Rucknium: bounty 4.2 ~xmr sent to MAGICs wallet @ btcpay.monerofund.org/i/4BdGbZvYQRKx44uYqqjs21

Hey Guys, does anyone have an idea why monerujo pocketchange sends the always 10x the amount of xmr for each bucket? Wouldn't that make it more fingerprintable on the block change? And also, does it send the xmr to each bucket in the same interval?

I think randomizing the number of buckets (individual transactions) and intervals between that would make it less obvious that a group of transactions originated through pocketchange

<unkn8wn69[m]> "I think randomizing the number..." <- No

<unkn8wn69[m]> "Hey Guys, does anyone have an..." <- Arbitrary and bad number

yes it does

i dont know

s/i dont know/i dont understand the question

if you mean "in the same transaction", yes

Oh I'm dumb it generates a transaction with 10 outputs not 10 transactions.

I think pocket change is very great, i usually send my xmr to a new wallet frequently to make all into one input again, and therefore i think I'd get into the problem more often when trying to spent small amounts in a frequent manner.

jonjones2000

<r4v3r23[m]> "twitter.com/ShrtCrct6102..." <- Very cool. Can you share a screenshot of this in the app?

cryptogrampylmk if you can see this video

UI is minimal and a proper UX is being worked on

tested & compatible with CLI wallet

Wow very nice

you can now burn your ledger/trezor and use old androids as a hww

r4v3r23[m]: How safe is that? Can you cellebrite* it?

factory reset the phone and keep it on airplane mode

unless mossad is actively targetting you, youre good

I mean, if I steal you're phone and plug it on my PC to extract the data.

android phones are encrypted

"Old phone", I mean.

Once you boot it, if I can get to it I can bypass the encryption.

The encryption protect the storage on boot, but if you boot it then it go to sleep, afaik I only have to bypass the pin lock (or whatever you got set)

But I assume the wallet part is encrypted

yes app is also encrypted

so only risk could be someone tempering with it

id trust an android phone over a trezor/ledger in case a hacker had physical access

Like replacing the app with the same one, recompiled with an extra backdoor.

so it leak you're key when you use it

Adb backup db > restore db to a custom cersion

Yeah, for backup it's nice

but yeah, android is soo insecure...

RavFX[m]: > <@gfdshygti53:monero.social> Like replacing the app with the same one, recompiled with an extra backdoor.

> so it leak you're key when you use it

how are you gonna do that when the phone is encrypted at rest?

Oh wait, you probably mean to extract the db and crack it later.

r4v3r23[m]: Old phone, you really think you can't bypass them.

It's probably safer if you leave the phone OFF forever, except when you use the wallet, at least the encryption might actually protect the data

RavFX[m]: beincrypto.com/cybersecurity-hacks-trezor-wallet-old-exploit

old already booted phone you can't trust it to be secure

so are trezor.ledgers

r4v3r23[m]: I know that old exploit, patched long time ago.

RavFX[m]: its not the only one

just compare the codebase you have in a phone and in a hardware wallet

if youre actively targetted, no hww is gonna keep you safe

the quantity of code, what can go wrong

And I can easily get into encrypted phone that are already booted.

old phone

old android version....

if you want to talk niche hypothetical attack vectors, sure lets go

RavFX[m]: yeah?

things like that, software is available on torrent and usenet

Yeah, use an old phone...

brute forcing a 4 digit pin? lol

let me store my wealth on a device secured by "6969"

One of the thing it can do.

it depend of the phone brand/model.

It use released exploits... But new exploit are getting founds ... And old phone don't **always** get update.

xd

you can set longer pins THOUGH

mine is 8 digits

or long ass password

having your wealth protected on a phone is retarded though

You can yes, But you really think there is only "one" exploit ;)

That was random video.

setting long ass pins and passwords gets very annoying

if you use that device daily

this is an advanced feature. it assumes youre taking basic precautions and dont use "Dogname123" as your password on every service

naphtha[m]: cold storage isnt daily use

The pass protect the boot. Once it's booted, well.

If you can reach the target, just put a sim in his phone and use a SMS 0 day (available on some phone). Then you get to install what you want on the phone, or dump data.

exceptions dont invalidate the rule, they affirm it. there will always be edge cases

right but still i'd imagine the crypto algorithms arent made to be very difficult

Get a new phone or something, or something well supported

RavFX[m]: > <@gfdshygti53:monero.social> The pass protect the boot. Once it's booted, well.

>

> If you can reach the target, just put a sim in his phone and use a SMS 0 day (available on some phone). Then you get to install what you want on the phone, or dump data.

*airgapped device*

so you can unlock your phone without waiting 30 seconds for the weak arm cpu to decrypt shit

lets not strawman now

RavFX[m]: > <@gfdshygti53:monero.social> The pass protect the boot. Once it's booted, well.

>

> If you can reach the target, just put a sim in his phone and use a SMS 0 day (available on some phone). Then you get to install what you want on the phone, or dump data.

depends what os

and how you have it configured

my pixel on graphene encrypts itself after a couple of hours automatically

naphtha[m]: this is the recommended setup for this feature

and old pixel running graphene/AOSP

naphtha[m]: Yeah, not everyone do proper research.... (full message at <libera.ems.host/_matrix/media/v3/do…7a3161d27007a2071b25ffe134a5a46c661>)

airgapped devices can be vulnerable still.

Ideally you could make a stipped down rom

remove the modem driver....

the idea of a feature like this is to make the attack as hard as possible

but again there is still the issue if someone take it.

if you want to be super paranoid then memorize your seed and forget it

<Disciiple> old?

but with enough force you can brute force a brain

s/forget/thats/

r4v3r23[m]: like a 5$ wrench ;)

duh

<Disciiple> why old pixel instead of new?

too much force is the problem

yeah, use new devices...

meanwhile in reality

xkcd is soy but this is one of the rare times hes right

There are way to protect again 5$ wrench attacks, but... lets not go into that

bridgerton[m]: new is fine

why would a money printer not just wait

naphtha[m]: exactly

Ideally you want a phone made by an politically opposed faction... (full message at <libera.ems.host/_matrix/media/v3/do…da69cd2921db08fc6e8daf4dbf47da34668>)

I don't know if it's still possible to have phone without radio drivers, aka, no phone/wifi capability (so one could not take over a phone by adding a sim and injecting an exploit that way.

RavFX[m]: That. Titan phone had hardware toggles iirc

Maybe a different phone. I remember one where you could physically remove the camera etc, easily

ofrnxmr[m]: That won't protect you if someone take ownership of you're phone.

But yes, it's good to have.

<RavFX[m]> "I don't know if it's still..." <- its possible. but for the vast majority of cases, unnecessary

r4v3r23[m]: indeed