Bitcoin Forum
Author Topic: NXT :: descendant of Bitcoin - Updated Information  (Read 2761756 times)
bitcoinpaul
January 01, 2014, 08:21:43 PM
 #11961

I've got PaulyC's password. It's uncrackable and matches the account. If he is not trolling then we have 4 explanations:

- Someone cracked SHA256 and Curve25519 (why then multi-million accounts not hacked?)
- Someone distributes modified NRS (someone should decompile PaulyC's software)
- Keylogger
- He used online node that records entered passphrases

While I may give PaulyC the benefit of doubt, it can't be ruled out that it is a legit transaction authorized by PaulyC himself.

What about this?
nadrimajstor
January 01, 2014, 08:21:58 PM
 #11962

Please consider running a non-proprietary OS...
There are many flavours of Linux/BSD that one can easily run live from a CD / USB drive.
It is not a panacea for all attack vectors but it is helpful.
intel
January 01, 2014, 08:22:25 PM
 #11963

So, even password "Alisa" 'll be quite secure when using with login "mrbober777", so the final password is "mrbober777Alisa", which is much more protected than plain "Alisa". Attacker should spend MUCH more resources for brute-forcing passwords with a login added to the password field.

CfB ?

We can start prepending "Alisa" to our passphrases right now. (Need to create a new account though. And don't use "Alisa" plz.)

Nobody prepends now, but with an additional login field, they'll be forced to prepend.

rickyjames
January 01, 2014, 08:23:48 PM
 #11964

OK, look, I'm not a heavy hitter coder to pitch in and help here, and I wish I was.  But this security stuff is serious with major psychological/political overtones for the acceptance of NXT.  I really want to get a consensus here on a proposed course of action.  Many pages back on this thread there was a prioritized list of what was to be added to NXT in the way of features.  Where does my proposed account withdrawal freeze code idea (or something similar) rank on this in the eyes of the community, and what is the path we take to either reject it from consideration as an add-on or agree that yes, it will be implemented?

Not trying to be pushy, I just think this is too important to let it fade out when we go off chasing the next squirrel topic ten pages from now (an allusion to the dog in Up).

Would your solution help from keyloggers and trojans?

I think that if you requested withdrawals from your account be frozen until you reenter the private key code, and the client software generates internally and displays to you that private key code for you to write down on paper with a pencil for use at a later date, then yes, I do not see how either a keylogger or a Trojan could get the private key unfreeze code.  
Come-from-Beyond
January 01, 2014, 08:24:19 PM
 #11965


Hey CfB... shouldn't Page 1 client download link agree with the one given by Jean-Luc?

Thought I had this under control... but getting confused myself.   Huh

Since we all respect your opinion, please inform where we should be downloading the client from.

thnx   Smiley

We can download client from anywhere. Just make sure SHA256 checksum matches the one provided by Jean-Luc.
BloodyRookie
January 01, 2014, 08:24:33 PM
 #11966

Wouldn't it be pretty easy to restrict transactions to a specific MAC address? You register a MAC address for your account via a transaction. Only if the MAC address is the specified one, the transaction is executed. Just an idea.

It's impossible.

why?

Coz it's unknown what MAC address a transaction was sent from.

No, you misunderstood me. I don't claim that other nodes have to verify the MAC address. It's just a test that the server on your computer locally performs before he releases the transaction to other nodes. The MAC address is a fingerprint of the device you are using to send nxt coins.

Edit: OK, I think I see your point.

laowai80
January 01, 2014, 08:25:10 PM
 #11967


I think that if you requested withdrawals from your account be frozen until you reenter the private key code, and the client software generates internally and displays to you that private key code for you to write down on paper with a pencil for use at a later date, then yes, I do not see how either a keylogger or a Trojan could get the private key unlock code.  

There are remote control trojans that can print screen and send it to the hacker.
nadrimajstor
January 01, 2014, 08:27:01 PM
 #11968

Coz it's unknown what MAC address a transaction was sent from.
And nobody ever spoofed a MAC address.  Grin
opticalcarrier
January 01, 2014, 08:27:23 PM
 #11969

I agree it could be any of those 4 reasons CfB gave, but curiously why hasn't the hacker or whoever done anything with those stolen NXT? Isn't that a weird behavior or?

just so we don't go on a tangent here,
this is the client I used.
4.8
https://nextcoin.org/index.php/topic,4.0.html

nxt-client-0.4.8.zip

Hmm... post by Drexme.

The SHA256 Hash from the forum file is the same as the SHA256 Hash from the zip I used. That file is ok.

Well, the link could have been changed since his download, but most likely not. To be 100% sure, paulyc will need to get the .zip from his PC's download folder and post it for us.

But most likely it was either a keylogger or he put his password into a remote node, with the latter being most likely IMO.
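
The checksum check discussed in this thread (compare the archive you actually have on disk against the SHA256 published by the release signer), as an added example that is not part of any post here. The archive contents and the digest are constructed stand-ins, since the thread does not quote the published digest; `parse_published`, `sha256_file` and `verify_download` are illustrative names.

```python
import hashlib
import hmac
import os
import re
import tempfile

HEX64 = re.compile(r"[0-9a-f]{64}")

def parse_published(text, filename):
    """Return the SHA-256 for `filename` from a bare digest or sha256sum-style lines."""
    for line in text.strip().splitlines():
        parts = line.split()
        if not parts:
            continue
        digest = parts[0].lower()
        if not HEX64.fullmatch(digest):
            continue  # truncated or malformed digests are never accepted
        # A bare digest applies to any file; "digest  name" must name our file.
        if len(parts) == 1 or parts[-1].lstrip("*") == filename:
            return digest
    raise ValueError("no well-formed SHA-256 digest published for " + filename)

def sha256_file(path, chunk=1 << 20):
    """Hash the file in chunks so large archives are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_download(path, published_text):
    expected = parse_published(published_text, os.path.basename(path))
    return hmac.compare_digest(sha256_file(path), expected)

def demo():
    # Constructed sample: a stand-in archive and a digest line built from it.
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "nxt-client-0.4.8.zip")
        with open(path, "wb") as f:
            f.write(b"constructed stand-in for the release archive")
        published = sha256_file(path).upper() + "  nxt-client-0.4.8.zip\n"
        genuine = verify_download(path, published)
        with open(path, "ab") as f:
            f.write(b"\x00")  # any change to the archive changes the digest
        modified = verify_download(path, published)
        return genuine, modified

if __name__ == "__main__":
    print(demo())
```

A match only shows that the file equals what the digest describes, so the digest has to come from a channel that the download mirror does not control.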
Come-from-Beyond
January 01, 2014, 08:28:05 PM
 #11970

Nobody prepends now, but with an additional login field, they'll be forced to prepend.

And they'll be entering 1234 into the login field all the time Smiley
landomata
January 01, 2014, 08:28:19 PM
 #11971


We can download client from anywhere. Just make sure SHA256 checksum matches the one provided by Jean-Luc.

not everyone can run this setup

2X84
January 01, 2014, 08:28:33 PM
 #11972

Could someone with an updated blockchain check on my account for me?

5341635214821841695

I'm in a developing country at the moment  Undecided...

It would be very much appreciated as the explorer is still down.
laowai80
January 01, 2014, 08:29:22 PM
 #11973


We can download client from anywhere. Just make sure SHA256 checksum matches the one provided by Jean-Luc.

not everyone can run this setup

by the way, there are new custom automatic installer packages coming into light every day, I am sure nobody is checking those before recommending Smiley
Come-from-Beyond
January 01, 2014, 08:30:24 PM
 #11974

Could someone with an updated blockchain check on my account for me?

5341635214821841695

I'm in a developing country at the moment  Undecided...

It would be very much appreciated as the explorer is still down.

{"balance":350997600,"effectiveBalance":350997600,"unconfirmedBalance":350997600}
opticalcarrier
January 01, 2014, 08:30:46 PM
 #11975

Could someone with an updated blockchain check on my account for me?

5341635214821841695

I'm in a developing country at the moment  Undecided...

It would be very much appreciated as the explorer is still down.

http://localhost:7874/nxt?requestType=getBalance&account=5341635214821841695
or
http://22k.io/-account/5341635214821841695
2X84
January 01, 2014, 08:34:07 PM
 #11976

Could someone with an updated blockchain check on my account for me?

5341635214821841695

I'm in a developing country at the moment  Undecided...

It would be very much appreciated as the explorer is still down.

http://localhost:7874/nxt?requestType=getBalance&account=5341635214821841695
or
http://22k.io/-account/5341635214821841695
Thanks CFB and Optical, I almost had a heart attack when I heard about the hack.
rickyjames
January 01, 2014, 08:35:10 PM
 #11977


I think that if you requested withdrawals from your account be frozen until you reenter the private key code, and the client software generates internally and displays to you that private key code for you to write down on paper with a pencil for use at a later date, then yes, I do not see how either a keylogger or a Trojan could get the private key unlock code.  

There are remote control trojans that can print screen and send it to the hacker.

This is true.  I suggest the client software could display it as an animated gif perhaps  with random 3 to 5 second intervals between key fragment displays, so that a single screen grab or even multiple screen grabs wouldn't get it.  Whereupon the Trojan could be written to...

We can go a long way down this hall of mirrors.  I still think it is worthwhile to implement user account withdrawal freeze codes as I have described in the blockchain, for the psychological comfort aspect as well as the undeniable increased security aspect, hypothetical screengrabber Trojans or no.  

I will keep parrying about if this then that if you want.  Deciding as a community whether or not  to actually implement it is a completely separate issue that I still would like resolution upon.

intel
January 01, 2014, 08:35:48 PM
 #11978

Nobody prepends now, but with an additional login field, they'll be forced to prepend.

And they'll be entering 1234 into the login field all the time Smiley

Most people won't. Better than nothing Smiley Requires only UI JS changes.

landomata
January 01, 2014, 08:36:20 PM
 #11979


We can download client from anywhere. Just make sure SHA256 checksum matches the one provided by Jean-Luc.

not everyone can run this setup


Please expand landomata.

meaning the average user shouldn't have to run this check.

Edit: there should be one secured official source for client updates... preferably Blockchain to clients

laowai80
January 01, 2014, 08:39:44 PM
 #11980

Isn't the party line not to use the word 'official' any more?  Cheesy