08:03:11 https://www.themoneromoon.com/p/the-monero-moon-issue-48
09:13:51 .usd
11:39:31 If monero would become forbidden, would it still have a bright future in the darknet?
11:40:40 if the darknet was forbidden we'd screwed!
11:47:40 "EU bodies agree to phase out anonymous crypto payments "
11:48:32 I could ln
11:48:51 I could link to a non english newspaper site about that
11:57:08 i assume fiat on / off could be 'forbidden' but if they can't 'ban crypto' then people can always exchange 1 crypto coin for another on the 'darknet'? is this something that worries you?
12:03:28 speaking of anonymity networks, there was a 1500$ bounty opened yesterday to allow passing username:password to the --proxy flag of (if im not mistaken) monero-wallet-rpc
12:07:01 https://repo.getmonero.org/monero-project/ccs-proposals/-/merge_requests/327, another incompetent developer will get more for "6. As UkoeHB suggested, figure out a better directory structure for the Seraphis code"
12:10:04 don't worry, he is going to fix monero , monero-gui and monero-site, get your cheque books out
12:12:11 are you joking ?
12:12:49 yes
12:13:04 "I am open to implement anything else the community finds necessary." why 1-2 years for Seraphis ? it should be possible within 6 months
12:13:10 everything isn't important
12:13:54 "8. Review pull requests on monero-site, monero, and monero-gui" without knowledge of current code ?
12:15:59 "9. Implement other issues on monero and monero-gui if there is time" how is it possible to do useful work without knowledge of code and what is important/unimportant currently ?
12:21:49 the proposer has energy , motivation. im sure the scope of his work / rates could be made more realistic for a first ccs (and he even offers 1 month).
more importantly we have someone willing to contribute to monero, can't blame him for trying to market himself
12:23:25 it's just general purpose programming: get task -> read code -> edit code -> test code -> submit PR
12:23:34 there is not so much monero related
12:31:03 what happened to the prerequisite of having contributed / worked on mooonero voluntarily before opening a CCS?
12:33:32 "the proposer has energy , motiva..." <- bullshit, remove requirement for "social influencing" and there will be a lot of participants
12:34:19 it all requires 'time' - time that could be spent on important things that makes us happy (reading reddit / eating). if i need my fence to be painted .. its easy, i've done it before but , my neck and back would probably be hurt after it, so i'll pay someone to do it for me, and when they are here, they'll have a choice of coffee/tea and a selection of reasonably priced biscuits
12:36:04 nioc: it's better than nothing, but this prerequisite isn't sufficient
12:36:45 before opening a ccs i want to see that youve had atleast 1 mental breakdown from slave labour contributions
12:37:18 "1 mental breakdown from slave labour contributions" any examples of those who had ?
12:39:20 plowsof: What prerequisite would you add for auditors ?
12:39:45 (im just typing mine out now lol)
12:40:55 cryptography / audits , i have no idea so i can't offer an opinion
12:45:11 if i paid 10?k for an audit that reads like a wikipedia article and states publicly known issues (or so im told) i wouldnt be happy , but , what can you do
13:27:20 "I am open to implement anything..." <- why do you say this? is koe working on a monero-specific implementation?
13:40:47 "why do you say this? is koe..." <- It would be pretty stupid to work on Seraphis implementation not monero-specific
13:41:35 https://github.com/UkoeHB/monero/tree/seraphis_lib
13:42:24 > <@r4v3r23:matrix.org> why do you say this? is koe working on a monero-specific implementation?
13:42:24 * It would be pretty stupid to work on Seraphis implementation that isn't monero-specific
14:00:52 "Take it to -community if you want to continue the convo ...", Seth For Privacy , what's your suggestion ?
14:20:03 "funny how you all are ignoring problems in monero repo, but attacking me personally; at the same time no one was attacking that scammer;"... (full message at https://libera.ems.host/_matrix/media/r0/download/libera.chat/06db12e0aa2b3074ff7abcca9acead6cf4bf3b1d)
14:34:39 "It would be pretty stupid to..." <- seraphis is a framework and isnt monero specific. koe said it would be needed to be passed onto devs to be implemented specifically to monero. are you saying that he's doing that himself?
16:33:45 ooo123ooo1234567:
16:33:45 plowsof: resigned so ccs complaints need to be paid up front
16:33:45 /s
16:57:46 plowsof: "before opening a ccs i want to see that youve had atleast 1 mental breakdown from slave labour contributions" Well said.
16:58:30 It's character building
19:28:12 ooo123ooo1234567:... (full message at https://libera.ems.host/_matrix/media/r0/download/libera.chat/9b7c7d8f1794e399601d96cf6b7d342d643f857f)
19:33:05 > <@w:monero.social> ooo123ooo1234567:... (full message at https://libera.ems.host/_matrix/media/r0/download/libera.chat/cd45dd8b621a4e58a999577475bdd39200e56e29)
19:34:11 Yeah, say "I approve. Merge 7760"
19:34:11 Or "we cant merge 8149 because it needs _redacted_. Im working on it. Should have something to show by xyz date"
19:34:22 But no, you just whine
19:34:27 And then we vote
19:39:11 Meanwhile everybody is willing to do ask you ask. You just wont say what to do. Just complaining. Its weird.
19:39:11 I dont mean to call you out in public.. but pretty sure you dont check your messages.
19:39:11 All of us just want progress.
19:39:11 We were working on ccs but plowsof had to step away. Luigi had to step away.
People have shit going on and are volunteering their time and energy to trying to figure out what you want
19:39:29 w[m]: jberman's review is not wasted time, we will merge 7760 for v0.18
19:41:44 I want fair compensation for spent time on that security analysis + wrap it into multisig paper + do the same with bulletproofs++ and then seraphis
19:41:47 Usually people want their stuff merged, sometimes they even long for it, not the other way round.
19:42:35 and you instead of paying to someone who would do the same, paid for useless audit and trying to convince me that security analysis isn't needed
19:42:47 it's kind of shows that that work costs 0
19:42:47 ooo123ooo1234567: So lets get it done!
19:42:47 Step 1?
19:43:52 "path forward : admit the above scenario -> ..." it was posted in -dev, but no one replied
19:44:07 just admit that it's important
19:44:31 "it" being ...
