02:36:31 PSA: everyone needs to remove your offers IMMEDIATELY, there is a protocol exploit being actively used
02:36:44 From woodser, re haveno/retoswap
06:14:12 I was actually gonna ask here about RetoSwap, bc's the only method to get Monero without KYC. But people have warned me that (even without a protocol exploit), it's easy to get scammed when trying to trade. What are y'all's experiences with RetoSwap?
06:15:18 Scammed how - to be specific?
06:15:42 Fiat buyers are very safe, they don't really have any risks. The seller side is different with potential for chargebacks and rogue arbitrators or like today, exploits.
06:15:48 @ofrnxmr:xmr.mx: Ugh that's just great.
06:22:15 @monerobull:matrix.org: Ok, I see. Is there any data besides individual anecdotes to help gauge how likely I am to get scammed while trying to buy monero on there? I'd probably be ok with a chance <5%
06:22:52 It's less than that
06:23:04 It's probably less than 5% even for sellers
06:24:22 Ok cool. Then perhaps I'll roll those dice once the exploit is patched
06:24:45 In the two years that it's been running I've seen 1 person complain about it, someone bought XMR via amazon giftcard from them and amazon later removed the credits because they were bought with a stolen credit card
06:33:58 How does the chargeback work in that scenario? Fiat buyers can charge back XMR that they trade for fiat after the transaction? > <@monerobull:matrix.org> Fiat buyers are very safe, they don't really have any risks. The seller side is different with potential for chargebacks and rogue arbitrators or like today, exploits.
06:34:29 if you buy xmr with fiat there is nothing that can really go wrong
06:34:53 if you are the xmr seller, someone could send you fiat and then do a bank chargeback after you released the XMR
06:35:21 Ohh, ok that makes sense, ty
06:35:46 but i haven't heard of anyone this has actually happened to so far.
Just stay away from paypal, that's the easiest to charge back
07:09:51 you could be sent fake fiat though.
07:11:52 How?
07:12:24 Like, if it's cash by mail, Like, you mean fake cash via cash by mail, or invalid giftcards?
07:12:52 BlueyHealer: yes, that's rather easy to execute
07:15:51 Can the seller not verify this&
07:15:53 ?
07:20:34 https://monerospace.org/ this looks great.
07:20:49 nonetheless that's why we have trader volumes an reputation systems in place, as Timothy May have intended
07:20:50 s/an/and/
07:20:51 Verify what?
07:21:30 Like, that the payment isn't fake?
07:22:11 With non-digital methods, that's rather hard
07:23:27 Can ya yourself think of any method to verify that? even with gift cards, a lot of systems don't exactly always support delaying the activation nor have systems for checking validation either
07:23:48 Like, I'm pretty sure the validity of giftcards can be checked on the respective websites (I recall at least the Visa ones having such). As for cash - I don't think about this because cash by mail is illegal here, but that's a problem for everyone dealing with cash and I don't see people worrying about this much.
07:24:24 Which "universal" giftcards don't support checking?
07:25:49 Not totally sure to be honest, my statement was more theoretical in its outline and somewhat generic because I have to assume a lot
07:27:59 BlueyHealer: Not like the state in your case cares in general, you can send cash via parcel lockers, and intra mailing isn't always properly checked, plus that'll be just an administrative fine
07:28:05 but that's beside the point
07:28:53 "Just an administrative fine"? wtf
07:29:07 I mean I'm unnerved at how casually you dismiss that
07:29:56 Like, when LM was around (rip), I haven't seen any cash by mail offers either.
07:30:14 Why I would not?
07:30:15 What exactly the issue with that?
07:30:50 LM wasn't really used in your state, as TG was always more popular for that, furthermore they applied sanctions at the end of their lifetime
07:31:14 Like, that'd still go on record. And I kinda assumed that if you're caught doing that repeatedly, punishments could get more severe...
07:32:51 Should check if it's like this though. Otherwise everyone would just treat fines like this in general as a potential extra cost...
