|
ruletheworld
Legendary
Offline
Activity: 1400
Merit: 1045
|
 |
January 26, 2018, 06:59:30 PM |
|
700k coins will do that to you. I really believe/believed in this one and all this is rather depressing. I’m of the belief that reputation/marketing are of huge importance and this just doesn’t help.
Pah. It's a rite of passage. And note that Lon Wong's statements took the time to emphasize the on chain security features that Coincheck pointedly failed to use.

Question is whether those features would deter any hack. Also I didn’t realize a fork was happening for catapult... speaking of which is catapult ever happening? Thanks

Of course those features would have reduced the probability of a hack. There is nothing called perfect security. However, what Coincheck was using was quite bad indeed. Two of the very basic security practices that every single exchange should use for every single crypto that they handle are:
- Multi-sig wallets: If one key is compromised, the attacker cannot steal all the funds
- Cold Storage: Majority of the funds need to be stored on a device that has never been connected to the internet

Then, the exchange needs to create processes around these basic security requirements. For example, how many key holders exist in the multi-sig wallet? Where do they store their keys? How do they communicate if they believe they are compromised, and what steps does everyone else take if this happens? Where are the cold storage keys located? Who authorizes transfer of funds from cold storage to hot wallet? How often can this happen? You get the point. If you're running an exchange without Multi-sig and Cold Storage, then you're at fault. This hack isn't a problem with NEM. It is a problem with the exchange practices. The NEM foundation has offered to help, but there is only so much they can do in this situation.

One would think this exchange has been around long enough to have learned from other exchange hacks to know how important these security steps are. The more reason to use some of the exchanges that are actively communicating how much effort they put into security.

I am shocked they've been operating since 2012 apparently. That's 5+ years of bad security. Unbelievable. I am afraid all the newbies would think somehow this means 'NEM got hacked'. Seriously, people need to do some homework here.
|
|
|
|
gentlemand
Legendary
Offline
Activity: 2604
Merit: 3088
Welt Am Draht
|
 |
January 26, 2018, 07:02:55 PM |
|
|
|
|
|
fragout
Legendary
Offline
Activity: 1280
Merit: 1020
|
 |
January 26, 2018, 07:05:07 PM |
|
Update::: Inside Nem twitter
1/ @coincheckjp hack update: NEM is creating an automated tagging system that will be ready in 24-48 hours. This automated system will follow the money and tag any account that receives tainted money. NEM has already shown exchanges how to check if an account has been tagged.
What happens if he sends tainted Nem to the community fund or such though?
2/ So the good news is that the money that was hacked via exchanges can't leave. So please share this info. The largest hack in history was solved for by NEM in a matter of hours. That is the power of the NEM platform and NEM team.
In other words 523 million Nem burned.. unless they catch the hacker and somehow get the funds back. Perhaps a bounty deal will be done? who knows
|
|
|
|
ruletheworld
Legendary
Offline
Activity: 1400
Merit: 1045
|
 |
January 26, 2018, 07:11:24 PM Merited by iCEBREAKER (2) |
|
Automated tagging doesn't work. All the attacker needs to do is send some NEM to all the richlist addresses. Please be careful trying to implement something like this. There is a reason cryptos need fungibility. The NEM/Coincheck teams need to try and get in touch with the hacker and see if they can negotiate something. The attacker will find it hard to sell out with the exchanges closing/blocking transfers.
|
|
|
|
jnet1.co
|
 |
January 26, 2018, 07:18:59 PM |
|
NEM is one of the few coins which will be adapted in real life for buying and selling. Things could go faster but I still prefer solid and stable progress.
|
|
|
|
xeman34
Newbie
Offline
Activity: 21
Merit: 0
|
 |
January 26, 2018, 07:20:20 PM |
|
sorry dudes this is fucked up, hope none of you are affected by this.
Reports suggest that 526 million NEM (XEM) ($400 million) was stolen in the alleged Coincheck hack. Wong told media outlets that it was a single account that siphoned the funds, adding that NEM is not forking and that its technology is “intact.” He called it: “The biggest theft in the history of the world.”
It isn't the first time that one of the "Nem Team" hacked an exchange.
|
|
|
|
iCEBREAKER
Legendary
Offline
Activity: 2156
Merit: 1072
Crypto is the separation of Power and State.
|
 |
January 26, 2018, 07:29:32 PM |
|
The largest hack in history was solved for by NEM in a matter of hours. That is the power of the NEM platform and NEM team.
What a novel use of the word "solved." I wonder if the people who lost their coins feel this is an appropriate usage of the term. Nice spin job though. Lots of self-congratulation and hype to distract from the fact that NEM is not fungible (can't even do coinjoin-style mixing hacks?) and centrally controlled. This fiasco (and especially the response) demonstrates exactly why I wouldn't even touch this dog shit coin with a pooper-scooper and clothespin on my nose to keep the stench out.

Automated tagging doesn't work. All the attacker needs to do is send some NEM to all the richlist addresses. Please be careful trying to implement something like this
There is a reason cryptos need fungibility.
LMFAO. Stupid mondkinder derps get #REKT. Learn to crypto you greedy noobs.
|
Monero
|
| "The difference between bad and well-developed digital cash will determine whether we have a dictatorship or a real democracy." David Chaum 1996 "Fungibility provides privacy as a side effect." Adam Back 2014
|
| | |
|
|
|
thorRJ
|
 |
January 26, 2018, 07:47:40 PM |
|
NEM is one of the few coins which will be adapted in real life for buying and selling. Things could go faster but I still prefer solid and stable progress.
Could you tell me why XEM will be adapted to our daily lives? I do not follow this project and I would like to invest in it, but why such an affirmation?
|
OI
|
|
|
|
jkoil
|
 |
January 26, 2018, 08:12:28 PM |
|
Update::: Inside Nem twitter
1/ @coincheckjp hack update: NEM is creating an automated tagging system that will be ready in 24-48 hours. This automated system will follow the money and tag any account that receives tainted money. NEM has already shown exchanges how to check if an account has been tagged.
What happens if he sends tainted Nem to the community fund or such though?
2/ So the good news is that the money that was hacked via exchanges can't leave. So please share this info. The largest hack in history was solved for by NEM in a matter of hours. That is the power of the NEM platform and NEM team.
In other words 523 million Nem burned.. unless they catch the hacker and somehow get the funds back. Perhaps a bounty deal will be done? who knows
Perhaps ... wasn't there also some kind of deal, when NXTs were stolen from one person's account in 2014 or 2015 ? When reading the comments and web sites (coincheck has been operating since 2012, Coincheck provides Two-Factor Authentication and Cold Storage), cannot avoid a thought, whether it was an "accident" or not.
|
|
|
|
jkoil
|
 |
January 26, 2018, 08:22:48 PM |
|
The largest hack in history was solved for by NEM in a matter of hours. That is the power of the NEM platform and NEM team.
What a novel use of the word "solved." I wonder if the people who lost their coins feel this is an appropriate usage of the term. Nice spin job though. Lots of self-congratulation and hype to distract from the fact that NEM is not fungible (can't even do coinjoin-style mixing hacks?) and centrally controlled. This fiasco ...

sounds like an old school comment

Wasn't the cause of the hack a) Coincheck did not use multi-sig and not use real cold storage or b) Coincheck had an internal issue. Either of those is not depending on NEM system. Right?
|
|
|
|
ruletheworld
Legendary
Offline
Activity: 1400
Merit: 1045
|
 |
January 26, 2018, 08:23:04 PM |
|
Automated tagging doesn't work. All the attacker needs to do is send some NEM to all the richlist addresses. Please be careful trying to implement something like this. There is a reason cryptos need fungibility. The NEM/Coincheck teams need to try and get in touch with the hacker and see if they can negotiate something. The attacker will find it hard to sell out with the exchanges closing/blocking transfers.

of course the tracking algorithm should notice the amount of XEMs. There are millions to be tracked; so no use to track 10 - 100 XEMs.

The amount doesn't matter mate. You cannot really 'taint' certain coins without a more systemic risk. The attacker has 500 million XEM. That's a lot. Here's some math for you.
1000 XEM to the top 500 richlist = 500,000 XEM spent.
Total the attacker has = 500,000,000 XEM
% used for this purpose = 500,000/500,000,000*100% = 0.1%
So with just 0.1% of the hacked funds, the top 500 richlist can become 'tainted'. If you automate this, it can be worse, since it will end up tagging most legitimate addresses and therefore make the original tagging useless.
|
|
|
|
jkoil
|
 |
January 26, 2018, 08:41:52 PM |
|
Automated tagging doesn't work. All the attacker needs to do is send some NEM to all the richlist addresses. Please be careful trying to implement something like this. There is a reason cryptos need fungibility. The NEM/Coincheck teams need to try and get in touch with the hacker and see if they can negotiate something. The attacker will find it hard to sell out with the exchanges closing/blocking transfers.

of course the tracking algorithm should notice the amount of XEMs. There are millions to be tracked; so no use to track 10 - 100 XEMs.

The amount doesn't matter mate. You cannot really 'taint' certain coins without a more systemic risk. The attacker has 500 million XEM. That's a lot. Here's some math for you.
1000 XEM to the top 500 richlist = 500,000 XEM spent.
Total the attacker has = 500,000,000 XEM
% used for this purpose = 500,000/500,000,000*100% = 0.1%
So with just 0.1% of the hacked funds, the top 500 richlist can become 'tainted'. If you automate this, it can be worse, since it will end up tagging most legitimate addresses and therefore make the original tagging useless.

How many transactions are made in a day? Isn't it possible to track the paths, to where the 500M is split? And so keep the track of which accounts have the most of the 500M. What are the reasons, why you see the problem so big that it cannot be broken?
|
|
|
|
abaumgar
Jr. Member
Offline
Activity: 58
Merit: 2
|
 |
January 26, 2018, 08:54:34 PM |
|
Automated tagging doesn't work. All the attacker needs to do is send some NEM to all the richlist addresses. Please be careful trying to implement something like this. There is a reason cryptos need fungibility. The NEM/Coincheck teams need to try and get in touch with the hacker and see if they can negotiate something. The attacker will find it hard to sell out with the exchanges closing/blocking transfers.

of course the tracking algorithm should notice the amount of XEMs. There are millions to be tracked; so no use to track 10 - 100 XEMs.

The amount doesn't matter mate. You cannot really 'taint' certain coins without a more systemic risk. The attacker has 500 million XEM. That's a lot. Here's some math for you.
1000 XEM to the top 500 richlist = 500,000 XEM spent.
Total the attacker has = 500,000,000 XEM
% used for this purpose = 500,000/500,000,000*100% = 0.1%
So with just 0.1% of the hacked funds, the top 500 richlist can become 'tainted'. If you automate this, it can be worse, since it will end up tagging most legitimate addresses and therefore make the original tagging useless.

How many transactions are made in a day? Isn't it possible to track the paths, to where the 500M is split? And so keep the track of which accounts have the most of the 500M. What are the reasons, why you see the problem so big that it cannot be broken?

What is the most of the 500M? The attacker can split the account in uneven pieces and sell the smaller pieces. He could also hold an account with coins that are not tagged (clean coins) and send dirty coins to this account in order to do coin laundry. I do not see how this can work. It will be a mess.
|
|
|
|
ruletheworld
Legendary
Offline
Activity: 1400
Merit: 1045
|
 |
January 26, 2018, 09:04:03 PM |
|
Automated tagging doesn't work. All the attacker needs to do is send some NEM to all the richlist addresses. Please be careful trying to implement something like this. There is a reason cryptos need fungibility. The NEM/Coincheck teams need to try and get in touch with the hacker and see if they can negotiate something. The attacker will find it hard to sell out with the exchanges closing/blocking transfers.

of course the tracking algorithm should notice the amount of XEMs. There are millions to be tracked; so no use to track 10 - 100 XEMs.

The amount doesn't matter mate. You cannot really 'taint' certain coins without a more systemic risk. The attacker has 500 million XEM. That's a lot. Here's some math for you.
1000 XEM to the top 500 richlist = 500,000 XEM spent.
Total the attacker has = 500,000,000 XEM
% used for this purpose = 500,000/500,000,000*100% = 0.1%
So with just 0.1% of the hacked funds, the top 500 richlist can become 'tainted'. If you automate this, it can be worse, since it will end up tagging most legitimate addresses and therefore make the original tagging useless.

How many transactions are made in a day? Isn't it possible to track the paths, to where the 500M is split? And so keep the track of which accounts have the most of the 500M. What are the reasons, why you see the problem so big that it cannot be broken?

Because the attacker can create 100,000 new addresses. Send 5,000 XEM to each address, but also send 5,000 XEM to each of the top 100 addresses. Now which accounts have most of the 500MM XEM?
|
|
|
|
jkoil
|
 |
January 26, 2018, 09:06:35 PM |
|
Automated tagging doesn't work. All the attacker needs to do is send some NEM to all the richlist addresses. Please be careful trying to implement something like this. There is a reason cryptos need fungibility. The NEM/Coincheck teams need to try and get in touch with the hacker and see if they can negotiate something. The attacker will find it hard to sell out with the exchanges closing/blocking transfers.

of course the tracking algorithm should notice the amount of XEMs. There are millions to be tracked; so no use to track 10 - 100 XEMs.

The amount doesn't matter mate. You cannot really 'taint' certain coins without a more systemic risk. The attacker has 500 million XEM. That's a lot. Here's some math for you.
1000 XEM to the top 500 richlist = 500,000 XEM spent.
Total the attacker has = 500,000,000 XEM
% used for this purpose = 500,000/500,000,000*100% = 0.1%
So with just 0.1% of the hacked funds, the top 500 richlist can become 'tainted'. If you automate this, it can be worse, since it will end up tagging most legitimate addresses and therefore make the original tagging useless.

How many transactions are made in a day? Isn't it possible to track the paths, to where the 500M is split? And so keep the track of which accounts have the most of the 500M. What are the reasons, why you see the problem so big that it cannot be broken?

What is the most of the 500M? The attacker can split the account in uneven pieces and sell the smaller pieces. He could also hold an account with coins that are not tagged (clean coins) and send dirty coins to this account in order to do coin laundry. I do not see how this can work. It will be a mess.

most of the 500M is e.g. 450M. If he sends some XEMs (10000 XEM) to an account of clean coins (90 000 XEM), then it is so that after that the account is "dirty". Right? It has 10% dirty coins.

well, maybe I'm too optimistic, but somehow I do trust the Devs and because have also seen complex sw projects to be implemented, I think that this tracking sw is not impossible. It may need good co-operation between biggest exchanges, but I wish that it would not be the unbeatable issue.
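
The two tagging models argued over in the posts above, as an added example that is not part of any post in this thread and is not NEM's tagging system: binary tagging (any account that receives from a tagged account is tagged) next to proportional tracking (the tainted fraction of each balance). The account names, the 5,000,000 XEM rich-list balance and the 50% threshold are constructed assumptions; the 1,000 XEM, 5,000 XEM, 10,000 XEM and 90,000 XEM amounts come from the posts.

```python
from fractions import Fraction

def replay(initial, thief, transfers):
    """Replay transfers in order and return (poisoned, share).

    poisoned -- binary tagging: every account that received from a tagged account
    share    -- proportional tracking: tainted fraction of each final balance
    """
    balance = {acct: Fraction(v) for acct, v in initial.items()}
    dirty = {acct: Fraction(0) for acct in balance}
    dirty[thief] = balance[thief]            # the thief's whole balance is stolen
    poisoned = {thief}
    for src, dst, amount in transfers:
        amount = Fraction(amount)
        if amount <= 0 or balance.get(src, 0) < amount:
            raise ValueError(f"invalid transfer {src}->{dst} of {amount}")
        # Each transfer carries taint pro rata to the sender's current mix.
        moved_dirty = amount * dirty[src] / balance[src]
        balance[src] -= amount
        dirty[src] -= moved_dirty
        balance[dst] = balance.get(dst, Fraction(0)) + amount
        dirty[dst] = dirty.get(dst, Fraction(0)) + moved_dirty
        if src in poisoned:
            poisoned.add(dst)
    share = {a: (dirty[a] / balance[a] if balance[a] else Fraction(0))
             for a in balance}
    return poisoned, share

def build_scenario(rich_accounts=500, rich_balance=5_000_000):
    """Constructed ledger: 500M XEM stolen, 500 rich-list accounts, one small holder."""
    initial = {"thief": 500_000_000, "holder": 90_000}
    initial.update({f"rich_{i}": rich_balance for i in range(rich_accounts)})
    # 1,000 XEM to every rich-list account (the 0.1% calculation in the thread)
    transfers = [("thief", f"rich_{i}", 1_000) for i in range(rich_accounts)]
    transfers.append(("thief", "holder", 10_000))   # 10,000 into 90,000 clean
    transfers.append(("thief", "fresh_0", 5_000))   # newly created address
    return initial, transfers

def flagged(share, threshold):
    """Accounts an exchange would block under a tainted-fraction threshold."""
    return {acct for acct, s in share.items() if s >= threshold}

if __name__ == "__main__":
    initial, transfers = build_scenario()
    poisoned, share = replay(initial, "thief", transfers)
    print("binary tagging flags:", len(poisoned), "accounts")
    print("rich_0 tainted share:", float(share["rich_0"]))
    print("holder tainted share:", float(share["holder"]))
    print(">=50% tainted:", sorted(flagged(share, Fraction(1, 2))))
```

Under binary tagging every rich-list account ends up flagged, while proportional tracking leaves them far below the threshold and still flags the fresh address; the threshold itself remains a policy decision made outside the ledger, which is the fungibility objection raised in the thread.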
|
|
|
|
iCEBREAKER
Legendary
Offline
Activity: 2156
Merit: 1072
Crypto is the separation of Power and State.
|
 |
January 26, 2018, 09:19:36 PM |
|
The largest hack in history was solved for by NEM in a matter of hours. That is the power of the NEM platform and NEM team.
What a novel use of the word "solved." I wonder if the people who lost their coins feel this is an appropriate usage of the term. Nice spin job though. Lots of self-congratulation and hype to distract from the fact that NEM is not fungible (can't even do coinjoin-style mixing hacks?) and centrally controlled. This fiasco (and especially the response) demonstrates exactly why I wouldn't even touch this dog shit coin with a pooper-scooper and clothespin on my nose to keep the stench out.

sounds like an old school comment

Wasn't the cause of the hack a) Coincheck did not use multi-sig and not use real cold storage or b) Coincheck had an internal issue. Either of those is not depending on NEM system. Right?

We don't know whether the so-called hack was
a. an inside job by a Coincheck worker
b. an inside job by a NEM dev (hidden exploit in the code)
c. Coincheck incompetence (didn't use cold storage, multi-sig, etc.)
d. Spectre/Meltdown/Rowhammer attack by a state-level TLA adversary
or a combination of two, three, or all four.

We may never know, as happened with MtGox. But that's all just a hand-waving distraction from the point of my post. The real issue here is the incompetent, dishonest, misleading, and 100% self-serving response of the NEM devs. The NEM system depends on the competency and honesty of the NEM devs. Right?

The Official NEM response is to tout this fiasco as some kind of great victory for NEM because they wrote a Tattletale Bot that narcs on Bad Coins, as if that "solved" the many issues created.

That approach does not in reality solve anything because the attacker may simply choose to taint the NEM rich list to whatever extent they require to moot the issue of taint. That approach also emphasizes NEM is centralized and possession/utility of NEM coins is de facto arbitrarily decided by a NEM Central Committee composed of NEM Core and NEM exchange bosses. That is not how a fungible currency works. That is not how a permissionless system works.
The response and fake solution of NEM Core is crafted to appease greedy low-information moonchildren who don't understand these issues and induce them to simply buy back their bags of this centralized, non-fungible shitcoin.
|
|
|
|
jkoil
|
 |
January 26, 2018, 09:21:37 PM |
|
Automated tagging doesn't work. All the attacker needs to do is send some NEM to all the richlist addresses. Please be careful trying to implement something like this. There is a reason cryptos need fungibility. The NEM/Coincheck teams need to try and get in touch with the hacker and see if they can negotiate something. The attacker will find it hard to sell out with the exchanges closing/blocking transfers.

of course the tracking algorithm should notice the amount of XEMs. There are millions to be tracked; so no use to track 10 - 100 XEMs.

The amount doesn't matter mate. You cannot really 'taint' certain coins without a more systemic risk. The attacker has 500 million XEM. That's a lot. Here's some math for you.
1000 XEM to the top 500 richlist = 500,000 XEM spent.
Total the attacker has = 500,000,000 XEM
% used for this purpose = 500,000/500,000,000*100% = 0.1%
So with just 0.1% of the hacked funds, the top 500 richlist can become 'tainted'. If you automate this, it can be worse, since it will end up tagging most legitimate addresses and therefore make the original tagging useless.

How many transactions are made in a day? Isn't it possible to track the paths, to where the 500M is split? And so keep the track of which accounts have the most of the 500M. What are the reasons, why you see the problem so big that it cannot be broken?

Because the attacker can create 100,000 new addresses. Send 5,000 XEM to each address, but also send 5,000 XEM to each of the top 100 addresses. Now which accounts have most of the 500MM XEM?

yea, I was guessing that ... Those 100 000 accounts do decrease the usefulness of the tagging/mosaics. Maybe the tracking cannot be a plain automate, or it must have some intelligence in it. How fast those 100 000 transactions can be done? Possibly not so fast that the "genius plan" is not noticed by the Trackers (software + humans)?
|
|
|
|
LiteMag
Member

Offline
Activity: 79
Merit: 10
|
 |
January 26, 2018, 09:36:20 PM |
|
Why is there such a rich list? Why was it created?
|
|
|
|
|