Author Topic: NXT :: descendant of Bitcoin - Updated Information  (Read 2761539 times)
smartwart
Full Member
Activity: 171
Merit: 100
January 02, 2014, 12:12:14 PM
 #12421


I am not a cryptographer and ...

James


so please, don't try to be one.

NxT: 13574045486980287597
landomata
Legendary
Activity: 2184
Merit: 1000
January 02, 2014, 12:14:33 PM
 #12422


I am not a cryptographer and ...

James


so please, don't try to be one.

I don't think he is trying to be one.

CoinBuzz
Sr. Member
Activity: 490
Merit: 250
January 02, 2014, 12:15:27 PM
 #12423

Why should we move our coins to new accounts when I have not used my pass on other public nodes, only on my local node?

smartwart
Full Member
Activity: 171
Merit: 100
January 02, 2014, 12:15:49 PM
 #12424

is there any time (time zone) for the source release?
I need to be sure the drinks will have the right temperature ;-)

swartzfeger
Full Member
Activity: 350
Merit: 100
January 02, 2014, 12:17:49 PM
 #12425

There is one serious security issue which is not completely fixed in 0.4.9e. All request URLs are being cached by the browser, and even though they don't appear in the browsing history (which is why we didn't discover the problem earlier), they are still in the browser cache. Check for yourself using about:cache on Firefox.
This is bad, as it means your secret phrase is being written out to disk as plain text in the browser cache. And I am sure javascript exploits will appear which will try to extract it from there. To really fix that, all API requests from the browser that include the secret phrase have to be sent as POST rather than GET requests. But this will require some significant changes to the javascript client, which will take some time. As we don't plan to maintain the current javascript client, I am not sure if such a rewrite should even be undertaken now. In 0.4.9e I at least added the response headers which prevent caching to disk. Firefox honors those, but still caches the request URLs in memory. To be safe, I strongly suggest using a separate browser profile only for accessing your Nxt client, or private browsing mode. Everybody using 0.4.8 and earlier should immediately delete their browser cache.

Just quoting and bolding this so it doesn't get lost, particularly after the rogue client affair. Thanks for the update, Captain.
Come-from-Beyond
Legendary
Activity: 2142
Merit: 1009
January 02, 2014, 12:19:30 PM
 #12426

What part doesn't make sense?

What stops an attacker from doing exactly the same thing?

That is why i specified that once you do this to an acct, it cannot be changed
This is why it needs protocol level support and not just client side
Like an alias belongs to first acct, sendmoney public key cannot be changed once it is set

People who want to secure their acct could set this up before they put big money into it

How could the hacker set sendmoney public key before the acct is fully funded?

James

I doubt that if someone logs in with "1234" as a password they will use a strong 2nd password.
jl777
Legendary
Activity: 1176
Merit: 1132
January 02, 2014, 12:20:29 PM
 #12427


I am not a cryptographer and ...

James


so please, don't try to be one.

I am very good at creative solutions to so-called impossible problems. I have extensive software expertise. I am trying to make nxt the most secure crypto at the architectural level. I am not proposing any new cryptographic algorithms, just using standard public/private keys in a way that has not been done before.

Maybe I am totally off base on this, but until I get a clear explanation of how this is wrong, I am apt to believe it is possible to add a second layer of security to nxt.

Why do you want me to stop?

James

http://www.digitalcatallaxy.com/report2015.html
100+ page annual report for SuperNET
landomata
Legendary
Activity: 2184
Merit: 1000
January 02, 2014, 12:22:11 PM
 #12428


I doubt that if someone logs in with "1234" as a password they will use a strong 2nd password.

This line of reasoning is not correct... who said anyone would use 1234 as a password?

Edit: Many would most likely input 2 x 50 char random passwords.

jl777
Legendary
Activity: 1176
Merit: 1132
January 02, 2014, 12:23:09 PM
 #12429

What part doesn't make sense?

What stops an attacker from doing exactly the same thing?

