This attack on XMR was meant to distract bears attention from BTC, so the bulls can do their job lol jk.
Still, I hope we will capture this BTC bull moment (if its not over already)...
Topic: [XMR] Monero - A secure, private, untraceable cryptocurrency - page 1485. (Read 4670622 times)
September 04, 2014, 01:02:38 PM
September 04, 2014, 01:00:22 PM
1) Can you already rule out that the same (or similar) attack can be mounted again?
2) Can you already rule out conclusively that no lasting damage was done (as in: according to the pre-attack ownership situation)? Any chance that some subtle damage was done that'll be discovered only later?
2) Can you already rule out conclusively that no lasting damage was done (as in: according to the pre-attack ownership situation)? Any chance that some subtle damage was done that'll be discovered only later?
I'll answer both at the same time. This particular attack can't be mounted again. We haven't pushed out the official fix yet, but exploit it requires growing the blocks sizes, which takes time. We'd never let that happen. The full fix will be out soon. This hole is plugged.
Any software can have vulnerabilities and exploits. This is exacerbated by the fact that we got the code from a bunch of lying scammers who despite that character flaw, happen to have some talent when it comes to cryptography and to a lesser extent coding. We are reviewing the code and paying qualified people to review the code in order to identify and correct problems to the greatest extent possible. Further we will be restructuring, refactoring, and/or replacing some of the code in order to further increase its robustness and trustworthiness (removing obfuscation for example).
I think you need to take a break. You are unintentionally saying stupid things.
Quote
This particular attack can't be mounted again.
Implies - so other attacks are still possible?
Quote
Any software can have vulnerabilities and exploits.
Implies - don't trust Monero with your anonymity just yet.
Quote
we got the code from a bunch of lying scammers who despite that character flaw, happen to have some talent when it comes to cryptography and to a lesser extent coding.
Where do you start with this statement.
Implies
- We didn't have the technical skill in the first place, so we are just using anything we could find
- Quality assurance in the code was never a priority
Quote
We are reviewing the code and paying qualified people to review the code in order to identify and correct problems
Implies - We haven't got a clue. So we are paying for temporary help.
Get some sleep. For investors, this sort of loose talk, from someone that is an established part of the team, gives zero confidence in the project.
This isn't stupid at all - he's being accurate. If you heard someone from the dev team saying anything except what smooth just posted, you should be running.
Yes, of course there are other attacks that can, and, if the coin continues to be successful, will be mounted against Monero and the other cryptonote coins.
It's a new codebase, and it was inherited from an unknown set of developers whose motivations, competence, and trustworthiness are unknown.
If you're buying Monero or any other coin based on the codebase, you'd damn well better be doing it with your eyes open: These coins are new. They're not based on a fork of the bitcoin codebase. They're different, and they come will all sorts of attendant risks of bugs and vulnerabilities. That's also part of what makes them interesting, and not just a blah-blah "i cp'd bitcoin and tweaked a parameter".
Don't rail at the developers for being honest with you. Thank them for assuming you're adult enough to deal with reality, and thank them for not misrepresenting what they're working on.
You're criticizing the developers for bringing in external expertise? Give me a break. Taking over a foreign codebase that's got interesting cryptography and implements a distributed system is hard.
As I said about an earlier Monero bug: https://bitcointalksearch.org/topic/m.7988816
the test is how the team responds, whether they're able to identify and fix the bug, and whether the quality of the code and the process for preventing bugs improves over time.
So I have a very concrete suggestion for you: Shut up for a moment. Give all of the devs involved a day or two to recover from what must have been an annoying and stressful bug hunt. And then ask *politely* if they'll include in the next Missives a summary of the things they're doing to improve the codebase and the development process for the coin, such as progress on regression testing and the ability to do things on testnets, elimination of buggy coding patterns, etc. See what's been changed, if anything, from the previous bugs, and if there's improvement going on, and then decide for yourself whether the trajectory is good or not.
September 04, 2014, 12:59:23 PM
Mintpal price is about 0.00415 now, HitBTC was frozen at 0.00380 after some had dumped on low volume (2,500 XMR) at the last moment.