07:34:02 That's what exactly drugs users do in fact
07:35:20 I've heard that Western drug users use mail, but don't understand that, this seems risky AF and relying on a pinky promise not to look too closely and open. Also there you can receive parcels without signing a form, while here you basically have to acknowledge "yes I was expecting this to come".
07:36:07 Drugs are instead delivered by couriers doing, ahem, "geocaching". Saw some of those fuckers doing their job, they were so shameless they weren't even bothered by my presence :/
07:36:22 Personally I have some administrative penalties, you're aware that you can murder a person and find a job afterwards after you'll be freed, do you actually think that administrative penalties that's so controlling of your employment status in the future?
07:37:11 Also I have seen the results of their "activity" right in our building. And it seems like this problem is EVERYWHERE. A lot of the buildings around even have warnings not to let strangers in for this exact reason.
07:37:24 Sorry for venting I'm just mad at those fuckers.
07:37:30 BlueyHealer: kladmanning isn't the only option, grey area elements like sale of canna seeds could be delivered to parcel lockers easily
07:37:54 do you actually think that administrative penalties that's so controlling of your employment status in the future? <- I'd think yes. And do they not get bigger when you do it repeatedly?..
07:38:05 Sorry this dismissing of illegality feels just alien to me
07:38:38 BlueyHealer: eh, depends on the offense in all fairness
07:38:46 kladmanning is not the only option but it's apparently the most common, and I hate that I can see traces of it in daily life :/
07:39:29 Also, would they not confiscate the money in the envelope too? Or just return to sender and then fine them?
07:39:35 BlueyHealer: Uhh, if the daddy state will tell that it's le hecking illegal to use Monero, you'd depart yourself from here?
07:40:04 BlueyHealer: It's usually confiscated and counted towards the fine
07:40:29 oh
07:41:03 So if it's bigger than the fine, it's just confiscated in its entirety? And given that cash by mail offers tend to have INSANE minimums, who would risk that?
07:41:10 really rich people?
07:42:01 As for laws - I just don't understand willingly risking your arrest or fine, I just don't understand people living without a self-preservation instinct.
07:43:03 But I should re-read the law personally, it didn't happen to me even once, but it did happen to my contact in Arhangeljsk, as far as I recall, the fine was rather small
07:44:13 BlueyHealer: We live only once, sucking the state big time is quite uninteresting in my opinion
07:44:22 "Rather small" for some people can mean even like $100, some people are just rich
07:44:53 It's not "sucking the state", it's "being able to afford anything but the groceries" or "not being in prison"!
07:45:27 Like, prison terrifies me because PTSD is NOT CURABLE. So, like, that's only a tier below rabies in the scary disease chart.
07:45:43 BlueyHealer: You get paid ~400 USD working at Ozon, sure, somebody who lives in real Russia, they should move already
07:46:27 BlueyHealer: You'll be jailed for such offenses, not imprisoned
07:47:41 But jail is still more than capable of giving PTSD to a normal, if very soft and gentle, person. So no difference.
07:48:32 I doubt such people will be dealing with Monero in general
07:52:08 depends
07:52:56 Anyway, I feel there's just a fundamental mismatch in how our brains work in terms of risk assessment, so I guess discussing that is kinda unproductive.
07:53:26 Like, I just don't understand thrillseekers, but am fascinated at how they're real.
08:03:40 Like, can't believe there are people who think they could survive *jail* without PTSD. Are they just that strong or do they not know PTSD currently has no cure?
08:05:00 I was jailed for participating in a protest, still alive as you can see
08:07:17 Not about "being alive", more like "having trauma and never being the same afterwards"
08:07:25 Which is, like, horrifying
08:08:22 You should read about the Network Case, despite being tortured, the guys still survived it just alright
08:09:26 anyway, this is very offtopic, I think that at least abusing parcel lockers for exchanging Monero was somewhat on the topic
08:10:39 Yeah I know about that, but not read in detail because I want to sleep at night
08:10:47 Just alright? No trauma at all?
08:10:56 I just know people get it for less
08:13:37 But yeah, 100% agree about it being offtopic. And I don't think there's much point to a discussion either. Like, I know I'm not crazy resistant to trauma like this, I know I'm risk-avoidant and will always be, I don't comprehend how people operate in any different way, and thus there isn't really anything that can be explained or reasoned.
