07:44:57 My understanding is that the law firm that made it, is waiting on a publication to get confirmation on what date it will be published, and that it will not be made publicly available until after that date. Please correct me if wrong. 09:14:15 yes that's where it's at 09:14:20 they're waiting on publication dates 09:14:35 if it takes too long to publish then they'll release it separately 13:02:55 Good Morning Guys!! Some news whith FUD? 13:02:56 https://cointelegraph.com/news/ciphertrace-develops-monero-tracing-tool-to-aid-us-dhs-investigations 13:04:42 I'd go with the U (uncertainty), since there are precisely zero details and zero evidence on their methods or success 13:05:00 And without external information, it is not possible to match transactions/outputs with addresses, mathematically 13:10:24 official press release https://ciphertrace.com/ciphertrace-announces-worlds-first-monero-tracing-capabilities/ 13:10:34 The proof of the pudding is in the eating 13:10:37 > There is much work still to be done, but CipherTrace is proud to announce the world’s first Monero tracing capability 13:10:48 really vague, probably basic tracing with exchange data 13:11:05 They could have some heuristics e.g. Knaccc/EABE related stuff? 13:11:59 Do you consider that if they have developed a tool to exploit a vulnerability and trace Monero, ¿it would be disclosed? 13:12:24 IMO really unlikely that they are using some novel method. 13:12:48 I would personally be very surprised if they were using novel methods in their new tools 13:13:18 I would also be exceptionally surprised if such methods were _broadly_ applicable to _modern_ transactions 13:15:01 and I am always suspect of technical claims without evidence by companies who profit from belief in those claims 13:15:58 if it's knaccc/EABE then we can expect more exchange listings, not delistings. Because exchanges are needed for this to work, right? 13:16:22 Almost certainly 13:16:27 Good point 13:16:31 lol 13:16:37 😅 13:16:51 The alternative might be that try to build statistical models without external data, which probably leads to absurd results that one hopes aren't blindly accepted by exchanges et al. 13:17:06 provably absurd results sounds like fun 13:17:11 For example, "your deposit transaction contains a decoy identified in previous bad activity, so we label it high risk" 13:17:39 Absurd results would be absurd, but if entities accept those results, it screws people over 13:18:59 Understand, something like depositing BTC after CJ . Is a risk 13:20:48 Maybe they flag all monero transactions as high risk :D 13:20:56 Lovera[m]: it's not the same thing though 13:21:14 With CoinJoins, you can guarantee that everyone in that transaction actively participated 13:21:22 This is not the case with the Monero protocol 13:21:35 Anyway, this CipherTrace thing is a press release 13:22:52 I think it is very suspect to conclude from it that (a) they have developed any novel methods; (b) that their tools are broadly applicable to modern transactions; (c) that they can accomplish anything of value without fairly significant external information like exchange KYC and records; and (d) that they can perform anything like address linking without such data 13:23:15 If anything, this reinforces earlier work on the risks imposed by exchange interaction 13:23:24 that was done in this and other communities 13:23:49 its exciting to be able to honestly say that we likely already know about any methods used here 13:23:58 Thankful for all those who have done the work to get us to this point 13:24:00 yeah they need exchange information to know something useful. but isn't that the case with tracing bitcoin txs too? 13:25:00 Anyway, I think the best conclusion is that this is press-release journalism until any other evidence or details are presented 13:25:16 Anything beyond this is speculation, and if done in media with claims of correctness, is wildly irresponsible 13:25:40 We have years of preprints, papers, data, and discussion on _actual_ methods and tools available to everyone, including CipherTrace 13:25:41 maybe all they need is for criminals to think monero is traceable, and then problem solved :) 13:25:49 Well, they want to sell their tools 13:25:55 end of story 13:30:29 sarang: do you think you could write a small text up as a response? 13:30:48 The gist would basically be what seth has tweeted recently 13:30:57 That without evidence or details, there is nothing to discuss or debate 13:31:10 We build the protocol under the assumption that people already use the tools and methods we devise 13:32:26 ok, didn’t see his tweets 13:32:33 and the Monero and academic communities have spent years researching and discussing circumstances (far deeper than just at the level CipherTrace would be able to examine) and conditions under which effective privacy is reduced 13:32:36 This is true... 13:32:49 However, just because these circumstances and conditions exist does NOT mean they generalize broadly 13:33:07 You can use any tool unsafely, whether intentionally or not 13:33:33 But just because some people hit their thumbs with hammers does not mean you should report that all hammer use is unsafe and dangerous in practice 13:33:36 https://twitter.com/sethisimmons/status/1300421153832554497?s=21 13:33:43 Please give feedback if something could be more well written/worded 13:33:50 However, if you ran an anti-hammer company, I'm sure your press release would claim this :) 13:35:36 Thanks Seth for Tweet, im going to RT and traslate into Spanish... i think is a good response 13:35:44 Awesome, thanks :) 13:36:01 sethsimmons: your reference to #monero-research-lab on twitter could require a hint that it is on Freenode IRC ... 13:36:19 True Ill add that 13:36:40 "If only there were people to contact with technical questions about claims relating to cryptography... unfortunately, no such people exist..." 13:36:56 I'm super surprised they didn't ask anyone with a technical background about this 13:37:03 Maybe I should not be surprised :( 13:37:21 I mean, seriously, concluding super broad technical things from a press release just makes me angry 13:37:37 "Monero puts out press release saying CipherTrace is full of it" 13:37:39 It feels kind of disingenuous to release a tool without releasing any of the specifics 13:37:40 ^ what now, press? 