NXT :: descendant of Bitcoin - Updated Information

[rickyjames]

[quote rickyjames=msin link=topic=345619.msg4255905#msg4255905 date=1388594564]
  We have to do more that just say, "Well, if you used a strong password, it wasn't hacked by brute force".
[/quote]

Yeah, these posts are just trolls, if you have a 35 character random password, you are not getting hacked.
[/quote]

If I say it again, do I start an infinite loop here?

I agree they probably didn't get brute force hacked - but it's theoretically possible.  Maybe somebody else hit the powerball jackpot - that's theoretically possible, however unlikely, too.  Keystroke loggers and Trojans are sure as hell possible.

Having an option to tell the world an account is locked for withdrawals, period, until further notice via a second one-use password, addresses these problems.  This option will address a public fear.  Calming public worries about NXT is good.  Let's do it.

[brooklynbtc]

I want to tell the world to never accept a withdrawal from my NXT account.  To do this I click a button on my client and go to a special page.  I pay a NXT fee and the page generates two numbers, a public key and a private key.  I attach the public key to a colored coin.  THis is my announcement to the world to lock my account...

This can be done with existing functionality.
Just create new account, send coins to it and never use this account until NXT costs $500.
This is absolutely the same scheme as yours. And it's free

That's basically what I did. Create an account with very strong pass (even a 160 bit pass is enough). Name it saving and transfer all your fund there. Never put the password online again.
Nothing can break this account unless they can break down the whole NXT network.

This kills NxT if people can't forge in a secure way. If no-one wants to forge because system is not secure enough (like having cold wallets) this is wtf.

Exactly. Just transferred everything back to Dgex. Forging is done for me. If I can be hacked because of some security hole that Nxt cannot plug (key-loggers, for instance) than, though it's not Nxt's fault, it will hurt adoption and participation. I'm done participating. Just going to sit on the remaining investment and cash out when it reaches a decent price. But I won't be using this system.

Going to be sick now. Or punch someone.

hey Sparta_cuss

MUCH LARGER chance dgex will be hacked. It is not a bank. You are choosing to trust other people with your money. Make a new account, write it in PEN ON PAPER and run anti keylogging software.
Move you next to the new account, send a few coins to your old account to play with. Put the piece of paper in a safe. Save for later.

[ImmortAlex]

attempts to unlock the account for withdrawals are publically seen on the blockchain and can be monitored

Okey, let's narrow the problem.
What do you mean when speak "unlock the account for withdrawal"?

[opticalcarrier]

can someone asnwer why sometimes ann account forges 2 consecutive blocks??  This happens more frequently that I would think it should

[brooklynbtc]

alright dude. sell us your coins and you are free to go

happy new year.

[bitcool]

Is the OPEN source code still scheduled to be opened on January 3rd?

To qualify as a descendant of Bitcoin, these principles need to be adhered to:  
  Open sourced
  Decentralized
  Fair

No amount of greed should overcome these criteria, IMHO.

[laowai80]

then it will not have widespread adoption.

Probably not until banks start bailing-in their depositors around the world (all mechanisms and laws are already in place for that). But that's equally true for bitcoin and other cryptos.

[ImmortAlex]

it will not have widespread adoption.

It is not differ from Bitcoin in sense of public/private keys, transaction authorisation and so on.

[ImmortAlex]

can someone asnwer why sometimes ann account forges 2 consecutive blocks??  This happens more frequently that I would think it should

This is accounts with very big stake, so they have a lot of chances to forge.

[utopianfuture]

As a public key on a colored coin?

Your account number is public key already. You're constantly trying to create unnecessary entities.
Want to "freeze" some coins with some new private key? Just create new account with this key, trasfer coins to it, and then use this key only when you need to spend this coins.

The problem is that the "lucky gold strike" loophole for somebody else to hit this new account when miskeying their own password exists just like it exists for the old one.  Psychologically to the public this is always going to be perceived as a flaw because they don't understand how unlikely it is.  You haven't increased security one iota, you have only created a different winning lottery number.  

Publically announcing to the world not to accept withdrawals from an account closes this loophole.  That will make a huge psychological difference to the public.  And I am telling you, for NXT to succeed with the public, irrational psychological issues are going to have to be addressed.

You still need a pass at some point to make an announcement like "I want to spend this money again" right ? you would still need to enter this pass into the network right ? It is essentially the same thing as current implementation.

No.  If it is a dual colored coin scheme, attempts to unlock the account for withdrawals are publically seen on the blockchain and can be monitored and throw up warnings that an account is under attack.  If somebody hits the powerball jackpot and gets into an account through a miskey of another password, that is a one-time private event that is all over in under a minute and nobody even realizes it has happened until the next time they open their account or check it on the block chain.

I understand the math on how unlikely it is that a miskeyed password could open the fattest wallet by accident.  This isn't about math.  It's about public psychology.  Saying as a programmer it isn't necessary ignores the popularity of Powerball in the public mind and the psychology bias it introduces against brain wallets.

If you use a random generator, the chance of someone mis-types and get your pass is zero. Because the pass will use a lot of special characters and not-well-placed keys. Pass like that cannot be accidentally typed. No humanly possible guess is a random. So no mis-type is not possible even in a billion year.

I only worried about hacking. But just educated myself with some current articles on password picking, I can say that it is already extremely time- consuming and impossible at current state of art to pick a 10 character pass if they are truly random.  

Now key logger is another topic and definitely a risk. As long as you connect to Internet, there is a risk.