19:44:48 security analysis for cryptography changes
19:45:28 Done by? Cost? Timeline?
19:51:38 The End.
19:53:01 cost - I don't even know how to calculate it, timeline - spent ~2 months, done by - few months ago ?
19:53:11 rbrunner: ?
19:53:50 6 minutes elapsed
19:54:57 ooo123ooo1234567: And you did the analysis? Its completed? And you've fixed further issues ready to be reviewed?
19:54:57 So whats the holdup? Why dont you request compensation and submit the work instead of letting scammers drain the well?
19:56:35 How much to request ?
19:57:56 Most people write their own invoices. Do you want the decentralized community to vote on your compensation?
19:58:11 Cost of problems will rise in case if they will be overlooked and reach mainnet
19:58:26 As plowsof said, nobody wants you to burn yourself out.
19:58:27 * Cost of discovered problems will
19:58:59 "Its completed?" Well, is it?
20:00:16 Revuo Monero. Issue 126: June 23 - 30, 2022. http://revuo-xmr.com/issue-126.html
20:03:03 "Most people write their own..." <- I want environment changes so that similar problems will not appear again, in this case I will be able to disappear and become just monero user again
20:03:26 But for some reason I don't know how to do it
20:03:39 everyone either wants me to do this work or not do this work at all
20:04:38 I honestly don't understand the last statement
20:06:22 And, well, you did not yet answer whether you did or did not a multisig security analysis on your own, and if yes, how far it is
20:07:19 > <@w:monero.social> And you did the analysis? Its completed? And you've fixed further issues ready to be reviewed?
20:07:19 >
20:07:19 > So whats the holdup? Why dont you request compensation and submit the work instead of letting scammers drain the well?
20:07:19 it's completed enough for code changes to know how to fix or write exploit, everything optional was skipped to save time
20:09:40 And the problems for making it public are the possible exploits?
20:10:26 And this analysis is of 8149? Finds issues the audit missed? And can be fixed by someone else? If youre the only one that knows of the issues, are you going to fix as well? Have anyone in mind to fix or review?
20:12:40 it's multisig analysis end-to-end, not only 8149
20:14:28 If you try hard, trying to put yourself into our shoes, are you able to see how it might confuse to no end that you hold that, but don't want to show anybody?
20:15:52 "Have anyone in mind to fix or review?" My naive plan was to write cool paper that could be reviewed just due to it's interest
20:16:25 Why was that naive?
20:16:54 Did anybody speak out against you writing a cool paper?
20:17:10 Because of everyone voted against importance of security analysis
20:17:20 if it isn't needed then what's the purpose of paper ?
20:17:53 ooo123ooo1234567: my plan step said that we don't remove experimental flag before security analysis
20:17:57 I'm not crazy to spent time on useless papers
20:17:59 either through you or we fund someone else to do it
20:18:04 it's either useful or useless,
20:18:27 s/spent/spend/
20:18:29 I am pretty sure you won't agree, but IMHO with our voting we did *not*, repeat, *not* vote against importance of security analysis
20:18:56 We just weighted things very differently than you
20:20:18 I interpret you to say that importance of security analysis trumps almost everything else. We don't agree.
20:21:25 <+selsta> merge 8149 -> merge burning bug -> keep experimental -> try to get more formal security proofs before removing experimental flag
20:21:31 that was my suggestion most people agreed with
20:21:41 it's the hardest part, if someone can do this then everything else is much easier
20:21:42 Thanks, you were faster to find it than me :)
20:23:10 Seems to me your point of view leads to either A) no hardfork now, or B) Monero without multisig at all for months. Seems to me we could not agree on either A) nor B)
20:23:32 i mean b) will be the case either way for real word applications
20:23:36 world*
20:23:42 unless they are okay with the risk
20:24:23 Well, you know, if I look what other teams for other cryptos are doing, our torments inflicted on ourselves are ... pretty special :)
20:24:47 Torments of doubts, taking care, and being careful
20:24:52 ooo might disagree ...
20:28:40 I know what: Put a gigantic "Experimental" label over the whole of Monero software, asking at every start "Experimental? Really want to continue?" Problem solved :)
20:29:30 rbrunner: i mean it's different here, ooo told us there are remaining issues and they would be found with security analysis (if done correctly)
20:29:32 It's good to be careful, wouldn't want the team to act in any other way, but you can overdo even that
20:30:24 Yes, understood.
That's why I ask the fact they don't seem ready to publish *anything* to *anybody* seems pretty confusing
20:31:23 They are making it really, really easy to people who are sceptical to feel confirmed: All smoke and mirrors
20:31:28 Unfortunately
20:31:40 If multisig is known to be dangerously broken, even after 8149, then ooo only need to make that clear to someone
20:32:11 And multisig will be fully disabled.
20:32:11 No vote will override an exploit..
20:32:23 One would think, yes. But somehow it seems, well, more complicated, although I don't understand much
20:32:38 ofrnxmr[m]: it's fine if you use multisig internally where all involved people are trusted
20:33:23 ofrnxmr[m]: i'm quite sure he has said it multiple times now, there are issues remaining that are found with security analysis, ow i don't know about the severity
20:33:46 Thats what I thought, but ooo makes it sound as though they have proof of something worse
20:34:01 So, if that is the case.. let someone know....
20:34:02 what do you mean with worse?
20:34:35 a malicious person can steal funds from multisig if he participates
20:34:44 that's what's i imagine, similar to now
20:36:04 what are the worst real world implications of this multi sig 'bug' - for example for projects like RINO who use 'multi sig' in some way?
20:36:11 does this effect the average monero enjoyer
20:36:54 are there serious funds at risk now? or only later - if people assume its safe?
20:38:14 something like haveno would be at risk
20:38:46 so i buy monero on haveno , and there is some escrow thing but i can just bypass it and 'unlock the funds' ?
20:39:02 something like this, yes
20:39:33 rino less, but it would destroy their trustless claim, and basically make it a custodial wallet
20:39:46 Haveno is changing to 2/2 right
20:40:20 But is it signed using the monero multisig?
20:41:26 > <@w:monero.social> Meanwhile everybody is willing to do ask you ask. You just wont say what to do. Just complaining. Its weird....
