|
_nur
|
 |
June 29, 2016, 12:23:08 AM |
|
I really don't know, all I know is I asked about any security issues with this change and didn't get a very comprehensive answer and then I saw this guys post. Can you link me to the DEV discussion on this before the proposal? I'd like to see how it was vetted. This is the highest security level of any type project so this needs to be taken seriously and just a word saying it's all good is not enough. Also If I was working on a competing project with similar attributes I would tank the current one I was on. That is not an accusation just an observation. As fluffypony said in a recent talk "request the cryptographic proof of the claims being made." This is a good attitude you have concerning this topic. The entire crypto space need more of this. History of Monero development Visualization - video unavailable hmm... |
|
|
|
|
Hueristic
Legendary
 Offline
Activity: 3864
Merit: 5052
Doomed to see the future and unable to prevent it
|
|
June 29, 2016, 12:37:02 AM |
|
...
As fluffypony said in a recent talk "request the cryptographic proof of the claims being made."
This is a good attitude you have concerning this topic.
The entire crypto space need more of this.
Thank you smoothie.  |
“Bad men need nothing more to compass their ends, than that good men should look on and do nothing.”
|
|
|
|
aerbax
|
|
June 29, 2016, 01:50:21 AM |
|
...
From what I've gathered Sodium is an easier to integrate 100% API compatible but slower branch of NaCl. Correct?
That's roughly my take from it as well. It's supported on just about every platform..desktop and mobile...and it's actively maintained. Debian's 0MQ has libsodium as a package requirement. At least on Jessie and newer. Ubuntu seems to be Wily and newer. I've briefly used it when I was writing some Python based encryption stuff for a work project recently. |
|
|
|
|
|
Hueristic
Legendary
Offline
Activity: 3864
Merit: 5052
Doomed to see the future and unable to prevent it
|
|
June 29, 2016, 01:00:31 PM
Last edit: June 29, 2016, 01:50:05 PM by Hueristic |
|
Thanks for the link, I'll check it out. And I have a question for you. How long do you think you would last in an interrogation room where all they wanted was for you to look the other way while a piece of code was inserted into an open source project? Hmmm How tough of a man are you? Everyone breaks. A project like this needs vigilance. I have no proof nor suspicions but I do think of attack vectors and this is one. I'm sorry I can't be a card carrying member of the cult. ADDED: OK, Listened to the podcast again and I remember it now. Changing from RPC to IPC on local daemon only correct? I had forgotten that it was only on local communications and that it was to IPC. But I still did not hear anything about what security concerns there may be with this change sans the quoted. Actually the only reason that was given for the change is that RPC is Clunky and doesn't handle interprocess communication well ("risk of having to maintain open handles and all sorts of stuff") where as IPC does Also he mentions that IPC can be extended to remote connections and that there are multiple solutions and multiple libraries that solve these problems. But there is no comparison of all these other methods and/or security tradeoffs. Is that discussion in a DEV meeting Logfile? He also speaks of the need for the messaging que (that is the ipc method) because of multiple instances communicating with the daemon(sometimes up to 30). While this may be true of some cases the average Joe that's going to use this is not going to run more than one. Even Polo apparently is only using one address so I'm not sure of why this is so important except it sounds like a more elegant way of doing things and I can completely understand being a perfectionist. I also don't see why a local client designed for a single machine must communicate with a daemon running locally. Why not direct input and integrate the wallet and daemon for local use? It's funny that the translation stopped at the end of the database talk right before the 0MQ talk. Anyway that link was just a quick announcement that they had decided but there is no reference to where they had decided this. |
“Bad men need nothing more to compass their ends, than that good men should look on and do nothing.”
