ChuckOne
Sr. Member
Offline
Activity: 364
Merit: 250
☕ NXT-4BTE-8Y4K-CDS2-6TB82
March 09, 2014, 11:12:53 PM
I agree his actions are beyond reckless, but HIS ACTIONS ARE KILLING NXT. When one guy loses 20% of his portfolio on NXT due to poor password security and tweets it out to *** 2100 *** followers, WE JUST LOST 2100 PEOPLE WHO WON'T TOUCH NXT NOW.
THIS IS A DISASTER.
WE COULD HAVE AVOIDED THIS DISASTER IF WE HAD IMPLEMENTED INTEGRATED AUTOMATIC STRONG PASSWORD GENERATION IN ALL CLIENTS A MONTH AGO.
ARE WE IN AGREEMENT TO IMPLEMENT IT ACROSS THE BOARD NOW?
There is no such thing as bad publicity
Ah, yeah.
godt
Member
Offline
Activity: 87
Merit: 10
March 09, 2014, 11:13:13 PM
Why shouldn't it be? But it is very unlikely that somebody has control over this account. What are the chances?
ChuckOne
Sr. Member
Offline
Activity: 364
Merit: 250
☕ NXT-4BTE-8Y4K-CDS2-6TB82
March 09, 2014, 11:16:15 PM
How do you want to prevent people creating pools?
It seems to me that the comprehension problem I have right now is why would anybody want a PoS coin not to be secured by TF.
Until now, there is no such thing as TF => NXT has no TF. With TF, every node can decide without any doubt what is wrong and what is right. TF would not be gameable. TF would not allow cheating.
You have to read the whole dialog from today to understand my post. You put my quote out of context.
1. I asked why some parallel chains would not want to choose TF
2. I asked how to prevent pools in these chains without TF
Why should pools be prevented at all?
ChuckOne
Sr. Member
Offline
Activity: 364
Merit: 250
☕ NXT-4BTE-8Y4K-CDS2-6TB82
March 09, 2014, 11:22:46 PM
In my thinking there are two balances, - apologies if this is a bit long....
The Reserve Balance which is an amount of NXT you cannot withdraw and you can initiate instant transactions up to that level - this is a permanent reserve until cancelled.
The other balance is the Instant Balance, which is updated as soon as an instant transaction is broadcast by a node, i.e. 0 confirmations. This reflects the liability the account has created with an instant transaction. The node the transaction is broadcast through will have a real-time view of this because it will update the account's instant balance before broadcasting the tx; all nodes seeing the TX will also update the instant balance for that account. If the account tries to initiate more TX that would make Instant Balance > Reserve Balance, this would create an error.
An attack vector such as you describe would rely on being able to send the TX through a node which had not yet updated its instant balance total for the account in question.
For instant transactions to work I would want to ensure that both accounts had to be connected to a node and both nodes had the same view of the instant transaction balance of the sending account. If the seller is logged into the buyer node then this is a possible edge case attack.
This means that the seller's account can confirm that there are sufficient reserved funds for the instant purchase because it also has a view of the buyer's instant balance that it can verify with other nodes - this would be a possible client verification/check during the purchasing process; the seller's NRS node is passive in this process other than providing data to the seller's software client.
Even if the buyer switches nodes, the seller doesn't, and the seller's node reconciles the instant balance of the seller's account using normal timeline rules.... So unless the buyer can get the seller onto a node that doesn't know the buyer's balance, or initiates trades with lots of sellers which it knows are connected to nodes which won't get the instant balance update, an attack will fail (I think).
Once the instant TX is confirmed the liability reduces and the instant balance can be reduced.
Me, as a bad buyer, could easily game the system by replaying all the transactions over and over again, in order to let nodes delete all (except one). I can play this game over and over again. I would rather have a combination of http://qubic.boards.net/thread/9/fighting-scam (hope CfB does not mind) and CCT. One part we are missing so far is that the seller can cheat as well. We should have a refunding transaction instead of arbitrary limits.
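The reserve/instant balance scheme quoted in the post above, and the stale-node race it describes, as an added toy model (example code, not NRS or any NXT client code). Node, reserve and instant-balance bookkeeping, transaction ids and the gossip step are all assumptions of this model; it deduplicates replays by transaction id, which says nothing about the replay concern ChuckOne raises, and it only covers the buyer side.

```python
"""Added example, not NRS code: a toy model of the reserve / instant balance
scheme discussed above, the stale-node race it is exposed to, and the
multi-node verification the post proposes for the seller's client."""


class Node:
    """One node's local view (assumed model). reserve is the amount locked
    for instant transactions; instant is the liability created by the
    0-confirmation instant transactions this node has applied."""

    def __init__(self, name, reserves):
        self.name = name
        self.reserve = dict(reserves)
        self.instant = {acct: 0 for acct in reserves}
        self.applied = set()  # transaction ids already applied on this node

    def has_room(self, tx):
        acct, amount = tx["from"], tx["amount"]
        return self.instant[acct] + amount <= self.reserve[acct]

    def apply(self, tx):
        """Called when a client broadcasts through this node and again when
        the same transaction arrives by gossip; replays are ignored by id."""
        if tx["id"] in self.applied:
            return False
        if not self.has_room(tx):
            return False
        self.instant[tx["from"]] += tx["amount"]
        self.applied.add(tx["id"])
        return True


def gossip(tx, nodes):
    """Propagate a transaction to every node in the toy network."""
    return [node.apply(tx) for node in nodes]


def seller_should_accept(tx, nodes):
    """The check the post suggests for the seller's client: ask several nodes
    for the buyer's instant balance and accept only if all of them still
    show room under the reserve."""
    return all(node.has_room(tx) for node in nodes)


def stale_node_race():
    """Two sellers on two nodes; the buyer spends the same reserve twice
    before the first instant transaction has reached the second node."""
    a = Node("A", {"buyer": 100})
    b = Node("B", {"buyer": 100})
    tx1 = {"id": "tx1", "from": "buyer", "amount": 80}
    tx2 = {"id": "tx2", "from": "buyer", "amount": 80}
    a.apply(tx1)                   # seller 1, on node A, sees the liability
    accepted_by_b = b.apply(tx2)   # node B has not heard tx1 yet, so it accepts
    gossip(tx1, [a, b])            # B now rejects tx1: 80 + 80 > 100
    gossip(tx2, [a, b])            # A rejects tx2 for the same reason
    # Each node kept a different transaction; both sellers believe they were paid.
    return accepted_by_b, sorted(a.applied), sorted(b.applied)


def quorum_check():
    """Same race, but seller 2 queries both nodes before accepting tx2."""
    a = Node("A", {"buyer": 100})
    b = Node("B", {"buyer": 100})
    tx1 = {"id": "tx1", "from": "buyer", "amount": 80}
    tx2 = {"id": "tx2", "from": "buyer", "amount": 80}
    a.apply(tx1)
    return seller_should_accept(tx2, [a, b])


if __name__ == "__main__":
    print(stale_node_race())   # (True, ['tx1'], ['tx2'])
    print(quorum_check())      # False
```

The interesting output is the divergent `applied` sets: the network never ends up with more liability than reserve on any single node, yet two sellers each hold an instant transaction that the other node refuses, and which one survives is decided later by the timeline rules the post refers to. The quorum query closes that window only to the extent the seller can reach a node that has already seen the competing transaction.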
Fern
March 09, 2014, 11:25:20 PM
Guys, relax! Password generator will get implemented in Wesleyh's installer (NRS + nice GUI). And now, move on. Please read this monster thread before you post. Thank you.
OK, cool. I was just checking up on progress for this week coming. I think Pinarello was helping to make sure it happens. That is, Wesley's client becoming the official one. I'm going to keep banging on about it until it's done. I'm pretty sure this Alvin Lee character is a woman from the Netherlands. It's hard to believe she used a short password with 20% of her portfolio. Hopefully she tweets about the new client next week.
StuartGT
Member
Offline
Activity: 104
Merit: 10
March 09, 2014, 11:27:57 PM
There is no such thing as bad publicity
Agreed!
ChuckOne
Sr. Member
Offline
Activity: 364
Merit: 250
☕ NXT-4BTE-8Y4K-CDS2-6TB82
March 09, 2014, 11:29:19 PM
Until now, there is no such thing as TF => NXT has no TF.
Not 100% correct. We have 50% of it. You made me smile. ----- You have seen my analysis: as far as I can tell, the 90%-deterministic approach would be susceptible to the puppet-account attack as would be the 100%-deterministic approach.
ChuckOne
Sr. Member
Offline
Activity: 364
Merit: 250
☕ NXT-4BTE-8Y4K-CDS2-6TB82
March 09, 2014, 11:36:45 PM
@CfB
It would be advisable to have 51%-attack protection in place rather than the 34%-attack protection.
jl777
Legendary
Offline
Activity: 1176
Merit: 1134
March 09, 2014, 11:40:53 PM
Crazy idea, has someone already thought of it? A coin like NXT might have features similar to eBay?
1 - I own the account 111111
2 - I want to buy something from the seller who has the account 22222
3 - I send 100 NXT, which would be trapped in the blockchain until I confirm that I received my purchase.
4 - If I receive the product, I unlock the 100 NXT for account 222.
5 - If I do not receive it, it gets stuck and only comes back to me if the seller account 222 marks it as not completed.
6 - Upon completion of the deal or not, we could both evaluate and add 1 point to the "reputation system" of the accounts.
7 - Accounts with high reputation could mediate situations where there was no agreement.
So instead of being added to eBay, etc. ... which is the dream of any currency, it would replace it. To facilitate the exchange of NXT for other currencies without using an exchange.
What if acct 111111 receives the product, but doesn't mark it as so? acct 22222 will not be happy. If you can solve that part, this could work.
James
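The seven-step escrow proposal quoted above as a state machine, added here as example code (not NXT code, and not anything the proposal's author wrote). The ledger, the reputation threshold for mediating and the account names are constructed; the silent-buyer scenario is the case James asks about, and the only exit it has in this model is step 7, a dispute settled by a high-reputation account.

```python
"""Added example, not NXT code: the escrow proposal as a state machine
(lock, release, mark not completed, dispute, mediation by reputation)."""
from enum import Enum, auto


class State(Enum):
    LOCKED = auto()     # step 3: funds held by the chain, nobody can spend them
    RELEASED = auto()   # step 4: buyer unlocked them for the seller
    REFUNDED = auto()   # step 5: seller marked the deal not completed
    DISPUTED = auto()   # step 7: waiting for a high-reputation mediator


MEDIATOR_MIN_REPUTATION = 10  # assumed threshold, not from the thread


class Escrow:
    def __init__(self, ledger, reputation, buyer, seller, amount):
        if ledger[buyer] < amount:
            raise ValueError("buyer cannot cover the escrow")
        ledger[buyer] -= amount  # step 3: removed from the buyer's spendable balance
        self.ledger, self.reputation = ledger, reputation
        self.buyer, self.seller, self.amount = buyer, seller, amount
        self.state = State.LOCKED

    def _settle(self, payee, final_state):
        self.ledger[payee] += self.amount
        self.state = final_state
        # step 6: completed or not, both parties get one reputation point
        self.reputation[self.buyer] = self.reputation.get(self.buyer, 0) + 1
        self.reputation[self.seller] = self.reputation.get(self.seller, 0) + 1

    def release(self, who):
        """Step 4: only the buyer can unlock the funds for the seller."""
        if who != self.buyer or self.state not in (State.LOCKED, State.DISPUTED):
            raise PermissionError(f"{who} cannot release in state {self.state.name}")
        self._settle(self.seller, State.RELEASED)

    def mark_not_completed(self, who):
        """Step 5: only the seller can send the funds back to the buyer."""
        if who != self.seller or self.state not in (State.LOCKED, State.DISPUTED):
            raise PermissionError(f"{who} cannot refund in state {self.state.name}")
        self._settle(self.buyer, State.REFUNDED)

    def dispute(self, who):
        """Either party can escalate a locked deal to mediation."""
        if who not in (self.buyer, self.seller) or self.state != State.LOCKED:
            raise PermissionError(f"{who} cannot dispute in state {self.state.name}")
        self.state = State.DISPUTED

    def mediate(self, arbiter, pay_seller):
        """Step 7: a third party with enough reputation decides a dispute."""
        if self.state != State.DISPUTED or arbiter in (self.buyer, self.seller):
            raise PermissionError("no open dispute, or the arbiter is a party")
        if self.reputation.get(arbiter, 0) < MEDIATOR_MIN_REPUTATION:
            raise PermissionError("arbiter reputation too low")
        if pay_seller:
            self._settle(self.seller, State.RELEASED)
        else:
            self._settle(self.buyer, State.REFUNDED)


def silent_buyer():
    """Buyer 111111 receives the product and never releases. The seller cannot
    pay itself; the only way out is a dispute settled by a mediator.
    Balances and reputations are constructed."""
    ledger = {"111111": 500, "22222": 0, "mediator": 0}
    reputation = {"111111": 0, "22222": 0, "mediator": 12}
    e = Escrow(ledger, reputation, "111111", "22222", 100)
    try:
        e.release("22222")  # the seller tries to take the funds itself
    except PermissionError:
        pass
    e.dispute("22222")
    e.mediate("mediator", pay_seller=True)
    return ledger["111111"], ledger["22222"], e.state, reputation["22222"]


if __name__ == "__main__":
    print(silent_buyer())  # (400, 100, State.RELEASED, 1)
```

What the model makes visible is that steps 3 to 5 alone have a dead state: once the buyer stops responding, the funds stay locked forever and the seller has no unilateral move. Everything then rests on who is allowed to call `mediate`, which is why the reputation threshold and the rule that a party cannot mediate its own deal carry the security weight.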
jl777
Legendary
Offline
Activity: 1176
Merit: 1134
March 09, 2014, 11:42:18 PM
So, using guid we can look up the txid to verify that the txid Evil Bob submits is different from the real one and reject him. There is no way for Evil Bob to change the GUID. 10 confirmations is recommended.
Anyone can change a transaction. All that you need is to rely on guid.
OK, so I change all my code to treat GUID as txid and just ignore the current txids when this is available and all will be well.
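The txid-versus-GUID point in the exchange above, as an added example (not NRS code and not jl777's). It models the GUID as a hash over the signed content with the signature bytes excluded; that is an assumption about what makes it unchangeable by a third party, not a description of NRS internals. The signature is an HMAC with one byte of encoding slack appended, standing in for a real signature whose encoding can be rewritten without invalidating it; the transaction fields and the confirmed chain are constructed.

```python
"""Added example, not NRS code: an id that covers the signature bytes can be
changed by a relaying third party, an id over the signed content cannot."""
import hashlib
import hmac
import json

SENDER_KEY = b"constructed sender key"  # stand-in for the sender's secret


def content_bytes(tx):
    """Canonical serialization of the fields that are actually signed."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


def sign(tx):
    """32 signature bytes plus one byte of 'encoding' the verifier ignores."""
    return hmac.new(SENDER_KEY, content_bytes(tx), "sha256").digest() + b"\x00"


def verify(tx, wire_sig):
    expected = hmac.new(SENDER_KEY, content_bytes(tx), "sha256").digest()
    return hmac.compare_digest(wire_sig[:32], expected)


def txid(tx, wire_sig):
    """Malleable: hashes the signature bytes as they appear on the wire."""
    return hashlib.sha256(content_bytes(tx) + wire_sig).hexdigest()


def guid(tx):
    """Fixed: hashes only the signed content, so only the signer can change it."""
    return hashlib.sha256(content_bytes(tx)).hexdigest()


def evil_bob(wire_sig):
    """Rewrites the ignored byte: still verifies, but the bytes differ."""
    return wire_sig[:32] + bytes([wire_sig[32] ^ 0x01])


def payment_seen_by_txid(chain, expected_txid, min_confirmations=10):
    """Merchant lookup keyed on txid: fails if Bob's re-encoded copy got in."""
    for entry in chain:
        if txid(entry["tx"], entry["sig"]) == expected_txid:
            return entry["confirmations"] >= min_confirmations
    return False


def payment_seen_by_guid(chain, expected_guid, min_confirmations=10):
    """Merchant lookup keyed on guid, still insisting on a valid signature and
    on enough confirmations (the post recommends 10)."""
    for entry in chain:
        if guid(entry["tx"]) == expected_guid and verify(entry["tx"], entry["sig"]):
            return entry["confirmations"] >= min_confirmations
    return False


def demo():
    tx = {"sender": "111111", "recipient": "22222", "amount": 100, "timestamp": 1394409600}
    sig = sign(tx)
    bobbed = evil_bob(sig)
    # constructed chain: Bob's re-encoded copy is the one that got confirmed
    chain = [{"tx": tx, "sig": bobbed, "confirmations": 12}]
    return {
        "original_valid": verify(tx, sig),
        "malleated_valid": verify(tx, bobbed),
        "txid_changed": txid(tx, sig) != txid(tx, bobbed),
        "found_by_txid": payment_seen_by_txid(chain, txid(tx, sig)),
        "found_by_guid": payment_seen_by_guid(chain, guid(tx)),
    }


if __name__ == "__main__":
    print(demo())
```

The merchant's mistake is remembering `txid(tx, sig)` at submission time and polling for it: Bob cannot alter the amount or recipient, but he can make the merchant's lookup fail, which is exactly the kind of "I never got paid, resend" confusion the GUID lookup avoids. The confirmation count stays in the GUID path on purpose; switching identifiers removes the malleability problem, not the need to wait for the transaction to be buried.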
ChuckOne
Sr. Member
Offline
Activity: 364
Merit: 250
☕ NXT-4BTE-8Y4K-CDS2-6TB82
March 09, 2014, 11:42:55 PM
EvilDave
March 09, 2014, 11:43:25 PM
I agree his actions are beyond reckless, but HIS ACTIONS ARE KILLING NXT. When one guy loses 20% of his portfolio on NXT due to poor password security and tweets it out to *** 2100 *** followers, WE JUST LOST 2100 PEOPLE WHO WON'T TOUCH NXT NOW.
THIS IS A DISASTER.
WE COULD HAVE AVOIDED THIS DISASTER IF WE HAD IMPLEMENTED INTEGRATED AUTOMATIC STRONG PASSWORD GENERATION IN ALL CLIENTS A MONTH AGO.
ARE WE IN AGREEMENT TO IMPLEMENT IT ACROSS THE BOARD NOW?
Er...yes.
There is no such thing as bad publicity
This is pretty close to being as bad as bad publicity can get. At least AlvinLee has acknowledged her (?) role in the loss, but losing 20% in one pop......ouch. Anyone want to give her some compensation and a copy of Wesley's shiny, more secure, client when it comes out?
VanBreuk
March 09, 2014, 11:44:26 PM
I agree his actions are beyond reckless, but HIS ACTIONS ARE KILLING NXT. When one guy loses 20% of his portfolio on NXT due to poor password security and tweets it out to *** 2100 *** followers, WE JUST LOST 2100 PEOPLE WHO WON'T TOUCH NXT NOW.
THIS IS A DISASTER.
WE COULD HAVE AVOIDED THIS DISASTER IF WE HAD IMPLEMENTED INTEGRATED AUTOMATIC STRONG PASSWORD GENERATION IN ALL CLIENTS A MONTH AGO.
ARE WE IN AGREEMENT TO IMPLEMENT IT ACROSS THE BOARD NOW?
Er...yes.
There is no such thing as bad publicity
This is pretty close to being as bad as bad publicity can get. At least AlvinLee has acknowledged her (?) role in the loss, but losing 20% in one pop......ouch. Anyone want to give her some compensation and a copy of Wesley's shiny, more secure, client when it comes out?
+1
jl777
Legendary
Offline
Activity: 1176
Merit: 1134
March 09, 2014, 11:45:57 PM
Why shouldn't it be? But it is very unlikely that somebody has control over this account. What are the chances?
getAccountPublicKey.10388 {"errorCode":5,"errorDescription":"Unknown account"}
If somebody knows the key, they haven't used it yet.
pandaisftw
March 09, 2014, 11:50:37 PM
Still catching up to the thread (at least 20 pages behind), but reiterating what I said earlier:
Now that I think about it, parallel chains is a very nice way to achieve the 1000 TPS goal. It is highly unlikely that everyone needs to use all the parallel chains at once, so by providing many, many chains, people would only have to secure the ones they are interested in. NXT as a whole could have 1000 TPS, but a regular user would probably only need to secure at most 100 TPS on the chains he/she is interested in.
It is unlikely someone in India using NXTIndia will need to secure the NXTChina parallel chain (although both would secure the master chain). So with just 10 countries using NXT at 100 TPS, you got your 1000 TPS without the entire network having to have super-mega-fast internet speeds. Add in specialized services with their own chain, and this number could be much higher than 1000 TPS.
Pandaisftw
Why are people so concerned with a single "super-duper-high-speed-secured-by-super-hubs"-chain? 100 parallel chains at 10 TPS each is equivalent to 1 chain at 1000 TPS. 10 TPS can be done easily with even the lowest-end hardware and internet connections.
Case 1 (Assumptions): These chains use NXT as their base currency, and the total NXT between all of these chains remains 1 bil. There is a way for NXT to transfer across chains without having to create new NXT or destroying NXT (presumably atomic transactions). If not, why can't NXT transactions have a "chain-destination" field, allowing seamless cross-NXTchain transactions?
Case 2: Even if Case 1 is not true, then each chain would simply have its own "coin", but still secured by the master chain, thus part of the NXT ecosystem.
Why is this practical? Because no one needs to use all 100 chains at once. People only need to secure the chains they use (in addition to the master chain) - think NXTUSA or NXTChina. Thus, there is less waste (infrastructure costs) than creating a single chain that can do 1000 TPS, but only during spike periods. It may only do 100 TPS normally, or even less. And then there's the fact that only super-hubs (centralization) can secure this network. By letting people choose what chains they want to secure, this gives nodes the flexibility to support as many chains as their hardware and bandwidth allows. Therefore, average users with Pis can support maybe 10 chains, while those running VPSs with high bandwidth connections can support hundreds.
They can also dynamically allocate their resources depending on network load via switching chains they support. This also gives us the flexibility to go beyond 1000 TPS without needing to upgrade any hardware or internet speeds. More users = more chains = more users to support more chains. Additionally, more chains means less bloat per chain. A single 1000 TPS chain would have immense bloat, and would have to be trimmed at a rapid pace. Imagine trying to catch up to a 1000 TPS chain; the chain will be rapidly growing while you're trying to download it. At this rate, the chain would be growing at 460 megabytes per hour. With many, many parallel chains, you would only have to worry about the blockchains you are securing. So a raspi user securing 10 chains at 10 TPS each would only need to worry about 100 TPS worth of bloat... much more manageable.
So I'll ask again, why is there a need for a single 1000 TPS chain when you can have hundreds of 10 TPS chains?
NXT: 13095091276527367030
crazybonkers
Member
Offline
Activity: 75
Merit: 10
March 09, 2014, 11:51:51 PM Last edit: March 10, 2014, 12:11:26 AM by crazybonkers
We know that a weak password is the user's responsibility, but it's also true that the current base client is not user friendly in that sense, at all. Regardless, in this case, contacting @onemanatatime, finding the related blockchain information and trying to perhaps partially or fully compensate the leeching would be a VERY smart PR move. Edit: I just saw the amounts. 400K+. I'm sorry for him, but buying and transferring that amount without doing your homework is beyond reckless.
I agree his actions are beyond reckless, but HIS ACTIONS ARE KILLING NXT. When one guy loses 20% of his portfolio on NXT due to poor password security and tweets it out to *** 2100 *** followers, WE JUST LOST 2100 PEOPLE WHO WON'T TOUCH NXT NOW. THIS IS A DISASTER. WE COULD HAVE AVOIDED THIS DISASTER IF WE HAD IMPLEMENTED INTEGRATED AUTOMATIC STRONG PASSWORD GENERATION IN ALL CLIENTS A MONTH AGO. ARE WE IN AGREEMENT TO IMPLEMENT IT ACROSS THE BOARD NOW?
I agree. Developers must make the clients as easy and as foolproof as possible for the unaware user who doesn't quite grasp how important a very long passphrase is when using the Nxt brain wallet.
+infinity
jl777
Legendary
Offline
Activity: 1176
Merit: 1134
March 09, 2014, 11:59:29 PM
Still catching up to the thread (at least 20 pages behind), but reiterating what I said earlier:
Now that I think about it, parallel chains is a very nice way to achieve the 1000 TPS goal. It is highly unlikely that everyone needs to use all the parallel chains at once, so by providing many, many chains, people would only have to secure the ones they are interested in. NXT as a whole could have 1000 TPS, but a regular user would probably only need to secure at most 100 TPS on the chains he/she is interested in.
It is unlikely someone in India using NXTIndia will need to secure the NXTChina parallel chain (although both would secure the master chain). So with just 10 countries using NXT at 100 TPS, you got your 1000 TPS without the entire network having to have super-mega-fast internet speeds. Add in specialized services with their own chain, and this number could be much higher than 1000 TPS.
Pandaisftw
Why are people so concerned with a single "super-duper-high-speed-secured-by-super-hubs"-chain? 100 parallel chains at 10 TPS each is equivalent to 1 chain at 1000 TPS. 10 TPS can be done easily with even the lowest-end hardware and internet connections.
Case 1 (Assumptions): These chains use NXT as their base currency, and the total NXT between all of these chains remains 1 bil. There is a way for NXT to transfer across chains without having to create new NXT or destroying NXT (presumably atomic transactions). If not, why can't NXT transactions have a "chain-destination" field, allowing seamless cross-NXTchain transactions?
Case 2: Even if Case 1 is not true, then each chain would simply have its own "coin", but still secured by the master chain, thus part of the NXT ecosystem.
Why is this practical? Because no one needs to use all 100 chains at once. People only need to secure the chains they use (in addition to the master chain) - think NXTUSA or NXTChina. Thus, there is less waste (infrastructure costs) than creating a single chain that can do 1000 TPS, but only during spike periods. It may only do 100 TPS normally, or even less. And then there's the fact that only super-hubs (centralization) can secure this network. By letting people choose what chains they want to secure, this gives nodes the flexibility to support as many chains as their hardware and bandwidth allows. Therefore, average users with Pis can support maybe 10 chains, while those running VPSs with high bandwidth connections can support hundreds.
They can also dynamically allocate their resources depending on network load via switching chains they support. This also gives us the flexibility to go beyond 1000 TPS without needing to upgrade any hardware or internet speeds. More users = more chains = more users to support more chains. Additionally, more chains means less bloat per chain. A single 1000 TPS chain would have immense bloat, and would have to be trimmed at a rapid pace. Imagine trying to catch up to a 1000 TPS chain; the chain will be rapidly growing while you're trying to download it. At this rate, the chain would be growing at 460 megabytes per hour. With many, many parallel chains, you would only have to worry about the blockchains you are securing. So a raspi user securing 10 chains at 10 TPS each would only need to worry about 100 TPS worth of bloat... much more manageable.
So I'll ask again, why is there a need for a single 1000 TPS chain when you can have hundreds of 10 TPS chains?
Could the network automatically adapt and support the chains that they are able to? I doubt most users will know enough to properly select what chains to support. If the network can be smart and reallocate resources where it is needed, then that would be really cool. Semi-intelligent emergent behavior?
SZZT
March 10, 2014, 12:02:07 AM
+1 User end = paralytic amoeba
+1
1HceYnNAUv5zBjJUhEncmmvxU1C7yjWoX8
jl777
Legendary
Offline
Activity: 1176
Merit: 1134
March 10, 2014, 12:06:01 AM
We know that a weak password is the user's responsibility, but it's also true that the current base client is not user friendly in that sense, at all. Regardless, in this case, contacting @onemanatatime, finding the related blockchain information and trying to perhaps partially or fully compensate the leeching would be a VERY smart PR move. Edit: I just saw the amounts. 400K+. I'm sorry for him, but buying and transferring that amount without doing your homework is beyond reckless.
I agree his actions are beyond reckless, but HIS ACTIONS ARE KILLING NXT. When one guy loses 20% of his portfolio on NXT due to poor password security and tweets it out to *** 2100 *** followers, WE JUST LOST 2100 PEOPLE WHO WON'T TOUCH NXT NOW. THIS IS A DISASTER. WE COULD HAVE AVOIDED THIS DISASTER IF WE HAD IMPLEMENTED INTEGRATED AUTOMATIC STRONG PASSWORD GENERATION IN ALL CLIENTS A MONTH AGO. ARE WE IN AGREEMENT TO IMPLEMENT IT ACROSS THE BOARD NOW?
I agree. Developers must make the clients as easy and as foolproof as possible for the unaware user who doesn't quite grasp how important a very long passphrase is when using the Nxt brain wallet.
+infinity
I suggested to Wesley adding a reverse steganographic password generator combined with a PIN. I think that makes it super easy.
crazybonkers
Member
Offline
Activity: 75
Merit: 10
March 10, 2014, 12:11:54 AM
We know that a weak password is the user's responsibility, but it's also true that the current base client is not user friendly in that sense, at all. Regardless, in this case, contacting @onemanatatime, finding the related blockchain information and trying to perhaps partially or fully compensate the leeching would be a VERY smart PR move. Edit: I just saw the amounts. 400K+. I'm sorry for him, but buying and transferring that amount without doing your homework is beyond reckless.
I agree his actions are beyond reckless, but HIS ACTIONS ARE KILLING NXT. When one guy loses 20% of his portfolio on NXT due to poor password security and tweets it out to *** 2100 *** followers, WE JUST LOST 2100 PEOPLE WHO WON'T TOUCH NXT NOW. THIS IS A DISASTER. WE COULD HAVE AVOIDED THIS DISASTER IF WE HAD IMPLEMENTED INTEGRATED AUTOMATIC STRONG PASSWORD GENERATION IN ALL CLIENTS A MONTH AGO. ARE WE IN AGREEMENT TO IMPLEMENT IT ACROSS THE BOARD NOW?
I agree. Developers must make the clients as easy and as foolproof as possible for the unaware user who doesn't quite grasp how important a very long passphrase is when using the Nxt brain wallet.
+infinity
I suggested to Wesley adding a reverse steganographic password generator combined with a PIN. I think that makes it super easy.
Just an added thought... Is there not a way that we could add a maximum number of tries to unlock an account? After the maximum number of tries you have to wait 1 minute before you can try again (or however long is a good time). I'm not sure how hackers hack a passphrase. I'm assuming they need to keep entering a different passphrase until they hit one? Having a max limit to the number of times you can enter your passphrase would slow a hacker down? This is just a thought and I don't know if this could be implemented in the clients or if I'm understanding things correctly, as I'm neither a hacker nor a coder. Just trying to help.
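The post above asks whether a maximum number of passphrase attempts would slow an attacker down. The following added example (not NXT client code, and not anything the thread's participants wrote) shows why it would not for a brain wallet, and what the integrated strong-passphrase generator the thread keeps asking for has to provide. The passphrase-to-account mapping is a stand-in double SHA-256 truncated to 8 bytes, chosen only so the example runs without a Curve25519 library; it is not the real derivation, and the ledger, the weak passphrase and the attacker's word list are constructed.

```python
"""Added example, not NXT client code: a client-side attempt limit does not
touch the attacker's loop, because guessing a brain-wallet passphrase is an
offline computation checked against account ids that are already public."""
import hashlib
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + "-_"  # 64 symbols, 6 bits each


def account_id(passphrase):
    """Stand-in derivation (assumption): the real chain is passphrase -> key
    -> account, but the property that matters is the same: deterministic,
    and computable by anyone without contacting any client or node."""
    digest = hashlib.sha256(hashlib.sha256(passphrase.encode()).digest()).digest()
    return int.from_bytes(digest[:8], "little")


def generate_passphrase(length=30):
    """What an integrated generator should do: a CSPRNG over a known alphabet,
    never the user's own choice of words."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length, alphabet=ALPHABET):
    return length * math.log2(len(alphabet))


def offline_guess(public_account_ids, candidates):
    """The attacker's loop. Each guess is hashed locally and compared with the
    set of funded account ids read from the blockchain. No login form, no
    attempt counter and no lockout is ever consulted."""
    hits = {}
    for guess in candidates:
        aid = account_id(guess)
        if aid in public_account_ids:
            hits[guess] = aid
    return hits


def demo():
    weak = "bitcoin2014"              # constructed weak passphrase
    strong = generate_passphrase()    # 30 symbols from a 64-symbol alphabet
    # constructed ledger: the attacker only needs the keys of this dict
    ledger = {account_id(weak): 400_000, account_id(strong): 400_000}
    base_words = ["password", "letmein", "bitcoin", "nxt", "moon"]
    candidates = [w + suffix for w in base_words for suffix in ("", "1", "2014", "!")]
    return sorted(offline_guess(set(ledger), candidates)), entropy_bits(len(strong))


if __name__ == "__main__":
    print(demo())  # (['bitcoin2014'], 180.0)
```

The only thing that slows this loop down is the size of the search space, which is why the generated passphrase (180 bits here) is safe and the user-chosen one is found on the first pass. Attempt limits and delays belong to server-side logins where the secret is checked by something the attacker does not control; a brain wallet has no such gatekeeper, so the client's job is to make the strong passphrase the default and the weak one hard to pick.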