Revuo Monero Issue 191: October 26 - November 2, 2023. revuo-xmr.com/issue-191.html

<h​ardenedsteel:monero.social> once getmonero.org also hacked and spread malware

<o​frnxmr:monero.social> I vote we host on majestics server

<o​frnxmr:monero.social> Uptime 66%

<d​iego:cypherstack.com> this is the annoying thing

<d​iego:cypherstack.com> people not claiming their funds. If you do the work, get your money.

<o​frnxmr:monero.social> More annoying

<d​iego:cypherstack.com> there were people I was chasing down to get money before I left. Now plowsof.

<o​frnxmr:monero.social> Ppl who start things without intent on finishing

<d​iego:cypherstack.com> many of these should be defunct

<o​frnxmr:monero.social> diego

<d​iego:cypherstack.com> Monero Outreach Round 3, Monero payment gateways, tipxmr.live, etc.

<o​frnxmr:monero.social> Those are called purgatorybccs

<o​frnxmr:monero.social> Plowsof has a big list

<p​lowsof:matrix.org> ccs.getmonero.org/proposals/haveno-frontend.html - 453XMR - the front end team downed tools after $ price drop / they didnt want the moneros, gonezo.

<o​frnxmr:monero.social> I call it "jet fund"

<p​lowsof:matrix.org> ccs.getmonero.org/proposals/staff91…e%20(subtitles)%20to%20Italian.html - 28XMR - no sign of proposer (talk of 'google translations used' but not confirmed)

<d​iego:cypherstack.com> My time with core was partly chasing people down to take their money

<p​lowsof:matrix.org> ccs.getmonero.org/proposals/xmrhaelan-monero-outreach-round-3.html - 36.67XMR - a recent attempt to resolve by ajs but not successful. close/gone

<p​lowsof:matrix.org> ccs.getmonero.org/proposals/36c3.html - 280XMR - core has invoices totalling ~24k euros to resolve this. which could be brought if looked into by those who gave money to pay things at that time.

<d​iego:cypherstack.com> and then after a year when nobody remembers anything, they come by and say work has been done y no payment

<p​lowsof:matrix.org> ccs.getmonero.org/proposals/utxobr-monero-k8s-operator.html - 22.86XMR - multiple attempts to contact over the years, gone.

<o​frnxmr:monero.social> Soloptxmr

<p​lowsof:matrix.org> ccs.getmonero.org/proposals/cypherstack-sarang-triptych-research.html - 12.65XMR - should have been closed / sent to the GF a long time ago. IT was STILL in the CCS wallet -> byebye

<p​lowsof:matrix.org> ccs.getmonero.org/proposals/anon-perfect-peer-to-peer-protocol.html - 160.12XMR - has had years to ask luigi for payout and didnt, strike if off the record.

<p​lowsof:matrix.org> ccs.getmonero.org/proposals/xiphon-7.html - 120XMR - Xiphon is AWOL for _years_ , strike off the record.

<p​lowsof:matrix.org> we're still far of 2600

<o​frnxmr:monero.social> My beautiful jet

<p​lowsof:matrix.org> 245 XMR from the jet fund / overfunding - gone

<p​lowsof:matrix.org> have we made a dint yet

perfect time for element to stop connecting to IRC

anyways, I said at least 36C3 supplies have had movement in recent days

<d​iego:cypherstack.com> The 36C3 supplies at least has had movement in recent days.

i was so happy to finally have that alllmost resolved.. the invoices.. everything

oh lol there it goes

would have freed funds up for the project

<o​frnxmr:monero.social> But, its been gone for 60 😭

<d​iego:cypherstack.com> ye

<1​23bob123:matrix.org> 60 day breach disclosure

how many years ago was 36C3?

<d​iego:cypherstack.com> nioc it was 2019

<1​23bob123:matrix.org> Bc

<o​frnxmr:monero.social> Lololol

<p​lowsof:matrix.org> the above tings i linked total ~ 1358.3 xmr

<l​ouis.signet:monero.social> Maybe this is the moment we realize it's probably not a bad idea to add time locks or other types of scripts for extra protections

<o​frnxmr:monero.social> 🦕

<1​23bob123:matrix.org> Or multisig

<p​lowsof:matrix.org> 1358.3xmr that we where not using any time soon

<o​frnxmr:monero.social> Lock it for 6 yrs?

<j​effro256:monero.social> Time lock doesn’t help here when attacker has remote access for a month unattended

<r​ecanman:agoradesk.com> I think this should be considered

<r​ecanman:agoradesk.com> ASAP

<l​ouis.signet:monero.social> Depends on the multisig, opcodes for multisig are more secure than key aggregation ultimately

<d​iego:cypherstack.com> I mean there are more

<d​iego:cypherstack.com> xmrSale? German translation? Douglas Tuman? OSPEAD?

<1​23bob123:matrix.org> Anything older then a year and movement, goes to monero hacked fund

<1​23bob123:matrix.org> Anything older then a year and no movement, goes to monero hacked fund

<d​iego:cypherstack.com> netrik. Three months of translation coordination. December 2021

<l​ouis.signet:monero.social> They help with coin control, some utxos with small time locks, bigger ones with large time locks

<o​frnxmr:monero.social> Xmrsale is resolved

<o​frnxmr:monero.social> Netrik needs pay, no?

<d​iego:cypherstack.com> ah. Core just dragging their feet on implementing/updating?

<o​frnxmr:monero.social> What happenef there

<p​lowsof:matrix.org> netrik was around some weeks ago, claims to have completed the work but not yet claimed it (this can be debated)

I don't think netrik finished his thing. He was not very satisfactory in the role I had imagined either

funny, everything I donate to gets competed :)

<p​lowsof:matrix.org> ok, close netriks

<d​iego:cypherstack.com> plowsof are you kicking core's shins every day?

<o​frnxmr:monero.social> Acceptxmr absorbed xmrsale, right?

<d​iego:cypherstack.com> they literally will not move from their slumber unless you yell at them daily

<p​lowsof:matrix.org> Lol

<1​23bob123:matrix.org> Nioc has foresight

nioc can run everything from a google sheets with protected ranges

<o​frnxmr:monero.social> Diego, no

<d​iego:cypherstack.com> luigi be like: "yeah we'll get to it"

<o​frnxmr:monero.social> I kick plowsofs

<1​23bob123:matrix.org> Monero community and fckn google

I only use paper, pen and my subconscious

<p​lowsof:matrix.org> Diego: monday at the latest

<o​frnxmr:monero.social> > <l​uigi1111w> nioc can run everything from a google sheets with protected ranges

<o​frnxmr:monero.social> You mean midi

*completed

<x​mrscott:monero.social> I'll bring my D20s

<l​ouis.signet:monero.social> I have an idea

<l​ouis.signet:monero.social> _**ok can you guys stop trading**_

<l​ouis.signet:monero.social> lets hard fork into monero classic and monero dao fork

<l​ouis.signet:monero.social> ☠️

<1​23bob123:matrix.org> 2gb block size

<1​23bob123:matrix.org> For quake

<s​tnby:kernal.eu> Why no one updates CCS site to state that core fucked up and funds gone. Also where does the 888tNkZrPN6JsEgekjMnABU4TBzc2Dt29EPAvkRxbANsAnjyPbb3iQ1YBRk1UXcdRsiKc9dhwMVgN5S9cQUiyoogDavup3H lead to?

<1​23bob123:matrix.org> Jetfund

<r​ecanman:agoradesk.com> Core team is responsible for the CCS site and getmonero.org infrastructure afaik

<p​lowsof:matrix.org> 888t leads to general fund wallet 1

<r​ecanman:agoradesk.com> Not much activity other than "we are talking"

<s​tnby:kernal.eu> Aka. Sink hole

<p​lowsof:matrix.org> GF1 is kept 'near empty' / sweeped into GF2

louis.signet: i'm down with dao fork

<l​ouis.signet:monero.social> This isn't ethereum sir

<j​effro256:monero.social> Are there any PRs open to Monero-site that would inform users of the CCS breach?

but but but ;-;

<j​effro256:monero.social> We shouldn’t keep those addresses up

<p​lowsof:matrix.org> i think uh.. we shuld do a blog post

wait... that's gonna create fud and speculations

<p​lowsof:matrix.org> afaict there are no ccs addresses on site

if it took the core peeps like a month to find out... maybe we keep it under wraps?

<j​effro256:monero.social> We need something on the CCS page

as far as I know there's nothing to donate to anyway currently?

<p​lowsof:matrix.org> loveras is open still

<p​lowsof:matrix.org> ccs.getmonero.org/proposals/Lovera-…te-educational-content-Spanish.html can click contribute

I will move it

<p​lowsof:matrix.org> thnx, and as for announcing something / somewhere on the ccs itself... im not sure how

<p​lowsof:matrix.org> getmonero blog is all i can think of

<r​ecanman:agoradesk.com> We should also make sure that hardcoded GF addresses are changerd

<r​ecanman:agoradesk.com> We should also make sure that hardcoded GF addresses are changed

<r​ecanman:agoradesk.com> Someone should search on github and gitlab and the sorts

<p​lowsof:matrix.org> GF is not effected

not currently. It would still be good to rotate it, but unsure what its structure should be (not my thing)

<p​lowsof:matrix.org> we did rotate it already - GF2 and funds are sweeped

<p​lowsof:matrix.org> but yeye

yeah the risk if if someone is waiting and watching and a big donation comes in

<p​lowsof:matrix.org> the ccs primaey wallet address exists in 2 places afaict

<p​lowsof:matrix.org> escapethe3ra: monero.observer/haveno-frontend-ccs-proposal-fully-funded and on a GH repo which ive made a PR to have deleted

<s​tnby:kernal.eu> Totally... :D

<r​ecanman:agoradesk.com> Oops, sorry, misread

<r​ecanman:agoradesk.com> luigi1111w: That is why I recommend to form the Monero Security Workgroup (or something similar) so this can be discussed there formally

<r​ecanman:agoradesk.com> Meetings should be coordinated. I think that community should investigate current issue, and the new MSW can look into new solution

the monero security workgroup could have its communication be in embedded blockchain messages xd

there's official

<r​ecanman:agoradesk.com> 😄

I think it can just be discussed here unless it gets too noisy

<1​23bob123:matrix.org> Do i get a badge too?

<r​ecanman:agoradesk.com> It's getting pretty noisy

for investigation stuff it will be a bit

<p​lowsof:matrix.org> what can the community investigate?

<r​ecanman:agoradesk.com> Currently, transactions, opsec with the machines, etc.

well not currenlty opsec with machines, as I'm not present

<p​lowsof:matrix.org> take our shoes off when entering luigis home, and make some forensically sound copies of hard drives etc?

<r​ecanman:agoradesk.com> New solution involves changes to the CCS system, multisig, new opsec, security hardening measures

<1​23bob123:matrix.org> Opsec there are community that offer that

<r​ecanman:agoradesk.com> No, gather as much information on situation and try to make the best out of it

<r​ecanman:agoradesk.com> The timeline, for example, is very helpful

<l​ouis.signet:monero.social> It's already possible to affect Fungibility with mordinals / tx_extra

<l​ouis.signet:monero.social> Why not offer the option for a few locking scripts op_codes?

<l​ouis.signet:monero.social> I'm sure large treasuries will make the trade-off

that doesn't sound fit for this purpose

<r​ecanman:agoradesk.com> What louis said? Or my idea?

louis

<l​ouis.signet:monero.social> OP_MULTISIG > MPC ( specially with flawed setups )

<r​ecanman:agoradesk.com> Oh, ok

<s​tnby:kernal.eu> New solution is to upgrade to windows 11

service pack 2 minimum

<l​ouis.signet:monero.social> vaults, velocity limits, etc

<r​ecanman:agoradesk.com> lol

<r​ecanman:agoradesk.com> In all seriousness I think that an effort should be taken

I will go back to XPsp3

+1

<b​tclovera:matrix.org> What about actually OPSEC of GF2 ?

