Regarding the recent theft of Burst accounts



  • I recently started using KeePass and I love it. I ordered some cheap flash drives from newegg and I will be creating separate Burst accounts to be stored in a KeePass encrypted database, then duplicating those databases onto the flash drives to be stored in multiple safe locations. These passwords will never touch a cloud and all transactions will be handled by my own local wallet.

    In my opinion, the password should be encrypted anywhere and everywhere it can be encrypted - even when doing local wallet transactions, even when storing it in a properties file for the miners. Security is all about taking precautions you don't necessarily HAVE to take and since attacks can come from places you can't think of, I take the philosophy of plug every hole you can even if you don't think you need to.

    For me, it's important to note that both of these successful attacks circumvented the encrypted password by gaining access to the password at a point where it was not encrypted. Neither attack was able to break or compromise the encryption of the Burst network itself in any way.


  • admin

    This post is deleted!

  • admin

    This post is deleted!

  • admin

    @Focus The topic here: "Regarding the recent theft of Burst accounts "
    Discussion about "court data technologies" here: https://forums.burst-team.us/topic/3853/court-data-technologies


  • admin

    @croydan1 I missed this post earlier, but having the dictionary words listed is not a problem.

    There are from memory 1664 words in the list it uses, the number of permutations of 12 of those words ( Permutation = ordered list ) is 433,086,275,460,543,172,562,465,902,777,223,577,600 (4.3 x 10 ^ 37).

    Testing 100,000 pass phrases per second would take on average 6,817,605,276,509,386,098,427,194.3176053 Years to find a specific pass phrase.

    You'd need to be able to test 100 Quadrillion (10 ^ 15) passphrases/second to get it down to the 6 Billion years range .....

    Adding numbers, upper case and symbols increases that exponentially as you can no longer test just the 1664 words.



  • @haitch and to @all I know that this is correct but i was very tired I had a rough day and the theft just set me off into a poor mood, with that said yes I agree that with that many words it makes it almost impossible I was in some way just trying to get across to just take more precaution and I did not convey that thought in a logical written way so I do truly apologize I want all of you to know that I am not here to create or cause panic in anyway shape or form.

    Apologies,

    Croydan


  • admin

    @croydan1 Nothing to apologize for.



  • @Lexicon
    I sent a little New silver over to you, get you back on track again so to speak. :)



  • the auto generate pass phrase is secure , it's tec not impossible to be brutforce hacked but the luck factor of a prog hiting the right combo of words would be like going out and buying a million lotto tickets and all million of them being winner's. no one would ever try to use this method to traget a single account as that is even more difficult by a huge factor. anyone who would attempt it would only be leting it run in the hopes of hitting the lotto.
    for our wallets security they are far more at risk from leaving info as word doc's on your comp and open to key logger's virus's or people who you personaly know that may see it as a fact buck.
    if you do want even more security like i do follow the guide lines of the auto generator but use words not in the list and give it some complexity with number's cap's symbols , just never use a shorter pass phrase than recomended



  • @Mr_Purple thanks buddy thats much appreciated. im hoping to get back up there again and it might happen eventually.

    it might even happen faster than the it took me over the previous 5 months. and to prevent something happening like this agan ill probably spread out my portfolio across multiple accounts for damage control.



  • @rds said in Regarding the recent theft of Burst accounts:

    Right now, the only way I know how to generate a Burstwallet address is to use the AIO wallet software.

    If the algorithm for address generation was public knowledge, then I could write a program to generate that address on an air gapped computer and either store that passphrase on that air gapped machine (hardware wallet) or a piece of paper (paper wallet).

    I wrote a 30 line python program to do just that. To generate Bitcoin and Ether paper wallet addresses. I use them exclusively to store the bulk of my BTC and ETH. I use online wallets for small amounts, shopping money etc., but the bulk amounts are stored in addresses that have never touched the internet.

    https://github.com/damncourier/burst-address.py
    not exactly 30 lines but well commented and includes RS address encoding (which is not commented at all)

    note that accounts with out public keys on the blockchain can be accessed if there is a collision with another key pair.

    transaction signing on air gapped machine should be possible using
    https://nxtwiki.org/wiki/The_Nxt_API#Sign_Transaction

    followed by broadcasting on network
    https://nxtwiki.org/wiki/The_Nxt_API#Broadcast_Transaction

    not an easy solution right now, but seems possibility is there.



  • @damncourier yes it is possible :) you would still need at some point to enter your passphrase, so if that system is compromised your screwed :D


Log in to reply
 

Looks like your connection to Burst - Efficient HDD Mining was lost, please wait while we try to reconnect.