-
sgp_1
I do not see a significant reason to keep rucknium's analysis private based on my best assessment. I already commented this on the CCS proposal
-
sgp_1
the applicability to arbitrary transactions is reasonably small
-
sgp_1
and any such "vulnerability" has already been majorly patched in #7821
-
sgp_1
beyond that, the "vulnerability" generally refers to improvements of the selection algo, which is something that can always use improvement but isn't worth panicking over in my opinion. It's reasonable to speak about the scope of these problems and the results in MRL imho
-
sgp_1
such over-caution on open research is going to cause more harm than good in this area
-
dEBRUYNE
I'd suggest also to write a post-mortem similar to what Justin Berman did (getmonero.org/2021/09/20/post-mortem-of-decoy-selection-bugs.html)
-
dEBRUYNE
^ Rucknium[m]
-
rottenstonks
Friendly reminder: Dev meeting this Sunday at 1700 UTC. Agenda: monero-project/meta #614
-
Rucknium[m]
dEBRUYNE: Post mortem of what, exactly?
-
dEBRUYNE
the "vulnerability" generally refers to improvements of the selection algo, which is something that can always use improvement but isn't worth panicking over in my opinion.
-
dEBRUYNE
^ That basically
-
Rucknium[m]
It's too early to say whether it is worth panicking over.
-
Rucknium[m]
Look, sgp_ has done great things for Monero and has been involved in lots of technical discussions, but his technical understanding has limitations.
-
Rucknium[m]
isthmus, who has a Ph.D. from a top-ten U.S. chemistry program and has been working as an MRL researcher for years thinks, as I have stated in this channel previously, that
-
Rucknium[m]
my work is "a fundamental breakthrough in analyzing Monero-style ledgers" that is "potentially catastrophic" and "might be honest-to-god RIP for Monero at current ring size and composition".
-
dEBRUYNE
I am merely saying that we should be cautious with wording and not unnecessarily antagonize users
-
dEBRUYNE
Initial assessment of the other bug was also wrong
-
Rucknium[m]
We are having other qualified people within the Monero community review it as we speak
-
dEBRUYNE
Using those quotes without having proper review of other members is arguably unnecessarily spreading fear
-
moneromooo
You know, the more this game of secrecy goes on over something that was essentially qualitatively known, the more I'm starting to smell something off.
-
Rucknium[m]
dEBRUYNE: Yeah, which is exactly _why_ the technique and associated information should not be released. We don't understand how dangerous it all is yet
-
Rucknium[m]
moneromooo: What do you mean by "off", moo?
-
moneromooo
It suggests some hidden motive.
-
Rucknium[m]
You know there are people currently reading it who can offer a good assessment
-
Rucknium[m]
What motive?
-
Rucknium[m]
That I want to FUD Monero or something?
-
moneromooo
I'm not sure. It is just starting to feel off.
-
moneromooo
It doesn't really add up.
-
Rucknium[m]
Non-experts are commentating and I'm pushing back, based on the fact that they are not experts
-
Rucknium[m]
Let's wait for more experts to weigh in
-
Rucknium[m]
Look, different users face different threats. For some users, probabilistic analysis doesn't matter. For others, it does.
-
dEBRUYNE
Rucknium[m]: Given that 'we don't understand how dangerous it all is yet' we shouldn't draw conclusions and use words that may antagonize users
-
dEBRUYNE
That's the point I am trying to make
-
dEBRUYNE
And I feel that's currently not the case
-
Rucknium[m]
Well, maybe SGP shouldn't have given his assessment publicly then either
-
Rucknium[m]
SGP has an undergraduate degree only. So does jberman
-
dEBRUYNE
The bug Justin Berman found was initially deemed to be of high impact. After further review it was concluded that the impact was not as high as initially assessed
-
dEBRUYNE
In the meantime we had news outlets writing various articles about how 'Monero's privacy was broken'
-
Rucknium[m]
The only person with a Ph.D. that has weighed in says that it is a problem. Now several people with Ph.D. are examining it and will hopefully give their views shortly
-
dEBRUYNE
I don't think degree / no degree can necessarily be used as measure to determine one is qualified
-
Rucknium[m]
dEBRUYNE: Here's the problem, of Monero's own making: I need to raise community support for my project. The remedy to the problem is linked to the attack. People are saying I should release even more info about the attack
-
moneromooo
That's not the point. This is appeal to authority *and* we've known there is a problem for ages. It's builtin.
-
Rucknium[m]
Ok, yes there is a problem. Everyone agrees
-
Rucknium[m]
I have a proposed fix. We are all on the same page
-
» moneromooo misses the days of "just fucking fix it".
-
moneromooo
(not for this particular case alone)
-
Rucknium[m]
I agree that I should just fucking fix it, but I cannot work for months for free. That's unreasonable any way you slice it
-
Rucknium[m]
If there was some other funding mechanism than CCS, then maybe we wouldn't be having this conversation.
-
moneromooo
Jesus, straw man.
-
» moneromooo goes back to more interesting stuff before getting angry
-
Rucknium[m]
What's the strawman?
-
Rucknium[m]
I agree that these things raise the conversation temperature around here. As I have said before, sometimes my emotions come out in a way that I don't want them to
-
john_r366
I might be off here, so apologies if so, but I think part of this comes down to financial interest. There's a risk to Rucknium, once the information is made public, that he doesn't get the paid work for improving the mixins, and also potentially doesn't get the bug bounty. I'd probably feel the same anxiety if I thought I had some paid work lined up, and then saw it potentially slipping out my
-
john_r366
fingers. However, given that we now have JBerman, SGP and monoromoo (who've seen the write up) advocating for making this info public, it's probably worth clarifying on a few things. 1) if made public - does Rucknium get the bug bounty or not? He has previously said he doesn't care about that monetary aspect, but probably worth still clarifying (?). Then 2) Will making public impact Rucknium's CCS
-
john_r366
proposal getting funded? Hard to tell, but probably not? There seems to be consensus that this is a weak point in Monero, and effort to improve it is desired
-
john_r366
sorry *moneromooo, i often forget the third 'o' in your name!
