NXT :: descendant of Bitcoin - Updated Information

[zorke]

Current NXT circulation:
1. Buy NXT from initial stakeholder.
2. Register alias / send message / issue asset and pay fee to stakeholder.
3. Goto :1

As I always said, forging was created for stakeholders. You (community) always said that "when we'll have more transactions, fees would be better distributed". False! Forging is not dependent on fee in expected block. The only thing that will change is that stakeholders would get back their sold NXT faster.

Nxt is good platform. It is another P2P software like Bittorent. We need to find another way to prevent spam and get rid of NXT.

Ok.  All fees go to the genesis account.

If you send the fees to the genesis account you will destroy NXT because you will eventually run out of NXT.

With or without pooled forging, people with more NXT will get more NXT by forging.  People should view NXT as non-depreciating mining equipment.  The more NXT you own, the more NXT you will receive.  I'd rather purchase NXT than an ASIC because an ASIC will depreciate and I will earn less and less with my ASIC.  With my NXT, I will always recieve "MY NXT AMOUNT" / 1,000,000,000 NXT x 100% of the network's transaction fees.

The one worrisome thing about this Proof Of Stake concept is that it may very well turn out to be like a game of Risk. Where once a player passes a point where they have  a decisive advantage with troops, they quickly dominate the entire game, becoming more dominant with every battle until soon everyone else is slowly and methodically wiped out, or someone flips the board over, whichever comes first.

It seems like this might happen with something like NXT. The large stakeholders gaining the most out of forging, becoming more powerful with every block they win, achieving something of a compounding interest snowball type effect, until only a few big fish remain, sitting on their fat Jaba the Hut asses for the rest of NXT's existence gobbling up all the NXT while everyone else gives up forging at all; the network degrades until the Whales see the writing on the wall and push the SELL button, making NXT just another addition to the isle of coulda-shoulda-woulda.

Average fees per day is 7855 NXT
When the minimum fee is lowered to 0.1 or 0.01, it will probably go up to around 20000 NXT per day.
Thats one and a half years for 1% to be churned, more like 5 years at current rates.
This is not going to make anybody rich, it is enough to pay for server costs, but not much else.
forging fees are for spam prevention
nobody gets rich collecting spam prevention fees
please stop obsessing over the spam prevention and how it is fair or unfair about who gets the spam fees

If people spent half the effort actually building on NXT that they do complaining about whatever they dont like about it, NXT would be worth a lot more.

Isnt that what we all want? Distribution is what it is. No amount of complaining will change that. However, anybody can step up and start doing useful stuff and get rewarded. Anybody. Even a simple C programmer like me.

James

I am not a developer. I am just a guy who likes crypto and bought a few NXT and reads this thread to see how the development is coming.
I still can contribute a thought on what I think I see as a big flaw in NXT gaining widespread adoption and try to influence the developers by making suggestions. I can play musical instruments but if someone doesn't like what I'm playing I don't say "well if you spent more time learning to play you could play it yourself". That would be a copout.

As I stated, personally I would forge for free and am doing that now. My concern is about down the road when more users come along and less of them are going to be intimately involved and willing to run a program on their computer, especially one that opens them up to DDOS attacks or potentially worse for no reason. People follow the path of least resistance. I'm just one guy, but not the only one, who sees this as a potential serious flaw. The developers are busy with higher minded stuff and I think are a little bit removed from average users. That's why suggestions from nobodies like me can be helpful, or not. But to say we should be doing your job and developing your program for you is a little much.

I didnt say that people should become devs. I said TEST. ANYBODY can test.

All this complaining is getting me depressed. Maybe I shouldnt bother with any of the projects I am doing.
All people seem to do is complain about this, a release is not done, I dont get anything from forging, blah, blah blah
I am working 18hr days trying to bring significant improvements, but if this is the attitude people have and they wont be forging because it doesn pay them enough, then why am I bothering?

STOP COMPLAINING
START HELPING

Is that too much to ask?

