Damelon
Legendary
 Offline
Activity: 1092
Merit: 1010
|
 |
January 18, 2014, 10:09:07 PM |
|
@punkrock
Oh look, an actual original stakeholder seen in the wild
and busy forging away like a good 'un. I just got the image of a blacksmith that becomes progressively more lazy the poorer his patron is  |
|
|
|
|
|
|
|
|
You can see the statistics of your reports to moderators on the "Report to moderator" pages.
|
|
|
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction.
|
|
davethetrousers
|
|
January 18, 2014, 10:13:02 PM |
|
Hittin' dat horseshoe since Nov 2013
|
|
|
|
TwinWinNerD
Legendary
Offline
Activity: 1680
Merit: 1001
CEO Bitpanda.com
|
|
January 18, 2014, 10:30:03 PM |
|
Omg, someone cleared 3 of my accounts.... I used 256bit keys generated by Keepass 2. I am using NRS 0.5.8 that installed today and downloaded from nxtcrypto.org. I am using Windows 7 Professional and am running Avira and Microsoft Security Essentials. The NXT was transferred about half an hour ago, also while i was forging. My PC was running unlocked but i can be 99.99% sure that no one had access to it physically. So I don't really know how this happend?!? It can't be bruteforce right? My accounts: 8423671173148912884 107,217 12345678612257264594 71 13486646175575465553 998 The NXT are now in this account: 696356957947686421 Balance Total : 108,286 NXT Fuck me... Btw the password of the third account was for example: af5c73ca7cf5f25ffa3b6b1689f40aaf60fd040b0de298c1ca661f8602d38311 Any chance of seeing these NXT again?  |
|
|
|
|
relm9
|
|
January 18, 2014, 10:36:34 PM |
|
Omg, someone cleared 3 of my accounts.... I used 256bit keys generated by Keepass 2. I am using NRS 0.5.8 that installed today and downloaded from nxtcrypto.org. I am using Windows 7 Professional and am running Avira and Microsoft Security Essentials. The NXT was transferred about half an hour ago, also while i was forging. My PC was running unlocked but i can be 99.99% sure that no one had access to it physically. So I don't really know how this happend?!? It can't be bruteforce right? My accounts: 8423671173148912884 107,217 12345678612257264594 71 13486646175575465553 998 The NXT are now in this account: 696356957947686421 Balance Total : 108,286 NXT Fuck me... Btw the password of the third account was for example: af5c73ca7cf5f25ffa3b6b1689f40aaf60fd040b0de298c1ca661f8602d38311 Any chance of seeing these NXT again? Well the second and third accounts had no outgoing transactions, if you haven't sent any NXT out all it takes is a collision to access the account which means they don't need the actual passphrase. What about the first, was it you that sent 1 NXT out on 09.01.2014 ? Actually, just noticed you forged a block on that account so it would have been protected with a 256-bit key then. |
|
|
|
|
|
bidji29
|
|
January 18, 2014, 10:36:46 PM |
|
Omg, someone cleared 3 of my accounts.... I used 256bit keys generated by Keepass 2. I am using NRS 0.5.8 that installed today and downloaded from nxtcrypto.org. I am using Windows 7 Professional and am running Avira and Microsoft Security Essentials. The NXT was transferred about half an hour ago, also while i was forging. My PC was running unlocked but i can be 99.99% sure that no one had access to it physically. So I don't really know how this happend?!? It can't be bruteforce right? My accounts: 8423671173148912884 107,217 12345678612257264594 71 13486646175575465553 998 The NXT are now in this account: 696356957947686421 Balance Total : 108,286 NXT Fuck me... Btw the password of the third account was for example: af5c73ca7cf5f25ffa3b6b1689f40aaf60fd040b0de298c1ca661f8602d38311 Any chance of seeing these NXT again? The fact 3 of your account were compromised is important. It make it obvious your PC was infected. If NXT account were bruteforced, you wouldn't have lost 3 of your account at the same time. Please check the sha256 of your NRS version |
|
|
|
Anon136
Legendary
Offline
Activity: 1722
Merit: 1217
|
|
January 18, 2014, 10:38:13 PM |
|
Windows
problem discovered |
Rep Thread: https://bitcointalk.org/index.php?topic=381041If one can not confer upon another a right which he does not himself first possess, by what means does the state derive the right to engage in behaviors from which the public is prohibited? |
|
|
jl777
Legendary
Offline
Activity: 1176
Merit: 1132
|
|
January 18, 2014, 10:38:21 PM |
|
I think the other people who got hacked also said they used keypass.
