00:00:35 Revuo Monero Issue 191: October 26 - November 2, 2023. https://revuo-xmr.com/issue-191.html
00:01:00 once getmonero.org also hacked and spread malware
00:02:04 I vote we host on majestics server
00:02:11 Uptime 66%
00:02:18 this is the annoying thing
00:03:52 people not claiming their funds. If you do the work, get your money.
00:04:46 More annoying
00:05:03 there were people I was chasing down to get money before I left. Now plowsof.
00:05:16 Ppl who start things without intent on finishing
00:05:21 many of these should be defunct
00:05:34 diego
00:05:45 Monero Outreach Round 3, Monero payment gateways, tipxmr.live, etc.
00:05:45 Those are called purgatorybccs
00:05:59 Plowsof has a big list
00:06:02 https://ccs.getmonero.org/proposals/haveno-frontend.html - 453XMR - the front end team downed tools after $ price drop / they didnt want the moneros, gonezo.
00:06:15 I call it "jet fund"
00:06:26 https://ccs.getmonero.org/proposals/staff91-Translation%20and%20review%20of%20GUI%20Wallet,%20monero-site,%20Monero%20Means%20Money%20(subtitles)%20and%20Sound%20Money,%20Safe%20Mode%20(subtitles)%20to%20Italian.html - 28XMR - no sign of proposer (talk of 'google translations used' but not confirmed)
00:06:35 My time with core was partly chasing people down to take their money
00:06:38 https://ccs.getmonero.org/proposals/xmrhaelan-monero-outreach-round-3.html - 36.67XMR - a recent attempt to resolve by ajs but not successful. close/gone
00:06:51 https://ccs.getmonero.org/proposals/36c3.html - 280XMR - core has invoices totalling ~24k euros to resolve this. which could be brought if looked into by those who gave money to pay things at that time.
00:06:52 and then after a year when nobody remembers anything, they come by and say work has been done y no payment
00:07:06 https://ccs.getmonero.org/proposals/utxobr-monero-k8s-operator.html - 22.86XMR - multiple attempts to contact over the years, gone.
00:07:19 Soloptxmr
00:07:27 https://ccs.getmonero.org/proposals/cypherstack-sarang-triptych-research.html - 12.65XMR - should have been closed / sent to the GF a long time ago. IT was STILL in the CCS wallet -> byebye
00:07:39 https://ccs.getmonero.org/proposals/anon-perfect-peer-to-peer-protocol.html - 160.12XMR - has had years to ask luigi for payout and didnt, strike if off the record.
00:07:51 https://ccs.getmonero.org/proposals/xiphon-7.html - 120XMR - Xiphon is AWOL for _years_ , strike off the record.
00:08:00 we're still far of 2600
00:08:31 My beautiful jet
00:08:49 245 XMR from the jet fund / overfunding - gone
00:08:59 have we made a dint yet
00:09:21 perfect time for element to stop connecting to IRC
00:09:39 anyways, I said at least 36C3 supplies have had movement in recent days
00:09:54 The 36C3 supplies at least has had movement in recent days.
00:09:58 i was so happy to finally have that alllmost resolved.. the invoices.. everything
00:10:02 oh lol there it goes
00:10:09 would have freed funds up for the project
00:10:13 But, its been gone for 60 😭
00:11:07 ye
00:11:09 <1​23bob123:matrix.org> 60 day breach disclosure
00:11:10 how many years ago was 36C3?
00:11:18 nioc it was 2019
00:11:28 <1​23bob123:matrix.org> Bc
00:11:36 Lololol
00:11:46 the above tings i linked total ~ 1358.3 xmr
00:11:47 Maybe this is the moment we realize it's probably not a bad idea to add time locks or other types of scripts for extra protections
00:11:53 🦕
00:12:07 <1​23bob123:matrix.org> Or multisig
00:12:07 1358.3xmr that we where not using any time soon
00:12:27 Lock it for 6 yrs?
00:12:30 Time lock doesn’t help here when attacker has remote access for a month unattended
00:12:33 I think this should be considered
00:12:38 ASAP
00:12:40 Depends on the multisig, opcodes for multisig are more secure than key aggregation ultimately
00:12:51 I mean there are more
00:13:02 xmrSale? German translation? Douglas Tuman? OSPEAD?
00:13:02 <1​23bob123:matrix.org> Anything older then a year and movement, goes to monero hacked fund
00:13:18 <1​23bob123:matrix.org> Anything older then a year and no movement, goes to monero hacked fund
00:13:31 netrik. Three months of translation coordination. December 2021
00:13:35 They help with coin control, some utxos with small time locks, bigger ones with large time locks
00:13:38 Xmrsale is resolved
00:13:48 Netrik needs pay, no?
00:13:55 ah. Core just dragging their feet on implementing/updating?
00:13:59 What happenef there
00:14:16 netrik was around some weeks ago, claims to have completed the work but not yet claimed it (this can be debated)
00:14:17 I don't think netrik finished his thing. He was not very satisfactory in the role I had imagined either
00:14:24 funny, everything I donate to gets competed :)
00:14:36 ok, close netriks
00:14:41 plowsof are you kicking core's shins every day?
00:14:44 Acceptxmr absorbed xmrsale, right?
00:14:50 they literally will not move from their slumber unless you yell at them daily
00:14:56 Lol
00:14:57 <1​23bob123:matrix.org> Nioc has foresight
00:15:02 nioc can run everything from a google sheets with protected ranges
00:15:11 Diego, no
00:15:13 luigi be like: "yeah we'll get to it"
00:15:15 I kick plowsofs
00:15:28 <1​23bob123:matrix.org> Monero community and fckn google
00:15:34 I only use paper, pen and my subconscious
00:15:36 Diego: monday at the latest
00:15:46 > nioc can run everything from a google sheets with protected ranges
00:15:46 You mean midi
00:17:13 *completed
00:27:25 I'll bring my D20s
00:28:55 I have an idea
00:28:59 _**ok can you guys stop trading**_
00:29:16 lets hard fork into monero classic and monero dao fork
00:29:40 ☠️
00:29:44 <1​23bob123:matrix.org> 2gb block size
00:29:51 <1​23bob123:matrix.org> For quake
00:30:56 Why no one updates CCS site to state that core fucked up and funds gone. Also where does the 888tNkZrPN6JsEgekjMnABU4TBzc2Dt29EPAvkRxbANsAnjyPbb3iQ1YBRk1UXcdRsiKc9dhwMVgN5S9cQUiyoogDavup3H lead to?
00:31:22 <1​23bob123:matrix.org> Jetfund
00:31:28 Core team is responsible for the CCS site and getmonero.org infrastructure afaik
00:31:28 888t leads to general fund wallet 1
00:31:35 Not much activity other than "we are talking"
00:31:50 Aka. Sink hole
00:32:12 GF1 is kept 'near empty' / sweeped into GF2
00:33:14 louis.signet: i'm down with dao fork
00:33:54 This isn't ethereum sir
00:34:16 Are there any PRs open to Monero-site that would inform users of the CCS breach?
00:34:32 but but but ;-;
00:35:04 We shouldn’t keep those addresses up
00:35:38 i think uh.. we shuld do a blog post
00:36:11 wait... that's gonna create fud and speculations
00:36:18 afaict there are no ccs addresses on site
00:36:23 if it took the core peeps like a month to find out... maybe we keep it under wraps?
00:36:25 We need something on the CCS page
00:36:28 as far as I know there's nothing to donate to anyway currently?
00:36:37 loveras is open still
00:36:51 https://ccs.getmonero.org/proposals/Lovera-Create-educational-content-Spanish.html can click contribute
00:37:13 I will move it
00:37:35 thnx, and as for announcing something / somewhere on the ccs itself... im not sure how
00:37:43 getmonero blog is all i can think of
00:38:09 We should also make sure that hardcoded GF addresses are changerd
00:38:12 We should also make sure that hardcoded GF addresses are changed
00:38:26 Someone should search on github and gitlab and the sorts
00:38:43 GF is not effected
00:39:26 not currently. It would still be good to rotate it, but unsure what its structure should be (not my thing)
00:40:05 we did rotate it already - GF2 and funds are sweeped
00:40:10 but yeye
00:40:44 yeah the risk if if someone is waiting and watching and a big donation comes in
00:40:54 the ccs primaey wallet address exists in 2 places afaict
00:41:10 escapethe3ra: https://monero.observer/haveno-frontend-ccs-proposal-fully-funded/ and on a GH repo which ive made a PR to have deleted
00:41:39 Totally... :D
00:41:59 Oops, sorry, misread
00:43:15 luigi1111w: That is why I recommend to form the Monero Security Workgroup (or something similar) so this can be discussed there formally
00:44:01 Meetings should be coordinated. I think that community should investigate current issue, and the new MSW can look into new solution
00:45:40 the monero security workgroup could have its communication be in embedded blockchain messages xd
00:45:50 there's official
00:45:59 😄
00:46:06 I think it can just be discussed here unless it gets too noisy
00:46:09 <1​23bob123:matrix.org> Do i get a badge too?
00:46:15 It's getting pretty noisy
00:46:20 for investigation stuff it will be a bit
00:46:33 what can the community investigate?
00:46:37 Currently, transactions, opsec with the machines, etc.
00:46:53 well not currenlty opsec with machines, as I'm not present
00:46:55 take our shoes off when entering luigis home, and make some forensically sound copies of hard drives etc?
00:46:56 New solution involves changes to the CCS system, multisig, new opsec, security hardening measures
00:46:57 <1​23bob123:matrix.org> Opsec there are community that offer that
00:47:29 No, gather as much information on situation and try to make the best out of it
00:47:42 The timeline, for example, is very helpful
00:48:46 It's already possible to affect Fungibility with mordinals / tx_extra
00:48:46 Why not offer the option for a few locking scripts op_codes?
00:49:08 I'm sure large treasuries will make the trade-off
00:49:26 that doesn't sound fit for this purpose
00:50:05 What louis said? Or my idea?
00:50:13 louis
00:50:23 OP_MULTISIG > MPC ( specially with flawed setups )
00:50:24 Oh, ok
00:50:52 New solution is to upgrade to windows 11
00:51:03 service pack 2 minimum
00:51:07 vaults, velocity limits, etc
00:51:14 lol
00:51:27 In all seriousness I think that an effort should be taken
00:51:32 I will go back to XPsp3
00:51:39 +1
00:51:55 What about actually OPSEC of GF2 ?