<s​tnby:kernal.eu> "Direct fund or die"

<l​ouis.signet:monero.social> OP_VAULT > SIGNATURES

<r​ecanman:agoradesk.com> I'm not sure, it should be discusses

<r​ecanman:agoradesk.com> I'm not sure, it should be discussed

GF2 is binaryFate's domain. Can be discussed as well.

<b​tclovera:matrix.org> Es actualmente BinaryFate

I think his timezone is relatively opposite

<b​tclovera:matrix.org> Is BunaryFate actually behind it control right?

<s​tnby:kernal.eu> Core pays what they owe. Everyone's happy.

<b​tclovera:matrix.org> Yep, should be discussed

<p​lowsof:matrix.org> full details of GF2 can be found here (after wallet access) reddit.com/r/Monero/comments/11fslu…fund_transparency_report_march_2023

<s​tnby:kernal.eu> Reddit is our official news outlet? Maybe post the news on ccs.getmonero.org?

there isn't a news section there. You want a banner or something?

<b​tclovera:matrix.org> I remember this post, well, full details about OPSEC is not clear… Maybe Binary created the GF2 Wallet in Windows 7

<b​tclovera:matrix.org> He said Multisig is not an option… time

<b​tclovera:matrix.org> To reevaluate this now

<r​ecanman:agoradesk.com> Yes, banner is needed

repo.getmonero.org/monero-project/ccs-front can probably be done there

<l​ouis.signet:monero.social> For large treasuries

<l​ouis.signet:monero.social> OP_MULTISIG > OP_CHECKSIG

<l​ouis.signet:monero.social> OP_VAULT > OP_CHECKSIG

<l​ouis.signet:monero.social> Just those two

<b​tclovera:matrix.org> He can use their own project RINO wallet

opcodes are out of scope unless I'm misunderstanding their implementation

<p​lowsof:matrix.org> i think here repo.getmonero.org/monero-project/c…blob/master/index.md?ref_type=heads uhm .. would we link to reddit (our official news outlet) though?

<p​lowsof:matrix.org> the meta issue* lol

<r​ecanman:agoradesk.com> Meta issue

<r​ecanman:agoradesk.com> Reddit link should be in the meta issue

meta is officialest

<l​ouis.signet:monero.social> matrix.monero.social/_matrix/media/…ero.social/VIuKxrJbVYUplWdcUJvcdtKB

<p​lowsof:matrix.org> truth

<l​ouis.signet:monero.social> That's also not a bad idea

<l​ouis.signet:monero.social> For large treasuries

<l​ouis.signet:monero.social> OP_VAULT > CHECK_RING_SIGNATURE

<l​ouis.signet:monero.social> OP_MULTISIG > CHECK_RING_SIGNATURE

louis we're not hard forking monero for this

<r​ecanman:agoradesk.com> Lol

<r​ecanman:agoradesk.com> Completely new threat model and opsec should be done

<r​ecanman:agoradesk.com> I will repeat again, this should be discusses separately

<r​ecanman:agoradesk.com> I will repeat again, this should be discussed separately

<1​23bob123:matrix.org> Or people with high pokemon threat models re-evaluate

<p​lowsof:matrix.org> matrix.monero.social/_matrix/media/…matrix.org/sUWZhGHGDIvsWgslsUAZazLf

<p​lowsof:matrix.org> jeffro256 something like that?

<1​23bob123:matrix.org> Need to add

<1​23bob123:matrix.org> THE FOUND ME!

<1​23bob123:matrix.org> THEY FOUND ME!

plowsof: CCS is empty now, maybe a blog post is better suited?

<p​lowsof:matrix.org> i was leaning toward a blog post of the meta issue (with a link to it)

yep

the ccs website changes feels a bit out of place

<1​23bob123:matrix.org> Still also need to plug the hole too, by working out how it happened

<p​lowsof:matrix.org> agree

well, the holes should be plugged with better setup. We should also like to know how it happened.

<m​dmazing:matrix.org> why was the general fund wallet with 8k xmr not drained? different setup?

different person.

preview of the proposed blog post deploy-preview-2208--barolo-time-757cf9.netlify.app/blog on site

<l​ouis.signet:monero.social> uff

announcement* :)

<k​inghat:matrix.org> luigi: > Seed was only on paper on my end.

<k​inghat:matrix.org> you mean it was on devices(wire/pgp so two?) when received and then put on paper?

Yeah

Well I don't remember what devices. I didn't note it down on any device though

<c​howbungaman:matrix.org> For the record I would like to collect my funds. Reading some of the chat here and it looks like people are saying people who have not claimed funds over a certain time period will no longer have a claim. It was always my intention to claim the funds. I was told I needed to write up an explanation of work performed to receive my funds. So I needed to find time to do that. I spend <clipped message>

<c​howbungaman:matrix.org> my time doing many other monero related things plus day job and family so I never made it a priority to write up the post. But I told luigi1111 on multiple occasions we would be claiming the funds. It was always my intention. I just wanted to make sure I achieved enough progress before making my claim, which i certainly think I now have. I recently started collecting the stats to <clipped message>

<c​howbungaman:matrix.org> write up my post on what I have achieved and Sunita told Plowsof a few weeks ago that we would be posting something before October ended. Would have just sent an address to get paid out but that was never offered to me. It seemed like a submission on my end was owed.

<c​howbungaman:matrix.org> matrix.monero.social/_matrix/media/…matrix.org/rzToPdcCctYQRZmMVgoGjxNE

Oh yes that's right I told you to submit a write-up not confirm your address, sorry

<c​howbungaman:matrix.org> plowsof: please see above.

<p​lowsof:matrix.org> yes, i confirm a write up and not simply an address was requested

<c​howbungaman:matrix.org> Yes , and we were literally getting to it this week …. I will submit something this weekend. Obviously I realize the funds are now gone, but hoping the ccs’s owed will somehow be paid for the work completed.

They will be

work done, is work paid, it appears that core are insuring everything with the general fund

<c​howbungaman:matrix.org> 🙏👍👍. Greatly appreciative of that. So unfortunate this happened.

<a​ck-j:matrix.org> luigi1111: Are you going to give the two machines to forensic analysts to be imaged and analyzed?

<1​23bob123:matrix.org> Tbh i would image all the pcs for analysis and nuked it. Then after fresh install move other funds just in case.

<s​pirobel:monero.social> all of this is so fucking embarrassing. why do we need this weird cult like behavior around a big stash of money?

<k​inghat:matrix.org> were monkeys?

<t​isktisk:monero.social> It might be right now, but we as a community need to view this for what it is--A yuge opportunity for improvement. You don't learn much from your wins, but what of your losses?

<t​isktisk:monero.social> I pray we bounce back with some honest resolve

<s​pirobel:monero.social> lets hope so. Maybe it is time to shut down "core" what ever the hell this is anyway. They clearly lost all credibility ... but similar events happened before and the sheep still follow ... because they just can't help themselves.

<s​pirobel:monero.social> so lets see ...

<s​pirobel:monero.social> but probably the mess will just continue

<t​isktisk:monero.social> I believe there's a light at the end of the tunnel

<t​isktisk:monero.social> ... Just might be another train tho

spirobel: wouldn't that require like, a fork?

<s​pirobel:monero.social> no. It would just require not acting like a cult

<s​pirobel:monero.social> and establishing a direct relationship between the donors and the workers.

<s​pirobel:monero.social> where there is mutual trust

<s​pirobel:monero.social> right now this is sidestepped by putting trust into luigi, core etc ...

<s​pirobel:monero.social> entities that clearly cant be trusted

<r​ecanman:agoradesk.com> I agree to some extent

<r​ecanman:agoradesk.com> I agree

<4​rkal:monero.social> The fact that core has worse opsec than your average monero user is pretty disappointing to see.

<1​23bob123:matrix.org> not just core

<4​rkal:monero.social> Core seems a bit like a joke rn.

<p​olar9669:matrix.org> Who is in core ?

<4​rkal:monero.social> The people that make monero can't store it securely. Not the best look...

<4​rkal:monero.social> Means that any bad actor with even the smallest resources can attack and actually damage monero

<b​awdyanarchist:matrix.org> Just so that it doesnt go off the rails here, this was one guy in core, not the entire core team. For example, Ric has been a long time user and recommender of Qubes.

<r​brunner7:monero.social> > with even the smallest resources

<r​brunner7:monero.social> How on Earth do you know that?

<4​rkal:monero.social> Who else is holding funds rn?

<4​rkal:monero.social> Maybe they should disclose their setup?

<b​awdyanarchist:matrix.org> Yeah I think that's a reasonable ask.

<1​23bob123:matrix.org> as in process of how ccs funds are transferred or logs?

<t​rasherdk:monero.social> Wonder what happened to `Don't trust. Verify` 🤔

<b​it_thanos:matrix.org> I trust that Redmond has verified my keys...

going a bit extreme but, could a fresh QubesOS VM have low enough entropy to be cracked?

vdo: no, it uses haveged (well at least prior to 4.0 you had to), as of 4.1 that's baked into the kernel

<m​onerobull:matrix.org> dont beat yourself up over it, you didnt miss it by a week, funds were gone for a long time already 😅

<m​onerobull:matrix.org> also, i like the timelock idea for truly abandoned projects

<m​onerobull:matrix.org> "didnt claim in 6 months, it's going in the freezer. see you in 4 years!"

<1​23bob123:matrix.org> Yeep

<1​23bob123:matrix.org> 90 day disclosure

<h​bs:matrix.org> 60 no?

<n​aphtha:kyun.host> matrix.monero.social/_matrix/media/…/kyun.host/TAYWjFSDrDaTzpAuNFSnbgQD

<n​aphtha:kyun.host> why is this room called this

<s​pirobel:monero.social> yeah but why put all the burden and risk on the people that do the work? that is just unfair. Also: who watches the watchers? seems like they stole it.

<s​pirobel:monero.social> this whole "core" thing is just a grift and posturing to build a personality cult around people that don't really deserve it.

<m​onerobull:matrix.org> i only know the pseudonyms for like half of core, they arent exactly looking for attention

<s​pirobel:monero.social> uwwww how mysterious like satoshi

<m​onerobull:matrix.org> satoshi has an actual cult though

<j​ohn_r365:monero.social> Question re Matrix + IRC. On Matrix it's possible to type long messages. After how many characters do they get cut off on IRC?

<s​pirobel:monero.social> "core" in monero is the same kind of bullshit

<t​rasherdk:monero.social> Well, I have been around for a long time, and I have no clue about who's member of the core team. Also, I don't really care.

<t​rasherdk:monero.social> As long as you don't present proof, you should not throw around accusations.

<t​rasherdk:monero.social> So far, it looks like embarrassing bad OPSEC could be the culprit, but I don't know.

<s​pirobel:monero.social> okay please send money to this wallet I control I will help vet the people that actually do the work. (also everyone please bow to me, that is part of the tradition)

<s​pirobel:monero.social> owww the money is gone

<s​pirobel:monero.social> sorry

<s​pirobel:monero.social> please donate more

<s​pirobel:monero.social> better luck next time

<t​rasherdk:monero.social> 😂

<m​onerobull:matrix.org> are there any projects without a core team?

<s​pirobel:monero.social> there are many

<s​pirobel:monero.social> many people do stuff and get nothing in return

<s​pirobel:monero.social> because everyone is dancing like a retard around the ccs and "core"

<m​onerobull:matrix.org> i meant other crypto projects

<s​pirobel:monero.social> good question

<s​pirobel:monero.social> there are many projects that are at a point where no single entity controls them.

<s​pirobel:monero.social> bitcoin is there for example

<s​pirobel:monero.social> also outside of the crypto world there are projects that are like this

<s​pirobel:monero.social> like the webstandards / browser or operating systems like linux, bsd etc

<o​frnxmr:monero.social> Good morning

<s​pirobel:monero.social> hii

<m​onerobull:matrix.org> bitcoin still has a core team

<m​onerobull:matrix.org> browsers are mainly funded by google

<s​pirobel:monero.social> but they cant unilaterally decide things.

