Topic: [SDC] ShadowCash | Welcome to the UMBRA - page 102. (Read 1289635 times)

legendary
Activity: 2968
Merit: 1198
February 13, 2016, 11:02:54 AM
@smooth: Is a quote from 2 years ago still worth something now?

It wasn't entirely based on a quote, but also on some discussions I've had with people who understand the cryptography better than I do. I read the section of the paper coins101 posted and the modification to provide privacy against unbounded opponents seems to require a private (and guaranteed secure) side channel. I'm not sure how that is going to work in practice; it seems like a significant deviation from how cryptocurrencies normally operate. I'm not saying it couldn't be worthwhile, but many details would need to be worked out.

Quote
@coins101: To answer coins101 on the zerocash implementation, it looks like the good way to go, yes.

From the start it has been announced that Shadow would prefer a zerocoin implementation over ring signatures when that tech is ready.

I can confirm they have stated this in various (public) discussions with me over the past couple of years. Of course having a goal and actually implementing it are two different things, but I wish them the best with it. I expect there will be quite a few people working on different Zerocash implementations, not just the Zcash one that seems to be getting a bit of hype now.

legendary
Activity: 2968
Merit: 1198
February 13, 2016, 10:59:06 AM
I've got a question for you, smooth: will Monero provide a marketplace for its users?

There is a community project to create a fork of Open Bazaar supporting Monero natively. So far the project hasn't gone very well, but some of that may be related to delays in the underlying Open Bazaar development. That's probably off topic here though. You know where to find us if you want to discuss more.
legendary
Activity: 1456
Merit: 1000
February 13, 2016, 10:57:52 AM
@smooth: Is a quote from 2 years ago still worth something now?

@coins101: To answer coins101 on the zerocash implementation, it looks like the good way to go, yes.

From the start it has been announced that Shadow would prefer a zerocoin implementation over ring signatures when that tech is ready.

I'll accept that as an official bounty award. I'm happy to wait until formal confirmation of the switch before expecting to collect.
legendary
Activity: 868
Merit: 1006
February 13, 2016, 10:54:10 AM
@smooth: Is a quote from 2 years ago still worth something now?

@coins101: To answer coins101 on the zerocash implementation, it looks like the good way to go, yes.

From the start it has been announced that Shadow would prefer a zerocoin implementation over ring signatures when that tech is ready.

legendary
Activity: 2968
Merit: 1198
February 13, 2016, 10:53:30 AM
I wasn't familiar with what they said about the proposed modification so I can't comment on it further. Sounds interesting.

legendary
Activity: 1456
Merit: 1000
February 13, 2016, 10:47:14 AM
So I'm going to be a broken record on this issue. I'll repeat it a few more times, probably, until it sinks in or someone from the dev team tells me to piss off. Feel free to use those words.

People are actively working on quantum computer chips. As far as I can tell, only zerocash users have some level of comfort that they won't be affected.

Zerocash is not quantum safe by any means. If that is your concern, do not go there.

(Nor are any of these other coins, so please don't take this as FUD or pumping of anything.)

Quantum-safe cryptographic methods are a current area of research. Zerocash may or may not be desirable for other reasons. Quantum computers are not one of them.

I would be interested to debate this, but, on my part, it would be based on personal opinions and not backed by scientific facts. So for now, I'll defer to the zerocash peer reviewed paper that tackles quantum computing resistance. They seem to indicate that zerocash users would be able to dodge quantum chips going through their blockchain and unmixing / clear texting transactions:

http://zerocash-project.org/media/pdf/zerocash-extended-20140518.pdf
newbie
Activity: 36
Merit: 0
February 13, 2016, 10:44:58 AM
I've got a question for you, smooth: will Monero provide a marketplace for its users?
legendary
Activity: 2968
Merit: 1198
February 13, 2016, 10:32:23 AM
So I'm going to be a broken record on this issue. I'll repeat it a few more times, probably, until it sinks in or someone from the dev team tells me to piss off. Feel free to use those words.

People are actively working on quantum computer chips. As far as I can tell, only zerocash users have some level of comfort that they won't be affected.

Zerocash is not quantum safe by any means. If that is your concern, do not go there.

(Nor are any of these other coins, so please don't take this as FUD or pumping of anything.)

Quantum-safe cryptographic methods are a current area of research. Zerocash may or may not be desirable for other reasons. Quantum computers are not one of them.
legendary
Activity: 1456
Merit: 1000
February 13, 2016, 10:17:06 AM
So I'm going to be a broken record on this issue. I'll repeat it a few more times, probably, until it sinks in or someone from the dev team tells me to piss off. Feel free to use those words.

