know better than the people from Apache who made that library. That library is used in 1000s of production systems. You should not reinvent the wheel. You are right about the difference between SecureRandom and Random, in the code I posted it does however not make sense to use SercureRandom. If you believe it does please explain why it does make sense in the code I posted. They use java.util.Random Where do you see SercureRandom used by RandomStringUtils? I did not say they used SecureRandom in RandomStringUtils. What I did was look for ways to generate the safest possible passphrases and RandomStringUtils was mentioned and seemed to be used the most. It comes as a surprise that they do not use SecureRandom, if this in fact is unsecure this would mean that numerous production systems are at risk, which might even be the case who knows. You started your argument by saying Random should not be used, since Random was used in the piece of code I posted I assumed you were talking about the random number between 70 and 90 for the password length, for which it makes no sense to use SecureRandom. I do believe Apache should use SecureRandom. Looking at my code I also believe the seed string of characters used should not be a fixed string, it should be random as should your 'allowedCharacters' variable in the sample you posted. The site where you can generate a passphrase with your mouse is really cool, it does however not work for people without a mouse. |
|
|
|
I did my research on random string generator libraries, it seems apache RandomStringUtils is not compromised.
Why aren't you using SecureRandom random = new SecureRandom()? Simpler version from web char[] allowedCharacters = {'a','b','c','1','2','3','4'}; SecureRandom random = new SecureRandom(); StringBuffer password = new StringBuffer(); for(int i = 0; i < PASSWORD_LENGTH; i++) { password.append(allowedCharacters[ random.nextInt(allowedCharacters.length) ]); } I don't believe I know better than the people from Apache who made that library. That library is used in 1000s of production systems. You should not reinvent the wheel. You are right about the difference between SecureRandom and Random, in the code I posted it does however not make sense to use SercureRandom. If you believe it does please explain why it does make sense in the code I posted. |
|
|
|
Just throw AE in the water... it will either swim or drown!
best test is production, if it breaks we can fix it.
If it drowns it will take the whole Nxt ecosystem with it. We cannot just roll back the production blockchain, the way we had to do yesterday with the test blockchain - I asked test nodes to delete their copies. We may have cosmetic bugs, but things like calculating account and asset balances have to be rock solid, otherwise it is free money for the lucky ones that first discover the bugs and run away after converting to Bitcoins. We had a bug where cancelling an asset order would give you back twice the original amount, imagine this on main net... Releasing now would be mad. |
|
|
|
import org.apache.commons.lang3.RandomStringUtils;
private String generatePassphrase() {
// No space, backslash, newline, tab
String symbols = "!\"$%^&*()-_=+[{]};:'@#~|,<.>/?"; //$NON-NLS-1$
String alphaNum = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890"; //$NON-NLS-1$
int low = 70;
int high = 90;
Random random = new Random();
int count = random.nextInt(high - low) + low;
return RandomStringUtils.random(count, symbols + alphaNum);
}
Java.util.Random is not cryptographically secure. Change it to SecureRandom or people using Offspring to create Nxt accounts would be vulnerable http://stackoverflow.com/questions/11051205/difference-between-java-util-random-and-java-security-securerandom"Random only has a 48-bit internal state and will repeat after 2^48 calls to nextLong() which means that it won't produce all possible long or double values." This means all passwords created by OffSpring should be crackable. It's not secure at all In this case he is only using java.util.Random to pick up the length of the password, between 70 and 90 chars, so it does not need to be SecureRandom. Of course I hope the apache RandomStringUtils internally uses SecureRandom, this is where it would matter. I did my research on random string generator libraries, it seems apache RandomStringUtils is not compromised. |
|
|
|
Not sure about the Electrum passphrase generator. Offspring does have a passphrase generator since day one. This is the algorithm that generates that passphrase. import org.apache.commons.lang3.RandomStringUtils;
private String generatePassphrase() {
// No space, backslash, newline, tab
String symbols = "!\"$%^&*()-_=+[{]};:'@#~|,<.>/?"; //$NON-NLS-1$
String alphaNum = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890"; //$NON-NLS-1$
