Revuo Monero Issue 221: December 5 - 12, 2024. revuo-xmr.com/weekly/issue-221

<s​ervers.guru:matrix.servers.guru> monerobull @monerobull:matrix.org: i checked my cloudflare what I did was the under attack mode + custom waf rule with managed challenge for everyone. Not interactive one.

<s​ervers.guru:matrix.servers.guru> That worked in my case.

<s​ervers.guru:matrix.servers.guru> Also a constant rate limiting rule.

<s​ervers.guru:matrix.servers.guru> Then you can see the challenge solved rate ( next to the rule) if it is working as expected it should be very low.

<s​ervers.guru:matrix.servers.guru> Also probably not accurate anymore as you said your hosting provider changed your ip but there is quite a few result for monero.town in censys

<s​ervers.guru:matrix.servers.guru> search.censys.io/search?resource=ho…virtual_hosts=EXCLUDE&q=monero.town

<s​ervers.guru:matrix.servers.guru> If one of those ips was the previous one, that would allow the attacker to bypass cloudflare entirely.

<s​ervers.guru:matrix.servers.guru> You probably already knows that but if the ip have been exposed before being behind cloudflare it is pointless.

<s​ervers.guru:matrix.servers.guru> You probably already knows that but if the ip have been exposed before being behind cloudflare it is pointless to set it up afterwards.

<s​ervers.guru:matrix.servers.guru> You can also check historical data at securitytrails.com

<s​ervers.guru:matrix.servers.guru> Actually there is a complete record of monero.town ip as of July with associated ip.

<s​ervers.guru:matrix.servers.guru> Actually there is a complete record of monero.town dns as of July with associated ip.

<s​ervers.guru:matrix.servers.guru> Seems to be when you switch to cloudflare.

<s​ervers.guru:matrix.servers.guru> 5 months ago

<s​ervers.guru:matrix.servers.guru> I'll post it here as ip is not valid anymore.

<s​ervers.guru:matrix.servers.guru> matrix.monero.social/_matrix/media/…rvers.guru/bBdNzpCxCNNGvQpNumaZbhHi

<s​ervers.guru:matrix.servers.guru> Might be how cloudflare was bypassed before your hosting provider changed your ip if it didn't change since then.

<s​ervers.guru:matrix.servers.guru> Sorry for the off topic.

<s​ervers.guru:matrix.servers.guru> matrix.monero.social/_matrix/media/…rvers.guru/rTatOFdlHcADrXGgYgfEmIeX

<r​ottenwheel:unredacted.org> Holy shit, doesn't this look exactly the same as ccs.getmonero.org but with different colors? plowsof Diego Salazar

<r​ottenwheel:unredacted.org> ccs.particl.io

<r​ottenwheel:unredacted.org> Guess Firo was one of... a few? 🤔

<d​iego:cypherstack.com> I didn't make that one for them. :P

<r​ottenwheel:unredacted.org> Neither you did for Firo, the first one. :P

<d​iego:cypherstack.com> I did actually. They hired me to fork and do the illustrations, so I did.

<r​ottenwheel:unredacted.org> It was the big geonic or whoever else noticed the first one was copied and pasted, because the repo didn't have any license back then, no?

<r​ottenwheel:unredacted.org> So you forked and did the illustrations of CCS v1 for Firo?

<d​iego:cypherstack.com> And it was I who forgot to put said license on the first one

<r​ottenwheel:unredacted.org> I thought they had forked and deployed on their own.

<d​iego:cypherstack.com> I did, yes.

<d​iego:cypherstack.com> No sir.

<r​ottenwheel:unredacted.org> That's... interesting, for lack of a better word.

<r​ottenwheel:unredacted.org> github.com/particl/ccs-front || github.com/particl/ccs-back

<d​iego:cypherstack.com> When I had discussed with Core about its creation the first time, I was always talking about how cool it'd be to make not just a cryptocurrency, but other neat infrastructure that could be used across other FOSS projects. CCS, Kovri, etc.

<d​iego:cypherstack.com> They were always "yeah, man!"