|
|
|
|
papa_lazzarou
|
|
June 29, 2016, 01:39:30 PM |
|
Thanks for the link, I'll check it out. And I have a question for you. How long do you think you would last in an interrogation room where all they wanted was for you to look the other way while a piece of code was inserted into an open source project? Hmmm How tough of a man are you? Everyone breaks. A project like this needs vigilance. I have no proof nor suspicions but I do think of attack vectors and this is one. I'm sorry I can't be a card carrying member of the cult. Good for you. Meanwhile you could pay attention to whats happening and try to not raise hell over something that has been planned since ages ago as part of the overall enhancement of Monero. I mean, it is in the freaking goals: https://getmonero.org/design-goals/ (although I don't understand why it is marked as completed). I agree the community should remain vigilant. But that goes both ways. We should refuse to be manipulated by FUD posts. Regardless of the intentions of the poster. |
|
|
|
|
Hueristic
Legendary
Offline
Activity: 3864
Merit: 5052
Doomed to see the future and unable to prevent it
|
|
June 29, 2016, 02:05:01 PM |
|
.... Good for you. Meanwhile you could pay attention to whats happening and try to not raise hell over something that has been planned since ages ago as part of the overall enhancement of Monero. I mean, it is in the freaking goals: https://getmonero.org/design-goals/ (although I don't understand why it is marked as completed). I agree the community should remain vigilant. But that goes both ways. We should refuse to be manipulated by FUD posts. Regardless of the intentions of the poster. I've added to the above post and I'm sorry if my questions sound like fud to you. I asked a simple question on the forum and got no response a week ago. I waited and then saw the other post and asked for a Dev response to that and now because I ask questions I'm a Fudster? REALLY!!! Even the DEVS don't have time to read every damn thing that is happening in this project and you think an unpaid observer does? I waste my time here because I believe in it's merits that is all so If I have a security concern (which was my profession for 20 years) then I'm going to research it before it blows up. And I thought that this was replacing remote communication as well. Which is a VERY BIG DEAL. But after listening to the Podcast you linked I see that it is intended for interprocess communication currently but Fluffy did say it can be extended for wiring protocol replacement. |
“Bad men need nothing more to compass their ends, than that good men should look on and do nothing.”
|
|
|
|
papa_lazzarou
|
|
June 29, 2016, 02:39:24 PM |
|
.... Good for you. Meanwhile you could pay attention to whats happening and try to not raise hell over something that has been planned since ages ago as part of the overall enhancement of Monero. I mean, it is in the freaking goals: https://getmonero.org/design-goals/ (although I don't understand why it is marked as completed). I agree the community should remain vigilant. But that goes both ways. We should refuse to be manipulated by FUD posts. Regardless of the intentions of the poster. I've added to the above post and I'm sorry if my questions sound like fud to you. I asked a simple question on the forum and got no response a week ago. I waited and then saw the other post and asked for a Dev response to that and now because I ask questions I'm a Fudster? REALLY!!! Even the DEVS don't have time to read every damn thing that is happening in this project and you think an unpaid observer does? I waste my time here because I believe in it's merits that is all so If I have a security concern (which was my profession for 20 years) then I'm going to research it before it blows up. And I thought that this was replacing remote communication as well. Which is a VERY BIG DEAL. But after listening to the Podcast you linked I see that it is intended for interprocess communication currently but Fluffy did say it can be extended for wiring protocol replacement. I meant the poster at monero forum as the well-intentioned fudster, not you. And you can see in his follow up reply to fluffypony's original reply that he should have asked some questions before yelling DOOM. I think you do good to ask questions. But this post above does sound like a bit alarmist, don't you think? EDIT: My point is people should round up more information before getting to this ^^ level of alarm. |
|
|
|
|
Hueristic
Legendary
Offline
Activity: 3864
Merit: 5052
Doomed to see the future and unable to prevent it
|
|
June 29, 2016, 03:06:41 PM |
|
...
I think you do good to ask questions. But this post above does sound like a bit alarmist, don't you think?
EDIT:
My point is people should round up more information before getting to this ^^ level of alarm.
If you check my previous posts they all ask for the DEV notes on vetting this change and I still haven't got them. That is why my concern has escalated. BTW I Still have not got them. My main reason for wanting them is not only to make sure they have done their diligence but also when I do my check I don't want to repeat any work they already vetted. But I really cannot do anything until I know what has been done already. See? |
“Bad men need nothing more to compass their ends, than that good men should look on and do nothing.”
|
|
|
GingerAle
Legendary
Offline
Activity: 1260
Merit: 1008
|
|
June 29, 2016, 05:33:44 PM |
|
...
I think you do good to ask questions. But this post above does sound like a bit alarmist, don't you think?
EDIT:
My point is people should round up more information before getting to this ^^ level of alarm.
