Zahlen
Member
Offline
Activity: 98
Merit: 10
|
|
January 02, 2014, 04:56:21 AM |
|
Distribute new releases on the blockchain?
+1. This also removes the hassle of manually updating.
|
|
|
|
gbeirn
|
|
January 02, 2014, 04:57:03 AM |
|
Now that we seem to have figured out this breach, we need to warn anybody that downloaded that version, but I guess we can't broadcast message yet...
Still there will be concerns about the offline parallel attack. I am still waiting for CfB's answers on my architecture question. We don't need an immediate solution as long as there is a clear roadmap to higher security, both perceived and actual.
If the hacker has to search a space 2^256, then even with petahashes it will take a long time. However, I am worried about clustering especially with user selected passwords without maximum entropy. Realistically, if anybody uses alphanumeric passwords of a short length or just combines common words, a hacker running a simple brute force search of these combos will unlock all these accounts pretty quickly. Our opponents will intentionally use reasonable looking but weak passwords to intentionally get hacked and give us black PR.
I want to proactively attack this issue. How does NXT security compare to BTC or to Ripple security? These are critical questions for mass adoption of NXT. I want to hear that NXT is better than all the rest, but what I need is an independent cryptographic expert to analyze this objectively.
Not sure how much this will cost, but it will go a long ways toward eliminating this as an issue if indeed NXT is as secure or more secure than BTC (and Ripple). Does anybody know how much it will cost to get an independent cryptographic analysis?
James
P.S. also maybe a bounty to PaulyC of 7808 NXT for finding this?
Agree. PaulyC deserves a bounty to uncover this type of thief. PaulyC if you haven't received any NXT yet, please post your new address here and I will reimburse your missing funds from my account.
|
NXT VPS Server Donations can be sent here: 6044921191674841550
At the end of each month I will donate some of them back to the community. This is separate from my main wallet so you can keep track of them. I will keep them in there and only use them for hosting.
|
|
|
|
newcn
|
|
January 02, 2014, 05:04:56 AM |
|
another account of mine was also stolen, it happened exactly the same time as former one, but only 93 nxt lost. the accounts my money goes:
9793828175536096502 balance 18197, contains all my stolen nxt
6164081464868000542 balance 9528, my 92 nxt goes here
the transactions happened at 2014.1.1 12:04:50 GMT
|
BTC:1NzzfeHCgN8fF6mSG1UeBFCVd2cxKbGyHk NXT:13187911577562526278
|
|
|
PaulyC
|
|
January 02, 2014, 05:05:37 AM |
|
I think I downloaded the bad client zip from here: http://www.nxtcrypto.org/ I can't be sure yet and I still don't understand some of my timestamps, but I see in my browser logs that I accessed that page at around the time I updated to 0.4.8 and I'm pretty sure I remember using the link on that page. EDIT: I think I even remember laughing about how silly it was that that page pointed to an IP address for the download.
Not that I don't think you could have DL'ed yours there. I'm pretty much positive (I don't have the browser proof since I've cleared my history probably 10x since then!) mine was DL'd from nextcoin.org, via the Mega link that was there at the time I DL'd it. The only reason I mention it is I DL'd that client.zip from nxtcrypto.org as well, and never touched it. Btw. that's awesome you got yours out.
|
Doge Mars Landing Foundation (founder) Coined the phrase, "Doge to the Mars" and "Check that Hash!". Discoverer of the 2013 NXT nefarious wallet. Admin. FameMom [FAMOM]
|
|
|
MadCow
|
|
January 02, 2014, 05:08:46 AM |
|
Can anyone confirm the download link on the first page of this thread is good? I think it is, but I'm not taking anything for granted now.
|
|
|
|
bitcoinrocks
Legendary
Offline
Activity: 1372
Merit: 1000
|
|
January 02, 2014, 05:11:57 AM |
|
I think I downloaded the bad client zip from here: http://www.nxtcrypto.org/ I can't be sure yet and I still don't understand some of my timestamps, but I see in my browser logs that I accessed that page at around the time I updated to 0.4.8 and I'm pretty sure I remember using the link on that page. EDIT: I think I even remember laughing about how silly it was that that page pointed to an IP address for the download.
Not that I don't think you could have DL'ed yours there. I'm pretty much positive (I don't have the browser proof since I've cleared my history probably 10x since then!) mine was DL'd from nextcoin.org, via the Mega link that was there at the time I DL'd it.
The only reason I mention it is I DL'd that client.zip from nxtcrypto.org as well, and never touched it.
I take it back. With a little help from the timestamp on my post here: https://bitcointalk.org/index.php?topic=345619.msg4240566#msg4240566 I figure I downloaded it from a link on this page: https://bitcointalk.org/index.php?topic=345619.11920 What an idiot I am for doing that. To reiterate, I DO NOT think I downloaded the bad client zip from nxtcrypto.org.
|
|
|
|
mnightwaffle
|
|
January 02, 2014, 05:12:23 AM |
|
sent a few coins to pauly
Can anyone confirm the download link on the first page of this thread is good? I think it is, but I'm not taking anything for granted now.
https://nextcoin.org/index.php?topic=1858.0 added up fine EC7C30A100717E60D8ABE50EEDB23641952847D91FF90B9B05A74FF98D8A4CF2
|
|
|
|
lophie
|
|
January 02, 2014, 05:13:31 AM |
|
Guys I will post a proper thread but I just wanted to get the news out. I am selling 34 ASICMINER direct shares for NXT! PM me your best offer. I repeat I do not accept BTC for those shares only NXT. PM your best offer.
-Lophie
|
Will take me a while to climb up again, But where is a will, there is a way...
|
|
|
opticalcarrier
|
|
January 02, 2014, 05:14:14 AM |
|
I think I downloaded the bad client zip from here: http://www.nxtcrypto.org/ I can't be sure yet and I still don't understand some of my timestamps, but I see in my browser logs that I accessed that page at around the time I updated to 0.4.8 and I'm pretty sure I remember using the link on that page. EDIT: I think I even remember laughing about how silly it was that that page pointed to an IP address for the download.
this is extremely disconcerting to me.. As far as I know there is only 1 person who has access to do stuff on www.nxtcrypto.org
Keep in mind we have www.nxtcrypto.org and also we host the files at info.nxtcrypto.org and at forums.nxtcrypto.org So please be 100% sure you got it at the www site because then we will be in a bind as to what to do about the person who runs it (QBTC at nextcoin). I've had to reason so far to mistrust her. I notice that paulyc says he did not get his from nxtcrypto.org but that he got it from a mega link. So basically we have 4 different people saying they got it from 3 different places.
1 person on a wget using the IP address
1 person from mega.co
1 person from nxtcrypto.org
1 person from nextcoin.org
What a mess. Hopefully you guys can figure out where it really came from?
|
|
|
|
opticalcarrier
|
|
January 02, 2014, 05:16:05 AM |
|
Are you sure? that page has a post about you upgrading your VPSs to 0.4.8, so I would think it happened before that
|
|
|
|
gbeirn
|
|
January 02, 2014, 05:24:50 AM |
|
I think I downloaded the bad client zip from here: http://www.nxtcrypto.org/ I can't be sure yet and I still don't understand some of my timestamps, but I see in my browser logs that I accessed that page at around the time I updated to 0.4.8 and I'm pretty sure I remember using the link on that page. EDIT: I think I even remember laughing about how silly it was that that page pointed to an IP address for the download.
Not that I don't think you could have DL'ed yours there. I'm pretty much positive (I don't have the browser proof since I've cleared my history probably 10x since then!) mine was DL'd from nextcoin.org, via the Mega link that was there at the time I DL'd it. The only reason I mention it is I DL'd that client.zip from nxtcrypto.org as well, and never touched it. Btw. that's awesome you got yours out.
Is 17480583094667840121 your new account?
|
NXT VPS Server Donations can be sent here: 6044921191674841550
At the end of each month I will donate some of them back to the community. This is separate from my main wallet so you can keep track of them. I will keep them in there and only use them for hosting.
|
|
|
newcn
|
|
January 02, 2014, 05:25:02 AM |
|
About my other account that was stolen: this account is my first account, and it has a weaker passphrase, so I left it, and almost never use it. the last time I logon with this account, if I remember it right, was 2013.12.30 09:05:27 GMT, when I assigned a few aliases. and at that time, the client I used should be 0.4.7e!!! so, friends, be careful about your account!!!!
|
BTC:1NzzfeHCgN8fF6mSG1UeBFCVd2cxKbGyHk NXT:13187911577562526278
|
|
|
bitcoinrocks
Legendary
Offline
Activity: 1372
Merit: 1000
|
|
January 02, 2014, 05:26:00 AM |
|
Are you sure? that page has a post about you upgrading your VPSs to 0.4.8, so I would think it happened before that
My post on that page was at 4:07PM and the first post on that page was at 3:19PM which is much more than enough time to upgrade. I wish we could see the edit history of those posts. But I can't be sure at all. Firefox is making this really difficult. I realized halfway through my investigation that it removes pages from your history once you access them again and it puts them back at the top of the list. How stupid. It also could have been nxtcrypto.org since I accessed it during my investigation because that means it wouldn't appear in its proper place in my history any more. It looks like it also could have been one page back on this forum from the post of mine I linked to above: https://bitcointalk.org/index.php?topic=345619.11900
|
|
|
|
bitcoinrocks
Legendary
Offline
Activity: 1372
Merit: 1000
|
|
January 02, 2014, 05:26:49 AM |
|
Is 17480583094667840121 your new account?
That is not my account.
|
|
|
|
Uniqueorn
Full Member
Offline
Activity: 182
Merit: 100
NXT.org
|
|
January 02, 2014, 05:27:09 AM |
|
About my other account that was stolen: this account is my first account, and it has a weaker passphrase, so I left it, and almost never use it. the last time I logon with this account, if I remember it right, was 2013.12.30 09:05:27 GMT, when I assigned a few aliases. and at that time, the client I used should be 0.4.7e!!! so, friends, be careful about your account!!!!
When did you download the client?
|
|
|
|
gbeirn
|
|
January 02, 2014, 05:27:52 AM |
|
Is 17480583094667840121 your new account?
That is not my account.
Sorry that was directed to PaulyC.
|
NXT VPS Server Donations can be sent here: 6044921191674841550
At the end of each month I will donate some of them back to the community. This is separate from my main wallet so you can keep track of them. I will keep them in there and only use them for hosting.
|
|
|
xyzzyx
Sr. Member
Offline
Activity: 490
Merit: 250
I don't really come from outer space.
|
|
January 02, 2014, 05:28:07 AM |
|
another account of mine was also stolen, it happened exactly the same time as former one, but only 93 nxt lost. the accounts my money goes:
9793828175536096502 balance 18197, contains all my stolen nxt
6164081464868000542 balance 9528, my 92 nxt goes here
the transactions happened at 2014.1.1 12:04:50 GMT
I see your signature still has 16886318053889080545 listed. You can't use that address again -- it belongs to the thief now. You should consider all of your old addresses as compromised. Do a fresh install of the NXT client that has the correct SHA-256 hash and select a new passphrase. You have to start new. Sorry man.
|
"An awful lot of code is being written ... in languages that aren't very good by people who don't know what they're doing." -- Barbara Liskov
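The post above advises installing only a client whose SHA-256 matches the published value, and earlier posts report copies fetched from several different places. As an added example (not code from anyone in this thread or from the NXT project), this checks every downloaded copy against one published digest, accepting the upper-case form in which the digest was posted here; the mirror labels and file contents are constructed.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path


def normalize_digest(text: str) -> str:
    """Accept a digest as posted on a forum: any case, stray spaces or colons."""
    cleaned = "".join(ch for ch in text if ch not in " \t\r\n:").lower()
    if len(cleaned) != 64 or any(ch not in "0123456789abcdef" for ch in cleaned):
        raise ValueError("not a SHA-256 hex digest")
    return cleaned


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Hash the file in chunks so a large archive is never fully in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def audit_copies(copies: dict, published: str) -> dict:
    """Map each source label to True only if its file matches the digest."""
    want = normalize_digest(published)
    return {label: hmac.compare_digest(sha256_file(Path(p)), want)
            for label, p in copies.items()}


def demo() -> dict:
    # Constructed sample data; "mirror-*" are hypothetical source labels.
    genuine = b"constructed genuine release bytes"
    tampered = genuine + b" plus injected code"
    with tempfile.TemporaryDirectory() as tmp:
        files = {"mirror-a": genuine, "mirror-b": tampered, "mirror-c": genuine}
        copies = {}
        for label, data in files.items():
            path = Path(tmp) / f"{label}.zip"
            path.write_bytes(data)
            copies[label] = path
        # Published digest in upper-case hex, as a forum post might show it.
        published = hashlib.sha256(genuine).hexdigest().upper()
        return audit_copies(copies, published)


if __name__ == "__main__":
    for source, ok in demo().items():
        print(f"{source}: {'OK' if ok else 'MISMATCH - do not run'}")
```

A match only proves the file equals whatever the digest describes, so the digest has to come from a channel the attacker does not control; a value posted on the same page as a tampered download link can be replaced along with it.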
|
|
|
newcn
|
|
January 02, 2014, 05:36:55 AM |
|
thank you for remind! I just changed it
|
BTC:1NzzfeHCgN8fF6mSG1UeBFCVd2cxKbGyHk NXT:13187911577562526278
|
|
|
EmoneyRu
|
|
January 02, 2014, 05:37:49 AM |
|
Any actual roadmap? What would happen @ 32k?
|
|
|
|
|