| Nxt | Blockchain Platform | Proof of Stake | Official

[Eadeqa]

Ugh... Are you kidding me? Are there bots prowling the network with a boatload of password-account combinations stored watching the for transactions to known addresses or something?

I got some NXT a long time ago and kept it tucked away, but with the updated client it seems I didn't have a public key, so I sent a message.. easy enough... my balance was there, but I couldn't forge because it was unconfirmed... so I figure this has something to do with old balances being 'unconfirmed' under the updated protocol until it's seen activity.. So I flip my NXT into another account that I used in the past (tx 3603756272827733121), wait for it to confirm, and as soon as it does the NXT has moved on to an account out of my control (tx 10738856805317237622)...!!!

WTF? I sat here waiting for a confirm to flip it right back, and it vanishes before my very eyes! We're talking within 2 seconds of the first confirmation!

If the network is this compromised, how do you ever expect mainstream adoption... I've had an eye on NXT since the beginning and was really into the new look and feel, the asset exchange, etc.. My interest was building in NXT again (initially less than impressed by the distribution, but it seemed a lot of great work had gone into the protocol..) Too bad.. Nxt looked cool, but as it stands I'm out.. Not sure that this can be called a 2nd generation crypto when it's this vulnerable to theft. I'd say the target audience is even more specialized than bitcoin; the average joe can hardly remember "Password1"!

Sorry for your loss.  Can you share the password of your second account?  I also find it weird that someone compromised your account that fast.

I would rather not share my 'passphrase' or unique key or whatever you want to call it because it has elements of a common password that I use for low security purposes (i.e. one-use account on random forums). It was admittedly a meager 21 chars including dictionary words and spaces.. Much better than a laymans password but not the level of security I usually use (thus why it was a depreciated account/wallet). I haven't been in that account for about 4-5 months and was just using it to bounce my nxt to see if that would get it properly recognized (effective balance was 0 despite having NXT).

The thing that concerns me is that the transaction occurred within 2 seconds of the first confirmation.. It's not like I left nxt sitting around in an unsecure account, this was just a brief bounce to try to 'reactivate' my nxt.

The amount is irrelevant in this case - about 250 nxt (all I had), but the fact that it was so rapidly snagged is concerning to say the least.. it made me realize a major flaw for NXT and the layman.. A bot can easily collect a massive list of  account keys and related 'security phrases' via brute force (offline so it's undetected), store these, and watch the blockchain for transactions to accounts that fall within it's dictionary, then instantly log in and with bot-like speed, snipe those NXT on the first transaction...

One simple question: If you google your password (with the quotes "" , i.e " blah blah my pass") , how many hits do you get?

If it's in thousands you just as well post it here and change your other password

The thing that concerns me is that the transaction occurred within 2 seconds of the first confirmation.. It's not like I left nxt sitting around in an unsecure account, this was just a brief bounce to try to 'reactivate' my nxt.

That's because the hacker had pre calculated the hash for it as it well known password already in his database. When his computer saw the transaction to that account, it did immediate transaction in 2 seconds.

[1715005862]

1715005862

[1715005862]

1715005862

[1715005862]

1715005862

[1715005862]

1715005862

[1715005862]

1715005862

[Daedelus]

I would rather not share my 'passphrase' or unique key or whatever you want to call it because it has elements of a common password that I use for low security purposes (i.e. one-use account on random forums). It was admittedly a meager 21 chars including dictionary words and spaces.. Much better than a laymans password but not the level of security I usually use (thus why it was a depreciated account/wallet). I haven't been in that account for about 4-5 months and was just using it to bounce my nxt to see if that would get it properly recognized (effective balance was 0 despite having NXT).

*snip*

In this case the theif used NXT-X6AP-V3S7-RBHA-GQW8Z, which I'm sure will see no activity for some time before it goes through a wash.. I remember from the get-go there were countless issues with theft, looks like this has gotten worse. Enough to scare me off NXT. GL.

Yes, there are Bots monitoring the blockchain for transactions related to accounts with weak passwords.