What do we know about this keypass?
James
|
|
|
|
|
Secondleo
|
|
January 18, 2014, 10:38:44 PM |
|
Omg, someone cleared 3 of my accounts.... I used 256bit keys generated by Keepass 2. I am using NRS 0.5.8 that installed today and downloaded from nxtcrypto.org. I am using Windows 7 Professional and am running Avira and Microsoft Security Essentials. The NXT was transferred about half an hour ago, also while i was forging. My PC was running unlocked but i can be 99.99% sure that no one had access to it physically. So I don't really know how this happend?!? It can't be bruteforce right? My accounts: 8423671173148912884 107,217 12345678612257264594 71 13486646175575465553 998 The NXT are now in this account: 696356957947686421 Balance Total : 108,286 NXT Fuck me... Btw the password of the third account was for example: af5c73ca7cf5f25ffa3b6b1689f40aaf60fd040b0de298c1ca661f8602d38311 Any chance of seeing these NXT again? This is not a fully secure password. This looks very much like a Hex number. Only lower case a to f and Numbers. Something like that, even as long as it is, is cracked rather fast. It seems someone out there is brute forcing with number chains. I had an account which had another rather serious flaw in choice of password. It was luckily not hacked. |
|
|
|
|
|
Bitventurer
|
|
January 18, 2014, 10:39:32 PM |
|
Omg, someone cleared 3 of my accounts.... I used 256bit keys generated by Keepass 2. I am using NRS 0.5.8 that installed today and downloaded from nxtcrypto.org. I am using Windows 7 Professional and am running Avira and Microsoft Security Essentials. The NXT was transferred about half an hour ago, also while i was forging. My PC was running unlocked but i can be 99.99% sure that no one had access to it physically. So I don't really know how this happend?!? It can't be bruteforce right? My accounts: 8423671173148912884 107,217 12345678612257264594 71 13486646175575465553 998 The NXT are now in this account: 696356957947686421 Balance Total : 108,286 NXT Fuck me... Btw the password of the third account was for example: af5c73ca7cf5f25ffa3b6b1689f40aaf60fd040b0de298c1ca661f8602d38311 Any chance of seeing these NXT again? had you used online wallet? or local client? |
SP8DE - The Game of Chance. Changed.
|
|
|
coolmist
Newbie
Offline
Activity: 56
Merit: 0
|
|
January 18, 2014, 10:39:42 PM |
|
Hittin' dat horseshoe since Nov 2013
it is nice and predictable isn't it? Working on a long message NXT client for Mac with encryption. Here is the code for dispatching a message, I commented off the encryption so it can easily be run and proven as functional. Paths to pubkey and privkey will be changed, just a temporary fix. script AppDelegate
property parent : class "NSObject"
property textField : missing value
property secretPhrase : missing value
property messageFee : missing value
property accountReceiver : missing value
property messageEncrypted : missing value
property keyReceiver : missing value
set rsaPrivate to "/Library/rsaprivkey.pem"
set rsaPublic to "/Library/rsapubkey.pub"
tell application "Finder"
if not exists rsaPrivate as POSIX file then
do shell script "openssl genrsa -out " & rsaPrivate & " 16384"
end if
if not exists rsaPublic as POSIX file then
do shell script "openssl rsa -in " & rsaPrivate & " -pubout > " & rsaPublic
end if
end tell
set rsapubkey to (do shell script "cat " & quoted form of rsaPublic) as text
tell application "Finder"
set theName to name of file 1
end tell
on buttonClicked_(sender)
set feeMessage to (stringValue() of messageFee)
set receiveraccount to (stringValue() of accountReceiver)
set textCipher to "/Library/ciphertext.txt"
-- write receiver's public key to a file--
set rpubPath to "/Library/pubreceiver.key"
set rpubKey to (stringValue() of keyReceiver)
tell application "System Events"
