-
m-relay
<behelit:hackliberty.org> after the ccs incident what does the community think is the best methods of crowdfunding projects
-
m-relay
<behelit:hackliberty.org> Can you send monero whilst offline?
-
m-relay
<4rkal:monero.social> CCS with good opsec is still the best
-
m-relay
<4rkal:monero.social> But whoever is holding the funds should disclose their setup to be "reviewed" by the community. At least in my opinion.
-
m-relay
<behelit:hackliberty.org> how would you trust a reviewed setup
-
m-relay
<4rkal:monero.social> Wdyn?
-
m-relay
<4rkal:monero.social> Wdym?
-
m-relay
<behelit:hackliberty.org> how would you verify that the approved setup is actually being used
-
m-relay
<4rkal:monero.social> You can't
-
m-relay
<4rkal:monero.social> Don't verify; trust
-
m-relay
<4rkal:monero.social> Lol
-
m-relay
<4rkal:monero.social> You are already trusting them to hold the funds so...
-
m-relay
<behelit:hackliberty.org> and what type of entity would be trustworthy in your eyes
-
m-relay
<4rkal:monero.social> Multisig with many devs
-
m-relay
<endor00:matrix.org> You can sign a transaction offline, yes. And then submit it to an online node
-
m-relay
<endor00:matrix.org> Same as any other coin
-
m-relay
<4rkal:monero.social> You can't tho can you?
-
m-relay
<4rkal:monero.social> You have to have an online device too
-
m-relay
<4rkal:monero.social> Before submitting the file to an online node right?
-
m-relay
<endor00:matrix.org> Well yeah, you can't be both online and offline at the same time
-
m-relay
<endor00:matrix.org> The important part is that the private spend key is on a device that never touches the internet
-
m-relay
<behelit:hackliberty.org> can you give examples of this setup
-
m-relay
<unkn8wn69:matrix.org> Anonero
-
m-relay
<4rkal:monero.social>
anonero.io
-
m-relay
<4rkal:monero.social> Tor required
-
m-relay
<vikrants:monero.social> Thanks for foundation devices and stack wallet, cake and Monerocom wallets have native tor in next update.
-
m-relay
<vikrants:monero.social> Thanks to foundation devices and stack wallet, cake and Monerocom wallets have native tor in next update.
-
m-relay
<ajs_:matrix.org> monerokon 2024 planning in about an hour
-
m-relay
<ajs_:matrix.org> in #monero-events:monero.social
-
m-relay
<ajs_:matrix.org> agenda
monero-project/meta #929
-
luigi1111w
<4rkal:monero.social> But whoever is holding the funds should disclose their setup to be "reviewed" by the community. At least in my opinion. <= some consideration should be made to physical security as well if "publishing" your setup, targeting involving meatspace could become more likely
-
m-relay
<123bob123:matrix.org> Disclosing some things is actually worse for opsec
-
m-relay
<ofrnxmr:monero.social> Its on my google drive
-
m-relay
<diego:cypherstack.com> hi guiz
-
m-relay
<behelit:hackliberty.org> sounds like security through obscurity
-
m-relay
<sweetbearkiller:monero.social> have rules that must be followed
-
m-relay
<sweetbearkiller:monero.social> regarding the opsec
-
msvb-lab
Hello diego.
-
luigi1111w
security through obscurity is a great thing when it comes to physical world
-
luigi1111w
(rather, is a part of the equation)
-
plowsof
Upload a floor plan of your home with positions (screenshots of any/all security cameras) so we can help improve your setup
-
m-relay
<sweetbearkiller:monero.social> yes dont forget to send the address to check if you are in a safe place
-
m-relay
<sweetbearkiller:monero.social> just in case
-
m-relay
<4rkal:monero.social> If you told people about your terrible opsec beforehand there would probably have been a large backlash.