13:37:51 dEBRUYNE: not really; they're a company 13:37:56 Sure, but still 13:38:02 What if in the background it is merely a coin toss 13:38:09 I am exaggerating a bit 13:38:13 What's irresponsible is making ecosystem-wide technical claims from a freaking press release 13:38:51 Sure, present the press release if you want, but _in_context_ and presented as such 13:38:52 it's a commercial ad disguised as journalism 13:38:55 yes 13:39:01 that's shoddy journalism 13:39:06 yep 13:39:16 But is very common in this space since reporters don't seem to have any technical background 13:39:26 which, again, is fine... as long as you get it right 13:39:52 But really, someone should release their own press release saying CipherTrace is full of it unless they give details =p 13:39:59 (kidding, kidding...) 13:40:22 Anyway, I'm done giving this nonsense any more of my time 13:40:38 aww, we were just getting started 13:40:38 Time to return to actual open privacy research 13:40:42 what else are we going to discuss? 13:40:52 OK. fair enough 13:41:42 If anyone has technical/research questions, or wants to check the accuracy of claims, mention me or ask in #monero-research-lab 13:41:58 I am more than happy to devote time to accuracy 13:44:11 What about precision? 13:44:12 * Inge- ducks 13:44:35 lol 13:46:00 And feel free to direct interested entities to the Breaking Monero series, where we discuss different specific scenarios where effective privacy _is_ reduced, and try to put them into actual context to show how they are or are not broadly applicable 13:50:11 Lol this guy just followed me: https://twitter.com/R5parrow?s=21 13:50:24 "VP of Attribution at CipherTrace" 13:50:30 Maybe they'll actually reach out now 13:50:38 Maybe that's their tool 13:50:53 secret Twitter follow bot 13:51:22 lol 13:51:24 GOTCHA 13:51:32 ALL YOUR MONERO TRANSACTIONS ARE BELONG TO US 13:51:49 Ask him what your risk score is 13:51:57 XD 14:12:27 sarang: Would you mind leaving a brief comment here? https://old.reddit.com/r/Monero/comments/ijyhmq/ciphertrace_claims_it_developed_a_monero_tracing/ 14:15:31 I commented linking to the tweets... 14:16:54 Same :P 14:17:22 yea removed the link again because you linked already :D 14:22:55 commented dEBRUYNE 14:35:59 Thanks 16:19:11 From the CEO: https://twitter.com/davejevans/status/1300466928440324096 16:20:16 I would be very impressed if the CEO had the expertise to appreciate all of the methods that might be involved 16:21:45 "Thanks fluffy. We will give some more details on an interview, but you can appreciate that we cannot disclose all of the methods or the future plans at this time. We reviewed all the Breaking Monero pods as well as all of the published academic research. It's helpful." 16:22:11 Interesting 16:22:20 Wonder who’s doing the interview 16:22:30 So again sounds like they will refuse to prove any capabilities on mainchain 16:22:41 sgp_ did they ever get back to you about a potential interview? 16:23:34 yes they are free the rest of the day really. I need to confirm they will describe the tracing more before agreeing to schedule one 16:23:51 also define "tracing"... 16:24:13 I can think of several things you could define in a press release as "tracing" and be technically correct 16:25:29 https://twitter.com/davejevans/status/1300469062682640390 16:26:06 interesting tweet 16:26:26 No, because it's almost certainly statistical 16:26:30 Idk what that means tbh 16:26:34 Very vague again 16:26:48 This part is worrisome, because it will be easy to claim "accuracy" to their customers/clients 16:27:12 Whereas for stuff like BTC you can say things with certainty: this transaction signed with this key 16:27:50 If the interview ends up being "we can build statistics on transactions" the response is "yeah, and?" 16:27:54 when triptych 16:27:55 We've known this for years 16:28:13 Triptych doesn't stop the ability of companies to take complex statistics and claim things to people who pay you 16:28:17 You're looking at the tweet too narrowly. He also shared our response 16:28:22 A tool can spit out whatever it wants 16:28:27 We developed a graph+explorer for all the pre-2017 tx based on the Monero Leaks dataset (or whatever it was called). Checkmate Monero. 16:28:39 True 16:28:50 right, but triptych will make their statistics more uncertain, which can be good and bad 16:28:51 sgp_: you'll excuse my cynicism here... they're trying to sell a product with a vague press release 16:29:09 If they're legitimately being open about this, great; I look forward to it 16:29:25 But I am setting my expectations based on how they've approached it so far 16:30:04 Proprietary Statistics and Ranking Algorithms (tm) would not be helpful, for example, either to the research community or to their customers 16:30:10 who should not be expected to be experts in this 16:30:23 If the customers are to rely on CipherTrace to be these experts, they need to demonstrate it IMO 16:31:00 👏 16:31:19 Anyway, I look forward to my cynicism being proven wrong 16:38:04 Anyone want to post the txid of a random test transaction for CipherTrace to be presented? 16:38:55 I doubt that they will prove anything. 16:39:07 No, but it's a good move to ask them to 16:39:35 too late to give them the tracing challenge, but that would be a good demo 16:39:38 They can PR all they want about tools, but getting the output of those tools speaks far louder 16:39:44 Why too late? 16:39:50 Does the tool turn into a pumpkin at midnight? 