<d​iego:cypherstack.com> so when Firo asked for my help on theirs, I didn't think much of it.

<d​iego:cypherstack.com> But I was wrong for two reasons: 1. I forgot to put a license. So Firo's one was in violation of license as technically the CCS was view-only, and not FOSS.

<d​iego:cypherstack.com> 2. People saw it as a conflict of interest that I made the CCS for Monero (with help from Devin from Globee and xiphon), and then got paid to do a fork for a competing project.

<d​iego:cypherstack.com> I hold that both reasons are silly, but others don't.

<d​iego:cypherstack.com> Particularly because I KNOW I'd spoken with core several times about being excited to make infrastructure that other FOSS projects could use (even outside of the crypto space, was my hope)

<d​iego:cypherstack.com> repo.getmonero.org/monero-project/c…/blob/master/LICENSE?ref_type=heads

<j​effro256:monero.social> Mfw FOSS is free and open source

<m​onerobull:monero.social> Yeah but they for some reason didn't and now they don't have the new IP

<m​onerobull:monero.social> The results are pretty random, just sites that mention .town somewhere

<s​ervers.guru:matrix.servers.guru> Yes true for censys. However the real ip show up on security trails.

<s​ervers.guru:matrix.servers.guru> The old one that is.

<s​ervers.guru:matrix.servers.guru> > <@monerobull:monero.social> The results are pretty random, just sites that mention .town somewhere

<s​ervers.guru:matrix.servers.guru> Yes true for censys, didn't know what it was so didn't know if it was accurate or not. However the real ip show up on security trails.

<m​onerobull:matrix.org> Yeah that one was public for a while

<s​ervers.guru:matrix.servers.guru> Maybe check with the managed challenge on cloudflare then if you haven't already.

<s​ervers.guru:matrix.servers.guru> I think that is the mandatory manual captcha check.

<s​ervers.guru:matrix.servers.guru> > <@monerobull:monero.social> The results are pretty random, just sites that mention .town somewhere

<s​ervers.guru:matrix.servers.guru> Yes true for censys, didn't know what the ip was so didn't know if it was accurate or not. However the real ip show up on security trails.

<d​iego:cypherstack.com> Particularly because I KNOW I'd spoken with core several times about being excited <> we may have found the person writing the tweets

<d​iego:cypherstack.com> Lmao! Nah bruh. Haven't been excited in years since then. ;)

<r​ucknium:monero.social> xcancel.com/W0wn3r0/status/1867624088686182661

<r​ucknium:monero.social> > Serious Wownero vulnerability disclosed by Rucknium at Monero Research Labs: codeberg.org/wownero/wownero/issues/488

<r​ucknium:monero.social> > Basically 80% of true ring members deducible since 2022 😭😭😭 Kind of on-brand for WOW tbh tho 😁 PR welcome!

<o​frnxmr:monero.social> Pretty obvious aint it

<o​frnxmr:monero.social> Theres no on chain volume 🙃, its all coinbases

<o​frnxmr:monero.social> "after the ten block lock." Its three blocks, ruck! RTFM. Wownero -> moon

<r​ucknium:monero.social> This vulnerability isn't about low tx volume. The decoy selection "anchor" was stuck in September 2022. All decoys of the vast majority of txs were all selected from September 2022 and earlier.

<o​frnxmr:monero.social> Yeah ik, i'm just messin

<r​ucknium:monero.social> Yeah, I wasn't sure about how many blocks it was locked.

<o​frnxmr:monero.social> good thing its a memecoin. 20c EOW

<r​brunner7:monero.social> Wow. Just wow. And something so glaringly obvious was overlooked for freaking years? Just check the time scale graph for this WOW transaction - lol:

<r​brunner7:monero.social> explore.wownero.com/tx/27b911bc1bcc…049e9f6e8c940fee3e6bb57dacae7cf75/1

<r​brunner7:monero.social> I wouldn't wish something like this to my worst enemy :)

<r​ucknium:monero.social> The Wownerochan image on the explorer, or whatever, must have gotten in the way 😁

<r​brunner7:monero.social> It gets even better - if I interpret this correctly, they had an assertion in the code that triggered because of this, which they did not understand back then, and just commented out to silence / neuter it: git.wownero.com/wownero/wownero/issues/412

<r​brunner7:monero.social> ROFL

<r​ucknium:monero.social> When you disable a sanity check, your blockchain goes into insane mode.

