NXT :: descendant of Bitcoin - Updated Information

[mcjavar]

jean-luc

If you can get asset trades denominated in other assets implemented, then NXT AE would be able to dominate all other centralized exchanges. Basically all cryptos supported by the gateway could be directly traded against any other crypto. It would be fantastic!

After trading, people could withdraw directly to their wallet whatever crypto they have assets for

I think this is a much bigger change than assets supporting fractions, but maybe its a conditional handling in Order.java for all the trades of an asset denominated in another asset. Even if BTC is the only other asset something can be denominated in, that would get us 90% of the benefit, but I think the way the code is structured, it would be almost the same work to allow arbitrary denominations based in other assets.

James

I will look into that after I am done with the rest of my near term plan. I need to prioritize features, and this is again not a simple change. Supporting fractional amounts is critical because it is needed not only for the AE.

If you´ve read my PM, I am trying to help you build a core dev team...

[Jean-Luc]

Why my public node seen in active peers window has red flag and shown as disconnected, while it is really live and I can connect to it from outside?

It will be shown as disconnected (permanently) if it cannot be reached at its announced address, or visible address in case it does not announce an address. It may also be switched to disconnected temporarily if a connection fails, but will appear connected again the next time it succeeds.

[Eadeqa]

I did my research on random string generator libraries, it seems apache RandomStringUtils is not compromised.

Why aren't you using SecureRandom random = new SecureRandom()?

Simpler version from web

char[] allowedCharacters = {'a','b','c','1','2','3','4'};

SecureRandom random = new SecureRandom();
StringBuffer password = new StringBuffer();

for(int i = 0; i < PASSWORD_LENGTH; i++) {
    password.append(allowedCharacters[ random.nextInt(allowedCharacters.length) ]);
}

I don't believe I know better than the people from Apache who made that library.
That library is used in 1000s of production systems. You should not reinvent the wheel.

You are right about the difference between SecureRandom and Random, in the code I posted it does however not make sense to use SercureRandom. If you believe it does please explain why it does make sense in the code I posted.

http://www.docjar.com/html/api/org/apache/commons/lang/RandomStringUtils.java.html

They use java.util.Random

Where do you see SercureRandom used by RandomStringUtils?

[jl777]

antanst, aka Evil Bob impersonator, has raised a security weak spot in the current gateway design.
Each gateway currently generates a custom deposit address and when a deposit comes in, it immediately sweeps it to the main multisig acct. The duration of exposure is less than a second (could be set to 50 milliseconds), but it is exposure.

So, I am changing things so that there is no sweeping into a main account. All custom deposit addresses will be 2 of 3 multisig. This will require a fair amount of internal changes, but it eliminates the in transit deposit exposure. Now, all deposits will go directly into a multisig account and stay there until a withdraw request needs the funds.

The multigateway isnt perfect, but I will do everything possible to make sure it is as safe as I can make it.

Does anybody know how to setup google authenticator? I think it works by having a seed value associated with each user. I can put the encrypted value of this seed in the AM response to the user. Then for people who choose to activate this feature, they would need to go to a webpage, input their NXT acct # and authenticator token

With such a setup, can anybody think of how Evil Bob can attack the gateway? All I can think of it a spite DDos attack that would just slow things down, but no money lost. Any other attack vectors? Can someone forge the NXT acct # in the "sender" field in a confirmed AM transaction?

James

The difficulty arises with the user authenticator Google documentation . One Base32 ( secret ) key is expected . You must set the secret key to Base32 in KeePass and restrict your secret key to the base 32 character set : az, 2-7. KeePass allows "= " but not Google authenticator . Base32 length secret key Apart expressed in multiples of 8 characters.
A configuration that works :
Adjust the settings OTP Lock :
Long: 6
Secret key : abcdefghxz234567 ( Base32 )
Counter : 0 ( Dec)
OTP Number 3
Looking forward 9 (allows 3 failed attempts to unlock using KeePass newly generated OTPs before a recovery is needed because the counters have become too out of sync. )

Set Google Authenticator
secret key : abcdefghxz234567
counter : counter based
The first 6 OTPs are:
442843
724600
994 767
847 513
160505
583 080
Make sure you never lose the secret key or it will be permanently locked out of KeePass if counters lose synchronization. It also recognizes that the real secret is the secret key is not the OTP .

OtpKeyProv
Plugin Author: Dominik Reichl, Plugin Language: English
http://keepass.info/plugins.html#keeotp

OtpKeyProv is a key provider based on one-time passwords. After protecting your database using this plugin, you need to generate and enter one-time passwords in order to open your database.

All generator tokens that follow the OATH HOTP standard (RFC 4226) are supported.

Download plugin: [v2.2 for KeePass 2.20 and higher]
Download source code: [v2.2 for KeePass 2.20 and higher]

If you instead want KeePass to generate one-time passwords, see the {HMACOTP} placeholder. For generating time-based OTPs, see the KeeOtp and Tray TOTP plugins.