00:52:08 "Direct fund or die"
00:52:21 OP_VAULT > SIGNATURES
00:52:23 I'm not sure, it should be discusses
00:52:26 I'm not sure, it should be discussed
00:52:34 GF2 is binaryFate's domain. Can be discussed as well.
00:52:39 It is currently BinaryFate
00:52:54 I think his timezone is relatively opposite
00:53:09 Is BunaryFate actually behind it control right?
00:53:22 Core pays what they owe. Everyone's happy.
00:53:49 Yep, should be discussed
00:54:06 full details of GF2 can be found here (after wallet access) https://www.reddit.com/r/Monero/comments/11fslu9/monero_general_fund_transparency_report_march_2023/
00:55:04 Reddit is our official news outlet? Maybe post the news on ccs.getmonero.org?
00:57:36 there isn't a news section there. You want a banner or something?
00:57:43 I remember this post, well, full details about OPSEC is not clear… Maybe Binary created the GF2 Wallet in Windows 7
00:57:43 He said Multisig is not an option… time
00:57:43 To reevaluate this now
00:57:51 Yes, banner is needed
00:58:53 https://repo.getmonero.org/monero-project/ccs-front can probably be done there
00:58:54 For large treasuries
00:58:54 OP_MULTISIG > OP_CHECKSIG
00:58:54 OP_VAULT > OP_CHECKSIG
00:58:56 Just those two
00:59:25 He can use their own project RINO wallet
00:59:32 opcodes are out of scope unless I'm misunderstanding their implementation
00:59:51 i think here https://repo.getmonero.org/monero-project/ccs-front/-/blob/master/index.md?ref_type=heads uhm .. would we link to reddit (our official news outlet) though?
01:00:07 the meta issue* lol
01:00:12 Meta issue
01:00:19 Reddit link should be in the meta issue
01:00:25 meta is officialest
01:00:32 https://matrix.monero.social/_matrix/media/v1/download/monero.social/VIuKxrJbVYUplWdcUJvcdtKB
01:00:42 truth
01:00:43 That's also not a bad idea
01:06:18 For large treasuries
01:06:18 OP_VAULT > CHECK_RING_SIGNATURE
01:06:18 OP_MULTISIG > CHECK_RING_SIGNATURE
01:06:56 louis we're not hard forking monero for this
01:07:04 Lol
01:07:34 Completely new threat model and opsec should be done
01:07:47 I will repeat again, this should be discusses separately
01:10:04 I will repeat again, this should be discussed separately
01:19:45 <1​23bob123:matrix.org> Or people with high pokemon threat models re-evaluate
01:29:34 https://matrix.monero.social/_matrix/media/v1/download/matrix.org/sUWZhGHGDIvsWgslsUAZazLf
01:29:34 jeffro256 something like that?
01:29:58 <1​23bob123:matrix.org> Need to add
01:30:05 <1​23bob123:matrix.org> THE FOUND ME!
01:30:12 <1​23bob123:matrix.org> THEY FOUND ME!
01:31:26 plowsof: CCS is empty now, maybe a blog post is better suited?
01:31:52 i was leaning toward a blog post of the meta issue (with a link to it)
01:32:00 yep
01:32:13 the ccs website changes feels a bit out of place
01:33:07 <1​23bob123:matrix.org> Still also need to plug the hole too, by working out how it happened
01:33:17 agree
01:34:56 well, the holes should be plugged with better setup. We should also like to know how it happened.
01:51:35 why was the general fund wallet with 8k xmr not drained? different setup?
01:57:42 different person.
02:10:56 preview of the proposed blog post https://deploy-preview-2208--barolo-time-757cf9.netlify.app/blog/ on site
02:11:32 uff
02:12:01 announcement* :)
02:17:35 luigi: > Seed was only on paper on my end.
02:17:35 you mean it was on devices(wire/pgp so two?) when received and then put on paper?
02:34:15 Yeah
02:34:58 Well I don't remember what devices. I didn't note it down on any device though
02:38:51 For the record I would like to collect my funds. Reading some of the chat here and it looks like people are saying people who have not claimed funds over a certain time period will no longer have a claim. It was always my intention to claim the funds. I was told I needed to write up an explanation of work performed to receive my funds. So I needed to find time to do that. I spend
02:38:51 my time doing many other monero related things plus day job and family so I never made it a priority to write up the post. But I told luigi1111 on multiple occasions we would be claiming the funds. It was always my intention. I just wanted to make sure I achieved enough progress before making my claim, which i certainly think I now have. I recently started collecting the stats to
02:38:51 write up my post on what I have achieved and Sunita told Plowsof a few weeks ago that we would be posting something before October ended. Would have just sent an address to get paid out but that was never offered to me. It seemed like a submission on my end was owed.
02:41:01 https://matrix.monero.social/_matrix/media/v1/download/matrix.org/rzToPdcCctYQRZmMVgoGjxNE
02:43:06 Oh yes that's right I told you to submit a write-up not confirm your address, sorry
02:43:21 plowsof: please see above.
02:44:04 yes, i confirm a write up and not simply an address was requested
02:49:07 Yes , and we were literally getting to it this week …. I will submit something this weekend. Obviously I realize the funds are now gone, but hoping the ccs’s owed will somehow be paid for the work completed.
02:50:31 They will be
02:55:53 work done, is work paid, it appears that core are insuring everything with the general fund
02:59:54 🙏👍👍. Greatly appreciative of that. So unfortunate this happened.
03:32:48 luigi1111: Are you going to give the two machines to forensic analysts to be imaged and analyzed?
04:26:04 <1​23bob123:matrix.org> Tbh i would image all the pcs for analysis and nuked it. Then after fresh install move other funds just in case.
04:29:08 all of this is so fucking embarrassing. why do we need this weird cult like behavior around a big stash of money?
04:31:02 were monkeys?
05:08:39 It might be right now, but we as a community need to view this for what it is--A yuge opportunity for improvement. You don't learn much from your wins, but what of your losses?
05:08:39 I pray we bounce back with some honest resolve
05:14:24 lets hope so. Maybe it is time to shut down "core" what ever the hell this is anyway. They clearly lost all credibility ... but similar events happened before and the sheep still follow ... because they just can't help themselves.
05:14:40 so lets see ...
05:14:54 but probably the mess will just continue
05:21:19 I believe there's a light at the end of the tunnel
05:21:19 ... Just might be another train tho
05:21:53 spirobel: wouldn't that require like, a fork?
05:29:39 no. It would just require not acting like a cult
05:29:57 and establishing a direct relationship between the donors and the workers.
05:30:09 where there is mutual trust
05:30:39 right now this is sidestepped by putting trust into luigi, core etc ...
05:30:48 entities that clearly cant be trusted
06:08:22 I agree to some extent
06:08:26 I agree
06:19:35 <4​rkal:monero.social> The fact that core has worse opsec than your average monero user is pretty disappointing to see.
06:20:12 <1​23bob123:matrix.org> not just core
06:30:25 <4​rkal:monero.social> Core seems a bit like a joke rn.
06:30:58 Who is in core ?
06:33:27 <4​rkal:monero.social> The people that make monero can't store it securely. Not the best look...
06:35:03 <4​rkal:monero.social> Means that any bad actor with even the smallest resources can attack and actually damage monero
06:36:10 Just so that it doesnt go off the rails here, this was one guy in core, not the entire core team. For example, Ric has been a long time user and recommender of Qubes.
06:36:46 > with even the smallest resources
06:36:57 How on Earth do you know that?
06:39:35 <4​rkal:monero.social> Who else is holding funds rn?
06:41:25 <4​rkal:monero.social> Maybe they should disclose their setup?
06:42:47 Yeah I think that's a reasonable ask.
07:07:04 <1​23bob123:matrix.org> as in process of how ccs funds are transferred or logs?
07:41:14 Wonder what happened to `Don't trust. Verify` 🤔
08:12:52 I trust that Redmond has verified my keys...
08:19:39 going a bit extreme but, could a fresh QubesOS VM have low enough entropy to be cracked?
08:51:33 vdo: no, it uses haveged (well at least prior to 4.0 you had to), as of 4.1 that's baked into the kernel
08:58:00 dont beat yourself up over it, you didnt miss it by a week, funds were gone for a long time already 😅
08:58:46 also, i like the timelock idea for truly abandoned projects
08:59:18 "didnt claim in 6 months, it's going in the freezer. see you in 4 years!"
09:04:37 <1​23bob123:matrix.org> Yeep
09:06:14 <1​23bob123:matrix.org> 90 day disclosure
09:16:50 60 no?
09:51:02 https://matrix.monero.social/_matrix/media/v1/download/kyun.host/TAYWjFSDrDaTzpAuNFSnbgQD
09:51:04 why is this room called this
10:06:01 yeah but why put all the burden and risk on the people that do the work? that is just unfair. Also: who watches the watchers? seems like they stole it.
10:06:54 this whole "core" thing is just a grift and posturing to build a personality cult around people that don't really deserve it.
10:07:45 i only know the pseudonyms for like half of core, they arent exactly looking for attention
10:08:49 uwwww how mysterious like satoshi
10:09:40 satoshi has an actual cult though
10:10:32 Question re Matrix + IRC. On Matrix it's possible to type long messages. After how many characters do they get cut off on IRC?
10:10:39 "core" in monero is the same kind of bullshit
10:11:08 Well, I have been around for a long time, and I have no clue about who's member of the core team. Also, I don't really care.
10:11:08 As long as you don't present proof, you should not throw around accusations.
10:11:09 So far, it looks like embarrassing bad OPSEC could be the culprit, but I don't know.
10:12:15 okay please send money to this wallet I control I will help vet the people that actually do the work. (also everyone please bow to me, that is part of the tradition)
10:12:21 owww the money is gone
10:12:22 sorry
10:12:26 please donate more
10:12:31 better luck next time
10:12:58 😂
10:13:18 are there any projects without a core team?
10:13:49 there are many
10:14:01 many people do stuff and get nothing in return
10:14:17 because everyone is dancing like a retard around the ccs and "core"
10:16:05 i meant other crypto projects
10:17:41 good question
10:18:09 there are many projects that are at a point where no single entity controls them.
10:18:22 bitcoin is there for example
10:18:40 also outside of the crypto world there are projects that are like this
10:19:08 like the webstandards / browser or operating systems like linux, bsd etc
10:23:23 Good morning
10:23:48 hii
10:24:17 bitcoin still has a core team
10:24:38 browsers are mainly funded by google
10:25:14 but they cant unilaterally decide things.
10:25:19 Idk why ppl think core are dictators
10:25:25 They dont even vote anymore
10:25:59 randomx? Was that the last time core "made a decision?"