-
Rucknium[m]
john_r366: To clarify this specific point: "He has previously said he doesn't care about that monetary aspect, but probably worth still clarifying"....
-
Rucknium[m]
I do want to get paid for months of work. However, I don't care much if it comes in the form of CCS or the "bug bounty".
-
Rucknium[m]
People should also be aware that conceptual problems, and not just code bugs, are within the scope of the Vulnerability Response Process / HackerOne
-
Rucknium[m]
"This Vulnerability Response Process and subsequent bounty reward apply to the following....(2) Written research from the Monero Research Lab which dictates said code implementation"
-
moneromooo
Whether it is made public or not has no bearing on whether there is a bounty. However, whether it is deemed worthy of a bounty has influence on whether it is made public.
-
moneromooo
I've not thought about whether a bounty is applicable here tbh.
-
moneromooo
As for the work, improvements to the fake out selection is always good, whether the analysis is public or not.
-
Rucknium[m]
Keep in mind that 11 -- Eleven -- people worked on Moser et al. (2018), which currently determines the mixin selection algorithm. I am not sure how many labor hours went into that paper, but it's probably a lot. Of course, the paper did a lot more than just suggest a new mixin selection algorithm
-
moneromooo
The only change that could happen here is some other person seeing the analysis and doing the work for free to trying another CCS. Slim chance.
-
Rucknium[m]
sgp made a suggestion in his comment on my CCS that 10 weeks of work by one person (me) plus an undetermined amount of work by jberman may be "on the high side"
-
Rucknium[m]
(And Moser et al. (2018) couldn't even get it right. They made basic mistakes.)
-
john_r366
@Rucknium - moneromooo has just clarified that making this info public does not impact whether or not there is a bounty. So that avenue of payment isn't invalidated. And then in terms of the CCS, it doesn't appear that anyone else is clamouring to do the same work - so that avenue will remain open. It may be worth getting alongside moneromoo, JBerman and SGP - opening up this information, and then
-
john_r366
pushing forward to get this CCS into the funding stage?
-
Rucknium[m]
john_r366: " It may be worth...." Yes, possibly. I think even more people should be brought into the conversation....
-
Rucknium[m]
In my HackerOne submission I specifically suggested 3 people in particular to act as auxiliary reviewers, since the contents of the submission may have been outside of the area of expertise of luigi and moneromooo...
-
Rucknium[m]
Two of those people were jberman and isthmus. jberman has weighed in, giving a comment on the CCS proposal page. isthmus has not really made much in the way of public statements, but he is busy with his day job and just sunk a ton of time into Monero, for free, with his (our) analysis of the tx volume anomaly, which I hope people have read.
-
Rucknium[m]
The third person is in the process of reviewing it.
-
Rucknium[m]
I believe I have had to do all the legwork to get the auxiliary reviewers on board.
-
Rucknium[m]
There are also two more Monero community members with Ph.D.'s who have requested and received the HackerOne submission. I'm not sure what they intend to do, though -- give feedback to me privately? Discuss in a group? Public statement? Unclear so far
-
john_r366
Ok, so where are you in the process of thinking about opening this information up publicly... you want to wait for this third reviewer to complete?
-
Rucknium[m]
I guess people hate "appeal to authority", but even one of the people with a Ph.D. told me directly, "Oh, BTW, I have a Ph.D. in X technical subject" when requesting the HackerOne submission, so at least they may think it is important
-
Rucknium[m]
<dEBRUYNE> "Rucknium: Given that 'we don't..." <- ^
-
Rucknium[m]
I will refer to dEBRUYNE 's statement here. We don't fully understand how the information could be used by a Monero adversary. I don't understand the urgency for release. Good science takes time. It always does
-
Rucknium[m]
Look, all of you: I took very seriously the suggestion 1.5 months ago by someone, I don't remember who, that the recent bug found by jberman did not follow proper Vulnerability Response Process guidelines.
-
Rucknium[m]
So I tried to do what I thought was right
-
Rucknium[m]
I am under a ton of heat right now. I can take it, but you have to understand why I am doing what I am doing.
-
Rucknium[m]
Also take into account my inexperience in this particular area. I don't understand vulnerability processes very well, or the FOSS community for that matter
-
Rucknium[m]
It hasn't help, frankly, that moneromooo said that he doesn't like to follow formal VRP processes. That's a problem when I don't understand the implicit norms.
-
Rucknium[m]
* It hasn't helped..
-
moneromooo
In what way did this hinder you ?
-
Rucknium[m]
I like mooo. I respect him a lot. Overall I think we have a good working relationship. The whole reason I became involved in Monero research is because mooo made an awesome diamond-in-the-rough blockchain game, Townforge, actually. But I have not been happy with how my HackerOne submission has been handled
-
moneromooo
Dude. You want it kept secret but keep talking it up in public.
-
moneromooo
THAT is what annoys.
