Topic: [XMR] Monero - A secure, private, untraceable cryptocurrency - page 783. (Read 4671575 times)

"It is not sent to the server"

For the sake of the Monero community I think I have to point out here that this is actually a lie that is told repeatedly by Fluffypony & Smooth and other core members.

As I showed back in June, and Smooth is fully aware of, MyMonero.com had code specifically inserted to send private keys to the server, and was doing so successfully (and as far as I know, still is) https://bitcointalksearch.org/topic/m.11529538

Fluffypony provided an explanation that it was used for 'testing' on that thread, but as far as I know, the Monero community was never told about it officially, apart from my post in the alt section.

So if you have used MyMonero, it's likely your private keys *have* been sent to the server, and also stored in clear text on your own HD in a cookie.

I never saw an announcement that this as fixed, or that the vulnerability exists - if it's fixed and you still want to use MyMonero, the safe thing to do is move your funds from any old addresses to new addresses, as the old ones are potentially compromised.

"It is not sent to the server"

"It is not sent to the server"

For the sake of the Monero community I think I have to point out here that this is actually a lie that is told repeatedly by Fluffypony & Smooth and other core members.

As I showed back in June, and Smooth is fully aware of, MyMonero.com had code specifically inserted to send private keys to the server, and was doing so successfully (and as far as I know, still is) https://bitcointalksearch.org/topic/m.11529538

Fluffypony provided an explanation that it was used for 'testing' on that thread, but as far as I know, the Monero community was never told about it officially, apart from my post in the alt section.

So if you have used MyMonero, it's likely your private keys *have* been sent to the server, and also stored in clear text on your own HD in a cookie.

I never saw an announcement that this as fixed, or that the vulnerability exists - if it's fixed and you still want to use MyMonero, the safe thing to do is move your funds from any old addresses to new addresses, as the old ones are potentially compromised.

This is 100% correct, but it is also old (as in it predates MyMonero's official launch). Why you're seeing a very old version of the main page is beyond me, but that version of account.js hasn't been around for many, many months. I've confirmed on multiple systems that index.html is passing the correct account.js, and that account.js does not contain that old code. Additionally, you're passing ?2, which is a cachebuster value that we use to ensure nobody is receiving a cached version. Whilst this doesn't match the cachebuster value right now (?4) it still shouldn't have served up such a very, very old file. This could very well be an issue introduced when we were deploying a Phonegap-based QR code scanner on Tuesday morning, but that was rolled back after an hour as it caused endless issues in its detection of mobile devices. To make doubly-sure that this isn't occurring anymore I've cleared every possible server-side cache that could have been serving it.

In order to confirm that this functionality was indeed accidental (in that it was poorly thought through) and also removed ages ago I checked archive.org. The most recent capture of MyMonero is from May 13th, 2015 (https://web.archive.org/web/20150513233042/https://mymonero.com/#/) and has the following account.js: https://web.archive.org/web/20150513233042/https://mymonero.com/js/services/account.js?1 - you can confirm in that, and older versions, that there is no cookie-storage code.

It is important to note JavaScript-based wallets are never going to be really safe, and MyMonero is no exception. I've said before that MyMonero is merely a stopgap solution until we have libraryise completed (so that third-party GUI developers can better hook into core functions) and/or we've found an SPV-style solution (our current work is on using a bloom filter for viewkeys instead of passing the raw viewkey) for lightweight wallets. In fact, the website even says quite clearly: "The clients below are ideal if you are using Monero for the first time".

The spend key (and therefore one-time private key for each output on the chain) are derived by Javascript in the browser when you type in your login key. It is not sent to the server. Any transactions you send are likewise created and signed in the browser before being sent to the server.

What is sent to the server is your view key which the server uses to identify your incoming transactions. That key alone does not allow spending.

It is great if someone can explain why "only you know your private keys." is true and how mymonero.com can check balance and send transactions on behalf of user without exposing his private key to mymonero.com owner. I think that it would be a FAQ.

I agree with the other posters. The engine is more important than the body. This is not to say that the body (GUI wallet) is not important. It's been said that it's coming, although technically there are GUIs now. The one that seems most easy to use is:

https://mymonero.com/#/

Since it's web-based, it can be used virtually anywhere and only you know your private keys.

Opinions needed about increasing the blocktime -> https://forum.getmonero.org/20/general-discussion/2401/increasing-the-block-time

Will we ever see an official GUI wallet for Monero? How do you expect non-tech savvy people to use this coin without an easy wallet? Is it really too hard to make a wallet for 1.5 years?

The developers made non crowd pleasing hard decisions, but they were the right ones.

Soon.

How do you expect non tech-savy people to use a coin that has flawed software inherited from its primary implementation (bytecoin)? Is it really hard to move the blockchain to a database format without causing undesired hardforks? Is it really hard to otherwise maintain and improve upon software that was purposely stripped of any inline documentation by the original developers, even though its COMPLETELY NOVEL CRYPTOCURRENCY SOFTWARE?

Yes, the core developers could have focused their efforts on a GUI, and then the database implementation would be another year off instead of a matter of weeks or months. And then the increased usage due to whatever widespread adoption that is guaranteed to occur with a GUI would have made the blockchain huge so that only people with 12 gigs of ram could run it. So then the network would be maintained by like 5 people instead of the hundred or so it is now.

monero development history visualization: https://www.youtube.com/watch?v=TLjAQJqghRI

I just added the music to make it a bit more lively.  

Probably not.

http://www.coinwrite.org/coinfires-scuttlebutt-radar-locked-on-cryptsy/

http://blog.cryptsy.com/post/130547612142/re-coinfire

monero development history visualization: https://www.youtube.com/watch?v=TLjAQJqghRI

I just added the music to make it a bit more lively.  

Probably not.

http://www.coinwrite.org/coinfires-scuttlebutt-radar-locked-on-cryptsy/

http://blog.cryptsy.com/post/130547612142/re-coinfire

The author claims that Fincen has discovered that Cryptsy is involved in “terrorism funding”.

Will we ever see an official GUI wallet for Monero? How do you expect non-tech savvy people to use this coin without an easy wallet? Is it really too hard to make a wallet for 1.5 years?

Is it really too hard to make a wallet for 1.5 years?

Will we ever see an official GUI wallet for Monero? How do you expect non-tech savvy people to use this coin without an easy wallet? Is it really too hard to make a wallet for 1.5 years?