set file_ref to open for access rpubPath with write permission
set eof of file_ref to 0
write ((stringValue() of keyReceiver) as text) to file_ref
close access file_ref
end tell
-- write receiver's public key to a file--
--write plaintext to a file--
set textPlain to "/Library/plaintext.txt"
set message to (stringValue() of textField)
tell application "System Events"
set file_ref2 to open for access textPlain with write permission
set eof of file_ref2 to 0
write ((stringValue() of textField) as text) to file_ref2
close access file_ref2
end tell
--write plaintext to a file--
set ciphertext to do shell script "cat " & quoted form of textPlain
--encrypt plaintext to ciphertext--
-- do shell script "openssl rsautl -encrypt -pubin -inkey " & RpubPath & " -in " & textPlain & " -out " & textCipher
-- set ciphertext to (do shell script "cat " & textCipher)
--encrypt plaintext to ciphertext--
--cipher to hex
set thelist to "0123456789ABCDEF"
set hexvalue to ""
repeat with i in ciphertext
set theAscii to ASCII number of i
set hexvalue to hexvalue & character (theAscii div 16 + 1) of thelist & character (theAscii mod 16 + 1) of thelist
end repeat
set finalText to (hexvalue as text)
--cipher to hex
set messageLength to the length of finalText
set var_a to messageLength / 4
set var_b to var_a / 200
set iterations to round var_b rounding up
set counter to 1
repeat iterations times
if messageLength is less than 800 then
set charnumberalpha to 1
set charnumberbeta to messageLength
else
set charmaximum to messageLength
if counter is equal to iterations then
set charnumberalpha to 1 + 800 * (counter - 1)
set charnumberbeta to charmaximum
else
set charnumberalpha to 1 + 800 * (counter - 1)
set charnumberbeta to 800 + 800 * (counter -1)
end if
end if
set messageFinal to (text charnumberalpha thru charnumberbeta of finalText)
if counter is less than 10 then
set identifierLength to 1
else
set identifierLength to the length of counter
end if
set completeMessage to identifierLength & "000" & counter & "000" & messageFinal
set urlMassive to "http://localhost:7874/nxt?requestType=sendMessage&secretPhrase=" & (stringValue() of secretPhrase) & "&recipient=" & (stringValue() of accountReceiver) & "&fee=" & (stringValue() of messageFee) & "&deadline=1440" & "&message=" & completeMessage
do shell script "open " & quoted form of urlMassive
set counter to counter + 1
end repeat
end buttonClicked_
on applicationWillFinishLaunching_(aNotification)
-- Insert code here to initialize your application before any files are opened
end applicationWillFinishLaunching_
on applicationShouldTerminate_(sender)
-- Insert code here to do any housekeeping before your application quits
return current application's NSTerminateNow
end applicationShouldTerminate_
I'm adapting this to upload files onto the blockchain. zip will be converted to hex in python this looks like with open(filename, 'rb') as f: content = f.read() print(binascii.hexlify(content)) hex will be truncated and given identifiers individual messages will be dispatched master message(s) will be dispatched containing "directory" of information signature message(s) will be sent to validate master message (s) to get file master messages are loaded and checked with signature messages if true then identifiers will be read and messages will be parsed in ascending order hex will be converted to zip posted script contains method of using identifiers. |
|
|
|
|
|
punkrock
|
|
January 18, 2014, 10:40:14 PM |
|
@TwinWinNerD: I don't want to be an asshole, but how do we know, that 696356957947686421 isn't your account?
|
|
|
|
|
|
|
jl777
Legendary
Offline
Activity: 1176
Merit: 1132
|
|
January 18, 2014, 10:41:09 PM |
|
I don't want to be an asshole, but how do we know, that 696356957947686421 isn't your account?