-
m-relay
<4rkal:monero.social> We only learned about your setup once it was too late
-
m-relay
<4rkal:monero.social> Disclosing that you have for example an offline qubes os install with an offline vm to sign transactions can't really make it easier to attack you. On the other hand if you do something stupid the community might be able to help
-
m-relay
<sweetbearkiller:monero.social> I think the opsec should be disclosed in the future
-
m-relay
<sweetbearkiller:monero.social> security through obscurity has limits
-
m-relay
<sweetbearkiller:monero.social> an attacker will find out
-
m-relay
<sweetbearkiller:monero.social> that or having a standard that everyone must follow once they get enough responsibilities
-
m-relay
<sweetbearkiller:monero.social> it'd not be ridiculous to ask for an airgapped signer when you manage funds >1M$
-
m-relay
<sweetbearkiller:monero.social> and a signer in an offline cube when managing funds > 10k$
-
m-relay
<4rkal:monero.social> Yeah for example don't use an online windows machine when managing 500k in funds
-
m-relay
<sweetbearkiller:monero.social> and a signer in an offline qube when managing funds > 10k$
-
m-relay
<sweetbearkiller:monero.social> we learn from our mistakes
-
m-relay
<4rkal:monero.social> But yeah having a certain standard sounds like a good idea. Should have EXACTLY the same setup for every dev tho
-
m-relay
<sweetbearkiller:monero.social> Shouldnt* ?
-
nioc
luigi1111w: which is why I suggested that trusted persons deal with it without telling who they are, ofc I got laughed at
-
m-relay
<4rkal:monero.social> But yeah having a certain standard sounds like a good idea. Shouldn't have EXACTLY the same setup for every dev tho
-
m-relay
<sweetbearkiller:monero.social> Maybe that will get more consideration now ig
-
plowsof
Seems like people want 4/9 multisig + the plot of a Tom Cruise movie
-
m-relay
<ofrnxmr:monero.social> 2/7
-
m-relay
<ofrnxmr:monero.social> I like 4/90
-
nioc
1/1
-
m-relay
<4rkal:monero.social> 6/9
-
m-relay
<ofrnxmr:monero.social> (4rkal is serious)
-
m-relay
<ofrnxmr:monero.social> Dreamlandia
-
plowsof
I hope people realise we will just be shooting the shit and nothing will happen until multi sig is ready(tm)
-
m-relay
<sweetbearkiller:monero.social> 4/9 would not be irrealist in managing the cold wallet honestly lol
-
m-relay
<4rkal:monero.social> Sorry for cringy joke ofrn
-
nioc
monerokon has not set up their multisig wallet yet because all participants need to be online at the same time for some amount of time
-
nioc
takes a while to do
-
m-relay
<ofrnxmr:monero.social> irrealist (brb while i dictionary)
-
m-relay
<sweetbearkiller:monero.social> lmao
-
nioc
highlight and Rclick
-
m-relay
<ofrnxmr:monero.social> > <nioc> monerokon has not set up their multisig wallet yet because all participants need to be online at the same time for some amount of time
-
m-relay
<ofrnxmr:monero.social> Arent they trusting rino aka basically dr
-
nioc
they want to set up CLI multisig as well for cold wallet
-
nioc
rino = hot wallet
-
m-relay
<ofrnxmr:monero.social> ah i thought rino = their solution
-
m-relay
<sweetbearkiller:monero.social> if people are trusted and good standards are adopted the risk is already significantly reduced even without multisig
-
m-relay
<ofrnxmr:monero.social> They want to use simplex for their key exchange, thata right
-
nioc
they want to set up a simpleX group, I have no idea how things will be set up
-
nioc
that is, no idea what it will be used for
-
midipoet
why is simplex better for key exchange than pgp encrypted email? Is it just cause simplex establishesbs p2p connection for the blob exchange?
-
midipoet
*establishes
-
plowsof
Security/convenience i think
-
midipoet
sure, but why?
-
midipoet
Or how?