-
Rucknium[m]
Not following formal processes? Well, I don't know the do's and don'ts. Apparently I have done a lot of the don'ts. I am sorry for doing the don'ts, but in some ways the responsibility is shared
-
Rucknium[m]
moneromooo: You gave no clear guidance at all when I specifically requested you tell me what can and cannot be released
-
UkoeHB
I feel a bit dizzy from this continuously circular discussion... 1) Rucknium[m] it may have been useful to get all those extra expert opinions before bringing up the proposal. Now, community members like sgp have no choice but to be vocal in opposition to perceived mistakes for lack of a better option (ie assessing the arguments of those experts). 2) In my experience, closed R&D cycles in crypto are very frustrating because they
-
UkoeHB
feel like runaway trains you have no possibility of affecting (whether or not it needs to be affected). The healthy dynamic is ‘here’s my idea, let me know what you think’ rather than ‘I’m (or we are) doing this thing unless you convince me/us not to do it (or kidnap me/us)’. 3) Appeals to authority can be useful, but in limited cases (like “let’s delay until an expert can look at this” or “let’s hire an
-
UkoeHB
expert to work on this”). It works when you are unable to make a convincing argument - eg your ability to assess something isn’t good enough or the subject matter is too complicated so you want an expert to help. I’m concerned you put too much weight on qualifications as a general rule for ‘does your opinion matter?’. Note that Monero and Bitcoin were and continue to be designed and built by mostly pseudonymous people.
-
moneromooo
I tend to err on the side of what the reporter wants.
-
Rucknium[m]
The main thing I want to result from this submission is an ocial determination of what should be redacted from a public version of this document in order to protect user privacy. I give my own view about information exclusions in Recommendation III. I wish to submit a CCS funding proposal that is based on this roadmap, so your views on redactions is appreciated. The organization and tone of this roadmap will likely change
-
Rucknium[m]
before release, but the basic elements are all here. The second thing is to initiate the Monero process for mitigating vulnerabilities, whatever that may be. The third and nal thing is to determine if this submission qualies for a vulnerability bug bounty. I have attached an XMR address for use if a bounty is deemed warranted.
-
Rucknium[m]
^ That is literally the first several lines of my HackerOne report
-
Rucknium[m]
Meh, formatting. The "" should be f's, mostly
-
Rucknium[m]
So it should be clearer why I did what I did, and when I did it.
-
Rucknium[m]
I submitted this report, said, "Please tell me what is sensitive, moo and luigi, so I can construct my CCS." I got no clear guidance on what was sensitive. I took that to mean that everything was potentially sensitive, so I wrote my CCS in the way that I did
-
Rucknium[m]
Does that clarify my actions to everyone?
-
john_r366
It does. Regarding the idea of redacting certain info, it would seem that those who've voiced opinion on making it public (and have seen the document) - moneromoo / SGP / JBerman - don't feel strongly about redacting any content.
-
Rucknium[m]
mooo felt that a lot of the report was "fluff", so I didn't even want to press him harder on my request for some determination of what was sensitive and what was not
-
moneromooo
Alright. I will go reread that section and tell you my opinion then.
-
Rucknium[m]
moneromooo: That would be awesome. Thank you
-
Rucknium[m]
john_r366: For SGP and jberman, that may be true. For moneromooo , in an earlier discussion about a week ago, he said to not make it public, weakly. He asked if I thought publicly releasing it would aid "assholes" or "helpers" more, at this point. I said the former, so he deferred to me on the matter
-
Rucknium[m]
I feel strongly we need more people who have seen the report to weigh in before we go the way of releasing it publicly.
-
john_r366
Makes sense - sounds like moneromoo will clarify on that position shortly
-
moneromooo
Sounds like something I'd say. I don't mind it being private while being worked on. What is starting to really get on my tits is the public shit slinging while pointing to secret stuff of unknown magnitude.
-
Rucknium[m]
moneromooo: I will again refer to the formal VRP process:
-
Rucknium[m]
"If disputes arise about whether or when to disclose information about a vulnerability, the Response Team will publicly discuss the issue via IRC and attempt to reach consensus"
-
moneromooo
We have. Impasse between you and sgp mostly :)
-
Rucknium[m]
Maybe there should be an acronym for following processes, like there is for RTFM
-
Rucknium[m]
FTFP
-
Rucknium[m]
moneromooo: Maybe you could even go so far as to say Sections X YZ A BC are safe to release. As you say, there is some "fluff" in there. And we could just release some of that today, even.
-
moneromooo
I'm not reading 28 pages of that again. Just going through section 3.
-
moneromooo
tbh the formalism is not too hard to work out even if kept private I think, so keeping it private is possibly mostly pointless.
-
Rucknium[m]
moneromooo: I understand and respect your view. I think we should have others weigh in before doing something that cannot be undone, however.
-
Rucknium[m]
Here's my off-the-cuff view on what may be able to be released. I would like to re-read the sections to think about them more before making a final decision, however.
-
Rucknium[m]
Probably OK to release:
-
Rucknium[m]
First three paragraphs of NOTE TO VULNERABILITY RESPONSE PROCESS REVIEWERS... (full message at libera.ems.host/_matrix/media/r0/do…f8cb14626cf9f806a11a399beff1cbbc225)
-
john_r366
moneromoo - whilst you've said "I don't mind it being private while being worked on." - just to clarify - are you also ok with it all being made public?
-
moneromooo
Yes.
-
john_r366
thanks
-
moneromooo
I mean all this VRP stuff is designed for bugs. Keep stuff private till fixed so you can't get pwned.
-
moneromooo
It doesn't really fit here.
-
Rucknium[m]
Ok, moneromooo and I worked out a semi-official (I guess) statement for me to make on the matter. I suppose if there are questions in other venues about this issue, it would be good to just quote me on this:
-
Rucknium[m]
"I have found a way to frame the shortcomings of the current mixin (a.k.a. "decoy"; a.k.a. "fake out") selection algorithm in a somewhat rigorous mathematical/statistical form. This discovery would allow someone well-trained in statistical analysis to calculate the likelihood that each ring member in an arbitrary ring of a Monero Transaction is the "real spend" in a more precise way than has previously been achieved. Calculating such a
-
Rucknium[m]
likelihood increases the traceability of Monero transactions, but it does not make Monero 'traceable' in a deterministic way. The technique is probabilistic, not deterministic. I intend to leverage this technique to inform the development of a substantial improvement to the mixin selection algorithm to help protect the privacy of all Monero users, which is what I think everyone wants."
