intel
January 01, 2014, 08:41:00 PM
> Isn't the party line not to use the word 'official' any more?

Ignoring official download locations may lead to heart-attacks and loss of trust.

Jean-Luc
January 01, 2014, 08:41:18 PM
> I literally saw my client a few moments after it happened (it was open) so how this happened is odd!
> My actual User account that has been stolen from is NXT 16821029889165561706

I don't have any idea how this may have happened either. Just wanted to confirm, at the moment the theft happened your client was running and you had the browser window opened, and your account was unlocked (you were seeing your balance and the "send money" arrow), is that all correct? Just trying to differentiate the possibilities, whether the hacker obtained your password via brute-force or some other way and initiated the transaction from another machine, or somehow your own machine was tricked to initiate the transaction. And you were running 0.4.8 at the time, right? I added the second check for secret phrase before send money exactly to increase security, so that even if your account is unlocked in the browser you still need to enter your password again. Another question, did you generate your random-looking password using some software - password manager, online service, or created it manually by typing at random?

utopianfuture
January 01, 2014, 08:41:29 PM
How to check SHA256 checksum? And what should I expect? I want to check my client right now.

landomata
January 01, 2014, 08:41:38 PM
> Isn't the party line not to use the word 'official' any more?

Official doesn't have to mean centralized

laowai80
January 01, 2014, 08:43:26 PM
> How to check SHA256 checksum? And what should I expect? I want to check my client right now.

In Linux type: sha256sum filename.zip

landomata
January 01, 2014, 08:44:24 PM
Are these randomly generated passwords stored by the generating service in some centralized database?

rickyjames
January 01, 2014, 08:45:14 PM
Look, ask Graviton about all of the Other People's NXT from Dgex he's got combined for storage into one of the biggest NXT accounts in the blockchain. Graviton, which would let you sleep better at night - the current NXT account setup, or the current NXT account setup plus an additional account withdrawal freeze code capability?

opticalcarrier
January 01, 2014, 08:46:10 PM
I have devised a method for us VPS admins to maintain a running list of wellKnownPeers. We can do it outside the scope of this thread over on forums.nxtcrypto.org
https://forums.nxtcrypto.org/viewtopic.php?f=39&t=229

The gist of the method:

The last post with "SIGNOFF" in the thread will have the latest list. So basically, if you wish to update the running list we will maintain here, don't ever hit QUOTE on the last post in this topic to do so unless that last poster has gone back and verified that their post is 100% current by going back and editing their post and putting SIGNOFF at the bottom outside of the quote. Then you quote their post, add your data, remove their SIGNOFF message, hit submit, then go see if you should edit your message with SIGNOFF or if you should replace your post with NOT IN TIME.

utopianfuture
January 01, 2014, 08:46:17 PM
> How to check SHA256 checksum? And what should I expect? I want to check my client right now.
> In Linux type: sha256sum filename.zip

In Windows 7?

NxtChg
January 01, 2014, 08:49:01 PM
> I added the second check for secret phrase before send money exactly to increase security, so that even if your account is unlocked in the browser you still need to enter your password again.

So can the client itself send money if the wallet is unlocked? Without that additional check? What worries me most is the possibility of a bug in the client, which would allow the attacker to instruct it to send money directly. And since the client is already exposed to the outside world through firewall and its IP is known, it can be a really nasty threat.

laowai80
January 01, 2014, 08:49:06 PM
> How to check SHA256 checksum? And what should I expect? I want to check my client right now.
> In Linux type: sha256sum filename.zip
> In Windows 7?

I only have Windows 8 around, but looks like it doesn't have sha256sum.exe program, have to download it from somewhere, you could google it, but then again, make sure you don't download a trojan. There are online services too, that you can upload the file to and they'll provide the sha256sum.

intel
January 01, 2014, 08:49:13 PM
> How to check SHA256 checksum? And what should I expect? I want to check my client right now.
> In Linux type: sha256sum filename.zip
> In Windows 7?

