11:20:19 now I'm rethinking about the decision of writing a blog post about chainalysis, take a look on how Tor project handles such situation https://blog.torproject.org/tor-is-still-safe/ 11:22:20 being transparent is better than looking like you are trying to hide it 11:23:03 Who's trying to hide anything? why would we acknowledge what we've already acknowledged 11:23:16 Theres a whole youtube series about how to break monero, called breaking monero 11:23:50 If you want to write a blog post, https://github.com/monero-prohect/monero-site 11:23:54 for the ones that don't know 11:23:57 Nobody is stopping you 11:25:13 I wasn't saying that I'm the one writing about it, rather someone one from MRL or knowledgeable. 11:26:32 we dont pay 100k/yr to devs and reseaeches to they can spend 6hrs at 1.1xmr/hr to write a blog post that will be read by 14 people 11:27:10 i'd prefer devs spend their time working on monero 11:27:51 source on 14 people? 11:27:56 And again, the fact is that monero is not perfect 11:28:04 There are no guidelines on churning 11:28:19 Weve been recommending against remote nodes _forever_ 11:28:49 or you are just throwing random made-up statistics? 11:29:01 yes 11:29:17 not constructive 11:29:29 Neither is cheerleading 11:30:02 Go write the post or find someone who has nothing better to do 11:30:17 https://matrix.monero.social/_matrix/media/v1/download/matrix.org/xvxrthxBDIOXHTduIudSRPeS 11:31:13 ? Why would i care to be distracted by fud? 11:31:55 perhaps you are not, but outsiders maybe 11:31:57 is it true that decoys can be elimited? OF COURSE 11:32:02 Its always been true 11:32:55 Is it possible to use off chain data to trace the path of monero spending? OF COURSE! Its always been true 11:34:01 If it wasnt, we would never had standardized ring size, increased ring size, planned to increase with seraphis, or threw that all away in favor of FCMP 11:34:16 Rings are trash and always have been 11:34:39 p2pool had to hard fork to stop damaging rings 11:35:00 There are 2 mrl issues (108 and 109) that targeted the pollution of ribs via coinbase outputs 11:35:25 The only thing that matters is that we get fcmp out the door 11:35:55 Because there is NO fact based advice on how to best manage monero outputs 11:36:39 Stealth addresses and CT (amounts) are the only things truly private in monero 11:36:45 The tx graph is not 11:37:41 Anyways, I think that being transparent through official mediums (like blog, which is turning into just a changelog) is the right approach instead of letting rumors spread, which also keeps your community knowledgable with current development/attack vectors so they can base their threat model correctly. 11:38:46 The blog has a big post about fcmp on it 11:39:04 "so they can" do what? They cant 11:39:57 all they can do is use a _trusted_ onion node, or a node that they run themself 11:40:11 sit back and wait for fcmp 11:40:35 "dont use clearnet nodes without a vpn/tor" is common sense 11:41:05 It doesnt matter how private your blockchain is if your connecting over clearnet to broadcast your txid directly to them 11:45:46 Also, youre the only person in monero i see asking questions. Even chainalysis is having the video taken down _everywhere_ 11:46:04 Monero are the ones keeping the video circulating. 11:46:14 Monero market itself as community-driven, there should be transparency about everthing going in community. 11:46:20 wym? 11:46:41 i mean, the video link has beem DCMA'd everywhere 11:46:58 We've put up torrent, hosted it on personal websites, odysee, etc 11:47:01 yea? 11:47:40 We're the ones spreading the video around, because theres nothing new or exciting in it 11:48:03 We have a hackerone telling ppl bot to use remote nodes from many months ago 11:48:14 ik, but this irrelevant to what I was suggesting, it looks like the actual project is out of loop/not caring while the community do care. 11:48:28 We had PSA's telling ppl bot to use remote nodes for years due to malicious high fee 11:48:46 And the software itself (cli) warns users not to use remote nodes 11:48:58 hackerone is a bug bounty platform... 11:49:18 The community is spreading the video, 11:49:19 "the actual project" == the community 11:49:28 Yea i saw that, when you want to use a non-onion node it forces you to type a long argument lol 11:49:30 I mean, it was disclosed on reddit 11:50:05 https://www.reddit.com/r/Monero/comments/134jbdt/security_advisory_new_attack_from_malicious/ 11:50:35 "this-is-probably-a-spy-node" 11:50:44 Exactly, that is why I suggested that so monero community can have a legit source to share instead of comments scattered. 11:51:44 Magic blog post 11:52:02 New blog post "i thought we told yall to stop using remote nodes?" 11:52:35 Perhaps a forum would better fit the need ? Like discourse ? 11:52:37 https://monero.observer/tevador-security-advisory-medium-severity-vulnerability-monero-wallets-malicious-remote-nodes/ 11:52:49 (Correct me if I'm missing the point) 11:53:32 I think the post is like "water is wet" 11:53:57 Why are we wasting writing blog post to explain things that are obvious 11:54:13 the fud screenshot you posted has NOTHING to do with the video 11:54:24 Its just dero "account model" fud 11:54:25 that is opposite of what I'm saying, but yes, discourse is a lot better & reliable for managing long discussions/threads that Reddit and group messsaging platforms 11:54:51 Dero, yknow, the chain that had everythinf incl amoints unravelled, and is still unfixed 11:55:31 missing the point of the current discussion, but discourse is also a great idea that I suggested before 11:56:01 Its called "dont feed the trolls" 11:56:03 chainalysis didnt do anything special. And the ppl spreading fud are bag holders of a deanonymized chain 11:56:25 I think torproject could be copied on that, they have a blog where they share the latest news, and they also have a discourse for their community 11:56:50 acknowleding an issue doesn't imply "feeding trools" 11:56:56 acknowleding an issue doesn't imply "feeding trolls" 11:57:21 acknowledging what issue? 11:57:31 Please explain what were acknowledging 11:57:49 "dont use remote nodes"? 11:57:51 https://monero.observer/tevador-security-advisory-medium-severity-vulnerability-monero-wallets-malicious-remote-nodes/ 11:57:54 Old news 11:57:58 some people are very over protective about Monero being hidden dev/not engaging with the community 11:58:29 That CEX can keep track of the outputs the decoys that they own? 11:58:31 old news 11:59:02 yes, a reminder 11:59:18 we have one every 3 months 11:59:24 where? 11:59:39 The spam that caused a "black marble" attack was like 4 months ago 11:59:50 Could be a "best opsec practices" section somewhere, saying that to maintain anonymity its best to do x y z 12:00:00 There isnt any 12:00:14 was there a blog post about it? 12:00:18 Dont use remote nodes, uae onion nodes if you must 12:00:38 Idk, you read the blog, not me 12:01:14 We have list.getmonero.org as well 12:01:20 But its pretty much dead 12:01:22 there is not, could have written about it as he was the one researched about the spam attack 12:01:35 https://monero.observer/monero-mean-effective-ring-size-rises-suspected-spam-attack-subsides/ 12:02:31 other than that you will keep news agencies claiming "anonymous sources" etc for info regarding some specific 12:02:48 other than that you will keep news agencies claiming "anonymous sources" etc for info regarding some specific situation 12:03:15 Some news channel claimes that MAGIC is in charge of the technical direction of monero 12:03:19 there's no need to continue arguing about a transparency issue and being more engaging in with the community 12:03:30 Write the post!! 12:03:32 yes, that is what I'm talking about 12:04:20 someone from MRL or that keeps up with MRL discussions 12:04:27 Mrl doesnt discuss this 12:04:42 bruh wtf 12:04:53 u reply before thinking for 1 sec? 12:05:27 https://github.com/monero-project/meta/issues/1070 12:05:30 mrl doesnt discuss off chain tracing using 9yr old methods 12:05:31 >Chainalysis capabilities video. 