16:40:00 well, too late for an interview today probably 16:40:03 I will donate $100 to the charity of their choice to compensate them for their time 16:40:05 but I can check 16:42:22 Also, it's not a "tracing challenge", but a way to encourage details on what exactly they claim to provide with their tool 16:43:30 Otherwise everyone is chasing their own tails not talking about any details on anything, which is a waste of everyone's time 16:44:13 emailed them again 16:47:07 https://reddit.com/r/Monero/comments/ijyhmq/_/g3hd4uu/ 16:47:08 [REDDIT] Ciphertrace Claims it Developed a Monero Tracing Tool, I say it’s speculation as they provided no proof of their work (https://cointelegraph.com/news/ciphertrace-develops-monero-tracing-tool-to-aid-us-dhs-investigations) to r/Monero | 30 points (94.0%) | 27 comments | Posted by fellowcitzen | Created at 2020-08-31 - 14:00:26 16:47:10 here are some details 16:47:25 was removed 16:47:30 will repost 16:48:07 https://www.irccloud.com/pastebin/fpZwwSsF/ 16:48:52 "decoy removal" can mean anything 16:49:10 He also claimed that MimbleWimble has worse privacy than Monero: https://www.reddit.com/r/CryptoCurrency/comments/ijzj17/ciphertrace_develops_monerotracing_tool_to_aid_us/g3hg9eq/ 16:49:11 [REDDIT] CipherTrace develops Monero-tracing tool to aid US DHS investigations (https://cointelegraph.com/news/ciphertrace-develops-monero-tracing-tool-to-aid-us-dhs-investigations) to r/CryptoCurrency | 0 points (50.0%) | 7 comments | Posted by jwinterm | Created at 2020-08-31 - 14:59:03 16:49:14 which is not exactly news 16:49:32 he also posted a tracing example, but it requires mod approval 16:49:34 dEBRUYNE: ^^ 16:49:35 Lol he used half of the comment to insult, nice 16:49:53 also not sure if this is a legit account 16:50:39 I can verify 16:50:44 dEBRUYNE needmoney90: https://www.reddit.com/r/Monero/comments/ik0t3h/ciphertrace_monero_tracing_example/ 16:50:45 [REDDIT] CipherTrace Monero tracing example (self.Monero) | 1 points (100.0%) | 0 comments | Posted by CipherTrace-Dave | Created at 2020-08-31 - 16:07:22 16:51:09 waiting approval? 16:51:16 new account gets blocked by automod 16:54:03 Decoy removal? This is too vague description. 16:55:08 OK so 16:55:14 This has _nothing_ to do with linking to addresses 16:55:17 not even close 16:55:31 Lol 16:55:35 that requires external information, known spends to listed addresses, or breaking mathematics in a fascinating way 16:55:49 We have published tools on "decoy removal", and methods and math on this, for years 16:55:56 If they packaged it into a fancy tool, cool 16:56:07 That research is all open, and we don't get to decide how math is used 16:56:19 I stand by my earlier assertions on what this probably is 16:56:42 and by my fear that this will be presented to customers/clients as some kind of yes/no risk tool, when really it's a fuzzy-wuzzy statistical cloud 16:57:00 Kudos to Dave for providing _any_ details, for sure 16:57:13 No fault there 16:57:34 https://usercontent.irccloud-cdn.com/file/QMT8FRCF/ciphertrace 16:57:48 I mean, if Dave wants a list of all outputs that can be _definitively_ traced, with no stats involved, I can literally email this list to him 16:57:54 I can confirm the UI looks like CipherTrace's other tools 16:57:54 Or give him a Python tool to do it himself 16:58:22 So what, this identifies ring members by source? 16:58:26 this screenshot seems real and realistic 16:58:28 Sure, any explorer can do this 16:58:36 Is there more that I'm not getting here? 16:58:36 though obviously this doesn't show much lol 16:59:22 No, it does not 16:59:30 To be fair, I assume their customers dont' _want_ much detail 16:59:33 so it’s a visual block explorer? like fluffy said? lol 16:59:35 They want "risk" 16:59:45 I'm trying to figure out where they are making attributions between outputs and addresses/users 16:59:47 So customers shouldn't be expected to want deep information... 16:59:59 If this is just labeling outputs, that's like... a database 17:00:02 and a block explorer 17:00:07 and a frontend 17:00:10 Is there more here? 17:00:14 Or I am just going insane? 17:00:15 Or both? 17:00:25 looks like a visual block explorer? 17:01:08 if it's easy to use it's a cool tool, but hardly shows/proves much 17:01:35 Lol at all mixins being tagged “mixer” in the legend 17:01:46 Says nothing about how they are deducing true spend from the decoys 17:01:54 That could be a completely false trace for all we know 17:02:05 But maybe someone else can make more sense of it 17:02:10 I'm not 100% sure that's how it works, would be odd if the others were ATM 17:02:38 Can't they just create a risk score for each key image? 17:03:02 they're not "deducing" true spend, they can only estimate probabilities 17:03:11 Sure 17:03:18 But that's essentially risk assessment 17:03:22 Just less accurate 17:03:29 Why are all sends marked as “ATM”? 17:04:18 I am not sure if that's actually what they are marked as 17:04:46 I asked on Reddit for him to explain/walk-through 17:04:56 Because Monero is digital cash, and since ATM's deal with cash 17:05:20 sethsimmons: yeah I wondered that as well. Maybe they have all the ATM info (hence all outputs from ATMs) 17:05:38 That is actually a pretty good example of a potential privacy leak 17:05:58 sgp_: there is a colour key... 17:06:06 You don't think that's accurate? 17:06:32 I guess I would be surprised if it was an ATM example 17:07:33 Seems like they're implying they can trace from DNM to ATM in this graph 17:07:34 And I think they are just coding unknown outputs as "mixer" 17:07:54 so it might be EABE attack using data (known outputs) from ATMs 17:07:56 Even "known" are marked as mixer lol 17:08:06 sech1: that's my guess, yes 17:08:42 I think we're reading it wrong -- I don't think the arrows are covered by the legend 17:08:47 How many ATM software/hardwares are there? 17:08:47 Only the dots/highlighting 17:08:50 Not many right? 17:09:04 The initial sets of inputs have one black (DNM) and one white (unknown) input flagged 17:09:26 Then there is a highlighted green output (ATM)? 17:09:31 The LEAs could also have fake ads on DNMs 17:09:36 That would give them additional data 17:10:02 Not sure how else they could say these originated from DNM 17:10:28 Confiscated accounts? Arrests? 17:11:10 I think this is just an example of the interface. 17:11:18 Well if they own this accounts keys its not really tracing :P 17:12:02 "sgp_" (https://matrix.to/#/@freenode_sgp_:matrix.org): Legend is supposed to be applied to arrows or addresses/circles? 