10:26:03 same for browsers. It is simplistic to think google can do what they want with the browser. At a certain scale software is "discovered" and not engineered
10:26:16 isnt core literally people doing unpaid work donating their time
10:26:34 they got paid good this time
10:26:41 yeah right
10:26:53 Nah
10:26:58 Google does what they want frfr
10:27:03 artic donated 4500 xmr to corral reef, i dont think core needs 2.6k
10:27:08 And ppl get r#ally mad, ans try to use firefox
10:27:16 Artic d(nated 50+k xmr
10:27:24 At a time wheb it was 4$
10:27:27 which is funded by google
10:27:32 When you could mine 10 a day
10:28:17 Nioc also donated more then 2500xmrin his time
10:28:53 i recently donated 0.02 xmr to monero.vegas
10:29:08 I donated to the oscar
10:29:22 PPV
10:32:21 www.w3.org, https://github.com/torvalds/linux spirobel: ??? core teams
10:32:53 "team" haha
10:33:17 the dictator who wants you to get vaxxed
10:34:14 Idk why ppl so afraid of oppression
10:34:30 Its called "punch the bully in the mouth"
10:35:05 sirs
10:35:06 Nobody can tell ofrn "get vaxxed oR ElSe!!"
10:35:06 threats only work on weak ppl
10:35:40 Get vaxxed if i want to, not cuz some old man trying to win an oscar told me drinking meth is for kids.
10:36:06 So far, nobody tried to get me vaxxed. My surroundings are smarter than that.
10:36:13 imagine getting the jab
10:36:14 Same
10:36:18 i dont think he is afraid. He is just a smug retard who thinks he knows everything.
10:36:26 my entire family tried to get me
10:36:57 Yeah, nah. Nobody ever asked me
10:37:01 Not even hospital
10:37:18 i couldnt go to the gym if i wasnt vaxxed
10:37:22 #superspreader
10:37:25 but i "borrowed" a certificate
10:37:57 If i did get asked, i wasnt listening
10:38:10 Self checkouts worked
10:38:15 you couldnt even go outside
10:38:23 Says who, mom??
10:38:24 imagine trusting any kind of authority
10:38:25 after that bullshit
10:38:31 I dont listen to the tv
10:38:34 so much about muh tovalds rants are so based .... then he shills for the vax lol what a clown
10:39:04 is that the only thing that made you not like him
10:39:40 the police would grab you and hand you a nice fine
10:39:42 I wouldn't know. I don't follow Torvalds.
10:40:57 Lmao
10:41:28 The police arent that dumb
10:41:39 you could probably just run from them since most officers here are fat as fuck and they never shoot
10:41:42 I missed the XMR event in Portugal because I did not want to comply with the vaxx mandates
10:42:06 they dont even shoot when its a life or death situation
10:42:07 lost airplane ticket money and event ticket, very sad!
10:42:08 fuckin cowards
10:42:20 ouch dsc
10:42:59 Posting link in offtopic
10:44:38 anyway .... so I guess we have to continue obeying the core team then
10:45:56 what a terrible fate
10:47:21 ive never obeyed a core team
10:47:31 anyways can someone qrd me i still havent fully woken up
10:47:31 Cant continue what i havent started
10:47:43 do you really think luigi and fluffy stole the money
10:47:47 no
10:48:10 i think the setup was borderline insane though
10:48:25 or just a charade to launder money
10:48:41 launder what nigga its monero
10:48:57 it by definition launders the money for you
10:49:02 That ssh password thing got me go WTF out loud.
10:49:19 yeah i remember reading that wasnt the password secure though
10:49:24 or was it like
10:49:25 password123
10:49:57 im just saying...
10:50:26 this wouldnt have happened if they were using Kyun™️.... w- i mean they only allow key authentication
11:01:24 is it not absolutely necessary that Luigi step down--whether carelessness or dishonesty, no honestly run business would just be like "huh, well, we must just move on."
11:07:14 i was baking my head today, each core team member is an active target, i am kind of glad it's just the money that we are missing
11:07:28 because that's the thing we can replace
11:07:52 yes because there's no proof that they were hacked
11:08:00 luigi is also a volunteer
11:08:03 why would you default to believing that they were hacked when there's no proof and the disclosure timeline is this shit?
11:08:08 <1​23bob123:matrix.org> Guilty unless proven innocent
11:08:16 working for free
11:08:55 he does it for free
11:09:15 can I have his job?
11:09:19 i will do it for free too
11:09:21 shitty volunteers are not helpful
11:09:48 the new wallet address is: ....
11:09:50 i don't default to believing anything, i just have a certain level of respect for him and believe that if he really needed that money he could've gotten it other ways
11:10:22 I would not like to be in the skin of the human with identity known that I hold at least 500k in monero
11:10:25 <1​23bob123:matrix.org> I think you cant accuse unless there is proof
11:10:29 no default belief is necessary: he is negligent either way
11:11:02 why is everyone so afraid now
11:11:05 <1​23bob123:matrix.org> On that note my theory of ofrn doing it is geonic doesnt get paid out is plausible
11:11:07 you have 500k you have money to hire security
11:11:20 <1​23bob123:matrix.org> On that note my theory of ofrn doing it so geonic doesnt get paid out is plausible
11:11:32 <1​23bob123:matrix.org> Thats foe chair security
11:11:37 theres people out there rocking 500k jewlery which is basically as untraceable as monero
11:11:39 <1​23bob123:matrix.org> For*
11:11:55 having security makes it only worse anyway
11:17:11 tell that to mcafee
11:17:38 I see this as great lesson to further improve our community systems
11:18:38 and for plowsof to make sure those watchdogs monitor outgoing transactions
11:18:55 most likely we will not get any more information about this infra of theirs and no internal discussions will be disclosed
11:19:02 it might as well be made up
11:20:10 welp lets think of something better.
11:20:28 Any volunteers for a non-core CCS multisig?
11:21:01 the ccs wallet should be owned by someone with a public real life identity
11:21:20 that way if he does something shady theres a target on his back
11:21:25 ccs worked perfectly for everyone and a lot of people are feeding their families of this fund for years
11:21:27 in gta
11:21:50 i mean in theory we don't actually need a central wallet. ppl can just commit to pay a certain amount. when the work gets done, individuals send the funds.
11:22:09 its not like ccs contributors usually fall off the face of the earth and don't follow the projects
11:22:15 er, ccs donators
11:23:23 if you think ccs donators are random people from internet
11:24:15 if you check donations history it's couple of community people giving most of the money
11:24:28 arent most proposals always like 90% funded by 1 peson
11:25:31 dEcEnTrAlIzE aLl tHe tHiNgS
11:27:25 I can't imagine someone undertaking a large effort based on the professed commitments of Internet anons.
11:28:07 decentralize my nuts lmao
11:28:35 can we do this on another blockchain
11:28:58 i think allark.io would be up to the task
11:29:04 with their wrapped xmr
11:29:13 you commit to funding on that chain and then milestones can be voted as complete via a DAO :D
11:31:00 What is the issue with setting up a non-core CCS multisig? Are there not enough capable people who are willing? It doesn't seem like a bad alternative to me.
11:31:03 some escrow is needed imo. Wouldn't want to start working without the assurance of funds, and I wouldn't donate without the assurance that the work will be done
11:32:01 value of wrapped assets goes to zero if wrapping counterparty suffers a hack
11:32:42 smaller amounts (wishlist style) are fine, but if we're talking about amounts that exceed my life savings for one proposal yoloing and hoping for the best is suboptimal
11:33:17 yes multisig would be good, if its in a usable state on our chain
11:33:37 what happens if a party goes missing or dies or just stops responding
11:33:48 could also design it with 100%+ commitment, in case ppl flake out or cop out
11:33:50 ill tell you what happens the funds become unusable
11:33:59 i was jk
11:34:27 naphtha: Multisig is M of N. People can go missing, just not all people.
11:34:31 like, the ccs grantee requests 140%. the folks over 100% are sort of backup in case the folks in the 100% don't end up paying
11:35:19 oh goody, scrollback
11:35:58 outsource scrollback reading to cat, we need you here right now
11:36:07 Its a full time job to keep up with all the messages
11:36:09 i mean shit, some ccs contributors in this system could send funds before the work is completed if they wanted to
11:36:20 feed the log to chatgpt version 9.12.5
11:36:30 20 usd a month
11:36:50 its, like, the future n shiiieeeet
11:37:09 does it work with my abacus?
11:37:18 <1​23bob123:matrix.org> Ai cyber security
11:37:24 if you have enough abacuses
11:37:37 you need like at least 3 iirc
11:37:42 multisig for this is still centralized imo. less centralized, but centralized nonetheless
11:38:09 eVeRyThInG cEnTrAlIzEd bEcOmEs a tArGet....
11:38:22 so true
11:39:51 check what happened in my case, one of the colleagues made a minus -20k trade in a day by mistake
11:39:51 as a manager what would you do? he doesn't make even 1/3 of that
11:39:51 so should I said to him, I am removing 20k from your salary?
11:39:51 Almost everyone was up to that except me 11:39:51 next 3 months his kids are not gonna eat ? 11:39:52 In last 2 years he made to mb 100s of thousands and probably more (track record) 11:39:54 I told him: you moron and just let it be as there was not intention 11:39:56 as I believe in this case there was no intention 11:41:00 ceetee: Is it? I am imagining that once things are set up it is a couple hours per meeting to sync and approve payments. 11:41:08 i wouldve made him work 24 hour days complementary adderall 11:43:40 Majestic but this was core, the only people you'd truly expect to not fuck up, and it turned out the security setup was insane 11:43:50 everyone is here now, some people come to collect payment 12 months overdue but we hadn't seen them in 6 months 11:43:51 is using a password, rather than ssh keys not insanely irresponsible? Intention is not all that matters for god's sake 11:45:05 I bet most of us in here have some seriously shizophrenia level of security for a fraction of the lost funds 11:45:07 Meanwhile core holds 420k in a hotwallet 11:46:28 speculation but; what percentage of 420k would you reckon came from core anyway, as previously many proposals are funded by only a few people, I can imagine the bulk of it coming from core 11:46:30 <1​23bob123:matrix.org> Maybe they can ping someone from citizen labs for forensic analysis 11:46:40 as previouly mentioned* 11:46:47 I think he means.. ofrn has to use all of his alts/timezones to keep up with this chat 11:47:04 As far as I know no one questioned the security before today, so the community as a whole is responsible no? 11:47:04 Re spackle 11:47:27 Hbs, nah 11:47:31 Just ppl are quiet 11:47:32 there are basic expectation 11:47:36 there are basic expectations 11:47:37 And dont like conflict 11:47:46 Dsc, doesn't really matter. 