I am planning on generating a random seed when a user enables google authenticator and storing the encrypted version in the blockchain. That will keep it safe from being lost (at least until blockchain purge, guess need to regenerate seeds again).

I dont want to use keypass, I dont want to secure any database. I just want to be able to generate a google authenticator token when a withdraw request is made. So I need a C callable function where I pass in the random seed for the user and get back a pass/fail response. Some details about synchronizing the pass/fail response with user input.

I dont want to spend time figuring out how to configure a server, etc. I need somebody that can setup their own server with webpage that I can send an API to. Once it is all working, we can move it to the gateway server to avoid sending anything over the internet.

James

[Eadeqa]

Of course I hope the apache RandomStringUtils internally uses SecureRandom, this is where it would matter.

It doesn't

http://www.docjar.com/html/api/org/apache/commons/lang/RandomStringUtils.java.html

[muto]

Are there any plans to publish the complete and actual source code somewhere in the near future?

I only found the source code of v4.6. Is ther something more actual available?

https://bitbucket.org/JeanLucPicard/nxt/src/

Thanks, as far as I understand this, this is not the actual version but something about v0.7. Correct?

[wesleyh]

Hey, I made a windows app for my nxt web interface;

You can download it here: http://nxtra.org/nxt-client/NxtWalletWindows.zip

Just run NxtWallet.exe to start.

Proof of concept at this point, probably bugs in there. Please report.

Donations appreciated at 8189784314684138350

I have also sent the html interface to jean-luc, hopefully it will be in the next version (it is in this NxtWallet.exe already)

Btw, "tools" menu doesn't do anything at the moment.

[jl777]

jean-luc

If you can get asset trades denominated in other assets implemented, then NXT AE would be able to dominate all other centralized exchanges. Basically all cryptos supported by the gateway could be directly traded against any other crypto. It would be fantastic!

After trading, people could withdraw directly to their wallet whatever crypto they have assets for

I think this is a much bigger change than assets supporting fractions, but maybe its a conditional handling in Order.java for all the trades of an asset denominated in another asset. Even if BTC is the only other asset something can be denominated in, that would get us 90% of the benefit, but I think the way the code is structured, it would be almost the same work to allow arbitrary denominations based in other assets.

James

I will look into that after I am done with the rest of my near term plan. I need to prioritize features, and this is again not a simple change. Supporting fractional amounts is critical because it is needed not only for the AE.

Thanks!

I understand completely about prioritizing. I am just concerned that if we go live with AE without supporting fractional assets, it would be quite a mess transitioning to it later. I think it would be worth a week delay to get fractional assets

James

[antanst]

If it drowns it will take the whole Nxt ecosystem with it. We cannot just roll back the production blockchain, the way we had to do yesterday with the test blockchain - I asked test nodes to delete their copies.

We may have cosmetic bugs, but things like calculating account and asset balances have to be rock solid, otherwise it is free money for the lucky ones that first discover the bugs and run away after converting to Bitcoins. We had a bug where cancelling an asset order would give you back twice the original amount, imagine this on main net...

Just take your time. Everybody acknowledges your huge effort here.

[mcjavar]

Hey, I made a windows app for my nxt web interface;

You can download it here: http://nxtra.org/nxt-client/NxtWalletWindows.zip

Just run NxtWallet.exe to start.

Proof of concept at this point, probably bugs in there. Please report.

Donations appreciated at 8189784314684138350

I have also sent the html interface to jean-luc, hopefully it will be in the next version (it is in this NxtWallet.exe already)

Btw, "tools" menu doesn't do anything at the moment.

Very nice!
One suggestion: The "downloading blockchain..." should be in the middle of the screen as I thought it is hanging as you can´t really do anything while the blockchain is getting downloaded.

Does it also open an NRS in the background?
Or it connects to a server?

[muto]

Are there any plans to publish the complete and actual source code somewhere in the near future?

I only found the source code of v4.6. Is ther something more actual available?

https://bitbucket.org/JeanLucPicard/nxt/src/

Got it, so this seems to be v0.7.6 as far as I understand it. So ist the plan to release v0.8.x source code as soon as 0.9.0 is released?

[wesleyh]

Hey, I made a windows app for my nxt web interface;

You can download it here: http://nxtra.org/nxt-client/NxtWalletWindows.zip

Just run NxtWallet.exe to start.

Proof of concept at this point, probably bugs in there. Please report.

Donations appreciated at 8189784314684138350

I have also sent the html interface to jean-luc, hopefully it will be in the next version (it is in this NxtWallet.exe already)

Btw, "tools" menu doesn't do anything at the moment.

Very nice!
One suggestion: The "downloading blockchain..." should be in the middle of the screen as I thought it is hanging as you can´t really do anything while the blockchain is getting downloaded.

Does it also open an NRS in the background?
Or it connects to a server?

Well, you can do everything whilst it's downloading the blockchain, of course you'll only get your balance once it reaches the correct block.

It opens NRS in the background, yes, locally.

[wesleyh]

Are there any plans to publish the complete and actual source code somewhere in the near future?

