Well BCNext is far smarter than me, unless he says that he cant implement a practical indistinguishability obfuscator, who am I to say that he cant?
The article you yourself posted says it's not ready for commercial applications: "However, the new obfuscation scheme is far from ready for commercial applications. The technique turns short, simple programs into giant, unwieldy albatrosses. And the scheme’s security rests on a new mathematical approach that has not yet been thoroughly vetted by the cryptography community. It has, however, already withstood the first attempts to break it." BCNext from what I understand isn't even cryptographer. I doubt he would have any clue how to approach this. |
|
|
|
Also, I must be too tired to understand why if the forging node can verify they are running the correct plugin and it puts the result of running the plugin into the forged block and the forged block is verified cryptographically by the peers, then why cant all the peers conclude properly that the correct plugin was indeed run on the correct input data (which is the output of NXT VM script)?
Sounds totally voodoo nonsense. There is no reason believe this is secure. |
|
|
|
If the source to SMTP server is reviewed that it does send the email (backed up with test results) and as part of the sending process it adds a hash value of email to the blockchain. I think that allows peer verification, please explain where I am wrong. I am certain I have made mistakes somewhere and I am still coming up to speed with this whole decentralized blockchain approach.
You might think that you could try to guarantee than an email has actually been sent if the "receiver" indicated that they had received it through another AM, however, just because they didn't receive it doesn't mean that it was sent - again - "there is simply NO WAY to do this - so please stop trying now" (you are wasting time just as much as you would trying to solve "the halting problem"). Besides, there are many other problems. Most of these emails would end up in spam folders anyway Sender Policy Framework http://en.wikipedia.org/wiki/Sender_Policy_Framework |
|
|
|
I don't see why you would want a Nxt VM script to "output an email" (or do anything else outside of the blockchain for that matter) - you do understand that whether such email was actually even really sent simply *cannot be proven* (as you are dealing with SMTP rather than a blockchain)?
Also SMTP is going to require accounts that need to be signed into and you don't want to end up with people effectively running "relay servers" or they'll end up on email blacklists.
Wouldn't it make more sense for such things to be services instead?
About walking vs. running - you are getting far too excited jl777 - can you just take something to slow down to a pace that we can keep up with (by the time we've tried to discuss one of your ideas you typically have posted 3 others).
NXTsmtp is just for proof of concept that incorporates something everybody is familiar with. I want to verify the peer verifiability of hardcoded NXTplugin followed by external NXTplugin. I am not worried about NXTsmtp for anything other than proving that NXTplugins work and are peer verified. At first I couldnt understand how on earth a DAC could be implemented. When I started thinking about email plugin, it became not as hard. If the source to SMTP server is reviewed that it does send the email (backed up with test results) and as part of the sending process it adds a hash value of email to the blockchain. I think that allows peer verification, please explain where I am wrong. I am certain I have made mistakes somewhere and I am still coming up to speed with this whole decentralized blockchain approach. The problem is that I see all of the things I am posting about as connected. Like the elephant described by different people. All sounds very different, but it is all the same elephant. If I described the elephant in its entirety, it wouldnt fit in posts. I feel a great sense of urgency due to competitive pressures. James P.S. I usually dont post when I am sleeping or flying  James, First of all thank you for all your great ideas, but ... My background is IT project manager and I am going crazy by you. You throw 10 projects on the table but have not one worked out. exactly. it's like everyday there is something new. zerocoin, then turing complete language, then decentralized cross-chain exchanges, then plugins, then emails ... Why on earth would I want to use Nxt for emails? There are zillions of better email services, and Nxt already has private messages. |
|
|
|
Funny how we are taking about plugins (more security issues) when one fatal flaw that existed in all versions prior to 0.6 could have completely ended Nxt experiment https://nextcoin.org/index.php/topic,3884.0.html Had this flaw been discovered by someone more nefarious, that would have been pretty much the end (40 million Nxt stolen for bter, for example). blockchain.info is a pretty big outfit and I think they had the same issue. It was not the same issue. blockchain.info is web based wallet. This was a fatal flaw with Nxt code. He could have stolen money from any Nxt account, not just bter. Even yours. You think this is some kind firefox browser where we want plugins.Really? How many more flaws exist? We don't know. Get the code reviewed by many more sources. Finish the announced projects. |
|
|
|
I do not feel confident with the idea of "plugins" and "turing compete" scripting implementation before more basic stuff is complete. We need thorough code rechecking from many more independent sources , finishing already announced projects, and other basic stuff. I am surprised how little reaction there is to the fact that a guy who discovered a fatal flaw with Nxt code two days ago could have stolen 40 million from bter Nxt account https://nextcoin.org/index.php/topic,3884.0.htmlHow many more flaws exist? We don't know, but yet we want to implement "plugins" Wow. This isn't firefox. Seriously. Forget plugins and spend more resources on code auditing and finishing the announced features. |
|
|
|
Funny how we are taking about plugins (more security issues) when one fatal flaw that existed in all versions prior to 0.6 could have completely ended Nxt experiment https://nextcoin.org/index.php/topic,3884.0.html Had this flaw been discovered by someone more nefarious, that would have been pretty much the end (40 million Nxt stolen for bter, for example). |
|
|
|
Guys, sorry for the super silly question. I read every post here but when i saw that FC was promoting NEM i ignored every post in which i see "NEM". Now i see that Utopianfuture is responsible for NEM and most of the active people here are in the staheholders' list of NEM (are they really? Anon? Come-from-beyond?). Will NEM have the same features like Nxt (especially transparent forging)? And the only difference will be the community and developers? I know I gotta be missing something and i sound silly but i have to ask. Thank you for the response!
