01:23:51 https://monero.observer/monero-observer-blitz-may-2022/
03:54:56 https://t.me/monero/853787. Hotshop (with Shrum, Tor browser and Feather wallet) being tested/used out in the wild 😎👀😅
05:16:04 "https://t.me/monero/853787..." <- You should really have the first and last few characters of the addresses shown, can't trust qr codes anymore
05:34:41 I was planning on generating a unique, but reproducible avatar/image using a user's primary address/view key to make it easy to compare (though not sure where I would put it- perhaps at center of QR)
05:36:13 I do like the idea of first/last characters as well, though I would question how often a merchant will verify those
05:36:52 either way, with enough time, a nefarious person could just generate an address that matches or an avatar that looks very similar
05:40:01 the only true way to be sure is to go through every character
05:44:02 Okay brain just turned on, yeah it probably does make sense to scan a QR and see that an address matches
06:49:54 "the only true way to be sure..." <- It's easy to get the first few characters generated but way harder to get the first +last few
06:50:37 This is also just supposed to be a safeguard against malware or something like googles ai cam messing with qr codes
06:59:58 "It's easy to get the first few..." <- Iirc there was a clipboard malware that matched up to the first+last 6
07:00:53 So I would go for a visual fingerprint, like something with emojis
07:01:24 Like element does when you register a new device
07:01:35 https://lnquy065.github.io/react-katar/
07:01:38 Or like telegram does when calling someone
07:02:07 i was probably going to use this guy's library
07:02:58 Yeah, that works too
07:03:21 merope: it's still a problem for the payer though, but at the end of the day, no store is validating that there is or isn't malware on a customer's device
07:04:53 Hmmm, we would need that same library to be used in the customer's walletn though... otherwise they'll have nothing to compare with
07:05:06 correct
07:05:08 s/walletn/wallet/
07:05:16 there's probably a need for an emoji like verification system
07:06:02 would be really slick in a wallet- does this shape match the image on the screen?
07:06:21 it could actually be added in as part of the monero uri
07:06:53 &security_code=293abc
07:06:56 The library you linked works too - although I'm not sure if colorblind people will have issues with its color range
07:07:24 &security_code=๐Ÿ•👴
07:07:31 I was thinking you just generate the image from the receiving wallet address
07:07:53 It's essentially a visual representation of the pubkey fingerprint
07:08:30 Same image == correct wallet address
07:08:30 merope: if everyone could agree on a protocol for that, it would be amazing
07:08:42 something like Urbit
07:09:07 merope: yep. that's how i was going to do it in hotshop- base it on the primary address
07:09:28 * cryptogrampy[m] uploaded an image: (56KiB) < https://libera.ems.host/_matrix/media/r0/download/monero.social/ikanhCKjCwLHNJAMuUMttINV/image.png >
07:09:38 urbit's sigil thingy
07:10:19 Otherwise, if it's a code separate from the address, it would be easy to attack (generate the same image, but replace the address - unless you take extra care in generating the code in some specific way that depends on the address
07:10:27 i do think using a visual representation is probably not the way to go
07:10:29 * the address)
07:10:57 it would either need to be emojis or text to be accessible
07:11:08 cryptogrampy[m]: Not as good imo - only two colors, and too many tiny details
07:11:54 Emojis are definitely the best option imo - many different colors and familiar shapes, so easy to recognize and describe and spot any differences
07:11:56 i think it should be like 2fa- the payment generator creates a 6 digit code and the payer needs to see it on their device
07:12:05 they just send it as part of the uri
07:14:00 merope: not everyone can see though
07:14:11 2fa proves that you own a certain secret, kind of a different application - though I think it would work, incidentally
07:15:34 cryptogrampy[m]: Hence the "describe" part: still easy to describe "poop emoji, baseball, car, fire, raindrops, rocket"
07:16:19 * work, incidentally (but you don't need the time component - it could just be a static code)
07:16:32 could probably just be 1 emoji
07:16:37 tbh
07:17:32 yat is using 5 for an entire address scheme
07:17:42 1 might be too "coarse" - telegram and matrix do 4, iirc
07:18:09 🍆
07:18:14 To represent a 64-byte public key
07:18:26 does that make you feel comfortable buying your prescription medication at the pharmacy
07:19:49 "please validate that the peni- eggplant emoji matches what you see on the screen, sir"
07:20:16 "2fa proves that you own a..." <- Although... with static fingerprints, once you know an address's static code, a malware could be extra sneaky and try to show you the same code when you resend to the same address, but change the address
07:20:52 ah. yeah, i still think it should be random per tx
07:20:54 But that would imply that the wallet software you're using has been compromised, so it's a moot point
07:20:56 that's more 2fa-ery
07:21:47 (Because if that were the case, then the hacker could just steal your seed)
07:21:58 i guess the question is who are we protecting- the merchant or the customer
07:22:18 The sender, so the customer
07:22:54 Making sure they don't send money into the void, or a clipbpard malware's address
07:23:02 okay. yeah, i think a random value displayed on the payment QR and sent as part of the URI would be my choice
07:23:55 👮
07:23:58 That value must be generated in a deterministic way off of the recipient's address, no need to extend the uri scheme
07:24:33 merope: yeah that does make sense, doesn't it
07:24:41 we assume the merchant has their shit together
07:25:31 so 1 or 3, and how do we generate
07:25:34 s/clipbpard/clipboard/
07:25:46 🫃
07:26:28 to finalize your bible purchase, please verify the pregnant man matches the pregnant man in your wallet
07:26:42 Lol
07:27:36 emojis are probably too controversial and not sexy enough for a global payment system
07:28:11 > riccardo spagni has entered the chat
07:28:22 Only because nobody has made them yet 😎
07:28:57 I mean, the goal is to have something with familiar shapes and colors
07:29:20 Because you can immediately recognize them, without even thinking
07:29:39 true
07:29:41 Hell, you're even helping dyslexic people
07:29:50 and you're more likely to look at one than a random number or string
07:30:04 Yep
07:31:06 so will main and subaddresses have different emojis
07:31:21 Soooo who's gonna make a pr to include this emoji fingerprint system inside wallet2?