08:35:21 @gan:skhron.org: How do you believe you got made?
08:44:15 @pyratevevo:matrix.org: Huh? to answer literally - I'm made out of the pretty weak flesh
08:45:08 Also as much as I have a habit of commenting-in-place, this is rather offtopic :P
13:08:09 i think modern society made a lot of people that they're more mentally weak that they actually are > Like, can't believe there are people who think they could survive *jail* without PTSD.
Are they just that strong or do they not know PTSD currently has no cure?
13:09:43 same as ganza i was attacked by riot police and taken into custody during a protest and even if for some month after that i had a lot of fear issues when seeing riot police, well i'm still alive and it went off
13:10:16 "alive" =/= well tho
13:10:34 I mean, I'm openly queer in Russia 🚎
13:10:47 Like, I can't imagine being "ok" after that. Because, like, I know that trauma can't be cured, only treated.
13:11:50 Those who are afraid will never taste the fruit of true liberty 🧌
13:12:13 people online get "attacked" and "damaged" for texts, i don't know how wild it is, and saying you get ptsd for light stuff (jail is not a light stuff, i just say it's not as hard as the original concept of the ptsd) when you compare the concept of ptsd that originated in the war veteran, man that's clearly a different concept
13:13:08 @gan:skhron.org: kinda true, like, since i accepted the idea that it's better and actually easier to not get caught than to try to follow all of the rules, life has never been easier
13:13:21 Eh, I was grabbed and thrown into a clown car, if I've resisted that could've been a lot worse of course
13:13:45 I am pretty average, don't do illegal stuff, but I will almost always avoid passing police
13:14:54 Maybe that's trauma, idk, but I just don't trust police at all
13:15:04 Anyway, I don't think there's anything to explain. Some people are just thrillseekers and mentally tanky.
13:15:42 I was under the impression that jail could give a really meek, soft person PTSD for real
13:16:37 I don't think anyone is the same person coming out as they were going in.
13:16:40 Like, that's just different brain frequencies, metaphorically speaking
13:16:47 soft/hard..
doesn't matter
13:17:22 like for example you could take a very old vehicle, heavily modify it yourself, make it run on "special" fuel that cost waayyy less, pay government workers to manage to get papers in order, and what would happen?
13:17:22 or you could go get a loan that will chain you, buy a new vehicle that would break down in 4 years because one security thingy in plastic decided to break, and if you don't give it the official government approved fuel it will not start
13:17:31 losing your freedom like that is probably the most traumatic one can experience.
13:19:30 Anyway, my point was that most people aren't like this and thus mostly interested in normal people way
13:20:06 idk about most people, i also think that most people will not end up in jail nor wake up, nor have to face anything hard
13:20:24 beside obviously the collapse of the western society economically
13:20:36 that will hit a bit most people
13:31:30 Wake up from what? Like, you can be aware of the ills going on, and just as aware of the limitations of your own agency, and make peace with that.
13:33:41 daily reminder to perform your reality check to confirm this is not a dream and we're reading the Monero matrix chat
13:33:49 brb enjoying my lucid dream
13:35:09 Thanks, I've been doing that a while ago. Kinda miss having lucid dreams consistently.
13:35:33 * BlueyHealer looks twice at the watch to check that the numbers it shows are consistent
13:43:33 I personally don't mind topics that are directly related to Monero's mission like internet privacy and freedom etc.
13:45:26 true, although I have led the convo away from that and into being puzzled about self-preservation in general
15:27:58 Does anyone know when the next payout batch is? How often are the intervals?
15:29:27 payout batch of what?
15:29:33 For bounties
15:29:37 maybe you say hello while joining the room
15:29:47 pardon?
15:29:52 np
15:29:52 :D
15:31:08 for bounties, there was a core software release, and then some issues with gitlab - so availability to organise/perform bounty payouts has been affected
15:32:35 Thanks for the info. Do payouts usually happen on a fixed schedule/batch interval, or is it usually just manual depending on maintainer availability?
