|
Secondleo
|
 |
January 18, 2014, 10:38:44 PM |
|
Omg, someone cleared 3 of my accounts.... I used 256bit keys generated by Keepass 2. I am using NRS 0.5.8 that installed today and downloaded from nxtcrypto.org. I am using Windows 7 Professional and am running Avira and Microsoft Security Essentials. The NXT was transferred about half an hour ago, also while i was forging. My PC was running unlocked but i can be 99.99% sure that no one had access to it physically. So I don't really know how this happend?!? It can't be bruteforce right? My accounts: 8423671173148912884 107,217 12345678612257264594 71 13486646175575465553 998 The NXT are now in this account: 696356957947686421 Balance Total : 108,286 NXT Fuck me... Btw the password of the third account was for example: af5c73ca7cf5f25ffa3b6b1689f40aaf60fd040b0de298c1ca661f8602d38311 Any chance of seeing these NXT again?  This is not a fully secure password. This looks very much like a Hex number. Only lower case a to f and Numbers. Something like that, even as long as it is, is cracked rather fast. It seems someone out there is brute forcing with number chains. I had an account which had another rather serious flaw in choice of password. It was luckily not hacked. |
|
|
|
|
|
Bitventurer
|
|
January 18, 2014, 10:39:32 PM |
|
Omg, someone cleared 3 of my accounts.... I used 256bit keys generated by Keepass 2. I am using NRS 0.5.8 that installed today and downloaded from nxtcrypto.org. I am using Windows 7 Professional and am running Avira and Microsoft Security Essentials. The NXT was transferred about half an hour ago, also while i was forging. My PC was running unlocked but i can be 99.99% sure that no one had access to it physically. So I don't really know how this happend?!? It can't be bruteforce right? My accounts: 8423671173148912884 107,217 12345678612257264594 71 13486646175575465553 998 The NXT are now in this account: 696356957947686421 Balance Total : 108,286 NXT Fuck me... Btw the password of the third account was for example: af5c73ca7cf5f25ffa3b6b1689f40aaf60fd040b0de298c1ca661f8602d38311 Any chance of seeing these NXT again? had you used online wallet? or local client? |
SP8DE - The Game of Chance. Changed.
|
|
|
coolmist
Newbie
 Offline
Activity: 56
Merit: 0
|
|
January 18, 2014, 10:39:42 PM |
|
Hittin' dat horseshoe since Nov 2013
it is nice and predictable isn't it? Working on a long message NXT client for Mac with encryption. Here is the code for dispatching a message, I commented off the encryption so it can easily be run and proven as functional. Paths to pubkey and privkey will be changed, just a temporary fix. script AppDelegate
property parent : class "NSObject"
property textField : missing value
property secretPhrase : missing value
property messageFee : missing value
property accountReceiver : missing value
property messageEncrypted : missing value
property keyReceiver : missing value
set rsaPrivate to "/Library/rsaprivkey.pem"
set rsaPublic to "/Library/rsapubkey.pub"
tell application "Finder"
if not exists rsaPrivate as POSIX file then
do shell script "openssl genrsa -out " & rsaPrivate & " 16384"
end if
if not exists rsaPublic as POSIX file then
do shell script "openssl rsa -in " & rsaPrivate & " -pubout > " & rsaPublic
end if
end tell
set rsapubkey to (do shell script "cat " & quoted form of rsaPublic) as text
tell application "Finder"
set theName to name of file 1
end tell
on buttonClicked_(sender)
set feeMessage to (stringValue() of messageFee)
set receiveraccount to (stringValue() of accountReceiver)
set textCipher to "/Library/ciphertext.txt"
-- write receiver's public key to a file--
set rpubPath to "/Library/pubreceiver.key"
set rpubKey to (stringValue() of keyReceiver)
tell application "System Events"
set file_ref to open for access rpubPath with write permission
set eof of file_ref to 0
write ((stringValue() of keyReceiver) as text) to file_ref
close access file_ref
end tell
-- write receiver's public key to a file--
--write plaintext to a file--
set textPlain to "/Library/plaintext.txt"
set message to (stringValue() of textField)
tell application "System Events"
set file_ref2 to open for access textPlain with write permission
set eof of file_ref2 to 0
write ((stringValue() of textField) as text) to file_ref2
close access file_ref2
end tell
--write plaintext to a file--
set ciphertext to do shell script "cat " & quoted form of textPlain
--encrypt plaintext to ciphertext--
-- do shell script "openssl rsautl -encrypt -pubin -inkey " & RpubPath & " -in " & textPlain & " -out " & textCipher
