Hi my friend is trying to setup XMRIG proxy to work with p2pool

(my friendgroup wants to all mine together to the same p2pool node)

we plan to go off outputs from XMRIG proxy in order to setup automatic payouts after we've found our rewards

(if that's even possible we're all nero noobs)

<NeroCultist[m]> "we plan to go off outputs from..." <- P2pooler

p2pooler

how does work?

<fjhfjfhg6837hyyv> "f-droid.monerujo.io..." <- Monerujo is sus

When an app does not exist on the official FDroid repo, and instead uses its own repo, suspiciousness levels are already off the charts

<cockliuser[m]> "When an app does not exist on..." <- Molly and collabora have their own repos and I don't think they're sus.

Also the guardian project

On Android it's still better to trust the FDroid repo instead of using third party repos

<cockliuser[m]> "When an app does not exist on..." <- The exact opposite is true

And the Guardian Project has had severe problems in the past

idkrn[m]: Why so

cockliuser[m]: Fdroid is possibly the least trustworthy source possible that isn't actively malicious

The official repo serves to be a source of open source software

The review process is very strict

cockliuser[m]: wonderfall.dev/fdroid-issues this is just the start

idkrn[m]: Moved to privsec.dev/posts/android/f-droid-security-issues

Third party repo is worse

cockliuser[m]: No it is not. All it does is ensure free software

The security issues are due to fdroid not working according to the Android security model

Installing third party repos amplifies that issue

They build process is abysmal

s/They/Their/

idkrn[m]: That's what I'm saying

cockliuser[m]: That's not even close to encompassing the issues fdroid provides

cockliuser[m]: With FDroid's repo you have a guarantee that the software you're using is open source

Ok?

With third party repos you don't have that

You can also just check their source yourself…

I do not trust fdroid at all

I'd rather people more involved in the sphere check the source

You should really read the article I linked

Plus fdroid has pretty useful warnings for non open source servers, non open source upstream etc

Who cares

Their build process is awful

They even allow software with known vulnerabilities on their site

idkrn[m]: The article you linked validates my argument even though it says so targeting fdroid

?

"having other repositories in a single app also violates the security model of Android"

In section 4

The article says much much more than that

I'm talking about fdroid specific issues

I know, but I'd rather not trust a third party repository

That's what fdroid is…

Fdroid has issues, but it's the best alternative we have

First party would be from the developer

cockliuser[m]: No it's not

idkrn[m]: Developers have to distribute their code

cockliuser[m]: You can still get it from the developer

That's what first party is

Fdroid is a 3rd party

Third party that also serves as a mini audit for how much software really is open source

Which means absolutely nothing

It all boils down to trust

cockliuser[m]: You're just adding an extra party to trust

One that isn't good at its job

Even their client sucks

The "Android security model" is kind of a bullshit argument though

cockliuser[m]: Read the rest of the article

cockliuser[m]: They could provide this arguably useless service without ruining the build process

idkrn[m]: I have, but the biggest point it outlines is the fact that FDroid doesn't match with the Android security model, the part about the build system is added in for good measure

cockliuser[m]: That's the smallest part

idkrn[m]: Do you want the developer to build the binaries and for users to use the developer-built binaries?

What if the developer bundles in malicious code?

With FDroid, you only have one party to trust

If you do trust FDroid, you can trust that the binaries you get for an application will be built from free software without bundled-in malicious code

>While we’ve seen that F-Droid controls the signing servers (much like Play App Signing), F-Droid also fully controls the build servers that run the disposable VMs used for building apps. And from June to November of 2022, their guest VM image officially ran an end-of-life release of Debian LTS. It is also worth noting that Debian LTS seperate project from Debian which attempts to extend the lifetime of releases that are deemed end-of-life by

the Debian project and does not get handled by the Debian Security team. The version they were using (Debian Stretch) was actually discontinued 2 years prior. Undoubtedly, this raises questions about their whole infrastructure security.

cockliuser[m]: Fdroid isn't stopping that. What if fdroid bundles malicious code??

