BitAddict
Legendary
Activity: 1190
Merit: 1001
January 01, 2014, 04:37:53 PM
Hey, looks like I just got robbed, too. Someone please check this account: 12152013998194592943 They now have 147k+ from me. Had a 40 char random password, capital, lower, numbers, symbols. WTF?

you're 11794318797680953099? http://22k.io/-account/12152013998194592943

Yes, that was me. Just created a new account, though, and sent the remaining 100k there.

If your acc got hacked they will take all, not leaving you with 100K. I guess this is the new way to spread panic and try to buy lower. Or even better, you send funds to one new account, you come here and tell "hey, I got hacked! can someone please send me more NxT, that was all my money". Of course some histories will be true, but you can never know.
rickyjames
January 01, 2014, 04:38:28 PM
As a public key on a colored coin?

Your account number is public key already. You're constantly trying to create unnecessary entities. Want to "freeze" some coins with some new private key? Just create new account with this key, transfer coins to it, and then use this key only when you need to spend these coins.

The problem is that the "lucky gold strike" loophole for somebody else to hit this new account when miskeying their own password exists just like it exists for the old one. Psychologically to the public this is always going to be perceived as a flaw because they don't understand how unlikely it is. You haven't increased security one iota, you have only created a different winning lottery number. Publicly announcing to the world not to accept withdrawals from an account until further notice via a second and completely different one-use-only password closes this loophole. That will make a huge psychological difference to the public. And I am telling you, for NXT to succeed with the public, irrational psychological issues are going to have to be addressed.
cryptobanks
Newbie
Activity: 29
Merit: 0
January 01, 2014, 04:38:47 PM
Well. Thought for sure it couldn't happen to me, but just had all of NXT stolen out of my account. yey..

Complete NIGHTMARE! It's a nightmare I have often. I am terrified of keystroke loggers. The more widespread NXT becomes, the more keystroke loggers are going to be deployed to steal it. That's a fact. I am only running my main NXT account on an old XP laptop that I sanitized by doing a zero bit overwrite of the hard drive and reinstalling the OS from a Dell reinstall disk followed by the minimal add-ons like Java etc being brought over on a CD instead of via online downloads. This laptop is now used for NXT and that's it. I'm working on creating a second identical sanitized laptop as a backup. I have a hidden and uncommented local handwritten copy of my random password generated offline on the laptop using Awesome Password Generator 1.4 from Google (you know, the guys that are secretly partnered with the NSA) and another handwritten copy in my bank vault safe deposit box. I still worry. I understand that the user space is unimaginably huge at something like (I think I remember seeing) 10^70 - but still. One lucky hit by somebody else miskeying their own password under the current scheme, and it's all over for you. That's a fact, too, mitigated only by just how much luck the thief would need to have. I've got a degree in math and I understand probability and it still doesn't do much to calm the reptilian fear in my brain. Is there a separate white paper PDF someplace that goes over in detail from scratch / first principles the entire NXT security scheme and just the security scheme? If not, there needs to be. We are going to have to point specifically to that information over and over and over as more and more people come to risk larger and larger sums that the security scheme is adequate - particularly when single colored coins are made that could be worth millions of regular NXT. So, bottom line, I think we need a security whitepaper PDF and a link to it.

Get anti-keylogger software, a must IMO.
utopianfuture
Sr. Member
Activity: 602
Merit: 268
Internet of Value
January 01, 2014, 04:39:32 PM
I want to tell the world to never accept a withdrawal from my NXT account. To do this I click a button on my client and go to a special page. I pay a NXT fee and the page generates two numbers, a public key and a private key. I attach the public key to a colored coin. This is my announcement to the world to lock my account...

This can be done with existing functionality. Just create new account, send coins to it and never use this account until NXT costs $500. This is absolutely the same scheme as yours. And it's free.

That's basically what I did. Create an account with very strong pass (even a 160 bit pass is enough). Name it "saving" and transfer all your funds there. Never put the password online again. Nothing can break this account unless they can break down the whole NXT network.
utopianfuture
Sr. Member
Activity: 602
Merit: 268
Internet of Value
January 01, 2014, 04:41:58 PM
As a public key on a colored coin?

Your account number is public key already. You're constantly trying to create unnecessary entities. Want to "freeze" some coins with some new private key? Just create new account with this key, transfer coins to it, and then use this key only when you need to spend these coins.

The problem is that the "lucky gold strike" loophole for somebody else to hit this new account when miskeying their own password exists just like it exists for the old one. Psychologically to the public this is always going to be perceived as a flaw because they don't understand how unlikely it is. You haven't increased security one iota, you have only created a different winning lottery number. Publicly announcing to the world not to accept withdrawals from an account closes this loophole. That will make a huge psychological difference to the public. And I am telling you, for NXT to succeed with the public, irrational psychological issues are going to have to be addressed.

You still need a pass at some point to make an announcement like "I want to spend this money again", right? You would still need to enter this pass into the network, right? It is essentially the same thing as the current implementation.
ImmortAlex
January 01, 2014, 04:42:33 PM
Just forget about SMS, email, fingerprint and drone verification; there is no way to do that, the system would be centralized and easy to break. This is a big conflict between the general idea of cryptocurrencies and Joe Average's mind. While cryptos are simple, they aren't fit for the mind of the average user of the real-life monetary system.
msin
Legendary
Activity: 1470
Merit: 1004
January 01, 2014, 04:42:44 PM
But I really do believe that some kind of hooks for a 2 factor authorization should be built into the code for transfers above a certain amount.

This makes sense. Edit: A thief could always transfer smaller amounts under the threshold....

How about this - you can pay a fee to tell the blockchain that no further withdrawals are to be accepted from this account for all future times, and upon payment of the fee you register a second 50+ character password that can be used in the future to inform the blockchain to reauthorize withdrawals from the subject account. We gotta do something here. There are multiple reports of people having their NXT wallets emptied when they didn't want it to be during the low volume alpha / beta operations shakedown of NXT. We have to do more than just say, "Well, if you used a strong password, it wasn't hacked by brute force".

I doubt any of these reports is actually true, since they are all silent when further proofs and information are requested. Remember that any hostile entity would have an incentive to slur NXT's security. Surely we want to improve users' experience, so it would be good to brainstorm, but the conception that the current implementation is of poor security needs to be disproved.

Yeah, these posts are just trolls, if you have a 35 character random password, you are not getting hacked.
BitAddict
Legendary
Activity: 1190
Merit: 1001
January 01, 2014, 04:43:58 PM
I want to tell the world to never accept a withdrawal from my NXT account. To do this I click a button on my client and go to a special page. I pay a NXT fee and the page generates two numbers, a public key and a private key. I attach the public key to a colored coin. This is my announcement to the world to lock my account...

This can be done with existing functionality. Just create new account, send coins to it and never use this account until NXT costs $500. This is absolutely the same scheme as yours. And it's free.

That's basically what I did. Create an account with very strong pass (even a 160 bit pass is enough). Name it "saving" and transfer all your funds there. Never put the password online again. Nothing can break this account unless they can break down the whole NXT network.

This kills NxT if people can't forge in a secure way. If no-one wants to forge because the system is not secure enough (like having cold wallets), this is wtf.
newsilike
Sr. Member
Activity: 630
Merit: 262
This account was hacked. Just recently got it back
January 01, 2014, 04:45:55 PM
Well. Thought for sure it couldn't happen to me, but just had all of NXT stolen out of my account. yey..

Complete NIGHTMARE! It's a nightmare I have often. I am terrified of keystroke loggers. The more widespread NXT becomes, the more keystroke loggers are going to be deployed to steal it. That's a fact. I am only running my main NXT account on an old XP laptop that I sanitized by doing a zero bit overwrite of the hard drive and reinstalling the OS from a Dell reinstall disk followed by the minimal add-ons like Java etc being brought over on a CD instead of via online downloads. This laptop is now used for NXT and that's it. I'm working on creating a second identical sanitized laptop as a backup. I have a hidden and uncommented local handwritten copy of my random password generated offline on the laptop using Awesome Password Generator 1.4 from Google (you know, the guys that are secretly partnered with the NSA) and another handwritten copy in my bank vault safe deposit box. I still worry. I understand that the user space is unimaginably huge at something like (I think I remember seeing) 10^70 - but still. One lucky hit by somebody else miskeying their own password under the current scheme, and it's all over for you. That's a fact, too, mitigated only by just how much luck the thief would need to have. I've got a degree in math and I understand probability and it still doesn't do much to calm the reptilian fear in my brain. Is there a separate white paper PDF someplace that goes over in detail from scratch / first principles the entire NXT security scheme and just the security scheme? If not, there needs to be. We are going to have to point specifically to that information over and over and over as more and more people come to risk larger and larger sums that the security scheme is adequate - particularly when single colored coins are made that could be worth millions of regular NXT. So, bottom line, I think we need a security whitepaper PDF and a link to it.

Gadgets like the Trezor or something similar will solve such insecurities.
BitAddict
Legendary
Activity: 1190
Merit: 1001
January 01, 2014, 04:46:28 PM
Just forget about SMS, email, fingerprint and drone verification; there is no way to do that, the system would be centralized and easy to break. This is a big conflict between the general idea of cryptocurrencies and Joe Average's mind. While cryptos are simple, they aren't fit for the mind of the average user of the real-life monetary system.

Cryptos can't work this way unless you have a trusty and decentralized P2P email provider. You can forget about this until the 3rd or 4th cryptocurrency generation. You can't set a centralized verification system to your crypto because it's a bottleneck and it will fail at that point. CENTRALIZED IN CRYPTOWORLD = EPIC FAIL
rickyjames
January 01, 2014, 04:49:24 PM
As a public key on a colored coin?

Your account number is public key already. You're constantly trying to create unnecessary entities. Want to "freeze" some coins with some new private key? Just create new account with this key, transfer coins to it, and then use this key only when you need to spend these coins.

The problem is that the "lucky gold strike" loophole for somebody else to hit this new account when miskeying their own password exists just like it exists for the old one. Psychologically to the public this is always going to be perceived as a flaw because they don't understand how unlikely it is. You haven't increased security one iota, you have only created a different winning lottery number. Publicly announcing to the world not to accept withdrawals from an account closes this loophole. That will make a huge psychological difference to the public. And I am telling you, for NXT to succeed with the public, irrational psychological issues are going to have to be addressed.

You still need a pass at some point to make an announcement like "I want to spend this money again", right? You would still need to enter this pass into the network, right? It is essentially the same thing as the current implementation.

No. If it is a dual colored coin scheme, attempts to unlock the account for withdrawals are publicly seen on the blockchain and can be monitored and throw up warnings that an account is under attack. If somebody hits the powerball jackpot and gets into an account through a miskey of another password, that is a one-time private event that is all over in under a minute and nobody even realizes it has happened until the next time they open their account or check it on the blockchain. I understand the math on how unlikely it is that a miskeyed password could open the fattest wallet by accident. This isn't about math. It's about public psychology.
Saying as a programmer it isn't necessary ignores the popularity of Powerball in the public mind and the psychological bias it introduces against brain wallets.
sparta_cuss
January 01, 2014, 04:49:47 PM
I want to tell the world to never accept a withdrawal from my NXT account. To do this I click a button on my client and go to a special page. I pay a NXT fee and the page generates two numbers, a public key and a private key. I attach the public key to a colored coin. This is my announcement to the world to lock my account...

This can be done with existing functionality. Just create new account, send coins to it and never use this account until NXT costs $500. This is absolutely the same scheme as yours. And it's free.

That's basically what I did. Create an account with very strong pass (even a 160 bit pass is enough). Name it "saving" and transfer all your funds there. Never put the password online again. Nothing can break this account unless they can break down the whole NXT network.

This kills NxT if people can't forge in a secure way. If no-one wants to forge because the system is not secure enough (like having cold wallets), this is wtf.

Exactly. Just transferred everything back to Dgex. Forging is done for me. If I can be hacked because of some security hole that Nxt cannot plug (key-loggers, for instance) then, though it's not Nxt's fault, it will hurt adoption and participation. I'm done participating. Just going to sit on the remaining investment and cash out when it reaches a decent price. But I won't be using this system. Going to be sick now. Or punch someone.
"We must be willing to let go of the life we have planned, so as to have the life that is waiting for us." - E.M. Forster NXT: NXT-Z24T-YU6D-688W-EARDT BTC: 19ULeXarogu2rT4dhJN9vhztaorqDC3U7s
ImmortAlex
January 01, 2014, 04:49:58 PM
And I am telling you, for NXT to succeed with the public, irrational psychological issues are going to have to be addressed.

I don't want to have any deals with such kind of public. Want to make them happy? Create "The BiG Nxt Bank", release nice looking plastic cards, offer some nice looking girls to promote, send ads to television... Oh yeah, and don't forget 2FA for your lovely clients when they enter online banking! But let this shit have nothing in common with the good old decentralized network. Let it be just a shiny wrapper for Joe Average.
utopianfuture
Sr. Member
Activity: 602
Merit: 268
Internet of Value
January 01, 2014, 04:52:15 PM
I want to tell the world to never accept a withdrawal from my NXT account. To do this I click a button on my client and go to a special page. I pay a NXT fee and the page generates two numbers, a public key and a private key. I attach the public key to a colored coin. This is my announcement to the world to lock my account...

This can be done with existing functionality. Just create new account, send coins to it and never use this account until NXT costs $500. This is absolutely the same scheme as yours. And it's free.

That's basically what I did. Create an account with very strong pass (even a 160 bit pass is enough). Name it "saving" and transfer all your funds there. Never put the password online again. Nothing can break this account unless they can break down the whole NXT network.

This kills NxT if people can't forge in a secure way. If no-one wants to forge because the system is not secure enough (like having cold wallets), this is wtf.

A node does not need a huge account to back. I could be wrong, but I think a lot of nodes forging is more important than a few huge accounts forging. If you have a big account, that is the risk you have to take: have absolute security or earn some small forging income.
ImmortAlex
January 01, 2014, 04:52:48 PM
Just transferred everything back to Dgex. Forging is done for me. If I can be hacked because of some security hole that Nxt cannot plug (key-loggers, for instance) then, though it's not Nxt's fault, it will hurt adoption and participation.

Hey, what if they hack Dgex? Or the founder of Dgex disappears in the dust?
sparta_cuss
January 01, 2014, 04:56:04 PM
Just transferred everything back to Dgex. Forging is done for me. If I can be hacked because of some security hole that Nxt cannot plug (key-loggers, for instance) then, though it's not Nxt's fault, it will hurt adoption and participation.

Hey, what if they hack Dgex? Or the founder of Dgex disappears in the dust?

Like I said, cashing out as soon as I can. It's like you guys are building a really high-performance car, and then criticizing the roads for being too bumpy and drivers for being unskilled. It's a great car, and it can do amazing things, but if it isn't adapted to the world as it is or drivers as they are (and not as you want them to be), then it will not have widespread adoption.
rickyjames
January 01, 2014, 04:57:02 PM
We have to do more than just say, "Well, if you used a strong password, it wasn't hacked by brute force".

Yeah, these posts are just trolls, if you have a 35 character random password, you are not getting hacked.
If I say it again, do I start an infinite loop here?
I agree they probably didn't get brute force hacked - but it's theoretically possible. Maybe somebody else hit the powerball jackpot - that's theoretically possible, however unlikely, too. Keystroke loggers and Trojans are sure as hell possible.
Having an option to tell the world an account is locked for withdrawals, period, until further notice via a second one-use password, addresses these problems. This option will address a public fear. Calming public worries about NXT is good. Let's do it.
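To make the lock-for-withdrawals idea in the post above concrete, here is an added example (not code from this thread or from NXT) that models it with a hash commitment: locking publishes the SHA-256 of a second secret generated offline, withdrawals are refused while the commitment stands even for someone holding the primary passphrase, and every unlock attempt, right or wrong, lands in a visible event log that a watcher can count. The Account record, event log and function names are my own assumptions, and the hash commitment stands in for the public/private key pair the post describes.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Account:
    """Constructed in-memory stand-in for one NXT-style account record."""
    balance: int
    # SHA-256 of the one-use unlock secret, published when the lock is set.
    # None means withdrawals are allowed (the account is not locked).
    unlock_commitment: Optional[bytes] = None
    # Every lock/unlock event is appended here; it stands in for the public,
    # monitorable blockchain record that the proposal relies on.
    events: list = field(default_factory=list)


def make_unlock_secret():
    """Generate the second, one-use password offline plus its public commitment."""
    secret = secrets.token_bytes(32)
    return secret, hashlib.sha256(secret).digest()


def lock_account(acct: Account, commitment: bytes) -> None:
    """Caller already holds the primary passphrase. Publishing the commitment
    tells the network to refuse withdrawals until its preimage is revealed."""
    acct.unlock_commitment = commitment
    acct.events.append(("lock", True))


def attempt_unlock(acct: Account, revealed_secret: bytes) -> bool:
    """Reveal the secret on-chain. Right or wrong, the attempt is recorded,
    which is what lets a watcher raise an alarm for a locked account."""
    if acct.unlock_commitment is None:
        return False  # nothing to unlock; a stale or replayed reveal is a no-op
    ok = hmac.compare_digest(hashlib.sha256(revealed_secret).digest(),
                             acct.unlock_commitment)
    acct.events.append(("unlock", ok))
    if ok:
        acct.unlock_commitment = None  # secret is spent; relocking needs a new one
    return ok


def withdraw(acct: Account, amount: int) -> bool:
    """The primary passphrase alone is not enough while the lock is in place."""
    if acct.unlock_commitment is not None or amount > acct.balance:
        return False
    acct.balance -= amount
    return True


def failed_unlocks(acct: Account) -> int:
    """What a monitoring node would count to flag an account under attack."""
    return sum(1 for kind, ok in acct.events if kind == "unlock" and not ok)


if __name__ == "__main__":
    savings = Account(balance=147_000)        # constructed sample balance
    secret, commitment = make_unlock_secret()
    lock_account(savings, commitment)
    print(withdraw(savings, 147_000))         # False: locked
    print(attempt_unlock(savings, b"guess"))  # False, and now on the record
    print(attempt_unlock(savings, secret))    # True: lock cleared
    print(withdraw(savings, 1_000), savings.balance, failed_unlocks(savings))
```

The one-use property is what answers the "you still need a pass at some point" objection: the revealed secret is spent on first use, so a keylogger that captures it gets nothing until a fresh commitment has been published.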
brooklynbtc
Sr. Member
Activity: 336
Merit: 250
AKA jefdiesel
January 01, 2014, 04:57:14 PM
I want to tell the world to never accept a withdrawal from my NXT account. To do this I click a button on my client and go to a special page. I pay a NXT fee and the page generates two numbers, a public key and a private key. I attach the public key to a colored coin. This is my announcement to the world to lock my account...

This can be done with existing functionality. Just create new account, send coins to it and never use this account until NXT costs $500. This is absolutely the same scheme as yours. And it's free.

That's basically what I did. Create an account with very strong pass (even a 160 bit pass is enough). Name it "saving" and transfer all your funds there. Never put the password online again. Nothing can break this account unless they can break down the whole NXT network.

This kills NxT if people can't forge in a secure way. If no-one wants to forge because the system is not secure enough (like having cold wallets), this is wtf.

Exactly. Just transferred everything back to Dgex. Forging is done for me. If I can be hacked because of some security hole that Nxt cannot plug (key-loggers, for instance) then, though it's not Nxt's fault, it will hurt adoption and participation. I'm done participating. Just going to sit on the remaining investment and cash out when it reaches a decent price. But I won't be using this system. Going to be sick now. Or punch someone.

hey Sparta_cuss, MUCH LARGER chance Dgex will be hacked. It is not a bank. You are choosing to trust other people with your money. Make a new account, write it in PEN ON PAPER and run anti-keylogging software. Move your Nxt to the new account, send a few coins to your old account to play with. Put the piece of paper in a safe. Save for later.
ImmortAlex
January 01, 2014, 04:57:35 PM
attempts to unlock the account for withdrawals are publicly seen on the blockchain and can be monitored

Okay, let's narrow the problem. What do you mean when you speak of "unlock the account for withdrawal"?