For people that want to earn stuff from forging, there is nodecoin. That should be end of story on that issue. Not only do you help secure the network, you will get nodecoins. Unless I get so depressed from all this nonsense that I dont bother making nodecoin. Is that what you want?

James

James your work is highly appreciated so please continue doing what you were doing so far. People like you are really NXT. Also try not to react to every post on this thread. There are many people here and many opinions. I know some of those opinions are sometimes irritating but that is how life is.

NXT is not a quick rich get scheme, at least this is how I am looking at it. I am in it long term and everybody with the minning mindset that expected getting tons of NXT by forging, well that is their problem. Last 3 months we are screaming all over the forum that NXT is not about that. All this people will in the end probably end up leaving and that is OK too. We do not need them. I like to think that we are something bigger and this bigger thing takes time. Heck we are just 3 months old. Patience people.

On the other side, one thing that we need definitely is a client, ASAP. I am sure a lot more people would keep their clients open and forging and securing the network if they can just double click an icon. All these NRS updates are overwhelming, even for me and not for the average Joe.

So keep up a good work and thanks!!

[verymuchso]

Anyone likes my idea a Electrum-like passphrase generator to be included in Nxt clients? Today there are two new stories of newbies who had their Nxt stolen because they used a weak password

https://nextcoin.org/index.php/topic,4316.0.html

Not sure about the Electrum passphrase generator. Offspring does have a passphrase generator since day one. This is the algorithm that generates that passphrase.

Code:

import org.apache.commons.lang3.RandomStringUtils;

private String generatePassphrase() {
    // No space, backslash, newline, tab
    String symbols = "!\"$%^&*()-_=+[{]};:'@#~|,<.>/?"; //$NON-NLS-1$
    String alphaNum = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890"; //$NON-NLS-1$
    int low = 70;
    int high = 90;
    Random random = new Random();
    int count = random.nextInt(high - low) + low;
    return RandomStringUtils.random(count, symbols + alphaNum);
}

Java.util.Random is not cryptographically secure.

Change it to SecureRandom or people using Offspring to create Nxt accounts would be vulnerable

http://stackoverflow.com/questions/11051205/difference-between-java-util-random-and-java-security-securerandom

"Random only has a 48-bit internal state and will repeat after 2^48 calls to nextLong() which means that it won't produce all possible long or double values."

This means all passwords created by OffSpring should be crackable.

It's not secure at all

We disagree

- Edit. I agree about the passwords being crackable, since every password is crackable. Your logic however is wrong

[jl777]

I need at least 1 million test NXT 18232225178877143084
does anybody have it?

[Jean-Luc]

any date set for launch of AE yet?? or still to be decided?

I proposed the 13th march, and asked if not some one should step up and take ownership for the launch of AE.

March 13th is not possible. I posted my plan some time ago:
https://bitcointalk.org/index.php?topic=345619.msg5449690#msg5449690

The test network is ready, the known asset exchange bug looks fixed, but more testing is needed to make sure there are no others.

Now I need to start working on increasing the divisibility of amounts and fees, to allow for fractional amounts in the future, and I want to have this ready and tested before Asset Exchange is enabled on main net, because this type of transition would be really more difficult after AE is live. There is no time to do that before March 13th, end of March is more likely.

[igmaca]

I dont know if this is relevant...but there is someone who is stealing nxtcoins from "bad-protected" accounts.

I've just created an account with the pass: "mtvraps" to check and play. I made the nxtra.org faucet and they sent me 2nxt to this account "14345877598619007537". One minute after, someone sent these 2nxtcoins to other account (of course it was not me). The account was: "1413811113623034318".  I suppose there is a bot checking all the possible weak passwords...

It could be funny but......TAKE CARE!

I'm not a coder and I have no knowledge of softwaresecurity....but is there an option to use a 2w-factor-verification? Securityweakness could be the most dangerous problem to NXT mass adaption.

I agree
would be necessary to encourage any client developer to implement 2 factor authentication

What would you like to protect with 2FA? The startup of a client or do you think you can protect the secret with 2FA?