int low = 70;
int high = 90;
Random random = new Random();
int count = random.nextInt(high - low) + low;
return RandomStringUtils.random(count, symbols + alphaNum);
}
Java.util.Random is not cryptographically secure. Change it to SecureRandom or people using Offspring to create Nxt accounts would be vulnerable http://stackoverflow.com/questions/11051205/difference-between-java-util-random-and-java-security-securerandom"Random only has a 48-bit internal state and will repeat after 2^48 calls to nextLong() which means that it won't produce all possible long or double values." This means all passwords created by OffSpring should be crackable. It's not secure at all We disagree - Edit. I agree about the passwords being crackable, since every password is crackable. Your logic however is wrong |
|
|
|
Not sure about the Electrum passphrase generator. Offspring does have a passphrase generator since day one. This is the algorithm that generates that passphrase. import org.apache.commons.lang3.RandomStringUtils;
private String generatePassphrase() {
// No space, backslash, newline, tab
String symbols = "!\"$%^&*()-_=+[{]};:'@#~|,<.>/?"; //$NON-NLS-1$
String alphaNum = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890"; //$NON-NLS-1$
int low = 70;
int high = 90;
Random random = new Random();
int count = random.nextInt(high - low) + low;
return RandomStringUtils.random(count, symbols + alphaNum);
}
Java.util.Random is not cryptographically secure. Change it to SecureRandom or people using Offspring to create Nxt accounts would be vulnerable http://stackoverflow.com/questions/11051205/difference-between-java-util-random-and-java-security-securerandomIt depends on what you use the random number for, in this case it makes no difference if you would use SecureRandom or Random. Anyways thanks for looking it up, tips are always appreciated. |
|
|
|
Not sure about the Electrum passphrase generator. Offspring does have a passphrase generator since day one. This is the algorithm that generates that passphrase. import org.apache.commons.lang3.RandomStringUtils;
private String generatePassphrase() {
// No space, backslash, newline, tab
String symbols = "!\"$%^&*()-_=+[{]};:'@#~|,<.>/?"; //$NON-NLS-1$
String alphaNum = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890"; //$NON-NLS-1$
int low = 70;
int high = 90;
Random random = new Random();
int count = random.nextInt(high - low) + low;
return RandomStringUtils.random(count, symbols + alphaNum);
}
|
|
|
|
[5-3-2014] version 0.3.2e:- Compiled against NXT 0.8.6
Lol, you're fast  You know what took the longest time? The upload to bitbucket. Your client looks really slick btw. I wish I could do that in SWT, we do have CSS styling in the client but that will never look as good as a web based client. |
|
|
|
Offspring v0.3.2e releasedDownloads available for Windows, MacOS and Linux. https://bitbucket.org/incentivetoken/offspring-public/downloadsSee wiki for changelog. https://bitbucket.org/incentivetoken/offspring-public/wiki/Home[5-3-2014] version 0.3.2e:- Compiled against NXT 0.8.6
- Fixed a bug where Offspring thinks it's already running (when it's not)
[4-3-2014] version 0.3.1e:- Offspring now uses NXT from source instead of precompiled versions
- Compiled against NXT 0.8.5
- Offspring version and NXT version shown in title bar
- At startup user can select to start main or test network, if you choose test network you will use a separate wallet
- First bare-bones implementation list of assets in Trader section (only available on test network)
- First bare-bones implementation list of trades in Trader section (only available on test network)
- You can now add *read-only* accounts, enter any account number and it will show up in the accounts section
[3-3-2014] version 0.3e:- Offspring now uses the NXT Java API
- NXT 0.8.3
- Added easy discovery/registration/update for aliases
- Temporarily disabled recent blocks viewer
- Added Trader section (not yet enabled)
- Numerous changes to UI in the dialogs because responses from NXT are instant now
- Database and wallet are now in the users home folder
- Database can be cleared from menu, new blockchain will be downloaded
- Total uploaded/downloaded visible in the statusbar
- Height of latest block in your blockchain is shown in the statusbar
- Last block timestamp and number of seconds ago are visible in the statusbar
- A progressbar displays how much of the blockchain you have downloaded and how much more to go
- Each account is forging by default, you can turn forging on and off and your generation time is shown
- Early version of messaging implemented. You can enter an account number and a text and it will send the text to that account number. Messages are not encrypted! Everyone can read what you send (like twitter).
|
|
|
|
Is anyone knowing what we paid for?
