Wow I get in a plane and Bitcointalk goes nuts in my absence:)
I think I'm going to start by addressing some of the concerns in BlockaFett's first post. I'd like to note, having read through this thread, that BlockaFett has not contacted me at all to discuss his concerns. I would really have appreciated that as being the first step here, but no matter.
So Fluffypony can technically access distribution / what funds are moving around for all MyMonero wallets which could give him leading info on the market and pumps / dumps etc, whilst no-one else can (being a Cryptonote coin you can't see anything on the blockchain like distribution).
It is absolutely correct that I can see information on MyMonero accounts that others obviously cannot.
On it's own this might be innocent / incompetent in terms of centralizing / deanonimizing Monero users and transactions whilst simultaneously claiming your coin is the most anonymous and decentrazlied coin.
I think you're misunderstanding how the viewkey works. I can see funds that are received, but I can't see which signature in an input is the correct one, so there's very little information I can exploit. At best I can see funds moving between MyMonero accounts, but I have no way of determining whether funds have been transferred out to an exchange or anything like that.
Thus I cannot possibly use the information to give me information on dumps, and I cannot possibly know about "pumps" without simultaneously having access to everyone's BTC wallets.
I'd also like to point out that we have never claimed that Monero is the "most decentrazlied coin" (
sic), and we definitely don't claim it is the "most anonymous". I'd be hard-pressed to define "most decentralised", but clearly Bitcoin is the only cryptocurrency with enough hashpower and a sufficient distribution of nodes to be called "most decentralised". In terms of anonymity, the ZeroCoin/ZeroCash cryptocurrency (as and when it is released) will offer privacy that is nearly absolute, and is thus would earn the crown of "most anonymous". It has other issues (such as cryptography that is untested and not yet sufficiently reviewed), but Monero definitely does not lay claim to that.
I think this may be your misinterpretation of what people are claiming.
But then we find out that Fluffypony has done this before in trying to setup the same type of site for Vertcoin (Vertpay.com) and raising $200,000 to develop that from VTC users. And that he is also working on Paybee.com, another payment site.
I'm not sure the relevance of this or what connection you're trying to make here. Are you implying that it is bad for me to be building out services for the cryptocurrency ecosystem? Or is the implication that trying to publicly raise funds is bad? I don't see an issue with either - I/we didn't raise any funds in the end with VertPay, and we pivoted off that and repositioned ourselves to create a more generalised solution. I'm still not understanding what your implication is.
Next thing is that 95% of XMR volume is through one exchange, meaning open-season on price-manipulation, and bigger profits from anyone with leading info on what users are doing - and this has been the case for 1 year already, still no other exchanges
You are 100% correct on this. As has been pointed out in this thread already, though, I have made an effort, through MyMonero, to host a giveaway on Bittrex and try and shift some volume there. This is at odds with your implication that somehow I am in cahoots with Poloniex, profiting off their dominance.
So just connecting the dots but what if it's no accident that Monero wallet is dysfunctional after one year (crippled?) and so most wallets are on MyMonero.com and under the sole visibility of the core team, that all volume is still on Poloniex giving whales their a single place to manipulate after one year, that the GUI wasn't added even now Cryptonote has made an open source one so most people go to MyMonero.com, and all on the "most secure and untraceable coin".
The core team does not have visibility on MyMonero's data. Additionally, there are several GUI wallets that the website links to and that plenty of people use. And, too, the CLI wallet is not particularly difficult. Lastly, we put work on the GUI on the back-burner last year after the block 202612 attack, and we indicated publicly why we had to do this. It is imperative that we work to ensure everyone's funds are secure, rather than prematurely shove out some GUI.
Nonetheless, the code for the work we had done on the GUI has been made public:
https://github.com/monero-project/monero-core so anyone can work on it and release it.
The CryptoNote GUI wouldn't work with Monero as our code is too differentiated, and there are fundamental changes we've made to the way wallets work and store data, and the way they communicate with the daemon.
Again, we have never claimed to be the "most secure and untraceable coin". Bitcoin is the most secure. ZeroCoin/ZeroCash will be the "most untraceable" (to its detriment, when coupled with the whiz-bang cryptography).
Plus we know that Monero did launch a crippled miner with things like useless loops inserted to slow the mining down, although we don't know if this was innocently copied in from Bytecoin or not.
No, we do know. Git is an amazing tool for being able to step back and look at where code comes from. You can use git-blame yourself on the crippled code, and you can also check where we caught the issues and updated them:
https://github.com/monero-project/bitmonero/commit/3cc45e9324a402aee91e2f46861b2ca393d711aahttps://github.com/monero-project/bitmonero/commit/44f61c3965d569c288520b75356ad3bdc68b47d1And correlate that with mining hashrate at the time. You will observe that there was a rise in hashrate when we released those changes, not days/weeks before.
Let me ask you something: why would we have made those changes to the hashing algorithm that quickly and released them publicly, when we could instead have quietly mined for weeks or months before making those changes public?
Potentially, are we are looking at a coin *setup* as a scam here, with various parts crippled to make sure the core team are the only ones with access to the key 'behind the scenes' market information and are also actually big investors / traders, that all trade is through Poloniex, and then they go around accusing everyone else of being a scam whilst scamming XMR volume behind the scenes?
By the same token, Bitcoin is "potentially *setup* as a scam", as the core developers have access to information that nobody else does. Bitcoin's core maintainers know about features before they're even announced / released, and they could trade on that information. There is no fix for this, other than (I guess) to treat it as insider trading and regulate it accordingly. Trying to fix this problem right now is truly out of scope for Bitcoin, and is dramatically out of scope for us.
Maybe Cryptnote is a prime target for this kind of stuff because everything is hidden - in such an environment, MyMonero / Poloniex owners can go wild if they make use of the info that no one else can have....