(full message at https://libera.ems.host/_matrix/media/r0/download/libera.chat/75f83801ec188c023b617856a2732eb31c0e9491)
20:44:39 For a couple weeks ^
20:44:39 He's back now
20:45:03 Not sure if hes back 100%, but he was here for the meeting
20:45:03 it calls vacation
20:45:15 * it's called vacation
20:45:50 Plowsof, dont you dare take a vacation. Work 24/7 for free
20:47:47 > <@w:monero.social> ooo123ooo1234567:... (full message at https://libera.ems.host/_matrix/media/r0/download/libera.chat/0ce1a7bbeea0690abc23dc9b1eb4a2605bff64bd)
20:48:59 Ok. Maybe not as big ♥️
20:49:51 What im saying to you, is if jberman opens a ccs to review your PR's, and you wont approve them.... how is this a good thing
20:50:56 If mj opens a ccs and charges to attend meetings OBVIOUSLY that is bullshit. You dont need ooo123 to explain that.
20:51:08 is there a "hacker one" bounty for the 'multi sig' vulnerabilities that ooo knows about ?
20:51:37 Do you know what was the cost of exploits for multisig ?
20:51:56 NO!
20:51:56 Only you do
20:52:03 actually no
20:52:15 100xmr
20:52:32 xmrsale got 85 xmr
20:52:33 fantastic
20:52:49 do you know who reviewed those exploits ?
20:53:09 Ping pong
20:53:12 no 😳
20:53:13 And the answer issaa
20:53:21 UkoeHB / luigi1111
20:53:44 Who not ooo
20:53:50 * Why not ooo
20:54:04 Where were ya?? Sleeping?
20:54:09 yes, but both currently are against mandatory security analysis
20:54:33 Who cares is they are Lol
20:54:41 s/is/if/
20:54:48 They arent the CEO and president
20:54:59 Plowsof is CEO and Selsta ia head manager
20:55:08 i don't understand the 100 xmr and ' exploits reviewed ' ? you mean they review exploits submitted to hacker one?
20:55:16 yes
20:55:31 the one that were fixed in my PRs and then in resubmitted 8149
20:55:35 s/PRs/PR/
20:55:57 so you are owed '100xmr' even though it is a tiny sum?
20:56:27 plowsof: he got 100xmr for submitting the bugs
20:56:37 and fixing them
20:56:38 and that kayabanerve said "I'll add 10xmr for new exploit"
20:56:48 ahh ok ok, thanks
20:56:49 selsta: Not fixing
20:57:01 for fix there was a promise with 100xmr, but I didn't take it
20:57:08 and fix was pushed upfront into repo
20:57:14 ah ok i didn't know
20:57:16 * promise with additional 100xmr, but
20:57:30 is it because 100 xmr is a joke? for the impact of such an exploit?
20:58:03 I said 10 for a previously unknown one leading to loss of funds/keys, from the meeting, until the hard fork. Therefore, it's not yet relevant to this discussion unless you have submitted something new to koe
20:58:08 it's probably max currently across all hacker one bounties
20:58:30 As a side note, bug bounties generally pay the discloser, not the correcter. I couldn't comment on the specific terms here
20:59:15 I've spent 1 month on that fix and no one submitted anything else in parallel
20:59:22 so 100 xmr is '11k USD for a critical? exploit in a cryptocurrency?
20:59:37 also I've said everything I knew about it at that time to UkoeHB in order to stall anything and went to do work on security analysis
20:59:41 but 85 xmr will get you xmrsale
20:59:47 ooo123ooo1234567: So why did you submit to hackerone
20:59:54 In the worst case if you wouldn't find anything then it would be ok to resubmit my patch and merge it
20:59:58 Instead of coming here and requesting 1000 xmr
21:00:04 But I've found something and it means those who are merging it as is are incompetent
21:00:35 ooo123ooo1234567: selsta: this^
21:00:35 I dont know what he's referring to
21:00:41 w[m]: because 2 months ago everyone was happy with that scammer
21:01:00 * found something (via security analysis) and it, * merging it (resubmit via 8149)as is
21:01:04 * found something (via security analysis) and it, * merging it (resubmit via 8149) as is
21:01:11 ooo123ooo1234567: Fk that scammer. Cmon now.
People are fish and scammers catch fish.
21:01:11 Dont worry about him so much
21:02:13 1000 xmr is more reasonable though , for 700 you can get a pretty front end
21:02:29 plowsof: Hahahahaha no you cant. More like 1400 now
21:02:41 ohhh sorry , true
21:02:58 funny that kaybanerve was in similar situation with report to polynetwork with comp-sci fix (not even cryptography) where he was treated unfair, but anyway he is against me currently in this env
21:03:18 s/anyway//
21:03:36 comparing monero bounty rewards to other cryptocurrencies , we can show all the graphs we want of adoption , but the reality is the max we will pay for an exploit is 10kusd?
21:04:52 plowsof: Easier to make money exploiting donators via ccs than find code exploits
21:06:14 * order to not stall anything
21:08:20 "I said 10 for a previously..." <- yes, 10 for new vulnerability, are you joking ?
21:08:44 If all you want is fair compensation, remember this isnt a company. You're an entrepreneur.
21:08:44 If you accept 100xmr.. that on you..
21:08:44 Request more.
21:09:38 lets see that 10 xmr be donated to a pot on monero bounties ? under a well written / defined bounty?
21:09:38 And dont request in private and complain about how someone said no. Make your funding request and eventually it will be funded.
21:09:46 Why? Businesses RELY on the fixes
21:10:07 > <@w:monero.social> If all you want is fair compensation, remember this isnt a company. You're an entrepreneur.... (full message at https://libera.ems.host/_matrix/media/r0/download/libera.chat/a675eb1f9c4ea59214b3a4a6d285acd6e6afe51c)
21:10:09 it was one of my reply, didn't use it
21:10:15 * see you all on rekt.news; R.I.P. monero
21:10:41 and you can not complain about 10xmr as it is kayabas personal money
21:11:09 While I definitely believe moneros bug bounty is incompetent, I offered that from my personal funds. I'm not a millionaire
21:11:26 "funny that kaybanerve was in..." <- You weren't promised funds you were later denied, from what I've read
21:11:27 kaybanerve should know how it's hard to find something interesting, it's really like a joke
21:12:00 I don't hate monero for having a low bounty. I was frustrated poly for misclassifying a critical exploit though
21:12:11 kayabanerve[m]: what did you read ?