****
Bots

A Bot in general is an automated computer program. In the case of Nxt, the bots have been programmed to find the account numbers to all accounts associated with Weak Passphrases (such as ‘Dog’, ‘12345’ and ‘opensesame’). They continuously scan the Blockchain looking for Transactions happening in these accounts. Once a Transaction is detected, the Bots then automatically log into the account and move the NXT to an account they control. This often only takes a matter of minutes from the transaction into the account and nothing can be done to retrieve the stolen NXT. It is therefore VERY IMPORTANT to use a Strong Passphrase to ensure that your NXT is not stolen. Also see Brainwallet.

****
Source: Nxt Glossary >>> https://wiki.nxtcrypto.org/wiki/Glossary


Allowing people to use weak passwords was a flaw, client's now create strong diceware passwords for users (you can still enter any password you want but there are extra steps). Sorry for you loss, I'll send you 250 NXT when I get home if no one else has done it before me, just post the address you want it to go to.

[devphp]

One simple question: If you google your password (with the quotes "" , i.e " blah blah my pass") , how many hits do you get?

It's probably a bad idea to google your password, as it would then be stored in google's database

[Eadeqa]

One simple question: If you google your password (with the quotes "" , i.e " blah blah my pass") , how many hits do you get?

It's probably a bad idea to google your password, as it would then be stored in google's database

True, but his password is already in hackers database. It's not as if it's some secret  

[Daedelus]

... (effective balance was 0 despite having NXT)...

Relating to this, your effective balance can be thought of as your forging balance. To forge, you need to wait for 1440 confirmations (roughly 1.5 days).

Until you get 1440 confirmations, effective balance remains at 0 no matter how many Nxt you have in the account. Had you just moved it when you saw this?

(I could probably check most of this on the blockchain but can't right now)

[durerus]

Can I be clear here?  Is this like a Mt. Gox that I don't have to trust with my money?  Is there anyway I could be using this service and get all my coins stolen?  Maybe not in the same way Gox stole, but maybe in a different way?  

Yes, it is happening. NxtPrivacy comes later  

NxtServices, which Multigateway forms a part, basically links you BTC and Nxt addresses together. You don't store your coins on Multigateway like you did with MTGox.

It is almost trustless at the moment based on three multigateway servers agreeing with each other before allowing the cross chain transaction. jl777 admins 2 of them and bithaus will admin the third, the idea is that each new prominent business will admin another server. jl777 originally planned 100 servers but there will be a bootstrapping phase to get up to this. You would then have to compromise them all to crack multigateway.

This is my understanding, james will probably correct me if I am out of date  

Really exciting feature. But what I don't understand is this: Who has control over the private keys of the deposit addresses when people deposit for example btc? Are they stored on each of the 3 servers? If there will be 100 servers one day, wouldn't that increase the risk of one server with all the privkeys of the deposit addresses getting hacked?

Generally, private keys are handled on the client side and don't go to the servers. But I don't know for sure, so...

I asked jl777 here:  https://nxtforum.org/nxtventures/mgw-multigateway/msg43744#msg43744

Edit: Multisig! Yes.

Great! If each server stores only one out of multiple private keys of a multisig address than the deposits are as safe as possible IMO

[qbd1313]

https://bter.com/trade/NXT_USD

Go go go!

Is this the first large NXT/USD market or are there other smaller ones?

This is the first AFAIK.

bter just needs to add OKPAY now 

OKPAY is great.

[Eadeqa]

Can I be clear here?  Is this like a Mt. Gox that I don't have to trust with my money?  Is there anyway I could be using this service and get all my coins stolen?  Maybe not in the same way Gox stole, but maybe in a different way?  

Yes, it is happening. NxtPrivacy comes later  

NxtServices, which Multigateway forms a part, basically links you BTC and Nxt addresses together. You don't store your coins on Multigateway like you did with MTGox.

It is almost trustless at the moment based on three multigateway servers agreeing with each other before allowing the cross chain transaction. jl777 admins 2 of them and bithaus will admin the third, the idea is that each new prominent business will admin another server. jl777 originally planned 100 servers but there will be a bootstrapping phase to get up to this. You would then have to compromise them all to crack multigateway.