If the later, could you please list the steps how that would work?

it will be do the same that i do in my kee pass database. see this

then after reading a lot about the key generation choose to use absurd and nonsensical phrases formed by not less than 50 characters memorize words and 2 phrases from roughly 50 characters for the master password kee pass .

Install the plugin otpkeyprov keepass password and activate two factors to open kee pass with google authenticator

the first 50 characters of a sentence and the second sentence of 48 characters to activate google autenthicator 48 characters and match the standard b32 . the advantage of two-factor master password is if you can not make all phishing password .

Within keepass generate passwords you want including accounts of nxt ( nxt also advise to memorize words and not less than 50 characters consisting of nonsensical words )

Enable tools options " change master key in a secure desktop " every time you open your nxt account using automatic writing
Enable automatic writing on the flap of each password " Obfuscation 2 channel automatic writing"

I hope you can help with these tips. in any case you can write me for any questions in kee pass and handle the "plug in" otpkeyprov .

Finally the technique of two-factor authentication for passwords nxt would be a good option against phishing . I leave it open to discussion forum .

The difficulty arises with the user authenticator Google documentation . One Base32 ( secret ) key is expected . You must set the secret key to Base32 in KeePass and restrict your secret key to the base 32 character set : az, 2-7. KeePass allows "= " but not Google authenticator . Base32 length secret key Apart expressed in multiples of 8 characters.
A configuration that works :
Adjust the settings OTP Lock :
Long: 6
Secret key : abcdefghxz234567 ( Base32 )
Counter : 0 ( Dec)
OTP Number 3
Looking forward 9 (allows 3 failed attempts to unlock using KeePass newly generated OTPs before a recovery is needed because the counters have become too out of sync. )
Set Google Authenticator
secret key : abcdefghxz234567
counter : counter based
The first 6 OTPs are:
442843
724600
994 767
847 513
160505
583 080
Make sure you never lose the secret key or it will be permanently locked out of KeePass if counters lose synchronization. It also recognizes that the real secret is the secret key is not the OTP .

OtpKeyProv
Plugin Author: Dominik Reichl, Plugin Language: English
http://keepass.info/plugins.html#keeotp

OtpKeyProv is a key provider based on one-time passwords. After protecting your database using this plugin, you need to generate and enter one-time passwords in order to open your database.

All generator tokens that follow the OATH HOTP standard (RFC 4226) are supported.

Download plugin: [v2.2 for KeePass 2.20 and higher]
Download source code: [v2.2 for KeePass 2.20 and higher]

If you instead want KeePass to generate one-time passwords, see the {HMACOTP} placeholder. For generating time-based OTPs, see the KeeOtp and Tray TOTP plugins.

[mcjavar]

Is there an open source software with an online interface which we could use for logging testcases and bugs?
Something like JIRA?

Maybe somebody that is not a dev can do the research for this?

That´s what I am doing
This was the first step, asking the community

[Jean-Luc]

Code:

import org.apache.commons.lang3.RandomStringUtils;

private String generatePassphrase() {
    // No space, backslash, newline, tab
    String symbols = "!\"$%^&*()-_=+[{]};:'@#~|,<.>/?"; //$NON-NLS-1$
    String alphaNum = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890"; //$NON-NLS-1$
    int low = 70;
    int high = 90;
    Random random = new Random();
    int count = random.nextInt(high - low) + low;
    return RandomStringUtils.random(count, symbols + alphaNum);
}

Java.util.Random is not cryptographically secure.

Change it to SecureRandom or people using Offspring to create Nxt accounts would be vulnerable

http://stackoverflow.com/questions/11051205/difference-between-java-util-random-and-java-security-securerandom

"Random only has a 48-bit internal state and will repeat after 2^48 calls to nextLong() which means that it won't produce all possible long or double values."

This means all passwords created by OffSpring should be crackable.

It's not secure at all

In this case he is only using java.util.Random to pick up the length of the password, between 70 and 90 chars, so it does not need to be SecureRandom. Of course I hope the apache RandomStringUtils internally uses SecureRandom, this is where it would matter.

