Bitcoin Forum
Author Topic: NXT :: descendant of Bitcoin - Updated Information  (Read 2761542 times)
rickyjames
January 01, 2014, 08:23:48 PM
 #11981

OK, look, I'm not a heavy hitter coder to pitch in and help here, and I wish I was.  But this security stuff is serious with major psychological/political overtones for the acceptance of NXT.  I really want to get a consensus here on a proposed course of action.  Many pages back on this thread there was a prioritized list of what was to be added to NXT in the way of features.  Where does my proposed account withdrawal freeze code idea (or something similar) rank on this in the eyes of the community, and what is the path we take to either reject it from consideration as an add-on or agree that yes, it will be implemented?

Not trying to be pushy, I just think this is too important to let it fade out when we go off chasing the next squirrel topic ten pages from now (an allusion to the dog in Up).

Would your solution help from keyloggers and trojans?

I think that if you requested withdrawals from your account be frozen until you reenter the private key code, and the client software generates internally and displays to you that private key code for you to write down on paper with a pencil for use at a later date, then yes, I do not see how either a keylogger or a Trojan could get the private key unfreeze code.  
Come-from-Beyond
January 01, 2014, 08:24:19 PM
 #11982


Hey CfB... shouldn't Page 1 client download link agree with the one given by Jean-Luc?

Thought I had this under control... but getting confused myself.   Huh

Since we all respect your opinion, please inform where we should be downloading the client from.

thnx   Smiley

We can download client from anywhere. Just make sure SHA256 checksum matches the one provided by Jean-Luc.
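
The check described in the reply above, as an added example that is not part of the original thread or the Nxt project's code: a Python script that hashes the downloaded file and compares it with the digest text pasted from the developer's post. The function names and the command-line usage are assumptions made for illustration; the published digest has to be copied from Jean-Luc's post rather than from the site hosting the download.

```python
import hashlib
import hmac
import re
import sys

# A SHA-256 digest is exactly 64 hex digits; \b rejects longer hex runs.
HEX64 = re.compile(r"\b[0-9a-fA-F]{64}\b")


def extract_digest(published: str) -> str:
    """Pull exactly one SHA-256 digest out of pasted text.

    Accepts a bare digest, 'sha256: <hex>', or the sha256sum layout
    '<hex>  file.zip'. A truncated digest or two different digests in
    the same paste raise ValueError instead of being guessed at.
    """
    found = {m.lower() for m in HEX64.findall(published)}
    if len(found) != 1:
        raise ValueError(f"expected one 64-hex-digit digest, found {len(found)}")
    return found.pop()


def file_sha256(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash the file in chunks so a large archive is not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path: str, published: str) -> bool:
    """True only if the file's digest equals the published one."""
    expected = extract_digest(published)
    return hmac.compare_digest(file_sha256(path), expected)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: verify.py <downloaded file> <published digest text>")
    ok = verify_download(sys.argv[1], sys.argv[2])
    print("OK: digest matches" if ok else "MISMATCH: do not run this file")
    sys.exit(0 if ok else 1)
```

A match only shows that the file is the one the digest was computed over, so the result is as trustworthy as the channel the digest was copied from.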
BloodyRookie
January 01, 2014, 08:24:33 PM
 #11983

Wouldn't it be pretty easy to restrict transactions to a specific MAC address? You register a MAC address for your account via a transaction. Only if the MAC address is the specified one, the transaction is executed. Just an idea.

It's impossible.

why?

Coz it's unknown what MAC address a transaction was sent from.

No, you misunderstood me. I don't claim that other nodes have to verify the MAC address. It's just a test that the server on your computer locally performs before he releases the transaction to other nodes. The MAC address is a fingerprint of the device you are using to send nxt coins.

Edit: OK, I think I see your point.

Nothing Else Matters
NEM: NALICE-LGU3IV-Y4DPJK-HYLSSV-YFFWYS-5QPLYE-ZDJJ
NXT: 11095639652683007953
laowai80
January 01, 2014, 08:25:10 PM
 #11984


I think that if you requested withdrawals from your account be frozen until you reenter the private key code, and the client software generates internally and displays to you that private key code for you to write down on paper with a pencil for use at a later date, then yes, I do not see how either a keylogger or a Trojan could get the private key unlock code.  

There are remote control trojans that can print screen and send it to the hacker.
nadrimajstor
January 01, 2014, 08:27:01 PM
 #11985

Coz it's unknown what MAC address a transaction was sent from.
And nobody ever spoofed a MAC address.  Grin
opticalcarrier
January 01, 2014, 08:27:23 PM
 #11986

I agree it could be any of those 4 reasons CfB gave, but curiously why hasn't the hacker or whoever done anything with those stolen NXT? Isn't that a weird behavior or?

just so we don't go on a tangent here,
this is the client I used.
4.8
https://nextcoin.org/index.php/topic,4.0.html

nxt-client-0.4.8.zip

Hmm... post by Drexme.

The SHA256 Hash from the forum file is the same as the SHA256 Hash from the zip I used. That file is ok.

well the link could have been changed since his download.  but most likely not.  to be 100% sure paulyc will need to get the .zip from his PC's download folder and post it for us.

But most likely it was either a keylogger or he put his password into a remote node, with the latter being most likely IMO.
Come-from-Beyond
January 01, 2014, 08:28:05 PM
 #11987

Nobody prepends now, but with an additional login field, they'll be forced to prepend.

And they'll be entering 1234 into the login field all the time Smiley
landomata
January 01, 2014, 08:28:19 PM
 #11988


We can download client from anywhere. Just make sure SHA256 checksum matches the one provided by Jean-Luc.

not everyone can run this setup

2X84
Newbie
*
Offline Offline

Activity: 28
Merit: 0


View Profile
January 01, 2014, 08:28:33 PM
 #11989

Could someone with an updated blockchain check on my account for me?

5341635214821841695

I'm in a developing country at the moment  Undecided...

It would be very much appreciated as the explorer is still down.
laowai80
January 01, 2014, 08:29:22 PM
 #11990


We can download client from anywhere. Just make sure SHA256 checksum matches the one provided by Jean-Luc.

not everyone can run this setup

by the way, there are new custom automatic installer packages coming into light every day, I am sure nobody is checking those before recommending Smiley
Come-from-Beyond
January 01, 2014, 08:30:24 PM
 #11991

Could someone with an updated blockchain check on my account for me?

5341635214821841695

I'm in a developing country at the moment  Undecided...

It would be very much appreciated as the explorer is still down.

{"balance":350997600,"effectiveBalance":350997600,"unconfirmedBalance":350997600}
opticalcarrier
January 01, 2014, 08:30:46 PM
 #11992

Could someone with an updated blockchain check on my account for me?

5341635214821841695

I'm in a developing country at the moment  Undecided...

It would be very much appreciated as the explorer is still down.

http://localhost:7874/nxt?requestType=getBalance&account=5341635214821841695
or
http://22k.io/-account/5341635214821841695
2X84
January 01, 2014, 08:34:07 PM
 #11993

Could someone with an updated blockchain check on my account for me?

5341635214821841695

I'm in a developing country at the moment  Undecided...

It would be very much appreciated as the explorer is still down.

http://localhost:7874/nxt?requestType=getBalance&account=5341635214821841695
or
http://22k.io/-account/5341635214821841695
Thanks CFB and Optical, I almost had a heart attack when I heard about the hack.
rickyjames
January 01, 2014, 08:35:10 PM
 #11994


I think that if you requested withdrawals from your account be frozen until you reenter the private key code, and the client software generates internally and displays to you that private key code for you to write down on paper with a pencil for use at a later date, then yes, I do not see how either a keylogger or a Trojan could get the private key unlock code.  

There are remote control trojans that can print screen and send it to the hacker.

This is true.  I suggest the client software could display it as an animated gif perhaps  with random 3 to 5 second intervals between key fragment displays, so that a single screen grab or even multiple screen grabs wouldn't get it.  Whereupon the Trojan could be written to...

We can go a long way down this hall of mirrors.  I still think it is worthwhile to implement user account withdrawal freeze codes as I have described in the blockchain, for the psychological comfort aspect as well as the undeniable increased security aspect, hypothetical screengrabber Trojans or no.  

I will keep parrying about if this then that if you want.  Deciding as a community whether or not  to actually implement it is a completely separate issue that I still would like resolution upon.

intel
January 01, 2014, 08:35:48 PM
 #11995

Nobody prepends now, but with an additional login field, they'll be forced to prepend.

And they'll be entering 1234 into the login field all the time Smiley

Most people will not. Better than nothing Smiley Requires only UI JS changes.

landomata
January 01, 2014, 08:36:20 PM
 #11996


We can download client from anywhere. Just make sure SHA256 checksum matches the one provided by Jean-Luc.

not everyone can run this setup


Please expand landomata.

meaning the average user shouldn't have to run this check.

Edit: there should be one secured official source for client updates...preferably Blockchain to clients

laowai80
January 01, 2014, 08:39:44 PM
 #11997

Isn't the party line not to use the word 'official' any more?  Cheesy
intel
January 01, 2014, 08:41:00 PM
 #11998

Isn't the party line not to use the word 'official' any more?  Cheesy

Ignoring official download locations may lead to heart-attacks and loss of trust.

Jean-Luc
January 01, 2014, 08:41:18 PM
 #11999

I literally saw my client a few moments after it happened (it was open) so how this happened is odd!

My actual User account that has been stolen from is
NXT
16821029889165561706
I don't have any idea how this may have happened either. Just wanted to confirm, at the moment the theft happened your client was running and you had the browser window opened, and your account was unlocked (you were seeing your balance and the "send money" arrow), is that all correct?

Just trying to differentiate the possibilities, whether the hacker obtained your password via brute-force or some other way and initiated the transaction from another machine, or somehow your own machine was tricked to initiate the transaction.

And you were running 0.4.8 at the time, right? I added the second check for secret phrase before send money exactly to increase security, so that even if your account is unlocked in the browser you still need to enter your password again.

Another question, did you generate your random-looking password using some software - password manager, online service, or created it manually by typing at random?

lead Nxt developer, gpg key id: 0x811D6940E1E4240C
Nxt blockchain platform | Ardor blockchain platform | Ignis ICO
utopianfuture
January 01, 2014, 08:41:29 PM
 #12000

How to check SHA256 checksum? And what should I expect? I want to check my client right now.

