Bitcoin Forum
Author Topic: NXT :: descendant of Bitcoin - Updated Information  (Read 2760075 times)
Come-from-Beyond
January 02, 2014, 11:56:46 AM
 #12421

> What part doesn't make sense?

What stops the attacker from doing exactly the same thing?
intel
January 02, 2014, 12:01:27 PM
 #12422

> Just catching up on the unfortunate happenings of the past 24 hours with the NXT Client.
>
> Both client links used recently on nextcoin.org (the MEGA and nxcrypto ones) main thread seem fine, as I had advised the mod replacing Drexme to use only links originating from CfB.
>
> However, the hash checker link that led to http://hashtab.ru/ downloads a file that reports a backdoor on 1/49 scans on VirusTotal:
>
> https://www.virustotal.com/en/file/56d18a52eb728807cb399d606eb5a127962684134b9923d62ed76b87c0d41a8f/analysis/1388661917/
>
> I have not been able to verify whether that is a false positive or not.
>
> Can anyone confirm that hashtab.ru serves a legit version of the hash checker?

You better use the real hashtab:

http://www.addictivetips.com/windows-tips/hashtab-calculate-compare-hash-checksum-values-from-file-properties/

newcn
January 02, 2014, 12:02:19 PM
 #12423

In summary, what I found from Chrome history:
from the download history, the malware link was:
http://162.243.246.223/nxt-client-0.4.8.zip
sha256: 948ce760c379f13f4ea9def6babaa36b0d706bf91098f1d64945fdde3eac5f06

The creation time and modification time of the zip file on my local disk were:
Code:
creation time: 2013.12.31, 20:31:14
modified time: 2013.12.31, 20:35:16

In that time period, I only accessed two pages:
Code:
20:29 https://bitcointalk.org/index.php?topic=345619.11740
20:30 https://bitcointalk.org/index.php?topic=345619.0

From the download history, I probably downloaded the malware from the first page, that is:
http://info.nxtcrypto.org/nxt-client-0.4.8.zip
(I found the new version and checked it on the first page, and it's true, there's an update there, but I don't like the mega site, it's slow from my home, so I downloaded the link from the first page.)
The thief might have changed the link directly,
or he might have changed the IP address of info.nxtcrypto.org.
The current IP of info.nxtcrypto.org is 46.28.204.121,
which is different from 162.243.246.223.


The following are some clues about the accounts where my nxt went:
2 of my accounts were stolen; one of them lost 18198 nxt. The nxt went to an account which only has one transaction, the account is 9793828175536096502. The nxt is still in this account; I find nothing from this account.

Another account of mine, which had a 93 nxt balance, was stolen to an account which has many transactions. I found something from this account: 6164081464868000542. The first transaction to this account happened on 16 DEC, which refers to another acc: 496131565008433801. In this account, there are 3 incoming transactions from acc: 6635869272840226493, which I remember is the account of dgex; each withdrawal at dgex comes from this account (at least for me). So, if the thief is the owner of acc: 6164081464868000542 and acc: 496131565008433801, he probably has an id at dgex!

jl777
January 02, 2014, 12:02:57 PM
 #12424

> > What part doesn't make sense?
>
> What stops the attacker from doing exactly the same thing?

That is why I specified that once you do this to an acct, it cannot be changed.
This is why it needs protocol-level support and not just client side.
Like an alias belongs to the first acct, the sendmoney public key cannot be changed once it is set.

People who want to secure their acct could set this up before they put big money into it.

How could the hacker set the sendmoney public key before the acct is fully funded?

James

smartwart
January 02, 2014, 12:12:14 PM
 #12425


> I am not a cryptographer and ...
>
> James


So please, don't try to be one.

landomata
January 02, 2014, 12:14:33 PM
 #12426


> > I am not a cryptographer and ...
> >
> > James
>
> So please, don't try to be one.

I don't think he is trying to be one.

CoinBuzz
January 02, 2014, 12:15:27 PM
 #12427

Why should we move our coins to new accounts when I have not used my pass on other public nodes and only on my local node?

smartwart
January 02, 2014, 12:15:49 PM
 #12428

Is there any time (time zone) for the source release?
I need to be sure the drinks will have the right temperature ;-)

swartzfeger
January 02, 2014, 12:17:49 PM
 #12429

> There is one serious security issue which is not completely fixed in 0.4.9e. All request URLs are being cached by the browser, and even though they don't appear in the browsing history (which is why we didn't discover the problem earlier), they are still in the browser cache. Check for yourself using about:cache on Firefox.
>
> This is bad, as it means your secret phrase is being written out to disk as plain text in the browser cache. And I am sure javascript exploits will appear which will try to extract it from there. To really fix that, all API requests from the browser that include the secret phrase have to be sent as POST, rather than GET requests. But this will require some significant changes to the javascript client, which will take some time. As we don't plan to maintain the current javascript client, I am not sure if such rewriting should even be undertaken now. In 0.4.9e I at least added the response headers which prevent caching to disk. Firefox honors those, but still caches the request URLs to memory. To be safe, I strongly suggest using a separate browser profile only for accessing your Nxt client, or private browsing mode. Everybody using 0.4.8 and earlier should immediately delete their browser cache.

Just quoting and bolding this so it doesn't get lost, particularly after the rogue client affair. Thanks for the update, Captain.
Come-from-Beyond
January 02, 2014, 12:19:30 PM
 #12430

> > > What part doesn't make sense?
> >
> > What stops the attacker from doing exactly the same thing?
>
> That is why I specified that once you do this to an acct, it cannot be changed.
> This is why it needs protocol-level support and not just client side.
> Like an alias belongs to the first acct, the sendmoney public key cannot be changed once it is set.
>
> People who want to secure their acct could set this up before they put big money into it.
>
> How could the hacker set the sendmoney public key before the acct is fully funded?
>
> James

I doubt that if someone logs in with the "1234" password they will use a strong 2nd password.
jl777
January 02, 2014, 12:20:29 PM
 #12431


> > I am not a cryptographer and ...
> >
> > James
>
> So please, don't try to be one.

I am very good at creative solutions to so-called impossible problems. I have extensive software expertise. I am trying to make nxt the most secure crypto at the architectural level. I am not proposing any new cryptographic algorithms, just using standard public/private keys in a way that has not been done before.

Maybe I am totally off base on this, but until I get a clear explanation of how this is wrong, I am apt to believe it is possible to add a second layer of security to nxt.

Why do you want me to stop?

James

landomata
January 02, 2014, 12:22:11 PM
 #12432


> I doubt that if someone logs in with the "1234" password they will use a strong 2nd password.

This line of reasoning is not correct... who said anyone would use 1234 as a password?

Edit: Many would most likely input 2 x 50 char random passwords.

jl777
January 02, 2014, 12:23:09 PM
 #12433

> > > > What part doesn't make sense?
> > >
> > > What stops the attacker from doing exactly the same thing?
> >
> > That is why I specified that once you do this to an acct, it cannot be changed.
> > This is why it needs protocol-level support and not just client side.
> > Like an alias belongs to the first acct, the sendmoney public key cannot be changed once it is set.
> >
> > People who want to secure their acct could set this up before they put big money into it.
> >
> > How could the hacker set the sendmoney public key before the acct is fully funded?
> >
> > James
>
> I doubt that if someone logs in with the "1234" password they will use a strong 2nd password.

CfB

Did you miss my post about the client automatically generating maximum-entropy private keys? Do you think jean-luc will generate 1234 as a private key?

Why all this resistance? I am not hearing valid objections to my proposed solution. Don't you want the option for people to be able to add a second layer of security?

James

swartzfeger
January 02, 2014, 12:24:13 PM
 #12434

> Why should we move our coins to new accounts when I have not used my pass on other public nodes and only on my local node?

See my previous post where I quoted/bolded Jean-Luc's update from the previous page.

1. Delete your browser cache
2. Enable private browsing
3. Use a separate, dedicated browser/profile for NXT client
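To make the cache leak in Jean-Luc's update (and the reason for the three steps above) concrete, here is a small model of it: the vulnerable GET request shape next to the POST shape, the simplified caching behaviour the thread reports (GET URLs hit disk unless `no-store` is set, and stay in memory even then; POST responses are not cached), and an audit that picks secret-carrying URLs out of a cache listing. This is an added example, not code from the Nxt client or from anyone in the thread; the parameter name `secretPhrase`, the `/nxt` path and the sample cache entries are assumptions constructed for illustration.

```python
"""Model of the GET-vs-POST secret-phrase leak, plus a cache audit.
Added example, not Nxt client code. The parameter name 'secretPhrase',
the '/nxt' path and SAMPLE_CACHE are assumptions / constructed data."""
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

SECRET_PARAMS = {"secretphrase"}          # assumed secret-carrying names
NO_STORE = {"Cache-Control": "no-store"}  # 0.4.9e-style response header


def build_request(host, request_type, params, method="GET"):
    """GET puts every parameter, secret included, into the URL; POST keeps
    only requestType in the URL and moves the rest into the body."""
    if method == "GET":
        query = urlencode({"requestType": request_type, **params})
        return {"method": "GET", "url": f"http://{host}/nxt?{query}", "body": None}
    return {"method": "POST",
            "url": f"http://{host}/nxt?requestType={request_type}",
            "body": urlencode(params)}


def cache_locations(request, response_headers):
    """Simplified browser behaviour as reported in the thread: a GET URL is
    the cache key and lands on disk unless no-store is set, and it stays in
    the in-memory cache even then; POST responses are not cached at all."""
    if request["method"] != "GET":
        return set()
    cc = response_headers.get("Cache-Control", "").lower()
    return {"memory"} if "no-store" in cc else {"memory", "disk"}


def secret_params_in_url(url):
    """Names of secret parameters present in the URL's query string."""
    return sorted(k for k in parse_qs(urlsplit(url).query)
                  if k.lower() in SECRET_PARAMS)


def redact_url(url):
    """Same URL with secret values replaced, safe to put in a report."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query, keep_blank_values=True)
    for key in qs:
        if key.lower() in SECRET_PARAMS:
            qs[key] = ["<redacted>"]
    return urlunsplit(parts._replace(query=urlencode(qs, doseq=True)))


def audit_cache(entries):
    """Given URLs as listed by about:cache, return redacted copies of the
    entries that embed a secret, i.e. what step 1 above is meant to purge."""
    return [redact_url(u) for u in entries if secret_params_in_url(u)]


# Constructed sample of what a cache listing might contain (not real data).
SAMPLE_CACHE = [
    "http://localhost/nxt?requestType=getBalance&account=123",
    "http://localhost/nxt?requestType=sendMoney&secretPhrase=correct+horse&recipient=456",
]
```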
Come-from-Beyond
January 02, 2014, 12:25:24 PM
 #12435


> > I doubt that if someone logs in with the "1234" password they will use a strong 2nd password.
>
> This line of reasoning is not correct... who said anyone would use 1234 as a password?

Sorry, maybe my English is not so good, I can't get his idea. I suspect that his approach will lead to an overcomplicated system with a lot of bugs that won't really work as intended.
salsacz
January 02, 2014, 12:26:29 PM
 #12436

> In summary, what I found from Chrome history:
> from the download history, the malware link was:
> http://162.243.246.223/nxt-client-0.4.8.zip
> sha256: 948ce760c379f13f4ea9def6babaa36b0d706bf91098f1d64945fdde3eac5f06
>
> The creation time and modification time of the zip file on my local disk were:
> Code:
> creation time: 2013.12.31, 20:31:14
> modified time: 2013.12.31, 20:35:16
>
> In that time period, I only accessed two pages:
> Code:
> 20:29 https://bitcointalk.org/index.php?topic=345619.11740
> 20:30 https://bitcointalk.org/index.php?topic=345619.0
>
> From the download history, I probably downloaded the malware from the first page, that is:
> http://info.nxtcrypto.org/nxt-client-0.4.8.zip
> (I found the new version and checked it on the first page, and it's true, there's an update there, but I don't like the mega site, it's slow from my home, so I downloaded the link from the first page.)
> The thief might have changed the link directly,
> or he might have changed the IP address of info.nxtcrypto.org.
> The current IP of info.nxtcrypto.org is 46.28.204.121,
> which is different from 162.243.246.223.
>
> The following are some clues about the accounts where my nxt went:
> 2 of my accounts were stolen; one of them lost 18198 nxt. The nxt went to an account which only has one transaction, the account is 9793828175536096502. The nxt is still in this account; I find nothing from this account.
>
> Another account of mine, which had a 93 nxt balance, was stolen to an account which has many transactions. I found something from this account: 6164081464868000542. The first transaction to this account happened on 16 DEC, which refers to another acc: 496131565008433801. In this account, there are 3 incoming transactions from acc: 6635869272840226493, which I remember is the account of dgex; each withdrawal at dgex comes from this account (at least for me). So, if the thief is the owner of acc: 6164081464868000542 and acc: 496131565008433801, he probably has an id at dgex!

This is the only account with a very weak password, and people were probably stealing Nxt from it 3x:
http://87.230.14.1/nxt/nxt.cgi?action=3000&acc=496131565008433801
(or 1x Nxt was only transferred to the 2nd account, where we can see many aliases: 14527793117125736279)

landomata
January 02, 2014, 12:27:13 PM
 #12437


> > > I doubt that if someone logs in with the "1234" password they will use a strong 2nd password.
> >
> > This line of reasoning is not correct... who said anyone would use 1234 as a password?
>
> Sorry, maybe my English is not so good, I can't get his idea. I suspect that his approach will lead to an overcomplicated system with a lot of bugs that won't really work as intended.

I'm not saying your English is bad... I'm just saying if the option was there many people would make use of it.

Edit: I'm also a bit confused.

jl777
January 02, 2014, 12:27:53 PM
 #12438

So the objection to my solution is that it is difficult.
Good, at least we are off the "impossible" mantra.

Founders, give me a million nxt and I will implement this myself.

James

Come-from-Beyond
January 02, 2014, 12:28:11 PM
 #12439

> Why all this resistance? I am not hearing valid objections to my proposed solution. Don't you want the option for people to be able to add a second layer of security?

The second layer should be added on the client side, not in the protocol. Bitcoin works without such workarounds, why can't Nxt?
smartwart
January 02, 2014, 12:28:52 PM
 #12440


> > > I am not a cryptographer and ...
> > >
> > > James
> >
> > So please, don't try to be one.
>
> I am very good at creative solutions to so-called impossible problems. I have extensive software expertise. I am trying to make nxt the most secure crypto at the architectural level. I am not proposing any new cryptographic algorithms, just using standard public/private keys in a way that has not been done before.
>
> Maybe I am totally off base on this, but until I get a clear explanation of how this is wrong, I am apt to believe it is possible to add a second layer of security to nxt.
>
> Why do you want me to stop?
>
> James

It's not wrong,
but it's not more secure either.
There is no difference between using one or two passwords for the probability of getting hacked.

The only way is to have a long (31+ character) passphrase with high entropy and only use the download links (signed) from the NxT dev crew.