17:12:26 sethsimmons: no, but it's another set of known "risky" outputs 17:12:37 xmrscott[m]: exactly I don't know 17:12:48 I would say all 17:12:59 Makes no sense to use the same colour otherwise 17:13:06 I think orange arrows are inputs, green are outputs 17:13:17 I don't think the arrows have a legen/apply to the given legend 17:14:17 What I don't understand is the way each transaction is depicted -- is the pentagon a key image, and the square a transaction? It's all so confusing 17:14:31 i'm saying it's a visual block explorer and an api-ready framework for all exchanges/etc to connect to, enforced by LEAs 17:16:07 That wouldn't be of any use for the specified purpose of tracing Monero, though 17:16:18 Since it wouldn't even help in any way to imply a known spend etc. 17:16:21 So if its just a visual block explorer its not interesting 17:16:31 But if it is just that it makes sense why they call it v1 and say they are going to build on it 17:27:46 * needmoney90 rolled over to approve the comments and is only just now coming up to speed 17:27:48 morning :( 17:31:05 needmoney90: good night 17:54:39 hyc: whenever I see your name mentioned on the internet i just forward it to you :-P https://lobste.rs/s/m9vkg4/database_i_wish_i_had#c_askorb 18:00:53 sgp_ You sent the tracing challenge to ciphertrace right? 18:01:00 Have they gotten back to you with any response? 18:01:12 They have a fancy tool that does it, so it should be a cinch 18:01:41 Oh that would be a great test :D 18:01:54 Forgot sgp_ sent them that before we knew about all of this lol 18:02:14 needmoney90: yes I sent it their way 18:02:47 That's where they got the idea ;-) 18:02:57 Two weeks later, product released!! 18:03:18 XD 18:03:27 stranger things have happened 18:03:33 Lets have them on Monero Space for a chat and have them walk us through how they beat the challenge ;) 18:03:54 There's a gimme in there, an EAE, they should at least get that one 18:04:19 literally only one path in the whole set, its a process of elimination thing 18:04:42 What's the attack when you run a load of nodes? 18:05:04 you're able to tell who sent the initial tx, at least before i2p/dandelion 18:05:11 so you record id/tx pairs 18:05:19 Or sorry when you create a load of transactions so you know the majority/substantial portion of outputs.. 18:05:19 and can use that to correlate txes 18:05:24 oh, thats a different one 18:05:36 Yeah, sorry. Got confused 18:05:45 Though both are nasty 18:05:52 That's the one we need to look out for 18:05:55 Dont we run dandelion++ default now? 18:06:11 I thought that fixed it 18:07:56 sgp_ Can I get some confirmation dave is dave? 18:08:02 If you can do it sidechannel 18:08:07 Then I can tag him 18:08:42 Just want some independent sidechannel verification, its kind of a foregone conclusion who he is 18:09:14 pinged on Twitter 18:14:44 Sooooo is this trying to use decoy presence in rings to "estimate" the likelihood of being connected to illicit activity? 18:14:56 If so, that's an insane misrepresentation of how non-interactive signatures work 18:15:10 Without any details, I'll assume this is the case :D 18:19:35 * sarang waits for clarification from people in the know... 18:20:53 * needmoney90 wants a cartoon sarang with a wizard hat fighting off fud with math weapons 18:21:29 If all this tool is doing is counting ring members and tagging them in some database, that's... a really bad way to do this 18:21:42 I really hope they're trying to be more clever than that 18:21:52 Otherwise, they're paying someone way too much 18:22:24 there must be two poisioned outputs that they noticed were later spent in the same transaction, so they're doing pretty straightforward stuff here 18:22:38 dear CyberTrack, I sent a morono tx last night while drunk and don't remember who I sent it to. Can you please help me? 18:23:19 knaccc: is that really a realistic way to look at this? 18:23:31 Oh, are they assuming the poison comes from the same transaction too? 18:23:39 If not, this is a simple example of bad sweep 18:23:45 i assume on two separate occasions, they paid the merchant 18:23:51 then later waited for a cashout 18:23:55 Dont those first two txes have *two highlighted txes* in the same ring? 18:23:55 Sure, that's well known 18:24:00 You cant spend two txes in the same ring 18:24:14 yeah it's really well known 18:24:18 Yuuu 18:24:20 Yuuup 18:24:24 they're not doing anything clever at all, but it does work 18:24:24 OK, this is nothing even remotely new 18:24:37 This is just saying you should _at least_ safely churn before merging 18:24:39 bam 18:24:49 I literally am working on an output merging analysis tool now 18:24:54 to examine distributions of this 18:24:55 lol 18:24:57 oh nice 18:25:00 OK 18:25:05 they only got $120k from DHS sarang 18:25:06 This is super enlightening 18:25:07 maybe we should apply for DHS contracts 18:25:17 We jokingly considered it needmoney90 18:25:19 heh 18:25:22 wen SarangTrace 18:25:30 they actually got $1.3M from dept of interior 18:25:32 I was invited to participate in the CipherTrace interview later today 18:25:39 I'll ask about this specifically 18:25:44 and ask if they'd like my toolkit 18:25:49 profits will go to mooonero development 18:25:57 sarang what does your toolkit do 18:26:02 if we're already doing the development why not get paid for it? 18:26:11 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 18:26:18 "Monero being paid by government to break its own software!" 18:26:30 knaccc: looks at distributions of merged outputs 18:26:42 if/when we use epochs, this goes away 18:27:00 Er, goes away if done in a temporally close way 18:27:10 Otherwise, if you aren't accepting controlled payments, this analysis is useless 18:27:21 Also: do individual sweeps before spending 18:27:30 bam, this problem is now solved(ish) 18:27:34 sarang oh i see, so for a tx with 2 inputs, it's looking to see how easy it is to guess the real outputs being spent by noticing they were recevied in a comparatively much closer timespan than other outputs 18:27:37 So it’s just a merge of poisoned outputs? 18:27:44 yeah epochs definitely a great idea 18:27:47 sethsimmons: appears so 18:27:52 Lol 18:28:02 knaccc: also depends if the outputs are known to be controlled to the same entity 18:28:05 That explains a lot 18:28:08 e.g. poisoned outputs at multiple spends 18:28:12 nice 18:28:43 knaccc: one version of merging looks purely at source txns, which is my focus 18:29:06 Source txns being separate but known (like in broad ransomware) is mitigated by avoiding multiple sweeps 18:29:26 This isn't even remotely a concern if you aren't pulling evil shit like this 18:29:48 what is the evil sh*t you're referring to? 18:30:15 you mean ransomware? 18:30:30 If you accept multiple flagged outputs in different transactions and later merge them 18:30:38 So summary: two known poisoned outputs are later merged, allowing the poisoner to use a shared ownership heuristic to tie them to the same entity? 