The funds were donated to projects and now the gf has to cover it 11:47:53 ill be the one to say what we are all thinking 11:48:17 the nsa used their backdoors in intel me and the proprietary blobs in the ubuntu kernel to steal the funds 11:48:19 <1​23bob123:matrix.org> What am i thinking 11:48:26 it was nice meeting you 11:48:32 but i have to go into hiding now 11:48:47 <1​23bob123:matrix.org> With your node? 11:48:53 monerobull: I agree it is pointless speculation, I'm not sure about gf covering it but it would surely be welcome. 11:48:55 that too 11:49:07 Why in thr world was he running a node on the same machine 11:49:09 The NSA gets way more out of closing down DNMs 11:49:34 yeah but dnms use linux-libre on corebooted machines 11:50:02 They use AWS 11:50:11 Something wrong with selsta or plowsof onion nodes? 11:50:11 exposing the vm to the internet is crazy 11:50:24 We even have a setuo guide on getmonero for making an airgapped wallet 11:50:36 <1​23bob123:matrix.org> Tldr 11:50:53 And the paper wallet generator credits luigi as helping create it 11:51:05 we currently have a few contributors that are most likely dependent on CCS income which can create troubles for them 11:51:24 so whatever the solution, that needs solving 11:51:33 @dsc theyll cover it 11:51:45 replenish from the general fund 11:51:46 <1​23bob123:matrix.org> Core is covering it 11:51:47 okay 11:51:53 What good if generalfund, if not to cover rainy days 11:52:00 <1​23bob123:matrix.org> For active projects 11:52:01 Since my fkn rainy day fund was stolen 11:52:16 @dan core is covering 2675xmr 11:52:26 Not a pico less 11:52:47 Thats out raint day fund 11:52:55 Not our "bed gf to cover" fund 11:53:03 Begi* 11:53:06 Beg*** 11:53:07 2675xmr is a drop in the bucket for the general wallet anyways no 11:53:10 <1​23bob123:matrix.org> Then they can claim against cyber insurance 11:53:20 Nah its like 35% of it 11:53:29 8kxmr in gf 11:53:34 no ones gonna insure for xmr not even ransomware insurers 11:53:47 
they only insure for btc because they have a chance of tracing it 11:53:49 ccs need re-start asap 11:54:11 Active proposals are only about 600 xmr 11:54:15 @majestic ill talk to plow and luigi and try to get it going today 11:54:32 <1​23bob123:matrix.org> System reboot 11:54:41 <1​23bob123:matrix.org> Clear cache 11:54:46 <1​23bob123:matrix.org> Nothing to see here 11:54:50 rm -rf ccs wallet 11:55:23 <1​23bob123:matrix.org> Hopefully its a multi sig 11:55:35 Maybe check recyclebin? 11:55:36 <1​23bob123:matrix.org> On google vps 11:55:46 Tobby might implement in feather 11:55:51 To make it easy for ua 11:55:52 Us 11:56:01 for ua also 11:56:03 Feather Wallet 11:56:08 <1​23bob123:matrix.org> No one tries to hack google 11:56:15 <1​23bob123:matrix.org> Thats asking for trouble 11:56:22 i am more concerned about luigi physical security / opsec than internet setup and from my position don't see other good fit 11:56:24 Once I accidentally did that on my monero node when I wanted to remove monero.fail folder 11:56:43 Regarding Luigi physical security. Maybe hes married 11:56:51 how much rino is ready to be easy to use in this case? 11:57:03 Rino is proprietary 11:57:10 Aint it? 11:57:41 non custodial still ? 11:57:47 does it happen fully in browser ?
11:58:00 Id prefer feather/gui/cli to any proprietary measure by someone who may have poorly implemented things 11:58:27 <1​23bob123:matrix.org> Tbh if i was him, i’d try and csi it, cause if it was breached on his side that means hes doxed 11:58:36 as I understand rino was made for larger exchanges 12:00:04 Still cant get access to msvb getmonero emails 12:00:13 But someone got the whole wallet :D 12:00:29 <1​23bob123:matrix.org> Lol 12:00:44 <1​23bob123:matrix.org> This is the way 12:01:38 rino wont work 12:01:43 its a frontend 12:01:59 the multisig is only for the recovery as far as i can tell 12:02:08 w/e solution is must be more robust but still easy, we are often waiting for one signer, multi-sig beyond 2 people 12:02:16 you can restore a rino wallet in CLI and have full access 12:02:24 will make it very slow 12:02:29 featherwallet is the fastest possible, probably 12:02:41 vik (Cake): can you implement too? 12:02:49 (multisig) 12:02:57 it's slow right now, imagine making it slower 12:03:14 the multisig is only for the recovery as far as i can tell <- no it's for every spend. The wallet is a 2-of-3, you can't be just partially multisig "for recovery". 12:04:04 from my point I would never want to be in charge of ccs wallet, it's really big responsibility 12:04:40 <1​23bob123:matrix.org> High threat model too 12:04:45 <1​23bob123:matrix.org> Seems exciting 12:05:37 binaryFate, true but it doesnt add any extra security in terms of protecting against people with access to the rino wallet 12:06:17 <1​23bob123:matrix.org> 2 of 3 for a transaction? 12:06:21 yeah being custodian for the community is shit. Opsec and known target on your back has a *huge* impact on personal life, travels etc.
You can only lose in case of problems, when things are ok, people just take it for granted :) 12:07:04 <1​23bob123:matrix.org> Tbh i think it was just complacency 12:08:15 it is like being the idiot who builds the roads and bridges in the libertarian city 12:08:36 But hey, they hit us too early. Wont happen again 12:08:52 binaryFate, true but it doesnt add any extra security in terms of protecting against people with access to the rino wallet <-- I would not advocate its use for sizeable community savings. For smaller, hot wallets that need more frequent access, it might be a useful approach. But obviously I'm not gonna advocate anything too specifically :) 12:09:59 I am understanding right that fluffy had unilateral access to the ccs wallet? 12:10:16 after we like, revoked his github access and shit 12:11:09 i think he didnt and then the funds were moved back to the wallet where he did lol 12:11:31 what. the everliving fuck 12:11:46 honestly who did that 12:11:48 No the funds weren't moved back, they just continued accumulating there. Ccs churns 1000s of XMR per year 12:11:54 keeping your hands out of the cookie jar is not easy for some people 12:12:15 I'm not trying to levy accusations but I am saying that if you think it's prudent to revoke someone's github access it seems insane to then give them access to funds 12:12:19 if we add plowsof to true multi-sig, what are chances we lose that funds in the protocol? 12:12:37 Depends who he signs with 12:12:42 As low as 0 12:13:07 Like when it was announced that his permissions were revoked I definitely assumed that included donation wallets 12:13:18 what ever man it is just money and is a thing of the past now. the cookie monster got its fill lets move on and think how we can do better in the future 12:13:29 well no 12:13:39 is our multi-sig safe for keeping million usd?
12:13:39 we literally don't know it wasn't an inside job 12:14:19 yeah and there is no way to tell because this setup is just super fishy 12:14:34 and anyone who couldnt tell and still donated is goofy 12:14:44 nonetheless we need to think how the people who found themselves in these very fishy positions are to be handled 12:15:02 I assume fluffy is out of everything now (right?!?!?) and god knows I'd hate to lose Luigi but like.... you know?? 12:15:09 Fp will not be part of whatever the solution is. I don't know who will be 12:15:19 spirobel @spirobel:monero.social: on that note, id like to add: whoever stole the money, feel free to share 83BgP7EP8YcAV52rxgvKuaRUsYKbnJ7bFWJ98CD5q7ESLKTdWGQa7x2iuz8B6Tm9aY41x2by52T56S6LCu2xrJ1mJy5XW3s 12:16:09 monero.town has a dono address too :) 12:16:47 me too please give me monez me poor 12:16:57 restart ccs asap in more robust way, figure what happened after 12:17:07 +1 12:17:14 my personal opinion on all this is that you should all get a server from kyun.host 12:17:26 no shut it down. Donors should donate directly to people who work 12:17:39 +2 12:17:40 this stupid ccs and core charade has got to stop 12:18:05 I think we should be able to figure out how not to put two to three people in charge of half a million dollars 12:18:14 That will only produce scams with people who *don't* work 12:18:15 unless one of them is me 12:18:22 Core more or less doesn't do anything anymore so not quite getting the charade part 12:18:31 so just donate small amounts while building trust 12:18:47 <1​23bob123:matrix.org> We’ll rotate the people once a week so everyone gets a go 12:18:53 i read this as 12:18:53 > Cry more 12:18:55 exhibit a: https://kuno.anne.media/search/ 12:18:55 bro want .com to become official domain 12:19:04 wouldve been pretty funny ngl 12:19:05 Oh those young people with their idealistic worldviews.
Signed, boomer 12:19:34 help meeee buy 12:19:49 If I lost half a million dollars I'd replace as much as I could from my personal stack then disappear into the night in shame but that's just me 12:19:51 at least those guys are honest 12:19:54 btw I seriously thought about getting funding for my mini pizza oven there 12:20:19 I am pretty sure we are taking a lot of stuff here for granted 12:20:22 "help me get boob surgery" was also a good one 12:20:24 <1​23bob123:matrix.org> What type of pizzas 12:20:30 not knowing what effort is put into 12:20:33 <1​23bob123:matrix.org> Yest 12:20:35 all around 12:20:37 I'd donate to the boobs 12:20:49 Yeah, that kuno thing is cool. Much better than a CCS 12:20:58 Har har 12:21:07 Lyza https://kuno.anne.media/donate/4ofb/ 12:21:38 no because gluten bad 12:21:40 nah actually I like em how they are 12:21:50 <1​23bob123:matrix.org> What size 12:21:59 wownerochan 12:22:08 I mean the thing is people can judge by themselves if they want to donate or not. we just need to make it a thing. we dont need to ask daddy core for their permission just to raise some funds every time 12:22:25 🤤🤤🤤🤤🤤🤤🤤🤤🤤🤤🤤🤤🤤🤤🤤🤤🤤🤤🤤 12:22:46 this is currently most transparent funding on internet I've seen 12:23:21 🥛🥛🥛🥛🥛🥛🥛🥛🥛🥛🥛🥛🥛🥛🥛🥛🥛 12:23:30 yeah but it is ultimately like, convincing one dude to approve your PR 12:23:32 <1​23bob123:matrix.org> ( . )( . ) 12:23:34 real devs would get drowned out by grifters 12:24:16 u want bigger tits? get pregnant 12:24:19 <1​23bob123:matrix.org> Easier too apple walled garden too 12:24:21 yes. so we need the people with clout to point out what is worthwhile and what isnt. 12:24:23 and even real devs might just... start CCS, apply at google, take an extended vacation 12:24:36 ocean I tried dude :( 12:24:51 It's already now pretty hard to finance a substantial part of your life by working for Monero, which some people want to do, and which gives very good devs, if it works out.
