-
br-m<ofrnxmr:xmr.mx> PSA: everyone needs to remove your offers IMMEDIATELY, there is a protocol exploit being actively used
-
br-m<ofrnxmr:xmr.mx> From woodser, re haveno/retoswap
-
br-m<sadgirlava:catgirl.cloud> I was actually gonna ask here about RetoSwap, bc's the only method to get Monero without KYC. But people have warned me that (even without a protocol exploit), it's easy to get scammed when trying to trade. What are y'all's experiences with RetoSwap?
-
br-m<gan:skhron.org> Scammed how - to be specific?
-
br-m<monerobull:matrix.org> Fiat buyers are very safe, they don't really have any risks. The seller side is different with potential for chargebacks and rogue arbitrators or like today, exploits.
-
br-m<pyratevevo:matrix.org> @ofrnxmr:xmr.mx: Ugh that's just great.
-
br-m<sadgirlava:catgirl.cloud> @monerobull:matrix.org: Ok, I see. Is there any data besides individual anecdotes to help gauge how likely I am to get scammed while trying to buy monero on there? I'd probably be ok with a chance <5%
-
br-m<monerobull:matrix.org> It's less than that
-
br-m<monerobull:matrix.org> It's probably less than 5% even for sellers
-
br-m<sadgirlava:catgirl.cloud> Ok cool. Then perhaps ill roll those dice once the exploit is patched
-
br-m<monerobull:matrix.org> In the two years that it's been running I've seen 1 person complain about it, someone bought XMR via amazon giftcard from them and amazon later removed the credits because they were bought with a stolen credit card
-
br-m<sadgirlava:catgirl.cloud> > <@monerobull:matrix.org> Fiat buyers are very safe, they don't really have any risks. The seller side is different with potential for chargebacks and rogue arbitrators or like today, exploits.
br-m<sadgirlava:catgirl.cloud> How does the chargeback work in that scenario? Fiat buyers can charge back XMR that they trade for fiat after the transaction?
-
br-m<monerobull:matrix.org> if you buy xmr with fiat there is nothing that can really go wrong
-
br-m<monerobull:matrix.org> if you are the xmr seller, someone could send you fiat and then do a bank chargeback after you released the XMR
-
br-m<sadgirlava:catgirl.cloud> Ohh, ok that makes sense, ty
-
br-m<monerobull:matrix.org> but i haven't heard of anyone this has actually happened to so far. Just stay away from paypal, that's the easiest to charge back
-
br-m<hbs:matrix.org> you could be sent fake fiat though.
-
<BlueyHealer> How?
-
<BlueyHealer> Like, if it's cash by mail, like, you mean fake cash via cash by mail, or invalid giftcards?
-
br-m<gan:skhron.org> BlueyHealer: yes, that's rather easy to execute
-
<BlueyHealer> Can the seller not verify this&
-
<BlueyHealer> ?
-
br-m<pyratevevo:matrix.org> monerospace.org this looks great.
-
br-m<gan:skhron.org> nonetheless that's why we have trader volumes an reputation systems in place, as Timothy May have intended
-
br-m<gan:skhron.org> s/an/and/
-
br-m<gan:skhron.org> Verify what?
-
<BlueyHealer> Like, that the payment isn't fake?
-
br-m<gan:skhron.org> With non-digital methods, that's rather hard
-
br-m<gan:skhron.org> Can ya yourself think of any method to verify that? even with gift cards, a lot of systems don't exactly always support delaying the activation nor have systems for checking validation either
-
<BlueyHealer> Like, I'm pretty sure the validity of giftcards can be checked on the respective websites (I recall at least the Visa ones having such). As for cash - I don't think about this because cash by mail is illegal here, but that's a problem for everyone dealing with cash and I don't see people worrying about this much.
-
<BlueyHealer> Which "universal" giftcards don't support checking?
