
Topic: [XMR] Monero - A secure, private, untraceable cryptocurrency - page 566. (Read 4671924 times)

legendary
Activity: 2492
Merit: 1491
LEALANA Bitcoin Grim Reaper
Seems counterproductive to post about there being XMR apparel then show DASH and ETH images?

sr. member
Activity: 306
Merit: 251
I understand you trying to promote your business on this forum, but you can't even pay with Monero..??   I mean really.
legendary
Activity: 3836
Merit: 4969
Doomed to see the future and unable to prevent it
not 2-3 sentences

yeop, still not any clearer what exactly you are asking.

Yeah...Hueristic, man, it wasn't/isn't very clear what you want. You express concern about the wire protocol, but then go back into cryptography in 0MQ?

As for Curve25519, that is a birationally equivalent curve of what Monero *currently* uses for its crypto. It's one of the "safest" out there, Bruce's comments notwithstanding.

Write succinct questions instead of walls of text demanding answers to vague "questions" and sounding angry and entitled when they aren't forthcoming (sorry if you didn't mean to come off like that).

I'll go back over the conversation when I have some time and see if I can be more specific. I am asking these questions to better understand the rationale and decision making that is going into these changes and have not gotten any answers to that. Is it so hard to show dev logs of the discussions of these decisions? AFA what protocols to use I have just started researching them and I'm aware curve25519 (I plan on in the future if I ever get time to see if it uses the set commonly used points or not) is already used but this question was a primer for my next question on which of those points used (I.E. how are they chosen). And I did not want to go there before I understood the answer to the questions I had listed. From what I understand the weakness of curve25519 is only when the common points are used and I am not even sure if that common point set is already being ignored for XMR and I have no clue if it's hard baked into ZMTP.

Is that any clearer? My memory is really bad these days so I have to reread a lot of stuff (including my own conversations) and retracing my thought process can be tedious. That's probably why I come off as being terse. My apologies guys.
legendary
Activity: 1105
Merit: 1000
not 2-3 sentences

yeop, still not any clearer what exactly you are asking.

Yeah...Hueristic, man, it wasn't/isn't very clear what you want. You express concern about the wire protocol, but then go back into cryptography in 0MQ?

As for Curve25519, that is a birationally equivalent curve of what Monero *currently* uses for its crypto. It's one of the "safest" out there, Bruce's comments notwithstanding.

Write succinct questions instead of walls of text demanding answers to vague "questions" and sounding angry and entitled when they aren't forthcoming (sorry if you didn't mean to come off like that).
legendary
Activity: 1610
Merit: 1004
Also if you are running a service that needs to use simplewallet in RPC mode to check if payments are received but you have no need to send funds remotely, it's good to enable this flag: --restricted-rpc: Restricts RPC to view-only commands

for example:
Code:
./simplewallet --wallet-file mywallet.dat --password demo123 --rpc-bind-port 18082 --restricted-rpc

Then you can check to see if payments are received.

In addition to other things such as firewall restriction you should read this post by Fluffypony on some basic ways to secure your network if you need to use RPC for sending and receiving:

https://www.reddit.com/r/Monero/comments/4atg0d/monero_rpc_no_password/d13io7e

legendary
Activity: 2492
Merit: 1491
LEALANA Bitcoin Grim Reaper
...
Thank you for this.

Although I don't personally run a monero in server mode it is good to see we have good intentioned whitehat hackers Security Professionals around.

Good work!!

FTFY. :P


BTW Most Security Pro's wear a grey hat.

lol potato potah-toe.

Don't both categories have some overlap? :P
full member
Activity: 168
Merit: 101
Physical Monero coins
UPDATE: cryptonic.net is no longer compromised. All funds have been returned to the owner.

Thanks a lot, TheKoziTwo! That's great that YOU have found this bug!

As a temporary fix I have changed the payment address (the new one is not bound to our node yet) so we can process payments manually while repairing our automatic payment processing.
legendary
Activity: 3836
Merit: 4969
Doomed to see the future and unable to prevent it
...
Thank you for this.

Although I don't personally run a monero in server mode it is good to see we have good intentioned whitehat hackers Security Professionals around.

Good work!!

FTFY. :P


BTW Most Security Pro's wear a grey hat.
legendary
Activity: 1552
Merit: 1047
UPDATE: cryptonic.net is no longer compromised. All funds have been returned to the owner.
legendary
Activity: 2492
Merit: 1491
LEALANA Bitcoin Grim Reaper
IMPORTANT ANNOUNCEMENT FOR ALL SERVICE PROVIDERS:

I basically hacked cryptonic.net today as I was able to get their wallet seed and transfer out 2380 XMR. I will of course return the funds to the owner, the only reason I transferred them out is to safe keep them from other potential attackers.

This is something that has been worrying me for a while, but it was only today after receiving a PM from a guy asking for help that I decided to go through the effort. I scanned the monero network, a total of 318 IP's on port 18082. I found 2 matches, and only 1 that I was able to attack. But there could be more vulnerable services out there running on different ports.

When you're running the wallet in rpc mode (you can do that by binding the port) for example like this:
Code:
./simplewallet --wallet-file mywallet.dat --password demo123 --rpc-bind-port 18082

Your wallet will be able to respond to RPC calls. What is very important to know is that the RPC calls are NOT password protected. The password I specified in my example (demo123) only protects the wallet. Once the wallet is running as rpc server it will accept incoming calls. Therefore your port 18082 MUST BE CLOSED (or whatever port you use to run the wallet server). This way you can only access the RPC from localhost.

The RPC has calls like "query_key" where you can retrieve view_key or the mnemonic seed. That's what I used, but I could also have used commands like "transfer" to take the funds.

This does not affect normal wallets, only if you run it in server mode like I explained above.

As of right now I'd advise people to wait with purchases on cryptonic until the owner has responded and secured his wallet.

It doesn't appear to be any major issue at the moment as I only found this 1 wallet vulnerable, but again I don't know how many are running servers on different ports and I think it's best this info is out in the open so admins can secure their wallets correctly. It's very simple, just make sure that the port you bind your wallet to is closed.

Thank you for this.

Although I don't personally run a monero in server mode it is good to see we have good intentioned whitehat hackers around.

Good work!!
legendary
Activity: 3836
Merit: 4969
Doomed to see the future and unable to prevent it
BTW, thought I'd mention to you guys 6 is a Chinese lucky number that a lot of them believe holds power, second only to 8 in some parts (I'm not an expert). I know this because of the Chinese horde of poker players. So if you see the coin being propped up at a 666 or if it goes to 888 it is more than likely Chinese. Of course as this becomes more well known (for instance someone like me pointing it out), it can be used for manipulation. But that's the same with everything, ground floor knowledge is power.
legendary
Activity: 1552
Merit: 1047
When you're running the wallet in rpc mode (you can do that by binding the port) for example like this:
Code:
./simplewallet --wallet-file mywallet.dat --password demo123 --rpc-bind-port 18082

Your wallet will be able to respond to RPC calls. What is very important to know is that the RPC calls are NOT password protected. The password I specified in my example (demo123) only protects the wallet. Once the wallet is running as rpc server it will accept incoming calls. Therefore your port 18082 MUST BE CLOSED (or whatever port you use to run the wallet server). This way you can only access the RPC from localhost.

That's a bug. It's supposed to bind to loopback if you don't supply --rpc-bind-ip with another one. I will fix.

Edit: works fine here. Either that server was specifically told to listen inbound, or if you can repro it, file a bug with full command line and OS etc.
I've not tested it myself. I guess you're right, and it was also bound to IP. That makes it a little less dangerous.
legendary
Activity: 1276
Merit: 1001
When you're running the wallet in rpc mode (you can do that by binding the port) for example like this:
Code:
./simplewallet --wallet-file mywallet.dat --password demo123 --rpc-bind-port 18082

Your wallet will be able to respond to RPC calls. What is very important to know is that the RPC calls are NOT password protected. The password I specified in my example (demo123) only protects the wallet. Once the wallet is running as rpc server it will accept incoming calls. Therefore your port 18082 MUST BE CLOSED (or whatever port you use to run the wallet server). This way you can only access the RPC from localhost.

That's a bug. It's supposed to bind to loopback if you don't supply --rpc-bind-ip with another one. I will fix.

Edit: works fine here. Either that server was specifically told to listen inbound, or if you can repro it, file a bug with full command line and OS etc.
legendary
Activity: 3836
Merit: 4969
Doomed to see the future and unable to prevent it
IMPORTANT ANNOUNCEMENT FOR ALL SERVICE PROVIDERS:

I basically hacked cryptonic.net today as I was able to get their wallet seed and transfer out 2380 XMR. I will of course return the funds to the owner, the only reason I transferred them out is to safe keep them from other potential attackers.

This is something that has been worrying me for a while, but it was only today after receiving a PM from a guy asking for help that I decided to go through the effort. I scanned the monero network, a total of 318 IP's on port 18082. I found 2 matches, and only 1 that I was able to attack. But there could be more vulnerable services out there running on different ports.

When you're running the wallet in rpc mode (you can do that by binding the port) for example like this:
Code:
./simplewallet --wallet-file mywallet.dat --password demo123 --rpc-bind-port 18082

Your wallet will be able to respond to RPC calls. What is very important to know is that the RPC calls are NOT password protected. The password I specified in my example (demo123) only protects the wallet. Once the wallet is running as rpc server it will accept incoming calls. Therefore your port 18082 MUST BE CLOSED (or whatever port you use to run the wallet server). This way you can only access the RPC from localhost.

The RPC has calls like "query_key" where you can retrieve view_key or the mnemonic seed. That's what I used, but I could also have used commands like "transfer" to take the funds.

This does not affect normal wallets, only if you run it in server mode like I explained above.

As of right now I'd advise people to wait with purchases on cryptonic until the owner has responded and secured his wallet.

It doesn't appear to be any major issue at the moment as I only found this 1 wallet vulnerable, but again I don't know how many are running servers on different ports and I think it's best this info is out in the open so admins can secure their wallets correctly. It's very simple, just make sure that the port you bind your wallet to is closed.

Nice find, I'm not sure why this info is not more widely known. Maybe because the RPC layer is just not discussed in open forum enough. :rolleyes:
legendary
Activity: 1552
Merit: 1047
IMPORTANT ANNOUNCEMENT FOR ALL SERVICE PROVIDERS:

I basically hacked cryptonic.net today as I was able to get their wallet seed and transfer out 2380 XMR. I will of course return the funds to the owner, the only reason I transferred them out is to safe keep them from other potential attackers.

This is something that has been worrying me for a while, but it was only today after receiving a PM from a guy asking for help that I decided to go through the effort. I scanned the monero network, a total of 318 IP's on port 18082. I found 2 matches, and only 1 that I was able to attack. But there could be more vulnerable services out there running on different ports.

When you're running the wallet in rpc mode (you can do that by binding the port) for example like this:
Code:
./simplewallet --wallet-file mywallet.dat --password demo123 --rpc-bind-port 18082

Your wallet will be able to respond to RPC calls. What is very important to know is that the RPC calls are NOT password protected. The password I specified in my example (demo123) only protects the wallet. Once the wallet is running as rpc server it will accept incoming calls. Therefore your port 18082 MUST BE CLOSED (or whatever port you use to run the wallet server). This way you can only access the RPC from localhost.

The RPC has calls like "query_key" where you can retrieve view_key or the mnemonic seed. That's what I used, but I could also have used commands like "transfer" to take the funds.

This does not affect normal wallets, only if you run it in server mode like I explained above.

As of right now I'd advise people to wait with purchases on cryptonic until the owner has responded and secured his wallet.

It doesn't appear to be any major issue at the moment as I only found this 1 wallet vulnerable, but again I don't know how many are running servers on different ports and I think it's best this info is out in the open so admins can secure their wallets correctly. It's very simple, just make sure that the port you bind your wallet to is closed.
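
A local check an operator could run for the exposure described in the announcement above, as an added example that is not part of the thread or of Monero's code: it compares a simplewallet command line with the sockets actually listening on the RPC port. The flags are the ones quoted in the thread; the `ss -ltn` sample, the finding names and the `needs_transfers` parameter are constructed for illustration.

```python
import ipaddress
import shlex

# Constructed sample of `ss -ltn` output (not taken from the thread).
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:18082       0.0.0.0:*
LISTEN  0       128     127.0.0.1:18081     0.0.0.0:*
LISTEN  0       128     [::1]:631           [::]:*
"""


def parse_wallet_args(cmdline):
    """Pull the RPC options quoted in this thread out of a command line."""
    argv = shlex.split(cmdline)
    opts = {"port": None, "bind_ip": None, "restricted": False}
    i = 0
    while i < len(argv):
        name, sep, value = argv[i].partition("=")
        if name == "--restricted-rpc":
            opts["restricted"] = True
        elif name in ("--rpc-bind-port", "--rpc-bind-ip"):
            if not sep and i + 1 < len(argv):  # "--flag value" spelling
                i += 1
                value = argv[i]
            opts["port" if name == "--rpc-bind-port" else "bind_ip"] = value
        i += 1
    return opts


def is_loopback(addr):
    """True only for 127.0.0.0/8 and ::1; wildcards and junk count as exposed."""
    addr = addr.strip("[]").split("%", 1)[0]
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def listeners_on_port(ss_output, port):
    """Local addresses in LISTEN state on `port`, from `ss -ltn` output."""
    found = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, lport = fields[3].rpartition(":")
        if lport == str(port):
            found.append(addr)
    return found


def audit(cmdline, ss_output, needs_transfers=False):
    """Return findings for a wallet started in RPC mode (empty list = clean)."""
    opts = parse_wallet_args(cmdline)
    if not opts["port"]:
        return []  # no --rpc-bind-port: not running as an RPC server
    findings = []
    if opts["bind_ip"] and not is_loopback(opts["bind_ip"]):
        findings.append("bind-ip-not-loopback")
    if not opts["restricted"] and not needs_transfers:
        findings.append("missing-restricted-rpc")
    # Check the real socket too, so a surprising default bind is caught.
    for addr in listeners_on_port(ss_output, opts["port"]):
        if not is_loopback(addr):
            findings.append("listening-on:" + addr)
    return findings


if __name__ == "__main__":
    cmd = ("./simplewallet --wallet-file mywallet.dat --password demo123 "
           "--rpc-bind-port 18082")
    print(audit(cmd, SAMPLE_SS))
```

On a live host the second argument would be the real output of `ss -ltn`; a `listening-on:` finding means the port is reachable beyond localhost unless a firewall blocks it.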
sr. member
Activity: 350
Merit: 250
Looking forward to this. XMR + STEEM could very well be the best investments of 2016.

To me, an important difference (among many important differences) is that XMR could very well be the best investment of the third millennium.  STEEM, not so much.
For me it's BTS + STEEM are going to be the best ones. XMR, need to hear some good news.
and why BTS would be better than monero? ???
just wait for the GUI and you will see monero pumping.
legendary
Activity: 2380
Merit: 1085
Money often costs too much.
Looking forward to this. XMR + STEEM could very well be the best investments of 2016.

To me, an important difference (among many important differences) is that XMR could very well be the best investment of the third millennium.  STEEM, not so much.

Crossposting this from Smooth-selfmoderated-thread over here, for Safety.

Sounds interesting, especially the link pointing at the balances. iamnotback is Anonymint?

You fools enjoy being kept in the cage by your thread moderator whilst he escapes to partake of the fruits you are told to reject?

Then again, maybe you should feel happy that he is perhaps buying XMR with his proceeds of stripping the n00bs of their money via the Streemit pyramid.

I did not ever tell anyone to invest in Steem. I think the long term prospects for the value of the token are not great. I've told the developers of Steem that. I've told people on my crypto social circle that. I've posted that. I don't know what more I can do.

I suppose reiterating here is good for disclosure, given you are somewhat a public figure.

I just wish you had made me aware of your open mind about profiting any way we want to, because I thought you were much more dogmatic in the past.

I am actually a free market anarchist, so I can't fault you for what you've done. Actually I must admire it. But I just feel you need to be consistent, so that we know how to interface with you.

Also I think you could help by speaking frankly about the meritocracy of the fact that you could get $50,000 a week for basically a very minimal effort. You could perhaps influence some speculators and newbies to think carefully about what types of projects they want to support. Without being too dogmatic, just about the value of meritocracy.

I did not support the sneaky-mine and said at the time that I would not promote the coin to crypto speculators (although kind of an easy promise to make since I never promote any crypto coins -- my best guess is all going to zero, though at different rates). It was, however, far more transparent and than the Dash instamine or the Bytecoin hidden premine. For the record, when I first stated that opinion (after the initial mining) it was worth approximately nothing, so the alleged current market value has changed nothing here.

That said, I also do not think it necessarily will with certainty go to zero, and people can do their own analysis and reach their own conclusions. Hell, even Auroracoin and other pure garbage (nothing personal to Auroracoin devs) still has some value. Steem has more merit than that.

What is the merit of Steem? It is a premeditated pyramid. Designed to be so. How can we reach an alternative conclusion? By what math and analysis? Dan et al are not dumb. They computed all this.


New development in this story that I did not anticipate:

Smooth seems to have found a way to game the system

Look at his balance https://steemit.com/@smooth/transfers

He already owns $ 5 Millions at today's market price. Insane.

He acquired nearly 1% back during the "sneaky mine" phase. You can understand why he wasn't willing to attack this coin the way he normally attacks pump and dump scams. That $millions bought his "I am not omniscient about the potential future not being a disaster" attitude.

Btw, smooth is cashing out roughly $50,000 per week. (assuming your $5m valuation of his SP is correct)

Is that a meritocracy ???

You can see why he would have an incentive to not speak about how it will be a disaster for those who invest in SP now (requires a 2 year lock up cashed out over 104 weeks), while he is cashing out every week. Chaching. Fools please buy Steemit and give your money to smooth.


You are turning the s/w industry into lies and scams. I want nothing to do with you if you are going to on the one hand be so dogmatic even leading me entirely away from doing what Dan has done (I originally was talking ICOs and no no no don't you dare do anything but PoW distribution). I had more respect for you than this, that at least some consistency of your position.

I don't have a problem with Dan doing this. Everyone should be free. I just have a problem with feeling like I been jerked around, some people telling me to be idealistic, then telling me as long as you build adoption through lying to people's emotions, then that is positive.

I don't feel there is any consistency of anything. Everyone should do what ever in the hell they want.

...

Steemit is taking money from new investors and redistributing it to those with the most rep power. And fooling bloggers to join by hyping payouts most of them will never receive. That doesn't sound to me like building a good long-term business model.

Bernie Madoff must be proud.

Smooth never bribed me and in fact he helped me and I am grateful, but I did put a lot of weight into his opinions:

smooth may I ask what is the incentive for you to promote steem? Are you now affiliated with the Larimers?

It is bizarre given when we first spoke about the state-of-altcoins some many moons ago in 2015, and I had stated that maybe Bitshares and Dan Larimer were credible and you tried to convince me that their mcap was all manipulation and to discourage me from taking them seriously.

Now suddenly you jump on their boat and I've noted you stated some where you were able to mine 1+% of the coins during the stealth mining phase.

I respected you and followed your lead to admonish ICOs, premines, instamines, and I would assume that would include stealthmining launches. But in the end, all this did was mess up my own degrees-of-freedom to make my project come to fruition because I was trying to bend over backwards to find a way to fit into that impossible set of requirements. And now after all that, it ends up you don't even follow your own ethics.


Hey I am happy with letting the altcoin market be free of Sheriffs. So more power to your newly discovered ethics. I just feel slightly jaded for receiving bad advice from you. I am sorry to bring this out in public, and I must presume you have a good explanation. So I'll await to read your take on this. Thanks.

Is smooth - core member and one of the lead community managers of Monero - a hypocrite?
legendary
Activity: 1260
Merit: 1008
not 2-3 sentences

yeop, still not any clearer what exactly you are asking.
legendary
Activity: 3836
Merit: 4969
Doomed to see the future and unable to prevent it
0MQ ZMTP Question.....

2 WEEK BUMP. Still waiting.

Here's a good one.
https://www.youtube.com/watch?v=Ik4DpbVQxlA

fluffypony is going to be speaking about this in the upcoming missive, which should be out in the next week or so.

FTFY.

So I get ignored until then? I'd rather have answers than listen to an hour long answer/question podcast that may or may not answer my questions. Did the community somehow stop being a part of the development and I didn't notice along the way? Are the Devs just calling the shots now without input or recourse?

Sorry but "The Cult of Fluffy" is getting a little out of hand here. I think 2 weeks is long enough to wait for an answer.

Any DEV can answer this unless he's the only one. And if he is the only one then there is something rotten in Denmark.

Why don't you hop on IRC and ask in #monero-dev? I am sure someone will provide you with an answer rather quickly.

I like having the info here so I don't have to keep logs. Not to mention IRC doesn't show up on google searches. Many times with my shitty memory I have googled stuff and found answer from my own past posts! That is weird.

Honestly I forget what the question was. If you concatenate it to about 2-3 sentences I'll post it on IRC and relay the response back. I'm a relay bot. Beep boop.

https://bitcointalksearch.org/topic/m.15434910

This is what I really want answered.

Quote
Quote
The current home-grown Boost::ASIO wire protocol is significantly more risky than switching to something that is standard. It's entirely possible that there's some weirdness under the hood that we haven't uncovered yet, so swapping it out for something that is well-known and widely used in FOSS projects is extremely desirable. Complexity is the enemy of good security, and in this case custom protocols way worse than well-known standards.

Perhaps more importantly, though, the wire protocol is hardly an attack surface. The major risk it represents is an MITM attack revealing what transactions you were the first to broadcast (mitigated by end-to-end encryption in ZMTP), and fingerprinting attacks being able to correlate your clearnet IP with your i2p address (mitigated by introducing some execution randomness to the i2p connectivity, and completely separating the information shared with nodes on both interfaces). Beyond that, a compromised or poisoned wire protocol won't be able to "do" anything particularly bad. The daemon has no idea what your private keys are. It has some information about your transactions you send out, and the ones you're interested in, but if it were revealing that it would be spotted very quickly.

This is actually my top concern, I want to see how this has been vetted. Call me paranoid but changing a core protocol with off hand remarks is worrisome and I just want to verify that we are not just taking anyone's word on the fact that the crypto in 0MQ is sound and safe when it comes to a currency that cannot be checked for manipulation.

http://arstechnica.com/security/2014/01/how-the-nsa-may-have-put-a-backdoor-in-rsas-cryptography-a-technical-primer/

BTW we are very close to losing beta status correct? How long will this be tested within the beta phase?

I don't know anything about this so I wanted to see a peer review or a word from our scientists that they have verified this is bulletproof.
Looking into ZeroMq I see it uses Curve25519 correct?

http://zeromq.org/topics:encryption

Quote
ZeroMQ 4.x has extensible encryption, and comes with CurveZMQ as a built-in security mechanism. Pieter Hintjens has some articles that explain how this works. The only extra dependency is libsodium, which provides the Curve25519 security functions.

https://www.reddit.com/r/programming/comments/1ms5fu/new_zeromq_4_does_strong_encryption_and_perfect/
Quote
CURVE - secure authentication and encryption based on elliptic curve cryptography, using the Curve25519 algorithm from Daniel Bernstein and based on CurveCP's security handshake. See http://rfc.zeromq.org/spec:25, http://rfc.zeromq.org/spec:26, and http://curvecp.org.


https://en.wikipedia.org/wiki/Curve25519
Quote

    I no longer trust the constants. I believe the NSA has manipulated them through their relationships with industry
    —Bruce Schneier, The NSA Is Breaking Most Encryption on the Internet (2013)