NEM is a clone of Nxt created by Nxt insiders. So rather than improving on Nxt, these folks have decided to fork a clone of Nxt. With a "fairer" distribution stategy (in principle), u used to be very keen on fairness, as I recall. NEX does not involve Nxt insiders. nex seems to involve almost no-one. Love your dev thread, btwhttps://bitcointalk.org/index.php?topic=398461.msg4956801#msg4956801[/i] So Nxt folks condone NEM efforts because they are all buddies with them. And maybe because no-one on the NEM project has vowed to destroy NXT ? And we r buddies, u got some?
Nxt folks however take great efforts to criticize NEX because NEX folks aren't Nxt insiders. If u remember, FCs, you were the one who started this game.....
@eMule: u missed a great chance to kill NXT in the last 24 hours. One good hard dump from u could have started a panic sell, if u dumped hard like u are always promising us. Are u ever going to back up your talk with just a little bit of action? ok now i am piss off, i didnt want to kill next out of respect for the creators, but now i will dump it to hell. BUT on my terms and my timeline! That will be fine, but just post it here so we know the time and date to buy it cheap |
|
|
|
Critical bug disclosureFew days ago the guy who found a vulnerability in Blockchain.Info and picked the secret phrase of Nxt genesis account found a security flaw in NRS cryptographic algorithm. ... I can't explain details of the flaw, coz it's out of my area of expertise. U can contact him directly via nextcoin.org forum. I'm the guy. I just created a thread providing more technical details https://nextcoin.org/index.php/topic,3884.0.html and to answer questions. I don't really check this forum/thread so posting there is the best way to reach me. Huge respect to you. I'm gonna send some NXT to your "ransom" account once I'm comfortable running the client. Thank you for this. Should be warning that we shouldn't be too quick with implementing "turing complete" language. That thing could (probably will) have security implications |
|
|
|
Critical bug disclosureFew days ago the guy who found a vulnerability in Blockchain.Info and picked the secret phrase of Nxt genesis account found a security flaw in NRS cryptographic algorithm. Can someone explain how he found out the passphrase of the genesis account? "It was a bright cold day in April, and the clocks were striking thirteen." It has 14 words and some punctuation. Ignoring the punctuation and using a simple 2000 words long dictionary (and this is tiny! There are 1013913 words in the English language) we get 2000^14 possible passphrases, or about 10^46 possibilities, if we go by characters from the alphabet, it has 26^72 ~ 10^101 possibilities. A password written in base 58 and 26 characters long is also about 10^46 possibilities. In comparison, a random 8 character long password takes 3 hours to crack on a desktop pc. 9 char -> 3days, 10 char -> 1 year, 11 char -> 48 years. 26 char -> An octillion years. Now it is a given that the entropy of a random password is much higher than that of a phrase from a novel, but I still can't see how he could crack the passphrase unless the entire thing was already in his dictionary! Let's not forget he was using a python script which is notably slow! Google for "It was a bright cold day in April, and the clocks were striking thirteen" (with quotes) shows 506,000 results https://www.google.com/search?num=100&newwindow=1&rlz=1C1CHMO_enUS560US560&espv=210&es_sm=122&q=%22It+was+a+bright+cold+day+in+April%2C+and+the+clocks+were+striking+thirteen%22&oq=%22It+was+a+bright+cold+day+in+April%2C+and+the+clocks+were+striking+thirteen%22&gs_l=serp.12..0i7i30l3j0j0i30l4j0i8i30j0i30.4660.4660.0.6104.1.1.0.0.0.0.93.93.1.1.0....0...1c.1.34.serp..0.1.93.GxjJ0e2D-xwso it wasn't a random collection of words, but well known phrase. First sentence from George Orwell's book http://ebooks.adelaide.edu.au/o/orwell/george/o79n/chapter1.1.html |
|
|
|
Critical bug disclosureFew days ago the guy who found a vulnerability in Blockchain.Info and picked the secret phrase of Nxt genesis account found a security flaw in NRS cryptographic algorithm. ... I can't explain details of the flaw, coz it's out of my area of expertise. U can contact him directly via nextcoin.org forum. I'm the guy. I just created a thread providing more technical details https://nextcoin.org/index.php/topic,3884.0.html and to answer questions. I don't really check this forum/thread so posting there is the best way to reach me. Let's get this guy on board, Klee is in charge of the infrastructure team, so perhaps Klee can get him on board and a good chunk of Nxt from unclaimed. That would be best use of unclaimed funds |
|
|
|
How about contacting D. J. Bernstein himself to see if he can check the implementation http://cr.yp.to/djb.htmlHe designed curve25519 so no one would know better than him. It's more about Java implementation than about Curve25519. I know, but I am sure he understands Java. I am not sure if he will respond though. His email is listed as djb@cr.yp.to |
|
|
|
We need audit of Crypto and Curve25519 classes.