18:31:02 The original merge research assumed you were looking at outputs generated in the same txn, but this isn't that common 18:31:08 well if you're selling bibles in china, you can't avoid receiving poisioned outputs. all you can do is later not spend them together 18:31:21 But if you assume the source txns are in some list somewhere (like in a broad ransomware attack), the idea is similar 18:31:27 knaccc: right 18:31:34 Best way to avoid this myself is sweeping individual outputs from potentially tracked sources (like KYC exchanges) before merging at some point later (if needed)? 18:31:43 Yes 18:31:51 This doesn't eliminate all risk, but mitigates it 18:31:52 Thanks 18:31:58 This has been looooong known 18:32:04 Could this be done by default at the wallet level? 18:32:04 NOTE: this is speculation 18:32:19 Yeah for sure this is old as time 18:32:20 We don't know if this is actually what the Fancy Tool does 18:32:27 But it sure sounds like it 18:32:34 the question is: how can monero be designed such that monero users don't need to know all these special rules in order to have untraceability 18:32:47 knaccc: this is the correct question :) 18:32:55 If it is, a simple “right click incoming TX>churn” in GUI would fix in theory 18:33:05 Well, to a point, yes 18:33:20 Since it adds those outputs to a "recent pool" likely to be chosen in many txns 18:33:23 well you'd need to churn more than once, especially if there were more than two poisioned outputs 18:33:24 YES! 18:33:29 ALSO: this Fancy Tool is statistical only 18:33:32 a LOT more than once 18:33:47 knaccc: sure 18:33:57 Maybe “flag for churning” and let the wallet churn based on some profile over time 18:33:57 it moves the analysis down the graph 18:34:15 But it does sound like CT is doing very little broad graph analysis 18:34:22 I'm a bit disappointed :( 18:34:25 haha 18:34:31 I had kinda hoped for more interesting stuff 18:34:37 This is... not interesting 18:34:39 Lol 18:34:41 Useful? Sometimes 18:35:05 haha you're getting annoyed at someone breaking your crypto and it's only a wrench 18:35:18 I mean I suspect they're embarrassed about their tool's capabilities, or they'd be yelling about them 18:35:29 I'll bring it up in the interview 18:35:44 best I can do needmoney90 https://i.imgur.com/CQDficY.png 18:35:46 I'm not saying it's nothing 18:35:48 Should be good 😎 18:35:53 or a bike lock with a ball-point pen. amateur! 18:35:59 hahaha 18:36:03 Interview with sgp_ or who? 18:36:10 It does highlight ways the wallet can continue to protect against certain silly things 18:36:13 yes 18:36:47 Nice 18:37:11 Dave is talking to Sarang and me later today 18:37:16 I wonder if they did something else with their year of work 18:37:27 Yeah some easier coin control is a bare minimum needed for this, but automated behind the scenes is best 18:37:30 I'll probably post the interview tonight unless it goes poorly and they don't answer any questions 18:37:48 Sweet 18:38:42 I guess most china bible seller are not familiar with coin control at all 18:39:43 But yeah, this is a great opportunity to review how wallets handle outputs in this way 18:40:00 Absolutely 18:40:05 A tool like this could be enough to get them in some of those reeducation camps or worse. Not that the tool is ground breaking or anything, but a good reminder that all theoretical attack vectors will, with enough time, be explored. 18:40:24 Absolutely 18:41:01 I've said for a _long_ time that what was untested was the extent to which plausible deniability and statistical heuristics actually matter in the real world 18:41:08 This is a fascinating example of it happening 18:41:19 Unfortunately, they won't say the actual thresholds 18:41:38 but FWIW nothing about their example provides definitive evidence of transaction structure 18:41:44 it's just a merge analysis 18:42:12 This was published years ago 18:42:15 There are warnings (e.g. spending multiple old outputs) that only get displayed in monero-wallet-cli currently, they should be added to GUI. 18:42:44 absolutely 18:42:48 go for it :D 18:43:02 I'll try to use this interview to say "sooooooo this is a merge analysis, then" 18:48:34 needmoney90 actually this would be a really cool traceability challenge. you could give me two different wallet addresses, and i'd send an output to each of them. then you avoid combining them directly by spending them both in the same transaction. instead, you try an churn each of them independently, and only eventually spend the results of those churns later 18:48:47 and i see if i can tell you the tx where you finally combined them :) 18:49:04 i wonder how many false positives i'd see 18:50:04 Yeah, this is part of the analysis I'm doing now 18:50:19 oh nice 18:50:38 i'm kinda nervous at what you might discover. 18:50:40 My conclusion: if you aren't concerned about multiple flagged outputs, and you aren't performing these merges, this technique likely does not apply to you 18:50:42 https://pastebin.com/raw/ZMtQAE0k 18:50:44 sarang <3 18:51:09 <3 18:51:12 Fascinating that a tool is actually doing this 18:51:27 I'm still academically disappointed they aren't doing something more interesting =p 18:52:27 sarang what you just said sounds eequivalent to: "if you aren't concerned about an exchange being hacked (which would effectively 'flag' certain outputs as being sent to a particular person), and if you never cash out more than one received outputs at a KYC exchange, then this threat does not apply to you 18:52:58 but that's basically unmasking vast numbers of trading relationships between exchange users in the event of a hack 18:54:41 The flagging part is true 18:54:45 The intermediate steps, less so 18:54:54 But I get what you're saying; you've brought it up before 18:55:24 i'm glad you're doing this merge analysis, it sounds incredibly interesting 18:55:39 I have mixed feelings about the "exchange got hacked" argument, since at some level it devolves to "I gave this entity loads of personal information, and now it lost them" 18:56:11 If CipherTrace wishes to fund public research, more power to them :) 18:56:42 the research does not seem very public 18:56:57 only their conclusions :D 18:57:39 we should just ask an exchange to give us an anonymized dump of their data for research purposes 18:57:39 No, but if they want to support me and the research is all public, go for it! 18:57:54 knaccc: shapeshift's api is public 18:58:13 they don't say when two txs were by the same person though, which is the critical thing 18:58:43 unless they are reporting IP addresses or something i didn't notice 18:59:09 they are not 19:05:30 sarang btw have you been making any mainnet txs and churning them etc for your research purposes? 