-
sgp_[m]
<john_r365 "During the Monero community meet"> Sunday Aug 8 is during Defcon fwiw
-
john_r365
thanks sgp_[m], forgot about that! Would have liked to be there! Travel via Europe still isn't easy - even vaccinated - border rules mean you have to spend 14 days outside Europe before entering the USA.
-
-
ajs_[m]
hi everyone. I am thinking about taking over the monero.fm ccs proposal and would like your feedback.
repo.getmonero.org/monero-project/c…als/-/merge_requests/165#note_11219
-
sgp_[m]
How does everyone feel about the tone of the Twitter thread and Blockfolio announcement? Someone has advised me that they feel it was too extreme but I disagree
-
sethsimmons
It leans a little heavy for the actual impact possibly, but absolutely needs to be the PSA that it was.
-
sethsimmons
I don't think it's worth changing at this point.
-
sethsimmons
Just could have been a little less ominous, maybe?
-
selsta
I usually would prefer a blog post so that everyone can add their feedback on how things are formulated.
-
sgp_[m]
A blog post would still be good
-
sgp_[m]
I wasn't expecting the GitHub issue to be made public; blog post could be done and published as the GitHub issue went live I suppose?
-
sgp_[m]
*went
-
selsta
I was a bit surprised to see the twitter post that quickly.
-
dEBRUYNE
Yes, should have been discussed in the community imo
-
jtgrassie
agreed
-
selsta
If a bug affects less than 1% of transactions it should be made clear so that users can understand the impact of it.
-
sethsimmons
Especially with the media coverage being as poor as it is in CC, I'm a bit worried this is being blown out of proportion.
-
sethsimmons
It is an issue, but it needs to be clear that it likely won't affect you, the user.
-
selsta
Yes, not making the impact of a bug clear will just result in bad reporting of the bug.
-
jackmonerouk[m]
I Was Explaining To A Few People In Clubhouse How Insignificant This Bug Was In Regards To What It Exposed. However, How Significant That It Was Spotted And Soon To Be Rectified. Out Of Interest, Is This Something That Would Have Been "Replaced/Modified" Upon The Introduction Of Triptych?
-
sethsimmons
AFAICT it would have been made less impactful but not nullified.
-
sethsimmons
Good to catch and remedy now 🙂
-
jackmonerouk[m]
For Sure ✌️
-
selsta
Would have added the Addendum underneath the tweets, otherwise people who get linked to the tweet series don't see it.
-
chad[m]
What tweet is everyone talking about?
-
selsta
There were some tweets on the official monero twitter account about it.
-
jtgrassie
and now Coindesk is running a story with lots of "Monero said" quotes (of course cherry picking the most devastating sounding)
-
jtgrassie
I think there's a few lessons to be learnt here:
-
jtgrassie
1) the bug should probably not have been publicly disclosed until the impact was verified and ideally fixed
-
jtgrassie
2) a write up should have been coordinated with the primary purpose being explaining:
-
jtgrassie
a. the cause
-
jtgrassie
b. what's needed for users to mitigate
-
jtgrassie
Users' privacy being the primary concern (and not scare-mongering)
-
jtgrassie
Truth be told, we've responded better than this in the past (to bugs/weaknesses).
-
selsta
Agree.
-
selsta
At least a write up should be coordinated if it has to be disclosed before a fix is released.
-
sgp_[m]
<jtgrassie "1) the bug should probably not h"> Well, this was something apparently Luigi approved to be public
-
sgp_[m]
<jtgrassie "Users privacy being the primary "> Fwiw, this is something a user can fuck up now, so the earlier the education the better all else equal
-
sgp_[m]
It is a little weird to me that devs are wanting to hold back information from users who can ruin their privacy in the meantime for optics reasons
-
sgp_[m]
I understand discussing drafts, but delaying makes no sense to me when it was already public
-
selsta
I don't have issues with it being disclosed as it was on Github, as it isn't a bug that can be abused by attackers.