<o​frnxmr:monero.social> Idk why ppl think core are dictators

<o​frnxmr:monero.social> They dont even vote anymore

<o​frnxmr:monero.social> randomx? Was that the last time core "made a decision?"

<s​pirobel:monero.social> same for browsers. It is simplistic to think google can do what they want with the browser. At a certain scale software is "discovered" and not engineered

<m​onerobull:matrix.org> isnt core literally people doing unpaid work donating their time

<e​udaimon36:matrix.org> they got paid good this time

<m​onerobull:matrix.org> yeah right

<o​frnxmr:monero.social> Nah

<o​frnxmr:monero.social> Google does what they want frfr

<m​onerobull:matrix.org> artic donated 4500 xmr to corral reef, i dont think core needs 2.6k

<o​frnxmr:monero.social> And ppl get r#ally mad, ans try to use firefox

<o​frnxmr:monero.social> Artic d(nated 50+k xmr

<o​frnxmr:monero.social> At a time wheb it was 4$

<m​onerobull:matrix.org> which is funded by google

<o​frnxmr:monero.social> When you could mine 10 a day

<o​frnxmr:monero.social> Nioc also donated more then 2500xmrin his time

<m​onerobull:matrix.org> i recently donated 0.02 xmr to monero.vegas

<o​frnxmr:monero.social> I donated to the oscar

<o​frnxmr:monero.social> PPV

<t​rasherdk:monero.social> www.w3.org, github.com/torvalds/linux spirobel: ??? core teams

<o​frnxmr:monero.social> "team" haha

<s​pirobel:monero.social> the dictator who wants you to get vaxxed

<o​frnxmr:monero.social> Idk why ppl so afraid of oppression

<o​frnxmr:monero.social> Its called "punch the bully in the mouth"

<n​aphtha:kyun.host> sirs

<o​frnxmr:monero.social> Nobody can tell ofrn "get vaxxed oR ElSe!!"

<o​frnxmr:monero.social> threats only work on weak ppl

<o​frnxmr:monero.social> Get vaxxed if i want to, not cuz some old man trying to win an oscar told me drinking meth is for kids.

<t​rasherdk:monero.social> So far, nobody tried to get me vaxxed. My surroundings are smarter than that.

<n​aphtha:kyun.host> imagine getting the jab

<o​frnxmr:monero.social> Same

<s​pirobel:monero.social> i dont think he is afraid. He is just a smug retard who thinks he knows everything.

<n​aphtha:kyun.host> my entire family tried to get me

<o​frnxmr:monero.social> Yeah, nah. Nobody ever asked me

<o​frnxmr:monero.social> Not even hospital

<n​aphtha:kyun.host> i couldnt go to the gym if i wasnt vaxxed

<o​frnxmr:monero.social> #superspreader

<n​aphtha:kyun.host> but i "borrowed" a certificate

<o​frnxmr:monero.social> If i did get asked, i wasnt listening

<o​frnxmr:monero.social> Self checkouts worked

<n​aphtha:kyun.host> you couldnt even go outside

<o​frnxmr:monero.social> Says who, mom??

<n​aphtha:kyun.host> imagine trusting any kind of authority

<n​aphtha:kyun.host> after that bullshit

<o​frnxmr:monero.social> I dont listen to the tv

<s​pirobel:monero.social> so much about muh tovalds rants are so based .... then he shills for the vax lol what a clown

<n​aphtha:kyun.host> is that the only thing that made you not like him

<n​aphtha:kyun.host> the police would grab you and hand you a nice fine

<t​rasherdk:monero.social> I wouldn't know. I don't follow Torvalds.

<o​frnxmr:monero.social> Lmao

<o​frnxmr:monero.social> The police arent that dumb

<n​aphtha:kyun.host> you could probably just run from them since most officers here are fat as fuck and they never shoot

I missed the XMR event in Portugal because I did not want to comply with the vaxx mandates

<n​aphtha:kyun.host> they dont even shoot when its a life or death situation

lost airplane ticket money and event ticket, very sad!

<n​aphtha:kyun.host> fuckin cowards

<o​frnxmr:monero.social> ouch dsc

<o​frnxmr:monero.social> Posting link in offtopic

<s​pirobel:monero.social> anyway .... so I guess we have to continue obeying the core team then

<m​onerobull:matrix.org> what a terrible fate

<o​frnxmr:monero.social> ive never obeyed a core team

<n​aphtha:kyun.host> anyways can someone qrd me i still havent fully woken up

<o​frnxmr:monero.social> Cant continue what i havent started

<n​aphtha:kyun.host> do you really think luigi and fluffy stole the money

<m​onerobull:matrix.org> no

<m​onerobull:matrix.org> i think the setup was borderline insane though

<s​pirobel:monero.social> or just a charade to launder money

<n​aphtha:kyun.host> launder what nigga its monero

<n​aphtha:kyun.host> it by definition launders the money for you

<t​rasherdk:monero.social> That ssh password thing got me go WTF out loud.

<n​aphtha:kyun.host> yeah i remember reading that wasnt the password secure though

<n​aphtha:kyun.host> or was it like

<n​aphtha:kyun.host> password123

<n​aphtha:kyun.host> im just saying...

<n​aphtha:kyun.host> this wouldnt have happened if they were using Kyun™️.... w- i mean they only allow key authentication

<e​udaimon36:matrix.org> is it not absolutely necessary that Luigi step down--whether carelessness or dishonesty, no honestly run business would just be like "huh, well, we must just move on."

i was baking my head today, each core team member is an active target, i am kind of glad it's just the money that we are missing

because that's the thing we can replace

<s​iren:kernal.eu> yes because there's no proof that they were hacked

luigi is also a volunteer

<s​iren:kernal.eu> why would you default to believing that they were hacked when there's no proof and the disclosure timeline is this shit?

<1​23bob123:matrix.org> Guilty unless proven innocent

working for free

<n​aphtha:kyun.host> he does it for free

<s​pirobel:monero.social> can I have his job?

<s​pirobel:monero.social> i will do it for free too

<e​udaimon36:matrix.org> shitty volunteers are not helpful

<s​pirobel:monero.social> the new wallet address is: ....

<n​aphtha:kyun.host> i don't default to believing anything, i just have a certain level of respect for him and believe that if he really needed that money he could've gotten it other ways

I would not like to be in the skin of the human with identity known that I hold at least 500k in monero

<1​23bob123:matrix.org> I think you cant accuse unless there is proof

<e​udaimon36:matrix.org> no default belief is necessary: he is negligent either way

<n​aphtha:kyun.host> why is everyone so afraid now

<1​23bob123:matrix.org> On that note my theory of ofrn doing it is geonic doesnt get paid out is plausible

<n​aphtha:kyun.host> you have 500k you have money to hire security

<1​23bob123:matrix.org> On that note my theory of ofrn doing it so geonic doesnt get paid out is plausible

<1​23bob123:matrix.org> Thats foe chair security

<n​aphtha:kyun.host> theres people out there rocking 500k jewlery which is basically as untraceable as monero

<1​23bob123:matrix.org> For*

having security makes it only worse anyway

<n​aphtha:kyun.host> tell that to mcafee

I see this as great lesson to further improve our community systems

and for plowsof to make sure those watchdogs monitor outgoing transactions

<s​iren:kernal.eu> most likely we will not get any more information about this infra of theirs and no internal discussions will be disclosed

<s​iren:kernal.eu> it might as well be made up

welp lets think of something better.

<s​packle_xmr:matrix.org> Any volunteers for a non-core CCS multisig?

<n​aphtha:kyun.host> the ccs wallet should be owned by someone with a public real life identity

<n​aphtha:kyun.host> that way if he does something shady theres a target on his back

ccs worked perfectly for everyone and a lot of people are feeding their families of this fund for years

<n​aphtha:kyun.host> in gta

i mean in theory we don't actually need a central wallet. ppl can just commit to pay a certain amount. when the work gets done, individuals send the funds.

its not like ccs contributors usually fall off the face of the earth and don't follow the projects

er, ccs donators

if you think ccs donators are random people from internet

if you check donations history it's couple of community people giving most of the money

<m​onerobull:matrix.org> arent most proposals always like 90% funded by 1 peson

dEcEnTrAlIzE aLl tHe tHiNgS

<s​packle_xmr:matrix.org> I can't imagine someone undertaking a large effort based on the professed commitments of Internet anons.

<n​aphtha:kyun.host> decentralize my nuts lmao

<m​onerobull:matrix.org> can we do this on another blockchain

<n​aphtha:kyun.host> i think allark.io would be up to the task

<n​aphtha:kyun.host> with their wrapped xmr

<m​onerobull:matrix.org> you commit to funding on that chain and then milestones can be voted as complete via a DAO :D

<s​packle_xmr:matrix.org> What is the issue with setting up a non-core CCS multisig? Are there not enough capable people who are willing? It doesn't seem like a bad alternative to me.

<c​trej:matrix.org> some escrow is needed imo. Wouldn't want to start working without the assurance of funds, and I wouldn't donate without the assurance that the work will be done

<h​bs:matrix.org> value of wrapped assets goes to zero if wrapping counterparty suffers a hack

<c​trej:matrix.org> smaller amounts (wishlist style) are fine, but if we're talking about amounts that exceed my life savings for one proposal yoloing and hoping for the best is suboptimal

<c​trej:matrix.org> yes multisig would be good, if its in a usable state on our chain

<n​aphtha:kyun.host> what happens if a party goes missing or dies or just stops responding

could also design it with 100%+ commitment, in case ppl flake out or cop out

<n​aphtha:kyun.host> ill tell you what happens the funds become unusable

<n​aphtha:kyun.host> i was jk

<s​packle_xmr:matrix.org> naphtha: Multisig is M of N. People can go missing, just not all people.

like, the ccs grantee requests 140%. the folks over 100% are sort of backup in case the folks in the 100% don't end up paying

oh goody, scrollback

outsource scrollback reading to cat, we need you here right now

<c​trej:matrix.org> Its a full time job to keep up with all the messages

i mean shit, some ccs contributors in this system could send funds before the work is completed if they wanted to

<n​aphtha:kyun.host> feed the log to chatgpt version 9.12.5

<n​aphtha:kyun.host> 20 usd a month

<n​aphtha:kyun.host> its, like, the future n shiiieeeet

does it work with my abacus?

<1​23bob123:matrix.org> Ai cyber security

<n​aphtha:kyun.host> if you have enough abacuses

<n​aphtha:kyun.host> you need like at least 3 iirc

multisig for this is still centralized imo. less centralized, but centralized nonetheless

eVeRyThInG cEnTrAlIzEd bEcOmEs a tArGet....

<n​aphtha:kyun.host> so true

check what happened in my case, one of the colleagues made a minus -20k trade in a day by mistake

as a manager what would you do? he doesn't make even 1/3 of that

so should I said to him, I am removing 20k from your salary?

Almost everyone was up to that except me

next 3 months his kids are not gonna eat ?

In last 2 years he made to mb 100s of thousands and probably more (track record)

I told him: you moron and just let it be as there was not intention

as I believe in this case there was no intention

<s​packle_xmr:matrix.org> ceetee: Is it? I am imagining that once things are set up it is a couple hours per meeting to sync and approve payments.

<n​aphtha:kyun.host> i wouldve made him work 24 hour days complementary adderall

<m​onerobull:matrix.org> Majestic but this was core, the only people you'd truly expect to not fuck up, and it turned out the security setup was insane

everyone is here now, some people come to collect payment 12 months overdue but we hadn't seen them in 6 months

<e​udaimon36:matrix.org> is using a password, rather than ssh keys not insanely irresponsible? Intention is not all that matters for god's sake

<m​onerobull:matrix.org> I bet most of us in here have some seriously shizophrenia level of security for a fraction of the lost funds

<m​onerobull:matrix.org> Meanwhile core holds 420k in a hotwallet

speculation but; what percentage of 420k would you reckon came from core anyway, as previously many proposals are funded by only a few people, I can imagine the bulk of it coming from core

<1​23bob123:matrix.org> Maybe they can ping someone from citizen labs for forensic analysis

as previouly mentioned*

<o​frnxmr:monero.social> I think he means.. ofrn has to use all of his alts/timezones to keep up with this chat

<h​bs:matrix.org> As far as I know no one questioned the security before today, so the community as a whole is responsible no?

