December 09, 2017
<sgp> Thanks everyone for waiting
<sgp> 0. Introduction
<sgp> We would like to welcome everyone to this Monero Community Meeting!
<sgp> Link to agenda on GitHub: https://github.com/monero-project/meta/issues/141
<sgp> Monero Community meetings are a discussion place for anything going on in the Monero Community. We use meetings to encourage the community to share ideas and provide support.
<sgp> I have a presentation at noon, so this meeting will be a little shorter than normal. You are welcome to carry on the open ideas time even after I need to leave.
<sgp> 1. Greetings
<cryptochangements> hola amigos
<brendanmcmanus> hey all!
<ErCiccione> Ciao everybody
<msvb-fab> Hello folks.
<sgp> 2. Community highlights
<sgp> For a great weekly summary, please read the Monero Observer: http://monero-observer.com/
<sgp> 3. FFS updates
<sgp> a. RFC-HWALLET-1 project progress
<sgp> @msvb-fab, you have the floor
<msvb-fab> Oh okay.
<msvb-fab> Hardware wallet.
<msvb-fab> Dozens of parts have arrived including panelized PCBs, and some unplanned holiday goodies.
<msvb-fab> We'll be assembling in the next week, in order to deliver a end of year dividend to anybody who has contributed in even the smallest way.
<msvb-fab> Consider this the last chance to sign up as a tester and complete the one minute of duties required to receive the first ever Monero hardware wallet prototype.
<msvb-fab> Our star designer in this round is i_a, who created the 'Julian Candy' release seen here:
<msvb-fab> But as you see from our main page, there are other parallel efforts as well:
<msvb-fab> To become a tester and get a board, I need your mailing address and a couple other 1 minute things. If you have 5 minutes, then read:
<msvb-fab> We also had our first Monero hardware team meeting this week on #monero-hardware.
<msvb-fab> …which went well for a first try. One hour long, we'll probably do one per month.
<msvb-fab> That's all unless other members of the Monero hardware team want to inform…?
<ErCiccione> msv-fab: the prototype only for americans, right? :(
<msvb-fab> ErCiccione: Heh? Actually we are three assemblers and all in different european countries.
<serhack> why americans Erciccione?
<msvb-fab> So all the south and north americans are lucky to get something.
<sgp> Thanks msvb-fab
<msvb-fab> This is universal, even for folks in the ISS space station they can get a prototype.
<ErCiccione> uh, really? i didn't subscrive because i was sure was only available in america. my bad, you have a new tester :)
<msvb-fab> Doesn't have to be planet earth.
<sgp> b. Monero Video Series
<sgp> We would like community comments on the final community script: https://github.com/alvinjoelsantos/promo-video/blob/master/community.md
<sgp> Please make comments on GitHub.
<ErCiccione> don't know why but i was absolutely sure :P
<msvb-fab> I'm on site at a fabricator right now cutting enclosure pieces, so please let me take a 5 minute break to adjust the laser okay?
<sgp> Let's make this video as good or better than the other ones
<sgp> c. Monero Meetup Kit
<msvb-fab> I'll be back in five minutes…
<serhack> I think monero video need translators for subtitles
<sgp> @serhack yes it does. Speak with ErCiccione after the meeting about these
<ajs> If you have any suggestions for script, PR welcomed.
<serhack> great, sgp
<sgp> I have finished all the milestones for the Meetup Kit. I will give the last of my stuff out during a meeting in Madison that starts in 40 mins
<sgp> Does anyone else have a FFS update?
<serhack> We are working hardly on Opencart.
<serhack> you can go on sgp
<msvb-fab> serhack: Working hard or hardly working?
<serhack> Working hard*
<sgp> Great to hear
<sgp> 4. Discuss formation of Malware Response Group
<sgp> Fluffypony and tuckerpreston asked me to reserve some time to discuss the response to malware and botnets.
<fluffypony> this is really an optics problem
<sgp> Fluffypony, welcome!
<fluffypony> basically the issue of poor optics with relation to Monero is going to be an increasing challenge
<fluffypony> some areas we don't have much influence / control over
<fluffypony> but with malware there is something we can do
<fluffypony> we can help people who are infected with malware
<fluffypony> so when someone has found a malicious miner, for instance, what can they do about it?
<fluffypony> well, a Malware Response Group can help that person
<fluffypony> they can provide them with a guide to clearing out the malware
<dEBRUYNE> Perhaps write a guide that shows how to remove malware and alternatively explains how to do a fresh OS install
<msvb-fab> fluffypony: By optics, you mean how people perceive us right? Like regardless of quality, if folks believe Monero is high quality.
