<john_r365 "During the Monero community meet"> Sunday Aug 8 is during Defcon fwiw

thanks sgp_[m], forgot about that! Would have liked to be there! Travel via europe still isn't easy - even vaccinated - border rules mean you have to spend 14 days outside europe before entering USA.

hi everyone. I am thinking about taking over the monero.fm ccs proposal and would like your feedback. repo.getmonero.org/monero-project/c…als/-/merge_requests/165#note_11219

How does everyone feel about the tone of the Twitter thread and Blockfolio announcement? Someone has advised me that they feel it was too extreme but I disagree

It leans a little heavy for the actual impact possibly, but absolutely needs to be the PSA that it was.

I don't think it's worth changing at this point.

Just could have been a little less ominous, maybe?

I usually would prefer a blog post so that everyone can add their feedback on how things are formulated.

A blog post would still be good

I wasn't expecting the GitHub issue to be made public; blog post could be done and published as the GitHub wilent live I suppose?

*went

I was a bit surprised to see the twitter post that quickly.

Yes, should have been discussed in the community imo

agreed

If a bug affects less than 1% of transactions it should be made clear so that users can understand the impact of it.

Especially with the media coverage being as poor as it is in CC, I'm a bit worried this is being blown out of proportion.

It is an issue, but it needs to be clear that it likely won't affect you, the user.

Yes, not making the impact of a bug clear will just result in bad reporting of the bug.

I Was Explaining To A Few People In Clubhouse How Insignificant This Bug In Regards To What It Exposed. However How Significant That It Was Spotted And Soon To Be Rectified, Out Of Interest Is This Something That Would Have Been “Replaced/Modified” Upon The Introduction Of Triptych?

AFAICT it would have been made less impactful but not nullified.

Good to catch and remedy now 🙂

For Sure ✌️

Would have added the Addendum underneath the tweets, otherwise people who get linked to the tweet series don't see it.

What tweet is everyone talking about?

There were some tweets on the official monero twitter account about it.

and now Coindesk is running a story with lots of "Monero said" quotes (of course cherry picking the most devastating sounding)

I think there's a few lessons to be learnt here:

1) the bug should probably not have been publically disclosed until the impact verified and ideally fixed

2) a write up should have been coordinated with the primary purpose being explaining:

a. the cause

b. what's needed for users to mitigate

Users privacy being the primary concern (and not scare-mongering)

Truth be told, we've responded better than this in the past (to bugs/weaknesses).

Agree.

At least a write up should be coordinated if it has to be disclosed before a fix if released.

<jtgrassie "1) the bug should probably not h"> Well, this was something apparently Luigi approved to be public

<jtgrassie "Users privacy being the primary "> Fwiw, this is something a user can fuck up now, so the earlier the education the better all else equal

It is a little weird to me that devs are wanting to hold back information from users who can ruin their privacy in the meantime for optics reasons

I understand discussing drafts, but delaying makes no sense to me when it was already public

I don't have issues with it being disclosed as it was on Github, as it isn't a bug that can be abused by attackers.

Yeah that's a good point of distinction, it's a user education issue before being patched not a "hopefully attackers don't do this" problem

<selsta "I don't have issues with it bein"> Couldn't an attacker use this to eliminate decoys? An attacker could go through the chain and find outputs that were spent very quickly after being made, and then know which output was the real one. By disclosing this, it allows for attackers to do that

Yes but we can't change that anyway.

sgp_[m]: "so the earlier the education the better" <- I don't disagree with this and it was not what I was suggesting

Well they could do that whenever it was eventually disclosed for all the past transactions anyway

Okay, well if you have suggestions for better wording I will consider it for next time

sgp_[m]: "It is a little weird to me that devs are wanting to hold back information from users" <- again, not what I was suggesting

In the past, there would be discussion about a public response.

Now there multiple articles now about "significant privacy bug" and no where is the impact (1%) mentioned. A casual user will simply be scared now.

I did DM another Twitter account user for feedback and it took 16 hours for a response fwiw. I didn't run the draft here or elsewhere first though

Specifying the impact of a bug isn't "saving optics" IMO. It helps the user to categorize the bug.

Well, it is in my view a significant privacy bug if people can reveal the real spend using the official software accidentally

The 1% only means there isn't a chain reaction impact really

selsta: 100% agree

sgp_[m]: I'n not pointing fingers or anything, merely raising a frustration that this episode lacked some of the prior coordination of disclosure

If I had the data on the % I would have included it in the intiial tweets, but I didn't have that when I sent it out. In hindsight I should have asked for the %

hindsight's a beautiful thing ;-)

FWIW the % number still isn't visible if you click on the tweet series as it was posted as a separate tweet.

Yeah I assume that was done for greater visibility but im not 100% sure. I didn't add the follow up

Yep but now it has worse visibility as all the articles link to the tweet series and not the follow up :S

I can add the link to the bottom of the original chain but then I think it will change the order of the tweets at the top of the account

I can revisit making a group chat for disclosures; that was left behind on Freenode. I'd much rather do all this on Matrix though

Seems odd to me to be sending unencrypted messages about sensitive stuff. Matrix rooms are encrypted

Both this selection bug and the div0 bug, the ideal would have been responsible disclosure (the VRP)

Followed by a coordinated public response.

Both of these unfortunately not done.

And both now misreported.

the VRP process was mostly done by anonimal

luigi, moo and fp

Anyway, as I mentioned, lessons to be learnt is all.

right but I think this was talked about with some of the above people and they didn't redirect to the VRP

that's right

so that's why I meant ideally we would have someone replacing anonimal who specializes on this

and there was no discussion for a post from monero-announce⊙lgo

I wonder why this didn't get sent to the VRP, maybe just because they felt activity was stale

They = the devs that were contacted

Because Justin did reach out to some relevant people directly afaik

I don't think there was a clear understanding of the impact at first.

(with both bugs)

both bugs were kind of found by accident whilst jberman was discussing something else with secparam and sech (as I understand following the chat)

So somewhat understandable VRP was missed

sgp_[m]: one last thing, I think we should always prioritize a blog post over tweets if the time allows it

we can't change tweets and information often changes

I agree

tweets pointing to blog posts