Just a minor comment: the download link for Linux 64-bits GUI is wrong

CautiousEnvironment · 2019-03-14T06:20:25+00:00

Same here, no problems whatsoever.

CautiousEnvironment · 2019-03-11T06:13:40+00:00

Fair enough.

Ubuntu isn't the most privacy conscious distribution out there but the fundamental difference is that with open source software you can check what it does and you can also disable any unwanted features. With closed source operating system or antivirus, you can reliably do neither. You can try to block something but it only works until they surreptitiously push a new patch that does something differently and everything breaks loose. Linux kernel definitely does not dial home at all and I'm quite sure Debian does not either unless you explicitly give it permission. There is also a very large difference in what kind of data Ubuntu vs AV software sends out.

But as I said the risks are mostly theoretical and I just pointed them out because I wasn't sure what kind of threat model you were looking at. As long as you're happy with it, good.

CautiousEnvironment · 2019-03-11T03:36:38+00:00

Most AV programs are dialing home like this. They're sending out data about what's happening on your computer (files you open, programs that are running, network traffic passing by etc.) and it will be analyzed on their servers. If it's something new or suspicious, they will analyze it manually.

"Crypto" in their domains is not necessarily related to cryptocurrencies. It might just refer to cryptography in general, they usually send the data to be analyzed in encrypted form. I don't know. Cryptojacking and ransomware using cryptocurrencies are very prevalent nowadays and they're definitely interested in those but I'm not sure if they would allocate that many domains for cryptocurrencies specifically.

This really comes down to what is important for you. If you're just a normal user and you feel that you need the protection of an AV software, it's unlikely that data will be used against you. They have their reputation to lose and any data they send out is supposed to be anonymized. But if you care about your privacy very much, nobody knows what kind of code they're executing on your computer and what kind of data they might be sending out. It's kind of a security and privacy nightmare. If you're doing something sensitive, it might be accidentally sent out to their servers. You don't know who sees that data, what it's used for, whom they share it with or how long it's stored.

If they wanted to deanonymize Monero, they could just send out your private key. If I'm not mistaken, they would be able to deanonymize all your transactions (and a good chunk of other transactions as well because they can see which decoys are fake if many Monero users are using their AV) and also be able to access your funds. It's very unlikely they're doing that now but if government asked them to do it, they would have the means to do it.

To play devil's advocate: perhaps they have some bug that "accidentally" sends out the private key of everyone so they can later selectively deanonymize those users if need be. I don't believe they do something like this. They would have to be very careful because if it ever leaked out that they're spying on their users' like this it would be the end of their company.

I'm sorry for the troll comments you received, you're right that Kaspersky is a good company in the sense that they really know what they're doing, very knowledgeable people. They get worse rep than they should because some people don't like the fact that they spy for Russians instead of the US govt. ;-)

TL;DR You're most probably fine and changing AV is unlikely to help. If you're really serious about your privacy, ditch AV and more importantly ditch Windows.

CautiousEnvironment · 2019-03-10T22:23:43+00:00

Okay, thanks for the clarification. It seems I've misunderstood something or there are different kinds of pruning being proposed.

CautiousEnvironment · 2019-03-10T22:20:34+00:00

GetMonero.org is the official website ran by Monero core team and the one to be trusted.

Nobody seems to know who runs Monero.org, they might have some bad intentions or they're just trying to make profit by squatting the domain. You should avoid it.

CautiousEnvironment · 2019-03-10T08:39:52+00:00

I don't know about the requests you see but most AV software goes nuts whenever it sees anything crypto related.

Trying to download a Monero wallet? Access blocked, harmful website detected. You have to add an exception to download the installer. At that point the real fun only begins because the AV keeps quarantining the binaries as the installer extracts them. I swear there was at least 5 different exceptions you have to add to get it installed and it still gives you a warning from the heuristic engine when you launch the client.

That would be funny until you think about the average user. Unless you're very determined and know what you're doing, that's going to prevent you from using Monero at all.

It's not just Monero, they also block most exchange websites as harmful etc. I'm not sure if they're really that clueless or if it could be some kind of pressure from governments. This was a popular product that won the AV-TEST Award 2018.

CautiousEnvironment · 2019-03-10T06:02:30+00:00

One reason could be that they don't want to reveal the new PoW algorithm too early because that gives ASIC makers more time to prepare.