<r​brunner7:monero.social> How did you become aware of this, Rucknium ? Can you, are you allowed to tell? Very curious - pure chance?

<r​ucknium:monero.social> I'm not 100% sure that issue #412 is related to this bug, but looks suspicious, doesn't t? I did a quick search of issues on the repo before I reported the vulnerability, to check if it was already known.

<r​brunner7:monero.social> Yeah, same here, not fully sure, but does indeed look suspicious

<r​ucknium:monero.social> rbrunner7: (1) plowsof wrote WOW support into Wishlist as a Service. (2) nioCat donated WOW to support my server costs: rucknium.me/donate

<r​ucknium:monero.social> (3) mainnet_pat added BCH support to BasicSwap. (4) I asked snex to test BCH<>WOW atomic swaps. (5) Curious about the process, I watch the `wownero-wallet-rpc` logs as the swap happens. Then I see

<r​ucknium:monero.social> `real_output_in_tx_index=1`

<o​frnxmr:xmr.mx> rip snex

<r​ucknium:monero.social> Which should _not_ happen, given that the output was at least a week old

<r​ucknium:monero.social> So really it was a group effort :D

<r​brunner7:monero.social> Thanks. Really cool story, bro :)

<r​ucknium:monero.social> I checked the transaction on the wownero block explorer and saw all but one of the ring members was from 2022 and earlier

<o​frnxmr:xmr.mx> Could this have anything to do with the shared-ring-db

<r​ucknium:monero.social> Then checked a few more. Then adapted by Monero blockchain analysis code to Wownero to assess the full impact.

<o​frnxmr:xmr.mx> Bcuz that thing causes 100 issues with wow

<r​ucknium:monero.social> ofrnxmr: I remembered that, too. Maybe there is the same root issue

<o​frnxmr:xmr.mx> example: use wownero-wallet-cli to send a tx, but when it asks to confirm (Y/Yes/N/No), press enter

<o​frnxmr:xmr.mx> Then try to repeat the tx = fails

good job everyone, 1 less item to add to the wow roadmap

<r​ucknium:monero.social> rbrunner7: I thought the same thing. for a few minutes I wondered if I was just seeing things wrong. Because anyone who would glance at the ring member distribution would notice the problem, if they had any familiarity with how ring sigs are supposed to work.

<o​frnxmr:xmr.mx> wownero up 3% today 💪

<3​21bob321:monero.social> Inverse reaction to news

<3​21bob321:monero.social> matrix.monero.social/_matrix/media/…ero.social/xzBYiUZGxvDSWMrVuhyrZNWO

<3​21bob321:monero.social> seems like that took the news hard

<r​amoses:beeper.com> newbie monero here

<h​avenouser:monero.social> no, u are just upside down 🙃

<d​iego:cypherstack.com> Made by us ;)

<d​iego:cypherstack.com> Good to see our work everywhere.

<r​ottenwheel:unredacted.org> Thought you were going to say you are that only one wow wallet doing the decoy selection properly. Oh, well, almost.

<d​iego:cypherstack.com> Ill get my illustrators to make more wow illustrations in celebration of the vuln

<d​iego:cypherstack.com> Hmmm... would be nice wouldn't it?

<d​iego:cypherstack.com> Its ok, wow barely works as a blockchain regardless

<d​iego:cypherstack.com> Actually funny that wow price is indeed going up though. True to form.

it werks

<r​ottenwheel:unredacted.org> nioCat did you dump all your wownoros yet?

never

<r​ucknium:monero.social> Diego Salazar: You can check if Stack's implementation is affected by following this procedure: codeberg.org/wownero/wownero/issues/488#issuecomment-2514139

<o​frnxmr:xmr.mx> It is

<o​frnxmr:xmr.mx> Ive made tx from stack's wow that have the the issue

<o​frnxmr:xmr.mx> Tldr: my 2022 tx's seem ok :D but everyrhing after that arent

<o​frnxmr:xmr.mx> And stack was my main wow wallet. Most of my outgoing wow tx this yr were from stack

<r​ucknium:monero.social> According to my blockchain surveillance, it seems that there is at least one implementation in the wild that does not have the bug.