cockliuser[m]: Absolutely

That's the problem

You have to trust each and every developer

cockliuser[m]: Fdroid does not stop an app from being malicious

cockliuser[m]: You do anyways

Fdroid doesn't do security audits of apps.

idkrn[m]: It does stop an app from being different from the provided source code

With fdroid there's only one party to trust instead of 2000 developers

idkrn[m]: They verify that the application is fully open source

And the builds are handled by them

cockliuser[m]: Which does what?

cockliuser[m]: You have to trust both…

It mitigates the problem of trusting the developer to not interfere with the binaries

cockliuser[m]: No it does not

f-droid.org/en/packages/com.saverio.pdfviewer they literally build a vulnerable app and continue to ship it to users

How so

The builds are handled by fdroid

Not the developer

And they underline it

cockliuser[m]: They're automated

cockliuser[m]: And?

idkrn[m]: Vulnerabilities are not the problem they're trying to fix

Atleast they actually tell you it has a vulnerability

How is that any different from an app being malicious

cockliuser[m]: Lmao

With the developer distributing the binaries, you'd never know

cockliuser[m]: privsec.dev/posts/android/f-droid-s…issues/#1-the-trusted-party-problem

cockliuser[m]: Are you downloading from devs you don't trust and expecting fdroid to audit the app for you?

Tell me this, would you rather place your trust in every developer not to insert malicious code in the binaries during the compile process

Or would you trust one party

cockliuser[m]: Fdroid didn't get the element update patching the broken e2ee for a whole day

Again, vulnerabilities are not the problem

cockliuser[m]: Fdroid is not trustworthy

cockliuser[m]: No different from an app being malicious when someone can just exploit it themselves

idkrn[m]: There hasn't been anything untrustworthy about FDroid for the many years it has existed :)

cockliuser[m]: It's been untrustworthy for its entire existence

My point isn't that all FDroid apps are inherently secure, but that they do fix a problem

Stemming from their terrible practices

Most users won't compile an Android app from source

cockliuser[m]: They do not

idkrn[m]: Afaik I can use Google play, f-droid and surf the web to download apk. I'm your opinion what should I do ?

cockliuser[m]: So FDroid serves as a party to trust to compile apps identical to source code

s/I'm/In/

fdroid deserves as much 'trust' as any android fucktardphone : none

cockliuser[m]: With the myriad of apps people use, you'd have to trust each and every developer

raas[m]: Google play, the izzyondroid fdroid repo, repos hosted by the developer, or getting apps directly from github etc. Be advised that if you download from github, you must trust the initial app to be genuine (likely the case with https) and manually check for updates. There is also accrescent.app but that isn't 1.0 yet

Instead, you can trust a central party to do so

as2333: FDroid is identical to the Debian packaging system

cockliuser[m]: As you still do

cockliuser[m]: That's not great

At least Debian won't build apps on old and broken OS

idkrn[m]: I don't have to trust the developer regarding the binaries

cockliuser[m]: Fdroid automates the building of apps, so yes you do

I can read the source code and verify that the app isn't malicious, but if I downloaded it from the developer, I'd have to trust him to not bundle in malicious code

Fdroid apps tons of issues and doesn't actually solve any

idkrn[m]: It's about the compile process not the source code's security

idkrn[m]: Don't feel comfortable downloading "random" things from GitHub. I need to trust someone cause lack of technical aptitude to verify stuff myself. I'll check accrescent

Accrescent is almost 1.0. Check out #accrescent:matrix.org

The devs get to upload the apps themselves similarly to Google Play

idkrn[m]: Why would anyone in their right mind recommend izzyondroid while arguing against trusting third parties

cockliuser[m]: Because those aren't build by a third party. They are identical to the ones on github

Are you sure :)

Yes

How do you know

cockliuser[m]: Because I can first download from github, then update from izzy

Good, but you're trusting the GitHub binaries

At that point signature verification ensures the same key was used to sign the app

cockliuser[m]: I only download apps from developers I trust

As I said, I'd rather trust a central party than a random developer

idkrn[m]: That's good, but isn't viable for most people

cockliuser[m]: They are made up of random of developers… They also don't check for anything other than non free software

idkrn[m]: That's enough security for me

It's not to be recommended to other people

By downloading from the developer, you don't even have the guarantee of it being free software

Who cares

Really?