If you check my previous posts they all ask for the DEV notes on vetting this change and I still haven't got them. That is why my concern has escalated. BTW I Still have not got them. My main reason for wanting them is not only to make sure they have done their diligence but also when I do my check I don't want to repeat any work they already vetted. But I really cannot do anything until I know what has been done already. See? SHOW ME THE NOTES! All I know about the 0MQ integrating into Monero thing is that its been in progress for a while. So the decision was probably made in 2014. Who knows what kind of notes are available for the decision. I bet it went something like this. "Wow this RPC thing is crap. Whats the best way to do this?" then months of reading, chatting, and talking to people about the best tool for the job. I mean, how did the core team decide on LMDB? No idea. Were those notes ever public? Perhaps conversations on IRC maybe. I mean, hell, Fluffypony , in person, met and chatted with the 0MQ creator / core maintainer / developer on his Monero Mystery Tour. https://getmonero.org/2015/06/29/monero-missive-for-the-week-of-2015-06-29.htmlIf anyone knows the flaws of a piece of code, its the person that created, maintains, actively develops., etc. And if there's ever a venue when they will tell you, truly, about anything thats in the closet, its when you chat in person. And over beers. But in general thanks for bringing that post to everyone's attention. I wouldn't have seen it. |
|
|
|
Hueristic
Legendary
Offline
Activity: 3864
Merit: 5052
Doomed to see the future and unable to prevent it
|
|
June 29, 2016, 05:52:57 PM |
|
...
I think you do good to ask questions. But this post above does sound like a bit alarmist, don't you think?
EDIT:
My point is people should round up more information before getting to this ^^ level of alarm.
If you check my previous posts they all ask for the DEV notes on vetting this change and I still haven't got them. That is why my concern has escalated. BTW I Still have not got them. My main reason for wanting them is not only to make sure they have done their diligence but also when I do my check I don't want to repeat any work they already vetted. But I really cannot do anything until I know what has been done already. See? SHOW ME THE NOTES! All I know about the 0MQ integrating into Monero thing is that its been in progress for a while. So the decision was probably made in 2014. Who knows what kind of notes are available for the decision. I bet it went something like this. "Wow this RPC thing is crap. Whats the best way to do this?" then months of reading, chatting, and talking to people about the best tool for the job. I mean, how did the core team decide on LMDB? No idea. Were those notes ever public? Perhaps conversations on IRC maybe. I mean, hell, Fluffypony , in person, met and chatted with the 0MQ creator / core maintainer / developer on his Monero Mystery Tour. https://getmonero.org/2015/06/29/monero-missive-for-the-week-of-2015-06-29.htmlIf anyone knows the flaws of a piece of code, its the person that created, maintains, actively develops., etc. And if there's ever a venue when they will tell you, truly, about anything thats in the closet, its when you chat in person. And over beers. But in general thanks for bringing that post to everyone's attention. I wouldn't have seen it. Thanks for that link. this seems to be the pertinent part. A lot of the stuff, like the 6 month rolling hard fork, that we've been speaking about now and there is some other stuff that I've been putting down. A lot of that comes out of that conversation between BinaryFate, Peter and myself. I've written this all down in a post that I am putting up on the forum about some other changes that we want to make. But Peter, obviously as the guy behind ZeroMQ, manages and is responsible for a very large open source project and so he has gone through a lot of the pain of dealing with an open source project and dealing with different personalities, people of various skill levels and contributors. You know, all that sort of jazz, and so there was a lot that I was able to take away from that discussion, took back and we didn't discussed as a core team. Some really nice things have come out of that, some really nice ideas and also just a general sense of how difficult it is to manage an open source project and to sort of do so in a way that doesn't offend people that want to contribute and doesn't make the barrier to entry so high, but at the same time acknowledging that this is difficult. It's security software and it's not the sort of thing that we want to leave open to making very many mistakes. So yeah, there was that. Do you have a link to the post fluffy refers to in that? |
“Bad men need nothing more to compass their ends, than that good men should look on and do nothing.”
|
|
|
natall.com
Member
Offline
Activity: 97
Merit: 10
net profit: 2700$
|
|
June 29, 2016, 08:20:47 PM |
|
Monero has the following issues
-currently only 15MH/s, a few supercomputers could take out the network easily currently
-in the future mining centralisation is likely(difficult to avoid with PoW currencies).
-the confirmation time is to slow, cannot supstitute cash.
-not many people actually using it, the network effect is small and it is likely to fail the altcoin competition.
