Come-from-Beyond
Legendary
 Offline
Activity: 2142
Merit: 1009
Newbie
|
 |
January 01, 2014, 07:43:09 PM |
|
I've got PaulyC's password. It's uncrackable and matches the account. If he is not trolling then we have 4 explanations:
- Someone cracked SHA256 and Curve25519 (why then multi-million accounts not hacked?)
- Someone distributes modified NRS (someone should decompile PaulyC's software)
- Keylogger
- He used online node that records entered passphrases
|
|
|
|
|
landomata
Legendary
Offline
Activity: 2184
Merit: 1000
|
|
January 01, 2014, 07:46:02 PM |
|
I've got PaulyC's password. It's uncrackable and matches the account. If he is not trolling then we have 4 explanations:
- Someone cracked SHA256 and Curve25519 (why then multi-million accounts not hacked?)
- Someone distributes modified NRS (someone should decompile PaulyC's software)
- Keylogger
- He used online node that records entered passphrases
We haven't looked at this possibility...updating client from the blockchain would solve this. |
|
|
|
utopianfuture
Sr. Member
Offline
Activity: 602
Merit: 268
Internet of Value
|
|
January 01, 2014, 07:46:13 PM |
|
I've got PaulyC's password. It's uncrackable and matches the account. If he is not trolling then we have 4 explanations:
- Someone cracked SHA256 and Curve25519 (why then multi-million accounts not hacked?)
- Someone distributes modified NRS (someone should decompile PaulyC's software)
- Keylogger
- He used online node that records entered passphrases
While I may give PaulyC the benefit of doubt, it can't be ruled out that it is a legit transaction authorized by PaulyC himself. |
|
|
|
Patel
Legendary
Offline
Activity: 1321
Merit: 1007
|
|
January 01, 2014, 07:48:22 PM |
|
Another possibility is that the global mod that went rogue from the nxtforum, he could have changed the download link to a infected copy of NRS and people who used that link from the forum were using a compromised version
|
|
|
|
|
Come-from-Beyond
Legendary
Offline
Activity: 2142
Merit: 1009
Newbie
|
|
January 01, 2014, 07:49:05 PM |
|
doesn't each new passphase entered unlock a new account?
U don't need to unlock an account. This is how I would brute force accounts: 1. Got all non-empty account ids 2. Launched my GPUs (they r unprofitable to mine BTC but still useful) 3. Each GPU generated an account id and checked it matches one of the 7000 already existing ones (repeat zillion times) |
|
|
|
|
Come-from-Beyond
Legendary
Offline
Activity: 2142
Merit: 1009
Newbie
|
|
January 01, 2014, 07:51:22 PM |
|
We haven't looked at this possibility...updating client from the blockchain would solve this.
It's enough to modify only JavaScript part to send entered passphrases to adversary's server. Edit: It's only 10 lines of JS code. |
|
|
|
|
|
EvilDave
|
|
January 01, 2014, 07:51:43 PM |
|
@PaulyC :
Have u scanned yr PC for malware? Trojan/key logger looks like a very good possiblility at this moment.
And how is yr off-line security ? Anyone else have acess to yr PC?
|
|
|
|
|
BloodyRookie
|
|
January 01, 2014, 07:54:48 PM |
|
Wouldn't it be pretty easy to restrict transactions to a specific MAC address? You register a MAC address for your account via a transaction. Only if the MAC address of you computer is the specified one, the transaction is executed. Just an idea.
|
Nothing Else Matters
NEM: NALICE-LGU3IV-Y4DPJK-HYLSSV-YFFWYS-5QPLYE-ZDJJ
NXT: 11095639652683007953
|
|
|
Come-from-Beyond
Legendary
Offline
Activity: 2142
Merit: 1009
Newbie
|
|
January 01, 2014, 07:56:24 PM |
|
Wouldn't it be pretty easy to restrict transactions to a specific MAC address? You register a MAC address for your account via a transaction. Only if the MAC address is the specified one, the transaction is executed. Just an idea.
It's impossible. |
|
|
|
|
landomata
Legendary
Offline
Activity: 2184
Merit: 1000
|
|
January 01, 2014, 07:57:15 PM |
|
We haven't looked at this possibility...updating client from the blockchain would solve this.
It's enough to modify only JavaScript part to send entered passphrases to adversary's server. Edit: It's only 10 lines of JS code. so how do we protect again this. |
|
|
|
laowai80
Member
Offline
Activity: 98
Merit: 10
|
|
January 01, 2014, 07:57:20 PM |
|
- Someone cracked SHA256 and Curve25519 (why then multi-million accounts not hacked?)
