Robbed more than 100,000 NXT

[Brokers]

Did you recovered it back  ?

[Zer0Sum]

Jeff Garzik (Bitcoin core developer) thinks there could be a backdoor in NXT that is resulting in all these thefts.

Sorry but I'm not buying it that some brute forcer is inserting every quotation from the bible into the password generator, or that they can crack 125 character passwords consisting of gibberish.

Can you post a link to something he has written about this.

https://twitter.com/jgarzik/status/511866795582427136

Garzik Sept 16, 2014:
 
"It is telling that #NXT devs push back hard when asked to prove there are no backdoors.
That's on top of closed dev process, anon devs, ..."

"Multiple devs must publicly verify (w/ PGP) build output matches source, before release."

"Must build a system that includes checks before-the-fact, not hope & pray on 'anyone can compile'.

"Build trust with users by having non-core-devs in community also verify hashes match."

-------------------------------------------------------------------------------

Even though there have been threads on NXT Forum saying just do it, why not?
All this has been shot down by anon NXT devs led by Come-from-Beyond.

Would you password protect your $800,000 house...
Then come home to your family one day and find the house has been sold with no explanation? 

Of course not, no civilized society operates on such flimsy principles, but NXT does.

[EvilDave]

Jeff Garzik (Bitcoin core developer) thinks there could be a backdoor in NXT that is resulting in all these thefts.

Sorry but I'm not buying it that some brute forcer is inserting every quotation from the bible into the password generator, or that they can crack 125 character passwords consisting of gibberish.

Ever heard of a Rainbow Table ?
Running a RT attack using Bible quotes is a trivial operation, a few seconds work.

The 125 char gibberish will be a lot harder to crack, but not impossible.

Anyhow, if you trace the transactions, we can see that the 2 most recent NXT thefts were carried out by the same guy, and that the NXT is sitting on:
http://nxtreporting.com/?ac=NXT-WTCT-N6HZ-CCKY-4MLJF

The 104,946 transaction is from Donn, the 188650 is from:
http://nxtreporting.com/?ac=NXT-WCZN-DGQL-XM69-62L3N
https://nxtforum.org/general-discussion/help!-my-nxt-account-stolen-account-for-nxt-wczn-dgql-xm69-62l3n/msg105712/#msg105712
And this happened at the end of August.

[TinEye]

It's curious that pass phrases from hacked accounts are almost never posted, as if the victims know it's their fault they chose a weak password. Posting a pass phrase also helps confirm that the the claim is legitimate, anyone can use the pass phrase to log in to the hacked account to check whether the pass phrase really matches the account.

In Bitcoin the hacker has to steal your wallet and the passphrase to gain access. Here just the passphrase and its gone.

If you still can't see the serious lack of security then this a big problem.

[EvilDave]

Even though there have been threads on NXT Forum saying just do it, why not?
All this has been shot down by anon NXT devs led by Come-from-Beyond.

Would you password protect your $800,000 house...
Then come home to your family one day and find the house has been sold with no explanation? 

Of course not, no civilized society operates on such flimsy principles, but NXT does.

Zer0Sum: there is no back door. We have one obvious weak password (the bible line from 27/08) and one possibly weak password here.
If there was a back door, we'd see much more exploitaion, not just 3 tiny thefts and 2 medium, as we see on the thief account.
We know that RT attacks are happening constantly, and thats why we stress password security.

And that's why Account Control (including 2FA) is coming soon.

[megashira1]

Even though there have been threads on NXT Forum saying just do it, why not?
All this has been shot down by anon NXT devs led by Come-from-Beyond.

Would you password protect your $800,000 house...
Then come home to your family one day and find the house has been sold with no explanation? 

Of course not, no civilized society operates on such flimsy principles, but NXT does.

Zer0Sum: there is no back door. We have one obvious weak password (the bible line from 27/08) and one possibly weak password here.
If there was a back door, we'd see much more exploitaion, not just 3 tiny thefts and 2 medium, as we see on the thief account.
We know that RT attacks are happening constantly, and thats why we stress password security.

