Security of public fund

Someone apparently has lost half a million NXT and more than 1000 BTC after his computer was broken into yesterday. (Don’t click on external links provided by the victim, KLee, whose forum account may have been compromised, unless you are sure the link is clean.)
Some of the lost funds are public. Members of the Nxt community are making a good point that the public fund keepers should make it public what security measures have been taken for the funds under their care. As we are starting to establish a Peercoin fund, I think this incident is a timely reminder.

At today’s prices, that’s $23000 of NXT and over $600000 of BTC!! :omg:

Are the Marketing funds stored using multisig between Cybnate and River333? What about the rest of the Peer4Commit funds? Any multisig between the site and the project owners?

Peer4commit funds are partially stored in cold storage. You can get the details here: http://peer4commit.com/audit

Multisig between the site and the fundraiser is planned but not implemented yet. It’s the next thing I’ll do when I have time.
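The multisig arrangement discussed above (site and fundraiser each holding a key) is, for Bitcoin-derived coins like Peercoin, an m-of-n CHECKMULTISIG redeem script behind a P2SH address. As an added example that is not part of the thread or of Peer4Commit’s code, the block below builds such a script and, more importantly, parses one back so each key holder can verify that the script really requires 2 of 3 signatures and includes their own key before funds are sent to it. The public keys are constructed placeholders, not real keys; address encoding is left out.

```python
OP_CHECKMULTISIG = 0xAE

# Constructed placeholder public keys (33-byte compressed form); not real keys.
KEY_SITE = bytes([0x02]) + bytes([0x11]) * 32
KEY_FUNDRAISER = bytes([0x03]) + bytes([0x22]) * 32
KEY_BACKUP = bytes([0x02]) + bytes([0x33]) * 32


def push(data: bytes) -> bytes:
    # Direct push opcode: one length byte followed by the data (valid for 1..75 bytes).
    if not 1 <= len(data) <= 75:
        raise ValueError("push size out of range")
    return bytes([len(data)]) + data


def small_int_op(n: int) -> int:
    # OP_1 .. OP_16 are encoded as 0x50 + n.
    if not 1 <= n <= 16:
        raise ValueError("small int out of range")
    return 0x50 + n


def build_multisig_redeem_script(m: int, pubkeys: list) -> bytes:
    """Build a bare m-of-n redeem script: OP_m <pk>... OP_n OP_CHECKMULTISIG."""
    n = len(pubkeys)
    if not 1 <= m <= n <= 16:
        raise ValueError("need 1 <= m <= n <= 16")
    # Sorting keys makes the script (and hence the address) deterministic for all parties.
    keys = b"".join(push(pk) for pk in sorted(pubkeys))
    return bytes([small_int_op(m)]) + keys + bytes([small_int_op(n), OP_CHECKMULTISIG])


def parse_multisig_redeem_script(script: bytes):
    """Return (m, n, pubkeys); raise ValueError if this is not a bare m-of-n CHECKMULTISIG script."""
    if len(script) < 3 or script[-1] != OP_CHECKMULTISIG:
        raise ValueError("not a CHECKMULTISIG script")
    m, n = script[0] - 0x50, script[-2] - 0x50
    pubkeys, i = [], 1
    while i < len(script) - 2:
        length = script[i]
        if length not in (33, 65):  # compressed or uncompressed public key push
            raise ValueError("unexpected opcode in key list")
        pubkeys.append(script[i + 1:i + 1 + length])
        i += 1 + length
    if i != len(script) - 2 or len(pubkeys) != n or not 1 <= m <= n <= 16:
        raise ValueError("key count or threshold does not match script")
    return m, n, pubkeys


def custodian_check(script: bytes, my_key: bytes, expected_m: int, expected_n: int) -> bool:
    """What each fund keeper verifies before accepting an address derived from this script."""
    m, n, keys = parse_multisig_redeem_script(script)
    return (m, n) == (expected_m, expected_n) and my_key in keys
```

The check matters because a party handed only an address cannot tell a 2-of-3 script from a 1-of-1 one; the redeem script itself must be shared and inspected.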

According to update posts, the stolen NXT is almost 3 million. About 1,000,000 USD worth of coins are lost. The entire NXT infrastructure dev fund is wiped out, as the victim is its treasurer (a high-value target). To quote the details here as a reminder of how bad things can get:

I have just spoken by video to klee on Skype.

He has confirmed the messages earlier were from him.

He confirms that all his Nxt and all his Bitcoin have been taken.

He acknowledges that his security measures were not as good as they should be:

  1. passes kept in a plaintext file
  2. On a dropbox account that was not repassworded after heartbleed.
  3. Possibility of open wifi at Vienna conference (long time ago, but a possibility, as his home wifi is passworded).
  4. There were also irregularities with his FB group page, where someone could suddenly post admin-level posts.
  5. Apparently his other accounts have not been compromised (mail, forum etc).

I would like to ask everyone when commenting to take into account the situation here. Feel free to comment, but if it descends into personal attacks, that will have consequences, as everyone knows.

Seems like the total losses amount to $ 1,000,000.

Wow, that’s a lot. Their entire development fund was wiped out?

People have been known to do really stupid things for a lot less than $1M.

No. As I understand only the infrastructure development (“InfCom”) fund. I am really sorry for KLee, not only for the money losses, but also that he is apparently an active and highly respected community member.

Another reason why I should only have a small number of funds in my name (the video fund is now drained, the Marketing Fund is now active) at the moment. I think FB and Sigmike are the most vulnerable. Hope we can get multisig sooner rather than later. My passwords are not kept in plain text anywhere. The shortest passwords are 12+ characters with a nice mix of odd characters.

Well, you’d better have as a password 20 simple words without strange characters that are easy to remember,
like from a poem or a theatrical play :wink:


Mix different languages and dialects, together with strange spellings, characters and numbers. But make sure you can remember it.


If you have a keylogger on your machine then all is lost no matter how long or complicated your password is IF you are typing it in.

Unfortunately, we don’t have secure hardware wallets for Peercoin yet. I have been thinking about hardware wallet designs but that is a different subject.

Here is a general password scheme that you can personalize and make specific to yourself, which I think would defeat any keylogger and any other malware that I am aware of at this time.

Step One: take any type of text creation program, Notepad, MS Word, Open Office, etc. etc. and create a text file with your password(s) in it.

Optional: If you are worried about having a keylogger right now, then type in lots of extraneous keystrokes of all kinds, out-of-order characters, etc. Go back and cut, paste and delete until you have your password intact.

Additional Option: Your password does not have to be saved exactly; it only has to be sufficiently complete that it is easy for you to remember how to reconstruct your password from the data in the file. For example, when you open the file to retrieve your password you might have to change a spelling or reorder two words or whatever to create your intact password. If you do this, keep it simple so you can always accurately recreate your password.

Step Two: save the file as a .txt or .doc or whatever format your text creation program can save as.

Step Three: rename the .txt or .doc to .gif or .jpg or any other common file type ending.

Step Four: Place your newly disguised password file, which is now a .jpg, in a folder with lots of other legit .jpg files. Only you know what and where it is.

Option: If you are advanced you could secret your password(s) in an actual .jpg or .gif or any other type of file.

Step Five: To access your password(s): go to the file, change it back to the original correct format e.g. .txt, .doc etc. and open your file.

Optional: If you are really fearful of keyloggers (but I think you have defeated all current malware by now), then you could type in, for example, “Testing exact parameters” and then select and cut away everything but “txt” to put your file name back in the correct format to open with your original program.

Step Six: Copy your password and paste it into where you need it.

Voilà! Now you have never typed in your password and no keylogger can have stolen it.

This sounds kind of complicated but it is really pretty easy and there are millions of variants on it. Customize it. Make it personal and specific to yourself. Use your imagination.

If you are handling big bucks, to me, something along these lines is worth it.

I don’t think it is as good as having a well designed hardware wallet, but for now it seems secure to me.

Anybody see any serious flaws?

Well, this is a rather unique idea, but I’m afraid that malware can quite easily detect and copy clipboard changes along with recording the active program (e.g. wallet) where the pasted text is copied/placed. Now you could paste your password and then alter it in some easy-to-remember way, but unfortunately now you’re susceptible to keyloggers again. It’s not even hard to track and count pixels of mouse movement to detect “secret” cut points. Basically your first statement is correct. If you’re vulnerable to already having a keylogger on your machine, “all is lost” :frowning:. In fact, if there is a keylogger installed on your system, the application you think looks just like your wallet could be something else entirely!

Yep, I do, haha.

The malware could read the password out of your clipboard! :wink:

This should circumvent clipboard and keylogger malware for the wallet. I’m very keen to get this into the wallet, but we can’t find anyone to implement it, despite the bounty from Jordan Lee here: http://www.peercointalk.org/index.php?topic=2740.msg28251#msg28251

Have you posted it anywhere else besides this forum, like Reddit?