Imagine being at the mercy of small donations coming in directly - or not - for that. Awfully realistic. 12:24:55 yes then people can adapt their donation patterns ... it is a back and forth 12:25:02 instead of the ccs struggle sessions 12:25:23 I'd like to continue exploring a community held multisig CCS. 12:25:24 cunny.jpg 12:25:52 I would like to do it if there was an opportunity, but it just feels too unsafe the way things currently work. 12:25:55 honestly just send me the money and I'll decide what projects are worth it 12:26:04 very good system 12:26:35 yeah that is how the ccs worked until now 12:26:39 exactly 12:26:46 <1​23bob123:matrix.org> ? 12:26:47 but with one guy for the whole community as the bottleneck 12:26:53 good system, just need someone that can be trusted. like me =P 12:27:04 that is also super inefficient from a parallelism / concurrency standpoint 12:27:12 or me hihi 12:27:22 I agree spirobel seems chill 12:27:23 <1​23bob123:matrix.org> All i saw was luigi this is approved pay the man 12:27:29 I vote we share responsibilities 12:27:52 Only if you agree on splitting it with me later 😋 12:28:05 nah the ironic thing is I'm actually trustworthy 12:28:09 spiroble, plow, do we want to do the multisig together? 🤔 12:28:18 Lyza: sure you are 12:28:22 :) 12:28:27 spirobel, plow, do we want to do the multisig together? 🤔 12:28:34 you want to multisig eachother in the multibutts? 12:28:34 <1​23bob123:matrix.org> Only if you use winxp 12:28:49 id also invite geonic and ofrn 12:28:58 <1​23bob123:matrix.org> Lol 12:29:12 <1​23bob123:matrix.org> Conflict of interest 12:29:13 2 of 9 multi-sig in that case 12:29:15 lets go to the hotspring together to share the keys 12:29:22 not at all 12:29:25 on the contrary 12:29:54 i bet you 100 XMR ofrn and geonic would never collude to steal funds 12:30:18 in all seriousness getting 2-3 people to conspire isn't that much harder is it, esp.
if they're all pseudonymous and like, who would want to attach their real name to this wallet 12:30:21 my wifes boyfriend wants to join you 12:30:51 <1​23bob123:matrix.org> What does magic funds do? 12:30:51 monero multisig is still an experimental feature 12:31:05 securing the new key is easy, ironically, it's getting the trust back that's the real challenge here 12:31:07 says us bcuz ooo warned us we'd end up on rekt 12:31:09 But look 12:31:15 thanks ajs 12:31:15 We didnt use it, and got rekt 12:31:17 and RINO would be better suited for hot wallet situations 12:31:19 yes they are suggesting an experiment 12:31:27 :) 12:31:33 i think we convert most into more stable and insured assets pretty quickly 12:31:36 oh theyre experimentin galright 12:31:39 oh theyre experimenting alright 12:32:17 how long have you been watching this experiment? 12:32:53 the thing is it also solves nothing. The core problem of: what to fund? how to keep a good relationship and mutual trust with them still remains ... Every community member and potential donor should make this decision themselves instead of pooling the funds all up front. 12:32:59 we should do IRL signing sessions 12:33:00 monerobull you would need a person or organization to custody that still 12:33:21 file image.png too big to download (3743145 > allowed size: 1000000) 12:33:21 image.png 12:33:22 the thing is it also solves nothing. The core problem of: what to fund? how to keep a good relationship and mutual trust with the devs / creators still remains ... Every community member and potential donor should make this decision themselves instead of pooling the funds all up front. 12:33:26 can we keep cold ccs wallet with bF and he gives us tiny amounts when payment is due ?
12:33:28 cake wallet should do it 12:33:33 lol 12:34:13 Cake has insurance haha /s 12:34:38 Imagine if luigi was ceo of monero ccs llc 12:34:57 Ouch 12:35:08 he is anyway keeping most of the money 12:35:48 the service of the CCS was that it gave lesser known developers a shot by holding the funds with an, ahem, trusted third party, who could dole it out in units. And I think that's a useful thing to have! But it either needs to be decentralized or.... I'm not sure we have enough of a trusted third party left 12:36:04 The biggest issue i see here 12:36:19 If devs have been requesting pay 12:36:23 Starving themselves 12:36:25 Screenshot from 2023-11-03 14-34-35.png 12:36:29 We have a PAID ccs coordinator 12:36:43 The info that "ccs was drained" was available 30 days ago 12:37:01 And the CCS coordinator was wasting community funds, asking people to collect their money 12:37:06 When the money was gone 12:37:22 Thats a major "wtf is wrong with you" moment 12:37:34 hmmm, the compromised wallet has been open for donations for the past 30 days?? 12:37:38 is that what you mean 12:37:47 No 12:37:53 You DIDNT tell plowsof? OR the cryptographers and researchers and hackers who the money belongs to? 12:38:04 Oh I see 12:38:09 what is meant 12:38:27 Why was jeffro left in the dark 12:38:56 Looking like a starved child asking regularly, and the COORDINATOR doesnt have answers 12:39:07 But the answers were there? 12:39:13 Why fkn make us look like retards 12:39:34 monthly or w/e bF transfer to luigi 12:39:44 he make payments and job done 12:39:47 Its almost disrespectful that core would think us to now be a part of the "need to know basis" 12:39:57 I don't think bf wants to take on more 12:40:22 Bf doesnt need to take on more, i agree.
Not even fair to him 12:40:30 Payments should go out today 12:40:37 for RIGHT NOW 12:40:40 Bf needs to pay the devs 12:40:44 Please 12:40:51 Thank you 12:42:18 <1​23bob123:matrix.org> Co-ordination disclosure 12:43:25 id be happy to be part of a big multisig for big proposals, anything smaller, idk, like, 20 XMR can probably go to a hotwallet run by plowsof 12:43:41 like, 6-10 12:43:47 250xmr to hotwallet run by plowsof 12:44:02 luigi1111> Payments should go out today <<>> thank you 12:44:08 like, 6 out of 10 musig 12:44:30 <1​23bob123:matrix.org> Do all 6 meet up 12:44:37 <1​23bob123:matrix.org> And then cia drone strike 12:44:39 btw can xmr even do that? 12:46:46 That is my understanding. Reading through this now: https://web.getmonero.org/resources/user-guides/multisig-messaging-system.html 12:47:02 activating the GUI auto updater already always takes a while, and that only requires 2 people / core team members that don't have to be simultaneously online 12:47:13 keep that in mind when suggesting fancy multisig setups 12:48:10 I've been around, pinging people that are around 6 years 12:48:14 monerobull: 6 of 10 multisig? IIRC, the multisig in Monero's C++ codebase requires...something like N^2 signing rounds for N signers. IIRC Serai has a more efficient Monero multisig implementation in Rust....maybe based on FROST. 12:48:15 to do multi-sig 12:48:29 would be weeks time 12:49:02 i know plow ofrn and me are terminally on here 12:49:16 I can't remember all the details. It's a pain to have a large number of signers. Serai needs efficient multisig to operate, so kayabaNerve built it. 12:49:40 thing is signers need to be people who are here to protect monero market cap 12:49:47 Rucknium: It's not N**2, it's N! 12:49:53 and not for their own 12:49:57 things 12:49:59 Ouch.... 12:50:07 we can also just stall and wait for serai multisig wallet :D 12:50:08 (hand-waving, there's more terms but that's the most notable comment) 12:51:12 N factorial?
Wow 12:51:13 That's why Monero caps at 16. Serai is n^2. I don't love n^2 but it's acceptable even at ~100-150 signers. 12:51:31 150! wouldn't be acceptable in the slightest. 12:52:17 Also, Serai does offer a O(n) n-of-n key generation algorithm (MuSig). The above commentary is on threshold keys. I'm unsure if Monero offers a dedicated n-of-n algorithm which isn't superlinear. 12:54:09 Are you planning to give the two machines to forensic analysts to be imaged and analyzed? luigi1111 12:54:36 The reports should be public 12:55:10 <1​23bob123:matrix.org> Are you going to give your pc’s image to use too? 12:55:23 image and send it to the feds :3 12:55:47 <1​23bob123:matrix.org> Better off asking citizen labs for help 12:56:12 "biden, north korea might buy nukes with it, please help!" 12:58:24 plot twist: biden stole it and we need nk's help 12:59:44 <1​23bob123:matrix.org> To fund the wall 13:00:16 morning 13:00:24 Realizing there are drawbacks, can anyone attest to the user experience for a large Monero multisig setup? 13:00:24 I would volunteer for doing a many(10+) person test setup this weekend to see what it is like. 13:00:37 happy to do whatever with the server the wallet was on. 13:00:45 hi plowsof 13:00:48 i said plowsof is sleeping on the job 13:00:58 Too big is too much red tape 13:02:12 <1​23bob123:matrix.org> Give everyone teamviewer access :0 13:02:25 <1​23bob123:matrix.org> Or google remote desktop 13:02:40 redeem? 13:02:43 sirs 13:05:50 bloody benchod basterd 13:06:08 jai hind 13:11:34 > doing a many(10+) person test setup 13:11:43 That's almost impossible. 13:12:06 You would have to exchange literally hundreds of messages to just build those 10 wallets. 13:12:35 I made once a 5/7 wallet or so and don't think somebody went higher than that, ever. 13:13:00 Except maybe kayabanerve with this quite different system to build multisig wallets 13:13:01 rbrunner how useable is a 5/7?
