The big one for me is privacy:
“The most critical flaw in Bitcoin is its lack of privacy. If you give me your Bitcoin wallet address so that I can send you a payment, you immediately compromise your privacy. I can see as a matter of public record how much money you have in your Bitcoin wallet.”
I don’t want other people to know how much money I have when I pay them for goods and services or how much I have paid to others in the past. This wouldn’t happen with a bank account but could happen with bitcoin.
I don’t necessarily want people I am negotiating a contract with to know my hand. It potentially gives them an unfair advantage.
If my Monero transaction history can be figured out by a government agency with lots of resources but not the average business, that doesn’t necessarily invalidate Monero for my use cases.
More on topic, there is a difference though: from what I read in the article, it doesn't seem like Target had access to what the people bought at other stores. It would be like if Target could see what you bought at Walmart, or at least went there and saw how much you spend.
And following someone to BofA doesn't exactly give you much if any information about them. Even if I gave you my checking account number (which is on all my checks), you still can't go and access my financial records without doing something illegal.
It is an absurd defense of bitcoin to say "well, it COULD be just as private as these other things, if you only jump through ten more technical hoops and don't use bitcoin as intended". Clearly, these other cryptocurrencies offer something that bitcoin doesn't.
Not on every page hit, but on every donation or every few days depending on how many transactions you've received. It doesn't have to be a completely new set of keys - you can use a deterministic wallet to generate as many as you want from a single master secret.
There's actually a solution called stealth addresses that lets you publicize a single static donation address and yet receive every donation at its own unique address:
This is an off-chain construct so can be utilized with any blockchain.
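As an added illustration of the stealth-address construction mentioned above (example code written for this edit, not code from any Bitcoin or Monero project): the receiver publishes one static pair of public keys, the sender derives a fresh one-time address per payment from an ephemeral key, and only the holder of the private scan key can recognise and later spend it. It assumes the secp256k1 curve and SHA-256 as the hash, which are choices for the example, not a particular project's wire format.

```python
import hashlib
import secrets

# secp256k1 domain parameters (assumed for this example; Monero itself uses ed25519)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k, point):
    """Double-and-add scalar multiplication (clarity over constant time)."""
    result, addend = None, point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def shared_scalar(point):
    """Hash the ECDH point (compressed encoding) into a scalar mod n."""
    x, y = point
    encoded = bytes([2 + (y & 1)]) + x.to_bytes(32, "big")
    return int.from_bytes(hashlib.sha256(encoded).digest(), "big") % N


def make_stealth_keys():
    """Receiver: private scan key a, private spend key b, public (A, B)."""
    a = secrets.randbelow(N - 1) + 1
    b = secrets.randbelow(N - 1) + 1
    return a, b, (scalar_mult(a, G), scalar_mult(b, G))


def sender_derive(stealth_pub):
    """Sender: fresh ephemeral r, publish R = rG, pay to P = H(rA)G + B."""
    A, B = stealth_pub
    r = secrets.randbelow(N - 1) + 1
    R = scalar_mult(r, G)
    s = shared_scalar(scalar_mult(r, A))
    return R, point_add(scalar_mult(s, G), B)


def receiver_scan(a, b, B, R, candidate):
    """Receiver: recompute H(aR)G + B; on a match return the one-time private key s + b."""
    s = shared_scalar(scalar_mult(a, R))
    if point_add(scalar_mult(s, G), B) != candidate:
        return None
    return (s + b) % N


def roundtrip_demo():
    """Two payments to one static address land on two distinct one-time addresses,
    each spendable only with the key the receiver derives from its own R."""
    a, b, (A, B) = make_stealth_keys()
    R1, addr1 = sender_derive((A, B))
    R2, addr2 = sender_derive((A, B))
    key1 = receiver_scan(a, b, B, R1, addr1)
    mismatch = receiver_scan(a, b, B, R1, addr2)  # R1 does not explain addr2
    return {
        "distinct_addresses": addr1 != addr2,
        "key_matches_address": key1 is not None and scalar_mult(key1, G) == addr1,
        "mismatch_rejected": mismatch is None,
    }


if __name__ == "__main__":
    print(roundtrip_demo())
```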
>Would I need to use/trust some kind of 'washing' service to hide my transaction among several others?
congrats, you just reinvented mixers and coinjoins
This is why, by default, each time you make a transaction for any amount the bitcoin client sends the specified amount of coins to the target address and all that remains to some new address that you own. While you don't announce that you have access to that new address, it's fairly easy to track your money.
> Would I need to use/trust some kind of 'washing' service to hide my transaction among several others?
So the answer is yes.
The only thing I can think of that separate addrs give you is that you can have a small amount of the coin in an address that you use for daily transactions. Meaning each transaction doesn't need to be washed, because you don't care about that address.
Am I missing something?
Publishing your public key slightly decreases the security of your coins. While ECDSA is strong, it's still safer when only a hash of your public key (the bitcoin address) is known. After all, you can always end up with a weak key due to software or even hardware bugs.
> Am I missing something?
You're completely right, but you underestimate how important that little detail is. If you only receive money to different addresses each time, then until you actually start spending it will be impossible to prove that you actually control any of these addresses.
If I go to a bar should I have to cycle currency between addresses to pay for a drink and avoid the barman knowing my complete financial history? That sounds like a terrible UX.
I shouldn’t have to think about it. This is why I like the concept of privacy coins.
Iota is/was incredibly broken, and shouldn't be used as an example IMO.
Not saying there isn't traceability through those services (especially since we aren't ideal), since the point of the distributed ledger is traceability.
Something that was rather easy was depositing to an exchange, and just withdrawing; you lose the identity of the coins, at the cost of the exchange knowing the connection.
Of course they'll mention illegal uses. It's what it's for.
That's mentioned explicitly in the article. With explicit dates of certain protocol changes that have improved things.
> And it's not like we aren't actively working on ways to improve anonymity.
In other words, there are threats now. Which is what the article says.
> I always appreciate research into ways to improve Monero, but I don't think this article does the research justice.
I haven't seen the original research, so I cannot tell if the article does it justice. But I can say that what you have said here doesn't call the article into question. You have just restated the things it says.
(For whatever it's worth, I do own some Monero and I would like it to be successful. Part of that is accepting valid, constructive criticism.)
The paper has 3 recommendations:
1. Warn users who made early transactions that they may have had their ring signatures compromised. The stealth addresses would still work. This isn't a suggested improvement, and I believe that any user interested in maintaining their privacy should have considered researching Monero, including reading MRL-0001. I'm sure not everyone did this, but keep in mind that Monero was a much smaller network back then made of mostly enthusiasts. If you were transacting on AlphaBay, the least you could have done is see what the limitations of your tool are. They were much higher at the time than they are now.
2. Improve the decoy selection algorithm. There is definitely room for improvement to make the most out of the decoys selected for the ring signature.
3. Consider avoiding public pool payout outputs, which are known to be used in the pool transactions. This is a fair point, though from the proportion of pool payout transactions to total transactions as found in the paper, this case is likely still adequately covered with ringsize 7. Monero can still consider avoiding these outputs as decoys though in some way.
Monero would gain credibility if it took a conservative approach to ringsize and then used research to lower the ringsize. Instead we get no justification for the ringsize, only the claim that there is no research showing an increase is needed. This is the opposite of how security is approached. Indeed: the only MRL statement I know of on churn is that it does not work.
I appreciate the work you do and MRL overall. But without practical examination of real-world threats it feels a bit empty. And the Monero team's refusal to provide any sort of disclaimer at all really undermines the sincerity.
Being on the Monero team, can you comment on the differences between the privacy guarantees provided by the two platforms?
Monero uses ring signatures to prove that one out of n people signed a transaction without revealing which one of the n. Over the course of k steps the possible transaction history might be in any of n^k states. Typically n=5.
Zcash uses zero-knowledge proofs for anonymity. Any private zcash tx may have gone to or come from any other private zcash tx.
Here are the problems with Zcash as I see them.
1) trusted setup. There is some toxic seed data that needed to be destroyed at the time Zcash was created. With that seed you could inflate the coin as much as you want. There was an elaborate ceremony of 6 people (5 of them Zcash employees) showing the seed was destroyed. But elaborate ceremony isn't cryptographic proof.
2) privacy is optional. If a transaction goes from a non-private address, to a private address, to a non-private address it is traceable. The Zcash anonymity set is actually very small.
3) Zcash is a company. I consider the political structure of a coin (or lack thereof) as an attackable surface. A government can force Zcash to back-door their software (hi NSA). There is no head of Monero.
On 3: How many people must agree in order to change something in Monero such as HF parameters like ringsize? There is not a single company but it looks [to an outsider like me] as a similar position.
I chose Monero too for similar reasons, including ZCash people openly saying they support backdoors for LE [but promising ZCash would never have them]. And taking 20% of block reward and not doing anything useful with it [for millions I expect really polished clients and some quick upgrades].
But the low ringsize is weak [hence going from 3 to 5 to now 7]. All ring members are not equal, so n^k is very naive. Fee, ringsize, payment ID, in/out count are all metadata that distinguish on-blockchain. Let alone off-blockchain such as keys being hacked/warranted.
Given this and Monero's lack of disclaimer or warning at all about how to use it safely... a paranoid person might suspect ill motives. [Consider: MyMonero, the Monero 'lead' Web Wallet, goes out of its way to suggest users use a few higher ringsizes to get better privacy, when we know this makes their TX stand out. This is something that presumably he could change with 1 or 2 lines of code but has not.]
That's actually a difficult question. I won't try to estimate here. But IIRC something like 95% of ZCash tx are non-private by user opt in, and the remaining 5% are also vulnerable to things like warrants at the exchange and timing attacks. So the bar is set really low for Monero to have the best anonymity set of all privacy tokens.
>On 3: How many people must agree in order to change something in Monero such as HF parameters like ringsize? There is not a single company but it looks [to an outsider like me] as a similar position.
I think Monero is in a similar-but-better position. True the core team can be compromised and true the core team is more powerful than others. But I view this as a necessary centralization to get the ball rolling. I want the Monero core team to eventually be more hands off. Spagni's "I'm not a CEO" statement inspires confidence.
>But the low ringsize is weak [hence going from 3 to 5 to now 7].
can't wait for bulletproofs!
>All ring members are not equal, so n^k is very naive.
I was intentionally very cautious with my words here. What I actually said was "Over the course of k steps the possible transaction history might be in any of n^k states". I did not say that all n^k states are equally likely. The actual amount of entropy in the Monero blockchain is much harder to explain/estimate so I used n^k as an upper bound.
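As an added worked equation (not part of the thread) making the "upper bound" point explicit: write $n$ for the ring size, $k$ for the number of hops traced, and $H_i$ for an observer's uncertainty (in bits) about which member of ring $i$ is the real spend. If the rings are treated as independent,

$$
H_{\text{trace}} = \sum_{i=1}^{k} H_i \;\le\; \sum_{i=1}^{k} \log_2 n \;=\; k \log_2 n \;=\; \log_2 n^k ,
$$

with equality only when every member of every ring is equally likely to be the real one. Any bias in decoy selection lowers $H_i$ below $\log_2 n$, so $n^k$ counts reachable states, not effective anonymity. For an attacker's single best guess the relevant quantity is the min-entropy $\log_2 (1/p_{\max})$; with the figure quoted later in the thread, $p_{\max} = 0.45$ on $n = 5$, that gives $\log_2(1/0.45) \approx 1.15$ bits, i.e. roughly $1/0.45 \approx 2.2$ effective candidates rather than 5, which is the "about two possibilities" the article describes.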
I was under the impression that no exchanges handle shielded transactions. What do you mean by timing? I would assume you go t-z-t and leave it quite a while as shielded.
>can't wait for bulletproofs!
Bulletproofs do not help verification time which is why we have low ring size. Going from 5 to 21 ringsize only increases size 8%. 15 is even less, a reasonable compromise on size. There is an unspecified perf target that must be met on verification.
Many people skip the "leave it a while" step.
Also you can look at things like x-amount left this exchange and y-amount entered this exchange.
Huh? Doesn't that contradict https://blog.z.cash/the-design-of-the-ceremony/ ?
I'll admit I'm biased: I worked a bit with Zooko and Nathan (Wilcox), pre-Zcash, on some other security audits. My experience was that making the client look good is really not a consideration. Phrase your findings neutrally and informatively, yes; but you earn your rep by being as creatively nasty as you can at breaching the system.
Not to argue against evaluating claims skeptically -- just to state my most important disagreement.
I have the same problem with Signal, it tries to be 'seamless' in its integration with SMS. But now I could be talking to someone on Signal who also uses Signal so the communication is secured, but if they don't, Signal just sends messages as an unsecured SMS (though it shows you on the app with a slight UX tweak that this is an unsecured communication channel, but that's not good enough).
Also, some of the authors of the research paper mentioned in the article are part of the competitor Zcash group who sensationalise common knowledge to undermine Monero. Zcash is a US-based company that has a trusted setup which was possibly backdoored, one of their scientists and inventor of the Zerocoin protocol publicly supported backdoors, and their CEO and cofounder suggested backdoors as well.
I would read more about Monero before dismissing it, as it's one of the very few legitimate groups in the space besides Bitcoin.
One side is actually doing the work and publishing attacks, even if they are against zcash (shielding/deshielding). The other has some questionable twitter conversations about a hypothetical backdoor. Zcash zk-snarks are backdoored? Proof of concept or GTFO is the law of the land, my dude.
Conveniently, it's impossible to audit whether more coins are being minted right now to add to the developer tax already imposed on block rewards.
Don't think I misrepresented trusted setup--only warning others about the reputation of Zcash. Anonymity for some can be a critical issue, so I don't think everyone can afford to wait for "proof of backdoor" before making their decision.
For Zooko's, literally the next tweet explains that he means for transfers in and out of fiat.
"And by the way, I think we can successfully make Zcash too traceable for criminals like WannaCry, but still completely private & fungible. …
… At least for as long as criminals want to cash out to fiat (years? decades?). …
Since conversions to fiat are done via exchanges, which are regulated, it's pretty simple. This applies to Monero, Dash, etc.
Matt's, which he has pointed out before, was a point that it was possible, which is true for any system. If you follow the general debate on adding backdoors to encryption, you'll know he and almost all cryptographers are completely against them.
It's fine not to be a fan of them or to think people should never admit even the conceptual possibility of limitations on privacy, but neither quote was endorsing backdoors.
There are plenty of decentralized exchanges (Bisq supports Monero) and OTC trading websites such as LocalMonero. It would make no sense for a criminal to cash out using a centralized exchange that likely requires KYC?
This has always been wrong and it is wrong on the face. Your privacy does NOT depend on your ring-size. That is only for backward-tracing. For forwards tracing [more common: you have bad money and want to turn it anonymous so it is good] you rely on other people on the network false-spending your money.
Between the low ringsize [3, now 5, soon 7] and the fact that a good double-digit % of network is owned by LE-accessible entities [ShapeShift does at least 7-15% of tx].
Even with these papers Monero refuses to provide any sort of disclaimer that transactions may be traceable despite readily admitting you must do churn over time to gain privacy. Monero deserves a lot of criticism even if ZCash is worse in some ways.
I don't think you understand the flaw behind this "design choice". While it's great to give the user the choice in how they want to balance things, the individual's choice affects the whole system. If you - as a less privacy-conscious user - use 0 mixins (as was possible) or the min. no. of mixins, when your transaction is used as a mixin for a privacy-focused user, you make that user much more identifiable. The choice defeats itself when you depend on others to take at least the same number of mixins for their transactions.
And best of all, it's not yet another cryptocurrency. It's a payment system that works over any currency (traditional VISA, or crypto-currencies). Of course, this means that Taler "tokens" cannot be used as a store of value, other than as a proxy for the underlying store of value. So you would only hold Taler tokens like you would cash in your wallet.
They even have really nice easy integrations into browsers and backend processing.
(I don't work on GNU Taler, I've just been saddened that such an interesting project has gotten so little press outside of GNU circles.)
The only way you can consider this to be a backdoor is if you think that allowing a government to know how much money a business has made (something that you are legally required to declare for tax purposes) is a bad thing. This seems like an immature view to me -- taxes are very important for a country to continue functioning.
"With Taler, the receiver of any form of payment is easily identified by the government, and the merchant can be compelled to provide the contract that was accepted by the customer. Governments can use this data to tax businesses and individuals based on their income, making tax evasion and black markets less viable.
Thus, despite offering anonymity for citizens spending digital cash to buy goods and services, Taler also ensures that the state can observe incoming funds. This can be used to ensure businesses engage only in legal activities, and do not evade income tax, sales tax or value-added tax."
It's not a backdoor in exactly the same way the Clipper chip was, but it's a backdoor nonetheless.
The fact that the government is the gatekeeper in GNU Taler means that it would have been unable to empower people to get around the financial blockade against Wikileaks the way cryptocurrency did.
That's a practical consequence of giving up privacy and decentralization.
>>This seems like an immature view to me -- taxes are very important for a country to continue functioning.
It's not immature to point out that this gives the government a backdoor to monitor private transactions.
You think this reduction in privacy is necessary to levy sales/income taxes. That's a value judgment, not a refutation of the fact that this is a backdoor.
Something doesn't stop being a [negatively associated noun] because you think its effect is positive.
Speaking the truth instead of sugar coating it for ideological reasons is not immature.
(Most) cryptocurrencies don't have privacy (quite the opposite). The reason why the government couldn't stop cryptocurrency transactions is that they were decentralised.
However, I also believe you're wrong in this case. Anybody can set up a mint, and so it would be entirely possible for a Bitcoin mint to exist (in fact I believe several already do). People could buy Taler tokens from the mint and then send them to Wikileaks. When Wikileaks cashes in the tokens, they are sent (using Bitcoin) to Wikileaks. While the government would be able to tell how much money Wikileaks received, they would not be able to stop the underlying funds transfer (through Bitcoin). Yes, they may be able to try to punish the mint for permitting such transactions, but this would be the same as punishing Coinbase for allowing people to send those transactions as well.
But if you're running a business and you don't want the government to know how much revenue you've made (which means you're running an illegal business from a tax perspective) then yes, you wouldn't be able to use GNU Taler. This is a benefit, because creating a system that encourages tax fraud is one of the easiest ways to have the government ban that system's usage.
> but it's a backdoor nonetheless. [...] not a refutation of the fact that this is a backdoor [...] Something doesn't stop being a [negatively associated noun] because you think its effect is positive.
You are using the term "backdoor". The only reasonable definition of this term is "a method (often secret) to allow an entity to bypass authentication or encryption of a particular system" (which is the common usage of the word).
This does not apply to GNU Taler, because no encryption or privacy guarantee is being bypassed. When you use GNU Taler as a merchant you are aware that your transactions are auditable by the government for tax purposes -- if you don't want that to be the case then you can choose not to use it. Almost all legitimate businesses would not have an issue with this, because they have to declare revenue anyway.
A backdoor would be if Monero had a way to deanonymise transactions, so that governments can figure out what people spent money on. In that case, a privacy guarantee of the system has been subverted.
They can be used in ways that give the user privacy. They're pseudonymous. But yes, a big part of why they can't be stopped is that they're decentralized.
But that decentralization only works if users have some degree of privacy. If governments knew every participant's address, that decentralization would effectively vanish.
>>Yes, they may be able to try to punish the mint for permitting such transactions, but this would be the same as punishing Coinbase for allowing people to send those transactions as well.
Coinbase would not allow transactions to Wikileaks if the financial blockade were reimposed on it.
GNU Taler states that it is designed to prevent illegal use, and if it is accurate in its claim, then it will prevent Wikileaks from using it during a financial blockade.
A technology's susceptibility to government control doesn't discriminate based on the moral justification for the government wanting to exert that control.
That's why one has to acknowledge that there's a trade off to be made, and decide which trade off is more conducive to a functional society.
I personally think empowering individuals rather the surveillance state is the better trade-off.
>>This does not apply to GNU Taler, because no encryption or privacy guarantee is being bypassed.
The Clipper chip did not give any privacy guarantee against government monitoring, yet this channel for monitoring was commonly called a backdoor.
And while what consumers (people sending money) spend their money on is completely anonymous and cannot be correlated, merchants (people receiving money) can still have their income audited and taxed accordingly.
The system was designed by a university research team in Europe and became a GNU project a year or two ago.
>And while what consumers (people sending money) spend their money on is completely anonymous and cannot be correlated, merchants (people receiving money) can still have their income audited and taxed accordingly.
Can't be linked but they can be correlated since you have a weak timing channel from issuance of tokens to redemption.
This is the key point from the article and it applies to every cryptocurrency. Just because a crypto seems anonymous now, does not mean it will be forever, and all the transactions from “now” will still be on the blockchain “forever.” Almost ironically, scrutiny of a currency increases with its usage, so you’re probably better off just not using cryptocurrencies to commit crimes.
P.S. Anyone got the link to the paper? Can’t believe Wired didn’t even link to it
Just because a crypto <anything> seems safe now, does not mean it will be forever.
"You can't hide secrets from the future with math."
Seems to be a good rule to just not trust anything.
Most of these headlines describe something that would require nation-state resources to crack. If you wanna hide paying for something legal, it's probably still sufficient.
In sum, “not [committing] crimes” isn’t always straightforward.
Also, while “many” is a subjective term, I don’t think you’re using it correctly here. The idea that you should not regulate sex between consenting adults in general is very popular, but most countries carve out exceptions for sex work. Not saying they should, but many do. And I definitely think the incest legalization lobby must be very, very small, even though it probably has a sympathizer in the Oval Office.
… Which nicely illustrates what different people find acceptable. But I agree that sex work would have been a better example. Either way, you felt it necessary to add the qualifier “in general”, and many (…) people, though certainly a relative minority, would fundamentally disagree with this qualifier (while talking about consenting adults without a power imbalance in their relationship).
If you take the US as an example (I assume you're American), then did you know that the US Supreme Court doesn't actually know how many laws apply at a particular time to a particular person? The US code has an immense amount of laws that are all equally legally binding, but have different levels of "obviousness" than "don't murder people". If a US Supreme Court judge cannot be sure what laws apply in any given case, what chance does a layperson have to understand the tens of thousands of federal crimes in the US?
For instance 16 U.S.C. 3372 (the Lacey Act):
> It is unlawful for any person [...] to import, export, transport, sell, receive, acquire, or purchase any fish or wildlife or plant taken, possessed, transported, or sold in violation of any law, treaty, or regulation of the United States or in violation of any Indian tribal law
So if you have ever bought or been gifted a fish, animal or plant that at any point broke Indian tribal law (even if you didn't know about it, even if it wasn't the law where you received it, and even if the plant or fish is legally farmed and sold in another area) you have broken a federal law and you're now a criminal.
In short, "don't commit crimes" is not as simple as you may think in all cases. You even have cases where the US government has retroactively applied new laws (in violation of the charter of human rights) for things that were not crimes at the time (such as "copyright infringement" for a work that used to be public domain). Very few criminals were tried under these strange laws, but they are still just as illegal as more common crimes.
As for using Monero to break laws, it's probably pretty low risk to buy some MDMA to have a very good weekend, and fairly high risk to receive millions of dollars in payment for a ransomware attack against a government.
> After more recent changes to how Monero chooses its mixins, that trick now can spot the real coin just 45 percent of the time—but still narrows down the real coin to about two possibilities, far fewer than most Monero users would like.
Note that this is still a break, because quick Googling says that there are usually 4 mixins, so random chance would be 20%.
Zcash is also not trustless because it requires the trusted setup. You have to trust that the developers completely deleted the "toxic waste" during the setup, and that their machines were not compromised (which is totally possible given Meltdown, etc). Recovery of this toxic waste can lead to unlimited coin minting. Another problem with this is that future changes to some properties of the currency require another trusted setup.
[ShapeShift does 7-15% at least of Monero tx. Add in BitFinex Binance CoinPayments and some others and where we at?]
The solution with anonymity is to send cover & real messages through the network in such a way that traffic analysis fails. One approach would be to saturate a network link, sending random cover data until there's real data to send, then returning to cover data. There are more bandwidth-friendly schemes as well.
Might a similar scheme for cryptocurrency be to constantly (or stochastically, based on some probability distribution) send money to one's own other addresses? Obviously there's an issue with transfer fees, but maybe this could be a tunable, based on how important your privacy is.
On the "illegal only" topic - well, that depends on point of view. For me personally there is always a benefit to having real privacy for what you are paying for, which you don't have with "fiat" currencies or less secure/private cryptocurrencies.
Monero is the worst instance of false security in crypto. Unfortunately, at least in my experience, monero users are impervious to these facts, so darknet busts with ridiculous parallel construction narratives aren't going to stop anytime soon. It's not like the FBI is ever going to publicly say that monero isn't anonymous to them.
Just off the top of my head I would expect two immediate effects if such a thing really caught on:
1) An increase in many types of illegal commerce.
2) A huge downturn in industries used for money laundering and tax evasion.
These might be highly localized, e.g. a bunch of bars might close in City A because that's how the locals wash money; while in City B there might be a surge in "Anonymero" wealth because they make cocaine and are good at shipping it.
Main issue: Ringsize is small. It used to be 3 [why??] and got bumped to 5 because 3 is obviously useless. Now it is getting bumped to 7. The team is taking a very aggressive approach here. Aggressive approaches with security tend not to work. They should be conservative and set the ringsize high, then back off later once they have done the research to support a small ringsize.
Users cannot just increase their ringsize. Doing so makes their transactions stick out: different metadata. If you always use, for example, ringsize 21, then your tx look different on-blockchain. Despite this, BOTH wallets in common use have features that encourage users to make this mistake. It is like sabotage. The official GUI provides a slider that goes to 26 and says more privacy [you see a good number of ringsize 26 tx]. The 'official' Web Wallet run by the Monero lead offers 4 settings: 5 [default], 11, 21 & 41. You see a good number of ringsize 11, 21 and 41 tx because of this.
It has been known for a long time that picking and forcing one ringsize is a good idea yet both wallets insist on encouraging the user to mess up. Not good. No warnings in the wallet, either. We need higher ringsize because the privacy of your transaction going forward depends on other users picking your output as a decoy in their own rings.
Now the small ringsize is made worse by the fact that a single entity, ShapeShift.io, runs 7-15% at least of the network by tx volume! That means with one hack or warrant an attacker will be able to eliminate many fake decoys from other tx rings! How much will a few other exchanges or payment processors make up of the network? 50%? More? Despite this the ringsize stays very small.
The response to all this is 'churn'. This is sending coins to yourself [looks the same as sending to other people] so that you obfuscate the connection over time. But despite this being a core feature of Monero, they have provided zero research and zero guidance on how to do so. They spend money and time researching fancy new maths and this is great. Yet the core functionality to answer the question: How anonymous am I, how mixed in am I, this remains unanswered.
Despite this they refuse to provide any sort of disclaimer. Contrast with the Tor Project, which makes a big deal of telling users they can hurt themselves and Tor is not some magic. In comparison Monero just claims untraceable & private with no caveat whatsoever. This is irresponsible & reckless, damaging to users and not justified. Only when users start thinking and asking questions are they told oh of course you need to churn, but no one knows what this is.
That is the core issue. Other issues:
1. Unencrypted transactions. Your ISP or NSA may easily monitor which tx you broadcast. This lets them link your IP to a tx as well as link your tx across time. Since HTTP is used, adding TLS [unauthenticated but at least preventing passive snooping] would be an obvious step. On the other hand... traffic analysis might break this anyway. Tor is needed to really protect, but see below.
2. Wallet leaks information. When connecting, it requests block info from the last block it has. This allows tracking that user over time. The obvious solution of having the wallet always request a fixed number of blocks back in history is not implemented. This is a simple engineering fix, not fancy math.
3. The height leak is very damaging for users attempting to churn. In that case they connect, sync, broadcast, disconnect, repeat. Every time they connect they are indicating approximately where they left off. This means when they broadcast again ... one only needs to look at the tx to see if there is a ring member near where the wallet connected. If so, you have linked TX.
4. The wallet will ask to confirm transactions sometimes... AFTER it has sent the ring to the remote node! If you cancel the tx then try again, you have sent 2 rings to the remote node but in each ring the real input is the same. Congrats, tx linked or ownership of output now shown.
5. Wallet and network do not support Tor. Despite using HTTP they do not have proxy support. On Linux they suggest hooking syscalls to force a proxy [torsocks]. On Windows they scorn users and tell them to use Linux. At the Monero network level only IP addresses are accepted, meaning we cannot have Tor-to-Tor.
6. Tor is downplayed because they are writing-from-scratch a new I2P implementation in C++ named Kovri. Instead of using Tor today they provide no sort of IP hiding while everyone must wait for a new I2P impl. This is bad engineering and means few people can properly submit tx over Tor.
7. All TX are not the same. There is no solution to joining bad outputs. When you make a multi-in transaction you provide strong linkage if an attacker knows or suspects multiple outputs are yours. Example: you accept donations or are a darknet dealer. Attacker sends many small outputs to you. Attacker will know when you make a move because they will see a multi-input transaction containing one of their known outputs in each ring. This is useful for LE: send small money then know when money is moved. From that point trace forward and see if descendants of that TX end up at known exchange. Now you have a short list of suspects.
8. A lot of metadata per TX. Each TX can have a payment ID [old style], payment ID [new style] or none. Each tx has a fee, and fee is one of 4 levels [0.25x, 1x, and 2 large x]. But the default is 1x. This encourages smart or big users to change from default to 0.25x to save money. But now their tx look different from common users. Exchanges in particular may do this.
9. Probably other things I am not thinking off of the top of my head.
In short I think that Monero practical privacy for users that have something to hide [darknet] and may find themselves against a LEA might find themselves in a bad position. Compounding this is Monero's total refusal to warn users and provide self-sabotaging options. A Tor-style warning is absolutely required given the state of things. More paranoid people might think the lack of warning and some of these issues are intentional.
Edit: I still support Monero and think it is the best project. Despite ZCash looking better on paper the team makes me nervous and I avoid it. [Their wallet software is even worse despite them having many millions to fix it] ... I just want Monero stronger as it will help our users overall and that is good for my business.
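The two ring-level linkage heuristics the post describes in items 4 and 7 (a wallet resubmitting a spend with a fresh ring, and a multi-input spend where each ring touches an attacker-planted output) as an added worked example. This is not code from the original post nor from the Monero project; it runs on a constructed toy model in which every input carries a ring of output identifiers, exactly one of which is really spent. All output ids, transaction ids and the "attacker-known" set are invented for the example.

```python
"""Ring-level linkage heuristics (items 4 and 7 of the post) on a constructed
toy model of ring-signature inputs. All identifiers below are invented."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    txid: str
    rings: tuple  # one ring (frozenset of output ids) per input


# Item 7: outputs the attacker itself sent to the target (many small
# "donations"), so it knows the target controls them. Constructed.
KNOWN_OUTPUTS = frozenset({"atk-1", "atk-2", "atk-3"})

SAMPLE_TXS = [
    # every ring contains a known output: consistent with the target spending
    # two of the attacker's outputs in one transaction
    Tx("t1", (frozenset({"atk-1", "d-1", "d-2"}),
              frozenset({"atk-2", "d-3", "d-4"}))),
    # only one ring touches a known output: ordinary decoy selection does this
    Tx("t2", (frozenset({"atk-1", "d-5", "d-6"}),
              frozenset({"d-7", "d-8", "d-9"}))),
    # single input: no cross-ring linkage to exploit
    Tx("t3", (frozenset({"atk-3", "d-10", "d-11"}),)),
    Tx("t4", (frozenset({"d-12", "d-13", "d-14"}),
              frozenset({"d-15", "d-16", "d-17"}))),
]


def tainted_multi_input_txs(txs, known_outputs, min_inputs=2):
    """Flag txs with at least `min_inputs` inputs where *every* ring contains
    a known output. One ring hitting a known output happens by chance (decoys
    are sampled chain-wide); all rings hitting one is the signal that the
    spender is the party who received those outputs."""
    return [tx.txid for tx in txs
            if len(tx.rings) >= min_inputs
            and all(ring & known_outputs for ring in tx.rings)]


def taint_ratio(tx, known_outputs):
    """Fraction of rings containing a known output; 1.0 is the item-7 case.
    Useful for ranking candidates when the all-rings condition is not met."""
    return sum(1 for ring in tx.rings if ring & known_outputs) / len(tx.rings)


# Item 4: the wallet built a ring, sent it to the remote node, the user
# cancelled at the confirmation prompt and retried. Both rings contain the
# real input; the decoys were re-sampled. Constructed.
RING_FIRST_ATTEMPT = frozenset({"out-42", "d-1", "d-2", "d-3", "d-4"})
RING_SECOND_ATTEMPT = frozenset({"out-42", "d-9", "d-10", "d-11", "d-12"})


def real_inputs_from_resubmission(ring_a, ring_b):
    """Intersect two rings the same client sent for the same spend. Decoys
    rarely repeat, so the intersection is usually the single real input."""
    return ring_a & ring_b


def linkage_demo():
    return {
        "tainted": tainted_multi_input_txs(SAMPLE_TXS, KNOWN_OUTPUTS),
        "t2_ratio": taint_ratio(SAMPLE_TXS[1], KNOWN_OUTPUTS),
        "resubmitted_real_input": real_inputs_from_resubmission(
            RING_FIRST_ATTEMPT, RING_SECOND_ATTEMPT),
    }


if __name__ == "__main__":
    print(linkage_demo())
```

On real chain data the item-7 signal gets weaker as rings grow and as the attacker's outputs get picked as decoys by strangers (the point the reply below makes about plausible deniability), which is why `taint_ratio` ranks rather than decides; the item-4 intersection, by contrast, is decisive whenever the node operator can tie both submissions to the same client.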
This is a balancing act. Will the anonymity set actually lower if transaction fees double?
> Despite this they refuse to provide any sort of disclaimer. Contrast this to the Tor Project, which makes a big deal of telling users they can hurt themselves and that Tor is not some magic. In comparison Monero just claims untraceable & private with no caveat whatsoever. This is irresponsible & reckless, damaging to users and not justified. Only when users start thinking and asking questions are they told "oh, of course you need to churn", but no one knows what this is.
> The response to all this is 'churn'. This is sending coins to yourself [it looks the same as sending to other people] so that you obfuscate the connection over time. But despite this being a core feature of Monero, they have provided zero research and zero guidance on how to do so. They spend money and time researching fancy new maths, and this is great. Yet the core functionality to answer the question (how anonymous am I, how mixed in am I?) remains unanswered.
I think this is a fair concern, but no one has "refuse[d] to provide any sort of disclaimer." I think it's totally fair to write one up and add it to a certain portion of the website.
For churning, research has been ongoing. Specifically for EAE scenarios.
> 1. Unencrypted transactions. Your ISP or the NSA may easily monitor which tx you broadcast. This lets them link your IP to a tx as well as link your txs across time. HTTP is used, so adding TLS [unauthenticated, but at least preventing passive snooping] would be an obvious step. On the other hand... traffic analysis might break this anyway. Tor is needed to really protect you, but see below.
Kovri will include encrypted connections. Monero community members have never claimed to provide IP protection in the current state. If you are currently worried, use a public hotspot somewhere.
> 2. Wallet leaks information. When connecting, it requests block info starting from the last block it has. This allows tracking that user over time. The obvious solution of having the wallet always request a fixed number of blocks back in history is not implemented. This is a simple engineering fix, not fancy math.
This is an issue with remote nodes only. This can be mitigated at a cost of efficiency, and even if mitigated, it can still be relatively traceable if enough connections are made. If you are concerned about this risk, use your own node. There will always be privacy loss when using someone else's copy of the blockchain.
> 3. The height leak is very damaging for users attempting to churn. In that case they connect, sync, broadcast, disconnect, repeat. Every time they connect they are indicating approximately where they left off. This means when they broadcast again... one only needs to look at the tx to see if there is a ring member near where the wallet connected. If so, you have linked the TX.
I argue that churning is absolutely outside the scope of users who are using remote nodes. It's extremely unlikely an advanced user who cares about their privacy will make a fundamental mistake in trusting someone else's node. This is outside the scope of protections. Just run your own node if your threat model even considers churning.
> 4. The wallet will sometimes ask to confirm transactions... AFTER it has sent the ring to the remote node! If you cancel the tx and then try again, you have sent 2 rings to the remote node, but in each ring the real input is the same. Congrats, tx linked, or ownership of the output now shown.
This was disclosed in HackerOne and has been patched.
> 5. Wallet and network do not support Tor. Despite using HTTP, they do not have proxy support. On Linux they suggest hooking syscalls to force a proxy [torsocks]. On Windows they scorn users and tell them to use Linux. At the Monero network level only IP addresses are accepted, meaning we cannot have Tor-to-Tor.
Little effort has gone into this since the support is being designed for I2P.
> 6. Tor is downplayed because they are writing from scratch a new I2P implementation in C++ named Kovri. Instead of using Tor today, they provide no sort of IP hiding while everyone must wait for a new I2P impl. This is bad engineering and means few people can properly submit txs over Tor.
There are other considerations when submitting transactions over Tor. I'm not an expert here, but fluffypony has been critical of this approach in the past.
> 7. Not all TXs are the same. There is no solution to joining bad outputs. When you make a multi-in transaction you provide strong linkage if an attacker knows or suspects multiple outputs are yours. Example: you accept donations or are a darknet dealer. The attacker sends you many small outputs. The attacker will know when you make a move because they will see a multi-input transaction containing one of their known outputs in each ring. This is useful for LE: send small amounts of money, then know when the money is moved. From that point, trace forward and see if descendants of that TX end up at a known exchange. Now you have a short list of suspects.
Each output is used in several transactions. While it does not completely mitigate the risk you describe, it means there is at least some plausible deniability in practice. If you are in a situation with a significant number of outputs, you definitely should not simply send a transaction with these to an exchange or similar.
> 8. A lot of metadata per TX. Each TX can have a payment ID [old style], a payment ID [new style] or none. Each tx has a fee, and the fee is one of 4 levels [0.25x, 1x, and two larger multipliers]. But the default is 1x. This encourages smart or big users to change from the default to 0.25x to save money. But now their txs look different from common users'. Exchanges in particular may do this.
There will always be some metadata, but based on how the system works, there will always need to be a fee. The multiplier is set to be more automatic in the latest version. The payment ID metadata has been improved to be encrypted, and to encourage use for all transactions with integrated addresses. Metadata for these two items is the least of our concerns, since there is still a pretty large entropy set for normal situations, but of course there could be improvements.
> 9. Probably other things I am not thinking of off the top of my head.
Me too :) Key image reuse attacks seemed to come out of nowhere, and we needed to respond to them.
> In short, I think that Monero users who have something to hide [darknet] and may find themselves up against an LEA might find themselves in a bad position with respect to practical privacy. Compounding this is Monero's total refusal to warn users and provide self-sabotaging options. A Tor-style warning is absolutely required given the state of things. More paranoid people might think the lack of warning and some of these issues are intentional.
I disagree with your tone here. Here I am, a community member, agreeing with many of your criticisms. The idea of a better warning guide has been discussed for quite some time, and I believe it has been relatively strongly received. If you were to start a project on Taiga to get this started I'm sure many people would respect you.
The best summary I can say is this: Monero is a tool that can provide significant privacy under a variety of use-cases. If your use-case is hiding your wallet balance and transactions from merchants, ad agencies, and most attackers, you can use Monero with little to no significant consideration for your privacy. If you are worried about colluding KYC exchanges, governments, and motivated attempts to target you specifically by powerful attackers, then the use-case for Monero needs to be better-defined. Monero will preserve privacy under some situations better than others. Given that it is relatively hard to understand, Monero will need to use a mix of education and default/mandatory functionality to encourage the correct behavior.
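The height leak discussed under items 2 and 3 above (the wallet asks a remote node for blocks starting at its own last-known height, and the output a churning wallet spends next was created right after that height) as an added worked example, together with the "request a fixed distance back" idea from item 2. This is not code from either commenter or from the Monero project. The node log, session ids, heights and output ids are constructed. One assumption of mine is flagged in the mitigation: the example quantizes the requested start height to a fixed bucket instead of subtracting a constant, because a constant offset an observer knows about can simply be added back.

```python
"""Height-leak correlation (items 2 and 3 of the post) and a quantized
start-height mitigation. Constructed data; nothing here is real chain data."""

# Remote node's view: per wallet session, the height the wallet asked to
# sync from. Keyed by session id (in reality an IP/connection). Constructed.
NODE_LOG = {
    "sess-A": 1_500_120,
    "sess-B": 1_500_900,
}

# Transactions later broadcast through the same sessions. Each ring is a
# list of (output id, height of the block that created it). Constructed.
BROADCASTS = [
    ("txA", "sess-A", [("out-7", 1_480_002), ("out-9", 1_500_121),
                       ("out-3", 1_200_550), ("out-5", 1_499_000)]),
    ("txB", "sess-B", [("out-11", 1_300_000), ("out-12", 1_450_000),
                       ("out-13", 1_520_000)]),
]


def candidate_real_inputs(ring, sync_start_height, window):
    """Ring members created within `window` blocks of the height the wallet
    resumed syncing from. A churning wallet disconnects right after its
    previous broadcast, so the output it spends next sits just after the
    height it later asks for; decoys are drawn chain-wide and rarely land in
    that narrow band."""
    lo, hi = sync_start_height - window, sync_start_height + window
    return [(oid, h) for oid, h in ring if lo <= h <= hi]


def correlate(node_log, broadcasts, window=10):
    """Attacker side: for each broadcast tx, the ring members the height leak
    singles out. An empty list means the leak gave nothing for that tx."""
    return {txid: candidate_real_inputs(ring, node_log[session], window)
            for txid, session, ring in broadcasts}


def quantized_start_height(last_known_height, bucket):
    """Mitigation (my variant of item 2's fixed look-back, an assumption):
    always request from the start of a fixed-size bucket, so every wallet in
    the same bucket reports the same height and the true height is only
    known to within `bucket` blocks. Costs re-downloading up to `bucket`
    blocks per connection."""
    return (last_known_height // bucket) * bucket


def height_leak_demo(bucket=10_000):
    leaked = correlate(NODE_LOG, BROADCASTS)
    quantized_log = {s: quantized_start_height(h, bucket)
                     for s, h in NODE_LOG.items()}
    return {
        "leaked": leaked,
        # the attacker's narrow window now misses the real output entirely
        "quantized_narrow": correlate(quantized_log, BROADCASTS),
        # widening the window to the bucket size pulls decoys back in, so
        # the leak degrades to a band rather than a single member
        "quantized_wide": correlate(quantized_log, BROADCASTS, window=bucket),
    }


if __name__ == "__main__":
    print(height_leak_demo())
```

Running your own node, as the reply suggests, removes the observer entirely; the quantization only shrinks what a remote node learns, and an attacker who sees many connections from the same client can still watch the bucket advance over time.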
I apologize for my tone and do not mean to speak ill of the Monero team. I still choose Monero and feel it has the best benefits overall.
As they point out, the public, consensual mutation-resistance of blockchain makes it rather hard to walk back mistakes.
"Monero can be 100% anonymous, so it's the preferred coin of criminals"
"Monero is not 100% anonymous, so big time criminals can't use it."
Consider the obverse: a promotional link with no explanation. A short blurb about why XSpec is better than Monero might help your comment stand stronger on its own.
Wired fails to disclose that the first mentioned correspondent is Andrew Miller of the Zcash foundation. He previously published a blog containing much the same content about Monero.
So how much money are some people making today on Monero shorts and Zcash longs thanks to a front page Wired article?