Yes. Refactoring, consulting, some extra functionality like API calls. how do we know you actually delivered what BCNext has paid for is better formulated. how do we know you did all what he asked?  Who will communicate with BCNext in April after CFB departs? Uncertainty about the core dev team isn't instilling much confidence in investors and current holders. Investors will stay away until this confusion and uncertainty disappears. Friends of mine have no idea which client to download so are keeping their NXT on exchanges. They won't do anything until there is a one click install that works. They ask me which one is the 'main' website. All they want is to Send/Receive and not lose any NXT. No messing around with batch files, firewall settings, testnet and having to update twice a week. They don't even want to know about forging.I'm sure it wouldn't be difficult to promote one simple client that works and isn't going to freak out newbies. Can someone design a simple, safe, client that just sends and receives? I can assure you that would make so many people happy. Most newcomers aren't going to use all the other features they don't even understand, at least not yet. Forging is not an issue for them and don't care about that because they own 5k to 10k. None of their other coin wallets make any money and they don't expect NXT to either. They just want to send and receive and know their wallet is safe (secure password of course) It's that simple. Does this make sense to anyone and does anyone have any ideas about how we arrive at one website and one simple client. All my friends asks the same I agree completely with all of the above.. 5-6 people that I got into NXT are asking me the same question. For 3 of them I am holding NXT because they are freaked out they will mess up something since and lose their investment. Problem with a client exist. i mean we are launching an AE and we still don't have a go to client. And one might say how we have several clients out there, but they are all half working or if I am wrong than we should just choose the best one and offer it to the people.. Nexern client I won't even mention anymore. I doubt we will ever see it. I dont like to spam but Offspring is currently fully functional, it has a wallet to store your keys and it shows you how much of the blockchain has downloaded in a progressbar in the statusbar. There is no one-click installer (yet) but all you need to do is unzip and double click the executable. https://bitbucket.org/incentivetoken/offspring-public/downloadshttps://bitbucket.org/incentivetoken/offspring-public/wiki |
|
|
|
I posted this kinda late yesterday, in case anyone missed it.  Offspring v0.3.1e releasedDownloads available for Windows, MacOS and Linux. https://bitbucket.org/incentivetoken/offspring-public/downloadsSee wiki for changelog. https://bitbucket.org/incentivetoken/offspring-public/wiki/Home[4-3-2014] version 0.3.1e:- Offspring now uses NXT from source instead of precompiled versions
- Compiled against NXT 0.8.5
- Offspring version and NXT version shown in title bar
- At startup user can select to start main or test network, if you choose test network you will use a separate wallet
- First bare-bones implementation list of assets in Trader section (only available on test network)
- First bare-bones implementation list of trades in Trader section (only available on test network)
- You can now add *read-only* accounts, enter any account number and it will show up in the accounts section
[3-3-2014] version 0.3e:- Offspring now uses the NXT Java API
- NXT 0.8.3
- Added easy discovery/registration/update for aliases
- Temporarily disabled recent blocks viewer
- Added Trader section (not yet enabled)
- Numerous changes to UI in the dialogs because responses from NXT are instant now
- Database and wallet are now in the users home folder
- Database can be cleared from menu, new blockchain will be downloaded
- Total uploaded/downloaded visible in the statusbar
- Height of latest block in your blockchain is shown in the statusbar
- Last block timestamp and number of seconds ago are visible in the statusbar
- A progressbar displays how much of the blockchain you have downloaded and how much more to go
- Each account is forging by default, you can turn forging on and off and your generation time is shown
- Early version of messaging implemented. You can enter an account number and a text and it will send the text to that account number. Messages are not encrypted! Everyone can read what you send (like twitter).
|
|
|
|
At some point a bunch of devs are going to have the "aha" moment that Nxt is the leanest blockchain possible and that Nxt provides the most competitive advantages of any available cryptocurrency platform.
At that point, this thread would explode. It would be like the Twitter servers crashing because of the Oscars retweets.
Do we/can we have separate Client Bug Report Threads because I am forging on Offspring, was sent NXT, and Offspring shows no update in balance like the Blockchain Explorer does. This is the type of comment/bug report that each dev needs to be monitoring individual Bug Report Threads for. How do we get this done?
Hi, I make Offspring there is an issue list here https://bitbucket.org/incentivetoken/offspring-public/issues please report your bug there and include the version number, I'll help you solve it there. Please make sure you have the latest version 0.3.1e https://bitbucket.org/incentivetoken/offspring-public/downloads |
|
|
|
Offspring v0.3.1e releasedDownloads available for Windows, MacOS and Linux. https://bitbucket.org/incentivetoken/offspring-public/downloadsSee wiki for changelog. https://bitbucket.org/incentivetoken/offspring-public/wiki/Home[4-3-2014] version 0.3.1e:- Offspring now uses NXT from source instead of precompiled versions
- Compiled against NXT 0.8.5
- Offspring version and NXT version shown in title bar
- At startup user can select to start main or test network, if you choose test network you will use a separate wallet
- First bare-bones implementation list of assets in Trader section (only available on test network)
- First bare-bones implementation list of trades in Trader section (only available on test network)
- You can now add *read-only* accounts, enter any account number and it will show up in the accounts section
[3-3-2014] version 0.3e:- Offspring now uses the NXT Java API
- NXT 0.8.3
- Added easy discovery/registration/update for aliases
- Temporarily disabled recent blocks viewer
- Added Trader section (not yet enabled)
- Numerous changes to UI in the dialogs because responses from NXT are instant now
- Database and wallet are now in the users home folder
- Database can be cleared from menu, new blockchain will be downloaded
- Total uploaded/downloaded visible in the statusbar
- Height of latest block in your blockchain is shown in the statusbar
- Last block timestamp and number of seconds ago are visible in the statusbar
- A progressbar displays how much of the blockchain you have downloaded and how much more to go
- Each account is forging by default, you can turn forging on and off and your generation time is shown
- Early version of messaging implemented. You can enter an account number and a text and it will send the text to that account number. Messages are not encrypted! Everyone can read what you send (like twitter).
Offspring is created by DGEX http://dgex.com
|
|
|
|
DGEX is planning a new release it's Offspring client in a few days! Stay tuned. |
|
|
|
|
Same here, please send some test nxt
12790521293207104739
|
|
|
|
|
Could someone please send me test nxt?
12790521293207104739
Thanks
|
|
|
|
|
Show Posts
