[ANN][BURST] Burst | Efficient HDD Mining | New 1.2.3 Fork block 92000

[bloodDiamond]

My password is a random string of numbers and letters, caps and no caps, 30 symbols long. So weak password is not an issue.

It's unlikely that the password was bruteforced, but I think 30 symbols doesn't provide maximum security.
Please correct me if I'm wrong: 256 bits are used in the hash, that's 32 bytes. But we aren't using the full 0-255 character range in passwords, so they should be much much longer. 26 (a-z) + 26 (A-Z) + 10 (numbers) = only 62 chars subset is used for passwords. Using words instead of random letters raises bruteforcing chances even more. The passwords need to be 4.2 times longer: at least 134 symbols!

You're on the right track, but your math is not quite right. If you choose a password from a set of 62 characters, then each character is providing 5.95 bits of entropy (ln(62) / ln(2)). So, if you want to achieve 256 bits of entropy, your password should be at least 43 characters long.

i have'nt looked into the code on how the pk is used to sign transactions but i think it is ecdh based.
doing a google search for the included java code from nxt to do the signing brought up a site stating the sign function is not as secure as the original code where it was ported from to java. this is because java uses different size integers and a c big int variable has only the maximum size of an unsigned int in java (https://gist.github.com/doctorevil/9521116).
someone with java knowledge maybe can verify that the described flaw applies or hopefully does'nt apply to the code in src/java/nxt/crypto/Curve25519.java file or finds out this whole function is only included due to forking reasons.

this in combination with the wallet which offers 12 words OUT OF 1626 by default (html/ui/js/crypto/passphrasegenerator.js) makes it in my opinion attackable.
within an bruteforce attack this is less than 11 bit for each word which sums up to about 105 bits of combinations.
if the ecdh implementation shows the mentioned flaw it cuts internal 256 bit variables at 64 bit.
without further analysis this provides a option to bruteforce wallet generated keys by software designed to utilize this flaw by testing less than 32 bit of combinations. i am no crypto specialist and if someone with knowledge about all this could take a look into it would be great. i think as long as someone uses custom generated private keys even if the flaw exists in the code the required energy to break 105 bits is much more than what you get for the coins in the wallets. on the other hand it may be possible to bruteforce all known wallet addresses in one run without much more costs...

i currently do not understand why someone did'nt empty the whole account and only took 40k.
i dont want to make people panic sell and drive the price down but if you hold a certain amount of coins within one wallet think about all this if you used the wallet to generate your private key.

The signing issue isn't due to integer size differences, but due to java's lack of unsigned integer types. The proposed patch on the page you linked has been applied to the Curve25519.java file, so this hasn't been an issue for quite a while.

Regarding the passphrase generator, I don't know where the cut-off would be for considering it bruteforceable, however 105 bits does seem very low compared to what you would get from the recommended 35+ characters alphanumeric with symbols.

I think you're looking at the wrong account. Stacy's account had all 9.8k transfered, however they didn't continue to transfer new coins that came in from mining.

+1

nice to read this answer who clear up any possible doubt!!!

[Nevril]

Update v1.0.3

Burst Long Term Price Support project
(BLTPS)

Changelog
v1.0.3 - 06/nov/2014
Given the possibility to send a PM also on BitcoinTalk, check "How to Participate - Phase 1" for the correct link
Postponed the end of Phase 1 by one day, given the downtime experienced by Burstforum

Remember that Phase 1 ends in three days! Make sure you give at least a look at this project!

I've also made a complete backup of the entire thread and received PMs, just in case burstforum.com goes down again, so your information are safe

[crowetic]

I tried joining the http://burst-pool.cryptoport.io/ and I set the recipient, but there is no confirmations, there is only a "/" displayed at the end! If I understand correctly I am supposed to get 4 confirmations before I can join the pool?

come join us at http://burst.ga


on a side note... I just got the pool back to the original backup server, installed with VMWare ESXi for expandability and awesomeness. I may also try to route a completely different backup connection for internet to it as well, we'll see. But we are doing well now on this server.

Within a couple days I will be purchasing and setting up the new main server which will be hosted at a data center. Then re-implementing the failover (possibly in a different way, we shall see. Hopefully to avoid the miners ever having to change IP addresses.)

I will continue to keep everyone updated on the status and progress of the pool. Thank you all for your continued support.

