[XMR] Monero - A secure, private, untraceable cryptocurrency

[GingerAle]

not 2-3 sentences

yeop, still not any clearer what exactly you are asking.

[1714748208]

1714748208

[1714748208]

1714748208

[1714748208]

1714748208

[1714748208]

1714748208

[dEBRUYNE]

Community input needed:

https://www.reddit.com/r/Monero/comments/4sx825/kovri_enduser_documentation_proposal_now_open_for/

[e-coinomist]

Looking forward to this. XMR + STEEM could very well be the best investments of 2016.

To me, an important difference (among many important differences) is that XMR could very well be the best investment of the third millennium.  STEEM, not so much.

Crossposting this from Smooth-selfmoderated-thread over here, for Safety.

Sounds interesting, especially the link pointing at the balances. iamnotback is Anonymint?

You fools enjoy being kept in the cage by your thread moderator whilst he escapes to partake of the fruits you are told to reject?

Then again, maybe you should feel happy that he is perhaps buying XMR with his proceeds of stripping the n00bs of their money via the Streemit pyramid.

I did not ever tell anyone to invest in Steem. I think the long term prospects for the value of the token are not great. I've told the developers of Steem that. I've told people on my crypto social circle that. I've posted that. I don't know what more I can do.

I suppose reiterating here is good for disclosure, given you are somewhat a public figure.

I just wish you had made me aware of your open mind about profiting any way we want to, because I thought you were much more dogmatic in the past.

I am actually a free market anarchist, so I can't fault you for what you've done. Actually I must admire it. But I just feel you need to be consistent, so that we know how to interface with you.

Also I think you could help by speaking frankly about the meritocracy of the fact that you could get $50,000 a week for basically a very minimal effort. You could perhaps influence some speculators and newbies to think carefully about what types of projects they want to support. Without being too dogmatic, just about the value of meritocracy.

I did not support the sneaky-mine and said at the time that I would not promote the coin to crypto speculators (although kind of an easy promise to make since I never promote any crypto coins -- my best guess is all going to zero, though at different rates). It was, however, far more transparent and than the Dash instamine or the Bytecoin hidden premine. For the record, when I first stated that opinion (after the initial mining) it was worth approximately nothing, so the the alleged current market value has changed nothing here.

That said, I also do not think it necessarily will with certainty go to zero, and people can do their own analysis and reach their own conclusions. Hell, even Auroracoin and other pure garbage (nothing person to Auroracoin devs) still has some value. Steem has more merit than that.

What is the merit of Steem? It is a premeditated pyramid. Designed to be so. How can we reach an alternative conclusion? By what math and analysis? Dan et al are not dumb. They computed all this.

New development in this story that I did not anticipate:

Smooth seems to have found a way to game the system

Look at his balance https://steemit.com/@smooth/transfers

He already owns $ 5 Millions at today's market price. Insane.

He acquired nearly 1% back during the "sneaky mine" phase. You can understand why he wasn't willing to attack this coin the way he normally attacks pump and dump scams. That $millions bought his "I am not omniscient about the potential future not being a disaster" attitude.

Btw, smooth is cashing out roughly $50,000 per week. (assuming your $5m valuation of his SP is correct)

Is that a meritocracy 

You can see why he would have an incentive to not speak about how it will be a disaster for those who invest in SP now (requires a 2 year lock up cashed out over 104 weeks), while he is cashing out every week. Chaching. Fools please buy Steemit and give your money to smooth.

You are turning the s/w industry into lies and scams. I want nothing to do with you if you are going to on the one hand be so dogmatic even leading me entirely away from doing what Dan has done (I originally was talking ICOs and no no no don't you dare do anything but PoW distribution). I had more respect for you than this, that at least some consistency of your position.

I don't have a problem with Dan doing this. Everyone should be free. I just have a problem with feeling like I been jerked around, some people telling me to be idealistic, then telling me as long as you build adoption through lying to people's emotions, then that is positive.

I don't feel there is any consistency of anything. Everyone should do what ever in the hell they want.

...

Steemit is taking money from new investors and redistributing it to those with the most rep power. And fooling bloggers to join by hyping payouts most of them will never receive. That doesn't sound to me like building a good long-term business model.

Bernie Madoff must be proud.

Smooth never bribed me and in fact he helped me and I am grateful, but I did put a lot of weight into his opinions:

smooth may I ask what is the incentive for you to promote steem? Are you now affiliated with the Larimers?