-
mj-xmr[m]
<Rucknium[m]> "I agree that I should just..." <- I don't get this point. Why not simply telling the Community, that you need further funding and telling why?
-
Rucknium[m]
mj-xmr: That is what I'm doing, as far as I understand it. You don't think so? I've submitted a CCS. That's how we do things here, no?
-
mj-xmr[m]
Yeah, you did, but it's limited to closing that particular bug you're working on.
-
mj-xmr[m]
I'm thinking about discussing with the Community a possibility of being funded as a resident researcher, if you feel that it will go on for longer than expected.
-
mj-xmr[m]
I'm not saying they'll agree 100%, but that should cover your costs. I've had a very similar situation. My initial proposal takes ages to complete, not from my fault at all.
-
Rucknium[m]
"I'm thinking about discussing with the Community a possibility of being funded as a resident researcher, if you feel that it will go on for longer than expected." Well that would be just swell :D
-
Rucknium[m]
I feel like reliance on the CCS system as the sole means of funding Monero work has sort of forced a suboptimal equilibrium.
-
mj-xmr[m]
Just ask. Write on Reddit to get an initial response and give your reasons. See the reaction. With that, you're good to start a follow-up proposal.
-
mj-xmr[m]
Rucknium[m]: Sorry, this ain't a university. Things are not perfect >_<
-
mj-xmr[m]
Be creative :)
-
Rucknium[m]
mj-xmr[m]: I'll think about it. Maybe in a few days. I'm a bit exhausted at the moment though.
-
mj-xmr[m]
Sometimes one step back is needed.
-
Rucknium[m]
Funding for my BCH was easy. This is tougher, partially since the work is more involved and technical and sensitive. Partly due to the CCS funding structure.
-
Rucknium[m]
*Funding for my BCH work was easy
-
Rucknium[m]
It was funded within 48 hours of me posting this:
-
mj-xmr[m]
<Rucknium[m]> "*Funding for my BCH work was..." <- The Monero Community is also equally fast in funding good ideas.
-
mj-xmr[m]
You can blame the CCS system if you want, but it's just ... a system.
-
Rucknium[m]
Well, CCS is somewhat permissioned though
-
Rucknium[m]
luigi has to approve it. And then the funds are custodial
-
mj-xmr[m]
Then the question is:
-
mj-xmr[m]
Do you want to get funded, or do you want to change CCS system?
-
mj-xmr[m]
Maybe I'm too pragmatic, but I'm happy with this.
-
Rucknium[m]
I have said before that I think Monero would benefit from a permissionless, self-hosted, non-custodial option like BCH's Flipstarter. That's in addition to, not instead of CCS.
-
mj-xmr[m]
OK It's not there.
-
Rucknium[m]
As an economist I have spent, I don't know, thousands of hours thinking about how to get capital and labor to meet up, combine, and produce great things.
-
Rucknium[m]
(ahem, appeal to authority) So I have some insight into the issue
-
mj-xmr[m]
... in the "Clown World"
-
Rucknium[m]
mj-xmr: What are you referring to?
-
mj-xmr[m]
Google it.
-
mj-xmr[m]
It's nothing offensive
-
Rucknium[m]
I see nothing relevant on the first page of results
-
fluffypony
I also just want to caution everyone into devolving into paranoia; security researchers are often cautious with their research, and Rucknium[m]'s write-up is solid. This is good research that improves Monero, and I support and applaud his efforts.
-
Rucknium[m]
fluffypony: Thank you for taking an interest in my work. I appreciate it very much.
-
mj-xmr[m]
"Clown World" is also a term used by black project researchers, describing our fake societies, structures and jobs.
-
mj-xmr[m]
I hope this gives you some context.
-
fluffypony
Rucknium[m]: thank you for your work, anything that provides tangible improvement to Monero - no matter how breakthrough or incremental - should be highly valued
-
mj-xmr[m]
So if you excuse, I've got some stuff to do. I showed you the way, that works. It worked for me at least.
-
mj-xmr[m]
I'm not commenting on the research itself.
-
Rucknium[m]
mj-xmr: Thank you for your guidance
-
mj-xmr[m]
mj-xmr[m]: I'm sure it's good :)
-
sgp_1
<Rucknium[m]> ""I have found a way to frame the..." <- To be clear, the statistical tests were specifically run for the *old* version of the selection algorithm. It's not that they don't apply at all to the *current* algorithm, but I think everyone agrees that the numbers are far better for the *current* algorithm than the results may imply
-
Rucknium[m]
sgp_: By current, you mean the one that was released a few weeks ago, correct?
-
sgp_1
<Rucknium[m]> "I feel like reliance on the..." <- You do not need to use the CCS. MAGIC could fund this easily. It's research
-
sgp_1
Rucknium[m]: Yeah
-
Rucknium[m]
MAGIC requires KYC. I don't do KYC
-
Rucknium[m]
I think MAGIC is good for what it does, but it cannot cover all cases
-
sgp_1
Still inaccurate to say CCS is the only option
-
sgp_1
You could do what Monerujo does
-
sgp_1
But I get why you may want to use CCS
-
Rucknium[m]
sgp_: I will see if I can figure out a way to get new estimates of attack potency for the new mixin selection algorithm.