I only found the source code of v4.6. Is ther something more actual available?

https://bitbucket.org/JeanLucPicard/nxt/src/

Got it, so this seems to be v0.7.6 as far as I understand it. So ist the plan to release v0.8.x source code as soon as 0.9.0 is released?

Check the develop branch.

[antanst]

10000 NXT BOUNTY for google authenticator help


I am announcing a 10000 NXT bounty for someone to help me integrate google authenticator to the gateway. It will be paid when the gateway passes the community created test plan for multigateway.

I need someone that can do the webpages needed for account # and token input and the server side code that properly correlates that. along with whatever other help I need. Especially making sure the process is secure.

James

Edit: I hope somebody knows where to update the list of bounties and will do so

I can do both, but we must put down all the details first. I suppose you don't want them in C, do you? :-)

[wesleyh]

Hey, I made a windows app for my nxt web interface;

You can download it here: http://nxtra.org/nxt-client/NxtWalletWindows.zip

Just run NxtWallet.exe to start.

Proof of concept at this point, probably bugs in there. Please report.

Donations appreciated at 8189784314684138350

I have also sent the html interface to jean-luc, hopefully it will be in the next version (it is in this NxtWallet.exe already)

Btw, "tools" menu doesn't do anything at the moment.

Very nice!
One suggestion: The "downloading blockchain..." should be in the middle of the screen as I thought it is hanging as you can´t really do anything while the blockchain is getting downloaded.

Does it also open an NRS in the background?
Or it connects to a server?

Btw, this can easily be created for linux and mac as well, all the same interface, same code. It's node-webkit based.

[mcjavar]

Hey, I made a windows app for my nxt web interface;

You can download it here: http://nxtra.org/nxt-client/NxtWalletWindows.zip

Just run NxtWallet.exe to start.

Proof of concept at this point, probably bugs in there. Please report.

Donations appreciated at 8189784314684138350

I have also sent the html interface to jean-luc, hopefully it will be in the next version (it is in this NxtWallet.exe already)

Btw, "tools" menu doesn't do anything at the moment.

Very nice!
One suggestion: The "downloading blockchain..." should be in the middle of the screen as I thought it is hanging as you can´t really do anything while the blockchain is getting downloaded.

Does it also open an NRS in the background?
Or it connects to a server?

Well, you can do everything whilst it's downloading the blockchain, of course you'll only get your balance once it reaches the correct block.

It opens NRS in the background, yes, locally.

For me it is hanging. The mousepointer converts to a pointing finger but nothing happens wherever I click.

[mcjavar]

Hey, I made a windows app for my nxt web interface;

You can download it here: http://nxtra.org/nxt-client/NxtWalletWindows.zip

Just run NxtWallet.exe to start.

Proof of concept at this point, probably bugs in there. Please report.

Donations appreciated at 8189784314684138350

I have also sent the html interface to jean-luc, hopefully it will be in the next version (it is in this NxtWallet.exe already)

Btw, "tools" menu doesn't do anything at the moment.

Very nice!
One suggestion: The "downloading blockchain..." should be in the middle of the screen as I thought it is hanging as you can´t really do anything while the blockchain is getting downloaded.

Does it also open an NRS in the background?
Or it connects to a server?

Btw, this can easily be created for linux and mac as well, all the same interface, same code. It's node-webkit based.

I think that is the client we were waiting for. So fucking awesome. Very nice job!

[martismartis]

Could somebody sent TestNxt to the 13965125640011039998 please?

Thank you.

[wesleyh]

Hey, I made a windows app for my nxt web interface;

You can download it here: http://nxtra.org/nxt-client/NxtWalletWindows.zip

Just run NxtWallet.exe to start.

Proof of concept at this point, probably bugs in there. Please report.

Donations appreciated at 8189784314684138350

I have also sent the html interface to jean-luc, hopefully it will be in the next version (it is in this NxtWallet.exe already)

Btw, "tools" menu doesn't do anything at the moment.

Very nice!
One suggestion: The "downloading blockchain..." should be in the middle of the screen as I thought it is hanging as you can´t really do anything while the blockchain is getting downloaded.

Does it also open an NRS in the background?
Or it connects to a server?

Well, you can do everything whilst it's downloading the blockchain, of course you'll only get your balance once it reaches the correct block.

It opens NRS in the background, yes, locally.

For me it is hanging. The mousepointer converts to a pointing finger but nothing happens wherever I click.

OK, I'll check this out tomorrow, as I have to leave in an hour. Weird, which windows are you on?

[ChuckOne]

Nxt :: Asset Exchange Testing

Let´s get things organized!

I´ve created a project for Nxt AE on TestPad.

https://nxt.ontestpad.com

Anyone willing to test AE please join the site so I can add you to the project.

What is TestPad for and why to join?

We can

- write test cases
- run tests step-by-step
- track tests step-by-step
- track bugs
- track bugfixing progress

Please PM me your username after registration.

Edit: TestPad is charging $9/month for every new user. I will pay for the subscription from my own pocket, so please, only join if you are serious about testing.

This is what I like about this community. Great.