-- set ciphertext to (do shell script "cat " & textCipher)
--encrypt plaintext to ciphertext--
--cipher to hex
set thelist to "0123456789ABCDEF"
set hexvalue to ""
repeat with i in ciphertext
set theAscii to ASCII number of i
set hexvalue to hexvalue & character (theAscii div 16 + 1) of thelist & character (theAscii mod 16 + 1) of thelist
end repeat
set finalText to (hexvalue as text)
--cipher to hex
set messageLength to the length of finalText
set var_a to messageLength / 4
set var_b to var_a / 200
set iterations to round var_b rounding up
set counter to 1
repeat iterations times
if messageLength is less than 800 then
set charnumberalpha to 1
set charnumberbeta to messageLength
else
set charmaximum to messageLength
if counter is equal to iterations then
set charnumberalpha to 1 + 800 * (counter - 1)
set charnumberbeta to charmaximum
else
set charnumberalpha to 1 + 800 * (counter - 1)
set charnumberbeta to 800 + 800 * (counter -1)
end if
end if
set messageFinal to (text charnumberalpha thru charnumberbeta of finalText)
if counter is less than 10 then
set identifierLength to 1
else
set identifierLength to the length of counter
end if
set completeMessage to identifierLength & "000" & counter & "000" & messageFinal
set urlMassive to "http://localhost:7874/nxt?requestType=sendMessage&secretPhrase=" & (stringValue() of secretPhrase) & "&recipient=" & (stringValue() of accountReceiver) & "&fee=" & (stringValue() of messageFee) & "&deadline=1440" & "&message=" & completeMessage
do shell script "open " & quoted form of urlMassive
set counter to counter + 1
end repeat
end buttonClicked_
on applicationWillFinishLaunching_(aNotification)
-- Insert code here to initialize your application before any files are opened
end applicationWillFinishLaunching_
on applicationShouldTerminate_(sender)
-- Insert code here to do any housekeeping before your application quits
return current application's NSTerminateNow
end applicationShouldTerminate_
I'm adapting this to upload files onto the blockchain. zip will be converted to hex in python this looks like with open(filename, 'rb') as f: content = f.read() print(binascii.hexlify(content)) hex will be truncated and given identifiers individual messages will be dispatched master message(s) will be dispatched containing "directory" of information signature message(s) will be sent to validate master message (s) to get file master messages are loaded and checked with signature messages if true then identifiers will be read and messages will be parsed in ascending order hex will be converted to zip posted script contains method of using identifiers. |
|
|
|
|
|
|
jl777
Legendary
Offline
Activity: 1176
Merit: 1134
|
|
January 18, 2014, 10:41:09 PM |
|
I don't want to be an asshole, but how do we know, that 696356957947686421 isn't your account?
Does the acct have a public key? This could be related to the previous unsolved mystery |
|
|
|
|
relm9
|
|
January 18, 2014, 10:42:32 PM |
|
I don't want to be an asshole, but how do we know, that 696356957947686421 isn't your account?
Yes, he should post the actual passphrase. No harm in doing so since it's been compromised anyway. |
|
|
|
|
jl777
Legendary
Offline
Activity: 1176
Merit: 1134
|
|
January 18, 2014, 10:43:07 PM |
|
Web based password generator?? Is the password sent in plain text at any point? It could be packet sniffers or somebody that knows the keypass algorithm (hacker or insider) We need a verified random password generator for Windows that can be run locally |
|
|
|
|
EvilDave
|
|
January 18, 2014, 10:43:21 PM |
|
Gone quiet all of a sudden....
That was an interesting day, to say the least.
Good moment for my 2 cents worth:
Unclaimed 10 million NXT: like the idea of giving it to 10 unknown accounts, don't like the idea of putting a lock mechanism into the code.
Unless the lock is actually a properly planned feature, we shouldn't finagle the code just for one-off situations.
Be a good idea for the 10 accounts to submit their real-world identities to an trusted Nxt'er, such as Anon136 or rickyjames.
Destroying the 10 mill is such a bad idea, i could cry. (Just give it to me, I'll see how quickly I can burn thru it)
Amsterdam Bitcoin conferences: I'm up to help, maybe with getting promo material sorted out. We need to form a working group to get moving on this. Maybe even a real-world meet-up in the not-to-distant future.....no clowns allowed, tho'
Love the price at the moment, but keep looking to the long term, guys. NXT has not arrived yet, but we do have a very good start.