07:31:38 cryptogrampy[m]: Sure: different address, so different fingerprint
07:33:56 what are we emojiing?
07:34:00 and why
07:34:16 (im too lazy to read the text above)
07:35:12 Using emojis as fingerprints for the recipient's address in the wallet, to allow the sender easy verification that the destination is correct
07:36:29 Okay one more problem. If it's not part of the URI... &validate=true, the wallet won't know whether or not the PoS / merchant supports the emoji thing
07:37:28 That's why I'm saying to include it into wallet2 - afaik it's the base library used in the main wallets (cli, gui, feather, monerujo, cake, and maybe some of the other ones)
07:38:19 but what if i don't display the emoji in my QR?
07:38:24 So the wallets themselves would only need to include a field to show the emoji fingerprint when/before asking confirmation
07:38:45 cryptogrampy[m]: No need
07:39:10 The recipient shows you the qr and the emojis next to it
07:39:40 The recipient scans the qr, their wallet generated the emoji fingerprint, and they visually check that it matches
07:40:03 so hotshop for example doesn't use a standard qr
07:40:36 Though I guess you could steal the central part of the qr and replace it with 4 emojis
07:41:04 Dunno about their size or how accurate the image would be though
07:41:29 But that might be solvable by just increasing the resolution of the image?
07:50:30 merope: feather wallet has a 'special' address viewing mode for this reason, it shows it like "blabla .... blabla"
07:51:02 emojis is an interesting idea
07:51:42 Separating the characters into groups definitely helps
07:52:19 Emojis would be the "next step" in that regard - even easier to identify, and works well for dyslexic people too
07:52:24 but why would someone need to double check the QR code?
07:52:47 if the wallet was able to scan the QR code, it implies it already passed the address regex validation step
07:53:00 They wouldn't check the qr code, it would just be a way to transmit the emojis along with the qr
07:54:53 But as I was saying, I don't really think it's necessary
07:56:00 dsc_: It’s a validation that they haven’t been clipboard hijacked
07:56:17 ah got it
07:56:24 I think
07:57:57 QR code alone doesn’t provide any address numbers visually so there’s a lot of room for mischief.
08:03:19 But that qr would be generated directly by the recipient's wallet or pos software, so the assumption would be that their software isn't compromised
08:04:32 But emojis would indeed help the recipient too, in the case where they are copy-pasting their address to share it with the sender
08:26:56 https://www.themoneromoon.com/p/the-monero-moon-issue-45?sd=fs&s=r
08:40:17 I guess the shop owner could use unstoppable domains/yats
08:44:24 Not sure if that works with HotShop though
15:56:36 emojis? yes 🥹 btw, regarding the multi sig fix, RINO have funded it "The contract has been signed and the audit will start on Monday" full details in monero-dev or here https://libera.monerologs.net/monero-dev/20220602#c103760
15:57:01 Funded the Audit*
16:12:39 I missed the conversation, but feel free to message me to claim 3k for multi-sig audit
16:19:56 oh my bad
16:20:51 Nice MajesticExchange , i suppose that would be a direct payment to RINO (as they are funding it all) arnuschky would handle that, he's active there now in dev
16:22:05 yes, thanks for pointing out
16:51:36 Regarding the emoji thing... Don't most people just memorize the last 8 or so characters of their address anyway? The chances of a hacker generating a valid address with the same ending as mine is pretty astronomical, right?
17:03:42 Let's see... 58^8 = 1.280631e+14, which is about 128 trillion. Storing that many addresses in a remote server that is called when a compromised user pastes a Monero address seems feasible.
17:10:37 they can store much less addresses (orders of magnitude less) if they use rainbow tables
17:14:38 generate 128 trillion addresses, store every 10,000th address in pairs (address N*10000, (N+1)*10000). Addresses in between are generated based on the last 8 digits of the previous address.
17:15:18 when you get a query for some 8 digits, keep generating using your algorithm until you find some address in the DB. Then go back 10000 addresses and start generating until you find your 8 digits
17:15:40 if the generating algorithm is quick, it can be more than 10000
19:32:41 Whelp. Thanks Rucknium[m] sech1. Knowing that is possible is just great. Haha.
23:57:13 Hello, again, guys!
23:57:45 So I finally successfully created a folder that the antivirus doesn't capture, and downloaded the Windows GUI Wallet.
23:59:52 If I want to run a private full node, do I just launch the "Monero gui-install0-win"? And then that will prompt me for private or remote node?