19:05:44 it'd be cool to establish a library of 'tracing challenges' 19:05:54 including nm90's latest tracing challenge 19:08:15 I have not 19:08:27 I've been doing stats to get typical distributions 19:08:41 ah ok 19:09:24 Mine should be a cakewalk compared to real world data 19:09:34 Literally all occurred within two days 19:09:46 Barely any time to analyze at all, tons you can rule out 19:10:38 I find it surprising they'd do this kind of merge analysis and not the trivial value-based Zcash-type pool interaction stuff, which seems way easier 19:10:41 Unless... they are... 19:10:42 <_< 19:10:43 >_> 19:10:47 Ciphertrace has had access to the challenge since it came out, we shared it with them 19:11:36 Yeah, but Zcash isn't as heavily used/recognized, so it wouldn't sell as well 19:12:43 s/it/the news 19:12:43 xmrscott[m] meant to say: Yeah, but Zcash isn't as heavily used/recognized, so the news wouldn't sell as well 19:30:57 chainalasys has a tool for zcash already though 19:32:21 But AFAIK it doesn't even bother doing pool transitions 19:32:46 and historically those are _huge_ for linking shielding operations; unfortunately no one has bothered to do an updated analysis of this 19:32:57 (I tried, but the tooling is _awful_ for this) 20:13:25 Ciphertrace *could* have spammed transactions... 20:13:58 We'll be asking this in the interview 20:14:45 FWIW another entity (like a government partner) could do the spamming and present the info to CT 20:14:53 and then CT is technically not spamming, and can deny this 20:14:59 So any response could be weasel words 20:16:33 so the recent transaction volume growth was spamming? 20:16:42 recent = 6 months or so 20:16:59 I don't know what caused it 20:17:09 I intended to ask this question of them generally 20:17:12 as part of their tooling 20:17:17 I wouldn't be surprised if its recent increase in DNM adoption 20:17:24 As there are clear and tangible signs of that 20:17:29 But definitely curious what they say 20:17:46 "we deduced the output because we owned the other 8/9/10" would be spicy 20:19:08 I'm sure they don't do the spamming 20:19:24 But I wager they won't answer about their investigative partners doing controlled transactions 20:19:26 we'll see 20:19:32 We should assume this happens anyway 20:19:48 Crypto activity generally picked up, also DNM adoption increased. 20:20:21 Also felt like more support threads with basic questions but that’s not really accurate metric. 20:22:57 Is it worthwhile at all to create some sort of dashboard to monitor 'community'-type activity vs tx volume to make sure there's no funny business? 20:23:11 doubtr 20:23:26 There's an easy way to test it tho :D 20:23:32 first spike in txs around a year ago was the introduction of the game minko :) 20:24:03 If you want to test whether an active attacker is spamming a % of txes, create a sustained burst of txes for a few days and see if it gets matched 20:24:46 I considered doing something like that for a puzzle, but it was too costly to get a large % for a few weeks, even with our tx costs 20:25:38 2 XMR/day at most 20:26:00 if you just fill empty space in blocks to make them 300 KB 20:26:20 well, costly to sustain it for a few weeks :D 20:29:54 I'm aware of other indicators that at least some portion of the transaction increase are legitimate 20:30:07 How so? 20:30:09 Can you share? 20:30:25 not really my info to share 20:30:46 i love that monero's total monthly tx volume only cost $600 in tx fees 20:31:07 i wonder if that's in the realm of what governments can afford to spend to spam the blockchain :) 20:31:48 Well, it's tough to have the protocol determine what's a "legit" transaction... 20:31:58 and any ongoing spam attack needs to be... ongoing 20:32:09 Which is of course not infeasible 20:32:15 but does require ongoing sustained effort 20:32:17 yeah, can they afford to spend $600 a month on an ongoing basis 20:32:21 knaccc https://pbs.twimg.com/media/Efu9dd7UMAALfKW?format=jpg&name=large 20:32:24 lol that's not what I mean 20:32:26 I agree with selsta's sentiment. From the burst of recent activity in the monero channels + reddit i would say an increase of tx seems organic, especially if we consider the recent price rise. Just a feelijng tho, i have nothing to back that claim 20:32:28 Implying *our* fees our low? 20:32:38 It's about fraction of control 20:33:19 needmoney90 HAHAHAHA 20:33:24 who did that?! 20:33:33 I made that one lol 20:33:43 you drew that? that's incredible! 20:33:45 nonono 20:33:47 so good 20:33:48 I modified it 20:33:53 still awesome 20:34:15 https://i.kym-cdn.com/photos/images/newsfeed/001/838/613/45e.jpg 20:34:20 the original creator was 3palec 20:34:32 I swapped out the medal and barolo label 20:34:38 ha it looks seamless 20:34:52 barolo label is sooo off 20:34:58 but you didnt hear it from me 20:35:00 I got lazy :p 20:35:21 didnt bother to mask it against the bottle edge 20:35:34 so a corner sticks out and the bottle is visible in other parts 20:36:01 it looked totally seamless to me 20:36:06 hehe 20:36:35 * needmoney90 was pretty happy with how it turned out 20:36:44 https://twitter.com/MoneroMemes/status/1295837645487054848 20:36:47 it got some upvotes :D 20:38:10 (also the person who originally charted those numbers forgot litecoin) 20:38:15 (so we were actually 4th) 20:38:26 but shh 20:39:02 its funny that our fees are that much higher than other networks when we're sitting at this point in market cap 20:40:19 We’re one of the few L1s that sees actual usage 20:40:36 Most base layers are dead 20:41:07 Someone pointed out (reddit?) that Monero tends to be delightfully boring 20:41:09 I like that 20:41:24 I have a screwdriver set that I use for fixing things, and it's delightfully boring too 20:41:36 IMO good tools should do their job and be predictably dull 20:42:29 lets move the decimal 1 place and claim its an airdrop to all monero holders 20:43:22 -____- 20:44:27 "we 10x'ed the coins!!!!!" 