Download HashTab

eid
January 01, 2014, 08:49:23 PM
Am I right in thinking that the person who runs the Nxt install thread which this thread links to, is the same guy who stole some of the Nxt bounty funds recently?
Also, can someone point me towards a safe place to download the next client. I'd like to sell my small stake.
Thanks.

utopianfuture
January 01, 2014, 08:50:30 PM
> How to check SHA256 checksum? And what should I expect? I want to check my client right now.
> In Linux type: sha256sum filename.zip
> In Windows 7?
> Download HashTab

What should I expect when I run the file?

intel
January 01, 2014, 08:51:30 PM
> How to check SHA256 checksum? And what should I expect? I want to check my client right now.
> In Linux type: sha256sum filename.zip
> In Windows 7?
> Download HashTab
> What should I expect when I run the file?

There'll be a new tab when clicking right-mouse -> properties. Also, you can select required checksum algorithms:

xyzzyx
January 01, 2014, 08:53:11 PM (Last edit: January 02, 2014, 04:53:10 AM by xyzzyx)
> How to check SHA256 checksum? And what should I expect? I want to check my client right now.

If you're running Windows, an online calculator would be easiest:
Edit: http://onlinemd5.com/ (thanks to utopianfuture) or http://hash.online-convert.com/sha256-generator

If you're running OS X, a SHA-256 can be calculated using the openssl command in an open terminal (the terminal is located in /Applications/Utilities). The openssl command would look something like this:
openssl sha256 [FILE_NAME]

If you're running GNU/Linux, the program sha256sum is standard on most versions of the OS. Using the sha256sum command in a terminal would look something like this:
sha256sum [FILE_NAME]
"An awful lot of code is being written ... in languages that aren't very good by people who don't know what they're doing." -- Barbara Liskov

rickyjames
January 01, 2014, 08:56:41 PM
> I added the second check for secret phrase before send money exactly to increase security, so that even if your account is unlocked in the browser you still need to enter your password again.
> So can the client itself send money if the wallet is unlocked? Without that additional check? What worries me most is the possibility of a bug in the client, which would allow the attacker to instruct it to send money directly. And since the client is already exposed to the outside world through firewall and its IP is known, it can be a really nasty threat.

If a hacker has ALREADY gotten your main account password once to get in the account in the first place, having to type it AGAIN is no additional security at all. This only prevents somebody physically in front of your keyboard from ripping you off. This is absolutely a concern and why a withdrawal verification/unfreeze password shouldn't enable the LOCAL CLIENT/SERVER to do something, it should be COMBINED WITH SOMETHING PREVIOUSLY PUT ON BLOCKCHAIN that is processed by THE REMOTE SERVER PROCESSING THE BLOCK to enable the withdrawal. The latter is MUCH MORE SECURE. The first time a local client is hacked in NXT (and you should assume this WILL happen) then NXT has a HUGE PR problem....

utopianfuture
January 01, 2014, 08:57:16 PM
> How to check SHA256 checksum? And what should I expect? I want to check my client right now.
> In Linux type: sha256sum filename.zip
> In Windows 7?
> Download HashTab
> What should I expect when I run the file?
> There'll be a new tab when clicking right-mouse -> properties. Also, you can select required checksum algorithms:

What's hash comparison? The hash of the authentic file?

opticalcarrier
January 01, 2014, 08:57:20 PM (Last edit: January 01, 2014, 10:01:32 PM by opticalcarrier)
> Isn't the party line not to use the word 'official' any more?
> Official doesn't have to mean centralized

Regardless, at this point all client dev is in 1 place, so it is currently centralized. They may as well for now just post 1 place. We are trying to use the NXT Foundations' sites for this purpose (www/info/forums). The goal right now is for the latest client to always be posted at
info.nxtcrypto.org/client.zip
www.nxtcrypto.org/client.zip
forums.nxtcrypto.org/client.zip

Not all links have been updated yet though, so continue to use http://info.nxtcrypto.org/nxt-client-0.4.8.zip

Maybe the announcement for new client releases can be in this thread with the sha256 checksum and a link to those 3 downloads, then someone at admin/forums/www can then update the sites with the sha256 info?

intel
January 01, 2014, 08:59:09 PM
> What's hash comparison? The hash of the authentic file?

This guide'll help you.