People are actively working on quantum computer chips. As far as I can tell, only zerocash users have some level of comfort that they won't be affected. Users may have to do a little more work to protect themselves, but they would be the only crypto users that would sleep relatively well at night.

On the flip side, where quantum chips are put into production, other mathematically protected mixing currencies would have a problem.

The obvious responses are - zerocash is vaporware; it has an issue with trusted set-up; etc. In addition, the usual response is quantum chips don't exist and if they do they will take years to develop.

These are valid responses, but they are just temporary issues. I don't think this is controversial:

https://moneroeconomy.com/faq/can-cryptography-behind-monero-be-broken

If SDC users thus far are at risk, imagine the damage that would be done in 3, 5, 10, 15 years time. As has been previously noted, historical transactions are the issue. With quantum chips, this is an issue for other anon coins.  Telling people to use alternatives is one thing, but it needs to be done with a health warning.

In my personal view, mainly because of the brains / team behind zerocash's technical development (which I would distinguish from the zcash implementation), Zerocash is the better longer-term route for SDC.

The market is the main use case, so the decision on which token is used has to be the best option over the longer term.

Get a road map to switch to zerocash that ties with the end of Alpha testing and start of beta and SDC will have dodged a future bullet. Something Bitcoin users and some other anon coins can't.

I'm not losing any sleep over SDC, but I would be keen to follow the project, from a technical point of view, if it tries to implement zerocash.
sr. member
Activity: 286
Merit: 250
February 13, 2016, 09:53:47 AM
TECNOVERT

Tecnovert is real but isn't actively contributing to development at present.

So, you don't, at present, have any cryptographer at all? Does this seem like it might be a problem?

Glad that from everything I wrote you were able to find something else to use as ammunition smooth. You're nothing if not efficient. The project is open source and community-driven so if you, or better yet - someone actually qualified would like to join us and help in that department they'd be made most welcome.
legendary
Activity: 1960
Merit: 1128
February 13, 2016, 09:47:06 AM
code: You're wrong about minimizing the damage. I get what you're trying to say, but you occasionally leave out the possibility that such disclosures can cause (financial) damage without even having to be true.

There is no way to minimize the "financial damage" by reporting it privately, except to allow insiders to trade ahead of everyone else. Brilliant idea.

If the report were untrue, that would be a different matter. It certainly was true. If anything, more financial damage was caused by the false "Deanonymized? Nope" statement put out by the Shadowcash team about the report being incorrect and that it couldn't be reproduced after 10 hours of work by your core developers. That may have misled people into making trades on the basis of a false statement (yours). That's what I call financial damage.

Maybe you guys should have worked on it privately instead of making a statement to (falsely) calm the market when you didn't know what you were talking about.

Very true. Just the idea of reporting it privately is stupid.
legendary
Activity: 2968
Merit: 1198
February 13, 2016, 09:45:47 AM
TECNOVERT

Tecnovert is real but isn't actively contributing to development at present.

So, you don't, at present, have any cryptographer at all? Does this seem like it might be a problem?

sr. member
Activity: 337
Merit: 250
February 13, 2016, 09:43:14 AM
code: You're wrong about minimizing the damage. I get what you're trying to say, but you occasionally leave out the possibility that such disclosures can cause (financial) damage without even having to be true. Something which we had to assume until proven because the formal requirements of reporting had not been fulfilled and we were caught off the hook by a bug. That's why they are in place, and lots of bug bounty programs have this mechanism in place to push people to report and investigate privately. I deduce his intentions based on the fact that he chose to ignore the formal requirement. We don't weasel out of shit, I speak for myself and I'm not in charge of the bounties.

I have given my research to sdcdev, I too figured out it was vulnerable after investigating the code. We started work on fixing this bug as soon as possible.

Who is in charge of these decisions/bounties? 
legendary
Activity: 2968
Merit: 1198
February 13, 2016, 09:37:49 AM
code: You're wrong about minimizing the damage. I get what you're trying to say, but you occasionally leave out the possibility that such disclosures can cause (financial) damage without even having to be true.

There is no way to minimize the "financial damage" by reporting it privately, except to allow insiders to trade ahead of everyone else. Brilliant idea.