-
br-m<gan:skhron.org> Not totally sure to be honest, my statement was more theoretical in its outline and somewhat generic because I have to assume a lot
-
br-m<gan:skhron.org> BlueyHealer: Not like the state in your case cares in general, you can send cash via parcel lockers, and intra mailing isn't always properly checked, plus that'll be just an administrative fine
-
br-m<gan:skhron.org> but that's beside the point
-
<BlueyHealer> "Just an administrative fine"? wtf
-
<BlueyHealer> I mean I'm unnerved at how casually you dismiss that
-
<BlueyHealer> Like, when LM was around (rip), I haven't seen any cash by mail offers either.
-
br-m<gan:skhron.org> Why would I not?
-
br-m<gan:skhron.org> What exactly is the issue with that?
-
br-m<gan:skhron.org> LM wasn't really used in your state, as TG was always more popular for that, furthermore they applied sanctions at the end of their lifetime
-
<BlueyHealer> Like, that'd still go on record. And I kinda assumed that if you're caught doing that repeatedly, punishments could get more severe...
-
<BlueyHealer> Should check if it's like this though. Otherwise everyone would just treat fines like this in general as a potential extra cost...
-
br-m<gan:skhron.org> That's exactly what drug users do in fact
-
<BlueyHealer> I've heard that Western drug users use mail, but don't understand that, this seems risky AF and relying on a pinky promise not to look too closely and open. Also there you can receive parcels without signing a form, while here you basically have to acknowledge "yes I was expecting this to come".
-
<BlueyHealer> Drugs are instead delivered by couriers doing, ahem, "geocaching". Saw some of those fuckers doing their job, they were so shameless they weren't even bothered by my presence :/
-
br-m<gan:skhron.org> Personally I have some administrative penalties, you're aware that you can murder a person and find a job afterwards after you're freed, do you actually think that administrative penalties are so controlling of your employment status in the future?
-
<BlueyHealer> Also I have seen the results of their "activity" right in our building. And it seems like this problem is EVERYWHERE. A lot of the buildings around even have warnings not to let strangers in for this exact reason.
-
<BlueyHealer> Sorry for venting I'm just mad at those fuckers.
-
br-m<gan:skhron.org> BlueyHealer: kladmanning isn't the only option, grey area elements like sale of canna seeds could be delivered to parcel lockers easily
-
<BlueyHealer> do you actually think that administrative penalties are so controlling of your employment status in the future? <- I'd think yes. And do they not get bigger when you do it repeatedly?..
-
<BlueyHealer> Sorry this dismissing of illegality feels just alien to me
-
br-m<gan:skhron.org> BlueyHealer: eh, depends on the offense in all fairness
-
<BlueyHealer> kladmanning is not the only option but it's apparently the most common, and I hate that I can see traces of it in daily life :/
-
<BlueyHealer> Also, would they not confiscate the money in the envelope too? Or just return to sender and then fine them?
-
br-m<gan:skhron.org> BlueyHealer: Uhh, if the daddy state will tell that it's le hecking illegal to use Monero, you'd depart yourself from here?
-
br-m<gan:skhron.org> BlueyHealer: It's usually confiscated and counted towards the fine
-
<BlueyHealer> oh
-
<BlueyHealer> So if it's bigger than the fine, it's just confiscated in its entirety? And given that cash by mail offers tend to have INSANE minimums, who would risk that?
-
<BlueyHealer> really rich people?
-
<BlueyHealer> As for laws - I just don't understand willingly risking your arrest or fine, I just don't understand people living without a self-preservation instinct.
-
br-m<gan:skhron.org> But I should re-read the law personally, it didn't happen to me even once, but it did happen to my contact in Arhangeljsk, as far as I recall, the fine was rather small
-
br-m<gan:skhron.org> BlueyHealer: We live only once, sucking the state big time is quite uninteresting in my opinion
-
<BlueyHealer> "Rather small" for some people can mean even like $100, some people are just rich
-
<BlueyHealer> It's not "sucking the state", it's "being able to afford anything but the groceries" or "not being in prison"!
-
<BlueyHealer> Like, prison terrifies me because PTSD is NOT CURABLE. So, like, that's only a tier below rabies in the scary disease chart.