Onwards and upwards.
|
|
|
|
Damelon
Legendary
Offline
Activity: 1092
Merit: 1010
|
|
January 18, 2014, 10:43:35 PM |
|
Come on, guys. KeePass is safe. I'm using it since years! Don't spread rumors about it. I'm not spreading rumours, I am answering a question. I use KeePass, too  |
|
|
|
Anon136
Legendary
Offline
Activity: 1722
Merit: 1217
|
|
January 18, 2014, 10:43:43 PM |
|
Omg, someone cleared 3 of my accounts.... I used 256bit keys generated by Keepass 2. I am using NRS 0.5.8 that installed today and downloaded from nxtcrypto.org. I am using Windows 7 Professional and am running Avira and Microsoft Security Essentials. The NXT was transferred about half an hour ago, also while i was forging. My PC was running unlocked but i can be 99.99% sure that no one had access to it physically. So I don't really know how this happend?!? It can't be bruteforce right? My accounts: 8423671173148912884 107,217 12345678612257264594 71 13486646175575465553 998 The NXT are now in this account: 696356957947686421 Balance Total : 108,286 NXT Fuck me... Btw the password of the third account was for example: af5c73ca7cf5f25ffa3b6b1689f40aaf60fd040b0de298c1ca661f8602d38311 Any chance of seeing these NXT again? This is not a fully secure password. This looks very much like a Hex number. Only lower case a to f and Numbers. Something like that, even as long as it is, is cracked rather fast. It seems someone out there is brute forcing with number chains. I had an account which had another rather serious flaw in choice of password. It was luckily not hacked. There is no way this can be right. If that was a true random hex number with that many digits there is no way it could be cracked easily. Can someone else input on this? |
Rep Thread: https://bitcointalk.org/index.php?topic=381041If one can not confer upon another a right which he does not himself first possess, by what means does the state derive the right to engage in behaviors from which the public is prohibited? |
|
|
Damelon
Legendary
Offline
Activity: 1092
Merit: 1010
|
|
January 18, 2014, 10:44:55 PM |
|
Web based password generator?? Is the password sent in plain text at any point? It could be packet sniffers or somebody that knows the keypass algorithm (hacker or insider) We need a verified random password generator for Windows that can be run locally KeePass is a locally run application. Not web based. |
|
|
|
coolmist
Newbie
Offline
Activity: 56
Merit: 0
|
|
January 18, 2014, 10:45:53 PM |
|
Omg, someone cleared 3 of my accounts.... I used 256bit keys generated by Keepass 2. I am using NRS 0.5.8 that installed today and downloaded from nxtcrypto.org. I am using Windows 7 Professional and am running Avira and Microsoft Security Essentials. The NXT was transferred about half an hour ago, also while i was forging. My PC was running unlocked but i can be 99.99% sure that no one had access to it physically. So I don't really know how this happend?!? It can't be bruteforce right? My accounts: 8423671173148912884 107,217 12345678612257264594 71 13486646175575465553 998 The NXT are now in this account: 696356957947686421 Balance Total : 108,286 NXT Fuck me... Btw the password of the third account was for example: af5c73ca7cf5f25ffa3b6b1689f40aaf60fd040b0de298c1ca661f8602d38311 Any chance of seeing these NXT again? This is not a fully secure password. This looks very much like a Hex number. Only lower case a to f and Numbers. Something like that, even as long as it is, is cracked rather fast. It seems someone out there is brute forcing with number chains. I had an account which had another rather serious flaw in choice of password. It was luckily not hacked. There is no way this can be right. If that was a true random hex number with that many digits there is no way it could be cracked easily. Can someone else input on this?
There is no way this can be right. If that was a true random hex number with that many digits there is no way it could be cracked easily. Can someone else input on this?
it is virtually uncrackable if truly random. But random number generators do not generate truly random numbers... |
|
|
|
|
|
EvilDave
|
|
January 18, 2014, 10:46:31 PM |
|
......10 unknown accounts, don't like the idea of putting a lock mechanism into the code.
Unless the lock is actually a properly planned feature, we shouldn't finagle the code just for one-off situations.
Just changed my mind, after reading the above posts. Implement the lock, and use it in cases like this. Either it's a real hack, or someone trying to game the community. Result will be the same, no possibilty to get the NXT out into BTC or fiat. And for fucks sake, stop using software to generate passwords. Use yr brain, thats what it's there for. |
|
|
|
|
relm9
|
|
January 18, 2014, 10:50:49 PM |
|
There is no way this can be right. If that was a true random hex number with that many digits there is no way it could be cracked easily. Can someone else input on this?
The second and third accounts had no 256-bit public key (no transactions out) so someone possibly could have accessed them via a collision. As someone else mentioned though as all three accounts were accessed (basically at the same time) it may be more likely he has malware on his machine. |
|
|
|
|
TwinWinNerD
Legendary
Offline
Activity: 1680
Merit: 1001
CEO Bitpanda.com
|
|
January 18, 2014, 10:54:18 PM |
|
Thank you guys for the responses.
