NXT :: descendant of Bitcoin - Updated Information

[PaulyC]

How could we implement email confirmation for sending of NXT?

A service provider watching the blockchain could do this easily.

This should be implemented...it would remove the possibility all together of Nxt being stolen...would also be another advantage for Nxt

Can we go back in time and implement this like 2 hours ago!? yes!

[wesleyh]

1. I've decided to join forces with ferment (owner of 22k.io), as it's import to cooperate on one of the best features of Nxt and not confuse users with multiple extensions and what not.

Alright! I think we can go really fast this way. The clock is ticking!

2. Now, there is a bit of a difference between my extensions and what 22k.io currently has. I would like some community input on which approach is best.

- 22k.io extensions are "thin clients".

- My extensions are "thick clients".

Which approach is technically best? I don't know. Perhaps a combination of the two could also be done; if the alias is a simple URI or email address, the client handles it, otherwise it's sent to 22k.io which can then show account info, etc...

I think a hybrid model would be good. Like an option where one could choose "public nxt nodes" or "22k.io" as the source of info. So there will naturally be a trade off on trust vs features.

Thick clients (extensions, native apps, mobile apps with code) are more of a long term investment for the community as they require significant overhead of multiple codebases, releases, distribution, etc.

Thin clients will allow us to test the functionality and progress rapidly.

Both are necessary.

3. We also have to be careful about security. Especially when it comes to aliases that refer to an account.

If a node is compromised, it could return the attacker's ID instead of the real account ID. This could result in stolen coins if you send to that ID.

That's why it's perhaps better to connect to multiple nodes (3 or more, from different geographical ares) and ask all of them for the alias info, and only if all of them return the same information show the user the result. We also have to make sure that 22k.io is not compromised.

A valid point that supports the hybrid thin/thick model. Sensitive information should be handled in the thick client (or javascript in browser). One idea is the thick client could handle "verification" of 22k.io by providing a function to check localhost and public nodes (but not nxtbase nodes!).

4. I think it's best if this entire project would be handled as a community effort, with some kind of official sanctioning so that users know they can trust the extension/website.

I'll respectfully disagree on this point. NXT market adoption doesn't have time to wait this. My strategy is to build cool stuff and address trust issues as they arise. Sanctioning is implicit in adoption.

All code, both client side (browser extensions), as well as server side, should also be available for peer review, open-source and hosted on github. I haven't yet got word back from ferment on this.

I'm all for client stuff being open source. However, I would prefer to keep the "special sauce" closed and then open source libraries based on the work. I'm still trying to figure out how to make the NXTs off this work. If the community wants to invest, then open sourcing everything is certainly an option I'd consider. I have a 5 person dev/ops team at my disposal, but I can't pull them off paying gigs without revenue generation.

If we follow a model where security related things are always handled on the client side, then this shouldn't be an issue. If we follow a "trust, but verify" approach, the need for open sourcing as test of trustworthiness is not required (besides, I could run different code and not tell anyone).

5. We also need some kind of agreement on the json syntax and other new features.

My strategy is to just start defining stuff and implementing. If someone doesn't like the format, they're free to implement it differently.  History has shown that adoption is the best form of "agreement". Let the market decide.

So, would I propose, is that we start publishing an API and spec for 22k.io as we implement support for advanced alias features and other things.

Exciting stuff!

Cool, I'll start working soon on some proof of concept hybrid browser extension for you to review before I port it over to the other browsers.

Regarding your other remarks, these are valid. We'll keep the server-side source closed for now unless there is a major investment of some kind.

[landomata]

Regarding your other remarks, these are valid. We'll keep the server-side source closed for now unless there is a major investment of some kind.

Would you guys be interested in wrapping the server side source up in some form of NxtAlias Company....you could pitch the idea and see if the market would want to invest.

We do need a prototype for an IPO on the Nxt Asset Exchange....anyhow something to think about.

[rickyjames]

Hello Nxters

Welcome to the FINAL LOGO RUN OFF!


https://nextcoin.org/index.php/topic,1927.0.html

Hash

Bump.  This is ONLY OPEN 24 HOURS and is a TOTALLY NEW logo vote for JUST AMONG THE FINAL TWO.  Vote now!

[PGPpfKkx]

email service provided watching the blockchain.. this is very centralized

[utopianfuture]

email service provided watching the blockchain.. this is very centralized

One company is centralized but many companies providing similar services and competing against each other. That process is decentralization. You still needs one person taking initiatives and responsibility. Decentralization is different from collectivism.

[wesleyh]

Regarding your other remarks, these are valid. We'll keep the server-side source closed for now unless there is a major investment of some kind.

Would you guys be interested in wrapping the server side source up in some form of NxtAlias Company....you could pitch the idea and see if the market would want to invest.

We do need a prototype for an IPO on the Nxt Asset Exchange....anyhow something to think about.

Can you explain this concept in a bit more detail or is there a link to read up on this?

[PGPpfKkx]

email service provided watching the blockchain.. this is very centralized

One company is centralized but many companies providing similar services and competing against each other. That process is decentralization. You still needs one person taking initiatives and responsibility. Decentralization is different from collectivism.

it is centralized in a sense that if two or three companies exist and it is required to use them to send a transaction, then it breaks the whole concept. no need to worry about 90% attacks then , you can have 3 people break it.

[utopianfuture]

email service provided watching the blockchain.. this is very centralized

One company is centralized but many companies providing similar services and competing against each other. That process is decentralization. You still needs one person taking initiatives and responsibility. Decentralization is different from collectivism.

it is centralized in a sense that if two or three companies exist and it is required to use them to send a transaction, then it breaks the whole concept. no need to worry about 90% attacks then , you can have 3 people break it.