Edit: Wait for critical bug disclosure to get it better. The bug is related to Crypto implementation. An audit would let to avoid the bug.
If we get an academic to agree to do the review, we might better give them the latest cleaned-up 0.7.x source. Nothing has changed in the Crypto classes, but overall it will be much easier to navigate the code. Good idea. How about contacting D. J. Bernstein himself to see if he can check the implementation http://cr.yp.to/djb.htmlHe designed curve25519 so no one would know better than him. |
|
|
|
|
For success, 2 things are needed the most.
(1) Very good native client (a few of them coming soon)
(2) The native client should be able to sign the transactions and broadcast it to a public node. That way people don't have to install java and and run complex Nxt server
These two things should be top priority.
|
|
|
|
ctrl-c has been signaling shutdown, I dont think it used to handle it properly, but lately, ctrl-c signals process to end and do a final write to blocks.nxt and transactions.nxt.
I can't do ctrl-c as I don't have the console. I have kill JVM from the task bar. NRS client should have a console or something to shut down the server cleanly. Then we wouldn't have so many issues with corrupted files |
|
|
|
So when I do my installer for 0.7, is it going to cause any issues if I include the nxt_db folder as I include blocks.nxt and transactions.nxt now?
No, but make sure the server has been shutdown cleanly before saving that nxt_db folder. What's the best way to shut down the server "cleanly"? |
|
|
|
fix me! only 1 to 0.1! I never said 0.3333  0.01, so this thing isn't revisited any time soon |
|
|
|
To a certain extent if the lead developer issues a release and says it's critical we have no choice but to trust him. But, outside developers can and should perform their own independent audits of new releases to see if something suspicious is done and raise the alarm if need be.
Most Nxt users are not "developers", so while I take your point, I also suggest that most people are being asked to update software without being able to understand OR verify the reason for the update. It's the software-developer equivalent of "trust me. Just do it." There is no such thing as zero trust. You are using operating system, and you trust it's not logging everything you type and sending it somewhere. You trust the software developers of your web browser. Even if you are using open source software, how would you know if the official binary is based on the released source code? (unless you build your own binaries after going through the source line by line). Zero trust doesn't exist. In this case, everyone who is a Nxt user is trusting the developers. There is simply no choice. There maybe reasons not to publish the exploits until most users have upgraded. |
|
|
|
Why do you hate java so much, is it because its an internet trend to hate java?. Java is the second most used programming language in the world (next to C) , the programming language was also taught in my university. I've written in both python and Java and Java is a much more feature rich language for object oriented programming.
The Java docs are also extremely detailed.
Maybe they see it as proprietary technology developed by a corporation?! Compared to python I think is P.I.T.A. to develop in java as it requires to write bunch of code to do some simple tasks. Open JDK is open source licensed under GPL http://en.wikipedia.org/wiki/OpenJDKJava has been around a long time (1996). Amazon.com and ebay.com run on java on server side "as it requires to write bunch of code to do some simple tasks." Nonsense. You don't know what you are talking about php code to read from file: $content = file_get_contents("filepath");
php code to read from url: $content = file_get_contents("http://javaispita.com");
python code to read from file: fp = open("filepath","r")
content = fp.read()
fp.close()
java code to read from file: BufferedReader br = new BufferedReader(new FileReader("filepath"));
StringBuilder sb = new StringBuilder();
String content = null;
try {
String line;
while((line = br.readLine() != null) sb.append(line);
content = sb.toString();
} catch (IOException e) {
e.printStackTrace();
} finally {
br.close();
}
The code speaks by itself. The discussion started by someone whose exact quote was this: "call me when its in something i trust(C++)" Where did PHP came in this discussion? There is no reason to "trust" software on the basis whether it's written in C++ or Java. |
|
|
|
|
Show Posts