<fluffypony> msvb-fab: yes
<fluffypony> so the other thing that happens is that malware can be found in the wild
<fluffypony> and maybe it uses a particular mining pool
<fluffypony> the Malware Response Group can approach that pool's operator and ask them to please block that address
<fluffypony> which his good for the pool, too, because malware has a negative performance impact on pools
<serhack> what will Malware Response group do if a big company has malicious miner?
<fluffypony> serhack: they can do both - help the company figure out how to remove the malware, and try block it at a pool level
<ArticMine> It is a start.
<ArticMine> but I am not that optimistic
<fluffypony> ArticMine: it lets us answer the question reporters often ask: "what are you doing about cryptojacking / malicious miners?"
<fluffypony> then we can just point to the existence of the Malware Response Workgroup
<sgp> ArticMine, it's not about stopping all malware. It's about optics and providing some level of help
<fluffypony> whether they are effective or not doesn't matter
<serhack> fluffypony: what do you mean by malicious miners? Coinhive could be a malicious miner.
<ArticMine> Yes this is the problem the gray area
<fluffypony> serhack: yes absolutely, as is botnet malware
<xmr_eric> The solution doesn't need to be comprehensive. It just needs to address the basics.
<msvb-fab> fluffypony: Is part of the problem that the affected click on 'vulnerability response' and send email to you and Luigi?
<msvb-fab> …thus overwhelming just a couple security officers?
<fluffypony> msvb-fab: nope, not at all
<fluffypony> this has nothing to do with the VRP
<fluffypony> this is about Monero being used in malware, typically via mining
<QuickBASIC> It's a nice thought, but if the MRW is ineffective at reducing the amount of malware then it's just going to be a big joke.
<fluffypony> but later on also ransomware
<fluffypony> QuickBASIC: how will anyone know if they're effective?
<msvb-fab> I'm imagining what I would do when going to getmonero.org and trying to find an easy way to solve my security problem.
<msvb-fab> I would click 'vulnerability respons' because I don't see anything else related.
<fluffypony> msvb-fab: we're mostly dealing with senior infosec people, they're not dumb enough to do that
<msvb-fab> We're dealing with senior cisos and they can't secure their mining rigs? that's surprising.
<QuickBASIC> My background is in IT support. I've done mostly internal IT for the last several decades… It's anecdotal, but a user that allows their box to be owned by malware to that degree is not going to be able to be assisted in removing their own malware… even if we had a call center full of folks walking them thru it.
<fluffypony> msvb-fab: no no, they're called in to clients who are infected, or they're researchers who find malware in the wild
<fluffypony> QuickBASIC: we're not going to provide assistance at that level
<QuickBASIC> fluffypony: I'll ask you a question to answer your question. How will people know that it IS effective?
<fluffypony> QuickBASIC: this is optics, the very existence of the MRW is enough
<ErCiccione> I agree with QuickBASIC, i see an high possibility of fighting windmill with live support, but create some kind of documentation sound good
<QuickBASIC> I wasn't suggesting we provide assistance at that level.
<fluffypony> we're not providing live support, guys, let's put that idea out of everyone's head right now
<fluffypony> this is almost entirely about how we interact with infosec researchers, and what we can say to reporters
<QuickBASIC> But a couple of guides on a webpage isn't going to actually help anyone… It's just window dressing.
<sgp> QuickBASIC: that's literally the point
<netg> i like the idea
<ArticMine> In fact it can make things worse
<sgp> @ArticMine how could it make things worse?
<QuickBASIC> Anyone with the level of competence to understand that they need assistance with removing malware is going to have the knowledge to seek out other resources that already provide that assistance.
<ArticMine> It can give a person wrong advice. There is no we can identify every king of malware based upon Monero
<ArticMine> I had to deal with Malware infected FLOSS that was distributed via Google ads
<ArticMine> It caught a very experienced Windows administrator
<fluffypony> this is the stuff we're fighting against
<QuickBASIC> What happened to the party line "we can't control what people do with Monero". If we start having the appearance of taking ownership of what people do maliciously with Monero, it could be a bad look for the Monero community… i.e. Look they have a Malware workgroup and look how ineffective it is at making all the bad stuff in the world stop happening.
<ArticMine> It was on a fresh install of Windows XP
<fluffypony> that's all in the past week
<ArticMine> The infected software was VLC
<ArticMine> I only caught it because of a GPL violation
<ArticMine> I had to reinstall XP in order to connect o Windows server
<cryptochangements> devil's advocate: if we start trying to "combat" malware does that mean we also have to help LE with DNMs since they give us a bad image?
<QuickBASIC> I understand that what you're proposing is supposed to diminish the negative views of Monero in the press, but I think it's the wrong tact… I think positive use cases will outweigh any kind of reduction in peoples view of Monero because of some people choosing to use it for malicious purposes.