21:12:14 But I am frustrated with our bounty...
21:12:27 that bounty has lasted quite a few years, perhaps more fundraising should occur
21:12:49 ooo123ooo1234567: That the original submitter was offered 100? You were also offered some and turned it down? Feel free to correct me if I'm wrong? I haven't really been paying attention
21:13:15 luigi1112: I personally think in this game of online dick measuring we should offer 5m. There's just no way we can
21:13:25 I'm 100% that UkoeHB / luigi wouldn't be able to write that fix as needed
21:13:31 That's why separate bounty for a fix
21:13:54 What is going on here, since when do we have 100 xmr bug bounties
21:13:56 Because we can't, if we're discussing what we can, we'd want to get rid of the current structure
21:14:12 monerobull[m] this is just high severity hackerone bounty
21:14:13 It's set to pay out 10 criticals. Why tf do we expect 10
21:14:30 So not monero?
21:14:33 Ideally, we'd raise 1m and have two 500k blocks
21:14:41 monerobull[m]: It is monero
21:14:53 kayabanerve, what are you talking about ?
21:15:03 Is this about a recent bug
21:15:09 ooo123ooo1234567: A better bug bounty program?
21:15:11 monerobull[m]: Multisig
21:15:17 Ah ok
21:15:27 monerobull[m]: Both multisig and ooo's claims they're hiding one
21:15:34 I don't believe them, personally
21:15:52 kayabanerve[m]: Did you catch me at least lying here ?
21:15:58 * at least once lying here
21:15:59 kayabanerve[m]: hiding what?
21:16:08 Regardless, if the previous bounty was 100, I'd imagine the next bounty to be worth a similar amount due to pay out its structure?
21:16:10 selsta: An exploit
21:16:14 So what's the issue there?
21:16:30 ooo123ooo1234567: I can't prove it but I assume you are since you refuse to provide evidence
21:16:42 kayabanerve[m]: you're talking too much about things that you don't understand
21:17:11 kayabanerve[m]: I have unresolved conflict with UkoeHB, but in current environment he knows more than others probably
21:17:20 luigi1112: interesting, i think the open ended monero bounties site would be ideal? ... but at this point i dont know what issue / PR is being reviewed / fixed.. im totally lost. a well written / defined bounty (but we need 'some' social influencing to advertise the real world impact of the problem i guess) such a bounty can be shilled and hopefully funded to a more acceptable number ( delivering pizzas for several months will earn you
21:17:20 more than 100xmr)
21:17:23 If you have a new critical, you're eligible under hackerone and under any supplementary programs. If you want to discuss raising further funds, you should be clear about the amount on the table and the amount you want
21:17:31 I don't want to leak another vulnerability, I wasn't satisfied with previous treatment of vulnerability
21:17:48 ooo123ooo1234567: Personal conflict?
21:17:55 Hiding it leaves it unresolved. If you plan to make a public pr, as you've claimed, you'll leak it then
21:18:11 Leading to you dont want to tell UKoeHB?
21:18:22 Either be responsible, and disclose it responsibly now, before the hard fork, with whatever financial arrangements you can get
21:18:33 Or admit this is an ego/extortion trip with no relation to actually helping
21:18:40 The end
21:19:30 It doesn't matter what humans internally use as a motivation to solve technical problems; your work on serai - is it ego trip or not ?
21:19:31 I'd consider koe, selsta, jberman responsible parties for disclosure. Officially, from that list, I believe it's selsta. Practically, it's koe
21:19:39 UkoeHB work on Seraphis - is it ego trip or not ?
21:20:11 kayabanerve[m]: it could be both for better result
21:20:12 Sitting on an exploit because you dont like someone
21:20:12 Not an ego trip
21:20:12 Straight up kid shit
21:20:19 i'm not a useful party to disclose lol i would forward it to koe
21:20:42 I'm going to leave unless the discussion actually continues. I do believe the current bug bounty program is malformed and needs further funds though
21:20:44 selsta: Yeah but if they won't talk to koe you'll forward it lol
21:20:55 > <@ofrnxmr:monero.social> Sitting on an exploit because you dont like someone
21:20:55 > Not an ego trip
21:20:56 > Straight up kid shit
21:20:56 Eh. I'd get it if it's for money
21:21:06 Like you can pull a hyc and say it's merc bs
21:21:12 The point forwarding the disclosure isnt to have the person understand it
21:21:13 Its to acknowledge there is an issue.
21:21:25 I know what it's like to be broke, underrepresented, and have work with X yet unappreciated
21:21:41 But they haven't said an X nor clarified what they say on the table, so we can't even have that discussion
21:21:43 kayabanerve[m]: why are you against me then ?
21:21:48 You don't even know full context
21:21:53 Read my most recent message
21:22:20 You haven't told me how you've personally been wronged by a bounty. If you said it earlier, I either skipped it or misread it. Sorry if so
21:22:30 the problem is lack of funding / reward for the bounty / thing thats broken , pls fix
21:22:38 If you were wronged, sure, I'll advocate for you. You have to explain that though
21:22:51 kayabanerve[m]: I was have to communicate with UkoeHB and explaining what was the problem in those exploits
21:23:02 s/was/had/, s/have//
21:23:09 If you weren't wronged, just underappreciated, that's a separate discussion where you need to post numbers
21:23:45 hackerone paid 100, and IIRC the genfund was going to offer another 100 for timely fix
21:24:41 And didn't they say they turned it down?
21:24:48 So tbc, correct me if I'm wrong
21:25:02 Someone else reported and was paid. Ooo was offered 100 to fix and turned it down.
