sussex
January 02, 2014, 04:01:09 AM
need help urgently!
I downloaded the 0.4.8 client from xxxttps://xxxxxxxxx.html as you guys told, I probably lose Nxt for this. So I must transfer Nxt to another account. Now I have downloaded the new client from the first page of this thread, but the client doesn't sync. What should I do?
Don't repeat dodgy links on forums, someone is likely to click it.......

utopianfuture
January 02, 2014, 04:01:43 AM
I ended up with the bad client on 3 out of 3 VPS nodes. FOR SURE I downloaded the bad client like this: wget http://162.243.246.223/nxt-client-0.4.8.zip
It's as plain as day in my bash history. The weird part is I had about 2000 Nxt in the 3 accounts and none of it was transferred out. I just transferred it out myself and I'm shutting down the nodes.
Where was it posted? Why did you go to a private IP address to download the client?

relm9
January 02, 2014, 04:03:25 AM
I wonder where the modified client was posted originally, I can't find any record of it on Google using the links provided in this thread, odd... maybe the main NXT site was compromised briefly?
I think it's very important that SHA-256 hashes are provided with any release builds posted from now on. They aren't visible on the main site anywhere, which isn't a good thing.

tk808
January 02, 2014, 04:05:11 AM
Was the client on the official Nxt forums safe? Anyone get jacked from that yet?
I downloaded it an hour or two after it got uploaded. I do not have the ZIP file anymore to check the hash.

bitcoinrocks
January 02, 2014, 04:07:22 AM
I ended up with the bad client on 3 out of 3 VPS nodes. FOR SURE I downloaded the bad client like this: wget http://162.243.246.223/nxt-client-0.4.8.zip
It's as plain as day in my bash history. The weird part is I had about 2000 Nxt in the 3 accounts and none of it was transferred out. I just transferred it out myself and I'm shutting down the nodes.
Where was it posted? Why did you go to a private IP address to download the client?
I don't know how I could find out where it was posted. I'm sure I copied and pasted it from a page in the browser to wget in the console. EDIT: I have a lot of experience with IT security so it would have been made to look legit.

allwelder
January 02, 2014, 04:14:23 AM
What is the max bit length of the NXT password?

opticalcarrier
January 02, 2014, 04:17:24 AM Last edit: January 02, 2014, 04:39:44 AM by opticalcarrier
can you get a timestamp from the file or some audit log that you can correlate in your web browser?

utopianfuture
January 02, 2014, 04:17:58 AM
What is the max bit length of the NXT password?
Don't know. But a 256-bit pass is already impossible to crack at the current state of science and technology. I use 35 characters and it's already 240 bits.

bitcoinrocks
January 02, 2014, 04:22:40 AM
can you get a timestamp from the file or some audit log that you can correlate in your web browser?
I'm actually working on that right now.

bitcoinrocks
January 02, 2014, 04:29:14 AM
When was 0.4.8 released?

tk808
January 02, 2014, 04:32:38 AM
When was 0.4.8 released?
Yesterday

Uniqueorn
January 02, 2014, 04:38:55 AM
Are we sure it is Drexme? If so, I have his real name. Pretty stupid if he really did it.

bitcoinrocks
January 02, 2014, 04:39:47 AM
I'm confused. The timestamp on my bad client zip is Dec 31 11:43. That VPS runs on UTC time and I can see that its time is correct. Converting that to my local time, that would put me on the computer really early in the morning which my browser logs tell me I was not. I just checked with my wife to confirm and she says I was not up that early yesterday. I'm still thinking this over.

opticalcarrier
January 02, 2014, 04:40:10 AM
well at this point I think we all need to stop and take a step back and determine how to best handle new client releases moving forwards. CfB had to stop using his DL link due to bandwidth problems. Maybe dev team needs to run a dedicated VPS to host releases on? Maybe the unused coins can go to fund that?
Obviously all WWW/info/forums/WIKI sites need to be updated with VERY STRONG LANGUAGE regarding checksums
My suggestion is for when dev team releases a new client, to post in this thread a reply with a link and checksums. then any site out there that wishes to host the file should also post a link back to the thread where the new client was released so the downloader can see the checksum?
Any more thoughts on how to best mitigate this theft risk?

tk808
January 02, 2014, 04:44:46 AM
well at this point I think we all need to stop and take a step back and determine how to best handle new client releases moving forwards. CfB had to stop using his DL link due to bandwidth problems. Maybe dev team needs to run a dedicated VPS to host releases on? Maybe the unused coins can go to fund that?
Obviously all WWW/info/forums/WIKI sites need to be updated with VERY STRONG LANGUAGE regarding checksums
My suggestion is for when dev team releases a new client, to post in this thread a reply with a link and checksums. then any site out there that wishes to host the file should also post a link back to the thread where the new client was released so the downloader can see the checksum?
Any more thoughts on how to best mitigate this theft risk?
Always check the HASH of the zip file before you unzip it. Match it with the hash of the posters download. If the person doesn't post the original hash, i'm not downloading. That's what i've learned and going to start doing every new release.

Uniqueorn
January 02, 2014, 04:46:02 AM
well at this point I think we all need to stop and take a step back and determine how to best handle new client releases moving forwards. CfB had to stop using his DL link due to bandwidth problems. Maybe dev team needs to run a dedicated VPS to host releases on? Maybe the unused coins can go to fund that?
Obviously all WWW/info/forums/WIKI sites need to be updated with VERY STRONG LANGUAGE regarding checksums
My suggestion is for when dev team releases a new client, to post in this thread a reply with a link and checksums. then any site out there that wishes to host the file should also post a link back to the thread where the new client was released so the downloader can see the checksum?
Any more thoughts on how to best mitigate this theft risk?
Always check the HASH of the zip file before you unzip it. Match it with the hash of the posters download. If the person doesn't post the original hash, i'm not downloading. That's what i've learned and going to start doing every new release.
but aren't the hashes different in every release?

xyzzyx
January 02, 2014, 04:46:29 AM
That's a much nicer SHA-256 checker than the one I linked to -- everything in yours is done in the browser. Nice.
"An awful lot of code is being written ... in languages that aren't very good by people who don't know what they're doing." -- Barbara Liskov

xyzzyx
January 02, 2014, 04:48:16 AM
Any more thoughts on how to best mitigate this theft risk?
Distribute new releases on the blockchain?

bitcoinrocks
January 02, 2014, 04:50:36 AM Last edit: January 02, 2014, 05:12:44 AM by bitcoinrocks
I think I downloaded the bad client zip from here: http://www.nxtcrypto.org/ (EDIT: No I didn't. See my post below.) I can't be sure yet and I still don't understand some of my timestamps, but I see in my browser logs that I accessed that page at around the time I updated to 0.4.8 and I'm pretty sure I remember using the link on that page. EDIT: I think I even remember laughing about how silly it was that that page pointed to an IP address for the download.

tk808
January 02, 2014, 04:52:01 AM
well at this point I think we all need to stop and take a step back and determine how to best handle new client releases moving forwards. CfB had to stop using his DL link due to bandwidth problems. Maybe dev team needs to run a dedicated VPS to host releases on? Maybe the unused coins can go to fund that?
Obviously all WWW/info/forums/WIKI sites need to be updated with VERY STRONG LANGUAGE regarding checksums
My suggestion is for when dev team releases a new client, to post in this thread a reply with a link and checksums. then any site out there that wishes to host the file should also post a link back to the thread where the new client was released so the downloader can see the checksum?
Any more thoughts on how to best mitigate this theft risk?
Always check the HASH of the zip file before you unzip it. Match it with the hash of the posters download. If the person doesn't post the original hash, i'm not downloading. That's what i've learned and going to start doing every new release.
but aren't the hashes different in every release?
On the Nxt Forums, the client download thread always has the new SHA-1 hash, of every release.
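
The check discussed in the posts above (hash the zip before unzipping and compare it with the digest posted in the release thread), as an added example that is not part of any post here or of the Nxt project. It accepts either the SHA-1 digests mentioned for the Nxt forums or the SHA-256 digests asked for earlier in the thread, choosing by digest length; the function names are hypothetical, coreutils `sha1sum`/`sha256sum` are assumed, and the demo file is constructed.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. Assumes coreutils sha1sum/sha256sum.

# verify_release FILE PUBLISHED_DIGEST
# Returns 0 only if FILE hashes to PUBLISHED_DIGEST (1 = mismatch, 2 = bad
# digest, 3 = unreadable file). Copy the digest from the release announcement,
# never from the page or host that served the file.
verify_release() {
    local file="$1" expected actual
    # Normalise a digest pasted from a forum post: spaces, upper-case hex.
    expected=$(printf '%s' "$2" | tr -d '[:space:]' | tr 'A-F' 'a-f')
    case $expected in
        ''|*[!0-9a-f]*) echo "not a hex digest: $2" >&2; return 2 ;;
    esac
    case ${#expected} in
        40) actual=$(sha1sum < "$file") ;;     # SHA-1 is 40 hex characters
        64) actual=$(sha256sum < "$file") ;;   # SHA-256 is 64 hex characters
        *)  echo "unexpected digest length: ${#expected}" >&2; return 2 ;;
    esac || { echo "cannot hash $file" >&2; return 3; }
    actual=${actual%% *}                       # drop the trailing "  -"
    if [ "$actual" != "$expected" ]; then
        echo "MISMATCH for $file: computed $actual" >&2
        return 1
    fi
}

# run_if_verified FILE PUBLISHED_DIGEST COMMAND...
# Runs COMMAND (for example unzip) only after the digest matches, so a
# tampered archive is never unpacked or executed.
run_if_verified() {
    local file="$1" digest="$2"
    shift 2
    verify_release "$file" "$digest" || return
    "$@"
}

# Constructed demo: a stand-in "release" containing the bytes "abc", whose
# SHA-256 is a published test vector. A real call would look like:
#   run_if_verified nxt-client.zip "<digest from release post>" unzip -q nxt-client.zip
demo=$(mktemp) && printf 'abc' > "$demo"
run_if_verified "$demo" \
    "BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD" \
    echo "digest matches, safe to unpack"
rm -f "$demo"
```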