opticalcarrier
January 01, 2014, 09:11:56 PM
> What's hash comparison? The hash of the authentic file?

> This guide will help you.

> I understand about comparing hashes. But I can't locate the hash of the authentic file. Is the hash from the first page of this thread good?

> http://info.nxtcrypto.org/nxt-client-0-4-8-released/ You'll find the SHA256 sum provided by the developer with every release of the NXT Client. Compare it with the hash of the downloaded file.

Yes, but it would be smart to do an external verification of the checksum in this thread. So the info/www/forums site should provide a link back to the post here that announces the new client and its checksum.
utopianfuture
Sr. Member
Offline
Activity: 602
Merit: 268
Internet of Value
January 01, 2014, 09:14:45 PM
> What's hash comparison? The hash of the authentic file?

> This guide will help you.

> I understand about comparing hashes. But I can't locate the hash of the authentic file. Is the hash from the first page of this thread good?

> http://info.nxtcrypto.org/nxt-client-0-4-8-released/ You'll find the SHA256 sum provided by the developer with every release of the NXT Client. Compare it with the hash of the downloaded file.

Looks good, the download file and its hash on the front page of this thread are safe also. Thanks Intel, it is good to learn these things.
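The check the two posts above describe, as an added example (not code from the NXT project or from anyone in this thread): stream-hash the downloaded archive, parse the developer's published SHA256 line, and compare the two digests in constant time. The checksum list, the archive name and the archive contents are constructed for the example; the digest in PUBLISHED_SUMS is simply SHA-256 of the bytes "abc" so the demo can build a matching file.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed stand-in for the "sha256sum"-style line a release announcement
# carries. It is NOT a real NXT release hash: it is SHA-256 of b"abc" so that
# demo() can create a file that matches it.
PUBLISHED_SUMS = """\
# constructed checksum list for the example
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  nxt-client-example.zip
"""


def sha256_file(path, chunk_size=1 << 20):
    """Hex SHA-256 of a file, read in chunks so a large archive need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sha256sums(text):
    """Parse sha256sum-style lines ('<64 hex>  <name>' or '<64 hex> *<name>') into {name: digest}.
    A malformed digest raises instead of silently matching nothing."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        digest = digest.lower()
        name = name.lstrip(" *")
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest) or not name:
            raise ValueError("malformed checksum line: %r" % line)
        sums[name] = digest
    return sums


def verify_download(path, expected_hex):
    """True only if the file's SHA-256 equals the published digest (constant-time comparison)."""
    return hmac.compare_digest(sha256_file(path), expected_hex.strip().lower())


def demo():
    """Verify a good copy of the 'archive', then a copy with one extra byte appended."""
    sums = parse_sha256sums(PUBLISHED_SUMS)
    with tempfile.TemporaryDirectory() as d:
        archive = os.path.join(d, "nxt-client-example.zip")
        with open(archive, "wb") as f:
            f.write(b"abc")            # constructed archive contents
        good = verify_download(archive, sums["nxt-client-example.zip"])
        with open(archive, "ab") as f:
            f.write(b"\x00")           # a single appended byte: a modified download
        tampered = verify_download(archive, sums["nxt-client-example.zip"])
    return {"good": good, "tampered": tampered}


if __name__ == "__main__":
    print(demo())   # {'good': True, 'tampered': False}
```

Two caveats that follow from opticalcarrier's point: the digest has to come over a channel other than the download link (a hash served from the same compromised mirror proves nothing), and a matching SHA256 only shows you hold the bytes the announcer hashed, not that the announcer is the developer; binding the release to the developer requires a signature over the file or the digest.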
fehen
Newbie
Offline
Activity: 56
Merit: 0
January 01, 2014, 09:18:10 PM
NXT episode-32 [ opoZdun ] EN http://youtu.be/DZpf_he41vc

True today: NXT episode-33 Crazy [ aTTack ] EN http://youtu.be/WDK53ly-6Pw

Support for the work and to "keep hammering away at" NXT - 5708493317559318384
pandaisftw
January 01, 2014, 09:18:41 PM
What I think everyone missed about this security thing is that c-f-b mentioned that this can easily be fixed client-side: e.g. a 3rd-party client (perhaps the one in development by nexern) can take your particular passphrase, run it through SHA256 (or whatever hash function you want to use) and use that to generate your account number.

No need to modify anything in the base code. We can even implement wallet.dat files client-side, for increased security (public + private keys can be generated by the client), if the user so desires.

EDIT: This gives NXT users the unique choice of a) using NRS and generating their own complex 30+ char passphrase, so they can use their account anywhere in the world through brainwallet, or b) simpler security for average users, but you have to go through a hash function/particular client if you want to access your account.
NXT: 13095091276527367030

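An added illustration of the client-side derivation proposed in the post above, written here for this thread and not taken from NRS or from nexern's client. It derives the string that would be handed to NRS in place of the user's passphrase, first with plain SHA256 as proposed, then with a work factor (PBKDF2-HMAC-SHA256 and a fixed, public salt), and runs the dictionary attack an attacker who has read the open-source client would run against both. The wordlist, the two passphrases and the APP_SALT value are all constructed for the example.

```python
import hashlib
from typing import Callable, Optional, Tuple

# Constructed wordlist standing in for an attacker's dictionary.
WORDLIST = ["password", "letmein", "nxt2014", "correct horse", "hunter2"]


def effective_passphrase_sha256(user_passphrase: str) -> str:
    """The scheme proposed above: the client hands NRS sha256(passphrase) as the secret phrase.
    The output is always 64 hex characters, whatever the user typed."""
    return hashlib.sha256(user_passphrase.encode("utf-8")).hexdigest()


# A fixed, public salt keeps the brainwallet property (nothing per-user to store or sync)
# while making tables precomputed for bare SHA-256 useless. Assumed value, not from any real client.
APP_SALT = b"example-nxt-client-v1"
ITERATIONS = 100_000


def effective_passphrase_pbkdf2(user_passphrase: str, iterations: int = ITERATIONS) -> str:
    """Same idea with a work factor: every guess now costs `iterations` HMAC-SHA256 calls instead of one."""
    return hashlib.pbkdf2_hmac("sha256", user_passphrase.encode("utf-8"), APP_SALT, iterations).hex()


def dictionary_attack(target: str, derive: Callable[[str], str],
                      wordlist=WORDLIST) -> Tuple[Optional[str], int]:
    """An attacker who knows the derivation function (it ships in the client) tries each candidate
    and compares against the derived string. Returns (recovered passphrase or None, derivations spent)."""
    tries = 0
    for word in wordlist:
        tries += 1
        if derive(word) == target:
            return word, tries
    return None, tries


def demo():
    """Run the attack against a weak and a strong passphrase under both derivations."""
    weak = "letmein"                       # constructed; in WORDLIST
    strong = "q7V!pR2s#Lm9$Wz4&Hx0"        # constructed; not in WORDLIST
    results = {}
    for name, derive in [("sha256", effective_passphrase_sha256),
                         ("pbkdf2", effective_passphrase_pbkdf2)]:
        results[name + "_weak"] = dictionary_attack(derive(weak), derive)
        results[name + "_strong"] = dictionary_attack(derive(strong), derive)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The derived string looks like a 30+ character passphrase but carries exactly the entropy of what the user typed: "letmein" is recovered on the second guess under both derivations. What the hash step buys is that the phrase a user types into this client is not usable in a plain NRS instance (option b above), and the work factor multiplies the attacker's cost per guess by ITERATIONS; neither turns a dictionary word into a safe key.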
xibeijan
Legendary
Offline
Activity: 1232
Merit: 1001
January 01, 2014, 09:21:22 PM
> Do you think NXT value will reach $1 this year? Is it a realistic prediction?

Your prediction is extremely conservative. +1
NxtChg
January 01, 2014, 09:25:02 PM
> The server (the java process) stores the user secret phrase for as long as your account is unlocked. But there is no API request that you can make to force it to use that phrase for sending money, unless you also send the secret phrase in the request again.

> That's what I thought. So if there is a bug or an exploit it is quite possible that the client can be instructed to send money. Not via the API, but via some exploitable hole. And again, since it's open to the world and its IP is well known, this is scary. So to be sure a big account has to be locked most of the time, but this means it won't generate any blocks and won't get any fees, correct?

> I didn't like that and this is why I removed that possibility and added the requirement for the secret phrase on the send money dialog too.

That was a good addition, thanks.
Come-from-Beyond
Legendary
Offline
Activity: 2142
Merit: 1010
Newbie
January 01, 2014, 09:31:56 PM
> And again, since it's open to the world and its IP is well known, this is scary.

Access to the API and interface is blocked by default. Someone has to edit web.xml and put * into allowedUserHosts and allowedBotHosts.
Jean-Luc
January 01, 2014, 09:35:09 PM
> The server (the java process) stores the user secret phrase for as long as your account is unlocked. But there is no API request that you can make to force it to use that phrase for sending money, unless you also send the secret phrase in the request again.

> That's what I thought. So if there is a bug or an exploit it is quite possible that the client can be instructed to send money. Not via the API, but via some exploitable hole. And again, since it's open to the world and its IP is well known, this is scary. So to be sure a big account has to be locked most of the time, but this means it won't generate any blocks and won't get any fees, correct?

Yes. But PaulyC was not running a big account with a well-known and hallmarked IP, right? We should focus on finding out how his account was hacked. It is not likely to be a remotely exploitable hole, exactly because it was not a big public node. I mine on a machine with a public IP that is on almost all the time with an account of a few million; why wasn't I attacked? I just don't think it is a remote exploit at work here. More likely something in his browser or computer. A javascript cross-site scripting exploit? Was he browsing any other sites at the moment, possibly Nxt-related?
bitcoinpaul
January 01, 2014, 09:35:35 PM
> I've got PaulyC's password. It's uncrackable and matches the account. If he is not trolling then we have 4 explanations:
> - Someone cracked SHA256 and Curve25519 (why then multi-million accounts not hacked?)
> - Someone distributes modified NRS (someone should decompile PaulyC's software)
> - Keylogger
> - He used an online node that records entered passphrases
>
> While I may give PaulyC the benefit of the doubt, it can't be ruled out that it is a legit transaction authorized by PaulyC himself.

What about this? Nobody?
NxtChg
January 01, 2014, 09:42:39 PM
> Yes. But PaulyC was not running a big account with a well-known and hallmarked IP, right?

As I understand, this applies to all machines, not only big, hallmarked nodes, right? And since exploits usually depend on a particular environment, they might not work in all cases. So some bot scans the network and tries this exploit on every machine it can find. In some particular combination of OS/software it works. Boom, money stolen.
Come-from-Beyond
Legendary
Offline
Activity: 2142
Merit: 1010
Newbie
January 01, 2014, 09:44:56 PM
> Yes. But PaulyC was not running a big account with a well-known and hallmarked IP, right?

> As I understand, this applies to all machines, not only big, hallmarked nodes, right? And since exploits usually depend on a particular environment, they might not work in all cases. So some bot scans the network and tries this exploit on every machine it can find. In some particular combination of OS/software it works. Boom, money stolen.

Let's just ask PaulyC if his computer was accessible from the Internet (no NAT, ports open). PaulyC?
NxtChg
January 01, 2014, 09:49:50 PM
Also, some detailed logging should probably be implemented, precisely to quickly check this sort of thing.
User says money stolen - ask to send his log.
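An added sketch of the logging NxtChg asks for above, written for this thread and not taken from NRS: one JSON line per sensitive API call, with the secret phrase stripped before anything is written, plus the review a developer would run over a user's log when they report stolen funds. The request names unlockAccount and sendMoney, the addresses, account numbers and timestamps are all constructed for the example (the thread only speaks of unlocking an account and the send money dialog).

```python
import ipaddress
import json
from typing import Dict, List, Tuple

# Parameter names never written to the log, whatever case the client used.
SENSITIVE_PARAMS = {"secretphrase"}


def audit_entry(ts: str, remote: str, req: str, params: Dict, ok: bool) -> str:
    """Serialise one API call as a JSON line. The log exists to reconstruct what was asked,
    from where and whether it succeeded; it must never become a second copy of the secret phrase."""
    safe = {k: v for k, v in params.items() if k.lower() not in SENSITIVE_PARAMS}
    safe.update({"ts": ts, "remote": remote, "req": req, "ok": ok})
    return json.dumps(safe, sort_keys=True)


# Constructed log: a legitimate unlock and send from the local browser, then a send
# arriving from an outside address, then a send for an account never unlocked on this node.
SAMPLE_LOG = "\n".join([
    audit_entry("2014-01-01T20:58:03Z", "127.0.0.1", "unlockAccount",
                {"account": "1111111111111111111", "secretPhrase": "never logged"}, True),
    audit_entry("2014-01-01T21:00:41Z", "127.0.0.1", "sendMoney",
                {"account": "1111111111111111111", "recipient": "2222222222222222222", "amount": 50}, True),
    audit_entry("2014-01-01T21:03:15Z", "203.0.113.7", "sendMoney",
                {"account": "1111111111111111111", "recipient": "3333333333333333333", "amount": 7091}, True),
    audit_entry("2014-01-01T21:04:02Z", "127.0.0.1", "sendMoney",
                {"account": "4444444444444444444", "recipient": "3333333333333333333", "amount": 10}, False),
])


def parse_audit_log(text: str) -> List[Dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def review(entries: List[Dict]) -> List[Tuple[str, Dict]]:
    """Flag sendMoney calls that (a) came from a non-loopback address, or (b) were not preceded by a
    successful unlockAccount for the same account from the same address. Entries are in time order."""
    unlocked_from: Dict[str, set] = {}
    findings: List[Tuple[str, Dict]] = []
    for e in entries:
        if e["req"] == "unlockAccount":
            if e["ok"]:
                unlocked_from.setdefault(e["account"], set()).add(e["remote"])
            continue
        if e["req"] != "sendMoney":
            continue
        if not ipaddress.ip_address(e["remote"]).is_loopback:
            findings.append(("sendMoney from non-loopback address", e))
        if e["remote"] not in unlocked_from.get(e["account"], set()):
            findings.append(("sendMoney with no prior unlock from that address", e))
    return findings


def demo() -> List[Tuple[str, str, str, str]]:
    """Review the constructed log and return (reason, time, remote, account) per finding."""
    return [(reason, e["ts"], e["remote"], e["account"])
            for reason, e in review(parse_audit_log(SAMPLE_LOG))]


if __name__ == "__main__":
    for finding in demo():
        print(*finding)
```

Against the constructed log the review returns three findings: the 7091 NXT send is flagged twice (outside address, and no unlock from that address), and the failed send for the second account once. Whether a real incident looks like the first case (a remote hole, as NxtChg suspects) or like nothing at all in the node's log (a keylogger or modified client, as Jean-Luc and bitcoinpaul suggest) is exactly what such a log would settle.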
S3MKi
Legendary
Offline
Activity: 1540
Merit: 1016
January 01, 2014, 09:51:32 PM
Hack account spoils nxt's release
swartzfeger
January 01, 2014, 09:53:56 PM
> I've got PaulyC's password. It's uncrackable and matches the account. If he is not trolling then we have 4 explanations:
> - Someone cracked SHA256 and Curve25519 (why then multi-million accounts not hacked?)
> - Someone distributes modified NRS (someone should decompile PaulyC's software)
> - Keylogger
> - He used an online node that records entered passphrases
>
> While I may give PaulyC the benefit of the doubt, it can't be ruled out that it is a legit transaction authorized by PaulyC himself.
>
> What about this? Nobody?

I don't understand why more isn't being made of this. Sorry, that came off wrong... it's the new year, we're all busy, etc. I grok 1% of the technicals of NXT. And no distrust intended for PaulyC, but Occam's Razor tells me "PaulyC --xfer--> new account". What's stopping me from coming in here crying "all 7091 of my NXT have been **HACKED**! Here's the address it went to." We have no way of knowing if I have the passphrase for the second account. Right?

edit: am I missing part of the story/salient data here?
S3MKi
Legendary
Offline
Activity: 1540
Merit: 1016
January 01, 2014, 09:53:59 PM
> Hack account spoils nxt's release

NOT in my eyes! What about new investors?
laowai80
Member
Offline
Activity: 98
Merit: 10
January 01, 2014, 09:57:06 PM
> Hack account spoils nxt's release

No, it doesn't. There'll be many more theft cases, just like in bitcoin, just like in banks, just like in anything in life. The human factor is usually the weakest link in any best-designed system, and is accountable for 90-ish% of all crime cases.
Come-from-Beyond
Legendary
Offline
Activity: 2142
Merit: 1010
Newbie
January 01, 2014, 10:02:13 PM
96.236.149.74 leeched more than 18 GiB of data... Does anyone see this zombie in their active peers? What are the numbers?
laowai80
Member
Offline
Activity: 98
Merit: 10
January 01, 2014, 10:11:18 PM
> 96.236.149.74 leeched more than 18 GiB of data... Does anyone see this zombie in their active peers? What are the numbers?

Nope, apparently your bandwidth tastes the best to that zombie )
marcus03
January 01, 2014, 10:14:49 PM
> Maybe the announcement for new client releases can be in this thread with the sha256 checksum and a link to those 3 downloads, then someone at admin/forums/www can then update the sites with the sha256 info?

What about putting the sha256 checksum into the block chain? The NXT software could then update itself.