[instacalm]

Just transferred everything back to Dgex. Forging is done for me. If I can be hacked because of some security hole that Nxt cannot plug (key-loggers, for instance) than, though it's not Nxt's fault, it will hurt adoption and participation.

Hey, what if they will hack Dgex? Or founder of Dgex will disappear in the dust?

Like I said, cashing out as soon as I can.

It's like you guys are building a really high-performance car, and then criticizing the roads for being too bumpy and drivers for being unskilled. It's a great car, and it can do amazing things, but if it isn't adapted to the world as it is or drivers as they are (and not as you want them to be), then it will not have widespread adoption.

What? Your argument can be applied to anything. How do you expect NEXT to safe you from keyloggers? A password is a password and it is up to you to choose and keep it safe.

[Damelon]

 This isn't about math.  It's about public psychology.

I think this neatly summarises everything that I was trying to point out.

To expand on that: for NXT to be succesful and truly added value, it will need to go mainstream at some point. Arguably not now, and I'm not in any way suggesting that.
But it needs to be on the cards and taken seriously.

How that will be achieved is a different matter. Third parties seems logical. It's not something that is the sole responsibility of the NXT devs.

NXT and any crypto that wants to survive, needs the general public. Those is also a fact.

Also, in a more productive vein, I'd like to add a security page to the wiki. I now have the following items:

- Making a secure password with keepass (does other software need to be added?) (50-60 characters long enough?)
- Treat your wallet pass like it was your PIN.
- Keep your computer malware/virus free!
- never post pass.

Does anything else need adding. If it isn't obvious already, I am not a techie (although I know enough to keep myself protected). Can anyone suggest other easily implemented safety precautions?
Might as well help people out as much as we can

[opticalcarrier]

@2Kool4Skewl
Please replace direct download links with links to cfb's posts with them.
Nothing personal, just security

All, JeanLuc has agreed to start posting releases at info.nxtcrypto.org and they will also be posted at forums.nxtcrypto.org as well as at the www.nxtcrypto.org site.

[starik69]

This happens more frequently that I would think it should

Have you any math for this? Or only fud?

[smartwart]

There is no matter if you use one, two, or ten different passwords in sequence - or just one.

To be constructive, a password manager and generator (maybe like keypass2) could be integrated to NxT Client?
That would simplify it for causal user.

[fmiboy]

This isn't about math.  It's about public psychology.

I think this neatly summarises everything that I was trying to point out.

To expand on that: for NXT to be succesful and truly added value, it will need to go mainstream at some point. Arguably not now, and I'm not in any way suggesting that.
But it needs to be on the cards and taken seriously.

How that will be achieved is a different matter. Third parties seems logical. It's not something that is the sole responsibility of the NXT devs.

NXT and any crypto that wants to survive, needs the general public. Those is also a fact.

Also, in a more productive vein, I'd like to add a security page to the wiki. I now have the following items:

- Making a secure password with keepass (does other software need to be added?) (50-60 characters long enough?)
- Treat your wallet pass like it was your PIN.
- Keep your computer malware/virus free!
- never post pass.

Does anything else need adding. If it isn't obvious already, I am not a techie (although I know enough to keep myself protected). Can anyone suggest other easily implemented safety precautions?
Might as well help people out as much as we can

keepass 2 has expire date for every generated key/pass, I think, one must mention that as well. if it expire than users blame you to not posting about it so generate key/pass and write that to paper or something similar

[BitAddict]

Hey there, i started an NXT forging pool, for poeople that want to forge nxt with some reliability or dont want the NXT client running all day long

Website: http://nxt-pool.uk.to/

Nextcoin.org thread: https://nextcoin.org/index.php/topic,1783.0.html

If you send small amounts consider you will need to pay total 2 NxT fee for sending and return, so this is probably more than the NxT you're going to forge in years.

Every 24h currently you can forge about:

100k= 1NxT
10k= 0,1NxT
1k= 0,01NxT
100= 0,001NxT

So if you send 1k you will need 200 days just to breakeven the 2 NxT fee when you're risking your money in a 3rd party.

Also you can't use your coins when you want (you need to wait manual cashout), and now there is no decimals so is imposible to pay out under 1NxT.

And what about if your next forum account/email gets hacked and tell him to send coins to another new wallet? You also lose everything.

IMO is no point using this, and less with current 1NxT fee.

[opticalcarrier]

Id like these people claiming thefts to post their password.  If the account has been emptied please post the password.

I want to tell the world to never accept a withdrawal from my NXT account.  To do this I click a button on my client and go to a special page.  I pay a NXT fee and the page generates two numbers, a public key and a private key.  I attach the public key to a colored coin.  THis is my announcement to the world to lock my account...

This can be done with existing functionality.
Just create new account, send coins to it and never use this account until NXT costs $500.
This is absolutely the same scheme as yours. And it's free

yes but I'd like to be able to forge and also have functionality of a 2nd password in order to send funds.
This way, for forging, Id just use my regular PC.  But to ever send NXT, Id boot to a pupply linux usb drive and enter the password in that, with security from virus/keylogger/etc

[Kodoka]

Any chance Google Authenticator could be worked into the code, for everyone calling for extra security? Also, I wanted to see just how brute force resistant Nxt is, so I threw together some code and ran it. Unless a hacker is working with a ridiculously powerful rig, brute force is NOT an option. Even a 7 character pass-phrase would take several weeks to check all combinations of a mixed alpha-numeric set. So if your account has been hacked, you probably need to clean up your computer.

[EmoneyRu]

Any actual roadmap? What would happen @ 32k?