Dandelion++, its strengths, and its limitations are of interest not only to Monero users. For I am surely not the only one who wishes to see Dandelion++ implemented in Bitcoin Core, if it can be done without opening mempool DOS vectors. (This was the reason for the rejection of BIP 156 for the inferior Dandelion; IIUC, the worst DOS concerns involve interactions between Dandelion (or Dandelion++) and Bitcoin features that don’t exist in Monero.)
This is primarily a technical post; but first things first...
Monero lost its reputation a very long time ago. Just imagine people having your IP addresses along with which sites you visited or where specifically you purchased something; it is quite frightening for those that thought they were dealing with a privacy based coin. I checked the link (https://monero-badcaca.net/); it does not look good for Monero as a privacy coin, and it does not look good for those 100 user details that will be published daily.

I'm posting the daily report in the Monero topic until they start moderating it.
Hey, JollyGood, you have a reputation for fighting spam and forum abuse. What do you think of badcaca’s overt bragging that he wants to use abusive tactics instead of technical arguments?
I need not remark on the security ignorance and technical ineptitude of the forum’s Timothy Leary.

But for all we know there are whistleblowers buying VPNs or domains, and you're putting out IP address data which could be used in combination with other methods to identify those people.
This argument can be very easily turned around. For people like that, isn't it better to know they have been exposed? Monero is perfectly happy for them to be tracked by Ciphertrace while reassuring them that all is fine.
Oh, spare us your liar’s false pretense of concern for the privacy of users!
If you actually gave a damn about that, then you would disclose in detail what you claim to be doing so that (a) others could evaluate it on its technical merits, and (b) the alleged vulnerability (if any) could be fixed so as to protect privacy. Of course, that would presume that you actually have a low-resource way to break Dandelion++. (It does not even claim to protect against AS-level adversaries, let alone global adversaries.) At this point, I am pretty sure that you have only bullshit—such as your incessantly repeated deliberate conflation of network-layer attacks against Dandelion++, and Ciphertrace’s (much more credible) claim to have developed probabilistic transaction clustering from blockchain analysis. I do think that the Monero community should pay more heed to the latter; but those are completely different threat levels!
Interesting thanks for the clarification. I'm not particularly familiar with dandelion++. Does the original node broadcast the transaction to multiple nodes in the stem phase or just to one other node? What determines when the fluff phase occurs?
I suggest reading the paper.
I already answered this—twice:
My first thought is, “Whose IP addresses are those supposed to be? The originating nodes’? Contra what it says in the badcaca FAQ, Dandelion++ would make it easy to mistake the IP address of the originating node.”
It is exactly the type of technology which will make badcaca associate transactions with the wrong IP address.
I'll be the first to say it. BADCACA's data is not "just dumb FUD". I looked through the data and there are definitely some authentically traced transactions in there.
A stopped clock is right at “some” moments of the day.
Of course, if he lists a randomly selected peer IP that handled a transaction in the Dandelion++ stem phase, then that IP will sometimes be the actual originating peer. That is the point of “random”. “However, the protocol also ensures that the first relay node to broadcast is approximately uniformly selected among all relays that have received the message.” See below.
You are confusing cause and effect here. A transaction sitting in a node's mempool is caused by it being intercepted and then rebroadcast.
There is no such thing as a public mempool on a p2p network level. What you are seeing on the website is a snapshot of one node's mempool. The way dandelion++ works is that the transaction will be put into the original node's mempool, broadcast in stem phase, and if the node doesn't see it again, it will be broadcast in fluff phase. The "not seeing it again" part is the cause of the delay.
Based on a reasonable inference of what you seem to be suggesting that you are trying to do: The Dandelion++ authors were way ahead of you. That is an admittedly low standard, because you don’t know what the hell you are doing. You are listing the IP addresses of random peers, exactly as I said!
§4.4 at p. 17 of the Dandelion++ paper speaks thusly:

If you claim to be defeating Dandelion++’s random timers, then please show your work with maths and stuff. (LOL, as if.)
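Added illustration, not code from the thread or from the Dandelion++ paper: a small simulation of the embargo-timer behaviour referred to above. It assumes a fixed stem path of 8 nodes, a 10 ms hop delay and exponential embargo timers with a 10 s mean (all constructed values), and shows why the first node to fluff is roughly uniform over the nodes that have received the transaction, so an observer who logs that node's IP names the originator only about one time in eight.

```python
import random
from collections import Counter

# Constructed parameters (assumptions for this illustration, not values taken
# from the thread or from the Dandelion++ paper).
N_RELAYS = 8          # stem path length; index 0 is the originating node
HOP_DELAY = 0.01      # seconds for the stem transaction to reach the next hop
EMBARGO_MEAN = 10.0   # mean of each node's exponential embargo timer, seconds


def first_fluffer(rng, n_relays=N_RELAYS, hop_delay=HOP_DELAY,
                  embargo_mean=EMBARGO_MEAN):
    """Index of the stem node whose embargo timer expires first.

    Node i receives the transaction at time i*hop_delay and immediately draws
    an exponential timer; if the timer expires before it sees the transaction
    fluffed by someone else, it fluffs the transaction itself.  Because the
    exponential distribution is memoryless, once the last node has received
    the transaction every still-running timer is distributed as a fresh
    Exp(1/embargo_mean), so each node is equally likely to fire first.  The
    only asymmetry is the short hop-delay window before later nodes join.
    """
    fire_at = [i * hop_delay + rng.expovariate(1.0 / embargo_mean)
               for i in range(n_relays)]
    return min(range(n_relays), key=fire_at.__getitem__)


def simulate(trials=20000, seed=1):
    """Empirical share of fluffs performed by each node along the stem."""
    rng = random.Random(seed)
    counts = Counter(first_fluffer(rng) for _ in range(trials))
    return {i: counts[i] / trials for i in range(N_RELAYS)}


def originator_share(shares):
    """How often an observer logging the first fluffing IP hits the originator."""
    return shares[0]


if __name__ == "__main__":
    shares = simulate()
    for node, share in shares.items():
        print(f"node {node}: {share:.3f}")
    print(f"originator named by the first fluff: {originator_share(shares):.3f}")
```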
Transplanted from the Monero thread, with appropriate context restored to the internal quotation:
Among other things, AES is broken!!

Do you think Vincent Rijmen exploded with anger when AES was broken? No, he congratulated the authors.
Say what!? When was AES broken?
(Just a guess: If you are talking about related-key cryptanalysis, then you are mentally retarded and you know nothing about cryptography.)
I dearly wish that Monero were exactly as “broken” as AES!
Yes it is; Monero community members have a tendency to spew uneducated bullshit.
https://link.springer.com/chapter/10.1007%2F978-3-319-19962-7_3
You idiot, the biclique attack does not mean that AES is “broken”. I guessed the related-key attack, because in some versions, that would have much lower time complexity (it just requires, um, related keys). All that you need to do is to read the abstract of the paper that you cited. You don’t even need to hop over to Sci-Hub and enter the DOI (https://doi.org/10.1007/978-3-319-19962-7_3) to read the full paper. Just at least read the abstract!
Biclique attack is currently the only key-recovery attack on the full AES with a single key.... We have a biclique attack on each of the following AES versions:
- AES-128 with time complexity 2^126.13 and data complexity 2^56,
- AES-128 with time complexity 2^126.01 and data complexity 2^72,
- AES-192 with time complexity 2^189.91 and data complexity 2^48, and
- AES-256 with time complexity 2^254.27 and data complexity 2^40.
Our results have the best time complexities among all the existing key-recovery attacks with data less than the entire code book.
Yup:
I dearly wish that Monero were exactly as “broken” as AES!
A break in cryptography is anything faster than a brute force search; it doesn't matter that it takes down security from 2^128 to 2^126 (and is therefore only theoretical), it doesn't even matter if it is a known-plaintext key recovery attack. There is no need to call people names just because you don't know what you are talking about (like most people in Monero btw).
There is a need to call you a liar (in addition to an idiot), when you are using the classic dishonest debate tactic of switching back and forth between two different senses of the same word—in this case, different senses (by orders of magnitude) of a cryptanalytical “break”.
You claim to have broken Monero’s privacy in some significant, practical way. Your website’s FAQ insinuates that this is comparable to how AES is “broken”. For the third time:
I dearly wish that Monero were exactly as “broken” as AES!
By the way, I am not “in Monero”. I am a Bitcoiner and a lifelong privacy fanatic, who sometimes uses both Monero and Zcash. FYI. I am on this thread just because I hate stupidity.
Note: I have not reviewed the code of Monero’s Dandelion++ implementation. But I am pretty sure that the people who wrote and reviewed that code would not have omitted the aforesaid random clocks, without which Dandelion++ would be trivial for any s’kiddie-tier retard to defeat.
the memorylessness of the exponential clocks
P.S., monero_badcaca, would you please apply your superb grasp of statistics to a gambling method, and gamble using my reflink? Thanks. Fallacies can be profitable!
I know investing can be difficult for some people, they invest more than they are willing to lose and can become emotionally involved in the projects they back. Maybe you should consider analyzing your position, frankly and without emotion, and move on.