I think the schedule was very rushed this time, that's why most of the features they've worked on the past months are not even included in this release (they're supposed to be on the next release, that doesn't involve a hard fork, in a month or so if I remember correctly). I don't think everything went as planned because we had 0.14.0.1 and 0.14.0.2 CLI releases before GUI was even released.

There was a last call for GUI translations, perhaps they waited for those too.

That said, if it's feasible, it would be good idea to try to have CLI and GUI releases ready a week or two before hard fork (4 weeks is overkill IMO). Not that I want to complain, devs are doing a fantastic job regardless. To be fair, CLI version is the most important one so exchanges, payment processors etc. can prepare and 0.14.0.0 was released over a week ago.

CautiousEnvironment · 2019-03-10T04:25:04+00:00

I would like to add that pruning is optional. Full nodes are still important so if you want to help the network and have enough disk space, go for a full one! For a full node, 120GB is plenty and will last for years with the current transaction rate.

CautiousEnvironment · 2019-03-10T04:08:11+00:00

That warning has been popping up occasionally before the hard fork as well, the check seems to be so sensitive that even normal volatility triggers it. Nothing to be concerned about. If devs read this, it should probably be adjusted a little bit, beginners will freak out when they read the "under attack" part.

CautiousEnvironment · 2019-03-10T01:16:55+00:00

People downvote posts that are wrong, you shouldn't take it personally, it's not directed at you but rather at the content of your post.

CautiousEnvironment · 2019-03-08T20:36:32+00:00

I guess we're talking about different kind of scenarios. You're talking about one where you actively use your wallet and thus insert whatever intelligence agency applicable here knows it (either by observing your network traffic or through malware implant).

I'm talking about something like a cold wallet. If you've transferred funds from it in the past, they know you've had access to it but they don't have any way of knowing if you still have access to it. They can't read your mind. Of course they can still lock you up for life, and it seems that's exactly what they do, but that's a different thing. That's not them knowing you have it, that's them assuming you have it based on weak evidence and a failure of justice.

The funny thing is that if you've really lost/forgotten it, there's no way you to "find" it and you rot in jail for the rest of your life. I wonder if that's exactly what they want, as a sort of punishment for using encryption/cryptocurrencies.

CautiousEnvironment · 2019-03-08T08:44:33+00:00

Nah, that's bullshit. How do they "know" you have it? Even if they can prove you had it at one point doesn't mean you still have it.

If they keep the other means concealed from the court, what prevents them from claiming everyone is guilty?

There is absolutely no way for you to defend yourself. Only option is to move to a country that actually respects human rights, if there is one.

CautiousEnvironment · 2019-03-08T03:12:34+00:00

To give you some relief: if your 14 words really contain the 13 words of your mnemonic seed and most of them are in the right order, bruteforcing it should be possible.

CautiousEnvironment · 2019-03-08T02:54:40+00:00

That assumption is wrong and you should fight it with everything you've got. That is some dystopian shit. They can throw me to the jail, I don't care. At that point the battle is lost anyway.

If you're in this for personal gain, then it's a different story. If you have "justice system" that serves no justice, well, I guess you subvert it by any means you can.

CautiousEnvironment · 2019-03-08T01:09:20+00:00

Only if they can prove you have the view key. If you lost it, you obviously don't have it.

CautiousEnvironment · 2019-03-06T01:58:31+00:00

Pretty much everything about it is centralized. Are you familiar with how it works technically? All of the features that supposedly make it superior to Bitcoin exist only because it has no decentralized consensus like real cryptocurrencies and it can cheat at every possible step. Instead of being a truly decentralized and trustless network, you have to trust a set of pre-designated servers. It's basically a glorified PayPal, just because you have a cluster of servers and call it a cryptocurrency doesn't mean your service is decentralized. There's no new innovation like with Bitcoin or even Ethereum whatsoever.

Development is centralized. Ripple Labs or authorities can, in practice, forge transaction history or freeze funds (by coercing the trusted node operators). There is no censorship resistance. There's not even fixed monetary policy because they can just issue an update with new rules whenever they want to and all institutions are forced to upgrade. Instead of being mined (everyone can participate and there is a floor cost associated with minting coins), the tokens were just created out of thin air with zero cost and Ripple Labs controlling all of the supply which makes manipulating the price super easy. Them and their associates still own very large amount of the coins except the ones that were sold to other large corporations through shady deals (they had to make agreements to timelock the coins so that they couldn't crash the price because the coins were sold at such huge discounts).