<o​frnxmr:monero.social> Re spackle

<o​frnxmr:monero.social> Hbs, nah

<o​frnxmr:monero.social> Just ppl are quiet

<e​udaimon36:matrix.org> there are basic expectation

<e​udaimon36:matrix.org> there are basic expectations

<o​frnxmr:monero.social> And dont like conflict

<m​onerobull:matrix.org> Dsc, doesn't really matter. The funds were donated to projects and now the gf has to cover it

<n​aphtha:kyun.host> ill be the one to say what we are all thinking

<n​aphtha:kyun.host> the nsa used their backdoors in intel me and the proprietary blobs in the ubuntu kernel to steal the funds

<1​23bob123:matrix.org> What am i thinking

<n​aphtha:kyun.host> it was nice meeting you

<n​aphtha:kyun.host> but i have to go into hiding now

<1​23bob123:matrix.org> With your node?

monerobull: I agree it is pointless speculation, I'm not sure about gf covering it but it would surely be welcome.

<o​frnxmr:monero.social> that too

<o​frnxmr:monero.social> Why in thr world was he running a node on the same machine

<m​onerobull:matrix.org> The NSA gets way more out of closing down DNMs

<n​aphtha:kyun.host> yeah but dnms use linux-libre on corebooted machines

<m​onerobull:matrix.org> They use AWS

<o​frnxmr:monero.social> Something wrong with selsta or plowsof onion nodes?

<o​frnxmr:monero.social> exposing the vm to the internet is crazy

<o​frnxmr:monero.social> We even have a setuo guide on getmonero for making an airgapped wallet

<1​23bob123:matrix.org> Tldr

<o​frnxmr:monero.social> And the paper wallet generator credits luigi as helping create it

we currently have a few contributors that are most likely dependent on CCS income which can create troubles for them

so whatever the solution, that needs solving

<o​frnxmr:monero.social> @dsc theyll cover it

<n​aphtha:kyun.host> replenish from the general fund

<1​23bob123:matrix.org> Core is covering it

okay

<o​frnxmr:monero.social> What good if generalfund, if not to cover rainy days

<1​23bob123:matrix.org> For active projects

<o​frnxmr:monero.social> Since my fkn rainy day fund was stolen

<o​frnxmr:monero.social> @dan core is covering 2675xmr

<o​frnxmr:monero.social> Not a pico less

<o​frnxmr:monero.social> Thats out raint day fund

<o​frnxmr:monero.social> Not our "bed gf to cover" fund

<o​frnxmr:monero.social> Begi*

<o​frnxmr:monero.social> Beg***

<n​aphtha:kyun.host> 2675xmr is a drop in the bucket for the general wallet anyways no

<1​23bob123:matrix.org> Then they can claim against cyber insurance

<o​frnxmr:monero.social> Nah its like 35% of it

<o​frnxmr:monero.social> 8kxmr in gf

<n​aphtha:kyun.host> no ones gonna insure for xmr not even ransomware insurers

<n​aphtha:kyun.host> they only insure for btc because they have a chance of tracing it

ccs need re-start asap

<m​onerobull:matrix.org> Active proposals are only about 600 xmr

<o​frnxmr:monero.social> @majestic ill talk to plow and luigi and try to get it going today

<1​23bob123:matrix.org> System reboot

<1​23bob123:matrix.org> Clear cache

<1​23bob123:matrix.org> Nothing to see here

<o​frnxmr:monero.social> rm -rf ccs wallet

<1​23bob123:matrix.org> Hopefully its a multi sig

<o​frnxmr:monero.social> Maybe check recyclebin?

<1​23bob123:matrix.org> On google vps

<o​frnxmr:monero.social> Tobby might implement in feather

<o​frnxmr:monero.social> To make it easy for ua

<o​frnxmr:monero.social> Us

for ua also

<o​frnxmr:monero.social> Feather Wallet

<1​23bob123:matrix.org> No one tries to hack google

<1​23bob123:matrix.org> Thats asking for trouble

i am more concerned about luigi physical security / opsec then internet setup and from my position don't see other good fit

<m​onerobull:matrix.org> Once I accidentally did that on my monero node when I wanted to remove monero.fail folder

<o​frnxmr:monero.social> Regarding Luigi physical security. Maybe hes married

how much rino is ready to be easy to use in this case?

<o​frnxmr:monero.social> Rino is proprietary

<o​frnxmr:monero.social> Aint it?

non custodial still ?

does it happen fully in browser ?

<o​frnxmr:monero.social> Id prefer feather/gui/cli to any proprietary measure by someone who may have poorly implemented things

<1​23bob123:matrix.org> Tbh if i was him, i’d try and csi it, cause if it was breached on his side that means hes doxed

as I understand rino was made for larger exchanges

<o​frnxmr:monero.social> Still cant get acxess to msvb getmonero emails

<o​frnxmr:monero.social> But someone got the whole wallet :D

<1​23bob123:matrix.org> Lol

<1​23bob123:matrix.org> This is the way

<m​onerobull:matrix.org> rino wont work

<m​onerobull:matrix.org> its a frontend

<m​onerobull:matrix.org> the multisig is only for the recovery as far as i can tell

w/e solution is must be more robust but still easy, we are often waiting for one singer, multi-sig beyond 2 people

<m​onerobull:matrix.org> you can restore a rino wallet in CLI and have full access

will make it very slow

<o​frnxmr:monero.social> fearherwallet is the fasted possible, probably

<o​frnxmr:monero.social> vik (Cake): can you implement too?

<o​frnxmr:monero.social> (multisig)

it's slow right now, imagine making it slower

<m-relay> <m​onerobull:matrix.org> the multisig is only for the recovery as far as i can tell <- no it's for every spend. The wallet is a 2-of-3, you can't be just partially multisig "for recovery".

from my point I would never want to be in charge of ccs wallet, it's really big responsibility

<1​23bob123:matrix.org> High threat model too

<1​23bob123:matrix.org> Seems exciting

<m​onerobull:matrix.org> binaryFate, true but it doesnt add any extra security in terms of protecting against people with access to the rino wallet

<1​23bob123:matrix.org> 2 of 3 for a transaction?

yeah being custodian for the community is shit. Opsec and known target on your back has a *huge* impact on personal life, travels etc. You can only lose in case of problems, when things are ok, people just take it for granted :)

<1​23bob123:matrix.org> Tbh i think it was just complacency

<s​pirobel:monero.social> it is like being the idiot who builds the roads and bridges in the libertarian city

<o​frnxmr:monero.social> But hey, they hit us too early. Wont happen again

<m-relay> <m​onerobull:matrix.org> binaryFate, true but it doesnt add any extra security in terms of protecting against people with access to the rino wallet <-- I would not advocate its use for sizeable community savings. For smaller, hot wallets that need more frequent access, it might be a useful approach. But obviously I'm not gonna advocate anything too specifically :)

I am understanding right that fluffy had unilateral access to the ccs wallet?

after we like, revoked his github access and shit

<m​onerobull:matrix.org> i think he didnt and then the funds were moved back to the wallet where he did lol

what. the everliving fuck

honestly who did that

No the funds weren't moved back, they just continued accumulating there. Ccs churns 1000s of XMR per year

<s​pirobel:monero.social> keeping your hands out of the cookie jar is not easy for some people

I'm not trying to levy accusations but I am saying that if you think it's prudent to revoke someone's github access it seems insane to then give them acceess to funds

if we add plowsof to true multi-sig, what are chances we lose that funds in the protocol?

<o​frnxmr:monero.social> Depends who he signs with

<o​frnxmr:monero.social> As low as 0

Like when it was announced that his permissions were revoked I definitely assumed that included donation wallets

<s​pirobel:monero.social> what ever man it is just money and is a thing of the past now. the cookie monster got its fill lets move on and think how we can do better in the future

well no

is our multi-sig safe for keeping million usd?

we literally don't know it wasn't an inside job

<s​pirobel:monero.social> yeah and there is no way to tell because this setup is just super fishy

<s​pirobel:monero.social> and anyone who couldnt tell and still donated is goofy

nonetheless we need to think how the people who found themselves in these very fishy positions are to be handled

I assume fluffy is out of everything now (righht?!?!?) and god knows I'd hate to lose Luigi but like.... you know??

Fp will not be part of whatever the solution is. I don't know who will be

<o​frnxmr:monero.social> spirobel @spirobel:monero.social: on that note, id like to add: whoever stole the money, feel free to share 83BgP7EP8YcAV52rxgvKuaRUsYKbnJ7bFWJ98CD5q7ESLKTdWGQa7x2iuz8B6Tm9aY41x2by52T56S6LCu2xrJ1mJy5XW3s

<m​onerobull:matrix.org> monero.town has a dono address too :)

<s​pirobel:monero.social> me too please give me monez me poor

restart ccs asap in more robust way, figure what happened after

<o​frnxmr:monero.social> +1

<n​aphtha:kyun.host> my personal opinion on all this is that you should all get a server from kyun.host

<s​pirobel:monero.social> no shut it down. Donors should donate directly to people who work

+2

<s​pirobel:monero.social> this stupid ccs and core charade has got to stop

I think we should be able to figure out how not to put two to three people in charge of half a million dollars

<r​brunner7:monero.social> That will only produce scams with people who *don't* work

unless one of them is me

Core more or less doesn't do anything anymore so not quite getting the charade part

<s​pirobel:monero.social> so just donate small amounts while building trust

<1​23bob123:matrix.org> We’ll rotate the people once a week so everyone gets a go

<n​aphtha:kyun.host> i read this as

<n​aphtha:kyun.host> ><l​uigi1111> Cry more

<m​onerobull:matrix.org> exhibit a: kuno.anne.media/search

bro want .com to become official domain

<n​aphtha:kyun.host> wouldve been pretty funny ngl

<r​brunner7:monero.social> Oh those young people with their idealistic worldviews. Signed, boomer

<s​pirobel:monero.social> help meeee buy <insert appliance name here>

If I lost half a million dollars I'd repalce as much as I could from my personal stack then disapepar into the night in shame but that's just me

<m​onerobull:matrix.org> at least those guys are honest

<s​pirobel:monero.social> btw I seriously thought about getting funding for my mini pizza oven there

I am pretty sure we are taking a lot of stuff here for granted

<m​onerobull:matrix.org> "help me get boob surgery" was also a good one

<1​23bob123:matrix.org> What type of pizzas

not knowing what effort is put into

<1​23bob123:matrix.org> Yest

all around

I'd donate to the boobs

<r​brunner7:monero.social> Yeah, that kuno thing is cool. Much better than a CCS

<r​brunner7:monero.social> Har har

<m​onerobull:matrix.org> Lyza kuno.anne.media/donate/4ofb

<o​cean:matrix.thisisjoes.site> no because gluten bad

nah actually I like em how they are

<1​23bob123:matrix.org> What size

<m​onerobull:matrix.org> wownerochan

<s​pirobel:monero.social> I mean the thing is people can judge by themselves if they want to donate or not. we just need to make it a thing. we dont need to ask daddy core for their permission just to raise some funds every time

<n​aphtha:kyun.host> 🤤🤤🤤🤤🤤🤤🤤🤤🤤🤤🤤🤤🤤🤤🤤🤤🤤🤤🤤

this is currently most transparent funding on internet I've seen

<s​pirobel:monero.social> 🥛🥛🥛🥛🥛🥛🥛🥛🥛🥛🥛🥛🥛🥛🥛🥛🥛

yeah but it is ultiamtely like, convincing one dude to approve your PR

<1​23bob123:matrix.org> ( . )( . )

<m​onerobull:matrix.org> real devs would get drowned out by grifters

<o​cean:matrix.thisisjoes.site> u want bigger tits? get pregnant

<1​23bob123:matrix.org> Easier too apple walled garden too

<s​pirobel:monero.social> yes. so we need the people with clout to point out what is worthwhile and what isnt.