If the report were untrue, that would be a different matter. It certainly was true. If anything, more financial damage was caused by the false "Deanonymized? Nope" statement put out by the Shadowcash team about the report being incorrect and that it couldn't be reproduced after 10 hours of work by your core developers. That may have misled people into making trades on the basis of a false statement (yours). That's what I call financial damage.

Maybe you guys should have worked on it privately instead of making a statement to (falsely) calm the market when you didn't know what you were talking about.
sr. member
Activity: 624
Merit: 250
February 13, 2016, 09:27:16 AM
code: You're wrong about minimizing the damage. I get what you're trying to say, but you occasionally leave out the possibility that such disclosures can cause (financial) damage without even having to be true. Something which we had to assume until proven because the formal requirements of reporting had not been fulfilled and we were caught off the hook by a bug. That's why they are in place, and lots of bug bounty programs have this mechanism in place to push people to report and investigate privately. I deduce his intentions based on the fact that he chose to ignore the formal requirement. We don't weasel out of shit, I speak for myself and I'm not in charge of the bounties.

I have given my research to sdcdev, I too figured out it was vulnerable after investigating the code. We started work on fixing this bug as soon as possible.
sr. member
Activity: 286
Merit: 250
February 13, 2016, 09:20:17 AM
-- snip --

-It is you The Team who have wholesale copied technologies like Bitmessage and Cryptonote and produced plagiaristic whitepapers without proper attribution.
-It is you The Team who failed to deliver on the peer review paid for by this community over a year ago.
-It is you The Team who reduced the total supply without consensus and continued thereafter to make decisions without community consensus.

So please, do not speak of ethics.

I appreciate the more constructive tone of your posts now Child_Harold, but your frustration over the way the peer review was handled is causing you to wrongly attribute things to maliciousness or bad faith. The below is just my personal response to some of your points and the current situation. I don't presume to speak for the team or anyone else here.


SHADOWCHAT

Unfortunately I don't have the technical know-how to speak authoritatively on this, but from my understanding the code is substantially different from Bitmessage's because there was no C++ implementation of it. It wasn't converted from Java/Python, but written from scratch based on an overview of their system.

Part of the problem with Ryno withdrawing from public forums such as Bitcointalk (a decision I can understand) is that these debates have predominantly been conducted on a superficial level, with the focus on hastily put together marketing materials such as the whitepaper rather than on analysis of the code itself. But if the intention was to hide the fact that ShadowChat drew upon Bitmessage's system it wouldn't have been referenced in the whitepaper or, more importantly, unambiguously in the code comments. Cries of "plagiarism" are nonsensical.


TECNOVERT

Tecnovert is real but isn't actively contributing to development at present.


ZEUNER REVIEW

From what I know of the situation, with each fresh request for further documentation the suspicion grew that Isidor Zeuner simply wasn't properly qualified to carry out the kind of peer review Shadow required. Had he been, we surely would have known about this issue sooner. There was real clamour for some kind of review at the time, presumably because some hoped that it would remedy what was seen as the market's lukewarm response to the ShadowSend v2 release. However, you're re-writing history by suggesting he was hired to carry out the review. Zeuner was suggested and afterwards there was a donation drive to raise 5 BTC as a token of gratitude. Obviously in hindsight he should have been properly vetted first and the BTC shouldn't have been transferred to him until it was reasonably certain that he'd deliver. But like I said, there was a real clamour for some kind of review to be done. I think it could have been dealt with better - it seems that for some time it was believed the review could be salvaged but too much of the discussion was held behind closed doors. Had it all been conducted publicly it would have saved a lot of trouble and wouldn't have left room for baseless conspiracies to take root.


As an aside, it's pretty sad seeing the way some people (on both sides of the fence) have reacted to the current situation. I can't imagine anywhere else in the open source world where people from different projects would take so much satisfaction in, and would be so keen to gloat about, a vulnerability being found in another project's code. This behaviour seems to be considered reasonable because it's so common here, but in most other situations it'd be considered completely beyond the pale. At best they look like children. At worst like troops of warring monkeys. There's probably a pretty interesting sociological/zoological study there for anyone with the stomach to sift through the crapflood of invective. The project's goal is to allow people to transact online privately because we believe they have a right to do so. It's hard to reconcile other purported advocates of a right to privacy taking such sadistic pleasure in a bug being found.


