xyzzyx
February 08, 2014, 08:08:52 AM
"An awful lot of code is being written ... in languages that aren't very good by people who don't know what they're doing." -- Barbara Liskov

jl777
February 08, 2014, 08:09:57 AM
I do not feel confident with the idea of "plugins" and "Turing complete" scripting implementation before more basic stuff is complete. We need thorough code rechecking from many more independent sources, finishing already announced projects, and other basic stuff. I am surprised how little reaction there is to the fact that a guy who discovered a fatal flaw with Nxt code two days ago could have stolen 40 million from bter Nxt account https://nextcoin.org/index.php/topic,3884.0.html
How many more flaws exist? We don't know, but yet we want to implement "plugins" Wow. Seriously. Forget plugins and spend more resources on code auditing and finishing the announced features.
+1 for some kind of odd reason we always drift away from the initial plan and features, they are still NOT implemented. We can't even walk and already try to run. Finish what is promised and started.
What features are not being worked on? What do you mean by walking?

pandaisftw
February 08, 2014, 08:11:56 AM
I do not feel confident with the idea of "plugins" and "Turing complete" scripting implementation before more basic stuff is complete. We need thorough code rechecking from many more independent sources, finishing already announced projects, and other basic stuff. I am surprised how little reaction there is to the fact that a guy who discovered a fatal flaw with Nxt code two days ago could have stolen 40 million from bter Nxt account https://nextcoin.org/index.php/topic,3884.0.html
How many more flaws exist? We don't know, but yet we want to implement "plugins" Wow. This isn't firefox. Seriously. Forget plugins and spend more resources on code auditing and finishing the announced features.
Do realize that the stuff here is =/= to the work the main devs are doing. I'm pretty sure most of us are not able to find flaws, so we can contribute to other parts in the meantime. Also, we are looking for people to audit the code, but beyond that, there is nothing I can do personally, so I'm helping out in other ways.

CIYAM
Ian Knowles - CIYAM Lead Developer
February 08, 2014, 08:12:23 AM
I don't see why you would want a Nxt VM script to "output an email" (or do anything else outside of the blockchain for that matter) - you do understand that whether such email was actually even really sent simply *cannot be proven* (as you are dealing with SMTP rather than a blockchain)?
Also SMTP is going to require accounts that need to be signed into and you don't want to end up with people effectively running "relay servers" or they'll end up on email blacklists.
Wouldn't it make more sense for such things to be services instead?
About walking vs. running - you are getting far too excited jl777 - can you just take something to slow down to a pace that we can keep up with (by the time we've tried to discuss one of your ideas you typically have posted 3 others).

jl777
February 08, 2014, 08:18:20 AM
I am a bit concerned that there has been very little feedback on my recent proposals, blockchain FIFO and NXT plugin architecture.
This either means it's Friday night and nobody has had a chance to think about them, or it is so ridiculous nobody bothered to comment, or maybe I am on everyone's ignore list?
Please, if you see anything wrong, now is the time to find it. Also, if you think it is mostly right, just +1 it or short comment. I feel like I am in a vacuum here...
James
P.S. I just can't believe that I got everything right as that is the fourth possibility.
You have more energy than a toddler that has found her mother's diet pills.
Blockchain FIFO: I was thinking along similar lines: https://bitcointalk.org/index.php?topic=345619.msg4981325#msg4981325
But it's only a general idea, and incomplete.
NXT plugins: you could sign the plugin with the issuer's private key and publish the public key for verification purposes in an Alias. Have the client check the signature before loading of the plugin. Or something similar <waves hands.>
I am not too concerned about the signatures, more about the logistics of validating the signature for the executable code under all the different OS the plugins will be compiled and run under. This is why hardcoded plugins are much cleaner, but I figured if we can solve the external plugin issue, it really opens things up.
Yes, I am worried about Evil Bob, he is quite clever. What can he do with an NXTsmtp plugin? He could change the email that is being sent and this could be very bad. NXTsmtp is just a proof of concept of this methodology and would not really be useful for anything more than a twitter like feed. Now it is possible for the NXTsmtp messages to be signed and that would add a lot more trust in the content of the feed. Keep in mind, nothing stops Evil Bob from sending any email to anyone, so I don't see the big security hole created by NXTsmtp.
OK, I have an idea for another plugin. Sorry Pin! We can have a plugin that broadcasts data. It would be like the XCP broadcast function, but we have the data signed so it can be trusted as to the source. The plugin is validated as untampered. The source code will show where and how it is getting its data. This way we can create trusted data feeds for various price data. That in turn can be used to implement betting, options, CFD, etc. This is pretty significant!
James

pinarello
February 08, 2014, 08:22:12 AM
I do not feel confident with the idea of "plugins" and "Turing complete" scripting implementation before more basic stuff is complete. We need thorough code rechecking from many more independent sources, finishing already announced projects, and other basic stuff. I am surprised how little reaction there is to the fact that a guy who discovered a fatal flaw with Nxt code two days ago could have stolen 40 million from bter Nxt account https://nextcoin.org/index.php/topic,3884.0.html
How many more flaws exist? We don't know, but yet we want to implement "plugins" Wow. Seriously. Forget plugins and spend more resources on code auditing and finishing the announced features.
+1 for some kind of odd reason we always drift away from the initial plan and features, they are still NOT implemented. We can't even walk and already try to run. Finish what is promised and started.
What features are not being worked on? What do you mean by walking?
I am eager to see NXT first implementation in a working client (aside from messages and aliases)

tman10
February 08, 2014, 08:22:20 AM
Has anybody seen NxtChg lately??...Thanks

pinarello
February 08, 2014, 08:23:17 AM
Has anybody seen NxtChg lately??...Thanks
No, please read his last posts.

salsacz
February 08, 2014, 08:27:27 AM
NxtChg left us, withdraw from the exchange. He had another of his emotional breakdowns caused by his Obsessive–compulsive disorder and left, although we asked him to stay.
a) I am a programmer with OCD, most of you here know what I mean: we obsess about tiniest details and double, triple check everything, especially something as important as sending a big chunk of money.

jl777
February 08, 2014, 08:27:55 AM
I don't see why you would want a Nxt VM script to "output an email" (or do anything else outside of the blockchain for that matter) - you do understand that whether such email was actually even really sent simply *cannot be proven* (as you are dealing with SMTP rather than a blockchain)?
Also SMTP is going to require accounts that need to be signed into and you don't want to end up with people effectively running "relay servers" or they'll end up on email blacklists.
Wouldn't it make more sense for such things to be services instead?
About walking vs. running - you are getting far too excited jl777 - can you just take something to slow down to a pace that we can keep up with (by the time we've tried to discuss one of your ideas you typically have posted 3 others).
NXTsmtp is just for proof of concept that incorporates something everybody is familiar with. I want to verify the peer verifiability of hardcoded NXTplugin followed by external NXTplugin. I am not worried about NXTsmtp for anything other than proving that NXTplugins work and are peer verified. At first I couldn't understand how on earth a DAC could be implemented. When I started thinking about email plugin, it became not as hard. If the source to SMTP server is reviewed that it does send the email (backed up with test results) and as part of the sending process it adds a hash value of email to the blockchain. I think that allows peer verification, please explain where I am wrong. I am certain I have made mistakes somewhere and I am still coming up to speed with this whole decentralized blockchain approach. The problem is that I see all of the things I am posting about as connected. Like the elephant described by different people. All sounds very different, but it is all the same elephant. If I described the elephant in its entirety, it wouldn't fit in posts. I feel a great sense of urgency due to competitive pressures.
James
P.S. I usually don't post when I am sleeping or flying

jl777
February 08, 2014, 08:29:11 AM
I do not feel confident with the idea of "plugins" and "Turing complete" scripting implementation before more basic stuff is complete. We need thorough code rechecking from many more independent sources, finishing already announced projects, and other basic stuff. I am surprised how little reaction there is to the fact that a guy who discovered a fatal flaw with Nxt code two days ago could have stolen 40 million from bter Nxt account https://nextcoin.org/index.php/topic,3884.0.html
How many more flaws exist? We don't know, but yet we want to implement "plugins" Wow. Seriously. Forget plugins and spend more resources on code auditing and finishing the announced features.
+1 for some kind of odd reason we always drift away from the initial plan and features, they are still NOT implemented. We can't even walk and already try to run. Finish what is promised and started.
What features are not being worked on? What do you mean by walking?
I am eager to see NXT first implementation in a working client (aside from messages and aliases)
Who doesn't? How do you suggest I help nexern out?

tman10
February 08, 2014, 08:30:10 AM
Has anybody seen NxtChg lately??...Thanks
No, please read his last posts.
Where might I find his last post?...Thanks

nxtru
February 08, 2014, 08:30:57 AM
25000 NXT bounty for a method and Java implementation that verifies NXTplugin process has not changed. Need an OS independent way of finding the executable code of a previously registered NXTplugin. This means we can constrain the creation method (linker output), probably need to do this for unix, Mac and Windows separately.
I am looking for a practical solution that will allow realtime verification by the NXTcore to make sure that the NXTplugin has not been tampered with. NXTplugins will have to be opensourced and publish signatures for specific compilers. This signature is then verified prior to any usage of that plugin by the NXTcore.
BEFORE we would ever consider submitting this to jean-luc, we of course need to test it like crazy. If the code is changed at all, we assume it is tampered. This probably means we can't do any dynamic linking, and need either static or relative jumps. Not sure though. Just finding where the code is might not be so easy. Figuring out how to get a ptr to the Java process will probably be pretty difficult. Any reasonable one way hash function is fine for this bounty, just want to get the system issues out of the way so we can validate in realtime that a plugin has not been tampered with.
As long as the source is reviewed for Evil Bobness and the code that is executing generates the same signature, I think we are getting close to where we can trust it almost as much as a hardcoded plugin where the plugin is actually part of the NXT core. Once we have the ability to have NXT plugins that are external to the NXT core, that is when things can really take off. We still need a formal validation process before it is approved for inclusion in the approved list of plugins, but maybe we can sidestep that issue by just having web.xml entries?
PLEASE if anybody can find a security flaw in this method, post ASAP. Remember Evil Bob is very evil
James
Are these NXTplugins jar files? We could use jar signing feature. See Oracle docs:
- signing: http://docs.oracle.com/javase/tutorial/deployment/jar/signing.html
- verification: http://docs.oracle.com/javase/tutorial/deployment/jar/verify.html

erik__
February 08, 2014, 08:32:08 AM
I am a bit concerned that there has been very little feedback on my recent proposals, blockchain FIFO and NXT plugin architecture.
I've been reading your posts with interest and trying to digest them. Much of it sounds good, but is mostly over my head so it's hard to give good feedback. My biggest concern is security right now especially after the recent scare. New features often bring new security holes, so I'd rather not be in too much of a rush to beat the competition for every little thing. Nxt already has a strong niche (zero inflation, proof-of-stake) and just needs steady, but not rushed, development to bring in the new features which may or may not be embraced by the market.
Has Dr. Evil been hired to continue looking for exploits and weaknesses and consult? I saw a couple posts requesting this, but it should be a priority. He's proven himself by brute forcing something like 3% of Nxt accounts (including genesis) and discovering an x-spend attack. If we have community funds available then I think we should try to keep him on board as long as we can.

lucky88888
February 08, 2014, 08:33:49 AM
I am a bit concerned that there has been very little feedback on my recent proposals, blockchain FIFO and NXT plugin architecture.
This either means it's Friday night and nobody has had a chance to think about them, or it is so ridiculous nobody bothered to comment, or maybe I am on everyone's ignore list?
Please, if you see anything wrong, now is the time to find it. Also, if you think it is mostly right, just +1 it or short comment. I feel like I am in a vacuum here...
James
P.S. I just can't believe that I got everything right as that is the fourth possibility.
or people don't understand what you're talking about like me
Yeb.. a lot of us don't understand anything that is a little technical.. I started reading a few sentences then I got lost on the third sentence. sorry
Most people are more active in 2-3 hours from now, time zone difference maybe? Another reason would be this huge thread needs to be more organised. Maybe we shall start the great NXT migration to a proper forum with proper topic sections. eg. forums.nxtcrypto.org I have started to promote it for this very reason with my forging competition.
I do not feel confident with the idea of "plugins" and "Turing complete" scripting implementation before more basic stuff is complete. We need thorough code rechecking from many more independent sources, finishing already announced projects, and other basic stuff. I am surprised how little reaction there is to the fact that a guy who discovered a fatal flaw with Nxt code two days ago could have stolen 40 million from bter Nxt account https://nextcoin.org/index.php/topic,3884.0.html
How many more flaws exist? We don't know, but yet we want to implement "plugins" Wow. Seriously. Forget plugins and spend more resources on code auditing and finishing the announced features.
+1 for some kind of odd reason we always drift away from the initial plan and features, they are still NOT implemented. We can't even walk and already try to run. Finish what is promised and started.
I would think this would be the more organized way as well. Finish what is already been promised and you will have developers flying in from all over the world to help implement new features. Right now, I can say a lot of potential devs aren't taking too much notice on nxt for this reason, because most devs are paid pretty well and their time = lots of money.
Of course you have to remember that some devs are limited to their field of expertise and may not be able to help with the promised features but is able to put their time in other new features which is a good thing.

nxtru
February 08, 2014, 08:35:00 AM
I don't see why you would want a Nxt VM script to "output an email" (or do anything else outside of the blockchain for that matter) - you do understand that whether such email was actually even really sent simply *cannot be proven* (as you are dealing with SMTP rather than a blockchain)?
Also SMTP is going to require accounts that need to be signed into and you don't want to end up with people effectively running "relay servers" or they'll end up on email blacklists.
Wouldn't it make more sense for such things to be services instead?
About walking vs. running - you are getting far too excited jl777 - can you just take something to slow down to a pace that we can keep up with (by the time we've tried to discuss one of your ideas you typically have posted 3 others).
NXTsmtp is just for proof of concept that incorporates something everybody is familiar with. I want to verify the peer verifiability of hardcoded NXTplugin followed by external NXTplugin. I am not worried about NXTsmtp for anything other than proving that NXTplugins work and are peer verified. At first I couldn't understand how on earth a DAC could be implemented. When I started thinking about email plugin, it became not as hard. If the source to SMTP server is reviewed that it does send the email (backed up with test results) and as part of the sending process it adds a hash value of email to the blockchain. I think that allows peer verification, please explain where I am wrong. I am certain I have made mistakes somewhere and I am still coming up to speed with this whole decentralized blockchain approach. The problem is that I see all of the things I am posting about as connected. Like the elephant described by different people. All sounds very different, but it is all the same elephant. If I described the elephant in its entirety, it wouldn't fit in posts. I feel a great sense of urgency due to competitive pressures.
James
P.S. I usually don't post when I am sleeping or flying
I've been working with SNMP on Java but I don't get what tasks you want to solve with NXTsnmp.

pinarello
February 08, 2014, 08:36:27 AM
I don't see why you would want a Nxt VM script to "output an email" (or do anything else outside of the blockchain for that matter) - you do understand that whether such email was actually even really sent simply *cannot be proven* (as you are dealing with SMTP rather than a blockchain)?
Also SMTP is going to require accounts that need to be signed into and you don't want to end up with people effectively running "relay servers" or they'll end up on email blacklists.
Wouldn't it make more sense for such things to be services instead?
About walking vs. running - you are getting far too excited jl777 - can you just take something to slow down to a pace that we can keep up with (by the time we've tried to discuss one of your ideas you typically have posted 3 others).
NXTsmtp is just for proof of concept that incorporates something everybody is familiar with. I want to verify the peer verifiability of hardcoded NXTplugin followed by external NXTplugin. I am not worried about NXTsmtp for anything other than proving that NXTplugins work and are peer verified. At first I couldn't understand how on earth a DAC could be implemented. When I started thinking about email plugin, it became not as hard. If the source to SMTP server is reviewed that it does send the email (backed up with test results) and as part of the sending process it adds a hash value of email to the blockchain. I think that allows peer verification, please explain where I am wrong. I am certain I have made mistakes somewhere and I am still coming up to speed with this whole decentralized blockchain approach. The problem is that I see all of the things I am posting about as connected. Like the elephant described by different people. All sounds very different, but it is all the same elephant. If I described the elephant in its entirety, it wouldn't fit in posts. I feel a great sense of urgency due to competitive pressures.
James
P.S. I usually don't post when I am sleeping or flying
James, First of all thank you for all your great ideas, but ... My background is IT project manager and I am going crazy by you. You throw 10 projects on the table but have not one worked out. Please for starters pick one project, work it out from start to finish, then pick another. As of now your way of working is getting us nowhere. You are ddossing us.

ChuckOne
February 08, 2014, 08:37:55 AM
Updates - 07/02/2014
- Shows multiple balances.
- Shows node status (Green = ON, Blue = OFF)
Now effective balance 136'722.00 NXT!!!
NXTCoin first automated forging platform! Website: http://www.nxtio.org/
Is that really what we want? Centralization?

jl777
February 08, 2014, 08:38:13 AM
25000 NXT bounty for a method and Java implementation that verifies NXTplugin process has not changed. Need an OS independent way of finding the executable code of a previously registered NXTplugin. This means we can constrain the creation method (linker output), probably need to do this for unix, Mac and Windows separately.
I am looking for a practical solution that will allow realtime verification by the NXTcore to make sure that the NXTplugin has not been tampered with. NXTplugins will have to be opensourced and publish signatures for specific compilers. This signature is then verified prior to any usage of that plugin by the NXTcore.
BEFORE we would ever consider submitting this to jean-luc, we of course need to test it like crazy. If the code is changed at all, we assume it is tampered. This probably means we can't do any dynamic linking, and need either static or relative jumps. Not sure though. Just finding where the code is might not be so easy. Figuring out how to get a ptr to the Java process will probably be pretty difficult. Any reasonable one way hash function is fine for this bounty, just want to get the system issues out of the way so we can validate in realtime that a plugin has not been tampered with.
As long as the source is reviewed for Evil Bobness and the code that is executing generates the same signature, I think we are getting close to where we can trust it almost as much as a hardcoded plugin where the plugin is actually part of the NXT core. Once we have the ability to have NXT plugins that are external to the NXT core, that is when things can really take off. We still need a formal validation process before it is approved for inclusion in the approved list of plugins, but maybe we can sidestep that issue by just having web.xml entries?
PLEASE if anybody can find a security flaw in this method, post ASAP. Remember Evil Bob is very evil
James
Are these NXTplugins jar files? We could use jar signing feature. See Oracle docs:
- signing: http://docs.oracle.com/javase/tutorial/deployment/jar/signing.html
- verification: http://docs.oracle.com/javase/tutorial/deployment/jar/verify.html
Not necessarily
This might work for NXTplugins written in Java, but we need to support more than just code written in Java. For example I am wanting to run bitcoind as one of the external NXTplugins. I don't want to rely on versions that are behind latest bitcoind's and I would imagine that any java implementation of bitcoind will not be totally up to date. Also, not sure if verification can be done inside Java code and how long it takes, but the general idea is what we need for all the supported executable formats. If we can support the bitcoind and other crypto daemons, then that gives hope to a DAC that does the fancy cross chain algos.
James
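
The check discussed in this thread (the publisher signs the plugin file, the public key is published in an Alias, and the core verifies the signature before using the plugin), as an added example that is not part of any post here and is not Nxt code. The class `PluginVerifier`, its methods, the alias name and the in-memory map standing in for an Alias lookup are all assumptions; it works on any executable format because it signs raw file bytes, and it verifies the file on disk, not the memory of a process that is already running.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/** Hypothetical gate: accept a plugin file only if the publisher's signature verifies. */
public class PluginVerifier {

    // Stand-in for an Alias lookup (assumption): alias name -> Base64 X.509 public key.
    private final Map<String, String> aliasRegistry = new HashMap<>();

    void publishKey(String alias, PublicKey key) {
        aliasRegistry.put(alias, Base64.getEncoder().encodeToString(key.getEncoded()));
    }

    /**
     * Reads the plugin once and verifies exactly those bytes. The caller should run
     * the returned bytes (for example from a private copy), not re-open the path,
     * otherwise the file can be swapped between the check and the launch.
     */
    byte[] loadVerified(Path plugin, byte[] signature, String alias) throws Exception {
        String encoded = aliasRegistry.get(alias);
        if (encoded == null) {
            throw new SecurityException("no public key published under alias " + alias);
        }
        PublicKey key = KeyFactory.getInstance("EC")
                .generatePublic(new X509EncodedKeySpec(Base64.getDecoder().decode(encoded)));

        byte[] image = Files.readAllBytes(plugin);
        Signature verifier = Signature.getInstance("SHA256withECDSA");
        verifier.initVerify(key);
        verifier.update(image);

        boolean ok;
        try {
            ok = verifier.verify(signature);
        } catch (SignatureException malformed) {
            ok = false; // a signature that does not even parse is treated as tampering
        }
        if (!ok) {
            throw new SecurityException("signature does not match plugin " + plugin.getFileName());
        }
        return image;
    }

    public static void main(String[] args) throws Exception {
        // Publisher side: constructed key pair and constructed plugin bytes.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("EC");
        gen.initialize(256);
        KeyPair publisher = gen.generateKeyPair();

        Path plugin = Files.createTempFile("nxtplugin-", ".bin");
        Files.write(plugin, "constructed plugin image v1".getBytes(StandardCharsets.UTF_8));

        Signature signer = Signature.getInstance("SHA256withECDSA");
        signer.initSign(publisher.getPrivate());
        signer.update(Files.readAllBytes(plugin));
        byte[] sig = signer.sign();

        // Core side: key obtained through the (simulated) Alias, then verification.
        PluginVerifier core = new PluginVerifier();
        core.publishKey("examplePluginKey", publisher.getPublic());
        try {
            byte[] image = core.loadVerified(plugin, sig, "examplePluginKey");
            System.out.println("untouched file: accepted, " + image.length + " bytes");

            // Any change to the file after signing must be rejected.
            Files.write(plugin, "constructed plugin image v1 + patch".getBytes(StandardCharsets.UTF_8));
            core.loadVerified(plugin, sig, "examplePluginKey");
            System.out.println("modified file: accepted (unexpected)");
        } catch (SecurityException e) {
            System.out.println("modified file: rejected (" + e.getMessage() + ")");
        } finally {
            Files.deleteIfExists(plugin);
        }
    }
}
```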

jl777
February 08, 2014, 08:39:08 AM
I don't see why you would want a Nxt VM script to "output an email" (or do anything else outside of the blockchain for that matter) - you do understand that whether such email was actually even really sent simply *cannot be proven* (as you are dealing with SMTP rather than a blockchain)?
Also SMTP is going to require accounts that need to be signed into and you don't want to end up with people effectively running "relay servers" or they'll end up on email blacklists.
Wouldn't it make more sense for such things to be services instead?
About walking vs. running - you are getting far too excited jl777 - can you just take something to slow down to a pace that we can keep up with (by the time we've tried to discuss one of your ideas you typically have posted 3 others).
NXTsmtp is just for proof of concept that incorporates something everybody is familiar with. I want to verify the peer verifiability of hardcoded NXTplugin followed by external NXTplugin. I am not worried about NXTsmtp for anything other than proving that NXTplugins work and are peer verified. At first I couldn't understand how on earth a DAC could be implemented. When I started thinking about email plugin, it became not as hard. If the source to SMTP server is reviewed that it does send the email (backed up with test results) and as part of the sending process it adds a hash value of email to the blockchain. I think that allows peer verification, please explain where I am wrong. I am certain I have made mistakes somewhere and I am still coming up to speed with this whole decentralized blockchain approach. The problem is that I see all of the things I am posting about as connected. Like the elephant described by different people. All sounds very different, but it is all the same elephant. If I described the elephant in its entirety, it wouldn't fit in posts. I feel a great sense of urgency due to competitive pressures.
James
P.S. I usually don't post when I am sleeping or flying
I've been working with SNMP on Java but I don't get what tasks you want to solve with NXTsnmp.
SMTP not SNMP