07:11:52 Thoughts? https://www.reddit.com/r/Monero/comments/h9dhcy/maam_monero_ask_anything_monday_june_15_2020/fuxaej6/ 07:24:30 good point 11:45:26 -xmr-pr- selsta opened pull request #2959: SettingsLayout: ask password for password relevant setting 11:45:27 -xmr-pr- > https://github.com/monero-project/monero-gui/pull/2959 11:50:40 Would this have any effect on key management, or is just a simple check of the password? 12:33:03 just a check of the password 12:33:09 to make sure you're allowed to make that change 12:34:58 Right, but what's the threat model for this? 12:35:41 Either the spend key is accessible for making a transaction, or it isn't 12:36:17 sarang: I leave my computer unlocked and the GUI open, someone gets on my computer, disables the "ask for password" feature 12:36:21 and then empties the wallet 12:37:00 But is the spend key still accessible to the attacker anyway? 12:37:16 Or is this just a protection against casual attacks like you mention? 12:37:59 casual attacks, this isn't to guard against exfiltration from memory 12:38:06 Fair enough 12:38:19 As long as it doesn't make the user think there's protection that isn't really there 12:38:51 Like a warning that this doesn't replace the need for good device and key security 12:38:59 in the CLI we prompt for the password to change settings 12:39:11 sarang: this setting is on by default 12:39:26 yeah 12:39:30 I get what you're saying 12:39:46 so if the person turns it off they're choosing to lower their security 12:39:49 Seems reasonable as long as it's not a false sense of security about making transactions 12:41:45 It's hard to resist the urge to make sarcastic comments here, especially as I'm feeling extra sarcastic of late -_- 12:42:11 like what? 12:42:39 this is a safe space, moneromooo, you can be sarcastic here 12:42:40 :-P 12:43:24 Well, it feels like we'd end up with pages of US style lawyer speak on everything we do just because someone thinks someone else might shoot themselves in the foot 12:44:28 I don't mean warning on disabling the check 12:44:51 I mean is having the check a false sense of security 12:45:04 I get the "don't mislead people", but turning "ask for password" to "someone might think this protects them against malaria" (not actual wording, that's for effect) is a bit... meh ? 12:45:33 At any rate, if your device is compromised, you probably have many things to worry about 12:45:37 I guess if an attacker is on your system then you have lost anyway. 12:45:41 ^ ya 12:46:59 I tend to like defense in depth. Even if a layer is not perfect, it tends to stop some percentage of attacks. Enough layers, and you end up stopping a fair amount, even if each layer has large caveats. 12:47:43 Sure, you always have this APT who knows their way and will not be stopped by any layer, but that doesn't mean the layers aren't useful against others. 12:48:42 right that’s why we ask for the password by default when viewing the seed or doing a tx 12:48:56 I do realize that, to some extent, this is just throwing stuff against the wall and hoping it sticks, which is kinda the antithesis of a threat model :) 14:01:17 Craig Wright blames APTs for everything 15:53:43 No existing issues with the GUI in Ubuntu with connecting to the integrated monerod, right? 15:53:58 Working with the Locha Mesh guys and they're having some issues but I don't have an Ubuntu desktop to test with right now 15:56:37 GUI worked OK for me when I tried it last week or so, alltho that might have been version 15.x 15:56:54 On Ubuntu, that is 16:04:08 Thanks 16:04:15 Im asking for the specific error but havent gotten it yet 16:05:35 Something about SSL 16:07:17 best to also ask for `uname -a` and `cat /etc/lsb-release` 16:08:13 Will do! 16:09:05 and the GUI mode they have chosen :)