13:13:24 Once built, it's kind of ok 13:13:47 Local generations of 16 have occurred. I'm unsure the round complexity and real world impact. 13:14:32 Still hard sending a tx to all those 5 peoples in a row. 13:14:45 I didn't prior recommend monero-serai as I assumed the core multisig would meet the requirements in a non-performance constrained environment. If the newly proposed multisig is to have 7 signers, it sounds like monero-serai *may* be a valid recommendation. 13:15:51 But maybe no sense in going overboard. I think already a 2/3 would be much, much better than the current, or sadly, past setup. 13:16:40 Agreed, yet I think the ideal would be 3-of-5. 13:18:21 Sounds like a fkn disaster. 3 letter agencies would be salivating at the possibilities to co-opt it 13:18:57 literally why havent they done so with core 13:19:23 if thats apparently a "valid" argument 13:20:39 Because core devs have a higher probability of being principled than community members. 13:20:39 Would you give your signature up for $10M? 13:21:06 I can say that I wouldn’t, but do you trust me? 13:21:49 lol 13:21:51 Core team =/= core devs 13:22:00 lets drain 400k by paying 50 million 13:22:04 Core devs = the ppl who got robbed 13:22:15 The ccs proposers who do the work 13:22:32 All right, core team* my b 13:22:52 Why would being a member of a club that doesnt dev, make you more principled? 13:22:59 You’re stuck in the present. With enough time $XMR could be worth a lot more 13:23:16 Pretty sure Core are the ones who robbed the CCS.
They gotta pay up 13:23:30 ok, then id wager most community members have even less of an incentive 13:23:36 I mean, the money belonged to devs 13:23:42 The devs are the ones who got robbed 13:24:04 money was taken from core team, but it didnt belong to core team 13:24:18 meito seems to think core team = devs 13:24:27 Core cult devs robbed regular devs :D 13:24:57 No I corrected myself above 13:25:00 Meito, how is this "more principled" 13:25:08 Lets assume no foul play 13:25:17 Opsec was worse than niocs cat 13:25:21 Communication too 13:25:45 What principles is mr/mrs meito referring to? 13:25:49 Complacency? 13:25:58 Core isnt paid. Has no dog in the fight 13:26:34 Why would they bend over backwards for us anymore? 13:26:34 At any point in time, bf can have a boating accident 13:27:26 to detect spends from a view only wallet we need 'the thing that does the heuristic things'. an example would be generic xmr scanner, which i tried and failed to compile 2 weeks ago https://github.com/moneroexamples/generic-xmr-scanner/issues/11 13:27:26 Core used to steer the ship. now core got out of the way. Were supposed to be steering it 13:27:33 But we still rely on them bcuz we need somebody to blame 13:27:57 +1 for out-going scanner 13:28:15 plowsof: The heuristic doesn't work if there is no change going back to the wallet. The theft would not create change. 13:28:48 My point is that if you were to pick from the community at random vs core team at random, 13:28:48 then the likelihood of the random pick from the community acting ethically is lower than the likelihood of the random core team pick acting ethically 13:28:49 ah understood, thanks, makes sense 13:28:49 they swept in 9 tx 13:28:50 are we sure there was no change? 13:28:57 Who's doing random? 13:29:11 We chose plowsof 13:29:27 Hes more ethical than mary poppins 13:29:37 Wait..
wrong mary 13:29:38 plowsof sadly is neither anon or rich 13:30:16 plowsof is well known to be ofrnxmr's original acct 13:30:21 How do we pick? 13:30:26 5$ wrench attack 13:30:27 lets be real here for a second, CCS wallet isnt even supposed to have that much money in it 13:30:33 Out of a hat 13:30:47 I think a mix of core team and community could work. But not community only 13:30:47 Pull straws 13:30:48 Randomly /s 13:30:58 I don't think we're sure there is no change. The thief could have made a mistake. I can check... 13:31:00 I have ideas 13:31:08 yes, if we turn back time, and asked someone to custody a CCS wallet - the idea was for it to never have nearly 3000xmr in it 13:31:23 people complete work and are paid, happy 13:31:36 yes 13:31:43 3000xmr is supposed to be the _jet fund_ 13:31:49 and in the future this should be prevented 13:31:59 by putting a time on when funds get sent to the shadowrealm (gf) 13:32:00 Somehow it was left with luigi / ccs wallet for like 9 months after she got prego 13:32:04 Then the baby was stolen 13:32:06 by putting a timer on when funds get sent to the shadowrealm (gf) 13:32:33 JET FUND 13:33:04 tldr again, by "jet fund" it doesnt mean a real airplane 13:33:18 It means "rainy day dev fund" 13:33:29 separate wallet for each proposal 13:33:36 time-locked 13:33:37 We'd still have 2000+ xmr if we did the jetfund 13:33:48 I quit 13:33:52 Dont get paid enuff to handle that shit 13:33:55 until first milestone 13:33:58 Go kuno 13:35:09 on which server does ccss script is running ? 13:35:19 does / is 13:36:04 > full timeline: https://www.reddit.com/r/Monero/comments/17m6w9e/psa_ccs_wallet_incident/ 13:36:04 .
13:36:31 If anyone wants to have the CCS wallet view key and doesn't have it, it is: 13:36:36 Address: 43H2k6iDgyfNo4HzgQKF8ABALWGpRz9Ez6uexXLGFyuC32SevoaGUiKWbebSkqy5EzdkviwJ4NQwDHkxVxHceUtLBzBjoTV 13:36:36 Secret view key: 645936bdbb2e13830f587351b73b226c7c107ff94e5db0e0dd19c661cd657b0a 13:36:58 Tyvm 13:37:11 The earliest tx I see is 2020-04-21. You can use that as the restore height date. 13:39:21 I don't think we're sure there is no change. The thief could have made a mistake. I can check... <= there is no change 13:39:45 From what I see, the theft transactions did not produce any change 13:39:54 Thanks. Just checked. 13:42:15 luigi became aware of it on the 28th september, if i found out about this hack, i would first endure the stages of grief whilst trying to set up calls/meetings with other member of core 13:42:21 1~ month is an impressive turn around 13:43:38 again, i am not anon, or rich. i have watched the docus on how putin will make ya commit espionage 13:44:47 image.png 13:45:08 double checking timeline 13:46:01 what 13:46:29 can elon musk attach a community note to monerobulls image .. September 28th it should be 13:46:31 i just thought this comment from /xmr/ is fitting in regards to your stages of grief comment 13:46:37 ohhh lol 13:47:03 my brain sees >green text, it reads 13:47:30 didnt you get that wrong too 13:47:53 that date is referring to which hight the wallet was previously synced 13:48:03 yes, let me pass the laptop to my evil maid who is more awake 13:48:04 that date is referring to which height the wallet was previously synced 13:48:35 image.png <<>> was this supposed to be an image? lol 13:48:51 sorry . and johnfoss68 i just tested, 260 chars seems to be the line limit for irc messages 13:49:09 uhh john_r365 13:50:31 1. Hacked sept 1 13:50:31 2. Sept 28 found out, contacted core 13:50:32 3. Sept 29 contacted plowsof 13:50:32 4.
Sept 29, plowsof contacts devs like jeffro, selsta, tobtoht, berman, siren, rucknium, sgp, because they are owed $ and/or because we need solutions and investigations 13:50:33 5. Oct 4th we have disclosure 13:51:53 Were a month late and in a wtf situation bcuz everybody who should have been told as a part of "need to know basis", was not 13:52:13 Self admitting that core "doesnt do much", so why would core try to solve this without us? 13:52:15 This isnt 2016 13:53:36 Bad judgement call. Thats why we have plowsof. Because core doesnt need to make these decisions for us, and then lambasted over it 14:01:03 Thanks plowsof! Useful to know for when breaking up larger messages into smaller chunks 14:06:12 I wasn’t contacted Sep 29th about this. On Monday, I was told that binaryfate would be handling payments , but not why 14:06:38 Oh yeah, im saying thats what SHOULD have happened 14:07:03 clear as mud ofrn lol 14:07:14 just use multisig https://github.com/monero-project/monero/pull/9050 14:07:41 > luigi became aware of it on the 28th september, if i found out about this hack, i would first endure the stages of grief whilst trying to set up calls/meetings with other member of core 14:07:41 Was a response to this 14:08:01 I wasn't contacted on Sept 29 I only learned about the incident yesterday 14:08:28 ❤️ sorry, ill be more clear next time 14:36:49 ofrnxmr: promises promises 14:37:28 I'm leaning that way too. 14:42:04 And here I thought monero offered some level of anonymity. Damn... 14:46:22 Isn't that where the multi part kicks in? 14:50:48 a moment of silence for the IRC side who have no idea what quotes are being replied to 14:51:24 (reply = doesnt work. Quote = does work) 14:51:42 > (reply = doesnt work. Quote = does work) 14:51:42 thanks! 14:52:24 Don't worry. I'm on the late shift.
14:53:04 https://matrix.monero.social/_matrix/media/v1/download/matrix.org/HfkoJIbwtNaytsAlQSkJRnSz 14:53:17 litmus test for all matrix users who see the above image and continue using reply 14:53:29 test 14:53:40 Haha 14:54:42 I'm pretty sure, had anybody been aware of the setup, they would have objected. I would have. Password, WTF. 14:54:49 i thought you were manually retyping the comment yourself, instead of clicking "quote" 14:55:12 Hahahaha, hahahaha. Hahaha. 14:55:28 yeah trasherdk the setup is quite simple, you just click the 3 dots and then quote.. real simple 14:56:01 password vs key does not plausibly solve much 14:56:37 the ccs node was "broken" a while ago, and "fixed" 14:56:44 cant get in without access to the key, which should have not been on the same device 14:56:50 jeffro256: sent 14:56:53 could information have leaked there? 14:57:10 > > <@plowsof:matrix.org> litmus test for all matrix users who see the above image and continue using reply 14:57:10 > test 14:57:11 boop 14:57:40 plowsof afaik only the viewkey should be at risk there 14:58:11 Isnt the node on same device as the ccs cold wallet. That got drained? 14:58:18 no 14:58:27 ok ok 14:58:33 well _a_ node is on there. Nothing to do with CCS tracking 14:58:52 Oh ok 14:59:13 Probably shouldnt expose that to the internet 14:59:19 Otherwise its, uh, a hot wallet 14:59:27 but 4rkal said we need more nods 14:59:39 And more windows 14:59:45 Luigi had 5 different os, didnt help 14:59:46 exactly 14:59:59 it's not exposed to the internet, unless router compromised, which is possible 15:00:04 diversified for the ecosystem and this is how he is thanked 15:00:11 otherwise it requires some monerod RCE or so 15:00:27 iptables? Ufw? 15:01:00 Not sure why the jump to router 15:01:06 Unless firewall wasnt config 15:01:24 it doesn't have a public IP.