"Who cares?"?!?

Yes

Proprietary software isn't inherently dangerous

it is though

idkrn[m]: Murphy's law

you can never really verify if it's doing anything malicious

s0x41[m]: Yes you can. That also doesn't make it malicious by default

so you should assume all proprietary software is malicious

s0x41[m]: No you shouldn't. That's fud

Proprietary software is routinely fuzzed and audited

idkrn[m]: Yes, let me go ahead install microsoft windows and use Microsoft 365 cloud to access my stuff and use zoom for web conferencing

* Yes, let me go ahead and install microsoft windows and use Microsoft 365 cloud to access my stuff and use zoom for web conferencing

That's up to you

idkrn[m]: Wireshark can only find so much

idkrn[m]: Not by you

s0x41[m]: That's not related to wireshark

cockliuser[m]: You're trusting a third party :)

That's what you were arguing against

idkrn[m]: are you talking about third party auditors?

you were just saying about how trusting third parties is bad

s0x41[m]: Yes?

s0x41[m]: It should be reduced to a minimum

cockliuser[m]: You can't build your entire phone yourself. There is guaranteed to be *some* trust in a third party. The point is to minimizenit

Are you trolling? If so, damn that's some masterful baiting

?

If I go to a restaurant, I have to trust the chef not to piss in my food

With proprietary software, you're maximizing trust in a third party

No you aren't. It's barely different from third party software with public source code

Sure it is

I can surely compile my own version of proprietary software from source code and verify that it does only what the source code says it does, right?

If you believe that closed source software is something only the developers can understand, you're basically saying that it is perfectly secure so long as the source code is not available to the attackers

What?

wander[xmpp]: lmao masterful baiting

idkrn[m] proprietary software is malicious per se

obviously software can be introspected and reverse engineered to a certain degree

wander[xmpp]: I bet ur a master debator

s0x41[m]: A large degree

but the system as a whole is obfuscated from view

as2333: No it isn't

it totally depends on the software

ghidra can only do so much

etc

s0x41[m]: No it isn't. Obfuscation is completely different

i wasn't talking about obfuscation

s0x41[m]: Like reverse engineer malware which is actually malicious

* talking about software obfuscation

proprietary software is malware

as2333: Fud and an unsubstantiated claim

nah

you're actually spewing propaganda

I primarily use open source software, but I don't delude myself

Lol

funny how you went from complaining about fdroid to promoting outright malware.

as2333: I never did

Stop lying

you don't delude yourself about what?

About what open source software provides vs. closed source software

Trolls don't make actual arguments

Which is what I've done

Memeing someone isn't an argument

Ok

Lol

Cool

Typical

idkrn: obviously we need to believe in someone or something to survive psychologically

otherwise we would go insane

s0x41[m]: I agree

But there are cases where you don't need to give trust

however i believe it is best to trust software that is universally auditable as opposed to software that can only be audited by a select few individuals

It's unnecessary and undeserved trust

s0x41[m]: Binaries themselves can be audited

they are much more difficult to audit than source code

furthermore reproducible builds exist

why would you audit the binaries if you don't object to proprietary software?

Even if you 100% trust fdroid to perfectly audit code, if they ever get hacked, everything you use is fucked

s0x41[m]: That's just moving trust to whoever verifies the build

as2333: Why wouldn't you?

idkrn[m]: you can easily verify the build yourself

that's the point of reproducible builds

I don't audit things myself, but I care about privacy and security

idkrn[m] why would you. You don't think proprietary software is malware. So just use it. Why would you audit it.

s0x41[m]: Then you can just install what you built from source

So there's no point there

that is true

as2333: There are more problems that just malware

Audits are meant to expose vulnerabilities in the software

A benign application which has been hijacked is no different from a malicious application

idkrn[m] if you're concerned about those, you'd ask the author to show the code

i don't think anyone was talking about security vulnerabilities here

as2333: That isn't enough

* talking about accidental security vulnerabilities

s0x41[m]: Those are no different from a backdoor in an application

The DOD uses open source and has a write-up on why open source is better, you're better off reading it instead of arguing here

idkrn[m] thing is, given the current political situation, trends and the like, there's no reason to tolerate proprietary software.

cockliuser[m]: They also use Windows…

as2333: That is completely different from claiming all proprietary software is malicious

idkrn[m] it's the same thing.