Also know that we have quite a few ideas in the works that will be coming out within the next month, stay tuned!

[Blago]

I tried joining the http://burst-pool.cryptoport.io/ and I set the recipient, but there is no confirmations, there is only a "/" displayed at the end! If I understand correctly I am supposed to get 4 confirmations before I can join the pool?

yes. and change URL to pool.burstcoin.io (port 80)    [burst-pool.cryptoport.io - it's old address]

[cad_cdn]

any idea how to search a transaction from 6 weeks ago? The current wallet doesn't seem to go back that far. Block explorer also, not that far back.

[callmejack]

any idea how to search a transaction from 6 weeks ago? The current wallet doesn't seem to go back that far. Block explorer also, not that far back.

you can use the account api function.
replace 127.0.0.1 with your walltet ip if it differs and enter your account (BURST-XXX.... or numeric) in the "getAccountTransactions" section.
http://127.0.0.1:8125/test?requestTag=ACCOUNTS

this should return all transactions as json into the output area.
to retrieve it directly as json you can use this as url (replace XXX with your account): http://127.0.0.1:8125/burst?requestType=getAccountTransactions&account=XXX

this is a json response and therefore not readable like the transaction list in the wallet ui but it contains all data the wallets blockchain supplies.

[cad_cdn]

thx!
any way to filter? or just see payments sent for Sept 23?
(my poloniex is locked, I need TXid to unlock)

any idea how to search a transaction from 6 weeks ago? The current wallet doesn't seem to go back that far. Block explorer also, not that far back.

you can use the account api function.
replace 127.0.0.1 with your walltet ip if it differs and enter your account (BURST-XXX.... or numeric) in the "getAccountTransactions" section.
http://127.0.0.1:8125/test?requestTag=ACCOUNTS

this should return all transactions as json into the output area.
to retrieve it directly as json you can use this as url (replace XXX with your account): http://127.0.0.1:8125/burst?requestType=getAccountTransactions&account=XXX

this is a json response and therefore not readable like the transaction list in the wallet ui but it contains all data the wallets blockchain supplies.

[ltcnim]

http://pool3.burstcoin.io down? at least it's not responding :/

[callmejack]

you can only limit by the timestamp which expresses seconds passed since the genesis block.
if you use a timestamp around 3600000 the last entries in the list should be around the Sept 23.
to get it more precisely you have to find out the exact date of the genesis block and then convert the days which have passed since then into seconds.
i have'nt worked on my mysql based blockchain backend for a while now cause i wanted to wait for the latest updates. if i would have it ready i could simply look it up 

thx!
any way to filter? or just see payments sent for Sept 23?
(my poloniex is locked, I need TXid to unlock)

any idea how to search a transaction from 6 weeks ago? The current wallet doesn't seem to go back that far. Block explorer also, not that far back.

you can use the account api function.
replace 127.0.0.1 with your walltet ip if it differs and enter your account (BURST-XXX.... or numeric) in the "getAccountTransactions" section.
http://127.0.0.1:8125/test?requestTag=ACCOUNTS

this should return all transactions as json into the output area.
to retrieve it directly as json you can use this as url (replace XXX with your account): http://127.0.0.1:8125/burst?requestType=getAccountTransactions&account=XXX

this is a json response and therefore not readable like the transaction list in the wallet ui but it contains all data the wallets blockchain supplies.

[cad_cdn]

thx for help

you can only limit by the timestamp which expresses seconds passed since the genesis block.
if you use a timestamp around 3600000 the last entries in the list should be around the Sept 23.
to get it more precisely you have to find out the exact date of the genesis block and then convert the days which have passed since then into seconds.
i have'nt worked on my mysql based blockchain copy for a while now. if i would have it ready i could simply look it up 

thx!
any way to filter? or just see payments sent for Sept 23?
(my poloniex is locked, I need TXid to unlock)

any idea how to search a transaction from 6 weeks ago? The current wallet doesn't seem to go back that far. Block explorer also, not that far back.

you can use the account api function.
replace 127.0.0.1 with your walltet ip if it differs and enter your account (BURST-XXX.... or numeric) in the "getAccountTransactions" section.
http://127.0.0.1:8125/test?requestTag=ACCOUNTS

this should return all transactions as json into the output area.
to retrieve it directly as json you can use this as url (replace XXX with your account): http://127.0.0.1:8125/burst?requestType=getAccountTransactions&account=XXX

this is a json response and therefore not readable like the transaction list in the wallet ui but it contains all data the wallets blockchain supplies.

