Bitcoin Forum
Author Topic: NXT :: descendant of Bitcoin - Updated Information  (Read 2761529 times)
opticalcarrier
Full Member
***
Offline Offline

Activity: 238
Merit: 100



View Profile
January 01, 2014, 08:04:39 PM
Last edit: January 01, 2014, 09:13:33 PM by opticalcarrier
 #11961

All,  I would immediately stop downloading clients from mega.co links, and only download from versions Jeanluc posts on info.crypto.org or on forums.nxtcrypto.org.  There should also be a mirror site on www.nxtcrypto.org.

If your funds were stolen and you have a 30+ character long passphrase consisting of upper/lower/number characters that is not anything in print or spoken, then you have a keylogger on your PC that saw your password.  One was recently made and released as some IM app that stole funds.


Method to freeze funds into a new acct. (You will not be able to forge with these funds)

1. Boot to a Linux live CD.  Use one a few months old.  The live CD must have Java JRE 1.7
2. install latest client from forums.nxtcrypto.org/client.zip
3. write your new complex passphrase on a piece of paper
4. unlock the client with passphrase.
5. write down the new account number
6. lock it and unlock again.
7. verify account number.
8.  do 6 & 7 again once more to verify.
9. write long passphrase on a piece of paper. (paper wallet)
10. open old account, send funds to new account
11. close old account, open new account
12. wait for a few confirmations of the transfer to the new account

discussion of this method here: https://forums.nxtcrypto.org/viewtopic.php?f=17&t=267
marcus03
Full Member
***
Offline Offline

Activity: 224
Merit: 100


View Profile
January 01, 2014, 08:05:26 PM
 #11962

I agree it could be any of those 4 reasons CfB gave, but curiously why hasn't the hacker or whoever done anything with those stolen NXT? Isn't that a weird behavior or?

just so we don't go on a tangent here,
this is the client I used.
4.8
https://nextcoin.org/index.php/topic,4.0.html

nxt-client-0.4.8.zip

Hmm... post by Drexme.
wesleyh
Sr. Member
****
Offline Offline

Activity: 308
Merit: 250


View Profile
January 01, 2014, 08:06:50 PM
 #11963

I agree it could be any of those 4 reasons CfB gave, but curiously why hasn't the hacker or whoever done anything with those stolen NXT? Isn't that a weird behavior or?

just so we don't go on a tangent here,
this is the client I used.
4.8
https://nextcoin.org/index.php/topic,4.0.html

nxt-client-0.4.8.zip

Hmm... post by Drexme.

Latest client links are updated by someone else, not drexme. (But I doubt that's the issue).
rickyjames
Full Member
***
Offline Offline

Activity: 196
Merit: 100


View Profile
January 01, 2014, 08:07:59 PM
 #11964

I agree it could be any of those 4 reasons CfB gave, but curiously why hasn't the hacker or whoever done anything with those stolen NXT? Isn't that a weird behavior or?

just so we don't go on a tangent here,
this is the client I used.
4.8
https://nextcoin.org/index.php/topic,4.0.html

nxt-client-0.4.8.zip

Hmm... post by Drexme.

Dun dun DUN. (music)
PaulyC
Member
**
Offline Offline

Activity: 82
Merit: 10


View Profile WWW
January 01, 2014, 08:10:13 PM
 #11965

Gonna take off for a min.
Btw. asked earlier, I have the latest ESET 64 antivirus software, running always, but I'll run a full scan, thanks again.

Doge Mars Landing Foundation
(founder) Coined the phrase, "Doge to the Mars" and "Check that Hash!". Discoverer of the 2013 NXT nefarious wallet.  Admin. FameMom [FAMOM]
rickyjames
Full Member
***
Offline Offline

Activity: 196
Merit: 100


View Profile
January 01, 2014, 08:13:04 PM
 #11966

OK, look, I'm not a heavy hitter coder to pitch in and help here, and I wish I was.  But this security stuff is serious with major psychological/political overtones for the acceptance of NXT.  I really want to get a consensus here on a proposed course of action.  Many pages back on this thread there was a prioritized list of what was to be added to NXT in the way of features.  Where does my proposed account withdrawal freeze code idea (or something similar) rank on this in the eyes of the community, and what is the path we take to either reject it from consideration as an add-on or agree that yes, it will be implemented?

Not trying to be pushy, I just think this is too important to let it fade out when we go off chasing the next squirrel topic ten pages from now (an allusion to the dog in Up).
laowai80
Member
**
Offline Offline

Activity: 98
Merit: 10


View Profile
January 01, 2014, 08:14:35 PM
 #11967

OK, look, I'm not a heavy hitter coder to pitch in and help here, and I wish I was.  But this security stuff is serious with major psychological/political overtones for the acceptance of NXT.  I really want to get a consensus here on a proposed course of action.  Many pages back on this thread there was a prioritized list of what was to be added to NXT in the way of features.  Where does my proposed account withdrawal freeze code idea (or something similar) rank on this in the eyes of the community, and what is the path we take to either reject it from consideration as an add-on or agree that yes, it will be implemented?

Not trying to be pushy, I just think this is too important to let it fade out when we go off chasing the next squirrel topic ten pages from now (an allusion to the dog in Up).

Would your solution help from keyloggers and trojans?
opticalcarrier
Full Member
***
Offline Offline

Activity: 238
Merit: 100



View Profile
January 01, 2014, 08:15:36 PM
 #11968

I agree it could be any of those 4 reasons CfB gave, but curiously why hasn't the hacker or whoever done anything with those stolen NXT? Isn't that a weird behavior or?

just so we don't go on a tangent here,
this is the client I used.
4.8
https://nextcoin.org/index.php/topic,4.0.html

nxt-client-0.4.8.zip



It's unfortunate that one of the links there is a mega.co server.  PaulyC, please tell us if you downloaded from the mega.co link or not.
In fact, can you please look on your HD and get the zipfile and post it somewhere for us to look at?
intel
Member
**
Offline Offline

Activity: 98
Merit: 10



View Profile
January 01, 2014, 08:16:05 PM
 #11969

I've got PaulyC's password. It's uncrackable and matches the account. If he is not trolling then we have 4 explanations:

- Someone cracked SHA256 and Curve25519 (why then multi-million accounts not hacked?)
- Someone distributes modified NRS (someone should decompile PaulyC's software)
- Keylogger
- He used online node that records entered passphrases

He should calculate the SHA256 Hash of the class files, no need to decompile.

So, keylogger or sniffing node or modified NRS.

1. Keylogger

NXT is too young to understand for hackers that random password for 127.0.0.1 is something good. I am sure it was not because of keylogger.

2. Sniffing node

Let's ask the victim: which node did he use to access his account? Did he ever use a 3rd party online wallet at least once to access his account?

3. modified NRS

Send your copy of NRS to CfB or me and we'll check each file's SHA/CRC against the stock version.

[!] 24.7 NXT News Portal. Real-Time Update. Share your own news with NXT community and get FREE NXT!
Patel
Legendary
*
Offline Offline

Activity: 1321
Merit: 1007



View Profile WWW
January 01, 2014, 08:16:47 PM
 #11970

Finding the latest client from this thread is difficult. I think CFB should start another thread just with client update download links
Come-from-Beyond
Legendary
*
Offline Offline

Activity: 2142
Merit: 1009

Newbie


View Profile
January 01, 2014, 08:17:33 PM
 #11971

We haven't looked at this possibility...updating client from the blockchain would solve this.

It's enough to modify only JavaScript part to send entered passphrases to adversary's server.

Edit: It's only 10 lines of JS code.

so how do we protect against this.

After downloading NRS check SHA256 checksum.
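
The checks suggested in this thread (comparing the archive's SHA256 with the published one, and comparing each file's hash against the stock version), as an added example that is not part of any post or of the NXT project's code. The archives are constructed in memory and the file names are hypothetical, not the real NRS layout.

```python
import hashlib
import io
import zipfile


def member_digests(zip_bytes):
    """Map every file inside a zip archive to the SHA-256 of its contents."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        return {info.filename: hashlib.sha256(archive.read(info)).hexdigest()
                for info in archive.infolist() if not info.is_dir()}


def compare_to_reference(reference_zip, suspect_zip):
    """Compare a suspect client archive with a trusted copy, file by file."""
    ref, sus = member_digests(reference_zip), member_digests(suspect_zip)
    return {
        # Whole-archive hash: the value a publisher posts next to the download.
        "archive_match": hashlib.sha256(reference_zip).digest()
                         == hashlib.sha256(suspect_zip).digest(),
        "modified": sorted(n for n in ref.keys() & sus.keys() if ref[n] != sus[n]),
        "added": sorted(sus.keys() - ref.keys()),
        "removed": sorted(ref.keys() - sus.keys()),
    }


def build_zip(files, stamp):
    """Build an in-memory zip from {name: bytes}; used only for sample data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name, data in files.items():
            archive.writestr(zipfile.ZipInfo(name, date_time=stamp), data)
    return buf.getvalue()


# Constructed sample archives; names and contents are hypothetical.
STOCK_FILES = {"nxt/Nxt.class": b"stock class bytes",
               "nxt/webapps/root/index.html": b"stock user interface"}
STOCK = build_zip(STOCK_FILES, (2014, 1, 1, 0, 0, 0))
# Same contents, re-zipped with a different timestamp.
REPACKED = build_zip(STOCK_FILES, (2014, 1, 2, 0, 0, 0))
# One file changed and one file that the stock release does not contain.
ALTERED = build_zip({**STOCK_FILES,
                     "nxt/webapps/root/index.html": b"changed user interface",
                     "nxt/webapps/root/extra.js": b"not in the stock release"},
                    (2014, 1, 1, 0, 0, 0))

if __name__ == "__main__":
    for label, suspect in (("repacked", REPACKED), ("altered", ALTERED)):
        print(label, compare_to_reference(STOCK, suspect))
```

A re-zipped archive fails the whole-archive check even though every member still matches, so the per-file report is what shows whether any file actually changed.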
intel
Member
**
Offline Offline

Activity: 98
Merit: 10



View Profile
January 01, 2014, 08:18:03 PM
 #11972

OK, look, I'm not a heavy hitter coder to pitch in and help here, and I wish I was.  But this security stuff is serious with major psychological/political overtones for the acceptance of NXT.  I really want to get a consensus here on a proposed course of action.  Many pages back on this thread there was a prioritized list of what was to be added to NXT in the way of features.  Where does my proposed account withdrawal freeze code idea (or something similar) rank on this in the eyes of the community, and what is the path we take to either reject it from consideration as an add-on or agree that yes, it will be implemented?

Not trying to be pushy, I just think this is too important to let it fade out when we go off chasing the next squirrel topic ten pages from now (an allusion to the dog in Up).

Would your solution help from keyloggers and trojans?

It's very easy to add a special KEYFILE in addition to the password, which'll be used against keyloggers. Once again, protocol change is not required.

[!] 24.7 NXT News Portal. Real-Time Update. Share your own news with NXT community and get FREE NXT!
BloodyRookie
Hero Member
*****
Offline Offline

Activity: 687
Merit: 500


View Profile
January 01, 2014, 08:18:40 PM
 #11973

I agree it could be any of those 4 reasons CfB gave, but curiously why hasn't the hacker or whoever done anything with those stolen NXT? Isn't that a weird behavior or?

just so we don't go on a tangent here,
this is the client I used.
4.8
https://nextcoin.org/index.php/topic,4.0.html

nxt-client-0.4.8.zip

Hmm... post by Drexme.

The SHA256 Hash from the forum file is the same as the SHA256 Hash from the zip I used. That file is ok.

Nothing Else Matters
NEM: NALICE-LGU3IV-Y4DPJK-HYLSSV-YFFWYS-5QPLYE-ZDJJ
NXT: 11095639652683007953
Come-from-Beyond
Legendary
*
Offline Offline

Activity: 2142
Merit: 1009

Newbie


View Profile
January 01, 2014, 08:19:03 PM
 #11974

Wouldn't it be pretty easy to restrict transactions to a specific MAC address? You register a MAC address for your account via a transaction. Only if the MAC address is the specified one, the transaction is executed. Just an idea.

It's impossible.

why?

Coz it's unknown what MAC address a transaction was sent from.
NxtChg
Hero Member
*****
Offline Offline

Activity: 840
Merit: 1000


Simcoin Developer


View Profile WWW
January 01, 2014, 08:19:21 PM
 #11975

So, keylogger or sniffing node or modified NRS.

1. Keylogger
2. Sniffing node
3. modified NRS


4. Error in the client that allows remote connect and emptying of the account.

Simcoin: https://simtalk.org:444/ | The Simplest Bitcoin Wallet: https://tsbw.io/ | Coinmix: https://coinmix.to | Tippr stats: https://tsbw.io/tippr/
--
About smaragda and his lies: https://medium.com/@nxtchg/about-smaragda-and-his-lies-c376e4694de9
intel
Member
**
Offline Offline

Activity: 98
Merit: 10



View Profile
January 01, 2014, 08:20:47 PM
 #11976

Finding the latest client from this thread is difficult. I think CFB should start another thread just with client update download links

Last client is always available for download at info.nxtcrypto.org , we receive the file and SHA checksum directly from developers and it's hosted on our secure server and not some 3rd party file sharing service.

[!] 24.7 NXT News Portal. Real-Time Update. Share your own news with NXT community and get FREE NXT!
Come-from-Beyond
Legendary
*
Offline Offline

Activity: 2142
Merit: 1009

Newbie


View Profile
January 01, 2014, 08:21:16 PM
 #11977

So, even password "Alisa" will be quite secure when used with login "mrbober777", so the final password is "mrbober777Alisa", which is much more protected than plain "Alisa". Attacker should spend MUCH more resources for brute-forcing passwords with a login added to the password field.

CfB ?

We can start prepending "Alisa" to our passphrases right now. (Need to create a new account though. And don't use "Alisa" plz.)
bitcoinpaul
Hero Member
*****
Offline Offline

Activity: 910
Merit: 1000



View Profile
January 01, 2014, 08:21:43 PM
 #11978

I've got PaulyC's password. It's uncrackable and matches the account. If he is not trolling then we have 4 explanations:

- Someone cracked SHA256 and Curve25519 (why then multi-million accounts not hacked?)
- Someone distributes modified NRS (someone should decompile PaulyC's software)
- Keylogger
- He used online node that records entered passphrases

While I may give PaulyC the benefit of doubt, it can't be ruled out that it is a legit transaction authorized by PaulyC himself.

What about this?
nadrimajstor
Newbie
*
Offline Offline

Activity: 30
Merit: 0



View Profile
January 01, 2014, 08:21:58 PM
 #11979

Please consider running a non-proprietary OS...
There are many flavours of Linux/BSD that one can easily run live from a CD / USB drive.
It is not a panacea for all attack vectors but it is helpful.
intel
Member
**
Offline Offline

Activity: 98
Merit: 10



View Profile
January 01, 2014, 08:22:25 PM
 #11980

So, even password "Alisa" will be quite secure when used with login "mrbober777", so the final password is "mrbober777Alisa", which is much more protected than plain "Alisa". Attacker should spend MUCH more resources for brute-forcing passwords with a login added to the password field.

CfB ?

We can start prepending "Alisa" to our passphrases right now. (Need to create a new account though. And don't use "Alisa" plz.)

Nobody prepends now, but with an additional login field, they'll be forced to prepend.

[!] 24.7 NXT News Portal. Real-Time Update. Share your own news with NXT community and get FREE NXT!