notsoshifty
|
|
January 01, 2014, 07:21:15 PM |
|
@Cfb
Good point, is it the consensus of the forum folk, I should do this? haha
sorry seems crazy but everything I said is true, so I have nothing to hide.
I'm just thinking what if someday say someone develops a way and people agree aliases should be transferable, and the hacker just happens to be sleeping when it is announced, and I'm able to transfer my aliases!? just wondering.? hope hope.
Your reasons are valid, and I don't see why you should be asked to put your password on a public forum. The very most you should be expected to do is send it to a trusted third party (e.g. c-f-b), who can verify that e.g. i) your password does indeed equate to your accountId, and ii) it looks like a nice long randomish password.
|
|
|
|
Vega
|
|
January 01, 2014, 07:22:29 PM |
|
I would say, the future policy on hack claims should be: No password revealed = no hack happened. Everyone can say they were hacked, prove it. Otherwise, hundreds of black PR artists all could claim they were hacked and post some obscure transaction.
Making them reveal the password doesn't help if they really have (had) Nxt, not just picking a random account/transaction for black PR. Anyone who has Nxt can transfer them to a new account and say they've been hacked, revealing the password won't disprove that. (Just for the record I believe PaulyC, not sure about the other guy.) Edit: Of course revealing the password is also a good way to make sure they are truthful about the strong enough password claim.
|
|
|
|
laowai80
|
|
January 01, 2014, 07:22:51 PM |
|
Your reasons are valid, and I don't see why you should be asked to put your password on a public forum. The very most you should be expected to do is send it to a trusted third party (e.g. c-f-b), who can verify that e.g. i) your password does indeed equate to your accountId, and ii) it looks like a nice long randomish password.
What if not everyone trusts that trusted third-party and still will believe the account was hacked or not. The password should be in public.
|
|
|
|
joefox
|
|
January 01, 2014, 07:23:44 PM |
|
Damelon and I both had the same impulse and created an "account security" page for passphrase generation warnings. I've merged his and mine together here: http://wiki.nxtcrypto.org/wiki/Account_Security
It's intended to be written for laypeople, so I stayed away from math (even though it pains me to say so). Frankly, I think I may have tipped the balance too far into "you WILL be robbed" territory, but I'd rather make people paranoid than have too many more folks using "boobs" as a password. At this point, the How To Create Account page is littered with warnings (and, I hope, TOOLS to manage the issue).
|
|
|
|
Come-from-Beyond
|
|
January 01, 2014, 07:23:48 PM |
|
What's a legit DDoS attack? You mean newcomers doing something legit all at the same time and overloading the network?
Or hackers DDoSing the network when newcomers try new features to show NXT in unfavorable light?
Just a lot of users overloading public nodes. Game publishing companies face this problem each time they launch an online game.
|
|
|
|
rickyjames
|
|
January 01, 2014, 07:24:37 PM |
|
offline mining of all NXT accounts in parallel problem gets worse the more NXT accounts there are this attracts more hackers the more NXT is worth This will create an equilibrium effect like a boat anchor to a hot air balloon. The more NXT succeeds, the more it will be hacked.
CfB, tell me there is a solution that is more effective than the user needs to not be unlucky
James
If they can do this with NXT why can't they do it with Bitcoin? You can take bitcoin offline and put it in a safe deposit box with an airgap disconnected from the internet. Not everybody does this, but IT IS AN AVAILABLE OPTION. We need a similar available option.
|
|
|
|
Come-from-Beyond
|
|
January 01, 2014, 07:26:48 PM |
|
Making them reveal the password doesn't help if they really have (had) Nxt, not just picking a random account/transaction for black PR. Anyone who has Nxt can transfer them to a new account and say they've been hacked, revealing the password won't disprove that.
I've already seen 2 trolls who were too lazy to create accounts with secure passwords in advance. They just stated that they were hacked but were unable to provide passwords that would match account ids.
|
|
|
|
User705
|
|
January 01, 2014, 07:28:28 PM |
|
I think this is the wrong way. What we need are clients that forge seamlessly, so even though the chance of winning will be minuscule, there will be no cost to forging, no barrier to entry so people will do it anyway. People pay to play the lottery now don't they? This lottery would be free to play, I think there is definitely some appeal there for users.
BCNext was forced to offer such the way coz small stakeholders won't bother with forging due to very high variation. Less coins forge - cheaper attacks. I don't really like pools for forging. This is like one step back to centralized system. I know we need to do something to allow small stakeholders to forge and get fees everyday, but not this way.
But why? Small stakeholders can forge now and the odds are appropriately lower. Large balance forgers are taking larger risks so their rewards should be larger as well.
|
|
|
|
PaulyC
|
|
January 01, 2014, 07:28:38 PM |
|
Ok I'll PM Cfb the PW, honestly I would like that he didn't post it as of yet, maybe there is something goofy going on that can be remedied? will be someway to get my coins back or retain my aliases, I would hope!. btw. I in no way condone giving up a PW ever, believe me I'm crazy secure about it, and I don't want comments about well if he'll PM his PW then he must be loose with it!.. argh. but if it can help catch that mofo! haha I know that's not likely..not.
|
Doge Mars Landing Foundation (founder) Coined the phrase, "Doge to the Mars" and "Check that Hash!". Discoverer of the 2013 NXT nefarious wallet. Admin. FameMom [FAMOM]
|
|
|
landomata
|
|
January 01, 2014, 07:29:32 PM |
|
Quick question on the theft issue:
If someone is just running a brute force attack on the whole NXT network attempting to hit the jackpot, won't this activity be very visible in the blockchain? Way I see it, every password generated by the brute force attack will create an account. Can anyone (with more skillz than me) have a look at the account creation (possibly vs IP address) stats and see if something weird is showing up?
You mean account spikes?.....in a linear fashion....as if someone was artificially opening accounts in a fixed amount across a specific time interval?
|
|
|
|
utopianfuture
|
|
January 01, 2014, 07:30:19 PM |
|
Ok I'll PM Cfb the PW, honestly I would like that he didn't post it as of yet, maybe there is something goofy going on that can be remedied? will be someway to get my coins back or retain my aliases, I would hope!. btw. I in no way condone giving up a PW ever, believe me I'm crazy secure about it, and I don't want comments about well if he'll PM his PW then he must be loose with it!.. argh. but if it can help catch that mofo! haha I know that's not likely..not.
Where did you download the client? Is it a trusted source? This could be a potential leak of security.
|
|
|
|
Zahlen
|
|
January 01, 2014, 07:31:23 PM |
|
@PaulyC:
maybe it wasn't a hack. Could it have been an address collision (even if statistically unlikely), from two different passwords that lead to the same account number?
|
|
|
|
Come-from-Beyond
|
|
January 01, 2014, 07:32:03 PM |
|
You mean account spikes?.....in a linear fashion....as if someone was artificially opening accounts in a fixed amount across a specific time interval?
Nxt (and Bitcoin) doesn't work such the way.
|
|
|
|
landomata
|
|
January 01, 2014, 07:32:30 PM |
|
Quick question on the theft issue:
If someone is just running a brute force attack on the whole NXT network attempting to hit the jackpot, won't this activity be very visible in the blockchain? Way I see it, every password generated by the brute force attack will create an account. Can anyone (with more skillz than me) have a look at the account creation (possibly vs IP address) stats and see if something weird is showing up?
The account will not show up in the blockchain before a transaction is made. So it would be impossible to track account creation..as all passphrase attempts will unlock one account....each time a different passphrase is entered
|
|
|
|
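The check discussed in this thread (a verifier confirming that a passphrase maps to a claimed account ID and looks long and random), as an added example that is not part of any post. It assumes the derivation used by the Nxt reference client, which the thread does not spell out: SHA-256 of the passphrase as the Curve25519 private key, and the account ID as the first 8 bytes of SHA-256 of the public key read little-endian; the function names and the sample passphrase are constructed for illustration.

```python
import hashlib, math, string

P = 2**255 - 19   # Curve25519 field prime
A24 = 121665      # ladder constant from RFC 7748

def x25519_base(scalar: bytes) -> bytes:
    """Clamp a 32-byte scalar and multiply the base point u=9 (not constant-time)."""
    k = bytearray(scalar)
    k[0] &= 248; k[31] &= 127; k[31] |= 64
    k = int.from_bytes(k, "little")
    x1, x2, z2, x3, z3, swap = 9, 1, 0, 9, 1, 0
    for t in reversed(range(255)):
        bit = (k >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b, c, d = (x2 + z2) % P, (x2 - z2) % P, (x3 + z3) % P, (x3 - z3) % P
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        e = (aa - bb) % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def account_id(passphrase: str) -> int:
    """Assumed scheme: no salt, no stretching, nothing touches the network."""
    private_key = hashlib.sha256(passphrase.encode("utf-8")).digest()
    public_key = x25519_base(private_key)
    return int.from_bytes(hashlib.sha256(public_key).digest()[:8], "little")

def entropy_upper_bound(passphrase: str) -> float:
    """Bits only if every character was drawn uniformly from the classes present."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation + " ")
    pool = sum(len(c) for c in classes if any(ch in c for ch in passphrase))
    return len(passphrase) * math.log2(pool) if pool else 0.0

def verify_claim(passphrase: str, claimed_id: int) -> dict:
    """What a trusted verifier can report without publishing the passphrase."""
    return {"matches_account": account_id(passphrase) == claimed_id,
            "length": len(passphrase),
            "entropy_upper_bound_bits": round(entropy_upper_bound(passphrase), 1)}

# Constructed sample: a 34-character random-looking passphrase, not a real account.
SAMPLE = "k7#Qz!m2Vx9@pLr4Ws8&Tn3Yb6^Hd1Gf5*"
REPORT = verify_claim(SAMPLE, account_id(SAMPLE))
```

Because the derivation runs entirely offline, the passphrase's real entropy is the account's only protection; the figure reported here is an upper bound that a human-chosen passphrase will not reach.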
PaulyC
|
|
January 01, 2014, 07:32:36 PM |
|
Yes I was wondering the same thing. from nextcoin.org 4.8 this version.. https://nextcoin.org/index.php/topic,4.0.html
I PMd Cfb my password, I recounted it's 34 randoms. anyways..
|
|
|
|
S3MKi
|
|
January 01, 2014, 07:33:54 PM |
|
price on dgex to da moon!
|
|
|
|
notsoshifty
|
|
January 01, 2014, 07:34:02 PM |
|
What if not everyone trusts that trusted third-party and still will believe the account was hacked or not. The password should be in public.
Everybody trusts c-f-b! In this situation, I don't see huge tangible benefits to the hackee of putting his/her password in public; whereas keeping the password out of a public forum may still save the aliases. The hacker might be offline if/when alias transfer is enabled (and, indeed, sitting on a tropical beach or a private yacht not caring about a few aliases). The hacker might have discarded the password. Or maybe never had it; who's to say the hacker's hacking tools ever actually send the password back to him?
|
|
|
|
laowai80
|
|
January 01, 2014, 07:34:35 PM |
|
Someone's buying up all NXTs they can get their greedy hands on at dgex despite all this hack talk too.
|
|
|
|
landomata
|
|
January 01, 2014, 07:37:36 PM |
|
You mean account spikes?.....in a linear fashion....as if someone was artificially opening accounts in a fixed amount across a specific time interval?
Nxt (and Bitcoin) doesn't work such the way.
Doesn't each new passphrase entered unlock a new account?
|
|
|
|
PaulyC
|
|
January 01, 2014, 07:37:55 PM |
|
What if not everyone trusts that trusted third-party and still will believe the account was hacked or not. The password should be in public.
Everybody trusts c-f-b! In this situation, I don't see huge tangible benefits to the hackee of putting his/her password in public; whereas keeping the password out of a public forum may still save the aliases. The hacker might be offline if/when alias transfer is enabled (and, indeed, sitting on a tropical beach or a private yacht not caring about a few aliases). The hacker might have discarded the password. Or maybe never had it; who's to say the hacker's hacking tools ever actually send the password back to him?
That's my exact same thoughts, maybe I can salvage something here!
|
|
|
|
|