21:25:09 "for fix there was a promise with..." <- ^
21:25:14 no ooo reported
21:25:17 and received 100
21:25:19 In that case, even if ooo now wants payments, they weren't wrong
21:25:42 luigi1112: Got it. So they were paid the agreed upon amount which was fully acknowledged as a crit
21:25:54 Offered +100 to fix. Turned it down. Fixed anyways
21:25:58 there isn't an agreed upon amount really
21:26:04 kayabanerve[m]: Yes, I had to explain to UkoeHB why is it critical
21:26:04 just a % of pot
21:26:09 and now this situation with 8149
21:26:10 which is loose
21:26:16 While I think 100 is too low in general, I'd say ooo has no claim to being wronged
21:26:31 luigi1112: Right, that's one of my issues. There's multiple pots yet we only display sum pot balance
21:26:37 There's no way to know which pot is where
21:27:07 ooo123ooo1234567: so you explained it and got paid. How do you feel wronged?
21:27:08 there's only 1 pot
21:27:17 the monero network is secured by 10kusd (currently) this sucks
21:27:19 Having to explain a bug to receive acknowledgement isn't being wronged
21:27:23 kayabanerve[m]: I also explained a lot of details in fix too
21:27:40 plowsof I guess like 90k
21:27:41 luigi1112: It's written as 10% of 60% and I believe it's written as a 60% pot of initial funds raised
21:27:43 either way not a lot
21:27:53 ooo123ooo1234567: ... right, but you said that you turned the fix payment down
21:27:58 It was important to tell to UkoeHB since he is working on Seraphis, and this kind of knowledge might be helpful, but this situation with 8149
21:27:59 kayabanerve[m] ok. Again that's loose.
21:28:09 luigi1112: one critical cryptography vulnerability = 10k
21:28:11 So if you still want it, I'd say you should get it, but I won't say you were wronged there
21:28:18 luigi1112: Right, different comment, not relevant now
21:29:36 kayabanerve[m]: If you wouldn't deny importance of security analysis, then I would probably get it anyway
21:29:52 ooo123ooo1234567: to be clear, I'm not against you here. You just haven't successfully explained to me the issue
21:29:57 since exploit -> fix -> security analysis -> deeper issues -> one more fix
21:30:00 ... so are you still trying to claim the bounty for the fix?
21:30:08 selsta yeah but I can imagine far worse vulnerabilities. You could say this should be 20% or something, but much higher is hard to justify IMO.
21:30:11 or are you saying you were paid for one bounty when there was multiple?
21:30:12 ooo123ooo1234567: Im confused. Why did you write the multisig pr if it should not be merged yet?
21:30:32 Because you explicitly said you turned down the payment for the fix IIRC.
21:30:44 kayabaNerve: I wanted to keep this whole situation in private, I'm not fully exposed here like you (with real name)
21:30:55 If you want, we can PM on Matrix
21:31:08 kayabaNerve: I don't trust you enough to PM about it
21:31:13 I've tried reaching out to you before. As much as I don't appreciate your attitude, I do respect your skill and do want to work with you
21:31:23 Not the new exploit. Your comments on the historical bounty payment
21:31:43 ooo123ooo1234567: You trust nobody though
21:32:00 No need to disclose any security issues, though I assume they're known. If you believe you're owed money, you're welcome to explain, here or in PM, what action(s) you did, what payment(s) were expected accordingly, and what payment(s) you received
21:32:32 And nobody knows you.
21:32:32 You could post it on Reddit tomorrow morning. Might as well get a move on. E
21:32:32 You said you want to go back to just being a monero user..
so pass kaya the ball
21:32:54 kayabaNerve: I would be satisfied with changes in CCS, that way I would be able to earn via new work and competing with others without underpayment
21:33:01 * in CCS process, that
21:33:32 it will also eliminate a lot of development process issues
21:33:32 Others like who 🥲
21:33:33 It's even more important hackerone
21:33:35 Also, just because my submitted vulnerabilities have been comp-sci doesn't mean I'm a bad cryptographer. Sure, koe is better, and I have a guess you are too (though I couldn't say for certain), yet I'm able to implement proofs, see their effects, and reason through their part in a system
21:34:20 Again, Hackerone is a mess. luigi1112: My comment was I believe it's written as 60% of the initial funds raised would be for criticals (as in, if a critical happens, the sum balance drops yet so does the amount for criticals). Then it's 10% for that
21:34:20 kayabaNerve: implementing cryptography designed and proven by others isn't hard, koe don't want yet to learn how to do security analysis
21:34:42 I may have misread it, but regardless, it's an unclear system that should be moved to fixed amounts.
21:34:55 And Luigi just said hackerone has ~90k in the pot.
21:34:59 And then 10%? We seriously expecting 10 criticals?
21:35:04 w[m]: Different comment, again
21:35:20 10% of the total pot not the 60%
21:35:23 shall we trick everyone to funding the hacker one pot and call it a payment processor and start a ccs?
21:35:29 Because luigi1112 acknowledges one pot, so it may be used as 6% of the pot per critical, yet then the comment is the math here is confusing because I never had that assumption
21:35:38 luigi1112: In that case, I've constantly misread whatever the fuck the spec is
21:35:47 Thanks for clarifying
21:36:12 > <@w:monero.social> And nobody knows you....
(full message at https://libera.ems.host/_matrix/media/r0/download/libera.chat/bc73b5bc86870e10c8c2bc6f3b00f5abc7f65e21)
21:36:17 * kaybanerve voted against importance of security analysis, not ready to catch the ball probably
21:36:22 I'd like to move it to fixed amounts, where criticals get up to 500k. While I believe it should be 10x that, I don't believe we can raise 10m. I think there's a small chance we could raise 1m.
21:37:06 ooo123ooo1234567: I can't do security analysis. If koe is uninterested, that's their decision. If you're able to, and interested, the CCS exists, and I'd donate. I'd not two issues though
21:37:16 The general fund had like 1 million last time i checked
21:37:22 The CCS is largely about popularity, one of its flaws. Accordingly, you may not get funded.
21:37:23 monerobull[m]: not with current price
21:37:23 ooo123ooo1234567: Kaya didnt vote against.
21:37:23 Can speak for themselves, but pretty sure they've said multiple times that all they want to see is some sort of proof that the analysis needs to be completed before merge
21:37:34 kayabaNerve I wouldn't read that much into the spec. There's a pot, which from memory was around 1k xmr. Various vulnerabilities got various payouts with very loose agreement on what is reasonable.