All I ask is that the most reputable and highest-volume exchange, Poloniex, would:
- announce the resumption of trading at least 1 hour in advance;
- allow traders to enter orders during this time;
- arrange a market-clearing procedure at the moment when the trading starts, so that the existing bids and asks that coincide, would be matched with each other at the midprice that clears all of them, to not favor sellers or buyers.
All I ask is that the most reputable and highest-volume exchange, Poloniex, would:
- announce the resumption of trading at least 1 hour in advance;
- allow traders to enter orders during this time;
- arrange a market-clearing procedure at the moment when the trading starts, so that the existing bids and asks that coincide, would be matched with each other at the midprice that clears all of them, to not favor sellers or buyers.
Code:
<@fluffypony> busoni: also, thoughts on this - https://bitcointalk.org/index.php?topic=583449.msg8672104#msg8672104 ?
fluffypony: I can announce in advance, but the other things are not possible
<@fluffypony> 100%
The new trading engine does not allow crossed orderbooks
Okay, I'll announce an unfreeze in about an hour... the wallet should be finished resyncing by then.
<@fluffypony> 100%
Trading should be resumed in hours.
September 04, 2014, 12:56:04 PM
Devs, when will you give exchanges the green light to trade?
https://twitter.com/Poloniex/status/507571637214920704
Thanks
September 04, 2014, 12:55:02 PM
sounds more like you were? are? considering changing the codebase entirely.
Not a core dev here, just a very experienced one commenting from observation:
It is necessarily an incremental process, in the context of a working system. Breaking things that people depend on is anathema. And you would be surprised at the sort of unsupported edge cases that people come to depend upon.
Removing functionality which is not actively causing a more serious problem is very undesirable. Sometimes it is practically unavoidable, however.
The evolution of the XMR codebase will be a long series of focused refactorings (think of replacing a hip with titanium) and cross-cutting ones (think of chemotherapy to kill a blood cancer circulating throughout the body). It's not a large codebase, but it is an (often unduly) complex one. The cost and time are sunk mostly into the links between the parts, the interfaces. The more there are and the more complex those interfaces are, the longer it takes and the more it costs.
If you try to basically rewrite the thing before rolling out a big gem, maintenance costs can bankrupt your development effort, and the released feature set is stagnant. Although it takes longer, as long as it is viable, it is wise to choose the incremental refactoring path. Then incremental features which are practically necessary can be released as the improvements in infrastructure allow.
In general, refactoring is the process of performing correctness-preserving transformations on the code, until the interfaces fall along the boundaries necessary to contain the complexities inherent in the feature requirements into modules which have more managable size and complexity. It is slower than rewriting, but far less risk.
In crypto, as in embedded vehicle or weapon controls, minimizing risks takes on profound importance.
September 04, 2014, 12:54:54 PM
XMR is the future.
September 04, 2014, 12:53:02 PM
Devs, when will you give exchanges the green light to trade?
https://twitter.com/Poloniex/status/507571637214920704
September 04, 2014, 12:49:59 PM
Devs, when will you give exchanges the green light to trade?
September 04, 2014, 12:48:21 PM
What does all of these users have in common?
Hint: no avatar
SCAM? Too many big headed hero members telling you noobs to buy a shitcoin. Karma is a bitch. 
Obvious shitcoin, James.
[XMR] Monero - A secure, private, untraceable cryptocurrency ?? wtf
[XMR] Monero - A secure, private, untraceable cryptocurrency ?? wtf
Or maybe the price will tank and you will end up a bagholder... hero members endorsing this shit should be slapped.
Boolberry is doomed also. CryptoNote coins are now officially shit because of Monero and insiders.
All cryptonote coins offline on Bittrex. RIP CryptoNote.
We should make a blacklist of all Senior and Hero Members who were promoting this shitcoin. Monero and Boolberry threads should be moved to the Trashcan.
Seems that Monero is totally broken.