-
br-m<gan:skhron.org> BlueyHealer: You get paid ~400 USD working at Ozon, sure, somebody who lives in real Russia, they should move already
-
br-m<gan:skhron.org> BlueyHealer: You'll be jailed for such offenses, not imprisoned
-
<BlueyHealer> But jail is still more than capable of giving PTSD to a normal, if very soft and gentle, person. So no difference.
-
br-m<gan:skhron.org> I doubt such people will be dealing with Monero in general
-
<BlueyHealer> depends
-
<BlueyHealer> Anyway, I feel there's just a fundamental mismatch in how our brains work in terms of risk assessment, so I guess discussing that is kinda unproductive.
-
<BlueyHealer> Like, I just don't understand thrillseekers, but am fascinated at how they're real.
-
<BlueyHealer> Like, can't believe there are people who think they could survive *jail* without PTSD. Are they just that strong or do they not know PTSD currently has no cure?
-
br-m<gan:skhron.org> I was jailed for participating in a protest, still alive as you can see
-
<BlueyHealer> Not about "being alive", more like "having trauma and never being the same afterwards"
-
<BlueyHealer> Which is, like, horrifying
-
br-m<gan:skhron.org> You should read about the Network Case, despite being tortured, the guys still survived it just alright
-
br-m<gan:skhron.org> anyway, this is very offtopic, I think that at least abusing parcel lockers for exchanging Monero was somewhat on the topic
-
<BlueyHealer> Yeah I know about that, but not read in detail because I want to sleep at night
-
<BlueyHealer> Just alright? No trauma at all?
-
<BlueyHealer> I just know people get it for less
-
<BlueyHealer> But yeah, 100% agree about it being offtopic. And I don't think there's much point to a discussion either. Like, I know I'm not crazy resistant to trauma like this, I know I'm risk-avoidant and will always be, I don't comprehend how people operate in any different way, and thus there isn't really anything that can be explained or reasoned.
-
br-m<pyratevevo:matrix.org> @gan:skhron.org: How do you believe you got made?
-
br-m<gan:skhron.org> @pyratevevo:matrix.org: Huh? to answer literally - I'm made out of the pretty weak flesh
-
br-m<gan:skhron.org> Also as much as I have a habit of commenting-in-place, this is rather offtopic :P
-
br-m<reaster:matrix.reaster.dev> > <BlueyHealer> Like, can't believe there are people who think they could survive *jail* without PTSD. Are they just that strong or do they not know PTSD currently has no cure?
br-m<reaster:matrix.reaster.dev> i think modern society made a lot of people think that they're more mentally weak than they actually are
-
br-m<reaster:matrix.reaster.dev> same as ganza i was attacked by riot police and taken into custody during a protest and even if for some months after that i had a lot of fear issues when seeing riot police, well i'm still alive and it went off
-
<BlueyHealer> "alive" =/= well tho
-
br-m<gan:skhron.org> I mean, I'm openly queer in Russia 🚎
-
<BlueyHealer> Like, I can't imagine being "ok" after that. Because, like, I know that trauma can't be cured, only treated.
-
br-m<gan:skhron.org> Those who are afraid will never taste the fruit of true liberty 🧌
-
br-m<reaster:matrix.reaster.dev> people online get "attacked" and "damaged" for texts, i don't know how wild it is, and saying you get ptsd for light stuff (jail is not light stuff, i just say it's not as hard as the original concept of ptsd) when you compare the concept of ptsd that originated with war veterans, man that's clearly a different concept
-
br-m<reaster:matrix.reaster.dev> @gan:skhron.org: kinda true, like, since i accepted the idea that it's better and actually easier to not get caught than to try to follow all of the rules, life has never been easier
-
br-m<gan:skhron.org> Eh, I was grabbed and thrown into a clown car, if I'd resisted that could've been a lot worse of course
-
br-m<eddie:oblak.be> I am pretty average, don't do illegal stuff, but I will almost always avoid passing police
-
br-m<eddie:oblak.be> Maybe that's trauma, idk, but I just don't trust police at all
-
<BlueyHealer> Anyway, I don't think there's anything to explain. Some people are just thrillseekers and mentally tanky.