-
sgp_[m]
Yeah that's a good point of distinction, it's a user education issue before being patched not a "hopefully attackers don't do this" problem
-
mcfranko[m]
<selsta "I don't have issues with it bein"> Couldn't an attacker use this to eliminate decoys? An attacker could go through the chain and find outputs that were spent very quickly after being made, and then know which output was the real one. By disclosing this, it allows for attackers to do that
-
selsta
Yes but we can't change that anyway.
-
jtgrassie
sgp_[m]: "so the earlier the education the better" <- I don't disagree with this and it was not what I was suggesting
-
sgp_[m]
Well they could do that whenever it was eventually disclosed for all the past transactions anyway
-
sgp_[m]
Okay, well if you have suggestions for better wording I will consider it for next time
-
jtgrassie
sgp_[m]: "It is a little weird to me that devs are wanting to hold back information from users" <- again, not what I was suggesting
-
jtgrassie
In the past, there would be discussion about a public response.
-
selsta
Now there are multiple articles about a "significant privacy bug" and nowhere is the impact (1%) mentioned. A casual user will simply be scared now.
-
sgp_[m]
I did DM another Twitter account user for feedback and it took 16 hours for a response fwiw. I didn't run the draft here or elsewhere first though
-
selsta
Specifying the impact of a bug isn't "saving optics" IMO. It helps the user to categorize the bug.
-
sgp_[m]
Well, it is in my view a significant privacy bug if people can reveal the real spend using the official software accidentally
-
sgp_[m]
The 1% only means there isn't a chain reaction impact really
-
jtgrassie
selsta: 100% agree
-
jtgrassie
sgp_[m]: I'm not pointing fingers or anything, merely raising a frustration that this episode lacked some of the prior coordination of disclosure
-
sgp_[m]
If I had the data on the % I would have included it in the initial tweets, but I didn't have that when I sent it out. In hindsight I should have asked for the %
-
jtgrassie
hindsight's a beautiful thing ;-)
-
selsta
FWIW the % number still isn't visible if you click on the tweet series as it was posted as a separate tweet.
-
sgp_[m]
Yeah I assume that was done for greater visibility but I'm not 100% sure. I didn't add the follow up
-
selsta
Yep but now it has worse visibility as all the articles link to the tweet series and not the follow up :S
-
sgp_[m]
I can add the link to the bottom of the original chain but then I think it will change the order of the tweets at the top of the account
-
sgp_[m]
I can revisit making a group chat for disclosures; that was left behind on Freenode. I'd much rather do all this on Matrix though
-
sgp_[m]
Seems odd to me to be sending unencrypted messages about sensitive stuff. Matrix rooms are encrypted
-
jtgrassie
Both this selection bug and the div0 bug, the ideal would have been responsible disclosure (the VRP)
-
jtgrassie
Followed by a coordinated public response.
-
jtgrassie
Both of these unfortunately not done.
-
jtgrassie
And both now misreported.
-
selsta
the VRP process was mostly done by anonimal
-
jtgrassie
luigi, moo and fp
-
jtgrassie
Anyway, as I mentioned, lessons to be learnt is all.
-
selsta
right but I think this was talked about with some of the above people and they didn't redirect to the VRP
-
jtgrassie
that's right
-
selsta
so that's why I meant ideally we would have someone replacing anonimal who specializes in this
-
jtgrassie
and there was no discussion for a post from monero-announce⊙lgo
-
sgp_[m]
I wonder why this didn't get sent to the VRP, maybe just because they felt activity was stale
-
sgp_[m]
They = the devs that were contacted
-
sgp_[m]
Because Justin did reach out to some relevant people directly afaik
-
jtgrassie
I don't think there was a clear understanding of the impact at first.
-
jtgrassie
(with both bugs)
-
jtgrassie
both bugs were kind of found by accident whilst jberman was discussing something else with secparam and sech (as I understand following the chat)
-
jtgrassie
So somewhat understandable VRP was missed
-
selsta
sgp_[m]: one last thing, I think we should always prioritize a blog post over tweets if the time allows it
-
selsta
we can't change tweets and information often changes
-
sgp_[m]
I agree
-
kinghat[m]
tweets pointing to blog posts