]It is bizarre given when we first spoke about the state-of-altcoins some many moons ago in 2015, and I had stated that maybe Bitshares and Dan Larimer were credible and you tried to convince me that their mcap was all manipulation and to discourage me from taking them seriously.

Now suddenly you jump on their boat and I've noted you stated some where you were able to mine 1+% of the coins during the stealth mining phase.

I respected you and followed your lead to admonish ICOs, premines, instanmines, and I would assume that would include stealthmining launches. But in the end, all this did was mess up my own degrees-of-freedom to make my project come to fruition because I was trying to bend over backwards to find a way to fit into that impossible set of requirements. And now after all that, it ends up you don't even follow your own ethics.

Hey I am happy with letting the altcoin market be free of Sheriffs. So more power to your newly discovered ethics. I just feel slightly jaded for receiving bad advice from you. I am sorry to bring this out in public, and I must presume you have a good explanation. So I'll await to read your take on this. Thanks.

Is smooth - core member and one of the lead community managers of Monero - a hypocrite?

[raphma]

Looking forward to this. XMR + STEEM could very well be the best investments of 2016.

To me, an important difference (among many important differences) is that XMR could very well be the best investment of the third millennium.  STEEM, not so much.

For me its BTS + STEEM are going to be the best ones. XMR, need to hear some good news.

and why BTS would be better then monero? 
just wait for the GUI and you will see monero pumping.

[TheKoziTwo]

IMPORTANT ANNOUNCEMENT FOR ALL SERVICE PROVIDERS:

I basically hacked cryptonic.net today as I was able to get their wallet seed and transfer out 2380 XMR. I will of course return the funds to the owner, the only reason I transferred them out is to safe keep them from other potential attackers.

This is something that has been worrying me for a while, but it was only today after receiving a PM from a guy asking for help that I decided to go through the effort. I scanned the monero network, a total of 318 IP's on port 18082. I found 2 matches, and only 1 that I was able to attack. But there could be more vulnerable services out there running on different ports.

When you're running the wallet in rpc mode (you can do that by binding the port) for example like this:

Code:

./simplewallet --wallet-file mywallet.dat --password demo123 --rpc-bind-port 18082

Your wallet will be able to respond to RPC calls. What is very important to know is that the RPC calls are NOT password protected. The password I specified in my example (demo123) only protects the wallet. Once the wallet is running as rpc server it will accept incoming calls. Therefore your port 18082 MUST BE CLOSED (or whatever port you use to run the wallet server). This way you can only access the RPC from localhost.

The RPC has calls like "query_key" where you can retrive view_key or the mnemonic seed. That's what I used, but I could also have used commands like "transfer" to take the funds.

This does not affect normal wallets, only if you run it in server mode like I explained above.

As of right now I'd advise people to wait with purchases on cryptonic until the owner has responded and secured his wallet.

It doesn't appear to be any major issue at the moment as I only found this 1 wallet vulnerable, but again I don't know how many are running servers on different ports and I think it's best this info is out in the open so admins can secure their wallets correctly. It's very simple, just make sure that the port you bind your wallet to is closed.

[Hueristic]

IMPORTANT ANNOUNCEMENT FOR ALL SERVICE PROVIDERS:

I basically hacked cryptonic.net today as I was able to get their wallet seed and transfer out 2380 XMR. I will of course return the funds to the owner, the only reason I transferred them out is to safe keep them from other potential attackers.

This is something that has been worrying me for a while, but it was only today after receiving a PM from a guy asking for help that I decided to go through the effort. I scanned the monero network, a total of 318 IP's on port 18082. I found 2 matches, and only 1 that I was able to attack. But there could be more vulnerable services out there running on different ports.

When you're running the wallet in rpc mode (you can do that by binding the port) for example like this:

Code:

./simplewallet --wallet-file mywallet.dat --password demo123 --rpc-bind-port 18082

Your wallet will be able to respond to RPC calls. What is very important to know is that the RPC calls are NOT password protected. The password I specified in my example (demo123) only protects the wallet. Once the wallet is running as rpc server it will accept incoming calls. Therefore your port 18082 MUST BE CLOSED (or whatever port you use to run the wallet server). This way you can only access the RPC from localhost.

The RPC has calls like "query_key" where you can retrive view_key or the mnemonic seed. That's what I used, but I could also have used commands like "transfer" to take the funds.

This does not affect normal wallets, only if you run it in server mode like I explained above.