And this is why adoption for cryptonote is at least 5 years behind bitcoin API.....all you hero shills love talking it up....
its untested - no business in their right mind would accept this technology when flaws like this exist.
Back to the drawing board...maybe you can look at the bloat / scalability issue while you are at it!
its untested - no business in their right mind would accept this technology when flaws like this exist.
Back to the drawing board...maybe you can look at the bloat / scalability issue while you are at it!
Monero devs took CryptoNote protocol and tried to implement some changes without any understanding of what they're doing. Probably XMR’s devs questionable modifications lead to this kind of attack. That is what you get when you steal the code you are not capable of maintaining.
Remember kids: you should not modify a code if you’re not completely sure what it will cause. Currently people are paying with their funds because of the incompetent Monero devs. Reminds me too much of a real world situation, when the bank closes people loose funds they've invested. I hoped we wouldn't see it in the crypto world.
Remember kids: you should not modify a code if you’re not completely sure what it will cause. Currently people are paying with their funds because of the incompetent Monero devs. Reminds me too much of a real world situation, when the bank closes people loose funds they've invested. I hoped we wouldn't see it in the crypto world.
https://twitter.com/petertoddbtc/status/507407230204125184
"First time I'm compiling #monero, and its consensus is broken :/ "
HAHAHAHAH RIP MONERO
"First time I'm compiling #monero, and its consensus is broken :/ "
HAHAHAHAH RIP MONERO
Why do you keep throwing good money after bad? Monero developers have confirmed their incompetence numerous times, and you still continue investing in XMR. I understand that you’ve put a lot of effort and money in it but you should not be tied up to the sunk costs.
It seems that you've been lured into thinking that Monero is going to the moon when actually it is doomed. I think you should rethink your commitment before you've lost even more.
It seems that you've been lured into thinking that Monero is going to the moon when actually it is doomed. I think you should rethink your commitment before you've lost even more.
Hint: no avatar
September 04, 2014, 12:41:58 PM
Well, Peter Todd was right. It's politically incorrect, but he's not known for tact and charm. He's known for creative technical solutions.
And frankly, if IBM were doing its accounting with crayons and monkeys, and you didn't inform the stakeholders, you'd be very irresponsible.
And frankly, if IBM were doing its accounting with crayons and monkeys, and you didn't inform the stakeholders, you'd be very irresponsible.
His assessment of CN code is correct imho. It's a mess. Shouting "Cryptonote code is terribad" on twitter is extremely foolish.
(Edited to remove funny, put possibly insulting last line)
September 04, 2014, 12:40:47 PM
Well, Peter Todd was right. It's politically incorrect, but he's not known for tact and charm. He's known for creative technical solutions.
And frankly, if IBM were doing its accounting with crayons and monkeys, and you didn't inform the stakeholders, you'd be very irresponsible.
I am curious if the cryptonote code base is intentionally done with crayons and monkeys. What is to be gained from this?And frankly, if IBM were doing its accounting with crayons and monkeys, and you didn't inform the stakeholders, you'd be very irresponsible.
Simple things like their reference code didnt compile for me. Now I am always having problems getting all the modules installed, but I would think a supposed reference code should compile. So if it doesnt compile, then what other problems are there?
Didnt make sense to me and I didnt have time to investigate
James
It is a bit of a bastard to get up and running in my experience. also hi james. unexpected to see you over here.
September 04, 2014, 12:38:24 PM
Well, Peter Todd was right. It's politically incorrect, but he's not known for tact and charm. He's known for creative technical solutions.
And frankly, if IBM were doing its accounting with crayons and monkeys, and you didn't inform the stakeholders, you'd be very irresponsible.
I am curious if the cryptonote code base is intentionally done with crayons and monkeys. What is to be gained from this?And frankly, if IBM were doing its accounting with crayons and monkeys, and you didn't inform the stakeholders, you'd be very irresponsible.
Simple things like their reference code didnt compile for me. Now I am always having problems getting all the modules installed, but I would think a supposed reference code should compile. So if it doesnt compile, then what other problems are there?