<ArticMine> It is a huge problem in FLOSS F-Droid Android apps that are infected with malware and uploaded to goggle play
<fluffypony> cryptochangements: why do you think we don't allow DNM posts on /r/monero ?
<msvb-fab> DNM == ?
<fluffypony> msvb-fab: darknet markets
<dEBRUYNE> fluffypony: fwiw, I remove any thread that somewhat reeks of illegality
<fluffypony> dEBRUYNE: yep I know
<cryptochangements> not allowing people to talk about something!= helping (more or less effectivly) people stop something
<netg> i mean having such a group and educating our own community is by itself positive
<netg> people getting ripped of their xmr by malware are mostly lost for the project
<fluffypony> netg: agreed
<ErCiccione> QuickBASIC and ArticMine have both good points, how can we provide some kind of assistance (at least minimal) but always "at distance"? The group could be the point of contact, but shouldn't give practical solutions (to avoid responsabilities of eventual mistakes) They can provide documentation and other kind of support (like suggesting who to speak with, more info about Monero's technology)
<fluffypony> ErCiccione: we write guides, and we make those guides available
<cryptochangements> i just dont want things to come off as hypocritical if we address one "bad" thing but not another
<fluffypony> the guides are non-specific
<netg> cryptochangements: malware would be an attack against the project (our users)
<ArticMine> The most effective tools I can think of are 1) A resource directory on malware that points to resources on malware removal 2) Having a working group as fluffypony has suggested 3) Aggressive trademark enforcement 4) I know this is controversial moving to a copyleft license
<sgp> I have the meetup and need to run, but please continue this discussion and move to open ideas time if there is some extra time
<sgp> The next meeting will two weeks from today on 23 December at 17:00 UTC.
<ArticMine> 3) and 4) allow us to use existing legal channels to go after the grey / white area
<fluffypony> ok sgp, all I really wanted to do in this meeting as well is find someone to head the workgroup up and run with the idea
<ErCiccione> fluffypony: beside guides, my point is that we should decide how deep the eventual support should be
<fluffypony> so if anyone wants to volunteer please ping me
<ArticMine> I am talking DMCA take downs etc
<netg> ArticMine: bitcoin, debian, tor never needed aggressive trademark enforcement
<netg> and wtf, people doing harm dont respect laws anyway
<netg> no free project needs that
<netg> super lame
<ArticMine> I mean the grey / white area not black
<ArticMine> Actually there has been a DMCA breakdown over Ubuntu against the MPAA
<ArticMine> about 11 years ago
<ArticMine> It was over GPL violations
<sgp> @fluffypony I am happy to work on this
<fluffypony> ok cool
<ArticMine> Matthew Garrett did ti
<fluffypony> so then if anyone else wants to volunteer for the MRW ping sgp :)
<ArticMine> What is interesting is any contributor can do it on their own
<ErCiccione> we have ten more minutes. Open ideas time?
<serhack> sgp what do you think?
<ArticMine> netg when targeting for profit entities and large corps it is not super lame. It is ust a does of their won medicine
<ErCiccione> ok my idea: I'm building a taiga bot, so we will have live updates from taiga on irc, will let know when ready so who needs it can use it
<serhack> my idea: Mastering Monero ebook. https://www.reddit.com/r/Monero/comments/7imsr9/hello_world_mastering_monero_is_coming_soon/ :)
<ErCiccione> (btw i think we still need to define better the MRW team's duties before starting the actual recruiting)
<ErCiccione> If we are considering the meeting over, the discussion about the MRL can restart
<msvb-fab> We still have five minutes left…
<msvb-fab> parasew[m] pablonero[m]: Any action with planning Monero December, what progress has been made in the first week of December?
<msvb-fab> We have quite a nice activities list in December, the Vienna RIAT group (I think that stands for Research Institute of Austria) is hosting.
<rehrar> Msvb, I'll fill out the stuff today soon. :)
<msvb-fab> A number of us will be travelling on Thursday 14 December, and spend the weekend.
<msvb-fab> rehrar: You mean about the RIAT hosted meetings in Vienna?
<rehrar> No. For wallet test.
<msvb-fab> rehrar: Oh, you mean I think… Yes. That's great, thanks.
<msvb-fab> I think the two who know most/best about the Vienna stuff are parasew[m] pablonero[m], so look for them on #monero-ccc for more information.
<rehrar> Sorry for not being here today. Wife graduating. :) If anyone needs something from me, send me a ping.
<rehrar> Will go over log soon.
<msvb-fab> ErCiccione: We can chat about MRW now?