As mentioned, there's little to no useful information I can gleam from MyMonero that would give me some edge in trading.
Every exchange can make use of their internal state, and they have WAY more access to information than MyMonero does. They can have their systems automatically pull their orders if there's a buy that will hit them, they can do all sorts of stuff. One need only look at Mtgox's Willy bot to see what exchanges can get up to. We have no way of verifying that Coinbase, Bittrex, btc-e, Bitstamp, Cryptsy, BitFinex, etc. *don't* abuse their internal state / information. So what are we going to do about it? Never use an exchange again?
I'm sure a lot of the Fluffypony fans will be outraged at this suggestion. And I could be totally wrong. But if your argument is "I know Fluffy wouldn't do that" then lol because you should no in crypto now anything like this can and does happen, regularly..
I've also said that it's a dumb argument to say "he's such a nice guy", because the best scammers *are* nice guys. That's precisely what con men do for a living. Knowing me is largely irrelevant and I would recommend that any trust is given based on my history and dealings with people. Sources of information could include, for example, the Bitcoin OTC web of trust:
http://bitcoin-otc.com/viewratingdetail.php?nick=fluffyponyAdditionally, one could consider that I had access to the Mintpal funds. Ferdous asked me for assistance because he couldn't gain access to the wallet (he was struggling to get it restored because it was in an older wallet format, and 0.8.8.6 didn't have the ability to restore that format, which is something we've subsequently fixed). Ferdous had no idea if the funds were still in that wallet. I could easily have told him that they were unfortunately stolen, and then just kept them for myself. It is no wonder that
Ferdous said on Twitter: "IMO @fluffyponyza is one of the most honest, smartest and hardest working individuals in this space."
Now to answer some other things that have popped up:
But then we find out that Fluffypony has done this before in trying to setup the same type of site for Vertcoin (Vertpay.com) and raising $200,000 to develop that from VTC users. And that he is also working on Paybee.com, another payment site.
Do you have any background on this? When were the funds raised, how long the website has been in development, where the funds went etc?
At that stage when we wanted to raise funds there was quite a bit of backend development that had been done, all self-funded. We raised $0 because we cancelled the fund-raising as it was clear it was too controversial. This lead to some internal changes and a complete refocus of what we wanted to achieve, and a bit of a state of flux for a few months. After this was resolved we began working on the project again in the 2nd half of 2014.
BlockaFett's timing seems to be a little off, as by the time the VertPay funding was scrapped (middle of May, 2014) the Monero core team had already been formed, and we had forked the project away from thankful_for_today (after he refused to accede to the community's wishes). Thus I didn't "move on" to Monero, I was doing both simultaneously (as I continue to do).
OK so I check some of the JS and the first thing that jumps out is this:
(src:
https://mymonero.com/js/services/account.js?2)
So looks like spend key and seed are being stored in the user's browser cookie which is
sent to the server with every HTTPrequest.
...which would give 2 main problems:
1) Any browser you log into MyMonero.com will store an unencrypted copy of your spend key and seed (plus address / viewkey) in a cookie file on the disk
2) The spend key and seed are sent to the server on *every HTTP request* meaning that the data is there on the server, you just need one line of code to put that in a DB if you want.
This is 100% correct, but it is also old (as in it predates MyMonero's official launch). Why you're seeing a very old version of the main page is beyond me, but that version of account.js hasn't been around for many, many months. I've confirmed on multiple systems that index.html is passing the correct account.js, and that account.js does not contain that old code. Additionally, you're passing ?2, which is a cachebuster value that we use to ensure nobody is receiving a cached version. Whilst this doesn't match the cachebuster value right now (?4) it still shouldn't have served up such a very, very old file. This could very well be an issue introduced when we were deploying a Phonegap-based QR code scanner on Tuesday morning, but that was rolled back after an hour as it caused endless issues in its detection of mobile devices. To make doubly-sure that this isn't occurring anymore I've cleared every possible server-side cache that could have been serving it.
In order to confirm that this functionality was indeed accidental (in that it was poorly thought through) and also removed ages ago I checked archive.org. The most recent capture of MyMonero is from May 13th, 2015 (
https://web.archive.org/web/20150513233042/https://mymonero.com/#/) and has the following account.js:
https://web.archive.org/web/20150513233042/https://mymonero.com/js/services/account.js?1 - you can confirm in that, and older versions, that there is no cookie-storage code.
It is important to note JavaScript-based wallets are never going to be really safe, and MyMonero is no exception. I've said before that MyMonero is merely a stopgap solution until we have libraryise completed (so that third-party GUI developers can better hook into core functions) and/or we've found an SPV-style solution (our current work is on using a bloom filter for viewkeys instead of passing the raw viewkey) for lightweight wallets. In fact, the website even says quite clearly: "The clients below are ideal if you are using Monero for the first time".
BlockaFett, I appreciate very much that you have clearly indicated your bias. I understand, too, that you have an inherent desire to ensure people don't get screwed over, and I applaud that. But this is going to become a mud-slinging session and you know it. Whatever answers and responses I've provided above you won't be satisfied with, and eventually it is going to become a frustrating "shouting" match that will only leave things more confusing for the casual reader. I would like to suggest that we find some time for a Skype chat or a phone call to discuss this using a medium that is a little more immediate than Bitcointalk, and you or I can report back afterwards. I understand that you lack time and energy to invest into this, and I understand that. Having just arrived back home from Europe I can assure you that I don't have much time for a back-and-forth on Bitcointalk, but I do absolutely want you to be able to flesh this out and discuss it with me. I am more than happy to make myself available to you for discussion, and if there's anything specific in my answers above that you'd like me to clarify publicly I am also happy to do so.