I just looked into my keepass 2 and i was using the following feature: 256-Bit Hex key Generator (Built-in). I never realized this is no truly random password because i didn't read the word "hex" ....
Does this make the password totally unsafe???
|
|
|
|
|
instacalm
|
|
January 18, 2014, 10:55:48 PM |
|
Thank you guys for the responses.
I just looked into my keepass 2 and i was using the following feature: 256-Bit Hex key Generator (Built-in). I never realized this is no truly random password because i didn't read the word "hex" ....
Does this make the password totally unsafe???
No |
|
|
|
|
|
Secondleo
|
|
January 18, 2014, 10:56:18 PM |
|
Omg, someone cleared 3 of my accounts.... I used 256bit keys generated by Keepass 2. I am using NRS 0.5.8 that installed today and downloaded from nxtcrypto.org. I am using Windows 7 Professional and am running Avira and Microsoft Security Essentials. The NXT was transferred about half an hour ago, also while i was forging. My PC was running unlocked but i can be 99.99% sure that no one had access to it physically. So I don't really know how this happend?!? It can't be bruteforce right? My accounts: 8423671173148912884 107,217 12345678612257264594 71 13486646175575465553 998 The NXT are now in this account: 696356957947686421 Balance Total : 108,286 NXT Fuck me... Btw the password of the third account was for example: af5c73ca7cf5f25ffa3b6b1689f40aaf60fd040b0de298c1ca661f8602d38311 Any chance of seeing these NXT again? This is not a fully secure password. This looks very much like a Hex number. Only lower case a to f and Numbers. Something like that, even as long as it is, is cracked rather fast. It seems someone out there is brute forcing with number chains. I had an account which had another rather serious flaw in choice of password. It was luckily not hacked. There is no way this can be right. If that was a true random hex number with that many digits there is no way it could be cracked easily. Can someone else input on this? Yes, actually the password is very long. It's late, I didn't see the obvious  With three cracked accounts it is really much more likely there is an infection somewhere. Password composition is very poor nevertheless. |
|
|
|
|
jl777
Legendary
Offline
Activity: 1176
Merit: 1134
|
|
January 18, 2014, 10:56:55 PM |
|
Thank you guys for the responses.
I just looked into my keepass 2 and i was using the following feature: 256-Bit Hex key Generator (Built-in). I never realized this is no truly random password because i didn't read the word "hex" ....
Does this make the password totally unsafe???
The likeliest explanation is that there is a keylogger on your computer. Assuming all three accts had different passwords. No password is strong enough if there is a keylogger on your computer. James |
|
|
|
TwinWinNerD
Legendary
Offline
Activity: 1680
Merit: 1001
CEO Bitpanda.com
|
|
January 18, 2014, 10:57:40 PM |
|
Omg, someone cleared 3 of my accounts.... I used 256bit keys generated by Keepass 2. I am using NRS 0.5.8 that installed today and downloaded from nxtcrypto.org. I am using Windows 7 Professional and am running Avira and Microsoft Security Essentials. The NXT was transferred about half an hour ago, also while i was forging. My PC was running unlocked but i can be 99.99% sure that no one had access to it physically. So I don't really know how this happend?!? It can't be bruteforce right? My accounts: 8423671173148912884 107,217 12345678612257264594 71 13486646175575465553 998 The NXT are now in this account: 696356957947686421 Balance Total : 108,286 NXT Fuck me... Btw the password of the third account was for example: af5c73ca7cf5f25ffa3b6b1689f40aaf60fd040b0de298c1ca661f8602d38311 Any chance of seeing these NXT again? had you used online wallet? or local client? always local client. @anon why do you say windows is the problem? I used it for >2 years and never had any problems ect. Also i never type the keys always copypaste them, so would a keylogger really get these passwords? Damn.... I guess i have to format my PC and setup a new OS. Atleast my BTC are in cold storage and still safe. |
|
|
|
jl777
Legendary
Offline
Activity: 1176
Merit: 1134
|
|
January 18, 2014, 10:57:58 PM |
|
There is no way this can be right. If that was a true random hex number with that many digits there is no way it could be cracked easily. Can someone else input on this?
The second and third accounts had no 256-bit public key (no transactions out) so someone possibly could have accessed them via a collision. As someone else mentioned though as all three accounts were accessed (basically at the same time) it may be more likely he has malware on his machine. Does the destination acct have a public key yet? |
|
|
|
|