<ErCiccione> ok, i'll do the sgp/rehrar of the situation :D  Meeting is over thanks everybody for partecipating!
<ErCiccione> let's talk about MRW now
<netg> what we always should highlight is what, separates monero from the rest of the projects, its is the mindset and strong belief, that an completely anonymous egalitarian cryptocurrencies is strongly needed, by alot of people world-wide, and if existing would improve whole humanity
<ErCiccione> This is what I was talking about with this comment: https://github.com/monero-project/meta/issues/141#issuecomment-350490380). Discussions rarely continue after the meeting. A very participated and important discussion died.
<ErCiccione> fluffypony ^^
<fluffypony> ErCiccione: further discussion about the MRW can happen within the MRW :)
<fluffypony> I unfortunately wouldn't have been able to continue the discussion anyway, I'm busy fixing MyMonero problems
<ErCiccione> sure, but this shows that the problem actually exist. This happened and will happen with other subjects. We need to find a way to optimize and don't cut these discussions
<endogenic> ErCiccione: can't anyone bring up the issue when they want and ping the involved parties?
<endogenic> involved -> interested even
<ErCiccione> that doesn't solve the problem. A discussion flows during a meeting, but if it gets interrupted is gonna be hard to remake the logical processes. Meetings are the place for this kind of discussions, it's psicologically hard to restart this conversations with the same intention, the feeling of "officiality" get lost. this means that another meeting will be necessary to make the discussion official. I don't know if i explained
<ErCiccione> well my point
<ErCiccione> but this is my opinion, if i'm the only one feeling the problem, we can just keep going like this. I still think a lot of time will be wasted though
<endogenic> sorry, what's the problem?
<netg> ErCiccione: monero development isnt super fast anyway, because its based on long-term considerations
<ErCiccione> endogenic: https://github.com/monero-project/meta/issues/141#issuecomment-350487067
<endogenic> no i know ErCiccione
<endogenic> i'll type somethin out
<netg> its a top 10 coin, has a healthy community, is building the first infrastructure and is considered the best contender in its niche
<endogenic> the officiality aspect comes from people agreeing on the existence and importance of a problem…
<netg> what do you need more
<endogenic> ErCiccione: example then
<endogenic> did you see Jaquee post this? https://www.reddit.com/r/Monero/comments/7ingmi/transferred_3100_usd_to_mymonero_over_4_days_ago/dr01xy2/
<endogenic> i wanted to reply saying that this is a real foss project so someone must do it and if it's not he who will write the code or design the solutions and he still thinks he knows something then it's on him to inspire others to be the hero to solve it
<endogenic> now i would suggest that'd be an example of leadership for him
<endogenic> if i wanted to solve the problem he wanted to solve i'd just make it specific what the issue is, then take it to the people who are working on it, and show them it's real
<endogenic> if they don't think it's an issue then i can tell others "this person didn't think it was an issue"
<endogenic> it's just facts
<endogenic> wonder if that makes any sense?
<Jaquee> endogenic: he posted the same message in several places. i also wrote this answer: https://www.reddit.com/r/Monero/comments/7ingmi/transferred_3100_usd_to_mymonero_over_4_days_ago/dr02f7i/?st=jazoidya&sh=ca6b4e35
<ErCiccione> mmmh I think we went out of track, sorry I didn't explain myself well :) . My point is just: can we make meetings longer so we don't cut out important conversations? I think this is more about the conception each of us has of the meeting. For me all formal discussions should be done during meetings. But this is how I'm used to for my personal experience. if it's not perceived as a problem. Ok, fine for me :D
<endogenic> ErCiccione: have you ever heard the theory about how widening highways doesn't actually solve traffic problems?
<endogenic> i think it might be similar with meeting times
<netg> +1 for longer meetings
<fluffypony> why not just have meeting once a week instead of every 2 weeks?
<ErCiccione> I'm talking for my personal experience. I've been doing meetings for about 12 years and sometimes they lasted even 6 hours for that very reason. But i'm talking about a completely different environment
<ErCiccione> fluffypony: I would personally prefer longer meetings than more often, but that could be a solution
<fluffypony> I'd kill myself if I had to sit in a 6 hour meeting
<ErCiccione> and wasn't a friendly environment, I was very close to :)
<netg> i just think, we dont need a hard stop at the planed finishing time
<netg> 10 till 30 mins longer depending on if there is something left to talk
<netg> would be ok, IMHO
<ErCiccione> netg: I agree, that's basically what i suggested here: https://github.com/monero-project/meta/issues/141#issuecomment-350490380
<DaveyJones> some kind of meeting reflecting + discussion
<netg> like a sprint review in scrum?
Post tags : Dev Diaries, Cryptography