06:47:06 <sgp_[m]> <john_r365 "During the Monero community meet"> Sunday Aug 8 is during Defcon fwiw
07:45:39 <john_r365> thanks sgp_[m], forgot about that! Would have liked to be there! Travel via europe still isn't easy - even vaccinated - border rules mean you have to spend 14 days outside europe before entering USA.
13:43:53 * vikrantCake[m]  < https://libera.ems.host/_matrix/media/r0/download/libera.chat/6e8ab261f84f15923d4051d22f7bade5cef1c969/message.txt >
15:06:19 <ajs_[m]> hi everyone. I am thinking about taking over the monero.fm ccs proposal and would like your feedback. https://repo.getmonero.org/monero-project/ccs-proposals/-/merge_requests/165#note_11219
18:53:32 <sgp_[m]> How does everyone feel about the tone of the Twitter thread and Blockfolio announcement? Someone has advised me that they feel it was too extreme but I disagree
18:55:10 <sethsimmons> It leans a little heavy for the actual impact possibly, but absolutely needs to be the PSA that it was.
18:55:17 <sethsimmons> I don't think it's worth changing at this point.
18:55:25 <sethsimmons> Just could have been a little less ominous, maybe?
19:02:27 <selsta> I usually would prefer a blog post so that everyone can add their feedback on how things are formulated.
19:04:22 <sgp_[m]> A blog post would still be good
19:04:30 <sgp_[m]> I wasn't expecting the GitHub issue to be made public; blog post could be done and published as the GitHub wilent live I suppose?
19:04:39 <sgp_[m]> *went
19:04:55 <selsta> I was a bit surprised to see the twitter post that quickly.
19:13:21 <dEBRUYNE> Yes, should have been discussed in the community imo
19:44:45 <jtgrassie> agreed
20:07:26 <selsta> If a bug affects less than 1% of transactions it should be made clear so that users can understand the impact of it.
20:08:24 <sethsimmons> Especially with the media coverage being as poor as it is in CC, I'm a bit worried this is being blown out of proportion.
20:08:40 <sethsimmons> It is an issue, but it needs to be clear that it likely won't affect you, the user.
20:09:22 <selsta> Yes, not making the impact of a bug clear will just result in bad reporting of the bug.
20:16:51 <jackmonerouk[m]> I Was Explaining To A Few People In Clubhouse How Insignificant This Bug In Regards To What It Exposed. However How Significant That It Was Spotted And Soon To Be Rectified, Out Of Interest Is This Something That Would Have Been “Replaced/Modified” Upon The Introduction Of Triptych?
20:17:21 <sethsimmons> AFAICT it would have been made less impactful but not nullified.
20:17:48 <sethsimmons> Good to catch and remedy now 🙂
20:19:24 <jackmonerouk[m]> For Sure ✌️
20:31:58 <selsta> Would have added the Addendum underneath the tweets, otherwise people who get linked to the tweet series don't see it.
20:38:18 <chad[m]> What tweet is everyone talking about?
20:38:37 <selsta> https://github.com/monero-project/monero/issues/7807
20:38:53 <selsta> There were some tweets on the official monero twitter account about it.
21:54:41 <jtgrassie> and now Coindesk is running a story with lots of "Monero said" quotes (of course cherry picking the most devastating sounding)
21:56:41 <jtgrassie> I think there's a few lessons to be learnt here:
21:57:25 <jtgrassie> 1) the bug should probably not have been publically disclosed until the impact verified and ideally fixed
21:58:12 <jtgrassie> 2) a write up should have been coordinated with the primary purpose being explaining:
21:58:25 <jtgrassie> a. the cause
21:58:44 <jtgrassie> b. what's needed for users to mitigate
21:59:31 <jtgrassie> Users privacy being the primary concern (and not scare-mongering)
22:02:02 <jtgrassie> Truth be told, we've responded better than this in the past (to bugs/weaknesses).
22:08:41 <selsta> Agree.
22:12:15 <selsta> At least a write up should be coordinated if it has to be disclosed before a fix if released.
22:50:05 <sgp_[m]> <jtgrassie "1) the bug should probably not h"> Well, this was something apparently Luigi approved to be public
22:50:31 <sgp_[m]> <jtgrassie "Users privacy being the primary "> Fwiw, this is something a user can fuck up now, so the earlier the education the better all else equal
22:52:07 <sgp_[m]> It is a little weird to me that devs are wanting to hold back information from users who can ruin their privacy in the meantime for optics reasons
22:53:51 <sgp_[m]> I understand discussing drafts, but delaying makes no sense to me when it was already public
22:55:22 <selsta> I don't have issues with it being disclosed as it was on Github, as it isn't a bug that can be abused by attackers.