This is my understanding, james will probably correct me if I am out of date  

Really exciting feature. But what I don't understand is this: Who has control over the private keys of the deposit addresses when people deposit for example btc? Are they stored on each of the 3 servers? If there will be 100 servers one day, wouldn't that increase the risk of one server with all the privkeys of the deposit addresses getting hacked?

EDIT: Or do they use multisig?

Yes, I think three signatures are required for it to be a valid transaction. One server itself (if hacked) can't do the transaction. I haven't followed  Multigateway thing that closely though. It's jl77 project.

[Daedelus]

jl777 discussed the way it is setup somewhere but I can find it. It went something like this (my words from memory, not his ):

"As there is no central clearing there is no spotlight continuously shining on a nice vault to attack. Instead getting into one server would be time consuming and very difficult, like looking for a penny in the desert. It you did manage to find one, it would actually be a piece of a penny with that you couldn't spend until you found the other piece(s) and these have been scattered randomly on the ocean floor".

He has set it up to make it not even worth trying to attack. Sounds like you are a better judge than me as to how successful it will be 

[Cassius]

jl777 discussed the way it is setup somewhere but I can find it. It went something like this (my words from memory, not his ):

"As there is no central clearing there is no spotlight continuously shining on a nice vault to attack. Instead getting into one server would be time consuming and very difficult, like looking for a penny in the desert. It you did manage to find one, it would actually be a piece of a penny with that you couldn't spend until you found the other piece(s) and these have been scattered randomly on the ocean floor".

He has set it up to make it not even worth trying to attack. Sounds like you are a better judge than me as to how successful it will be 

It sounds like momentum is building on the MGW. I'd like to write an article on this too. (Might borrow that quote if so.)
Question is, would that be more valuable now to trail it and maybe get some testers on board, or is it worth waiting until it's launched - when I imagine there will be more publicity anyway?
Will test the water over at the NXTForum too when I have a moment but wanted to get some initial thoughts here.

[farl4web]

I just want to attract more people to Nxt, so I started a small campaign.

Follow @Nxtgids on twitter and get 10 NXT for free

https://twitter.com/Nxtgids/status/477360863385747456


(only active accounts receive the 10 free NXT)

[Daedelus]

I'll try and find the original quote. It was better and probably more accurate, mine is paraphrased  

Testers now, lots of them  

I don't think it will need much promoting. Mention mtgox/sharexcoin etc etc can't happen and let people have one go and they will be hooked

Then, with Monetary System, people will be able to build coins (POW or POS) on top of Nxt and then not only will it be decentralised, their coin will be secured by the Nxt blockchain so even POW coins (assuming anyone is still interested in them) can't be attacked by big pools with a lot of power. Good ideas won't be killed at birth so let the good times roll  

[Cassius]

I'll try and find the original quote. It was better and probably more accurate, mine is paraphrased  

Testers now, lots of them  

I don't think it will need much promoting. Mention mtgox/sharexcoin etc etc can't happen and let people have one go and they will be hooked

Then, with Monetary System, people will be able to build coins (POW or POS) on top of Nxt and then not only will it be decentralised, their coin will be secured by the Nxt blockchain so even POW coins (assuming anyone is still interested in them) can't be attacked by big pools with a lot of power. Good ideas won't be killed at birth so let the good times roll  

Everything is uncertain and permanently in flux in crypto world (which is why, amongst other reasons, I never recommend any crypto as a good investment).
But I can't help but feel that now is a very good time to be a part of NXT and that it has an extremely bright future. Some very talented devs doing stuff no one has done before and some great people promoting it all.
Very pleased that I was invited to do some copywriting for the community 6 weeks or so back, otherwise all this would have passed me by.

[zachamo]

Ugh... Are you kidding me? Are there bots prowling the network with a boatload of password-account combinations stored watching the for transactions to known addresses or something?