-
Rucknium[m]
Monerujo's funding model is about a month old. Hardly something that I want to rely on, especially given that I have little reputation, unlike Monerujo
-
sgp_1
Should be possible to do some estimates for recent-spend blocks I think. Don't need the full tail
-
Rucknium[m]
I can maybe work with jberman on this
-
sgp_1
And fwiw, I do find it odd that we know nothing about your academic background, but you're the first to attack others like me about only having an undergrad. Maybe that's the biggest proof you are in academia though :p
-
sgp_1
If this report was public I'm confident everyone could just calm down
-
sgp_1
There's plenty of work to do; what you outlined as future work was just a rough outline so it's not like someone could just steal it
-
Rucknium[m]
FWIW, I vetted the new MSA back in August and discussed that it improves, but does not entirely solve, the issue with the MSA
-
sgp_1
If this was just pitched as "hey I want to make the selection algo better, here's a heuristic example that shows I can look at this, please support future research" that's what I generally look for
-
Rucknium[m]
>From a statistical perspective, I support the latest version. What is accomplished here is "thickening" the probability density function of the selection algorithm in the section closest to zero. This more closely mimics the observed distribution of mixins + real spends. However, in the near future it is crucial that we consider moving away from the current selection algorithm that is based on Moser et al. 2018. I have some ideas about
-
Rucknium[m]
how to accomplish this.
-
Rucknium[m]
^ August 18.
-
sgp_1
Rucknium[m]: Nothing will "entirely solve" without potentially severe drawbacks
-
sgp_1
So the goal isn't to make certain values = 0
-
sgp_1
The secrecy is what has prevented us from having basic discussions about this
-
sgp_1
Instead I need to have a non-discussion with no details to support anything
-
Rucknium[m]
Look, we all have to be patient. This needs work ASAP, but no sooner that "is possible". These things cannot be rushed
-
Rucknium[m]
sgp_1: I feel your pain
-
Rucknium[m]
* no sooner _than_ "is possible"
-
Rucknium[m]
>Nothing will "entirely solve" without potentially severe drawbacks
-
Rucknium[m]
^ We don't even know this. More research is needed. It might be able to be completely solved.
-
carrington[m]
Keeping cool heads and just waiting until more people who read the report a few more days seems fine
-
carrington[m]
* the report to express opinions a few
-
dEBRUYNE
<Rucknium[m]> I will refer to dEBRUYNE 's statement here. We don't fully understand how the information could be used by a Monero adversary. <= And that should arguably also have been reflected in the CCS, which currently is not really the case
-
Rucknium[m]
dEBRUYNE: Ok, sure, I can revise the CCS. That's the point of this part of the CCS process, right?
-
Rucknium[m]
Revisions, with git?
-
Rucknium[m]
I feel like you guys are complaining that I'm creating drama or something. Instead, you should be focusing on the technical issues.
-
Rucknium[m]
Which we are working through as quickly as possible, but deliberately.
-
gingeropolous
i think the bikeshed should be purple
-
Rucknium[m]
gingeropolous: Good one! I believe what is being referred to here is
-
dEBRUYNE
Rucknium[m]: I am mostly worried about this:
-
dEBRUYNE
'I feel some are (understandably) misunderstanding what is being claimed in the post. The claim is not that using the technique in isolation, you can arrive at a conclusion that enables you to trace a transaction with 100% certainty'
-
dEBRUYNE
I've seen this multiple times already in the community recently
-
dEBRUYNE
Hence my suggestion to not draw conclusions until the issue has been extensively analyzed
-
dEBRUYNE
To reiterate, the bug Justin Berman found was also not as impactful as initially thought
-
Rucknium[m]
dEBRUYNE: I think a lot of this is due to cross-disciplinary miscommunication.
-
Rucknium[m]
In economics, everything empirical is stochastic.
-
Rucknium[m]
So maybe in the back of my mind I just have a constant basis of "approximately X, approximately Y"
-
Rucknium[m]
Whereas in CompSci, things tend to be more deterministic. So I see the point.
-
Rucknium[m]
I can edit the CCS. I mean, I will edit several things.
-
Rucknium[m]
I am kind of exhausted at the moment though
-
Rucknium[m]
Taking dozens of questions and needing to have extensive, precise responses
-
sech1
you need a secretary :D
-
Rucknium[m]
sech1: Practically, lol. I mean, it would help if some of the more technical reviewers could chime in. But review takes time.
-
dEBRUYNE
The proposal arguably should simply have been 'marketed' as working full-time on, among other things, Monero's decoy selection algorithm
-
dEBRUYNE
Without drawing preliminary conclusions
-
sgp_1
fwiw, Rucknium I know this has been kinda rough and I really appreciate the report and you opening up a CCS
-
Rucknium[m]
dEBRUYNE: As I stated above, I specifically asked moneromooo for guidance in constructing my CCS; he gave me none. What you see is the result of no guidance
-
sgp_1
it is good research and I'm glad you are wanting to look into it further
-
Rucknium[m]
sgp_: I appreciate that. Thank you.
-
sgp_1
as I said on gitlab: "there's no question in my mind that MRL will get something out of this."
-
Rucknium[m]
dEBRUYNE: As I stated earlier, no hard feelings toward moneromooo, but I am none too happy with how my HackerOne submission was handled. You can take it up with him.
-
Rucknium[m]
Again, the key phrase at the very top of my HackerOne submission:
-
Rucknium[m]
>I wish to submit a CCS funding proposal that is based on this "roadmap", so your views on redactions is appreciated.
-
sgp_1
I encourage you to try to think about things from dEB and my perspective, where we historically have been the ones who deal with the fallout of interestingly-worded scientific papers that are then marketed misleadingly by media and thus cause total chaos in various areas
-
Rucknium[m]
Luigi in theory also is part of the Vulnerability Response Process, but I have no evidence that luigi read my submission.
-
sgp_1
VRP hasn't ever provided CCS feedback before, maybe that assumption led to this confusion
-
sgp_1
so they were like "sure, go do it" and you were like "pls help" and they were like "normally other people help with that"
-
Rucknium[m]
sgp_: Yes, I understand this. I am working within the Monero Project as best as I am able, in my estimation. So this is different, of course. I could have just published or, worse, sold off information and my labor to the highest bidder
-
sgp_1
the CCS audience is almost always quite a community-oriented audience
-
Rucknium[m]
sgp_: I see. Could be. There have been communication breakdowns all around.