22:57:42 <sgp_[m]> Yeah that's a good point of distinction, it's a user education issue before being patched not a "hopefully attackers don't do this" problem
22:59:42 <mcfranko[m]> <selsta "I don't have issues with it bein"> Couldn't an attacker use this to eliminate decoys? An attacker could go through the chain and find outputs that were spent very quickly after being made, and then know which output was the real one. By disclosing this, it allows for attackers to do that
22:59:57 <selsta> Yes but we can't change that anyway.
23:00:07 <jtgrassie> sgp_[m]: "so the earlier the education the better" <- I don't disagree with this and it was not what I was suggesting
23:00:14 <sgp_[m]> Well they could do that whenever it was eventually disclosed for all the past transactions anyway
23:00:35 <sgp_[m]> Okay, well if you have suggestions for better wording I will consider it for next time
23:00:46 <jtgrassie> sgp_[m]: "It is a little weird to me that devs are wanting to hold back information from users" <- again, not what I was suggesting
23:01:39 <jtgrassie> In the past, there would be discussion about a public response.
23:01:46 <selsta> Now there multiple articles now about "significant privacy bug" and no where is the impact (1%) mentioned. A casual user will simply be scared now.
23:02:01 <sgp_[m]> I did DM another Twitter account user for feedback and it took 16 hours for a response fwiw. I didn't run the draft here or elsewhere first though
23:02:30 <selsta> Specifying the impact of a bug isn't "saving optics" IMO. It helps the user to categorize the bug.
23:02:38 <sgp_[m]> Well, it is in my view a significant privacy bug if people can reveal the real spend using the official software accidentally
23:03:29 <sgp_[m]> The 1% only means there isn't a chain reaction impact really
23:03:30 <jtgrassie> selsta: 100% agree
23:04:49 <jtgrassie> sgp_[m]: I'n not pointing fingers or anything, merely raising a frustration that this episode lacked some of the prior coordination of disclosure
23:05:04 <sgp_[m]> If I had the data on the % I would have included it in the intiial tweets, but I didn't have that when I sent it out. In hindsight I should have asked for the %
23:05:41 <jtgrassie> hindsight's a beautiful thing ;-)
23:05:53 <selsta> FWIW the % number still isn't visible if you click on the tweet series as it was posted as a separate tweet.
23:06:51 <sgp_[m]> Yeah I assume that was done for greater visibility but im not 100% sure. I didn't add the follow up
23:07:17 <selsta> Yep but now it has worse visibility as all the articles link to the tweet series and not the follow up :S
23:08:11 <sgp_[m]> I can add the link to the bottom of the original chain but then I think it will change the order of the tweets at the top of the account
23:10:04 <sgp_[m]> I can revisit making a group chat for disclosures; that was left behind on Freenode. I'd much rather do all this on Matrix though
23:13:08 <sgp_[m]> Seems odd to me to be sending unencrypted messages about sensitive stuff. Matrix rooms are encrypted
23:13:31 <jtgrassie> Both this selection bug and the div0 bug, the ideal would have been responsible disclosure (the VRP)
23:13:50 <jtgrassie> Followed by a coordinated public response.
23:14:17 <jtgrassie> Both of these unfortunately not done.
23:14:44 <jtgrassie> And both now misreported.
23:15:37 <selsta> the VRP process was mostly done by anonimal
23:17:04 <jtgrassie> luigi, moo and fp 
23:17:14 <jtgrassie> https://github.com/monero-project/meta/blob/master/VULNERABILITY_RESPONSE_PROCESS.md
23:17:53 <jtgrassie> Anyway, as I mentioned, lessons to be learnt is all.
23:18:40 <selsta> right but I think this was talked about with some of the above people and they didn't redirect to the VRP
23:19:31 <jtgrassie> that's right
23:20:20 <selsta> so that's why I meant ideally we would have someone replacing anonimal who specializes on this
23:22:21 <jtgrassie> and there was no discussion for a post from monero-announce⊙lgo
23:22:55 <sgp_[m]> I wonder why this didn't get sent to the VRP, maybe just because they felt activity was stale
23:23:04 <sgp_[m]> They = the devs that were contacted
23:23:23 <sgp_[m]> Because Justin did reach out to some relevant people directly afaik
23:23:43 <jtgrassie> I don't think there was a clear understanding of the impact at first. 
23:24:01 <jtgrassie> (with both bugs)
23:32:24 <jtgrassie> both bugs were kind of found by accident whilst jberman was discussing something else with secparam and sech (as I understand following the chat)
23:33:15 <jtgrassie> So somewhat understandable VRP was missed
23:39:48 <selsta> sgp_[m]: one last thing, I think we should always prioritize a blog post over tweets if the time allows it
23:40:02 <selsta> we can't change tweets and information often changes
23:40:17 <sgp_[m]> I agree
23:42:42 <kinghat[m]> tweets pointing to blog posts