No it isn't

or closely related

idkrn[m]: People trying to replace bad security practices with good security practices is good for society as a whole

cockliuser[m]: They aren't replacing that with Linux desktops. The hardware is also proprietary

as2333: I guess if you just state it, it's true

idkrn[m]: Do you work at DOD?

How is that relevant

idkrn[m] oh sorry, your baseless, pro-malware claims are so justified.

as2333: "Pro-malware". Evidence?

see above

idkrn[m]: How do you know for a fact that they use Windows and aren't already using open source operating systems for sensitive stuff?

as2333: That isn't evidence

cockliuser[m]: Because a lot of that must be public

If they have a massive contract to have enterprise windows, that will be public information

They definitely use Linux though

The NSA even developed SELinux

Because they need security

And they recognize that open source is inherently more secure due to its auditability

cockliuser[m]: That's why they don't use shit like Ubuntu

They'll secure the servers themselves

Plenty of government used Windows enterprise

Linux servers are 100% used by government though

idkrn[m]: Exactly, which is why they can't trust proprietary software in this day and age

cockliuser[m]: They do trust proprietary software

They use both

They might have used Windows in the old days, but they only use as it as legacy cruft now

It's not easy to replace infrastructure

They still use it now

their nature as a governmental institution also means that they control the proprietary software

s0x41[m]: Not really lol

idkrn[m] so your 'argument' is that governmnt criminals use something like windows...and that proves what exactly.

Goverments are provided source code to Windows

This is why they begged for Apple's help to unlock an iPhone

lawl

cockliuser[m]: Not all of them

idkrn[m]: The DOD definitely is

and now, crapple advertising

as2333: Where did I advertise for them

You've lied about what I've said numerous times

you mean, I 'lied' in your wrong opinion

cockliuser[m]: Certainty not for every update

as2333: An opinion can't even be wrong. That makes no sense

idkrn[m]: They don't update stuff

...

cockliuser[m]: They have to at the very least for security

Servers use stable releases

Have you heard of LTSC

They still get updates

Security updates can be distributed as source code patches

They are not going to be building the entire OS from source and manually distributing it to all their machines after every patch

You can't be sure about that

cockliuser[m]: It's likely

It's the government, they need security

They're not going to trust random binaries

The only trust they'll place is in the compiler and that's it.

cockliuser[m]: i wouldn't be surprised if they keep a version of the compiler that they've bootstrapped from assembly

The CEOs of Apple, Google, Microsoft, etc. don't read the source code of their OS, but they still use it. That probably won't convince you of anything, but maybe it'll make you rethink some things. The code for a kernel alone is 10s of millions. Web browsers have even more. No one is reading all of that code themselves

cockliuser[m]: No way they compile everything themselves

The military can't even repair all their own guns

what point are you making idkrn[m]

Proprietary software is not inherently malicious. Randomly people publishing apps to show off their skills are not malicious, just as an example

>Proprietary software isn't inherently dangerous

that's a wrong, baseless claim

as2333: Correct

what other point are you making

as2333: It is not

You're claiming things are malicious with no evidence of actual malicious behavior

I always prefer FOSS

But I'm not afraid of proprietary software

your problem

>The CEOs of Apple, Google, Microsoft, etc. don't read the source code

those criminals need to be executed

There's definitely proprietary software that is not spyware, it's just a lot harder to figure out if it is and what it's doing.

as2333: This is definitely a level headed take

s0x41[m]: Marginally

s0x41[m]: Might not be spyware, but often contains stolen code, shitty code, exploitable code etc

idkrn[m]: A 13 year old skiddie can create obfuscated malware and you won't be able to understand what it does

ofrnxmr[m]: How would you known it contains stolen code when you can't read it?