And that's why Account Control (including 2FA) is coming soon.

2FA? Can you link me please.

[EvilDave]

Oh, not Bible but russian constitution?  

UGOLOVNYI KODEKS, tam ishi parol.  

TBH, mate, it looks as if your password was not very good. Not as bad as the first line of the Bible, but not good enough.  
But you're the guy who's been stolen from, so I'm not going to blame you for it.

Lets keep watch on the thief account, and see where it all goes. Everything is on the blockchain, so the thief isn't going anywhere with it that we can't see.

On the 2FA:
https://nxtforum.org/general-discussion/help!-my-nxt-account-stolen-account-for-nxt-wczn-dgql-xm69-62l3n/msg105791/#msg105791

(sorry about the URL, the ! breaks it, so copy and paste...)

[donn2012]

Thank you all for your support and help. I realize that I look like a beggar, but I stole all my cryptocurrency. I made a new account, send as NXT think it is possible for my new account NXT-7FCR-N8SX-D7BB-AE7F4. Public Key 16b15ef11a7594c8777267f32af63c02b700ab5a6001ba474bc2bb21c4f4a56f
I hope to help the community.

[TheMage]

It's curious that pass phrases from hacked accounts are almost never posted, as if the victims know it's their fault they chose a weak password. Posting a pass phrase also helps confirm that the the claim is legitimate, anyone can use the pass phrase to log in to the hacked account to check whether the pass phrase really matches the account.

In Bitcoin the hacker has to steal your wallet and the passphrase to gain access. Here just the passphrase and its gone.

If you still can't see the serious lack of security then this a big problem.

At the risk of sounding newbie, is this true? O_o

[devphp]

It's curious that pass phrases from hacked accounts are almost never posted, as if the victims know it's their fault they chose a weak password. Posting a pass phrase also helps confirm that the the claim is legitimate, anyone can use the pass phrase to log in to the hacked account to check whether the pass phrase really matches the account.

In Bitcoin the hacker has to steal your wallet and the passphrase to gain access. Here just the passphrase and its gone.

If you still can't see the serious lack of security then this a big problem.

At the risk of sounding newbie, is this true? O_o

NXT default client implements a brain wallet concept, meaning the password you enter is your private key. When you need to create a new account, a pass phrase of 12 random words is suggested. If you use it, you're safe. If you choose your own pass phrase and ignore the one suggested by the software, you're on your own, you must know how to create a complex pass phrase.

A completely random pass phrase of 20-25 chars is enough, provided it's completely random. The few cases of hacks that were reported (around five cases on nxtforum.org), most were due to people using either quotations from known books or very simple pass phrases like a 3-char string multipled 10 times (adradradradradradradradradradr).

Bitcoin doesn't implement the brain wallet concept by default, but you can have brain wallets in Bitcoin too. The default option in Bitcoin is a pregenerated wallet.dat. NXT also has this third-party client developed that implements wallet.dat as a proof of concept, and in the future these clients will be created more and more since there is obviously demand (desktop clients and mobile apps). Both approaches have their pros and cons.

Brain wallet pros:
- no need to take your wallet.dat with you, can access your account from any online computer;
- trojans or people can't steal your wallet.dat, because there is no wallet.dat;

cons:
- have to choose a 20+ char completely random pass phrase (no quotations from books or any dictionary words) or better use the one suggested by the software;

[devphp]

NXT is scam, I have been warning people since forever;

Of course it is, because you say so. How else could it be

[achimsmile]

There probably is a backdoor, too many NXT coins have been stolen with No explanation as to how.


NXT is hacked.

Task of the day: Find the mistake in logical consistency.