<m​onerobull:matrix.org> and even real devs might just... start CCS, apply at google, take an extended vacation

ocean I tried dude :(

<r​brunner7:monero.social> It's already now pretty hard to finance a substantial part of your life by working for Monero, which some people want to do, and which gives very good devs, if it works out. Imagine being at the mercy of small donations coming in directly - or not - for that. Awfully realistic.

<s​pirobel:monero.social> yes then people can adapt their donation patterns ... it is a back and forth

<s​pirobel:monero.social> instead of the ccs struggle sessions

<s​packle_xmr:matrix.org> I'd like to continue exploring a community held multisig CCS.

<n​aphtha:kyun.host> cunny.jpg

<s​pirobel:monero.social> I would like to do it if there was an opportunity, but it just feels too unsafe the way things currently work.

honestly just send me the money and I'll decide what projects are worth it

very good system

<s​pirobel:monero.social> yeah that is how the ccs worked until now

exactly

<1​23bob123:matrix.org> ?

<s​pirobel:monero.social> but with one guy for the whole community as the bottleneck

good system, just need someone that can be trusted. like me =P

<s​pirobel:monero.social> that is also super inefficient from a parralelism / concurrency standpoint

<s​pirobel:monero.social> or me hihi

I agree spirobel seems chill

<1​23bob123:matrix.org> All i saw was luigi this is approved pay the man

I vote we share responsibilities

<s​iren:kernal.eu> Only if you agree on splitting it with me later 😋

nah the ironic thing is I'm actually trustworthy

<m​onerobull:matrix.org> spiroble, plow, do we want to do the multisig together? 🤔

Lyza: sure you are

:)

<m​onerobull:matrix.org> spirobel, plow, do we want to do the multisig together? 🤔

<n​aphtha:kyun.host> you want to multisig eachother in the multibutts?

<1​23bob123:matrix.org> Only if you use winxp

<m​onerobull:matrix.org> id also invite geonic and ofrn

<1​23bob123:matrix.org> Lol

<1​23bob123:matrix.org> Conflict of interest

2 of 9 multi-sig in that case

<s​pirobel:monero.social> lets go to the hotspring together to share the keys

<m​onerobull:matrix.org> not at all

<m​onerobull:matrix.org> on the contraty

<m​onerobull:matrix.org> i bet you 100 XMR ofrn and geonic would never collude to steal funds

in all seriousness getting 2-3 people to conspire isn't that much harder is it, esp. if they're all psuedonymous and like, who would want to attach their real name to this wallet

<n​aphtha:kyun.host> my wifes boyfriend wants to join you

<1​23bob123:matrix.org> What does magic funds do?

<a​js_:matrix.org> monero multisig is still an experimental feature

securing the new key is easy, ironically, it's getting the trust back that's the real challenge here

<o​frnxmr:monero.social> says us bcuz ooo warned us we'd end up on rekt

<o​frnxmr:monero.social> But look

thanks ajs

<o​frnxmr:monero.social> We didnt use it, and got rekt

<a​js_:matrix.org> and RINO would be better suited for hot wallet situations

yes they are suggesting an experiment

:)

<m​onerobull:matrix.org> i think we convert most into more stable and insured assets pretty quickly

<n​aphtha:kyun.host> oh theyre experimentin galright

<n​aphtha:kyun.host> oh theyre experimenting alright

how long have you been watching this experiment?

<s​pirobel:monero.social> the thing is it also solves nothing. The core problem of: what to fund? how to keep a good relationship and mutual trust with them still remains ... Every community member and potential donor should make this decision themselves instead of pooling the funds all up front.

<m​onerobull:matrix.org> we should do IRL signing sessions

monerobull you would need a person or organization to custody that still

<system> file image.png too big to download (3743145 > allowed size: 1000000)

<m​onerobull:matrix.org> image.png

<s​pirobel:monero.social> the thing is it also solves nothing. The core problem of: what to fund? how to keep a good relationship and mutual trust with the devs / creators still remains ... Every community member and potential donor should make this decision themselves instead of pooling the funds all up front.

can we keep cold ccs wallet with bF and he gives us tiny amounts when payment is due ?

<n​aphtha:kyun.host> cake wallet should do it

lol

<o​frnxmr:monero.social> Cake has insurance haha /s

<o​frnxmr:monero.social> Imagine if luigi was ceo of monero ccs llc

<o​frnxmr:monero.social> Ouch

he is anyway keeping most of the money

the service of the CCS was that it gave lesser known developers a shot by holding the funds with an, ahem, trusted third party, who could dole it out in units. And I think that's a useful thing to have! But it either needs to be decentralized or.... I'm not sure we have enough of a trusted third party left

<o​frnxmr:monero.social> The biggest issue i see here

<o​frnxmr:monero.social> If devs have been requesting pay

<o​frnxmr:monero.social> Starving themselves

<n​aphtha:kyun.host> Screenshot from 2023-11-03 14-34-35.png

<o​frnxmr:monero.social> We have a PAID ccs coordinator

<o​frnxmr:monero.social> The info that "ccs was drained" was available 30 days ago

<o​frnxmr:monero.social> And the CCS coordinator was wasting community funds, asking peopke to collect their money

<o​frnxmr:monero.social> When the money was gone

<o​frnxmr:monero.social> Thats a major "wtf is wrong with you" moment

hmmm, the compromised wallet has been open for donations for the past 30 days??

is that what you mean

No

<o​frnxmr:monero.social> You DIDNT tell plowsof? OR the cryptographers and researchers and hackers who the money belongs to?

Oh I see

what is meant

<o​frnxmr:monero.social> Why was jeffro left in the dark

<o​frnxmr:monero.social> Looking like a starved child asking regularly, and the COORDINATOR doesnt have answers

<o​frnxmr:monero.social> But the anawers were there?

<o​frnxmr:monero.social> Why fkn make us look like retards

monthly or w/e bF transfer to luigi

he make payments and job done

<o​frnxmr:monero.social> Its almost disrespectful that core would think us to now be a part of the "need to know basis"

I don't think bf wants to take on more

<o​frnxmr:monero.social> Bf doesnt need to take on more, i agree. Not even fair to him

Payments should go out today

<o​frnxmr:monero.social> for RIGHT NOW

<o​frnxmr:monero.social> Bf needs to pay the devs

<o​frnxmr:monero.social> Please

<o​frnxmr:monero.social> Thank you

<1​23bob123:matrix.org> Co-ordination disclosure

<m​onerobull:matrix.org> id be happy to be part of a big multisig for big proposals, anything smaller, idk, like, 20 XMR can probably go to a hotwallet run by plowsof

<m​onerobull:matrix.org> like, 6-10

<o​frnxmr:monero.social> 250xmr to hotwallet run by plowsof

luigi1111> Payments should go out today <<>> thank you

<m​onerobull:matrix.org> like, 6 out of 10 musig

<1​23bob123:matrix.org> Do all 6 meet up

<1​23bob123:matrix.org> And then cia drone strike

<m​onerobull:matrix.org> btw can xmr even do that?

<s​packle_xmr:matrix.org> That is my understanding. Reading through this now: web.getmonero.org/resources/user-gu…ides/multisig-messaging-system.html

activating the GUI auto updater already always takes a while, and that only requires 2 people / core team members that don't have to be simultaneously online

keep that in mind when suggesting fancy multisig setups

I've been around, pinging people that are around 6 years

<r​ucknium:monero.social> monerobull: 6 of 10 multisig? IIRC, the multisig in Monero's C++ codebase requires...something like N^2 signing rounds for N signers. IIRC Serai has a more efficient Monero multisig implementation in Rust....maybe based on FROST.

to do multi-sig

would be weeks time

<m​onerobull:matrix.org> i know plow ofrn and me are terminally on here

<r​ucknium:monero.social> I can't remember all the details. It's a pain to have a large number of signers. Serai needs efficient multisig to operate, so kayabaNerve built it.

thing is singers need to be people who are here to protect monero market cap

<k​ayabanerve:matrix.org> Rucknium: It's not N**2, it's N!

and not for their own

things

<r​ucknium:monero.social> Ouch....

<m​onerobull:matrix.org> we can also just stall and wait for serai multisig wallet :D

<k​ayabanerve:matrix.org> (hand-waving, there's more terms but that's the most notable comment)

N factorial? Wow

<k​ayabanerve:matrix.org> That's why Monero caps at 16. Serai is n^2. I don't love n^2 but it's acceptable even at ~100-150 signers.

<k​ayabanerve:matrix.org> 150! wouldn't be acceptable in the slightest.

<k​ayabanerve:matrix.org> Also, Serai does offer a O(n) n-of-n key generation algorithm (MuSig). The above commentary is on threshold keys. I'm unsure if Monero offers a dedicated n-of-n algorithm which isn't superlinear.

<a​ck-j:matrix.org> Are you planning to give the two machines to forensic analysts to be imaged and analyzed? luigi1111

<s​iren:kernal.eu> The reports should be public

<1​23bob123:matrix.org> Are you going to give your pc’s image to use too?

<m​onerobull:matrix.org> image and send it to the feds :3

<1​23bob123:matrix.org> Better of asking citizen labs for help

<m​onerobull:matrix.org> "biden, north korea might buy nukes with it, please help!"

<o​frnxmr:monero.social> plot twist: biden stole it and we need nk's help

<1​23bob123:matrix.org> To fund the wall

<p​lowsof:matrix.org> morning

<s​packle_xmr:matrix.org> Realizing there are drawbacks, can anyone attest to the user experience for a large Monero multisig setup?

<s​packle_xmr:matrix.org> I would volunteer for doing a many(10+) person test setup this weekend to see what it is like.

happy to do whatever with the server the wallet was on.

hi plowsof

i said plowsof is sleeping on the job

<o​frnxmr:monero.social> Too big is too much red tape

<1​23bob123:matrix.org> Give everyone teamviewer access :0

<1​23bob123:matrix.org> Or google remote desktop

<s​pirobel:monero.social> redeem?

<s​pirobel:monero.social> sirs

<n​aphtha:kyun.host> bloody benchod basterd

<s​pirobel:monero.social> jai hind

<r​brunner7:monero.social> > doing a many(10+) person test setup

<r​brunner7:monero.social> That's almost impossible.

<r​brunner7:monero.social> You would have to exchange literally hundreds of messages to just build those 10 wallets.

<r​brunner7:monero.social> I made once a 5/7 wallet or so and don't think somebody went higher than that, ever.

<r​brunner7:monero.social> Except maybe kayabanerve with this quite different system to build multisig wallets

rbrunner how useable is a 5/7?

<r​brunner7:monero.social> Once built, it's kind of ok

<k​ayabanerve:matrix.org> Local generations of 16 have occurred. I'm unsure the round complexity and real world impact.

<r​brunner7:monero.social> Still hard sending a tx to all those 5 peoples in a row.

<k​ayabanerve:matrix.org> I didn't prior recommend monero-serai as I assumed the core multisig would meet the requirements in a non-performance constrained environment. If the newly proposed multisig is to have 7 signers, it sounds like monero-serai *may* be a valid recommendation.

<r​brunner7:monero.social> But maybe no sense in going overboard. I think already a 2/3 would be much, much better than the current, or sadly, past setup.

<k​ayabanerve:matrix.org> Agreed, yet I think the ideal would be 3-of-5.

<t​igerbalm:matrix.org> Sounds like a fkn disaster. 3 letter agencies would be salivating at the possibilities to co-opt it

<m​onerobull:matrix.org> literally why havent they done so with core

<m​onerobull:matrix.org> if thats apparently a "valid" argument

<t​igerbalm:matrix.org> Because core devs have a higher probability of being principled than community members.