Its security via obscurity

Imagine trusting a proprietary encryption algo

cockliuser[m]: False. Also, if the code is actually obfuscated, that is an indication of a malicious app

LMAO

> <@ofrnxmr:monero.social> Its security via obscurity

>

> Imagine trusting a proprietary encryption algo

Who said it had anything to do with security

ofrnxmr[m]: Linux has a ridiculous amount of vulnerable code too

Exactly ^

idkrn[m]: Obfuscation covers up the fact that it's obfuscated bruddah, otherwise all malware would be detected easily by antiviruses

idkrn[m] the code is obfuscated to protect 'intelectual property' - there is nothing malicious about obfuscation.

Difference? It is seen and fixed

Proprietary? 0 dayed

And nobody knows what is going on except for attackers

cockliuser[m]: How can you hide the fact that you're code is obfuscated?

ofrnxmr[m]: So is Linux

And fixed by ANYONEA WHO CAN SEE THE CODE

idkrn[m] oops, you can't keep your bullshit story right eh.

ofrnxmr[m]: You can clearly see my example of fdroid shipping apps with unlatched vulnerabilities

Open source =/= secure

ofrnxmr[m]: You've never fixed a 0 day

idkrn[m] you see nothing wrong with propiertary code, but obfuscated proprietary code is somehow bad.

idkrn[m]: Nit a crit, but yes I have

idkrn[m]: They literally wrote "THIS APP CONTAINS A KNOWN VULNERABILITY"

If you can't read that then :P

as2333: Anything obfuscated is a red flag. A compiled app is not the same as an obfuscated one

cockliuser[m]: That's not relevant to what I just wrote

idkrn[m] enough of your trolling

Low level convo

ofrnxmr[m]: I was refuting this claim by showing an open source app currently being shipped with a known vulnerability

Telegram level chat

I mean if you want to use proprietary software go for it. Just don't pretend it's more secure than OSS.

s0x41[m]: When did I ever

I rarely use proprietary software anyway

I'm just not scared of it

Who's scared of it? Plenty of things we use in daily life run prop code

ofrnxmr[m]: There are multiple people here who claim that all proprietary software is malicious

It is

it's just more bullshit

Being lazy and greedy = malicious

<as2333> "idkrn proprietary software is..." <- Like here

ofrnxmr[m]: Greedy? Who releasing an app for free is greedy?

he's calling people who reject proprietary crap cowards

idkrn[m]: Yes

That's a reach

Long arms

ofrnxmr[m]: I wasn't asking a yes or no question lmao

ofrnxmr[m]: Lol clearly

Greedy? Is a yes or no question, dummy

as2333: Not really

ofrnxmr[m]: "Who releasing an app for free is greedy?"

idkrn[m] I'm not 'scared' of proprietary software either. I know it's shit and that's why I reject it.

I never answers your second question, but a few devs ive worked with on prop software are who

ofrnxmr[m]: How are you not scared of what you consider to be malicious?

idkrn[m]: Malicious =/= scary

ofrnxmr[m]: I'm confused as to how you can give something away for free while still being greedy

I have a pair

Lmao what

Nothing in life is free

That's not true

What are you talking about

We've been discussing free and open source software for half this entire discussion

Are you saying FOSS isn't free?

Exactly

Do you think devs dev without eating?

You're one of those entitled people that think open source software is produced for free?

People pay for the software. You might not. Someone does

They don't make money off of someone downloading what they release for free

ofrnxmr[m]: That doesn't make it not free

L o l

ofrnxmr[m]: They deliberately release it for free

You're currently chatting on this server without needing to pay

This server is paid for by cake wallet

"Free"

Ok? You're using it for free

Says you

Yes?

YouTube is free 🫠

Gmail is free 🫠

Protonmail is free 🫠🫠

It may be that only S0x41 and cockliuser: are open minded

Tor is free 🫠🫠🫠🫠🫠🫠

Yes

You don't have to pay to use it

Freeloader

I think you have a very different definition of free

ofrnxmr[m]: You don't know what I've paid for

So you do pay?

Not your business

Freeloader.

