Come-from-Beyond
Legendary
Offline
Activity: 2142
Merit: 1010
Newbie
|
|
February 07, 2014, 04:37:18 PM |
|
But if the bug has been fixed you sure could tell us which part of the code was altered. I am interested in taking a look at the changes.
Jean-Luc altered it. I'm not so familiar with the refactored version to find this change.
|
|
|
|
CIYAM
Legendary
Offline
Activity: 1890
Merit: 1086
Ian Knowles - CIYAM Lead Developer
|
|
February 07, 2014, 04:40:41 PM |
|
Why the rush? Oh - let me take a guess - a bunch of new accounts praising another new account that is trying to get "investment".
|
|
|
|
xyzzyx
Sr. Member
Offline
Activity: 490
Merit: 250
I don't really come from outer space.
|
|
February 07, 2014, 04:42:39 PM |
|
rofl. i completely missed that thread where i was mentioned like a dozen times
U should monetize ur reputation. If u were a fiat gateway operator for Asset Exchange, u would help the community a lot. I would accept dollars issued by u without any doubt. Think of such a business plz...
Anon136, If you do consider fiat gateway, iDeal might be something to look into for accepting Euros. http://www.ideal.nl/banken/?lang=eng-GB
I had asked in this thread earlier if anyone had any experience with it, and a member did PM me to tell me that he used it and that it was awesome. If you're interested, I can ask him to PM you, also, to get an idea of how it is used. He gave me this link: http://www.bitcoinvergelijker.nl/
But I don't speak Dutch so I only got a vague idea of what is said there.
|
"An awful lot of code is being written ... in languages that aren't very good by people who don't know what they're doing." -- Barbara Liskov
|
|
|
Jesse James
Newbie
Offline
Activity: 29
Merit: 0
|
|
February 07, 2014, 04:48:16 PM |
|
Critical bug disclosure
Few days ago the guy who found a vulnerability in Blockchain.Info and picked the secret phrase of Nxt genesis account found a security flaw in NRS cryptographic algorithm. ... I can't explain details of the flaw, coz it's out of my area of expertise. U can contact him directly via nextcoin.org forum.
I'm the guy. I just created a thread providing more technical details https://nextcoin.org/index.php/topic,3884.0.html and to answer questions. I don't really check this forum/thread so posting there is the best way to reach me.
|
|
|
|
BitcoinForumator
Legendary
Offline
Activity: 1120
Merit: 1000
|
|
February 07, 2014, 04:48:23 PM |
|
|
|
|
|
Anon136
Legendary
Offline
Activity: 1722
Merit: 1217
|
|
February 07, 2014, 04:48:55 PM |
|
rofl. i completely missed that thread where i was mentioned like a dozen times
U should monetize ur reputation. If u were a fiat gateway operator for Asset Exchange, u would help the community a lot. I would accept dollars issued by u without any doubt. Think of such a business plz...
I was planning on being the silver bullion gateway but I could also do fiat.
|
Rep Thread: https://bitcointalk.org/index.php?topic=381041
If one can not confer upon another a right which he does not himself first possess, by what means does the state derive the right to engage in behaviors from which the public is prohibited?
|
|
|
IveBeenBit
|
|
February 07, 2014, 04:51:50 PM |
|
Although the Nxt Asset Exchange will be a useful addition I think that we are missing something that could be much more useful (and perhaps a "killer" addition) and that is "atomic cross-chain crypto-currency transfers" (some of you would recall I've already mentioned it).
...
It wouldn't work fast enough to do "day trading" but for those not in a huge rush the promise of 100% secure transactions with only minimal blockchain fees would be pretty appealing.
What do you guys think?
Given the history of crypto exchanges failing or stealing money, and what's happening with Mt Gox right now, you are right that this would be a killer app. I know JL777 was really pushing it, but he seems like he really pushes a lot of ideas, so not sure if he's still interested. I'm not all that technical so I can't help build such a thing. What can we do to make this happen?
|
|
|
|
dimirfu
Newbie
Offline
Activity: 14
Merit: 0
|
|
February 07, 2014, 04:52:07 PM |
|
Why the rush? Oh - let me take a guess - a bunch of new accounts praising another new account that is trying to get "investment".
new accounts? you guess? oh! do not be so Sensitive!! before you say that, you should test it first. All this are not what you think
|
|
|
|
Passion_ltc
|
|
February 07, 2014, 04:55:30 PM |
|
CAUTION! Might be a scam! I risked it, but you never know..
|
|
|
|
pinarello
Full Member
Offline
Activity: 266
Merit: 100
NXT is the future
|
|
February 07, 2014, 04:57:35 PM |
|
rofl. i completely missed that thread where i was mentioned like a dozen times
U should monetize ur reputation. If u were a fiat gateway operator for Asset Exchange, u would help the community a lot. I would accept dollars issued by u without any doubt. Think of such a business plz...
I was planning on being the silver bullion gateway but I could also do fiat.
THAT would be interesting silver for NXT!
|
|
|
|
brooklynbtc
Sr. Member
Offline
Activity: 336
Merit: 250
AKA jefdiesel
|
|
February 07, 2014, 04:59:07 PM |
|
rofl. i completely missed that thread where i was mentioned like a dozen times
U should monetize ur reputation. If u were a fiat gateway operator for Asset Exchange, u would help the community a lot. I would accept dollars issued by u without any doubt. Think of such a business plz...
I was planning on being the silver bullion gateway but I could also do fiat.
Does anyone have any thoughts on US based fiat exchange? Seems you have all the FINCEN registration to go through. What does localbitcoins do? Fly under the radar? I bought my first Btc in person from localbitcoins, from a daytrader literally on wall street. I will gladly make myself available as a New York based fiat exchange, but trying to sort the legality.
|
|
|
|
msin
Legendary
Offline
Activity: 1470
Merit: 1004
|
|
February 07, 2014, 05:02:19 PM |
|
Weekend project, let's build a DNS system guys!
Here is what I propose, we encode HTML webpages in base64, the base64 is then truncated and sent. the transaction ID's are retrieved and a master file with the locations (and format) of the truncated html is formed. The masterfile is returned and can be used to access the data.
Multiple master files can be formed (due to 1k data limit) and put into one, etc... unlimited amounts of data could be stored this way.
If a dynamic webpage is needed an account could be created and reserved for "hosting" the latest message sent by this account could be the updated website data. Accounts could be used as domain names in a customized browser.
I already have the truncation programs written, but who wants to join me and make this work?
I have a 100k nxt budget for this project (can be increased).
PM me if you are interested.
+1, this would be great if we can get a few people helping.
|
|
|
|
Anon136
Legendary
Offline
Activity: 1722
Merit: 1217
|
|
February 07, 2014, 05:02:27 PM |
|
rofl. i completely missed that thread where i was mentioned like a dozen times
U should monetize ur reputation. If u were a fiat gateway operator for Asset Exchange, u would help the community a lot. I would accept dollars issued by u without any doubt. Think of such a business plz...
I was planning on being the silver bullion gateway but I could also do fiat.
Does anyone have any thoughts on US based fiat exchange? Seems you have all the FINCEN registration to go through. What does localbitcoins do? Fly under the radar? I bought my first Btc in person from localbitcoins, from a daytrader literally on wall street. I will gladly make myself available as a New York based fiat exchange, but trying to sort the legality.
yea idk anything about governments and their crazy edicts. im definitely not going to try to comply with the ever changing whims of thousands of disorganized but well armed sociopaths. if there is a big risk associated with being a fiat gateway then ill just do silver bullion only.
|
Rep Thread: https://bitcointalk.org/index.php?topic=381041
If one can not confer upon another a right which he does not himself first possess, by what means does the state derive the right to engage in behaviors from which the public is prohibited?
|
|
|
dimirfu
Newbie
Offline
Activity: 14
Merit: 0
|
|
February 07, 2014, 05:03:13 PM |
|
CAUTION! Might be a scam! I risked it, but you never know..
know what? do not say invest it until you like the Experience of the Transaction.
|
|
|
|
Passion_ltc
|
|
February 07, 2014, 05:03:59 PM |
|
CAUTION! Might be a scam! I risked it, but you never know..
know what? do not say invest it until you like the Experience of the Transaction.
Please what?
|
|
|
|
achimsmile
Legendary
Offline
Activity: 1225
Merit: 1000
|
|
February 07, 2014, 05:06:53 PM |
|
Below is the message doctorevil sent to inform captain picard, cfb, and opticalc! We must get this guy to join us as dev!
The disclosure CfB recently announced on the BCT thread might leave some with questions regarding the exact details. Here's what I sent CfB, Jean-Luc, and OpticalC earlier:
-Gentlemen-
All versions of NXT are currently vulnerable to a transaction replay attack.
I've tested this exploit successfully (TXs 16383865633576457223 and 6120913904145250080).
This message has only been sent to you 3 (Jean-Luc, opticalc and CfB); however, I plan to eventually make a public disclosure.
Specifics:
Anyone on the network can create 15 replicas of a transaction that verify OK but which have distinct transaction ids. This has to do with a phenomenon called signature malleability. Given a valid signature X0, anyone (not just the original signer) can create 15 additional distinct signatures X1, X2 ... X15 which all verify correctly.
The only circumstances in which a transaction can not be replayed are if:
(1) the sender's balance is too low or
(2) the transaction deadline has expired
Example exploit scenario:
BTER currently has a 40M+ NXT wallet it sends withdrawals from. If I was evil, I could transfer 100k NXT back and forth between myself and BTER. Let's say I do this 10 times. A few hours later I could create 15 replays of each withdrawal transaction, netting 1.5M NXT. If I was super evil I could send the replays immediately after each withdrawal, redepositing the new NXT and growing the heist exponentially. One could drain their entire 40M wallet in 3 round trips starting with just 12500 NXT. Eviler still, one could also replay recent transactions flowing into BTER from depositors in order to steal their funds as well, swelling the total catch beyond 40M.
Several possible fixes come to mind:
(1) define a canonical signature representation (bitcoin's approach)
(2) exclude the signature field when calculating the transaction id (probably too sweeping a change at this point)
(3) explicitly check for replays in processTransactions (a bit of a kludge)
The math:
The output of Curve25519.sign is v. This value essentially acts like an element in a finite field whose order is the same as the curve group order (2^252 + 2^124). So for any v, you can add 2^252 + 2^124 and arrive at a value that is equivalent as far as the underlying field math is concerned. NXT encodes v using 256 bits (32 bytes). Since 2^256 is significantly larger than the group order, there are ~16 distinct 256-bit encodings of each field element. Because everyone knows the group order and v is part of the signature, anyone can generate the other encodings to perform this attack.
In closing, I just want to say that it hurts my evil heart not to exploit this.
-Dr. Evil-
This was quickly followed up with some back and forth with CfB where I provided him actual code for the exploit (which I'll elide here for obvious reasons) and a discussion of the plan for how to roll out a fix (which they implemented within hours of initially communicating with them). He also threw me 10 BTC, which I didn't really expect but greatly appreciated. I got all of jack shit (other than a warm fuzzy) when I privately revealed to blockchain.info a RNG bug that had already led to multiple documented thefts. I'm happy to answer in this thread any remaining technical questions the community might have about the nature of the flaw.
|
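The canonical-signature and replay checks proposed in the quoted disclosure, as an added example that is not part of the original post or of the Nxt code base. It looks only at the 32-byte scalar v rather than a full signature; the little-endian layout, the SHA-256 ids and the sample bytes are assumptions made for illustration, and the group order is the exact value that the post rounds to 2^252 + 2^124.

```python
import hashlib

# Exact order of the Curve25519 base-point group; the post rounds it to 2^252 + 2^124.
GROUP_ORDER = 2**252 + 27742317777372353535851937790883648493

def decode_v(v_bytes: bytes) -> int:
    # Assumption: v is carried as a 32-byte little-endian integer.
    if len(v_bytes) != 32:
        raise ValueError("v must be exactly 32 bytes")
    return int.from_bytes(v_bytes, "little")

def is_canonical(v_bytes: bytes) -> bool:
    # Fix (1): accept only the single encoding that lies below the group order.
    return decode_v(v_bytes) < GROUP_ORDER

def encodings_in_256_bits(v_bytes: bytes) -> int:
    # How many 32-byte strings are congruent to v modulo the group order.
    r = decode_v(v_bytes) % GROUP_ORDER
    return (2**256 - 1 - r) // GROUP_ORDER + 1

def id_with_signature(body: bytes, v_bytes: bytes) -> str:
    # The scheme the post describes: the id changes when the signature bytes change.
    return hashlib.sha256(body + v_bytes).hexdigest()

def id_without_signature(body: bytes) -> str:
    # Fix (2): the id covers only the signed content.
    return hashlib.sha256(body).hexdigest()

def accept(transactions):
    # Fixes (1) and (3) together: drop non-canonical signatures and repeated bodies.
    seen, accepted, rejected = set(), [], []
    for body, v_bytes in transactions:
        key = id_without_signature(body)
        if not is_canonical(v_bytes):
            rejected.append((key, "non-canonical signature"))
        elif key in seen:
            rejected.append((key, "replay"))
        else:
            seen.add(key)
            accepted.append(key)
    return accepted, rejected

# Constructed sample: an opaque body and a made-up scalar, not real Nxt data.
BODY = b"constructed-transaction-body"
V_CANONICAL = (12345).to_bytes(32, "little")
V_ALTERNATE = (12345 + GROUP_ORDER).to_bytes(32, "little")  # same value mod the order

if __name__ == "__main__":
    print(encodings_in_256_bits(V_CANONICAL), accept([(BODY, V_CANONICAL), (BODY, V_ALTERNATE)]))
```

Keying the replay check on the body alone assumes every legitimate transaction body is unique, for instance because it carries a timestamp.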
|
|
|
greyw00lf
|
|
February 07, 2014, 05:09:03 PM |
|
... Right now is not quite the right time, but when nexern releases his client (along with the AE), we should have a very simple to install client as well as be able to show off the power of decentralized exchanges. ...
btw. anyone knows the status of nexerns client?
edit: ok found some info about it:
correct, this is not a problem for new users or users without unicode keyphrases but don't know how many e.g. chinese users we have now using chinese symbols as keyphrase. anyway, i am finishing apphub now. it was already planned to include unicode into hive and apphub is part of this.
Is it possible to postpone release a little so other AE client devs catch u?
it's already postponed because i need a little more time to test AE and include the DNA i mentioned before but since i intend to start 1. march with hive my intention is to release apphub latest end month, better a week earlier.
|
|
|
|
greyw00lf
|
|
February 07, 2014, 05:17:10 PM |
|
Below is the message doctorevil sent to inform captain picard, cfb, and opticalc!
We must get this guy to join us as dev!
+1
|
|
|
|
Passion_ltc
|
|
February 07, 2014, 05:17:27 PM |
|
... Right now is not quite the right time, but when nexern releases his client (along with the AE), we should have a very simple to install client as well as be able to show off the power of decentralized exchanges. ...
btw. anyone knows the status of nexerns client?
edit: ok found some info about it:
correct, this is not a problem for new users or users without unicode keyphrases but don't know how many e.g. chinese users we have now using chinese symbols as keyphrase. anyway, i am finishing apphub now. it was already planned to include unicode into hive and apphub is part of this.
Is it possible to postpone release a little so other AE client devs catch u?
it's already postponed because i need a little more time to test AE and include the DNA i mentioned before but since i intend to start 1. march with hive my intention is to release apphub latest end month, better a week earlier.
Is there more info regarding DNA and hive? What are those?
|
|
|
|
opticalcarrier
|
|
February 07, 2014, 05:19:46 PM |
|
ok ill go ahead and ask the question, what does "Failed to accept block received from X, blacklisting" mean? What if it is a peer that I have very good reason to suspect is not evil?