-
escapethe3ra[m]
-
cryptogrampy[m]
t.me/monero/853787. Hotshop (with Shrum, Tor browser and Feather wallet) being tested/used out in the wild 😎👀😅
-
monerobull[m]
<cryptogrampy[m]> "t.me/monero/853787..." <- You should really have the first and last few characters of the addresses shown, can't trust qr codes anymore
-
cryptogrampy[m]
I was planning on generating a unique, but reproducible avatar/image using a user's primary address/view key to make it easy to compare (though not sure where I would put it- perhaps at center of QR)
-
cryptogrampy[m]
I do like the idea of first/last characters as well, though I would question how often a merchant will verify those
-
cryptogrampy[m]
either way, with enough time, a nefarious person could just generate an address that matches or an avatar that looks very similar
-
cryptogrampy[m]
the only true way to be sure is to go through every character
-
cryptogrampy[m]
Okay brain just turned on, yeah it probably does make sense to scan a QR and see that an address matches
-
monerobull[m]
<cryptogrampy[m]> "the only true way to be sure..." <- It's easy to get the first few characters generated but way harder to get the first +last few
-
monerobull[m]
This is also just supposed to be a safeguard against malware or something like Google's ai cam messing with qr codes
-
merope
<monerobull[m]> "It's easy to get the first few..." <- Iirc there was a clipboard malware that matched up to the first+last 6
-
merope
So I would go for a visual fingerprint, like something with emojis
-
merope
Like element does when you register a new device
-
cryptogrampy[m]
-
merope
Or like telegram does when calling someone
-
cryptogrampy[m]
i was probably going to use this guy's library
-
merope
Yeah, that works too
-
cryptogrampy[m]
merope: it's still a problem for the payer though, but at the end of the day, no store is validating that there is or isn't malware on a customer's device
-
merope
Hmmm, we would need that same library to be used in the customer's walletn though... otherwise they'll have nothing to compare with
-
cryptogrampy[m]
correct
-
merope
s/walletn/wallet/
-
cryptogrampy[m]
there's probably a need for an emoji-like verification system
-
cryptogrampy[m]
would be really slick in a wallet- does this shape match the image on the screen?
-
cryptogrampy[m]
it could actually be added in as part of the monero uri
-
cryptogrampy[m]
&security_code=293abc
-
merope
The library you linked works too - although I'm not sure if colorblind people will have issues with its color range
-
cryptogrampy[m]
&security_code=🍕👴
-
merope
I was thinking you just generate the image from the receiving wallet address
-
merope
It's essentially a visual representation of the pubkey fingerprint
-
merope
Same image == correct wallet address
-
cryptogrampy[m]
merope: if everyone could agree on a protocol for that, it would be amazing
-
cryptogrampy[m]
something like Urbit
-
cryptogrampy[m]
merope: yep. that's how i was going to do it in hotshop- base it on the primary address
-
cryptogrampy[m]
urbit's sigil thingy
-
merope
Otherwise, if it's a code separate from the address, it would be easy to attack (generate the same image, but replace the address - unless you take extra care in generating the code in some specific way that depends on the address
-
cryptogrampy[m]
i do think using a visual representation is probably not the way to go
-
merope
* the address)
-
cryptogrampy[m]
it would either need to be emojis or text to be accessible
-
merope
cryptogrampy[m]: Not as good imo - only two colors, and too many tiny details
-
merope
Emojis are definitely the best option imo - many different colors and familiar shapes, so easy to recognize and describe and spot any differences
-
cryptogrampy[m]
i think it should be like 2fa- the payment generator creates a 6 digit code and the payer needs to see it on their device
-
cryptogrampy[m]
they just send it as part of the uri
-
cryptogrampy[m]
merope: not everyone can see though
-
merope
2fa proves that you own a certain secret, kind of a different application - though I think it would work, incidentally
-
merope
cryptogrampy[m]: Hence the "describe" part: still easy to describe "poop emoji, baseball, car, fire, raindrops, rocket"
-
merope
* work, incidentally (but you don't need the time component - it could just be a static code)
-
cryptogrampy[m]
could probably just be 1 emoji
-
cryptogrampy[m]
tbh
-
cryptogrampy[m]
yat is using 5 for an entire address scheme
-
merope
1 might be too "coarse" - telegram and matrix do 4, iirc
-
cryptogrampy[m]
🍆
-
merope
To represent a 64-byte public key
-
cryptogrampy[m]
does that make you feel comfortable buying your prescription medication at the pharmacy
-
cryptogrampy[m]
"please validate that the peni- eggplant emoji matches what you see on the screen, sir"
-
merope
<merope> "2fa proves that you own a..." <- Although... with static fingerprints, once you know an address's static code, a malware could be extra sneaky and try to show you the same code when you resend to the same address, but change the address
-
cryptogrampy[m]
ah. yeah, i still think it should be random per tx
-
merope
But that would imply that the wallet software you're using has been compromised, so it's a moot point
-
cryptogrampy[m]
that's more 2fa-ery
-
merope
(Because if that were the case, then the hacker could just steal your seed)
-
cryptogrampy[m]
i guess the question is who are we protecting- the merchant or the customer
-
merope
The sender, so the customer
-
merope
Making sure they don't send money into the void, or a clipbpard malware's address
-
cryptogrampy[m]
okay. yeah, i think a random value displayed on the payment QR and sent as part of the URI would be my choice
-
cryptogrampy[m]
👮
-
merope
That value must be generated in a deterministic way off of the recipient's address, no need to extend the uri scheme
-
cryptogrampy[m]
merope: yeah that does make sense, doesn't it
-
cryptogrampy[m]
we assume the merchant has their shit together
-
cryptogrampy[m]
so 1 or 3, and how do we generate
-
merope
s/clipbpard/clipboard/
-
cryptogrampy[m]
🫃
-
cryptogrampy[m]
to finalize your bible purchase, please verify the pregnant man matches the pregnant man in your wallet
-
merope
Lol
-
cryptogrampy[m]
emojis are probably too controversial and not sexy enough for a global payment system
-
cryptogrampy[m]
> riccardo spagni has entered the chat
-
merope
Only because nobody has made them yet 😎
-
merope
I mean, the goal is to have something with familiar shapes and colors
-
merope
Because you can immediately recognize them, without even thinking
-
cryptogrampy[m]
true
-
merope
Hell, you're even helping dyslexic people
-
cryptogrampy[m]
and you're more likely to look at one than a random number or string
-
merope
Yep
-
cryptogrampy[m]
so will main and subaddresses have different emojis
-
merope
Soooo who's gonna make a pr to include this emoji fingerprint system inside wallet2?