[uray]

http://pool3.burstcoin.io down? at least it's not responding :/

looking good here, which one is not responding, ur miner or pool website?

[stacey2911]

My password is a random string of numbers and letters, caps and no caps, 30 symbols long. So weak password is not an issue.

By random, do you mean randomly machine generated, or chosen manually by you?

OS is Windows 8.1, so it stores the password in an unencrypted text file :/

https://www.virustotal.com/en/file/d3992c3d8be28d99b4f58b17a1d7eccbb04ba18e6471bcc3321a82b8011e0475/analysis/1413153796/

Either a false positive or  a very obscure trojan. After initial scam, this is hard to swallow and keep faith. Any insight into why this has shown up Dev?

no threat found on my end. false positive, its common with windows-qt and that particular antivirus


its scanned with 53 virus protectors and only 1/53 come up with a false positive

Alright, just thought I would check, have recently had some malware problems on the machine that hosts my wallets.

It looks like you have recently had security issues.  What steps have you taken to mitigate them?

I've been working hand in hand with a few experts over at Malwarebytes to clean my machine out, which ended in a clean reinstall because I didn't trust a "dirty" machine. So no previous malware should be infecting my machine anymore.

[uray]

http://pool3.burstcoin.io down? at least it's not responding :/

looking good here, which one is not responding, ur miner or pool website?

i think i see something weird going on here on the blockchain

[Billyboy402]

i think there is a hacker that is stealing ppl burst coin

BURST-FRNC-8G44-FNQP-AEQFS

not my wallet but now my account is empty

Full Hash:   a3ef1a22011c2f4c4dec7422d84c3cb6a73c03f991642c49c0aac159ac0e8711
Confirmations:   734
Signature Hash:   db82653bca0f90868b8e8e277c82f98c68e1c46a2590a854001e2667048627e4
Amount NQT:   15'075 BURST
ec_block_height:   30549
Block:   1723633751819466101
Recipient RS:   BURST-FRNC-8G44-FNQP-AEQFS
Type:   0
Fee NQT:   1 BURST
Recipient:   10103487335684824714
Version:   1
Sender:   You
Timestamp:   7419262
ec_block_id:   13420289258326036281
Height:   30562
Subtype:   0
Sender Public Key:   e53096f42bedc9434fa311fec0f008e4a749a79fa7a53c149f1f6f14f426174e
Deadline:   1440
Block Timestamp:   7419271
Sender RS:   You
signature:   5c783709d6d12bbb8689051d62e56a5cb08814f0db1b26847b22b04ffbe9de00ee3a2379d2a00d0 f87bdfe70ebd4273b91b398e5a5316b0446586f04782306b1

[Billyboy402]

i think there is a hacker that is stealing ppl burst coin

BURST-FRNC-8G44-FNQP-AEQFS

not my wallet but now my account is empty

can you change ur wallet password or not

[mmmaybe]

i think there is a hacker that is stealing ppl burst coin

BURST-FRNC-8G44-FNQP-AEQFS

not my wallet but now my account is empty

can you change ur wallet password or not

No, your password is your private key connected to your specific account.

You can of course make a new account with a stronger password tho.

[Billyboy402]

BURST-68JV-2EAW-WDRB-FKZ4Y
 is the new hacker adress hast a few burst in there now

[Billyboy402]

i think there is a hacker that is stealing ppl burst coin

BURST-FRNC-8G44-FNQP-AEQFS

not my wallet but now my account is empty

can you change ur wallet password or not

No, your password is your private key connected to your specific account.

You can of course make a new account with a stronger password tho.

how do you make it with ur own password , and not the one they give you ?

[majere]

i think there is a hacker that is stealing ppl burst coin

BURST-FRNC-8G44-FNQP-AEQFS

not my wallet but now my account is empty

can you change ur wallet password or not

Googled it up and this account was already active on Aug 26. Could be a trojan in one of the first third-party binaries.
Which software were you using?

No, password cannot be changed. You'll have to create a new wallet and replot.

[majere]

how do you make it with ur own password , and not the one they give you ?

There's a link at the bottom of page, or simply specify that you're returning user and enter another passphrase.
Do not use these pre-generated words.