15:32:58 btcdwed my mistake haha
15:33:25 if you say hello, or show socialized behaviour
15:33:30 someone will answer your question faster
15:33:34 :P
15:33:38 yep, that was my mistake, understood
15:33:47 hi plowsof o/
15:33:49 i'm very new to libera chat
15:33:54 np burh, yw
15:33:56 bruh
15:37:20 any idea as well for the "CC all points of contact", is there supposed to be more than just luigi1111, I don't think I'm missing anything, am I? https://github.com/monero-project/meta/blob/master/VULNERABILITY_RESPONSE_PROCESS.md#i-points-of-contact-for-security-issues
15:41:45 I would just assume that luigi1111⊙go is the proper email to send it to, it's weird that the pgp email isn't aligning though.
15:43:35 i was getting a recipient's key validation failure. the defined sending key on the public key is `luigi1111w⊙gc`.
15:48:45 ro1m: did you submit it on hackerone? or only per email?
15:48:52 email
15:50:25 and did you receive a reply?
15:50:35 or why do you think you are getting a bounty?
15:51:53 No, I forgot to clarify that it's only been 1 business day so far. Documentation says to expect 3 business days, as for your bounty question, what do you mean? Email is the place to submit possible vulnerability findings, along with hackerone as an alternative option, am I correct?
15:52:10 we are receiving a ton of low quality AI submissions on both hackerone and email
15:54:16 Lots of programs are having that issue, unfortunately.
15:58:04 This is false. Nohello.net > if you say hello, or show socialized behaviour
16:00:23 ro1m, your report will be looked into and you will receive a response.
Hackerone is preferred, and the gmail is a better place to send to. The getmonero email is flooded with spam
16:01:01 ofrnxmr, interesting, should I still send pgp encrypted or no? and could you verify the gmail?
16:01:12 I would assume pgp encryption still 😅
16:03:08 can you send the report to me over IRC? my gpg key is in the repo
16:03:39 if you just send it to the email it might get lost due to regular spam and nonsense vuln submissions
16:05:26 ^^ selsta is the one to talk to right now
16:05:38 (i handle reports submitted to hackerone, not email usually)
16:05:48 okay, thank you, I have to help my kid, be right back
16:08:02 selsta what's your fingerprint?
16:08:31 29A5 B386 FB94 3B68 4FBF 7BBD 2EA0 A99A 8B07 AE5E
16:13:41 Hi btcwed 0/ , ah its hackerone selsta thanks
16:52:35 we have a gmail account? lol
16:52:59 I was thinking it, you're saying it 😅
17:20:28 yes please don't send vuln emails to getmonero email addy. It's really unusable
17:21:30 ofrnxmr: HELLO :P
17:23:55 luigi1111: Maybe update the page to reflect this preference?
17:24:11 I can assure you that would help a lot of people
17:24:59 At this point method "a" to submit something is by email, but it seems here it should be "b"
17:27:38 Perhaps it's a filter for low-effort AI spam
17:30:00 that's just annoying if you're a legitimate researcher
17:30:13 there should be other methods to combat spam
17:31:26 you could scrap email altogether if it's unusable
17:32:02 I just want to put the thought inside your head to make sure to stop receiving reports over email, but make sure to check every one after that ;)
17:41:22 hackerone is definitely preferred. email to gmail is possible (can encrypt) since their spam handling is much much better
17:41:58 the problem with hackerone is your reporters are frequently "afraid" of reporting.
17:42:16 since reputation and signal requirements for newer hackers.
17:43:13 that doc def needs updating. Selsta should be on there and maybe others(?).
Moo I don't think is active around there either
17:46:45 Is https://forum.getmonero.org/8/funding-required/87597/monero-bounty-for-hackerone suppose to be working?
17:47:15 supposed*
17:56:11 no
17:56:30 doc needs updating
18:00:36 Is the spam flood because of normal people using AI to find hallucinated vulns and then report it via email. Or because of automated spam emails that have nothing to do with vulnerability disclosure?