That is why i specified that once you do this to an acct, it cannot be changed
This is why it needs protocol level support and not just client side
Like an alias belongs to first acct, sendmoney public key cannot be changed once it is set

People who want to secure their acct could set this up before they put big money into it

How could the hacker set sendmoney public key before the acct is fully funded?

James


I doubt that if someone logs in with "1234" as a password they will use a strong 2nd password.

CfB

Did you miss my post about the client automatically generating maximum-entropy private keys? Do you think jean-luc will generate 1234 as a private key?

Why all this resistance? I am not hearing valid objections to my proposed solution. Don't you want the option for people to be able to add a second layer of security?

James

swartzfeger
Full Member
Activity: 350
Merit: 100
January 02, 2014, 12:24:13 PM
 #12430

Why should we move our coins to new accounts when I have not used my pass on other public nodes, only on my local node?

See my previous post where I quoted/bolded Jean-Luc's update from the previous page.

1. Delete your browser cache
2. Enable private browsing
3. Use a separate, dedicated browser/profile for NXT client
Come-from-Beyond
Legendary
Activity: 2142
Merit: 1009
January 02, 2014, 12:25:24 PM
 #12431


I doubt that if someone logs in with "1234" as a password they will use a strong 2nd password.

This line of reasoning is not correct... who said anyone would use 1234 as a password?

Sorry, maybe my English is not so good, I can't get his idea. I suspect that his approach will lead to an overcomplicated system with a lot of bugs that won't really work as intended.
salsacz
Hero Member
Activity: 490
Merit: 504
January 02, 2014, 12:26:29 PM
 #12432

In summary, what I found from Chrome history:
from download history, the malware link was:
http://162.243.246.223/nxt-client-0.4.8.zip
sha256: 948ce760c379f13f4ea9def6babaa36b0d706bf91098f1d64945fdde3eac5f06

the creation time and modification time of the zip file on my local disk was:
Code:
creation time: 2013.12.31, 20:31:14
modified time: 2013.12.31, 20:35:16

in that time period, I only accessed two pages:
Code:
20:29 https://bitcointalk.org/index.php?topic=345619.11740
20:30 https://bitcointalk.org/index.php?topic=345619.0

from the download history, I probably downloaded the malware from the first page, that is:
http://info.nxtcrypto.org/nxt-client-0.4.8.zip
(I found the new version and checked it on the first page, and it's true, there's an update there, but I don't like the mega site, it's slow from my home, so I downloaded the link from the first page)
the thief might have changed the link directly,
or he might have changed the IP address of info.nxtcrypto.org;
the current IP of info.nxtcrypto.org is 46.28.204.121,
which is different from 162.243.246.223


the following are some clues about the accounts where my nxt went:
2 of my accounts were stolen; one of them lost 18198 nxt, and the nxt went to an account which has only one transaction, the account is 9793828175536096502. The nxt is still in this account; I find nothing from this account.

another account of mine, which had a 93 nxt balance, was stolen to an account which has many transactions. I found something from this account: 6164081464868000542. The first transaction to this account happened on 16 DEC, which refers to another acc: 496131565008433801. In this account, there are 3 incoming transactions from acc: 6635869272840226493, which I remember is the account of dgex; each withdrawal at dgex comes from this account (at least for me). So, if the thief is the owner of acc: 6164081464868000542 and acc: 496131565008433801, he probably has an id at dgex!


this is only an account with a very weak password, and people were probably stealing Nxt from it 3x
http://87.230.14.1/nxt/nxt.cgi?action=3000&acc=496131565008433801
(or 1x Nxt were only transferred to the 2nd account, where we can see many aliases: 14527793117125736279)
landomata
Legendary
Activity: 2184
Merit: 1000
January 02, 2014, 12:27:13 PM
 #12433


I doubt that if someone logs in with "1234" as a password they will use a strong 2nd password.

This line of reasoning is not correct... who said anyone would use 1234 as a password?