I got some NXT a long time ago and kept it tucked away, but with the updated client it seems I didn't have a public key, so I sent a message.. easy enough... my balance was there, but I couldn't forge because it was unconfirmed... so I figure this has something to do with old balances being 'unconfirmed' under the updated protocol until it's seen activity.. So I flip my NXT into another account that I used in the past (tx 3603756272827733121), wait for it to confirm, and as soon as it does the NXT has moved on to an account out of my control (tx 10738856805317237622)...!!!

WTF? I sat here waiting for a confirm to flip it right back, and it vanishes before my very eyes! We're talking within 2 seconds of the first confirmation!

If the network is this compromised, how do you ever expect mainstream adoption... I've had an eye on NXT since the beginning and was really into the new look and feel, the asset exchange, etc.. My interest was building in NXT again (initially less than impressed by the distribution, but it seemed a lot of great work had gone into the protocol..) Too bad.. Nxt looked cool, but as it stands I'm out.. Not sure that this can be called a 2nd generation crypto when it's this vulnerable to theft. I'd say the target audience is even more specialized than bitcoin; the average joe can hardly remember "Password1"!

Sorry for your loss.  Can you share the password of your second account?  I also find it weird that someone compromised your account that fast.

I would rather not share my 'passphrase' or unique key or whatever you want to call it because it has elements of a common password that I use for low security purposes (i.e. one-use account on random forums). It was admittedly a meager 21 chars including dictionary words and spaces.. Much better than a laymans password but not the level of security I usually use (thus why it was a depreciated account/wallet). I haven't been in that account for about 4-5 months and was just using it to bounce my nxt to see if that would get it properly recognized (effective balance was 0 despite having NXT).

The thing that concerns me is that the transaction occurred within 2 seconds of the first confirmation.. It's not like I left nxt sitting around in an unsecure account, this was just a brief bounce to try to 'reactivate' my nxt.

The amount is irrelevant in this case - about 250 nxt (all I had), but the fact that it was so rapidly snagged is concerning to say the least.. it made me realize a major flaw for NXT and the layman.. A bot can easily collect a massive list of  account keys and related 'security phrases' via brute force (offline so it's undetected), store these, and watch the blockchain for transactions to accounts that fall within it's dictionary, then instantly log in and with bot-like speed, snipe those NXT on the first transaction...

One simple question: If you google your password (with the quotes "" , i.e " blah blah my pass") , how many hits do you get?

If it's in thousands you just as well post it here and change your other password

The thing that concerns me is that the transaction occurred within 2 seconds of the first confirmation.. It's not like I left nxt sitting around in an unsecure account, this was just a brief bounce to try to 'reactivate' my nxt.

That's because the hacker had pre calculated the hash for it as it well known password already in his database. When his computer saw the transaction to that account, it did immediate transaction in 2 seconds.

Clearly the pass phrase was in his database. Googling it provides just over 10,000 results, though most include other punctuation. Admittedly more than I expected, but at 21 chars it's still a hell of a lot better than an average joe's "password1". Again - I figured a couple minutes would be safe - more concerned about barriers to usability for the layman than the paltry sum of NXT lost. Wasn't going to take over the world with 250 NXT, it was really just to play with and get a feel for the system / participate in some way.

... (effective balance was 0 despite having NXT)...

Relating to this, your effective balance can be thought of as your forging balance. To forge, you need to wait for 1440 confirmations (roughly 1.5 days).

Until you get 1440 confirmations, effective balance remains at 0 no matter how many Nxt you have in the account. Had you just moved it when you saw this?

(I could probably check most of this on the blockchain but can't right now)

That NXT had been sitting in my wallet since 2013.

Yes, there are Bots monitoring the blockchain for transactions related to accounts with weak passwords.

****
Bots

A Bot in general is an automated computer program. In the case of Nxt, the bots have been programmed to find the account numbers to all accounts associated with Weak Passphrases (such as ‘Dog’, ‘12345’ and ‘opensesame’). They continuously scan the Blockchain looking for Transactions happening in these accounts. Once a Transaction is detected, the Bots then automatically log into the account and move the NXT to an account they control. This often only takes a matter of minutes from the transaction into the account and nothing can be done to retrieve the stolen NXT. It is therefore VERY IMPORTANT to use a Strong Passphrase to ensure that your NXT is not stolen. Also see Brainwallet.