Anyway, several good things have come out of this. Firstly, the conversation is now actually about the code. Obviously it's regrettable that there's a vulnerability, but this is exactly how open source software is supposed to work. A vulnerability was found, it was reported and it will be fixed. Shadow is no more irreparably damaged by this than Bitcoin was by the bug that allowed someone to create several billion BTC in a single transaction. It's experimental software and once fixed, the SDC codebase will be strengthened and will hopefully receive further scrutiny.

While we await a full formal response to it, I'd like to thank Shen for his contribution (regardless of how it was reported). Perhaps since he's likely to be receiving a significant amount of Shadow he'd consider contributing to the project in other ways going forward given that our aims are pretty well-aligned.

legendary
Activity: 2968
Merit: 1198
February 13, 2016, 09:09:12 AM
code: There has been some discussion about the bounty, because of how it was made public without giving us a chance to check if it was true or not. The docs state which actions to undertake and who to contact to be eligible for a bounty. The first rule of ethical disclosure is to minimalize damage, which has not been done. The article, for which they made a new blog, was released right before the weekend in an attempt to maximalize damage. Later on someone noticed they could get a bounty for it, so they applied for that too. In my opinion, I respect Shen for finding the bug, reporting it and therefore he deserves some bounty. But he was never out to get bounties, he was out to wreak havoc, and I don't like that part and that doesn't deserve a bounty.

First of all you don't know his incentives. I would submit to you that his incentives as a mathematician are to publish (what he sees as) interesting math stuff, including identifying math errors in cryptocurrencies.

As far as "the first rule of ethical disclosure is to minimalize damage" what you do not seem to understand in this instance is that there is no way to further minimize the damage, aside from informing users as quickly as possible so they stop using the broken code (and take whatever measures are possible to mitigate the damage that might exist from thinking their transactions were untraceable when they in fact were not). The damage is already done and is already on the blockchain, out there forever.

This is not a case of an "exploit" that can be reported privately to developers to fix it before anyone can use it. The blockchain is there and can't be fixed.

If you guys want to weasel out of a bounty on the basis of the mechanism of reporting, then do what you're gonna do. You'll be known as the scam devs who didn't pay out on a bounty after someone fully deanonymized their chain instead of just the coin that had its chain deanonymized due to a math error. Pick your poison.

legendary
Activity: 1456
Merit: 1000
February 13, 2016, 09:06:55 AM
code: There has been some discussion about the bounty, because of how it was made public without giving us a chance to check if it was true or not. The docs state which actions to undertake and who to contact to be eligible for a bounty. The first rule of ethical disclosure is to minimalize damage, which has not been done. The article, for which they made a new blog, was released right before the weekend in an attempt to maximalize damage. Later on someone noticed they could get a bounty for it, so they applied for that too. In my opinion, I respect Shen for finding the bug, reporting it and therefore he deserves some bounty. But he was never out to get bounties, he was out to wreak havoc, and I don't like that part and that doesn't deserve a bounty.

In my day job, I have worked with very highly skilled and professional pen testers. Top of their profession level of skills.

Pen testers all disclose bugs privately and most of them then publish their findings publicly about 6 months later. This gives the vendor / software provider time to fix any bugs; and gives users / customers disclosure on anything they may wish to investigate.

I don't know anything about the SDC bounty requirements.

sr. member
Activity: 624
Merit: 250
February 13, 2016, 08:42:42 AM
code: That would indeed be the worst case scenario. I've already stated that for the disclosure on itself there are grounds for a bounty. To put it simply, in every procedure there are material requirements (e.g. a bug) and formal requirements (e.g. how you report it). The formal requirements are just as important as the material ones and weren't fully met.
legendary
Activity: 1708
Merit: 1049
February 13, 2016, 08:29:52 AM
code: There has been some discussion about the bounty, because of how it was made public without giving us a chance to check if it was true or not. The docs state which actions to undertake and who to contact to be eligible for a bounty. The first rule of ethical disclosure is to minimalize damage, which has not been done. The article, for which they made a new blog, was released right before the weekend in an attempt to maximalize damage. Later on someone noticed they could get a bounty for it, so they applied for that too. In my opinion, I respect Shen for finding the bug, reporting it and therefore he deserves some bounty. But he was never out to get bounties, he was out to wreak havoc, and I don't like that part and that doesn't deserve a bounty.

If someone wanted to wreak havoc*, wouldn't it be better to just make a list of all the unmasked transactions and upload it somewhere, saying "SDC deanonymized", without even leaving a clue as to how it was done - with the vulnerabilities speculation in the air being more corrosive than the known-bug situation as it is right now?

* Not that the monero people aren't enjoying this, sure they do.