Bitcoin Forum
Topic: Nxt Coins stolen/ Hacked be warned
Brangdon
September 29, 2014, 01:38:40 PM
 #41

Here you have these pro-devs and uber-geeks...
SCOLDING you that to use NXT you must become an amateur cryptologist...
He doesn't have to become an amateur cryptologist - quite the reverse. We discourage that. What he needed to do was use the password the default client provided. That would have been 12 words, with over 128 bits of entropy. It's because he chose to use his own password that he needs to know how to make a strong one. His refusal to say what his password actually was makes it impossible to say whether he did that. He is refusing because he's used similar passwords, with many of the same words, elsewhere. That too is a weakness. We discourage amateur cryptology because they so often get it wrong.

Sort of sad that one has to generate some crazy password in order to secure an account.
You don't. Just use the password the default client generates for you.

Quote
Cause it seems to me NXT gets a lot of stolen NXT reports and would point to a fundamental problem with NXT.
The problem isn't fundamental; it'd be easy to fix in the client. I'd rather it used a wallet.dat, same as Bitcoin. Some Nxt clients do. The downside is that if you lose the wallet.dat file, you lose access to your coins; and that has happened to people. Swings and roundabouts. It would help if the client didn't allow users to pick their own passwords at all. (I also think the client should ask for the account code, and only ask for the password when they actually make a transaction.)

Bitcoin: 1BrangfWu2YGJ8W6xNM7u66K4YNj2mie3t Nxt: NXT-XZQ9-GRW7-7STD-ES4DB
e-coinomist
September 29, 2014, 04:44:29 PM
 #42

If that isn't secure enough then what is?

Here are a few examples of strong passphrases, these are impossible to bruteforce:

  • u4xJU7F#E>?MZ6z{g&MrX9ePu6)yKPEcd4]8^)FJzJ28q^4Cwc
  • Wm3&F,y;pFQm4GRc26Pr4tM,[4mW>Kr=$4c4X*M4BT+JtVQ2zx
  • }ZL4.yph}.g4AUHPFp}n9$4H9W43EqLXN#8W6=j,4r]uWeVAaQ
  • H8+D/rqrA&?cK3xw82KoWC^Z#=ptjvTaqML968TA,43B&>dQF8
  • }FczoDRt*wmGJ8QL7>47BNqZ{a4c,>BQ>9VG9*p;62RH3bLaB&

Please use KeePass or 1Password to generate secure passwords like the above or use the password generator built-in the wallet. I'm using passwords like these, generated by 1Password, and I've never had issues. Again sorry for your loss mate, I know that sucks.

If they rip off those types of customers first who are "at their own fault due to weakness in passphrasing" then it gives you longer security using some like the above,

... before they empty your wallet, too.

Highly likely that there's something fishy here.
Viper1
September 29, 2014, 07:35:34 PM
Last edit: September 29, 2014, 08:26:48 PM by Viper1
 #43

Here you have these pro-devs and uber-geeks...
SCOLDING you that to use NXT you must become an amateur cryptologist...
He doesn't have to become an amateur cryptologist - quite the reverse. We discourage that. What he needed to do was use the password the default client provided. That would have been 12 words, with over 128 bits of entropy. It's because he chose to use his own password that he needs to know how to make a strong one. His refusal to say what his password actually was makes it impossible to say whether he did that. He is refusing because he's used similar passwords, with many of the same words, elsewhere. That too is a weakness. We discourage amateur cryptology because they so often get it wrong.

Sort of sad that one has to generate some crazy password in order to secure an account.
You don't. Just use the password the default client generates for you.

Quote
Cause it seems to me NXT gets a lot of stolen NXT reports and would point to a fundamental problem with NXT.
The problem isn't fundamental; it'd be easy to fix in the client. I'd rather it used a wallet.dat, same as Bitcoin. Some Nxt clients do. The downside is that if you lose the wallet.dat file, you lose access to your coins; and that has happened to people. Swings and roundabouts. It would help if the client didn't allow users to pick their own passwords at all. (I also think the client should ask for the account code, and only ask for the password when they actually make a transaction.)

Well actually, it is a fundamental problem. It doesn't matter what password anyone generates. If you receive NXT and have not sent any out, a hacker doesn't even have to know your exact password to steal them. All they have to do is have a pregenerated key (based on some alternate password) that matches your account number (part of the issue here is that this is only 64 bits long instead of 128+ like other coins) and they can steal them. That's why NXT implemented that "hack" to put your public key into the blockchain once you do your first send of coins, and that makes it so a hacker then needs your full password to get access to your account.

In other words, in order to secure your account, you have to first generate a strong password, receive some NXT and then send some out. Only then is your account going to be truly "secure".

There are people on the nxt forum right now trying to generate keys to get access to accounts that have NXT sitting in them but have never had any outputs. https://nxtforum.org/general-discussion/darknxt-up-for-grabs-first-come-first-serve!/

People should educate themselves before they start saying it's someone's fault for not having a strong password.

BTC: 1F8yJqgjeFyX1SX6KJmqYtHiHXJA89ENNT
LTC: LYAEPQeDDM7Y4jbUH2AwhBmkzThAGecNBV
DOGE: DSUsCCdt98PcNgUkFHLDFdQXmPrQBEqXu9
Nullu
September 29, 2014, 08:20:52 PM
 #44

Nullu, no one is blaming anyone really, it is merely a warning to people wanting to invest in Nxt. If they see it as a trustworthy coin then they must use a 3rd party random character generating app. Simple as that, and if they don't they could well lose all their coin.

It's possible that the dictionary the NXT wallet uses is a bit too small, or that the wallet is using crude pseudo-random number generation to determine the password, but if that were the case, I'd expect this to be a widespread problem.

BTC - 14kYyhhWZwSJFHAjNTtyhRVSu157nE92gF
Brangdon
October 05, 2014, 02:44:16 PM
 #45

In other words, in order to secure your account, you have to first generate a strong password, receive some NXT and then send some out. Only then is your account going to be truly "secure".
That used to be true, but isn't any more. Nowadays the transaction that sends NXT to a new account also attaches a 256-bit public key. If someone else got there first, the transaction fails and the funds aren't lost. If the transaction succeeds, then you need to break the 256-bit cryptography to steal the funds.

Whether this core change was necessary is a moot point. I don't think it was a real-world danger. Breaking 64 bits is possible, but hard, and I don't believe there's any evidence anyone has actually done it to hack a Nxt account. It's certainly not what happened to the original poster. Check the transactions, e.g. here. You'll notice there were outgoing transactions before the funds got taken. So this theft was not due to the issue you describe. It was due to the password being compromised, almost certainly because it was too weak.

Bitcoin: 1BrangfWu2YGJ8W6xNM7u66K4YNj2mie3t Nxt: NXT-XZQ9-GRW7-7STD-ES4DB
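
The key-binding rule discussed in posts #43 and #45 above, as an added Python model that is not part of the thread and is not Nxt's code. Assumptions: the account number is a truncated SHA-256 of the public key, public keys are opaque byte strings, signature checks are omitted, and the `Ledger` class and all names are hypothetical. The demo uses 1-byte account numbers so that two keys sharing a number exist in the toy; the thread's account numbers are 64 bits.

```python
import hashlib


def account_id(public_key: bytes, id_bytes: int = 8) -> int:
    """Account number = truncated SHA-256 of the public key (assumed derivation)."""
    return int.from_bytes(hashlib.sha256(public_key).digest()[:id_bytes], "little")


class Ledger:
    """Hypothetical ledger: balances plus the one public key bound to each account."""

    def __init__(self, id_bytes: int = 8):
        self.id_bytes = id_bytes
        self.balance = {}
        self.bound_key = {}

    def _bind(self, acct: int, public_key: bytes) -> bool:
        # The key must map to the account and must not conflict with an earlier binding.
        if account_id(public_key, self.id_bytes) != acct:
            return False
        return self.bound_key.setdefault(acct, public_key) == public_key

    def send_to(self, acct: int, amount: int, recipient_key: bytes = None) -> bool:
        # With recipient_key the sender announces the recipient's key in the same
        # transaction; a conflicting binding makes the whole transaction fail.
        if recipient_key is not None and not self._bind(acct, recipient_key):
            return False
        self.balance[acct] = self.balance.get(acct, 0) + amount
        return True

    def spend(self, public_key: bytes, amount: int) -> bool:
        # Signature verification is omitted: the caller is assumed to hold the
        # private key for public_key. The first successful spend binds the key.
        acct = account_id(public_key, self.id_bytes)
        if self.balance.get(acct, 0) < amount or not self._bind(acct, public_key):
            return False
        self.balance[acct] -= amount
        return True


def toy_second_key(key: bytes, id_bytes: int) -> bytes:
    """Another key with the same account number. Only allowed for toy sizes."""
    if id_bytes > 1:
        raise ValueError("demo helper is limited to 1-byte ids")
    n = 0
    while True:
        cand = b"constructed-key-%d" % n
        if cand != key and account_id(cand, id_bytes) == account_id(key, id_bytes):
            return cand
        n += 1


def run_scenarios() -> dict:
    owner = b"constructed-owner-key"      # constructed sample value
    other = toy_second_key(owner, 1)      # different key, same 1-byte account number
    acct = account_id(owner, 1)

    old = Ledger(1)                       # funded without a key announcement
    old.send_to(acct, 100)
    legacy = (old.spend(other, 50), old.spend(owner, 50))

    new = Ledger(1)                       # key announced by the funding transaction
    new.send_to(acct, 100, recipient_key=owner)
    announced = (new.spend(other, 50), new.spend(owner, 50))

    taken = Ledger(1)                     # account number already bound to another key
    taken.send_to(acct, 10, recipient_key=other)
    late = (taken.send_to(acct, 100, recipient_key=owner), taken.balance[acct])

    return {"legacy": legacy, "announced": announced, "late": late}


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(name, result)
```

In the `legacy` case the first key to spend wins the account; in the `announced` case only the key attached by the funding transaction can spend; in the `late` case the funding transaction is rejected and nothing is credited.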
EvilDave
October 05, 2014, 04:41:22 PM
 #46

A good password/passphrase is pretty much unbreakable, the only quick way to get thru a good password is to sniff it with a keylogger, brute force and rainbow table attacks simply take too damn long. (Like, until the Sun explodes sort of timescale).

A bad password (cat, comeasyouare, showmethemoney, 1234567890!@#$%^&*(), TheLordIsMySaviour) will be broken almost immediately. This is not only an important point for NXT security, but for all crypto. We have seen the rise of wallet.dat stealing malware:

http://www.forbes.com/sites/andygreenberg/2014/02/26/nearly-150-breeds-of-bitcoin-stealing-malware-in-the-wild-researchers-say/
http://resources.infosecinstitute.com/how-to-profit-illegally-from-bitcoin-cybercrime-and-much-more/

This means that if your wallet.dat is protected by a bad/no password, once it's stolen/copied from your PC, your funds are gone.
If you protect the file with a strong password, the thief may have your wallet, but cannot access it. And you may not even notice that your wallet has been lifted.

Don't forget, btw, that crypto addresses are forever, so make sure that you don't leave old copies of your wallet.dat lying around.
If a thief finds an old wallet from 5 years ago, with no encryption, he can access any funds that are currently on the addresses contained within that wallet, even if the current version of the wallet is password-protected.

Nulli Dei, nulli Reges, solum NXT
Love your money: www.nxt.org  www.ardorplatform.org
www.nxter.org  www.nxtfoundation.org
bluemeanie1
October 05, 2014, 05:27:02 PM
 #47

Just want to note here briefly the NXT project has been embroiled in scandals lately and possibly even a lawsuit.

I had recently contacted New York Department of Financial Services regarding them. I've made a number of submissions to this site recently regarding them.

Just who IS bluemeanie?    On NXTautoDAC and a Million Stolen NXT

feel like your voice isn't being heard? PM me.   |   stole 1M NXT?
Come-from-Beyond
October 05, 2014, 05:32:57 PM
 #48

Just want to note here briefly the NXT project has been embroiled in scandals lately and possibly even a lawsuit.

I had recently contacted New York Department of Financial Services regarding them. I've made a number of submissions to this site recently regarding them.

Could you tell when you contacted them, please? The date should be enough. Thank you.

PS: Don't forget to send your lawyer contact info to come-from-beyond@mail.ru, less than 24 of 72 hours left.
SZZT
October 05, 2014, 06:15:39 PM
 #49

Just want to note here briefly the NXT project has been embroiled in scandals lately and possibly even a lawsuit.

I had recently contacted New York Department of Financial Services regarding them. I've made a number of submissions to this site recently regarding them.
Just want to note here briefly the NXT project and jl777 have been embroiled in scandals lately and possibly even a lawsuit.

I had recently contacted New York Department of Financial Services regarding them. I've made a number of submissions to this site recently regarding them.

Also the cryptocurrency promoter Edward DeLeon Hickman was outed as a shareholder in SuperNet.

People, don't forget moneroman88 = bluemeanie1 = Joshua zeidner


The moneroman88 persona has been used extensively for FUD circulation and posting.
Joshua is a well known scammer and thief, now turned to a self appointed crusader to "end all crypto"

oops



One thing I want to point out quickly regarding the chance that jl777 is pulling some sort of scam(I posted something similar in another thread):

The superNET funds are going to be held in distributed escrow. And it's actually worked out right now, due to the quickness of the launch that James currently holds a very large amount of NXT. And this amount of money is currently more than he's ever likely to hold again during the course of the project.

Complete bullshit, jl777 has now collected over 27000000 NXT (that's 2100 BTC or over 1 MILLION US DOLLARS) from selling the shady TOKEN assets in his NXT account to that only he, I repeat, ONLY HE HIMSELF has access.

http://www.nxtreporting.com/?ac=NXT-MRBN-8DFH-PFMK-A4DBM

He has this amount and can run away at any given time, unexpectedly and suddenly. Don't dare to state fairytales. He said his aim is 10000 BTC so don't expect him to run away before that date (I don't). *Mark my words*, once 10k BTC is full jl777 is going to be *vanished*. You SuperNET cult members will all cry like little babies then mourning for your losses that will never come back because the smart one took it. Do people ever learn? Do they ever learn? It's horrendous...

So many NxT people trust jl777, but ask yourself why?

They do trust jl777 and Nxt because that's what Nxt is all about - *draining money of poor investors for their own financial benefit*. That's the very core essence of the SuperNET and jl777 admitted this several times on his own. It is very shady for sure and the scale of this hoax is remarkable. jL777 undoubtedly is a very smart fellow, my respect for the intellectual part of it. But morally totally and entirely unacceptable by any possible measure.



It amazes me to understand how people can make up a conclusion about something when they haven't even taken the time to research what an escrow is. He can't run away with all the BTC because he doesn't have them.

This is like saying that the Ethereum people would run away with the BTC they got even though they didn't use an escrow. I think people behind those projects really have more inside their brain than to steal people's Bitcoins.

Complete bullshit, the scammer jl777 has over 27000000 NXT (that's 2100 BTC or 1 MILLION US DOLLARS) from selling those TOKEN assets in his NXT account to that only he, I repeat, ONLY HE HIMSELF has access.

http://www.nxtreporting.com/?ac=NXT-MRBN-8DFH-PFMK-A4DBM

He has this amount and can run away at anytime. He said his aim is 10000 BTC so don't expect him to run away before that date. Mark my words, once 10k BTC is full jl777 is going to be vanished. You guys will all cry like little babies then mourning for your losses that will never come back because the smart one took it. People never learn. If you don't believe then you'll have to feel, it was your brainless decision after all.

Burn in hell with all ur moronic threads

~CfA~

You're just a NXT-shill, I don't even take you serious. All you really are is a piece of shit supporting the NXT AE scams pull-off promoted by jl777.


MONEROMAN, OP OF jl777 asset scammer EXPOSED . . . buy XMR instead (real future):

good summary:
jl777 seems to be a really smart thief. Stealing from his investor of all assets he hold.
I am glad I am on the "good" side. The only thing rpietila is pumping is Monero, nothing else from what I can tell by any of his post. He is not advocating any other altcoin, while this jl777 have 50 different pumps going on probably where he hold everything. It's like he built 50 castles of promises, while rpietila have 1 castle promoting financial privacy.

How easy it is to make money once you have a reputation. jl777 is going to take over the world (at least he thinks) by having people buy all his crap assets. Compare BTCD, is it even working? Is the tech good? Are many people actively working on it? By my study, by going to check out the IRC channels I see nothing happening in #bitcoindark, around 21 people here, while there is 100+ in #monero-dev including core bitcoin developers.

The reason why Bitcoin Core developers are in #monero-dev and not #bitcoindark or #darkcoin? You should be able to read between my lines, but I will tell you right here, it is probably because the anonymity tech provided is really good.

Now with so many people believing in this crazy baseless hype - don't lose sight of the real crypto future: Monero

Don't lose your hard earned money with this JLH crap guys. Monero doesn't need this jl777 asset scamming scheme. Monero already is by far the number one, technology-wise, community-wise, best coin hands down number one above all / except the price that's gonna follow gradually. If you want a lot of money (you probably do) and become a millionaire along the line (you probably want that) buy Monero while it is cheap as fuck. It's hands down the best possible coin, even Bitcoin is nothing against Monero. We have real privacy and real developers, world adoption imminent. All other altcoins are scams at their best and just outright ridiculously crappy. Needless to say if you invest in other coins you will lose your invested money whereas you will be rich buying Monero. This is the very law of success.

Everyone can become multimillionaire with Monero, I'd argue 1-2 BTC investment is enough to become millionaire through XMR. And the best about it is that you won't have to convert to FIAT because it will be accepted all over the world within 5 years. Yes you read that right, even your mother will use it. No matter where, Monero will be all around the world payable via NFC.

Don't put your faith in JL777's asset scamming through NXT, buy in a real coin a real community the real future instead and be on the safe side.

holy smack I LUV Bryce Weiner, he's a fucking fat moron but he sure as fuck puts the right badass message across. SuperNET is a scam by known scammer jl777... who fucking cares about if explanation is right or not. scam is scam I don't care how Bryce Weiner argues as long as the result is the right one:  jl777 is a scammer and superNET is a NXT insider scam profiting on you guys endless greed. Bryce Weiner thanks again for your fucking efforts you filthy son of a bitch Smiley

Again, and again, gals you got scammed hard and harder by JL, my condolences. Here's the cold truth and reality about JL777: https://bitcointalk.org/index.php?topic=781323.msg8807178#msg8807178



Return the stolen funds joshua
http://cointelegraph.com/news/112643/the-mystery-of-the-missing-1000000-nxt


1HceYnNAUv5zBjJUhEncmmvxU1C7yjWoX8
CryptoCarmen
October 05, 2014, 08:38:37 PM
 #50

Did this guy get his 2 BTC back?
TinEye
October 05, 2014, 09:02:25 PM
 #51

Instead of fighting can you all go back to fixing it? My wallet has been sitting for hours and not downloading the blockchain.



Nullu
October 05, 2014, 09:45:24 PM
 #52

The plot thickens indeed. I'll have to go over recent developments.

BTC - 14kYyhhWZwSJFHAjNTtyhRVSu157nE92gF
gravitate (OP)
October 06, 2014, 09:16:30 AM
 #53

Well I know I haven't got my Bitcoin back yet

To peel or not to peel.
Daedelus
October 06, 2014, 10:39:44 AM
 #54

Have you posted your passphrase? The bits have seen you have shown to be quite evasive.


The constant barrage of Nxt FUD in this nest of vipers (good description btw) on BitcoinTrashTalk makes me wary. I'm tempted to take the hard line and point out that, AFAIK, you haven't proven beyond doubt that you actually have used this account yet... you can do this by posting the passphrase and showing you have access...


If you have done that, I will apologise for doubting you and Eadeqa, Brangdon, devphp et al can take it from there.


gravitate (OP)
October 06, 2014, 10:46:58 AM
 #55

Hi. The problem is, even though my pass phrase is a mixture between Chinese pinyin and English and I haven't used it anywhere else, I still don't want to post it as some of it I have used in encryption. Never entered it online, just offline, and it was only like 60% the same.

If someone does find my funds I will disclose it to that individual to prove who I am.

To peel or not to peel.
Daedelus
October 06, 2014, 10:52:04 AM
 #56

Please post your passphrase.

Have you done this? https://nxtforum.org/general/have-i-been-hacked/msg101195/#msg101195

This is circular and won't be resolved until you post your passphrase, one way or the other. I could pick any zero balance abandoned account with outgoing transactions and say that it was my money that was in there and I have been hacked. But without proving ownership first, why should anyone believe me?

Posting your passphrase means that I don't have to trust you, the facts speak for themselves.
gravitate (OP)
October 06, 2014, 11:39:58 AM
 #57

Daedelus, I can easily prove it was me as I stated questions about buying nxt coins and posted my account ID at the same time publicly on the nxt forum. Now if you think I chose a random account and fabricated all of this over a period of 2 months for the sake of 'potentially' getting 2 bitcoins then it's just not going to happen. Sorry but I am not posting it. If you want me to track down the thread from the nxt forum I can, which confirms I have ownership over the account.

To peel or not to peel.
Daedelus
October 06, 2014, 11:41:55 AM
 #58

If you want me to track down the thread from the nxt forum I can which confirms I have ownership over the account

Please do. But doesn't the signature update all posts and not just the ones post the change? This may not be the proof you hope it is. Posting your passphrase would stop all speculation.

My offer of apology still stands.
gravitate (OP)
October 06, 2014, 11:53:28 AM
 #59

no it was actually in the post written by someone else not me... I will find it tonight

To peel or not to peel.
Daedelus
October 06, 2014, 12:40:06 PM
Last edit: October 06, 2014, 01:16:36 PM by Daedelus
 #60

no it was actually in the post written by someone else not me... I will find it tonight

Don't worry, I found it. Apologies for doubting you, you are in control of the account.


That still doesn't explain what happened and posting your passphrase would allow us to eliminate that possibility. If you refuse to do this, I don't think it is fair to say things like:

Quote
1000usd flushed down the toilet from no fault of my own
It is the security of the coins ' brain wallet'  that I question.
I got hacked after being scammed
If you want to call me a liar by not posting MY pass phrase to cover up security issues with nxt then carry on please.

And especially:
Quote
The fact is I was hacked and no body has said there is a problem with the pass phrase

You might have been angry and frustrated but the reason for ^this^ is that nobody else knows the passphrase. Until we do, nobody can comment and it will remain a probable case of weak passphrase as that is the most probable cause.



You say that your password is random to "any normal person". Would it be random to someone translating different combinations of pinyin and English dictionaries into well known phrases/literature/ordinary sentence at 'x' million attempts a second?

I don't know any pinyin but for all I know, the sample password you posted "tim cum sim prawn gin yuk bim rarl per tip pop from" could translate to "I cum in prawn salad dressing d!ck is where I pop from". And you just change the subject "prawn salad dressing" for each use. A bad example but you get the idea. To re-cap, no full sentences in mixed languages used?