rickyjames
January 01, 2014, 08:23:48 PM
OK, look, I'm not a heavy hitter coder to pitch in and help here, and I wish I was. But this security stuff is serious with major psychological/political overtones for the acceptance of NXT. I really want to get a consensus here on a proposed course of action. Many pages back on this thread there was a prioritized list of what was to be added to NXT in the way of features. Where does my proposed account withdrawal freeze code idea (or something similar) rank on this in the eyes of the community, and what is the path we take to either reject it from consideration as an add-on or agree that yes, it will be implemented?
Not trying to be pushy, I just think this is too important to let it fade out when we go off chasing the next squirrel topic ten pages from now (an allusion to the dog in Up).
Would your solution help against keyloggers and trojans? I think that if you requested withdrawals from your account be frozen until you reenter the private key code, and the client software generates internally and displays to you that private key code for you to write down on paper with a pencil for use at a later date, then yes, I do not see how either a keylogger or a Trojan could get the private key unfreeze code.

Come-from-Beyond
January 01, 2014, 08:24:19 PM
Hey CfB... shouldn't Page 1 client download link agree with the one given by Jean-Luc? Thought I had this under control... but getting confused myself. Since we all respect your opinion, please inform where we should be downloading the client from. thnx We can download client from anywhere. Just make sure SHA256 checksum matches the one provided by Jean-Luc.

BloodyRookie
January 01, 2014, 08:24:33 PM
Wouldn't it be pretty easy to restrict transactions to a specific MAC address? You register a MAC address for your account via a transaction. Only if the MAC address is the specified one, the transaction is executed. Just an idea.
It's impossible. Why? Coz it's unknown what MAC address a transaction was sent from. No, you misunderstood me. I don't claim that other nodes have to verify the MAC address. It's just a test that the server on your computer locally performs before it releases the transaction to other nodes. The MAC address is a fingerprint of the device you are using to send nxt coins. Edit: OK, I think I see your point.
Nothing Else Matters NEM: NALICE-LGU3IV-Y4DPJK-HYLSSV-YFFWYS-5QPLYE-ZDJJ NXT: 11095639652683007953

laowai80
January 01, 2014, 08:25:10 PM
I think that if you requested withdrawals from your account be frozen until you reenter the private key code, and the client software generates internally and displays to you that private key code for you to write down on paper with a pencil for use at a later date, then yes, I do not see how either a keylogger or a Trojan could get the private key unlock code.
There are remote control trojans that can print screen and send it to the hacker.

nadrimajstor
January 01, 2014, 08:27:01 PM
Coz it's unknown what MAC address a transaction was sent from.
And nobody ever spoofed a MAC address.

opticalcarrier
January 01, 2014, 08:27:23 PM
I agree it could be any of those 4 reasons CfB gave, but curiously why hasn't the hacker or whoever done anything with those stolen NXT? Isn't that a weird behavior or?
Just so we don't go on a tangent here, this is the client I used. 4.8 https://nextcoin.org/index.php/topic,4.0.html nxt-client-0.4.8.zip
Hmm... post by Drexme. The SHA256 Hash from the forum file is the same as the SHA256 Hash from the zip I used. That file is ok.
Well, the link could have been changed since his download, but most likely not. To be 100% sure paulyc will need to get the .zip from his PC's download folder and post it for us. But most likely it was either a keylogger or he put his password into a remote node, with the latter being most likely IMO.

Come-from-Beyond
January 01, 2014, 08:28:05 PM
Nobody prepends now, but with an additional login field, they'll be forced to prepend.
And they'll be entering 1234 into the login field all the time.

landomata
January 01, 2014, 08:28:19 PM
We can download client from anywhere. Just make sure SHA256 checksum matches the one provided by Jean-Luc.
not everyone can run this setup

2X84
January 01, 2014, 08:28:33 PM
Could someone with an updated blockchain check on my account for me? 5341635214821841695 I'm in a developing country at the moment ... It would be very much appreciated as the explorer is still down.

laowai80
January 01, 2014, 08:29:22 PM
We can download client from anywhere. Just make sure SHA256 checksum matches the one provided by Jean-Luc.
not everyone can run this setup
By the way, there are new custom automatic installer packages coming into light every day; I am sure nobody is checking those before recommending.

Come-from-Beyond
January 01, 2014, 08:30:24 PM
Could someone with an updated blockchain check on my account for me? 5341635214821841695 I'm in a developing country at the moment ... It would be very much appreciated as the explorer is still down.
{"balance":350997600,"effectiveBalance":350997600,"unconfirmedBalance":350997600}

2X84
January 01, 2014, 08:34:07 PM
Thanks CFB and Optical, I almost had a heart attack when I heard about the hack.

rickyjames
January 01, 2014, 08:35:10 PM
I think that if you requested withdrawals from your account be frozen until you reenter the private key code, and the client software generates internally and displays to you that private key code for you to write down on paper with a pencil for use at a later date, then yes, I do not see how either a keylogger or a Trojan could get the private key unlock code.
There are remote control trojans that can print screen and send it to the hacker. This is true. I suggest the client software could display it as an animated gif perhaps with random 3 to 5 second intervals between key fragment displays, so that a single screen grab or even multiple screen grabs wouldn't get it. Whereupon the Trojan could be written to... We can go a long way down this hall of mirrors. I still think it is worthwhile to implement user account withdrawal freeze codes as I have described in the blockchain, for the psychological comfort aspect as well as the undeniable increased security aspect, hypothetical screengrabber Trojans or no. I will keep parrying about if this then that if you want. Deciding as a community whether or not to actually implement it is a completely separate issue that I still would like resolution upon.

intel
January 01, 2014, 08:35:48 PM
Nobody prepends now, but with an additional login field, they'll be forced to prepend.
And they'll be entering 1234 into the login field all the time.
Most people will not. Better than nothing. Requires only UI JS changes.

landomata
January 01, 2014, 08:36:20 PM
We can download client from anywhere. Just make sure SHA256 checksum matches the one provided by Jean-Luc.
not everyone can run this setup
Please expand landomata.
Meaning the average user shouldn't have to run this check. Edit: there should be one secured official source for client updates... preferably blockchain to clients.

laowai80
January 01, 2014, 08:39:44 PM
Isn't the party line not to use the word 'official' any more?

intel
January 01, 2014, 08:41:00 PM
Isn't the party line not to use the word 'official' any more?
Ignoring official download locations may lead to heart attacks and loss of trust.

Jean-Luc
January 01, 2014, 08:41:18 PM
I literally saw my client a few moments after it happened (it was open) so how this happened is odd!
My actual User account that has been stolen from is NXT 16821029889165561706
I don't have any idea how this may have happened either. Just wanted to confirm: at the moment the theft happened your client was running and you had the browser window opened, and your account was unlocked (you were seeing your balance and the "send money" arrow), is that all correct? Just trying to differentiate the possibilities, whether the hacker obtained your password via brute-force or some other way and initiated the transaction from another machine, or somehow your own machine was tricked to initiate the transaction. And you were running 0.4.8 at the time, right? I added the second check for secret phrase before send money exactly to increase security, so that even if your account is unlocked in the browser you still need to enter your password again. Another question, did you generate your random-looking password using some software - password manager, online service, or created it manually by typing at random?

utopianfuture
January 01, 2014, 08:41:29 PM
How to check the SHA256 checksum? And what should I expect? I want to check my client right now.
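As an added example that is not part of the thread and not the NXT client's own code: a small POSIX shell script that does what the question above asks and what CfB recommended earlier (check that the SHA256 checksum of the downloaded client zip matches the one Jean-Luc published). The file name nxt-client-0.4.8.zip is taken from opticalcarrier's post; the expected checksum must be copied from Jean-Luc's post, so the script uses a placeholder there. The demo at the bottom runs on a constructed temporary file whose SHA-256 digest is well known, so it works offline.

```shell
#!/bin/sh
# Added example (not from the thread): verify that a downloaded client archive
# matches a published SHA256 checksum before unpacking or running it.
# Usage: verify_sha256 <file> <expected-hex-digest>
# Exit status: 0 = match, 1 = mismatch, 2 = file missing or no SHA-256 tool found.

sha256_of() {
    # Print the hex SHA-256 digest of a file, using whichever tool the system has.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    elif command -v openssl >/dev/null 2>&1; then
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    else
        echo "no SHA-256 tool available (sha256sum, shasum or openssl)" >&2
        return 2
    fi
}

verify_sha256() {
    file=$1
    # Published checksums are sometimes posted in upper case; compare case-insensitively.
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 2; }
    actual=$(sha256_of "$file") || return 2
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches $expected"
        return 0
    else
        # A mismatch means a different (possibly tampered or corrupted) download:
        # do not run it, fetch it again and compare against the published value.
        echo "MISMATCH: $file" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        return 1
    fi
}

# Stand-alone demo on a constructed file: the SHA-256 of the bytes "hello\n"
# is a well-known value, so this shows the OK path without any download.
demo=$(mktemp)
printf 'hello\n' > "$demo"
verify_sha256 "$demo" 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
rm -f "$demo"

# Real use (placeholder checksum; paste the one from Jean-Luc's post):
# verify_sha256 nxt-client-0.4.8.zip <CHECKSUM_FROM_JEAN_LUCS_POST>
```

The value you should expect is whatever Jean-Luc posted next to the release; the script only tells you whether your copy matches that value. Note that it cannot help against the case laowai80 raises, a third-party installer that was never published with a checksum, since there is then nothing trustworthy to compare against.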