NXT :: descendant of Bitcoin - Updated Information

[laowai80]

Someone's buying up all NXTs they can get their greedy hands on at dgex   despite all this hack talk too.

[landomata]

You mean account spikes?.....in a linear fashion....as if someone was artificially opening accounts in a fixed amount across a specific time interval?

Nxt (and Bitcoin) doesn't work such the way.

doesn't each new passphase entered unlock a new account?

[PaulyC]

What if not everyone trusts that trusted third-party and still will believe the account was hacked or not.
The password should be in public.

Everybody trusts c-f-b!

In this situation, I don't see huge tangible benefits to the hackee of putting his/her password in public; whereas keeping the password out of a public forum may still save the aliases. The hacker might be offline if/when alias transfer is enabled (and, indeed, sitting on a tropical beach or a private yacht not caring about a few aliases). The hacker might have discarded the password. Or maybe never had it; who's to say the hacker's hacking tools ever actually send the password back to him?

That's my exact same thoughts, maybe I can salvage something here!

[Come-from-Beyond]

I've got PaulyC's password. It's uncrackable and matches the account. If he is not trolling then we have 4 explanations:

- Someone cracked SHA256 and Curve25519 (why then multi-million accounts not hacked?)
- Someone distributes modified NRS (someone should decompile PaulyC's software)
- Keylogger
- He used online node that records entered passphrases

[landomata]

I've got PaulyC's password. It's uncrackable and matches the account. If he is not trolling then we have 4 explanations:

- Someone cracked SHA256 and Curve25519 (why then multi-million accounts not hacked?)
- Someone distributes modified NRS (someone should decompile PaulyC's software)
- Keylogger
- He used online node that records entered passphrases

We haven't looked at this possibility...updating client from the blockchain would solve this.

[utopianfuture]

I've got PaulyC's password. It's uncrackable and matches the account. If he is not trolling then we have 4 explanations:

- Someone cracked SHA256 and Curve25519 (why then multi-million accounts not hacked?)
- Someone distributes modified NRS (someone should decompile PaulyC's software)
- Keylogger
- He used online node that records entered passphrases

While I may give PaulyC the benefit of doubt, it can't be ruled out that it is a legit transaction authorized by PaulyC himself.

[Patel]

Another possibility is that the global mod that went rogue from the nxtforum, he could have changed the download link to a infected copy of NRS and people who used that link from the forum were using a compromised version

[Come-from-Beyond]

doesn't each new passphase entered unlock a new account?

U don't need to unlock an account. This is how I would brute force accounts:

1. Got all non-empty account ids
2. Launched my GPUs (they r unprofitable to mine BTC but still useful)
3. Each GPU generated an account id and checked it matches one of the 7000 already existing ones (repeat zillion times)

[Come-from-Beyond]

We haven't looked at this possibility...updating client from the blockchain would solve this.

It's enough to modify only JavaScript part to send entered passphrases to adversary's server.

Edit: It's only 10 lines of JS code.

[EvilDave]

@PaulyC :

Have u scanned yr PC for malware? Trojan/key logger looks like a very good possiblility at this moment.

And how is yr off-line security ? Anyone else have acess to yr PC?

[BloodyRookie]

Wouldn't it be pretty easy to restrict transactions to a specific MAC address? You register a MAC address for your account via a transaction. Only if the MAC address of you computer is the specified one, the transaction is executed. Just an idea.

[Come-from-Beyond]

Wouldn't it be pretty easy to restrict transactions to a specific MAC address? You register a MAC address for your account via a transaction. Only if the MAC address is the specified one, the transaction is executed. Just an idea.

It's impossible.

[landomata]

We haven't looked at this possibility...updating client from the blockchain would solve this.

It's enough to modify only JavaScript part to send entered passphrases to adversary's server.

Edit: It's only 10 lines of JS code.

so how do we protect again this.

[laowai80]

- Someone cracked SHA256 and Curve25519 (why then multi-million accounts not hacked?)
- Someone distributes modified NRS (someone should decompile PaulyC's software)
- Keylogger
- He used online node that records entered passphrases

0.0000000000000000001%
1-10%
80-90%
1-10%

about that kind of probability for each explanation.
Keylogger is the main suspect of course.

[PaulyC]

I agree it could be any of those 4 reasons CfB gave, but curiously why hasn't the hacker or whoever done anything with those stolen NXT? Isn't that a weird behavior or?

just so we don't go on a tangent here,
this is the client I used.
4.8
https://nextcoin.org/index.php/topic,4.0.html

nxt-client-0.4.8.zip

[ferment]

price on dgex to da moon!

if litecoin is a chikun. what's nxt?

[laowai80]

price on dgex to da moon!

if litecoin is a chikun. what's nxt?

chikun killer, by summer for sure )

[BloodyRookie]

Wouldn't it be pretty easy to restrict transactions to a specific MAC address? You register a MAC address for your account via a transaction. Only if the MAC address is the specified one, the transaction is executed. Just an idea.

It's impossible.

why?

[landomata]

Keylogger is the main suspect of course.

There is really no way to protect against keyloggers except proper vigilance....yet malware is still everywhere and not going away anytime soon.


This is where Rickyjames/Opti-carriers idea comes in handy

[intel]

offline mining of all NXT accounts in parallel
problem gets worse the more NXT accounts there are
this attracts more hackers the more NXT is worth
This will create an equilibrium effect like a boat anchor to a hot air balloon. The more NXT succeeds, the more it will be hacked.

CfB, tell me there is a solution that is more effective than the user needs to not be unlucky

James

I can tell you some ideas.

Currently there is only a password. Lets also add login field when registering for account access.

This 'll require NO changes in protocol:

FINALPASSWORD = [LOGIN][PASSWORD]

So, even password "Alisa" 'll be quite secure when using with login "mrbober777", so the final password is   "mrbober777Alisa"     which is much more protected thay plain "Alisa". Attacker should spend MUCH more resources for brute-forcing passwords with a login added to the password field.

CfB ?