
Topic: MyMonero.com - Security Issues - page 2. (Read 8246 times)

hero member
Activity: 768
Merit: 505
June 04, 2015, 06:09:46 AM
#72

-

Code:
   
    
    
    
    
    

This is what I get. Also account.js?4 is in line 56 on my source, you have it in line 57. The modal.js? also differs if you look.

sr. member
Activity: 392
Merit: 255
June 04, 2015, 05:58:29 AM
#71
Fluffy / Smooth - thanks for your direct response and coming here to explain yourselves in a reasoned fashion.

Fluffy - Just on the cookie issue because that's what I'm looking at, MyMonero is definitely serving the account.js?2 version *with* the priv key being sent to the server in the cookie on every http request (so like 10 times on every page refresh and I think there is even a keep alive to send it up too...)

View source on index.html gives this...



...same on Firefox / Chrome / Tor and from a few different locations so it is being served, for whatever reason, at least for me.

And on the web-archive you linked that's indexed today, it's there too if you just change the query string to a 2:

https://web.archive.org/web/20150604040007/https://mymonero.com/js/services/account.js?2

    accountService.setAccountCookie = function() {
        if (accountService.loggedIn()) {
            ipCookie('account', {
                address: accountService.getAddress(),
                view_key: accountService.getViewKey(),
                spend_key: accountService.getSpendKey(),
                seed: accountService.getSeed()
            }, {
                expires: config.accountCookieTimeout,
                expirationUnit: 'minutes'
            });
        }
    };

Maybe some other users can do a 'view source' on the homepage from their end and see which account.js they are getting but I can only get the cookie one above?

Seems like something that should be fixed pretty quick e.g. just delete that code from the server and I would guess existing users need to be alerted that they may have had cookies with their priv key stored in clear-text on disk that can be recovered potentially unless it's been manually shredded?

One question about your comment:  "As mentioned, there's little to no useful information I can gleam from MyMonero that would give me some edge in trading."

...but with the private keys being sent up to the server, that could be used to get a picture on distribution / richlist, plus if you see some of the large balances going up or down with withdrawals / deposits, wouldn't that be good for predicting pumps and dumps? (as statistically most of it I guess would be to Poloniex)

I appreciate what you are saying, but MyMonero has been live for what a year now (?) with the private keys going up to the server so assuming you fix it now, it has been happening up to this point.. at least for some people.......  

...So potentially some accounts are compromised and need to have funds moved because if those keys were intercepted in transit (like man in the middle / cross domain cookie hack / server breach / data retained on server was hacked) then those coins can be stolen at some point in the future too?

How come there is the secrecy too, why is the backend closed source, and also why no indication of how many people use MyMonero - yes it's private but you know yourself as do Google Analytics so why not share this with everyone?

Do you plan to keep MyMonero going and as the #1 option for a wallet presented to users? - how does that tie in with Monero being designed for untraceability / security, it doesn't seem to be achieving that?
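
The point made in the post above, that anything written to a cookie travels in the Cookie header of every request to the site, can be checked on the receiving side. The following is an added example, not code from MyMonero or from any poster in this thread: it audits a Cookie request header for the field names used in the quoted account.js?2 snippet. The serialisation helper is an assumption about how a JSON-serialising cookie library writes an object value, and the sample account values are constructed placeholders.

```javascript
// Field names come from the account.js?2 snippet quoted in the thread.
const FIELD_SEVERITY = { spend_key: 'critical', seed: 'critical', view_key: 'high', address: 'info' };

// Assumption: an object value is stored as encodeURIComponent(JSON.stringify(value)).
// This helper only builds sample input for the audit below.
function serializeAccountCookie(name, value) {
  const raw = typeof value === 'object' ? JSON.stringify(value) : String(value);
  return encodeURIComponent(name) + '=' + encodeURIComponent(raw);
}

// Split a Cookie request header into [name, decodedValue] pairs.
function parseCookieHeader(header) {
  const pairs = [];
  for (const part of String(header || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;                       // skip fragments without '='
    const name = part.slice(0, idx).trim();
    let value = part.slice(idx + 1).trim();
    try { value = decodeURIComponent(value); } catch (e) { /* malformed escape: keep raw */ }
    pairs.push([name, value]);
  }
  return pairs;
}

// Walk a decoded JSON value and record every non-empty key that names wallet material.
function collectFields(node, path, out) {
  if (node === null || typeof node !== 'object') return;
  for (const [key, val] of Object.entries(node)) {
    const here = path ? path + '.' + key : key;
    if (Object.prototype.hasOwnProperty.call(FIELD_SEVERITY, key) && val !== null && val !== '') {
      out.push({ field: here, severity: FIELD_SEVERITY[key] });
    }
    collectFields(val, here, out);
  }
}

// Audit the Cookie header of one request and return a list of findings.
function auditCookieHeader(header) {
  const findings = [];
  for (const [cookie, value] of parseCookieHeader(header)) {
    let parsed = null;
    try { parsed = JSON.parse(value); } catch (e) { /* not JSON */ }
    const isObject = parsed !== null && typeof parsed === 'object';
    if (isObject) {
      const fields = [];
      collectFields(parsed, '', fields);
      for (const f of fields) findings.push({ cookie, field: f.field, severity: f.severity });
    } else if (/^[0-9a-fA-F]{64}$/.test(value)) {
      // Heuristic: a bare 64-hex-digit value is 32 bytes, the size of a Monero key.
      findings.push({ cookie, field: '(value)', severity: 'high' });
    }
  }
  return findings;
}

// Names of the findings that would let a recipient spend funds.
function criticalFields(header) {
  return auditCookieHeader(header)
    .filter(f => f.severity === 'critical')
    .map(f => f.cookie + '.' + f.field);
}

// Constructed sample: placeholder values, not real keys.
const SAMPLE_ACCOUNT = {
  address: '4-CONSTRUCTED-ADDRESS-PLACEHOLDER',
  view_key: 'a'.repeat(64),
  spend_key: 'b'.repeat(64),
  seed: 'constructed placeholder seed words'
};
// What a browser would attach to each request once the cookie is set.
const SAMPLE_HEADER = 'lang=en; ' + serializeAccountCookie('account', SAMPLE_ACCOUNT);

console.log(JSON.stringify(auditCookieHeader(SAMPLE_HEADER), null, 2));
```

Run against request logs or at a reverse proxy, a check like this shows whether any client is still sending the old cookie after the script has been corrected.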
donator
Activity: 1274
Merit: 1060
GetMonero.org / MyMonero.com
June 04, 2015, 04:10:07 AM
#70
Wow I get in a plane and Bitcointalk goes nuts in my absence:)

I think I'm going to start by addressing some of the concerns in BlockaFett's first post. I'd like to note, having read through this thread, that BlockaFett has not contacted me at all to discuss his concerns. I would really have appreciated that as being the first step here, but no matter.

So Fluffypony can technically access distribution / what funds are moving around for all MyMonero wallets which could give him leading info on the market and pumps / dumps etc, whilst no-one else can (being a Cryptonote coin you can't see anything on the blockchain like distribution).

It is absolutely correct that I can see information on MyMonero accounts that others obviously cannot.

On it's own this might be innocent / incompetent in terms of centralizing / deanonimizing Monero users and transactions whilst simultaneously claiming your coin is the most anonymous and decentrazlied coin.

I think you're misunderstanding how the viewkey works. I can see funds that are received, but I can't see which signature in an input is the correct one, so there's very little information I can exploit. At best I can see funds moving between MyMonero accounts, but I have no way of determining whether funds have been transferred out to an exchange or anything like that. Thus I cannot possibly use the information to give me information on dumps, and I cannot possibly know about "pumps" without simultaneously having access to everyone's BTC wallets.

I'd also like to point out that we have never claimed that Monero is the "most decentrazlied coin" (sic), and we definitely don't claim it is the "most anonymous". I'd be hard-pressed to define "most decentralised", but clearly Bitcoin is the only cryptocurrency with enough hashpower and a sufficient distribution of nodes to be called "most decentralised". In terms of anonymity, the ZeroCoin/ZeroCash cryptocurrency (as and when it is released) will offer privacy that is nearly absolute, and thus would earn the crown of "most anonymous". It has other issues (such as cryptography that is untested and not yet sufficiently reviewed), but Monero definitely does not lay claim to that.

I think this may be your misinterpretation of what people are claiming.

But then we find out that Fluffypony has done this before in trying to setup the same type of site for Vertcoin (Vertpay.com) and raising $200,000 to develop that from VTC users.  And that he is also working on Paybee.com, another payment site.

I'm not sure the relevance of this or what connection you're trying to make here. Are you implying that it is bad for me to be building out services for the cryptocurrency ecosystem? Or is the implication that trying to publicly raise funds is bad? I don't see an issue with either - I/we didn't raise any funds in the end with VertPay, and we pivoted off that and repositioned ourselves to create a more generalised solution. I'm still not understanding what your implication is.

Next thing is that 95% of XMR volume is through one exchange, meaning open-season on price-manipulation, and bigger profits from anyone with leading info on what users are doing - and this has been the case for 1 year already, still no other exchanges

You are 100% correct on this. As has been pointed out in this thread already, though, I have made an effort, through MyMonero, to host a giveaway on Bittrex and try and shift some volume there. This is at odds with your implication that somehow I am in cahoots with Poloniex, profiting off their dominance.

So just connecting the dots but what if it's no accident that Monero wallet is dysfunctional after one year (crippled?) and so most wallets are on MyMonero.com and under the sole visibility of the core team, that all volume is still on Poloniex giving whales their a single place to manipulate after one year, that the GUI wasn't added even now Cryptonote has made an open source one so most people go to MyMonero.com, and all on the "most secure and untraceable coin".

The core team does not have visibility on MyMonero's data. Additionally, there are several GUI wallets that the website links to and that plenty of people use. And, too, the CLI wallet is not particularly difficult. Lastly, we put work on the GUI on the back-burner last year after the block 202612 attack, and we indicated publicly why we had to do this. It is imperative that we work to ensure everyone's funds are secure, rather than prematurely shove out some GUI.

Nonetheless, the code for the work we had done on the GUI has been made public: https://github.com/monero-project/monero-core so anyone can work on it and release it.

The CryptoNote GUI wouldn't work with Monero as our code is too differentiated, and there are fundamental changes we've made to the way wallets work and store data, and the way they communicate with the daemon.

Again, we have never claimed to be the "most secure and untraceable coin". Bitcoin is the most secure. ZeroCoin/ZeroCash will be the "most untraceable" (to its detriment, when coupled with the whiz-bang cryptography).

Plus we know that Monero did launch a crippled miner with things like useless loops inserted to slow the mining down, although we don't know if this was innocently copied in from Bytecoin or not.

No, we do know. Git is an amazing tool for being able to step back and look at where code comes from. You can use git-blame yourself on the crippled code, and you can also check where we caught the issues and updated them:

https://github.com/monero-project/bitmonero/commit/3cc45e9324a402aee91e2f46861b2ca393d711aa
https://github.com/monero-project/bitmonero/commit/44f61c3965d569c288520b75356ad3bdc68b47d1

And correlate that with mining hashrate at the time. You will observe that there was a rise in hashrate when we released those changes, not days/weeks before.

Let me ask you something: why would we have made those changes to the hashing algorithm that quickly and released them publicly, when we could instead have quietly mined for weeks or months before making those changes public?

Potentially, are we looking at a coin *setup* as a scam here, with various parts crippled to make sure the core team are the only ones with access to the key 'behind the scenes' market information and are also actually big investors / traders, that all trade is through Poloniex, and then they go around accusing everyone else of being a scam whilst scamming XMR volume behind the scenes?

By the same token, Bitcoin is "potentially *setup* as a scam", as the core developers have access to information that nobody else does. Bitcoin's core maintainers know about features before they're even announced / released, and they could trade on that information. There is no fix for this, other than (I guess) to treat it as insider trading and regulate it accordingly. Trying to fix this problem right now is truly out of scope for Bitcoin, and is dramatically out of scope for us.

Maybe Cryptnote is a prime target for this kind of stuff because everything is hidden - in such an environment, MyMonero / Poloniex owners can go wild if they make use of the info that no one else can have....

As mentioned, there's little to no useful information I can gleam from MyMonero that would give me some edge in trading.

Every exchange can make use of their internal state, and they have WAY more access to information than MyMonero does. They can have their systems automatically pull their orders if there's a buy that will hit them, they can do all sorts of stuff. One need only look at Mtgox's Willy bot to see what exchanges can get up to. We have no way of verifying that Coinbase, Bittrex, btc-e, Bitstamp, Cryptsy, BitFinex, etc. *don't* abuse their internal state / information. So what are we going to do about it? Never use an exchange again?

I'm sure a lot of the Fluffypony fans will be outraged at this suggestion.  And I could be totally wrong.  But if your argument is "I know Fluffy wouldn't do that" then lol because you should know in crypto now anything like this can and does happen, regularly..

I've also said that it's a dumb argument to say "he's such a nice guy", because the best scammers *are* nice guys. That's precisely what con men do for a living. Knowing me is largely irrelevant and I would recommend that any trust is given based on my history and dealings with people. Sources of information could include, for example, the Bitcoin OTC web of trust: http://bitcoin-otc.com/viewratingdetail.php?nick=fluffypony

Additionally, one could consider that I had access to the Mintpal funds. Ferdous asked me for assistance because he couldn't gain access to the wallet (he was struggling to get it restored because it was in an older wallet format, and 0.8.8.6 didn't have the ability to restore that format, which is something we've subsequently fixed). Ferdous had no idea if the funds were still in that wallet. I could easily have told him that they were unfortunately stolen, and then just kept them for myself. It is no wonder that Ferdous said on Twitter: "IMO @fluffyponyza is one of the most honest, smartest and hardest working individuals in this space."

Now to answer some other things that have popped up:

Quote
But then we find out that Fluffypony has done this before in trying to setup the same type of site for Vertcoin (Vertpay.com) and raising $200,000 to develop that from VTC users.  And that he is also working on Paybee.com, another payment site.

Do you have any background on this?  When were the funds raised, how long the website has been in development, where the funds went etc?

At that stage when we wanted to raise funds there was quite a bit of backend development that had been done, all self-funded. We raised $0 because we cancelled the fund-raising as it was clear it was too controversial. This led to some internal changes and a complete refocus of what we wanted to achieve, and a bit of a state of flux for a few months. After this was resolved we began working on the project again in the 2nd half of 2014.

BlockaFett's timing seems to be a little off, as by the time the VertPay funding was scrapped (middle of May, 2014) the Monero core team had already been formed, and we had forked the project away from thankful_for_today (after he refused to accede to the community's wishes). Thus I didn't "move on" to Monero, I was doing both simultaneously (as I continue to do).

OK so I check some of the JS and the first thing that jumps out is this:

(src: https://mymonero.com/js/services/account.js?2)



So looks like spend key and seed are being stored in the user's browser cookie which is sent to the server with every HTTP request.

...which would give 2 main problems:

1) Any browser you log into MyMonero.com will store an unencrypted copy of your spend key and seed (plus address / viewkey) in a cookie file on the disk

2) The spend key and seed are sent to the server on *every HTTP request* meaning that the data is there on the server, you just need one line of code to put that in a DB if you want.

This is 100% correct, but it is also old (as in it predates MyMonero's official launch). Why you're seeing a very old version of the main page is beyond me, but that version of account.js hasn't been around for many, many months. I've confirmed on multiple systems that index.html is passing the correct account.js, and that account.js does not contain that old code. Additionally, you're passing ?2, which is a cachebuster value that we use to ensure nobody is receiving a cached version. Whilst this doesn't match the cachebuster value right now (?4) it still shouldn't have served up such a very, very old file. This could very well be an issue introduced when we were deploying a Phonegap-based QR code scanner on Tuesday morning, but that was rolled back after an hour as it caused endless issues in its detection of mobile devices. To make doubly-sure that this isn't occurring anymore I've cleared every possible server-side cache that could have been serving it.

In order to confirm that this functionality was indeed accidental (in that it was poorly thought through) and also removed ages ago I checked archive.org. The most recent capture of MyMonero is from May 13th, 2015 (https://web.archive.org/web/20150513233042/https://mymonero.com/#/) and has the following account.js: https://web.archive.org/web/20150513233042/https://mymonero.com/js/services/account.js?1 - you can confirm in that, and older versions, that there is no cookie-storage code.

It is important to note JavaScript-based wallets are never going to be really safe, and MyMonero is no exception. I've said before that MyMonero is merely a stopgap solution until we have libraryise completed (so that third-party GUI developers can better hook into core functions) and/or we've found an SPV-style solution (our current work is on using a bloom filter for viewkeys instead of passing the raw viewkey) for lightweight wallets. In fact, the website even says quite clearly: "The clients below are ideal if you are using Monero for the first time".

BlockaFett, I appreciate very much that you have clearly indicated your bias. I understand, too, that you have an inherent desire to ensure people don't get screwed over, and I applaud that. But this is going to become a mud-slinging session and you know it. Whatever answers and responses I've provided above you won't be satisfied with, and eventually it is going to become a frustrating "shouting" match that will only leave things more confusing for the casual reader. I would like to suggest that we find some time for a Skype chat or a phone call to discuss this using a medium that is a little more immediate than Bitcointalk, and you or I can report back afterwards. I understand that you lack time and energy to invest into this, and I understand that. Having just arrived back home from Europe I can assure you that I don't have much time for a back-and-forth on Bitcointalk, but I do absolutely want you to be able to flesh this out and discuss it with me. I am more than happy to make myself available to you for discussion, and if there's anything specific in my answers above that you'd like me to clarify publicly I am also happy to do so.
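
The check both posters describe doing by hand (view source, see which account.js the page references, and look for the cookie code in it) can be scripted. The following is an added example, not part of the post above and not MyMonero's code: the HTML, the app.js reference and the ?4 script body are constructed samples, the ?2 body reuses the snippet quoted in this thread, and the expected cachebuster value 4 is the one the post states is current.

```javascript
// Expected cachebuster per script path; '4' is the value the post gives as current.
const EXPECTED_VERSION = { '/js/services/account.js': '4' };
const KEY_FIELDS = ['spend_key', 'seed', 'view_key'];

// Extract every <script src="..."> reference and split off its cachebuster query.
function scriptRefs(html) {
  const refs = [];
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const [path, version = ''] = m[1].split('?');
    refs.push({ path, version });
  }
  return refs;
}

// Return the key-field names passed inside any ipCookie(...) call in a script source.
function cookieKeyFields(source) {
  const found = new Set();
  const re = /ipCookie\s*\(/g;
  let m;
  while ((m = re.exec(source)) !== null) {
    // Scan forward to the parenthesis that closes this call's argument list.
    let depth = 0;
    let end = source.length;
    for (let i = m.index + m[0].length - 1; i < source.length; i++) {
      if (source[i] === '(') depth++;
      else if (source[i] === ')' && --depth === 0) { end = i + 1; break; }
    }
    const call = source.slice(m.index, end);
    for (const field of KEY_FIELDS) {
      if (new RegExp('\\b' + field + '\\s*:').test(call)) found.add(field);
    }
  }
  return [...found];
}

// Combine both checks: is the referenced version stale, and does its body put keys in a cookie?
function auditPage(html, sources) {
  return scriptRefs(html).map(ref => ({
    path: ref.path,
    served: ref.version,
    stale: Object.prototype.hasOwnProperty.call(EXPECTED_VERSION, ref.path) &&
           EXPECTED_VERSION[ref.path] !== ref.version,
    cookieFields: cookieKeyFields(sources[ref.path + '?' + ref.version] || '')
  }));
}

// Constructed page source standing in for the served index.html.
const SAMPLE_HTML = [
  '<script src="/js/services/account.js?2"></script>',
  '<script src="/js/app.js?7"></script>'
].join('\n');

// Script bodies keyed by the URL they were fetched from (fetched out of band).
const SAMPLE_SOURCES = {
  '/js/services/account.js?2': `
    accountService.setAccountCookie = function() {
        if (accountService.loggedIn()) {
            ipCookie('account', {
                address: accountService.getAddress(),
                view_key: accountService.getViewKey(),
                spend_key: accountService.getSpendKey(),
                seed: accountService.getSeed()
            }, { expires: config.accountCookieTimeout, expirationUnit: 'minutes' });
        }
    };`,
  // Constructed stand-in for a version without cookie storage.
  '/js/services/account.js?4': 'accountService.logout = function() { keys = null; };',
  '/js/app.js?7': 'angular.module("app", []);'
};

console.log(JSON.stringify(auditPage(SAMPLE_HTML, SAMPLE_SOURCES), null, 2));
```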
legendary
Activity: 2968
Merit: 1198
June 04, 2015, 03:43:04 AM
#69
BlockaFett just as a technical matter, you can't reverse stealth addresses even with private keys. So in order to see that coins are moving to Poloniex to allow front-running the market, the MyMonero client would have to send the public destination address to the server before performing ECDH on it. I don't think it does that, or at least there wouldn't be a good reason to do it.

If you find something like that in the code, you are on to something here, otherwise, that aspect of your presentation is debunked.

I don't really think there is anything wrong with the scrutiny here, but I don't see any major problems either, based on what you've shown so far. The cookies thing is interesting, I'd like to hear what the MyMonero developers or other JavaScript experts (I'm not) have to say about it.

The vertpay/paybee connection seems particularly pointless. If he raised money and stole it, that would be one thing, but he didn't. You say it is now self-funded (i.e. he's spending his own money to build a business). I see nothing wrong with it at all based on what you've stated.
sr. member
Activity: 392
Merit: 255
June 04, 2015, 02:50:06 AM
#68
Ah - I remember that drama over on Vertcoin's reddit although I wasn't paying that much attention.  

So he began by trying to raise the money - but eventually shuttered the entire thing without raising it if I understand correctly.

Didn't realize that was fluffypony.  Thank you for the background.

I tend to agree with you on the webwallet.  I still think it's the least of the compromises with anon tech in this space.  But I understand those who feel differently.



Yes, it's morphed into PayBee.com now apparently which is self-funded I think.

Webwallet is one thing but on a Cryptonote coin, that relies on opaque blockchain where no one has access to distribution info / rich list / fund movements, if it can be used to give one entity that information it seems like a big compromise.  

And looks like user's private keys are being sent to the server on MyMonero.com in which case all that would be possible plus spending the coins but waiting for validation on that.
legendary
Activity: 1256
Merit: 1009
June 04, 2015, 02:24:14 AM
#67
Ah - I remember that drama over on Vertcoin's reddit although I wasn't paying that much attention.  

So he began by trying to raise the money - but eventually shuttered the entire thing without raising it if I understand correctly.

Didn't realize that was fluffypony.  Thank you for the background.

I tend to agree with you on the webwallet.  I still think it's the least of the compromises with anon tech in this space.  But I understand those who feel differently.

sr. member
Activity: 392
Merit: 255
June 04, 2015, 02:14:33 AM
#66
Quote
Also some of you know me from lots of confrontations with core Monero supporters / devs on various threads with my Dash investor hat on, which I recently moved most of my alts into.

So I am not the person to be unbiased / neutral when discussing Monero - it's one of several competitors to my main investment so this gives me a conflict of interest when criticizing it.

I really appreciate this honesty.

Quote
But then we find out that Fluffypony has done this before in trying to setup the same type of site for Vertcoin (Vertpay.com) and raising $200,000 to develop that from VTC users.  And that he is also working on Paybee.com, another payment site.

Do you have any background on this?  When were the funds raised, how long the website has been in development, where the funds went etc?

As someone interested in following and owning some Moneros I appreciate the contribution.  Just like I appreciate the Monero supporters concerns over Darkcoin's premine.  People need to grow some skin and decide discovering the truth & negative opinions are your friend in a world that consists of 95% scams.

The Monero inflation really isn't setup to scam unless it's a long term (multi year) setup.  The price seems pretty stable compared to most currencies - probably due to inflation.

sure, there is an interview with Fluffypony where he describes vertpay & the funds he was trying to raise https://soundcloud.com/zerofiat/zero_fiats-vertcoin-update-05-06-2014

but it never got off the ground...there was a lot of pushback from the vertcoin community e.g. https://www.reddit.com/r/vertcoin/comments/2590id/hello_members_of_the_cryptocurrency_community/

and Fluffy cancelled it before joining Monero and setting up MyMonero.com:

To get back to this. For those that missed it, over the past ~48 hours (from Saturday night our time) there's been a systemic attack of VertPay by smearing me and alluding that VertPay is a scam-by-association. While this is blatantly untrue, it would appear that the Vertcoin community as a whole either do not want this IPO to continue or are unsure and swing this way and that. Thus we have decided to shutter the IPO and switch VertPay back to the original focus on launching with several currencies.

You can read more about the decision here.

Those that are still interested in investing in their private capacity under similar terms to the IPO, please contact me via PM or using the details / form on the site. We will continue unabated and unstopped:)

Here is some info on the latest payment site Paybee.com: https://bitcointalksearch.org/topic/m.10964605

My issue with it is the pattern has been used by scammers to get in the middle of coins and take advantage, like Ryan Kennedy in the Moolah / DOGE scandal - the DOGE co-creator gave a good interview about it here https://soundcloud.com/mindtomatter/ltb-e156-the-moolah-story

Not saying that is definitely what's happening here, and if it isn't then no harm in asking because it means they have been checked out / some due diligence has been done.  Although I think a web-wallet is totally inappropriate in an anon-coin like Monero though either way
legendary
Activity: 1256
Merit: 1009
June 04, 2015, 01:35:02 AM
#65
Quote
Also some of you know me from lots of confrontations with core Monero supporters / devs on various threads with my Dash investor hat on, which I recently moved most of my alts into.

So I am not the person to be unbiased / neutral when discussing Monero - it's one of several competitors to my main investment so this gives me a conflict of interest when criticizing it.

I really appreciate this honesty.

Quote
But then we find out that Fluffypony has done this before in trying to setup the same type of site for Vertcoin (Vertpay.com) and raising $200,000 to develop that from VTC users.  And that he is also working on Paybee.com, another payment site.

Do you have any background on this?  When were the funds raised, how long the website has been in development, where the funds went etc?

As someone interested in following and owning some Moneros I appreciate the contribution.  Just like I appreciate the Monero supporters concerns over Darkcoin's premine.  People need to grow some skin and decide discovering the truth & negative opinions are your friend in a world that consists of 95% scams.

The Monero inflation really isn't setup to scam unless it's a long term (multi year) setup.  The price seems pretty stable compared to most currencies - probably due to inflation.
sr. member
Activity: 392
Merit: 255
June 04, 2015, 12:56:34 AM
#64
I don't mind people like BlockaFett with their usual BS and lies, he said on two occasions, that I can remember, he would leave the forums for months after being publicly humiliated only to return the next day to troll more, so we are dealing with a pathological liar here, the worst are the ones that say to hate both Monero and dash/darkcoin as if it makes them look special or something, they are the real joy of the thread.

Btw since BlockaFett is so worried about Mintpal et al he should at least note the effort fluffy did to recover the users funds:

Important update for those that had funds on MintPal

We worked with the former MintPal developers who managed to get the wallet from the server, and we're happy to confirm that we have assisted them in recovering the *full* balance that was on MintPal. If you had Monero on it, you will have received an email from them, and you will be able to withdraw it. Not a single Monero was lost, which really is very fortunate.

Yes XMR was 100% safe on Mintpal, Ryan Kennedy went straight for the BTC and darkcoins.  Fluffy didn't need to do any 'work' unless there was a problem with the XMR wallet, Ferdous was already on the case refunding various coins.

Like your take on things Kazuki, typically twisted-reality like most of your ramblings.  Although I did say twice I would take a backseat on BCT, but every time I did when I checked the forum there were the usual throngs of XMR trolls filling every page in the alt section with FUD and trying to bully people to buy Monero and slandering everything in your path so I feel like someone should stand up to your kind of behavior, if that's ok with you?
sr. member
Activity: 392
Merit: 255
June 03, 2015, 10:24:52 PM
#63
Like I keep saying, you have no idea what you are talking about.  The JS is just a wrapper to the api which is the backend which is closed source.

You seem not to know what people are trying to tell you.... yes, the API to interact with the blockchain are on the server side, but everything is done on client side.... the server side have only your viewkey, don't have your spend key, the only thing that mymonero knows about your monero wallet is your inputs... when you want to spend anything the encryption is made on client side... If you know "WEB" as you say you know be my guest and check the code...

OK so I check some of the JS and the first thing that jumps out is this:

(src: https://mymonero.com/js/services/account.js?2)



So looks like spend key and seed are being stored in the user's browser cookie which is sent to the server with every HTTP request.

...which would give 2 main problems:

1) Any browser you log into MyMonero.com will store an unencrypted copy of your spend key and seed (plus address / viewkey) in a cookie file on the disk

2) The spend key and seed are sent to the server on *every HTTP request* meaning that the data is there on the server, you just need one line of code to put that in a DB if you want.

I couldn't get past the create account page to grab the actual cookie, it was like this 2 days ago when I tried too...



So I can't generate the 'account' cookie from above to validate this code....and I can't try transactions to see what else might be sent up to the server....can someone from Monero who can login validate this? - i mean login successfully and then pull the actual 'account' cookie from a get request and paste it here so we can have a look? (obviously on a test account not on your actual XMR account if it contains your spend key)

BTW cookies are stored using Angular JS IPCookie: https://github.com/ivpusic/angular-cookie/blob/master/angular-cookie.js
legendary
Activity: 868
Merit: 1006
June 03, 2015, 04:57:52 PM
#62
I don't mind you investigating, when there is a flaw it needs to be fixed... if it's a flaw.

But what I mind is that I do not understand that you call Monero a scam... but are perfectly fine about Dash's shady past ( which we don't need to get into because all has been said plenty of times )

It's reply-bait. The only purpose of this thread is so the words 'Investigate Monero' can be perpetually alive in the altcoin section, thus subtly insinuating that it's some kind of scam. The actual dialogue is meaningless.

Well, and it certainly worked because my mind automatically associated this thread with a Monero FUD thread.
As far as this goes, from what I've seen about fluffypony he seems like a legit hard working guy trying to make the coin better, let's hope he isn't another letdown. Personally I trust him more than Duffield.
hero member
Activity: 966
Merit: 1003
June 03, 2015, 03:28:12 PM
#61
That is really shitty man. We aren't children on the playground gossiping about each other. Why would you post on the forum without first talking to the person you are accusing and asking them wtf is going on? You are no better than every fucking whiteknight SJW posting on tumblr. People like you make me sick.

Grow up and stop acting like a kid. Just send the dude a message and tell him what you're worried about. Are you so scared of him that you're posting this shit on a forum thread first? Coward.

You could've posted that on a whole lot of threads before this one, what made you to decide to get all concerned just now?
sr. member
Activity: 350
Merit: 250
June 03, 2015, 03:06:06 PM
#60
I don't mind people like BlockaFett with their usual BS and lies, he said on two occasions, that I can remember, he would leave the forums for months after being publicly humiliated only to return the next day to troll more, so we are dealing with a pathological liar here, the worst are the ones that say to hate both Monero and dash/darkcoin as if it makes them look special or something, they are the real joy of the thread.

Btw since BlockaFett is so worried about Mintpal et al he should at least note the effort fluffy did to recover the users funds:

Important update for those that had funds on MintPal

We worked with the former MintPal developers who managed to get the wallet from the server, and we're happy to confirm that we have assisted them in recovering the *full* balance that was on MintPal. If you had Monero on it, you will have received an email from them, and you will be able to withdraw it. Not a single Monero was lost, which really is very fortunate.
legendary
Activity: 1456
Merit: 1000
June 03, 2015, 02:52:46 PM
#59
Like I keep saying, you have no idea what you are talking about.  The JS is just a wrapper to the api which is the backend which is closed source.

You seem not to know what people are trying to tell you.... yes, the API to interact with the blockchain are on the server side, but everything is done on client side.... the server side have only your viewkey, don't have your spend key, the only thing that mymonero knows about your monero wallet is your inputs... when you want to spend anything the encryption is made on client side... If you know "WEB" as you say you know be my guest and check the code...

You are wasting your time.  The only reason he is spewing this nonsense is because there are about a dozen threads by a dozen different people criticizing his precious DASH about the myriad of fallacies and shortcomings inherent in that scam coin.  I believe he is well aware of how factually unfounded his accusations are.

First of all, the whole premise for this monero ""vulnerability"" is he states that most monero transactions go through mymonero which is an outrageous assumption.  Mymonero is simply a web wallet used mostly by noobs who don't want to download the blockchain and run their own wallets.

Even the rest of the DASH DEFENDERS™  are too embarrassed to join him in this ridiculous discussion about unfounded allegations based on absurd assumptions.



member
Activity: 95
Merit: 10
June 03, 2015, 10:37:49 AM
#58
Like I keep saying, you have no idea what you are talking about.  The JS is just a wrapper to the api which is the backend which is closed source.

You seem not to know what people are trying to tell you.... yes, the API to interact with the blockchain is on the server side, but everything is done on the client side.... the server side has only your viewkey, doesn't have your spend key, the only thing that mymonero knows about your monero wallet is your inputs... when you want to spend anything the encryption is made on the client side... If you know "WEB" as you say you know, be my guest and check the code...
legendary
Activity: 1105
Merit: 1000
June 02, 2015, 07:23:18 PM
#57
For some reason I think certain people are not happy with this thread and would like it to go away......can't think why.



Neither can I: AFAIK only one of those thread starters is a Monero supporter (generalizethis).
sr. member
Activity: 392
Merit: 255
June 02, 2015, 06:43:57 PM
#56
For some reason I think certain people are not happy with this thread and would like it to go away......can't think why.

sr. member
Activity: 392
Merit: 255
June 02, 2015, 05:14:19 PM
#55
Othe - can't deal with the eye-bleed from trying to decode the word salad you made of my posts so I just paste in your points here:

"Without the spendkey you don't see what outputs have been spent etc.
MyMonero users are less private, obviously, but that doesn't endanger the others."

I think on an opaque blockchain coin, having users do their transactions on the dev's personal closed-source website is a danger. We are going round in circles....

"Another lie - MoneroX works fine on Linux, Windows and OSX.
Works and looks the same as Bitcoin QT, aka Dashcoin QT."

So I am a liar because MoneroX works fine, then what is this?

It's been a few days now that Monero-X wont start anymore.

It's crashing with

Code:
Unhandled Exception:
System.IO.FileNotFoundException: Could not load file or assembly 'System.Runtime, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a' or one of its dependencies.
File name: 'System.Runtime, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a'
[ERROR] FATAL UNHANDLED EXCEPTION: System.IO.FileNotFoundException: Could not load file or assembly 'System.Runtime, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a' or one of its dependencies.
File name: 'System.Runtime, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a'

System is Linux Mint 17.1

It had been working well before. Any hint on what could be provoking this?

Thanks!

"Obviously because you are an idiot who wasn't even able to check the sourcecode :-) No i am not talking to someone who knows sth. Definitely not.
You see in the JS what is sent to the server and what not, no need to make stupid speculations. Just go and check it."

Like I keep saying, you have no idea what you are talking about.  The JS is just a wrapper to the api which is the backend which is closed source.

To save the tediousness Othe of you having to shout for the next 50 posts that everything is open source on MyMonero - maybe take a deep breath, go read some basic Javascript / web dev tutorials, learn what a backend is aka what 'server side' means.  Or if you want to insist that it's open source, then please post me the API / backend source.

Honestly you act like a proper thug hyperventilating over every point and calling it a lie when a 5 year old can go and paste a link to show you you are wrong...and you call me a liar lol.  MyMonero is 100% closed source apart from the client-side javascript (obviously), meaning anything of any importance to security or privileged financial information.  MoneroX is not a viable alternative to MyMonero as the thread is full of users complaining it doesn't work.  I seriously hope you are not a Monero dev for their sake.

EDIT: Let's not argue Othe, there is nothing more that I want to say...what I presented was a theory about how you have a structural problem, I honestly am not bothered what you do with that info and no point in repeating myself.  If you don't agree, no skin off my nose.
sr. member
Activity: 392
Merit: 255
June 02, 2015, 03:41:41 PM
#54

Oh my god this is getting ridiculous, let's close this discussion.

Come to talk on IRC #monero & #monero-dev if you found any real bug or real exploit.



I am not discussing a bug or exploit, and if it's ok with you I would rather remain here on a public forum.

When I use the word 'exploit' I mean someone might be exploiting the opaque blockchain nature of Monero, by setting things up to have a view right inside it.

If you don't want to comment on that, your choice, but probably best not to try to misconstrue what is being discussed here.
legendary
Activity: 2156
Merit: 1131
June 02, 2015, 03:33:40 PM
#53
 
Oh my god this is getting ridiculous, let's close this discussion.

Come to talk on IRC #monero & #monero-dev if you found any real bug or real exploit.