Didnt make sense to me and I didnt have time to investigate
James
I haven't looked at it (we are forked from bytecoin, though the copyrights on the code still say cryptonote) but from what I remember, their reference code is more of a toolkit and probably requires some edits to turn into a working coin.
Any of the working cryptonote forks should be easiler to build. I've never done anything other than (install dependencies and) type make.
September 04, 2014, 12:36:48 PM
I would have thought that Peter Todd (previously a core bitcoin dev) would have enough on his plate as he recently (few weeks ago) joined the Viacoin dev team.
We had already talked to Peter about consulting for us before that. He does various consulting work, especially open source projects. He explained on reddit (go find it if you care) that one of his consulting clients happens to be Viacoin, and he didn't even know much about what they are doing. In typical pump-and-dump fashion, Viacoin quickly turned that consulting gig into him being their "chief scientist" and promptly put out a slicked up press release about it.
In short you are reading too much into it, and for what its worth we won't be wasting any of our donation money writing press releases and trying to promote a consulting gig as something more than what it is.
Peter Todd is the new CEO of Monero! That's great news!
September 04, 2014, 12:35:59 PM
Well, Peter Todd was right. It's politically incorrect, but he's not known for tact and charm. He's known for creative technical solutions.
And frankly, if IBM were doing its accounting with crayons and monkeys, and you didn't inform the stakeholders, you'd be very irresponsible.
I am curious if the cryptonote code base is intentionally done with crayons and monkeys. What is to be gained from this?And frankly, if IBM were doing its accounting with crayons and monkeys, and you didn't inform the stakeholders, you'd be very irresponsible.
Simple things like their reference code didnt compile for me. Now I am always having problems getting all the modules installed, but I would think a supposed reference code should compile. So if it doesnt compile, then what other problems are there?
Didnt make sense to me and I didnt have time to investigate
James
September 04, 2014, 12:34:58 PM
I don't know who Peter Todd is but if he was HIRED to be a consultant for Monero it is really really unprofessional for him to be publicly defaming the code on twitter before privately giving his input to the devs. In the corporate world if say IBM were having some issues with their books and hired an outside accounting firm to come audit and straighten things out, then said firm went on twitter and publicly went "Hoo Boy! It's amazing IBM functions at all considering they basically use monkeys with crayons to do their accounting!" That would not fly and would immediately tank the price of the stock. When people have money on the line, why would this guy be publicly slandering the code when he has been hired as a consultant???
I agree with this position. I am disappointed at that display. I think it can be said, but this was a bad way to do it.
September 04, 2014, 12:32:12 PM
... kind of begs for a comment from the dev team.
I agree that the C in the codebase in insane and dangerous. In the least, we need to refactor to C++ and comment the code.
Whatever works.
But:
"glad to hear the devs had the same idea" sounds more like you were? are? considering changing the codebase entirely.
There is no plan to replace the codebase entirely. We are open to input and considering ideas. Two very different things.
Thanks for the answers to my questions. I have nothing to add.
September 04, 2014, 12:30:30 PM
... kind of begs for a comment from the dev team.
I agree that the C in the codebase in insane and dangerous. In the least, we need to refactor to C++ and comment the code.
Whatever works.
But:
"glad to hear the devs had the same idea" sounds more like you were? are? considering changing the codebase entirely.
There is no plan to replace the codebase entirely. We are open to input and considering ideas. Two very different things.
September 04, 2014, 12:30:17 PM
words
other trolls could learn a thing or two from you.
September 04, 2014, 12:28:16 PM
... kind of begs for a comment from the dev team.
I agree that the C in the codebase in insane and dangerous. In the least, we need to refactor to C++ and comment the code.
Whatever works.
But:
"glad to hear the devs had the same idea" sounds more like you were? are? considering changing the codebase entirely.
September 04, 2014, 12:27:57 PM
... kind of begs for a comment from the dev team.
We've discussed this through and through, and the general consensus is that the effort it would take to port everything over is huge, and then we'd be stuck inheriting a lot of other stuff that would make what we want to do in future more difficult.
Jump to: