If they do not meet our bar then they will not be able to join for now. Over time we will increase our methods to verify escorts.
If we feel someone is not operating under their own agency we will disable their account.
Will this fix everything? No. But it is an improvement over existing systems. And we are open to suggestions. If there is broad user/community consensus on how we should handle some scenarios then we can implement those ideas. The critical part of being extrajurisdictional is that we are not compelled to take a specific approach therefore allowing us ethics over legality.
>and the remaining 5% are also vulnerable to things like warrants at the exchange and timing attacks
I was under the impression that no exchanges handle shielded transactions. What do you mean by timing? I would assume you go t-z-t and leave it quite a while as shielded.
>can't wait for bulletproofs!
Bulletproofs do not help verification time which is why we have low ring size. Going from 5 to 21 ringsize only increases size 8%. 15 is even less, a reasonable compromise on size. There is an unspecified perf target that must be met on verification.
Private-by-default is semi-dishonest. Many tx on Monero are owned by a few entities that are friendly with LE or may get hacked. Thus all those exchange tx or payment gateway tx that are on the blockchain are in practice transparent to the right people or with time. With Monero they give you a false sense of security with ZCash they are open that those tx are not going to help you.
[ShapeShift does 7-15% at least of Monero tx. Add in BitFinex Binance CoinPayments and some others and where we at?]
On 2: Monero is almost the same. ShapeShift does 7-15% of all tx at least. How many transactions are actually private after you consider hacks or LE warrants? Those TX are what you depend on to get false spends.
On 3: How many people must agree in order to change something in Monero such as HF parameters like ringsize? There is not a single company but it looks [to an outsider like me] as a similar position.
I chose Monero too for similar reasons inc ZCash people openly saying they support backdoors for LE [but promising ZCash would never have them]. And taking 20% of block reward and not doing anything useful with it [for millions I expect really polished clients and some quick upgrades].
But the low ringsize is weak [hence going from 3 to 5 to now 7]. All ring members are not equal to n^k is very naive. Fee, ringsize, payment ID, in/out count are all metadata that distinguish on-blockchain. Let alone off-blockchain such as keys being hacked/warranted.
Given this and Monero's lack of disclaimer or warning at all about how to use it safely... a paranoid person might suspect ill-motives. [Consider: MyMonero, the Monero 'lead' Web Wallet, goes out of its way to suggest users use a few higher ringsizes to get better privacy, when we know this makes their TX stand out. This is something that presumably he could change with 1 or 2 lines of code but has not.]
Because the decoy selection is not part of protocol not everyone is doing it. Some exchanges have increased ringsize but kept old selection system. Not to mention that exchanges make up a large bulk of Monero TX and hence are one warrant/hack away from killing a bunch of decoys anyways.
Monero would gain credibility if it took a conservative approach to ringsize then used research to lower the ringsize. Instead we get no justification for ringsize saying there is no research that shows an increase needed. This is the opposite way of how security is approached. Indeed: The only MRL statement I know of on churn is that it does not work.
I appreciate the work you do and MRL overall. But without practical examination of real-world threats it feels a bit empty. And Monero team refusal to provide any sort of disclaimer at all really undermines the sincerity.
Trusted setup only compromises the supply integrity not privacy. I am not a fan of Zooko or the Green comments on backdoors and LE but do not misrepresent trusted setup.
>This was a well-known design choice where the user could balance between transaction size and privacy--people who preferred faster/cheaper transactions chose to sacrifice untraceability. Nowadays, the default option enforces higher untraceability.
This has always been wrong and it is wrong on the face. Your privacy does NOT depend on your ring-size. That is only for backward-tracing. For forwards tracing [more common: you have bad money and want to turn it anonymous so it is good] you rely on other people on the network false-spending your money.
Between the low ringsize [3, now 5, soon 7] and the fact that a good double-digit % of network is owned by LE-accessible entities [ShapeShift does at least 7-15% of tx].
Even with these papers Monero refuses to provide any sort of disclaimer that transactions may be traceable despite readily admitting you must do churn over time to gain privacy. Monero deserves a lot of criticism even if ZCash is worse in some ways.
Monero has some real issues! These papers are OK but I am not sure if they focus on current practical issues:
Main issue: Ringsize is small. Used to be 3 [why??] got bumped to 5 because 3 is obviously useless. Now getting bumped to 7. The team is taking a very aggressive approach here. Aggressive approaches with security tend not to work. They should be conservative and set the ringsize high then back off later once they have done the research to support a small ringsize.
Users cannot just increase their ringsize. Doing so makes their transactions stick out: different metadata. If you always use, example, ringsize 21: then your tx look different on-blockchain. Despite this, BOTH wallets in common use have features that encourage users to make this mistake. It is like sabotage. The official GUI provides a slider that goes to 26 and says more privacy [you see a good number of of ringsize 26 tx]. The 'official' Web Wallet run by the Monero lead offers a 4-setting: 5 [default], 11 21 & 41. You see a good number of 11 21 41 ringsize tx because of this.
It has been known for a long time that picking and forcing one ringsize is a good idea yet both wallets insist on encouraging the user to mess up. Not good. No warnings in the wallet, either. We need higher ringsize because the privacy of your transaction going forward depends on other users picking your output as a decoy in their own rings.
Now the small ringsize is made worse by the fact that a single entity, ShapeShift.io, runs 7-15% at least of the network by tx volume! That means with one hack or warrant an attacker will be able to eliminate many fake decoys from other tx rings! How much will a few other exchanges or payment processors make up of the network? 50%? More? Despite this the ringsize stays very small.
The response to all this is 'churn'. This is sending coins to yourself [looks same as sending to other people] so that you obfuscate the connection over time. But despite that this is a core feature of Monero they have provided zero research zero guide on how to do so. They spend money and time researching fancy new maths and this is great. Yet the core functionality to answer the question: How anonymous am I, how mixed in am I, this remains unanswered.
Despite this they refuse to provide any sort of disclaimer. Contrast to Tor Project which makes a big deal of telling users they can hurt themselves and Tor is not some magic. In comparison Monero just claims untraceable & private with no caveat whatsoever. This is irresponsible & reckless, damaging to users and not justified. Only when users start thinking and asking questions are they told oh of course you need to churn but no one knows what this is.
That is the core issue. Other issues:
1. Unencrypted transactions. Your ISP or NSA may easily monitor which tx you broadcast. This let them link your IP to a tx as well as link your tx across time. Even though HTTP is used thus adding TLS [unauthenticated but at least preventing passive snooping] would be an obvious step. On the other hand... traffic analysis might break this anyway. Tor is needed to really protect but see below.
2. Wallet leaks information. When connecting, it requests block info from the last block it has. This allows tracking that user over time. The obvious solution of having the wallet always request fixed number of blocks back in history is not implemented. This is simple engineering fixing, not fancy math.
3. The height leak is very damaging for users attempting to churn. In that case they connect, sync, broadcast, disconnect, repeat. Every time they connect they are indicating approximately where they left off. This means when they broadcast again ... one only need to look at the tx to see if there is a ring member near where the wallet connected. If so, you have linked TX.
4. The wallet will ask to confirm transactions sometimes... AFTER it has send the ring to the remote node! If you cancel tx then try again, you have sent 2 rings to the remote node but in each ring the real input is the same. Congrats, tx linked or ownership of output now shown.
5. Wallet and network does not support Tor. Despite using HTTP they do not have proxy support. On Linux they suggest hooking syscall to force proxy [torsocks]. On Windows they scorn users and tell them to use Linux. At the Monero network level only IP addresses are accepted meaning we cannot have Tor-to-Tor.
6. Tor is downplayed because they are writing-from-scratch a new I2P implementation in C++ named Kovri. Instead of using Tor today they provide no sort of IP hiding while everyone must wait for a new I2P impl. This is bad engineering and means few people can properly submit tx over Tor.
7. All TX are not the same. There is no solution to joining bad outputs. When you make a multi-in transaction you provide strong linkage if an attacker knows or suspects multiple outputs are yours. Example: you accept donations or are a darknet dealer. Attacker sends many small outputs to you. Attacker will know when you make a move because they will see a multi-input transaction containing one of their known outputs in each ring. This is useful for LE: send small money then know when money is moved. From that point trace forward and see if descendants of that TX end up at known exchange. Now you have a short list of suspects.
8. A lot of metadata per TX. Each TX can have a payment ID [old style], payment ID [new style] or none. Each tx has a fee, and fee is one of 4 levels [0.25x, 1x, and 2 large x]. But the default is 1x. This encourages smart or big users to change from default to 0.25x to save money. But now their tx look different from common users. Exchanges in particular may do this.
9. Probably other things I am not thinking off of the top of my head.
In short I think that Monero practical privacy for users that have something to hide [darknet] and may find themselves against a LEA might find themselves in a bad position. Compounding this is Monero's total refusal to warn users and provide self-sabotaging options. A Tor-style warning is absolutely required given the state of things. More paranoid people might think the lack of warning and some of these issues are intentional.
