smartwart
January 02, 2014, 12:12:14 PM

> I am not a cryptographer and ...
> James

so please, don't try to be one.

NxT: 13574045486980287597
landomata
Legendary, Activity: 2184, Merit: 1000
January 02, 2014, 12:14:33 PM

> > I am not a cryptographer and ...
> > James
>
> so please, don't try to be one.

I don't think he is trying to be one.
CoinBuzz
January 02, 2014, 12:15:27 PM

Why should we move our coins to new accounts when I have not used my passphrase on other public nodes, only on my local node?
smartwart
January 02, 2014, 12:15:49 PM

Is there a time (and time zone) for the source release? I need to be sure the drinks will have the right temperature ;-)

NxT: 13574045486980287597
swartzfeger
January 02, 2014, 12:17:49 PM

> There is one serious security issue which is not completely fixed in 0.4.9e. All request URLs are being cached by the browser, and even though they don't appear in the browsing history (which is why we didn't discover the problem earlier), they are still in the browser cache. Check for yourself using about:cache in Firefox. This is bad, as it means your secret phrase is being written out to disk as plain text in the browser cache, and I am sure JavaScript exploits will appear which will try to extract it from there.
>
> To really fix that, all API requests from the browser that include the secret phrase have to be sent as POST rather than GET requests. But this will require some significant changes to the JavaScript client, which will take some time. As we don't plan to maintain the current JavaScript client, I am not sure if such rewriting should even be undertaken now. In 0.4.9e I at least added the response headers which prevent caching to disk. Firefox honors those, but still caches the request URLs in memory.
>
> To be safe, I strongly suggest using a separate browser profile only for accessing your Nxt client, or private browsing mode. Everybody using 0.4.8 and earlier should immediately delete their browser cache.

Just quoting and bolding this so it doesn't get lost, particularly after the rogue client affair. Thanks for the update, Captain.
Come-from-Beyond
Legendary, Activity: 2142, Merit: 1010
Newbie
January 02, 2014, 12:19:30 PM

> What part doesn't make sense?
>
> What stops the attacker from doing exactly the same thing?
>
> That is why I specified that once you do this to an acct, it cannot be changed. This is why it needs protocol-level support and not just client side. Like an alias belongs to the first acct, the sendmoney public key cannot be changed once it is set. People who want to secure their acct could set this up before they put big money into it. How could the hacker set the sendmoney public key before the acct is fully funded?
> James

I doubt that if someone logs in with a "1234" password they will use a strong 2nd password.
jl777
Legendary, Activity: 1176, Merit: 1134
January 02, 2014, 12:20:29 PM

> > I am not a cryptographer and ...
> > James
>
> so please, don't try to be one.

I am very good at creative solutions to so-called impossible problems. I have extensive software expertise. I am trying to make Nxt the most secure crypto at the architectural level. I am not proposing any new cryptographic algorithms, just using standard public/private keys in a way that has not been done before. Maybe I am totally off base on this, but until I get a clear explanation of how this is wrong, I am apt to believe it is possible to add a second layer of security to Nxt. Why do you want me to stop?

James
landomata
Legendary, Activity: 2184, Merit: 1000
January 02, 2014, 12:22:11 PM

> I doubt that if someone logs in with a "1234" password they will use a strong 2nd password.

This line of reasoning is not correct. Who said anyone would use 1234 as a password?

Edit: Many would most likely input 2 x 50-character random passwords.
jl777
Legendary, Activity: 1176, Merit: 1134
January 02, 2014, 12:23:09 PM

> > What part doesn't make sense?
> >
> > What stops the attacker from doing exactly the same thing?
> >
> > That is why I specified that once you do this to an acct, it cannot be changed. This is why it needs protocol-level support and not just client side. Like an alias belongs to the first acct, the sendmoney public key cannot be changed once it is set. People who want to secure their acct could set this up before they put big money into it. How could the hacker set the sendmoney public key before the acct is fully funded?
> > James
>
> I doubt that if someone logs in with a "1234" password they will use a strong 2nd password.

CfB, did you miss my post about the client automatically generating maximum-entropy private keys? Do you think Jean-Luc will generate 1234 as a private key? Why all this resistance? I am not hearing valid objections to my proposed solution. Don't you want the option for people to be able to add a second layer of security?

James
swartzfeger
January 02, 2014, 12:24:13 PM

> Why should we move our coins to new accounts when I have not used my passphrase on other public nodes, only on my local node?

See my previous post where I quoted/bolded Jean-Luc's update from the previous page.

1. Delete your browser cache
2. Enable private browsing
3. Use a separate, dedicated browser/profile for the NXT client
Come-from-Beyond
Legendary, Activity: 2142, Merit: 1010
Newbie
January 02, 2014, 12:25:24 PM

> > I doubt that if someone logs in with a "1234" password they will use a strong 2nd password.
>
> This line of reasoning is not correct. Who said anyone would use 1234 as a password?