<t​igerbalm:matrix.org> Would you give your signature up for $10M?

<t​igerbalm:matrix.org> I can say that I wouldn’t, but do you trust me?

<m​onerobull:matrix.org> lol

<o​frnxmr:monero.social> Core team =/= core devs

<m​onerobull:matrix.org> lets drain 400k by paying 50 million

<o​frnxmr:monero.social> Core devs = the ppl who got robbed

<o​frnxmr:monero.social> The ccs proposers who do the work

<t​igerbalm:matrix.org> All right, core team* my b

<o​frnxmr:monero.social> Why wpuld being a member of a club that doesnt dev, make you more principled?

<t​igerbalm:matrix.org> You’re stuck in the present. With enough time $XMR could be worth a lot more

<s​tnby:kernal.eu> Pretty sure Core are the ones who robbed the CCS. They gotta pay up

<m​onerobull:matrix.org> ok, then id wager most community memebers have even less of an incentive

<o​frnxmr:monero.social> I mean, the money belonged to devs

<o​frnxmr:monero.social> The devs are the ones who got robbed

<o​frnxmr:monero.social> money was taken from core team, but it didnt belong to core team

<o​frnxmr:monero.social> meito seems to think core team = devs

<s​tnby:kernal.eu> Core cult devs robbed regular devs :D

<t​igerbalm:matrix.org> No I corrected myself above

<o​frnxmr:monero.social> Meito, how is this "more principled"

<o​frnxmr:monero.social> Lets assume no foul play

<o​frnxmr:monero.social> Opsec was worse than niocs cat

<o​frnxmr:monero.social> Communication too

<o​frnxmr:monero.social> What principles is mr/mrs meito referring to?

<o​frnxmr:monero.social> Complacency?

<o​frnxmr:monero.social> Core isnt paid. Has no dog in the fight

<o​frnxmr:monero.social> Why would they bend over backwards for us anymore?

<o​frnxmr:monero.social> At any point in time, bf can have a boating accident

<p​lowsof:matrix.org> to detect spends from a view only wallet we need 'the thing that does the herustic things'. an example would be generic xmr scanner, whicih i tried and failed to compile 2 weeks ago moneroexamples/generic-xmr-scanner #11

<o​frnxmr:monero.social> Core used to steer the ship. now core got out of the way. Were supposed to be steering it

<o​frnxmr:monero.social> But we still rely on them bcuz we need somebody to blame

+1 for out-going scanner

<r​ucknium:monero.social> plowsof: The heuristic doesn't work if there is no change going back to the wallet. The theft would not create change.

<t​igerbalm:matrix.org> My point is that if you were to pick from the community at random vs core team at random,

<t​igerbalm:matrix.org> then the likelihood of the random pick from the community acting ethically is lower than the likelihood of the random core team pick acting ethically

<p​lowsof:matrix.org> ah understood, thanks, makes sense

<o​frnxmr:monero.social> they swept in 9 tx

<o​frnxmr:monero.social> are we sure there was no change?

<o​frnxmr:monero.social> Who's doing random?

<o​frnxmr:monero.social> We chose plowsof

<o​frnxmr:monero.social> Hes more ethical than mary poppins

<o​frnxmr:monero.social> Wait.. wrong mary

<p​lowsof:matrix.org> plowsof sadly is neither anon or rich

<o​frnxmr:monero.social> plowsof is well known to be ofrnxmr's original acct

<t​igerbalm:matrix.org> How do we pick?

<p​lowsof:matrix.org> 5$ wrench attack

<m​onerobull:matrix.org> lets be real here for a second, CCS wallet isnt even supposed to have that much money in it

<o​frnxmr:monero.social> Out of a hat

<t​igerbalm:matrix.org> I think a mix of core team and community could work. But not community only

<o​frnxmr:monero.social> Pull straws

<o​frnxmr:monero.social> Randomly /s

<r​ucknium:monero.social> I don't think we're sure there is no change. The thief could have made a mistake. I can check...

<o​frnxmr:monero.social> I have ideas

<p​lowsof:matrix.org> yes, if we turn back time, and asked someone to custody a CCS wallet - the idea was for it to never have nearly 3000xmr in it

<p​lowsof:matrix.org> people complete work and are paid, happy

<m​onerobull:matrix.org> yes

<o​frnxmr:monero.social> 3000xmr is supposed to be the _jet fund_

<m​onerobull:matrix.org> and in the future this should be prevented

<m​onerobull:matrix.org> by putting a time on when funds get sent to the shadowrealm (gf)

<o​frnxmr:monero.social> Somehow it was left with luigi / ccs wallet for like 9 months after she g(t prego

<o​frnxmr:monero.social> Then the baby was stolen

<m​onerobull:matrix.org> by putting a timer on when funds get sent to the shadowrealm (gf)

<o​frnxmr:monero.social> JET FUND

<o​frnxmr:monero.social> tldr again, by "jet fund" it doesnt mean a real airplane

<o​frnxmr:monero.social> It means "rainy day dev fund"

separate wallet for each proposal

time-locked

<o​frnxmr:monero.social> We'd still have 2000+ xmr if we did the jetfund

<o​frnxmr:monero.social> I quit

<o​frnxmr:monero.social> Dont get paid enuff to handle that shit

until first milestone

<o​frnxmr:monero.social> Go kuno

on which server does ccss script is running ?

does / is

<o​frnxmr:monero.social> > <s​ech1> full timeline: reddit.com/r/Monero/comments/17m6w9e/psa_ccs_wallet_incident

<o​frnxmr:monero.social> .

<r​ucknium:monero.social> If anyone wants to have the CCS wallet view key and doesn't have it, it is:

<r​ucknium:monero.social> Address: 43H2k6iDgyfNo4HzgQKF8ABALWGpRz9Ez6uexXLGFyuC32SevoaGUiKWbebSkqy5EzdkviwJ4NQwDHkxVxHceUtLBzBjoTV

<r​ucknium:monero.social> Secret view key: 645936bdbb2e13830f587351b73b226c7c107ff94e5db0e0dd19c661cd657b0a

<o​frnxmr:monero.social> Tyvm

<r​ucknium:monero.social> The earliest tx I see is 2020-04-21. You can use that as the restore height date.

<r​ucknium:monero.social> I don't think we're sure there is no change. The thief could have made a mistake. I can check... <= there is no change

<r​ucknium:monero.social> From what I see, the theft transactions did not produce any change

<r​ucknium:monero.social> Thanks. Just checked.

<p​lowsof:matrix.org> luigi became aware of it on the 28th september, if i found out about this hack, i would first endure the stages of grief whilst trying to set up calls/meetings with other member of core

<p​lowsof:matrix.org> 1~ month is an impressive turn around

<p​lowsof:matrix.org> again, i am not anon, or rich. i have watched the docus on how putin will make ya commit espionage

<m​onerobull:matrix.org> image.png

<p​lowsof:matrix.org> double checking timeline

<m​onerobull:matrix.org> what

<p​lowsof:matrix.org> can elon musk attatch a community note to monerobulls image .. September 28th it should be

<m​onerobull:matrix.org> i just thought this comment form /xmr/ is fitting in regards to your stages of grief comment

<p​lowsof:matrix.org> ohhh lol

<p​lowsof:matrix.org> my brain sees >green text, it reads

<m​onerobull:matrix.org> didnt you get that wrong too

<m​onerobull:matrix.org> that date is referring to which hight the wallet was previously synced

<p​lowsof:matrix.org> yes, let me pass the laptop to my evil maid who is more awake

<m​onerobull:matrix.org> that date is referring to which height the wallet was previously synced

<m​onerobull:matrix.org> image.png <<>> was this supposed to be an image? lol

<p​lowsof:matrix.org> sorry . and johnfoss68 i just tested, 260 chars seems to be the line limit for irc messages

<p​lowsof:matrix.org> uhh john_r365

<o​frnxmr:monero.social> 1. Hacked sept 1

<o​frnxmr:monero.social> 2. Sept 28 found out, contacted core

<o​frnxmr:monero.social> 3. Sept 29 contacted plowsof

<o​frnxmr:monero.social> 4. Sept 29, plowsof contacts devs like jeffro, selsta, tobtoht, berman, siren, rucknium, sgp, because they are owed $ and/or because we need solutions and investigations

<o​frnxmr:monero.social> 5. Oct 4th we have disclosure

<o​frnxmr:monero.social> Were a month late and in a wtf situation bcuz everybody who should hsve been told as a part of "need to know basis", was not

<o​frnxmr:monero.social> Self admitting that core "doesnt do much", so why would core try to solve this withiht us?

<o​frnxmr:monero.social> This isnt 2016

<o​frnxmr:monero.social> Bad judgement call. Thats why we have plowsof. Because core doesnt need to make these decisions for us, and then lambasted over it

<j​ohn_r365:monero.social> Thanks plowsof! Useful to know for when breaking up larger messages into smaller chunks

<j​effro256:monero.social> I wasn’t contacted Sep 29th about this. On Monday, I was told that binaryfate would be handling payments , but not why

<o​frnxmr:monero.social> Oh yeah, im saying thats what SHOULD have happened

clear as mud ofrn lol

just use mutisig monero-project/monero #9050

<o​frnxmr:monero.social> > luigi became aware of it on the 28th september, if i found out about this hack, i would first endure the stages of grief whilst trying to set up calls/meetings with other member of core

<o​frnxmr:monero.social> Was a response to this

<s​iren:kernal.eu> I wasn't contacted on Sept 29 I only learned about the incident yesterday

<o​frnxmr:monero.social> ❤️ sorry, ill be more clear next time

ofrnxmr: promises promises

<t​rasherdk:monero.social> I'm leaning that way too.

<t​rasherdk:monero.social> And here I thought monero offered some level of anonymity. Damn...

<t​rasherdk:monero.social> Isn't that where the multi part kicks in?

<p​lowsof:matrix.org> a moment of silence for the IRC side who have no idea what quotes are being replied to

<o​frnxmr:monero.social> (reply = doesnt work. Quote = does work)

<p​lowsof:matrix.org> > (reply = doesnt work. Quote = does work)

<p​lowsof:matrix.org> thanks!

<t​rasherdk:monero.social> Don't worry. I'm on the late shift.

<p​lowsof:matrix.org> matrix.monero.social/_matrix/media/…matrix.org/HfkoJIbwtNaytsAlQSkJRnSz

<p​lowsof:matrix.org> litmus test for all matrix users who see the above image and continue using reply

<c​trej:matrix.org> test

<o​frnxmr:monero.social> Haha

<t​rasherdk:monero.social> I'm pretty sure, had anybody been aware of the setup, they would have objected. I would have. Password, WTF.

<p​lowsof:matrix.org> i thought you where manually retyping the commment yourself, instead of clicking "quote"

<o​frnxmr:monero.social> Hahahaha, hahahaha. Hahaha.

<p​lowsof:matrix.org> yeah trasherdk the setup is quite simple, you just click the 3 dots and then quote.. real simple

password vs key does not plausibly solve much

<p​lowsof:matrix.org> the ccs node was "broken" a while ago, and "fixed"

<o​frnxmr:monero.social> cant get in without access to the key, which should have not been on the same device

jeffro256: sent

<p​lowsof:matrix.org> could information have leaked there?