-
plowsof
So with pgp, because i have to give my blob thing to all participants several times/vice versa - i would have to encrypt the message separately with each participants pgp.pub keys
-
plowsof
Unless there is a shared pgp key between us all (not sure how that would be distributed securely)
-
plowsof
Protonmail does the above automagically(?) Simplex even more automagically(?) I dont know
-
m-relay
<sweetbearkiller:monero.social> do that with the key ?
-
m-relay
<sweetbearkiller:monero.social> tho that means if anyone leaks everyone is compromised, we cant just revoke one key
-
midipoet
Yeah, should still be shared encrypted on simplex. There are still five (for example) phones with the blob on it. Unless there is autodestruct on messages, i guess.
-
m-relay
<sneedlewoods_xmr:matrix.org> > <plowsof> So with pgp, because i have to give my blob thing to all participants several times/vice versa - i would have to encrypt the message separately with each participants pgp.pub keys
-
m-relay
<sneedlewoods_xmr:matrix.org> not sure I understand this correctly, do you mean with pgp you have to create multiple encrypted messages, each for every participant?
-
plowsof
You have to encrypt the message with someones public key
-
m-relay
<sneedlewoods_xmr:matrix.org> yes, but you can add multiple pub keys to one encrypted message
-
plowsof
TIL?
-
plowsof
Nice, PGP is more than pretty good
crypto.stackexchange.com/a/86489
-
plowsof
So midipoet i see no reason for not using pgp over trusting 'the next best thing since sliced bread' app
-
m-relay
<plowsof:matrix.org> Community meeting next Saturday - what do we discuss
-
m-relay
<plowsof:matrix.org> 280 XMR to be handed to 37c3 event organisers to pay an outstanding invoice, and to fund the current event:
repo.getmonero.org/monero-project/c…als/-/merge_requests/105#note_22896
-
m-relay
<plowsof:matrix.org> How to fix the ccs wallet because every option has a reason not to move forward with it
-
m-relay
<plowsof:matrix.org> are we gatekeeping the ccs so that only core / seraphis devs will receive funding? is everyone finally happy?
-
m-relay
<plowsof:matrix.org> xmrscott wants to raise a Q about
mattermost.getmonero.org
-
m-relay
<plowsof:matrix.org> adding a custom "fr-external" tag to ccs proposals with an extra "donate-url" field would allow things to be displayed on the funding required page, and simply re-direct people to the link. (no progress bar or anything unless integration for specific funding platforms is added to scrape their api on regular intervals) - problem is that the ccs backend can't be built (needs a docker wizard to handle old php dependencies)
-
m-relay
<plowsof:matrix.org> also subscribe to featherwallets RSS feed
featherwallet.org/feed.xml (theres going to be nice update soon with offline QR code transfer capabilities)
-
m-relay
<plowsof:matrix.org> diceware (adding dice rolls to produce seeds / add extra entropy?) and other things listed here
matrix.to/#/!mehPttlWNbDtNeDbvu:mon…rg&via=monero.social&via=nitro.chat
-
midipoet
Plowsof: whats the gatekeeping topic about?
-
m-relay
<plowsof:matrix.org> so currently the only assurances for proposals in the ideas stage have been made to core / seraphis dev things
-
m-relay
<plowsof:matrix.org> the rest of them (myself included) are being left in the dark / asked to wait for a magic fix
-
midipoet
how do you mean assurances?
-
m-relay
<plowsof:matrix.org> funding will be secured for them (one way or another: either directly from the general fund / put forward for retro funding(should the ccs wallet situation be fixed shortly) or a combination of the 2)
-
m-relay
<plowsof:matrix.org> all of the inprogress proposals are covered* this is for the proposals at ideas
-
midipoet
Can we not just set up a RINO wallet as a stop gap in the short term? Is it that we don't have anyone trusted enough to run it?
-
nioc
we need more than one in case someone gets hit by a bus
-
midipoet
Just leave the backup with a couple of trusted members. Don't say who
-
m-relay
<plowsof:matrix.org> i am in favour of any stop gap short term solution. the bar for being "more secure" than the previous setup is really low and the disclosure can be as simple as "its not a hot wallet" hooray
-
midipoet
plowsof: I agree.