20:44:55 wen 20:44:57 we would pamp 20:44:58 so hard 20:46:04 isn’t Apple / Tesla pumping hard due to stock split? 20:46:13 soo big companies do the same :D 20:46:25 cmon guys lets push this 20:46:43 private airdrops 20:47:01 when my private airdrop 20:47:10 sgp_, knaccc, sarang: Would it be worthwhile to write a brief 'A response to' blog now that an example has been posted? 20:47:24 !tip sgp_ 10 20:47:25 idk, not yet? 20:47:32 The previous blogs have come in handy when the subject ultimately arises 20:47:49 sure, maybe a MO post is enough though for this? 20:47:56 I'm not really sure tbh 20:48:10 Probably best to wait until after the interview 20:48:17 we should have an interview up in ~2 hours anyway 20:48:17 yeah worth seeing what they have to say 20:48:19 yeah 20:48:27 cant wait! 20:48:40 imagine if it was live lol 20:48:48 Spicy :D 20:48:49 that would be more risky though 20:48:50 I wish it was live 20:48:52 Open questions 20:48:59 (I don't actually wish it was live) 20:49:01 Has that reddit post been verified? 20:49:03 haha literally open chat to the public 20:49:05 But I kinda do just for the risk factor 20:49:05 As being from Dave's account? 20:49:09 If so, worth noting this 20:49:21 no it has not been verified yet 20:49:27 I can ask before the interview however 20:50:19 Please do 20:50:27 I want to know if it can/should be referenced as accurate 20:50:34 He could tweet a link etc. 20:50:37 obviously yeah 20:50:45 Right, to be publicly verifiable 20:50:51 like I said we can easily confirm before asking questions 20:50:51 as opposed to just emailing you 20:50:55 yes 20:51:00 but ideally publicly verifiable is best 20:51:11 If he emails you, you could lie about it etc. 20:51:14 sarang: The mods can flair given private info 20:51:21 and often do 20:51:31 yeha I see nothing wrong with private verification 20:51:37 once flaired, you can assume the subreddit mods reputation is at stake there 20:51:48 Sure, he can do whatever he wants 20:51:58 But it's easiest if he tweets it 20:52:05 Then he's also taking public ownership of it 20:52:10 which IMO is beneficial 20:52:33 Until then, I don't think a blag post about that plot is a good idea, since it could be trivially faked 20:52:38 We've been duped before 20:53:44 to be fair, we spoke with them regarding the whole writeup to begin with 20:53:51 beforehand 20:53:59 and they asked a bunch of BS questions 20:54:09 ? 20:54:28 Did they discuss the post? 21:20:17 Will the interview be publicly published btw? 21:21:34 On the Monero Space channel AFAIK 21:21:38 He said right after 21:22:09 Yes 21:22:16 We are conducting the interview as we speak 21:27:16 share juicy details 21:36:24 https://www.reddit.com/r/Monero/comments/ijyhmq/ciphertrace_claims_it_developed_a_monero_tracing/ 21:36:24 [REDDIT] Ciphertrace Claims it Developed a Monero Tracing Tool, I say it’s speculation as they provided no proof of their work (https://cointelegraph.com/news/ciphertrace-develops-monero-tracing-tool-to-aid-us-dhs-investigations) to r/Monero | 43 points (90.0%) | 49 comments | Posted by [deleted] | Created at 2020-08-31 - 14:00:26 21:36:27 Author deleted that thread 21:37:16 Can we still make it visible somehow? 21:37:23 we can't afaik 21:37:37 who originally made it? 21:37:40 Why is it gone? D: 21:37:53 we could crosspost to the comments thread 21:37:57 as a new post 21:38:01 thats about the best possible 21:55:32 You mean the example thread? 21:55:35 Let's do that I guess 21:55:57 https://decrypt.co/40284/us-homeland-security-can-now-track-privacy-crypto-monero 21:56:00 lolol 21:56:29 i guess they watched Breaking Monero 21:56:54 "CipherTrace paints it as a positive for XMR by adding legitimacy to the privacy coin" that is world-class spin 21:57:02 Hate to be the tinfoil guy, but am I the only one who finds the timing of this disinformation campaign a little suspect? This is within a week of the news of DNMs becoming mostly XMR 21:57:23 which DNMs are those? 21:57:42 The lead DNM exit scammed, which was mainly Bitcoin 21:57:45 They got gov contracts, worked on this for over one year. Obviously they have to claim that "they can now trace monero". 21:57:53 Almost all of the rest are XMR exclusively or Primarily XMR 21:58:14 i think sgp_ needs to create a series called Fixing Monero 21:58:34 :) 21:58:41 It’s almost like this came out of someone’s playbook... 21:59:01 I’ll take the tinfoil off now. Back to regularly scheduled programming.... 21:59:04 I see bears and crabs in the sky 21:59:08 lol @ article 21:59:20 I only read headline 21:59:25 MO 21:59:34 At least later they admit it’s not like Bitcoin and more of a probabilistic game. 21:59:34 why waste time 22:00:26 thx for saving me time selsta <3 22:01:06 they take a corporate press release and present it as a fact in the title 22:03:13 how else will people click and read the link? 22:03:20 think of the missed ad revenue !! 22:03:42 CipherTrace claims to be privacy advocates in that article too 22:04:50 CTO of CipherTrace is presented as pro-cryptography, see bio 22:04:58 on their official website 22:06:14 yeah sure 22:06:22 writes a smear job and endorses it 22:06:26 Hate to be the tinfo"> Nah, I commented my hunch is maybe TLA psyops given timing 22:06:29 Without talking to the people who actually did the research they used 22:07:15 Btw, for reddit mods, consider removing any direct mention to phishig sites from the subreddit, see also https://www.reddit.com/r/Monero/comments/ijv0c3/account_address_and_receive_address/ 22:07:15 [REDDIT] Account Address and Receive Address (self.Monero) | 9 points (92.0%) | 3 comments | Posted by French2 | Created at 2020-08-31 - 09:39:59 22:07:20 Because it might increase their SEO 22:07:34 When I say direct, I mean a 1:1 URL 22:08:02 I thought they were on the list 22:08:05 we do have an autoremove list 22:08:10 that one wasnt on it for some reason 22:08:13 right 22:08:30 Same w/ CEO on Twitter. Cypherpunk and smart contract advocate since 1999 (TM). Ok buddy. 