-
merope
cryptogrampy[m]: Sure: different address, so different fingerprint
-
dsc_
what are we emojiing?
-
dsc_
and why
-
dsc_
(im too lazy to read the text above)
-
merope
Using emojis as fingerprints for the recipient's address in the wallet, to allow the sender easy verification that the destination is correct
-
cryptogrampy[m]
Okay one more problem. If it's not part of the URI... &validate=true, the wallet won't know whether or not the PoS / merchant supports the emoji thing
-
merope
That's why I'm saying to include it into wallet2 - afaik it's the base library used in the main wallets (cli, gui, feather, monerujo, cake, and maybe some of the other ones)
-
cryptogrampy[m]
but what if i don't display the emoji in my QR?
-
merope
So the wallets themselves would only need to include a field to show the emoji fingerprint when/before asking confirmation
-
merope
cryptogrampy[m]: No need
-
merope
The recipient shows you the qr and the emojis next to it
-
merope
The recipient scans the qr, their wallet generated the emoji fingerprint, and they visually check that it matches
-
cryptogrampy[m]
so hotshop for example doesn't use a standard qr
-
merope
Though I guess you could steal the central part of the qr and replace it with 4 emojis
-
merope
Dunno about their size or how accurate the image would be though
-
merope
But that might be solvable by just increasing the resolution of the image?
-
dsc_
merope: feather wallet has a 'special' address viewing mode for this reason, it shows it like "blabla .... blabla"
-
dsc_
emojis is an interesting idea
-
merope
Separating the characters into groups definitely helps
-
merope
Emojis would be the "next step" in that regard - even easier to identify, and works well for dyslexic people too
-
dsc_
but why would someone need to double check the QR code?
-
dsc_
if the wallet was able to scan the QR code, it implies it already passed the address regex validation step
-
merope
They wouldn't check the qr code, it would just be a way to transmit the emojis along with the qr
-
merope
But as I was saying, I don't really think it's necessary
-
chesterfield[m]
dsc_: It’s a validation that they haven’t been clipboard hijacked
-
dsc_
ah got it
-
chesterfield[m]
I think
-
chesterfield[m]
QR code alone doesn’t provide any address numbers visually so there’s a lot of room for mischief.
-
merope
But that qr would be generated directly by the recipient's wallet or pos software, so the assumption would be that their software isn't compromised
-
merope
But emojis would indeed help the recipient too, in the case where they are copy-pasting their address to share it with the sender
-
johnfoss68[m]
-
monerobull[m]
I guess the shop owner could use unstoppable domains/yats
-
monerobull[m]
Not sure if that works with HotShop though
-
plowsof[m]
emojis? yes 🥹 btw, regarding the multi sig fix, RINO have funded it "The contract has been signed and the audit will start on Monday" full details in monero-dev or here
libera.monerologs.net/monero-dev/20220602#c103760
-
plowsof[m]
Funded the Audit*
-
MajesticExchange
I missed the conversation, but feel free to message me to claim 3k for multi-sig audit
-
MajesticExchange
oh my bad
-
plowsof[m]
Nice MajesticExchange , i suppose that would be a direct payment to RINO (as they are funding it all) arnuschky would handle that, he's active there now in dev
-
MajesticExchange
yes, thanks for pointing out
-
QuickBASIC
Regarding the emoji thing... Don't most people just memorize the last 8 or so characters of their address anyway? The chances of a hacker generating a valid address with the same ending as mine is pretty astronomical, right?
-
Rucknium[m]
Let's see... 58^8 = 1.280631e+14, which is about 128 trillion. Storing that many addresses in a remote server that is called when a compromised user pastes a Monero address seems feasible.
-
sech1
they can store much less addresses (orders of magnitude less) if they use rainbow tables
-
sech1
generate 128 trillion addresses, store every 10,000th address in pairs (address N*10000, (N+1)*10000). Addresses in between are generated based on the last 8 digits of the previous address.
-
sech1
when you get a query for some 8 digits, keep generating using your algorithm until you find some address in the DB. Then go back 10000 addresses and start generating until you find your 8 digits
-
sech1
if the generating algorithm is quick, it can be more than 10000
-
QuickBASIC
Whelp. Thanks Rucknium[m] sech1. Knowing that is possible is just great. Haha.
-
eudaimon36[m]
Hello, again, guys!
-
eudaimon36[m]
So I finally successfully created a folder that the antivirus doesn't capture, and downloaded the Windows GUI Wallet.
-
eudaimon36[m]
If I want to run a private full node, do I just launch the "Monero gui-install0-win"? And then that will prompt me for private or remote node?