21:37:41 How the hell do you expect us to raise a million for bugbounty
21:37:45 I said I don't believe a formal spec + proof is necessary. I would still love to see one.
21:37:51 (as a % of the total, NOT as a $)
21:38:11 Beyond that, even if you were popular, you're actively trying to hold the community hostage
21:38:18 selsta: Yeah :/
21:38:40 > <@w:monero.social> Kaya didnt vote against.
21:38:40 > Can speak for themselves, but pretty sure they've said multiple times that all they want to see is some sort of proof that the analysis needs to be completed before merge
21:38:41 the difference between me and kaybanerve: I did that work to be sure that there is flaws, kaybanerve wants to see this work done by others to prove that it's necessary
21:38:51 * the difference between me and kaybanerve: I did that work to be sure that there are no flaws, kaybanerve wants to see this work done by others to prove that it's necessary
21:38:52 So we need to resolve any known vulnerabilities, and then we could discuss funding work. I'd personally contribute to a bounty/CCS on the matter, and if you feel wronged, and I agree, I'd be happy to advocate for you.
21:39:01 we need monero marketing department on the phone asap. need hacker one ccs
21:39:02 necessity of this isn't a question for me
21:39:04 I still don't have evidence for that despite trying to ask questions to figure out how you were.
21:39:18 And then if you don't want X, and you don't want Y, we need to discuss what you do want :/
21:39:29 Yet you frequently harp on bs without moving the convo forward
21:39:35 So we need to work through that
21:39:41 kayabaNerve: Did you see changes suggested by me with multiple stages and competition ? This way it wouldn't be about poularity
21:39:53 s/poularity/popularity/
21:39:57 Uhhhhhhh probably not? Have a gist available?
21:39:59 Who is competing.
21:40:10 Again, I don't read everything, but I would be interested in CCS reform
21:40:15 It's why we lost the noethers :/
21:40:26 And we do have MAGIC, yay, but you need to KYC to the charity (not the committee)
21:40:31 Cmon ooo. You said you were the only one to submit a fix. Our dev community isnt exactly big.
21:40:35 I don't believe you'd consider that a potential
21:41:10 w[m]: I believe I could fix any noted problems in the Monero multisig if needed.
While no, I wouldn't be able to do the work Drijver did myself, nor review the Musig proofs completely, I can still reason with this as needed
21:41:18 "project goal -> the next..." <- @kaybanerve, this
21:41:21 Issue is I need to actually know of issues to do so. Problem there is, I've locked.
21:41:24 *looked
21:41:58 This just sounds like stricter review on proposals with more explicit milestones and no advance funding?
21:42:06 Do we even have advance funding right now? 🤔
21:42:12 kayabaNerve: If they would be here then it wouldn't be needed to prove importance of security analysis
21:42:18 And no manpower for all of that
21:42:24 Agreed
21:42:28 Ploooowwsooooofffff get your ass to work
21:42:35 I have asked what it'd take for one to come back. It's... a lot :/
21:42:41 But I do believe it'd be worth it without question.
21:42:50 Regardless, I won't name or drag them into this conversation rn.
21:43:05 And it's a lot for us @ Monero. It's not a penny less than they deserve and incredibly reasonable overall.
21:43:08 kayabaNerve: environment changes or purely money cost ?
21:43:24 For the noether in question to return? I'm referring to paying their salary
21:44:26 kayabaNerve: is it private info ?
21:44:45 Kaya, say yes. DM only
21:45:07 I don't care to drag them into this discussion when they're not relevant. I more meant to comment that valuable people deserve a lot, and Monero needs to find a way to successfully maintain them
21:45:28 I don't care to post their name accordingly, nor do I care to post the amount. If they want to come back, they can post it. The end.
21:45:33 Dev tax let's go
21:45:42 -_-
21:46:08 I'd be very interested in increasing the bug bounty, and I'd hope we could successfully offer 500k per critical with a total bounty fund of ~1.2m. I don't know the state of the current bounty pot/general fund/donation abilities though.
21:46:17 kayabaNerve: profit oriented and research oriented work are different workflows
21:46:22 But even that, while ensuring security, doesn't help with the dev exodus
21:46:44 I don't think it's profit oriented. It wasn't 250k when I wouldn't be surprised if multiple historical contributors could get that on the market
21:47:08 im going to make a CCS to fund my round the world boat trip for 2000 xmr. enjoy fixing monero-core and staying poor losers
21:47:25 kayabanerve[m]: My brother in Christ we have like 500k$ worth of xmr in reserve for the whole project.
21:47:43 monerobull: If it makes you feel better, it'd be per economic damage.
21:47:46 monerobull[m]: Needs to change
21:48:09 So DoS alone wouldn't be a full crit. Multisig, while critical, would probably me a minimal crit amount, NOT 500k.
21:48:15 Donate? Make Ponzi coins and pump xmr with the profits?
21:48:21 Issue being you actually need to be in a multisig to attack those...
21:48:27 kayabanerve[m]: Do you understand that bounties are needed to hide overlooked vulnerabilities, but not reduce their number ? Only changes in development may help with better quality of code
21:48:50 But even the minimum, which would include a DoS to bring down the net, would have to be ~100.
21:48:50 s/bounties/hackerone/, s/are/is/
21:49:11 ooo123ooo1234567: Bounties catch vulnerabilities, they don't prevent, you're right. They don't hide though. Public disclosure is the way forward
21:49:38 monerobull[m]: Zcash paid 250k for cake wallet integration..
21:49:38 If haveno would collect some money from these for profit blockchains, they could pump the fund
21:49:40 And while again, this wouldn't help with devs, and you're right there (and not just with devs but with what devs working on, I'm considering writing sec proofs devs), that'd be next priority
21:50:00 they hide since private communication of hackerone doesn't motivates developers to fix their development process
21:50:08 s/motivates/motivate/
21:50:13 Monero crits are disclosed AFAIK
21:50:23 We've disclosed multiple, even the recent unresolved stat work
21:50:29 And current case with 8149 without security analysis is perfect example
21:50:29 But here's the issue. At the end of the day, I can send a lot of messages, so can you, I can sound responsible, you can sound appropriately frustrated, and it's all fucking hollow.