<r​ucknium:monero.social> Maybe I will do a deeper analysis

<o​frnxmr:xmr.mx> I assume its the ringdb tbh

<o​frnxmr:xmr.mx> i hate the ringdb, even for monero. Seems like an ugly (stores in your home drive by default, like wth? Lol)

<o​frnxmr:xmr.mx> I havent tried the 11.0 implementation

<r​ucknium:monero.social> For example, this one looks fine: explore.wownero.com/tx/6ba48277c159…f97da8a7208ff5d302a6dce92540a9811/1

<o​frnxmr:xmr.mx> that was hardfork. And there are only wowlet, cli, rpc, stack and elitewallet

<o​frnxmr:xmr.mx> Not sure if elitewallet works. never used it to send a tx

<r​ucknium:monero.social> If it was Elite Wallet that had it right 😂

<d​iego:cypherstack.com> Just have wow update to fcmp right away.

<m​ario5555:matrix.org> Tunnel to a hosted VPS through SSH would bypass CGNat on things like starlink and then run a remote Tor on that VPS instance, you could probably do something with i2p also.

<s​hortwavesurfer2009:monero.social> That's a possibility. I remember when I was in high school, setting up my web browser through SSH to tunnel back to my home network so that I basically had my own VPN to get around the school firewall. So as long as I have the money to pay for it, that could work.

<s​hortwavesurfer2009:monero.social> I haven't set up any connection like that in a long time, but I know it wouldn't be hard to find the proper commands.

<o​frnxmr:xmr.mx> Rucknium is like 5 memes today

<r​ucknium:monero.social> Submit vulnerability for a memecoin; get memed. It was inevitable.

<r​ucknium:monero.social> I just see 13 transactions in 2024 that appear unaffected by the bug: codeberg.org/wownero/wownero/issues/488#issuecomment-2514678

<o​frnxmr:xmr.mx> Yup

<o​frnxmr:xmr.mx> matrix.to/#/!mzmDQgjgqNJMGyTtDm:wow…=xmr.mx&via=t2bot.io&via=matrix.org

<o​frnxmr:xmr.mx> matrix.monero.social/_matrix/media/…oad/xmr.mx/LThXSNhlnMDURIGhLztODsZT

<m​ario5555:matrix.org> ssh -C ( from memory )

<s​hortwavesurfer2009:monero.social> I want to say it was like ssh -n

<m​ario5555:matrix.org> Forwards the remote back to host with a keepalive so traditional client / server would still work and vise versa like in p2p

<s​hortwavesurfer2009:monero.social> I remember you had to specify the port on the remote system and the port on the local system as well.

<m​ario5555:matrix.org> Yes, I probably have it setup in VSCode for one of my remotes

<r​ottenwheel:unredacted.org> I am testing wow txs. and posting results in Codeberg issue shortly. Going to test: WOWlet; Cake; and Stack.

<r​ottenwheel:unredacted.org> WOWlet is broken.

there is a wow channel

<r​ottenwheel:unredacted.org> Cake production has a bug where it syncs 20-25k blocks, screen blinks on me, next thing I know I'm on main screen, gotta restart for it to happen all over again. Kind of pointless to try and sync with this current state of affairs. Skipping. Going for Stack, will edit comment when Cake's done.

<r​ottenwheel:unredacted.org> nioCat really? Shocking.

<m​ario5555:matrix.org> I2P is better if want device-network-location agnosticism, SSH you'll still have know where the VM is.

<m​ario5555:matrix.org> [@shortwavesurfer2009:monero.social](https://matrix.to/#/@shortwavesurfer2009:monero.social)