You don't know if I pay or not

<idkrn[m]> "They don't make money off of..." <- Free as in libre, not free as in beer

888tNkZrPN6JsEgekjMnABU4TBzc2Dt29EPAvkRxbANsAnjyPbb3iQ1YBRk1UXcdRsiKc9dhwMVgN5S9cQUiyoogDavup3H

Feel free to make a donation to the general fund

We have developers we need to hire

That doesn't even show up as a valid address for me

Is that monero?

Yes lol

Scroll to bottom

Oh you didn't format it that's why

I think monero:// does it

monero://888tNkZrPN6JsEgekjMnABU4TBzc2Dt29EPAvkRxbANsAnjyPbb3iQ1YBRk1UXcdRsiKc9dhwMVgN5S9cQUiyoogDavup3H

Hmmm

Tell me you've never used Monero without telling me you've never used monero

Its `monero:` btw

And you dont need the uri

I can use monero without knowing how the links work…

If you tap on the qr code on the website, it will launch using the uri

idkrn[m]: 💀

I know

If you copy and paste the address, that is how you typically send monero

Clearly that a first for you

monero:888tNkZrPN6JsEgekjMnABU4TBzc2Dt29EPAvkRxbANsAnjyPbb3iQ1YBRk1UXcdRsiKc9dhwMVgN5S9cQUiyoogDavup3H

Yeah still didn't work

Are you using cocliwallet or something?

Element normally highlights the addresses and makes them clickable

Copy > paste = 🤯

Next time, paste into wallet

I was just surprised it didn't link it for me

Sir

This is NOT about a bad trade

ofrnxmr[m]: What

Just something we say around here

Random outburst.

We'll I've been arguing for 90 minutes and don't think I actually lead anyone to changing their minds

Failed mission :(

100%

This is very sad

I only try to help

Next you'll tell me to use bitcoin to protect my financial future :(

Idkrn, I dont know right now but maybe you need to be WOW pill

s/pill/pilled/

idkrn[m] what do you think of government 'enforcing' so called 'intelectual property' at gunpoint?

ofrnxmr[m]: I'm in the monero room lol

as2333: I have no idea

I almost thought I was in the proprietary software shilling room

Imagine using s proprietary wallet app 💀

I don't

ofrnxmr[m]: I prefer FOSS

<betcryptocr[m]> "AKA the General found wallet XD" <- if you want to help the Monero community more, donate only to proposals you value, "vote with your wallet". Or, as others pointed out, donate to other ongoings projects directly.

nioc is never going to catch up at this rate

gm

What is the xmrvbeast bonus hashrate raffle?

What does it actually do and who funds it?

Xmrvsbeast funds it

Donates hashrate from xmrvsbeasts miner to your mining address (from what I recall, pre p2pool)

ofrnxmr[m]: xmrvbeast's miner?

As in his computing power or is it like mining software like xmrig where a part of a user's hash power is donated?

As in his computing power

Dont quote me on that. Its been a long time since I mined on xmrvsbeast, but IIRC that is how it works

<Richiedevs> I need a good bootstrap address to use for my wallet. Any recommendations?

Richiedevs: Do you mean a remote node?

<Richiedevs> yes

<Richiedevs> got any recommendations for a remote node?

canada or france?

monero.fail has some e.g. node2.monerodevs.org:18089 (france)

<Richiedevs> Alright thank you

<plowsof11> "monero.fail has some e.g. node2..." <- Isn't monerodevs testnet only?

Oh nvm

<cockliuser[m]> "Tell me this, would you rather..." <- nextcloud/news-android #1109

That's due to a fault in jitpack

Not fdroid

We're not doing this again idkrn

Is this like a gos and fdroid thing?

Cock.li has been down for a while now

Hey wait wtf it came back online

FBI honeypot now 😨

<plowsof11> "We're not doing this again idkrn..." <- Just adding a link to my previous claim

<DanIsnotthemanBr> "Is this like a gos and fdroid..." <- Just fdroid lol

Randomly scrolled by and saw someone saying that monerujo was sus for having its own repo and not being part of fdroid

<plowsof11> "We're not doing this again idkrn..." <- This is NOT about a bad trade. Do not joking!!

so what happened with monero pr marketing department?

I got fired

Jk. Meeting tomorrow

yolo