[Fatih87SK]

I think people are complaining about forging because maybe we we're marketing forging wrong in the beginning.

We had to tell everyone that forging was for securing the network instead of earning money like mining Bitcoin or other coins.
We even made a video with someone on a boat forging comparing with Bitcoin.

What we're we thinking? So all those complaints we get now are our fault.

But...

James was so great to deliver those promise we made to the mass; Nodecoin.

Now, we can secure the network and earn something with it.

[ChuckOne]

any date set for launch of AE yet?? or still to be decided?

Nobody seems interested to step up and launch.

I proposed the 13th march, and asked if not some one should step up and take ownership for the launch of AE.

no reactions.

How many AE tests have you run?
It is easy complaining about why isnt is ready yet, when is it going to be ready.

NXT peoples, please stop complaining. It is annoying to those of us that are working. If you want to help speed things up, then HELP!

There is a web interface that lets ANYBODY test. You can issue assets, hold trading competitions, all stuff any end user can do.

STOP COMPLAINING
START TESTING

James

Thank you, James.

We need different kind of test:
 - feature tests
 - load tests
 - border case tests (malicious tests)

[verymuchso]

Code:

import org.apache.commons.lang3.RandomStringUtils;

private String generatePassphrase() {
    // No space, backslash, newline, tab
    String symbols = "!\"$%^&*()-_=+[{]};:'@#~|,<.>/?"; //$NON-NLS-1$
    String alphaNum = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890"; //$NON-NLS-1$
    int low = 70;
    int high = 90;
    Random random = new Random();
    int count = random.nextInt(high - low) + low;
    return RandomStringUtils.random(count, symbols + alphaNum);
}

Java.util.Random is not cryptographically secure.

Change it to SecureRandom or people using Offspring to create Nxt accounts would be vulnerable

http://stackoverflow.com/questions/11051205/difference-between-java-util-random-and-java-security-securerandom

"Random only has a 48-bit internal state and will repeat after 2^48 calls to nextLong() which means that it won't produce all possible long or double values."

This means all passwords created by OffSpring should be crackable.

It's not secure at all

In this case he is only using java.util.Random to pick up the length of the password, between 70 and 90 chars, so it does not need to be SecureRandom. Of course I hope the apache RandomStringUtils internally uses SecureRandom, this is where it would matter.

I did my research on random string generator libraries, it seems apache RandomStringUtils is not compromised.

[Fatih87SK]

James,

Some of us (me too) are feeling the danger of the competition.
It's normal to react like this. The reason why we are pushing is the same reason why you are working on NXT right now.

Because we love NXT and we want it to be the best.

Don't get us wrong by asking when it is ready.  

We will be patiently waiting for a date.

[jl777]

antanst, aka Evil Bob impersonator, has raised a security weak spot in the current gateway design.
Each gateway currently generates a custom deposit address and when a deposit comes in, it immediately sweeps it to the main multisig acct. The duration of exposure is less than a second (could be set to 50 milliseconds), but it is exposure.

So, I am changing things so that there is no sweeping into a main account. All custom deposit addresses will be 2 of 3 multisig. This will require a fair amount of internal changes, but it eliminates the in transit deposit exposure. Now, all deposits will go directly into a multisig account and stay there until a withdraw request needs the funds.

The multigateway isnt perfect, but I will do everything possible to make sure it is as safe as I can make it.

Does anybody know how to setup google authenticator? I think it works by having a seed value associated with each user. I can put the encrypted value of this seed in the AM response to the user. Then for people who choose to activate this feature, they would need to go to a webpage, input their NXT acct # and authenticator token

With such a setup, can anybody think of how Evil Bob can attack the gateway? All I can think of it a spite DDos attack that would just slow things down, but no money lost. Any other attack vectors? Can someone forge the NXT acct # in the "sender" field in a confirmed AM transaction?

James

[Jean-Luc]

Just throw AE in the water... it will either swim or drown!

best test is production, if it breaks we can fix it.

