5w00p
March 25, 2015, 05:28:23 PM
Darksend. What a joke.
IlluminatedForAllToSeeSend is more like it.
othe
March 25, 2015, 05:28:43 PM
> The wallet won't let you "Darksend" funds that have not been through the mixing process.
Wut? Mixing started here: http://explorer.darkcoin.io/tx/a8703c9911b84af403be436cad8bc9f3b85424e825b54ace01eaaec9ebb0d965 took 14 hours - and it's damn easy to find where I started mixing as there was only 1 address with nearly the same amount of coins in that timeframe. Now imagine someone who earns his money with statistical analysis wastes resources to find such "evidence" ....
majamina
Member
Offline
Activity: 112
Merit: 10
March 25, 2015, 05:30:37 PM
> You're not factoring in denominated units (and subsequent rounding at send) and "dead change" being sent to the network to remove linkages in future tx's.
> It was a simplified example explaining transactions in general. Remember: the issue we're discussing is the average user inadvertently deanonymising themselves. Dead change and denominated units do not solve the problem when the user has 50 DRK in their account, they send 20.72368 DRK to pay for some dodgy item, and then because they have some crisis they empty their wallet and deposit the entire remaining 29.27632 DRK on an exchange. Normal actions resulting in unavoidable and unwitting deanonymisation.
> Yes this is a problem when the wallet can have "standard coins" and "anonymous coins", you can accidentally send the wrong coins. There should be two wallets imo, one that only allows "Darksending" and another that wouldn't have mixing at all.
Good point....or the wallet needs to develop to more clearly show how funds are mixed and associated with transactions. I guess the argument is that better anon, e.g. XMR, doesn't have such issues, which is fair enough...
majamina
Member
Offline
Activity: 112
Merit: 10
March 25, 2015, 05:32:15 PM
> Darksend. What a joke.
> IlluminatedForAllToSeeSend is more like it.
Why not make a reasonable contribution to the thread. Perhaps we can have two threads:
1. XMR vs DRK - reasonable, friendly debate
2. XMR vs DRK - mud-slinging and trolling
fluffypony
Donator
Legendary
Offline
Activity: 1274
Merit: 1060
GetMonero.org / MyMonero.com
March 25, 2015, 05:33:47 PM
> but if you need to take out (arbitrary figure) 75% of the network to kill it, you don't need to ultra-secure any of it if you assess that taking out 75% is impractical...
We don't want to kill it, we just want to own that arbitrary amount through a combination of legal wrangling (e.g. forcing the operator to hand over control or throwing the operator in prison so we can take over his MN, via the SEC or FinCEN or the IRS or similar), rubberhose cryptanalysis attacks (beating the operator with a rubberhose until he gives us access to his MN), court orders to the datacenter or VPS provider, or plain ol' hacking. Some of those methods will throw up warning sirens among the community, because not all operators will obey gag orders etc., but some of them can be done without the operator even knowing their MN has been compromised by LEA. If LEA starts with the surreptitious methods and manages to compromise, say, 50% of the MasterNodes, then by the time they start using more obvious tactics to compromise the remainder it will be too late for the community to suddenly react and fix it. Therefore, the securing of MasterNodes would have to be absolute, indelible, ongoing, and without failure or slip-up.
majamina
Member
Offline
Activity: 112
Merit: 10
March 25, 2015, 05:40:13 PM
> but if you need to take out (arbitrary figure) 75% of the network to kill it, you don't need to ultra-secure any of it if you assess that taking out 75% is impractical...
> We don't want to kill it, we just want to own that arbitrary amount through a combination of legal wrangling (e.g. forcing the operator to hand over control or throwing the operator in prison so we can take over his MN, via the SEC or FinCEN or the IRS or similar), rubberhose cryptanalysis attacks (beating the operator with a rubberhose until he gives us access to his MN), court orders to the datacenter or VPS provider, or plain ol' hacking. Some of those methods will throw up warning sirens among the community, because not all operators will obey gag orders etc., but some of them can be done without the operator even knowing their MN has been compromised by LEA. If LEA starts with the surreptitious methods and manages to compromise, say, 50% of the MasterNodes, then by the time they start using more obvious tactics to compromise the remainder it will be too late for the community to suddenly react and fix it. Therefore, the securing of MasterNodes would have to be absolute, indelible, ongoing, and without failure or slip-up.
When you say 'take over his MN' what are you actually describing? Denial of service? Snooping traffic? Replacing the daemon with a compromised version? Need to understand what you actually mean and how it relates to security of the network and any information gathering.
fluffypony
Donator
Legendary
Offline
Activity: 1274
Merit: 1060
GetMonero.org / MyMonero.com
March 25, 2015, 05:42:32 PM
> lot of words not much content
> You're not factoring in denominated units and "dead change" being sent to the network to remove linkages in future tx's.
> ^ second proposition today from Fluffy proved to be total BS meaning again he has no idea what he is talking about. still waiting on response to the 3rd Fluffy proposition: P2P network nodes need failovers or the P2P network becomes insecure.
BlockaFett my friend, I can tell you're passionate about this subject by virtue of the massive amounts of insults you hurl and the sheer amount of bold in your replies. However, please remember that this is a cordial discussion, and if I conclude something based on an incorrect understanding I will absolutely admit that my conclusion was incorrect and based on false assumptions or faulty logic. I'm not perfect, I will make mistakes, and I do reach conclusions on a regular basis that are incorrect. Over and above that I am analysing a technology I did not create and that has no formal model I can study, and so much of the data I am working with is based on what I have observed and read about the subject matter, and is thus open to change. All of that does not imply I am talking "total BS" or I have "no idea what I am talking about", it just means that the model I have been forced to construct in my head is in a necessary state of flux. It's also immensely frustrating when I am trying to reply to comments in the order in which they appear in the thread, and in the time it takes me to thoughtfully reply to one person you've submitted 5 posts that consist of:
- "fluffypony once again proves he knows nothing"
- "why hasn't he answered the simple question?"
- "hah such garbage"
- "obviously wrong and complete BS"
- "still waiting on a reply to that question from 3.7 seconds ago??"
Try and chillax, this is a technical and non-technical back-and-forth, not a personal attack on your family and your second child :)
megges
March 25, 2015, 05:43:23 PM
> You're not factoring in denominated units (and subsequent rounding at send) and "dead change" being sent to the network to remove linkages in future tx's.
> It was a simplified example explaining transactions in general. Remember: the issue we're discussing is the average user inadvertently deanonymising themselves. Dead change and denominated units do not solve the problem when the user has 50 DRK in their account, they send 20.72368 DRK to pay for some dodgy item, and then because they have some crisis they empty their wallet and deposit the entire remaining 29.27632 DRK on an exchange. Normal actions resulting in unavoidable and unwitting deanonymisation.
I know you are capable of it, we had a few posts with each other, so I know you are not someone who doesn't understand things. The thing is you are arguing on a wrong assumption about Darksend! It's really not how it works if you use Darksend. I'll try to give an example. If you have 50 drk in addr1, after starting the Darksend denomination process you have (for example):
10 drk in addr2
10 drk in addr3
10 drk in addr4
10 drk in addr5
1 drk in addr6
1 drk in addr7
1 drk in addr8
1 drk in addr9
1 drk in addr10
1 drk in addr11
1 drk in addr12
1 drk in addr13
1 drk in addr14
0.1 drk in addr15
0.1 drk in addr16
0.1 drk in addr17
0.1 drk in addr18
0.1 drk in addr19
0.1 drk in addr20
0.1 drk in addr21
0.1 drk in addr22
0.1 drk in addr23
0.1 drk in addr24
So now all these addresses contain drk which has been mixed in the process of Darksend with other users who also started the Darksend mixture. So there is no direct connection between these addresses. So now you send 20.72368; that means Darksend will use your previously mixed addresses - for this it will be something like: addr2 + addr3 + addr15 + addr16 + addr17 + addr18 + addr19 + addr20 + addr21 - this will add up to 20.8 - you have to pay 20.8, the difference goes to the miners exactly because we don't want any change address!
(you could have also sent 20.8 instead so you won't sponsor the miners) So now these addresses are all gone out of your pool; if you now spend the rest, there is no connection between the addresses used in the first send and the ones used in the second send.
tip me! XtSrWch1U3BsTBFBHj7acTTzxFo1fy5BMa
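The denomination and input-selection behaviour described in the post above, as an added example that is not code from the page or from the Darksend/Dash wallet: a balance is split into the three denominations the post uses, inputs are picked to cover a payment rounded up to the smallest denomination, and the excess goes to miners instead of a change output, so the coins left in the pool share no output with the spend. The per-denomination caps (`CAPS`), the `addrN` labels and all function names are assumptions chosen to reproduce the post's 50 DRK breakdown; the real wallet's selection logic is not known from the page.

```python
from collections import Counter
from decimal import Decimal, ROUND_CEILING

# Denominations from the post, largest first.
DENOMS = [Decimal("10"), Decimal("1"), Decimal("0.1")]
# Assumed caps on how many coins of each denomination are created; chosen so
# that 50 DRK becomes 4 x 10, 9 x 1 and 10 x 0.1, matching the post's breakdown.
CAPS = {Decimal("10"): 4, Decimal("1"): 9}


def denominate(balance):
    """Split a balance into denominated coins, one per (constructed) address.

    Returns a list of (address, amount) pairs; addresses are labels, not real ones.
    """
    remaining = Decimal(str(balance))
    coins = []
    for d in DENOMS:
        n = min(int(remaining // d), CAPS.get(d, int(remaining // d)))
        coins += [d] * n
        remaining -= n * d
    if remaining != 0:
        raise ValueError(f"{balance} is not a multiple of {DENOMS[-1]}")
    return [(f"addr{i + 2}", amt) for i, amt in enumerate(coins)]


def count_by_denomination(pool):
    """How many coins of each denomination a pool holds."""
    return dict(Counter(amt for _, amt in pool))


def select_inputs(pool, amount):
    """Pick coins covering `amount` rounded UP to the smallest denomination,
    greedily from the largest denomination down.

    Returns (chosen coins, amount actually paid, excess handed to miners).
    Raises ValueError if the rounded amount cannot be covered exactly.
    """
    amount = Decimal(str(amount))
    smallest = DENOMS[-1]
    target = (amount / smallest).to_integral_value(rounding=ROUND_CEILING) * smallest
    available = Counter(amt for _, amt in pool)
    need = Counter()
    remaining = target
    for d in DENOMS:
        n = min(int(remaining // d), available[d])
        need[d] = n
        remaining -= n * d
    if remaining != 0:
        raise ValueError(f"pool cannot cover {target} with the coins available")
    chosen = []
    for addr, amt in pool:
        if need[amt] > 0:
            chosen.append((addr, amt))
            need[amt] -= 1
    return chosen, target, target - amount


def spend(pool, amount):
    """Pay `amount`; the inputs used leave the pool entirely, so a later spend
    of the remainder is not linked to this one through a change output."""
    chosen, paid, fee = select_inputs(pool, amount)
    used = {addr for addr, _ in chosen}
    left = [(addr, amt) for addr, amt in pool if addr not in used]
    return chosen, paid, fee, left


def total(coins):
    return sum((amt for _, amt in coins), Decimal(0))


if __name__ == "__main__":
    pool = denominate(50)                       # the post's 50 DRK wallet
    chosen, paid, fee, left = spend(pool, "20.72368")
    print("inputs used:", [addr for addr, _ in chosen])
    print("paid", paid, "| excess to miners", fee, "| left in pool", total(left))
```

With the post's numbers this selects addr2, addr3 and eight 0.1 coins, pays 20.8 with 0.07632 going to miners, and leaves 29.2 in untouched denominated addresses; asking for more than the pool can cover raises instead of silently creating change.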
fluffypony
Donator
Legendary
Offline
Activity: 1274
Merit: 1060
GetMonero.org / MyMonero.com
March 25, 2015, 05:47:56 PM
> When you say 'take over his MN' what are you actually describing? Denial of service? Snooping traffic? Replacing the daemon with a compromised version?
> Need to understand what you actually mean and how it relates to security of the network and any information gathering.
Snooping the traffic won't do much good, you can just use end-to-end encryption to defeat that. It would require some level of access to the machine itself, either remote or physical. For the surreptitious access rootkits would be most appropriate (although not entirely required, less sophisticated options are available if it just has to monitor on-disk logs or watch the daemon's activity in-memory), as they can just monitor the daemon, see what it is doing, and periodically report back. For the more obvious take-overs they would just use the operator or his laptop/desktop to gain access to the box and install their own MN daemon that periodically reports back.
fluffypony
Donator
Legendary
Offline
Activity: 1274
Merit: 1060
GetMonero.org / MyMonero.com
March 25, 2015, 05:54:02 PM
> the difference goes to the miners exactly because we don't want any change address! (you could have also sent 20.8 instead so you won't sponsor the miners)
Ok that's the key element I was missing, that basically there are no change addresses (although if 0.1 is the minimum that means every anonymous payment you make will incur an additional cost of as much as $0.51 at present, presumably this lower bound will decrease in future). BlockaFett: now's the time you do a little happy dance and write lots of bold text about how one of my conclusions was incorrect. You can even call it "BS" and say that I "don't understand anything" if it'll help you with your self-esteem problems :)
majamina
Member
Offline
Activity: 112
Merit: 10
March 25, 2015, 05:57:43 PM
> When you say 'take over his MN' what are you actually describing? Denial of service? Snooping traffic? Replacing the daemon with a compromised version?
> Need to understand what you actually mean and how it relates to security of the network and any information gathering.
> Snooping the traffic won't do much good, you can just use end-to-end encryption to defeat that. It would require some level of access to the machine itself, either remote or physical. For the surreptitious access rootkits would be most appropriate (although not entirely required, less sophisticated options are available if it just has to monitor on-disk logs or watch the daemon's activity in-memory), as they can just monitor the daemon, see what it is doing, and periodically report back. For the more obvious take-overs they would just use the operator or his laptop/desktop to gain access to the box and install their own MN daemon that periodically reports back.
OK gotcha. I still think the scale of the attack is critical here. To consider the likelihood of such an attack ever being successful we need to know how many nodes must be compromised to break Darksend and unravel privacy.
megges
March 25, 2015, 05:59:29 PM
> the difference goes to the miners exactly because we don't want any change address! (you could have also sent 20.8 instead so you won't sponsor the miners)
> Ok that's the key element I was missing, that basically there are no change addresses (although if 0.1 is the minimum that means every anonymous payment you make will incur an additional cost of as much as $0.51 at present, presumably this lower bound will decrease in future). BlockaFett: now's the time you do a little happy dance and write lots of bold text about how one of my conclusions was incorrect. You can even call it "BS" and say that I "don't understand anything" if it'll help you with your self-esteem problems :)
Yes it's right, there could be a fee of up to 0.00999999 DRK/DASH ~ 51 cents right now. But I don't see that as a problem; if the price goes up, it's no problem to adjust the lowest denomination to 0.01 or 0.001 ... And if you do not want to "support" the network with that 51 cent miners' fee, you could also adjust the amount you send to a "denominational" amount, so you'll give it as a tip to whoever you pay. (Ofc you can't do this if the receiver handles the transaction automatically and he needs the amount to be exactly what he stated)
tip me! XtSrWch1U3BsTBFBHj7acTTzxFo1fy5BMa
Macno
Legendary
Offline
Activity: 984
Merit: 1000
March 25, 2015, 06:02:23 PM
> the difference goes to the miners exactly because we don't want any change address! (you could have also sent 20.8 instead so you won't sponsor the miners)
> Ok that's the key element I was missing, that basically there are no change addresses (although if 0.1 is the minimum that means every anonymous payment you make will incur an additional cost of as much as $0.51 at present, presumably this lower bound will decrease in future). BlockaFett: now's the time you do a little happy dance and write lots of bold text about how one of my conclusions was incorrect. You can even call it "BS" and say that I "don't understand anything" if it'll help you with your self-esteem problems :)
> Yes it's right, there could be a fee of up to 0.00999999 DRK/DASH ~ 51 cents right now. But I don't see that as a problem; if the price goes up, it's no problem to adjust the lowest denomination to 0.01 or 0.001 ... And if you do not want to "support" the network with that 51 cent miners' fee, you could also adjust the amount you send to a "denominational" amount, so you'll give it as a tip to whoever you pay. (Ofc you can't do this if the receiver handles the transaction automatically and he needs the amount to be exactly what he stated)
So to put that in layman's terms: Darksend is fine for usage in darkmarkets after all and fluffypony agrees?
fluffypony
Donator
Legendary
Offline
Activity: 1274
Merit: 1060
GetMonero.org / MyMonero.com
March 25, 2015, 06:14:49 PM
> So to put that in layman's terms: Darksend is fine for usage in darkmarkets after all and fluffypony agrees?
No, there was one deanonymisation problem I posited late today which proved to be incorrect (that users can trivially and unwittingly deanonymise themselves, through change addresses, when sending successive post-mixing transactions). Thus far I believe the rest of my assertions to be correct.
oblox
Legendary
Offline
Activity: 1442
Merit: 1018
March 25, 2015, 06:15:47 PM
> You're not factoring in denominated units (and subsequent rounding at send) and "dead change" being sent to the network to remove linkages in future tx's.
> It was a simplified example explaining transactions in general. Remember: the issue we're discussing is the average user inadvertently deanonymising themselves. Dead change and denominated units do not solve the problem when the user has 50 DRK in their account, they send 20.72368 DRK to pay for some dodgy item, and then because they have some crisis they empty their wallet and deposit the entire remaining 29.27632 DRK on an exchange. Normal actions resulting in unavoidable and unwitting deanonymisation.
Assuming the wallet is already denominated, then in your scenario, the DS inputs would be two 10s, nine 1s and three .10s with the rounded-up change going to the network... yes, it very much solves the issue you are trying to point out.
megges
March 25, 2015, 06:20:43 PM
> the difference goes to the miners exactly because we don't want any change address! (you could have also sent 20.8 instead so you won't sponsor the miners)
> Ok that's the key element I was missing, that basically there are no change addresses (although if 0.1 is the minimum that means every anonymous payment you make will incur an additional cost of as much as $0.51 at present, presumably this lower bound will decrease in future). BlockaFett: now's the time you do a little happy dance and write lots of bold text about how one of my conclusions was incorrect. You can even call it "BS" and say that I "don't understand anything" if it'll help you with your self-esteem problems :)
> Yes it's right, there could be a fee of up to 0.00999999 DRK/DASH ~ 51 cents right now. But I don't see that as a problem; if the price goes up, it's no problem to adjust the lowest denomination to 0.01 or 0.001 ... And if you do not want to "support" the network with that 51 cent miners' fee, you could also adjust the amount you send to a "denominational" amount, so you'll give it as a tip to whoever you pay. (Ofc you can't do this if the receiver handles the transaction automatically and he needs the amount to be exactly what he stated)
> So to put that in layman's terms: Darksend is fine for usage in darkmarkets after all and fluffypony agrees?
I wouldn't conclude that. But I would say, yes, for me that's enough anonymity; in the end everything is "exploitable", it's just a question of "costs", like fluffypony said - yes, you need more power than in the whole universe so for now that's not possible, but you can't know what's there in the future, and you can't know if the attacker got lucky and just needs 1 min, because he was lucky. (I hope I don't misquote fluffypony here, but I interpret it that way.)
> Cryptographic negligibility has a very specific meaning. Something like a one-way hash function can still be attacked (ie. the original value corresponding to the hashed value can be determined), but it would typically take more power than in the universe to brute-force it.
> We normally state negligibility on the basis of a computationally bounded adversary, that is to say an adversary who has access to a reasonable amount of processing power regardless of the cost or speciality of the equipment required.
So you can calculate the security of your Darksend by yourself with a few assumptions you have to take (because you can't know), like Darksend with 50 rounds, the masternode network has 2000 masternodes, and I assume for me in the worst case 1500 of these are bad actors.
So I got something like: (1500/2000)^50 = 0.000005 => it's a chance of 1 : 1750000 that a bad actor (with 1500 of 2000 MN) statistically can observe my mixing.
For me that's secure enough to say it's anonymous. But for some it may not be enough, because they can't know if there are bad actors in the net and how many. So if all 2000 out of 2000 are bad actors, you can be sure it won't be anonymous anymore. (I think that's the point I'm reading about MNs not being trustless, because you can't know if they save the Darksend or not - but that's not my view of it)
tip me! XtSrWch1U3BsTBFBHj7acTTzxFo1fy5BMa
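The odds estimate in the post above, as an added example that is not code from the page or from any Darksend/Dash project, generalised slightly: under the post's own assumption that each mixing round is handled by an independently and uniformly chosen masternode, the chance that colluding nodes observe every round is (bad/total)^rounds, and the same model yields the number of rounds needed to push that chance below a chosen threshold, plus a small table across assumed hostile fractions. The function names are assumptions. The model covers only the masternode-collusion risk the post discusses; it says nothing about analysis of the on-chain CoinJoin graph itself, which othe raises later in the thread.

```python
import math


def observe_probability(bad, total, rounds):
    """Chance that all `rounds` mixing rounds land on colluding masternodes,
    assuming each round picks a masternode independently and uniformly at
    random from the whole set (the assumption made in the post)."""
    if total <= 0 or not 0 <= bad <= total or rounds < 1:
        raise ValueError("need total > 0, 0 <= bad <= total, rounds >= 1")
    return (bad / total) ** rounds


def rounds_for_target(bad, total, target):
    """Smallest number of rounds for which observe_probability drops below
    `target`. Returns None when every masternode is hostile: no number of
    rounds helps, which is the "2000 out of 2000" case in the post."""
    if not 0 < target < 1:
        raise ValueError("target must be strictly between 0 and 1")
    if total <= 0 or not 0 <= bad <= total:
        raise ValueError("need total > 0 and 0 <= bad <= total")
    p = bad / total
    if p >= 1:
        return None
    if p == 0:
        return 1
    # p**r < target  <=>  r > log(target) / log(p)  (both logs are negative).
    # Start at the floor of that bound and step up, so float rounding in the
    # logarithm can never make us return a round count that is one too small.
    r = max(1, math.floor(math.log(target) / math.log(p)))
    while p ** r >= target:
        r += 1
    return r


def risk_table(total, rounds, fractions=(0.25, 0.5, 0.75, 0.9, 1.0)):
    """Observation probability for several assumed fractions of hostile nodes,
    so the reader can see how fast the estimate degrades as the assumption
    about the adversary's share of the network changes."""
    return {f: observe_probability(round(f * total), total, rounds) for f in fractions}


if __name__ == "__main__":
    p = observe_probability(1500, 2000, 50)          # the post's worst case
    print(f"1500/2000 hostile, 50 rounds: {p:.3g} (about 1 in {1 / p:,.0f})")
    print("rounds needed for < 1e-6:", rounds_for_target(1500, 2000, 1e-6))
    for f, prob in risk_table(2000, 50).items():
        print(f"{f:>4.0%} hostile -> {prob:.3g}")
```

With the post's inputs the probability is about 5.7e-7 (roughly 1 in 1.77 million), 49 rounds already bring it under one in a million against a 75% hostile network, and the 100% row of the table is 1.0 regardless of rounds, which is the trust argument the post mentions in its last sentence.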
majamina
Member
Offline
Activity: 112
Merit: 10
March 25, 2015, 06:21:55 PM
> So to put that in layman's terms: Darksend is fine for usage in darkmarkets after all and fluffypony agrees?
> Thus far I believe the rest of my assertions to be correct.
Well, I'm still not convinced by your assessment of MN network vulnerability. You seem to be in the realms of the theoretical rather than the practical....
othe
March 25, 2015, 06:25:26 PM
> You're not factoring in denominated units (and subsequent rounding at send) and "dead change" being sent to the network to remove linkages in future tx's.
> It was a simplified example explaining transactions in general. Remember: the issue we're discussing is the average user inadvertently deanonymising themselves. Dead change and denominated units do not solve the problem when the user has 50 DRK in their account, they send 20.72368 DRK to pay for some dodgy item, and then because they have some crisis they empty their wallet and deposit the entire remaining 29.27632 DRK on an exchange. Normal actions resulting in unavoidable and unwitting deanonymisation.
> Assuming the wallet is already denominated, then in your scenario, the DS inputs would be two 10s, nine 1s and three .10s with the rounded-up change going to the network... yes, it very much solves the issue you are trying to point out.
How does that solve the issues my post mentioned?
> So you can calculate the security of your Darksend by yourself with a few assumptions you have to take (because you can't know), like Darksend with 50 rounds, the masternode network has 2000 masternodes, and I assume for me in the worst case 1500 of these are bad actors.
> So I got something like: (1500/2000)^50 = 0.000005 => it's a chance of 1 : 1750000 that a bad actor (with 1500 of 2000 MN) statistically can observe my mixing.
> For me that's secure enough to say it's anonymous. But for some it may not be enough, because they can't know if there are bad actors in the net and how many. So if all 2000 out of 2000 are bad actors, you can be sure it won't be anonymous anymore. (I think that's the point I'm reading about MNs not being trustless, because you can't know if they save the Darksend or not)
You can just own the major amount of coinjoin transactions to trace back what happens; no need to mess with masternodes. Combined with other statistical analysis approaches this is quite powerful?
Macno
Legendary
Offline
Activity: 984
Merit: 1000
March 25, 2015, 06:27:32 PM
> So to put that in layman's terms: Darksend is fine for usage in darkmarkets after all and fluffypony agrees?
> Thus far I believe the rest of my assertions to be correct.
> Well, I'm still not convinced by your assessment of MN network vulnerability. You seem to be in the realms of the theoretical rather than the practical....
Ok, so you could somehow compromise the MN network, but you can't be de-anonymized because you did not do enough "opsec" other than mixing your coins.
majamina
Member
Offline
Activity: 112
Merit: 10
March 25, 2015, 06:32:35 PM
> So to put that in layman's terms: Darksend is fine for usage in darkmarkets after all and fluffypony agrees?
> Thus far I believe the rest of my assertions to be correct.
> Well, I'm still not convinced by your assessment of MN network vulnerability. You seem to be in the realms of the theoretical rather than the practical....
> Ok, so you could somehow compromise the MN network, but you can't be de-anonymized because you did not do enough "opsec" other than mixing your coins.
No, I'm not sure you can compromise the MN network in any practical sense, assuming it works as designed.