22:09:11 Done 22:09:20 tysir 22:09:20 It's now on the list 22:09:24 shouldn't happen again 22:09:35 I strip the privacy 22:09:37 TO build it back up 22:09:39 you see? 22:09:59 *while working with govs 100% 22:10:04 ANd taking helicopter money 22:10:06 Their day job: CipherTrace. Their night job: being mooo 22:10:11 And selling KYC info to the gov 22:10:14 LOL 22:11:56 Meh I don't really care if people work for chain analytics or the gov. but I do care if news website publish sensational headlines :P 22:13:25 I suppose it's a good sign that any such news is immediately "big news" - it reconfirms that Monero's privacy is strong 22:13:44 That's fair. Regardless of gov one is going to contribute to ensure Monero is fungible. However w/ terrible tech news outlets that just regurgitate sales pitches you have to waste extra energy informing the public that snake oil is in fact, snake oil 22:14:57 article needs more clicks, otherwise how they will pay their bills 22:16:42 lol the threads on /r/cc about it are downvoted hard 22:23:06 also dsc_ for SEO reasons, the text in the sidebar that says changelly and freewallet are distrusted? The a in both of them is a non-standard character. 22:23:20 If you copy/paste those into google you wont get any hits :) 22:23:47 I made that change a few months back lol 22:24:16 nice one 22:24:24 oh, there are google hits now 22:24:27 I don't know if it helps but it cant hurt at least :D 22:24:29 but only for people caching our page :D 22:33:53 Interview has ended! 22:34:05 👀 22:34:06 how was it 22:34:09 :o 22:34:18 Not all of my questions have been answered, but I was pleasantly surprised that the CEO shared what he did 22:34:24 So kudos to Dave for this 22:34:34 I still have my issues with the way they presented this, no doubt 22:36:07 And I still do not think there is anything fundamentally new here, but the idea of building in likelihoods of signing and non-signing in transactions 22:36:16 which has long been the subject of research in one way or another 22:40:21 Their press release met their business objectives before it met its accuracy. Doesn't mean that's right but that's their perspective 22:41:01 For press releases the way it's conveyed is usually purposefully broad 22:42:18 Yes, and I specifically called it out as being ambiguous, perhaps to the point of misleading 22:43:03 sgp_: should I produce a list of technical questions that Dave wasn't able to answer? 22:43:24 FWIW I don't fault him for not knowing all the details, but I do hope we can ask people who _do_ know the details 22:43:48 sure make a list 22:43:53 no harm in having a list 22:44:30 What's infurating is the idea of taking all sorts of external information and trying to pull all risk into some kind of single "percentage", as if there is a definitive standard for doing this 22:44:45 The idea that this is non-interactive further makes this very wishy-washy 22:44:55 I tried to convey the frustration of this difference in the interview 22:45:15 But to be clear: Dave confirmed that having tainted outputs in a ring does in fact lead to "higher risk" 22:45:34 Presumably as part of this "final percentage" score 22:46:40 So you can inadvertently get implicated in case the decoy selection algorithm picks a poisoned output? 22:47:59 The way the news was presented leads to erroneous claims like this -> https://twitter.com/TheCryptoLark/status/1300534387226763264 22:48:03 Essentially a great way to spread FUD 22:48:51 Dave claims that their algorithms try to avoid these false positives 22:49:05 I pushed back on how this was possible since the math is closed and unavailable 22:49:10 How do you avoid false positive 22:49:15 He basically said "yep tough problem" 22:49:22 Yeah, we all know it's a hard problem 22:49:46 I _highly_ recommend watching this interview once posted 22:49:52 Let Dave speak for himself 22:51:06 Anyway, we have few details about what exactly they're using for heuristics, and they might not say 22:51:20 But he referred us to others on their team, to whom I intend to present these questions 22:51:31 I understand if they want to vet the questions and responses; they're a private company 22:51:59 sgp_: wen 22:52:17 we have few details about what exactly they're using for heuristics <= Can you share those? 22:52:32 I expect they're in the upcoming video 22:52:35 eta 2 hours or so 22:52:52 dEBRUYNE: it's all in the video 22:52:58 I don't want to put words in his mouth 22:53:11 But he basically said they use a lot of sources 22:53:19 Notably, they perform their own transactions 22:53:24 He confirmed this twice 22:53:29 (I wanted to be sure) 22:54:05 Again, kudos to him for even doing this interview 22:55:58 It's editing and it's almost uploaded now. I should be paid for this SLA :p 22:56:09 s/editing/edited 22:56:09 sgp_ meant to say: It's edited and it's almost uploaded now. I should be paid for this SLA :p 23:07:18 nice! 23:07:26 So I guess they are creating a stream of poisoned outputs they can subsequently utilize 23:07:40 That may be a part of it; it's unclear precisely what heuristics are used 23:07:56 I asked about merge analysis in the r/Monero example, and did not get clarity 23:08:19 Dave then responded on reddit and said it wasn't a simple merge analysis, but this is not clear to me from our interview specifically 23:08:24 except in generalizations 23:09:44 If they used some other analysis / data than that statement is basically valid 23:09:54 Doesn't mean it wasn't predominantly merge analysis 23:11:21 Well, he said "as you know ..." which isn't totally accurate 23:11:41 > However, statistical reasoning is crucial to the solution, which means unless we are 90% confident, we do not present it to the investigator. 23:11:43 He say generally that they would use multiple data sources, but I do not have any specific information about the example in the post 23:11:56 arbitrary 90% lol 23:12:12 s/say generally/said generally/ 23:12:12 sarang meant to say: He said generally that they would use multiple data sources, but I do not have any specific information about the example in the post 23:12:56 selsta: Where is that from? 23:13:03 selsta: he did say the 90% threshold was arbitrary 23:13:10 > And we do provide off-chain data such as IPs. 23:13:13 It's also unclear what goes into such a single number 23:13:13 dEBRUYNE: reddit 23:13:22 I asked about this 23:16:25 Can we make an accept cookies pop-up for GetMonero that when you click yes posts this comic? https://usercontent.irccloud-cdn.com/file/C8W0ueSE/WUHIEV-dIaZHWxM-2r8ZFGojvTJa-ZClMN_kEhZ8O00.jpg