Bitcoin Forum
Author Topic: NXT :: descendant of Bitcoin - Updated Information  (Read 2750637 times)
Jean-Luc
March 06, 2014, 09:48:12 AM
 #41161

any date set for launch of AE yet?? or still to be decided?
I proposed the 13th march, and asked if not some one should step up and take ownership for the launch of AE.
March 13th is not possible. I posted my plan some time ago:
https://bitcointalk.org/index.php?topic=345619.msg5449690#msg5449690

The test network is ready, the known asset exchange bug looks fixed, but more testing is needed to make sure there are no others.

Now I need to start working on increasing the divisibility of amounts and fees, to allow for fractional amounts in the future, and I want to have this ready and tested before Asset Exchange is enabled on main net, because this type of transition would be really more difficult after AE is live. There is no time to do that before March 13th, end of March is more likely.

lead Nxt developer, gpg key id: 0x811D6940E1E4240C
Nxt blockchain platform | Ardor blockchain platform | Ignis ICO
igmaca
March 06, 2014, 09:51:08 AM
Last edit: March 06, 2014, 10:03:18 AM by igmaca
 #41162

I don't know if this is relevant... but there is someone who is stealing nxtcoins from "bad-protected" accounts.

I've just created an account with the pass: "mtvraps" to check and play. I made the nxtra.org faucet and they sent me 2nxt to this account "14345877598619007537". One minute after, someone sent these 2nxtcoins to other account (of course it was not me). The account was: "1413811113623034318".  I suppose there is a bot checking all the possible weak passwords...

It could be funny but......TAKE CARE!

I'm not a coder and I have no knowledge of software security... but is there an option to use 2-factor verification? Security weakness could be the most dangerous problem to NXT mass adoption.

I agree
would be necessary to encourage any client developer to implement 2 factor authentication


What would you like to protect with 2FA? The startup of a client or do you think you can protect the secret with 2FA?

If the latter, could you please list the steps how that would work?


It will do the same as I do in my KeePass database. See this:

Then, after reading a lot about key generation, choose to use absurd and nonsensical phrases formed of not less than 50 characters of memorized words, and 2 phrases of roughly 50 characters for the KeePass master password.

Install the OtpKeyProv KeePass plugin and activate two factors to open KeePass with Google Authenticator.

The first sentence of 50 characters and the second sentence of 48 characters to activate Google Authenticator; 48 characters to match the Base32 standard. The advantage of two-factor master password is if you can not make all phishing password.

Within KeePass, generate the passwords you want, including for nxt accounts (for nxt, also advise to memorize words and not less than 50 characters consisting of nonsensical words).

Enable tools options "change master key in a secure desktop" every time you open your nxt account using automatic writing.
Enable automatic writing on the flap of each password: "Obfuscation 2 channel automatic writing".

I hope you can help with these tips. In any case you can write me for any questions on KeePass and handling the OtpKeyProv plugin.

Finally, the technique of two-factor authentication for nxt passwords would be a good option against phishing. I leave it open to discussion in the forum.

The difficulty arises with the Google Authenticator user documentation. One Base32 (secret) key is expected. You must set the secret key to Base32 in KeePass and restrict your secret key to the Base32 character set: a-z, 2-7. KeePass allows "=" but Google Authenticator does not. Base32 length secret key Apart expressed in multiples of 8 characters.
A configuration that works :
Adjust the settings OTP Lock :
Long: 6
Secret key : abcdefghxz234567 ( Base32 )
Counter : 0 ( Dec)
OTP Number 3
Looking forward 9 (allows 3 failed attempts to unlock using KeePass newly generated OTPs before a recovery is needed because the counters have become too out of sync. )
Set Google Authenticator
secret key : abcdefghxz234567
counter : counter based
The first 6 OTPs are:
442843
724600
994 767
847 513
160505
583 080
Make sure you never lose the secret key or you will be permanently locked out of KeePass if the counters lose synchronization. Also recognize that the real secret is the secret key, not the OTP.

OtpKeyProv
Plugin Author: Dominik Reichl, Plugin Language: English

http://keepass.info/plugins.html#keeotp

OtpKeyProv is a key provider based on one-time passwords. After protecting your database using this plugin, you need to generate and enter one-time passwords in order to open your database.

All generator tokens that follow the OATH HOTP standard (RFC 4226) are supported.

Download plugin: [v2.2 for KeePass 2.20 and higher]
Download source code: [v2.2 for KeePass 2.20 and higher]

If you instead want KeePass to generate one-time passwords, see the {HMACOTP} placeholder. For generating time-based OTPs, see the KeeOtp and Tray TOTP plugins.
mcjavar
March 06, 2014, 09:51:14 AM
 #41163

Is there an open source software with an online interface which we could use for logging testcases and bugs?
Something like JIRA?

Maybe somebody that is not a dev can do the research for this?

That's what I am doing :)
This was the first step, asking the community :)
Jean-Luc
March 06, 2014, 09:52:26 AM
 #41164

Code:
import java.util.Random;
import org.apache.commons.lang3.RandomStringUtils;

private String generatePassphrase() {
    // No space, backslash, newline, tab
    String symbols = "!\"$%^&*()-_=+[{]};:'@#~|,<.>/?"; //$NON-NLS-1$
    String alphaNum = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890"; //$NON-NLS-1$
    int low = 70;
    int high = 90;
    Random random = new Random();
    int count = random.nextInt(high - low) + low;
    return RandomStringUtils.random(count, symbols + alphaNum);
}


Java.util.Random is not cryptographically secure.

Change it to SecureRandom or people using Offspring to create Nxt accounts would be vulnerable

http://stackoverflow.com/questions/11051205/difference-between-java-util-random-and-java-security-securerandom


"Random only has a 48-bit internal state and will repeat after 2^48 calls to nextLong() which means that it won't produce all possible long or double values."

This means all passwords created by OffSpring should be crackable.

It's not secure at all

In this case he is only using java.util.Random to pick up the length of the password, between 70 and 90 chars, so it does not need to be SecureRandom. Of course I hope the apache RandomStringUtils internally uses SecureRandom, this is where it would matter.

lead Nxt developer, gpg key id: 0x811D6940E1E4240C
Nxt blockchain platform | Ardor blockchain platform | Ignis ICO
Fatih87SK
March 06, 2014, 09:53:07 AM
 #41165

I think people are complaining about forging because maybe we were marketing forging wrong in the beginning.

We had to tell everyone that forging was for securing the network instead of earning money like mining Bitcoin or other coins.
We even made a video with someone on a boat forging comparing with Bitcoin.

What were we thinking? So all those complaints we get now are our fault.

But...

James was so great to deliver on those promises we made to the masses: Nodecoin.

Now, we can secure the network and earn something with it.

ChuckOne
March 06, 2014, 09:54:20 AM
 #41166

any date set for launch of AE yet?? or still to be decided?

Nobody seems interested to step up and launch.

I proposed the 13th march, and asked if not some one should step up and take ownership for the launch of AE.

no reactions.


How many AE tests have you run?
It is easy complaining about why isn't it ready yet, when is it going to be ready.

NXT peoples, please stop complaining. It is annoying to those of us that are working. If you want to help speed things up, then HELP!

There is a web interface that lets ANYBODY test. You can issue assets, hold trading competitions, all stuff any end user can do.

STOP COMPLAINING
START TESTING

James


Thank you, James.

We need different kinds of tests:
 - feature tests
 - load tests
 - border case tests (malicious tests)
verymuchso
March 06, 2014, 09:55:10 AM
 #41167

Code:
import java.util.Random;
import org.apache.commons.lang3.RandomStringUtils;

private String generatePassphrase() {
    // No space, backslash, newline, tab
    String symbols = "!\"$%^&*()-_=+[{]};:'@#~|,<.>/?"; //$NON-NLS-1$
    String alphaNum = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890"; //$NON-NLS-1$
    int low = 70;
    int high = 90;
    Random random = new Random();
    int count = random.nextInt(high - low) + low;
    return RandomStringUtils.random(count, symbols + alphaNum);
}


Java.util.Random is not cryptographically secure.

Change it to SecureRandom or people using Offspring to create Nxt accounts would be vulnerable

http://stackoverflow.com/questions/11051205/difference-between-java-util-random-and-java-security-securerandom


"Random only has a 48-bit internal state and will repeat after 2^48 calls to nextLong() which means that it won't produce all possible long or double values."

This means all passwords created by OffSpring should be crackable.

It's not secure at all

In this case he is only using java.util.Random to pick up the length of the password, between 70 and 90 chars, so it does not need to be SecureRandom. Of course I hope the apache RandomStringUtils internally uses SecureRandom, this is where it would matter.


I did my research on random string generator libraries, it seems apache RandomStringUtils is not compromised.

Fatih87SK
March 06, 2014, 09:58:06 AM
 #41168

James,

Some of us (me too) are feeling the danger of the competition.
It's normal to react like this. The reason why we are pushing is the same reason why you are working on NXT right now.

Because we love NXT and we want it to be the best.

Don't get us wrong by asking when it is ready. ;)

We will be patiently waiting for a date.

jl777
March 06, 2014, 09:59:19 AM
 #41169

antanst, aka Evil Bob impersonator, has raised a security weak spot in the current gateway design.
Each gateway currently generates a custom deposit address and when a deposit comes in, it immediately sweeps it to the main multisig acct. The duration of exposure is less than a second (could be set to 50 milliseconds), but it is exposure.

So, I am changing things so that there is no sweeping into a main account. All custom deposit addresses will be 2 of 3 multisig. This will require a fair amount of internal changes, but it eliminates the in transit deposit exposure. Now, all deposits will go directly into a multisig account and stay there until a withdraw request needs the funds.

The multigateway isn't perfect, but I will do everything possible to make sure it is as safe as I can make it.

Does anybody know how to setup google authenticator? I think it works by having a seed value associated with each user. I can put the encrypted value of this seed in the AM response to the user. Then for people who choose to activate this feature, they would need to go to a webpage, input their NXT acct # and authenticator token

With such a setup, can anybody think of how Evil Bob can attack the gateway? All I can think of is a spite DDoS attack that would just slow things down, but no money lost. Any other attack vectors? Can someone forge the NXT acct # in the "sender" field in a confirmed AM transaction?

James


http://www.digitalcatallaxy.com/report2015.html
100+ page annual report for SuperNET
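
The counter-based setup igmaca describes above (6 digits, Base32 secret, counter, look-ahead of 9) and the per-account seed James asks about rely on the same server-side check. The following is an added sketch, not code from the thread, OtpKeyProv or the gateway: RFC 4226 HOTP verification with a look-ahead window and replay protection. The `Account` record, the lockout threshold and the single-code check are assumptions, and the secret is the RFC 4226 test key, not a value from this page.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Locale;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class HotpGatewayDemo {
    static final int LOOK_AHEAD = 9;    // counters accepted beyond the expected one
    static final int MAX_FAILURES = 5;  // assumed lockout threshold

    /** Server-side state for one account (hypothetical record layout). */
    static final class Account {
        final byte[] secret;
        long counter;
        int failures;
        Account(String base32Secret) { this.secret = base32Decode(base32Secret); }
    }

    /** Decodes unpadded Base32 (characters a-z and 2-7, case-insensitive). */
    static byte[] base32Decode(String text) {
        String alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
        String s = text.replace("=", "").toUpperCase(Locale.ROOT);
        byte[] out = new byte[s.length() * 5 / 8];
        int buffer = 0, bits = 0, n = 0;
        for (char ch : s.toCharArray()) {
            int v = alphabet.indexOf(ch);
            if (v < 0) throw new IllegalArgumentException("not Base32: " + ch);
            buffer = (buffer << 5) | v;
            bits += 5;
            if (bits >= 8) {
                bits -= 8;
                out[n++] = (byte) (buffer >> bits);
                buffer &= (1 << bits) - 1;
            }
        }
        return out;
    }

    /** RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation, 6 digits. */
    static String hotp(byte[] key, long counter) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(key, "HmacSHA1"));
        byte[] h = mac.doFinal(ByteBuffer.allocate(8).putLong(counter).array());
        int off = h[h.length - 1] & 0x0f;
        int bin = ((h[off] & 0x7f) << 24) | ((h[off + 1] & 0xff) << 16)
                | ((h[off + 2] & 0xff) << 8) | (h[off + 3] & 0xff);
        return String.format(Locale.ROOT, "%06d", bin % 1_000_000);
    }

    /** Accepts a code inside the look-ahead window, then moves the counter past it. */
    static boolean verify(Account a, String otp) throws GeneralSecurityException {
        if (a.failures >= MAX_FAILURES) return false;  // locked until manual recovery
        byte[] given = otp.getBytes(StandardCharsets.US_ASCII);
        for (long c = a.counter; c <= a.counter + LOOK_AHEAD; c++) {
            byte[] want = hotp(a.secret, c).getBytes(StandardCharsets.US_ASCII);
            if (MessageDigest.isEqual(want, given)) {
                a.counter = c + 1;   // a used or skipped counter is never valid again
                a.failures = 0;
                return true;
            }
        }
        a.failures++;
        return false;
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Constructed input: the RFC 4226 test secret "12345678901234567890" in Base32.
        Account acct = new Account("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ");
        for (long c = 0; c < 3; c++) System.out.println(c + ": " + hotp(acct.secret, c));
        System.out.println("counter 2 code accepted: " + verify(acct, "359152"));
        System.out.println("same code replayed:      " + verify(acct, "359152"));
        System.out.println("next expected counter:   " + acct.counter);
    }
}
```

Google Authenticator's time-based mode uses the same computation with the counter replaced by the current 30-second time step (RFC 6238).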
Jean-Luc
March 06, 2014, 10:00:02 AM
 #41170

Just throw AE in the water... it will either swim or drown!

best test is production, if it breaks we can fix it.

If it drowns it will take the whole Nxt ecosystem with it. We cannot just roll back the production blockchain, the way we had to do yesterday with the test blockchain - I asked test nodes to delete their copies.

We may have cosmetic bugs, but things like calculating account and asset balances have to be rock solid, otherwise it is free money for the lucky ones that first discover the bugs and run away after converting to Bitcoins. We had a bug where cancelling an asset order would give you back twice the original amount, imagine this on main net...


lead Nxt developer, gpg key id: 0x811D6940E1E4240C
Nxt blockchain platform | Ardor blockchain platform | Ignis ICO
verymuchso
March 06, 2014, 10:02:11 AM
 #41171

Just throw AE in the water... it will either swim or drown!

best test is production, if it breaks we can fix it.

If it drowns it will take the whole Nxt ecosystem with it. We cannot just roll back the production blockchain, the way we had to do yesterday with the test blockchain - I asked test nodes to delete their copies.

We may have cosmetic bugs, but things like calculating account and asset balances have to be rock solid, otherwise it is free money for the lucky ones that first discover the bugs and run away after converting to Bitcoins. We had a bug where cancelling an asset order would give you back twice the original amount, imagine this on main net...

Releasing now would be mad.

jl777
March 06, 2014, 10:03:22 AM
 #41172

any date set for launch of AE yet?? or still to be decided?
I proposed the 13th march, and asked if not some one should step up and take ownership for the launch of AE.
March 13th is not possible. I posted my plan some time ago:
https://bitcointalk.org/index.php?topic=345619.msg5449690#msg5449690

The test network is ready, the known asset exchange bug looks fixed, but more testing is needed to make sure there are no others.

Now I need to start working on increasing the divisibility of amounts and fees, to allow for fractional amounts in the future, and I want to have this ready and tested before Asset Exchange is enabled on main net, because this type of transition would be really more difficult after AE is live. There is no time to do that before March 13th, end of March is more likely.

fractional assets also? If the comment field is not possible, I can work around that, but please let me know so I can plan accordingly.

James

http://www.digitalcatallaxy.com/report2015.html
100+ page annual report for SuperNET
mcjavar
March 06, 2014, 10:03:59 AM
 #41173

@Jean-Luc: Could you please have a look at the PM I've sent you yesterday? Thanks!
Eadeqa
March 06, 2014, 10:07:10 AM
 #41174


I did my research on random string generator libraries, it seems apache RandomStringUtils is not compromised.

Why aren't you using SecureRandom random = new SecureRandom()?

Simpler version from web

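import java.security.SecureRandom;

// Characters the password may contain
char[] allowedCharacters = {'a','b','c','1','2','3','4'};
final int PASSWORD_LENGTH = 80; // example value; not defined in the original snippet

SecureRandom random = new SecureRandom();
StringBuilder password = new StringBuilder();

for (int i = 0; i < PASSWORD_LENGTH; i++) {
    // nextInt(n) returns a uniformly distributed index in [0, n)
    password.append(allowedCharacters[random.nextInt(allowedCharacters.length)]);
}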


NXT-GZYP-FMRT-FQ9K-3YQGS
https://nxtforum.org
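
For the generator discussed in the posts above, this added example (not Offspring's code and not from any poster) draws both the length and every character from `SecureRandom` using only the JDK, so its strength does not depend on what `RandomStringUtils` uses internally. It also shows two details of the quoted snippet: its digit list contains `0` twice, and `nextInt(high - low) + low` never returns 90. Class and method names are assumptions.

```java
import java.security.SecureRandom;
import java.util.LinkedHashSet;
import java.util.Set;

public class PassphraseDemo {
    // Character classes exactly as listed in the generator quoted in the thread.
    static final String SYMBOLS = "!\"$%^&*()-_=+[{]};:'@#~|,<.>/?";
    static final String ALPHA_NUM_ORIGINAL =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890";
    static final int LOW = 70, HIGH = 90;     // both bounds inclusive in this version
    static final int RANDOM_STATE_BITS = 48;  // java.util.Random state, as quoted in the thread

    private static final SecureRandom RNG = new SecureRandom();

    /** Drops repeated characters so each remaining one is drawn with equal probability. */
    static char[] dedupe(String chars) {
        Set<Character> seen = new LinkedHashSet<>();
        for (char c : chars.toCharArray()) seen.add(c);
        char[] out = new char[seen.size()];
        int i = 0;
        for (char c : seen) out[i++] = c;
        return out;
    }

    /** Length and characters both come from the CSPRNG. */
    static String generatePassphrase(char[] alphabet) {
        int count = LOW + RNG.nextInt(HIGH - LOW + 1);
        char[] out = new char[count];
        for (int i = 0; i < count; i++) out[i] = alphabet[RNG.nextInt(alphabet.length)];
        return new String(out);
    }

    /** Entropy of the shortest passphrase when every character is independent and uniform. */
    static double nominalBits(char[] alphabet) {
        return LOW * Math.log(alphabet.length) / Math.log(2);
    }

    /** A passphrase derived deterministically from a seed cannot be stronger than that seed. */
    static double effectiveBits(double nominalBits, int generatorStateBits) {
        return Math.min(nominalBits, generatorStateBits);
    }

    public static void main(String[] args) {
        char[] original = (SYMBOLS + ALPHA_NUM_ORIGINAL).toCharArray();
        char[] alphabet = dedupe(SYMBOLS + ALPHA_NUM_ORIGINAL);
        System.out.println("characters listed: " + original.length
                + ", distinct: " + alphabet.length);
        double nominal = nominalBits(alphabet);
        System.out.printf("nominal entropy at %d chars: %.0f bits%n", LOW, nominal);
        System.out.printf("upper bound if derived from a %d-bit seed: %.0f bits%n",
                RANDOM_STATE_BITS, effectiveBits(nominal, RANDOM_STATE_BITS));
        System.out.println("sample: " + generatePassphrase(alphabet));
    }
}
```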
mcjavar
March 06, 2014, 10:07:29 AM
 #41175

Nxt :: Asset Exchange Testing
Let's get things organized!

I've created a project for Nxt AE on TestPad.

https://nxt.ontestpad.com

Anyone willing to test AE please join the site so I can add you to the project.

What is TestPad for and why to join?

We can

- write test cases
- run tests step-by-step
- track tests step-by-step
- track bugs
- track bugfixing progress


Please PM me your username after registration.

Edit: TestPad is charging $9/month for every new user. I will pay for the subscription from my own pocket, so please, only join if you are serious about testing.
Eadeqa
March 06, 2014, 10:08:42 AM
 #41176

Just throw AE in the water... it will either swim or drown!

best test is production, if it breaks we can fix it.

If it drowns it will take the whole Nxt ecosystem with it. We cannot just roll back the production blockchain, the way we had to do yesterday with the test blockchain - I asked test nodes to delete their copies.

We may have cosmetic bugs, but things like calculating account and asset balances have to be rock solid, otherwise it is free money for the lucky ones that first discover the bugs and run away after converting to Bitcoins. We had a bug where cancelling an asset order would give you back twice the original amount, imagine this on main net...


Yes, don't release anything until it has been thoroughly tested on testNet

NXT-GZYP-FMRT-FQ9K-3YQGS
https://nxtforum.org
jl777
March 06, 2014, 10:10:00 AM
 #41177

10000 NXT BOUNTY for google authenticator help


I am announcing a 10000 NXT bounty for someone to help me integrate google authenticator to the gateway. It will be paid when the gateway passes the community created test plan for multigateway.

I need someone that can do the webpages needed for account # and token input and the server side code that properly correlates that. along with whatever other help I need. Especially making sure the process is secure.

James

Edit: I hope somebody knows where to update the list of bounties and will do so

http://www.digitalcatallaxy.com/report2015.html
100+ page annual report for SuperNET
Jean-Luc
March 06, 2014, 10:10:08 AM
 #41178

Is there an open source software with an online interface which we could use for logging testcases and bugs?
Something like JIRA?

For just keeping track of bugs, now we all should use the issue tracker on bitbucket, where the public source is.

There are tools like Jenkins and Hudson, to do continuous integration, but we don't have automated tests yet so it is a bit early to look into those.

For manual testing, writing test plans and keeping track of test results, somebody with more QA experience should speak up, I don't know what is out there.

We need an organized QA team and testing more urgently than we need java devs. The QA people can start contributing productively much faster than a new java dev can get familiar with the code, so we would see real results from getting a QA immediately.

lead Nxt developer, gpg key id: 0x811D6940E1E4240C
Nxt blockchain platform | Ardor blockchain platform | Ignis ICO
VanBreuk
March 06, 2014, 10:11:38 AM
 #41179

any date set for launch of AE yet?? or still to be decided?
I proposed the 13th march, and asked if not some one should step up and take ownership for the launch of AE.
March 13th is not possible. I posted my plan some time ago:
https://bitcointalk.org/index.php?topic=345619.msg5449690#msg5449690

The test network is ready, the known asset exchange bug looks fixed, but more testing is needed to make sure there are no others.

Now I need to start working on increasing the divisibility of amounts and fees, to allow for fractional amounts in the future, and I want to have this ready and tested before Asset Exchange is enabled on main net, because this type of transition would be really more difficult after AE is live. There is no time to do that before March 13th, end of March is more likely.


If that is realistic, it deserves full support. Let us grease the machines for the next 3 weeks then. I am testing.

In the meantime, looks like a great time to place an official client distribution for the average windows user on the table. NRS+wesleyh+mistafreeze installer. What's the status of this?

Do we need a name redux for the package?
jl777
March 06, 2014, 10:12:54 AM
 #41180

Nxt :: Asset Exchange Testing
Let's get things organized!

I've created a project for Nxt AE on TestPad.

https://nxt.ontestpad.com

Anyone willing to test AE please join the site so I can add you to the project.

What is TestPad for and why to join?

We can

- write test cases
- run tests step-by-step
- track tests step-by-step
- track bugs
- track bugfixing progress


Please PM me your username after registration.
Fantastic!
Everybody can help with this as long as you can use wesley's web GUI

James

http://www.digitalcatallaxy.com/report2015.html
100+ page annual report for SuperNET