Does the acct have a public key? This could be related to the previous unsolved mystery |
|
|
|
|
punkrock
|
|
January 18, 2014, 10:42:20 PM |
|
Come on, guys. KeePass is safe. I'm using it since years! Don't spread rumors about it. |
|
|
|
|
|
relm9
|
|
January 18, 2014, 10:42:32 PM |
|
I don't want to be an asshole, but how do we know, that 696356957947686421 isn't your account?
Yes, he should post the actual passphrase. No harm in doing so since it's been compromised anyway. |
|
|
|
|
jl777
Legendary
Offline
Activity: 1176
Merit: 1132
|
|
January 18, 2014, 10:43:07 PM |
|
Web based password generator?? Is the password sent in plain text at any point? It could be packet sniffers or somebody that knows the keypass algorithm (hacker or insider) We need a verified random password generator for Windows that can be run locally |
|
|
|
|
EvilDave
|
|
January 18, 2014, 10:43:21 PM |
|
Gone quiet all of a sudden....
That was an interesting day, to say the least.
Good moment for my 2 cents worth:
Unclaimed 10 million NXT: like the idea of giving it to 10 unknown accounts, don't like the idea of putting a lock mechanism into the code.
Unless the lock is actually a properly planned feature, we shouldn't finagle the code just for one-off situations.
Be a good idea for the 10 accounts to submit their real-world identities to an trusted Nxt'er, such as Anon136 or rickyjames.
Destroying the 10 mill is such a bad idea, i could cry. (Just give it to me, I'll see how quickly I can burn thru it)
Amsterdam Bitcoin conferences: I'm up to help, maybe with getting promo material sorted out. We need to form a working group to get moving on this. Maybe even a real-world meet-up in the not-to-distant future.....no clowns allowed, tho'
Love the price at the moment, but keep looking to the long term, guys. NXT has not arrived yet, but we do have a very good start.
Onwards and upwards.
|
|
|
|
Damelon
Legendary
Offline
Activity: 1092
Merit: 1010
|
|
January 18, 2014, 10:43:35 PM |
|
Come on, guys. KeePass is safe. I'm using it since years! Don't spread rumors about it. I'm not spreading rumours, I am answering a question. I use KeePass, too |
|
|
|
Anon136
Legendary
Offline
Activity: 1722
Merit: 1217
|
|
January 18, 2014, 10:43:43 PM |
|
Omg, someone cleared 3 of my accounts.... I used 256bit keys generated by Keepass 2. I am using NRS 0.5.8 that installed today and downloaded from nxtcrypto.org. I am using Windows 7 Professional and am running Avira and Microsoft Security Essentials. The NXT was transferred about half an hour ago, also while i was forging. My PC was running unlocked but i can be 99.99% sure that no one had access to it physically. So I don't really know how this happend?!? It can't be bruteforce right? My accounts: 8423671173148912884 107,217 12345678612257264594 71 13486646175575465553 998 The NXT are now in this account: 696356957947686421 Balance Total : 108,286 NXT Fuck me... Btw the password of the third account was for example: af5c73ca7cf5f25ffa3b6b1689f40aaf60fd040b0de298c1ca661f8602d38311 Any chance of seeing these NXT again? This is not a fully secure password. This looks very much like a Hex number. Only lower case a to f and Numbers. Something like that, even as long as it is, is cracked rather fast. It seems someone out there is brute forcing with number chains. I had an account which had another rather serious flaw in choice of password. It was luckily not hacked. There is no way this can be right. If that was a true random hex number with that many digits there is no way it could be cracked easily. Can someone else input on this? |
Rep Thread: https://bitcointalk.org/index.php?topic=381041If one can not confer upon another a right which he does not himself first possess, by what means does the state derive the right to engage in behaviors from which the public is prohibited? |
|
|
Damelon
Legendary
Offline
Activity: 1092
Merit: 1010
|
|
January 18, 2014, 10:44:55 PM |
|
Web based password generator?? Is the password sent in plain text at any point? It could be packet sniffers or somebody that knows the keypass algorithm (hacker or insider) We need a verified random password generator for Windows that can be run locally KeePass is a locally run application. Not web based. |
|
|
|
|