You can't access it unless you get through the router 15:01:26 so we have no idea yet if this was a targeted attack or random / fishnet attack where router firmware is vulnerable 15:01:31 And there was a cve RavFX @gfdshygti53:monero.social: that allowed firewalld to escalate iirc 15:01:51 Cant devices do adhoc mode 15:02:01 Why even use a router or run a node 15:02:57 you mean why not full offline? Convenience 15:03:24 clearly wrong choice 15:03:29 That's neat! 15:03:29 When you use the firewall to get root 😂 15:03:37 couldnt put the wallet on a thumbdrive or something? 15:04:03 how do you access it? 15:04:14 By booting into it? 15:04:20 then it's online? 15:04:34 No, its offline 15:04:39 Why would you need net to boot? 15:04:48 https://www.getmonero.org/resources/user-guides/securely_purchase.html 15:04:49 the two person who had access could have done just that. 15:04:49 Each with a usb key with TailOS with the monero stuff. 15:04:49 ofr is right, so easy to setup, and the remove the need of sshshing 15:04:54 ok then we are back to the same thing 15:05:18 offline sign the tx from a cold distro.. 15:05:34 convenience of paying 11+ people every month 15:05:44 yes I agree that would be obviously more secure 15:05:46 Could have been 1 15:05:48 for x years 15:05:53 But plowsof aint bout that life 15:06:22 :( 15:06:26 putin can be very, very persuasive 15:07:37 x % of multisig signers will attend a conference every year together 15:07:56 same place, same time 15:09:36 they wont have the keys/devices on them of course 15:09:58 Kaboom 15:10:02 Nah 15:10:12 My proposed, only 1 went 15:10:39 The rest were cleaning up the mess and guarding the house 15:14:04 Dude, watch it! Signed, boomer 🧐 15:34:06 vtnerd , i thought you had been paid, sincere apologies - there was a merge, but your payouts were not updated, i failed to notice this.
this is being solved now MY BAD 15:34:39 vtnerd @vtnerd:monero.social: 15:39:16 where is the animated video on how to do offline signing 15:45:57 Who cares 15:46:04 we need videos on randomx /s 15:52:10 plowsof: sounds good. I contacted Luigi separately anyway, and I've been following this room so I know why there's been a delay 15:52:40 thanks (its just that ive been sharing a list of people awaiting payouts for a while and didnt include you, sorry) 15:52:54 I like the idea of CCS via escrow. Or another idea, instead of a 2/3 multisig, could we have a few different custodians of CCS funds, and people submitting to CCS could choose one of them to custody the funds while they achieve milestones? 15:53:12 luigi do you have access to the GF wallet too or just binary? 15:53:27 just bf 15:53:56 In other words, when you submit a proposal, you also select the person you prefer to handle your future funds. 15:55:11 I have to admit, I never considered this as a possible outcome beforehand. I was more worried about my own machines 15:59:13 BawdyAnarchist: why not just a musig between the ccs community leader, core and the ccs recipient? 16:01:07 creating a multisig wallet for every proposal requiring 3 people will slow things down even more 16:01:13 i don't think it's realistic 16:03:14 if there is multisig involved it should be something that has to be touched only once in a while to fill up the hot wallet 16:04:22 should probably just be one person managing each fund 16:10:18 does managing mean having access to? 16:11:10 as in, do you believe only one person should have access to each fund? or only one should actively perform transactions with it? 16:11:42 (while potentially many have the access to do so if required) 16:12:50 one person having write-access to the wallet, yeah 16:14:08 well what if they get hit by a bus? 16:14:11 you have to consider the bus factor. 16:18:31 selsta, slow down in what way? technically or managerial? 
16:19:29 pay 11+ people every month, on the dot, offline signing from a multisig wallet
16:19:59 the CCS already moves a bit slowly with payouts due to limited time availability of core time
16:23:54 well, this bus factor is often a problem in regular companies too.
16:24:26 and with a regular company you have way more options to cover risks and liability
16:24:39 Monero is just some guys sitting in their underwear in a basement
16:25:26 so if you want to 100% protect yourself to all threats, either setup a company and do it the legal way, or make sure multi-sig works properly (also a bus factor there?)
16:26:23 for example, if this were a traditional fund, it would also be insured against theft
16:27:24 kinghat: basically i don't see core managing lots of multisig wallets with different people involved
16:27:25 most pragmatic solution is to find trustworthy people
16:27:41 luigi is trustworthy in my book
16:28:31 it doesn't need to be core managing it but setting up lots of new wallets is going to be a nightmare surely
16:30:25 that would be 50+ wallets / year
16:30:34 no idea how many proposals we get exactly
16:50:30 free tay k man
16:53:22 why does core need to be involved again? can the community elect ccs members to steward the funds via their own musig setup?
16:54:10 Well, trustworthy *and* able to keep up good opsec longtime ...
16:56:00 Yeah, additionally I would explicitly put a warning against sending XMR to any address found on the site until the issue is resolved. Thanks for working on that!
16:58:17 core doesn't have to be involved
16:58:47 Luigii, was the first half of the seed persistent in your Wire chat with fluffy? Or was it deleted from the chat history. If a new device signs into a wire account are the historical messages sync’d? Did you store your wire credentials within Lastpass? (I’m not that familiar with wire)
17:01:20 I have a suspicion that the lastpass breach is highly likely to be involved here one way or another.
Did you store any passwords in lastpass that could allow someone into your home network? (Maybe ssh set up with reverse dns or something)
17:02:17 the lastpass breach has been so widely known about for so long D: crazy to have been using it and not change everything
17:02:36 I know that's not a helpful comment but gd
17:03:19 this has probably been addressed so apologies but what's the situation with the general fund right now? who is known to have access? does it have any of the same security issues? are we talking about setting up a new one?
17:03:36 Sorry for the barrage of questions, but what router are you using for your home network and do you have segmentation, vlans, or anything else like that or is it a flat network? Just trying to get a good idea of possible scenarios
17:04:50 Lyza, Changing all your passwords is a real PITA, especially if you have hundreds or thousands of accounts. Its understandable how that could be procrastinated. Not ideal but understandable
17:19:46 evening boys
17:22:14 My speculation would also be on LastPass. Somehow, "around two corners", working their way towards the end goal, the Monero wallet
17:24:28 why in the world does anybody use lastpass when keepassxc exists... blows my mind
17:25:29 Would anyone here like to be the MoneroTopia special guest tomorrow to chat about the incident? Obviously all are welcome join during the “viewers on stage” portion of the show to have a group chat but first would like to have one guest jump on to give people the low down on what happened, and likely path forward etc.
17:26:37 i'll do it
17:26:39 monerobull: plowsof ofrnxmr geonic spirobel ??
17:27:23 Keepass had its own exploit
17:27:40 not keepassxc though
17:28:16 Yes, and it's not a complete solution. If you want it on your PC, on your Android phone, on your iPad, and have it synced, you need 4 or 5 different apps from 4 or 5 different teams.
17:28:20 ack-j: wire doesn't sync for new devices.
17:29:02 Otherwise known as "PITA"
17:29:08 rbrunner7: yes it's the spectrum between security and convenience, but you still don't need a centralized service rofl there's ways to set up keepassxc as a local web server
17:29:52 you may have a point though idk i don't use phones or tablets
17:30:00 Yeah, as "normal" people routinely set up local webservers :)
17:30:08 I use google password manager
17:30:22 Thats safest, right? /s
17:30:28 Suuure.
17:30:44 not like a full apache server lol it's just a web interface for your passwords
17:30:47 But still better than nothing, I would say. It's all relative.
17:32:33 But we are speaking here about pros that have to manage half a million USD in XMR. I agree that's a different starting point.
17:33:06 All we need is user-friendly offline (=airgapped) wallet
17:33:11 We should CCS that :D
17:33:24 Lol
17:39:12 Thanks luigii, what about the other questions
17:39:52 Sech1 anonero
17:40:17 I did have a few crypto (not xmr) accounts in lastpass, mostly small and/or hard to migrate. I'm pretending they are a honeypot now. Anyway they are untouched so far.
17:40:58 Imajin storing keys and seed in other people computers
17:41:15 Not your keys,.
17:41:16 Lyza binaryFate is the only one with access to the big genfund wallet
17:41:23 Not your coins?
17:41:38 something like that yeah
17:42:48 there was no rdns or ssh on at the router
17:43:31 Router is running stock firmware, i assume
17:43:44 From service provider?
17:44:04 luigi1111w: received, thanks
17:44:25 "This isnt an investigation, this is an interrogation!" 😆
17:45:07 "dont bring problems, being solutions"
17:45:12 I think so. I will have to check.
17:45:13 Bring
17:45:35 ISP routers were known to have a LOT of flaws, depending which one and when
17:45:49 it's a netgear, not ISP
17:45:53 but probably still lots of flaws
17:46:02 But if lastpass is the leak then it does not matter, no need to connect to actual wallet, just restore it from the seed
17:46:12 seed was definitely not in lastpass
17:49:14 is the GF wallet still >8k XMR as per https://www.reddit.com/r/Monero/comments/11fslu9/monero_general_fund_transparency_report_march_2023/
17:50:19 seed was definitely not in lastpass: Yes, I understood that. But maybe contained something else that allowed them to prepare a trap for you in some way that enabled them to watch you do something. That's what I meant with "around two corners"
17:50:41 Even a home address
17:50:53 sorry that was in response to name I can't type
17:50:56 Login to a travel website to know when youre OT or on a boat
17:50:57 when i was looking around for bad nodes, i found some unrestricted ones, i then went to their ip's directly and was greeted with router login pages. a quick search reveals default admin/usernames for those routers
17:51:22 Haxx0r
17:51:46 what did you do once inside, mr plow 🤣
17:52:00 an automated monero peer list checker which sees if the routers are running vulnerable firmware or default user/password is not outside the realm of reality
17:52:20 Not even that
17:52:28 A checker in the code to check from user side
17:52:54 My peers arent my problem, my own setup is
17:53:06 there is a constant background noise of login attempts to my nodes which have ssh login only .... where they attempt to login as "ubuntu" "odoo" "vbox" etc etc
17:53:14 "privacy checkup"
17:53:14 "bro, yur password is default. Noob"
17:53:21 Should we create a form/questionnaire that BOTH luigi and fluffy can answer to try and understand the attack vector?
17:53:28 The trick is to disable password authentication
17:53:54 Yea
17:53:57 and to put the SSH service behind tor hidden service
17:53:57 Have fun to find it... Then no password trying will work, you need the SSH key
17:54:01 Keys only
17:54:13 should the opsec of the GF be considered? being controlled by one person?
17:54:14 yes i have ssh key for convenience , not security lol
17:54:15 coincidentally is better for security
17:54:22 :D rav lmao, i do that cuz im a loser, not cuz of opsec
17:54:33 At the moment we have a stream of questions and answers from only one party, and it could have equally been either
17:54:47 kinghat: yes, that is definitely a concern also
17:54:52 Or neither
17:54:53 As soon as you have convenience set up, you turn password auth off...