-
geonic
My personal opinion is that Ruck’s submission should be made public at this point. The VRP exists so that matters like these can be worked out quietly and handled without fanfare. The amount of dust that’s been raised by the author around this issue makes that impossible. So if moo is ok with publishing it, do that and let’s deal with the
-
geonic
fallout.
-
moneromooo
FWIW "I could have screwed you" usually doesn't help in making people see things from your point of view.
-
dEBRUYNE
Rucknium[m]: To be clear, I have a similar opinion as -> I really appreciate the report and you opening up a CCS
-
dEBRUYNE
However, (i) you cannot hold mooo responsible for the current version of your CCS proposal
-
dEBRUYNE
You could have asked guidance on IRC from other community members
-
Rucknium[m]
moneromooo: I mean, I see that. Sorry for my frustrated words
-
dEBRUYNE
(ii) Please consider this -> <sgp_1> I encourage you to try to think about things from dEB and my perspective, where we historically have been the ones who deal with the fallout of interestingly-worded scientific papers that are then marketed misleadingly by media and thus cause total chaos in various areas
-
Rucknium[m]
dEBRUYNE: We had a discussion here exactly a week ago when mooo and I and others were openly discussing the HackerOne submission. So where was the "community guidance" then?
-
Rucknium[m]
I submitted my CCS on Wed
-
Rucknium[m]
So everyone had 4 days or so to help
-
Rucknium[m]
Breakdowns, everywhere
-
sgp_1
I wasn't really able to comment on it because I didn't see the paper so I had no idea if the tone was a good fit or not
-
dEBRUYNE
Typically -dev is not the place for that, but I guess I am being pedantic
-
Rucknium[m]
jberman and isthmus had seen the full HackerOne report at the time that I submitted it, which at this point is 2.5 weeks ago
-
dEBRUYNE
We need to separate the vulnerability process / response here and the ccs proposal
-
Rucknium[m]
dEBRUYNE: Yes you are since there is no clear place to discuss big Monero issues other than -dev . #monero is, for whatever reason, not the place
-
moneromooo
Yeah, I'm not quite sure how I became the person responsible for editing people's CCS. I'm on the VRP fix exploitable code.
-
sgp_1
fwiw, I understand that the separation may not have been clear from rucknium's perspective, but yes in my view they should be thought of separately
-
Rucknium[m]
sgp_: But, again, I linked them extremely explicitly in my submission. Mooo thought it was "fluff" *shade*
-
dEBRUYNE
Rucknium[m]: I am speaking about getting input for your CCS, not the VRP
-
Rucknium[m]
dEBRUYNE: Ok, well maybe I should have gotten some guidance from mooo about how to proceed
-
sgp_1
would definitely have been useful. I also see how moo doesn't consider that to be their task. hence the result
-
Rucknium[m]
Since, as I have stated over and over again, I am not a computer scientist, I am not a Real Programmer. I am a researcher!
-
Rucknium[m]
I suggested to mooo to get additional opinions, but that didn't really happen
-
Rucknium[m]
I sort of brought up my frustration a week ago in a somewhat unstructured way. Read the -dev logs.
-
Rucknium[m]
It's not clear to whom I appeal if I feel that the VRP process is not proceeding well.
-
Rucknium[m]
Within nearly all formal processes within well-functioning organizations, there is an appeal process
-
Rucknium[m]
I was blocked in by the fact that I didn't know whom I could talk to, and about what since
-
Rucknium[m]
I am not a Real Programmer. I am an economist.
-
Rucknium[m]
So I don't understand these processes.
-
dEBRUYNE
FOSS can appear a bit messy to people that come from private or public organizations
-
dEBRUYNE
There's often not a clear structure in place
-
Rucknium[m]
And it's worse when I get a response that the manager of the VRP doesn't like to follow formal processes
-
Rucknium[m]
Since then, what am I supposed to go on for guidance?
-
sgp_1
question to anyone: has there ever been another VRP-to-CCS case before?
-
dEBRUYNE
Ask guidance to the community
-
dEBRUYNE
You can use r/monero and IRC
-
Rucknium[m]
dEBRUYNE: But this doesn't work in a VRP case
-
dEBRUYNE
-dev is more geared towards development, so we typically refer to -community
-
dEBRUYNE
Did you try contacting luigi on IRC?
-
sgp_1
wait let's take a step back
-
Rucknium[m]
Yes. Well I communicated with luigi since I needed to do a test. And luigi replied that the test was OK. Then after I did the submission of my report, I didn't hear anything from luigi.
-
sgp_1
VRP team basically said that the report was interesting but wasn't necessary to keep private, allowing discretion, right?
-
Rucknium[m]
So I could have, I guess tried to appeal to luigi I suppose. I think I had difficulty contacting them, though.
-
Rucknium[m]
Plus, I stated certain things in the HackerOne log, which both Luigi and mooo could see
-
Rucknium[m]
sgp_1: No
-
Rucknium[m]
Let me look at IRC logs
-
sgp_1
if that wasn't clear, then it should have been, because else how would you have known what to do at all
-
Rucknium[m]
Just look here. I repeatedly query moneromooo about release
-
Rucknium[m]
Eventually he says, to sum up:
-
Rucknium[m]
>Whether you should [publish], overall, depends on whether you'd be helping assholes more or helpers more.
-
Rucknium[m]
So he deferred back to my own judgement. Since, frankly, I don't think that everyone who reads this thing can fully understand its implications.
-
Rucknium[m]
And I said "Then let's not publish"
-
sgp_1
yeah imo moneromooo a clearer "yes or no" that wasn't all on rucknium deciding would have helped a lot I think
-
Rucknium[m]
SerHack said
-
Rucknium[m]
>Then there's a solid no from me.