<o​cean:matrix.thisisjoes.site> > > <@plowsof:matrix.org> litmus test for all matrix users who see the above image and continue using reply

<o​cean:matrix.thisisjoes.site> > test

<o​cean:matrix.thisisjoes.site> boop

plowsof afaik only the viewkey should be at risk there

<o​frnxmr:monero.social> Isnt the node on same device as the ccs cokd wallet. That got drained?

no

<p​lowsof:matrix.org> ok ok

well _a_ node is on there. Nothing to do with CCS tracking

<o​frnxmr:monero.social> Oh ok

<o​frnxmr:monero.social> Probably shouldnt expose that to the internet

<o​frnxmr:monero.social> Otherwise its, uh, a hot wallet

<p​lowsof:matrix.org> but 4rkal said we need more nods

<o​frnxmr:monero.social> And more windows

<o​frnxmr:monero.social> Luigi had 5 different os, didnt help

<p​lowsof:matrix.org> exactly

it's not exposed to the internet, unless router compromised, which is possible

<p​lowsof:matrix.org> diversified for the ecosystem and this is how he is thanked

otherwise it requires some monerod RCE or so

<o​frnxmr:monero.social> iptables? Ufw?

<o​frnxmr:monero.social> Not sure why the jump to router

<o​frnxmr:monero.social> Unless firewall wasnt config

it doesn't have a public IP. You can't access it unless you get through the router

<p​lowsof:matrix.org> so we have no idea yet if this was a targetted attack or random / fishnet attack where router firmware is vulnerable

<o​frnxmr:monero.social> And there was a cve RavFX @gfdshygti53:monero.social: that allowed firewalld to escalate iirc

<o​frnxmr:monero.social> Csnt debiced do adhoc mode

<o​frnxmr:monero.social> Why even use a router or run a node

you mean why not full offline? Convenience

clearly wrong choice

<g​fdshygti53:monero.social> That's neat!

<g​fdshygti53:monero.social> When you use the firewall to get root 😂

<o​frnxmr:monero.social> couldnt put the wallet on a thumbdrive or something?

how do you access it?

<o​frnxmr:monero.social> By booting into it?

then it's online?

<o​frnxmr:monero.social> No, its offline

<o​frnxmr:monero.social> Why would you need net to boot?

<o​frnxmr:monero.social> getmonero.org/resources/user-guides/securely_purchase.html

<g​fdshygti53:monero.social> the two person who had access could have done just that.

<g​fdshygti53:monero.social> Each with a usb key with TailOS with the monero stuff.

<g​fdshygti53:monero.social> ofr is right, so easy to setup, and the remove the need of sshshing

ok then we are back to the same thing

<o​frnxmr:monero.social> offline sign the tx from a cold distro..

<p​lowsof:matrix.org> convenience of paying 11+ people every month

yes I agree that would be obviously more secure

<o​frnxmr:monero.social> Could have been 1

<p​lowsof:matrix.org> for x years

<o​frnxmr:monero.social> But plowsof aint bout that life

<p​lowsof:matrix.org> :(

<p​lowsof:matrix.org> putin can be very, very persuasive

<p​lowsof:matrix.org> x % of multisig signers will attend a conference every year together

<p​lowsof:matrix.org> same place, same time

<p​lowsof:matrix.org> they wont have the keys/devices on them of course

<o​frnxmr:monero.social> Kaboom

<o​frnxmr:monero.social> Nah

<o​frnxmr:monero.social> My proposed, only 1 went

<o​frnxmr:monero.social> The rest were cleaning up the mess and guarding the house

<t​rasherdk:monero.social> Dude, watch it! Signed, boomer 🧐

vtnerd , i thought you had been paid, sincere apologies - there was a merge, but your payouts where not updated, i failed to notice this. this is being solved now MY BAD

<o​frnxmr:monero.social> vtnerd @vtnerd:monero.social:

<p​lowsof:matrix.org> where is the animated video on how to do offline signing

<o​frnxmr:monero.social> Who cares

<o​frnxmr:monero.social> we need videos on randomx /s

<v​tnerd:monero.social> plowsof: sounds good. I contacted Luigi separately anyway, and I've been following this room so I know why there's been a delay

thanks (its just that ive been sharing a list of people awaiting payouts for a while and didnt include you, sorry)

<b​awdyanarchist:matrix.org> I like the idea of CCS via escrow. Or another idea, instead of a 2/3 multisig, could we have a few different custodians of CCS funds, and people submitting to CCS could choose one of them to custody the funds while they achieve milestones?

luigi do you have access to the GF wallet too or just binary?

just bf

<b​awdyanarchist:matrix.org> In other words, when you submit a proposal, you also select the person you prefer to handle your future funds.

<v​tnerd:monero.social> I have to admit, I never considered this as a possible outcome beforehand. I was more worried about my own machines

<k​inghat:matrix.org> BawdyAnarchist: why not just a musig between the ccs community leader, core and the ccs recipient?

creating a multisig wallet for every proposal requiring 3 people will slow things down even more

i don't think it's realistic

if there is multisig involved it should be something that has to be touched only once in a while to fill up the hot wallet

should probably just be one person managing each fund

<c​harutocafe:matrix.org> does managing mean having access to?

<c​harutocafe:matrix.org> as in, do you believe only one person should have access to each fund? or only one should actively perform transactions with it?

<c​harutocafe:matrix.org> (while potentially many have the access to do so if required)

one person having write-access to the wallet, yeah

<c​harutocafe:matrix.org> well what if they get hit by a bus?

<c​harutocafe:matrix.org> you have to consider the bus factor.

<k​inghat:matrix.org> selsta, slow down in what way? technically or managerial?

pay 11+ people every month, on the dot, offline signing from a multisig wallet

the CCS already moves a bit slowly with payouts due to limited time availability of core time

well, this bus factor is often a problem in regular companies too.

and with a regular company you have way more options to cover risks and liability

Monero is just some guys sitting in their underwear in a basement

so if you want to 100% protect yourself to all threats, either setup a company and do it the legal way, or make sure multi-sig works properly (also a bus factor there?)

for example, if this were a traditional fund, it would also be insured against theft

kinghat: basically i don't see core managing lots of multisig wallets with different people involved

most pragmatic solution is to find thrustworthy people

luigi is trustworthy in my book

it doesn't need to be core managing it but setting up lots of new wallets is going to be a nightmare surely

that would be 50+ wallets / year

no idea how many proposals we get exactly

<n​aphtha:kyun.host> free tay k man

<k​inghat:matrix.org> why does core need to be involved again? can the community elect ccs members to steward the funds via their own musig setup?

<r​brunner7:monero.social> Well, trustworthy *and* able to keep up good opsec longtime ...

<j​effro256:monero.social> Yeah, additionally I would explicitly put a warning against sending XMR to any address found on the site until the issue is resolved. Thanks for working on that!

core doesn't have to be involved

<a​ck-j:matrix.org> Luigii, was the first half of the seed persistent in your Wire chat with fluffy? Or was it deleted from the chat history. If a new device signs into a wire account are the historical messages sync’d? Did you store your wire credentials within Lastpass? (I’m not that familiar with wire)

<a​ck-j:matrix.org> I have a suspicion that the lastpass breach is highly likely to be involved here one way or another. Did you store any passwords in lastpass that could allow someone into your home network? (Maybe ssh set up with reverse dns or something)

the lastpass breech has been so widely known about for so long D: crazy to have been using it and not change everything

I know that's not a helpful comment but gd

this has probably been addressed so apologies but what's the situation with the general fund right now? who is known to have access? does it have any of the same security issues? are we talking about setting up a new one?

<a​ck-j:matrix.org> Sorry for the barrage of questions, but what router are you using for your home network and do you have segmentation, vlans, or anything else like that or is it a flat network? Just trying to get a good idea of possible scenarios

<a​ck-j:matrix.org> Lyza, Changing all your passwords is a real PITA, especially if you have hundreds or thousands of accounts. Its understandable how that could be procrastinated. Not ideal but understandable

evening boys

<r​brunner7:monero.social> My speculation would also be on LastPass. Somehow, "around two corners", working their way towards the end goal, the Monero wallet

why in the world does anybody use lastpass when keepassxc exists... blows my mind

<c​howbungaman:matrix.org> Would anyone here like to be the MoneroTopia special guest tomorrow to chat about the incident? Obviously all are welcome join during the “viewers on stage” portion of the show to have a group chat but first would like to have one guest jump on to give people the low down on what happened, and likely path forward etc.

i'll do it

<c​howbungaman:matrix.org> monerobull: plowsof ofrnxmr geonic spirobel ??

<o​frnxmr:monero.social> Keepass had its own exploit

not keepassxc though

<r​brunner7:monero.social> Yes, and it's not a complete solution. If you want it on your PC, on your Android phone, on your iPad, and have it synced, you need 4 or 5 different apps from 4 or 5 different teams.

ack-j: wire doesn't sync for new devices.

<r​brunner7:monero.social> Otherwise known as "PITA"

rbrunner7: yes it's the spectrum between security and convenience, but you still don't need a centralized service rofl there's ways to set up keepassxc as a local web server

you may have a point though idk i don't use phones or tablets

<r​brunner7:monero.social> Yeah, as "normal" people routinely set up local webservers :)

<o​frnxmr:monero.social> I use google password manager

<o​frnxmr:monero.social> Thats safest, right? /s

<r​brunner7:monero.social> Suuure.

not like a full apache server lol it's just a web interface for your passwords

<r​brunner7:monero.social> But still better than nothing, I would say. It's all relative.

<r​brunner7:monero.social> But we are speaking here about pros that have to manage half a million USD in XMR. I agree that's a different starting point.

All we need is user-friendly offline (=airgapped) wallet

We should CCS that :D

<r​brunner7:monero.social> Lol

<a​ck-j:matrix.org> Thanks luigii, what about the other questions

<o​frnxmr:monero.social> Sech1 anonero

I did have a few crypto (not xmr) accounts in lastpass, mostly small and/or hard to migrate. I'm pretending they are a honeypot now. Anyway they are untouched so far.

<g​fdshygti53:monero.social> Imajin storing keys and seed in other people computers

<o​frnxmr:monero.social> Not your keys,.

Lyza binaryFate is the only one with access to the big genfund wallet

<o​frnxmr:monero.social> Not your coins?

<g​fdshygti53:monero.social> something like that yeah

there was no rdns or ssh on at the router

<o​frnxmr:monero.social> Router is running stock firmware, i assume

<o​frnxmr:monero.social> From service provider?

<j​effro256:monero.social> luigi1111w: received, thanks

<o​frnxmr:monero.social> "This isnt an investigation, this is an interrogation!" 😆

<o​frnxmr:monero.social> "dont bring problems, being solutions"

I think so. I will have to check.

<o​frnxmr:monero.social> Bring

<g​fdshygti53:monero.social> ISP router where know to have a LOT of flaws, depending which one and when

it's a netgear, not ISP

but probably still lots of flaws

<g​fdshygti53:monero.social> But if lastpass is the leak then it does not matter, no need to connect to actual wallet, just restore it from the seed

seed was definitely not in lastpass

is the GF wallet still >8k XMR as per reddit.com/r/Monero/comments/11fslu…fund_transparency_report_march_2023

<r​brunner7:monero.social> <l​uigi1111w> seed was definitely not in lastpass: Yes, I understood that. But maybe contained something else that allowed them to prepare a trap for you in some way that enabled them to watch you do so something. That's what I meant with "around two corners"

<o​frnxmr:monero.social> Even a home address

sorry that was in response to name I can't type

<o​frnxmr:monero.social> Login to a travel website to know when youre OT or on a boat

<p​lowsof:matrix.org> when i was looking around for bad nodes, i found some unrestricted ones, i then went to their ip's directly and was greeted with router login pages. a quick search reveals default admin/usernames for those routers

<o​frnxmr:monero.social> Haxx0r

<o​frnxmr:monero.social> what did you do once inside, mr plow 🤣

<p​lowsof:matrix.org> an automated monero peer list checker which sees if the routers are running vulnerable firmware or default user/password is not outside the realm of reality

<o​frnxmr:monero.social> Not even that

<o​frnxmr:monero.social> A checker in the code to check from user side

<o​frnxmr:monero.social> My peers arent my problem, my own setup is

<p​lowsof:matrix.org> there is a constant backgroud noise of login attempts to my nodes which have ssh login only .... where they attempt to login as "ubuntu" "odoo" "vbox" etc etc

<o​frnxmr:monero.social> "privacy checkup"

<o​frnxmr:monero.social> "bro, yur password is default. Noob"

Should we create a form/questionnaire that BOTH luigi and fluffy can answer to try and understand the attack vector?

