Topic: [XMR] Monero - A secure, private, untraceable cryptocurrency - page 570. (Read 4671920 times)

legendary
Activity: 1596
Merit: 1030
Sine secretum non libertas
You should think of public wifi as a card skimmer
legendary
Activity: 2282
Merit: 1050
Monero Core Team
...

And don't forget you guys using Mymonero it is not safe to leave large amounts on. MIM attack (was presumed) has already cost someone 16,000 XMR (IIRC).

My understanding is that this was an attack against https rather than an attack against MyMonero itself. I stand to be corrected on this. As for attacking https: here are some possibilities I can think of:

1) Man in the middle attacks that downgrade the connection to http:
Some possible  culprits here can be:
a) A network provider.
b) An ISP
c) An Internet backbone provider
d) A VPN provider
e) A Tor exit node (If Tor is used)
etc.
Countermeasure: Check that one has https: at every stage of the transaction

2) Malicious software running on the client computer. For example key loggers etc. This is one of the most common causes of loss.
Countermeasures:
a) Replace Microsoft Windows or even Mac OS X with GNU/Linux or another Free Libre Open Source Software (FLOSS) OS.
b) If you really must use Microsoft Windows or Mac OS X then there are all the "safe" computing solutions that are promoted by big proprietary software vendors at a cost. Anti virus software, anti malware software, using only genuine non pirated software etc.
c) Replace IOS with Android. For Android see 4 below or simply do not trust the mobile device.
d) In addition to a) b) or c) above: Avoid high risk sites, installing software one does not trust, html email, clicking on malicious email links
 
3) Attack against the certificate issuer or a malicious certificate issuer.
Countermeasures:
This one can be tricky if the attacker for example is a government. The answer is make sure you trust the certificate vendor, and in an extreme case use self signed certificates.

4) Attacks by so called "legitimate" players. These typically are proprietary operating system vendors, including Microsoft, hardware vendors and "premium" content vendors. The primary motivations here are:
a) DRM (Digital restrictions / rights management, digital locks, copy protection etc.)
b) Spying for the purpose of marketing.
c) Government spying is typically a much lower risk and in many cases piggybacks on a) and b) above.
Examples:
a) DRM: The infamous Sony rootkit. The culprit was Sony BMG https://en.wikipedia.org/wiki/Sony_BMG_copy_protection_rootkit_scandal . One can also argue that the design of the Microsoft Windows registry was in fact motivated by DRM since it does frustrate the copying of installed windows applications. The side effect of this is that the Microsoft Windows registry is also the perfect breeding ground for malware.
b) Spying for the purpose of marketing: Superfish https://en.wikipedia.org/wiki/Superfish The culprits here were Lenovo and Microsoft. (Microsoft is accountable here since it licensed the use of its trademarks in the sale of the infected computers). In this case Lenovo placed a rogue certificate in the operating system that broke SSL in order to decrypt the connection to obtain marketing data from https browsing. Basically to break initiatives such as Encrypt the Web. https://www.eff.org/encrypt-the-web. Lenovo has been caught repeatedly doing this and is still licensing trademarks from Microsoft to sell computers.
c) Government spying. Most of these attacks tend to be highly targeted and in many cases rely on a) and b) above. https://en.wikipedia.org/wiki/Global_surveillance_disclosures_(2013%E2%80%93present)
Countermeasures:
Large corporations cannot be trusted here since they are the main adversary; however their products if they have a FLOSS OS can in many cases be made safe.
a) Use only a FLOSS OS that does not support DRM at the OS level. The most popular are GNU/Linux on the laptops / desktops and Android (see b below) on mobile.
b) Ensure you have full control of the computer or device (this means root access) and lock down the computer or device using only FLOSS tools. This is critical for Android or Chromebooks since they are typically sold with the manufacturer, a telco or OS vendor having root access. Note: Rooting an Android device or putting a Chromebook in "developer mode" will break the DRM on the device. This makes sense because a computer or device cannot serve two masters. It can protect the paranoia and business models of "big content" such as the MPAA or your moneroj but not both.
c) Avoid software or content that is infected with DRM unless you can break the DRM. Breaking the DRM may be illegal in your jurisdiction depending on the circumstances; in that case the only legal option is to avoid the DRM infected software or content or see d below.
d) As an alternative to c put the DRM infected software or content in a FLOSS controlled sandbox. This can be another computer or device, a virtual machine, or some other kind of sandbox. This is also a good strategy with proprietary software even if it is not infected with DRM. The key here is the security of the sandbox. A very good analogy is biological containment labs. The degree of security is determined by the risk posed by the pathogens. Watch out for shares on your network, software bugs in the virtual machine or sandbox etc.
e) As a mitigation measure avoid proprietary software and operating systems targeted to consumers. Many large proprietary software vendors, including Microsoft, take the point of view that consumers are fair game for these shenanigans while business users are not. Take a look at Lenovo's response to Superfish. http://news.lenovo.com/news-releases/lenovo-statement-on-superfish.htm They avoided attacking their business customers, by not infecting products that were meant for business customers with their Superfish malware.  

The above is not meant to be a comprehensive list. I am sure members of the community can find other attack vectors. We now come to one more attack vector:

5) Attacking the server. This is in reality the only aspect under the control of the server operator. In the case of MyMonero, this would be fluffypony.

The reality is that the attacks 1) - 4) I mentioned above have little if anything to do with the security of a particular server, and are equally applicable to any other secure online activity, for example fiat banking. In addition many of these attacks will also work against a Monero or other cryptocurrency wallet stored on one's own computer or device and even against a brain, paper, offline, etc. wallet that was created or used, using a compromised computer or device.

My take is that with MyMonero a very significant part if not most of the risk lies with the client computer or device.

Edit: Disclosure. As of this date I do not have a MyMonero wallet although I may get one in the future.
legendary
Activity: 3836
Merit: 4969
Doomed to see the future and unable to prevent it

Nothing is wrong. Mymonero attaches a small fee for each transaction:
https://mymonero.com/#/terms

Quote
5. Fees
5.1. Company Fees. Access to the account is free, but the Company may charge fees for additional Services. Specifically, and at a minimum, the Company can and does charge a fee for every transaction that is sent. Any applicable fees will be displayed in each Service.


That would make sense, the math just doesn't seem to add up to me. The amount+fee on chainradar in the transaction that was sent to ShapeShift adds up to 26.32, which is *larger* than the 26.29493623 amount+fee reported by MyMonero on the confirmation page. I'd think that it would be the other way around. Maybe someone can break down the math for me. It would also seem useful to have the confirmation page on MyMonero break it down into parts so that there's no confusion. Finally, is there a simple way to have MyMonero spend the contents of the entire wallet so that there's no need to manually figure out what amount to enter?

Ah yeah, I forgot about the MyMonero added fee. Someone reminded me of this on IRC yesterday after I posted. The remaining contradiction may be a truncation thing.

And don't forget you guys using Mymonero it is not safe to leave large amounts on. MIM attack (was presumed) has already cost someone 16,000 XMR (IIRC).
member
Activity: 70
Merit: 10
https://monerohash.com
Hey guys, just wanted to let you know that https://monerohash.com/ now supports mining directly to an exchange address using a payment ID.

Although I don't encourage mining to an exchange, I know there are some miners out there that prefer it that way, so feel free to give it a try.

Minimum payout is 7 XMR. Payments are run twice per day.

EDIT: To clarify, the minimum of 7 XMR and the frequency of 2 payments per day is for exchange addresses. Normal minimum payout is 0.3 XMR.
legendary
Activity: 2242
Merit: 3523
Flippin' burgers since 1163.
^^ I like it! Let's do a coin vote.
legendary
Activity: 1260
Merit: 1008
as lead troll dev I'm happy to announce that Monero is unofficially being rebranded as

Monetary Operational Network for Encrypted Remittance Online
legendary
Activity: 1624
Merit: 1008
I know this is not news but it was nice that it worked.

My crazed cat ended up pulling the plug out of the wall and I had to restart my comp.  When I restarted the daemon the blockchain was saved up to the point the comp was turned off so no need to sync more than the few blocks.  0.9.4.0
legendary
Activity: 1105
Merit: 1000
Hello! Can somebody explain to me how hash target works on monero?

in cpu-miner.c see this
       memset(work->target, 0xff, sizeof(work->target));
       work->target[7] = rpc2_target;

i see this in scanhash
   cryptonight_hash_ctx(hash, pdata, persistentctx);
   if (unlikely(hash[7] < ptarget[7])) {

so we are only concerned for hash[7] and target[7] really.

the way I understand target is 0xffffffff/diff, so it should be 1 at current diff right?
what happens when diff is over 0xffffffff ? we also check hash[6] or what?

and it's not obvious where this hash appears in the blockhash (like if I browse an explorer). for satoshi it's obvious where this is.

and how does monero actually validate this. could someone point me to the code that does this in the daemon?

Thanks!

I think this might help https://cryptonote.org/cns/cns003.txt

But I'm not sure.

Yes that is correct, specifically:
Quote
5. Calculation of Block Identifier

   The identifier of a block is the result of hashing the following data
   with Keccak:

      - size of [block_header, Merkle root hash, and the number of
        transactions] in bytes (varint)

      - block_header,

      - Merkle root hash,

      - number of transactions (varint).

and

Quote

   +---------------+------------------+--------------------------------+
   |     Field     |       Type       |            Content             |
   +---------------+------------------+--------------------------------+
   | major_version | varint           | Major block header version     |
   |               |                  | (always 1)                     |
   +---------------+------------------+--------------------------------+
   | minor_version | varint           | Minor block header version     |
   |               |                  |                                |
   +---------------+------------------+--------------------------------+
   | timestamp     | varint           | Block creation time            |
   |               |                  | (UNIX timestamp)               |
   +---------------+------------------+--------------------------------+
   | prev_id       | hash             | Identifier of the previous     |
   |               |                  | block                          |
   +---------------+------------------+--------------------------------+
   | nonce         | 4 bytes          | Any value which is used in the |
   |               |                  | network consensus algorithm    |
   +---------------+------------------+--------------------------------+

             Table 4.1: Block header structure description

The quotes above are specifically for computing the block identifier (hash) with keccak. The POW hash input is exactly the same, minus the leading sizeof wrapper.

EDIT (fixed link): CryptoNight web version available here: https://xmr.llcoins.net/slowhash.html

Sample block for your enjoyment:
Block: 1,000,000
Hash: a886ef5149902d8342475fee9bb296341b891ac67c4842f47a833f23c00ed721 (hash the below with keccak_256 to get this)
Identifier:
Code:
4c0102ad91a6b70509930781258c24007085a407703a6c34b2a560fef7d2c51879fb5622ff3c17d65edc0000eb4670d141a7474b07426c34f5cd0cb54dfd5bade712abdec5dbd9f8cf0fc95801
CryptoNight hash: 675f9c8d902e664c91b0bde794a4f3078947bc324c273ffd3cdc365c00000000 (hash above sans leading "4c" with CryptoNight)
Decoded:
Code:
size                             4c
major                            01
minor                            02
timestamp (varint)               ad91a6b705
previous block ID                09930781258c24007085a407703a6c34b2a560fef7d2c51879fb5622ff3c17d6
nonce (little endian)            5edc0000
merkle root                      eb4670d141a7474b07426c34f5cd0cb54dfd5bade712abdec5dbd9f8cf0fc958
number of transactions (varint)  01
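
Added example (not part of the original posts, and not Monero or cpu-miner code): a Python parser for the sample block blob above, together with the full-width proof-of-work comparison that covers the "diff over 0xffffffff" case from the question. The function names and the two difficulty values are assumptions made for illustration; the rule applied is that the hash, read as a little-endian 256-bit integer and multiplied by the difficulty, must stay below 2^256.

```python
# Added example. Blob and CryptoNight hash are copied from the post above.
BLOB_HEX = ("4c0102ad91a6b705"
            "09930781258c24007085a407703a6c34b2a560fef7d2c51879fb5622ff3c17d6"
            "5edc0000"
            "eb4670d141a7474b07426c34f5cd0cb54dfd5bade712abdec5dbd9f8cf0fc958"
            "01")
POW_HASH_HEX = "675f9c8d902e664c91b0bde794a4f3078947bc324c273ffd3cdc365c00000000"


def read_varint(buf, pos):
    """Decode a base-128 varint (low 7 bits first); return (value, next_pos)."""
    value = 0
    for shift in range(0, 64, 7):
        if pos >= len(buf):
            raise ValueError("truncated varint")
        value |= (buf[pos] & 0x7F) << shift
        pos += 1
        if not buf[pos - 1] & 0x80:
            return value, pos
    raise ValueError("varint longer than 64 bits")


def parse_block_id_blob(blob):
    """Split the block-identifier preimage into the fields of Table 4.1."""
    out = {}
    out["size"], pos = read_varint(blob, 0)
    if out["size"] != len(blob) - pos:
        raise ValueError("size prefix does not match payload length")
    out["pow_input"] = blob[pos:]  # what the post says CryptoNight hashes
    for name in ("major_version", "minor_version", "timestamp"):
        out[name], pos = read_varint(blob, pos)
    out["prev_id"] = blob[pos:pos + 32].hex()
    out["nonce"] = int.from_bytes(blob[pos + 32:pos + 36], "little")
    out["merkle_root"] = blob[pos + 36:pos + 68].hex()
    out["tx_count"], pos = read_varint(blob, pos + 68)
    if pos != len(blob):
        raise ValueError("unexpected trailing bytes")
    return out


def check_hash(pow_hash, difficulty):
    """Full-width rule: hash as little-endian 256-bit int, times difficulty."""
    return int.from_bytes(pow_hash, "little") * difficulty < (1 << 256)


def miner_word7_check(pow_hash, target7):
    """32-bit shortcut quoted from cpu-miner.c: hash[7] < ptarget[7]."""
    return int.from_bytes(pow_hash[28:32], "little") < target7


if __name__ == "__main__":
    h = bytes.fromhex(POW_HASH_HEX)
    print(parse_block_id_blob(bytes.fromhex(BLOB_HEX)))
    # Difficulties below are constructed values, not the network's.
    print(check_hash(h, 10**9), check_hash(h, 1 << 40), miner_word7_check(h, 1))
```

The last line shows why comparing only word 7 is a coarse filter: the sample hash passes the 32-bit shortcut with a target of 1, yet fails the full-width check at a constructed difficulty of 2^40. Python's hashlib.sha3_256 is NIST SHA-3 rather than the original Keccak padding, so it will not reproduce the block hash quoted above.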
legendary
Activity: 1105
Merit: 1000

Nothing is wrong. Mymonero attaches a small fee for each transaction:
https://mymonero.com/#/terms

Quote
5. Fees
5.1. Company Fees. Access to the account is free, but the Company may charge fees for additional Services. Specifically, and at a minimum, the Company can and does charge a fee for every transaction that is sent. Any applicable fees will be displayed in each Service.


That would make sense, the math just doesn't seem to add up to me. The amount+fee on chainradar in the transaction that was sent to ShapeShift adds up to 26.32, which is *larger* than the 26.29493623 amount+fee reported by MyMonero on the confirmation page. I'd think that it would be the other way around. Maybe someone can break down the math for me. It would also seem useful to have the confirmation page on MyMonero break it down into parts so that there's no confusion. Finally, is there a simple way to have MyMonero spend the contents of the entire wallet so that there's no need to manually figure out what amount to enter?

Ah yeah, I forgot about the MyMonero added fee. Someone reminded me of this on IRC yesterday after I posted. The remaining contradiction may be a truncation thing.
legendary
Activity: 1762
Merit: 1011
I'm sorry to hear that Shapeshift is not recognizing the payment as soon as it hits the tx pool. Use xmr.to. I have communicated with a Shapeshift dev on how to get the payment id from the tx pool but I guess they are too busy or something...

I noticed that ShapeShift has recently turned off all monero trades again so maybe they're actually trying to fix this now.

Yeah, looks like they must not have fixed the problem, but at least I got my refund! Sad
newbie
Activity: 11
Merit: 0
help!     How to transfer
legendary
Activity: 1260
Merit: 1008
Hello! Can somebody explain to me how hash target works on monero?

in cpu-miner.c see this
       memset(work->target, 0xff, sizeof(work->target));
       work->target[7] = rpc2_target;

i see this in scanhash
   cryptonight_hash_ctx(hash, pdata, persistentctx);
   if (unlikely(hash[7] < ptarget[7])) {

so we are only concerned for hash[7] and target[7] really.

the way I understand target is 0xffffffff/diff, so it should be 1 at current diff right?
what happens when diff is over 0xffffffff ? we also check hash[6] or what?

and it's not obvious where this hash appears in the blockhash (like if I browse an explorer). for satoshi it's obvious where this is.

and how does monero actually validate this. could someone point me to the code that does this in the daemon?

Thanks!

I think this might help https://cryptonote.org/cns/cns003.txt

But I'm not sure.
legendary
Activity: 1834
Merit: 1019
i think we will see a decent rise in price during the halving, as people want to exit btc and enter alts.

Why
member
Activity: 84
Merit: 10
i think we will see a decent rise in price during the halving, as people want to exit btc and enter alts.
sr. member
Activity: 408
Merit: 261
I'm sorry to hear that Shapeshift is not recognizing the payment as soon as it hits the tx pool. Use xmr.to. I have communicated with a Shapeshift dev on how to get the payment id from the tx pool but I guess they are too busy or something...

I noticed that ShapeShift has recently turned off all monero trades again so maybe they're actually trying to fix this now.
hero member
Activity: 687
Merit: 500
novag
$ 1,202,630 - 24h Volume on Monero!
legendary
Activity: 1596
Merit: 1030
Sine secretum non libertas
But really, is it the only reason that XMR is rising right now?
That's a topic best reserved for the XMR Speculation thread here bitcointalk.org/index.php?topic=753252.new#new
newbie
Activity: 1
Merit: 0
Hello! Can somebody explain to me how hash target works on monero?

in cpu-miner.c see this
       memset(work->target, 0xff, sizeof(work->target));
       work->target[7] = rpc2_target;

i see this in scanhash
   cryptonight_hash_ctx(hash, pdata, persistentctx);
   if (unlikely(hash[7] < ptarget[7])) {

so we are only concerned for hash[7] and target[7] really.

the way I understand target is 0xffffffff/diff, so it should be 1 at current diff right?
what happens when diff is over 0xffffffff ? we also check hash[6] or what?

and it's not obvious where this hash appears in the blockhash (like if I browse an explorer). for satoshi it's obvious where this is.

and how does monero actually validate this. could someone point me to the code that does this in the daemon?

Thanks!