
Monero Is Less Untraceable Than It Seems - mlb_hn
https://www.wired.com/story/monero-privacy/
======
htormey
I hate how everyone always stresses the illegal uses of Monero in these
conversations about traceability. Monero has a lot of legal uses, many of
which are listed here:

[https://www.monero.how/why-monero-vs-bitcoin](https://www.monero.how/why-monero-vs-bitcoin)

The big one for me is privacy:

“The most critical flaw in Bitcoin is its lack of privacy. If you give me your
Bitcoin wallet address so that I can send you a payment, you immediately
compromise your privacy. I can see as a matter of public record how much money
you have in your Bitcoin wallet”

I don’t want other people to know how much money I have when I pay them for
goods and services or how much I have paid to others in the past. This
wouldn’t happen with a bank account but could happen with bitcoin.

I don’t necessarily want people I am negotiating a contract with to know my
hand. It potentially gives them an unfair advantage.

If my Monero transaction history can be figured out by a government agency
with lots of resources but not the average business, that doesn’t necessarily
invalidate Monero for my use cases.

~~~
redog
To me this feels like concern without regard for the full differences. With
bank accounts you usually have the restriction of "as many accounts as you can
afford" where with bitcoin addresses you can have countless. So someone could
just as easily watch you drive up to the bank and know you bank there. Keep
your private addresses private, duh.

~~~
OskarS
Yeah, but lets say you make a website and want to accept donations using
bitcoins. What you generally do is put "donations welcome at <bitcoin
address>!" (I see this all over the place). Are you saying that webmasters
should write a script that generates these public/private keys on every page
hit, and then somehow stores all of those millions of private keys...
somewhere? On your server? Or do you have to build an entire infrastructure of
key exchanges to some safe place just so you can accept bitcoin donations
privately?

~~~
dwild
Why would it have to be "donations welcome at <bitcoin address>!"? There's
plenty of ways to ask for donations and it doesn't always require having a
single address shown. You can have a "Donate" button that, when clicked, asks
for a generated wallet (all from the same private key but that would be a
different wallet still) and shows it with a QR code as a bonus.

~~~
OskarS
Look, I'm not making this up. Lots of people and projects do exactly this.
Tails, the super-secure privacy-focused version of Linux asks for donations in
exactly this way [1] (and if you go to blockchain.info you can see a full
wonderful list of all the bitcoin addresses who have donated to them [2]).
It's a totally reasonable way to set up bitcoin donations (hell, it's even
recommended by the bitcoin wiki! [3]) and it's a significant weakness of
bitcoin that these transactions are not private.

It is an absurd defense of bitcoin to say "well, it COULD just be as private as
these other things, if you only jump through ten more technical hoops and don't
use bitcoin as intended". Clearly, these other cryptocurrencies offer
something that bitcoin doesn't.

[1]:
[https://tails.boum.org/donate/?r=contribute](https://tails.boum.org/donate/?r=contribute)

[2]:
[https://blockchain.info/address/1BvBMSEYstWetqTFn5Au4m4GFg7x...](https://blockchain.info/address/1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2)

[3]:
[https://en.bitcoin.it/wiki/Receiving_donations_with_bitcoin](https://en.bitcoin.it/wiki/Receiving_donations_with_bitcoin)

------
SarangNoether
I'm on the Monero Research Lab team. This article, like most media coverage of
academic research, ignores much of the subtlety behind the research. The
likelihood that a particular output is positively identified depends heavily
on its age relative to our regular protocol upgrades. And it's not like we
aren't actively working on ways to improve anonymity. We're in the process of
updating the way we choose our fake outputs and discussing best practices for
handling very old outputs. I always appreciate research into ways to improve
Monero, but I don't think this article does the research justice.

~~~
stochastic_monk
I'm not involved with any cryptocurrencies, so I have no dog in this fight. I
am curious, however. Whenever ZCash comes up Monero is mentioned as "also
providing" anonymity.

Being on the Monero team, can you comment on the differences between the
privacy guarantees provided by the two platforms?

~~~
IIAOPSW
I'm a user who picked the Monero side of things. Here's the short run down on
the difference and why I ultimately sided with Monero.

Monero uses ring signatures to prove that one out of n people signed a
transaction without revealing which one of the n. Over the course of k steps
the possible transaction history might be in any of n^k states. Typically n=5.

Zcash uses Zero-Knowledge-Proofs for anonymity. Any private zcash tx may have
gone to or come from any other private zcash tx.

Here are the problems with Zcash as I see them

1) trusted setup. There is some toxic seed data that needed to be destroyed at
the time Zcash was created. With that seed you could inflate the coin as much
as you want. There was an elaborate ceremony of 6 people (5 of them Zcash
employees) showing the seed was destroyed. But elaborate ceremony isn't
cryptographic proof.

2) privacy is optional. If a transaction goes from non-private address, to
private address, to non-private address it is traceable. The Zcash anonymity
set is actually very small.

3) Zcash is a company. I consider the political structure of a coin (or lack
thereof) as an attackable surface. A government can force Zcash to back-door
their software (hi NSA). There is no head of Monero.

~~~
the_stc
On 2: Monero is almost the same. ShapeShift does 7-15% of all tx at least. How
many transactions are actually private after you consider hacks or LE
warrants? Those TX are what you depend on to get false spends.

On 3: How many people must agree in order to change something in Monero such
as HF parameters like ringsize? There is not a single company but it looks [to
an outsider like me] as a similar position.

I chose Monero too for similar reasons inc ZCash people openly saying they
support backdoors for LE [but promising ZCash would never have them]. And
taking 20% of block reward and not doing anything useful with it [for millions
I expect really polished clients and some quick upgrades].

But the low ringsize is weak [hence going from 3 to 5 to now 7]. All ring
members are not equal, so n^k is very naive. Fee, ringsize, payment ID, in/out
count are all metadata that distinguish on-blockchain. Let alone
off-blockchain such as keys being hacked/warranted.

Given this and Monero's lack of disclaimer or warning at all about how to use
it safely... a paranoid person might suspect ill-motives. [Consider: MyMonero,
the Monero 'lead' Web Wallet, goes out of its way to suggest users use a few
higher ringsizes to get better privacy, when we know this makes their TX stand
out. This is something that presumably he could change with 1 or 2 lines of
code but has not.]

~~~
IIAOPSW
>On 2: ...How many transactions are actually private after you consider hacks
or LE warrants?

That's actually a difficult question. I won't try to estimate here. But IIRC
something like 95% of ZCash tx are non-private by user opt in, and the
remaining 5% are also vulnerable to things like warrants at the exchange and
timing attacks. So the bar is set really low for Monero to have the best
anonymity set of all privacy tokens.

>On 3: How many people must agree in order to change something in Monero such
as HF parameters like ringsize? There is not a single company but it looks [to
an outsider like me] as a similar position.

I think Monero is in a similar-but-better position. True the core team _can_
be compromised and true the core team _is_ more powerful than others. But I
view this as a necessary centralization to get the ball rolling. I want the
Monero core team to eventually be more hands off. Spagni's "I'm not a CEO"
statement inspires confidence.

>But the low ringsize is weak [hence going from 3 to 5 to now 7].

can't wait for bulletproofs!

>All ring members are not equal to n^k is very naive.

I was intentionally very cautious with my words here. What I actually said was
"Over the course of k steps the possible transaction history might be in any
of n^k states". I did not say that all n^k states are equally likely. The
actual amount of entropy in the Monero blockchain is much harder to
explain/estimate so I used n^k as an upper bound.

~~~
the_stc
>and the remaining 5% are also vulnerable to things like warrants at the
exchange and timing attacks

I was under the impression that no exchanges handle shielded transactions.
What do you mean by timing? I would assume you go t-z-t and leave it quite a
while as shielded.

>can't wait for bulletproofs!

Bulletproofs do not help verification time which is why we have low ring size.
Going from 5 to 21 ringsize only increases size 8%. 15 is even less, a
reasonable compromise on size. There is an unspecified perf target that must
be met on verification.

~~~
IIAOPSW
>I would assume you go t-z-t and leave it quite a while as shielded.

Many people skip the "leave it a while" step.

Also you can look at things like x-amount left this exchange and y-amount
entered this exchange.

------
throwawaylolx
This was a well-known design choice where the user could balance between
transaction size and privacy--people who preferred faster/cheaper transactions
chose to sacrifice untraceability. Nowadays, the default option enforces
higher untraceability.

Also, some of the authors of the research paper mentioned in the article are
part of the competitor Zcash group who sensationalise common knowledge to
undermine Monero. Zcash is a US-based company that has a trusted setup which
was possibly backdoored [1], one of their scientists and inventor of Zerocoin
protocol publicly supported backdoors [2], and their CEO and cofounder
suggested backdoors as well [3].

I would read more about Monero before dismissing it, as it's one of the very
few legitimate groups in the space besides Bitcoin.

[1]
[https://twitter.com/peterktodd/status/793584540891643906](https://twitter.com/peterktodd/status/793584540891643906)

[2]
[https://www.newscientist.com/blogs/onepercent/2013/03/bitcoi...](https://www.newscientist.com/blogs/onepercent/2013/03/bitcoin-zerocoin.html)

[3]
[https://twitter.com/zooko/status/863202798883577856](https://twitter.com/zooko/status/863202798883577856)

~~~
vzcx
It's fine if you want to defend monero's technology, but attacking the
researchers credibility because of their association with a competing project?
That's some weak sauce in my opinion.

One side is actually doing the work and publishing attacks, even if they are
against zcash (shielding/deshielding). The other has some questionable twitter
conversations about a hypothetical backdoor. Zcash zk-snarks are backdoored?
Proof of concept or GTFO is the law of the land, my dude.

~~~
throwawaylolx
Oh, and I forgot to mention they were also sponsored by DARPA. You can pretend
these are all irrelevant arguments and wait for your proof, but the reality is
that reasonable doubt and ad hominem are sometimes appropriate, especially
when dealing with privacy. It's on them to prove their trusted setup can be
trusted, and everything they've done is antithetic to trust.

~~~
the_stc
Trusted setup only compromises the supply integrity not privacy. I am not a
fan of Zooko or the Green comments on backdoors and LE but do not misrepresent
trusted setup.

~~~
throwawaylolx
>only compromises the supply integrity

Conveniently, it's impossible to audit whether more coins are being minted
right now to add to the developer tax already imposed on block rewards.

Don't think I misrepresented trusted setup--only warning others about the
reputation of Zcash. Anonymity for some can be a critical issue, so I don't
think everyone can afford to wait for "proof of backdoor" before making their
decision.

~~~
nootropicat
Deanonymizing zcash's shielded transactions requires breaking the preimage
resistance of sha256.

~~~
ianmiers
Technically, you could also break the encryption used in the memo field. But
that's bog standard cryptography

------
cyphar
I think GNU Taler[1] solves the untraceability problem in a way that most people
should be happy with. Consumers have all of their transactions private from
everyone (the seller cannot tell how much money they have, what other
transactions they've made, or where the money comes from; a government cannot
tell what transactions a person has made). But seller transactions can be
audited for tax reasons, to avoid tax fraud.

And best of all, it's not yet another cryptocurrency. It's a payment system
that works over any currency (traditional VISA, or crypto-currencies). Of
course, this means that Taler "tokens" cannot be used as a store of value,
other than as a proxy for the underlying store of value. So you would only
hold Taler tokens like you would cash in your wallet.

They even have really nice easy integrations into browsers and backend
processing.

(I don't work on GNU Taler, I've just been saddened that such an interesting
project has gotten so little press outside of GNU circles.)

[1]: [https://taler.net/](https://taler.net/)

~~~
CryptoPunk
GNU Taler wants to give the government a backdoor. That's privacy in the same
way the Clipper chip in the 1990s was privacy.

~~~
cyphar
This is a misunderstanding of GNU Taler, unless you're using a completely new
definition of the word "backdoor". Customer transactions are completely
anonymous -- that's the anonymity guarantee provided by GNU Taler. Mints are
auditable (the amount of coins they've given out and received, and that they
haven't given money to people who didn't have the associated coins). And thus
how much money a particular merchant has traded to the mint for real currency
can be figured out. There is no reasonable analogy between this (which has a
given set of privacy guarantees, but not others) and the clipper chip (which
was an attempt to remove all privacy guarantees from all cryptography).

The only way you can consider this to be a backdoor is if you think that
allowing a government to know how much money a business has made (something
that you are legally required to declare for tax purposes) is a bad thing.
This seems like an immature view to me -- taxes are very important for a
country to continue functioning.
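
The split cyphar describes (the customer side of a payment is anonymous, the
merchant side is auditable) comes from blind signatures: Taler's coins are
blind-signed by the mint in Chaum's RSA scheme, so the mint signs a value it
cannot read at withdrawal and only sees the coin itself when a merchant
deposits it. The following is an added example written for this page, not code
from GNU Taler or from anyone in the thread; the tiny RSA key, the coin serials,
the reserve and merchant names and the hash-to-integer step are constructed for
illustration and are not secure or Taler's actual formats.

```python
import hashlib
import math
import random

# Toy RSA "denomination key" for the mint: two 20-bit primes, enough to show the
# algebra and nowhere near a secure size (real deployments use 2048-bit keys or more).
P, Q = 1_000_003, 1_000_033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def coin_hash(serial: bytes) -> int:
    """Toy full-domain hash of a coin's public serial into Z_N."""
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % N


def verify(serial: bytes, sig: int) -> bool:
    """Anyone (merchant, mint, auditor) can check a coin's signature with the public key."""
    return pow(sig, E, N) == coin_hash(serial)


class Mint:
    """The exchange: blind-signs coins at withdrawal, redeems them at deposit."""

    def __init__(self):
        self.withdrawals = []   # (reserve, blinded value): all the mint learns at withdrawal
        self.deposits = []      # (merchant, serial): what the mint and an auditor see at deposit
        self.spent = set()

    def sign_blinded(self, reserve: str, blinded: int) -> int:
        # A real mint would debit `reserve` here; the coin's serial is never visible to it.
        self.withdrawals.append((reserve, blinded))
        return pow(blinded, D, N)

    def deposit(self, merchant: str, serial: bytes, sig: int) -> bool:
        if not verify(serial, sig) or serial in self.spent:
            return False        # forged coin, or a coin already spent
        self.spent.add(serial)
        self.deposits.append((merchant, serial))
        return True

    def merchant_income(self) -> dict:
        """The auditable part: how many coins each merchant redeemed."""
        income = {}
        for merchant, _ in self.deposits:
            income[merchant] = income.get(merchant, 0) + 1
        return income

    def link_deposit_to_reserve(self, serial: bytes) -> list:
        """Try to match a deposited coin against the withdrawal log; the log only
        holds blinded values, so this never finds the reserve that paid for it."""
        h = coin_hash(serial)
        return [reserve for reserve, blinded in self.withdrawals if blinded == h]


def withdraw(mint: Mint, reserve: str, serial: bytes, rng: random.Random) -> int:
    """Customer side of Chaum's RSA blind signature: blind, get it signed, unblind."""
    while True:
        r = rng.randrange(2, N)
        if math.gcd(r, N) == 1:
            break
    blinded = (coin_hash(serial) * pow(r, E, N)) % N
    blind_sig = mint.sign_blinded(reserve, blinded)   # equals h^d * r (mod N)
    return (blind_sig * pow(r, -1, N)) % N            # strip r: h^d, a plain RSA signature on h


def demo() -> dict:
    """Two customers withdraw one coin each and pay the same merchant; constructed data."""
    mint = Mint()
    rng = random.Random(2018)
    alice_coin, bob_coin = b"coin-serial-a1", b"coin-serial-b7"
    alice_sig = withdraw(mint, "reserve:alice", alice_coin, rng)
    bob_sig = withdraw(mint, "reserve:bob", bob_coin, rng)
    accepted = [
        mint.deposit("shop.example", alice_coin, alice_sig),
        mint.deposit("shop.example", bob_coin, bob_sig),
        mint.deposit("shop.example", alice_coin, alice_sig),   # replay: rejected
    ]
    return {"mint": mint, "accepted": accepted, "alice": (alice_coin, alice_sig)}
```

The mint's withdrawal log holds `h * r^e`, which is uncorrelated with the `h`
it later sees at deposit unless it learns `r`, so `link_deposit_to_reserve`
comes back empty even for the mint itself; the deposit log, by contrast, names
the merchant, which is exactly the income figure the thread argues about.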

~~~
CryptoPunk
According to the website, GNU Taler gives governments an exclusive view of all
of a merchant's private transactions:

[https://taler.net/en/governments.html](https://taler.net/en/governments.html)

"With Taler, the receiver of any form of payment is easily identified by the
government, and the merchant can be compelled to provide the contract that was
accepted by the customer. Governments can use this data to tax businesses and
individuals based on their income, making tax evasion and black markets less
viable.

Thus, despite offering anonymity for citizens spending digital cash to buy
goods and services, Taler also ensures that the state can observe incoming
funds. This can be used to ensure businesses engage only in legal activities,
and do not evade income tax, sales tax or value-added tax."

It's not a backdoor in exactly the same way the Clipper chip was, but it's a
backdoor nonetheless.

The fact that the government is the gatekeeper in GNU Taler means that it
would have been unable to empower people to get around the financial blockade
against Wikileaks the way cryptocurrency did.

That's a practical consequence of giving up privacy and decentralization.

>>This seems like an immature view to me -- taxes are very important for a
country to continue functioning.

It's not immature to point out that this gives the government a backdoor to
monitor private transactions.

You think this reduction in privacy is necessary to levy sales/income taxes.
That's a value judgment, not a refutation of the fact that this is a backdoor.

Something doesn't stop being a [negatively associated noun] because you think
its effect is positive.

Speaking the truth instead of sugar coating it for ideological reasons is not
immature.

~~~
cyphar
> That's a practical consequence of giving up privacy and decentralization.

(Most) cryptocurrencies don't have privacy (quite the opposite). The reason
why the government couldn't stop cryptocurrency transactions is that they were
decentralised.

However, I also believe you're wrong in this case. Anybody can set up a mint,
and so it would be entirely possible for a Bitcoin mint to exist (in fact I
believe several already do). People could buy Taler tokens from the mint and
then send them to Wikileaks. When Wikileaks cashes in the tokens, they are
sent (using Bitcoin) to Wikileaks. While the government would be able to tell
how much money Wikileaks received, they would not be able to stop the
underlying funds transfer (through Bitcoin). Yes, they may be able to try to
punish the mint for permitting such transactions, but this would be the same
as punishing Coinbase for allowing people to send those transactions as well.

But if you're running a business and you don't want the government to know how
much revenue you've made (which means you're running an illegal business from
a tax perspective) then yes, you wouldn't be able to use GNU Taler. This is a
benefit, because creating a system that encourages tax fraud is one of the
easiest ways to have the government ban that system's usage.

> but it's a backdoor nonetheless. [...] not a refutation of the fact that
> this is a backdoor [...] Something doesn't stop being a [negatively
> associated noun] because you think its effect is positive.

You are using the term "backdoor". The only reasonable definition of this term
is "a method (often secret) to allow an entity to bypass authentication or
encryption of a particular system" (which is the common usage of the word).

This does not apply to GNU Taler, because no encryption or privacy guarantee
is being bypassed. When you use GNU Taler as a merchant you are aware that
your transactions are auditable by the government for tax purposes -- if you
don't want that to be the case then you can choose not to use it. Almost all
legitimate businesses would not have an issue with this, because they have to
declare revenue anyway.

A backdoor would be if Monero had a way to deanonymise transactions, so that
governments can figure out what people spent money on. In that case, a privacy
guarantee of the system has been subverted.

~~~
CryptoPunk
>>(Most) cryptocurrencies don't have privacy (quite the opposite). The reason
why the government couldn't stop cryptocurrency transactions is that they were
decentralised.

They can be used in ways that give the user privacy. They're pseudonymous. But
yes, a big part of why they can't be stopped is that they're decentralized.

But that decentralization only works if users have some degree of privacy. If
governments knew every participant's address, that decentralization would
effectively vanish.

>>Yes, they may be able to try to punish the mint for permitting such
transactions, but this would be the same as punishing Coinbase for allowing
people to send those transactions as well.

Coinbase would not allow transactions to Wikileaks if the financial blockade
were reimposed on it.

GNU Taler states that it is designed to prevent illegal use, and if it is
accurate in its claim, then it will prevent Wikileaks from using it during a
financial blockade.

A technology's susceptibility to government control doesn't discriminate based
on the moral justification for the government wanting to exert that control.

That's why one has to acknowledge that there's a trade off to be made, and
decide which trade off is more conducive to a functional society.

I personally think empowering individuals rather than the surveillance state is
the better trade-off.

>>This does not apply to GNU Taler, because no encryption or privacy guarantee
is being bypassed.

The Clipper chip did not give any privacy guarantee against government
monitoring, yet this channel for monitoring was commonly called a backdoor.

------
chatmasta
> That shouldn’t just worry anyone trying to stealthily spend Monero today. It
> also means evidence of earlier not-quite-untraceable payments remain carved
> into Monero’s blockchain for years to come, visible for any snoop that cares
> to look.

This is the key point from the article and it applies to every cryptocurrency.
Just because a crypto seems anonymous now, does not mean it will be forever,
and all the transactions from “now” will still be on the blockchain “forever.”
Almost ironically, scrutiny of a currency increases with its usage, so you’re
probably better off just not using cryptocurrencies to commit crimes.

P.S. Anyone got the link to the paper? Can’t believe wired didn’t even link to
it

~~~
weber111
[https://arxiv.org/pdf/1704.04299/](https://arxiv.org/pdf/1704.04299/)

------
wjh_
Every single time something seems to claim to be untraceable or anonymous, it
seems to hold for a while, and then there's a "<X> is not as safe as we
thought" headline.

Seems to be a good rule to just not trust anything.

~~~
ashleyn
Or assume the government has unlimited resources to throw at a problem, and
not commit crimes.

Most of these headlines describe something that would require nation-state
resources to crack. If you wanna hide paying for something legal, it's
probably still sufficient.

~~~
klmr
“Not commit crimes” is a good maxim when you’re living in a liberal democracy
(and even then …). It’s less easy when the state outlaws things unjustly. Like
being gay. Or being (a)religious. And to give just two examples that apply to
(otherwise) liberal democracies, most people would include “personal,
recreational drug use” in the same category. And there are Western democracies
that outlaw certain sexual acts between consenting adults (e.g. Germany, which
outlaws _any_ incest, even between consenting adult siblings), which also rubs
many people the wrong way.

In sum, “not [committing] crimes” isn’t always straightforward.

~~~
tessierashpool
I was with you every step of the way, then suddenly you were defending incest
and I was like “how the hell did I end up here?”

Also, while “many” is a subjective term, I don’t think you’re using it
correctly here. The idea that you should not regulate sex between consenting
adults _in general_ is very popular, but most countries carve out exceptions
for sex work. Not saying they should, but _many_ do. And I definitely think
the incest legalization lobby must be very, very small, even though it
probably has a sympathizer in the Oval Office.

~~~
klmr
> then suddenly you were defending incest and I was like “how the hell did I
> end up here?”

… Which nicely illustrates what different people find acceptable. But I agree
that sex work would have been a better example. Either way, you felt it
necessary to add the qualifier “in general”, and many (…) people, though
certainly a relative minority, would fundamentally disagree with this
qualifier (while talking about consenting adults without power imbalance in
their relationship).

------
blattimwind
Who would've thought cryptocurrency guys would inflate whatever valid claims
they might have had?

> After more recent changes to how Monero chooses its mixins, that trick now
> can spot the real coin just 45 percent of the time—but still narrows down
> the real coin to about two possibilities, far fewer than most Monero users
> would like.

Note that this is still a break, because quick Googling says that there are
usually 4 mixins, so random chance would be 20 %.

~~~
socrates1024
Even more recent changes have made this better too. The research in the paper
only goes up to Apr. 2017 or so. Since then, the "recent zone" has been a)
reduced from 5 days to 3 days, and b) more recent zone mixins are included. We
haven't quantified what improvement that makes, but it should help.
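
The effect socrates1024 and the quoted passage describe (decoys sampled from
the chain's history look old, so the newest ring member is usually the real
spend, and drawing part of the decoys from a recent zone weakens that guess)
can be reproduced with a small simulation. The following is an added example
written for this page, not code from the paper or from the Monero wallet; the
one-output-per-block chain, the exponential spend-age distribution, the ring
size of 5, and the recent-zone width and fraction are assumptions, and the real
wallet's decoy-selection rules are more involved and changed across versions.

```python
import random

# Ring size in use when the thread was written: one real input plus four decoys ("mixins").
RING_SIZE = 5
CHAIN_HEIGHT = 100_000      # assumed toy chain: one output per block, height == output index
MEAN_SPEND_AGE = 500        # assumed: real spends are young, roughly exponential in age (blocks)
RECENT_ZONE = 900           # assumed width, in blocks, of the zone recent decoys are drawn from


def uniform_decoy(rng):
    """Old behaviour (simplified): decoys drawn uniformly from every output on the chain."""
    return rng.randrange(CHAIN_HEIGHT)


def recent_zone_decoy(rng):
    """Newer behaviour (simplified): half of the decoys come from the recent zone."""
    if rng.random() < 0.5:
        return CHAIN_HEIGHT - 1 - rng.randrange(RECENT_ZONE)
    return rng.randrange(CHAIN_HEIGHT)


def make_ring(rng, pick_decoy):
    """Return (real_height, [decoy heights]) for one constructed input ring."""
    age = min(int(rng.expovariate(1 / MEAN_SPEND_AGE)) + 1, CHAIN_HEIGHT - 1)
    real = CHAIN_HEIGHT - age
    decoys = set()
    while len(decoys) < RING_SIZE - 1:
        d = pick_decoy(rng)
        if d != real:            # a ring never lists the same output twice
            decoys.add(d)
    return real, sorted(decoys, reverse=True)


def real_rank_by_age(real, decoys):
    """Rank of the real input when members are ordered newest first (0 == newest)."""
    return sum(1 for d in decoys if d > real)


def guess_newest_stats(pick_decoy, trials=20_000, seed=7):
    """Fraction of rings where 'the newest member is the real spend' is right, and
    fraction where the real spend is one of the two newest members."""
    rng = random.Random(seed)
    top1 = top2 = 0
    for _ in range(trials):
        rank = real_rank_by_age(*make_ring(rng, pick_decoy))
        top1 += rank == 0
        top2 += rank <= 1
    return top1 / trials, top2 / trials


if __name__ == "__main__":
    for name, picker in (("uniform decoys", uniform_decoy),
                         ("recent-zone decoys", recent_zone_decoy)):
        top1, top2 = guess_newest_stats(picker)
        print(f"{name:20s} newest-is-real {top1:.2f}  "
              f"real-in-two-newest {top2:.2f}  (chance {1 / RING_SIZE:.2f})")
```

With these parameters the uniform model makes the newest member the real spend
almost every time, while the recent-zone model brings that under one half, still
well above the 20 percent a random guess would get at ring size 5, and the real
spend stays among the two newest members most of the time. Moving the zone
width, the recent fraction or the spend-age mean shifts all of these numbers,
which is the tuning problem the comment above refers to.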

------
wemdyjreichert
Cryptocurrency: hi, I'm a distributed, permanent record of all the transactions
you make. Dark web: ooh look, anonymity!

~~~
OrganicMSG
I have often wondered about the sanity of people who are using a blockchain
based currency across tor. Admittedly, I haven't fully checked my assumptions
here, but my initial thoughts on the matter have always been that I'd be
amazed if it was a good idea from a security perspective.

------
erpellan
What about zcash? As I understand it has much stronger privacy, but almost
nobody understands it so people are skeptical. I'm surprised it doesn't get
more attention.

~~~
sparkie
This isn't really true. Zcash isn't private by default, which weakens the
concept for anyone who wants to use the privacy features. If not many people
are using them then analysis of the transactions that are meant to be private
becomes easier.

Zcash is also not trustless because it requires the trusted setup. You have to
trust that the developers completely deleted the "toxic waste" during the
setup, and that their machines were not compromised (which is totally possible
given Meltdown, etc). Recovery of this toxic waste can lead to unlimited coin
minting. Another problem with this is that future changes to some properties
of the currency require another trusted setup.

~~~
the_stc
Private-by-default is semi-dishonest. Many tx on Monero are owned by a few
entities that are friendly with LE or may get hacked. Thus all those exchange
tx or payment gateway tx that are on the blockchain are in practice
transparent to the right people or with time. With Monero they give you a
false sense of security with ZCash they are open that those tx are not going
to help you.

[ShapeShift does 7-15% at least of Monero tx. Add in BitFinex Binance
CoinPayments and some others and where we at?]

------
zeveb
I think that the timing issues are related to the problems with mixnets for
anonymity: it turns out a global passive adversary can observe all messages
sent and received and eventually determine which parties are talking to one
another, within certain probability bounds. It sounds like a similar issue is
at play with cryptocurrency.

The solution with anonymity is to send cover & real messages through the
network in such a way that traffic analysis fails. One approach would be to
saturate a network link, sending random cover data until there's real data to
send, then returning to cover data. There are more bandwidth-friendly schemes
as well.

Might a similar scheme for cryptocurrency be to constantly (or stochastically,
based on some probability distribution) send money to one's own other
addresses? Obviously there's an issue with transfer fees, but maybe this could
be a tunable, based on how important your privacy is.

------
yrjocz
well, there are others, I would say, younger and more private and secure
currencies than Monero - for example Sumokoin
([https://www.sumokoin.org](https://www.sumokoin.org)), which sets Ring
Confidential Transactions (RingCT) with a minimum ringsize (mixin) of 12 to
conceal sources/amounts transferred and make it highly resistant to blockchain
analysis (Monero does have 4 or something, though I have read devs are planning
to increase it?) or the even younger Ombre
([https://www.ombre.io](https://www.ombre.io))....

add "illegal only" topic - well, that depends on point of view; for me
personally there is always a benefit to having real privacy for what you are
paying for.. which you don't have with "fiat" currencies or less secure/private
crypto currencies..

------
nootropicat
Very good article, doesn't go far enough - monero is not anonymous at all. It
misses the biggest issue - that analyzing agencies can spam transactions,
generating thousands of inputs daily. A big fraction of other transactions is
transparent (shapeshift or other exchanges) to state agencies anyway. As
monero has almost no use, cross-chain mixing with bitcoin/ethereum is way, way
more anonymous than monero, and in addition can be done in a way that
maintains plausible deniability.

Monero is the worst instance of false security in crypto. Unfortunately, at
least in my experience, monero users are impervious to these facts, so darknet
busts with ridiculous parallel construction narratives aren't going to stop
anytime soon. It's not like fbi is ever going to publicly say that monero
isn't anonymous to them.

------
chewbaccafoo
Another day, another bunch of irresponsible reporting in the cryptocurrency
world.

Wired fails to disclose that the first mentioned correspondent is Andrew
Miller of the Zcash foundation. He previously published a blog containing much
the same content about Monero.

[https://z.cash.foundation/about/](https://z.cash.foundation/about/)

[http://hackingdistributed.com/2017/04/19/monero-linkability/](http://hackingdistributed.com/2017/04/19/monero-linkability/)

So how much money are some people making today on Monero shorts and Zcash
longs thanks to a front page Wired article?

------
biztos
Arguably off topic, but do any cryptocurrency experts here know of any studies
on the potential economic effects of a truly (or even effectively) untraceable
digital currency?

Just off the top of my head I would expect two immediate effects if such a
thing really caught on:

1) An increase in many types of illegal commerce.

2) A huge downturn in industries used for money laundering and tax evasion.

These might be highly localized, e.g. a bunch of bars might close in City A
because that's how the locals wash money; while in City B there might be a
surge in "Anonymero" wealth because they make cocaine and are good at shipping
it.

------
the_stc
Monero has some real issues! These papers are OK but I am not sure if they
focus on current practical issues:

Main issue: Ringsize is small. Used to be 3 [why??] got bumped to 5 because 3
is obviously useless. Now getting bumped to 7. The team is taking a very
aggressive approach here. Aggressive approaches with security tend not to
work. They should be conservative and set the ringsize high then back off
later once they have done the research to support a small ringsize.

Users cannot just increase their ringsize. Doing so makes their transactions
stick out: different metadata. If you always use, example, ringsize 21: then
your tx look different on-blockchain. Despite this, BOTH wallets in common use
have features that encourage users to make this mistake. It is like sabotage.
The official GUI provides a slider that goes to 26 and says more privacy [you
see a good number of ringsize 26 tx]. The 'official' Web Wallet run by the
Monero lead offers a 4-setting: 5 [default], 11, 21 & 41. You see a good
number of 11, 21, 41 ringsize tx because of this.

It has been known for a long time that picking and forcing one ringsize is a
good idea yet both wallets insist on encouraging the user to mess up. Not
good. No warnings in the wallet, either. We need higher ringsize because the
privacy of your transaction going forward depends on other users picking your
output as a decoy in their own rings.

Now the small ringsize is made worse by the fact that a single entity,
ShapeShift.io, runs 7-15% at least of the network by tx volume! That means
with one hack or warrant an attacker will be able to eliminate many fake
decoys from other tx rings! How much will a few other exchanges or payment
processors make up of the network? 50%? More? Despite this the ringsize stays
very small.

The response to all this is 'churn'. This is sending coins to yourself [looks
same as sending to other people] so that you obfuscate the connection over
time. But despite that this is a core feature of Monero they have provided
zero research zero guide on how to do so. They spend money and time
researching fancy new maths and this is great. Yet the core functionality to
answer the question: How anonymous am I, how mixed in am I, this remains
unanswered.

Despite this they refuse to provide any sort of disclaimer. Contrast to Tor
Project which makes a big deal of telling users they can hurt themselves and
Tor is not some magic. In comparison Monero just claims untraceable & private
with no caveat whatsoever. This is irresponsible & reckless, damaging to users
and not justified. Only when users start thinking and asking questions are
they told oh of course you need to churn but no one knows what this is.

That is the core issue. Other issues:

1. Unencrypted transactions. Your ISP or NSA may easily monitor which tx you
broadcast. This lets them link your IP to a tx as well as link your tx across
time. HTTP is used, thus adding TLS [unauthenticated but at least
preventing passive snooping] would be an obvious step. On the other hand...
traffic analysis might break this anyway. Tor is needed to really protect, but
see below.

2. Wallet leaks information. When connecting, it requests block info from the
last block it has. This allows tracking that user over time. The obvious
solution of having the wallet always request a fixed number of blocks back in
history is not implemented. This is a simple engineering fix, not fancy math.

3. The height leak is very damaging for users attempting to churn. In that
case they connect, sync, broadcast, disconnect, repeat. Every time they
connect they are indicating approximately where they left off. This means when
they broadcast again ... one only needs to look at the tx to see if there is a
ring member near where the wallet connected. If so, you have linked TX.

4. The wallet will ask to confirm transactions sometimes... AFTER it has sent
the ring to the remote node! If you cancel the tx then try again, you have sent 2
rings to the remote node, but in each ring the real input is the same.
Congrats, tx linked or ownership of output now shown.

5. Wallet and network do not support Tor. Despite using HTTP they do not
have proxy support. On Linux they suggest hooking syscalls to force a proxy
[torsocks]. On Windows they scorn users and tell them to use Linux. At the
Monero network level only IP addresses are accepted, meaning we cannot have
Tor-to-Tor.

6. Tor is downplayed because they are writing-from-scratch a new I2P
implementation in C++ named Kovri. Instead of using Tor today they provide no
sort of IP hiding while everyone must wait for a new I2P impl. This is bad
engineering and means few people can properly submit tx over Tor.

7. All TX are not the same. There is no solution to joining bad outputs. When
you make a multi-in transaction you provide strong linkage if an attacker
knows or suspects multiple outputs are yours. Example: you accept donations or
are a darknet dealer. Attacker sends many small outputs to you. Attacker will
know when you make a move because they will see a multi-input transaction
containing one of their known outputs in each ring. This is useful for LE:
send small money, then know when money is moved. From that point trace forward
and see if descendants of that TX end up at a known exchange. Now you have a
short list of suspects.

8. A lot of metadata per TX. Each TX can have a payment ID [old style],
payment ID [new style] or none. Each tx has a fee, and the fee is one of 4 levels
[0.25x, 1x, and 2 large x]. But the default is 1x. This encourages smart or
big users to change from the default to 0.25x to save money. But now their tx look
different from common users'. Exchanges in particular may do this.

9. Probably other things I am not thinking of off the top of my head.

In short I think that the practical privacy Monero gives users who have something
to hide [darknet] and may find themselves against a LEA might leave them
in a bad position. Compounding this is Monero's total refusal to warn users
and its self-sabotaging options. A Tor-style warning is absolutely
required given the state of things. More paranoid people might think the lack
of warning and some of these issues are intentional.

Edit: I still support Monero and think it is the best project. Despite ZCash
looking better on paper the team makes me nervous and I avoid it. [Their
wallet software is even worse despite them having many millions to fix it] ...
I just want Monero stronger as it will help our users overall and that is good
for my business.
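
To put numbers on the "one hack or warrant eliminates many decoys" concern above, here is an added Python model (not code from the thread or from the Monero project) that computes the expected surviving ring size and runs a small Monte Carlo of the cascade in which every traced ring feeds further eliminations; the pool size, transaction count and attributable fraction `p` are constructed parameters.

```python
"""Effective ring size when a share of the output pool is attributable.

Constructed model: a pool of N outputs, a fraction p of which belongs to one
cooperating entity (the thread's 7-15% figure is the motivation; p is a free
parameter). Each transaction spends one output of some other user and pads its
ring with n-1 decoys drawn uniformly from the rest of the pool. An observer who
can rule out attributable outputs, and outputs already identified as spent,
shrinks each ring; a ring with one survivor is traced, and its real input then
becomes known-spent and is eliminated from every other ring it appears in.
"""
import random


def expected_effective_ring(n, p):
    """Mean surviving members: the real input plus n-1 decoys that each
    survive with probability 1-p. Ignores the cascade, so it overstates
    the anonymity that remains."""
    return 1 + (n - 1) * (1 - p)


def prob_traced_directly(n, p):
    """Probability that every decoy is attributable, so the ring collapses
    to its real input without help from any other ring."""
    return p ** (n - 1)


def simulate_chain_reaction(n, p, pool_size=3000, txs=300, seed=1):
    """Monte Carlo of the cascade; returns the fraction of transactions whose
    real input is identified once eliminations reach a fixpoint."""
    rng = random.Random(seed)
    known = set(range(int(round(p * pool_size))))  # entity-attributable outputs
    others = [o for o in range(pool_size) if o not in known]
    # Real inputs are distinct: one spend per output, as key images enforce.
    rings = []
    for real in rng.sample(others, txs):
        decoys = rng.sample([o for o in range(pool_size) if o != real], n - 1)
        rings.append((real, [real] + decoys))

    traced = set()
    changed = True
    while changed:  # repeat until no ring shrinks any further
        changed = False
        for idx, (real, ring) in enumerate(rings):
            if idx in traced:
                continue
            survivors = [o for o in ring if o not in known]
            if len(survivors) == 1:  # only the real input is left
                traced.add(idx)
                known.add(real)  # now a known-spent output
                changed = True
    return len(traced) / len(rings)
```

Comparing `simulate_chain_reaction(5, p)` against `prob_traced_directly(5, p)` for the same `p` shows how much the cascade adds on top of rings that collapse on their own.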

~~~
sgp_
> Main issue: Ringsize is small. Used to be 3 [why??] got bumped to 5 because
> 3 is obviously useless. Now getting bumped to 7. The team is taking a very
> aggressive approach here. Aggressive approaches with security tend not to
> work. They should be conservative and set the ringsize high then back off
> later once they have done the research to support a small ringsize.

This is a balancing act. Will the anonymity set actually lower if transaction
fees double?

> The response to all this is 'churn'. This is sending coins to yourself
> [looks same as sending to other people] so that you obfuscate the connection
> over time. But despite that this is a core feature of Monero they have
> provided zero research zero guide on how to do so. They spend money and time
> researching fancy new maths and this is great. Yet the core functionality to
> answer the question: How anonymous am I, how mixed in am I, this remains
> unanswered.

> Despite this they refuse to provide any sort of disclaimer. Contrast to Tor
> Project which makes a big deal of telling users they can hurt themselves and
> Tor is not some magic. In comparison Monero just claims untraceable &
> private with no caveat whatsoever. This is irresponsible & reckless,
> damaging to users and not justified. Only when users start thinking and
> asking questions are they told oh of course you need to churn but no one
> knows what this is.

I think this is a fair concern, but no one has "refuse[d] to provide any sort
of disclaimer." I think it's totally fair to write one up. Add it to a certain
portion of the website.

For churning, research has been ongoing. Specifically for EAE scenarios.

> 1. Unencrypted transactions. Your ISP or NSA may easily monitor which tx
> you broadcast. This let them link your IP to a tx as well as link your tx
> across time. Even though HTTP is used thus adding TLS [unauthenticated but
> at least preventing passive snooping] would be an obvious step. On the other
> hand... traffic analysis might break this anyway. Tor is needed to really
> protect but see below.

Kovri will include encrypted connections. Monero community members have never
claimed to provide IP protection in the current state. If you are currently
worried, use a public hotspot somewhere.

> 2. Wallet leaks information. When connecting, it requests block info from
> the last block it has. This allows tracking that user over time. The obvious
> solution of having the wallet always request fixed number of blocks back in
> history is not implemented. This is simple engineering fixing, not fancy
> math.

This is an issue with remote nodes only. This can be mitigated at a cost of
efficiency, and even if mitigated, it can still be relatively traceable if
enough connections are made. If you are concerned about this risk, use your
own node. There will always be privacy loss when using someone else's copy of
the blockchain.

> 3. The height leak is very damaging for users attempting to churn. In that
> case they connect, sync, broadcast, disconnect, repeat. Every time they
> connect they are indicating approximately where they left off. This means
> when they broadcast again ... one only need to look at the tx to see if
> there is a ring member near where the wallet connected. If so, you have
> linked TX.

I argue that churning is absolutely outside the scope of users who are using
remote nodes. It's extremely unlikely an advanced user who cares about their
privacy will make a fundamental mistake in trusting someone else's node. This
is outside the scope of protections. Just run your own node if your threat
model even considers churning.

> 4. The wallet will ask to confirm transactions sometimes... AFTER it has
> send the ring to the remote node! If you cancel tx then try again, you have
> sent 2 rings to the remote node but in each ring the real input is the same.
> Congrats, tx linked or ownership of output now shown.

This was disclosed in HackerOne and has been patched.

> 5. Wallet and network does not support Tor. Despite using HTTP they do not
> have proxy support. On Linux they suggest hooking syscall to force proxy
> [torsocks]. On Windows they scorn users and tell them to use Linux. At the
> Monero network level only IP addresses are accepted meaning we cannot have
> Tor-to-Tor.

Little effort has gone into this since the support is being designed for I2P.

> 6. Tor is downplayed because they are writing-from-scratch a new I2P
> implementation in C++ named Kovri. Instead of using Tor today they provide
> no sort of IP hiding while everyone must wait for a new I2P impl. This is
> bad engineering and means few people can properly submit tx over Tor.

There are other considerations when submitting transactions over Tor. I'm not
an expert here, but fluffypony has been critical of this approach in the past.

> 7. All TX are not the same. There is no solution to joining bad outputs.
> When you make a multi-in transaction you provide strong linkage if an
> attacker knows or suspects multiple outputs are yours. Example: you accept
> donations or are a darknet dealer. Attacker sends many small outputs to you.
> Attacker will know when you make a move because they will see a multi-input
> transaction containing one of their known outputs in each ring. This is
> useful for LE: send small money then know when money is moved. From that
> point trace forward and see if descendants of that TX end up at known
> exchange. Now you have a short list of suspects.

Each output is used in several transactions. While it does not completely
mitigate the risk you describe, it means there is at least some plausible
deniability in practice. If you are in a situation with a significant number
of outputs, you definitely should not simply send a transaction with these to
an exchange or similar.

> 8. A lot of metadata per TX. Each TX can have a payment ID [old style],
> payment ID [new style] or none. Each tx has a fee, and fee is one of 4
> levels [0.25x, 1x, and 2 large x]. But the default is 1x. This encourages
> smart or big users to change from default to 0.25x to save money. But now
> their tx look different from common users. Exchanges in particular may do
> this.

There will always be some metadata, but based on how the system works, there
will always need to be a fee. The multiplier is set to be more automatic
in the latest version. The payment ID metadata has been improved to be
encrypted, and to encourage use for all transactions with integrated
addresses. Metadata for these two items is the least of our concerns since
there is still a pretty large entropy set for normal situations, but of course
there could be improvements.

> 9. Probably other things I am not thinking off of the top of my head.

Me too :) Key image reuse attacks seemed to come out of nowhere, and we needed
to respond to them.

> In short I think that Monero practical privacy for users that have something
> to hide [darknet] and may find themselves against a LEA might find
> themselves in a bad position. Compounding this is Monero's total refusal to
> warn users and provide self-sabotaging options. A Tor-style warning is
> absolutely required given the state of things. More paranoid people might
> think the lack of warning and some of these issues are intentional.

I disagree with your tone here. Here I am, a community member, agreeing with
many of your criticisms. The idea of a better warning guide has been discussed
for quite some time, and I believe it has been relatively strongly received.
If you were to start a project on Taiga to get this started I'm sure many
people would respect you.

The best summary I can say is this: Monero is a tool that can provide
significant privacy under a variety of use-cases. If your use-case is hiding
your wallet balance and transactions from merchants, ad agencies, and most
attackers, you can use Monero with little to no significant consideration for
your privacy. If you are worried about colluding KYC exchanges, governments,
and motivated attempts to target you specifically by powerful attackers, then
the use-case for Monero needs to be better-defined. Monero will preserve
privacy under some situations better than others. Given that it is relatively
hard to understand, Monero will need to use a mix of education and
default/mandatory functionality to encourage the correct behavior.

~~~
the_stc
I will look up the complaints about Tor.

I apologize for my tone and do not mean to speak ill of the Monero team. I
still choose Monero and feel it has the best benefits overall.

~~~
sgp_
Thanks for being informed about some of the limitations! I highly appreciate
having these conversations, and I look forward to working with you to improve
Monero.

------
granaldo
I've seen countless writings against Monero, yet the market still prices it as
worthy:
[https://www.coingecko.com/en/price_charts/monero/usd](https://www.coingecko.com/en/price_charts/monero/usd)
Can we compare this to the IOTA revelation?

------
jacques_chester
Side-channels are the gap between theory and reality; a gulf filled with
information theory and tears.

As they point out, the public, consensual mutation-resistance of blockchain
makes it rather hard to walk back mistakes.

------
criddell
I only ever hear of Monero in a negative light. Has anything positive come
from it?

~~~
tudorconstantin
It can't be that both affirmations have a negative connotation:

"Monero can be 100% anonymous, so it's the preferred coin of criminals"

"Monero is not 100% anonymous, so big time criminals can't use it."

~~~
SarangNoether
Anonymity is not something you either have or don't have. It's always relative
to an anonymity set. Mathematically, a ring signature provides a guarantee of
anonymity within the ring.

------
EGreg
The SAFE project would have totally private coins. If they ever launch, I mean
:)

------
cies
Next frontier: XSpectreCoin

[https://spectreproject.io](https://spectreproject.io)

~~~
cies
Down votes but no explanation. XSpec's level of untraceability goes quite a
bit beyond Monero's.

~~~
JumpCrisscross
> _Down votes but no explanation_

Consider the obverse: a promotional link with no explanation. A short blurb
about why XSpec is better than Monero might help your comment stand stronger
on its own.

~~~
throwawaylolx
The difference is that Spectrecoin has no paper and no explanation how
"stealth staking" works.