Edit: I still support Monero and think it is the best project. Despite ZCash looking better on paper the team makes me nervous and I avoid it. [Their wallet software is even worse despite them having many millions to fix it] ... I just want Monero stronger as it will help our users overall and that is good for my business.
We cannot launch our project too soon [details in profile]. We will do what we can to prevent trafficking: asking for ID and verifying they have an escorting presence is a good start. Analytics to look at payment flow and see if one entity is controlling multiple escorts is another.
From what I remember, those rely on some older aspects of Monero no longer present. But more importantly, they do not provide positive guidance on exactly how much mixing [churn] with what ring-sizes are needed to achieve a certain anonymity set size. Monero project itself has no statements on these key issues [except for a sentence in one of their updates stating that churning is not sufficient].
The research you linked does illustrate some problems. And Monero's reaction, to not include any disclaimers, to continue saying it is private and untraceable... misleads users.
That is almost certainly how many people will view it, and is the reason why we are set-up as an extrajurisdictional company: it will make enforcement very difficult.
PinkDate is an extrajurisdictional company that will dramatically improve the escorting [sex work] industry. We depend on privacy and anonymity tech, including Monero [XMR]. Monero has lofty goals and powerful privacy claims that fall short in actual operation.
As an example: All network communications are unencrypted which allows a passive adversary to easily de-anonymize many transactions. Instead: Monero should be encrypted and easily integrate with Tor to hide user activity.
Contract 1: We desire an engineer to contribute to the Monero open source project. This includes adding encryption between nodes, reducing wallet metadata leakage, and integrating Tor into both the client [easy] and the node software [more challenging].
Contract 2: We need someone to write a simulator and improve blockchain explorer tools to determine how well Monero's privacy claims truly hold up. To-date there is no public research on fundamental aspect of Monero. We want to be able to have answers to the questions of how private a user becomes when using Monero. How often must a user send money to themselves [churn] to effectively hide among X users? We want to make proposals to change the Monero network parameters to improve privacy and have the evidence to make the case.
All work will be published openly and you can take the credit with a note that PinkDate is the sponsor. You should be comfortable engaging with community and defending design decisions and research.
Note: PinkDate is an extrajurisdictional company and pays contractors in cryptocurrencies as a transfer mechanism. We price contracts in USD.
If you like the idea of working on an underground project: We often have contracts or positions available in legal, security, [counter]intelligence, devops and general software engineering. Drop me a line: [email protected]
It certainly is a possibility. I am acutely aware of it every day. It is incredibly high stress. That is why our core team desires to hire people to run the business day-to-day, so we minimize our exposure online and hence reduce possibilities of making opsec mistakes.
Communicating with a lawyer anonymously is not much more difficult than communicating with someone on HN anonymously.
I am not pretending algorithmic magic will prevent sex trafficking. I am saying that, to the best of our abilities, we will ban it from our platform. At least for underage trafficking, by checking IDs we are already far better than classifieds.
So we will do our part to fight against and not enable trafficking. We are not a free-for-all marketplace.
That is the extent of my claims!
Police are ineffective because they do not control the marketplace, unlike us. If governments wanted to shut down trafficking they have the option to legalize and regulate. That would harm illegal operations.
I am pointing out that not all ICOs are pure-product-free-plays.
Voting, we are uncertain how that would work but very much open to it. Dividends, yes, that is the entire point of us selling equity. This is considerably better than what you get from some publicly traded companies these days!
Open financials: We will have a certificate-transparency-style audit-log of our revenue and we will release limited financials and can discuss concerns if the revenue numbers and profits are too far apart.
This is better because before anonymity tech and cryptocurrencies...It was very difficult to invest in or even run a global escorting platform. This is due to the laws in many countries that we can now work-around. And investors can participate while maintaining their complete privacy. This is difficult with traditional government-regulated equities.
We have consulted with lawyers. None of them are going to give the go-ahead on this project.
Quote from one of them: There is no such things as extrajurisdictional, unless you're on the moon. My reply: If our opsec is good, we may as well be. Tor's latency even makes it feel like being in space.
If our opsec fails and I am unmasked, I will be unhappy at being caught. Successors will recover the system from backup keys and continue on. Small comfort.
Our ICO is really an IPO. We are selling shares in our company (unregulated security). We have a real business model, good fundamentals. And before the full ICO, we will have a working service.
Cryptocurrency allows us to avoid capital and other controls to fund a venture which would be impossible to fund otherwise.
But most ICOs are blatant scams trying to justify their useless tokens, Kodak included.
I apologize for my tone and do not mean to speak ill of the Monero team. I still choose Monero and feel it has the best benefits overall.