17:54:53 I hope you use password on your keys, just in case someone steal them!!
17:55:14 i do not
17:55:16 Leaving password on is senseless
17:55:20 I just never log in to my home connection remotely, that shit can wait
17:55:26 disable all remote login, done
17:55:49 i forgot the password to my pgp file once :(
17:56:02 just once? :D
17:56:07 Whats the diff if you forget acct password?
17:56:20 With keys, even if they yur pw, they need the key too
17:57:49 You can also limit active sessions and login attempts
17:58:00 with fail2ban
17:58:04 easy setup
17:58:08 So if im logged in, nobody else can even try
17:58:12 Even with ssh setup
17:58:14 A naked brute force attack through router compromise is not realistic. Key entropy way too high.
17:58:27 but with key, there is no login attempts, if password auth is off and you try to login, you just get insta-disconnected
17:58:34 MaxAuthTries 1
17:58:34 This will allow only 1 login attempt per connection.
17:59:12 http://serverfault.com/questions/275669/ddg#563794
18:00:14 But That does really work
18:00:14 I mean, by default if you type wrong password in one session, you have to wait like 3 second before next try.
18:00:15 Instead it's better to open many ssh session in parallel
18:00:38 ```
18:00:38 Find the MaxStartups option and set the value to the maximum simultaneous connections to allow: MaxStartups 1
18:00:38 ```
18:00:58 oh, nice. could be a good idea to add that, plus the keys
18:00:59 I also restrict my firewall to only allow ip ranges that i use myself
18:01:11 Yeah, ideally you want that indeed
18:04:34 chowbungaman: not ignoring you. I'm not sure i can commit yet, and im sure the others are exhausted as well. We need to form a solution first. Perhaps if we get that done, we can come speak about it
18:48:00 https://matrix.monero.social/_matrix/media/v1/download/kernal.eu/DFplkOWyyueMKwfXSUEgjhuq
18:48:04 good advice
19:04:28 <1​23bob123:matrix.org> The Agent ofrn find the hole
19:05:01 <1​23bob123:matrix.org> Also i use crowdsec instead of fail2ban
19:05:56 <1​23bob123:matrix.org> Also you can try https://cisofy.com/lynis/
19:06:13 <1​23bob123:matrix.org> Dis Agent ofrn find the hole
19:14:44 <1​23bob123:matrix.org> Also mentioned https://tinyssh.org/
19:25:45 <1​23bob123:matrix.org> https://medium.com/@truvis.thornton/commandline-auditing-using-different-tools-to-security-your-linux-server-and-environments-2fcd361142ef
19:25:45 <1​23bob123:matrix.org> Also
19:59:47 <4​rkal:monero.social> Hate to be that guy, but what proof has been given that this wasn't an inside job? I mean no malware or anything...
20:00:17 <4​rkal:monero.social> Bad opsec doesn't mean shit without the malware
20:01:06 <1​23bob123:matrix.org> Dunno
20:01:24 <1​23bob123:matrix.org> They need to audit the pcs
20:01:34 <4​rkal:monero.social> Should really have a third party audit it
20:01:54 <4​rkal:monero.social> Also was this windows machine a daily driver or just a random laptop?
20:01:56 <1​23bob123:matrix.org> Lynis will run tests for cve and security vul
20:15:10 as has been answered it was not a daily driver, only used for this one purpose
20:17:11 <1​23bob123:matrix.org> The real question is how did you go with minesweeper
20:17:38 solitaire and minesweeper can be played on an airgapped machine
20:19:26 Gameboy color
20:20:20 I prefer to solitaire online. Sir
20:21:21 It does not really matter at the end as long as there is not a extra malware installed (or vulnerable software)
20:21:21 NSA & friend can just look on github for all glibc devs, check which one have almost dry bank account, check his code quality and offer him 1M for a nicely coded "bug".
20:21:22 * Bounty should be adjusted proportionally to the dev bank account quality
20:21:22 * Replace glibc by every crap in the known dependency tree
20:21:23 But yeah, airgapped, multisig...
20:21:23 While we don't have multisig officially and it's going to get there soon I think, we have hardware and cold wallets since a long time :/
20:26:10 And Ubuntu is often the prime candidate to dev and test CVE POC to later dump on github for other to cook exploits (that will often work on Ubuntu first)
20:27:29 <1​23bob123:matrix.org> https://matrix.monero.social/_matrix/media/v1/download/matrix.org/EluBBoETVsMvyErcDMqDxmrM
20:27:30 And when exploiting Linux in general, Ubuntu is often the prime candidate to dev and test CVE POC to later dump on github for other to cook exploits (that will often work on Ubuntu first)
20:28:01 <1​23bob123:matrix.org> at least use kicksecure if you want debian based
20:28:17 I have to test that NixOS eventually
20:30:50 Mint is also based on Ubuntu / Debian
20:30:50 and MX Linux is now on the top in distrowatch.. 🤨
20:35:52 lol
20:36:54 @ ofrn and geonic multisig idea
20:37:08 <1​23bob123:matrix.org> tried voidlinux?
20:42:02 Installed it one time but I did not allocate time to play with it.
Got replaced by something else after
20:50:15 Mx been top but I'm told they're a paid sponsor and that's the only reason why
20:50:47 Oh, interesting...
20:52:20 Unconfirmed tho. I want a vimOS
21:42:18 <1​23bob123:matrix.org> so meeting this week?
21:42:21 <1​23bob123:matrix.org> on next steps
21:45:54 <1​23bob123:matrix.org> jet has been down graded to cessna
22:02:08 Jet taking off soon dw
22:02:12 No delays noted
22:13:33 Just figured out, I have to highlight/select the text to get the `forward` option 😳
22:25:13 Cessna makes a jet right
22:28:44 Bit confining to have such a discussion limited to just 60 minutes and a particular timeblock when folk in parts of the world are going to be asleep. The GitHub Issue already has conversation around the two questions most pressing for -community and be discussed by anyone at any time:
22:28:44 - How do we achieve CCS continuity for existing contributors? Core team is in favor of covering existing liabilities from the General Fund.
22:28:44 - How do we structure the CCS going forward?
22:28:45 https://github.com/monero-project/meta/issues/916
22:32:26 <1​23bob123:matrix.org> yeah,but needs to be discussed in a meeting also. realtime
22:39:46 What happened to the Monero Outreach website?
22:39:49 https://web.archive.org/web/20201226142509/https://www.monerooutreach.org/breaking-monero/introduction.html
22:39:54 doesn't even load in web archive anymore
22:40:03 is there a repository?
22:40:50 found it https://github.com/monero-ecosystem/outreach-docs/tree/master/monero-outreach-docs/en/transcriptions/breaking_monero
22:44:16 <1​23bob123:matrix.org> you're welcome please come again :)
22:48:47 <1​23bob123:matrix.org> also you can pcap dump the m$ pc for network traffic if its still running, but i would isolate these two pcs asap
23:00:52 selsta: It disappeared a while ago. I made an issue on github a few months ago
23:01:58 I've read all of the messages, and it seems that the current design of the CCS is not viable.
23:02:25 Even with transparency, multisig, and whatnot. Maybe something else should be considered
23:04:17 <1​23bob123:matrix.org> Think they are
23:04:50 <1​23bob123:matrix.org> Cause if it was targeted then luigi might be doxxed?
23:13:20 Why is it not viable? It has funded a lot of developers and projects over the years.
23:13:47 If someone doesn't like the CCS system then they can do setup their own funding.
23:16:47 Join us to discuss the Monero CCS hack! labitconf & Monero Argentina meetup, DragonXchain to chat about the Hurricane #Otis Monero fundraiser in Acapulco + 📈(BawdyAnarchist_), 🗞 (tony_huszar) & 🔩 (GergelyGombai) & MORE! Join us TMRW at 11AM-EDT/5PM-CET! !
23:16:47 👀➡️: https://youtube.com/watch?v=ZDJqbIEJnSI
23:16:48 Join ➡️: https://streamyard.com/h6ke6gmzu8
23:16:48 🙏🏽
23:16:49 https://monero.com/
23:16:49 https://cakewallet.com/
23:16:50 https://localmonero.co/
23:19:47 <4​rkal:monero.social> This makes it even more sus
23:20:11 <4​rkal:monero.social> I mean a dedicated machine is a lot harder to hack than a machine you use daily
23:21:10 <4​rkal:monero.social> I just find it very hard to believe that an experienced monero dev somehow got his DEDICATED machine hacked.
23:21:53 <1​23bob123:matrix.org> Complacency!
23:22:39 Complacency. Is that a nicer word for laziness ?
23:22:43 <1​23bob123:matrix.org> Also where very reactive here
23:23:39 that machine was one of the most dedicated workers around
23:24:08 <1​23bob123:matrix.org> On another note never seen so much community action
23:24:35 <1​23bob123:matrix.org> People please contribute to community meetings!
23:25:04 Any chance to sling some mud bring out the peanut gallery.
23:25:45 <1​23bob123:matrix.org> Probably they want the money now?
23:26:21 I want a refund
23:26:33 <1​23bob123:matrix.org> First it was monerokon chairs and now this
23:28:46 "monerokon chairs" what's up with that? Did I miss some drama?
23:29:53 several weeks after monerokon (with another cryptocurrency event taking place at the same venue) - monerokon staff were asked about a few missing chairs
23:30:04 the meme was born
23:37:29 No worries. If you change your mind jump via the streamyard link. As always, all are welcome to join the “viewers on stage” segment. Chatting here in the room is a bit hard to follow. Would be nice to see a bunch of community members jump on stage to discuss their different takes and opinions on the incident.
23:37:29 https://x.com/monerotopia/status/1720548304272990358?s=46&t=WeY1AyuT6Ir1FNBKKq_Beg
23:38:44 Google drive
23:38:59 Present!
23:48:31 <1​23bob123:matrix.org> Please dont say the G word, it triggers me!
23:50:35 https://moonstoneresearch.com/2023/11/03/Postmortem-of-Monero-CCS-Hack
23:51:44 <1​23bob123:matrix.org> Some reason i thought it had stoner in it
23:52:36 they use the word "enote" <3
23:54:08 <1​23bob123:matrix.org> Ima wait for ruck to trackem down
23:56:57 Pocketchange ftw
23:57:18 sorry monerujo, but i swear i told ya so 600x
23:58:55 sweep_all created those 9 tx's automagically