You can't have an economy unless individuals taking initiative. But why restricted in 2-3 companies. These are peripheral services, you are not required to use them and if they don't do a good jobs, then others will and replace them .

[ferment]

How could we implement email confirmation for sending of NXT?

A service provider watching the blockchain could do this easily.

This should be implemented...it would remove the possibility all together of Nxt being stolen...would also be another advantage for Nxt

Oh, I misunderstood what you were asking. I was thinking about notifying after you got robbed.

Nxt behaves just like bitcoin in this respect.

[landomata]

Regarding your other remarks, these are valid. We'll keep the server-side source closed for now unless there is a major investment of some kind.

Would you guys be interested in wrapping the server side source up in some form of NxtAlias Company....you could pitch the idea and see if the market would want to invest.

We do need a prototype for an IPO on the Nxt Asset Exchange....anyhow something to think about.

Can you explain this concept in a bit more detail or is there a link to read up on this?

We'll clarify the concept over the coming weeks...also Nxt Asset Exchange has to be launch first....I'm hoping before end of January.....will keep you updated.


EDIT:
Dear James

Do you have any suggestions regarding this Alias Initiative?

[Come-from-Beyond]

How could we implement email confirmation for sending of NXT?

Tell me WHO will send this email.

How long would google authenticator support take to implement?

The same issue as with email confirmation - it's impossible.

[brooklynbtc]

Regarding your other remarks, these are valid. We'll keep the server-side source closed for now unless there is a major investment of some kind.

Would you guys be interested in wrapping the server side source up in some form of NxtAlias Company....you could pitch the idea and see if the market would want to invest.

We do need a prototype for an IPO on the Nxt Asset Exchange....anyhow something to think about.

Can you explain this concept in a bit more detail or is there a link to read up on this?

We'll clarify the concept over the coming weeks...also Nxt Asset Exchange has to be launch first....I'm hoping before end of January.....will keep you updated.


EDIT:
Dear James

Do you have any suggestions regarding this Alias Initiative?

Wesley, Ferment and Landomata, I want to put my voice in as an investor. I think you guys are doing great stuff.

[landomata]

Wesley, Ferment and Landomata, I want to put my voice in as an investor. I think you guys are doing great stuff.

How do you think this Alias company thing could work?

[coolfish]

How could we implement email confirmation for sending of NXT?

Tell me WHO will send this email.

How long would google authenticator support take to implement?

The same issue as with email confirmation - it's impossible.

Adding a secondary password?

[salsacz]

just wanted to add. this is found for the recipient's address in google cached view of the NXT blockchain.
16204974692852323982

not that it will help me get my NXT back I'm sure..
real lame, how my PW was cracked is beyond me.. really.

http://webcache.googleusercontent.com/search?q=cache:xOs0TPi1UPcJ:87.230.14.1/nxt/nxt.cgi%3Faction%3D3000%26acc%3D3727742886551973110+&cd=2&hl=en&ct=clnk&gl=us

if it's a thief, then there are more thefts:
http://22k.io/-account/16204974692852323982

[Come-from-Beyond]

Adding a secondary password?

1 password is enough, just make it stronger.

[landomata]

Adding a secondary password?

1 password is enough, just make it stronger.

Just a password to send....The function can be optional.

[chanc3r]

How could we implement email confirmation for sending of NXT?

Tell me WHO will send this email.

How long would google authenticator support take to implement?

The same issue as with email confirmation - it's impossible.

Can we add a second password inside NXT?

An account should be able to submit a transaction to store / update a secondary password - Fee 1 NXT
If this transaction exists - the nodes don't confirm the transaction unless a node logged with the sending account has re-authenticated the transaction with this secondary password.

[rickyjames]

Well. Thought for sure it couldn't happen to me. but just had all of NXT stolen out of my account. yey..

Complete NIGHTMARE!  

It's a nightmare I have often.  

I am terrified of keystroke loggers.  The more widespread NXT becomes, the more keystroke loggers are going to be deployed to steal it.  That's a fact.

I am only running my main NXT account on an old XP laptop that I sanitized by doing a zero bit overwrite of the hard drive and reinstalling the OS from a Dell reinstall disk followed by the minimal add-ons like Java etc being brought over on a CD instead of via online downloads.   This laptop is now used for NXT and that's it.  I'm working on creating a second identical sanitized laptop as a backup.  I have a hidden and uncommented local handwritten copy of my random password generated offline on the laptop using Awesome Password Generator 1.4 from Google (you know, the guys that are secretly partnered with the NSA) and another handwritten copy in my bank vault safe deposit box.  

I still worry.

I understand that the user space is unimaginably huge at something like (I think I remember seeing) 10^70 - but still.  One lucky hit by somebody else miskeying their own password under the current scheme, and it's all over for you.  That's a fact, too, mitigated only by just how much luck the thief would need to have.  I've got a degree in math and I understand probability and it still doesn't do much to calm the reptilian fear in my brain.

Is there a separate white paper PDF someplace that goes over in detail from scratch / first principles the entire NXT security scheme and just the security scheme?  If not, there needs to be.  We are going to have to point specifically to that information over and over and over as more and more people come to risk larger and larger sums that the security scheme is adequate - particularly when single colored coins are made that could be worth millions of regular NXT.

So, bottom line, I think we need a security whitepaper PDF and a link to it.