Sorry, maybe my English is not so good; I can't get his idea. I suspect that his approach will lead to an overcomplicated system with a lot of bugs that won't really work as intended.
salsacz
January 02, 2014, 12:26:29 PM

> In summary, what I found from Chrome history: from the download history, the malware link was:
> http://162.243.246.223/nxt-client-0.4.8.zip
> sha256: 948ce760c379f13f4ea9def6babaa36b0d706bf91098f1d64945fdde3eac5f06
>
> The creation time and modification time of the zip file on my local disk were:
> creation time: 2013.12.31, 20:31:14
> modified time: 2013.12.31, 20:35:16
>
> In that time period, I only accessed two pages:
> 20:29 https://bitcointalk.org/index.php?topic=345619.11740
> 20:30 https://bitcointalk.org/index.php?topic=345619.0
>
> From the download history, I probably downloaded the malware from the first page, that is: http://info.nxtcrypto.org/nxt-client-0.4.8.zip (I found the new version and checked it on the first page, and it's true, there's an update there, but I don't like the mega site, it's slow from my home, so I downloaded the link from the first page). The thief might have changed the link directly, or he might have changed the IP address of info.nxtcrypto.org. The current IP of info.nxtcrypto.org is 46.28.204.121, which is different from 162.243.246.223.
>
> The following are some clues about the accounts where my nxt goes. 2 of my accounts were stolen. One of them lost 18198 nxt; the nxt goes to an account which only has one transaction, the account is 9793828175536096502, the nxt is still in this account, I find nothing from this account. Another account of mine, which had a 93 nxt balance, was stolen to an account which has many transactions. I found something from this account: 6164081464868000542. The first transaction to this account happened on 16 DEC, which refers to another acc: 496131565008433801. In this account, there are 3 incoming transactions from acc: 6635869272840226493, which I remember is the account of dgex; each withdrawal at dgex is coming from this account (at least for me). So, if the thief is the owner of acc: 6164081464868000542 and acc: 496131565008433801, he probably has an id in dgex!

This is only an account with a very weak password, and people were probably stealing Nxt from it 3x: http://87.230.14.1/nxt/nxt.cgi?action=3000&acc=496131565008433801 (or 1x; Nxt were only transferred to the 2nd account, where we can see many aliases: 14527793117125736279)
landomata
Legendary, Activity: 2184, Merit: 1000
January 02, 2014, 12:27:13 PM

> > > I doubt that if someone logs in with a "1234" password they will use a strong 2nd password.
> >
> > This line of reasoning is not correct. Who said anyone would use 1234 as a password?
>
> Sorry, maybe my English is not so good; I can't get his idea. I suspect that his approach will lead to an overcomplicated system with a lot of bugs that won't really work as intended.

I'm not saying your English is bad. I'm just saying that if the option was there, many people would make use of it.

Edit: I'm also a bit confused.
jl777
Legendary, Activity: 1176, Merit: 1134
January 02, 2014, 12:27:53 PM

So the objection to my solution is that it is difficult. Good, at least we are off the "impossible" mantra.

Founders, give me a million nxt and I will implement this myself.

James
Come-from-Beyond
Legendary, Activity: 2142, Merit: 1010
Newbie
January 02, 2014, 12:28:11 PM

> Why all this resistance? I am not hearing valid objections to my proposed solution. Don't you want the option for people to be able to add a second layer of security?

The second layer should be added on the client side, not in the protocol. Bitcoin works without such workarounds; why can't Nxt?
smartwart
January 02, 2014, 12:28:52 PM

> > > I am not a cryptographer and ...
> > > James
> >
> > so please, don't try to be one.
>
> I am very good at creative solutions to so-called impossible problems. I have extensive software expertise. I am trying to make Nxt the most secure crypto at the architectural level. I am not proposing any new cryptographic algorithms, just using standard public/private keys in a way that has not been done before. Maybe I am totally off base on this, but until I get a clear explanation of how this is wrong, I am apt to believe it is possible to add a second layer of security to Nxt. Why do you want me to stop?
> James

It's not wrong, but it's not more secure either. There is no difference between using one or two passwords for the probability of getting hacked. The only way is to have a long (31+ character) passphrase with high entropy and to only use the (signed) download links from the NxT dev crew.

NxT: 13574045486980287597
jl777
Legendary, Activity: 1176, Merit: 1134
January 02, 2014, 12:30:15 PM

> > Why all this resistance? I am not hearing valid objections to my proposed solution. Don't you want the option for people to be able to add a second layer of security?
>
> The second layer should be added on the client side, not in the protocol. Bitcoin works without such workarounds; why can't Nxt?

How can the client side enforce one-time setting of the sendmoney public key?
plasticAiredale
January 02, 2014, 12:31:39 PM

So what happened here? I see my NXT have been stolen as well. I only downloaded the client from this thread. Are there any plans to revert the blockchain? Honestly, if there are no plans to somehow correct this, I am giving up on this. This is very disappointing.

Account: 8439060069775407509
Come-from-Beyond
Legendary, Activity: 2142, Merit: 1010
Newbie
January 02, 2014, 12:32:40 PM

> How can the client side enforce one-time setting of the sendmoney public key?

API v2 won't have sendMoney. The client software will prepare the transaction and sign it locally. Then the transaction will be broadcast. This is 100% secure if the client provides 100% security.
xyzzyx
Sr. Member, Activity: 490, Merit: 250
I don't really come from outer space.
January 02, 2014, 12:35:26 PM

This one is for the null password: http://87.230.14.1/nxt/nxt.cgi?action=3000&acc=3791936988034107349

And I set this next one up with a purposefully weak password, mostly as a joke, and I was curious what people would do with it. I was hoping people would mark it with alias registrations, perhaps, and perhaps later use it like a geo-cache site once NXT storage was implemented. So far, it has been kind of disappointing to see it was merely plundered for the 2 NXT that were transferred in. http://87.230.14.1/nxt/nxt.cgi?action=3000&acc=2980315497189667873

I'm sure there are lots of others with weak passwords, but I've not taken the time myself to look for any. Others likely have.

"An awful lot of code is being written ... in languages that aren't very good by people who don't know what they're doing." -- Barbara Liskov