21:50:33 Not because I don't want to fix this
21:50:39 Not because you don't have reasons to be frustrated
21:50:45 but because what the fuck are we supposed to do
21:50:58 We either need to get a concrete plan or acknowledge this is pointless.
21:51:18 kayabanerve[m]: are you about 8149 now ?
21:51:38 So we have three points here. 1) CCS reform/developer maintenance. 2) Bug bounty. 3) You disclosing/writing security proofs/people writing security proofs in general, under #1.
21:51:50 No. I'm on about these 3 points ^
21:52:08 So if you actually want to make a plan, great. Let's pick an order and work through it
21:52:13 need more moneys for the pot :(
21:52:24 but please let me sleep first. I've been up 22 hours
21:52:46 kayabanerve[m]: Never... you work til your drop. For free.
21:53:17 But yes. If you legitimately want to create plans on these discussions, to actually move forward, I'll spend a few hours tomorrow doing what I can to discuss actual steps and create something we can present to parties as needed.
We can even discuss it here, not in PM, or in a new channel to limit how much we spam
21:53:30 I'm just glad we don't have some stupid bridge thing holding a bazillion dollars worth of crypto only to be taken by north korea
21:54:15 But 1) Please let me sleep. 2) There's an agenda above. I'd like you to agree to the bones, feel free to suggest adds/removes/edits of course, and then agree to discuss where we want the systems to be so we can discuss literal actions to accomplish this. Because I agree all three are important, and I'm willing to advocate for you here
21:54:30 But I can't even properly advocate for myself right now beyond begging for sleep
21:54:38 monerobull[m]: it was marvelous target, hopefully broken multisig will create another one
21:55:33 * (it was, * another one)
21:55:48 Also, I do plan on offering a notable bug bounty for my work when it's sufficiently far along. While I'd hate to have a submission in my inbox, I'd love for it to be from you.
21:56:20 Though that still isn't technically announced yet, and I don't appreciate you frontrunning me there as you try to manipulate what I spend my time volunteering on :/
21:56:39 So I'd appreciate if you drop it for a few more days while I fight off more bug bounty assholes because I have my own bs there still
21:56:51 w[m]: Monero lives in my head rent free
22:00:45 I haven't gotten a response. Feel free to take your time to think on it. I do get why you'd be frustrated, even if I don't know why you are yet (beyond your important PRs being left untouched for months which is horrible. Not contesting that, just noting it seems like there's another rabbit hole here). If we can talk it through, I'd be happy to give an opinion, and yes, happy to fight for you if proper. But I'm still missing
22:00:45 pieces, because even if you tried/thought it's clear, I don't have them. So I'd want to pick this up tomorrow, getting the picture from the start, and discussing action, if you're willing.
Else, I go back to being the best dev I can, even if it turns out I'm wrong, and you go back to being the know-it-all holding back I get annoyed with :p
22:01:04 Also, I never advocated 8149 as an end-all be-all secure solution. I advocated for it as a greater good. I believe in maintaining "experimental" until we get formality involved.
22:01:34 While yes, that's a "game of words", it's the real life decision we have to make when we're so invalid already. At worst, we're back where we are. At best, we drop "experimental" in 6 months to a year.
22:02:08 Though yes, I frequently consider practicality over formality, which you're welcome to hold against me. I'd just rather we counter balance instead of you being an anchor there.
22:03:29 Night everyone. Even if I read something from here, waiting till tomorrow to respond, unless it's crit
22:11:23 https://www.reddit.com/r/CryptoCurrency/comments/voizd1/basicswap_an_upcoming_fully_private_crosschain
22:11:40 How legit do you think this is
22:16:55 * monerobull[m] uploaded an image: (107KiB) < https://libera.ems.host/_matrix/media/r0/download/matrix.org/WtSnUCZJhYHDOigqUqMHKmJn/BasicSwap_DTECT-1.jpg >
22:17:20 I love how haveno is on there 😂
22:43:57 "I haven't gotten a response..." <- "... happy to fight for you if proper. ..." why do you have vote while others don't ?
22:44:14 no fees, thats what rug pulls are for?
22:45:41 it sounds amazing / too good to be true though
22:52:53 "Who is competing." <- everyone judging by the fact that I can't get reward for my work and had to fight with that scammer, now with others who are merging after shitty audit
22:57:29 "it sounds amazing / too good..." <- They mention monero compatibility a suspicious amount of times as well
22:57:50 "But 1) Please let me sleep. 2..." <- " ... Because I agree all three are important, and I'm willing to advocate for you here ..."
it would be enough to advocate for mandatory security analysis (the one that was done by previous researchers) of cryptography changes (8149 including)
22:59:11 it looks like you're just earning some popularity for future (MAGIC board / your future project / something else) and you've proven it when in some cases you're against incorrect code, but in other cases you are not against it
22:59:18 I'm against incorrect code everywhere
23:01:18 you want to raise bug bounty reward, do some changes in ccs that would prevent loss of prev researchers, but you're against security analysis that helps to catch vulnerabilities more efficiently than bug bounty and prev researchers were mostly busy with this kind of work
23:01:22 contradiction
23:08:10 "you want to raise bug bounty..." <- Kaya isnt against the security analysis...
23:08:37 this 'security analysis' think, is that like a 'deluxe' version of an audit where they show 1+1 is always 2 for the cryptography? how much did the one for bulletproofs cost?
23:08:53 thing*
23:17:35 * you're against mandatory security analysis
23:21:48 "rino less, but it would destroy..." <- what is the business plan of rino with experimental multisig ? why they don't want not experimental right with hardfork ?
23:23:38 funny that I didn't ask them to waste money on audit, didn't ask to help in anyway, but they appreciated shitty audit + 8149 + experimental flag
23:23:43 why ?
