Stolen NXT Now On Bitcoin Blockchain...And Gone!?!
As previously discussed here ( https://bitcointalk.org/index.php?topic=345619.msg4656340#msg4656340 ), stolen NXT went on the move Jan 21 and Graviton said it was laundered thru Dgex by a "well known and reputable NXT community member". As radio commentator Paul Harvey used to say, here's "the rest of the story"...
First of all, my apologies to Graviton for rushing into print using the juicy shock-value phrase "well known and reputable NXT community member". Graviton didn't know I was going to do that, and I should not have. As Graviton later wrote to me, "I don't want to make it look like I'm suspecting or even setting up XYZ by assuming the identity instantly so strong as it looked like. My position is neutral - the wording about the thief being a prominent community member was wrongly chosen in haste, not anticipated for public distribution." So...I'm sorry, Graviton.
A forensic investigation should deal solely with facts and purge emotion as much as possible. I fell short of that standard.
So here are the facts as gathered by Graviton on Dgex use in laundering the stolen NXT:
******** BEGIN GRAVITON PM TO OPTICALC, RICKYJAMES AND SALSACZ ***********************
I do not expect a reply from the NXT thief any more after 30+ hours have passed from my contact, so here is the data I have available. I trust you make of it what you can, if anything;
Account number: 9550
Account established: Jan 19th
IP Address: 188.132.251.194 (did not change)
Account holder email:
salsacz@outlook.com (is delivered to, but does not reply - not surprisingly)
Deposited 284634 NXT from 2647797480528736696 on Jan 19th
Quick sold everything after deposit confirmed 2014-01-20 09:23 to 2014-01-20 09:34
Withdrew through instant cashout when it came available 2014-01-20 11:37 to 2014-01-20 12:22 in 7 payments (max system limit 3 BTC at once) to bitcoin address 13BDBCHyd916pTAyAXK4hYyjViqSzCuRcH
---
I hope the information helps you some forward, although you were probably expecting more than this.
The content of this message is ok for public release.
Regards,
Graviton
******** END GRAVITON PM TO OPTICALC, RICKYJAMES AND SALSACZ ***********************
So, do I believe Salsacz distributed Trojan clients weeks ago and opened up a new Dgex account in his own name to launder stolen NXT? No, I do not. Way too obvious.
I believe this is a setup or frame job, a last twist-of-the-knife joke by somebody who is a reader of this forum. So in that sense, it is still an inside job.
I've checked a few other things and I'm pretty much at a dead end.
Epic Thomas has not been on Bitcointalk since Jan 16, so if he's watching all of this and laughing, he's not using his old username. Somehow I don't think he's that smart. So I personally don't think this is EpicThomas any more than I think it is Salsacz.
There are a few interesting things I've learned about 188.132.251.194. It's in Turkey, but it seems to be owned by a Czech company called Mars Global Datacenter Services located at Probrezni 118, Prague, Czech Republic. This is where you would have to go for the server logs to determine who was behind the Turkish proxy on the day of the Dgex withdrawal...
It's curious to me that the computer used in the heist is owned by a company in the same city/country as the suspect it fingers. Even more so that they would try to frame a white-hat with experience in catching hackers who has dealt with thousands of cheaters ( https://bitcointalk.org/index.php?topic=345619.msg4322484#msg4322484 ).
My own personal opinion is that Salsacz has done WAY too much for the NXT community to rob others of their NXT. However, the way things sometimes work is that somebody around him could have seen Salsacz's enthusiasm for NXT and hatched a plot of their own. But that is just rank speculation on my part, I will never know.
So much for the getaway vehicle's license plate number. On to following the money.
Bitcoin address 13BDBCHyd916pTAyAXK4hYyjViqSzCuRcH is registered at Blockchain.info, which is one of the biggest online Bitcoin wallets. So the stolen NXT has been laundered into BTC, and here it sits, all $17,371.76 of it:
https://blockchain.info/address/13BDBCHyd916pTAyAXK4hYyjViqSzCuRcH
So I wrote Blockchain.info an email:
************ BEGIN RICKYJAMES EMAIL TO BLOCKCHAIN.INFO ***************
My name is Ricky X and I am a resident of X, X, USA. My
cell phone number is X.
I have been investigating the theft of large numbers of NXT coins through
use of a Trojan software package that was used by at least five users. On
Jan 20 the thief finally laundered the money through dgex.com to the
following Blockchain.info address:
https://blockchain.info/address/13BDBCHyd916pTAyAXK4hYyjViqSzCuRcH
I formally request that you freeze all funds in this account until you can
examine my chain of evidence and verify that I am telling you the truth.
Once you have done so, I ask that you release to me the email address and
cell number of the owner of this account.
Please let me know a direct email address to your security department and a
ticket number for this request and I will provide further details
immediately. Thanks for your help in investigating this theft.
-Ricky J. X
************ END RICKYJAMES EMAIL TO BLOCKCHAIN.INFO ***************
to which I got this response...
************ BEGIN BLOCKCHAIN.INFO EMAIL TO RICKYJAMES ***************
Ricky, Blockchain.info only deals in bitcoin, and no other altcoin. We also don't have any access to the funds in a user's wallet. This is due to the way our wallets work. A user controls his or her passwords and private keys, and Blockchain.info only stores the encrypted backups. We don't even know what public addresses are in a wallet, and a user doesn't even need to provide any type of personal information to set up a wallet. Sorry to hear of this, but Blockchain.info is unable to do any type of freeze on an account, especially since a user could easily import those private keys into any other wallet service available.
Mandrik | Blockchain.info Support
************ END BLOCKCHAIN.INFO EMAIL TO RICKYJAMES ***************
As an aside, I never heard back from Bter.com.
So I am out of ideas and I think it is the end of the line for me. I gave it my best shot.
As salsacz has noted, ( https://bitcointalk.org/index.php?topic=345619.msg4649481#msg4649481 ) I still haven't caught 1 thief or thief's Bitcointalk account or didn't find any new theft except of those who were found by others.
That's kinda like Yoda's "Do or do not, there is no try".
Sigh, sometimes the bad guys win.
A loss for us all, and a lesson to start from this point and do everything we can to strengthen NXT security, especially for new users that don't check SHA-256 of a client file or make a password longer than 11 characters.