<g​fdshygti53:monero.social> The trick is to disable password authentification

<o​frnxmr:monero.social> Yea

<g​fdshygti53:monero.social> and to put the SSH service behind tor hidden service

<g​fdshygti53:monero.social> Have fun to find it... Then no password trying will work, you need the SSH key

<o​frnxmr:monero.social> Keys only

<k​inghat:matrix.org> should the opsec of the GF be considered? being controlled by one person?

<p​lowsof:matrix.org> yes i have ssh key for convenience , not security lol

<p​lowsof:matrix.org> coincidentally is better for securiyt

<o​frnxmr:monero.social> :D rav lmao, i do that cuz im a loser, not cuz of opsec

At the moment we have a stream of questions and answers from only one party, and it could have equally been either

kinghat: yes, that is definitely a concern also

<o​frnxmr:monero.social> Or neither

<g​fdshygti53:monero.social> As soon as you have convenience setted up, you turn password auth off...

<g​fdshygti53:monero.social> I hope you use password on you're keys, just in case someone steal then!!

<p​lowsof:matrix.org> i do not

<o​frnxmr:monero.social> Leaving password on is senseless

I just never log in to my home connection remotely, that shit can wait

disable all remote login, done

<p​lowsof:matrix.org> i forgot the password to my pgp file once :(

just once? :D

<o​frnxmr:monero.social> Whats the diff if you forget acct oassword?

<o​frnxmr:monero.social> With keys, even if they yur pw, they need the key too

<o​frnxmr:monero.social> You can also limit active sessions and login attempts

<g​fdshygti53:monero.social> with fail2ban

<g​fdshygti53:monero.social> easy setup

<o​frnxmr:monero.social> So if im logged in, nobody else can even try

<o​frnxmr:monero.social> Even with ssh setup

A naked brute force attack through router compromise is not realistic. Key entropy way too high.

<g​fdshygti53:monero.social> but with key, there is no login attemps, if password auth is off and you try to login, you just get insta-disconnected

<o​frnxmr:monero.social> MaxAuthTries 1

<o​frnxmr:monero.social> This will allow only 1 login attempt per connection.

<o​frnxmr:monero.social> serverfault.com/questions/275669/ddg#563794

<g​fdshygti53:monero.social> But That does really work

<g​fdshygti53:monero.social> I mean, by default if you type wrong password in one session, you have to wait like 3 second before next try.

<g​fdshygti53:monero.social> Instead it's better to open many ssh session in parallel

<o​frnxmr:monero.social> ```

<o​frnxmr:monero.social> Find the MaxStartups option and set the value to the maximum simultaneous connections to allow: MaxStartups 1

<o​frnxmr:monero.social> ```

<g​fdshygti53:monero.social> oh, nice. could be a good idea to add that, plus they keys

<o​frnxmr:monero.social> I also restrict my firewall to only allow ip ranges that i use myself

<g​fdshygti53:monero.social> Yeah, ideally you want that indeed

<o​frnxmr:monero.social> chowbungaman: not ignoring you. I'm not sure i can commit yet, and im sure the others are exhausted as well. We need to form a solution first. Perhaps if we get that done, we can come speak about it

<s​iren:kernal.eu> matrix.monero.social/_matrix/media/…/kernal.eu/DFplkOWyyueMKwfXSUEgjhuq

<s​iren:kernal.eu> good advice

<1​23bob123:matrix.org> The Agent ofrn find the hole

<1​23bob123:matrix.org> Also i use crowdsec instead of fail2ban

<1​23bob123:matrix.org> Also you can try cisofy.com/lynis

<1​23bob123:matrix.org> Dis Agent ofrn find  the hole

<1​23bob123:matrix.org> Also mentioned tinyssh.org

<1​23bob123:matrix.org> medium.com/@truvis.thornton/command…erver-and-environments-2fcd361142ef

<1​23bob123:matrix.org> Also

<4​rkal:monero.social> Hate to be that guy, but what proof has been given that this wasn't an inside job? I mean no malware or anything...

<4​rkal:monero.social> Bad opsec doesn't mean shit without the malware

<1​23bob123:matrix.org> Dunno

<1​23bob123:matrix.org> They need to audit the pcs

<4​rkal:monero.social> Should really have a third party audit it

<4​rkal:monero.social> Also was this windows machine a daily driver or just a random laptop?

<1​23bob123:matrix.org> Lynis will run tests for cve and security vul

as has been answered it was not a daily driver, only used for this one purpose

<1​23bob123:matrix.org> The real question is how did you go with mineswepper

<p​lowsof:matrix.org> solitaire and minesweeper can be played on an airgapped machine

<o​frnxmr:monero.social> Gameboy color

<o​frnxmr:monero.social> I prefer to solitaire online. Sir

<g​fdshygti53:monero.social> It does not really matter at the end as long as there is not a extra malware installed (or vulnerable software)

<g​fdshygti53:monero.social> NSA & friend can just look on github for all glibc devs, check which one have almost dry bank account, check his code quality and offer him 1M for a nicely coded "bug".

<g​fdshygti53:monero.social> * Bounty should be adjusted proportionally to the dev bank account quality

<g​fdshygti53:monero.social> * Replace glibc by every crap in the know dependency tree

<g​fdshygti53:monero.social> But yeah, airgapped, multisig...

<g​fdshygti53:monero.social> While we don't have multisig officially and it's going to get there soon I think, we have hardware and cold wallets since a long time :/

<g​fdshygti53:monero.social> And Ubuntu is often the prime candidate to dev and test CVE POC to later dump on github for other to cook exploits (that will often work on Ubuntu first)

<1​23bob123:matrix.org> matrix.monero.social/_matrix/media/…matrix.org/EluBBoETVsMvyErcDMqDxmrM

<g​fdshygti53:monero.social> And when exploiting Linux in general, Ubuntu is often the prime candidate to dev and test CVE POC to later dump on github for other to cook exploits (that will often work on Ubuntu first)

<1​23bob123:matrix.org> at least use kicksecure if you want debian based

<g​fdshygti53:monero.social> I have to test that NixOS eventually

<g​fdshygti53:monero.social> Mint is also based on Ubuntu / Debian

<g​fdshygti53:monero.social> and MX Linux is now on the top in distrowatch.. 🤨

lol

@ ofrn and geonic multisig idea

<1​23bob123:matrix.org> tried voidlinux?

<g​fdshygti53:monero.social> Installed it one time but I did not allocate time to play with it. Got replaced by something else after

<t​isktisk:monero.social> Mx been top but I'm told they're a paid sponsor and that's the only reason why

<g​fdshygti53:monero.social> Oh, interesting...

<t​isktisk:monero.social> Uncomfirmed tho. I want a vimOS

<1​23bob123:matrix.org> so meeting this week?

<1​23bob123:matrix.org> on next steps

<1​23bob123:matrix.org> jet has been down graded to cessna

<o​frnxmr:monero.social> Jet taking off soon dw

<o​frnxmr:monero.social> No delays noted

<t​rasherdk:monero.social> Just figured out, I have to highlight/select the text to get the `forward` option 😳

Cessna makes a jet right

<x​mrscott:monero.social> Bit confining to have such a discussion limited to just 60 minutes and a particular timeblock when folk in parts of the world are going to be asleep. The GitHub Issue already has conversation around the two questions most pressing for -community and be discussed by anyone at any time:

<x​mrscott:monero.social> - How do we achieve CCS continuity for existing contributors? Core team is in favor of covering existing liabilities from the General Fund.

<x​mrscott:monero.social> - How do we structure the CCS going forward?

<x​mrscott:monero.social> monero-project/meta #916

<1​23bob123:matrix.org> yeah,but needs to be discussed in a meeting also. realtime

What happened to the Monero Outreach website?

doesn't even load in web archive anymore

is there a repository?

found it github.com/monero-ecosystem/outreac…s/en/transcriptions/breaking_monero

<1​23bob123:matrix.org> your welcome please come again :)

<1​23bob123:matrix.org> also you can pcap dump the m$ pc for network traffic if its still running, but i would isolate these two pcs asap

<r​ecanman:agoradesk.com> selsta: It disappeared a while ago. I made an issue on github a few months ago

<r​ecanman:agoradesk.com> I've read all of the messages, and it seems that the current design of the CCS is not viable.

<r​ecanman:agoradesk.com> Even with transparency, multisig, and whatnot. Maybe something else should be considered

<1​23bob123:matrix.org> Think they are

<1​23bob123:matrix.org> Cause if it was targeted then luigi might be doxxed?

Why is it not viable? It has funded a lot of developers and projects over the years.

If someone doesn't like the CCS system then they can do setup their own funding.

<c​omradeblin:matrix.org> Join us to discuss the Monero CCS hack! labitconf & Monero Argentina meetup, DragonXchain to chat about the Hurricane #Otis Monero fundraiser in Acapulco + 📈(BawdyAnarchist_), 🗞 (tony_huszar) & 🔩 (GergelyGombai) & MORE! Join us TMRW at 11AM-EDT/5PM-CET! !

<c​omradeblin:matrix.org> 👀➡️: youtube.com/watch?v=ZDJqbIEJnSI

<c​omradeblin:matrix.org> Join ➡️: streamyard.com/h6ke6gmzu8

<c​omradeblin:matrix.org> 🙏🏽

<c​omradeblin:matrix.org> monero.com

<c​omradeblin:matrix.org> cakewallet.com

<c​omradeblin:matrix.org> localmonero.co

<4​rkal:monero.social> This makes it even more sus

<4​rkal:monero.social> I mean a dedicated machine is a lot harder to hack than a machine you use daily

<4​rkal:monero.social> I just find it very hard to believe that an experienced monero dev somehow got his DEDICATED machine hacked.

<1​23bob123:matrix.org> Complacency!

<t​rasherdk:monero.social> Complacency. It that a nicer word for laziness ?

<1​23bob123:matrix.org> Also where very reactive here

<p​lowsof:matrix.org> that machine was one of the most dedicated workers around

<1​23bob123:matrix.org> On another note never seen so much community action

<1​23bob123:matrix.org> People please contribute to community meetings!

<t​rasherdk:monero.social> Any chance to sling some mud bring out the peanut gallery.

<1​23bob123:matrix.org> Probably they want the money now?

I want a refund

<1​23bob123:matrix.org> First it was monerokon chairs and now this

<t​rasherdk:monero.social> "monerokon chairs" what's up with that? Did I miss some drama?

<p​lowsof:matrix.org> several weeks after monerkon (with another cyrptocurrency event taking place at the same venue) - monerokon staff where asked about a few missing chairs

<p​lowsof:matrix.org> the meme was born

<c​howbungaman:matrix.org> No worries. If you change your mind jump via the streamyard link. As alway, all are welcome to join the “viewers on stage” segment. Chatting here in the room is a bit hard to follow. Would be nice to see a bunch of community members jump on stage to discuss their different takes and opinions on the incident.

<c​howbungaman:matrix.org> x.com/monerotopia/status/1720548304…90358?s=46&t=WeY1AyuT6Ir1FNBKKq_Beg

<o​frnxmr:monero.social> Google drive

<o​frnxmr:monero.social> Present!

<1​23bob123:matrix.org> Please dont say the G word, it triggers me!

<s​gp:magicgrants.org> moonstoneresearch.com/2023/11/03/Postmortem-of-Monero-CCS-Hack

<1​23bob123:matrix.org> Some reason i thought it had stoner in it

<p​lowsof:matrix.org> they use the word "enote" <3

<1​23bob123:matrix.org> Ima wait for ruck to trackem down

<o​frnxmr:monero.social> Pocketchange ftw

<o​frnxmr:monero.social> sorry monerujo, but i swear i told ya so 600x

<p​lowsof:matrix.org> sweep_all created those 9 tx's automagically