plasticAiredale
|
|
January 02, 2014, 03:07:11 PM |
|
The fact is that the stolen NXT from all five of these guys is sitting stuck in the five thief accounts and it can't get converted to BTC without going thru Dgex. That ain't gonna happen.
This is a major crime in the tens of thousands of dollars range and we know who did it. People go to prison for years for this kind of crap. (Are you reading this, EpicThomas? I know you are.)
You know, if the NXT were somehow to be magically transferred back into the accounts where it is supposed to be, maybe just maybe I won't personally make it my mission to find your home address and phone number, post it right here on this forum, and call the police in your local town or city.
Do you feel lucky, punk?
A MESSAGE TO EPIC THOMAS: Dude, I'm coming for you. You had better put back the NXT where it belongs before I find out who you are and go to the police. I will stop if you repay the NXT you have taken from others. Once I find out a name and address and turn it over to law enforcement, things are out of my hands. Until that time you can save yourself. Do it.
My email to customer service at Digital Ocean:
Can you identify the real name, email address, mailing address, and telephone number of the user renting a cloud server from you at 162.243.246.233 for the past several days? This person is involved in illegal activities and has stolen over $23,000 that we know of so far through unauthorized transfers of assets. When you have obtained this information, please let me know the name and location of the representative who may be contacted by local law enforcement. This is not a prank or joke. My name is X. I am a resident of X and you can contact me at my cell number of X if needed. Thank you, and I look forward to your prompt response.
I too am willing to chalk it up to an unfortunate mistake by you EpicThomas if you return EVERYONE'S NXT.
|
|
|
|
Buratino
Legendary
Offline
Activity: 1151
Merit: 1003
|
|
January 02, 2014, 03:07:25 PM |
|
rickyjames, you have made good investigation work to tracing thief! Thank you.
|
|
|
|
wesleyh
|
|
January 02, 2014, 03:10:38 PM |
|
Isn't there a javascript library to check sha256 sums? If so, somebody more fluent than me in javascript can easily add an update.html page to the client. It can request the value of the NRSversion alias from localhost, which contains the latest stable version and sha256, and I can also start putting the download url as a value of NRSrelease alias. Then download the zip file from that url, check if sha256 matches, and notify the user whether the downloaded zip file is legitimate or not. No need to trust a third party or manually check sha256 sums. Only the first time you download a client need to verify manually.
Great idea! Anyone fit in javascript? I'll get working on this!
|
|
|
|
Come-from-Beyond
Legendary
Offline
Activity: 2142
Merit: 1010
Newbie
|
|
January 02, 2014, 03:11:36 PM |
|
I too am willing to chalk it up to an unfortunate mistake by you EpicThomas if you return EVERYONE'S NXT.
Make sure he pays interest for holding these coins.
|
|
|
|
mcjavar
|
|
January 02, 2014, 03:12:16 PM |
|
Isn't there a javascript library to check sha256 sums? If so, somebody more fluent than me in javascript can easily add an update.html page to the client. It can request the value of the NRSversion alias from localhost, which contains the latest stable version and sha256, and I can also start putting the download url as a value of NRSrelease alias. Then download the zip file from that url, check if sha256 matches, and notify the user whether the downloaded zip file is legitimate or not. No need to trust a third party or manually check sha256 sums. Only the first time you download a client need to verify manually.
Great idea! Anyone fit in javascript? I'll get working on this!
I love you.
|
|
|
|
gbeirn
|
|
January 02, 2014, 03:13:34 PM |
|
...
Paying back stolen Nxt is not realistic. Shit happens. However PaulyC (and for a smaller extent newcn) should (and did) get bounty for uncovering the method of the theft, saving others.
Yeah, the amount of NXT stolen is quite a lot of money at this point, I can't imagine everyone being made whole. I'd love to be proved wrong, but I'm not expecting any compensation for what was my mistake in the end. Outside of EpicThomas refunding the NXT, or DGEX blacklisting/rerouting any attempts to sell the NXT, I'm not seeing this ending well for us. Any chance some big holders want to cash out and crash the price a little? I'd love to buy back in at my original price. I received a PM from someone who plans to send me some NXT to help divide up among those who lost NXT. Can we get a comprehensive list of who lost what as of right now.
|
NXT VPS Server Donations can be sent here: 6044921191674841550 At the end of each month I will donate some of them back to the community. This is separate from my main wallet so you can keep track of them. I will keep them in there and only use them for hosting.
|
|
|
wesleyh
|
|
January 02, 2014, 03:13:58 PM |
|
New version of the Nxt Mac Client is available here: http://nxtra.org/mac/ Sha256 for the zip file is also included on the page. New features: 1) Ability to check for updates for beta releases. (0.4.9e) - enable in preferences. 2) Auto-updates now check the sha256 and won't continue if it does not match what is said in the blockchain.
|
|
|
|
plasticAiredale
|
|
January 02, 2014, 03:17:14 PM |
|
...
Paying back stolen Nxt is not realistic. Shit happens. However PaulyC (and for a smaller extent newcn) should (and did) get bounty for uncovering the method of the theft, saving others.
Yeah, the amount of NXT stolen is quite a lot of money at this point, I can't imagine everyone being made whole. I'd love to be proved wrong, but I'm not expecting any compensation for what was my mistake in the end. Outside of EpicThomas refunding the NXT, or DGEX blacklisting/rerouting any attempts to sell the NXT, I'm not seeing this ending well for us. Any chance some big holders want to cash out and crash the price a little? I'd love to buy back in at my original price. I received a PM from someone who plans to send me some NXT to help divide up among those who lost NXT. Can we get a comprehensive list of who lost what as of right now.
salsacz posted this a page or two back:
Thief EpicThomas: https://bitcointalk.org/index.php?action=profile;u=172850;sa=showPosts
Owner of "epicdices.com" ( http://domain-kb.com/www/epicdices.com)
Thief posts made by nick EpicThomas (originally with a link to the hacked client):
31-12-2013, 14:23:22: https://bitcointalk.org/index.php?topic=345619.msg4237883#msg4237883
31-12-2013, 12:53:39: https://bitcointalk.org/index.php?topic=345619.msg4236707#msg4236707
28-12-2013, 13:28:54: https://bitcointalk.org/index.php?topic=345619.msg4184582#msg4184582
Since there were other thefts before these posts, older posts were deleted or posted by other account.
Thefts from block: http://87.230.14.1/nxt/nxt.cgi?action=1000&blk=17240155162180650056:
01.01.2014 12:56:54 18,665 Nxt from plasticAiredale http://87.230.14.1/nxt/nxt.cgi?action=3000&acc=15182566201738727933
01.01.2014 12:58:03 7,808 Nxt from PaulyC http://87.230.14.1/nxt/nxt.cgi?action=3000&acc=16204974692852323982 (more older thefts here) A
01.01.2014 13:01:45 18,197 Nxt from newcn http://87.230.14.1/nxt/nxt.cgi?action=3000&acc=9793828175536096502
01.01.2014 13:03:39 92 Nxt http://87.230.14.1/nxt/nxt.cgi?action=3000&acc=6164081464868000542 (more older thefts here) B
01.01.2014 13:05:06 147,690 Nxt from sparta_cuss http://87.230.14.1/nxt/nxt.cgi?action=3000&acc=12152013998194592943
Thefts from block: http://87.230.14.1/nxt/nxt.cgi?action=1000&blk=11727357463857289892
29.12.2013 08:21:32 99 Nxt http://87.230.14.1/nxt/nxt.cgi?action=3000&acc=16204974692852323982 A
29.12.2013 08:20:26 55 Nxt http://87.230.14.1/nxt/nxt.cgi?action=3000&acc=16204974692852323982 A
29.12.2013 08:19:32 502 Nxt http://87.230.14.1/nxt/nxt.cgi?action=3000&acc=16204974692852323982 A
29.12.2013 08:19:00 499 Nxt http://87.230.14.1/nxt/nxt.cgi?action=3000&acc=16204974692852323982 A
Single thefts (blocks checked):
27.12.2013 00:03:22 509 Nxt http://87.230.14.1/nxt/nxt.cgi?action=3000&acc=6164081464868000542 B
26.12.2013 20:26:15 499 Nxt http://87.230.14.1/nxt/nxt.cgi?action=3000&acc=6164081464868000542 B
26.12.2013 18:39:14 500 Nxt http://87.230.14.1/nxt/nxt.cgi?action=3000&acc=6164081464868000542 B
26.12.2013 12:53:07 98 Nxt http://87.230.14.1/nxt/nxt.cgi?action=3000&acc=6164081464868000542 B
block: http://87.230.14.1/nxt/nxt.cgi?action=1000&blk=7058684459482772470
25.12.2013 18:25:25 999 Nxt http://87.230.14.1/nxt/nxt.cgi?action=3000&acc=6164081464868000542 B
25.12.2013 18:24:54 705 Nxt http://87.230.14.1/nxt/nxt.cgi?action=3000&acc=6164081464868000542 B
Single thefts (blocks checked):
25.12.2013 14:59:46 499 Nxt http://87.230.14.1/nxt/nxt.cgi?action=3000&acc=6164081464868000542 B
block: http://87.230.14.1/nxt/nxt.cgi?action=1000&blk=15904983691408191996
23.12.2013 19:06:16 255 Nxt http://87.230.14.1/nxt/nxt.cgi?action=3000&acc=6164081464868000542 B
23.12.2013 19:08:26 1,004 http://87.230.14.1/nxt/nxt.cgi?action=3000&acc=10543042600713097314 (?? - not sure if theft)
23.12.2013 19:05:48 499 Nxt http://87.230.14.1/nxt/nxt.cgi?action=3000&acc=6164081464868000542 B
22.12.2013 09:22:08 999 Nxt http://87.230.14.1/nxt/nxt.cgi?action=3000&acc=6164081464868000542&offset=11&filter=1 B
16.12.2013 15:48:56 3,874 Nxt http://87.230.14.1/nxt/nxt.cgi?action=3000&acc=6164081464868000542&offset=11&filter=1 B
|
|
|
|
Come-from-Beyond
Legendary
Offline
Activity: 2142
Merit: 1010
Newbie
|
|
January 02, 2014, 03:17:47 PM |
|
2) Auto-updates now check the sha256 and won't continue if it does not match what is said in the blockchain.
How do u check it if u have not caught recent blocks yet?
|
|
|
|
landomata
Legendary
Offline
Activity: 2184
Merit: 1000
|
|
January 02, 2014, 03:18:07 PM |
|
Congratulations to HASH!
TOTAL VOTE:
HASH: 79 QTBC: 65
Disqualified (Accounts were open after Vote started): nebina - Hash mayat - Hash nexter - Hash chindit - QTBC Permafrost -Hash Bezy - Hash
POSTED TWICE: Attack-in- front - HASH Punkrock - Hash & QTBC (I think he meant to change his vote but rules are rules) https://nextcoin.org/index.php/topic,1927.0.html
|
|
|
|
S3MKi
Legendary
Offline
Activity: 1540
Merit: 1016
|
|
January 02, 2014, 03:18:52 PM |
|
...
Paying back stolen Nxt is not realistic. Shit happens. However PaulyC (and for a smaller extent newcn) should (and did) get bounty for uncovering the method of the theft, saving others.
Yeah, the amount of NXT stolen is quite a lot of money at this point, I can't imagine everyone being made whole. I'd love to be proved wrong, but I'm not expecting any compensation for what was my mistake in the end. Outside of EpicThomas refunding the NXT, or DGEX blacklisting/rerouting any attempts to sell the NXT, I'm not seeing this ending well for us. Any chance some big holders want to cash out and crash the price a little? I'd love to buy back in at my original price. I received a PM from someone who plans to send me some NXT to help divide up among those who lost NXT. Can we get a comprehensive list of who lost what as of right now.
I think this story with stolen nxt is specially surfaced the day before release source code. And I think we will new users who lose nxt because a holiday now.
|
|
|
|
gbeirn
|
|
January 02, 2014, 03:19:30 PM |
|
If anyone else wants to contribute anything to helping reimburse those who were affected my account is: 7692313866255280204 I just received 35K NXT from neer.g. Once we get some confirmations on that I will begin sending it out. Someone else PMd me that would like to contribute 1K. In the spirit of transparency: http://87.230.14.1/nxt/nxt.cgi?action=3000&acc=7692313866255280204 I love the community support here. Thank you everyone.
|
NXT VPS Server Donations can be sent here: 6044921191674841550 At the end of each month I will donate some of them back to the community. This is separate from my main wallet so you can keep track of them. I will keep them in there and only use them for hosting.
|
|
|
wesleyh
|
|
January 02, 2014, 03:20:02 PM |
|
2) Auto-updates now check the sha256 and won't continue if it does not match what is said in the blockchain.
How do u check it if u have not caught recent blocks yet?
If the app version is bigger or same as in blockchain then we won't proceed with downloading anyway. Only when a new version is found in the blockchain will we check the sha256. If nothing is found in blockchain (or not yet caught up) the user will not get an update notice.
|
|
|
|
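The update check wesleyh describes in the two posts above (compare versions first, hash the download only when the alias announces something newer, show no notice when the alias cannot be read), as an added example that is not code from the Nxt client or the Mac client. The alias value format `<version> <sha256 hex>`, the version ordering and the names `parseVersionAlias`, `compareVersions` and `checkUpdate` are assumptions, and it runs under Node.js rather than in a browser page.

```javascript
// Added example, not project code. Assumed alias value format: "<version> <sha256-hex>".
const { createHash } = require('crypto');

function sha256Hex(bytes) {
  return createHash('sha256').update(bytes).digest('hex');
}

// Returns { version, sha256 } or null when the alias value is missing or malformed.
function parseVersionAlias(value) {
  const text = String(value || '').trim().toLowerCase();
  const m = /^(\d+(?:\.\d+)*[a-z]?) +([0-9a-f]{64})$/.exec(text);
  return m ? { version: m[1], sha256: m[2] } : null;
}

function splitVersion(v) {
  const m = /^(\d+(?:\.\d+)*)([a-z]?)$/.exec(String(v).toLowerCase());
  if (!m) throw new Error('bad version string: ' + v);
  return { nums: m[1].split('.').map(Number), suffix: m[2] };
}

// Numeric compare per component, so 0.4.10 > 0.4.9. Assumption: a letter
// suffix such as the "e" in 0.4.9e sorts after the same version without one.
function compareVersions(a, b) {
  const x = splitVersion(a), y = splitVersion(b);
  const n = Math.max(x.nums.length, y.nums.length);
  for (let i = 0; i < n; i++) {
    const d = (x.nums[i] || 0) - (y.nums[i] || 0);
    if (d !== 0) return Math.sign(d);
  }
  if (x.suffix === y.suffix) return 0;
  return x.suffix < y.suffix ? -1 : 1;
}

// download is a callback returning the zip bytes; it is only invoked when the
// alias announces a version newer than the installed one.
function checkUpdate(installedVersion, aliasValue, download) {
  const adv = parseVersionAlias(aliasValue);
  if (!adv) {
    // Alias not found, unparsable, or local chain not caught up: stay silent.
    return { action: 'none', reason: 'no usable alias value' };
  }
  if (compareVersions(installedVersion, adv.version) >= 0) {
    return { action: 'none', reason: 'installed version is current' };
  }
  const actual = sha256Hex(download());
  if (actual !== adv.sha256) {
    return { action: 'reject', reason: 'sha256 mismatch', expected: adv.sha256, actual };
  }
  return { action: 'install', version: adv.version };
}

// Constructed sample data: stand-in bytes for a release zip and its alias value.
const demoZip = Buffer.from('constructed stand-in for a release zip');
const demoAlias = '0.4.9 ' + sha256Hex(demoZip);
console.log(checkUpdate('0.4.8', demoAlias, () => demoZip).action);
console.log(checkUpdate('0.4.8', demoAlias, () => Buffer.from('modified zip')).action);
```

The comparison only proves that the zip matches what the alias says, so the result is as trustworthy as the node answering the alias query and whoever controls the alias.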
BitcoinForumator
Legendary
Offline
Activity: 1120
Merit: 1000
|
|
January 02, 2014, 03:20:50 PM |
|
One thing that hasn't been mentioned (I don't think), how are we going to vet/verify future client downloads?
As much as I don't share some users' level of conviction when it comes to user adoption vs. difficulty (I think this is rickyjames point), regular users having to worry about 1) brain wallet, 2) clunky client installer PLUS having to verify SHA256 for every update might drive people away.
I also think a permanent solution should be found for the above issues.
To be honest, if the quality of software and all the ecosystem does not improve significantly, people will go away very soon. Now I guess most people here are attracted by the insanely fast growing price. Once it is stabilized, we will see more and more complaints about the user experience. For example, could you imagine an organization having millions of dollars does not have a reliable downloading service for frequent software upgrading? Is it so expensive to get a reliable VPS and setup a downloading server, or simply as a temporary solution just pay dropbox to get an official account with larger bandwidth?
This is so true.
|
|
|
|
bitcoinrocks
Legendary
Offline
Activity: 1372
Merit: 1000
|
|
January 02, 2014, 03:24:08 PM |
|
To be honest, if the quality of software and all the ecosystem does not improve significantly, people will go away very soon. Now I guess most people here are attracted by the insanely fast growing price. Once it is stabilized, we will see more and more complaints about the user experience.
For example, could you imagine an organization having millions of dollars does not have a reliable downloading service for frequent software upgrading? Is it so expensive to get a reliable VPS and setup a downloading server, or simply as a temporary solution just pay dropbox to get an official account with larger bandwidth?
I'm an Nxt believer but this is very true.
|
|
|
|
rickyjames
|
|
January 02, 2014, 03:25:35 PM |
|
If anyone else wants to contribute anything to helping reimburse those who were affected my account is: 7692313866255280204
I just received 35K NXT from neer.g. Once we get some confirmations on that I will begin sending it out.
I think this is a great effort but I urge you to hold off for a day or two and see if we can get EpicThomas to rethink the wisdom of keeping his ill-gotten gains and put the money back that he stole. Worth a shot. And I am 99.99% sure I will have the law on his tail if he doesn't. I am a persistent fellow once I take up a cause.
|
|
|
|
bitcoinrocks
Legendary
Offline
Activity: 1372
Merit: 1000
|
|
January 02, 2014, 03:25:51 PM |
|
I read talk of 4.9e but it isn't posted on the first page of this thread. Is it available?
|
|
|
|
timmyd
|
|
January 02, 2014, 03:27:45 PM |
|
You guys need to rethink this. The evidence shows pretty conclusively that Sparta_cuss was actually robbed and reported it before either PaulyC or newcn. Plus Framewood beat them all to it by a couple of days.
So - we gonna create a loss fund to cover 300K NXT and counting?
I'm relatively NXT poor, but I'll contribute 1k to a theft fund if it's set up.
The fact is that the stolen NXT from all five of these guys is sitting stuck in the five thief accounts and it can't get converted to BTC without going thru Dgex. That ain't gonna happen. This is a major crime in the tens of thousands of dollars range and we know who did it. People go to prison for years for this kind of crap. (Are you reading this, EpicThomas? I know you are.) You know, if the NXT were somehow to be magically transferred back into the accounts where it is supposed to be, maybe just maybe I won't personally make it my mission to find your home address and phone number, post it right here on this forum, and call the police in your local town or city. Do you feel lucky, punk?
Door kicking crew grouped and ready for a visit in the UK if needed. Just need an address
|
|
|
|
EpicThomas
Newbie
Offline
Activity: 19
Merit: 0
|
|
January 02, 2014, 03:32:21 PM |
|
I have just read the last 50 pages of this topic and wow this is crazy.
First of all yes the client was posted by me and I added some code that would send the secrets to my server. A week ago there were all the ddos issues and billions created which led to a lot of client updates. During these updates I noticed a lot of those clients had different hashes which made me wonder how easy it would be to modify the client and get it circulated. So that is what I did. I quoted the official post made by jean-luc on 31/12 and changed the url. Setting this all up took less than an hour. The server was only online for about an hour and I decided to shut it down after I had gotten access to about 10 accounts.
Now here is what is odd. Yes I got access to some accounts but not those people here who are claiming they got hacked. The accounts that I got access to never had more than 1000 nxt in them and I never had the intention of taking it. To the people who got hacked before 0.4.8 I can say that it was definitely not me who could have stolen your coins.
Normally at this point I was going to post details about how easy it is to steal nxt and how people have to be aware about where they download their client instead of only focussing on their pass strength. That point has been made very clear now in an unfortunate way.
To be honest if I had found an account containing a 50 million next I would have probably taken it and disappeared but that was not the case. I am human after all.
I know there are other modified clients around whether they use the same type of attack I don't know. Digitalocean has also contacted me that people here have sent complaints and that different IPs have logged in on my account. Whether someone else had access to my vps, people downloaded a different infected client or someone is playing it smart letting me take the blame I do not know.
People are angry and of course I can understand that but the only thing I can do is tell my story and hope a correct explanation for these thefts will appear.
|
|
|
|
rickyjames
|
|
January 02, 2014, 03:35:57 PM |
|
I have just read the last 50 pages of this topic and wow this is crazy.
First of all yes the client was posted by me and I added some code that would send the secrets to my server. A week ago there were all the ddos issues and billions created which led to a lot of client updates. During these updates I noticed a lot of those clients had different hashes which made me wonder how easy it would be to modify the client and get it circulated. So that is what I did. I quoted the official post made by jean-luc on 31/12 and changed the url. Setting this all up took less than an hour. The server was only online for about an hour and I decided to shut it down after I had gotten access to about 10 accounts.
Now here is what is odd. Yes I got access to some accounts but not those people here who are claiming they got hacked. The accounts that I got access to never had more than 1000 nxt in them and I never had the intention of taking it. To the people who got hacked before 0.4.8 I can say that it was definitely not me who could have stolen your coins.
Normally at this point I was going to post details about how easy it is to steal nxt and how people have to be aware about where they download their client instead of only focussing on their pass strength. That point has been made very clear now in an unfortunate way.
To be honest if I had found an account containing a 50 million next I would have probably taken it and disappeared but that was not the case. I am human after all.
I know there are other modified clients around whether they use the same type of attack I don't know. Digitalocean has also contacted me that people here have sent complaints and that different IPs have logged in on my account. Whether someone else had access to my vps, people downloaded a different infected client or someone is playing it smart letting me take the blame I do not know.
People are angry and of course I can understand that but the only thing I can do is tell my story and hope a correct explanation for these thefts will appear.
Nice to meet you. I haven't received a response from Digital Ocean yet. The clock is ticking. I don't back down. Ask my wife.
|
|
|
|
|