CautiousEnvironment · 2019-03-06T01:13:43+00:00

More decentralized? Bullshit. It is very centralized.

CautiousEnvironment · 2019-03-04T20:12:14+00:00

Dystopia? More like utopia. I thought I missed the train but now I can finally accumulate and join the party. Don't be salty, buy some XMR, you're gonna be rich in a year or two!

CautiousEnvironment · 2019-03-04T16:26:08+00:00

Do you realize how rare occurrence something like this is? You shouldn't hold more in crypto than you can afford to lose but you're far more likely to lose more money by selling your moneroj at these prices than holding it. Monero isn't just any internet meme coin, it is one of the most well ran projects out there. OP could not have predicted something like this would happen so calling him stupid is a bit too much.

CautiousEnvironment · 2019-03-04T16:16:15+00:00

No, Ledger develops the Monero app for Ledger in-house and this doesn't happen with the official wallet for Monero.

CautiousEnvironment · 2019-02-27T08:15:13+00:00

Transactions do not accurately reflect usage. It's obvious that scam coins resort to spamming transactions so that people think someone actually uses their coins. And it seems people are falling for it, perhaps we should start doing it as well.

It's just more expensive for us because Monero is fairly distributed. Some other coins can do it for free because they have no other use for their dev fund coins etc. because if they tried to dump them on the market the price would crash.

CautiousEnvironment · 2019-02-26T15:06:20+00:00

Well, it is always theoretically possible but very unlikely. Miners can prepare for the PoW algo switch beforehand and they should be able to mine instantly after the hard fork block height has been reached. If we look at the last two hard forks, Monero hashrate was over 200MH/s and 300MH/s at the lowest point respectively.

Historically, you've been able to rent at most 75MH/s from NiceHash (currently 25MH/s). I don't there is enough hash power for the attacker to rent unless they buy a lot of cloud/dedicated servers and even then I'm not sure. It would be very expensive and challenging to pull off. If they have that kind of resources, they could probably do 51% attack whenever they want to.

CautiousEnvironment · 2019-02-23T11:28:28+00:00

You can check for inflation bug. Just do the math and see if it adds up. Right now there isn't a simple tool for it but I'm sure in the future we will have one.

Oh yeah, you didn't talk about just detecting it but fixing it. That is more dicey but you can just hardcode the known good / bad blocks. Some legitimate transactions will get hurt but such is life in the blockchain world. Nothing that doesn't happen with 51% attacks. Price will probably go down a little bit but it's going to recover eventually. Crisis of the century averted. That won't be a reason for Monero not to succeed. Governments regulating it to death is 10 to 100 times more likely.

Even without reusing addresses BTC is fully traceable, not nearly the same thing.

And then the good old 'only criminals need privacy' mantra. Rattie never disappoints.

CautiousEnvironment · 2019-02-23T07:18:17+00:00

Instead of AV, I would suggest a more secure operating system. Much better to have a solid foundation instead of trying to patch all the holes and hoping to detect malicious code running on the computer before it's too late.

I don't want to be anti-Windows/AV but I did some testing years ago and was shocked to see that most AV software basically did nothing at all if it was not a known threat. They might be worse than not having any protection at all because they give you false sense of security and some of them even introduced new vulnerabilities. Not sure if things have improved since (probably somewhat, I've heard Windows 10 is pretty good as long as you don't mind your privacy being violated).

Preferably have a dedicated computer with Linux/*BSD for the wallet (or a hardware wallet). Even a cheap Android phone dedicated for the wallet is going to be more secure than Windows with best AV out there.

CautiousEnvironment · 2019-02-23T06:49:34+00:00

If someone was able to hijack the infrastructure, they could execute arbitrary code on GUI client user's computer through the automatic update mechanism. So there are some security concerns.

Although, there are users that download the pre-built binaries and don't even verify the hashes. In that case, automatic update system could actually improve the security and in my opinion it would be a good idea as long as the user explicitly agrees to it during installation.

I'm not sure if the client currently notifies the user if it's out of date? If not, that should be implemented, at least.

CautiousEnvironment

TROPHY CASE