Thoughts? reddit.com/r/Monero/comments/h9dhcy…nything_monday_june_15_2020/fuxaej6

good point

Would this have any effect on key management, or is just a simple check of the password?

just a check of the password

to make sure you're allowed to make that change

Right, but what's the threat model for this?

Either the spend key is accessible for making a transaction, or it isn't

sarang: I leave my computer unlocked and the GUI open, someone gets on my computer, disables the "ask for password" feature

and then empties the wallet

But is the spend key still accessible to the attacker anyway?

Or is this just a protection against casual attacks like you mention?

casual attacks, this isn't to guard against exfiltration from memory

Fair enough

As long as it doesn't make the user think there's protection that isn't really there

Like a warning that this doesn't replace the need for good device and key security

in the CLI we prompt for the password to change settings

sarang: this setting is on by default

yeah

I get what you're saying

so if the person turns it off they're choosing to lower their security

Seems reasonable as long as it's not a false sense of security about making transactions

It's hard to resist the urge to make sarcastic comments here, especially as I'm feeling extra sarcastic of late -_-

like what?

this is a safe space, moneromooo, you can be sarcastic here

:-P

Well, it feels like we'd end up with pages of US style lawyer speak on everything we do just because someone thinks someone else might shoot themselves in the foot

I don't mean warning on disabling the check

I mean is having the check a false sense of security

I get the "don't mislead people", but turning "ask for password" to "someone might think this protects them against malaria" (not actual wording, that's for effect) is a bit... meh ?

At any rate, if your device is compromised, you probably have many things to worry about

I guess if an attacker is on your system then you have lost anyway.

^ ya

I tend to like defense in depth. Even if a layer is not perfect, it tends to stop some percentage of attacks. Enough layers, and you end up stopping a fair amount, even if each layer has large caveats.

Sure, you always have this APT who knows their way and will not be stopped by any layer, but that doesn't mean the layers aren't useful against others.

right that’s why we ask for the password by default when viewing the seed or doing a tx

I do realize that, to some extent, this is just throwing stuff against the wall and hoping it sticks, which is kinda the antithesis of a threat model :)

Craig Wright blames APTs for everything

No existing issues with the GUI in Ubuntu with connecting to the integrated monerod, right?

Working with the Locha Mesh guys and they're having some issues but I don't have an Ubuntu desktop to test with right now

GUI worked OK for me when I tried it last week or so, alltho that might have been version 15.x

On Ubuntu, that is

Thanks

Im asking for the specific error but havent gotten it yet

Something about SSL

best to also ask for `uname -a` and `cat /etc/lsb-release`

Will do!

and the GUI mode they have chosen :)