-
Rucknium[m]
selsta:
-
Rucknium[m]
>It's fine not to disclose it publicly in this case.
-
sgp_1
serhack and selsta didn't see it by then right?
-
Rucknium[m]
So that's mooo (deferring to me), SerHack (security researcher), and selsta (dev, paid via CCS) all saying
-
Rucknium[m]
NO
-
selsta
I did not see anything yet.
-
» selsta didn't read backlog
-
Rucknium[m]
No, SerHack hasn't seen it either
-
sgp_1
they probably said NO because they had no ability to judge the severity because they didn't see the report
-
Rucknium[m]
But ....look, just read the logs
-
Rucknium[m]
SerHack and selsta asked questions of me. I responded. Then, in their judgement, they said "Don't disclose"
-
Rucknium[m]
sgp_: Yeah, better safe than sorry!
-
sgp_1
yeah but the risks were inflated in these discussions imho
-
Rucknium[m]
LOOOK
-
Rucknium[m]
The first time I encountered real encryption, it was in a context in which if the encryption protocol failed..
-
Rucknium[m]
PEOPLE COULD BE KILLED
-
Rucknium[m]
SO I TAKE THIS DEADLY SERIOUSLY
-
Rucknium[m]
FFS!
-
geonic
oh my
-
Rucknium[m]
SO, BETTER SAFE THAN SORRY
-
Rucknium[m]
FFS
-
Rucknium[m]
Protection of user privacy is paramount.
-
Rucknium[m]
Every other concern is secondary.
-
Rucknium[m]
For Monero, what is privacy-critical is also safety-critical.
-
Rucknium[m]
I don't want blood on my hands.
-
Rucknium[m]
I don't know about you.
-
Rucknium[m]
FFS
-
Rucknium[m]
What we are NOT is stewards of price, or, really, image.
-
Rucknium[m]
We are stewards of people's privacy, in safety-critical contexts.
-
gingeropolous
yes yes.
-
Rucknium[m]
I don't care if some "FUD" is generated, if at the end of the day, user privacy is protected.
-
gingeropolous
dude it didn't matter what you did. FUD would have been generated
-
gingeropolous
Monero is literally a FUD machine. Effort goes in, FUD comes out.
-
sgp_1
ya
-
Rucknium[m]
Maybe I should do what mooo did and take a break for a bit
-
Rucknium[m]
It is quite hot in this room. And yeah, I made a lot of the heat.
-
dEBRUYNE
I'd focus on working with other developers and researchers on determining the impact of the bug
-
dEBRUYNE
And not making any public statements about it until we have sufficient clarity
-
dEBRUYNE
<Rucknium[m]> Protection of user privacy is paramount. <= And giving proper information to the user is imperative
-
Rucknium[m]
That doesn't work well since we don't know full impact for weeks into my CCS research.
-
dEBRUYNE
Drawing preliminary conclusions could technically lead to misinformation, which may falsely antagonize the user
-
dEBRUYNE
There has to be a healthy balance here
-
dEBRUYNE
The CCS can still be merged, I don't see any issue with that
-
Rucknium[m]
Yeah, I agree. I have avoided making key specific statements that are in my HackerOne submission, since they may be misinterpreted by users
-
sgp_1
#monero-community:monero.social meeting starting this moment btw
-
Rucknium[m]
Just on time. lol. I will observe there
-
sgp_1
looking at specific steps forward here:
-
sgp_1
I think the most obvious thing would be a short document for VRP-to-CCS that explains expectations and gives some highlights to people who haven't made a CCS before
-
luigi1111w
Rucknium[m] sorry I had a bit of trouble decrypting (fixed now), and was also a bit behind to start, however I had/have no issue deferring to mooo for opinions in the meantime
-
sech1
moneromooo there's something weird going on with Monero network right now. Multiple nodes get stuck and mempool is flooded (no of txs: 491, size: 43243.58 kB)
-
selsta
sech1: which height?
-
sech1
2462270-2462280, different nodes stuck at different heights. Very high CPU usage
-
sech1
I was able to recover my node by popping blocks and flushing tx pool offline and then syncing from node.supportxmr.com in exclusive mode
-
UkoeHB
2462324 took 9 minutes to produce
-
selsta
my low ram nodes got killed
-
selsta
my regular node seems fine at height 2462324
-
sech1
my node has 64 GB RAM
-
sech1
the problem was with CPU usage
-
devbordecraft[m]
On my node too, very high CPU usage with 8 core
-
UkoeHB
DDOS?
-
jberman[m]
past 24hrs 194 input txs spiking:
pooldata.xmrlab.com
-
sech1
I think it's just the max size for a single tx
-
sech1
created by CLI wallet
-
selsta
sech1: do you still have high cpu usage?
-
sech1
not anymore, after flushing tx pool
-
jberman[m]
every recent block seems to have some of em
-
UkoeHB
jberman[m] Rucknium[m] isthmus: maybe the tx volume anomaly consolidating outputs?
-
jberman[m]
that's what I'm thinking too
-
UkoeHB
tx pool still has a ton of them submitted 1.5-2hr ago; it will take a while to get through them all
-
UkoeHB
1-1.5hr*
-
isthmus
Interesting... This is just speculation, but it looked like the tx vol anomaly was spending outputs as fast as it was creating them, so I assumed that volume dropped off as they simply ran out of funds / ran out of outputs
-
isthmus
So I don't know that they'd have much left to consolidate
-
isthmus
Also the anomaly had just 2-output txns, so every time they made a 3+ input transaction, they reduced their total available output count
-
selsta
that's my `print_pool_stats` output:
paste.debian.net/hidden/99b1ade0
-
UkoeHB
check this, something odd in tx pool volume 8 hrs ago:
pooldata.xmrlab.com; I also noticed the 194-input tx all have one very young ring member (just visually based on the dots:
xmrchain.net/tx/f95f7826531b7333a26…6cdcebcd9fddd9d32c99103d522e4c3b1dc)
-
Rucknium[m]
<luigi1111w> "Rucknium sorry I had a bit of..." <- Ah I see. Thank you.