I will not invest at the current price, maybe if it drops 50%(this is likely to happen if the bitcoin price drops).
|
I actually hate trading and i am never happy.
|
|
|
|
c789
|
|
June 29, 2016, 09:10:41 PM |
|
Monero has the following issues
-currently only 15MH/s, a few supercomputers could take out the network easily currently
-in the future mining centralisation is likely(difficult to avoid with PoW currencies).
-the confirmation time is to slow, cannot supstitute cash.
-not many people actually using it, the network effect is small and it is likely to fail the altcoin competition.
I will not invest at the current price, maybe if it drops 50%(this is likely to happen if the bitcoin price drops).
- 15MH/s is substantial given that a good i7 can hash at only ~200 H/s. GPUs can't do much more, I believe ~300 H/s is average. Many other coins don't have close to XMR's network hash rate. - Mining centralization is likely? That could be said for any PoW coin, so why is that an issue only for Monero? Besides, this coin has several large pools...just like most other PoW coins. - Confirmation time for XMR is faster than Bitcoin, and Bitcoin is doing quite well. - The number of people using Monero is increasing, as are the number of people mining it. - It's your choice to invest or not. This coin is 100% decentralized, private, untraceable, and fungible, unlike other non-cryptonote coins, so it has several features that the other coins don't have and that people have a desire for. To investors, that usually means "buy and hold long term." |
|
|
|
TripleHeXXX
Full Member
Offline
Activity: 176
Merit: 102
https://www.cryptopia.co.nz
|
|
June 30, 2016, 12:20:39 AM |
|
XMR is now a basemarket on Cryptopia
|
|
|
|
natall.com
Member
Offline
Activity: 97
Merit: 10
net profit: 2700$
|
|
June 30, 2016, 05:33:55 AM
Last edit: June 30, 2016, 05:53:36 AM by natall.com |
|
- 15MH/s is substantial given that a good i7 can hash at only ~200 H/s. GPUs can't do much more, I believe ~300 H/s is average. Many other coins don't have close to XMR's network hash rate.
- Mining centralization is likely? That could be said for any PoW coin, so why is that an issue only for Monero? Besides, this coin has several large pools...just like most other PoW coins.
- Confirmation time for XMR is faster than Bitcoin, and Bitcoin is doing quite well.
- The number of people using Monero is increasing, as are the number of people mining it.
- It's your choice to invest or not. This coin is 100% decentralized, private, untraceable, and fungible, unlike other non-cryptonote coins, so it has several features that the other coins don't have and that people have a desire for. To investors, that usually means "buy and hold long term."
Actually mining centralisation(giant asic farms) might be impossible to avoid with pure PoW. Bitcoin currently get away with slow confirmation time, poor anonymity and mining centralisation due to the first mover advantage/network effect. Monero is still in the "invest and mine" phase and you will most likely lose your money if you invest in it. I currently get almost 700H/s for each r9 290 and 200H/s from my i7-3930K, i will try to push it a little further. Unfortinatily i do not have enough money to invest heavily into promesing altcoins until i suceed and get a huge return, i need to be careful. Will there come a better coin and beat monero? i do dislike PoS but it solves the first 2 problems listed. Is there any viable way to solve the issue of slow confirmirmation time with monero or do you have to launch a new coin for that? |
I actually hate trading and i am never happy.
|
|
|
GingerAle
Legendary
Offline
Activity: 1260
Merit: 1008
|
|
June 30, 2016, 09:38:20 AM |
|
- 15MH/s is substantial given that a good i7 can hash at only ~200 H/s. GPUs can't do much more, I believe ~300 H/s is average. Many other coins don't have close to XMR's network hash rate.
- Mining centralization is likely? That could be said for any PoW coin, so why is that an issue only for Monero? Besides, this coin has several large pools...just like most other PoW coins.
- Confirmation time for XMR is faster than Bitcoin, and Bitcoin is doing quite well.
- The number of people using Monero is increasing, as are the number of people mining it.
- It's your choice to invest or not. This coin is 100% decentralized, private, untraceable, and fungible, unlike other non-cryptonote coins, so it has several features that the other coins don't have and that people have a desire for. To investors, that usually means "buy and hold long term."
