Monero Is Less Untraceable Than It Seems (wired.com)
157 points by mlb_hn on Mar 27, 2018 | 114 comments



I hate how everyone always stresses the illegal uses of Monero in these conversations about traceability. Monero has a lot of legal uses, many of which are listed here:

https://www.monero.how/why-monero-vs-bitcoin

The big one for me is privacy:

“The most critical flaw in Bitcoin is its lack of privacy. If you give me your Bitcoin wallet address so that I can send you a payment, you immediately compromise your privacy. I can see as a matter of public record how much money you have in your Bitcoin wallet.”

I don’t want other people to know how much money I have when I pay them for goods and services or how much I have paid to others in the past. This wouldn’t happen with a bank account but could happen with bitcoin.

I don’t necessarily want people I am negotiating a contract with to know my hand. It potentially gives them an unfair advantage.

If my Monero transaction history can be figured out by a government agency with lots of resources but not the average business, that doesn’t necessarily invalidate Monero for my use cases.


Privacy is indeed the main motivation. But you're missing the threat model. Facebook, Google, Target, etc. all run sophisticated customer tracking programs. Target was predicting if their customers were pregnant based on spending habits 5 years ago[0]. If blockchain payments go mainstream, customers will use them and those companies will build profiles based on that data. If 10 grad students on a shoestring budget with ethics/IRB restrictions can break a system, so can many people you should be worried about far short of governments.

[0]https://www.nytimes.com/2012/02/19/magazine/shopping-habits....


It really isn't difficult to tell if someone is pregnant. I actually make a game out of it when looking through Facebook at women I know. So many will drop hints that are seemingly unrelated, but which often tip me off that they're pregnant.

More on topic, there is a difference though: from what I read in the article, it doesn't seem like Target had access to what people bought at other stores. It would be like if Target could see what you bought at Walmart, or at least that you went there and how much you spent.


To me this feels like concern without regard for the full differences. With bank accounts you usually have the restriction of "as many accounts as you can afford" where with bitcoin addresses you can have countless. So someone could just as easily watch you drive up to the bank and know you bank there. Keep your private addresses private, duh.


Even with multiple wallets, the point is the same that your Bitcoin address is tied to your complete transaction history and account balance. Your Bitcoin address is just an alias for your real identity. If (or once) your Bitcoin alias is tied to you, you have zero privacy. Through public meta-analysis you can get a pretty clear picture of the spending habits and maybe even location of a Bitcoin address. Or, a purchase of a physical product where you give your home address and your Bitcoin address and your alias is linked to your actual home (albeit in the records of a 2nd party). But still, it's not hard to imagine how non-private Bitcoin is.

And following someone to BofA doesn't exactly give you much if any information about them. Even if I gave you my checking account number (which is on all my checks), you still can't go and access my financial records without doing something illegal.


Yeah, but let's say you make a website and want to accept donations using bitcoins. What you generally do is put "donations welcome at <bitcoin address>!" (I see this all over the place). Are you saying that webmasters should write a script that generates these public/private keys on every page hit, and then somehow stores all of those millions of private keys... somewhere? On your server? Or do you have to build an entire infrastructure of key exchanges to some safe place just so you can accept bitcoin donations privately?


Why would it have to be "donations welcome at <bitcoin address>!"? There are plenty of ways to ask for donations and it doesn't always require having a single address shown. You can have a "Donate" button that, when clicked, asks for a generated wallet (all from the same private key, but it would be a different wallet still) and shows it with a QR code as a bonus.


Look, I'm not making this up. Lots of people and projects do exactly this. Tails, the super-secure privacy-focused version of Linux asks for donations in exactly this way [1] (and if you go to blockchain.info you can see a full wonderful list of all the bitcoin addresses who have donated to them [2]). It's a totally reasonable way to set up bitcoin donations (hell, it's even recommended by the bitcoin wiki! [3]) and it's a significant weakness of bitcoin that these transactions are not private.

It is an absurd defense of bitcoin to say "well, it COULD just be as private as these other things, if you only jump through ten more technical hoops and not use bitcoin as intended". Clearly, these other cryptocurrencies offer something that bitcoin doesn't.

[1]: https://tails.boum.org/donate/?r=contribute

[2]: https://blockchain.info/address/1BvBMSEYstWetqTFn5Au4m4GFg7x...

[3]: https://en.bitcoin.it/wiki/Receiving_donations_with_bitcoin


> webmasters should write a script that generates these public/private keys on every page hit

Not on every page hit, but on every donation or every few days depending on how many transactions you've received. It doesn't have to be a completely new set of keys - you can use a deterministic wallet to generate as many as you want from a single master secret.


>>Are you saying that webmasters should write a script that generates these public/private keys on every page hit, and then somehow stores all of those millions of private keys... somewhere? On your server?

There's actually a solution called stealth addresses that let you publicize a single static donation address and yet receive every donation at its own unique address:

https://bitcoin.stackexchange.com/questions/20701/what-is-a-...

This is an off-chain construct so can be utilized with any blockchain.
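The stealth-address construction mentioned above, worked through end to end as an added example (not code from the original thread, from the linked Stack Exchange answer, or from any wallet project). It uses a simplified CryptoNote/Monero-style dual-key scheme on secp256k1 written from scratch: the receiver publishes one static pair of public keys, every sender derives a fresh one-time output key from it, and only the receiver's private view key can recognise which on-chain outputs are theirs. The curve arithmetic, the SHA-256 hash-to-scalar and the function names are assumptions for this demo, not a standard's exact encoding, and the point multiplication is not constant-time.

```python
"""Stealth (one-time) address exchange on secp256k1, written from scratch
for illustration. Simplified dual-key scheme (view key + spend key) in the
style of CryptoNote/Monero; not a wallet implementation and not a standard
encoding. Every key below is generated locally; nothing here is real."""
import hashlib
import secrets

# secp256k1 curve parameters (standard public constants)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p1, p2):
    """Affine point addition; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, point):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    result, addend = None, point
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def hash_to_scalar(point):
    """H_s(point): SHA-256 over the affine coordinates, reduced mod N."""
    data = point[0].to_bytes(32, "big") + point[1].to_bytes(32, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def receiver_keygen():
    """Receiver keeps private view key a and spend key b, and publishes the
    static pair (A, B) once, e.g. on a donation page."""
    a = secrets.randbelow(N - 1) + 1
    b = secrets.randbelow(N - 1) + 1
    return a, b, ec_mul(a, G), ec_mul(b, G)


def sender_make_output(A, B):
    """Sender derives a fresh one-time key P from (A, B) and an ephemeral r.
    Only (R, P) go on-chain; a third party cannot link them back to (A, B)."""
    r = secrets.randbelow(N - 1) + 1
    R = ec_mul(r, G)
    s = hash_to_scalar(ec_mul(r, A))   # ECDH shared secret with the view key
    P_out = ec_add(ec_mul(s, G), B)
    return R, P_out


def receiver_scan(a, b, B, R, P_out):
    """Receiver recomputes the shared secret with its view key. Returns the
    one-time private key (needed to spend) if the output is ours, else None."""
    s = hash_to_scalar(ec_mul(a, R))
    if ec_add(ec_mul(s, G), B) != P_out:
        return None
    x = (s + b) % N                    # one-time spend key: x*G == P_out
    assert ec_mul(x, G) == P_out
    return x


if __name__ == "__main__":
    a, b, A, B = receiver_keygen()
    R1, P1 = sender_make_output(A, B)
    R2, P2 = sender_make_output(A, B)
    print("distinct on-chain keys for two donations:", P1 != P2)
    print("receiver recognises donation 1:", receiver_scan(a, b, B, R1, P1) is not None)
```

The design point is the split between the view key and the spend key: a donation page, or an auditor, can be given the view key to recognise incoming outputs without being able to spend them, while the static published address never appears on-chain at all. The scanning cost is the price: the receiver must try every new output on the chain, which is why real wallets optimise this step heavily.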


If I make a new bitcoin wallet, and transfer money from my 'main' wallet into that one, would that be traceable by anyone who deal with my new wallet? Would I need to use/trust some kind of 'washing' service to hide my transaction among several others?


>would that be traceable by anyone who deal with my new wallet?

yes

>Would I need to use/trust some kind of 'washing' service to hide my transaction among several others?

congrats, you just reinvented mixers and coinjoins


Any "wallet" is not a single address, but a set of addresses. Each address is just a cryptographic private key and you might have as many as you want. Though as soon as you send any transaction, the public key of your wallet becomes known.

This is why by default each time you make a transaction for any amount, the bitcoin client sends the specified amount of coins to the target address and all that remains to some new address that you own. While you don't announce that you have access to that new address, it's fairly easy to track your money.

> Would I need to use/trust some kind of 'washing' service to hide my transaction among several others?

So the answer is yes.


So what good is keeping the coins in separate addresses then? An earlier poster implied that you should keep separate addrs to avoid people knowing how much you have in full - but if you still have to wash the coins to separate accounts, what good is that? You're still washing all your coins - how many addrs you have seems like a side detail.

The only thing I can think of that separate addrs gives you, is that you can have a small amount of the coin in an address that you use for daily transactions. Meaning each transaction doesn't need to be washed, because you don't care about that address.

Am I missing something?


> So what good is keeping the coins in separate addresses then?

Publishing your public key slightly decreases the security of your coins. While ECDSA is strong, it's still safer when only the hash of your public key (the bitcoin address) is known. After all, you can always end up with a weak key due to software or even hardware bugs.

> Am I missing something?

You're completely right, but you underestimate how important that little detail is. If you only receive money to different addresses each time, then until you actually start spending it will be impossible to prove that you actually control any of these addresses.


It's like with session keys for secure communication. Generating different keys for each session doesn't solve all your problems, but there would be no benefit to reusing a nonce key and doing so amplifies certain risks.


I know that, you know that, but is that something the average person is aware of or do they think it works like Venmo?

If I go to a bar should I have to cycle currency between addresses to pay for a drink and avoid the bar man knowing my complete financial history? That sounds like a terrible UX.

I shouldn’t have to think about it. This is why I like the concept of privacy coins.


The wallet UI should do that for you automatically. Wallets which reuse addresses have been a constant source of privacy breaches and even lost coins (is it IOTA where you can lose coins if you use the same address as few as two different times?)


Most wallets these days don't reuse addresses, but without mixing, confidential transactions, or another approach, it's trivial to cluster a wallet via its change outputs, etc.

Iota is/was incredibly broken, and shouldn't be used as an example IMO.
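What "clustering a wallet via its change outputs" looks like in practice, as an added example that is not from the original thread or from any chain-analysis tool. It runs two well-known public-ledger heuristics (common-input ownership, and "the one output to a never-before-seen address is change") over a small constructed ledger whose address labels and amounts are made up; it shows that a wallet which never reuses an address still gets its addresses linked the moment it spends. The ledger format and function names are assumptions for this demo.

```python
"""Wallet clustering with two public-ledger heuristics over a constructed
toy ledger. Assumed for illustration: addresses are short labels, amounts
are integers, the ledger is in block order. Not Bitcoin-format data."""

LEDGER = [  # constructed sample transactions, oldest first
    # X1 pays the shop once, so "Shop" is a known address from here on
    {"id": "tx0", "inputs": ["X1"], "outputs": [("Shop", 5)]},
    # A1 pays the shop; change goes to the fresh address C1
    {"id": "tx1", "inputs": ["A1"], "outputs": [("Shop", 30), ("C1", 70)]},
    # the wallet combines C1 and A2 to cover a bigger bill
    {"id": "tx2", "inputs": ["C1", "A2"], "outputs": [("Bar", 80), ("C2", 20)]},
    # an unrelated wallet: B1 pays the shop, change to fresh B2
    {"id": "tx3", "inputs": ["B1"], "outputs": [("Shop", 10), ("B2", 5)]},
]


class UnionFind:
    """Minimal disjoint-set structure keyed by address label."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]   # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_addresses(ledger):
    """Return {address: frozenset(addresses believed to share an owner)}."""
    uf = UnionFind()
    seen = set()          # every address that has appeared so far
    for tx in ledger:
        inputs = tx["inputs"]
        outputs = [addr for addr, _ in tx["outputs"]]
        for addr in inputs + outputs:
            uf.find(addr)                       # register as a singleton
        # Heuristic 1: all inputs of one transaction are signed by one owner.
        for addr in inputs[1:]:
            uf.union(inputs[0], addr)
        # Heuristic 2: if exactly one output goes to an address never seen
        # before while the others are known, that fresh address is change.
        fresh = [addr for addr in outputs if addr not in seen]
        if len(outputs) > 1 and len(fresh) == 1:
            uf.union(inputs[0], fresh[0])
        seen.update(inputs)
        seen.update(outputs)
    groups = {}
    for addr in list(uf.parent):
        groups.setdefault(uf.find(addr), set()).add(addr)
    return {addr: frozenset(members)
            for members in groups.values() for addr in members}


def same_owner(clusters, a, b):
    """True if the heuristics put two addresses in the same cluster."""
    return a in clusters and clusters[a] == clusters.get(b)


if __name__ == "__main__":
    for addr, members in sorted(cluster_addresses(LEDGER).items()):
        print(addr, "->", sorted(members))
```

On this ledger A1, C1 and A2 end up in one cluster even though each address was used only once: tx1 gives away C1 as change, and tx2 then ties C1 to A2 by spending them together. C2 stays unlinked only because tx2 had two fresh outputs, which is exactly the ambiguity the heuristic depends on. Both rules are heuristics, not proofs: a payment to a brand-new recipient address looks like change under rule 2, and a CoinJoin breaks rule 1, which is why the thread's talk of mixers and confidential transactions matters.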


This is not quite true if you are using an HD wallet.


Well that's a weak argument. Just give them a new address. Many bitcoin owners have 100+ addresses within their wallet.


That's why the standard advice on any cryptocurrency is to use a different address per transaction. It's just... people are lazy, and more technically (in the past anyway) change addresses became an issue.


And once you transfer money from your one-time address to your main one, everyone will be able to see how much money you have. The only difference is that they will know it a "little" later. Still good enough, e.g., for an e-shop to categorize customers and retarget them.


Is there really a need to even have a “main wallet”? Most implementations I know of will aggregate multiple wallets into your balance, and I think handle sending transactions from those wallets in sum of the full amount being requested to send.


If you want to pay for something that is more expensive than what you have in one wallet (or transfer a larger amount), you will eventually have to combine multiple wallets.


That's one legit use of a mixing or joining service.

Not saying there isn't traceability through those services (especially since we aren't ideal), since the point of the distributed ledger is traceability.

Something that was rather easy was depositing to an exchange, and just withdrawing; you lose the identity of the coins, at the cost of the exchange knowing the connection.


I think the traceability concerns are mostly handled since while it might be possible to infer an identity from an address that's sent to or from an exchange account, it's a lot more murky once those coins are moved elsewhere. If you know that address ABC belongs to me, and you see I sent coins to address DEF (which is entirely offline and using a brainwallet), and later DEF sends coins to GHI, you're left with the task of proving that DEF and GHI belong to me, and weren't me paying someone else.


What you're saying is correct, except you keep saying "wallet" where you mean "address". A wallet is a collection of addresses.


You can specify more than one input in a transaction, so that shouldn't be necessary.


Isn't it relatively simple to create a new wallet tho?


fungibility


It is trivial to get around the problem you are describing, you just create a new address for every transaction, which is actually what the reference wallets do by default.


Cryptocurrency only real use cases are currency speculation and crime.

Of course they'll mention illegal uses. It's what it's for.


I'm on the Monero Research Lab team. This article, like most media coverage of academic research, ignores much of the subtlety behind the research. The likelihood that a particular output is positively identified depends heavily on its age relative to our regular protocol upgrades. And it's not like we aren't actively working on ways to improve anonymity. We're in the process of updating the way we choose our fake outputs and discussing best practices for handling very old outputs. I always appreciate research into ways to improve Monero, but I don't think this article does the research justice.


> The likelihood that a particular output is positively identified depends heavily on its age relative to our regular protocol upgrades.

That's mentioned explicitly in the article. With explicit dates of certain protocol changes that have improved things.

> And it's not like we aren't actively working on ways to improve anonymity.

In other words, there are threats now. Which is what the article says.

> I always appreciate research into ways to improve Monero, but I don't think this article does the research justice.

I haven't seen the original research, so I cannot tell if the article does it justice. But I can say that what you have said here doesn't call the article into question. You have just restated the things it says.

(For whatever it's worth, I do own some Monero and I would like it to be successful. Part of that is accepting valid, constructive criticism.)


Most importantly, the vast majority of findings from this paper were first researched in late 2014 in MRL-0001. Since this research paper, improvements have been made, including increasing the minimum ringsize to 3, 5, and now 7. RingCT was added in January 2017, which hides the amount.

The paper has 3 recommendations:

1. Warn users who made early transactions that they may have had their ring signatures compromised. The stealth addresses would still work. This isn't a suggested improvement, and I believe that any user interested in maintaining their privacy should have considered researching Monero, including reading MRL-0001. I'm sure not everyone did this, but keep in mind that Monero was a much smaller network back then made of mostly enthusiasts. If you were transacting on AlphaBay, the least you could have done is see what the limitations of your tool are. They were much higher at the time than they are now.

2. Improve the decoy selection algorithm. There is definitely room for improvement to make the most out of the decoys selected for the ring signature.

3. Consider avoiding public pool payout outputs, which are known to be used in the pool transactions. This is a fair point, though from the proportion of pool payout transactions to total transactions as found in the paper, this case is likely still adequately covered with ringsize 7. Monero can still consider avoiding these outputs as decoys though in some way.


Because the decoy selection is not part of the protocol, not everyone is doing it. Some exchanges have increased ringsize but kept the old selection system. Not to mention that exchanges make up a large bulk of Monero TX and hence are one warrant/hack away from killing a bunch of decoys anyway.

Monero would gain credibility if it took a conservative approach to ringsize and then used research to lower the ringsize. Instead we get no justification for ringsize, saying there is no research that shows an increase is needed. This is the opposite of how security is approached. Indeed: the only MRL statement I know of on churn is that it does not work.

I appreciate the work you do and MRL overall. But without practical examination of real-world threats it feels a bit empty. And the Monero team's refusal to provide any sort of disclaimer at all really undermines the sincerity.


I'm not involved with any cryptocurrencies, so I have no dog in this fight. I am curious, however. Whenever ZCash comes up Monero is mentioned as "also providing" anonymity.

Being on the Monero team, can you comment on the differences between the privacy guarantees provided by the two platforms?


I'm a user who picked the Monero side of things. Here's the short run down on the difference and why I ultimately sided with Monero.

Monero uses ring signatures to prove that one out of n people signed a transaction without revealing which one of the n. Over the course of k steps the possible transaction history might be in any of n^k states. Typically n=5.

Zcash uses zero-knowledge proofs for anonymity. Any private zcash tx may have gone to or come from any other private zcash tx.

Here are the problems with Zcash as I see them

1) trusted setup. There is some toxic seed data that needed to be destroyed at the time Zcash was created. With that seed you could inflate the coin as much as you want. There was an elaborate ceremony of 6 people (5 of them Zcash employees) showing the seed was destroyed. But an elaborate ceremony isn't cryptographic proof.

2) privacy is optional. If a transaction goes from a non-private address, to a private address, to a non-private address it is traceable. The Zcash anonymity set is actually very small.

3) Zcash is a company. I consider the political structure of a coin (or lack thereof) as an attackable surface. A government can force Zcash to back-door their software (hi NSA). There is no head of Monero.


On 2: Monero is almost the same. ShapeShift does 7-15% of all tx at least. How many transactions are actually private after you consider hacks or LE warrants? Those TX are what you depend on to get false spends.

On 3: How many people must agree in order to change something in Monero such as HF parameters like ringsize? There is not a single company but it looks [to an outsider like me] as a similar position.

I chose Monero too for similar reasons, including ZCash people openly saying they support backdoors for LE [but promising ZCash would never have them]. And taking 20% of the block reward and not doing anything useful with it [for millions I expect really polished clients and some quick upgrades].

But the low ringsize is weak [hence going from 3 to 5 to now 7]. All ring members are not equal, so n^k is very naive. Fee, ringsize, payment ID, in/out count are all metadata that distinguish on-blockchain. Let alone off-blockchain such as keys being hacked/warranted.

Given this and Monero's lack of disclaimer or warning at all about how to use it safely... a paranoid person might suspect ill-motives. [Consider: MyMonero, the Monero 'lead' Web Wallet, goes out of its way to suggest users use a few higher ringsizes to get better privacy, when we know this makes their TX stand out. This is something that presumably he could change with 1 or 2 lines of code but has not.]


>On 2: ...How many transactions are actually private after you consider hacks or LE warrants?

That's actually a difficult question. I won't try to estimate here. But IIRC something like 95% of ZCash tx are non-private by user opt in, and the remaining 5% are also vulnerable to things like warrants at the exchange and timing attacks. So the bar is set really low for Monero to have the best anonymity set of all privacy tokens.

>On 3: How many people must agree in order to change something in Monero such as HF parameters like ringsize? There is not a single company but it looks [to an outsider like me] as a similar position.

I think Monero is in a similar-but-better position. True, the core team can be compromised, and true, the core team is more powerful than others. But I view this as a necessary centralization to get the ball rolling. I want the Monero core team to eventually be more hands off. Spagni's "I'm not a CEO" statement inspires confidence.

>But the low ringsize is weak [hence going from 3 to 5 to now 7].

can't wait for bulletproofs!

>All ring members are not equal to n^k is very naive.

I was intentionally very cautious with my words here. What I actually said was "Over the course of k steps the possible transaction history might be in any of n^k states". I did not say that all n^k states are equally likely. The actual amount of entropy in the Monero blockchain is much harder to explain/estimate so I used n^k as an upper bound.


>and the remaining 5% are also vulnerable to things like warrants at the exchange and timing attacks

I was under the impression that no exchanges handle shielded transactions. What do you mean by timing? I would assume you go t-z-t and leave it quite a while as shielded.

>can't wait for bulletproofs!

Bulletproofs do not help verification time which is why we have low ring size. Going from 5 to 21 ringsize only increases size 8%. 15 is even less, a reasonable compromise on size. There is an unspecified perf target that must be met on verification.


>I would assume you go t-z-t and leave it quite a while as shielded.

Many people skip the "leave it a while" step.

Also you can look at things like x-amount left this exchange and y-amount entered this exchange.


> 5 of them Zcash employees.

Huh? Doesn't that contradict https://blog.z.cash/the-design-of-the-ceremony/ ?


Of the 6-person ceremony we have the ZCash founder, a ZCash technical advisor (Andrew Miller), and the ZCash CTO (Nathan Wilcox). My bad. 3 of the 6 (possibly +1 because one is still unknown). I misremembered. Arguably the person from NCC isn't conflict-free as they were paid directly by ZCash.


NCC gets paid to do security audits, and getting paid puts their (very high) professional reputation on the line.

I'll admit I'm biased: I worked a bit with Zooko and Nathan (Wilcox), pre-Zcash, on some other security audits. My experience was that making the client look good is really not a consideration. Phrase your findings neutrally and informatively, yes; but you earn your rep by being as creatively nasty as you can at breaching the system.

Not to argue against evaluating claims skeptically -- just to state my most important disagreement.


ZCash's biggest problem from a common man's perspective: its privacy isn't enabled by default, it's opt-in. That means people (i.e. the people you are interacting with) need to opt in to its privacy in order for you to be able to achieve privacy.

I have the same problem with Signal: it tries to be 'seamless' in its integration with SMS. But now I could be talking to someone on Signal who also uses Signal so the communication is secured, but if they don't, Signal just sends messages as an unsecured SMS (though it shows you in the app with a slight UX tweak that this is an unsecured communication channel, but that's not good enough).


My understanding is that shielded transactions were made opt-in due to time and resource needs in computing their zero-knowledge proofs. Hopefully they can improve this and do away with unshielded transactions altogether in the future.


Just wanted to say thanks for your work! It's my favorite crypto out there and the more I learn about it the more I realize how solid the tech is.


This was a well-known design choice where the user could balance between transaction size and privacy--people who preferred faster/cheaper transactions chose to sacrifice untraceability. Nowadays, the default option enforces higher untraceability.

Also, some of the authors of the research paper mentioned in the article are part of the competitor Zcash group who sensationalise common knowledge to undermine Monero. Zcash is a US-based company that has a trusted setup which was possibly backdoored [1], one of their scientists and inventor of Zerocoin protocol publicly supported backdoors [2], and their CEO and cofounder suggested backdoors as well [3].

I would read more about Monero before dismissing it, as it's one of the very few legitimate groups in the space besides Bitcoin.

[1] https://twitter.com/peterktodd/status/793584540891643906

[2] https://www.newscientist.com/blogs/onepercent/2013/03/bitcoi...

[3] https://twitter.com/zooko/status/863202798883577856


It's fine if you want to defend monero's technology, but attacking the researchers credibility because of their association with a competing project? That's some weak sauce in my opinion.

One side is actually doing the work and publishing attacks, even if they are against zcash (shielding/deshielding). The other has some questionable twitter conversations about a hypothetical backdoor. Zcash zk-snarks are backdoored? Proof of concept or GTFO is the law of the land, my dude.


Oh, and I forgot to mention they were also sponsored by DARPA. You can pretend these are all irrelevant arguments and wait for your proof, but the reality is that reasonable doubt and ad hominem are sometimes appropriate, especially when dealing with privacy. It's on them to prove their trusted setup can be trusted, and everything they've done is antithetic to trust.


Trusted setup only compromises the supply integrity not privacy. I am not a fan of Zooko or the Green comments on backdoors and LE but do not misrepresent trusted setup.


>only compromises the supply integrity

Conveniently, it's impossible to audit whether more coins are being minted right now to add to the developer tax already imposed on block rewards.

Don't think I misrepresented trusted setup--only warning others about the reputation of Zcash. Anonymity for some can be a critical issue, so I don't think everyone can afford to wait for "proof of backdoor" before making their decision.


Deanonymizing zcash's shielded transactions requires breaking the preimage resistance of sha256.


Technically, you could also break the encryption used in the memo field. But that's bog standard cryptography.


By the way, the backdoor comments are taken out of context in a very inaccurate way.

For Zooko's, literally the next tweet explains that he means for transfers in and out of fiat.

"And by the way, I think we can successfully make Zcash too traceable for criminals like WannaCry, but still completely private & fungible. …

… At least for as long as criminals want to cash out to fiat (years? decades?). … "[0]

Since conversions to fiat are done via exchanges, which are regulated, it's pretty simple. This applies to Monero, Dash, etc.

Matt's, which he has pointed out before[1], was a point that it was possible, which is true for any system. If you follow the general debate on adding backdoors to encryption, you'll know he and almost all cryptographers are completely against them.

It's fine not to be a fan of them or to think people should never admit even the conceptual possibility of limitations on privacy, but neither quote was endorsing backdoors.

[0] https://twitter.com/zooko/status/863202964416077824

[1] https://news.ycombinator.com/item?id=15370744


>Since conversions to fiat are done via exchanges, which are regulated, it's pretty simple.

There are plenty of decentralized exchanges (Bisq supports Monero) and OTC trading websites such as LocalMonero. It would make no sense for a criminal to cash out using a centralized exchange that likely requires KYC?


>This was a well-known design choice where the user could balance between transaction size and privacy--people who preferred faster/cheaper transactions chose to sacrifice untraceability. Nowadays, the default option enforces higher untraceability.

This has always been wrong and it is wrong on the face. Your privacy does NOT depend on your ring-size. That is only for backward-tracing. For forwards tracing [more common: you have bad money and want to turn it anonymous so it is good] you rely on other people on the network false-spending your money.

Between the low ringsize [3, now 5, soon 7] and the fact that a good double-digit % of network is owned by LE-accessible entities [ShapeShift does at least 7-15% of tx].

Even with these papers Monero refuses to provide any sort of disclaimer that transactions may be traceable despite readily admitting you must do churn over time to gain privacy. Monero deserves a lot of criticism even if ZCash is worse in some ways.


> This was a well-known design choice where the user could balance between transaction size and privacy--people who preferred faster/cheaper transactions chose to sacrifice untraceability. Nowadays, the default option enforces higher untraceability.

I don't think you understand the flaw behind this "design choice". While it's great to give the user the choice in how they want to balance things, the individual's choice affects the whole system. If you - as a less privacy-conscious user - use 0 mixins (as was possible) or the min. no. of mixins, when your transaction is used as a mixin for a privacy-focused user, you make that user much more identifiable. The choice defeats itself when you depend on others to take at least the same number of mixins for their transactions.
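The mechanism behind "the individual's choice affects the whole system", as an added example that is neither code from the thread nor from Monero or the paper the article covers. Each transaction input is a ring of candidate outputs, one really spent and the rest decoys. Because any output can be spent only once, a ring that has shrunk to a single candidate reveals its spend, and that output can be struck from every other ring it appears in; the cascade is what a wallet owner would run to estimate how much of their chosen ring size actually survives. The ring contents and ids are constructed for the demo, and the function names are assumptions.

```python
"""Decoy elimination over a constructed set of ring inputs. Each input
lists its candidate outputs (one really spent, the rest decoys). Input and
output ids are made up; the rings were chosen to show how one user's
0-mixin inputs shrink the effective ring size of a careful user."""

RINGS = {  # constructed: input id -> candidate outputs (one real, rest decoys)
    "in1": {"o1"},                 # 0 mixins: o1 is obviously spent here
    "in2": {"o1", "o2"},           # 1 mixin, but o1 is already spent
    "in3": {"o2", "o3", "o4"},     # 2 mixins chosen by a careful user
    "in4": {"o3", "o4", "o5"},     # 2 mixins, one of which is o5
    "in5": {"o5"},                 # 0 mixins: o5 is obviously spent here
}


def resolve_rings(rings):
    """Iterate to a fixpoint. Returns (spent, remaining): inputs whose real
    spend is now known, and the surviving candidate set for every input.
    The caller's dict is not modified."""
    remaining = {name: set(cands) for name, cands in rings.items()}
    spent = {}
    changed = True
    while changed:
        changed = False
        for name, cands in remaining.items():
            if name in spent:
                continue
            if not cands:
                raise ValueError(f"{name}: no candidates left (inconsistent data)")
            if len(cands) == 1:
                out = next(iter(cands))
                spent[name] = out
                changed = True
                for other, other_cands in remaining.items():
                    if other != name:
                        other_cands.discard(out)   # can't be spent twice
    return spent, remaining


def effective_ring_sizes(rings, remaining):
    """Map each input to (ring size the user chose, candidates that survive)."""
    return {name: (len(rings[name]), len(remaining[name])) for name in rings}


if __name__ == "__main__":
    spent, remaining = resolve_rings(RINGS)
    print("fully traced inputs:", spent)
    for name, (chosen, left) in sorted(effective_ring_sizes(RINGS, remaining).items()):
        print(f"{name}: chose ring size {chosen}, {left} candidate(s) survive")
```

Here in3 picked two decoys and still ends with only two candidates, because in2's single decoy was an output already pinned by in1; in1, in2 and in5 are traced outright. The mitigations the thread discusses map directly onto the inputs of this loop: a mandatory minimum ring size removes the size-1 rings that seed the cascade, and better decoy selection keeps already-resolved or obviously-spent outputs out of new rings.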


This isn't a good explanation. The result of this research is actually that even if you opted in to privacy during mid 2016 to jan 2017, you wouldn't have gotten it.


If the ZCash trusted setup was compromised, it would allow the compromiser to create ZCash "out of thin air" and effectively rob other ZEC holders through seigniorage. It would not allow them to spy on transactions.


I think GNU Taler[1] solves the untraceability problem in a way that most people should be happy with. Consumers have all of their transactions private from everyone (the seller cannot tell how much money they have, what other transactions they've made, or where the money comes from; a government cannot tell what transactions a person has made). But seller transactions can be audited for tax reasons, to avoid tax fraud.

And best of all, it's not yet another cryptocurrency. It's a payment system that works over any currency (traditional VISA, or crypto-currencies). Of course, this means that Taler "tokens" cannot be used as a store of value, other than as a proxy for the underlying store of value. So you would only hold Taler tokens like you would cash in your wallet.

They even have really nice easy integrations into browsers and backend processing.

(I don't work on GNU Taler, I've just been saddened that such an interesting project has gotten so little press outside of GNU circles.)

[1]: https://taler.net/


GNU Taler wants to give the government a backdoor. That's privacy in the same way the Clipper chip in the 1990s was privacy.


This is a misunderstanding of GNU Taler, unless you're using a completely new definition of the word "backdoor". Customer transactions are completely anonymous -- that's the anonymity guarantee provided by GNU Taler. Mints are auditable (the amount of coins they've given out and received, and that they haven't given money to people who didn't have the associated coins). And thus how much money a particular merchant has traded to the mint for real currency can be figured out. There is no reasonable analogy between this (which has a given set of privacy guarantees, but not others) and the clipper chip (which was an attempt to remove all privacy guarantees from all cryptography).

The only way you can consider this to be a backdoor is if you think that allowing a government to know how much money a business has made (something that you are legally required to declare for tax purposes) is a bad thing. This seems like an immature view to me -- taxes are very important for a country to continue functioning.


According to the website, GNU Taler gives governments an exclusive view of all of a merchant's private transactions:

https://taler.net/en/governments.html

"With Taler, the receiver of any form of payment is easily identified by the government, and the merchant can be compelled to provide the contract that was accepted by the customer. Governments can use this data to tax businesses and individuals based on their income, making tax evasion and black markets less viable.

Thus, despite offering anonymity for citizens spending digital cash to buy goods and services, Taler also ensures that the state can observe incoming funds. This can be used to ensure businesses engage only in legal activities, and do not evade income tax, sales tax or value-added tax."

It's not a backdoor in exactly the same way the Clipper chip was, but it's a backdoor nonetheless.

The fact that the government is the gatekeeper in GNU Taler means that it would have been unable to empower people to get around the financial blockade against Wikileaks the way cryptocurrency did.

That's a practical consequence of giving up privacy and decentralization.

>>This seems like an immature view to me -- taxes are very important for a country to continue functioning.

It's not immature to point out that this gives the government a backdoor to monitor private transactions.

You think this reduction in privacy is necessary to levy sales/income taxes. That's a value judgment, not a refutation of the fact that this is a backdoor.

Something doesn't stop being a [negatively associated noun] because you think its effect is positive.

Speaking the truth instead of sugar coating it for ideological reasons is not immature.


> That's a practical consequence of giving up privacy and decentralization.

(Most) cryptocurrencies don't have privacy (quite the opposite). The reason why the government couldn't stop cryptocurrency transactions is that they were decentralised.

However, I also believe you're wrong in this case. Anybody can set up a mint, and so it would be entirely possible for a Bitcoin mint to exist (in fact I believe several already do). People could buy Taler tokens from the mint and then send them to Wikileaks. When Wikileaks cashes in the tokens, they are sent (using Bitcoin) to Wikileaks. While the government would be able to tell how much money Wikileaks received, they would not be able to stop the underlying funds transfer (through Bitcoin). Yes, they may be able to try to punish the mint for permitting such transactions, but this would be the same as punishing Coinbase for allowing people to send those transactions as well.

But if you're running a business and you don't want the government to know how much revenue you've made (which means you're running an illegal business from a tax perspective) then yes, you wouldn't be able to use GNU Taler. This is a benefit, because creating a system that encourages tax fraud is one of the easiest ways to have the government ban that system's usage.

> but it's a backdoor nonetheless. [...] not a refutation of the fact that this is a backdoor [...] Something doesn't stop being a [negatively associated noun] because you think its effect is positive.

You are using the term "backdoor". The only reasonable definition of this term is "a method (often secret) to allow an entity to bypass authentication or encryption of a particular system" (which is the common usage of the word).

This does not apply to GNU Taler, because no encryption or privacy guarantee is being bypassed. When you use GNU Taler as a merchant you are aware that your transactions are auditable by the government for tax purposes -- if you don't want that to be the case then you can choose not to use it. Almost all legitimate businesses would not have an issue with this, because they have to declare revenue anyway.

A backdoor would be if Monero had a way to deanonymise transactions, so that governments can figure out what people spent money on. In that case, a privacy guarantee of the system has been subverted.


>>(Most) cryptocurrencies don't have privacy (quite the opposite). The reason why the government couldn't stop cryptocurrency transactions is that they were decentralised.

They can be used in ways that give the user privacy. They're pseudonymous. But yes, a big part of why they can't be stopped is that they're decentralized.

But that decentralization only works if users have some degree of privacy. If governments knew every participant's address, that decentralization would effectively vanish.

>>Yes, they may be able to try to punish the mint for permitting such transactions, but this would be the same as punishing Coinbase for allowing people to send those transactions as well.

Coinbase would not allow transactions to Wikileaks if the financial blockade were reimposed on it.

GNU Taler states that it is designed to prevent illegal use, and if it is accurate in its claim, then it will prevent Wikileaks from using it during a financial blockade.

A technology's susceptibility to government control doesn't discriminate based on the moral justification for the government wanting to exert that control.

That's why one has to acknowledge that there's a trade off to be made, and decide which trade off is more conducive to a functional society.

I personally think empowering individuals rather than the surveillance state is the better trade-off.

>>This does not apply to GNU Taler, because no encryption or privacy guarantee is being bypassed.

The Clipper chip did not give any privacy guarantee against government monitoring, yet this channel for monitoring was commonly called a backdoor.


Yeah this is such a simple improvement over the current payment cartel, dodging the scaling issues and taxation issues through its conservatism. I wish we could all switch to this and then resume comparing altcoins.


Is GNU Taler an anonymous ecash mint?


Their website[1] gives more detailed information on how it works than I can here. Effectively, yes, but the system explicitly supports having different mints that operate over different currencies.

And while what consumers (people sending money) spend their money on is completely anonymous and cannot be correlated, merchants (people receiving money) can still have their income audited and taxed accordingly.

The system was designed by a university research team in Europe and became a GNU project a year or two ago.

[1]: https://taler.net/en/architecture.html


The FAQ says blind signatures which would definitely confirm it as an eCash mint. Wish they had a sentence on the website that said "we implement the CHL eCash scheme over the blah curve" for the technical folks.

>And while what consumers (people sending money) spend their money on is completely anonymous and cannot be correlated, merchants (people receiving money) can still have their income audited and taxed accordingly.

Can't be linked but they can be correlated since you have a weak timing channel from issuance of tokens to redemption.
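The two comments above identify the mint as a blind-signature eCash scheme and note which properties it does and does not give. The following is an added Python illustration of Chaum's RSA blind-signature flow, written for this thread rather than taken from GNU Taler (which uses RSA-FDH with proper padding and real key sizes; the textbook RSA here omits padding for readability). It assumes a toy key built from two Mersenne primes, a constructed coin serial, and a hypothetical `Mint` class whose withdrawal log and deposit ledger show the two properties argued over earlier: the payer cannot be matched to a withdrawal from the mint's own records, while the merchant that deposits a coin is named and its income counted.

```python
"""Toy Chaum-style RSA blind signatures modelling an anonymous eCash mint.
Added example for illustration; not GNU Taler's code and not secure RSA
(no padding, small key) -- it only demonstrates the unlinkability argument."""
import hashlib
import math
import secrets

# Constructed mint key from two Mersenne primes (far too small for real use).
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def coin_value(serial: bytes) -> int:
    """Map a coin serial to a 128-bit integer below N (toy hash-to-message)."""
    return int.from_bytes(hashlib.sha256(serial).digest()[:16], "big")


def customer_blind(serial: bytes):
    """Customer picks a secret blinding factor r and sends m * r^e mod N."""
    m = coin_value(serial)
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            return (m * pow(r, E, N)) % N, r


def mint_sign_blinded(blinded: int) -> int:
    """The mint signs what it is handed; it never sees m or r."""
    return pow(blinded, D, N)


def customer_unblind(blinded_sig: int, r: int) -> int:
    """(m * r^e)^d = m^d * r mod N, so dividing by r leaves the plain signature."""
    return (blinded_sig * pow(r, -1, N)) % N


def verify(serial: bytes, sig: int) -> bool:
    """Anyone holding the mint's public key can check a coin."""
    return pow(sig, E, N) == coin_value(serial)


class Mint:
    """Hypothetical mint keeping the two records the thread talks about."""

    def __init__(self):
        self.withdrawals = []        # blinded values seen at withdrawal time
        self.spent = set()           # serials already deposited (double-spend check)
        self.merchant_income = {}    # merchant -> coins deposited (auditable)

    def withdraw(self, blinded: int) -> int:
        self.withdrawals.append(blinded)
        return mint_sign_blinded(blinded)

    def deposit(self, serial: bytes, sig: int, merchant: str) -> bool:
        """Accept each coin once; the merchant is named, the payer is not."""
        if not verify(serial, sig) or serial in self.spent:
            return False
        self.spent.add(serial)
        self.merchant_income[merchant] = self.merchant_income.get(merchant, 0) + 1
        return True

    def can_link(self, serial: bytes) -> bool:
        """Naive linking attempt: the plain coin value never appears in the
        withdrawal log, because the mint only ever saw m * r^e mod N."""
        return coin_value(serial) in self.withdrawals


def demo():
    """Withdraw one coin, spend it once, try to spend it again, try to link it."""
    mint = Mint()
    serial = b"coin-0001"  # constructed serial
    blinded, r = customer_blind(serial)
    sig = customer_unblind(mint.withdraw(blinded), r)
    first = mint.deposit(serial, sig, "merchant-A")
    second = mint.deposit(serial, sig, "merchant-B")  # double-spend attempt
    return first, second, mint.can_link(serial), mint.merchant_income


if __name__ == "__main__":
    print(demo())
```

What the math hides is only the link between a withdrawal record and a deposited serial; the timing channel mentioned above (a coin withdrawn and redeemed seconds apart) and the merchant's identity at deposit are outside that guarantee, which is exactly the split between payer anonymity and merchant auditability the thread describes.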


> That shouldn’t just worry anyone trying to stealthily spend Monero today. It also means evidence of earlier not-quite-untraceable payments remain carved into Monero’s blockchain for years to come, visible for any snoop that cares to look.

This is the key point from the article and it applies to every cryptocurrency. Just because a crypto seems anonymous now, does not mean it will be forever, and all the transactions from “now” will still be on the blockchain “forever.” Almost ironically, scrutiny of a currency increases with its usage, so you’re probably better off just not using cryptocurrencies to commit crimes.

P.S. Anyone got the link to the paper? Can’t believe wired didn’t even link to it



Same goes for TLS - there's ample evidence that TLS data is being suctioned up at scale and stored for eventual decryption.


> Just because a crypto seems anonymous now, does not mean it will be forever

Just because a crypto <anything> seems safe now, does not mean it will be forever.

"You can't hide secrets from the future with math."


Every single time something seems to claim to be untraceable or anonymous, it seems to hold for a while, and then there's a "<X> is not as safe as we thought" headline.

Seems to be a good rule to just not trust anything.


Or assume the government has unlimited resources to throw at a problem, and not commit crimes.

Most of these headlines describe something that would require nation-state resources to crack. If you wanna hide paying for something legal, it's probably still sufficient.


“Not commit crimes” is a good maxim when you’re living in a liberal democracy (and even then …). It’s less easy when the state outlaws things unjustly. Like being gay. Or being (a)religious. And to give just two examples that apply to (otherwise) liberal democracies, most people would include “personal, recreational drug use” in the same category. And there are Western democracies that outlaw certain sexual acts between consenting adults (e.g. Germany, which outlaws any incest, even between consenting adult siblings), which also rubs many people the wrong way.

In sum, “not [committing] crimes” isn’t always straightforward.


I was with you every step of the way, then suddenly you were defending incest and I was like “how the hell did I end up here?”

Also, while “many” is a subjective term, I don’t think you’re using it correctly here. The idea that you should not regulate sex between consenting adults in general is very popular, but most countries carve out exceptions for sex work. Not saying they should, but many do. And I definitely think the incest legalization lobby must be very, very small, even though it probably has a sympathizer in the Oval Office.


> then suddenly you were defending incest and I was like “how the hell did I end up here?”

… Which nicely illustrates what different people find acceptable. But I agree that sex work would have been a better example. Either way, you felt it necessary to add the qualifier “in general”, and many (…) people, though certainly a relative minority, would fundamentally disagree with this qualifier (while talking about consenting adults without a power imbalance in their relationship).


> not commit crimes

If you take the US as an example (I assume you're American), then did you know that the US Supreme Court doesn't actually know how many laws apply at a particular time to a particular person[1]? The US code has an immense amount of laws that are all equally legally binding, but have different levels of "obviousness" as "don't murder people". If a US Supreme Court judge cannot be sure what laws apply in any given case, what chance does a layperson have to understand the tens of thousands of federal crimes in the US?

For instance 16 U.S.C 3372 (the Lacey Act):

> It is unlawful for any person [...] to import, export, transport, sell, receive, acquire, or purchase any fish or wildlife or plant taken, possessed, transported, or sold in violation of any law, treaty, or regulation of the United States or in violation of any Indian tribal law

So if you have ever bought or been gifted a fish, animal or plant that at any point broke Indian tribal law (even if you didn't know about it, even if it wasn't the law where you received it, and even if the plant or fish is legally farmed and sold in another area) you have broken a federal law and you're now a criminal.

In short, "don't commit crimes" is not as simple as you may think in all cases. You even have cases where the US government has retroactively applied new laws (in violation of the charter of human rights) for things that were not crimes at the time (such as "copyright infringement" for a work that used to be public domain). Very few criminals were tried under these strange laws, but they are still just as illegal as more common crimes.

[1]: https://youtu.be/d-7o9xYp7eE?t=279


OK, but this is theory. Can you point to any practical examples of people who were charged with a crime under the Lacey Act for a common, harmless transaction?


As with crypto for personal communications or mobile devices, I think it's reasonable for people to expect things claiming to be secure to be secure, or to more clearly explain the attack surface area. Someone using a technology should be able to determine what sort of protection they have if they use it for something opposed by a nation state.

As for using Monero to break laws, it's probably pretty low risk to buy some MDMA to have a very good weekend, and fairly high risk to receive millions of dollars in payment for a ransomware attack against a government.


Who would've thought cryptocurrency guys would inflate whatever valid claims they might have had?

> After more recent changes to how Monero chooses its mixins, that trick now can spot the real coin just 45 percent of the time—but still narrows down the real coin to about two possibilities, far fewer than most Monero users would like.

Note that this is still a break, because quick Googling says that there are usually 4 mixins, so random chance would be 20 %.


Even more recent changes have made this better too. The research in the paper only goes up to Apr. 2017 or so. Since then, the "recent zone" has been a) reduced from 5 days to 3 days, and b) more recent zone mixins are included. We haven't quantified what improvement that makes, but it should help.
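The two comments above (the 45 percent figure against a 20 percent chance baseline, and the change to how mixins are drawn from the "recent zone") both turn on one idea: if real spends are mostly recent outputs while decoys are drawn from the whole chain, guessing the newest ring member beats chance. The simulation below is an added illustration of that heuristic, not the paper's code, and uses constructed age distributions rather than chain data, so its numbers are not the paper's measurements. It assumes a ring of five members (one real input plus four mixins) and a hypothetical two-year chain.

```python
"""Simulation of the 'guess-newest' heuristic for ring-signature decoys.
Added illustration with constructed distributions; not the paper's code."""
import random

RING_SIZE = 5           # one real input plus 4 mixins, as the thread mentions
HISTORY_DAYS = 730.0    # constructed chain age in days
MEAN_SPEND_AGE = 10.0   # constructed: real spends cluster at recent outputs


def real_spend_age(rng):
    """Age in days of the output actually being spent, skewed toward recent."""
    return min(rng.expovariate(1.0 / MEAN_SPEND_AGE), HISTORY_DAYS)


def uniform_decoy_age(rng):
    """Old decoy policy: every output in history is equally likely."""
    return rng.uniform(0.0, HISTORY_DAYS)


def matched_decoy_age(rng):
    """Decoys drawn from the same age distribution as real spends, so the
    newest member carries no information about which input is real."""
    return real_spend_age(rng)


def guess_newest_hit_rate(decoy_sampler, trials=20000, seed=1):
    """Fraction of rings where the newest member is the real spend."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        real = real_spend_age(rng)
        decoys = [decoy_sampler(rng) for _ in range(RING_SIZE - 1)]
        if real < min(decoys):          # heuristic picks the newest output
            hits += 1
    return hits / trials


def summary():
    """Hit rate under both decoy policies next to the chance baseline."""
    return {
        "chance_baseline": 1.0 / RING_SIZE,
        "uniform_decoys": guess_newest_hit_rate(uniform_decoy_age),
        "matched_decoys": guess_newest_hit_rate(matched_decoy_age),
    }


if __name__ == "__main__":
    for name, rate in summary().items():
        print(f"{name:16s} {rate:.3f}")
```

With uniform decoys the heuristic wins almost every time in this toy model; once decoys are sampled from the same distribution as real spends it falls back to the 1/ring-size baseline. Any mismatch in either direction is exploitable, which is why the decoy-selection distribution, not only the ring size, decides how much anonymity a ring actually provides.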


Cryptocurrency: hi, I'm a distributed, permanent record of all the transactions you make. Dark web: ooh look, anonymity!


I have often wondered about the sanity of people who are using a blockchain based currency across tor. Admittedly, I haven't fully checked my assumptions here, but my initial thoughts on the matter have always been that I'd be amazed if it was a good idea from a security perspective.


What about zcash? As I understand it, it has much stronger privacy, but almost nobody understands it so people are skeptical. I'm surprised it doesn't get more attention.


This isn't really true. Zcash isn't private by default, which weakens the concept for anyone who wants to use the privacy features. If not many people are using them then analysis of the transactions that are meant to be private becomes easier.

Zcash is also not trustless because it requires the trusted setup. You have to trust that the developers completely deleted the "toxic waste" during the setup, and that their machines were not compromised (which is totally possible given Meltdown, etc). Recovery of this toxic waste can lead to unlimited coin minting. Another problem with this is that future changes to some properties of the currency require another trusted setup.


Private-by-default is semi-dishonest. Many tx on Monero are owned by a few entities that are friendly with LE or may get hacked. Thus all those exchange tx or payment gateway tx that are on the blockchain are in practice transparent to the right people or with time. With Monero they give you a false sense of security; with ZCash they are open that those tx are not going to help you.

[ShapeShift does 7-15% at least of Monero tx. Add in BitFinex Binance CoinPayments and some others and where we at?]


I would recommend waiting until Sapling goes live before diving whole hog into Zcash. The performance benefits with shielded transactions will make it more practical for people to opt to use z-addrs instead of t-addrs, especially on mobile devices.

https://blog.z.cash/cultivating-sapling-faster-zksnarks/


There has been similar research into tracing Zcash transactions between their transparent and shielded pool.



I think that the timing issues are related to the problems with mixnets for anonymity: it turns out a global passive adversary can observe all messages sent and received and eventually determine which parties are talking to one another, within certain probability bounds. It sounds like a similar issue is at play with cryptocurrency.

The solution with anonymity is to send cover & real messages through the network in such a way that traffic analysis fails. One approach would be to saturate a network link, sending random cover data until there's real data to send, then returning to cover data. There are more bandwidth-friendly schemes as well.

Might a similar scheme for cryptocurrency be to constantly (or stochastically, based on some probability distribution) send money to one's own other addresses? Obviously there's an issue with transfer fees, but maybe this could be a tunable, based on how important your privacy is.


well, there are others, I would say, younger and more private and secure currencies than Monero - for example Sumokoin (https://www.sumokoin.org), setting Ring Confidential Transactions (RingCT) with a minimum ringsize (mixin) of 12 to conceal sources/amounts transferred and make it highly resistant to blockchain analysis (Monero does have 4 or something, even if I have read devs are planning to increase it?) or even younger Ombre (https://www.ombre.io)....

on the "illegal only" topic - well, that depends on point of view, for me personally there is always a benefit to having real privacy for what you are paying for.. which you don't have with "fiat" currencies or less secure/private crypto currencies..


Very good article, doesn't go far enough - monero is not anonymous at all. It misses the biggest issue - that analyzing agencies can spam transactions, generating thousands of inputs daily. A big fraction of other transactions is transparent (shapeshift or other exchanges) to state agencies anyway. As monero has almost no use, cross-chain mixing with bitcoin/ethereum is way, way more anonymous than monero, and in addition can be done in a way that maintains plausible deniability.

Monero is the worst instance of false security in crypto. Unfortunately, at least in my experience, monero users are impervious to these facts, so darknet busts with ridiculous parallel construction narratives aren't going to stop anytime soon. It's not like the FBI is ever going to publicly say that monero isn't anonymous to them.


Arguably off topic, but do any cryptocurrency experts here know of any studies on the potential economic effects of a truly (or even effectively) untraceable digital currency?

Just off the top of my head I would expect two immediate effects if such a thing really caught on:

1) An increase in many types of illegal commerce.

2) A huge downturn in industries used for money laundering and tax evasion.

These might be highly localized, e.g. a bunch of bars might close in City A because that's how the locals wash money; while in City B there might be a surge in "Anonymero" wealth because they make cocaine and are good at shipping it.


Monero has some real issues! These papers are OK but I am not sure if they focus on current practical issues:

Main issue: Ringsize is small. Used to be 3 [why??] got bumped to 5 because 3 is obviously useless. Now getting bumped to 7. The team is taking a very aggressive approach here. Aggressive approaches with security tend not to work. They should be conservative and set the ringsize high then back off later once they have done the research to support a small ringsize.

Users cannot just increase their ringsize. Doing so makes their transactions stick out: different metadata. If you always use, for example, ringsize 21, then your tx look different on-blockchain. Despite this, BOTH wallets in common use have features that encourage users to make this mistake. It is like sabotage. The official GUI provides a slider that goes to 26 and says more privacy [you see a good number of ringsize 26 tx]. The 'official' Web Wallet run by the Monero lead offers a 4-setting: 5 [default], 11, 21 & 41. You see a good number of 11, 21, 41 ringsize tx because of this.

It has been known for a long time that picking and forcing one ringsize is a good idea yet both wallets insist on encouraging the user to mess up. Not good. No warnings in the wallet, either. We need higher ringsize because the privacy of your transaction going forward depends on other users picking your output as a decoy in their own rings.

Now the small ringsize is made worse by the fact that a single entity, ShapeShift.io, runs 7-15% at least of the network by tx volume! That means with one hack or warrant an attacker will be able to eliminate many fake decoys from other tx rings! How much will a few other exchanges or payment processors make up of the network? 50%? More? Despite this the ringsize stays very small.

The response to all this is 'churn'. This is sending coins to yourself [looks same as sending to other people] so that you obfuscate the connection over time. But despite that this is a core feature of Monero they have provided zero research zero guide on how to do so. They spend money and time researching fancy new maths and this is great. Yet the core functionality to answer the question: How anonymous am I, how mixed in am I, this remains unanswered.

Despite this they refuse to provide any sort of disclaimer. Contrast to Tor Project which makes a big deal of telling users they can hurt themselves and Tor is not some magic. In comparison Monero just claims untraceable & private with no caveat whatsoever. This is irresponsible & reckless, damaging to users and not justified. Only when users start thinking and asking questions are they told oh of course you need to churn but no one knows what this is.

That is the core issue. Other issues:

1. Unencrypted transactions. Your ISP or NSA may easily monitor which tx you broadcast. This lets them link your IP to a tx as well as link your tx across time. HTTP is used, thus adding TLS [unauthenticated but at least preventing passive snooping] would be an obvious step. On the other hand... traffic analysis might break this anyway. Tor is needed to really protect but see below.

2. Wallet leaks information. When connecting, it requests block info from the last block it has. This allows tracking that user over time. The obvious solution of having the wallet always request fixed number of blocks back in history is not implemented. This is simple engineering fixing, not fancy math.

3. The height leak is very damaging for users attempting to churn. In that case they connect, sync, broadcast, disconnect, repeat. Every time they connect they are indicating approximately where they left off. This means when they broadcast again ... one only need to look at the tx to see if there is a ring member near where the wallet connected. If so, you have linked TX.

4. The wallet will ask to confirm transactions sometimes... AFTER it has sent the ring to the remote node! If you cancel the tx then try again, you have sent 2 rings to the remote node but in each ring the real input is the same. Congrats, tx linked or ownership of output now shown.

5. Wallet and network does not support Tor. Despite using HTTP they do not have proxy support. On Linux they suggest hooking syscall to force proxy [torsocks]. On Windows they scorn users and tell them to use Linux. At the Monero network level only IP addresses are accepted meaning we cannot have Tor-to-Tor.

6. Tor is downplayed because they are writing-from-scratch a new I2P implementation in C++ named Kovri. Instead of using Tor today they provide no sort of IP hiding while everyone must wait for a new I2P impl. This is bad engineering and means few people can properly submit tx over Tor.

7. All TX are not the same. There is no solution to joining bad outputs. When you make a multi-in transaction you provide strong linkage if an attacker knows or suspects multiple outputs are yours. Example: you accept donations or are a darknet dealer. Attacker sends many small outputs to you. Attacker will know when you make a move because they will see a multi-input transaction containing one of their known outputs in each ring. This is useful for LE: send small money then know when money is moved. From that point trace forward and see if descendants of that TX end up at known exchange. Now you have a short list of suspects.

8. A lot of metadata per TX. Each TX can have a payment ID [old style], payment ID [new style] or none. Each tx has a fee, and fee is one of 4 levels [0.25x, 1x, and 2 large x]. But the default is 1x. This encourages smart or big users to change from default to 0.25x to save money. But now their tx look different from common users. Exchanges in particular may do this.

9. Probably other things I am not thinking of off the top of my head.

In short I think that Monero practical privacy for users that have something to hide [darknet] and may find themselves against a LEA might find themselves in a bad position. Compounding this is Monero's total refusal to warn users and provide self-sabotaging options. A Tor-style warning is absolutely required given the state of things. More paranoid people might think the lack of warning and some of these issues are intentional.

Edit: I still support Monero and think it is the best project. Despite ZCash looking better on paper the team makes me nervous and I avoid it. [Their wallet software is even worse despite them having many millions to fix it] ... I just want Monero stronger as it will help our users overall and that is good for my business.


> Main issue: Ringsize is small. Used to be 3 [why??] got bumped to 5 because 3 is obviously useless. Now getting bumped to 7. The team is taking a very aggressive approach here. Aggressive approaches with security tend not to work. They should be conservative and set the ringsize high then back off later once they have done the research to support a small ringsize.

This is a balancing act. Will the anonymity set actually lower if transaction fees double?

> Despite this they refuse to provide any sort of disclaimer. Contrast to Tor Project which makes a big deal of telling users they can hurt themselves and Tor is not some magic. In comparison Monero just claims untraceable & private with no caveat whatsoever. This is irresponsible & reckless, damaging to users and not justified. Only when users start thinking and asking questions are they told oh of course you need to churn but no one knows what this is.

> The response to all this is 'churn'. This is sending coins to yourself [looks same as sending to other people] so that you obfuscate the connection over time. But despite that this is a core feature of Monero they have provided zero research zero guide on how to do so. They spend money and time researching fancy new maths and this is great. Yet the core functionality to answer the question: How anonymous am I, how mixed in am I, this remains unanswered.

I think this is a fair concern, but no one has "refuse[d] to provide any sort of disclaimer." I think it's totally fair to write one up. Add it to a certain portion of the website.

For churning, research has been ongoing. Specifically for EAE scenarios.

> 1. Unencrypted transactions. Your ISP or NSA may easily monitor which tx you broadcast. This let them link your IP to a tx as well as link your tx across time. Even though HTTP is used thus adding TLS [unauthenticated but at least preventing passive snooping] would be an obvious step. On the other hand... traffic analysis might break this anyway. Tor is needed to really protect but see below.

Kovri will include encrypted connections. Monero community members have never claimed to provide IP protection in the current state. If you are currently worried, use a public hotspot somewhere.

> 2. Wallet leaks information. When connecting, it requests block info from the last block it has. This allows tracking that user over time. The obvious solution of having the wallet always request fixed number of blocks back in history is not implemented. This is simple engineering fixing, not fancy math.

This is an issue with remote nodes only. This can be mitigated at a cost of efficiency, and even if mitigated, it can still be relatively traceable if enough connections are made. If you are concerned about this risk, use your own node. There will always be privacy loss when using someone else's copy of the blockchain.

> 3. The height leak is very damaging for users attempting to churn. In that case they connect, sync, broadcast, disconnect, repeat. Every time they connect they are indicating approximately where they left off. This means when they broadcast again ... one only need to look at the tx to see if there is a ring member near where the wallet connected. If so, you have linked TX.

I argue that churning is absolutely outside the scope of users who are using remote nodes. It's extremely unlikely an advanced user who cares about their privacy will make a fundamental mistake in trusting someone else's node. This is outside the scope of protections. Just run your own node if your threat model even considers churning.

> 4. The wallet will ask to confirm transactions sometimes... AFTER it has send the ring to the remote node! If you cancel tx then try again, you have sent 2 rings to the remote node but in each ring the real input is the same. Congrats, tx linked or ownership of output now shown.

This was disclosed in HackerOne and has been patched.

> 5. Wallet and network does not support Tor. Despite using HTTP they do not have proxy support. On Linux they suggest hooking syscall to force proxy [torsocks]. On Windows they scorn users and tell them to use Linux. At the Monero network level only IP addresses are accepted meaning we cannot have Tor-to-Tor.

Little effort has gone into this since the support is being designed for I2P.

> 6. Tor is downplayed because they are writing-from-scratch a new I2P implementation in C++ named Kovri. Instead of using Tor today they provide no sort of IP hiding while everyone must wait for a new I2P impl. This is bad engineering and means few people can properly submit tx over Tor.

There are other considerations when submitting transactions over Tor. I'm not an expert here, but fluffypony has been critical of this approach in the past.

> 7. All TX are not the same. There is no solution to joining bad outputs. When you make a multi-in transaction you provide strong linkage if an attacker knows or suspects multiple outputs are yours. Example: you accept donations or are a darknet dealer. Attacker sends many small outputs to you. Attacker will know when you make a move because they will see a multi-input transaction containing one of their known outputs in each ring. This is useful for LE: send small money then know when money is moved. From that point trace forward and see if descendants of that TX end up at known exchange. Now you have a short list of suspects.

Each output is used in several transactions. While it does not completely mitigate the risk you describe, it means there is at least some plausible deniability in practice. If you are in a situation with a significant number of outputs, you definitely should not simply send a transaction with these to an exchange or similar.

> 8. A lot of metadata per TX. Each TX can have a payment ID [old style], payment ID [new style] or none. Each tx has a fee, and fee is one of 4 levels [0.25x, 1x, and 2 large x]. But the default is 1x. This encourages smart or big users to change from default to 0.25x to save money. But now their tx look different from common users. Exchanges in particular may do this.

There will always be some metadata, but based on how the system works, there will always need to be a fee. The multiplier is set to be more automatic in the latest version. The payment ID metadata has been improved to be encrypted, and to encourage use for all transactions with integrated addresses. Metadata for these two items is the least of our concerns since there is still a pretty large entropy set for normal situations, but of course there could be improvements.

> 9. Probably other things I am not thinking off of the top of my head.

Me too :) Key image reuse attacks seemed to come out of nowhere, and we needed to respond to them.

> In short I think that Monero's practical privacy for users that have something to hide [darknet] and may find themselves against a LEA might put them in a bad position. Compounding this is Monero's total refusal to warn users and provide self-sabotaging options. A Tor-style warning is absolutely required given the state of things. More paranoid people might think the lack of warning and some of these issues are intentional.

I disagree with your tone here. Here I am, a community member, agreeing with many of your criticisms. The idea of a better warning guide has been discussed for quite some time, and I believe it has been relatively strongly received. If you were to start a project on Taiga to get this started I'm sure many people would respect you.

The best summary I can say is this: Monero is a tool that can provide significant privacy under a variety of use-cases. If your use-case is hiding your wallet balance and transactions from merchants, ad agencies, and most attackers, you can use Monero with little to no significant consideration for your privacy. If you are worried about colluding KYC exchanges, governments, and motivated attempts to target you specifically by powerful attackers, then the use-case for Monero needs to be better-defined. Monero will preserve privacy under some situations better than others. Given that it is relatively hard to understand, Monero will need to use a mix of education and default/mandatory functionality to encourage the correct behavior.
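The exchange above about multi-input linkage (point 7) and the reply's advice not to spend a batch of received outputs in a single transaction can be quantified with a toy simulation. The following is an added example, not code from either commenter or from the Monero project: it models a ledger whose decoys are drawn uniformly from all outputs (Monero's real decoy selection is different; the ring size, ledger size and the 8 "known" outputs are constructed assumptions), and counts how many unrelated transactions show the same pattern as the wallet's own spend, i.e. every ring contains at least one known output. That count is the wallet's deniability set: the larger it is, the less a watcher can conclude from the pattern.

```python
"""Toy model of ring-member reuse and multi-input linkage (added example).

Assumptions (constructed, not from the thread): uniform decoy selection,
a fixed ring size, a ledger of N_OUTPUTS outputs, and N_KNOWN outputs that
some counterparty sent to the wallet and can therefore recognise.
"""
import random

RING_SIZE = 11       # assumption: every input is a ring of 11 members
N_OUTPUTS = 20_000   # assumption: outputs present on the toy ledger
N_KNOWN = 8          # assumption: outputs the wallet received from one counterparty


def random_ring(n_outputs, real, ring_size, rng):
    """One ring: the real output plus uniformly chosen decoys (toy selection)."""
    ring = {real}
    while len(ring) < ring_size:
        ring.add(rng.randrange(n_outputs))
    return frozenset(ring)


def unrelated_ledger(n_txs, n_outputs, ring_size, max_inputs, rng):
    """Transactions made by other users: random input count, random real outputs.

    Because decoys are drawn from the whole ledger, the wallet's known outputs
    also appear as decoys in other people's rings; that reuse is what creates
    lookalike transactions."""
    ledger = []
    for _ in range(n_txs):
        n_inputs = rng.randint(1, max_inputs)
        ledger.append([random_ring(n_outputs, rng.randrange(n_outputs), ring_size, rng)
                       for _ in range(n_inputs)])
    return ledger


def wallet_spend(known, n_outputs, ring_size, inputs_per_tx, rng):
    """The wallet spends its known outputs, `inputs_per_tx` real inputs per transaction."""
    known = list(known)
    return [[random_ring(n_outputs, real, ring_size, rng)
             for real in known[i:i + inputs_per_tx]]
            for i in range(0, len(known), inputs_per_tx)]


def looks_like(tx, known):
    """The pattern from the quoted comment: every ring contains a known output."""
    return all(ring & known for ring in tx)


def lookalikes(ledger, tx, known):
    """Unrelated transactions with the same input count that show the same pattern."""
    return sum(1 for other in ledger
               if len(other) == len(tx) and looks_like(other, known))


def compare(seed=1):
    """Deniability set for spending all known outputs at once vs. one per transaction.

    Returns the smallest lookalike count over the wallet's transactions for
    each strategy; a count of 0 means the spend is unique on the ledger."""
    rng = random.Random(seed)
    known = frozenset(rng.sample(range(N_OUTPUTS), N_KNOWN))
    ledger = unrelated_ledger(20_000, N_OUTPUTS, RING_SIZE, N_KNOWN, rng)
    one_tx = wallet_spend(known, N_OUTPUTS, RING_SIZE, N_KNOWN, rng)  # all inputs in one tx
    split = wallet_spend(known, N_OUTPUTS, RING_SIZE, 1, rng)         # one input per tx
    return {
        "one_tx": min(lookalikes(ledger, tx, known) for tx in one_tx),
        "split": min(lookalikes(ledger, tx, known) for tx in split),
    }


if __name__ == "__main__":
    result = compare()
    print(f"all-in-one transaction: {result['one_tx']} lookalike transactions")
    print(f"one input per transaction: {result['split']} lookalike transactions")
```

With these parameters a single ring contains one of the 8 known outputs by chance roughly 0.4% of the time, so among the single-input transactions on the ledger a few dozen match the pattern, while the chance that all 8 rings of one unrelated transaction do so is vanishingly small: the all-in-one spend is unique, the split spend is not. The numbers depend entirely on the assumed decoy selection and ledger size, so they illustrate the reply's reasoning rather than measure real Monero.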


I will look up the complaints about Tor.

I apologize for my tone and do not mean to speak ill of the Monero team. I still choose Monero and feel it has the best benefits overall.


Thanks for being informed about some of the limitations! I highly appreciate having these conversations, and I look forward to working with you to improve Monero.


I've seen countless writings against Monero, yet the market still prices it as worthy: https://www.coingecko.com/en/price_charts/monero/usd Can you compare this to the IOTA revelation?


Side-channels are the gap between theory and reality; a gulf filled with information theory and tears.

As they point out, the public, consensual mutation-resistance of blockchain makes it rather hard to walk back mistakes.


I only ever hear of Monero in a negative light. Has anything positive come from it?


It can't be that both affirmations have a negative connotation:

"Monero can be 100% anonymous, so it's the preferred coin of criminals"

"Monero is not 100% anonymous, so big time criminals can't use it."


Anonymity is not something you either have or don't have. It's always relative to an anonymity set. Mathematically, a ring signature provides a guarantee of anonymity within the ring.


I think the rise of darknet drug dealers is something positive. They're less dangerous than street drug dealers.


The SAFE project would have totally private coins. If they ever launch, I mean :)


Next frontier: XSpectreCoin

https://spectreproject.io


Down votes but no explanation. XSpec's level of untraceability goes quite a bit beyond Monero's.


> Down votes but no explanation

Consider the obverse: a promotional link with no explanation. A short blurb about why XSpec is better than Monero might help your comment stand stronger on its own.


The difference is that Spectrecoin has no paper and no explanation of how "stealth staking" works.


Another day, another bunch of irresponsible reporting in the cryptocurrency world.

Wired fails to disclose that the first mentioned correspondent is Andrew Miller of the Zcash foundation. He previously published a blog containing much the same content about Monero.

https://z.cash.foundation/about/

http://hackingdistributed.com/2017/04/19/monero-linkability/

So how much money are some people making today on Monero shorts and Zcash longs thanks to a front page Wired article?