-
UkoeHB
Hmm are they all 1-input 2-output tx?
-
luigi1111w
seems like a lot of variance no?
-
luigi1111w
.bbl
-
UkoeHB
yeah idk don't see any real patterns in ring member reference ages with just visual inspection...
-
Chamus
<Rucknium[m]> "It's too early to say whether it is worth panicking over" <- Ruck really wants his research to mean something, his funding depends of it
-
Chamus
makes sense
-
Chamus
<+moneromooo> "It suggests some hidden motive" <- No hidden motive he wants funding
-
Chamus
That's what we will get with self recruited talent usually
-
Chamus
Let's not act surprised
-
Chamus
<sgp_1> "And fwiw, I do find it odd that we know nothing about your academic background, but you're the first to attack others like me about only having an undergrad. Maybe that's the biggest proof you are in academia though" - I did warn you that recruiting self-declared anon phd's could be troublesome, and that it would not be sustainable or
-
Chamus
scalable
-
Rucknium[m]
Chamus: Ok, here's someone with a PhD who has been working on Monero for years. isthmus. Here's what he has to say about my HackerOne submission.
-
selsta
let's not argue who has PhDs and who hasn't :D just wait for core to review the report
-
rottenstonks
Zzz, are you still paying attention to Chamus? ffs.
-
Rucknium[m]
(isthmus actually approved me sharing his views this time -- I've apologized to him for posting his private statements)
-
rottenstonks
:thumbup:
-
Rucknium[m]
Here's what isthmus said in #monero-research-lab:matrix.org
-
Rucknium[m]
>Having MRL be up to date with Monero analysis best practices is especially important as we try to assess the threat posed by Ruck’s work regarding ring signature deanonymization.
-
Rucknium[m]
>To ascertain if or how alarmed we should be, it’ll need to be evaluated in the context of other advances such as implementation within a Hopcroft–Karp algorithm compatible framework seeded with probable edges from the other analysis methods developed over the last few years.
-
Rucknium[m]
>Because we haven’t been keeping up with literature as closely, it’s hard for me to tell whether a competent adversary would be able to combine these approaches to deanonymize 0.2% of ring signatures or 2% of ring signatures or 20% of ring signatures.
-
Rucknium[m]
>I prefer to be reserved and measured in public statements. Unfortunately some of my private comments have been plastered around IRC lately. While not how I would have chosen to communicate my concerns to the community, it is true that my perspective is that we should avoid complacency...
-
Rucknium[m]
>...and have a few qualified people very seriously evaluate how all of the analyses in the public domain or developed internally can be combined.
-
Rucknium[m]
<end>
-
Rucknium[m]
So, isthmus is saying (to interpret) that it's too early to say whether my HackerOne submission should be released.
-
Rucknium[m]
Precisely because the implications are still not clear and need further research.
-
Rucknium[m]
I did specifically mention isthmus's views about the dangers of combining attacks in my HackerOne submission, so all of those who read the report should have been aware of his concerns.
-
Rucknium[m]
selsta: Is Core reviewing the report, to your knowledge?
-
rupee[m]
Rucknium: If an expert statistician decided to look into monero's decoy selection algorithm today, would they be likely to discover the same things you did on their own?
-
Rucknium[m]
rupee: Hard to say. I am an expert statistician, plus empirical economist. Often, more theoretical statisticians might miss something.
-
Rucknium[m]
As I stated in my CCS, "the fuse is lit" though. I think sooner or later adversaries will figure things out.
-
selsta
Rucknium[m]: They will take a look at the report, I don't know if they will "review" it.
-
Rucknium[m]
selsta: I see.
-
Rucknium[m]
I mention here that within an hour of reading the Moser et al. (2018) paper -- or, actually, just the "countermeasures" section -- I was able to see substantial problems and even start conceptual work on some solutions:
-
Rucknium[m]
It's all in the linked #monero-dev:monero.social logs from 2021-08-06
-
Rucknium[m]
But seeing problems is different from formulating an attack.
-
ullbeking_
Rucknium[m]: are you really an expert statistician? where are you located? I have a PhD in machine learning and signal processing with applications for sound and music, and I've wondered what it would be like to focus on being a proper statistician.
-
ullbeking_
Do you mind if I have an information interview with you sometime?
-
ullbeking_
(I promise not to ask for a job.)
-
Rucknium[m]
ullbeking_: Have you seen....?
-
Rucknium[m]
We need people. And you could get funding with a good research proposal.
-
ullbeking_
No, I haven't!
-
ullbeking_
I haven't been working in academia for a while, but I'd love to get my foot back in the door
-
ullbeking_
I know how to write research proposals
-
Rucknium[m]
Ok. Read that. And skim the comments I suppose. And then make a Matrix account and join #monero-recruitment:monero.social
-
Rucknium[m]
ullbeking_: You're hired! lol
-
ullbeking_
Cool beans, lol :D
-
Rucknium[m]
There is a ton to do. Serious, a ton.
-
ullbeking_
Rucknium[m]: I am focusing on Bitcoin, Namecoin, and Monero
-
ullbeking_
Rucknium[m]: thank you for the heads up and encouragement
-
ullbeking_
I'll be around
-
Rucknium[m]
Ok great. I will put you on the "recruitable" list ;)
-
Rucknium[m]
ullbeking_: Try to come to Monero Research Lab meetings in #monero-research-lab:matrix.org . They are on Wednesdays at 17:00 UTC for now, posted here:
github.com/monero-project/meta/issues
-
ullbeking_
Thanks, I'll put it in my diary
-
ullbeking_
I'm very keen to get back into research