As of right now I'd advise people to wait with purchases on cryptonic until the owner has responded and secured his wallet.

It doesn't appear to be any major issue at the moment as I only found this 1 wallet vulnerable, but again I don't know how many are running servers on different ports and I think it's best this info is out in the open so admins can secure their wallets correctly. It's very simple, just make sure that the port you bind your wallet to is closed.

Nice find, I'm not sure why this info is not more widely known. Maybe because the RPC layer is just not discussed in open forum enough. :rolleyes:

[MoneroMooo]

When you're running the wallet in rpc mode (you can do that by binding the port) for example like this:

Code:

./simplewallet --wallet-file mywallet.dat --password demo123 --rpc-bind-port 18082

Your wallet will be able to respond to RPC calls. What is very important to know is that the RPC calls are NOT password protected. The password I specified in my example (demo123) only protects the wallet. Once the wallet is running as rpc server it will accept incoming calls. Therefore your port 18082 MUST BE CLOSED (or whatever port you use to run the wallet server). This way you can only access the RPC from localhost.

That's a bug. It's supposed to bind to loopback if you don't supply --rpc-bind-ip with another one. I will fix.

Edit: works fine here. Either that server was specifically told to listen inbound, or if you can repro it, file a bug with full command line and OS etc.

[TheKoziTwo]

When you're running the wallet in rpc mode (you can do that by binding the port) for example like this:

Code:

./simplewallet --wallet-file mywallet.dat --password demo123 --rpc-bind-port 18082

Your wallet will be able to respond to RPC calls. What is very important to know is that the RPC calls are NOT password protected. The password I specified in my example (demo123) only protects the wallet. Once the wallet is running as rpc server it will accept incoming calls. Therefore your port 18082 MUST BE CLOSED (or whatever port you use to run the wallet server). This way you can only access the RPC from localhost.

That's a bug. It's supposed to bind to loopback if you don't supply --rpc-bind-ip with another one. I will fix.

Edit: works fine here. Either that server was specifically told to listen inbound, or if you can repro it, file a bug with full command line and OS etc.

I've not tested it myself. I guess you're right, and it was also bound to IP. That makes it a little less dangerous.

[Hueristic]

BTW, thought I'd mention to you guys 6 is a chinese lucky number that alot of them believe holds power, second only to 8 in some parts (I'm not an expert). I know this because of the Chinese hoard of poker players. So if you see the coin being propped up at a 666 or if it goes to 888 it is more than likely chinese. Of course as this becomes more well know (for instance someone like me pointing it out), it can be used for manipulation. But thats the same with everything ground floor knowledge is power.

[smoothie]

IMPORTANT ANNOUNCEMENT FOR ALL SERVICE PROVIDERS:

I basically hacked cryptonic.net today as I was able to get their wallet seed and transfer out 2380 XMR. I will of course return the funds to the owner, the only reason I transferred them out is to safe keep them from other potential attackers.

This is something that has been worrying me for a while, but it was only today after receiving a PM from a guy asking for help that I decided to go through the effort. I scanned the monero network, a total of 318 IP's on port 18082. I found 2 matches, and only 1 that I was able to attack. But there could be more vulnerable services out there running on different ports.

When you're running the wallet in rpc mode (you can do that by binding the port) for example like this:

Code:

./simplewallet --wallet-file mywallet.dat --password demo123 --rpc-bind-port 18082

Your wallet will be able to respond to RPC calls. What is very important to know is that the RPC calls are NOT password protected. The password I specified in my example (demo123) only protects the wallet. Once the wallet is running as rpc server it will accept incoming calls. Therefore your port 18082 MUST BE CLOSED (or whatever port you use to run the wallet server). This way you can only access the RPC from localhost.

The RPC has calls like "query_key" where you can retrive view_key or the mnemonic seed. That's what I used, but I could also have used commands like "transfer" to take the funds.

This does not affect normal wallets, only if you run it in server mode like I explained above.

As of right now I'd advise people to wait with purchases on cryptonic until the owner has responded and secured his wallet.

It doesn't appear to be any major issue at the moment as I only found this 1 wallet vulnerable, but again I don't know how many are running servers on different ports and I think it's best this info is out in the open so admins can secure their wallets correctly. It's very simple, just make sure that the port you bind your wallet to is closed.

Thank you for this.

Although I don't personally run a monero in server mode it is good to see we have good intentioned whitehat hackers around.

Good work!!