If it drowns it will take the whole Nxt ecosystem with it. We cannot just roll back the production blockchain, the way we had to do yesterday with the test blockchain - I asked test nodes to delete their copies.

We may have cosmetic bugs, but things like calculating account and asset balances have to be rock solid, otherwise it is free money for the lucky ones that first discover the bugs and run away after converting to Bitcoins. We had a bug where cancelling an asset order would give you back twice the original amount, imagine this on main net...

[verymuchso]

Just throw AE in the water... it will either swim or drown!

best test is production, if it breaks we can fix it.

If it drowns it will take the whole Nxt ecosystem with it. We cannot just roll back the production blockchain, the way we had to do yesterday with the test blockchain - I asked test nodes to delete their copies.

We may have cosmetic bugs, but things like calculating account and asset balances have to be rock solid, otherwise it is free money for the lucky ones that first discover the bugs and run away after converting to Bitcoins. We had a bug where cancelling an asset order would give you back twice the original amount, imagine this on main net...

Releasing now would be mad.

[jl777]

any date set for launch of AE yet?? or still to be decided?

I proposed the 13th march, and asked if not some one should step up and take ownership for the launch of AE.

March 13th is not possible. I posted my plan some time ago:
https://bitcointalk.org/index.php?topic=345619.msg5449690#msg5449690

The test network is ready, the known asset exchange bug looks fixed, but more testing is needed to make sure there are no others.

Now I need to start working on increasing the divisibility of amounts and fees, to allow for fractional amounts in the future, and I want to have this ready and tested before Asset Exchange is enabled on main net, because this type of transition would be really more difficult after AE is live. There is no time to do that before March 13th, end of March is more likely.

fractional assets also? If the comment field is not possible, I can work around that, but please let me know so I can plan accordingly.

James

[mcjavar]

@Jean-Luc: Could you please have a look at the PM I´ve sent you yesterday? Thanks!

[Eadeqa]

I did my research on random string generator libraries, it seems apache RandomStringUtils is not compromised.

Why aren't you using SecureRandom random = new SecureRandom()?

Simpler version from web

char[] allowedCharacters = {'a','b','c','1','2','3','4'};

SecureRandom random = new SecureRandom();
StringBuffer password = new StringBuffer();

for(int i = 0; i < PASSWORD_LENGTH; i++) {
    password.append(allowedCharacters[ random.nextInt(allowedCharacters.length) ]);
}

[mcjavar]

Nxt :: Asset Exchange Testing

Let´s get things organized!

I´ve created a project for Nxt AE on TestPad.

https://nxt.ontestpad.com

Anyone willing to test AE please join the site so I can add you to the project.

What is TestPad for and why to join?

We can

- write test cases
- run tests step-by-step
- track tests step-by-step
- track bugs
- track bugfixing progress

Please PM me your username after registration.

Edit: TestPad is charging $9/month for every new user. I will pay for the subscription from my own pocket, so please, only join if you are serious about testing.

[Eadeqa]

Just throw AE in the water... it will either swim or drown!

best test is production, if it breaks we can fix it.

If it drowns it will take the whole Nxt ecosystem with it. We cannot just roll back the production blockchain, the way we had to do yesterday with the test blockchain - I asked test nodes to delete their copies.

We may have cosmetic bugs, but things like calculating account and asset balances have to be rock solid, otherwise it is free money for the lucky ones that first discover the bugs and run away after converting to Bitcoins. We had a bug where cancelling an asset order would give you back twice the original amount, imagine this on main net...

Yes, don't release anything until it has been thoroughly tested on testNet

[jl777]

10000 NXT BOUNTY for google authenticator help


I am announcing a 10000 NXT bounty for someone to help me integrate google authenticator to the gateway. It will be paid when the gateway passes the community created test plan for multigateway.

I need someone that can do the webpages needed for account # and token input and the server side code that properly correlates that. along with whatever other help I need. Especially making sure the process is secure.

James

Edit: I hope somebody knows where to update the list of bounties and will do so