ferment
January 01, 2014, 12:52:50 PM
So the idea would be that if "nxt:notsoshifty" was entered into a browser, the browser extension would fetch the alias, look for the 'web' entry, and go to that URL (http://www.notsoshifty.de/). A nxt client would look for the 'nxtacct' entry if it was in reference to making a payment; an email client would look for 'smtp', etc. Ferment: if you think this is a good idea, perhaps you could modify the 22k.io site (and browser extensions?) to check for json and act accordingly? (It should also support the existing method of course). Also anybody who might be developing nxt clients using aliases as account numbers.

I've been thinking about this too. The cool thing is that Service Providers (like 22k) can define what they support in alias URI strings. So a couple ideas pop out:
1. Support for json arrays. Arrays in a json could solve the problem of listing multiple options for URI. So, you could set an alias to be an array of hostnames to stash well known peers in an alias! ["node1.nxtbase.com","vps1.nxtcrypto.org","nxt1.tweetmondo.com"]
2. Support for json hashes. The approach would be like your contact alias example. However, what I would do is just do other aliases to keep things small. {"web":"mywebalias","mail":"mymailalias","bitcointalk":"bctalias"}
3. Tagging aliases with semantics by using substrings. So say you wanted 22k.io to send you an email when your nxt account received funds, create an alias in your account starting with the "22knotify" in it like "22knotify2014yeehaw" with a "mailto" URI. (NOT IMPLEMENTED - yet!)
All of these would require a new URI scheme for each format so a parser could handle it. Fun!

NxtChoice
January 01, 2014, 12:59:08 PM
Thanks for your reference. From the wiki example, can I understand that if I set time to be 0 then all txs will be returned? BTW, it seems that this API "getAccountTransactionIds" just gets the general tx, but doesn't return back the forging tx. Right? Is there any other API for the forging tx, or should we just walk through the blockchain to find the tx?

PaulyC
January 01, 2014, 01:03:40 PM
Well. Thought for sure it couldn't happen to me. but just had all of NXT stolen out of my account. yey..
sent to receiver.. 16204974692852323982
had a 35 character PW. completely and extremely varied characters. Was never posted anywhere, and the only place I saved it locally didn't have a few characters just to make sure I never accidentally pasted it anywhere..
wth..
and yes I know it says up to 50 or 70 now with 4.8 install, but damn. this is crazy. just a random password (different of course) with the same amount of characters would take..
197 quindecillion years to crack your password
Length: 34 characters
Character Combinations: 96
Calculations Per Second: 4 billion
Possible Combinations: 24 unvigintillion
something is ODD here??
thanks
Doge Mars Landing Foundation (founder) Coined the phrase, "Doge to the Mars" and "Check that Hash!". Discoverer of the 2013 NXT nefarious wallet. Admin. FameMom [FAMOM]

wesleyh
January 01, 2014, 01:09:35 PM
Update regarding Nxt Alias Browser Extensions:
1. I've decided to join forces with ferment (owner of 22k.io), as it's important to cooperate on one of the best features of Nxt and not confuse users with multiple extensions and what not.
2. Now, there is a bit of a difference between my extensions and what 22k.io currently has. I would like some community input on which approach is best.
- 22k.io extensions are "thin clients". The alias entered is immediately sent to 22k.io which then processes the alias; (does a redirect, shows account info, etc.. depending on the alias). This is an advantage because new features can be added easily.
- My extensions are "thick clients". The extension itself processes the alias. It first tries to ask your localhost for the alias URI, if you have the Nxt client running on your computer. If not, it connects to a Nxt node on the internet and asks it for the alias info.
The extension then decides what to do; redirect, open an email, etc..
New features require an update to the extension. I haven't checked yet if auto-update is an option in all browsers.
Which approach is technically best? I don't know. Perhaps a combination of the two could also be done; if the alias is a simple URI or email address, the client handles it, otherwise it's sent to 22k.io which can then show account info, etc...
3. We also have to be careful about security. Especially when it comes to aliases that refer to an account.
If a node is compromised, it could return the attacker's ID instead of the real account ID. This could result in stolen coins if you send to that ID.
That's why it's perhaps better to connect to multiple nodes (3 or more, from different geographical areas) and ask all of them for the alias info, and only if all of them return the same information show the user the result. We also have to make sure that 22k.io is not compromised.
4. I think it's best if this entire project would be handled as a community effort, with some kind of official sanctioning so that users know they can trust the extension/website.
All code, both client side (browser extensions), as well as server side, should also be available for peer review, open-source and hosted on github. I haven't yet got word back from ferment on this.
5. We also need some kind of agreement on the json syntax and other new features.

landomata
January 01, 2014, 01:16:51 PM

intel
January 01, 2014, 01:20:06 PM
Well. Thought for sure it couldn't happen to me. but just had all of NXT stolen out of my account. yey..
something is ODD here??
thanks
Well, did you scan your PC with antivirus? Where do you have your node hosted? Is this shared node or your own? Who else has access to your email / node server? Did you check node server log files? Did you see some strange behavior or errors near to this?

PaulyC
January 01, 2014, 01:27:27 PM Last edit: January 01, 2014, 01:40:12 PM by PaulyC
Well. Thought for sure it couldn't happen to me. but just had all of NXT stolen out of my account. yey..
something is ODD here??
thanks
Well, did you scan your PC with antivirus? Where do you have your node hosted? Is this shared node or your own? Who else has access to your email / node server? Did you check node server log files? Did you see some strange behavior or errors near to this?

I use a pretty tight antivirus software ESET, all my NXT has been done local. no email or node servers. I would love to see who this receiver is, but blockchain is down. Hopefully someone can help! thanks.
**edit no intrusions, no viruses, weird behavior, no odd ports open etc. It's at 51 confirmations.! is there any way to stop this theft!??? I literally saw my client a few moments after it happened (it was open) so how this happened is odd! My actual User account that has been stolen from is NXT 16821029889165561706

landomata
January 01, 2014, 01:36:48 PM
has anyone got any thoughts of implementation on decentralized storage with NXT involvement?
if so can you discuss/inform us a bit? is it theoretically possible?
im a programmer and im gonna do a dissertation project in the next three months and i may combine stuff to build something for next
https://nextcoin.org/index.php/topic,1893.0.html

landomata
January 01, 2014, 01:37:59 PM
pls vote at the link... votes are only counted if posted there. Thks

utopianfuture
January 01, 2014, 01:40:33 PM
From user's perspective, I like browser's extension approach better. I still use 24k.io if I want to check if an alias is available or the total number of aliases one account has. But if I want to go directly to one alias's destination, I prefer the ease of just typing in my browser.

landomata
January 01, 2014, 01:44:06 PM
3. Tagging aliases with semantics by using substrings. So say you wanted 22k.io to send you an email when your nxt account received funds, create an alias in your account starting with the "22knotify" in it like "22knotify2014yeehaw" with a "mailto" URI. (NOT IMPLEMENTED - yet!)
All of these would require a new URI scheme for each format so a parser could handle it.
Fun!
Could you get an e-mail if funds were moved out of the account or if it was opened?

timmyd
January 01, 2014, 01:46:01 PM
Well. Thought for sure it couldn't happen to me. but just had all of NXT stolen out of my account. yey..
something is ODD here??
thanks
Well, did you scan your PC with antivirus? Where do you have your node hosted? Is this shared node or your own? Who else has access to your email / node server? Did you check node server log files? Did you see some strange behavior or errors near to this?

I use a pretty tight antivirus software ESET, all my NXT has been done local. no email or node servers. I would love to see who this receiver is, but blockchain is down. Hopefully someone can help! thanks.
**edit no intrusions, no viruses, weird behavior, no odd ports open etc. It's at 51 confirmations.! is there any way to stop this theft!??? I literally saw my client a few moments after it happened (it was open) so how this happened is odd! My actual User account that has been stolen from is NXT 16821029889165561706

Sorry to hear pal, I hate thieves with a passion. Scum of the earth they are. Do you use Windows? Have you had remote view open at any point? Seems really strange for them to brute force a pass of 35 random characters. Did you use spaces and symbols or just dictionary words for your password?

wesleyh
January 01, 2014, 01:47:04 PM
From user's perspective, I like browser's extension approach better. I still use 24k.io if I want to check if an alias is available or the total number of aliases one account has. But if I want to go directly to one alias's destination, I prefer the ease of just typing in my browser.

Oh don't get me wrong, the ferment extension also works like mine; you just type in nxt:blabla - but the difference is afterwards. His extension redirects to 22k.io/blabla and then redirects to the associated URI. The process of my extension is listed above. It's a bit more decentralized.

PaulyC
January 01, 2014, 01:50:59 PM
Well. Thought for sure it couldn't happen to me. but just had all of NXT stolen out of my account. yey..
something is ODD here??
thanks
Well, did you scan your PC with antivirus? Where do you have your node hosted? Is this shared node or your own? Who else has access to your email / node server? Did you check node server log files? Did you see some strange behavior or errors near to this?

I use a pretty tight antivirus software ESET, all my NXT has been done local. no email or node servers. I would love to see who this receiver is, but blockchain is down. Hopefully someone can help! thanks.
**edit no intrusions, no viruses, weird behavior, no odd ports open etc. It's at 51 confirmations.! is there any way to stop this theft!??? I literally saw my client a few moments after it happened (it was open) so how this happened is odd! My actual User account that has been stolen from is NXT 16821029889165561706

Sorry to hear pal, I hate thieves with a passion. Scum of the earth they are. Do you use Windows? Have you had remote view open at any point? Seems really strange for them to brute force a pass of 35 random characters. Did you use spaces and symbols or just dictionary words for your password?

No all local, yes, all characters, numbers, random, upper, lowers, I would say REALLY strange too. I almost want to hope there's something going on with the Blockchain, but I guess not since it's being confirmed, anyways good luck I guess my NXT days are done, sucks I got in at 2900 satoshis too.

ferment
January 01, 2014, 01:54:54 PM
1. I've decided to join forces with ferment (owner of 22k.io), as it's important to cooperate on one of the best features of Nxt and not confuse users with multiple extensions and what not.

Alright! I think we can go really fast this way. The clock is ticking!

2. Now, there is a bit of a difference between my extensions and what 22k.io currently has. I would like some community input on which approach is best.
- 22k.io extensions are "thin clients".
- My extensions are "thick clients".
Which approach is technically best? I don't know. Perhaps a combination of the two could also be done; if the alias is a simple URI or email address, the client handles it, otherwise it's sent to 22k.io which can then show account info, etc...

I think a hybrid model would be good. Like an option where one could choose "public nxt nodes" or "22k.io" as the source of info. So there will naturally be a trade off on trust vs features. Thick clients (extensions, native apps, mobile apps with code) are more of a long term investment for the community as they require significant overhead of multiple codebases, releases, distribution, etc. Thin clients will allow us to test the functionality and progress rapidly. Both are necessary.

3. We also have to be careful about security. Especially when it comes to aliases that refer to an account.
If a node is compromised, it could return the attacker's ID instead of the real account ID. This could result in stolen coins if you send to that ID.
That's why it's perhaps better to connect to multiple nodes (3 or more, from different geographical areas) and ask all of them for the alias info, and only if all of them return the same information show the user the result. We also have to make sure that 22k.io is not compromised.

A valid point that supports the hybrid thin/thick model. Sensitive information should be handled in the thick client (or javascript in browser). One idea is the thick client could handle "verification" of 22k.io by providing a function to check localhost and public nodes (but not nxtbase nodes!).

4. I think it's best if this entire project would be handled as a community effort, with some kind of official sanctioning so that users know they can trust the extension/website.

I'll respectfully disagree on this point. NXT market adoption doesn't have time to wait for this. My strategy is to build cool stuff and address trust issues as they arise. Sanctioning is implicit in adoption.

All code, both client side (browser extensions), as well as server side, should also be available for peer review, open-source and hosted on github. I haven't yet got word back from ferment on this.

I'm all for client stuff being open source. However, I would prefer to keep the "special sauce" closed and then open source libraries based on the work. I'm still trying to figure out how to make the NXTs off this work. If the community wants to invest, then open sourcing everything is certainly an option I'd consider. I have a 5 person dev/ops team at my disposal, but I can't pull them off paying gigs without revenue generation. If we follow a model where security related things are always handled on the client side, then this shouldn't be an issue. If we follow a "trust, but verify" approach, the need for open sourcing as test of trustworthiness is not required (besides, I could run different code and not tell anyone).

5. We also need some kind of agreement on the json syntax and other new features.

My strategy is to just start defining stuff and implementing. If someone doesn't like the format, they're free to implement it differently. History has shown that adoption is the best form of "agreement". Let the market decide. So, what I propose is that we start publishing an API and spec for 22k.io as we implement support for advanced alias features and other things. Exciting stuff!
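
The agreement check wesleyh describes in point 3, and the provider "verification" ferment suggests in reply, as an added example that is not code from either poster's extension or from 22k.io. The answer shape, the injected `queryNode` lookup, the reason strings and all sample values are assumptions.

```javascript
// Added example (assumed names and data shapes throughout).
// An "answer" is {node, uri} on success or {node, error} on failure.

// Trim so whitespace differences do not count as disagreement.
function normalise(uri) {
  return typeof uri === "string" ? uri.trim() : "";
}

// Show a result only if at least minNodes distinct nodes answered
// and every one of them returned the same alias URI.
function decideAlias(answers, minNodes = 3) {
  const distinct = new Set(answers.map((a) => a.node));
  if (distinct.size < minNodes || distinct.size !== answers.length) {
    return { ok: false, reason: "need-distinct-nodes" };
  }
  const failed = answers.filter((a) => a.error || normalise(a.uri) === "");
  if (failed.length > 0) {
    return { ok: false, reason: "node-failed", nodes: failed.map((a) => a.node) };
  }
  const values = new Set(answers.map((a) => normalise(a.uri)));
  if (values.size !== 1) {
    return { ok: false, reason: "nodes-disagree", values: [...values].sort() };
  }
  return { ok: true, uri: [...values][0] };
}

// Hybrid model: a provider's answer is trusted only when it equals
// what the independently queried nodes agree on.
function verifyProvider(providerUri, answers, minNodes = 3) {
  const decision = decideAlias(answers, minNodes);
  if (!decision.ok) return decision;
  if (normalise(providerUri) !== decision.uri) {
    return { ok: false, reason: "provider-mismatch", expected: decision.uri };
  }
  return decision;
}

// Thick-client wrapper. queryNode(node, alias) is a hypothetical injected
// function returning a Promise of the alias URI; a rejection becomes an error.
async function resolveAlias(alias, nodes, queryNode, minNodes = 3) {
  const settled = await Promise.allSettled(nodes.map((n) => queryNode(n, alias)));
  const answers = settled.map((s, i) =>
    s.status === "fulfilled"
      ? { node: nodes[i], uri: s.value }
      : { node: nodes[i], error: String(s.reason) });
  return decideAlias(answers, minNodes);
}

// Constructed sample answers, not real node output.
const AGREEING = [
  { node: "localhost", uri: "nxtacct:EXAMPLE_OWNER" },
  { node: "node-a.example", uri: "nxtacct:EXAMPLE_OWNER" },
  { node: "node-b.example", uri: "nxtacct:EXAMPLE_OWNER " },
];
// Same lookup with one node returning a different account.
const ONE_DIFFERS = [
  AGREEING[0],
  AGREEING[1],
  { node: "node-b.example", uri: "nxtacct:EXAMPLE_OTHER" },
];

console.log(decideAlias(AGREEING));
console.log(decideAlias(ONE_DIFFERS));
console.log(verifyProvider("nxtacct:EXAMPLE_OTHER", AGREEING));
```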

jl777
January 01, 2014, 01:55:33 PM
CfB,
How could we implement email confirmation for sending of NXT? How long would google authenticator support take to implement?
Some sort of 2 factor authorization will be needed down the road. Without it, competitors will make sure to highlight each and every time somebody loses NXT. I do not know the different probabilities of BTC account being cracked vs NXT, but the public perception would be that if only NXT had two factor authentication, the loss wouldn't have happened.
James

ferment
January 01, 2014, 01:56:09 PM
3. Tagging aliases with semantics by using substrings. So say you wanted 22k.io to send you an email when your nxt account received funds, create an alias in your account starting with the "22knotify" in it like "22knotify2014yeehaw" with a "mailto" URI. (NOT IMPLEMENTED - yet!)
All of these would require a new URI scheme for each format so a parser could handle it.
Fun!
Could you get an e-mail if funds were moved out of the account or if it was opened?

Yes, it could monitor any transaction or if a block was forged with that account.

utopianfuture
January 01, 2014, 02:00:28 PM
Is this a really random pass or a passphrase that you can remember? While Nxt security is not yet at a desirable level I think it is a user's issue that your acc got hacked.