Show Posts - Gr4ssh0pper

Messages - Gr4ssh0pper

1
Nxt General Discussion / Re: Coming Soon: Trezor for NXT
« on: January 29, 2015, 06:35:02 pm »
I think using the trezor hardware with a complete custom firmware together with a different pc client should be no problem and should also avoid the warning messages...

But what about our own nxt signing hardware? I really would like to build something like this, but didn't manage to port the signing code... Again, I would be very happy to try running the signing code on my nxtKey hardware!

 

2
Nxt General Discussion / Re: Coming Soon: Trezor for NXT
« on: January 20, 2015, 09:59:17 pm »
This is what my boss has asked when I told him about the bounty. Looks like they are not interested in messing with alts.
Also they are not very interested since it is pretty easy to make a clone. For example I'm working with a very different board - actually any board with MCU and USB will fit.

If you do alternate hardware, you should use the nxtkey design. Maybe with a transparent case... and millions will buy it just for the looks ;)

lol, thanks :D If a hardware guy is needed in this project I will be lucky to help. Maybe when blacky has ported the transaction signing code from Java to C and it is running on the Cortex-M3 I could try to run it on my hardware. This is where I failed :/

3
I like the app! Nice animations!

Does it save the selected currency or do I have to select it again after restart of the app?

I found one error: I switched to EUR and after swiping a little bit over the display the EUR text is missing in the big label in the bottom left corner. Then touching refresh is showing the string 'null' on all five value labels (Last, Low, High, Ask and Bid)

4
13 and Thanks a lot :D

5
Nxt General Discussion / Re: NXTkey - Community fund bounty request
« on: June 09, 2014, 01:43:43 pm »
I would like to give the discussion a slight bump. Does the community feel comfortable with the goals and the "price" of each goal? Also I hope that I could dispel the concerns regarding the safety of this device!

@Damelon Do you need more information? What do you think about funding the first goal (20k NXT) from InfCom?  https://nxtforum.org/infrastructure-committee/nxtkey/

7
Nxt General Discussion / Re: Paranoid about security
« on: June 07, 2014, 06:13:56 am »
Yeah, it is a cheaper Trezor. I see what you mean with air gapped. Could a Bluetooth-connected device be called air gapped? Or does it have to be a QR-Code "data transmission"?

9
Trading & Exchanges / Re: Mintpal and NXT
« on: June 06, 2014, 10:50:07 am »
Shit happens, don't worry about it.

10
Nxt General Discussion / Re: NXTkey - Community fund bounty request
« on: June 06, 2014, 08:01:34 am »
Can you go through the mechanics of how it works?

What does "absolutely secure." actually mean? What happens if you lose the device? How is it tied to your wallet, or is it hardware wallet?

Losing the device is not good (-; It is safe against key loggers and spyware which is trying to get your passphrase! The passphrase will not leave the NXTkey. Transactions are sent to the device over USB, signed in the device with the passphrase and then sent back to the client. The device itself is not secured with a password. It should be a reference design to show how USB transaction signing should be implemented.

Scary. So, there is no way to deauthorize this key. It basically holds your password? How does the password get on there? Is it possible to read the password from the device? Is it possible to create a virus that sees this USB device and installs a payload on it when it is connected to a computer so it can redirect/modify transactions?

What are the plans to do security audits on this device?
Scary indeed. Can anyone snatch your NXTkey and just use it to spend your NXTs?


Ongoing discussion about the security:

https://nxtforum.org/infrastructure-committee/nxtkey/

11
Infrastructure Fund Committee / Re: NXTkey
« on: June 06, 2014, 07:57:41 am »
Cross post...

Wouldn't it be simple to add password protection by encrypting the NXT key in the ROM? The user would need to input the encryption password in the client, the client would send it to the USB stick together with the transaction data and the microcontroller would decrypt the key to do the transaction.
Bob would need the hardware stick AND the password to get Alice's funds.

Should make it safer against simple attacks like stealing the device! Keyloggers are still able to check this password but I will think about making this an option!

12
Infrastructure Fund Committee / Re: NXTkey
« on: June 06, 2014, 07:46:25 am »
Sorry, but right now I don't agree with this.
To me this is actually a step back in security. It's a digital form of a post-it in a nice package.

Anyone with access to your nxtkey has total control over your account.

There should be an option to type an extra password somewhere and on 3 mistakes the key locks and needs a "master unlock".

If that's not implemented I see this key as security threat...





My goal is to implement a reference design showing the USB communication and how to implement transaction signing on a microcontroller! Others can do the super secure burn-the-device after 3 wrong access attempts!
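The two proposals from the NXTkey posts above (encrypt the stored key under a password, and lock after 3 wrong attempts), combined in a device-side model. This is an added example, not NXTkey firmware or code from the thread; the class and function names, the PBKDF2 settings and the XOR key wrap are assumptions chosen so it runs on the Python standard library alone.

```python
import hashlib
import hmac
import os

MAX_TRIES = 3          # "on 3 mistakes the key locks", as proposed in the thread
KDF_ROUNDS = 100_000   # assumed work factor; a small MCU would need tuning


class LockedError(Exception):
    pass


class SimulatedKeyStore:
    """Models the device flash: salt, wrapped key, tag and failure counter."""

    def __init__(self, private_key: bytes, password: str):
        if len(private_key) != 32:
            raise ValueError("expected a 32-byte key")
        self.salt = os.urandom(16)
        enc_key, mac_key = self._derive(password)
        # XOR wrap: acceptable for ONE 32-byte secret per salt (assumption);
        # real firmware would use an authenticated cipher instead.
        self.wrapped = bytes(a ^ b for a, b in zip(private_key, enc_key))
        self.tag = hmac.new(mac_key, self.wrapped, hashlib.sha256).digest()
        self.failures = 0

    def _derive(self, password: str):
        okm = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt,
                                  KDF_ROUNDS, dklen=64)
        return okm[:32], okm[32:]

    def unlock(self, password: str) -> bytes:
        if self.failures >= MAX_TRIES:
            raise LockedError("locked; needs master unlock or full erase")
        # Count the attempt BEFORE checking it, so cutting power during
        # the check cannot buy free guesses.
        self.failures += 1
        enc_key, mac_key = self._derive(password)
        expected = hmac.new(mac_key, self.wrapped, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, self.tag):
            raise ValueError("wrong password")
        self.failures = 0
        return bytes(a ^ b for a, b in zip(self.wrapped, enc_key))


def classify(store: SimulatedKeyStore, guess: str) -> str:
    try:
        store.unlock(guess)
        return "ok"
    except ValueError:
        return "wrong"
    except LockedError:
        return "locked"
```

The counter only limits guessing by someone holding a stolen device; a password typed in the PC client is still visible to a keylogger, as the post above notes.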


13
Nxt General Discussion / Re: NXTkey - Community fund bounty request
« on: June 05, 2014, 08:54:51 pm »
This should be funded by InfCom IMHO.

Or TechDev, I'm not sure... But community fund is not a wrong place...

14
Nxt General Discussion / Re: NXT Mintpal donations
« on: June 05, 2014, 08:50:54 pm »
Why the fuck are we paying Mintpal again?

The earlier we get rich the earlier we can buy mintpal and fire the person responsible for those weird policies.   :D

What they do is a bad business style. Yes, they get ONE BTC (!1) but lose so much sympathy. It is like the kiosk owner next to your house not giving you a small credit when you want to buy something and don't have enough cash.

+1440  And I've never posted this before :D

15
Nxt General Discussion / Re: NXTkey - Community fund bounty request
« on: June 05, 2014, 08:46:28 pm »
Wouldn't it be simple to add password protection by encrypting the NXT key in the ROM? The user would need to input the encryption password in the client, the client would send it to the USB stick together with the transaction data and the microcontroller would decrypt the key to do the transaction.
Bob would need the hardware stick AND the password to get Alice's funds.

Should make it safer against simple attacks like stealing the device! Keyloggers are still able to check this password but I will think about making this an option!

16
Nxt General Discussion / Re: NXTkey - Community fund bounty request
« on: June 05, 2014, 08:27:05 pm »
Can you go through the mechanics of how it works?

What does "absolutely secure." actually mean? What happens if you lose the device? How is it tied to your wallet, or is it hardware wallet?

Losing the device is not good (-; It is safe against key loggers and spyware which is trying to get your passphrase! The passphrase will not leave the NXTkey. Transactions are sent to the device over USB, signed in the device with the passphrase and then sent back to the client. The device itself is not secured with a password. It should be a reference design to show how USB transaction signing should be implemented.

Scary. So, there is no way to deauthorize this key. It basically holds your password? How does the password get on there? Is it possible to read the password from the device? Is it possible to create a virus that sees this USB device and installs a payload on it when it is connected to a computer so it can redirect/modify transactions?

What are the plans to do security audits on this device?


It holds your private key. Software updates are done over a USB boot loader. The boot loader is started by holding the x key while plugging the device into the USB port. The NXTkey is mounted as a flash drive and the binary of the new software is simply drag-dropped onto this flash drive. I will implement a Java-based software which builds a .bin file including the software update and the passphrase. So the passphrases are stored in the internal flash of the microcontroller. If you accidentally start the bootloader during plugging in the device you can't read out the flash content because it is read protected. Should be safe enough, it is a built-in functionality of the controller. Also flashing a new (harmful) software on the NXTkey will not expose your private key, because you can only erase the complete flash which will delete your stored keys.

Good questions by the way! What I would like to achieve with my project is a reference design showing the USB communication to sign transactions. Others could build a more complex device with touch display to input your private key without a pc. A security audit is not planned at the moment, but this is going to be open source so you can do it if you like to (-;


17
Nxt General Discussion / Re: NXTkey - Community fund bounty request
« on: June 05, 2014, 08:02:48 pm »
Can you go through the mechanics of how it works?

What does "absolutely secure." actually mean? What happens if you lose the device? How is it tied to your wallet, or is it hardware wallet?

Losing the device is not good (-; It is safe against key loggers and spyware which is trying to get your passphrase! The passphrase will not leave the NXTkey. Transactions are sent to the device over USB, signed in the device with the passphrase and then sent back to the client. The device itself is not secured with a password. It should be a reference design to show how USB transaction signing should be implemented.

18
Nxt General Discussion / NXTkey - Community fund bounty request
« on: June 05, 2014, 07:46:47 pm »
1. Nxt account and userID/contact info for submitter

userID: gr4ssh0pper
NXT account: NXT-8573-EJTH-JSWS-GH5FG


2. Submission date

05th June 2014


3. A short description of the project with your goals very clearly specified(three sentences max.)

Developing an open source USB transaction signing device which makes sending NXT absolutely secure.


3b. Long description as needed

I will develop an open source USB transaction signing device to make NXT transaction signing absolutely secure. The first version of the NXTkey is already built and the basic functionality is working. (USB communication / OLED driver etc.) By funding my development I will be able to build a second generation hardware with a more capable microprocessor which can also handle the transaction signing. The hardware is going to be an open source reference design which shows how to implement USB transaction signing. I'm planning to build at least 10 prototypes from the first funding. I will give them for free to the community and beta testers. Maybe the community could start an auction for these 10 prototypes and return the earned money back to the community fund. I'm in contact with Graviton to implement USB communication into Offspring which will be the first client supporting the NXTkey.

I'm not planning to sell these devices on my own. Everyone is free to sell them after I released the open source production data.

The actual project status can be found here:

https://nxtforum.org/nxtkey/nxtkey-project-status/
https://nxtforum.org/nxtkey/nxtkey-some-pictures-and-i-think-they-look-great-d/





4. Specify the target audience

Anyone and everyone!


5. Budget

Goal 1: 20k NXT immediately for building 10 prototypes based on the second generation hardware

Goal 2: 75k NXT for a) open sourcing all documents necessary to produce the NXTkey and b) a working software which enables YubiKey-style passphrase handling (not super-secure)

Goal 3: 150k NXT for a working USB transaction signing software based on the NXTkey and supported by Offspring


6. Specify deadlines

Deadline tbd but at least 6 weeks. I will post updates and pics as soon as possible. Please check my last timeline; I think I've managed it pretty well.


7. Personal Information

I'm a hardware engineer with over 10 years' experience. I've been invested in NXT since February and started reading the btt monster thread on a daily basis. This forum is the best thing that happened to the NXT community and it is a joy to be a part of it!

Feel free to ask whatever you like about my project!


 

19
NXTkey / Re: NXTkey - Project Status
« on: June 02, 2014, 05:51:57 am »
go for a bounty!

+1

Also agree in advance how things will work once you have got the working version done. I.e. when you come to sell them, possibly for profit  ;D will the bounty just be money for you as this is awesome, will be popular and you put a lot of work in  ;D or will you give x amount of money for each unit sold or repay the bounty as a loan later or ... etc etc

Clarity upfront, don't let things get messy later so neither party feels they got burned ;D ;D

I guess I have to do my paperwork  ;)

20
NXTkey / Re: NXTkey - Some pictures and I think THEY LOOK GREAT :D
« on: June 01, 2014, 06:21:44 pm »


Actual status and bad news can be found here: https://nxtforum.org/index.php?topic=753.msg33504#msg33504