Sorry, maybe my English is not so good, I can't get his idea. I suspect that his approach will lead to an overcomplicated system with a lot of bugs that won't really work as intended.

I'm not saying your English is bad... I'm just saying if the option was there many people would make use of it.

Edit: I'm also a bit confused

jl777
Legendary
Activity: 1176
Merit: 1132
January 02, 2014, 12:27:53 PM
 #12434

So the objection to my solution is that it is difficult.
Good, at least we are off the impossible mantra.

Founders, give me a million nxt and I will implement this myself.

James

Come-from-Beyond
Legendary
Activity: 2142
Merit: 1009
January 02, 2014, 12:28:11 PM
 #12435

Why all this resistance? I am not hearing valid objections to my proposed solution. Don't you want the option for people to be able to add a second layer of security?

The second layer should be added on the client side, not in the protocol. Bitcoin works without such workarounds, why can't Nxt?
smartwart
Full Member
Activity: 171
Merit: 100
January 02, 2014, 12:28:52 PM
 #12436


I am not a cryptographer and ...

James


so please, don't try to be one.

I am very good at creative solutions to so-called impossible problems. I have extensive software expertise. I am trying to make nxt the most secure crypto at the architectural level. I am not proposing any new cryptographic algorithms, just using standard public/private keys in a way that has not been done before.

Maybe I am totally off base on this, but until I get a clear explanation of how this is wrong, I am apt to believe it is possible to add a second layer of security to nxt.

Why do you want me to stop?

James


It's not wrong,
but it's not more secure either.
There is no difference between using one or two passwords in the probability of getting hacked.

The only way is to have a long (31+ character) pass-phrase with high entropy and to only use the (signed) download links from the NxT dev. crew.
jl777
Legendary
Activity: 1176
Merit: 1132
January 02, 2014, 12:30:15 PM
 #12437

Why all this resistance? I am not hearing valid objections to my proposed solution. Don't you want the option for people to be able to add a second layer of security?

The second layer should be added on the client side, not in the protocol. Bitcoin works without such workarounds, why can't Nxt?

How can the client side enforce one-time setting of the sendmoney public key?

plasticAiredale
Full Member
Activity: 207
Merit: 120
January 02, 2014, 12:31:39 PM
 #12438

So what happened here? I see my NXT have been stolen as well. I only downloaded the client from this thread. Are there any plans to revert the blockchain? Honestly, if there are no plans to somehow correct this, I am giving up on this. This is very disappointing.



Account: 8439060069775407509
Come-from-Beyond
Legendary
Activity: 2142
Merit: 1009
January 02, 2014, 12:32:40 PM
 #12439

How can the client side enforce one-time setting of the sendmoney public key?

API v2 won't have sendMoney. Client software will prepare the transaction and sign it locally. Then the transaction will be broadcast. This is 100% secure if the client provides 100% security.
xyzzyx
Sr. Member
Activity: 490
Merit: 250
January 02, 2014, 12:35:26 PM
 #12440

this is only an account with a very weak password, and people were probably stealing Nxt from it 3x
http://87.230.14.1/nxt/nxt.cgi?action=3000&acc=496131565008433801
(or 1x Nxt were only transferred to the 2nd account, where we can see many aliases: 14527793117125736279)

This one is for the null password:
http://87.230.14.1/nxt/nxt.cgi?action=3000&acc=3791936988034107349

And I set this next one up with a purposefully weak password mostly as a joke, and I was curious what people would do with it.  I was hoping people would mark it with alias registrations, perhaps.  Perhaps later using it like a geo-cache site once NXT storage was implemented.  So far, it has been kinda disappointing to see it was merely plundered for the 2 NXT that were transferred in.
http://87.230.14.1/nxt/nxt.cgi?action=3000&acc=2980315497189667873

I'm sure there are lots of others with weak passwords, but I've not taken the time myself to look for any.  Others likely have.

"An awful lot of code is being written ... in languages that aren't very good by people who don't know what they're doing." -- Barbara Liskov