Bitcoin Forum
Topic: NXT :: descendant of Bitcoin - Updated Information (Read 2761529 times)
jl777
December 30, 2013, 04:14:41 AM
 #10641

Peercover has been working hard and has already implemented the account balance check prior to withdrawing to a NXT account.

http://dev.peercover.com/#/simpleGateway

Is ready to start getting more traffic. The trading is via distributed ledger so no single point of failure. Making deposits and withdrawals is automated. Conversion to other currencies is built in.

If you don't have a ripple account, it's easy to open one at https://ripple.com/client/#/register

All we need is some NXT inventory and a market will form as there is also interest in the ripple community about NXT. If any founder is willing to help jump start a market, please PM me. You can set the min price you want to get for a block of NXT and I will do all the ripple things and get it sold for you, I just need some NXT to make a market, probably 100,000 NXT will be plenty.

James


http://www.digitalcatallaxy.com/report2015.html
100+ page annual report for SuperNET
jl777
December 30, 2013, 04:22:45 AM
 #10642

Correction, that was the test address. The live gateway is on https

https://peercover.com/#/simpleGateway

It's everything people have been asking for. More secure using https, more robust using distributed ledger. Has account confirmation prior to withdrawing to NXT account. Automated deposits and withdrawals.

All we need is someone who is already on ripple to deposit NXT and put in some good sell offers, or I can do all the work within price guidelines, just PM me to work out the details, but basically you would just send NXT to peercover and I will send BTC back to you after the inventory is sold.

I am planning on bringing some large investors through ripple, so the sooner we get the connection between NXT and ripple flowing, the better.

James

xyzzyx
December 30, 2013, 04:46:28 AM
 #10643

I noticed that if you need to differentiate between an account with zero balance, and an account that has never been funded, you can do this:

Code:
http://localhost:7874/nxt?requestType=listAccountAliases&account=[ACCOUNT_NUMBER]

An account that was never funded will return error code 5.  An account that was funded, but now has a zero balance will return an alias list (even an empty list if no aliases were registered in that account.)

This seems like a hack though, so I wouldn't assume it will always be this way in future versions of the server.


"An awful lot of code is being written ... in languages that aren't very good by people who don't know what they're doing." -- Barbara Liskov
aldrin
December 30, 2013, 04:50:53 AM
 #10644


You might have overlooked this... but it still SOLVES the issue because a hacker would not get far if he/she found only the cmd window open because the passphrase is needed in order to send NXT this way... as opposed to finding the browser open with an unlocked account where they would freely send NXT without needing the passphrase (at least until a client comes out that will ask for the passphrase again).

Just explaining for the rest... I know you get it! ;)

Then I did misunderstand your original question. Yes, with the cmd window open there appears to be no easy way to s(p)end NXT without knowing the passphrase. Certainly no supported API call.

However, if someone does get SSH access to your server and can login with the unix user that is running the Java process (or root, or a user that can sudo, etc), and you have used the web browser to unlock your account using your passphrase since Java was last restarted (i.e. you are actively trying to forge), then that person can get your passphrase. It's not trivial, but it's not difficult either. I've tested it on a remote instance just now, and it was relatively straightforward. It could probably be scripted to get the passphrase quickly and transparently, and bundled into your favourite trojan/virus/rat/etc.

(I was testing on Linux, but the same would likely apply with remote access to Windows).

So there are interesting questions about where you should forge, what precautions you should take, and with how much of your nxt stash. Don't assume that typing your passphrase over SSL to your VPS is necessarily enough. I don't believe this is purely a client-related topic, so long as the key required to forge is the same as the key required to send/spend nxt. I understand that transparent mining/forging and/or multi-sig (?) may fix this, but I don't know much about those concepts yet.





Thanks for spelling this out!! The fear of being hacked has stopped me forging now. I asked a question along these lines a couple of days ago on a related theme but haven't had a response yet (I know everyone on the dev side is super busy now) - My question is, is it possible to detect the location and status of unlocked accounts on other nodes? If it is, then forging with a large account is too risky IMO.

https://bitcointalk.org/index.php?topic=345619.msg4182386#msg4182386


I have a large account balance, and the other day I noticed a few separate transactions in my history where unknown users to me had sent 1 NXT amounts to my account. I hadn't noticed them before, as the only difference between a forged NXT and a sent NXT is the small icon next to the transaction number.

I suspect someone was experimenting with trying to identify the location of accounts with large balances on the network. I don't have much experience with these things, but I suspect there could be ways of analysing transaction logs and other data sources to try and determine the IP address, or identity/location of an open account.

My account number is one of the accounts on the block explorer page of top accounts, so I think someone was searching for the location & account status of big accounts.

That said, I have done some thinking, and I would like to explore the possibility of using my account to forge NXT for community activities like faucets, promotion, and bounties. I would retain full ownership of the account, but I would be happy for all the forging revenue to go into funding community activities.

My intention would be to help create a consistent revenue stream to help fund worthwhile activities. I have enough NXT, but I don't have the time or skills to contribute much to all the good things going on at the moment. I am also not interested in choosing worthwhile people and projects myself. I have too many commitments (work & family), and I'm finding it too hard to keep up with all the reading required to be an active, and informed, participant. I can see that there are others in the NXT community with time, passion and skills. I want to help supply those people with a small, but consistent revenue stream.

I am prepared to investigate this, but I think the hacking threat of forging with a known account is too great at the moment. Once this risk is eliminated (if it can be) my account could forge 24/7. That would be 1-4% of the NXT supply, depending on how much more NXT I sell. If other big stake holders contributed we could create a semi-permanent funding source to help NXT in these formative years.

But the security situation has to be 100% water tight.


jl777
December 30, 2013, 04:57:36 AM
 #10645

does anybody have the latest list of servers? I can't find it

xyzzyx
December 30, 2013, 05:05:10 AM
 #10646


That said, I have done some thinking, and I would like to explore the possibility of using my account to forge NXT for community activities like faucets, promotion, and bounties. I would retain full ownership of the account, but I would be happy for all the forging revenue to go into funding community activities.

My intention would be to help create a consistent revenue stream to help fund worthwhile activities.


I don't have the knowledge to help you in your goal, but I just wanted to let you know that I think you're pretty awesome.  That is all.

intel
December 30, 2013, 05:15:00 AM
 #10647


I have a large account balance, and the other day I noticed a few separate transactions in my history where unknown users to me had sent 1 NXT amounts to my account. I hadn't noticed them before, as the only difference between a forged NXT and a sent NXT is the small icon next to the transaction number.

I suspect someone was experimenting with trying to identify the location of accounts with large balances on the network. I don't have much experience with these things, but I suspect there could be ways of analysing transaction logs and other data sources to try and determine the IP address, or identity/location of an open account.

My account number is one of the accounts on the block explorer page of top accounts, so I think someone was searching for the location & account status of big accounts.


Don't worry. It was me who added your account to one of the NXT faucets, as you seem too poor to fund the activity of NXT supporters or too busy watching your balance growing.

Joke. Or not?

Don't take it personally. This is my message to all high volume shareholders.

[!] 24.7 NXT News Portal. Real-Time Update. Share your own news with NXT community and get FREE NXT!
onecent
December 30, 2013, 05:20:21 AM
 #10648

Come-from-Beyond
December 30, 2013, 05:46:24 AM
 #10649

Huh - I thought that WAS the official NXT forum.  So...is THIS THREAD on Bitcointalk considered the OFFICIAL thread?  Are there others that are recognized by the paid dev team as official? 

I keep popping in and out here because this dang thread is so hard to keep up with continuously, but I always keep coming back because this is obviously where The Cool Gang hangs out.

Oh, and CfB too, of course.... :)

We should NOT use word "official". Nxt is decentralized.
Come-from-Beyond
December 30, 2013, 05:53:36 AM
 #10650

I am having troubles sending NXT. I triple checked the acct number.
Sending dialog takes several seconds, then says money was sent.
After a while I see what I am pretty sure is my transaction in the unconfirmed transactions box
as soon as the next block is generated, it disappears

However, my acct is not being debited and the receiving account is not getting the money

I restarted java and localhost.

with blockchain site being upgraded, not sure how to track this down.
How can it say it was sent, appear in unconfirmed, then disappear from unconfirmed but not do anything?

Try to adjust ur computer clock by minus 1-2 hours. Quite often this problem arises due to incorrect time/timezone. Peers reject transactions with timestamp > current time plus 15 seconds.
Come-from-Beyond
December 30, 2013, 06:01:42 AM
 #10651

I noticed that if you need to differentiate between an account with zero balance, and an account that has never been funded, you can do this:

Code:
http://localhost:7874/nxt?requestType=listAccountAliases&account=[ACCOUNT_NUMBER]

An account that was never funded will return error code 5.  An account that was funded, but now has a zero balance will return an alias list (even an empty list if no aliases were registered in that account.)

This seems like a hack though, so I wouldn't assume it will always be this way in future versions of the server.

It's better to use http://localhost:7874/nxt?requestType=getAccountPublicKey&account=100000
If u get unknown account message, then there were no transactions to that account.
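
Added example, not code from the thread or from the Nxt project: a fail-closed version of the two checks above, of the kind a gateway could run before paying out to an account. The request URLs and "error code 5" come from the posts; the JSON field name `errorCode`, the account-number format and the sample replies are assumptions constructed for illustration.

```python
import json
import re
from urllib.parse import urlencode
from urllib.request import urlopen

API = "http://localhost:7874/nxt"   # local endpoint quoted in the thread
UNKNOWN_ACCOUNT = 5                 # "error code 5" from the post above

# Assumption: account numbers are unsigned 64-bit decimal strings.
_ACCOUNT_RE = re.compile(r"[0-9]{1,20}")


def build_url(request_type, account):
    """Build the query URL, refusing anything that is not a plain number,
    so a pasted value cannot smuggle extra parameters into the request."""
    account = str(account)
    if not _ACCOUNT_RE.fullmatch(account) or int(account) >= 2 ** 64:
        raise ValueError("not a valid account number: %r" % account)
    return API + "?" + urlencode({"requestType": request_type,
                                  "account": account})


def query(request_type, account, timeout=5):
    """Fetch the raw reply from the local node (needs a running node)."""
    with urlopen(build_url(request_type, account), timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def classify(body):
    """Map a raw reply to 'never_funded', 'known' or 'error'.
    Anything that is not a well-formed reply counts as 'error'."""
    try:
        reply = json.loads(body)
    except ValueError:
        return "error"
    if not isinstance(reply, dict):
        return "error"
    if "errorCode" in reply:            # assumed name of the error field
        if reply["errorCode"] == UNKNOWN_ACCOUNT:
            return "never_funded"
        return "error"
    return "known"


def safe_to_withdraw(body):
    """Pay out only to an account the node already knows about.
    Errors and unknown accounts both block the withdrawal."""
    return classify(body) == "known"


# Constructed sample replies, not captured from a real node.
SAMPLES = {
    "unknown": '{"errorCode": 5, "errorDescription": "Unknown account"}',
    "empty_alias_list": '{"aliases": []}',
    "other_error": '{"errorCode": 3, "errorDescription": "example"}',
    "not_json": "<html>502 Bad Gateway</html>",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, classify(body), safe_to_withdraw(body))
```

A funded account with a zero balance classifies as `known`, which is the distinction the posts are after; a node that is down or returns garbage never counts as confirmation.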
Come-from-Beyond
December 30, 2013, 06:04:31 AM
 #10652

I suspect someone was experimenting with trying to identify the location of accounts with large balances on the network. I don't have much experience with these things, but I suspect there could be ways of analysing transaction logs and other data sources to try and determine the IP address, or identity/location of an open account.

Sending transactions to accounts can't give the location.
opticalcarrier
December 30, 2013, 06:20:51 AM
 #10653


You might have overlooked this... but it still SOLVES the issue because a hacker would not get far if he/she found only the cmd window open because the passphrase is needed in order to send NXT this way... as opposed to finding the browser open with an unlocked account where they would freely send NXT without needing the passphrase (at least until a client comes out that will ask for the passphrase again).

Just explaining for the rest... I know you get it! ;)

Then I did misunderstand your original question. Yes, with the cmd window open there appears to be no easy way to s(p)end NXT without knowing the passphrase. Certainly no supported API call.

However, if someone does get SSH access to your server and can login with the unix user that is running the Java process (or root, or a user that can sudo, etc), and you have used the web browser to unlock your account using your passphrase since Java was last restarted (i.e. you are actively trying to forge), then that person can get your passphrase. It's not trivial, but it's not difficult either. I've tested it on a remote instance just now, and it was relatively straightforward. It could probably be scripted to get the passphrase quickly and transparently, and bundled into your favourite trojan/virus/rat/etc.

(I was testing on Linux, but the same would likely apply with remote access to Windows).

So there are interesting questions about where you should forge, what precautions you should take, and with how much of your nxt stash. Don't assume that typing your passphrase over SSL to your VPS is necessarily enough. I don't believe this is purely a client-related topic, so long as the key required to forge is the same as the key required to send/spend nxt. I understand that transparent mining/forging and/or multi-sig (?) may fix this, but I don't know much about those concepts yet.





Thanks for spelling this out!! The fear of being hacked has stopped me forging now. I asked a question along these lines a couple of days ago on a related theme but haven't had a response yet (I know everyone on the dev side is super busy now) - My question is, is it possible to detect the location and status of unlocked accounts on other nodes? If it is, then forging with a large account is too risky IMO.

https://bitcointalk.org/index.php?topic=345619.msg4182386#msg4182386


I have a large account balance, and the other day I noticed a few separate transactions in my history where unknown users to me had sent 1 NXT amounts to my account. I hadn't noticed them before, as the only difference between a forged NXT and a sent NXT is the small icon next to the transaction number.

I suspect someone was experimenting with trying to identify the location of accounts with large balances on the network. I don't have much experience with these things, but I suspect there could be ways of analysing transaction logs and other data sources to try and determine the IP address, or identity/location of an open account.

My account number is one of the accounts on the block explorer page of top accounts, so I think someone was searching for the location & account status of big accounts.

That said, I have done some thinking, and I would like to explore the possibility of using my account to forge NXT for community activities like faucets, promotion, and bounties. I would retain full ownership of the account, but I would be happy for all the forging revenue to go into funding community activities.

My intention would be to help create a consistent revenue stream to help fund worthwhile activities. I have enough NXT, but I don't have the time or skills to contribute much to all the good things going on at the moment. I am also not interested in choosing worthwhile people and projects myself. I have too many commitments (work & family), and I'm finding it too hard to keep up with all the reading required to be an active, and informed, participant. I can see that there are others in the NXT community with time, passion and skills. I want to help supply those people with a small, but consistent revenue stream.

I am prepared to investigate this, but I think the hacking threat of forging with a known account is too great at the moment. Once this risk is eliminated (if it can be) my account could forge 24/7. That would be 1-4% of the NXT supply, depending on how much more NXT I sell. If other big stake holders contributed we could create a semi-permanent funding source to help NXT in these formative years.

But the security situation has to be 100% water tight.



If you are not going to use your hallmarked balance then please get with me so I can use your hallmark on some high powered nodes, public VPSes, that I am running.
Come-from-Beyond
December 30, 2013, 06:57:19 AM
 #10654

Perhaps tie the quantity to the cost, instead of a static 1000 NXT fee.  Make an attack like this too costly.

No need. The attacker will just spend all his bitcoins money on Nxt fees.
langkeming
December 30, 2013, 07:02:09 AM
 #10655

new comer
5180760439149633299
waiting for the new giveaway
thanks
chanc3r
December 30, 2013, 07:35:17 AM
 #10656

Is it possible to get a list of active peers and other stats from the client via http://localhost:7874/nxt?

Interested to see if I can script something to check on the client externally, e.g. restart if certain conditions are met

thanks,

Ian

wesleyh
December 30, 2013, 07:41:22 AM
 #10657

How are aliases verified?

Say I want to send to an account alias (presuming this is implemented in the future), if a rogue node tells me that nxt:name links to acct:000000001 (attacker account) instead of acct:3209075099254042753 then I could lose my money by sending it. How is this prevented?
Come-from-Beyond
December 30, 2013, 07:48:55 AM
 #10658

Is it possible to get a list of active peers and other stats from the client via http://localhost:7874/nxt?

Interested to see if I can script something to check on the client externally, e.g. restart if certain conditions are met

thanks,

Ian

Check http://localhost:7874/nxt?requestType=getState and http://localhost:7874/nxt?requestType=getPeers.
Come-from-Beyond
December 30, 2013, 07:51:10 AM
 #10659

How are aliases verified?

Say I want to send to an account alias (presuming this is implemented in the future), if a rogue node tells me that nxt:name links to acct:000000001 (attacker account) instead of acct:3209075099254042753 then I could lose my money by sending it. How is this prevented?

U should trust only hallmarked nodes that signed their response. If one of them sent u incorrect data u can prove that and stakeholders can vote on destroying all the stake of the rogue node. Also u can ask 2-3 nodes before sending big amounts.

Edit: BCNext said that pay-to-alias would be implemented later.
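
Added example, not code from the thread or from the Nxt project: the "ask 2-3 nodes before sending big amounts" advice as a check that resolves an alias only when enough nodes replied and all of them name the same account. Node names, the `BIG_AMOUNT` threshold and the reply values are assumptions constructed for illustration (the two account numbers are the ones in the question above); checking the nodes' signatures is outside what this sketch covers.

```python
BIG_AMOUNT = 1000   # assumption: what counts as a "big amount", in NXT


def nodes_required(amount):
    """Small payments accept one reply, big ones need three nodes."""
    return 3 if amount >= BIG_AMOUNT else 1


def resolve(answers, amount):
    """answers maps node name -> account id string (None = no usable reply).

    Returns (account, evidence). account is None unless enough nodes
    replied and every reply names the same account. evidence["votes"]
    lists which node gave which answer, so a dissenting node can be
    identified and reported.
    """
    votes = {}
    for node, account in answers.items():
        try:
            key = int(account)          # '000000001' and '1' are the same id
        except (TypeError, ValueError):
            continue                    # missing or malformed reply
        if key < 0:
            continue
        votes.setdefault(key, []).append(node)

    replies = sum(len(nodes) for nodes in votes.values())
    if replies < nodes_required(amount):
        return None, {"reason": "too few replies", "votes": votes}
    if len(votes) > 1:
        return None, {"reason": "nodes disagree", "votes": votes}
    return next(iter(votes)), {"reason": "unanimous", "votes": votes}


# Constructed replies from three hypothetical nodes for the alias "name".
HONEST = {
    "node-a": "3209075099254042753",
    "node-b": "3209075099254042753",
    "node-c": "3209075099254042753",
}
ONE_ROGUE = dict(HONEST, **{"node-b": "000000001"})

if __name__ == "__main__":
    print(resolve(HONEST, 5000))
    print(resolve(ONE_ROGUE, 5000))
    print(resolve({"node-a": "3209075099254042753"}, 5000))
```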
MyZhre
December 30, 2013, 07:52:22 AM
Last edit: April 01, 2014, 04:14:57 PM by MyZhre
 #10660

NXT Assets currently are issued with all of them created at once. Kind of in the spirit of NXT. However, for creating a 1:1 correspondence between the NXT AE Asset and something tangible, this issue all at once model is not quite right.

For example, in the gateway I have to exchange deposited DOGE with NXT AE DOGE. Since there are 100 billion DOGE and only 1 billion NXT AE DOGE possible, that would create a problem if more than 1% of all DOGE is deposited. For NXTcoins that are mined at a rate of 100,000 per day it is quite important that the number of NXT assets in circulation match the number that was mined.

In order to make it easy for people to deal with these types of cases, I am creating a NXTcoins development kit where you will be able to specify (within reason) the properties of the coin, especially as it pertains to total authorized, total in circulation, creation criteria, etc.

NXT: 13997163105778396158