[ShroomsKit_Disgrace]

NXT is scam, I have been warning people since forever;

Go back to your Monero cave bro! BTW, How many hours 'till monero gets destroyed? 24h? L-O-L

[juicyjuice87]

There probably is a backdoor, too many NXT coins have been stolen with No explanation as to how.



What? You want an explanation for why your backdoor gets done in by your uncle. That must be who comes-in-from behind

[TaunSew]

It's curious that pass phrases from hacked accounts are almost never posted, as if the victims know it's their fault they chose a weak password. Posting a pass phrase also helps confirm that the the claim is legitimate, anyone can use the pass phrase to log in to the hacked account to check whether the pass phrase really matches the account.

In Bitcoin the hacker has to steal your wallet and the passphrase to gain access. Here just the passphrase and its gone.

If you still can't see the serious lack of security then this a big problem.

That is where NXT and even NODE fails, imho.  I have no idea why people are doing this mandatory brain wallet stuff..  it's always going to be a bad idea in the long run.  NXT is bringing an *optional* wallet.dat but I strongly suspect being optional that it'll really just be cosmetic (people would still be able to access your brain wallet equivalent).

NEM is weeks from launch and I think that's the most secured wallet due to wallet.dat, username login and password requirement.

[TaunSew]

Aren't they different targeted audiences?  I thought the anonymity coins NXTers only care about is Boolberry or BitcoinDark.

[PL_CoinTrader]

If you really think that Nxt can be hacked pls go hack this account and make yourself a very rich man. -.-

I personally like the idea of a brain wallet really very much but in the end Nxt will have to change to a system with a local wallet.dat file because people are obviously too stupid to create save passphrase.

Btw: How many bitcoins are stolen? https://bitcointalk.org/index.php?topic=83794.0#post_toc_17
Is it bitcoins fault? No, either people are naive and sending stranger people bitcoin without escrow or they downloading so much porn on the same pc where they use the bitcoin wallet.

[ShroomsKit_Disgrace]

Thanks for your post PL_CoinTrader!

I suppose that FUD meisters as Nekomata, Come-in-Behind, darkota, Spoetnik, even Jeff Garzik! will not  hack the NXT richest account. Not because  it is impossible, but because NXT is doomed and they don't want some free million dollars coming from a POS [piece of shit] 

[ThomasVeil]

I personally like the idea of a brain wallet really very much but in the end Nxt will have to change to a system with a local wallet.dat file because people are obviously too stupid to create save passphrase.

And I think any security that relies on that people can keep a file hidden on their harddrive is bound to fail too.
Consider that someone can steal your bitcoin wallet even in 20 years ... in many cases even some old file you left somewhere. And if you felt safe to use an easy password, then it will be broken in no time.

NXT's system is bad for short term PR, but better in the long term. Just wait for the day when some hacker sweeps all google-drives for wallet.dat's - that will be one big splash of hundreds of thousands of coins stolen.
If it's really just about 3 public cases where likely it was a brute force attack, then it doesn't seem a bad payoff. Time will tell.

[TaunSew]

I personally like the idea of a brain wallet really very much but in the end Nxt will have to change to a system with a local wallet.dat file because people are obviously too stupid to create save passphrase.

And I think any security that relies on that people can keep a file hidden on their harddrive is bound to fail too.
Consider that someone can steal your bitcoin wallet even in 20 years ... in many cases even some old file you left somewhere. And if you felt safe to use an easy password, then it will be broken in no time.

NXT's system is bad for short term PR, but better in the long term. Just wait for the day when some hacker sweeps all google-drives for wallet.dat's - that will be one big splash of hundreds of thousands of coins stolen.
If it's really just about 3 public cases where likely it was a brute force attack, then it doesn't seem a bad payoff. Time will tell.

Yeah but this starting to be slippery.  Keeping all your money under your mattress or in a trash bag is bound to fail too.  This is why in the long run crypto currencies, ironically, will probably result in crypto banks and these crypto banks will probably engage in fractional reserve banking (ironically we create these cryptos but end up back at square 1)