Bitcoin Forum
Topic: Monero VS dalek libraries VS Particl Security Audit Bulletproof & RingCT
dadon (OP)
February 06, 2020, 11:15:01 AM
Last edit: February 07, 2020, 02:52:30 AM by dadon
 #1



Source: https://blog.quarkslab.com/tag/bulletproof.html
qwizzie
February 06, 2020, 11:57:31 AM
Last edit: February 06, 2020, 12:15:59 PM by qwizzie
 #2

The only thing I am interested in with regards to Monero is knowing how hackers got into their boxed-off website and were able to replace their binaries with coin-stealing malware binaries.
As long as no answer has been provided in that particular area, I consider Monero compromised towards its users.

You can have strong security technology in a blockchain, but if you cannot guarantee a secure website from which to download the binaries, then that will impact your reputation as a blockchain.
Link: https://arstechnica.com/information-technology/2019/11/official-monero-website-is-hacked-to-deliver-currency-stealing-malware/

To be absolutely clear, I am not interested in the specifics of the malware; that has been covered in great detail.
I am interested in knowing what happened with the closed-off box that fluffypony sent to a bunch of specialists to investigate the website breach.

 

Learn from the past, set detailed and vivid goals for the future and live in the only moment of time over which you have any control : now
dadon (OP)
February 06, 2020, 12:39:07 PM
 #3

I am aware of this incident but honestly wasn't aware of much of the details. I just knew something went down and some users who downloaded wallets from their official website were affected by it. Fluffypony has become a bit of a crypto celebrity over the years and I think people put their trust in individuals far too much, and this is especially the case with celebrities of any type. It's a little alarming to start with that fluffy has such access for this to even be possible, and it is even more alarming that Monero's team is not encouraging users to download directly from their official GitHub accompanied by the use of checksums to validate the download.

As we take our users' security seriously at Particl, we encourage users to take their own security seriously as well. Our files are hosted on GitHub and we encourage users to verify the checksums. They are not gameable and we have a link to the wiki for such matters: https://particl.wiki/tutorial/verify-downloads < Here anybody unfamiliar with checksums and validating download sources can find explanations and guides for everything relating to this matter. We do this to keep our users safe and we have always practiced in this manner, as is the responsibility of the project to do so. If Monero would follow such protocol to protect their users, maybe their reputation wouldn't be in question.

(NOTE: Monero could be encouraging the use of checksums now; I honestly don't follow their development/news/updates very closely anymore.)
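
The checksum check discussed in the posts above, as an added example that is not part of the thread and is not Particl or Monero code: it verifies a downloaded file against a `sha256sum`-style hash list and reports a swapped binary as a mismatch. It assumes the hash list was obtained from a channel other than the server that served the download; the file name and contents are constructed.

```python
import hashlib
import hmac
import os
import re
import tempfile

# One entry per line, as written by `sha256sum`: "<64 hex chars>  <filename>"
_ENTRY = re.compile(r"^([0-9a-fA-F]{64}) [ *](.+)$")


def parse_hash_list(text):
    """Return {filename: lowercase hex digest}; a duplicated filename is an error."""
    entries = {}
    for line in text.splitlines():
        m = _ENTRY.match(line.strip())
        if not m:
            continue  # comments, blank lines, signature armor
        digest, name = m.group(1).lower(), m.group(2)
        if name in entries:
            raise ValueError(f"ambiguous hash list: {name} listed twice")
        entries[name] = digest
    return entries


def sha256_file(path, chunk_size=1 << 20):
    """Hash the file in chunks so large release archives need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, hash_list_text):
    """Return 'ok', 'mismatch' (file differs from the listed digest) or 'unlisted'."""
    expected = parse_hash_list(hash_list_text).get(os.path.basename(path))
    if expected is None:
        return "unlisted"  # never treat a missing entry as a pass
    return "ok" if hmac.compare_digest(sha256_file(path), expected) else "mismatch"


if __name__ == "__main__":
    release = b"constructed release archive bytes"  # sample data, not a real binary
    name = "example-wallet-linux-x64.tar.bz2"       # hypothetical file name
    hash_list = f"# constructed hash list\n{hashlib.sha256(release).hexdigest()}  {name}\n"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, name)
        for label, data in (("genuine", release), ("replaced", release + b"\x90")):
            with open(path, "wb") as f:
                f.write(data)
            print(label, "->", verify_download(path, hash_list))
```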
qwizzie
February 06, 2020, 01:07:41 PM
 #4

I could be mistaken here, but as far as I know GitHub is not encouraged for Monero users to download their binaries. They do encourage the use of checksums, but that still does not explain how their closed-off box of their official website got compromised in the first place and if things have been properly patched up on that server / closed-off box.

Ever since fluffypony sent that closed-off box out for investigation two months ago, there has been a total silence on that part.
This creates rumors that it could have been the work of inside developers who either went rogue or were really negligent with their security access.

dadon (OP)
February 06, 2020, 01:16:32 PM
 #5

Quote from: qwizzie
> I could be mistaken here, but as far as I know GitHub is still not encouraged for Monero users to download their binaries. They do encourage the use of checksums, but that still does not explain how their closed-off box of their official website got compromised in the first place and if things have been properly patched up on that server / closed box side.
>
> Ever since fluffypony sent that closed-off box out for investigation two months ago, there has been a total silence on that part.

I cannot understand why they would not encourage users to use a trusted source like GitHub for something as important as this, and I am pretty sure this would (could) not have happened if they did encourage only to use GitHub for binary downloads. (silly) As for the other stuff, it sounds really strange and I hope answers can be found to these questions in a timely manner. Sounds like fluffy needs to give some explanations, as it is not fair to keep people in the dark like that when the matter at hand is so serious.
rustynailer
February 07, 2020, 02:10:46 AM
 #6

I don't want to throw any shade on fluffypony or Monero but it looks like someone made a booboo. I hope they figure it out soon because if they can't, then we won't know if or when this will happen again.