-
m-relay
<plowsof:matrix.org> multisig which is what RINO is based on though, is not "known secure" (there is an above zero chance an exploit exists)
-
midipoet
it will be fine
-
midipoet
and it's a short/medium term solution anyway
-
midipoet
if events want to risk 12k with it, i am sure CCS can risk the same
-
midipoet
how much normally does the CCS wallet need to hold at any one time?
-
m-relay
<plowsof:matrix.org> the last group of pending payments accumulated about 600 xmr in 1 month which is an ok estimate to throughput
-
nioc
there was over 600xmr in proposals ready to be merged when the bad news was announced
-
midipoet
Yeah, i count ~870 XMR in ideas now (not founding FCMPs)
-
luigi1111
Realistically it's gonna be 1-2k if people don't leave milestones for years. 1k per 3 months is probably not far off, I can easily check later
-
nioc
some are a no go
-
nioc
events won't keep all funds raised in RINO
-
nioc
CLI multisig = cold, RINO = hot
-
m-relay
<plowsof:matrix.org> we have to ask ourselves then, the theoretical multisig hacker: would they steal a few measly monteros or wait for something big - if this is the only reasoning then, it would be safe, however, the damage to the project/core team if it happens would be severe / outweigh the monetary value so seems appealing for enemies
-
m-relay
<plowsof:matrix.org> in security there is a counter argument for everything :(
-
midipoet
so theoretically what is the total amount we are willing to risk in a RINO wallet?
-
midipoet
250 XMR?
-
m-relay
<plowsof:matrix.org> 244~xmr was the "unhacked amount" in the CCS2 (the small wallet that was actually used to payout people quickly) so its a good number to start at
-
midipoet
Just make that the max allowed for each wallet. Will take some managing, admittedly but it's doable.
-
midipoet
And just distribute control out to trusted members and don't say who
-
midipoet
also, ensure backups are distributed out as well, to mitigate bus
-
nioc
to reduce the number of Monero needed to be held please pump (blasphemy)
-
m-relay
<plowsof:matrix.org> reduce the coinbase outputs temporarily
-
m-relay
<plowsof:matrix.org> this is no time for inflation
-
midipoet
right, so we have a plan?
-
m-relay
<plowsof:matrix.org> the github security experts and the anti ccs / core people will be mean to us
-
midipoet
People are mean here most of the time these days, so how does that change anything?
-
midipoet
we probably need four RINO wallets, and four (?) trusted members + plowsof.
-
m-relay
<ofrnxmr:monero.social> Round and round we go
-
m-relay
<ofrnxmr:monero.social> Or should i say
-
m-relay
<ofrnxmr:monero.social> facepalm
-
m-relay
<ofrnxmr:monero.social> That IF core holds it
-
m-relay
<ofrnxmr:monero.social> argument has been had and settled
-
m-relay
<ofrnxmr:monero.social> Solution: core doesnt hold the money, duh
-
m-relay
<ofrnxmr:monero.social> Lets just leave the money in the known vaults why dont we
-
nioc
they are not trustworthy?
-
nioc
let Cat do it, nobody would suspect
-
m-relay
<ofrnxmr:monero.social> +1
-
m-relay
<ofrnxmr:monero.social> Lets give it back to luigi, so i can rob him twice in a row
-
m-relay
<ofrnxmr:monero.social> Or give to bf, so when i finally get him, i can wipe monero clean
-
m-relay
<ofrnxmr:monero.social> Or give it to cat
-
m-relay
<ofrnxmr:monero.social> .. why would i waste my time on cat
-
m-relay
<ofrnxmr:monero.social> Cat wont even get me famous
-
m-relay
<ofrnxmr:monero.social> I hacked cat for 100xmr? "do you want a gold star sticker, ofrn?"
-
m-relay
<ofrnxmr:monero.social> Making a big deal out of peanuts. What we lost were funds that should not have been there