18:01:38 No, it just from automated bulkshit emails
18:01:50 But you can add ai garbage to that now too
18:02:48 It's been flooded with trash for a long time. The getmonero repo has 5 million spam accounts. You can imagine how many emails are sent to the getmonero email
18:02:51 @eddie:oblak.be: "normal people", an interesting way to phrase blatant stupidity
18:03:41 Yeah, I am trying to think how this can be solved without having to rely on google
18:04:09 How about get AI to process the AI generated report, to judge if it's AI or not. Sounds like a really good idea.
18:05:20 My first thought is to have a submission form with a proof of work captcha
18:05:22 "Selsta should be on there and maybe others" <-- i don't like having my contact in that doc, maybe we can find a different solution
18:05:55 @eddie:oblak.be: https://libroot.org/posts/project-nojscap I found this recently and I like the concept
18:07:10 it cannot be solved without other operators and client sharing
18:07:10 client?
18:07:12 what the fuck
18:07:13 how I wrote that
18:07:14 sharing lists*
18:07:15 ro1m: No, even more shitter idea
18:07:36 Sarcasm :]
18:09:10 @gan:skhron.org: Anyway, creating garbage with abominable Intelligence is always easier since its the main purpose of bullshit generators than creating something of value, defining what's valuable is even harder
18:09:13 selsta: Ideally you have something like "disclosure⊙go" where the relevant people have access to
18:09:39 i thought about that but we all have different gpg keys
18:09:45 so i guess there would be one master key
18:14:55 selsta: would that be a big problem?
18:15:11 it doesn't solve the spam problem of course
18:17:19 You lose accountability that way, along with offboarding is a terrible process and then there's no redundency under any circumstance of a compromise
18:17:26 redundancy*
18:17:37 I'm not selsta though
18:18:30 selsta: Encrypted data could be addressed to multiple recipients
18:18:39 see the output of "gpg --encrypt", it explicitly asks for "recipients", and in my experience neomutt supports setting multiple of them just fine, can't say much about clients
18:18:43 ro1m: what?
18:19:19 How a fucking master key would provide more redundancy? not to mention that somebody being "accountable" could just use their fucking key?
18:19:34 offboarding, as in you don't want a maintainer to have access anymore, you would have to rotate the whole key and tell all researchers to use the new one, along with if one machine gets malware (as in private key leak) all encrypted reports can get exposed
18:19:49 and for accountability with one shared private key, you cannot tell who decrypted/read what.
18:19:51 so you could send to 1 generic email address, while still addressing several public keys? > <@gan:skhron.org> Encrypted data could be addressed to multiple recipients
18:20:35 does that make sense?
18:20:41 that's just my thought like I said
18:22:22 @eddie:oblak.be: https://www.gnupg.org/gph/en/manual.html#AEN111
18:22:22 > To encrypt a document the option --encrypt is used. You must have the public keys of the intended recipients. [...]
18:23:19 well that seems like clean option, you don't have to share personal emails on the internet, only the keys (which are public anyway)
18:23:46 ro1m: you can't tell that with a master key either
18:23:47 Sorry to say, but some trust is always expected
18:24:32 @gan:skhron.org: yeah, it is so common to have for example a "support@bla" email that is being managed by a team of people.
18:24:41 the dispatching is another mechanism
18:24:57 Yeah I think we're agreeing. I worded that badly, I meant a shared master key doesn't provide good redundancy/accountability. Multi-recipient encryption to individual maintainer keys seems much cleaner.
18:25:07 one public disclosure address, reports encrypted to several public keys
18:25:17 so if someone leaves you remove their key going forward instead of rotating one shared private key
18:25:44 oh fuck, I'm a dumbass probably, ro1m is probably responding to the other person (i.e., selsta) commentary
18:25:46 ah shoot
18:26:44 Yeah exactly, I was responding to the master-key idea, not arguing against multi-recipient encryption
18:28:12 i guess multiple recipients would work if it's documented
19:26:57 Is there a reason why it says I'm banned from #monero-pools?
19:27:16 #monero-pools *
19:27:59 moved to Rizon network
19:28:07 ah okay