NEM Beta 0.6.26 - SECURITY UPDATE


#1

As some of you already noticed, there's a serious issue in NIS 0.6.25.

You should update to 0.6.26 as soon as possible.

Bug was truly dumb, /shutdown command had @ClientApi annotation instead of @TrustedApi

https://forum.ournem.com/technical-discussion/nis-shutdown/new/#new

NEM requires Java 8.
Remember, the installer requires 64-bit Java.
You can download Java from the official page: http://java.com/en/download/manual.jsp

You can start NCC and NIS with an installer from the following link:
http://bob.nem.ninja/installer/
Standalone version: http://bob.nem.ninja/
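
A build-time check that would catch this class of mislabel, as an added example that is not NIS code and not part of the original post. The annotation definitions are stand-ins for the two names mentioned above, and `Route`, the two controller classes and `MUST_BE_TRUSTED` are hypothetical; it assumes `@TrustedApi` marks endpoints reserved for trusted callers.

```java
import java.lang.annotation.*;
import java.lang.reflect.Method;
import java.util.*;

public class ApiTrustAudit {
    // Stand-ins for the annotations named in the post (real definitions are not on the page).
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD) @interface ClientApi {}
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD) @interface TrustedApi {}
    // Hypothetical route marker so the audit can map methods to paths.
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD) @interface Route { String value(); }

    // Constructed controller reproducing the mislabel described in the post.
    static class ControllerBefore {
        @Route("/shutdown") @ClientApi public void shutdown() {}
        @Route("/status") @ClientApi public void status() {}
    }

    // Constructed controller with the corrected annotation.
    static class ControllerAfter {
        @Route("/shutdown") @TrustedApi public void shutdown() {}
        @Route("/status") @ClientApi public void status() {}
    }

    // Assumed policy list: paths that must never be exposed at client trust level.
    static final Set<String> MUST_BE_TRUSTED = new HashSet<>(Arrays.asList("/shutdown"));

    // Returns one finding per endpoint whose trust annotation is missing, conflicting or too weak.
    static List<String> audit(Class<?> controller) {
        List<String> findings = new ArrayList<>();
        for (Method m : controller.getDeclaredMethods()) {
            Route route = m.getAnnotation(Route.class);
            if (route == null) continue; // not an endpoint
            boolean trusted = m.isAnnotationPresent(TrustedApi.class);
            boolean client = m.isAnnotationPresent(ClientApi.class);
            if (trusted == client) // neither annotation, or both at once
                findings.add(route.value() + ": needs exactly one trust annotation");
            else if (MUST_BE_TRUSTED.contains(route.value()) && !trusted)
                findings.add(route.value() + ": must be @TrustedApi, found @ClientApi");
        }
        Collections.sort(findings); // reflection order is unspecified
        return findings;
    }

    public static void main(String[] args) {
        System.out.println("before: " + audit(ControllerBefore.class));
        System.out.println("after:  " + audit(ControllerAfter.class));
    }
}
```

Run as a unit test that fails on any non-empty findings list, a check like this turns a single wrong annotation into a failed build instead of a remotely reachable shutdown endpoint.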


#2

Cheers for the quick bugfix release


#3

thanks for the quick update.


#4

That was a fast fix^^


#5

Checked harvested blocks, seems total sum of harvested XEM is wrong, when I manually add all fees of harvested blocks.


#6

Could someone please point to the upgrade instructions for someone running the .25 standalone .zip? I want to preserve my wallet through the upgrade, obviously.


#7

Could someone please point to the upgrade instructions for someone running the .25 standalone .zip? I want to preserve my wallet through the upgrade, obviously.


the wallet files reside in a path other than the nis/ncc files
linux/mac os x: ~/nem/ncc
windows: http://blog.nem.io/how-to-find-export-or-delete-your-wallet-and-address-book-file

Just unpack the zip and fire up the software -- it will load your wallet.
If you delete/overwrite/change the folder nothing will happen to your wallet.

#8

If the wallet files are destroyed some day for some random reason, is the access to wallet lost then forever?


#9

Checked harvested blocks, seems total sum of harvested XEM is wrong, when I manually add all fees of harvested blocks.

You're not looking at the total for the last 25 blocks, no?

#10


Checked harvested blocks, seems total sum of harvested XEM is wrong, when I manually add all fees of harvested blocks.

You're not looking at the total for the last 25 blocks, no?


No, I'm looking at all harvested blocks. Nembex shows correct total harvested sum, client - no.

#11

If the wallet files are destroyed some day for some random reason, is the access to wallet lost then forever?


if you don't have private key backed-up somewhere - then yes

#12



Checked harvested blocks, seems total sum of harvested XEM is wrong, when I manually add all fees of harvested blocks.

You're not looking at the total for the last 25 blocks, no?


No, I'm looking at all harvested blocks. Nembex shows correct total harvested sum, client - no.


nembex does not understand delegated harvesting, are you using it?

#13




Checked harvested blocks, seems total sum of harvested XEM is wrong, when I manually add all fees of harvested blocks.

You're not looking at the total for the last 25 blocks, no?


No, I'm looking at all harvested blocks. Nembex shows correct total harvested sum, client - no.


nembex does not understand delegated harvesting, are you using it?


No, harvesting locally. Maybe I'm wrong, but client writes "Fees earned from the last 25 harvested blocks". It's a little confusing. In any case, calculating last 25 blocks fees manually, I calculate 882 XEM, but client shows 882.46314 XEM. Don't know from where are these numbers after comma :)

#14

If the wallet files are destroyed some day for some random reason, is the access to wallet lost then forever?


The private key(s) of your account(s) is/are more important than your wallet file.
If you have these then you'll be able to access your funds by importing an existing account in a new wallet. It doesn't really matter all that much if your wallet is destroyed as long as you have the private key(s).

#15


If the wallet files are destroyed some day for some random reason, is the access to wallet lost then forever?


The private key(s) of your account(s) is/are more important than your wallet file.
If you have these then you'll be able to access your funds by importing an existing account in a new wallet. It doesn't really matter all that much if your wallet is destroyed as long as you have the private key(s).


I believe a good practice would be to safely store your private keys as well as wallet and addressbook files. I use KeePass and it can store all of this without issues. Even files.
I have copies of my KeePass db in several places (even printed - so my family members can access all my funds in case of emergency.)

Addressbook I believe needs to be backed up every time you add someone. And wallet file when you create a new account.

#16

I believe a good practice would be to safely store your private keys as well as wallet and addressbook files. I use KeePass and it can store all of this without issues. Even files.


Yeah, I use 1Password for that.
I can only agree with you and advise anyone to use KeePass/1Password or similar.

#17

Is it possible in the future to make an update with one click, like we can do with the NXT client?


#18


I believe a good practice would be to safely store your private keys as well as wallet and addressbook files. I use KeePass and it can store all of this without issues. Even files.


Yeah, I use 1Password for that.
I can only agree with you and advise anyone to use KeePass/1Password or similar.


I do the same but used LastPass with additional two-factor authentication in the form of a Yubikey

KC

#19

As some of you already noticed, there's a serious issue in NIS 0.6.25.

You should update to 0.6.26 as soon as possible.

Bug was truly dumb, /shutdown command had @ClientApi annotation instead of @TrustedApi

https://forum.ournem.com/technical-discussion/nis-shutdown/new/#new


Since many NIS went down, couldn't the attacker take over control of the NEM network? Do some bad things on the blockchain, like removing blocks and doing a fork?

Is it possible to run NIS without allowing incoming connections to port 7890 and still be part of the network?

Do we (do the devs) have any emergency plan if some cracker tries to mess with the blockchain?


FireF

#20

Couldn't the attacker take over control of the NEM network? Do some bad things on the blockchain, like removing blocks and doing a fork?

While a lot of nodes were down (not all) it would have been easier to start a fork, but still very hard. Anyway, it didn't happen, so everything is fine now.


Is it possible to run NIS without allowing incoming connections to port 7890 and still be part of the network?

Yes, of course you can run NIS without opening your port 7890, and you will be part of the network. Other nodes just can't contact you to get information (new blocks etc.). You only contact them, nobody can contact you. You are still supporting the network, but not a lot.


Do we (do the devs) have any emergency plan if some cracker tries to mess with the blockchain?

Nobody can "mess" with the blockchain (fork) as long as he doesn't have > 50% POI. If somebody does, nothing can be done about it but a hard fork with an updated client software. I wonder, did that ever happen to Bitcoin in the early days? Should have been way easier with POW than with POI at NEM now.