****
Source: Nxt Glossary >>> https://wiki.nxtcrypto.org/wiki/Glossary

Allowing people to use weak passwords was a flaw, client's now create strong diceware passwords for users (you can still enter any password you want but there are extra steps). Sorry for you loss, I'll send you 250 NXT when I get home if no one else has done it before me, just post the address you want it to go to.

We're talking about a 21 char password - not 'dog' or 'opensesame', more like 'dog opensessame 12345'. I moved away from it BECAUSE it was unsecure, but figured it was secure enough for a quick bounce of NXT. Clearly a bad call on my part, didn't expect that bot exploitation was nearly that bad.

I appreciate your offer Daedelus, and will take you up on it.. Moving over to NXT-ZNL5-2A7Q-G5GJ-7K4SX.. I've always had an interest in NXT, would love to see it thrive despite my personal lack of NXT, but I see some serious barriers to broader adoption.. LOVE the asset exchange, and would love to see live web portals, though that brings a slew of new security concerns along with it.. The benefit of the passphrase is portability, but the down-side is security.. Always hard to find a balance between usability and security, and I certainly hope NXT can find that balance

Cheers
Z

[Daedelus]

ok, no problem. One last question, for curiosity Strange about the effective balance, which version of the software were you using?

I take it the blockchain was up to date to allow the transaction... I'll have to look at the transaction IDs closer later on.

[zachamo]

I just downloaded a new client last night -- the recommended client from http://www.nxtclient.org/.

Had to wait for blocks to update before I could transact.. Feel free to PM me if you need to get in touch - can provide all the TXIDs etc / any other details.. I hadn't touched that balance since 2013, so it was sent to an old numeric account, before the switch over.. I was assuming that it wasn't considered an effective balance because it had no activity prior to a fork and somehow got 'archived', so I figured bouncing it off another address would help wake it up.. Wasn't going to be generating many blocks with it, but again - my NXT balance was more an experiment for me than an investment. Again - PM me if you need to get in touch, too many threads to follow all of them closely

[CryptKeeper]

You should use 2 passwords. One that you save locally or on the cloud that has back ups and redundancies and that you dont actually memorize, and one that you do memorize and never save on any computer that touches the internet. Then simply concatenate the two passwords when entering your wallet. The first will protect you against rainbow tables (thats what got you) and the second will protect you against hackers. Its a pretty simple concept but it really should be spelled out, its certainly not peoples fault for not knowing this. Heck the client should even come with two password fields and concatenate them for people imo.

Quite clever! Reminds me of a yubikey with a static password...

The downside is that it gives no protection against keyloggers, because both parts of the password are entered one after the other into the edit control of the client. I recommend using keepass, it's free and it has anti-keylogger-functions built-in, though not perfectly safe, but better than nothing.

[Este Nuno]

What do NXT people think about NEM?

What are the advantages that NXT has over NEM?

If you were to advise someone like myself who is interested but doesn't own any alts, what would you recommend?

[CryptKeeper]

Payexpo - Thanks
...
And if you want to thank me, that would be for organising 2 conferences in 2 weeks, leading the payexpo funding, persuading Lee to stay with Nxt, redesigning the business cards, flyers and booths for both events (Vienna business cards only for me, but 3 personal for London crew); gathering both teams, some video editing and tons of media/web stuff, like press releases, their sharing (like sending it to 200 important people), providing some materials for cointropolis presentation... I am sorry for not being a big social hero prince, not self-promoting my every single step, but being an introvert geek has always some negatives, there are still worse dudes, like Simcoin guy

I highly appreciate your work, Salsa! You did such a good job, dude!

100 LOVEs to you!!! 

[msin]

What do NXT people think about NEM?

What are the advantages that NXT has over NEM?

If you were to advise someone like myself who is interested but doesn't own any alts, what would you recommend?

Nxt has been in use for over 6 months, we have several very advanced features being released the next 3 months and thousands of users.  NEM hasn't launched yet.