Actually mining centralisation(giant asic farms) might be impossible to avoid with pure PoW. Bitcoin currently get away with slow confirmation time, poor anonymity and mining centralisation due to the first mover advantage/network effect. Monero is still in the "invest and mine" phase and you will most likely lose your money if you invest in it. I currently get almost 700H/s for each r9 290 and 200H/s from my i7-3930K, i will try to push it a little further. Unfortinatily i do not have enough money to invest heavily into promesing altcoins until i suceed and get a huge return, i need to be careful. Will there come a better coin and beat monero? i do dislike PoS but it solves the first 2 problems listed. Is there any viable way to solve the issue of slow confirmirmation time with monero or do you have to launch a new coin for that? Mining centralization will be very difficult for Monero. Currently, the only way to centralize mining is via GPU farms, and it isn't cheap, and it doesn't yield the same ROI as other coins. There have been discussions about the PoW and migrating to something different at some point, but this is all just thoughts currently. But yes, if ASICS happen, I agree that it will be difficult to prevent centralization. https://github.com/tromp/cuckooThough, it also depends on how ASICS are developed and the software is designed. I view it as pure laziness that the bitcoin asics weren't developed with solo mining capabilities, or the ability to form ad-hoc pools with local peers (some ping cutoff radius), or better, configured to run with p2pool. If it comes to it and asics in Monero happen, we'll just have to do it better than has been done before. |
|
|
|
myagui
Legendary
Offline
Activity: 1154
Merit: 1001
|
|
June 30, 2016, 10:44:55 AM |
|
Mining centralization will be very difficult for Monero. [...]
Difficult might not be the best word there. I think we're not at a nethash that is AWS (or some other large cloud provider) resistant so to speak. It would be extremely expensive though. So much so, that it makes no economical sense to begin with.  Smart Mining(TM), where are thou?  |
|
|
|
natall.com
Member
Offline
Activity: 97
Merit: 10
net profit: 2700$
|
|
June 30, 2016, 02:37:05 PM |
|
Buying a GPU just for monero mining currently is a bad idea, it is cheaper to buy monero from an exchange. Currently monero mining only makes sense if you already own the hardware or plan to use it for gaming/something also(you mine when you do not play games) and this is actually a good thing. The advantage with ASIC mining is that a 51% attack will be much more difficult, unfortinatily it also tend to make the network more and more centralised(mined when the electrisity is cheap in giant farms.  When a few persons/companies control over 50% of the betwork they can easily abuse the power, one method is to not implement a scheduled block reward halving(likely to happen with bitcoin) of course they cannot abuse their power too much unless they want to kill the currency they are mining(which would make their hardware obselete). |
I actually hate trading and i am never happy.
|
|
|
GingerAle
Legendary
Offline
Activity: 1260
Merit: 1008
|
|
June 30, 2016, 03:08:39 PM |
|
Buying a GPU just for monero mining currently is a bad idea, it is cheaper to buy monero from an exchange. Currently monero mining only makes sense if you already own the hardware or plan to use it for gaming/something also(you mine when you do not play games) and this is actually a good thing.
The advantage with ASIC mining is that a 51% attack will be much more difficult, unfortinatily it also tend to make the network more and more centralised(mined when the electrisity is cheap in giant farms.
img snp
When a few persons/companies control over 50% of the betwork they can easily abuse the power, one method is to not implement a scheduled block reward halving(likely to happen with bitcoin) of course they cannot abuse their power too much unless they want to kill the currency they are mining(which would make their hardware obselete).
The bolded statement depends on how confident you are that monero will moon, hold value, or go up at all. If you buy 100$ worth of monero, and monero goes to 0$ in a month, then you lost 100$. If you buy a 750 ti ($100), you mine for a month and monero goes to 0$ in a month, you've mined ~ 4.2 monero , spent some $ on electricity, and then you sell your card for $80 (or mine something else). Plus, you know, buying and operating hardware helps support the network. Sure, buying coins does in an abstract way wherein the value goes up and thus more people mine. I don't know why I posted this. Carry on. |
|
|
|
kokonit
Newbie
Offline
Activity: 53
Merit: 0
|
|
June 30, 2016, 04:48:05 PM |
|
When a few persons/companies control over 50% of the betwork they can easily abuse the power, one method is to not implement a scheduled block reward halving(likely to happen with bitcoin) of course they cannot abuse their power too much unless they want to kill the currency they are mining(which would make their hardware obselete).
This cannot happen ever, because 0 services will support this code. The miner will just mine on the wrong fork even with 90% mining power |
|
|
|
|
|