12:06:55 Frankly, the Achilles heel that chainalysis is targeting here, is the trust people have in centralised exchanges 12:07:12 and remote nodes 12:07:21 It is from that, mainly that they can do stuff 12:08:53 You dont have to run a cex to own the output distribution 12:09:01 You can just spam the network 12:09:21 And keep track of every output that you created and control 12:09:55 You can also dust wallets of potential targets and perform EAE if users arent paying attn 12:24:01 Literally hours of videos from sarang and sgp are better training vids than chainalysis 13:15:59 way easier to just have the FBI ask the CEX on your behalf though 13:16:06 and free! 13:16:41 Spamming outputs to yourself doesnt cost a lot either 13:18:53 especially if the goal is just to create black marbles while avoiding block size increase (using lowest fee, and cycling) 13:19:15 its still free vs spending 13:19:32 And not as useful lol 13:20:03 they didnt even bother to run proper fake nodes which would have cost what? $30 per month? and those are very useful, in fact, their most useful asset 13:20:05 cex data is nice, but 50% of tx vs 99% is a big diff 13:20:09 They literally did tho 13:20:19 you need to spam a loooooooot to get 99% tx 13:20:34 they proxied to other real nodes 13:20:37 no. You need to spam 110ktx/day 13:20:49 Type, 90*% 13:20:57 They disnt tho 13:21:05 that was playing devils advocate 13:21:15 they did though 13:21:22 they disnt 13:21:31 The node is still up and isnt proxied afaict 13:21:33 or am i retarded and dont understand the digilol article 13:21:49 And they have THOUSANDs of ips pointing at their own real nkde 13:22:06 Digilol spoke to rupee who claimed he didnt control those ip's anymore 13:23:38 so they have one real node and a bunch of proxies 13:23:54 even without the video leaking, that could have been discovered 13:25:27 http://96.43.139.226 13:25:41 https://www.digilol.net/blog/chainanalysis-malicious-xmr.html 13:25:43 Not in the list 13:26:17 This is 1 of like 10 nodes that rupee controlled where the ip was supposedly "lost" 13:26:53 http://96.43.139.226:18089/get_info 13:28:04 If its proxied to another node, it still makes 0 sense for them not to run the node themselves, with the ability to tamper with relay times and decoys 13:28:48 I'm sure they didnt have 100s or 1000s of nodes, but they likely had that many ips proxied to their node 13:29:35 I also wouldnt be surprised if they were running the majority on --public-node IPs (simple/bootstrap mode) 13:37:02 https://b10c.me/observations/06-linkinglion/ 13:37:19 These nodes were in the video and are still active today 14:19:50 --public-node is opt in , nuff said 14:21:27 Makes sense from a personal privacy / resource perspective but its reducing the pool of available nodes for simple mode 14:22:46 The problem cant be solved can it. Trusted nodes can still be spy nodes unless you can see the server before your very eyes 14:23:34 Trust nodes = people you actually trust 14:23:49 Not some fake trust 14:24:07 public-node has to be opt-in, because it can obliterate your data cap 14:24:22 Which is also why its a dream honeypot 14:24:38 Bad actors nodes likely ALL have it enabled 14:25:20 I wouldnt mind if --public-mode was killed altogether 14:25:54 You can use boostrap mode and specify a daemon. No reason to tell advertise rpc to random strangers over p2p network 14:27:40 I really see absolutely NO good reason for --public-node. It doesnt even need a replacement, just kill it with fire 14:28:24 1. Local node 14:28:25 2. Enter a node that you trust 14:28:27 nobody needs "use random rasp pi or honeypot" 19:32:41 <3​21bob321:monero.social> Me i have lollies 19:35:45 Candies* 19:36:03 <3​21bob321:monero.social> Thats merica! 19:36:05 wording matters, or you will get caught in 4k 📷