-
<BlueyHealer> I was under the impression that jail could give a really meek, soft person PTSD for real
-
br-m<eddie:oblak.be> I don't think anyone is the same person coming out as they were going in.
-
<BlueyHealer> Like, that's just different brain frequencies, metaphorically speaking
-
br-m<eddie:oblak.be> soft/hard.. doesn't matter
-
br-m<reaster:matrix.reaster.dev> like for example you could take a very old vehicle, heavily modify it yourself, make it run on "special" fuel that costs waayyy less, pay government workers to manage to get papers in order, and what would happen?
-
br-m<reaster:matrix.reaster.dev> or you could go get a loan that will chain you, buy a new vehicle that would break down in 4 years because one security thingy in plastic decided to break, and if you don't give it the official government approved fuel it will not start
-
br-m<eddie:oblak.be> losing your freedom like that is probably the most traumatic one can experience.
-
<BlueyHealer> Anyway, my point was that most people aren't like this and thus mostly interested in normal people way
-
br-m<reaster:matrix.reaster.dev> idk about most people, i also think that most people will not end up in jail nor wake up, nor have to face anything hard
-
br-m<reaster:matrix.reaster.dev> beside obviously the collapse of the western society economically
-
br-m<reaster:matrix.reaster.dev> that will hit a bit most people
-
<BlueyHealer> Wake up from what? Like, you can be aware of the ills going on, and just as aware of the limitations of your own agency, and make peace with that.
-
br-m<plowsof:matrix.org> daily reminder to perform your reality check to confirm this is not a dream and we're reading the Monero matrix chat
-
br-m<plowsof:matrix.org> brb enjoying my lucid dream
-
<BlueyHealer> Thanks, I've been doing that a while ago. Kinda miss having lucid dreams consistently.
-
» BlueyHealer looks twice at the watch to check that the numbers it shows are consistent
-
br-m<pyratevevo:matrix.org> I personally don't mind topics that are directly related to Monero's mission like internet privacy and freedom etc.
-
<BlueyHealer> true, although I have led the convo away from that and into being puzzled about self-preservation in general
-
<Guest32> Does anyone know when the next payout batch is? How often are the intervals?
-
<btcdwed> payout batch of what?
-
<Guest32> For bounties
-
<btcdwed> maybe you say hello while joining the room
-
<Guest32> pardon?
-
<btcdwed> np
-
<btcdwed> :D
-
br-m<plowsof:matrix.org> for bounties, there was a core software release, and then some issues with gitlab - so availability to organise/perform bounty payouts has been affected
-
<Guest32> Thanks for the info. Do payouts usually happen on a fixed schedule/batch interval, or is it usually just manual depending on maintainer availability?
-
<Guest32> btcdwed my mistake haha
-
<btcdwed> if you say hello, or show socialized behaviour
-
<btcdwed> someone will answer your question faster
-
<btcdwed> :P
-
<ro1m> yep, that was my mistake, understood
-
<btcdwed> hi plowsof o/
-
<ro1m> i'm very new to libera chat
-
<btcdwed> np burh, yw
-
<btcdwed> bruh
-
<ro1m> any idea as well for the "CC all points of contact", is there supposed to be more than just luigi1111, I don't think I'm missing anything, am I? github.com/monero-project/meta/blob…ints-of-contact-for-security-issues
-
<ro1m> I would just assume that luigi1111⊙go is the proper email to send it to, it's weird that the pgp email isn't aligning though.
-
<ro1m> i was getting a recipient's key validation failure. the defined sending key on the public key is `luigi1111w⊙gc`.
-
<selsta> ro1m: did you submit it on hackerone? or only per email?
-
<ro1m> email
-
<selsta> and did you receive a reply?
-
<selsta> or why do you think you are getting a bounty?
-
<ro1m> No, I forgot to clarify that it's only been 1 business day so far. Documentation says to expect 3 business days, as for your bounty question, what do you mean? Email is the place to submit possible vulnerability findings, along with hackerone as an alternative option, am I correct?