- Someone distributes modified NRS (someone should decompile PaulyC's software)
- Keylogger
- He used online node that records entered passphrases
0.0000000000000000001% 1-10% 80-90% 1-10% about that kind of probability for each explanation. Keylogger is the main suspect of course. |
|
|
|
|
|
PaulyC
|
|
January 01, 2014, 07:57:23 PM |
|
I agree it could be any of those 4 reasons CfB gave, but curiously why hasn't the hacker or whoever done anything with those stolen NXT? Isn't that a weird behavior or? just so we don't go on a tangent here, this is the client I used. 4.8 https://nextcoin.org/index.php/topic,4.0.htmlnxt-client-0.4.8.zip |
Doge Mars Landing Foundation
(founder) Coined the phrase, "Doge to the Mars" and "Check that Hash!". Discoverer of the 2013 NXT nefarious wallet. Admin. FameMom [FAMOM]
|
|
|
ferment
Full Member
Offline
Activity: 168
Merit: 100
IDEX - LIVE Real-time DEX
|
|
January 01, 2014, 07:57:31 PM |
|
price on dgex to da moon!
if litecoin is a chikun. what's nxt? |
|
|
|
laowai80
Member
Offline
Activity: 98
Merit: 10
|
|
January 01, 2014, 07:58:56 PM |
|
price on dgex to da moon!
if litecoin is a chikun. what's nxt? chikun killer, by summer for sure ) |
|
|
|
|
|
BloodyRookie
|
|
January 01, 2014, 07:59:41 PM |
|
Wouldn't it be pretty easy to restrict transactions to a specific MAC address? You register a MAC address for your account via a transaction. Only if the MAC address is the specified one, the transaction is executed. Just an idea.
It's impossible. why? |
Nothing Else Matters
NEM: NALICE-LGU3IV-Y4DPJK-HYLSSV-YFFWYS-5QPLYE-ZDJJ
NXT: 11095639652683007953
|
|
|
landomata
Legendary
Offline
Activity: 2184
Merit: 1000
|
|
January 01, 2014, 08:02:10 PM |
|
Keylogger is the main suspect of course.
There is really no way to protect against keyloggers except proper vigilance....yet malware is still everywhere and not going away anytime soon. This is where Rickyjames/Opti-carriers idea comes in handy |
|
|
|
intel
Member
Offline
Activity: 98
Merit: 10
|
|
January 01, 2014, 08:03:24 PM |
|
offline mining of all NXT accounts in parallel
problem gets worse the more NXT accounts there are
this attracts more hackers the more NXT is worth
This will create an equilibrium effect like a boat anchor to a hot air balloon. The more NXT succeeds, the more it will be hacked.
CfB, tell me there is a solution that is more effective than the user needs to not be unlucky
James
I can tell you some ideas. Currently there is only a password. Lets also add login field when registering for account access. This 'll require NO changes in protocol: FINALPASSWORD = [LOGIN][PASSWORD] So, even password "Alisa" 'll be quite secure when using with login "mrbober777", so the final password is "mrbober777Alisa" which is much more protected thay plain "Alisa". Attacker should spend MUCH more resources for brute-forcing passwords with a login added to the password field. CfB ? |
|
|
|
|
BloodyRookie
|
|
January 01, 2014, 08:04:11 PM |
|
I've got PaulyC's password. It's uncrackable and matches the account. If he is not trolling then we have 4 explanations:
- Someone cracked SHA256 and Curve25519 (why then multi-million accounts not hacked?)
- Someone distributes modified NRS (someone should decompile PaulyC's software)
- Keylogger
- He used online node that records entered passphrases
He should calculate the SHA256 Hash of the class files, no need to decompile. |
Nothing Else Matters
NEM: NALICE-LGU3IV-Y4DPJK-HYLSSV-YFFWYS-5QPLYE-ZDJJ
NXT: 11095639652683007953
|
|
|
2X84
Newbie
Offline
Activity: 28
Merit: 0
|
|
January 01, 2014, 08:04:30 PM |
|
Wouldn't it be pretty easy to restrict transactions to a specific MAC address? You register a MAC address for your account via a transaction. Only if the MAC address of you computer is the specified one, the transaction is executed. Just an idea.
Even if it were possible I'm afraid that would cause more problems than it would solve  ... |
|
|
|
|
|
rickyjames
|
|
January 01, 2014, 08:04:35 PM |
|
- Someone cracked SHA256 and Curve25519 (why then multi-million accounts not hacked?)
- Someone distributes modified NRS (someone should decompile PaulyC's software)
- Keylogger
- He used online node that records entered passphrases
0.0000000000000000001% 1-10% 80-90% 1-10% about that kind of probability for each explanation. Keylogger is the main suspect of course. I totally agree with these ballpark estimates. I would note that if my proposed public / private key account freeze page were implemented in the client, it would be virtually immune to a keylogger since the private part of the unfreeze key would be written down manually, and the one time it's typed in is to unlock the account anyway. Presumably the user would send NXT out of a high value account and immediately refreeze it once the transaction was gone. Tho just to stay paranoid, there's also screengrab loggers that could get a visual unfreeze private key in my scheme... |
|
|
|
|
|