23:25:03 you didn't say what you want compensated for your security proof and if you want to share it in the first place
23:25:17 so the audit was the next best thing to move multisig forward
23:26:01 i don't think the audit was worth it, but it was their funds
23:27:33 they would obviously prefer non experimental multisig at fork
23:28:03 "meh. mercenaries have no place here." funny to read but not see any replies in direction to that scammer
23:28:18 * "meh. mercenaries have no place here."
funny to see this but not see any replies in direction to that scammer
23:28:43 This aint twitter
23:30:33 "Are we doing to have a closed source ooo monero daemon?" funny that there is no similar reply in direction to that statistical defense
23:30:35 Dont change the subject 😆😆 and accuse others of doing so
23:30:35 Defending you doesnt go as far as your feelings
23:30:56 ooo123ooo1234567: That was sarcasm
23:31:13 "whoever you would give your updated PR to review, then why not tell these people now what the issues are?" because I can't find even 1 human that would insist on proper cryptography changes
23:31:25 Insinuating that you have a private repo of monero 6.0
23:32:04 ooo123ooo1234567: You dont _want_ to find one, and if you do, you dont trust them anyway
23:33:16 "ooo is then invited to propose a new PR on top of it if he wants to prove that there's more to fix" it's clear desire to justify thrown money on audit
23:33:19 and nothing else
23:33:43 ooo123ooo1234567: Nobody is justifying the audit
23:34:11 "you didn't say what you want..." <- Selsta JUST finished explaining
23:34:25 "I truly believe they're just a pissed off obstructionist, not that I believe there's anyone else left to convince " indeed
23:34:42 Correct road was closed for unknown reasons
23:34:42 So we climbed a mountain for no reason and are back to square one.
23:34:57 "While leaving the community in a known critically vulnerable state in the meantime" this argument was even used by that scammer and his friends
23:35:39 The one who charges for meetings?
23:35:49 You really take stock in what he says?
23:36:39 "If you shoot ooo, you famous. If ooo shoots you, he's brainless. Whats an ooo12 to do"
23:36:39 - Jay z
23:37:35 "If ooo123ooo1234567 can't convince anyone that 8149 should be stalled further by the end of the meeting, I would like to squash and merge 8149 this week." How is it possible to convince those who don't use critical thinking and don't care about security of changes ?
23:37:59 Who are "those"?
23:38:38 "8149 has been thoroughly reviewed, audited, and Koe already implemented everyone's remarks", "once 8149 is merged, we can use this as a new basis of discussion for further improvments" again clear desire to justify thrown money on audit
23:39:08 If there are problems, where is your review
23:39:15 Aside from "im angry"
23:39:24 Btw, that meething is supposed to have unbiased chairperson, which didn't serve role properly
23:39:34 Supposed to?
23:40:12 ofrnxmr[m]: meething participants
23:40:17 This isnt a company. It would be nice but last time I checked it was an informal meeting without an agenda
23:40:56 The meeting was to decide whether to merge 8149 and you didnt say anything aside from "its insecure"
23:41:04 it's like visiting judge in a country with total corruption with the hope they will take right decision
23:41:20 Saying you dont have a vote is crazy. You hold a 99% vote but you abstain
23:41:34 s/judge/court/
23:42:02 when/where did I have vote ?
23:42:13 When you didnt speak up
23:43:06 You have a vote right this second
23:43:07 somebody here complained about big tech companies hi-jacking bitcoin meeting in order to push whatever they want
23:43:30 and in that meeting somebody is pushing for a merged based on shitty audit
23:43:32 facepalm
23:43:43 s/merged/merge/
23:44:17 ooo123ooo1234567: You can hijack this shit. Why tweet so much instead of hijacking?
Place your vote already
23:44:37 Jberman literally said he was with you on 7760 and multisig
23:45:44 if it was about arguments then I would win even alone
23:46:01 https://matrix.to/#/!LmpzSzbSMKFmPbCpHe:monero.social/$Osluk7vDlhBZwsi5AYd3yCKZuT3byp9CeybmT6xf8Lk?via=monero.social&via=libera.chat&via=matrix.org
23:46:05 if it's about crowd voting then it's already defeat
23:46:14 ooo123ooo1234567: Its not
23:46:14 facepalm
23:46:43 Crowd voting votes tech guy throwing temper tantrum without solutions
23:46:46 I was answering to questions of different people, after some point +1/+1 and end
23:46:54 no unbiased chairperson
23:46:56 s/votes/trumps/
23:47:08 There is no chairperson, period
23:47:35 This is monero, not an Amazon board meeting
23:47:36 without chairperson it's chaos
23:47:40 Yep
23:48:15 Hard to hold anons accountable.
23:49:35 I dont care who chairs a meeting.
23:49:35 I pushed for 7760 and the dns fixes. Both will make 0.18 where previously the answer was no.
23:50:26 Does the chair decide whether they get merged? No. You and Jberman do. But in your absence, voting and Jberman did
23:50:34 how did you push for dns ?
23:50:53 I asked for it to be prioritized.
23:51:09 As I did 7760
23:52:04 "selsta: I'd say it wasn't as thorough as my own review, but at the same time the auditor(s) brought a different set of expertise/experience to the table, which always improves the venn-diagram of concept coverage (e.g. hightlighting the bias issue in hash_to_scalar(), which prompted me to update my seraphis lib)." game of words
23:53:57 "playing devil's advocate but where do we draw the line between "experimental" or not? There is surely more to Monero crypto and code that isn't as security proved as
23:53:58 ooo123ooo1234567 would wish for to deserve being non-experimental" it looks like rino is going to enable multisig based on that audit
23:54:00 So... no multisig?
23:54:16 since the line between experimental and non-experimental is unclear
23:54:23 otherwise what's the reason to push for merge of 8149
23:54:36 How about if we have a game of words and call it "dangerous"
23:56:26 ooo123ooo1234567: Why not tell someone why its a bad idea. "Rip monero" is the type of response that is a self fulfilling prophecy
23:56:39 "kayabanerve: Based. I just want to iterate I don't believe they have anything" funny that I didn't submit that multisig vulnerabilities before having working exploit
23:56:50 * I didn't even submit that
23:57:02 while others can't even verify their non-cryptographic code in repo
23:57:39 Nice.
23:57:39 So
23:57:42 No multisig?
23:57:55 Jeopardy music
23:59:01 "sech1: Can we just be done with disussing 8149 now (in this meeting)?" it's interesting how monero users don't care about code correctness
23:59:20 ooo123ooo1234567: who should be the chairperson of Monero ?
23:59:37 jeffro256[m]: Me. Pft. No other options.