-
<selsta> we are receiving a ton of low quality AI submissions on both hackerone and email
-
<ro1m> Lots of programs are having that issue, unfortunately.
-
br-m<ofrnxmr> > <btcdwed> if you say hello, or show socialized behaviour
br-m<ofrnxmr> This is false. Nohello.net
-
br-m<ofrnxmr> ro1m, your report will be looked into and you will receive a response. Hackerone is preferred, and the gmail is a better place to send to. The getmonero email is flooded with spam
-
<ro1m> ofrnxmr, interesting, should I still send pgp encrypted or no? and could you verify the gmail?
-
<ro1m> I would assume pgp encryption still 😅
-
<selsta> can you send the report to me over IRC? my gpg key is in the repo
-
<selsta> if you just send it to the email it might get lost due to regular spam and nonsense vuln submissions
-
br-m<ofrnxmr> ^^ selsta is the one to talk to right now
-
<selsta> (i handle reports submitted to hackerone, not email usually)
-
<ro1m> okay, thank you, I have to help my kid, be right back
-
<ro1m> selsta what's your fingerprint?
-
<selsta> 29A5 B386 FB94 3B68 4FBF 7BBD 2EA0 A99A 8B07 AE5E
-
<plowsof> Hi btcdwed o/, ah it's hackerone selsta thanks
-
<nioc> we have a gmail account? lol
-
br-m<eddie:oblak.be> I was thinking it, you're saying it 😅
-
<luigi1111> yes please don't send vuln emails to getmonero email addy. It's really unusable
-
<btcdwed> ofrnxmr: HELLO :P
-
br-m<eddie:oblak.be> luigi1111: Maybe update the page to reflect this preference?
-
<ro1m> I can assure you that would help a lot of people
-
br-m<eddie:oblak.be> At this point method "a" to submit something is by email, but it seems here it should be "b"
-
br-m<sadgirlava:catgirl.cloud> Perhaps it's a filter for low-effort AI spam
-
br-m<eddie:oblak.be> that's just annoying if you're a legitimate researcher
-
br-m<eddie:oblak.be> there should be other methods to combat spam
-
br-m<eddie:oblak.be> you could scrap email altogether if it's unusable
-
<ro1m> I just want to put the thought inside your head to make sure to stop receiving reports over email, but make sure to check every one after that ;)
-
<luigi1111> hackerone is definitely preferred. email to gmail is possible (can encrypt) since their spam handling is much much better
-
<ro1m> the problem with hackerone is your reporters are frequently "afraid" of reporting.
-
<ro1m> because of reputation and signal requirements for newer hackers.
-
<luigi1111> that doc def needs updating. Selsta should be on there and maybe others(?). Moo I don't think is active around there either
-
<ro1m> Is forum.getmonero.org/8/funding-requi…d/87597/monero-bounty-for-hackerone suppose to be working?
-
<ro1m> supposed*
-
<selsta> no
-
<selsta> doc needs updating
-
br-m<eddie:oblak.be> Is the spam flood because of normal people using AI to find hallucinated vulns and then reporting them via email, or because of automated spam emails that have nothing to do with vulnerability disclosure?
-
br-m<ofrnxmr:xmr.mx> No, it's just from automated bullshit emails
-
br-m<ofrnxmr:xmr.mx> But you can add ai garbage to that now too
-
br-m<ofrnxmr:xmr.mx> It's been flooded with trash for a long time. The getmonero repo has 5 million spam accounts. You can imagine how many emails are sent to the getmonero email
-
br-m<gan:skhron.org> @eddie:oblak.be: "normal people", an interesting way to phrase blatant stupidity
-
br-m<eddie:oblak.be> Yeah, I am trying to think how this can be solved without having to rely on google
-
<ro1m> How about get AI to process the AI generated report, to judge if it's AI or not. Sounds like a really good idea.