[TheKoziTwo]

UPDATE: cryptonic.net is no longer compromised. All funds has been returned to the owner.

[Hueristic]

...
Thank you for this.

Although I don't personally run a monero in server mode it is good to see we have good intentioned whitehat hackers Security Professionals around.

Good work!!

FTFY.


BTW Most Security Pro's wear a grey hat.

[cryptonic21]

UPDATE: cryptonic.net is no longer compromised. All funds has been returned to the owner.

Thanks a lot, TheKoziTwo! That's great that YOU have found this bug!

As a temporary fix I have changed the payment address (the new one is not bound to our node yet) so we can process payments manually while repairing our automatic payment processing.

[smoothie]

...
Thank you for this.

Although I don't personally run a monero in server mode it is good to see we have good intentioned whitehat hackers Security Professionals around.

Good work!!

FTFY.


BTW Most Security Pro's wear a grey hat.

lol potato potah-toe.

Don't both categories have some overlap?

[saddambitcoin]

Also if you are running a service that needs to use simplewallet in RPC mode to check if payments are received but you have no need to send funds remotely, it's good to enable this flag: --restricted-rpc: Restricts RPC to view-only commands

for example:

Code:

./simplewallet --wallet-file mywallet.dat --password demo123 --rpc-bind-port 18082 --restricted-rpc

Then you can check to see if payments are received.

In addition to other things such as firewall restriction you should read this post by Fluffypony on some basic ways to secure your network if you need to use RPC for sending and receiving:

https://www.reddit.com/r/Monero/comments/4atg0d/monero_rpc_no_password/d13io7e

[luigi1111]

not 2-3 sentences

yeop, still not any clearer what exactly you are asking.

Yeah...Hueristic, man, it wasn't/isn't very clear what you want. You express concern about the wire protocol, but then go back into cryptography in 0MQ?

As for Curve25519, that is a birationally equivalent curve of what Monero *currently* uses for its crypto. It's one of the "safest" out there, Bruce's comments nothwithstanding.

Write succinct questions instead of walls of text demanding answers to vague "questions" and sounding angry and entitled when they aren't forthcoming (sorry if you didn't mean to come off like that).

[Hueristic]

not 2-3 sentences

yeop, still not any clearer what exactly you are asking.

Yeah...Hueristic, man, it wasn't/isn't very clear what you want. You express concern about the wire protocol, but then go back into cryptography in 0MQ?

As for Curve25519, that is a birationally equivalent curve of what Monero *currently* uses for its crypto. It's one of the "safest" out there, Bruce's comments nothwithstanding.

Write succinct questions instead of walls of text demanding answers to vague "questions" and sounding angry and entitled when they aren't forthcoming (sorry if you didn't mean to come off like that).

I'll go back over the conversation when I have some time and see if I can be more specific. I am asking these questions to better understand the rational and decision making that is going into these changes and have not gotten any answers to that. Is it so hard to show dev logs of the discussions of these decisions? AFA what protocols to use I have just started researching them and i'm aware curve25519 (I plan on in the future if i ever get time to see if it uses the set commonly used points or not) is already used but this question was a primer for my next question on which of those points used (I.E. how are they chosen). And I did not want to go there before I understood the answer to the questions I had listed. From what I understand the weakness of curve25519 is only when the common points are used and I am not even sure if that common point set is already being ignored for XMR and I have no clue if it's hard baked into ZMTP.

Is that any clearer? My memory is really bad these days so I have to reread alot of stuff (including my own conversations) and retracing my thought process can be tedious. That's probably why I come off as being terse. My apologies guys.

[Drhiggins]

I understand you trying to promote your business on this forum, but you can't even pay with Monero..??   I mean really.

[smoothie]

Seems counterproductive to post about there being XMR apparel then show DASH and ETH images?

[dEBRUYNE]

Eleventh dev meeting in approximately 4 hours (16:00 UTC). Dev meeting will be held at #monero-dev on freenode.

http://www.timeanddate.com/worldclock/converted.html?iso=20160717T16&p1=0&p2=56&p3=37&p4=102&p5=240&p6=136&p7=179&p8=137&p9=70&p10=28


Kovri (I2P) dev meeting in approximately 5 hours (17:00 UTC). Dev meeting can be followed at #monero-dev on freenode.

https://www.timeanddate.com/worldclock/converted.html?iso=20160717T17&p1=0&p2=56&p3=37&p4=102&p5=240&p6=136&p7=179&p8=137&p9=70&p10=28