-
br-m<eddie:oblak.be> My first thought is to have a submission form with a proof of work captcha
-
<selsta> "Selsta should be on there and maybe others" <-- i don't like having my contact in that doc, maybe we can find a different solution
-
br-m<eddie:oblak.be> @eddie:oblak.be: libroot.org/posts/project-nojscap I found this recently and I like the concept
-
br-m<gan:skhron.org> it cannot be solved without other operators and client sharing
-
br-m<gan:skhron.org> client?
-
br-m<gan:skhron.org> what the fuck
-
br-m<gan:skhron.org> how I wrote that
-
br-m<gan:skhron.org> sharing lists*
-
br-m<gan:skhron.org> ro1m: No, even more shitter idea
-
<ro1m> Sarcasm :]
-
br-m<gan:skhron.org> @gan:skhron.org: Anyway, creating garbage with abominable Intelligence is always easier, since it's the main purpose of bullshit generators, than creating something of value; defining what's valuable is even harder
-
br-m<eddie:oblak.be> selsta: Ideally you have something like "disclosure⊙go" where the relevant people have access to
-
<selsta> i thought about that but we all have different gpg keys
-
<selsta> so i guess there would be one master key
-
br-m<eddie:oblak.be> selsta: would that be a big problem?
-
br-m<eddie:oblak.be> it doesn't solve the spam problem of course
-
<ro1m> You lose accountability that way, along with offboarding is a terrible process and then there's no redundency under any circumstance of a compromise
-
<ro1m> redundancy*
-
<ro1m> I'm not selsta though
-
br-m<gan:skhron.org> selsta: Encrypted data could be addressed to multiple recipients
-
br-m<gan:skhron.org> see the output of "gpg --encrypt", it explicitly asks for "recipients", and in my experience neomutt supports setting multiple of them just fine, can't say much about clients
-
br-m<gan:skhron.org> ro1m: what?
-
br-m<gan:skhron.org> How would a fucking master key provide more redundancy? not to mention that somebody being "accountable" could just use their fucking key?
-
<ro1m> offboarding, as in you don't want a maintainer to have access anymore, you would have to rotate the whole key and tell all researchers to use the new one, along with if one machine gets malware (as in private key leak) all encrypted reports can get exposed
-
<ro1m> and for accountability with one shared private key, you cannot tell who decrypted/read what.
-
br-m<eddie:oblak.be> > <@gan:skhron.org> Encrypted data could be addressed to multiple recipients
br-m<eddie:oblak.be> so you could send to 1 generic email address, while still addressing several public keys?
-
<ro1m> does that make sense?
-
<ro1m> that's just my thought like I said
-
br-m<gan:skhron.org> @eddie:oblak.be: gnupg.org/gph/en/manual.html#AEN111
-
br-m<gan:skhron.org> > To encrypt a document the option --encrypt is used. You must have the public keys of the intended recipients. [...]
-
br-m<eddie:oblak.be> well that seems like clean option, you don't have to share personal emails on the internet, only the keys (which are public anyway)
-
br-m<gan:skhron.org> ro1m: you can't tell that with a master key either
-
br-m<gan:skhron.org> Sorry to say, but some trust is always expected
-
br-m<eddie:oblak.be> @gan:skhron.org: yeah, it is so common to have for example a "support@bla" email that is being managed by a team of people.
-
br-m<eddie:oblak.be> the dispatching is another mechanism
-
<ro1m> Yeah I think we're agreeing. I worded that badly, I meant a shared master key doesn't provide good redundancy/accountability. Multi-recipient encryption to individual maintainer keys seems much cleaner.
-
<ro1m> one public disclosure address, reports encrypted to several public keys
-
<ro1m> so if someone leaves you remove their key going forward instead of rotating one shared private key
-
br-m<gan:skhron.org> oh fuck, I'm a dumbass probably, ro1m is probably responding to the other person (i.e., selsta) commentary
-
br-m<gan:skhron.org> ah shoot
-
<ro1m> Yeah exactly, I was responding to the master-key idea, not arguing against multi-recipient encryption
-
<selsta> i guess multiple recipients would work if it's documented